/List` to see the report results.
If you’re already on the webpage, you’ll need to refresh the page to see the results.
- 
+ 
### Troubleshooting publishing errors
@@ -141,7 +141,7 @@ If you have errors while you’re publishing your project, you should try to upd
1. From the **Tools** menu of Microsoft Visual Studio, click **NuGet Package Manager**, and click **Manage NuGet Packages for Solution**.
- 
+ 
2. Click **Updates** on the left side of the tool, and click the **Update All** button.
You may need to do some additional package cleanup to remove older package versions.
diff --git a/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md
index 4651adf5cf..4573423115 100644
--- a/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md
+++ b/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md
@@ -9,7 +9,7 @@ centralized control, you can create one global list of websites that render usin
1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Microsoft Edge\\Configure the Enterprise Mode Site List** setting.
Turning this setting on also requires you to create and store a site list.
2. Click **Enabled**, and then in the **Options** area, type the location to your site list.
@@ -24,7 +24,7 @@ All of your managed devices must have access to this location if you want them t
2. Edit the `SiteList` registry key to point to where you want to keep your Enterprise Mode site list file.
For example:
+  -->
- **HTTPS location:** `"SiteList"="https://localhost:8080/sites.xml"`
diff --git a/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md b/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md
index b34f9be63f..c8ef3d030c 100644
--- a/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md
+++ b/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md
@@ -33,7 +33,7 @@ Besides turning on this feature, you also have the option to provide a URL for E
1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Internet Explorer\\Let users turn on and use Enterprise Mode from the Tools menu** setting.
- 
+ 
2. Click **Enabled**, and then in the **Options** area, type the location for where to receive reports about when your employees use this functionality to turn Enterprise Mode on or off from the **Tools** menu.
@@ -45,7 +45,7 @@ Besides turning on this feature, you also have the option to provide a URL for E
3. Right-click the **Enable** key, click **Modify**, and then type a **Value data** to point to a server that you can listen to for updates.
- 
+ 
Your **Value data** location can be any of the following types:
diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
index 1acd936993..65fbb8eaaf 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
@@ -38,11 +38,11 @@ Before you start, you need to make sure you have the following:
1. Go to the [Microsoft Security Bulletin](/security-updates/) page, and change the filter to **Windows Internet Explorer 11**.
- 
+ 
2. Click the title of the latest cumulative security update, and then scroll down to the **Affected software** table.
- 
+ 
3. Click the link that represents both your operating system version and Internet Explorer 11, and then follow the instructions in the **How to get this update** section.
@@ -284,13 +284,13 @@ You can collect your hardware inventory using the MOF Editor, while you’re con
1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**.
- 
+ 
2. Click **Add**, click **Connect**, and connect to a computer that has completed the setup process and has already existing classes.
3. Change the **WMI Namespace** to `root\cimv2\IETelemetry`, and click **Connect**.
- 
+ 
4. Select the check boxes next to the following classes, and then click **OK**:
@@ -397,12 +397,12 @@ The sample reports, **SCCM Report Sample – ActiveX.rdl** and **SCCM Report Sam
### SCCM Report Sample – ActiveX.rdl
Gives you a list of all of the ActiveX-related sites visited by the client computer.
-
+
### SCCM Report Sample – Site Discovery.rdl
Gives you a list of all of the sites visited by the client computer.
-
+
## View the collected XML data
After the XML files are created, you can use your own solutions to extract and parse the data. The data will look like:
@@ -440,7 +440,7 @@ You can import this XML data into the correct version of the Enterprise Mode Sit
1. Open the Enterprise Mode Site List Manager, click **File**, and then click **Bulk add from file**.
- 
+ 
2. Go to your XML file to add the included sites to the tool, and then click **Open**.
Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md).
diff --git a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md b/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md
index e8d1ec3d7d..5cfa201d18 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md
@@ -48,7 +48,7 @@ The compatibility improvements made in IE11 lets older websites just work in the
## Document mode selection flowchart
This flowchart shows how IE11 works when document modes are used.
-
+
[Click this link to enlarge image](img-ie11-docmode-lg.md)
## Known Issues with Internet Explorer 8 document mode in Enterprise Mode
diff --git a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md
index 333686dc07..9ec7ddf862 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md
@@ -45,7 +45,7 @@ To see if this fix might help you, run through this process one step at a time,
1. Go to a site having compatibility problems, press **F12** to open the **F12 Developer Tools**, and go to the **Emulation** tool.
- 
+ 
2. Starting with the **11 (Default)** option, test your broken scenario.
If that doesn’t work, continue down to the next lowest document mode, stopping as soon as you find a document mode that fixes your problems. For more information about the Emulation tool, see [Emulate browsers, screen sizes, and GPS locations](/previous-versions/windows/internet-explorer/ie-developer/samples/dn255001(v=vs.85)).
@@ -62,7 +62,7 @@ There are two versions of the Enterprise Mode site list schema and the Enterpris
1. Open the Enterprise Mode Site List Manager, and click **Add**.
- 
+ 
2. Add the **URL** and pick the document mode from the **Launch in** box. This should be the same document mode you found fixed your problems while testing the site.
Similar to Enterprise Mode, you can specify a document mode for a particular web path—such as contoso.com/ERP—or at a domain level. In the above, the entire contoso.com domain loads in Enterprise Mode, while microsoft.com is forced to load into IE8 Document Mode and bing.com loads in IE11.
@@ -74,7 +74,7 @@ For more information about Enterprise Mode, see [What is Enterprise Mode?](what-
### Review your Enterprise Mode site list
Take a look at your Enterprise Mode site list and make sure everything is the way you want it. The next step will be to turn the list on and start to use it in your company. The Enterprise Mode Site List Manager will look something like:
-
+
And the underlying XML code will look something like:
diff --git a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
index 75283c1f64..4eed39657f 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
@@ -62,15 +62,15 @@ When IE blocks an outdated ActiveX control, you’ll see a notification bar simi
**Internet Explorer 9 through Internet Explorer 11**
-
+
**Windows Internet Explorer 8**
-
+
Out-of-date ActiveX control blocking also gives you a security warning that tells you if a webpage tries to launch specific outdated apps, outside of IE:
-
+
## How do I fix an outdated ActiveX control or app?
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
index 6edccdda73..9424e5e32f 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
@@ -27,7 +27,7 @@ You can use the Group Policy setting, **Set a default associations configuration
1. Open your Group Policy editor and go to the **Computer Configuration\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** setting.
Turning this setting on also requires you to create and store a default associations configuration file, locally or on a network share. For more information about creating this file, see [Export or Import Default Application Associations]( https://go.microsoft.com/fwlink/p/?LinkId=618268).
- 
+ 
2. Click **Enabled**, and then in the **Options** area, type the location to your default associations configuration file.
If this setting is turned on and your employee's device is domain-joined, this file is processed and default associations are applied at logon. If this setting isn't configured or is turned off, or if your employee's device isn't domain-joined, no default associations are applied at logon.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
index dd26f8e369..b42426f1d7 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
@@ -31,11 +31,11 @@ ms.date: 07/27/2017
Using Group Policy, you can turn on Enterprise Mode for Internet Explorer and then you can turn on local user control using the **Let users turn on and use Enterprise Mode from the Tools menu** setting, located in the `Administrative Templates\Windows Components\Internet Explorer` category path. After you turn this setting on, your users can turn on Enterprise Mode locally, from the IE **Tools** menu.
-
+
The **Let users turn on and use Enterprise Mode from the Tools menu** setting also lets you decide where to send the user reports (as a URL). We recommend creating a custom HTTP port 81 to let your incoming user information go to a dedicated site. A dedicated site is important so you can quickly pick out the Enterprise Mode traffic from your other website traffic.
-
+
Getting these reports lets you find out about sites that aren’t working right, so you can add them to your Enterprise Mode site list, without having to locate them all yourself. For more information about creating and using a site list, see the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) topic, based on your operating system.
@@ -51,11 +51,11 @@ When you turn logging on, you need a valid URL that points to a server that can
3. Open the Internet Information Services (IIS) Manager, click **Bindings**, highlight **Port 81**, click **Edit**, and then change the website information to point to Port 81 so it matches your custom-created port.
- 
+ 
4. Open the **Logging** feature, pick **W3C** for the format, and click **Select Fields** to open the **W3C Logging Fields** box.
- 
+ 
5. Change the WC3 logging fields to include only the **Date**, **Client IP**, **User Name**, and **URI Query** standard fields, and then click **OK**.
Using only these fields keeps the log file simple, giving you the date, client IP address, and the website URI information for any site changed by your users.
@@ -76,7 +76,7 @@ When you turn logging on, you need a valid URL that points to a server that can
### IIS log file information
This is what your log files will look like after you set everything up and at least one of your users has turned on Enterprise Mode locally from the **Tools** menu. You can see the URL of the problematic website and client IP address of the user that turned on Enterprise Mode.
-
+
## Using the GitHub sample to collect your data
@@ -103,14 +103,14 @@ For logging, you’re going to need a valid URL that points to a server that can
5. Right-click on the name, PhoneHomeSample, and click **Publish**.
- 
+ 
6. In the **Publish Web** wizard, pick the publishing target and options that work for your organization.
**Important**
Make sure you have a database associated with your publishing target. Otherwise, your reports won’t be collected and you’ll have problems deploying the website.
- 
+ 
After you finish the publishing process, you need to test to make sure the app deployed successfully.
@@ -135,7 +135,7 @@ For logging, you’re going to need a valid URL that points to a server that can
- Go to `https:///List` to see the report results.
If you’re already on the webpage, you’ll need to refresh the page to see the results.
- 
+ 
### Troubleshooting publishing errors
@@ -145,7 +145,7 @@ If you have errors while you’re publishing your project, you should try to upd
1. From the **Tools** menu of Microsoft Visual Studio, click **NuGet Package Manager**, and click **Manage NuGet Packages for Solution**.
- 
+ 
2. Click **Updates** on the left side of the tool, and click the **Update All** button.
You may need to do some additional package cleanup to remove older package versions.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md b/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md
index 14bd40e745..ec77071c73 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md
@@ -28,7 +28,7 @@ Jump to:
[Enterprise Mode for Internet Explorer 11](enterprise-mode-overview-for-ie11.md) can be very effective in providing backward compatibility for older web apps. The Enterprise Mode Site List includes the ability to put any web app in any document mode, include IE8 and IE7 Enterprise Modes, without changing a single line of code on the website.
-
+
Sites in the \ section can be rendered in any document mode, as shown in blue above. Some sites designed for older versions of Internet Explorer may require better backward compatibility, and these can leverage the \ section of the Enterprise Mode Site List. IE8 Enterprise Mode provides higher-fidelity emulation for Internet Explorer 8 by using, among other improvements, the original Internet Explorer 8 user agent string. IE7 Enterprise Mode further improves emulation by adding Compatibility View.
@@ -84,7 +84,7 @@ To see if the site works in the Internet Explorer 5, Internet Explorer 7, Intern
- Open the site in Internet Explorer 11, load the F12 tools by pressing the **F12** key or by selecting **F12 Developer Tools** from the **Tools** menu, and select the **Emulation** tab.
- 
+ 
- Run the site in each document mode until you find the mode in which the site works.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
index 8c84054dc3..1b32fa64ad 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
@@ -39,7 +39,7 @@ Before you can use a site list with Enterprise Mode, you need to turn the functi
1. Open your Group Policy editor and go to the `Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list` setting.
Turning this setting on also requires you to create and store a site list. For more information about creating your site list, see the [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) topics.
- 
+ 
2. Click **Enabled**, and then in the **Options** area, type the location to your site list.
@@ -51,7 +51,7 @@ Before you can use a site list with Enterprise Mode, you need to turn the functi
4. Edit the `SiteList` registry key to point to where you want to keep your Enterprise Mode site list file. For example:
- 
+ 
- **HTTPS location**: `"SiteList"="https://localhost:8080/sites.xml"`
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md
index b4db0fb7a4..897b27ceed 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md
@@ -37,7 +37,7 @@ Besides turning on this feature, you also have the option to provide a URL for E
1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Internet Explorer\\Let users turn on and use Enterprise Mode from the Tools menu** setting.
- 
+ 
2. Click **Enabled**, and then in the **Options** area, type the location for where to receive reports about when your employees use this functionality to turn Enterprise Mode on or off from the **Tools** menu.
@@ -49,7 +49,7 @@ Besides turning on this feature, you also have the option to provide a URL for E
5. Right-click the **Enable** key, click **Modify**, and then type a **Value data** to point to a server that you can listen to for updates.
- 
+ 
Your **Value data** location can be any of the following types:
diff --git a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
index fd6904f4a8..54ae269373 100644
--- a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
@@ -33,32 +33,32 @@ During installation, you must pick a version of IEAK 11, either **External** or
| Feature | Internal | External |
|-------------------------------------------|:--------------------------------------------------------------------------------:|:------------------------------------------------------------------------------------:|
-| Welcome screen |  |  |
-| File locations |  |  |
-| Platform selection |  |  |
-| Language selection |  |  |
-| Package type selection |  |  |
-| Feature selection |  |  |
-| Automatic Version Synchronization (AVS) |  |  |
-| Custom components |  |  |
-| Internal install |  |  |
-| User experience |  |  |
-| Browser user interface |  |  |
-| Search providers |  |  |
-| Important URLs – Home page and support |  |  |
-| Accelerators |  |  |
-| Favorites, Favorites bar, and feeds |  |  |
-| Browsing options |  |  |
-| First Run wizard and Welcome page options |  |  |
-| Connection manager |  |  |
-| Connection settings |  |  |
-| Automatic configuration |  |  |
-| Proxy settings |  |  |
-| Security and privacy settings |  |  |
-| Add a root certificate |  |  |
-| Programs |  |  |
-| Additional settings |  |  |
-| Wizard complete |  |  |
+| Welcome screen |  |  |
+| File locations |  |  |
+| Platform selection |  |  |
+| Language selection |  |  |
+| Package type selection |  |  |
+| Feature selection |  |  |
+| Automatic Version Synchronization (AVS) |  |  |
+| Custom components |  |  |
+| Internal install |  |  |
+| User experience |  |  |
+| Browser user interface |  |  |
+| Search providers |  |  |
+| Important URLs – Home page and support |  |  |
+| Accelerators |  |  |
+| Favorites, Favorites bar, and feeds |  |  |
+| Browsing options |  |  |
+| First Run wizard and Welcome page options |  |  |
+| Connection manager |  |  |
+| Connection settings |  |  |
+| Automatic configuration |  |  |
+| Proxy settings |  |  |
+| Security and privacy settings |  |  |
+| Add a root certificate |  |  |
+| Programs |  |  |
+| Additional settings |  |  |
+| Wizard complete |  |  |
---
diff --git a/education/trial-in-a-box/educator-tib-get-started.md b/education/trial-in-a-box/educator-tib-get-started.md
index d0251e80ba..bbf1be6015 100644
--- a/education/trial-in-a-box/educator-tib-get-started.md
+++ b/education/trial-in-a-box/educator-tib-get-started.md
@@ -24,13 +24,13 @@ manager: dansimp
| Tool | Description |
| :---: |:--- |
-| [](#edu-task1) | [Log in](#edu-task1) to **Device A** with your Teacher credentials and connect to the school network. |
-| [](#edu-task2) | **Interested in significantly improving your students' reading speed and comprehension?[1](#footnote1)** Try the [Learning Tools Immersive Reader](#edu-task2) to see how kids can learn to read faster, using text read aloud, and highlighting words for syntax. |
-| [](#edu-task3) | **Looking to foster collaboration, communication, and critical thinking in the classroom?** Launch [Microsoft Teams](#edu-task3) and learn how to set up digital classroom discussions, respond to student questions, and organize class content. |
-| [](#edu-task4) | **Trying to expand classroom creativity and interaction between students?** Open [OneNote](#edu-task4) and create an example group project for your class. |
-| [](#edu-task5) | **Curious about telling stories through video?** Try the [Photos app](#edu-task5) to make your own example video. |
-| [](#edu-task6) | **Want to teach kids to further collaborate and problem solve?** Play with [Minecraft: Education Edition](#edu-task6) to see how it can be used as a collaborative and versatile platform across subjects to encourage 21st century skills. |
-| [](#edu-task7) | **Want to provide a personal math tutor for your students?** Use [Windows Ink and the Math Assistant feature](#edu-task7) in OneNote to give students step-by-step instructions and interactive 2D graphs for math problems. |
+| [](#edu-task1) | [Log in](#edu-task1) to **Device A** with your Teacher credentials and connect to the school network. |
+| [](#edu-task2) | **Interested in significantly improving your students' reading speed and comprehension?[1](#footnote1)** Try the [Learning Tools Immersive Reader](#edu-task2) to see how kids can learn to read faster, using text read aloud, and highlighting words for syntax. |
+| [](#edu-task3) | **Looking to foster collaboration, communication, and critical thinking in the classroom?** Launch [Microsoft Teams](#edu-task3) and learn how to set up digital classroom discussions, respond to student questions, and organize class content. |
+| [](#edu-task4) | **Trying to expand classroom creativity and interaction between students?** Open [OneNote](#edu-task4) and create an example group project for your class. |
+| [](#edu-task5) | **Curious about telling stories through video?** Try the [Photos app](#edu-task5) to make your own example video. |
+| [](#edu-task6) | **Want to teach kids to further collaborate and problem solve?** Play with [Minecraft: Education Edition](#edu-task6) to see how it can be used as a collaborative and versatile platform across subjects to encourage 21st century skills. |
+| [](#edu-task7) | **Want to provide a personal math tutor for your students?** Use [Windows Ink and the Math Assistant feature](#edu-task7) in OneNote to give students step-by-step instructions and interactive 2D graphs for math problems. |
@@ -41,7 +41,7 @@ manager: dansimp
-
+
## 1. Log in and connect to the school network
To try out the educator tasks, start by logging in as a teacher.
@@ -55,7 +55,7 @@ To try out the educator tasks, start by logging in as a teacher.
-
+
## 2. Significantly improve student reading speed and comprehension
> [!VIDEO https://www.youtube.com/embed/GCzSAslq_2Y]
@@ -78,7 +78,7 @@ Learning Tools and the Immersive Reader can be used in the Microsoft Edge browse
4. Select the **Immersive Reader** button.
- 
+ 
5. Press the **Play** button to hear text read aloud.
@@ -86,14 +86,14 @@ Learning Tools and the Immersive Reader can be used in the Microsoft Edge browse
| Text to Speech | Text Preferences | Grammar Options | Line Focus |
| :------------: | :--------------: | :-------------: | :--------: |
- |  |  |  |  |
+ |  |  |  |  |
-
+
## 3. Spark communication, critical thinking, and creativity in the classroom
> [!VIDEO https://www.youtube.com/embed/riQr4Dqb8B8]
@@ -114,7 +114,7 @@ Take a guided tour of Microsoft Teams and test drive this digital hub.
-
+
## 4. Expand classroom collaboration and interaction between students
> [!VIDEO https://www.youtube.com/embed/dzDSWMb_fIE]
@@ -135,16 +135,16 @@ When you're not using the pen, just use the magnet to stick it to the left side
3. Follow the instructions for the project. Look for the **Try this!** callouts to experiment with these engaging activities.
- Discover the power of digital ink by selecting the Draw tab. Choose your pen and get scribbling.
- 
+ 
- Type anywhere on the page! Just click your cursor where you want to place text.
- Use the checkmark in the **Home** tab to keep track of completed tasks.
- 
+ 
- To find information without leaving OneNote, use the Researcher tool found under the Insert tab.
- 
+ 
@@ -178,7 +178,7 @@ Use video to create a project summary.
8. Drag the videos to the Storyboard, one by one. Your project should look roughly like this:
- 
+ 
9. Select the first card in the Storyboard (the video of the project materials) and select **Text**, type a title in, a text style, a layout, and select **Done**.
@@ -191,7 +191,7 @@ Use video to create a project summary.
4. Play back your effect.
5. Select **Done** when you have it where you want it.
- 
+ 
12. Select **Music** and select a track from the **Recommended** music collection.
1. The music will update automatically to match the length of your video project, even as you make changes.
@@ -208,7 +208,7 @@ Check out this use case video of the Photos team partnering with the Bureau Of F
-
+
## 6. Get kids to further collaborate and problem solve
> [!VIDEO https://www.youtube.com/embed/QI_bRNUugog]
@@ -226,7 +226,7 @@ Today, we'll explore a Minecraft world through the eyes of a student.
3. Scroll down to the **Details** section and select **Download World**.
- 
+ 
4. When prompted, save the world.
@@ -250,7 +250,7 @@ Today, we'll explore a Minecraft world through the eyes of a student.
To try more advanced movements or building within Minecraft, use the Minecraft Controls Diagram.
- 
+ 
12. Access and adapt over 300 lesson plans, spanning all grades and subjects, to meet your needs. Enjoy exploring new worlds and happy crafting.
@@ -260,13 +260,13 @@ Today, we'll explore a Minecraft world through the eyes of a student.
2. Click **Class Resources**.
3. Click **Find a Lesson**.
- 
+ 
-
+
## 7. Use Windows Ink to provide a personal math tutor for your students
The **Math Assistant** and **Ink Replay** features available in the OneNote app give your students step-by-step instructions on how to solve their math problems and help them visualize math functions on an interactive 2D graph.
@@ -275,15 +275,15 @@ The **Math Assistant** and **Ink Replay** features available in the OneNote app
To get started:
1. Open the OneNote app for Windows 10 (not OneNote 2016).
- 
+ 
2. In the top left corner, click on the **<** arrow to access your notebooks and pages.
- 
+ 
3. Click **Add Page** to launch a blank work space.
- 
+ 
4. Make sure your pen is paired to the device. To pair, see Connect to Bluetooth devices.
@@ -292,26 +292,26 @@ To solve the equation 3x+4=7, follow these instructions:
2. If you wrote the equation using digital ink, use the **Lasso tool** to circle the equation. If you typed the equation, highlight it using your mouse.
- 
+ 
3. On the **Draw** tab, click the **Math** button.
- 
+ 
4. From the drop-down menu in the **Math** pane, select the option to **Solve for x**. You can now see the final solution of the equation.
- 
+ 
5. From the second drop-down below, choose **Steps for Solving Linear Formula**, which shows you the step-by-step solution of this equation.
6. On the **View** tab, click the **Replay** button. Use your mouse to select the written equation and watch your text in replay. Replay is great for students to review how the teacher solved the equation and for teachers to review how students approached a problem.
- 
+ 
To graph the equation 3x+4=7, follow these instructions:
1. From the drop-down menu in the **Math** pane, select the option to **Graph Both Sides in 2D**. You can play with the interactive graph of your equation - use a single finger to move the graph position or two fingers to change the **zoom** level.
- 
+ 
2. Click the **Insert on Page** button below the graph to add a screenshot of the graph to your page.
diff --git a/education/trial-in-a-box/index.md b/education/trial-in-a-box/index.md
index f21a0ddcf4..5f1c865bce 100644
--- a/education/trial-in-a-box/index.md
+++ b/education/trial-in-a-box/index.md
@@ -16,7 +16,7 @@ ms.date: 12/11/2017
# Microsoft Education Trial in a Box
-
+
@@ -28,7 +28,7 @@ Welcome to Microsoft Education Trial in a Box. We built this trial to make it ea
-| [](educator-tib-get-started.md) | [](itadmin-tib-get-started.md) |
+| [](educator-tib-get-started.md) | [](itadmin-tib-get-started.md) |
| :---: | :---: |
| **Educator**Enhance students of all abilities by unleashing their creativity, collaboration, and improving problem-solving skills. [Get started](educator-tib-get-started.md) | **IT Admin**Quickly implement and deploy a full cloud infrastructure that's secure and easy to manage. [Get started](itadmin-tib-get-started.md) |
diff --git a/education/trial-in-a-box/itadmin-tib-get-started.md b/education/trial-in-a-box/itadmin-tib-get-started.md
index be9a131941..d0ba6a05b3 100644
--- a/education/trial-in-a-box/itadmin-tib-get-started.md
+++ b/education/trial-in-a-box/itadmin-tib-get-started.md
@@ -24,11 +24,11 @@ manager: dansimp
| | |
| :---: |:--- |
-| [](#it-task1) | [Log in](#it-task1) to **Device A** with your IT Admin credentials and connect to your school's network. |
-| [](#it-task2) | [Configure Device B](#it-task2) with the Set up School PCs app. |
-| [](#it-task3) | [Express configure Intune for Education](#it-task3) to manage devices, users, and policies. |
-| [](#it-task4) | [Find apps from the Microsoft Store for Education](#it-task4) and deploy them to manage devices in your tenant. |
-| [](#it-task5) | [Create custom folders](#it-task5) that will appear on each managed device's **Start** menu. |
+| [](#it-task1) | [Log in](#it-task1) to **Device A** with your IT Admin credentials and connect to your school's network. |
+| [](#it-task2) | [Configure Device B](#it-task2) with the Set up School PCs app. |
+| [](#it-task3) | [Express configure Intune for Education](#it-task3) to manage devices, users, and policies. |
+| [](#it-task4) | [Find apps from the Microsoft Store for Education](#it-task4) and deploy them to manage devices in your tenant. |
+| [](#it-task5) | [Create custom folders](#it-task5) that will appear on each managed device's **Start** menu. |
@@ -42,7 +42,7 @@ If you run into any problems while following the steps in this guide, or you hav
-
+
## 1. Log in to Device A with your IT Admin credentials and connect to the school network
To try out the IT admin tasks, start by logging in as an IT admin.
@@ -56,7 +56,7 @@ To try out the IT admin tasks, start by logging in as an IT admin.
-
+
## 2. Configure Device B with Set up School PCs
Now you're ready to learn how to configure a brand new device. You will start on **Device A** by downloading and running the Set up School PCs app. Then, you will configure **Device B**.
@@ -66,11 +66,11 @@ If you've previously used Set up School PCs to provision student devices, you ca
1. From the **Start** menu, find and then click **Microsoft Store** to launch the Store.
- 
+ 
2. Search for the **Set up School PCs** app.
- 
+ 
3. Click **Install**.
@@ -78,7 +78,7 @@ If you've previously used Set up School PCs to provision student devices, you ca
1. On **Device A**, launch the Set up School PCs app.
- 
+ 
2. Click **Get started**.
3. Select **Sign-in**.
@@ -95,7 +95,7 @@ If you've previously used Set up School PCs to provision student devices, you ca
We recommend checking the highlighted settings below:
- 
+ 
- **Remove apps pre-installed by the device manufacturer** - If you select this option, this will reset the machine and the provisioning process will take longer (about 30 minutes).
- **Allow local storage (not recommended for shared devices)** lets students save files to the **Desktop** and **Documents** folder on the student PC.
@@ -108,7 +108,7 @@ If you've previously used Set up School PCs to provision student devices, you ca
7. **Set up the Take a Test app** configures the device for taking quizzes and high-stakes assessments by some providers like Smarter Balanced. Windows will lock down the student PC so that students can't access anything else while taking the test.
- 
+ 
1. Specify if you want to create a Take a Test button on the students' sign-in screens.
2. Select **Advanced settings** to allow keyboard text suggestions to appear and to allow teachers to monitor online tests.
@@ -120,7 +120,7 @@ If you've previously used Set up School PCs to provision student devices, you ca
8. **Add recommended apps** lets you choose from a set of recommended Microsoft Store apps to provision.
- 
+ 
The recommended apps include the following:
* **Office 365 for Windows 10 S (Education Preview)** - Optional. This works well for the Trial in a Box PCs running Windows 10 S. However, if you try to install this app on other editions of Windows 10, setup will fail. Also note that if you select **Office 365 for Windows 10 S (Education Preview)**, it will take about 30-45 minutes longer for Set up School PCs to create the provisioning package as the app downloads Office 365 for Windows 10 S (Education Preview) from the Microsoft Store.
@@ -131,7 +131,7 @@ If you've previously used Set up School PCs to provision student devices, you ca
To change any of the settings, select the page or section (such as **Sign-in** or **Settings**) to go back to that page and make your changes.
- 
+ 
10. Accept the summary and then insert a USB drive in **Device A**. Use the USB drive that came in the Trial in a Box accessories box to save the provisioning package.
11. Select the drive and then **Save** to create the provisioning package.
@@ -153,7 +153,7 @@ A provisioning package is a method for applying settings to Windows 10 without n
1. Start with **Device B** turned off or with the PC on the first-run setup screen. In Windows 10 S Fall Creators Update, the first-run setup screen says **Let's start with region. Is this right?**.
- 
+ 
If you go past the region selection screen, select **Ctrl + Shift + F3** which will prompt the "System Preparation Tool." Select **Okay** in the tool to return to the region selection screen. If this doesn't work, reset the PC by going to **Settings > Update & Security > Recovery > Reset this PC.**
@@ -166,20 +166,20 @@ You can complete the rest of the IT admin tasks using **Device A**.
-
+
## 3. Express configure Intune for Education to manage devices, users, and policies
Intune for Education provides an **Express configuration** option so you can get going right away. We'll use that option here.
1. Log into the Intune for Education console.
2. On the Intune for Education dashboard, click **Launch Express Configuration** or select the **Express configuration**.
- 
+ 
3. In the **Welcome to Intune for Education** screen, click **Get started** and follow the prompts until you get to the **Choose group** screen.
4. In the **Choose group** screen, select **All Users** so that all apps and settings that we select during express setup will apply to this group.
5. In the **Choose apps** screen, you will see a selection of desktop (Win32) apps, Web apps, and Microsoft Store apps.
- 
+ 
6. Add or remove apps by clicking on them. A blue checkmark means the app is added and will be installed for all members of the group selected in step 5.
@@ -197,7 +197,7 @@ Intune for Education provides an **Express configuration** option so you can get
-
+
## 4. Find apps from the Microsoft Store for Education and deploy them to managed devices in your tenant
The Microsoft Store for Education is where you can shop for more apps for your school.
@@ -205,7 +205,7 @@ The Microsoft Store for Education is where you can shop for more apps for your s
2. In the **Store apps** section, select **+ New app** to go to the Microsoft Store for Education.
3. Select **Sign in** and start shopping for apps for your school.
- 
+ 
4. Check some of the categories for suggested apps or search the Store for a free educational or reference app. Find ones that you haven't already installed during express configuration for Intune for Education. For example, these apps are free:
- Duolingo - Learn Languages for Free
@@ -222,7 +222,7 @@ The Microsoft Store for Education is where you can shop for more apps for your s
The apps will show up in your inventory along with the apps that Microsoft automatically provisioned for your education tenant.
- 
+ 
In the **Private store** column of the **Products & services** page, the status for some apps will indicate that it's "In private store" while others will say "Adding to private store" or "Not applicable". Learn more about this in Distribute apps using your private store.
@@ -231,7 +231,7 @@ The Microsoft Store for Education is where you can shop for more apps for your s
-
+
## 5. Create custom folders that will appear on each managed device's Start menu
Update settings for all devices in your tenant by adding the **Documents** and **Downloads** folders to all devices managed in Intune for Education.
@@ -239,7 +239,7 @@ Update settings for all devices in your tenant by adding the **Documents** and *
2. Select **Group > All Devices > Settings** and expand **Windows interface settings**.
3. In **Choose folders that appear in the Start menu**, select **Documents** and **Downloads**.
- 
+ 
4. **Save** your changes.
diff --git a/education/trial-in-a-box/support-options.md b/education/trial-in-a-box/support-options.md
index 9cb32351de..627a78c9ef 100644
--- a/education/trial-in-a-box/support-options.md
+++ b/education/trial-in-a-box/support-options.md
@@ -38,7 +38,7 @@ For more information about checking for updates, and how to optionally turn on a
> [!NOTE]
> For the alternate email address, make sure you use a different address from your Office 365 email address.
- 
+ 
4. Click **Save**.
@@ -46,17 +46,17 @@ For more information about checking for updates, and how to optionally turn on a
1. Click the **Need help?** button in the lower right-hand corner of the Office 365 console.
- 
+ 
You will see a sidebar window open up on the right-hand side of the screen.
- 
+ 
If you chose to have a support representative call you, a new support ticket will be opened and you can track these in **Support tickets**.
- 
+ 
-2. Click the **question button**  in the top navigation of the sidebar window.
+2. Click the **question button**  in the top navigation of the sidebar window.
3. In the field below **Need help?**, enter a description of your help request.
4. Click the **Get help button**.
5. In the **Let us call you** section, enter a phone number where you can be reached.
@@ -69,7 +69,7 @@ Forget your password? Follow these steps to recover it.
1. Go to https://portal.office.com
2. Select **Can't access your account** and follow the prompts to get back into your account.
- 
+ 
diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md
index 00b99a4c75..c0ac95e03e 100644
--- a/education/windows/autopilot-reset.md
+++ b/education/windows/autopilot-reset.md
@@ -61,7 +61,7 @@ You can set the policy using one of these methods:
- When using [Set up School PCs](use-set-up-school-pcs-app.md), in the **Configure student PC settings** screen, select **Enable Windows 10 Autopilot Reset** among the list of settings for the student PC as shown in the following example:
- 
+ 
## Trigger Autopilot Reset
Autopilot Reset is a two-step process: trigger it and then authenticate. Once you've done these two steps, you can let the process execute and once it's done, the device is again ready for use.
@@ -70,7 +70,7 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo
1. From the Windows device lock screen, enter the keystroke: **CTRL + Windows key + R**.
- 
+ 
This will open up a custom login screen for Autopilot Reset. The screen serves two purposes:
@@ -78,7 +78,7 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo
2. Notify the user in case a provisioning package, created using Windows Configuration Designer or Set up School PCs, will be used as part of the process.
- 
+ 
2. Sign in with the admin account credentials. If you created a provisioning package, plug in the USB drive and trigger Autopilot Reset.
@@ -97,7 +97,7 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo
- Is returned to a known good managed state, connected to Azure AD and MDM.
- 
+ 
Once provisioning is complete, the device is again ready for use.
diff --git a/education/windows/change-to-pro-education.md b/education/windows/change-to-pro-education.md
index b104042dbc..ea30225b3e 100644
--- a/education/windows/change-to-pro-education.md
+++ b/education/windows/change-to-pro-education.md
@@ -65,7 +65,7 @@ See [change using Microsoft Store for Education](#change-using-microsoft-store-f
**Figure 1** - Enter the details for the Windows edition change
- 
+ 
3. The change will automatically be applied to the group you selected.
@@ -78,7 +78,7 @@ You can use Windows Configuration Designer to create a provisioning package that
**Figure 2** - Enter the license key
- 
+ 
3. Complete the rest of the process for creating a provisioning package and then apply the package to the devices you want to change to Windows 10 Pro Education.
@@ -123,7 +123,7 @@ Once you enable the setting to change to Windows 10 Pro Education, the change wi
**Figure 3** - Check the box to confirm
- 
+ 
5. Click **Change all my devices**.
@@ -169,13 +169,13 @@ If the Windows device is running Windows 10, version 1703, follow these steps.
**Figure 4** - Select how you'd like to set up the device
- 
+ 
2. On the **Sign in with Microsoft** page, enter the username and password to use with Office 365 or other services from Microsoft, and then click **Next**.
**Figure 5** - Enter the account details
- 
+ 
3. Go through the rest of Windows device setup. Once you're done, the device will be Azure AD joined to your school's subscription.
@@ -188,21 +188,21 @@ If the Windows device is running Windows 10, version 1703, follow these steps.
**Figure 6** - Go to **Access work or school** in Settings
- 
+ 
2. In **Access work or school**, click **Connect**.
3. In the **Set up a work or school account** window, click the **Join this device to Azure Active Directory** option at the bottom.
**Figure 7** - Select the option to join the device to Azure Active Directory
- 
+ 
4. On the **Let's get you signed in** window, enter the Azure AD credentials (username and password) and sign in. This will join the device to the school's Azure AD.
5. To verify that the device was successfully joined to Azure AD, go back to **Settings > Accounts > Access work or school**. You should now see a connection under the **Connect to work or school** section that indicates the device is connected to Azure AD.
**Figure 8** - Verify the device connected to Azure AD
- 
+ 
#### Step 2: Sign in using Azure AD account
@@ -286,7 +286,7 @@ Once the automatic change to Windows 10 Pro Education is turned off, the change
**Figure 12** - Revert to Windows 10 Pro
- 
+ 
4. You will be asked if you're sure that you want to turn off automatic changes to Windows 10 Pro Education. Click **Yes**.
5. Click **Close** in the **Success** page.
@@ -304,7 +304,7 @@ You need to synchronize these identities so that users will have a *single ident
**Figure 13** - On-premises AD DS integrated with Azure AD
-
+
For more information about integrating on-premises AD DS domains with Azure AD, see these resources:
- [Integrating your on-premises identities with Azure Active Directory](/azure/active-directory/hybrid/whatis-hybrid-identity)
diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md
index 59da859362..d927aef072 100644
--- a/education/windows/chromebook-migration-guide.md
+++ b/education/windows/chromebook-migration-guide.md
@@ -118,7 +118,7 @@ At the end of this section, you should have a list of Chromebook user and device
You use the Google Admin Console (as shown in Figure 1) to manage user and device settings. These settings are applied to all the Chromebook devices in your institution that are enrolled in the Google Admin Console. Review the user and device settings in the Google Admin Console and determine which settings are appropriate for your Windows devices.
-
+
Figure 1. Google Admin Console
@@ -221,7 +221,7 @@ Table 3. Settings in the Security node in the Google Admin Console
In addition to the settings configured in the Google Admin Console, users may have locally configured their devices based on their own personal preferences (as shown in Figure 2). Table 4 lists the Chromebook user and device settings that you can locally configure. Review the settings and determine which settings you will migrate to Windows. Some of the settings listed in Table 4 can only be seen when you click the **Show advanced settings** link (as shown in Figure 2).
-
+
Figure 2. Locally-configured settings on Chromebook
diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md
index f662b8ac78..27b3806af5 100644
--- a/education/windows/configure-windows-for-education.md
+++ b/education/windows/configure-windows-for-education.md
@@ -94,19 +94,19 @@ Use one of these methods to set this policy.
- Data type: Integer
- Value: 0
- 
+ 
### Group Policy
Set **Computer Configuration > Administrative Templates > Windows Components > Search > AllowCortana** to **Disabled**.
-
+
### Provisioning tools
- [Set up School PCs](use-set-up-school-pcs-app.md) always sets this policy in provisioning packages it creates.
- [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package)
- Under **Runtime settings**, click the **Policies** settings group, set **Experience > Cortana** to **No**.
- 
+ 
## SetEduPolicies
**SetEduPolicies** is a policy that applies a set of configuration behaviors to Windows. It is a policy node in the [SharedPC configuration service provider](/windows/client-management/mdm/sharedpc-csp).
@@ -123,7 +123,7 @@ Use one of these methods to set this policy.
- Data type: Boolean
- Value: true
- 
+ 
### Group Policy
**SetEduPolicies** is not natively supported in Group Policy. Instead, use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to set the policy in [MDM SharedPC](/windows/win32/dmwmibridgeprov/mdm-sharedpc).
@@ -147,7 +147,7 @@ For example:
- [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package)
- Under **Runtime settings**, click the **SharedPC** settings group, set **PolicyCustomization > SetEduPolicies** to **True**.
- 
+ 
## Ad-free search with Bing
Provide an ad-free experience that is a safer, more private search option for K–12 education institutions in the United States.
diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md
index 5ca4cb7ea0..9dcdd7ca81 100644
--- a/education/windows/deploy-windows-10-in-a-school-district.md
+++ b/education/windows/deploy-windows-10-in-a-school-district.md
@@ -34,21 +34,21 @@ Proper preparation is essential for a successful district deployment. To avoid c
As part of preparing for your district deployment, you need to plan your district configuration — the focus of this guide. Figure 1 illustrates a typical finished district configuration that you can use as a model (the blueprint in our builder analogy) for the finished state.
> [!div class="mx-imgBorder"]
-> 
+> 
*Figure 1. Typical district configuration for this guide*
A *district* consists of multiple schools, typically at different physical locations. Figure 2 illustrates a typical school configuration within the district that this guide uses.
> [!div class="mx-imgBorder"]
-> 
+> 
*Figure 2. Typical school configuration for this guide*
Finally, each school consists of multiple classrooms. Figure 3 shows the classroom configuration this guide uses.
> [!div class="mx-imgBorder"]
-> 
+> 
*Figure 3. Typical classroom configuration in a school*
@@ -181,7 +181,7 @@ The high-level process for deploying and configuring devices within individual c
9. On the admin device, manage the Windows 10 devices and apps, the Office 365 subscription, and the AD DS–Azure AD integration.
> [!div class="mx-imgBorder"]
-> 
+> 
*Figure 4. How district configuration works*
@@ -768,7 +768,7 @@ In this method, you have an on-premises AD DS domain. As shown in Figure 5, the
> Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](/previous-versions/mim/dn510997(v=ws.10)).
> [!div class="mx-imgBorder"]
-> 
+> 
*Figure 5. Automatic synchronization between AD DS and Azure AD*
@@ -779,7 +779,7 @@ For more information about how to perform this step, see the [Integrate on-premi
In this method, you have no on-premises AD DS domain. As shown in Figure 6, you manually prepare a .csv file with the student information from your source, and then manually import the information directly into Azure AD. The .csv file must be in the format that Office 365 specifies.
> [!div class="mx-imgBorder"]
-> 
+> 
*Figure 6. Bulk import into Azure AD from other sources*
@@ -812,14 +812,14 @@ You can deploy the Azure AD Connect tool:
- **On premises.** As shown in Figure 7, Azure AD Connect runs on premises, which has the advantage of not requiring a VPN connection to Azure. It does, however, require a virtual machine (VM) or physical server.
> [!div class="mx-imgBorder"]
- > 
+ > 
*Figure 7. Azure AD Connect on premises*
- **In Azure.** As shown in Figure 8, Azure AD Connect runs on a VM in Azure AD, which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises.
> [!div class="mx-imgBorder"]
- > 
+ > 
*Figure 8. Azure AD Connect in Azure*
diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md
index 3b464f9fa6..318b892188 100644
--- a/education/windows/deploy-windows-10-in-a-school.md
+++ b/education/windows/deploy-windows-10-in-a-school.md
@@ -30,13 +30,13 @@ Proper preparation is essential for a successful school deployment. To avoid com
As part of preparing for your school deployment, you need to plan your configuration—the focus of this guide. Figure 1 illustrates a typical finished school configuration that you can use as a model (the blueprint in our builder analogy) for the finished state.
-
+
*Figure 1. Typical school configuration for this guide*
Figure 2 shows the classroom configuration this guide uses.
-
+
*Figure 2. Typical classroom configuration in a school*
@@ -112,7 +112,7 @@ The high-level process for deploying and configuring devices within individual c
6. On the student and faculty devices, deploy Windows 10 to new or existing devices, or upgrade eligible devices to Windows 10.
7. On the admin device, manage the Windows 10 devices and apps, the Office 365 subscription, and the AD DS and Azure AD integration.
-
+
*Figure 3. How school configuration works*
@@ -346,7 +346,7 @@ In this method, you have an on-premises AD DS domain. As shown in Figure 4, the
**Note** Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](/previous-versions/mim/dn510997(v=ws.10)?f=255&MSPPError=-2147217396).
-
+
*Figure 4. Automatic synchronization between AD DS and Azure AD*
@@ -356,7 +356,7 @@ For more information about how to perform this step, see the [Integrate on-premi
In this method, you have no on-premises AD DS domain. As shown in Figure 5, you manually prepare a .csv file with the student information from your source, and then manually import the information directly into Azure AD. The .csv file must be in the format that Office 365 specifies.
-
+
*Figure 5. Bulk import into Azure AD from other sources*
@@ -383,13 +383,13 @@ You can deploy the Azure AD Connect tool by using one of the following methods:
- **On premises.** As shown in Figure 6, Azure AD Connect runs on premises, which has the advantage of not requiring a virtual private network (VPN) connection to Azure. It does, however, require a virtual machine (VM) or physical server.
- 
+ 
*Figure 6. Azure AD Connect on premises*
- **In Azure**. As shown in Figure 7, Azure AD Connect runs on a VM in Azure AD, which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises.
- 
+ 
*Figure 7. Azure AD Connect in Azure*
diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md
index eaa2f7c35b..03a761c858 100644
--- a/education/windows/edu-deployment-recommendations.md
+++ b/education/windows/edu-deployment-recommendations.md
@@ -55,11 +55,11 @@ To turn off access to contacts for all apps on individual Windows devices:
1. On the computer, go to **Settings** and select **Privacy**.
- 
+ 
2. Under the list of **Privacy** areas, select **Contacts**.
- 
+ 
3. Turn off **Let apps access my contacts**.
@@ -73,7 +73,7 @@ For IT-managed Windows devices, you can use a Group Policy to turn off the setti
If you want to allow only certain apps to have access to contacts, you can use the switch for each app to specify which ones you want on or off.
-
+
The list of apps on the Windows-based device may vary from the above example. The list depends on what apps you have installed and which of these apps access contacts.
@@ -83,7 +83,7 @@ To allow only certain apps to have access to contacts, you can:
* Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts** and then specify the default for each app by adding the app's Package Family Name under the default behavior you want to enforce.
- 
+ 
## Skype and Xbox settings
@@ -109,7 +109,7 @@ Skype uses the user’s contact details to deliver important information about t
To manage and edit your profile in the Skype UWP app, follow these steps:
-1. In the Skype UWP app, select the user profile icon  to go to the user’s profile page.
+1. In the Skype UWP app, select the user profile icon  to go to the user’s profile page.
2. In the account page, select **Manage account** for the Skype account that you want to change. This will take you to the online Skype portal.
@@ -127,7 +127,7 @@ To manage and edit your profile in the Skype UWP app, follow these steps:
6. To change the profile picture, go to the Skype app and click on the current profile picture or avatar. The **Manage Profile Picture** window pops up.
- 
+ 
* To take a new picture, click the camera icon in the pop up window. To upload a new picture, click the three dots (**...**).
diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md
index 586d6ea6b8..f4ea0cf4ef 100644
--- a/education/windows/education-scenarios-store-for-business.md
+++ b/education/windows/education-scenarios-store-for-business.md
@@ -39,7 +39,7 @@ Admins can control whether or not teachers are automatically assigned the **Basi
2. Click **Manage**, and then click **Settings**.
3. On **Shop**, select or clear **Make everyone a Basic Purchaser**.
-
+
> [!NOTE]
> **Make everyone a Basic Purchaser** is on by default.
@@ -52,7 +52,7 @@ When **Make everyone a Basic Purchaser** is turned off, admins can manually assi
2. Click **Manage**, and then choose **Permissions**.
3. On **Roles**, click **Assign roles**, type and select a name, choose the role you want to assign, and then click **Save**.
- 
+ 
**Blocked Basic Purchasers**
diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md
index 78f1759c45..a89e29de02 100644
--- a/education/windows/get-minecraft-for-education.md
+++ b/education/windows/get-minecraft-for-education.md
@@ -29,7 +29,7 @@ ms.topic: conceptual
Teachers and IT administrators can now get early access to **Minecraft: Education Edition** and add it their Microsoft Store for Business for distribution.
-
+
## Prerequisites
@@ -39,11 +39,11 @@ Teachers and IT administrators can now get early access to **Minecraft: Educatio
- Office 365 Education, which includes online versions of Office apps plus 1 TB online storage. [Sign up your school for Office 365 Education.](https://products.office.com/academic/office-365-education-plan)
- If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](/windows/client-management/mdm/register-your-free-azure-active-directory-subscription)
-
+
[Learn how teachers can get and distribute **Minecraft: Education Edition**](teacher-get-minecraft.md)
-
+
[Learn how IT administrators can get and distribute **Minecraft: Education Edition**](school-get-minecraft.md), and how to manage permissions for Minecraft.
\ No newline at end of file
diff --git a/education/windows/index.md b/education/windows/index.md
index 81e3f97634..cf961bfe83 100644
--- a/education/windows/index.md
+++ b/education/windows/index.md
@@ -14,15 +14,15 @@ ms.date: 10/13/2017
# Windows 10 for Education
-
+
-##  Learn
+##  Learn
Windows 10 editions for education customers
Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: Windows 10 Pro Education and Windows 10 Education. These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments.
Compare each Windows edition
Find out more about the features and functionality we support in each edition of Windows.
Get Windows 10 Education or Windows 10 Pro Education
When you've made your decision, find out how to buy Windows for your school.
-##  Plan
+##  Plan
Windows 10 configuration recommendations for education customers
Provides guidance on ways to customize the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, so that Windows is ready for your school.
Deployment recommendations for school IT administrators
Learn how to customize the OS privacy settings, Skype, and Xbox for Windows-based devices used in schools so that you can choose what information is shared with Microsoft.
@@ -30,14 +30,14 @@ ms.date: 10/13/2017
Take tests in Windows 10
Take a Test is a new app that lets you create the right environment for taking tests. Learn how to use and get it set up.
Chromebook migration guide
Find out how you can migrate a Chromebook-based learning environment to a Windows 10-based learning environment.
-##  Deploy
+##  Deploy
Set up Windows devices for education
Depending on your school's device management needs, you can use the Set up School PCs app or the Windows Configuration Designer tool to quickly set up student PCs.
Deploy Windows 10 in a school
Get step-by-step guidance to help you deploy Windows 10 in a school environment.
Deploy Windows 10 in a school district
Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.
Test Windows 10 S on existing Windows 10 education devices
Test Windows 10 S on a variety of Windows 10 devices (except Windows 10 Home) in your school and share your feedback with us.
-##  Switch
+##  Switch
Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S
If you have an education tenant and use Windows 10 Pro or Windows 10 S in your schools, find out how you can opt-in to a free switch to Windows 10 Pro Education.
diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md
index e3900603b6..a728b75a41 100644
--- a/education/windows/school-get-minecraft.md
+++ b/education/windows/school-get-minecraft.md
@@ -50,15 +50,15 @@ If you’ve been approved and are part of the Enrollment for Education Solutions
1. Go to [https://education.minecraft.net/](https://education.minecraft.net/) and select **GET STARTED**.
-
+
2. Enter your email address, and select Educator, Administrator, or Student. If your email address isn't associated to an Azure AD or Office 365 Education tenant, you'll be asked to create one.
-
+
3. Select **Get the app**. This will take you to the Microsoft Store for Education to download the app. You will also receive an email with instructions and a link to the Store.
-
+
4. Sign in to Microsoft Store for Education with your email address.
@@ -66,7 +66,7 @@ If you’ve been approved and are part of the Enrollment for Education Solutions
6. **Minecraft: Education Edition** opens in the Microsoft Store for Education. Select **Get the app**. This places **Minecraft: Education Edition** in your Store inventory.
-
+
Now that the app is in your Microsoft Store for Education inventory, you can choose how to distribute Minecraft. For more information on distribution options, see [Distribute Minecraft](#distribute-minecraft).
@@ -113,11 +113,11 @@ After you've finished the purchase, you can find your invoice by checking **Mine
2. Click **Minecraft: Education Edition** in the list of apps.
3. On **Minecraft: Education Edition**, click **View Bills**.
- 
+ 
4. On **Invoice Bills**, click the invoice number to view and download your invoice. It downloads as a .pdf.
- 
+ 
The **Payment Instructions** section on the first page of the invoice has information on invoice amount, due date, and how to pay with electronic funds transfer, or with a check.
@@ -133,11 +133,11 @@ Admins can also add Minecraft: Education Edition to the private store. This allo
### Configure automatic subscription assignment
@@ -168,7 +168,7 @@ You can install the app on your PC. This gives you a chance to test the app and
1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com).
2. Click **Manage**, and then click **Install**.
-
+
3. Click **Install**.
@@ -180,33 +180,33 @@ Enter email addresses for your students, and each student will get an email with
1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com).
2. Click **Manage**.
- 
+ 
3. Click **Invite people**.
4. Type the name, or email address of the student or group you want to assign the app to, and then click **Assign**.
You can only assign the app to students with work or school accounts. If you don't find the student, you might need to add a work or school account for the student.
- 
+ 
**To finish Minecraft install (for students)**
1. Students will receive an email with a link that will install the app on their PC.
- 
+ 
2. Click **Get the app** to start the app install in Microsoft Store app.
3. In Microsoft Store app, click **Install**.
- 
+ 
After installing the app, students can find Minecraft: Education Edition in Microsoft Store app under **My Library**. Microsoft Store app is preinstalled with Windows 10.
- 
+ 
When students click **My Library** they'll find apps assigned to them.
- 
+ 
### Download for others
Download for others allows teachers or IT admins to download an app that they can install on PCs. This will install Minecraft: Education Edition on the PC, and allows anyone with a Windows account to use the app on that PC. This option is best for students, and for shared computers. Choose this option when:
@@ -225,11 +225,11 @@ Minecraft: Education Edition will not install if there are updates pending for o
1. Start Microsoft Store app on the PC (click **Start**, and type **Store**).
2. Click the account button, and then click **Downloads and updates**.
- 
+ 
3. Click **Check for updates**, and install all available updates.
- 
+ 
4. Restart the computer before installing Minecraft: Education Edition.
@@ -238,7 +238,7 @@ You'll download a .zip file, extract the files, and then use one of the files to
1. **Download Minecraft Education Edition.zip**. From the **Minecraft: Education Edition** page, click **Download for others** tab, and then click **Download**.
- 
+ 
2. **Extract files**. Find the .zip file that you downloaded and extract the files. This is usually your **Downloads** folder, unless you chose to save the .zip file to a different location. Right-click the file and choose **Extract all**.
3. **Save to USB drive**. After you've extracted the files, save the Minecraft: Education Edition folder to a USB drive, or to a network location that you can access from each PC.
@@ -257,7 +257,7 @@ However, tenant admins can control whether or not teachers automatically sign up
To prevent educators from automatically signing up for Microsoft Store for Business
1. In Microsoft Store for Business, click **Settings**, and then click **Permissions**.
- 
+ 
2. Click **Allow educators in my organization to sign up for the Microsoft Store for Business.**
@@ -269,7 +269,7 @@ Minecraft: Education Edition adds a new role for teachers: **Basic Purchaser**.
- Acquire and manage the app
- Info on Support page (including links to documentation and access to support through customer service)
- 
+ 
**To assign Basic Purchaser role**
@@ -280,15 +280,15 @@ Minecraft: Education Edition adds a new role for teachers: **Basic Purchaser**.
2. Click **Settings**, and then choose **Permissions**.
- 
+ 
3. Click **Add people**, type a name, select the correct person, choose the role you want to assign, and click **Save**.
- 
+ 
Microsoft Store for Business updates the list of people and permissions.
- 
+ 
-->
diff --git a/education/windows/set-up-school-pcs-azure-ad-join.md b/education/windows/set-up-school-pcs-azure-ad-join.md
index 6d62b6bb55..02198518ca 100644
--- a/education/windows/set-up-school-pcs-azure-ad-join.md
+++ b/education/windows/set-up-school-pcs-azure-ad-join.md
@@ -48,7 +48,7 @@ Active Directory** \> **Devices** \> **Device settings**.
for Azure AD by selecting **All** or **Selected**. If you choose the latter
option, select the teachers and IT staff to allow them to connect to Azure AD.
-
+
You can also create an account that holds the exclusive rights to join devices. When a student PC needs to be set up, provide the account credentials to the appropriate teachers or staff.
diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md
index 22d45b09fc..328b2f80a1 100644
--- a/education/windows/set-up-students-pcs-to-join-domain.md
+++ b/education/windows/set-up-students-pcs-to-join-domain.md
@@ -43,7 +43,7 @@ Follow the steps in [Provision PCs with common settings for initial deployment (
**Figure 7** - Add the account to use for test-taking
- 
+ 
The account can be in one of the following formats:
- username
diff --git a/education/windows/set-up-students-pcs-with-apps.md b/education/windows/set-up-students-pcs-with-apps.md
index 7d803777e5..f0bb65fa78 100644
--- a/education/windows/set-up-students-pcs-with-apps.md
+++ b/education/windows/set-up-students-pcs-with-apps.md
@@ -35,7 +35,7 @@ You can apply a provisioning package on a USB drive to off-the-shelf devices dur
2.
2. On the **Finish** page, select **Switch to advanced editor**.
- 
+ 
**Next steps**
- [Add a desktop app to your package](#add-a-desktop-app-to-your-package)
@@ -52,7 +52,7 @@ Use the Windows Imaging and Configuration Designer (ICD) tool included in the Wi
2. Click **Advanced provisioning**.
- 
+ 
3. Name your project and click **Next**.
@@ -89,17 +89,17 @@ Universal apps that you can distribute in the provisioning package can be line-o
2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Microsoft Store for Business, the package family name is listed in the **Package details** section of the download page.
- 
+ 
3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle).
4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page.
- 
+ 
5. For **DeviceContextAppLicense**, enter the **LicenseProductID**. In Microsoft Store for Business, you generate the license for the app on the app's download page.
- 
+ 
[Learn more about distributing offline apps from the Microsoft Store for Business.](/microsoft-store/distribute-offline-apps)
@@ -168,7 +168,7 @@ If your build is successful, the name of the provisioning package, output direct
**During initial setup, from a USB drive**
1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
- 
+ 
2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
@@ -176,11 +176,11 @@ If your build is successful, the name of the provisioning package, output direct
3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
- 
+ 
4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
- 
+ 
5. Select **Yes, add it**.
@@ -188,11 +188,11 @@ If your build is successful, the name of the provisioning package, output direct
6. Read and accept the Microsoft Software License Terms.
- 
+ 
7. Select **Use Express settings**.
- 
+ 
8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**.
@@ -200,18 +200,18 @@ If your build is successful, the name of the provisioning package, output direct
9. On the **Choose how you'll connect** screen, select **Join Azure AD** or **Join a domain** and tap **Next**.
- 
+ 
10. Sign in with your domain, Azure AD, or Office 365 account and password. When you see the progress ring, you can remove the USB drive.
- 
+ 
**After setup, from a USB drive, network folder, or SharePoint site**
On a desktop computer, navigate to **Settings** > **Accounts** > **Work access** > **Add or remove a management package** > **Add a package**, and select the package to install.
-
+
-->
diff --git a/education/windows/set-up-windows-10.md b/education/windows/set-up-windows-10.md
index b401df97ef..e1acdf9f1d 100644
--- a/education/windows/set-up-windows-10.md
+++ b/education/windows/set-up-windows-10.md
@@ -27,7 +27,7 @@ Choose the tool that is appropriate for how your students will sign in (Active D
You can use the following diagram to compare the tools.
-
+
## In this section
diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md
index 3044c770e5..10e2d2f7e0 100644
--- a/education/windows/take-a-test-multiple-pcs.md
+++ b/education/windows/take-a-test-multiple-pcs.md
@@ -39,7 +39,7 @@ If you set up Take a Test, this adds a **Take a Test** button on the student PC'
**Figure 1** - Configure Take a Test in the Set up School PCs app
-
+
### Set up a test account in Intune for Education
You can set up a test-taking account in Intune for Education. To do this, follow these steps:
@@ -49,7 +49,7 @@ You can set up a test-taking account in Intune for Education. To do this, follow
**Figure 2** - Add a test profile in Intune for Education
- 
+ 
3. In the new profile page:
1. Enter a name for the profile.
@@ -60,7 +60,7 @@ You can set up a test-taking account in Intune for Education. To do this, follow
**Figure 3** - Add information about the test profile
- 
+ 
After you save the test profile, you will see a summary of the settings that you configured for Take a Test. Next, you'll need to assign the test profile to a group that will be using the test account.
@@ -68,13 +68,13 @@ You can set up a test-taking account in Intune for Education. To do this, follow
**Figure 4** - Assign the test account to a group
- 
+ 
5. In the **Groups** page, click **Change group assignments**.
**Figure 5** - Change group assignments
- 
+ 
6. In the **Change group assignments** page:
1. Select a group from the right column and click **Add Members** to select the group and assign the test-taking account to that group. You can select more than one group.
@@ -82,7 +82,7 @@ You can set up a test-taking account in Intune for Education. To do this, follow
**Figure 6** - Select the group(s) that will use the test account
- 
+ 
And that's it! When the students from the selected group sign in to the student PCs using the Take a Test user name that you selected, the PC will be locked down and Take a Test will open the assessment URL and students can start taking tests.
@@ -136,7 +136,7 @@ To set up a test account through Windows Configuration Designer, follow these st
**Figure 7** - Add the account to use for test-taking
- 
+ 
The account can be in one of the following formats:
- username
diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md
index 1286a5aec8..9d26301975 100644
--- a/education/windows/take-a-test-single-pc.md
+++ b/education/windows/take-a-test-single-pc.md
@@ -30,13 +30,13 @@ To configure the assessment URL and a dedicated testing account on a single PC,
**Figure 1** - Use the Settings app to set up a test-taking account
- 
+ 
4. In the **Set up an account for taking tests** window, choose an existing account to use as the dedicated testing account.
**Figure 2** - Choose the test-taking account
- 
+ 
> [!NOTE]
> If you don't have an account on the device, you can create a new account. To do this, go to **Settings > Accounts > Other people > Add someone else to this PC > I don’t have this person’s sign-in information > Add a user without a Microsoft account**.
diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md
index 7e016c22c0..f9ba6a9479 100644
--- a/education/windows/take-tests-in-windows-10.md
+++ b/education/windows/take-tests-in-windows-10.md
@@ -32,7 +32,7 @@ Many schools use online testing for formative and summative assessments. It's cr
## How to use Take a Test
-
+
There are several ways to configure devices for assessments, depending on your use case:
diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md
index 136499ee4c..6f0d1d4341 100644
--- a/education/windows/teacher-get-minecraft.md
+++ b/education/windows/teacher-get-minecraft.md
@@ -65,7 +65,7 @@ After Minecraft: Education Edition licenses have been purchased, either directly
- You can assign the app to others.
- You can download the app to distribute.
-
+
### Install for me
You can install the app on your PC. This gives you a chance to work with the app before using it with your students.
@@ -73,7 +73,7 @@ You can install the app on your PC. This gives you a chance to work with the app
1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com).
2. Click **Manage**, and then click **Install**.
-
+
3. Click **Install**.
@@ -84,13 +84,13 @@ Enter email addresses for your students, and each student will get an email with
1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com).
2. Click **Manage**.
-
+
3. Click **Invite people**.
4. Type the name, or email address of the student or group you want to assign the app to, and then click **Assign**.
- 
+ 
You can assign the app to students with work or school accounts.
If you don't find the student, you can still assign the app to them if self-service sign up is supported for your domain. Students will receive an email with a link to Microsoft 365 admin center where they can create an account, and then install **Minecraft: Education Edition**. Questions about self-service sign up? Check with your admin.
@@ -100,20 +100,20 @@ Enter email addresses for your students, and each student will get an email with
Students will receive an email with a link that will install the app on their PC.
-
+
1. Click **Get the app** to start the app install in Microsoft Store app.
2. In Microsoft Store app, click **Install**.
- 
+ 
After installing the app, students can find Minecraft: Education Edition in Microsoft Store app under **My Library**.
- 
+ 
When students click **My Library** they'll find apps assigned to them.
- 
+ 
### Download for others
Download for others allows teachers or IT admins to download a packages that they can install on student PCs. This will install Minecraft: Education Edition on the PC, and allows anyone with a Windows account to use the app on that PC. This option is best for students, and for shared computers. Choose this option when:
@@ -132,11 +132,11 @@ Minecraft: Education Edition will not install if there are updates pending for o
1. Start Microsoft Store app on the PC (click **Start**, and type **Store**).
2. Click the account button, and then click **Downloads and updates**.
- 
+ 
3. Click **Check for updates**, and install all available updates.
- 
+ 
4. Restart the computer before installing Minecraft: Education Edition.
@@ -145,7 +145,7 @@ You'll download a .zip file, extract the files, and then use one of the files to
1. **Download Minecraft Education Edition.zip**. From the **Minecraft: Education Edition** page, click **Download for others** tab, and then click **Download**.
- 
+ 
2. **Extract files**. Find the .zip file that you downloaded and extract the files. This is usually your **Downloads** folder, unless you chose to save the .zip file to a different location. Right-click the file and choose **Extract all**.
3. **Save to USB drive**. After you've extracted the files, save the Minecraft: Education Edition folder to a USB drive, or to a network location that you can access from each PC.
diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md
index 3f31119391..ca36e12e5a 100644
--- a/education/windows/use-set-up-school-pcs-app.md
+++ b/education/windows/use-set-up-school-pcs-app.md
@@ -103,7 +103,7 @@ We strongly recommend that you avoid changing preset policies. Changes can slow
The **Set up School PCs** app guides you through the configuration choices for the student PCs. To begin, open the app on your PC and click **Get started**.
- 
+ 
### Package name
Type a unique name to help distinguish your school's provisioning packages. The name appears:
diff --git a/smb/cloud-mode-business-setup.md b/smb/cloud-mode-business-setup.md
index 4294d7199e..3b6a109ef3 100644
--- a/smb/cloud-mode-business-setup.md
+++ b/smb/cloud-mode-business-setup.md
@@ -18,7 +18,7 @@ ms.topic: conceptual
# Get started: Deploy and manage a full cloud IT solution for your business
-
+
**Applies to:**
@@ -61,7 +61,7 @@ If this is the first time you're setting this up, and you'd like to see how it's
**Figure 1** - Try or buy Office 365
- 
+ 
2. Fill out the sign up form and provide information about you and your company.
3. Create a user ID and password to use to sign into your account.
@@ -76,7 +76,7 @@ If this is the first time you're setting this up, and you'd like to see how it's
**Figure 2** - Microsoft 365 admin center
- 
+ 
6. Select the **Admin** tile to go to the admin center.
@@ -86,7 +86,7 @@ If this is the first time you're setting this up, and you'd like to see how it's
**Figure 3** - Admin center
- 
+ 
8. Go back to the
admin center to add or buy a domain.
@@ -94,14 +94,14 @@ If this is the first time you're setting this up, and you'd like to see how it's
**Figure 4** - Option to add or buy a domain
- 
+ 
2. In the **Home > Domains** page, you will see the Microsoft-provided domain, such as *fabrikamdesign.onmicrosoft.com*.
**Figure 5** - Microsoft-provided domain
- 
+ 
- If you already have a domain, select **+ Add domain** to add your existing domain. If you select this option, you'll be required to verify that you own the domain. Follow the steps in the wizard to verify your domain.
- If you don't already own a domain, select **+ Buy domain**. If you're using a trial plan, you'll be required to upgrade your trial plan in order to buy a domain. Choose the subscription plan to use for your business and provide the details to complete your order.
@@ -110,7 +110,7 @@ If this is the first time you're setting this up, and you'd like to see how it's
**Figure 6** - Domains
- 
+ 
### 1.2 Add users and assign product licenses
Once you've set up Office and added your domain, it's time to add users so they have access to Office 365. People in your organization need an account before they can sign in and access Office 365. The easiest way to add users is to add them one at a time in the Microsoft 365 admin center.
@@ -123,7 +123,7 @@ When adding users, you can also assign admin privileges to certain users in your
**Figure 7** - Add users
- 
+ 
2. In the **Home > Active users** page, add users individually or in bulk.
- To add users one at a time, select **+ Add a user**.
@@ -132,7 +132,7 @@ When adding users, you can also assign admin privileges to certain users in your
**Figure 8** - Add an individual user
- 
+ 
- To add multiple users at once, select **More** and then choose **+ Import multiple users**. If you select this option, you'll need to create and upload a CSV file containing the list of users.
@@ -140,13 +140,13 @@ When adding users, you can also assign admin privileges to certain users in your
**Figure 9** - Import multiple users
- 
+ 
3. Verify that all the users you added appear in the list of **Active users**. The **Status** should indicate the product licenses that were assigned to them.
**Figure 10** - List of active users
- 
+ 
### 1.3 Add Microsoft Intune
Microsoft Intune provides mobile device management, app management, and PC management capabilities from the cloud. Using Intune, organizations can provide their employees with access to apps, data, and corporate resources from anywhere on almost any device while helping to keep corporate information secure. To learn more, see
What is Intune?
@@ -160,14 +160,14 @@ Microsoft Intune provides mobile device management, app management, and PC manag
**Figure 11** - Assign Intune licenses
- 
+ 
5. In the admin center, confirm that **Intune** shows up in the list under **Admin centers**. If it doesn't, sign out and then sign back in and then check again.
6. Select **Intune**. This will take you to the Intune management portal.
**Figure 12** - Microsoft Intune management portal
- 
+ 
Intune should now be added to your tenant. We'll come back to Intune later when we [Configure Microsoft Store for Business for app distribution](#17-configure-microsoft-store-for-business-for-app-distribution).
@@ -185,21 +185,21 @@ Microsoft Azure is an open and flexible cloud platform that enables you to quick
**Figure 13** - Access to Azure AD is not available
- 
+ 
3. From the error message, select the country/region for your business. This should match with the location you specified when you signed up for Office 365.
4. Click **Azure subscription**. This will take you to a free trial sign up screen.
**Figure 14** - Sign up for Microsoft Azure
- 
+ 
5. In the **Free trial sign up** screen, fill in the required information and then click **Sign up**.
6. After you sign up, you should see the message that your subscription is ready. Click **Start managing my service**.
**Figure 15** - Start managing your Azure subscription
- 
+ 
This will take you to the
Microsoft Azure portal.
@@ -216,26 +216,26 @@ To add Azure AD group(s), we will use the
Microsoft Store for Business using the same tenant account that you used to sign into Intune.
4. Accept the EULA.
@@ -312,20 +312,20 @@ In this part of the walkthrough, we'll be working on the
Intune management portal, select **Admin > Mobile Device Management**, expand **Windows**, and then choose **Store for Business**.
8. In the **Microsoft Store for Business** page, select **Configure Sync** to sync your Store for Business volume-purchased apps with Intune.
**Figure 26** - Configure Store for Business sync in Intune
- 
+ 
9. In the **Configure Microsoft Store for Business app sync** dialog box, check **Enable Microsoft Store for Business sync**. In the **Language** dropdown list, choose the language in which you want apps from the Store to be displayed in the Intune console and then click **OK**.
**Figure 27** - Enable Microsoft Store for Business sync in Intune
- 
+ 
The **Microsoft Store for Business** page will refresh and it will show the details from the sync.
@@ -348,7 +348,7 @@ In the following example, we'll show you how to buy apps through the Microsoft S
**Figure 28** - Shop for Store apps
- 
+ 
2. Click to select an app, such as **Reader**. This opens the app page.
3. In the app's Store page, click **Get the app**. You should see a dialog that confirms your order. Click **Close**. This will refresh the app's Store page.
@@ -358,7 +358,7 @@ In the following example, we'll show you how to buy apps through the Microsoft S
**Figure 29** - App inventory shows the purchased apps
- 
+ 
> [!NOTE]
> Sync happens automatically, but it may take up to 24 hours for your organization's private store and 12 hours for Intune to sync all your purchased apps. You can force a sync to make this process happen faster. For more info, see [To sync recently purchased apps](#forceappsync).
@@ -372,7 +372,7 @@ If you need to sync your most recently purchased apps and have it appear in your
**Figure 30** - Force a sync in Intune
- 
+ 
**To view purchased apps**
- In the
Intune management portal, select **Apps > Apps** and then choose **Volume-Purchased Apps** to see the list of available apps. Verify that the apps you purchased were imported correctly.
@@ -393,7 +393,7 @@ To set up new Windows devices, go through the Windows initial device setup or fi
**Figure 31** - First screen in Windows device setup
- 
+ 
> [!NOTE]
> During setup, if you don't have a Wi-Fi network configured, make sure you connect the device to the Internet through a wired/Ethernet connection.
@@ -403,13 +403,13 @@ To set up new Windows devices, go through the Windows initial device setup or fi
**Figure 32** - Choose how you'll connect your Windows device
- 
+ 
4. In the **Let's get you signed in** screen, sign in using one of the user accounts you added in section [1.2 Add users and assign product licenses](#12-add-users-and-assign-product-licenses). We suggest signing in as one of the global administrators. Later, sign in on another device using one of the non-admin accounts.
**Figure 33** - Sign in using one of the accounts you added
- 
+ 
5. If this is the first time you're signing in, you will be asked to update your password. Update the password and continue with sign-in and setup.
@@ -430,7 +430,7 @@ In the
Intune management
**Figure 34** - Check the PC name on your device
- 
+ 
2. Log in to the Intune management portal.
3. Select **Groups** and then go to **Devices**.
@@ -441,7 +441,7 @@ In the
Intune management
**Figure 35** - Check that the device appears in Intune
- 
+ 
## 3. Manage device settings and features
You can use Microsoft Intune admin settings and policies to manage features on your organization's mobile devices and computers. For more info, see [Manage settings and features on your devices with Microsoft Intune policies](/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies).
@@ -460,7 +460,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the
**Figure 36** - Reconfigure an app's deployment setting in Intune
- 
+ 
6. Click **Finish**.
7. Repeat steps 2-6 for other apps that you want to deploy to the device(s) as soon as possible.
@@ -470,7 +470,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the
**Figure 37** - Confirm that additional apps were deployed to the device
- 
+ 
### 3.2 Configure other settings in Intune
@@ -486,7 +486,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the
**Figure 38** - Add a configuration policy
- 
+ 
7. Click **Save Policy**. A confirmation window will pop up.
8. On the **Deploy Policy** confirmation window, select **Yes** to deploy the policy now.
@@ -495,7 +495,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the
**Figure 39** - The new policy should appear in the **Policies** list.
- 
+ 
**To turn off Windows Hello and PINs during device setup**
1. In the Intune management portal, select **Admin**.
@@ -504,7 +504,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the
**Figure 40** - Policy to disable Windows Hello for Business
- 
+ 
4. Click **Save**.
@@ -531,32 +531,32 @@ For other devices, such as those personally-owned by employees who need to conne
**Figure 41** - Add an Azure AD account to the device
- 
+ 
4. In the **Let's get you signed in** window, enter the work credentials for the account and then click **Sign in** to authenticate the user.
**Figure 42** - Enter the account details
- 
+ 
5. You will be asked to update the password so enter a new password.
6. Verify the details to make sure you're connecting to the right organization and then click **Join**.
**Figure 43** - Make sure this is your organization
- 
+ 
7. You will see a confirmation window that says the device is now connected to your organization. Click **Done**.
**Figure 44** - Confirmation that the device is now connected
- 
+ 
8. The **Connect to work or school** window will refresh and will now include an entry that shows you're connected to your organization's Azure AD. This means the device is now registered in Azure AD and enrolled in MDM and the account should have access to the organization's resources.
**Figure 45** - Device is now enrolled in Azure AD
- 
+ 
9. You can confirm that the new device and user are showing up as Intune-managed by going to the
Intune management portal and following the steps in [2.3 Verify the device is Azure AD joined](#23-verify-the-device-is-azure-ad-joined). It may take several minutes before the new device shows up so check again later.
diff --git a/smb/index.md b/smb/index.md
index cc4c596a1c..a6ae7f1200 100644
--- a/smb/index.md
+++ b/smb/index.md
@@ -17,16 +17,16 @@ audience: itpro
# Windows 10 for SMB
-
+
-##  Learn
+##  Learn
Windows 10 for business
Learn how Windows 10 and Windows devices can help your business.
SMB blog
Read about the latest stories, technology insights, and business strategies for SMBs.
How to buy
Go here when you're ready to buy or want to learn more about Microsoft products you can use to help transform your business.
-##  Deploy
+##  Deploy
Get started: Deploy and manage a full cloud IT solution for your business
Find out how easy it is to deploy and manage a full cloud IT solution for your small to midsize business using Microsoft cloud services and tools.
diff --git a/store-for-business/acquire-apps-microsoft-store-for-business.md b/store-for-business/acquire-apps-microsoft-store-for-business.md
index 73c2ce1f3d..882b7e57ba 100644
--- a/store-for-business/acquire-apps-microsoft-store-for-business.md
+++ b/store-for-business/acquire-apps-microsoft-store-for-business.md
@@ -55,7 +55,7 @@ There are a couple of things we need to know when you pay for apps. You can add
2. Select **Manage**, and then select **Settings**.
3. On **Shop**, , under **Shopping behavior**, turn on or turn off **Allow users to shop**.
-
+
## Allow app requests
diff --git a/store-for-business/billing-understand-your-invoice-msfb.md b/store-for-business/billing-understand-your-invoice-msfb.md
index 26bb2598f8..bee1e82435 100644
--- a/store-for-business/billing-understand-your-invoice-msfb.md
+++ b/store-for-business/billing-understand-your-invoice-msfb.md
@@ -51,7 +51,7 @@ invoice and descriptions for each term.
The **Invoice Summary** is on the top of the first page and shows information about your billing profile and how you pay.
-
+
| Term | Description |
@@ -68,7 +68,7 @@ The **Invoice Summary** is on the top of the first page and shows information ab
The **Billing Summary** shows the charges against the billing profile since the previous billing period, any credits that were applied, tax, and the total amount due.
-
+
| Term | Description |
| --- | --- |
@@ -91,7 +91,7 @@ The total amount due for each service family is calculated by subtracting Azure
`Total = Charges/Credits - Azure Credit + Tax`
-
+
| Term |Description |
| --- | --- |
diff --git a/store-for-business/microsoft-store-for-business-education-powershell-module.md b/store-for-business/microsoft-store-for-business-education-powershell-module.md
index bb29be21a9..3bdd7d61bc 100644
--- a/store-for-business/microsoft-store-for-business-education-powershell-module.md
+++ b/store-for-business/microsoft-store-for-business-education-powershell-module.md
@@ -91,7 +91,7 @@ Get-MSStoreInventory
>1. Sign in to [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkId=691845) or [Microsoft Store for Education](https://businessstore.microsoft.com/).
>2. Click **Manage** and then choose **Apps & software**.
>3. Click the line-of-business app. The URL of the page will contain the product ID and SKU as part of the URL. For example:
->
+>
## View people assigned to a product
Most items in **Products and Services** in **Microsoft Store for Business and Education** need to be assigned to people in your org. You can view the people in your org assigned to a specific product by using these commands:
diff --git a/store-for-business/troubleshoot-microsoft-store-for-business.md b/store-for-business/troubleshoot-microsoft-store-for-business.md
index 784e422a8a..0a66d2a739 100644
--- a/store-for-business/troubleshoot-microsoft-store-for-business.md
+++ b/store-for-business/troubleshoot-microsoft-store-for-business.md
@@ -36,23 +36,23 @@ The private store for your organization is a page in Microsoft Store app that co
1. Click the people icon in Microsoft Store app, and click **Sign in**.
- 
+ 
2. Click **Add account**, and then click **Work or school account**.
- 
+ 
3. Type the email account and password, and click **Sign in**.
- 
+ 
4. You should see the private store for your organization. In our example, the page is named **Contoso publishing**.
- 
+ 
Click the private store to see apps in your private store.
- 
+ 
## Troubleshooting Microsoft Store for Business integration with Microsoft Endpoint Configuration Manager
diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md
index 66f34fdabe..4b0cd1e47d 100644
--- a/store-for-business/whats-new-microsoft-store-business-education.md
+++ b/store-for-business/whats-new-microsoft-store-business-education.md
@@ -26,7 +26,7 @@ Microsoft Store for Business and Education regularly releases new and improved f
:::row:::
:::column span="1":::
- 
+ 
:::column-end:::
:::column span="1":::
**Use security groups with Private store apps**
On the details page for apps in your private store, you can set **Private store availability**. This allows you to choose which security groups can see an app in the private store.
[Get more info](./app-inventory-management-microsoft-store-for-business.md#private-store-availability)
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education
@@ -38,7 +38,7 @@ Microsoft Store for Business and Education regularly releases new and improved f
We’ve been working on bug fixes and performance improvements to provide you a better experience. Stay tuned for new features!
| | |
|-----------------------|---------------------------------|
-|  |**Performance improvements in private store**
We've made it significantly faster for you to update the private store. Many changes to the private store are available immediately after you make them.
[Get more info](./manage-private-store-settings.md#private-store-performance)
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education |
+|  |**Performance improvements in private store**
We've made it significantly faster for you to update the private store. Many changes to the private store are available immediately after you make them.
[Get more info](./manage-private-store-settings.md#private-store-performance)
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education |
|
| **Manage Windows device deployment with Windows Autopilot Deployment**
In Microsoft Store for Business, you can manage devices for your organization and apply an Autopilot deployment profile to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows, based on the Autopilot deployment profile you applied to the device.
[Get more info](add-profile-to-devices.md)
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education |
|  |**Request an app**
People in your organization can request additional licenses for apps in your private store, and then Admins or Purchasers can make the purchases.
[Get more info](./acquire-apps-microsoft-store-for-business.md#request-apps)
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education |
||  |**Private store collections**
You can groups of apps in your private store with **Collections**. This can help you organize apps and help people find apps for their job or classroom.
[Get more info](https://review.docs.microsoft.com/microsoft-store/manage-private-store-settings?branch=msfb-14856406#add-a-collection)
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education |
diff --git a/store-for-business/working-with-line-of-business-apps.md b/store-for-business/working-with-line-of-business-apps.md
index 2150c9e7c3..8efc8effad 100644
--- a/store-for-business/working-with-line-of-business-apps.md
+++ b/store-for-business/working-with-line-of-business-apps.md
@@ -46,7 +46,7 @@ You'll need to set up:
- LOB publishers need to have an app in Microsoft Store, or have an app ready to submit to the Store.
The process and timing look like this:
-
+
##
Add an LOB publisher (Admin)
Admins need to invite developer or ISVs to become an LOB publisher.
diff --git a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
index b0bdee5283..130ad633ee 100644
--- a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
+++ b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
@@ -423,7 +423,7 @@ The process then configures the client for package or connection group additions
This completes an App-V package add for the publishing refresh process. The next step is publishing the package to a specific target (machine or user).
-
+
**Package add file and registry data**
@@ -454,7 +454,7 @@ During the Publishing Refresh operation, the specific publishing operation, **Pu
Publishing an App-V Package that is part of a Connection Group is very similar to the above process. For connection groups, the path that stores the specific catalog information includes PackageGroups as a child of the Catalog Directory. Review the Machine and User Catalog information in the preceding sections for details.
-
+
**Package add file and registry data—global**
@@ -481,7 +481,7 @@ After the Publishing Refresh process, the user launches and then relaunches an A
7. The Application launches. For any missing files in the package store (sparse files), App-V will stream fault the files on an as-needed basis.
- 
+ 
**Package add file and registry data—stream**
diff --git a/windows/application-management/app-v/appv-deployment-checklist.md b/windows/application-management/app-v/appv-deployment-checklist.md
index 501a6eae9f..4183212c31 100644
--- a/windows/application-management/app-v/appv-deployment-checklist.md
+++ b/windows/application-management/app-v/appv-deployment-checklist.md
@@ -20,9 +20,9 @@ This checklist outlines the recommended steps and items to consider when deployi
|Status|Task|References|Notes|
|---|---|---|---|
-||Prepare the computing environment for App-V deployment during your planning phase.|[App-V planning checklist](appv-planning-checklist.md)||
-||Review App-V's supported configurations.|[App-V supported configurations](appv-supported-configurations.md)||
-||Run App-V Setup to deploy the required App-V features for your environment.|[How to install the sequencer](appv-install-the-sequencer.md)
[Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md)
[How to deploy the App-V server](appv-deploy-the-appv-server.md)||
+||Prepare the computing environment for App-V deployment during your planning phase.|[App-V planning checklist](appv-planning-checklist.md)||
+||Review App-V's supported configurations.|[App-V supported configurations](appv-supported-configurations.md)||
+||Run App-V Setup to deploy the required App-V features for your environment.|[How to install the sequencer](appv-install-the-sequencer.md)
[Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md)
[How to deploy the App-V server](appv-deploy-the-appv-server.md)||
>[!NOTE]
>Keep track of server names and associated URLs you create during installation. You'll need this information throughout the installation process.
diff --git a/windows/application-management/app-v/appv-install-the-sequencer.md b/windows/application-management/app-v/appv-install-the-sequencer.md
index e8785b3d7f..9bde5d0531 100644
--- a/windows/application-management/app-v/appv-install-the-sequencer.md
+++ b/windows/application-management/app-v/appv-install-the-sequencer.md
@@ -28,7 +28,7 @@ The App-V Sequencer is included in the Windows 10 Assessment and Deployment Kit
1. Go to [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit).
2. Select the **Get Windows ADK for Windows 10** button on the page to start the ADK installer. Make sure that **Microsoft Application Virtualization (App-V) Sequencer** is selected during the installation.
- 
+ 
3. To open the Sequencer, go to the **Start** menu and select **Microsoft Application Virtualization (App-V) Sequencer**.
See [Creating and managing virtual applications](appv-creating-and-managing-virtualized-applications.md) and the [Application Virtualization Sequencing Guide](https://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V%205.0%20Sequencing%20Guide.docx) for information about creating virtual applications with the Sequencer.
diff --git a/windows/application-management/app-v/appv-planning-checklist.md b/windows/application-management/app-v/appv-planning-checklist.md
index e838f04c45..50887ca724 100644
--- a/windows/application-management/app-v/appv-planning-checklist.md
+++ b/windows/application-management/app-v/appv-planning-checklist.md
@@ -23,12 +23,12 @@ This checklist can be used to help you plan for preparing your organization for
|Status|Task|References|Notes|
|---|---|---|---|
-||Review the getting started information about App-V to gain a basic understanding of the product before beginning deployment planning.|[Getting started with App-V](appv-getting-started.md)||
-||Plan for App-V deployment prerequisites and prepare your computing environment.|[App-V prerequisites](appv-prerequisites.md)||
-||If you plan to use the App-V management server, plan for the required roles.|[Planning for the App-V server deployment](appv-planning-for-appv-server-deployment.md)||
-||Plan for the App-V sequencer and client to create and run virtualized applications.|[Planning for the App-V Sequencer and client deployment](appv-planning-for-sequencer-and-client-deployment.md)||
-||If applicable, review the options and steps for migrating from a previous version of App-V.|[Migrating to App-V from a previous version](appv-migrating-to-appv-from-a-previous-version.md)||
-||Decide whether to configure App-V clients in Shared Content Store mode.|[Deploying the App-V Sequencer and configuring the client](appv-deploying-the-appv-sequencer-and-client.md)||
+||Review the getting started information about App-V to gain a basic understanding of the product before beginning deployment planning.|[Getting started with App-V](appv-getting-started.md)||
+||Plan for App-V deployment prerequisites and prepare your computing environment.|[App-V prerequisites](appv-prerequisites.md)||
+||If you plan to use the App-V management server, plan for the required roles.|[Planning for the App-V server deployment](appv-planning-for-appv-server-deployment.md)||
+||Plan for the App-V sequencer and client to create and run virtualized applications.|[Planning for the App-V Sequencer and client deployment](appv-planning-for-sequencer-and-client-deployment.md)||
+||If applicable, review the options and steps for migrating from a previous version of App-V.|[Migrating to App-V from a previous version](appv-migrating-to-appv-from-a-previous-version.md)||
+||Decide whether to configure App-V clients in Shared Content Store mode.|[Deploying the App-V Sequencer and configuring the client](appv-deploying-the-appv-sequencer-and-client.md)||
diff --git a/windows/application-management/enterprise-background-activity-controls.md b/windows/application-management/enterprise-background-activity-controls.md
index d123957cd1..0a72c19e87 100644
--- a/windows/application-management/enterprise-background-activity-controls.md
+++ b/windows/application-management/enterprise-background-activity-controls.md
@@ -23,15 +23,15 @@ Enterprise users want the same ability to enable or limit background activity. I
Users have the ability to control background activity for their device through two interfaces in the **Settings** app: the **Background apps** page and the **Battery usage by app** page. The **Background apps** page has a master switch to turn background activity on or off for all apps, and provides individual switches to control each app's ability to run in the background.
-
+
The **Battery usage by app** page allows fine-grained tuning of background activity. Users have the ability to set background activity to by **Managed By Windows**, as well as turning it on or off for each app. Only devices with a battery have this page available in the **Settings** app. Here is the set of available controls on desktop:
-
+
Here is the set of available controls for mobile devices:
-
+
Although the user interface differs across editions of the operating system, the policy and developer interface is consistent across Windows 10. For more information about these controls, see [Optimize background activity](/windows/uwp/debug-test-perf/optimize-background-activity).
diff --git a/windows/application-management/per-user-services-in-windows.md b/windows/application-management/per-user-services-in-windows.md
index 0cda2dc8c9..4483687ba8 100644
--- a/windows/application-management/per-user-services-in-windows.md
+++ b/windows/application-management/per-user-services-in-windows.md
@@ -102,19 +102,19 @@ If a per-user service can't be disabled using a the security template, you can d
5. Right-click **Registry** > **New** > **Registry Item**.
- 
+ 
6. Make sure that HKEY_Local_Machine is selected for Hive and then click ... (the ellipses) next to Key Path.
- 
+ 
7. Browse to **System\CurrentControlSet\Services\PimIndexMaintenanceSvc**. In the list of values, highlight **Start** and click **Select**.
- 
+ 
8. Change **Value data** from **00000003** to **00000004** and click **OK**. Note setting the Value data to **4** = **Disabled**.
- 
+ 
9. To add the other services that cannot be managed with a Group Policy templates, edit the policy and repeat steps 5-8.
@@ -140,14 +140,14 @@ REG.EXE ADD HKLM\System\CurrentControlSet\Services\WpnUserService /v Start /t RE
If you cannot use Group Policy preferences to manage the per-user services, you can edit the registry with regedit.exe. To disable the template services, change the Startup Type for each service to 4 (disabled):
-
+
> [!CAUTION]
> We recommend that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the Registry Editor or by the Windows operating system before they are applied. As a result, incorrect values can be stored, and this can result in unrecoverable errors in the system. When possible, instead of editing the registry directly, use Group Policy or other Windows tools such as the Microsoft Management Console (MMC) to accomplish tasks. If you must edit the registry, use extreme caution.
Beginning with Windows 10, version 1709 and Windows Server, version 1709, you can prevent the per-user service from being created by setting **UserServiceFlags** to 0 under the same service configuration in the registry:
-
+
### Manage template services by modifying the Windows image
@@ -186,4 +186,4 @@ For example, you might see the following per-user services listed in the Service
You can query the service configuration from the command line. The **Type** value indicates whether the service is a user-service template or user-service instance.
-
\ No newline at end of file
+
\ No newline at end of file
diff --git a/windows/application-management/svchost-service-refactoring.md b/windows/application-management/svchost-service-refactoring.md
index 4130fde7e5..8482a3497c 100644
--- a/windows/application-management/svchost-service-refactoring.md
+++ b/windows/application-management/svchost-service-refactoring.md
@@ -48,11 +48,11 @@ Refactoring also makes it easier to view running processes in Task Manager. You
For example, here are the running processes displayed in Task Manager in Windows 10 version 1607:
-
+
Compare that to the same view of running processes in Windows 10 version 1703:
-
+
@@ -66,7 +66,7 @@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
The default value of **1** prevents the service from being split.
For example, this is the registry key configuration for BFE:
-
+
## Memory footprint
@@ -77,7 +77,7 @@ Consider the following:
|Grouped Services (< 3.5GB) | Split Services (3.5GB+)
|--------------------------------------- | ------------------------------------------ |
-| | |
+| | |
> [!NOTE]
> The above represents the peak observed values.
diff --git a/windows/client-management/administrative-tools-in-windows-10.md b/windows/client-management/administrative-tools-in-windows-10.md
index 260944a53c..6da0fdfdb9 100644
--- a/windows/client-management/administrative-tools-in-windows-10.md
+++ b/windows/client-management/administrative-tools-in-windows-10.md
@@ -23,11 +23,11 @@ ms.topic: article
Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users.
-
+
The tools in the folder might vary depending on which edition of Windows you are using.
-
+
These tools were included in previous versions of Windows. The associated documentation for each tool should help you use these tools in Windows 10. The following list provides links to documentation for each tool. The tools are located within the folder C:\Windows\System32\ or its subfolders.
diff --git a/windows/client-management/advanced-troubleshooting-802-authentication.md b/windows/client-management/advanced-troubleshooting-802-authentication.md
index ac96c101cf..c2a8ea0c57 100644
--- a/windows/client-management/advanced-troubleshooting-802-authentication.md
+++ b/windows/client-management/advanced-troubleshooting-802-authentication.md
@@ -41,53 +41,53 @@ Check Windows Security Event log on the NPS Server for NPS events that correspon
In the event message, scroll to the very bottom, and then check the [Reason Code](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v%3dws.10)) field and the text that's associated with it.
- 
+ 
*Example: event ID 6273 (Audit Failure)*
- 
+ 
*Example: event ID 6272 (Audit Success)*
The WLAN AutoConfig operational log lists information and error events based on conditions detected by or reported to the WLAN AutoConfig service. The operational log contains information about the wireless network adapter, the properties of the wireless connection profile, the specified network authentication, and, in the event of connectivity problems, the reason for the failure. For wired network access, the Wired AutoConfig operational log is an equivalent one.
On the client side, go to **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\WLAN-AutoConfig/Operational** for wireless issues. For wired network access issues, go to **..\Wired-AutoConfig/Operational**. See the following example:
-
+
Most 802.1X authentication issues are because of problems with the certificate that's used for client or server authentication. Examples include invalid certificate, expiration, chain verification failure, and revocation check failure.
First, validate the type of EAP method that's used:
-
+
If a certificate is used for its authentication method, check whether the certificate is valid. For the server (NPS) side, you can confirm what certificate is being used from the EAP property menu. In **NPS snap-in**, go to **Policies** > **Network Policies**. Select and hold (or right-click) the policy, and then select **Properties**. In the pop-up window, go to the **Constraints** tab, and then select the **Authentication Methods** section.
-
+
The CAPI2 event log is useful for troubleshooting certificate-related issues.
By default, this log isn't enabled. To enable this log, expand **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\CAPI2**, select and hold (or right-click) **Operational**, and then select **Enable Log**.
-
+
For information about how to analyze CAPI2 event logs, see
[Troubleshooting PKI Problems on Windows Vista](/previous-versions/windows/it-pro/windows-vista/cc749296%28v=ws.10%29).
When troubleshooting complex 802.1X authentication issues, it's important to understand the 802.1X authentication process. Here's an example of wireless connection process with 802.1X authentication:
-
+
If you [collect a network packet capture](troubleshoot-tcpip-netmon.md) on both the client and the server (NPS) side, you can see a flow like the one below. Type **EAPOL** in the Display Filter for a client-side capture, and **EAP** for an NPS-side capture. See the following examples:
-
+
*Client-side packet capture data*
-
+
*NPS-side packet capture data*
> [!NOTE]
> If you have a wireless trace, you can also [view ETL files with network monitor](/windows/desktop/ndf/using-network-monitor-to-view-etl-files) and apply the **ONEX_MicrosoftWindowsOneX** and **WLAN_MicrosoftWindowsWLANAutoConfig** Network Monitor filters. If you need to load the required [parser](/archive/blogs/netmon/parser-profiles-in-network-monitor-3-4), see the instructions under the **Help** menu in Network Monitor. Here's an example:
-
+
## Audit policy
diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md
index 646585085e..d039c10c17 100644
--- a/windows/client-management/advanced-troubleshooting-boot-problems.md
+++ b/windows/client-management/advanced-troubleshooting-boot-problems.md
@@ -50,7 +50,7 @@ The kernel passes control to the session manager process (Smss.exe) which initia
Here is a summary of the boot sequence, what will be seen on the display, and typical boot problems at that point in the sequence. Before starting troubleshooting, you have to understand the outline of the boot process and display status to ensure that the issue is properly identified at the beginning of the engagement.
-
+
[Click to enlarge](img-boot-sequence.md)
diff --git a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
index ce4154396e..57d2cc10a8 100644
--- a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
+++ b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
@@ -152,7 +152,7 @@ The important components of the MSM include:
- Security Manager (SecMgr) - handles all pre and post-connection security operations.
- Authentication Engine (AuthMgr) – Manages 802.1x auth requests
- 
+ 
Each of these components has their own individual state machines which follow specific transitions.
Enable the **FSM transition, SecMgr Transition,** and **AuthMgr Transition** filters in TextAnalysisTool for more detail.
@@ -327,4 +327,4 @@ Copy and paste all the lines below and save them into a text file named "wifi.ta
In the following example, the **View** settings are configured to **Show Only Filtered Lines**.
-
\ No newline at end of file
+
\ No newline at end of file
diff --git a/windows/client-management/change-default-removal-policy-external-storage-media.md b/windows/client-management/change-default-removal-policy-external-storage-media.md
index 69fa51d4e4..d59710d70b 100644
--- a/windows/client-management/change-default-removal-policy-external-storage-media.md
+++ b/windows/client-management/change-default-removal-policy-external-storage-media.md
@@ -54,4 +54,4 @@ To change the policy for an external storage device:
7. Select the policy that you want to use.
- 
+ 
diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md
index 275869bf99..4d8f35673e 100644
--- a/windows/client-management/connect-to-remote-aadj-pc.md
+++ b/windows/client-management/connect-to-remote-aadj-pc.md
@@ -24,7 +24,7 @@ ms.topic: article
From its release, Windows 10 has supported remote connections to PCs joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](/azure/active-directory/devices/concept-azure-ad-join). Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics).
-
+
## Set up
@@ -40,7 +40,7 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu
2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**.
- 
+ 
3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users or groups to connect to the PC, you must allow remote connections for the specified users or groups. Users can be added either manually or through MDM policies:
diff --git a/windows/client-management/img-boot-sequence.md b/windows/client-management/img-boot-sequence.md
index b1077e5be6..6ce343dade 100644
--- a/windows/client-management/img-boot-sequence.md
+++ b/windows/client-management/img-boot-sequence.md
@@ -14,4 +14,4 @@ ms.prod: w10
Return to: [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)
-
+
diff --git a/windows/client-management/introduction-page-file.md b/windows/client-management/introduction-page-file.md
index 376916c1d3..9354d9c8c9 100644
--- a/windows/client-management/introduction-page-file.md
+++ b/windows/client-management/introduction-page-file.md
@@ -56,13 +56,13 @@ Page files extend how much "committed memory" (also known as "virtual memory") i
The system commit memory limit is the sum of physical memory and all page files combined. It represents the maximum system-committed memory (also known as the "system commit charge") that the system can support.
-
+
The system commit charge is the total committed or "promised" memory of all committed virtual memory in the system. If the system commit charge reaches the system commit limit, the system and processes might not get committed memory. This condition can cause freezing, crashing, and other malfunctions. Therefore, make sure that you set the system commit limit high enough to support the system commit charge during peak usage.
-
+
-
+
The system committed charge and system committed limit can be measured on the **Performance** tab in Task Manager or by using the "\Memory\Committed Bytes" and "\Memory\Commit Limit" performance counters. The \Memory\% Committed Bytes In Use counter is a ratio of \Memory\Committed Bytes to \Memory\Commit Limit values.
diff --git a/windows/client-management/manage-device-installation-with-group-policy.md b/windows/client-management/manage-device-installation-with-group-policy.md
index 263dd24430..db00986ab0 100644
--- a/windows/client-management/manage-device-installation-with-group-policy.md
+++ b/windows/client-management/manage-device-installation-with-group-policy.md
@@ -212,7 +212,7 @@ This policy setting will change the evaluation order in which Allow and Prevent
Some of these policies take precedence over other policies. The flowchart shown below illustrates how Windows processes them to determine whether a user can install a device or not, as shown in Figure below.
-
_Device Installation policies flow chart_
+
_Device Installation policies flow chart_
@@ -261,17 +261,17 @@ To find device identification strings using Device Manager
4. Find the “Printers” section and find the target printer
- 
_Selecting the printer in Device Manager_
+ 
_Selecting the printer in Device Manager_
5. Double-click the printer and move to the ‘Details’ tab.
- 
_Open the ‘Details’ tab to look for the device identifiers_
+ 
_Open the ‘Details’ tab to look for the device identifiers_
6. From the ‘Value’ window, copy the most detailed Hardware ID – we will use this in the policies.
- 
+ 
- 
_HWID and Compatible ID_
+ 
_HWID and Compatible ID_
> [!TIP]
> You can also determine your device identification strings by using the PnPUtil command-line utility. For more information, see [PnPUtil - Windows drivers](/windows-hardware/drivers/devtest/pnputil) in Microsoft Docs.
@@ -360,7 +360,7 @@ Creating the policy to prevent all printers from being installed:
6. Enter the printer class GUID you found above with the curly braces (this is important! Otherwise, it won’t work): {4d36e979-e325-11ce-bfc1-08002be10318}
- 
_List of prevent Class GUIDs_
+ 
_List of prevent Class GUIDs_
7. Click ‘OK’.
@@ -399,7 +399,7 @@ Getting the right device identifier to prevent it from being installed:
1. Get your printer’s Hardware ID – in this example we will use the identifier we found previously
- 
_Printer Hardware ID_
+ 
_Printer Hardware ID_
2. Write down the device ID (in this case Hardware ID) – WSDPRINT\CanonMX920_seriesC1A0; Take the more specific identifier to make sure you block a specific printer and not a family of printers
@@ -417,7 +417,7 @@ Creating the policy to prevent a single printer from being installed:
5. Enter the printer device ID you found above – WSDPRINT\CanonMX920_seriesC1A0
- 
_Prevent Device ID list_
+ 
_Prevent Device ID list_
6. Click ‘OK’.
@@ -477,7 +477,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one
6. Enter the printer class GUID you found above with the curly braces (this is important! Otherwise, it won’t work): {4d36e979-e325-11ce-bfc1-08002be10318}
- 
_List of prevent Class GUIDs_
+ 
_List of prevent Class GUIDs_
7. Click ‘OK’.
@@ -489,7 +489,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one
- 
_Apply layered order of evaluation policy_
+ 
_Apply layered order of evaluation policy_
9. Now Open **Allow installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button.
@@ -497,7 +497,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one
11. Enter the printer device ID you found above: WSDPRINT\CanonMX920_seriesC1A0.
- 
_Allow Printer Hardware ID_
+ 
_Allow Printer Hardware ID_
12. Click ‘OK’.
@@ -532,22 +532,22 @@ Getting the right device identifier to prevent it from being installed and its l
3. Find the USB thumb-drive and select it.
- 
_Selecting the usb thumb-drive in Device Manager_
+ 
_Selecting the usb thumb-drive in Device Manager_
4. Change View (in the top menu) to ‘Devices by connections’. This view represents the way devices are installed in the PnP tree.
- 
_Changing view in Device Manager to see the PnP connection tree_
+ 
_Changing view in Device Manager to see the PnP connection tree_
> [!NOTE]
> When blocking\Preventing a device that sits higher in the PnP tree, all the devices that sit under it will be blocked. For example: Preventing a “Generic USB Hub” from being installed, all the devices that lay below a “Generic USB Hub” will be blocked.
- 
_When blocking one device, all the devices that are nested below it will be blocked as well_
+ 
_When blocking one device, all the devices that are nested below it will be blocked as well_
5. Double-click the USB thumb-drive and move to the ‘Details’ tab.
6. From the ‘Value’ window, copy the most detailed Hardware ID—we will use this in the policies. In this case Device ID = USBSTOR\DiskGeneric_Flash_Disk______8.07
- 
_USB device hardware IDs_
+ 
_USB device hardware IDs_
Creating the policy to prevent a single USB thumb-drive from being installed:
@@ -563,7 +563,7 @@ Creating the policy to prevent a single USB thumb-drive from being installed:
5. Enter the USB thumb-drive device ID you found above – USBSTOR\DiskGeneric_Flash_Disk______8.07
- 
_Prevent Device IDs list_
+ 
_Prevent Device IDs list_
6. Click ‘OK’.
@@ -620,7 +620,7 @@ As mentioned in scenario #4, it is not enough to enable only a single hardware I
- “USB Root Hub (USB 3.0)” -> USB\ROOT_HUB30
- “Generic USB Hub” -> USB\USB20_HUB
-
_USB devices nested under each other in the PnP tree_
+
_USB devices nested under each other in the PnP tree_
These devices are internal devices on the machine that define the USB port connection to the outside world. Enabling them should not enable any external/peripheral device from being installed on the machine.
@@ -663,7 +663,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one
9. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it – this policy will enable you to override the wide coverage of the ‘Prevent’ policy with a specific device.
- 
_Apply layered order of evaluation policy_
+ 
_Apply layered order of evaluation policy_
10. Now Open **Allow installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button.
@@ -671,7 +671,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one
12. Enter the full list of USB device IDs you found above including the specific USB Thumb-drive you would like to authorize for installation – USBSTOR\DiskGeneric_Flash_Disk______8.07
- 
_Allowed USB Device IDs list_
+ 
_Allowed USB Device IDs list_
13. Click ‘OK’.
diff --git a/windows/client-management/manage-settings-app-with-group-policy.md b/windows/client-management/manage-settings-app-with-group-policy.md
index a177277d07..f64ee0de0c 100644
--- a/windows/client-management/manage-settings-app-with-group-policy.md
+++ b/windows/client-management/manage-settings-app-with-group-policy.md
@@ -35,7 +35,7 @@ Policy paths:
**User Configuration** > **Administrative Templates** > **Control Panel** > **Settings Page Visibility**.
-
+
## Configuring the Group Policy
diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
index 22ba2d74a8..0e9dd8a789 100644
--- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
+++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
@@ -92,7 +92,7 @@ For more information about how Windows 10 and Azure AD optimize access to work r
As you review the roles in your organization, you can use the following generalized decision tree to begin to identify users or devices that require domain join. Consider switching the remaining users to Azure AD.
-
+
## Settings and Configuration
diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md
index b5b30659d6..7b77f47742 100644
--- a/windows/client-management/mandatory-user-profile.md
+++ b/windows/client-management/mandatory-user-profile.md
@@ -75,7 +75,7 @@ First, you create a default user profile with the customizations that you want,
> [!TIP]
> If you receive an error message that says "Sysprep was not able to validate your Windows installation", open %WINDIR%\\System32\\Sysprep\\Panther\\setupact.log and look for an entry like the following:
>
- > 
+ > 
>
> Use the [Remove-AppxProvisionedPackage](/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps&preserve-view=true) and [Remove-AppxPackage -AllUsers](/powershell/module/appx/remove-appxpackage?view=win10-ps&preserve-view=true) cmdlet in Windows PowerShell to uninstall the app that is listed in the log.
@@ -86,11 +86,11 @@ First, you create a default user profile with the customizations that you want,
1. In **User Profiles**, click **Default Profile**, and then click **Copy To**.
- 
+ 
1. In **Copy To**, under **Permitted to use**, click **Change**.
- 
+ 
1. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone`, click **Check Names**, and then click **OK**.
@@ -98,11 +98,11 @@ First, you create a default user profile with the customizations that you want,
- If the device is joined to the domain and you are signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path.
- 
+ 
- If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location.
- 
+ 
1. Click **OK** to copy the default user profile.
@@ -139,9 +139,9 @@ When a user is configured with a mandatory profile, Windows 10 starts as though
| Group Policy setting | Windows 10 | Windows Server 2016 | Windows 8.1 | Windows Server 2012 |
| --- | --- | --- | --- | --- |
-| Computer Configuration > Administrative Templates > System > Logon > **Show first sign-in animation** = Disabled |  |  |  |  |
-| Computer Configuration > Administrative Templates > Windows Components > Search > **Allow Cortana** = Disabled |  |  |  |  |
-| Computer Configuration > Administrative Templates > Windows Components > Cloud Content > **Turn off Microsoft consumer experience** = Enabled |  |  |  |  |
+| Computer Configuration > Administrative Templates > System > Logon > **Show first sign-in animation** = Disabled |  |  |  |  |
+| Computer Configuration > Administrative Templates > Windows Components > Search > **Allow Cortana** = Disabled |  |  |  |  |
+| Computer Configuration > Administrative Templates > Windows Components > Cloud Content > **Turn off Microsoft consumer experience** = Enabled |  |  |  |  |
> [!NOTE]
> The Group Policy settings above can be applied in Windows 10 Professional edition.
diff --git a/windows/client-management/mdm/accountmanagement-csp.md b/windows/client-management/mdm/accountmanagement-csp.md
index 930343209f..42722f7bd7 100644
--- a/windows/client-management/mdm/accountmanagement-csp.md
+++ b/windows/client-management/mdm/accountmanagement-csp.md
@@ -22,7 +22,7 @@ AccountManagement CSP is used to configure setting in the Account Manager servic
The following diagram shows the AccountManagement configuration service provider in tree format.
-
+
**./Vendor/MSFT/AccountManagement**
Root node for the AccountManagement configuration service provider.
diff --git a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md
index 34f60116f4..64394a6989 100644
--- a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md
+++ b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md
@@ -21,45 +21,45 @@ Here's a step-by-step guide to adding an Azure Active Directory tenant, adding a
1. Sign up for Azure AD tenant from [this website](https://account.windowsazure.com/organization) by creating an administrator account for your organization.
- 
+ 
2. Enter the information for your organization. Select **check availability** to verify that domain name that you selected is available.
- 
+ 
3. Complete the login and country information. Enter a valid phone number, then select **Send text message** or **Call me**.
- 
+ 
4. Enter the code that you receive and then select **Verify code**. After the code is verified and the continue button turns green, select **continue**.
- 
+ 
5. After you finish creating your Azure account, you can add an Azure AD subscription.
If you don't have a paid subscription to any Microsoft service, you can purchase an Azure AD premium subscription. Go to the Office 356 portal at https://portal.office.com/, and then sign in using the admin account that you created in Step 4 (for example, user1@contosoltd.onmicrosoftcom).
- 
+ 
6. Select **Install software**.
- 
+ 
7. In the Microsoft 365 admin center, select **Purchase Services** from the left navigation.
- 
+ 
8. On the **Purchase services** page, scroll down until you see **Azure Active Directory Premium**, then select to purchase.
- 
+ 
9. Continue with your purchase.
- 
+ 
10. After the purchase is completed, you can log in to your Office 365 Admin Portal and you will see the **Azure AD** option from the Admin drop-down menu along with other services (SharePoint, Exchange, etc....).
- 
+ 
When you choose Azure AD, it will take you to the Azure AD portal where you can manage your Azure AD applications.
@@ -69,27 +69,27 @@ If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Ent
1. Sign in to the Microsoft 365 admin center at
using your organization's account.
- 
+ 
2. On the **Home** page, select on the Admin tools icon.
- 
+ 
3. On the **Admin center** page, hover your mouse over the Admin tools icon on the left and then click **Azure AD**. This will take you to the Azure Active Directory sign-up page and brings up your existing Office 365 organization account information.
- 
+ 
4. On the **Sign up** page, make sure to enter a valid phone number and then click **Sign up**.
- 
+ 
5. It may take a few minutes to process the request.
- 
+ 
6. You will see a welcome page when the process completes.
- 
+ 
diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md
index 3df830bda7..5669fcf0f8 100644
--- a/windows/client-management/mdm/applocker-csp.md
+++ b/windows/client-management/mdm/applocker-csp.md
@@ -263,16 +263,16 @@ Supported operations are Get, Add, Delete, and Replace.
The **Device Portal** page opens on your browser.
- 
+ 
8. On the desktop **Device Portal** page, click **Apps** to open the **App Manager**.
9. On the **App Manager** page under **Running apps**, you will see the **Publisher** and **PackageFullName** of apps.
- 
+ 
10. If you do not see the app that you want, look under **Installed apps**. Using the drop- down menu, click on the application and you get the Version, Publisher, and PackageFullName displayed.
- 
+ 
The following table shows the mapping of information to the AppLocker publisher rule field.
diff --git a/windows/client-management/mdm/appv-deploy-and-config.md b/windows/client-management/mdm/appv-deploy-and-config.md
index 157bf6f4d0..4c8f6eaecd 100644
--- a/windows/client-management/mdm/appv-deploy-and-config.md
+++ b/windows/client-management/mdm/appv-deploy-and-config.md
@@ -23,7 +23,7 @@ manager: dansimp
[EnterpriseAppVManagement CSP reference](./enterpriseappvmanagement-csp.md)
-
+
(./User/Vendor/MSFT/EnterpriseAppVManagement) contains the following sub-nodes.
diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
index 82a11f3eb6..97f22aae88 100644
--- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
+++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
@@ -90,7 +90,7 @@ After the users accepts the Terms of Use, the device is registered in Azure AD a
The following diagram illustrates the high-level flow involved in the actual enrollment process. The device is first registered with Azure AD. This process assigns a unique device identifier to the device and presents the device with the ability to authenticate itself with Azure AD (device authentication). Subsequently, the device is enrolled for management with the MDM. This is done by calling the enrollment endpoint and requesting enrollment for the user and device. At this point, the user has been authenticated and device has been registered and authenticated with Azure AD. This information is made available to the MDM in the form of claims within an access token presented at the enrollment endpoint.
-
+
The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Azure AD using the [Azure AD Graph API](/azure/active-directory/develop/active-directory-graph-api). A sample for reporting device compliance is provided later in this topic.
@@ -173,7 +173,7 @@ IT administrators use the Azure AD app gallery to add an MDM for their organizat
The following image illustrates how MDM applications will show up in the Azure app gallery in a category dedicated to MDM software.
-
+
### Add cloud-based MDM to the app gallery
@@ -732,7 +732,7 @@ Response:
When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there is no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data.
-
+
## Error codes
diff --git a/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md b/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
index 21499425a9..ce25592491 100644
--- a/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
+++ b/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
@@ -20,10 +20,10 @@ manager: dansimp
2. Select **Mobility (MDM and MAM)**, and find the Microsoft Intune app.
3. Select **Microsoft Intune** and configure the blade.
-
+
Configure the blade
-
+
You can specify settings to allow all users to enroll a device and make it Intune ready, or choose to allow some users (and then add a group of users).
diff --git a/windows/client-management/mdm/bootstrap-csp.md b/windows/client-management/mdm/bootstrap-csp.md
index 0bb9326924..e07354fa81 100644
--- a/windows/client-management/mdm/bootstrap-csp.md
+++ b/windows/client-management/mdm/bootstrap-csp.md
@@ -27,7 +27,7 @@ The BOOTSTRAP configuration service provider sets the Trusted Provisioning Serve
The following image shows the BOOTSTRAP configuration service provider in tree format as used by Open Mobile Alliance (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider.
-
+
**CONTEXT-ALLOW**
Optional. Specifies a context for the TPS. Only one context is supported, so this parameter is ignored and "0" is assumed for its value.
diff --git a/windows/client-management/mdm/browserfavorite-csp.md b/windows/client-management/mdm/browserfavorite-csp.md
index 46ee3a5e98..15a939f7eb 100644
--- a/windows/client-management/mdm/browserfavorite-csp.md
+++ b/windows/client-management/mdm/browserfavorite-csp.md
@@ -30,7 +30,7 @@ This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID
The following diagram shows the BrowserFavorite configuration service provider in tree format as used by Open Mobile Alliance Device (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider.
-
+
***favorite name***
Required. Specifies the user-friendly name of the favorite URL that is displayed in the Favorites list of Internet Explorer.
diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
index 4fabdbc971..d1db6d514e 100644
--- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
+++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
@@ -57,7 +57,7 @@ Using the WCD, create a provisioning package using the enrollment information re
1. Open the WCD tool.
2. Click **Advanced Provisioning**.
- 
+ 
3. Enter a project name and click **Next**.
4. Select **All Windows editions**, since Provisioning CSP is common to all Windows editions, then click **Next**.
5. Skip **Import a provisioning package (optional)** and click **Finish**.
@@ -74,20 +74,20 @@ Using the WCD, create a provisioning package using the enrollment information re
For detailed descriptions of these settings, see [Provisioning CSP](provisioning-csp.md).
Here is the screenshot of the WCD at this point.
- 
+ 
9. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (e.g., **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**).
10. When you are done adding all the settings, on the **File** menu, click **Save**.
11. On the main menu click **Export** > **Provisioning package**.
- 
+ 
12. Enter the values for your package and specify the package output location.
- 
- 
- 
+ 
+ 
+ 
13. Click **Build**.
- 
+ 
14. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package).
15. Apply the package to your devices.
@@ -108,7 +108,7 @@ Using the WCD, create a provisioning package using the enrollment information re
5. Set **ExportCertificate** to False.
6. For **KeyLocation**, select **Software only**.
- 
+ 
7. Specify the workplace settings.
1. Got to **Workplace** > **Enrollments**.
2. Enter the **UPN** for the enrollment and then click **Add**.
diff --git a/windows/client-management/mdm/cellularsettings-csp.md b/windows/client-management/mdm/cellularsettings-csp.md
index 64372f26a8..ab4cb97c8f 100644
--- a/windows/client-management/mdm/cellularsettings-csp.md
+++ b/windows/client-management/mdm/cellularsettings-csp.md
@@ -21,7 +21,7 @@ The CellularSettings configuration service provider is used to configure cellula
The following image shows the CellularSettings CSP in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider.
-
+
**DataRoam**
Optional. Integer. Specifies the default roaming value. Valid values are:
diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md
index 5063181c3f..1d42413872 100644
--- a/windows/client-management/mdm/cm-cellularentries-csp.md
+++ b/windows/client-management/mdm/cm-cellularentries-csp.md
@@ -20,7 +20,7 @@ This configuration service provider requires the ID\_CAP\_NETWORKING\_ADMIN capa
The following diagram shows the CM\_CellularEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider.
-
+
***entryname***
Defines the name of the connection.
diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md
index cce8060fe3..d4793c91e6 100644
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@@ -2555,36 +2555,36 @@ The following list shows the CSPs supported in HoloLens devices:
| Configuration service provider | HoloLens (1st gen) Development Edition | HoloLens (1st gen) Commercial Suite | HoloLens 2 |
|------|--------|--------|--------|
-| [AccountManagement CSP](accountmanagement-csp.md) |  |  4 | 
-| [Accounts CSP](accounts-csp.md) |  |  |  |
-| [ApplicationControl CSP](applicationcontrol-csp.md) |  |  |  |
-| [AppLocker CSP](applocker-csp.md) |  |  |  |
-| [AssignedAccess CSP](assignedaccess-csp.md) |  |  4 |  |
-| [CertificateStore CSP](certificatestore-csp.md) |  | |  |
-| [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) |  |  |  |
-| [DevDetail CSP](devdetail-csp.md) |  |  |  |
-| [DeveloperSetup CSP](developersetup-csp.md) |  |  2 (runtime provisioning via provisioning packages only; no MDM support)|  |
-| [DeviceManageability CSP](devicemanageability-csp.md) |  |  |  |
-| [DeviceStatus CSP](devicestatus-csp.md) |  |  |  |
-| [DevInfo CSP](devinfo-csp.md) |  |  |  |
-| [DiagnosticLog CSP](diagnosticlog-csp.md) |  |  |  |
-| [DMAcc CSP](dmacc-csp.md) |  |  |  |
-| [DMClient CSP](dmclient-csp.md) |  |  |  |
-| [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) |  |  |  10 |
-| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) |  |  |  |
-| [NetworkProxy CSP](networkproxy-csp.md) |  |  |  |
-| [NetworkQoSPolicy CSP](networkqospolicy-csp.md) |  |  |  8|
-| [NodeCache CSP](nodecache-csp.md) |  |  |  |
-[PassportForWork CSP](passportforwork-csp.md) |  |  |  |
-| [Policy CSP](policy-configuration-service-provider.md) |  |  |  |
-| [RemoteFind CSP](remotefind-csp.md) |  |  4 |  |
-| [RemoteWipe CSP](remotewipe-csp.md) (**doWipe** and **doWipePersistProvisionedData** nodes only) |  |  4 |  |
-| [RootCATrustedCertificates CSP](rootcacertificates-csp.md) |  |  |  |
-| [TenantLockdown CSP](tenantlockdown-csp.md) |  |  |  10 |
-| [Update CSP](update-csp.md) |  |  |  |
-| [VPNv2 CSP](vpnv2-csp.md) |  |  |  |
-| [WiFi CSP](wifi-csp.md) |  |  |  |
-| [WindowsLicensing CSP](windowslicensing-csp.md) |  |  |  |
+| [AccountManagement CSP](accountmanagement-csp.md) |  |  4 | 
+| [Accounts CSP](accounts-csp.md) |  |  |  |
+| [ApplicationControl CSP](applicationcontrol-csp.md) |  |  |  |
+| [AppLocker CSP](applocker-csp.md) |  |  |  |
+| [AssignedAccess CSP](assignedaccess-csp.md) |  |  4 |  |
+| [CertificateStore CSP](certificatestore-csp.md) |  | |  |
+| [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) |  |  |  |
+| [DevDetail CSP](devdetail-csp.md) |  |  |  |
+| [DeveloperSetup CSP](developersetup-csp.md) |  |  2 (runtime provisioning via provisioning packages only; no MDM support)|  |
+| [DeviceManageability CSP](devicemanageability-csp.md) |  |  |  |
+| [DeviceStatus CSP](devicestatus-csp.md) |  |  |  |
+| [DevInfo CSP](devinfo-csp.md) |  |  |  |
+| [DiagnosticLog CSP](diagnosticlog-csp.md) |  |  |  |
+| [DMAcc CSP](dmacc-csp.md) |  |  |  |
+| [DMClient CSP](dmclient-csp.md) |  |  |  |
+| [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) |  |  |  10 |
+| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) |  |  |  |
+| [NetworkProxy CSP](networkproxy-csp.md) |  |  |  |
+| [NetworkQoSPolicy CSP](networkqospolicy-csp.md) |  |  |  8|
+| [NodeCache CSP](nodecache-csp.md) |  |  |  |
+[PassportForWork CSP](passportforwork-csp.md) |  |  |  |
+| [Policy CSP](policy-configuration-service-provider.md) |  |  |  |
+| [RemoteFind CSP](remotefind-csp.md) |  |  4 |  |
+| [RemoteWipe CSP](remotewipe-csp.md) (**doWipe** and **doWipePersistProvisionedData** nodes only) |  |  4 |  |
+| [RootCATrustedCertificates CSP](rootcacertificates-csp.md) |  |  |  |
+| [TenantLockdown CSP](tenantlockdown-csp.md) |  |  |  10 |
+| [Update CSP](update-csp.md) |  |  |  |
+| [VPNv2 CSP](vpnv2-csp.md) |  |  |  |
+| [WiFi CSP](wifi-csp.md) |  |  |  |
+| [WindowsLicensing CSP](windowslicensing-csp.md) |  |  |  |
## CSPs supported in Microsoft Surface Hub
diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md
index 8e886f3661..cc589f1f13 100644
--- a/windows/client-management/mdm/device-update-management.md
+++ b/windows/client-management/mdm/device-update-management.md
@@ -42,7 +42,7 @@ For more information about the CSPs, see [Update CSP](update-csp.md) and the upd
The following diagram provides a conceptual overview of how this works:
-
+
The diagram can be roughly divided into three areas:
@@ -56,7 +56,7 @@ The Microsoft Update Catalog is huge and contains many updates that are not need
This section describes how this is done. The following diagram shows the server-server sync protocol process.
-
+
MSDN provides much information about the Server-Server sync protocol. In particular:
@@ -140,7 +140,7 @@ The enterprise IT can configure auto-update polices via OMA DM using the [Policy
The following diagram shows the Update policies in a tree format.
-
+
**Update/ActiveHoursEnd**
> [!NOTE]
@@ -676,7 +676,7 @@ Example
The enterprise IT can configure the set of approved updates and get compliance status via OMA DM using the [Update CSP](update-csp.md). The following diagram shows the Update CSP in tree format..
-
+
**Update**
The root node.
@@ -889,9 +889,9 @@ Here is the list of older policies that are still supported for backward compati
The following screenshots of the administrator console show the list of update titles, approval status, and additional metadata fields.
-
+
-
+
## SyncML example
@@ -945,5 +945,5 @@ Set auto update to notify and defer.
The following diagram and screenshots show the process flow of the device update process using Windows Server Update Services and Microsoft Update Catalog.
-
+
diff --git a/windows/client-management/mdm/deviceinstanceservice-csp.md b/windows/client-management/mdm/deviceinstanceservice-csp.md
index f24564545c..0db22bf159 100644
--- a/windows/client-management/mdm/deviceinstanceservice-csp.md
+++ b/windows/client-management/mdm/deviceinstanceservice-csp.md
@@ -26,7 +26,7 @@ The DeviceInstance CSP is only supported in Windows 10 Mobile.
The following diagram shows the DeviceInstanceService configuration service provider in tree format.
-
+
**Roaming**
A boolean value that specifies the roaming status of the device. In dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/Roaming is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/Roaming.
diff --git a/windows/client-management/mdm/devicelock-csp.md b/windows/client-management/mdm/devicelock-csp.md
index cef65071ec..9933e58a23 100644
--- a/windows/client-management/mdm/devicelock-csp.md
+++ b/windows/client-management/mdm/devicelock-csp.md
@@ -32,7 +32,7 @@ The DevicePasswordEnabled setting must be set to 0 (device password is enabled)
The following image shows the DeviceLock configuration service provider in tree format.
-
+
**Provider**
Required. An interior node to group all policy providers. Scope is permanent. Supported operation is Get.
diff --git a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
index 6043b61d8c..92ed52968c 100644
--- a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
+++ b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
@@ -20,13 +20,13 @@ To help diagnose enrollment or device management issues in Windows 10 devices m
1. On your managed device go to **Settings** > **Accounts** > **Access work or school**.
1. Click your work or school account, then click **Info.**
- 
+ 
1. At the bottom of the **Settings** page, click **Create report**.
- 
+ 
1. A window opens that shows the path to the log files. Click **Export**.
- 
+ 
1. In File Explorer, navigate to c:\Users\Public\Documents\MDMDiagnostics to see the report.
@@ -59,7 +59,7 @@ Starting with the Windows 10, version 1511, MDM logs are captured in the Event
Here's a screenshot:
-
+
In this location, the **Admin** channel logs events by default. However, if you need more details logs you can enable **Debug** logs by choosing **Show Analytic and Debug** logs option in **View** menu in Event Viewer.
@@ -238,26 +238,26 @@ For best results, ensure that the PC or VM on which you are viewing logs matches
1. Open eventvwr.msc.
2. Right-click on **Event Viewer(Local)** and select **Open Saved Log**.
- 
+ 
3. Navigate to the etl file that you got from the device and then open the file.
4. Click **Yes** when prompted to save it to the new log format.
- 
+ 
- 
+ 
5. The new view contains traces from the channel. Click on **Filter Current Log** from the **Actions** menu.
- 
+ 
6. Add a filter to Event sources by selecting **DeviceManagement-EnterpriseDiagnostics-Provider** and click **OK**.
- 
+ 
7. Now you are ready to start reviewing the logs.
- 
+ 
## Collect device state data
diff --git a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md
index 35fe6568b0..5f48d033a0 100644
--- a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md
+++ b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md
@@ -137,7 +137,7 @@ You can only use the Work Access page to unenroll under the following conditions
When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there is no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data.
-
+
When a device is enrolled into MDM through Azure Active Directory Join and then remotely unenrolled, the device may get into a state where it must be re-imaged. When devices are remotely unenrolled from MDM, the AAD association is also removed. This safeguard is in place to avoid leaving the corporated devices in unmanaged state.
diff --git a/windows/client-management/mdm/eap-configuration.md b/windows/client-management/mdm/eap-configuration.md
index 43882781ec..2ef69ad6c3 100644
--- a/windows/client-management/mdm/eap-configuration.md
+++ b/windows/client-management/mdm/eap-configuration.md
@@ -24,35 +24,35 @@ To get the EAP configuration from your desktop using the rasphone tool that is s
1. Run rasphone.exe.
- 
+ 
1. If you don't currently have a VPN connection and you see the following message, select **OK**.
- 
+ 
1. In the wizard, select **Workplace network**.
- 
+ 
1. Enter an Internet address and connection name. These can be fake since it does not impact the authentication parameters.
- 
+ 
1. Create a fake VPN connection. In the UI shown here, select **Properties**.
- 
+ 
1. In the **Test Properties** dialog, select the **Security** tab.
- 
+ 
1. On the **Security** tab, select **Use Extensible Authentication Protocol (EAP)**.
- 
+ 
1. From the drop-down menu, select the EAP method that you want to configure, and then select **Properties** to configure as needed.
- 
+ 
1. Switch over to PowerShell and use the following cmdlets to retrieve the EAP configuration XML.
@@ -267,7 +267,7 @@ Alternatively, you can use the following procedure to create an EAP configuratio
1. Follow steps 1 through 7 in the EAP configuration article.
1. In the **Microsoft VPN SelfHost Properties** dialog box, select **Microsoft: Smart Card or other Certificate** from the drop-down menu (this selects EAP TLS).
- 
+ 
> [!NOTE]
> For PEAP or TTLS, select the appropriate method and continue following this procedure.
@@ -277,11 +277,11 @@ Alternatively, you can use the following procedure to create an EAP configuratio
1. Select the **Properties** button underneath the drop-down menu.
1. On the **Smart Card or other Certificate Properties** menu, select the **Advanced** button.
- 
+ 
1. On the **Configure Certificate Selection** menu, adjust the filters as needed.
- 
+ 
1. Select **OK** to close the windows and get back to the main rasphone.exe dialog box.
1. Close the rasphone dialog box.
diff --git a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
index d6a0127bab..cfc9928a0b 100644
--- a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
+++ b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
@@ -47,19 +47,19 @@ See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune](
2. Under **Best match**, click **Edit group policy** to launch it.
- 
+ 
3. In **Local Computer Policy** navigate to the policy you want to configure.
In this example, navigate to **Administrative Templates > System > App-V**.
- 
+ 
4. Double-click **Enable App-V Client**.
The **Options** section is empty, which means there are no parameters necessary to enable the policy. If the **Options** section is not empty, follow the procedure in [Enable a policy that requires parameters](#enable-a-policy-that-requires-parameters)
- 
+ 
3. Create the SyncML to enable the policy that does not require any parameter.
@@ -99,15 +99,15 @@ See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune](
1. Double-click **Publishing Server 2 Settings** to see the parameters you need to configure when you enable this policy.
- 
+ 
- 
+ 
2. Find the variable names of the parameters in the ADMX file.
You can find the ADMX file name in the policy description in Policy CSP. In this example, the filename appv.admx is listed in [AppVirtualization/PublishingAllowServer2](policy-configuration-service-provider.md#appvirtualization-publishingallowserver2).
- 
+ 
3. Navigate to **C:\Windows\PolicyDefinitions** (default location of the admx files) and open appv.admx.
diff --git a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md
index f4c951af17..bab52cb7fd 100644
--- a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md
+++ b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md
@@ -84,7 +84,7 @@ After the upgrade to Windows 10 is complete, if you decide to push down a new we
The following diagram shows a high-level overview of the process.
-
+
## Step 1: Prepare a test device to download updates from Microsoft Update
@@ -107,15 +107,15 @@ Trigger the device to check for updates either manually or using Microsoft Endpo
1. Remotely trigger a scan of the test device by deploying a Trigger Scan configuration baseline.
- 
+ 
2. Set the value of this OMA-URI by going to **Configuration Item**, and then selecting the newly created Trigger Scan settings from the previous step.
- 
+ 
3. Ensure that the value that is specified for this URI is greater than the value on the device(s), and that the **Remediate noncompliant rules when supported** option is selected. For the first time, any value that is greater than 0 will work, but for subsequent configurations, ensure that you specify an incremented value.
- 
+ 
4. Create a configuration baseline for Trigger Scan and Deploy. We recommend that this configuration baseline be deployed after the Controlled Updates baseline has been applied to the device. (The corresponding files are deployed on the device through a device sync session.)
5. Follow the prompts for downloading the updates, but do not install the updates on the device.
@@ -216,11 +216,11 @@ The deployment process has three parts:
1. Create a configuration item. In the **Browse Settings** window, select **Device File** as a filter, and then select **Select**.
- 
+ 
2. Browse to the DUControlledUpdates.xml that was created from the test device, and then specify the file path and name on the device as `NonPersistent\DUControlledUpdates.xml`.
- 
+ 
3. Select **Remediate noncompliant settings**, and then select **OK**.
@@ -231,7 +231,7 @@ The deployment process has three parts:
1. Create a configuration item and specify the file path and name on the device as `NonPersistent\DUCustomContentURIs.xml`
2. Select **Remediate noncompliant settings**.
- 
+ 
3. Select **OK**.
@@ -242,11 +242,11 @@ The deployment process has three parts:
1. Create a configuration baseline item and give it a name (such as ControlledUpdates).
2. Add the DUControlledUpdates and DUCustomContentURIs configuration items, and then select **OK**.
- 
+ 
3. Deploy the configuration baseline to the appropriate device or device collection.
- 
+ 
4. Select **OK**.
@@ -472,57 +472,57 @@ Use this procedure for pre-GDR1 devices:
2. In Microsoft Endpoint Configuration Manager, under **Assets and Compliance** > **Compliance Settings**, right-click **Configuration Items**.
3. Select **Create Configuration Item**.
- 
+ 
4. Enter a filename (such as GetDUReport), and then select **Mobile Device**.
5. On the **Mobile Device Settings** page, select **Configure Additional Settings that are not in the default settings group**, and then select **Next**.
- 
+ 
6. On the **Additional Settings** page, select **Add**.
- 
+ 
7. On the **Browse Settings** page, select **Create Setting**.
- 
+ 
8. Enter a unique **Name**. For **Setting type**, select **OMA-URI**, and for **Data type**, select **String**.
9. In the **OMA-URI** text box, enter `./Vendor/MSFT/EnterpriseExt/DeviceUpdate/UpdatesResultXml`, and then select **OK**.
- 
+ 
10. On the **Browse Settings** page, select **Close**.
11. On the **Create Configuration Item Wizard** page, select **All Windows Embedded 8.1 Handheld** as the supported platform, and then select **Next**.
- 
+ 
12. Close the **Create Configuration Item Wizard** page.
13. Right-click on the newly create configuration item, and then select the **Compliance Rules** tab.
14. Select the new created mobile device setting (such as DUReport), and then select **Select**.
15. Enter a dummy value (such as zzz) that is different from the one on the device.
- 
+ 
16. Disable remediation by deselecting the **Remediate noncompliant rules when supported** option.
17. Select **OK** to close the **Edit Rule** page.
18. Create a new configuration baseline. Under **Assets and Compliance** > **Compliance Settings**, right-click **Configuration Baselines**.
19. Select **Create Configuration Item**.
- 
+ 
20. Enter a baseline name (such as RetrieveDUReport).
21. Add the configuration item that you just created. Select **Add**, and then select the configuration item that you just created (such as DUReport).
- 
+ 
22. Select **OK**, and then select **OK** again to complete the configuration baseline.
23. Deploy the newly created configuration baseline to the appropriate device collection. Right-click on the configuration baseline that you created, and then select **Deploy**.
- 
+ 
24. Select **Remediate noncompliant rules when supported**.
25. Select the appropriate device collection and define the schedule.
- 
+ 
26. To view the DUReport content, select the appropriate deployment for the configuration baseline that you created. Right-click on the deployment, and then select **View Status**.
27. Select **Run Summarization**, and then select **Refresh**. The test device(s) should be listed on the **Non-Compliant** tab.
28. Under **Asset Details**, right-click on the test device, and then select **Mode Details**.
- 
+ 
29. On the **Non-compliant** tab, you can see the DUReport, but you cannot retrieve the content from here.
- 
+ 
30. To retrieve the DUReport, open C:\\Program Files\\SMS\_CCM\\SMS\_DM.log.
31. In the log file, search from the bottom for "./Vendor/MSFT/EnterpriseExt/DeviceUpdate/UpdatesResultXml" RuleExression="Equals zzz," where zzz is the dummy value. Just above this, copy the information for UpdateData and use this information to create the DUControlledUpdates.xml.
diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
index 322e4dbc40..c9f13235e0 100644
--- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
@@ -46,11 +46,11 @@ To ensure that the auto-enrollment feature is working as expected, you must veri
The following steps demonstrate required settings using the Intune service:
1. Verify that the user who is going to enroll the device has a valid Intune license.
- 
+ 
2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Intune. For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md).
- 
+ 
> [!IMPORTANT]
> For BYOD devices, the MAM user scope takes precedence if both MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) Policies (if you configured them) rather than being MDM enrolled.
@@ -62,23 +62,23 @@ The following steps demonstrate required settings using the Intune service:
You can confirm that the device is properly hybrid-joined if both **AzureAdJoined** and **DomainJoined** are set to **YES**.
- 
+ 
Additionally, verify that the SSO State section displays **AzureAdPrt** as **YES**.
- 
+ 
This information can also be found on the Azure AD device list.
- 
+ 
5. Verify that the MDM discovery URL during auto-enrollment is https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
- 
+ 
6. Some tenants might have both **Microsoft Intune** and **Microsoft Intune Enrollment** under **Mobility**. Make sure that your auto-enrollment settings are configured under **Microsoft Intune** instead of **Microsoft Intune Enrollment**.
- 
+ 
7. Verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices which should be enrolled into Intune.
You may contact your domain administrators to verify if the group policy has been deployed successfully.
@@ -87,7 +87,7 @@ You may contact your domain administrators to verify if the group policy has bee
9. Verify that Microsoft Intune should allow enrollment of Windows devices.
- 
+ 
## Configure the auto-enrollment Group Policy for a single PC
@@ -102,18 +102,18 @@ Requirements:
Click Start, then in the text box type gpedit.
- 
+ 
2. Under **Best match**, click **Edit group policy** to launch it.
3. In **Local Computer Policy**, click **Administrative Templates** > **Windows Components** > **MDM**.
> [!div class="mx-imgBorder"]
- > 
+ > 
4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** as the Selected Credential Type to use.
- 
+ 
5. Click **Enable**, and select **User Credential** from the dropdown **Select Credential Type to Use**, then click **OK**.
@@ -129,7 +129,7 @@ Requirements:
If two-factor authentication is required, you will be prompted to complete the process. Here is an example screenshot.
- 
+ 
> [!Tip]
> You can avoid this behavior by using Conditional Access Policies in Azure AD.
@@ -139,7 +139,7 @@ Requirements:
7. Click **Info** to see the MDM enrollment information.
- 
+ 
If you do not see the **Info** button or the enrollment information, it is possible that the enrollment failed. Check the status in [Task Scheduler app](#task-scheduler-app).
@@ -148,13 +148,13 @@ Requirements:
1. Click **Start**, then in the text box type **task scheduler**.
- 
+ 
2. Under **Best match**, click **Task Scheduler** to launch it.
3. In **Task Scheduler Library**, open **Microsoft > Windows** , then click **EnterpriseMgmt**.
- 
+ 
To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. Note that **0x80180026** is a failure message (MENROLL\_E_DEVICE\_MANAGEMENT_BLOCKED). You can see the logs in the **History** tab.
@@ -239,13 +239,13 @@ To collect Event Viewer logs:
3. Search for event ID 75, which represents a successful auto-enrollment. Here is an example screenshot that shows the auto-enrollment completed successfully:
- 
+ 
If you cannot find event ID 75 in the logs, it indicates that the auto-enrollment failed. This can happen because of the following reasons:
- The enrollment failed with error. In this case, search for event ID 76, which represents failed auto-enrollment. Here is an example screenshot that shows that the auto-enrollment failed:
- 
+ 
To troubleshoot, check the error code that appears in the event. See [Troubleshooting Windows device enrollment problems in Microsoft Intune](https://support.microsoft.com/en-ph/help/4469913/troubleshooting-windows-device-enrollment-problems-in-microsoft-intune) for more information.
@@ -253,7 +253,7 @@ To collect Event Viewer logs:
The auto-enrollment process is triggered by a task (**Microsoft > Windows > EnterpriseMgmt**) within the task-scheduler. This task appears if the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (**Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is successfully deployed to the target machine as shown in the following screenshot:
- 
+ 
> [!Note]
> This task isn't visible to standard users - run Scheduled Tasks with administrative credentials to find the task.
@@ -262,24 +262,24 @@ To collect Event Viewer logs:
**Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational**.
Look for an entry where the task scheduler created by enrollment client for automatically enrolling in MDM from AAD is triggered by event ID 107.
- 
+ 
When the task is completed, a new event ID 102 is logged.
- 
+ 
Note that the task scheduler log displays event ID 102 (task completed) regardless of the auto-enrollment success or failure. This means that the task scheduler log is only useful to confirm if the auto-enrollment task is triggered or not. It does not indicate the success or failure of auto-enrollment.
If you cannot see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from AAD is initiated, there is possibly issue with the group policy. Immediately run the command `gpupdate /force` in command prompt to get the GPO applied. If this still does not help, further troubleshooting on the Active Directory is required.
One frequently seen error is related to some outdated enrollment entries in the registry on the target client device (**HKLM > Software > Microsoft > Enrollments**). If a device has been enrolled (can be any MDM solution and not only Intune), some enrollment information added into the registry is seen:
- 
+ 
By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational** event log file under event ID 7016.
A resolution to this issue is to remove the registry key manually. If you do not know which registry key to remove, go for the key which displays most entries as the screenshot above. All other keys will display fewer entries as shown in the following screenshot:
- 
+ 
### Related topics
diff --git a/windows/client-management/mdm/enterprise-app-management.md b/windows/client-management/mdm/enterprise-app-management.md
index b809041a65..c29e2047ad 100644
--- a/windows/client-management/mdm/enterprise-app-management.md
+++ b/windows/client-management/mdm/enterprise-app-management.md
@@ -41,7 +41,7 @@ These classifications are represented as nodes in the EnterpriseModernAppManagem
The following diagram shows the EnterpriseModernAppManagement CSP in a tree format.
-
+
Each app displays one package family name and 1-n package full names for installed apps. The apps are categorized based on their origin (Store, nonStore, System).
diff --git a/windows/client-management/mdm/enterpriseappmanagement-csp.md b/windows/client-management/mdm/enterpriseappmanagement-csp.md
index 51c1a6581f..98249aad50 100644
--- a/windows/client-management/mdm/enterpriseappmanagement-csp.md
+++ b/windows/client-management/mdm/enterpriseappmanagement-csp.md
@@ -23,7 +23,7 @@ The EnterpriseAppManagement enterprise configuration service provider is used to
The following diagram shows the EnterpriseAppManagement configuration service provider in tree format.
-
+
***EnterpriseID***
Optional. A dynamic node that represents the EnterpriseID as a GUID. It is used to enroll or unenroll enterprise applications.
diff --git a/windows/client-management/mdm/filesystem-csp.md b/windows/client-management/mdm/filesystem-csp.md
index 12547591ba..3df7b51be2 100644
--- a/windows/client-management/mdm/filesystem-csp.md
+++ b/windows/client-management/mdm/filesystem-csp.md
@@ -24,7 +24,7 @@ The FileSystem configuration service provider is used to query, add, modify, and
The following diagram shows the FileSystem configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider.
-
+
**FileSystem**
Required. Defines the root of the file system management object. It functions as the root directory for file system queries.
diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md
index 9f691cab8c..03fb5b432d 100644
--- a/windows/client-management/mdm/healthattestation-csp.md
+++ b/windows/client-management/mdm/healthattestation-csp.md
@@ -104,7 +104,7 @@ The following is a list of functions performed by the Device HealthAttestation C
- Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device
- Receives attestation requests (DHA-Requests) from a DHA-Enabled-MDM, and replies with a device health report (DHA-Report)
-
+
diff --git a/windows/client-management/mdm/hotspot-csp.md b/windows/client-management/mdm/hotspot-csp.md
index 36a979715e..af7934b674 100644
--- a/windows/client-management/mdm/hotspot-csp.md
+++ b/windows/client-management/mdm/hotspot-csp.md
@@ -27,7 +27,7 @@ The HotSpot configuration service provider is used to configure and enable Inter
The following diagram shows the HotSpot configuration service provider management object in tree format as used by OMA Client Provisioning. The OMA DM protocol is not supported by this configuration service provider.
-
+
**Enabled**
Required. Specifies whether to enable Internet sharing on the device. The default is false.
diff --git a/windows/client-management/mdm/implement-server-side-mobile-application-management.md b/windows/client-management/mdm/implement-server-side-mobile-application-management.md
index 08a455f462..68633b48af 100644
--- a/windows/client-management/mdm/implement-server-side-mobile-application-management.md
+++ b/windows/client-management/mdm/implement-server-side-mobile-application-management.md
@@ -44,7 +44,7 @@ To make applications WIP-aware, app developers need to include the following dat
MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. Starting with Azure AD in Windows 10, version 1703, the same cloud-based Management MDM app will support both MDM and MAM enrollments. If you have already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the management app for an IT admin configuration.
-
+
MAM and MDM services in an organization could be provided by different vendors. Depending on the company configuration, IT admin typically needs to add one or two Azure AD Management apps to configure MAM and MDM policies. For example, if both MAM and MDM are provided by the same vendor, then an IT Admin needs to add one Management app from this vendor that will contain both MAM and MDM policies for the organization. Alternatively, if the MAM and MDM services in an organization are provided by two different vendors, then two Management apps from the two vendors need to be configured for the company in Azure AD: one for MAM and one for MDM. Please note: if the MDM service in an organization is not integrated with Azure AD and uses auto-discovery, only one Management app for MAM needs to be configured.
diff --git a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md
index 12e50c7af7..875c7d0ded 100644
--- a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md
+++ b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md
@@ -59,13 +59,13 @@ The Store for Business provides services that enable a management tool to synchr
The following diagram provides an overview of app distribution from acquisition of an offline-licensed application to distribution to a client. Once synchronized from the Store for Business, the management tool can use the Windows management framework to distribute applications to devices.
-
+
### Online-licensed application distribution
The following diagram provides an overview of app distribution from acquisition of an online-licensed application to distribution to a client. Once synchronized from the Store for Business, the management tool can use the Windows management framework to distribute applications to devices. For online-licensed applications, the management tool calls back into the Store for Business management services to assign an application prior to issuing the policy to install the application.
-
+
## Integrate with Azure Active Directory
@@ -105,7 +105,7 @@ After registering your management tool with Azure AD, the management tool can ca
The diagram below shows the call patterns for acquiring a new or updated application.
-
+
**Here is the list of available operations**:
diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
index d1e7b033f2..6dbe747d92 100644
--- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
+++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
@@ -25,7 +25,7 @@ In today’s cloud-first world, enterprise IT departments increasingly want to l
You can connect corporate-owned devices to work by either joining the device to an Active Directory domain, or to an Azure Active Directory (Azure AD) domain. Windows 10 does not require a personal Microsoft account on devices joined to Azure AD or an on-premises Active Directory domain.
-
+
### Connect your device to an Active Directory domain (join a domain)
@@ -40,15 +40,15 @@ Joining your device to an Active Directory domain during the out-of-box-experien
1. On the **Who Owns this PC?** page, select **My work or school owns it**.
- 
+ 
2. Next, select **Join a domain**.
- 
+ 
3. You'll see a prompt to set up a local account on the device. Enter your local account details, and then select **Next** to continue.
- 
+ 
### Use the Settings app
@@ -56,27 +56,27 @@ To create a local account and connect the device:
1. Launch the Settings app.
- 
+ 
2. Next, select **Accounts**.
- 
+ 
3. Navigate to **Access work or school**.
- 
+ 
4. Select **Connect**.
- 
+ 
5. Under **Alternate actions**, select **Join this device to a local Active Directory domain**.
- 
+ 
6. Type in your domain name, follow the instructions, and then select **Next** to continue. After you complete the flow and restart your device, it should be connected to your Active Directory domain. You can now sign in to the device using your domain credentials.
- 
+ 
### Help with connecting to an Active Directory domain
@@ -101,11 +101,11 @@ To join a domain:
1. Select **My work or school owns it**, then select **Next.**
- 
+ 
2. Select **Join Azure AD**, and then select **Next.**
- 
+ 
3. Type in your Azure AD username. This is the email address you use to log into Microsoft Office 365 and similar services.
@@ -113,7 +113,7 @@ To join a domain:
Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [these steps](azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). If your tenant is not configured for auto-enrollment, you will have to go through the enrollment flow a second time to connect your device to MDM. After you complete the flow, your device will be connected to your organization’s Azure AD domain.
- 
+ 
### Use the Settings app
@@ -121,27 +121,27 @@ To create a local account and connect the device:
1. Launch the Settings app.
- 
+ 
2. Next, navigate to **Accounts**.
- 
+ 
3. Navigate to **Access work or school**.
- 
+ 
4. Select **Connect**.
- 
+ 
5. Under **Alternate Actions**, selct **Join this device to Azure Active Directory**.
- 
+ 
6. Type in your Azure AD username. This is the email address you use to log into Office 365 and similar services.
- 
+ 
7. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and you can enter your password directly on this page. If the tenant is part of a federated domain, you are redirected to the organization's on-premises federation server, such as AD FS, for authentication.
@@ -151,7 +151,7 @@ To create a local account and connect the device:
After you reach the end of the flow, your device should be connected to your organization’s Azure AD domain. You may now log out of your current account and sign in using your Azure AD username.
- 
+ 
### Help with connecting to an Azure AD domain
@@ -183,19 +183,19 @@ To create a local account and connect the device:
1. Launch the Settings app, and then select **Accounts** >**Start** > **Settings** > **Accounts**.
- 
+ 
2. Navigate to **Access work or school**.
- 
+ 
3. Select **Connect**.
- 
+ 
4. Type in your Azure AD username. This is the email address you use to log into Office 365 and similar services.
- 
+ 
5. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and can enter your password directly into the page. If the tenant is part of a federated domain, you are redirected to the organization's on-premises federation server, such as AD FS, for authentication.
@@ -205,11 +205,11 @@ To create a local account and connect the device:
Starting in Windows 10, version 1709, you will see the status page that shows the progress of your device being set up.
- 
+ 
6. After you complete the flow, your Microsoft account will be connected to your work or school account.
- 
+ 
### Connect to MDM on a desktop (enrolling in device management)
@@ -221,29 +221,29 @@ To create a local account and connect the device:
1. Launch the Settings app.
- 
+ 
2. Next, navigate to **Accounts**.
- 
+ 
3. Navigate to **Access work or school**.
- 
+ 
4. Select the **Enroll only in device management** link (available in servicing build 14393.82, KB3176934). For older builds, see [Connect your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connect-your-windows-10-based-device-to-work-using-a-deep-link).
- 
+ 
5. Type in your work email address.
- 
+ 
6. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for additional authentication information.
Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. Starting in Windows 10, version 1709, you will see the enrollment progress on screen.
- 
+ 
After you complete the flow, your device will be connected to your organization’s MDM.
@@ -300,7 +300,7 @@ To connect your devices to MDM using deep links:
- IT admins can add this link to a welcome email that users can select to enroll into MDM.
- 
+ 
- IT admins can also add this link to an internal web page that users refer to enrollment instructions.
@@ -308,20 +308,20 @@ To connect your devices to MDM using deep links:
Type in your work email address.
- 
+ 
3. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for additional authentication information. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point.
After you complete the flow, your device will be connected to your organization's MDM.
- 
+ 
## Manage connections
To manage your work or school connections, select **Settings** > **Accounts** > **Access work or school**. Your connections will show on this page and selecting one will expand options for that connection.
-
+
### Info
@@ -335,7 +335,7 @@ Selecting the **Info** button will open a new page in the Settings app that prov
Starting in Windows 10, version 1709, selecting the **Info** button will show a list of policies and line-of-business apps installed by your organization. Here is an example screenshot.
-
+
> [!NOTE]
> Starting in Windows 10, version 1709, the **Manage** button is no longer available.
@@ -357,7 +357,7 @@ You can collect diagnostic logs around your work connections by going to **Setti
Starting in Windows 10, version 1709, you can get the advanced diagnostic report by going to **Settings** > **Accounts** > **Access work or school**, and selecting the **Info** button. At the bottom of the Settings page, you will see the button to create a report, as shown here.
-
+
diff --git a/windows/client-management/mdm/messaging-csp.md b/windows/client-management/mdm/messaging-csp.md
index e9383e871f..ad2d4edddc 100644
--- a/windows/client-management/mdm/messaging-csp.md
+++ b/windows/client-management/mdm/messaging-csp.md
@@ -17,7 +17,7 @@ The Messaging configuration service provider is used to configure the ability to
The following diagram shows the Messaging configuration service provider in tree format.
-
+
**./User/Vendor/MSFT/Messaging**
diff --git a/windows/client-management/mdm/mobile-device-enrollment.md b/windows/client-management/mdm/mobile-device-enrollment.md
index 32f9b5ee66..6c898afe02 100644
--- a/windows/client-management/mdm/mobile-device-enrollment.md
+++ b/windows/client-management/mdm/mobile-device-enrollment.md
@@ -68,7 +68,7 @@ Devices that are joined to an on-premises Active Directory can enroll into MDM v
Starting in Windows 10, version 1607, IT admin can disable MDM enrollments for domain-joined PCs using Group Policy. Using the GP editor, the path is **Computer configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Disable MDM Enrollment**.
-
+
Here is the corresponding registry key:
diff --git a/windows/client-management/mdm/napdef-csp.md b/windows/client-management/mdm/napdef-csp.md
index 1b5f5ecdd4..0b715c1a53 100644
--- a/windows/client-management/mdm/napdef-csp.md
+++ b/windows/client-management/mdm/napdef-csp.md
@@ -27,11 +27,11 @@ The NAPDEF configuration service provider is used to add, modify, or delete WAP
The following diagram shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **initial bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider.
-
+
The following diagram shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **updating the bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider.
-
+
**NAPAUTHINFO**
Defines a group of authentication settings.
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index ce79fdb702..272489e4a8 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -240,7 +240,7 @@ Passing CDATA in data in SyncML to ConfigManager and CSPs does not work in Windo
The certificate setting under "SSL Settings" in the IIS server for SCEP must be set to "Ignore" in Windows 10. In Windows Phone 8.1, when you set the client certificate to "Accept," it works fine.
-
+
### MDM enrollment fails on the mobile device when traffic is going through proxy
@@ -439,7 +439,7 @@ Alternatively you can use the following procedure to create an EAP Configuration
1. Follow steps 1 through 7 in the [EAP configuration](eap-configuration.md) article.
2. In the Microsoft VPN SelfHost Properties dialog box, select **Microsoft : Smart Card or other Certificate** from the drop down (this selects EAP TLS.)
- 
+ 
> [!NOTE]
> For PEAP or TTLS, select the appropriate method and continue following this procedure.
@@ -447,10 +447,10 @@ Alternatively you can use the following procedure to create an EAP Configuration
3. Click the **Properties** button underneath the drop down menu.
4. In the **Smart Card or other Certificate Properties** menu, select the **Advanced** button.
- 
+ 
5. In the **Configure Certificate Selection** menu, adjust the filters as needed.
- 
+ 
6. Click **OK** to close the windows to get back to the main rasphone.exe dialog box.
7. Close the rasphone dialog box.
8. Continue following the procedure in the [EAP configuration](eap-configuration.md) article from Step 9 to get an EAP TLS profile with appropriate filtering.
@@ -492,7 +492,7 @@ No. Only one MDM is allowed.
4. Click **Configure**.
5. Set quota to unlimited.
- 
+ 
### **What is dmwappushsvc?**
diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md
index c73d5fdc8d..84ff8f5e34 100644
--- a/windows/client-management/mdm/passportforwork-csp.md
+++ b/windows/client-management/mdm/passportforwork-csp.md
@@ -23,13 +23,13 @@ The PassportForWork configuration service provider is used to provision Windows
The following diagram shows the PassportForWork configuration service provider in tree format.
-
+
### Device configuration diagram
The following diagram shows the PassportForWork configuration service provider in tree format.
-
+
**PassportForWork**
Root node for PassportForWork configuration service provider.
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index ddeb61f84a..da0f0543dc 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -44,7 +44,7 @@ The Policy configuration service provider has the following sub-categories:
The following diagram shows the Policy configuration service provider in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning.
-
+
**./Vendor/MSFT/Policy**
diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md
index 9d7aa06011..013edacaec 100644
--- a/windows/client-management/mdm/policy-csp-deviceinstallation.md
+++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md
@@ -549,7 +549,7 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and
```
You can also change the evaluation order of device installation policy settings by using a custom profile in Intune.
-:::image type="content" source="images/edit-row.png" alt-text="This is a edit row image":::
+:::image type="content" source="images/edit-row.png" alt-text="This is a edit row image.":::
@@ -743,7 +743,7 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i
You can also block installation by using a custom profile in Intune.
-
+
@@ -863,7 +863,7 @@ You can also block installation and usage of prohibited peripherals by using a c
For example, this custom profile blocks installation and usage of USB devices with hardware IDs "USB\Composite" and "USB\Class_FF", and applies to USB devices with matching hardware IDs that are already installed.
-
+
@@ -977,7 +977,7 @@ You can also block installation and usage of prohibited peripherals by using a c
For example, this custom profile prevents installation of devices with matching device instance IDs.
-
+
To prevent installation of devices with matching device instance IDs by using custom profile in Intune:
1. Locate the device instance ID.
diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md
index cdf909411f..7f7e8ae961 100644
--- a/windows/client-management/mdm/policy-csp-mixedreality.md
+++ b/windows/client-management/mdm/policy-csp-mixedreality.md
@@ -40,20 +40,6 @@ manager: dansimp
-Steps to use this policy correctly:
-
-1. Create a device configuration profile for kiosk targeting Azure AD groups and assign it to HoloLens device(s).
-1. Create a custom OMA URI based device configuration that sets this policy value to desired number of days (> 0) and assign it to HoloLens device(s).
- 1. The URI value should be entered in OMA-URI text box as ./Vendor/MSFT/Policy/Config/MixedReality/AADGroupMembershipCacheValidityInDays
- 1. The value can be between min / max allowed.
-1. Enroll HoloLens devices and verify both configurations get applied to the device.
-1. Let Azure AD user 1 sign-in when internet is available. Once the user signs-in and Azure AD group membership is confirmed successfully, cache will be created.
-1. Now Azure AD user 1 can take HoloLens offline and use it for kiosk mode as long as policy value allows for X number of days.
-1. Steps 4 and 5 can be repeated for any other Azure AD user N. The key point here is that any Azure AD user must sign-in to device using Internet at least once. Then we can determine that they are member of Azure AD group to which Kiosk configuration is targeted.
-
-> [!NOTE]
-> Until step 4 is performed for a Azure AD user will experience failure behavior mentioned similar to “disconnected” environments.
-
@@ -79,6 +65,20 @@ Steps to use this policy correctly:
+Steps to use this policy correctly:
+
+1. Create a device configuration profile for kiosk targeting Azure AD groups and assign it to HoloLens device(s).
+1. Create a custom OMA URI based device configuration that sets this policy value to desired number of days (> 0) and assign it to HoloLens device(s).
+ 1. The URI value should be entered in OMA-URI text box as ./Vendor/MSFT/Policy/Config/MixedReality/AADGroupMembershipCacheValidityInDays
+ 1. The value can be between min / max allowed.
+1. Enroll HoloLens devices and verify both configurations get applied to the device.
+1. Let Azure AD user 1 sign-in when internet is available. Once the user signs-in and Azure AD group membership is confirmed successfully, cache will be created.
+1. Now Azure AD user 1 can take HoloLens offline and use it for kiosk mode as long as policy value allows for X number of days.
+1. Steps 4 and 5 can be repeated for any other Azure AD user N. The key point here is that any Azure AD user must sign-in to device using Internet at least once. Then we can determine that they are member of Azure AD group to which Kiosk configuration is targeted.
+
+> [!NOTE]
+> Until step 4 is performed for a Azure AD user will experience failure behavior mentioned similar to “disconnected” environments.
+
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index b02ba826b4..d627137d97 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
-ms.date: 10/14/2020
+ms.date: 08/26/2021
ms.reviewer:
manager: dansimp
---
@@ -62,7 +62,7 @@ manager: dansimp
System/AllowUserToResetPhone
- System/AllowWuFBCloudProcessing
+ System/AllowWUfBCloudProcessing
System/BootStartDriverInitialization
@@ -964,7 +964,7 @@ The following list shows the supported values:
-**System/AllowWuFBCloudProcessing**
+**System/AllowWUfBCloudProcessing**
@@ -985,6 +985,15 @@ If you disable or do not configure this policy setting, devices enrolled to the
+
+
+The following list shows the supported values:
+
+- 0 - Disabled.
+- 8 - Enabled.
+
+
+
**System/BootStartDriverInitialization**
diff --git a/windows/client-management/mdm/push-notification-windows-mdm.md b/windows/client-management/mdm/push-notification-windows-mdm.md
index a0a34ee244..92df20eba2 100644
--- a/windows/client-management/mdm/push-notification-windows-mdm.md
+++ b/windows/client-management/mdm/push-notification-windows-mdm.md
@@ -52,34 +52,34 @@ To get a PFN and WNS credentials, you must create an Microsoft Store app.
1. Go to the Windows [Dashboard](https://dev.windows.com/en-US/dashboard) and sign in with your developer account.
- 
+ 
2. Create a new app.
- 
+ 
3. Reserve an app name.
- 
+ 
4. Click **Services**.
- 
+ 
5. Click **Push notifications**.
- 
+ 
6. Click **Live Services site**. A new window opens for the **Application Registration Portal** page.
- 
+ 
7. In the **Application Registration Portal** page, you will see the properties for the app that you created, such as:
- Application Id
- Application Secrets
- Microsoft Store Package SID, Application Identity, and Publisher.
- 
+ 
8. Click **Save**.
9. Close the **Application Registration Portal** window and go back to the Windows Dev Center Dashboard.
10. Select your app from the list on the left.
11. From the left nav, expand **App management** and then click **App identity**.
- 
+ 
12. In the **App identity** page, you will see the **Package Family Name (PFN)** of your app.
diff --git a/windows/client-management/mdm/pxlogical-csp.md b/windows/client-management/mdm/pxlogical-csp.md
index 48baff3fe8..e2d40a822a 100644
--- a/windows/client-management/mdm/pxlogical-csp.md
+++ b/windows/client-management/mdm/pxlogical-csp.md
@@ -23,11 +23,11 @@ The PXLOGICAL configuration service provider is used to add, remove, or modify W
The following diagram shows the PXLOGICAL configuration service provider management object in tree format as used by OMA Client Provisioning for initial bootstrapping of the device. The OMA DM protocol is not supported by this configuration service provider.
-
+
The following diagram shows the PXLOGICAL configuration service provider management object in tree format as used by OMA Client Provisioning for updating the bootstrapping of the device. The OMA DM protocol is not supported by this configuration service provider.
-
+
**PXPHYSICAL**
Defines a group of logical proxy settings.
diff --git a/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md b/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md
index be9c8a5339..28e198aa1f 100644
--- a/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md
+++ b/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md
@@ -23,15 +23,15 @@ If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Ent
1. Sign in to the Microsoft 365 admin center at using your organization's account.
- 
+ 
2. On the **Home** page, click on the Admin tools icon.
- 
+ 
3. On the **Admin center** page, under Admin Centers on the left, click **Azure Active Directory**. This will take you to the Azure Active Directory portal.
- 
+ 
diff --git a/windows/client-management/mdm/securitypolicy-csp.md b/windows/client-management/mdm/securitypolicy-csp.md
index 9e203d4d39..4ffdbad557 100644
--- a/windows/client-management/mdm/securitypolicy-csp.md
+++ b/windows/client-management/mdm/securitypolicy-csp.md
@@ -25,7 +25,7 @@ For the SecurityPolicy CSP, you cannot use the Replace command unless the node a
The following diagram shows the SecurityPolicy configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning.
-
+
***PolicyID***
Defines the security policy identifier as a decimal value.
diff --git a/windows/client-management/mdm/understanding-admx-backed-policies.md b/windows/client-management/mdm/understanding-admx-backed-policies.md
index 5b211a0f55..21f39c4389 100644
--- a/windows/client-management/mdm/understanding-admx-backed-policies.md
+++ b/windows/client-management/mdm/understanding-admx-backed-policies.md
@@ -56,11 +56,11 @@ Group Policy option button setting:
The following diagram shows the main display for the Group Policy Editor.
-
+
The following diagram shows the settings for the "Publishing Server 2 Settings" Group Policy in the Group Policy Editor.
-
+
Note that most Group Policies are a simple Boolean type. For a Boolean Group Policy, if you select **Enabled**, the options panel contains no data input fields and the payload of the SyncML is simply ``. However, if there are data input fields in the options panel, the MDM server must supply this data. The following *Enabling a Group Policy* example illustrates this complexity. In this example, 10 name-value pairs are described by `` tags in the payload, which correspond to the 10 data input fields in the Group Policy Editor options panel for the "Publishing Server 2 Settings" Group Policy. The ADMX file, which defines the Group Policies, is consumed by the MDM server, similarly to how the Group Policy Editor consumes it. The Group Policy Editor displays a UI to receive the complete Group Policy instance data, which the MDM server's IT administrator console must also do. For every `` element and id attribute in the ADMX policy definition, there must be a corresponding `` element and id attribute in the payload. The ADMX file drives the policy definition and is required by the MDM server via the SyncML protocol.
diff --git a/windows/client-management/mdm/unifiedwritefilter-csp.md b/windows/client-management/mdm/unifiedwritefilter-csp.md
index 7916778bec..00d2b86cd5 100644
--- a/windows/client-management/mdm/unifiedwritefilter-csp.md
+++ b/windows/client-management/mdm/unifiedwritefilter-csp.md
@@ -119,7 +119,7 @@ Currently SwapfileSize should not be relied for determining or controlling the o
**CurrentSession/MaximumOverlaySize** or **NextSession/MaximumOverlaySize**
should be used for that purpose.
-:::image type="content" source="images/overlaysetting.png" alt-text="This is the overlay setting":::
+:::image type="content" source="images/overlaysetting.png" alt-text="This is the overlay setting.":::
> [!NOTE]
> Only single swapfile is supported in current implementation and creating swapfile on specific volume will disable any other swapfile created on other volumes.
diff --git a/windows/client-management/mdm/vpn-csp.md b/windows/client-management/mdm/vpn-csp.md
index 3f6badf192..42a6882673 100644
--- a/windows/client-management/mdm/vpn-csp.md
+++ b/windows/client-management/mdm/vpn-csp.md
@@ -33,7 +33,7 @@ Important considerations:
The following diagram shows the VPN configuration service provider in tree format.
-
+
***ProfileName***
Unique alpha numeric Identifier for the profile. The profile name must not include a forward slash (/).
diff --git a/windows/client-management/mdm/w4-application-csp.md b/windows/client-management/mdm/w4-application-csp.md
index d6b9110b32..e7321b1888 100644
--- a/windows/client-management/mdm/w4-application-csp.md
+++ b/windows/client-management/mdm/w4-application-csp.md
@@ -25,7 +25,7 @@ The default security roles are defined in the root characteristic, and map to ea
The following diagram shows the configuration service provider in tree format as used by OMA Client Provisioning.
-
+
**APPID**
Required. This parameter takes a string value. The only supported value for configuring MMS is "w4".
diff --git a/windows/client-management/mdm/w7-application-csp.md b/windows/client-management/mdm/w7-application-csp.md
index 20f21f79bc..7aaa801796 100644
--- a/windows/client-management/mdm/w7-application-csp.md
+++ b/windows/client-management/mdm/w7-application-csp.md
@@ -23,7 +23,7 @@ The APPLICATION configuration service provider that has an APPID of w7 is used f
The following image shows the configuration service provider in tree format as used by OMA Client Provisioning.
-
+
> **Note** All parm names and characteristic types are case sensitive and must use all uppercase.
Both APPSRV and CLIENT credentials must be provided in provisioning XML.
diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md
index 125bbfb687..e867ae66ef 100644
--- a/windows/client-management/mdm/wifi-csp.md
+++ b/windows/client-management/mdm/wifi-csp.md
@@ -31,7 +31,7 @@ Programming considerations:
The following image shows the WiFi configuration service provider in tree format.
-
+
The following list shows the characteristics and parameters.
diff --git a/windows/client-management/mdm/windows-mdm-enterprise-settings.md b/windows/client-management/mdm/windows-mdm-enterprise-settings.md
index a8be6bba9c..e5e7511669 100644
--- a/windows/client-management/mdm/windows-mdm-enterprise-settings.md
+++ b/windows/client-management/mdm/windows-mdm-enterprise-settings.md
@@ -25,7 +25,7 @@ The DM client is configured during the enrollment process to be invoked by the t
The following diagram shows the work flow between server and client.
-
+
## Management workflow
diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
index c68424cd04..fc13fd3034 100644
--- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
+++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
@@ -19,7 +19,7 @@ The Windows Defender Advanced Threat Protection (WDATP) configuration service pr
The following diagram shows the WDATP configuration service provider in tree format as used by the Open Mobile Alliance (OMA) Device Management (DM).
-
+
The following list describes the characteristics and parameters.
diff --git a/windows/client-management/mdm/wmi-providers-supported-in-windows.md b/windows/client-management/mdm/wmi-providers-supported-in-windows.md
index 2f3cdf7fc7..2fe71b5e76 100644
--- a/windows/client-management/mdm/wmi-providers-supported-in-windows.md
+++ b/windows/client-management/mdm/wmi-providers-supported-in-windows.md
@@ -213,16 +213,16 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
| Class | Test completed in Windows 10 for desktop |
|--------------------------------------------------------------------------|------------------------------------------|
-| [**wpcappoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) |  |
-| [**wpcgameoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) |  |
-| [**wpcgamessettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) |  |
-| [**wpcrating**](/windows/win32/parcon/parental-controls-wmi-provider-schema) |  |
+| [**wpcappoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) |  |
+| [**wpcgameoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) |  |
+| [**wpcgamessettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) |  |
+| [**wpcrating**](/windows/win32/parcon/parental-controls-wmi-provider-schema) |  |
| [**wpcRatingsDescriptor**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | |
-| [**wpcratingssystem**](/windows/win32/parcon/parental-controls-wmi-provider-schema) |  |
-| [**wpcsystemsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) |  |
-| [**wpcurloverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) |  |
-| [**wpcusersettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) |  |
-| [**wpcwebsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) |  |
+| [**wpcratingssystem**](/windows/win32/parcon/parental-controls-wmi-provider-schema) |  |
+| [**wpcsystemsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) |  |
+| [**wpcurloverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) |  |
+| [**wpcusersettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) |  |
+| [**wpcwebsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) |  |
@@ -232,17 +232,17 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
|--------------------------------------------------------------------------|------------------------------------------|
[**Win32\_1394Controller**](/windows/win32/cimwin32prov/win32-1394controller) |
[**Win32\_BaseBoard**](/windows/win32/cimwin32prov/win32-baseboard) |
-[**Win32\_Battery**](/windows/win32/cimwin32prov/win32-battery) | 
-[**Win32\_BIOS**](/windows/win32/cimwin32prov/win32-bios) | 
+[**Win32\_Battery**](/windows/win32/cimwin32prov/win32-battery) | 
+[**Win32\_BIOS**](/windows/win32/cimwin32prov/win32-bios) | 
[**Win32\_CDROMDrive**](/windows/win32/cimwin32prov/win32-cdromdrive) |
-[**Win32\_ComputerSystem**](/windows/win32/cimwin32prov/win32-computersystem) | 
-[**Win32\_ComputerSystemProduct**](/windows/win32/cimwin32prov/win32-computersystemproduct) | 
-[**Win32\_CurrentTime**](/previous-versions/windows/desktop/wmitimepprov/win32-currenttime) | 
+[**Win32\_ComputerSystem**](/windows/win32/cimwin32prov/win32-computersystem) | 
+[**Win32\_ComputerSystemProduct**](/windows/win32/cimwin32prov/win32-computersystemproduct) | 
+[**Win32\_CurrentTime**](/previous-versions/windows/desktop/wmitimepprov/win32-currenttime) | 
[**Win32\_Desktop**](/windows/win32/cimwin32prov/win32-desktop) |
-[**Win32\_DesktopMonitor**](/windows/win32/cimwin32prov/win32-desktopmonitor) |
-[**Win32\_DiskDrive**](/windows/win32/cimwin32prov/win32-diskdrive) | 
+[**Win32\_DesktopMonitor**](/windows/win32/cimwin32prov/win32-desktopmonitor) |
+[**Win32\_DiskDrive**](/windows/win32/cimwin32prov/win32-diskdrive) | 
[**Win32\_DiskPartition**](/windows/win32/cimwin32prov/win32-diskpartition) |
-[**Win32\_DisplayConfiguration**](/previous-versions//aa394137(v=vs.85)) | 
+[**Win32\_DisplayConfiguration**](/previous-versions//aa394137(v=vs.85)) | 
[**Win32\_DMAChannel**](/windows/win32/cimwin32prov/win32-dmachannel) |
[**Win32\_DriverVXD**](/previous-versions//aa394141(v=vs.85)) |
[**Win32\_EncryptableVolume**](/windows/win32/secprov/win32-encryptablevolume) |
@@ -252,23 +252,23 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
[**Win32\_IRQResource**](/windows/win32/cimwin32prov/win32-irqresource) |
[**Win32\_Keyboard**](/windows/win32/cimwin32prov/win32-keyboard) |
[**Win32\_LoadOrderGroup**](/windows/win32/cimwin32prov/win32-loadordergroup) |
-[**Win32\_LocalTime**](/previous-versions/windows/desktop/wmitimepprov/win32-localtime) | 
+[**Win32\_LocalTime**](/previous-versions/windows/desktop/wmitimepprov/win32-localtime) | 
[**Win32\_LoggedOnUser**](/windows/win32/cimwin32prov/win32-loggedonuser) |
-[**Win32\_LogicalDisk**](/windows/win32/cimwin32prov/win32-logicaldisk) | 
+[**Win32\_LogicalDisk**](/windows/win32/cimwin32prov/win32-logicaldisk) | 
[**Win32\_MotherboardDevice**](/windows/win32/cimwin32prov/win32-motherboarddevice) |
-[**Win32\_NetworkAdapter**](/windows/win32/cimwin32prov/win32-networkadapter) | 
+[**Win32\_NetworkAdapter**](/windows/win32/cimwin32prov/win32-networkadapter) | 
[**Win32\_NetworkAdapterConfiguration**](/windows/win32/cimwin32prov/win32-networkadapterconfiguration) |
[**Win32\_NetworkClient**](/windows/win32/cimwin32prov/win32-networkclient) |
[**Win32\_NetworkLoginProfile**](/windows/win32/cimwin32prov/win32-networkloginprofile) |
[**Win32\_NetworkProtocol**](/windows/win32/cimwin32prov/win32-networkprotocol) |
[**Win32\_NTEventlogFile**](/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)) |
-[**Win32\_OperatingSystem**](/windows/win32/cimwin32prov/win32-operatingsystem) | 
+[**Win32\_OperatingSystem**](/windows/win32/cimwin32prov/win32-operatingsystem) | 
[**Win32\_OSRecoveryConfiguration**](/windows/win32/cimwin32prov/win32-osrecoveryconfiguration) |
[**Win32\_PageFileSetting**](/windows/win32/cimwin32prov/win32-pagefilesetting) |
[**Win32\_ParallelPort**](/windows/win32/cimwin32prov/win32-parallelport) |
[**Win32\_PCMCIAController**](/windows/win32/cimwin32prov/win32-pcmciacontroller) |
[**Win32\_PhysicalMedia**](/previous-versions/windows/desktop/cimwin32a/win32-physicalmedia) |
-[**Win32\_PhysicalMemory**](/windows/win32/cimwin32prov/win32-physicalmemory) | 
+[**Win32\_PhysicalMemory**](/windows/win32/cimwin32prov/win32-physicalmemory) | 
[**Win32\_PnPDevice**](/windows/win32/cimwin32prov/win32-pnpdevice) |
[**Win32\_PnPEntity**](/windows/win32/cimwin32prov/win32-pnpentity) |
[**Win32\_PointingDevice**](/windows/win32/cimwin32prov/win32-pointingdevice) |
@@ -277,25 +277,25 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
[**Win32\_POTSModem**](/windows/win32/cimwin32prov/win32-potsmodem) |
[**Win32\_Printer**](/windows/win32/cimwin32prov/win32-printer) |
[**Win32\_PrinterConfiguration**](/windows/win32/cimwin32prov/win32-printerconfiguration) |
-[**Win32\_Processor**](/windows/win32/cimwin32prov/win32-processor) | 
-[**Win32\_QuickFixEngineering**](/windows/win32/cimwin32prov/win32-quickfixengineering) | 
+[**Win32\_Processor**](/windows/win32/cimwin32prov/win32-processor) | 
+[**Win32\_QuickFixEngineering**](/windows/win32/cimwin32prov/win32-quickfixengineering) | 
[**Win32\_Registry**](/windows/win32/cimwin32prov/win32-registry) |
[**Win32\_SCSIController**](/windows/win32/cimwin32prov/win32-scsicontroller) |
[**Win32\_SerialPort**](/windows/win32/cimwin32prov/win32-serialport) |
[**Win32\_SerialPortConfiguration**](/windows/win32/cimwin32prov/win32-serialportconfiguration) |
[**Win32\_ServerFeature**](/windows/win32/wmisdk/win32-serverfeature) |
-[**Win32\_Service**](/windows/win32/cimwin32prov/win32-service) | 
-[**Win32\_Share**](/windows/win32/cimwin32prov/win32-share) | 
+[**Win32\_Service**](/windows/win32/cimwin32prov/win32-service) | 
+[**Win32\_Share**](/windows/win32/cimwin32prov/win32-share) | 
[**Win32\_SoundDevice**](/windows/win32/cimwin32prov/win32-sounddevice) |
[**Win32\_SystemAccount**](/windows/win32/cimwin32prov/win32-systemaccount) |
-[**Win32\_SystemBIOS**](/windows/win32/cimwin32prov/win32-systembios) | 
+[**Win32\_SystemBIOS**](/windows/win32/cimwin32prov/win32-systembios) | 
[**Win32\_SystemDriver**](/windows/win32/cimwin32prov/win32-systemdriver) |
-[**Win32\_SystemEnclosure**](/windows/win32/cimwin32prov/win32-systemenclosure) | 
+[**Win32\_SystemEnclosure**](/windows/win32/cimwin32prov/win32-systemenclosure) | 
[**Win32\_TapeDrive**](/windows/win32/cimwin32prov/win32-tapedrive) |
-[**Win32\_TimeZone**](/windows/win32/cimwin32prov/win32-timezone) | 
+[**Win32\_TimeZone**](/windows/win32/cimwin32prov/win32-timezone) | 
[**Win32\_UninterruptiblePowerSupply**](/previous-versions//aa394503(v=vs.85)) |
[**Win32\_USBController**](/windows/win32/cimwin32prov/win32-usbcontroller) |
-[**Win32\_UTCTime**](/previous-versions/windows/desktop/wmitimepprov/win32-utctime) | 
+[**Win32\_UTCTime**](/previous-versions/windows/desktop/wmitimepprov/win32-utctime) | 
[**Win32\_VideoController**](/windows/win32/cimwin32prov/win32-videocontroller) |
**Win32\_WindowsUpdateAgentVersion** |
diff --git a/windows/client-management/quick-assist.md b/windows/client-management/quick-assist.md
index 6a50151342..acdcd2d268 100644
--- a/windows/client-management/quick-assist.md
+++ b/windows/client-management/quick-assist.md
@@ -57,7 +57,7 @@ Both the helper and sharer must be able to reach these endpoints over port 443:
7. RDP shares the video to the helper over https (port 443) through the RDP relay service to the helper's RDP control. Input is shared from the helper to the sharer through the RDP relay service.
-:::image type="content" source="images/quick-assist-flow.png" lightbox="images/quick-assist-flow.png" alt-text="Schematic flow of connections when a Quick Assist session is established":::
+:::image type="content" source="images/quick-assist-flow.png" lightbox="images/quick-assist-flow.png" alt-text="Schematic flow of connections when a Quick Assist session is established.":::
### Data and privacy
diff --git a/windows/client-management/troubleshoot-inaccessible-boot-device.md b/windows/client-management/troubleshoot-inaccessible-boot-device.md
index e0afd3d480..490b24075a 100644
--- a/windows/client-management/troubleshoot-inaccessible-boot-device.md
+++ b/windows/client-management/troubleshoot-inaccessible-boot-device.md
@@ -119,7 +119,7 @@ To verify the BCD entries:
> [!NOTE]
> If the computer is UEFI-based, the file path value that's specified in the **path** parameter of **{bootmgr}** and **{default}** contains an **.efi** extension.
- 
+ 
If any of the information is wrong or missing, we recommend that you create a backup of the BCD store. To do this, run `bcdedit /export C:\temp\bcdbackup`. This command creates a backup in **C:\\temp\\** that's named **bcdbackup**. To restore the backup, run `bcdedit /import C:\temp\bcdbackup`. This command overwrites all BCD settings by using the settings in **bcdbackup**.
@@ -179,11 +179,11 @@ Dism /Image:: /Get-packages
After you run this command, you'll see the **Install pending** and **Uninstall Pending** packages:
-
+
1. Run the `dism /Image:C:\ /Cleanup-Image /RevertPendingActions` command. Replace **C:** with the system partition for your computer.
- 
+ 
2. Navigate to ***OSdriveLetter*:\Windows\WinSxS**, and then check whether the **pending.xml** file exists. If it does, rename it to **pending.xml.old**.
@@ -193,14 +193,14 @@ After you run this command, you'll see the **Install pending** and **Uninstall P
5. Navigate to ***OSdriveLetter*:\Windows\System32\config**, select the file that's named **COMPONENT** (with no extension), and then select **Open**. When you're prompted, enter the name **OfflineComponentHive** for the new hive.
- 
+ 
6. Expand **HKEY_LOCAL_MACHINE\OfflineComponentHive**, and check whether the **PendingXmlIdentifier** key exists. Create a backup of the **OfflineComponentHive** key, and then delete the **PendingXmlIdentifier** key.
7. Unload the hive. To do this, highlight **OfflineComponentHive**, and then select **File** > **Unload hive**.
> [!div class="mx-imgBorder"]
- > 
+ > 
8. Select **HKEY_LOCAL_MACHINE**, go to **File** > **Load Hive**, navigate to ***OSdriveLetter*:\Windows\System32\config**, select the file that's named **SYSTEM** (with no extension), and then select **Open**. When you're prompted, enter the name **OfflineSystemHive** for the new hive.
@@ -256,7 +256,7 @@ Check whether there are any non-Microsoft upper and lower filter drivers on the
\Control\Class\\{71A27CDD-812A-11D0-BEC7-08002BE2092F}
> [!div class="mx-imgBorder"]
- > 
+ > 
If an **UpperFilters** or **LowerFilters** entry is non-standard (for example, it's not a Windows default filter driver, such as PartMgr), remove the entry. To remove it, double-click it in the right pane, and then delete only that value.
@@ -274,8 +274,8 @@ Check whether there are any non-Microsoft upper and lower filter drivers on the
* `chkdsk /f /r OsDrive:`
- 
+ 
* `sfc /scannow /offbootdir=OsDrive:\ /offwindir=OsDrive:\Windows`
- 
+ 
diff --git a/windows/client-management/troubleshoot-stop-errors.md b/windows/client-management/troubleshoot-stop-errors.md
index 454101462a..390add3169 100644
--- a/windows/client-management/troubleshoot-stop-errors.md
+++ b/windows/client-management/troubleshoot-stop-errors.md
@@ -165,13 +165,13 @@ You can use the tools such as Windows Software Development KIT (SDK) and Symbols
6. Click on **Open Crash Dump**, and then open the memory.dmp file that you copied. See the example below.
- 
+ 
7. There should be a link that says **!analyze -v** under **Bugcheck Analysis**. Click that link. This will enter the command !analyze -v in the prompt at the bottom of the page.
8. A detailed bugcheck analysis will appear. See the example below.
- 
+ 
9. Scroll down to the section where it says **STACK_TEXT**. There will be rows of numbers with each row followed by a colon and some text. That text should tell you what DLL is causing the crash and if applicable what service is crashing the DLL.
diff --git a/windows/client-management/troubleshoot-tcpip-connectivity.md b/windows/client-management/troubleshoot-tcpip-connectivity.md
index 77e524634d..10ae554304 100644
--- a/windows/client-management/troubleshoot-tcpip-connectivity.md
+++ b/windows/client-management/troubleshoot-tcpip-connectivity.md
@@ -44,17 +44,17 @@ If the initial TCP handshake is failing because of packet drops, then you would
Source side connecting on port 445:
-
+
Destination side: applying the same filter, you do not see any packets.
-
+
For the rest of the data, TCP will retransmit the packets five times.
**Source 192.168.1.62 side trace:**
-
+
**Destination 192.168.1.2 side trace:**
@@ -79,15 +79,15 @@ In the below screenshots, you see that the packets seen on the source and the de
**Source Side**
-
+
**On the destination-side trace**
-
+
You also see an ACK+RST flag packet in a case when the TCP establishment packet SYN is sent out. The TCP SYN packet is sent when the client wants to connect on a particular port, but if the destination/server for some reason does not want to accept the packet, it would send an ACK+RST packet.
-
+
The application that's causing the reset (identified by port numbers) should be investigated to understand what is causing it to reset the connection.
@@ -110,8 +110,8 @@ auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /fai
You can then review the Security event logs to see for a packet drop on a particular port-IP and a filter ID associated with it.
-
+
Now, run the command `netsh wfp show state`, this will generate a wfpstate.xml file. After you open this file and filter for the ID that you find in the above event (2944008), you'll be able to see a firewall rule name that's associated with this ID that's blocking the connection.
-
+
diff --git a/windows/client-management/troubleshoot-tcpip-netmon.md b/windows/client-management/troubleshoot-tcpip-netmon.md
index b432191920..daa23de8b1 100644
--- a/windows/client-management/troubleshoot-tcpip-netmon.md
+++ b/windows/client-management/troubleshoot-tcpip-netmon.md
@@ -21,7 +21,7 @@ In this topic, you will learn how to use Microsoft Network Monitor 3.4, which is
To get started, [download Network Monitor tool](https://www.microsoft.com/download/details.aspx?id=4865). When you install Network Monitor, it installs its driver and hooks it to all the network adapters installed on the device. You can see the same on the adapter properties, as shown in the following image:
-
+
When the driver gets hooked to the network interface card (NIC) during installation, the NIC is reinitialized, which might cause a brief network glitch.
@@ -29,15 +29,15 @@ When the driver gets hooked to the network interface card (NIC) during installat
1. Run netmon in an elevated status by choosing Run as Administrator.
- 
+ 
2. Network Monitor opens with all network adapters displayed. Select the network adapters where you want to capture traffic, click **New Capture**, and then click **Start**.
- 
+ 
3. Reproduce the issue, and you will see that Network Monitor grabs the packets on the wire.
- 
+ 
4. Select **Stop**, and go to **File > Save as** to save the results. By default, the file will be saved as a ".cap" file.
diff --git a/windows/client-management/troubleshoot-tcpip-port-exhaust.md b/windows/client-management/troubleshoot-tcpip-port-exhaust.md
index ca8551b1dd..4c1e8b1b7f 100644
--- a/windows/client-management/troubleshoot-tcpip-port-exhaust.md
+++ b/windows/client-management/troubleshoot-tcpip-port-exhaust.md
@@ -58,19 +58,19 @@ Since outbound connections start to fail, you will see a lot of the below behavi
- Unable to sign in to the machine with domain credentials, however sign-in with local account works. Domain sign-in will require you to contact the DC for authentication which is again an outbound connection. If you have cache credentials set, then domain sign-in might still work.
- 
+ 
- Group Policy update failures:
- 
+ 
- File shares are inaccessible:
- 
+ 
- RDP from the affected server fails:
- 
+ 
- Any other application running on the machine will start to give out errors
@@ -84,15 +84,15 @@ If you suspect that the machine is in a state of port exhaustion:
a. **Event ID 4227**
- 
+ 
b. **Event ID 4231**
- 
+ 
3. Collect a `netstat -anob` output from the server. The netstat output will show you a huge number of entries for TIME_WAIT state for a single PID.
- 
+ 
After a graceful closure or an abrupt closure of a session, after a period of 4 minutes (default), the port used the process or application would be released back to the available pool. During this 4 minutes, the TCP connection state will be TIME_WAIT state. In a situation where you suspect port exhaustion, an application or process will not be able to release all the ports that it has consumed and will remain in the TIME_WAIT state.
@@ -136,7 +136,7 @@ If method 1 does not help you identify the process (prior to Windows 10 and Wind
1. Add a column called “handles” under details/processes.
2. Sort the column handles to identify the process with the highest number of handles. Usually the process with handles greater than 3000 could be the culprit except for processes like System, lsass.exe, store.exe, sqlsvr.exe.
- 
+ 
3. If any other process than these has a higher number, stop that process and then try to login using domain credentials and see if it succeeds.
@@ -157,7 +157,7 @@ Steps to use Process explorer:
File \Device\AFD
- 
+ 
10. Some are normal, but large numbers of them are not (hundreds to thousands). Close the process in question. If that restores outbound connectivity, then you have further proven that the app is the cause. Contact the vendor of that app.
diff --git a/windows/client-management/troubleshoot-tcpip-rpc-errors.md b/windows/client-management/troubleshoot-tcpip-rpc-errors.md
index 37b4dfa002..ba02501c81 100644
--- a/windows/client-management/troubleshoot-tcpip-rpc-errors.md
+++ b/windows/client-management/troubleshoot-tcpip-rpc-errors.md
@@ -16,7 +16,7 @@ manager: dansimp
You might encounter an **RPC server unavailable** error when connecting to Windows Management Instrumentation (WMI), SQL Server, during a remote connection, or for some Microsoft Management Console (MMC) snap-ins. The following image is an example of an RPC error.
-
+
This is a commonly encountered error message in the networking world and one can lose hope very fast without trying to understand much, as to what is happening ‘under the hood’.
@@ -37,7 +37,7 @@ Before getting in to troubleshooting the *RPC server unavailable- error
Client A wants to execute some functions or wants to make use of a service running on the remote server, will first establish the connection with the Remote Server by doing a three-way handshake.
-
+
RPC ports can be given from a specific range as well.
### Configure RPC dynamic port allocation
@@ -162,13 +162,13 @@ Open the traces in [Microsoft Network Monitor 3.4](troubleshoot-tcpip-netmon.md)
- Now check if you are getting a response from the server. If you get a response, note the dynamic port number that you have been allocated to use.
- 
+ 
- Check if we are connecting successfully to this Dynamic port successfully.
- The filter should be something like this: `tcp.port==` and `ipv4.address==`
- 
+ 
This should help you verify the connectivity and isolate if any network issues are seen.
@@ -177,7 +177,7 @@ This should help you verify the connectivity and isolate if any network issues a
The most common reason why we would see the RPC server unavailable is when the dynamic port that the client tries to connect is not reachable. The client side trace would then show TCP SYN retransmits for the dynamic port.
-
+
The port cannot be reachable due to one of the following reasons:
diff --git a/windows/client-management/windows-version-search.md b/windows/client-management/windows-version-search.md
index 29a781be98..16c416a9cd 100644
--- a/windows/client-management/windows-version-search.md
+++ b/windows/client-management/windows-version-search.md
@@ -22,27 +22,27 @@ Click **Start** > **Settings** > **System** > click **About** from the bottom of
You'll now see **Edition**, **Version**, and **OS Build** information. Something like this:
-
+
## Using Keyword Search
You can simply type the following in the search bar and press **ENTER** to see version details for your device.
**“winver”**
-
+
**“msinfo”** or **"msinfo32"** to open **System Information**:
-
+
## Using Command Prompt or PowerShell
At the Command Prompt or PowerShell interface, type **"systeminfo | findstr /B /C:"OS Name" /B /C:"OS Version"** and then press **ENTER**
-
+
At the Command Prompt or PowerShell, type **"slmgr /dlv"**, and then press ENTER. The /dlv command displays the detailed licensing information. Notice the output displays "EnterpriseS" as seen in the image below:
-
+
## What does it all mean?
diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md
index 15407ebc50..5f433844ac 100644
--- a/windows/configuration/configure-windows-10-taskbar.md
+++ b/windows/configuration/configure-windows-10-taskbar.md
@@ -31,7 +31,7 @@ The order of apps in the XML file dictates the order of pinned apps on the taskb
The following example shows how apps will be pinned: Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using the XML file to the right (green square).
-
+
## Configure taskbar (general)
@@ -142,11 +142,11 @@ The `` section will append listed apps to the tas
```
**Before:**
-
+
**After:**
- 
+ 
## Remove default apps and add your own
@@ -175,11 +175,11 @@ If you only want to remove some of the default pinned apps, you would use this m
```
**Before:**
-
+
**After:**
-
+
## Remove default apps
@@ -250,15 +250,15 @@ The following example shows you how to configure taskbars by country or region.
When the preceding example XML file is applied, the resulting taskbar for computers in the US or UK:
-
+
The resulting taskbar for computers in Germany or France:
-
+
The resulting taskbar for computers in any other country region:
-
+
> [!NOTE]
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-crm.md b/windows/configuration/cortana-at-work/cortana-at-work-crm.md
index e8a0cdee55..1190119050 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-crm.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-crm.md
@@ -19,7 +19,7 @@ Cortana integration is a Preview feature that's available for your test or dev e
>[!NOTE]
>For more info about Dynamics CRM integration, how to turn on Cortana, and how to provide feedback, see [Preview feature: Set up Cortana integration](https://go.microsoft.com/fwlink/p/?LinkId=746819).
-
+
## Turn on Cortana with Dynamics CRM in your organization
You must be a CRM administrator to turn on and use Preview features. For more info about what Preview features are and how to use them, see [What are Preview features and how do I enable them](https://go.microsoft.com/fwlink/p/?LinkId=746817)?
@@ -43,7 +43,7 @@ You must tell your employees to turn on Cortana, before they’ll be able to use
2. Click on **Connected Services**, click **Dynamics CRM**, and then click **Connect**.
- 
+ 
The employee can also disconnect by clicking **Disconnect** from the **Dynamics CRM** screen.
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
index 65919eb8e8..481cb27659 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
@@ -48,35 +48,35 @@ Before you can start this testing scenario, you must first set up your test envi
2. Expand the left rail by clicking the **Show the navigation pane** icon.
- 
+ 
3. Click **Get Data** from the left-hand navigation in Power BI.
- 
+ 
4. Click **Samples** from the **Content Pack Library** area of the **Get Data** screen.
- 
+ 
5. Click **Retail Analysis Sample**, and then click **Connect**.
- 
+ 
The sample data is imported and you’re returned to the **Power BI** screen.
6. Click **Dashboards** from the left pane of the **Power BI** screen, and then click **Retail Analysis Sample**.
- 
+ 
7. In the upper right-hand menu, click the **Settings** icon, and then click **Settings**.
- 
+ 
8. Click the **Datasets** tab, and then pick the **Retail Analysis Sample** dataset from the list.
9. Click **Q&A and Cortana**, check the **Allow Cortana to access this dataset** box, and then click **Apply**.
- 
+ 
>[!NOTE]
>It can take up to 30 minutes for a new dataset to appear for Power BI and Cortana. Logging in and out of Windows 10, or otherwise restarting Cortana, causes the new content to appear immediately.If you enable a dataset for Cortana, and that dataset is part of a content pack you own, you’ll need to re-publish for your colleagues to also use it with Cortana.
@@ -92,7 +92,7 @@ After you’ve finished creating your Answer Page, you can continue to the inclu
**To create a custom sales data Answer Page for Cortana**
1. In Power BI, click **My Workspace**, click **Create**, and then click **Report**.
- 
+ 
2. In the **Create Report** screen, click the **Retail Analysis Sample**, and then click **Create**.
@@ -100,11 +100,11 @@ After you’ve finished creating your Answer Page, you can continue to the inclu
3. In the **Visualizations** pane, click the paint roller icon, expand **Page Size**, and then pick **Cortana** from the **Type** drop-down list.
- 
+ 
4. In the **Fields** pane, click to expand **Sales**, expand **This year sales**, and then add both **Value** and **Goal**.
- 
+ 
The automatically generated graph is added to your blank report. You have the option to change colors, add borders, add additional visualizations, and modify this page so that it answers the question about sales data as precisely, and in as custom a way, as you want. You just need to make sure that it all stays within the page borders.
@@ -112,7 +112,7 @@ After you’ve finished creating your Answer Page, you can continue to the inclu
The alternate names help Cortana to know what questions to look for and when to show this report. To also improve your results, you should avoid using the names of your report columns.
- 
+ 
6. Click **File**, click **Save as**, and save the report as _Sales data 2016_.
@@ -128,13 +128,13 @@ Now that you’ve set up your device, you can use Cortana to show your info from
Cortana shows you the available results.
- 
+ 
3. In the **Power BI** area, click **This year in sales – in Retail Analysis Sample**.
Cortana returns your custom report.
- 
+ 
>[!NOTE]
>For more info about how to connect your own data, build your own custom Power BI cards and Answer Pages for Cortana, and how to share the cards with everyone in your organization, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/documentation/powerbi-service-cortana-desktop-entity-cards/).
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
index 478aeb7938..c701623a88 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
@@ -49,7 +49,7 @@ While these aren't line-of-business apps, we've worked to make sure to implement
2. Click on **Connected Services**, click **Uber**, and then click **Connect**.
- 
+ 
**To use the voice-enabled commands with Cortana**
1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box).
diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md
index 601ad70810..f50e213ce8 100644
--- a/windows/configuration/customize-and-export-start-layout.md
+++ b/windows/configuration/customize-and-export-start-layout.md
@@ -161,7 +161,7 @@ When you have the Start layout that you want your users to see, use the [Export-
A partial Start layout enables you to add one or more customized tile groups to users' Start screens or menus, while still allowing users to make changes to other parts of the Start layout. All groups that you add are *locked*, meaning users cannot change the contents of those tile groups, however users can change the location of those groups. Locked groups are identified with an icon, as shown in the following image.
-
+
When a partial Start layout is applied for the first time, the new groups are added to the users' existing Start layouts. If an app tile is in both an existing group and in a new locked group, the duplicate app tile is removed from the existing (unlocked) group.
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
index 12f62c8444..7b7dcaed64 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
@@ -92,13 +92,13 @@ This procedure adds the customized Start and taskbar layout to the user configur
2. Go to **User Configuration** or **Computer Configuration** > **Administrative Templates** >**Start Menu and Taskbar**.
- 
+ 
3. Right-click **Start Layout** in the right pane, and click **Edit**.
This opens the **Start Layout** policy settings.
- 
+ 
4. Enter the following settings, and then click **OK**:
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
index ea856b24cd..42b70e6248 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
@@ -87,7 +87,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
7. Open the customizations.xml file in a text editor. The **<Customizations>** section will look like this:
- 
+ 
7. Replace **layout.xml** with the text from the layout.xml file, [with markup characters replaced with escape characters](#escape).
diff --git a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
index aa195fb89f..f5540c6ddd 100644
--- a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
+++ b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
@@ -50,7 +50,7 @@ To get the names and AUMIDs for all apps installed for the current user, perform
3. In the **Choose Details** window, select **AppUserModelId**, and then select **OK**. (You might need to change the **View** setting from **Tiles** to **Details**.)
-
+
## To find the AUMID of an installed app for the current user by using the registry
diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md
index bd502511d7..9efa2b652d 100644
--- a/windows/configuration/kiosk-methods.md
+++ b/windows/configuration/kiosk-methods.md
@@ -24,13 +24,13 @@ Some desktop devices in an enterprise serve a special purpose, such as a PC in t
A single-app kiosk is ideal for public use. Using [Shell Launcher](kiosk-shelllauncher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk does not run above the lockscreen.
- 
+ 
- **A multi-app kiosk**, which runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the tiles for the apps that are allowed. With this approach, you can configure a locked-down experience for different account types.
A multi-app kiosk is appropriate for devices that are shared by multiple people. When you configure a multi-app kiosk, [specific policies are enforced](kiosk-policies.md) that will affect **all** non-administrator users on the device.
- 
+ 
Kiosk configurations are based on **Assigned Access**, a feature in Windows 10 that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user.
@@ -38,25 +38,25 @@ There are several kiosk configuration methods that you can choose from, dependin
- **Which type of app will your kiosk run?**
- 
+ 
Your kiosk can run a Universal Windows Platform (UWP) app or a Windows desktop application. For [digital signage](setup-digital-signage.md), simply select a digital sign player as your kiosk app. [Check out the guidelines for kiosk apps.](guidelines-for-assigned-access-app.md)
- **Which type of kiosk do you need?**
- 
+ 
If you want your kiosk to run a single app for anyone to see or use, consider a single-app kiosk that runs either a [Universal Windows Platform (UWP) app](#uwp) or a [Windows desktop application](#classic). For a kiosk that people can sign in to with their accounts or that runs more than one app, choose [a multi-app kiosk](#desktop).
- **Which edition of Windows 10 will the kiosk run?**
- 
+ 
All of the configuration methods work for Windows 10 Enterprise and Education; some of the methods work for Windows 10 Pro. Kiosk mode is not available on Windows 10 Home.
- **Which type of user account will be the kiosk account?**
- 
+ 
The kiosk account can be a local standard user account, a local administrator account, a domain account, or an Azure Active Directory (Azure AD) account, depending on the method that you use to configure the kiosk. If you want people to sign in and authenticate on the device, you should use a multi-app kiosk configuration. The single-app kiosk configuration doesn't require people to sign in to the device, although they can sign in to the kiosk app if you select an app that has a sign-in method.
diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md
index 154b35c3d0..ba1aaa2b58 100644
--- a/windows/configuration/kiosk-prepare.md
+++ b/windows/configuration/kiosk-prepare.md
@@ -54,7 +54,7 @@ Disable removable media. | Go to **Group Policy Editor** > **Computer Con
Logs can help you [troubleshoot issues](./kiosk-troubleshoot.md) kiosk issues. Logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default.
-
+
## Automatic logon
@@ -257,7 +257,7 @@ A single-app kiosk configuration runs an app above the lock screen. It doesn't w
When you connect to a VM configured as a single-app kiosk, you need a *basic* session rather than an enhanced session. In the following image, notice that **Enhanced session** is not selected in the **View** menu; that means it's a basic session.
-
+
To connect to a VM in a basic session, do not select **Connect** in the connection dialog, as shown in the following image, but instead, select the **X** button in the upper-right corner to cancel the dialog.
diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk-shelllauncher.md
index f510b637bd..73e724bd75 100644
--- a/windows/configuration/kiosk-shelllauncher.md
+++ b/windows/configuration/kiosk-shelllauncher.md
@@ -137,7 +137,7 @@ The OMA-URI path is `./Device/Vendor/MSFT/AssignedAccess/ShellLauncher`.
For the value, you can select data type `String` and paste the desired configuration file content into the value box. If you wish to upload the xml instead of pasting the content, choose data type `String (XML file)`.
-
+
After you configure the profile containing the custom Shell Launcher setting, select **All Devices** or selected groups of devices to apply the profile to. Don't assign the profile to users or user groups.
diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md
index 8baee6a466..eac49be093 100644
--- a/windows/configuration/kiosk-single-app.md
+++ b/windows/configuration/kiosk-single-app.md
@@ -24,7 +24,7 @@ ms.topic: article
A single-app kiosk uses the Assigned Access feature to run a single app above the lockscreen. When the kiosk account signs in, the app is launched automatically. The person using the kiosk cannot do anything on the device outside of the kiosk app.
-
+
>[!IMPORTANT]
>[User account control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview) must be turned on to enable kiosk mode.
@@ -66,7 +66,7 @@ When your kiosk is a local device that is not managed by Active Directory or Azu
- If you do not want the kiosk account signed in automatically when the device restarts, you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account, go to **Settings** > **Accounts** > **Sign-in options**, and toggle the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device.
-
+
### Instructions for Windows 10, version 1809
@@ -98,7 +98,7 @@ To remove assigned access, select the account tile on the **Set up a kiosk** pag
When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows 10, version 1803 and earlier, you must select an existing local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10)
-
+
**To set up assigned access in PC settings**
@@ -131,7 +131,7 @@ To remove assigned access, choose **Turn off assigned access and sign out of the
>
>Account type: Local standard user
-
+
You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices.
@@ -191,7 +191,7 @@ Clear-AssignedAccess
>
>Account type: Local standard user, Active Directory
-
+
>[!IMPORTANT]
diff --git a/windows/configuration/kiosk-troubleshoot.md b/windows/configuration/kiosk-troubleshoot.md
index 75781737fb..e34bee8204 100644
--- a/windows/configuration/kiosk-troubleshoot.md
+++ b/windows/configuration/kiosk-troubleshoot.md
@@ -53,7 +53,7 @@ For example:
3. Verify that the configuration XML file is authored and formatted correctly. Correct any configuration errors, then create and apply a new provisioning package. Sign out and sign in again to check the new configuration.
4. Additional logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default.
-
+
### Automatic logon issues
diff --git a/windows/configuration/lock-down-windows-10-applocker.md b/windows/configuration/lock-down-windows-10-applocker.md
index c2221b549a..5c2cfa795b 100644
--- a/windows/configuration/lock-down-windows-10-applocker.md
+++ b/windows/configuration/lock-down-windows-10-applocker.md
@@ -34,7 +34,7 @@ AppLocker rules are organized into collections based on file format. If no AppLo
This topic describes how to lock down apps on a local device. You can also use AppLocker to set rules for applications in a domain by using Group Policy.
-
+
## Install apps
@@ -50,13 +50,13 @@ After you install the desired apps, set up AppLocker rules to only allow specifi
2. Go to **Security Settings** > **Application Control Policies** > **AppLocker**, and select **Configure rule enforcement**.
- 
+ 
3. Check **Configured** under **Executable rules**, and then click **OK**.
4. Right-click **Executable Rules** and then click **Automatically generate rules**.
- 
+ 
5. Select the folder that contains the apps that you want to permit, or select C:\\ to analyze all apps.
@@ -68,7 +68,7 @@ After you install the desired apps, set up AppLocker rules to only allow specifi
9. Read the message and click **Yes**.
- 
+ 
10. (optional) If you want a rule to apply to a specific set of users, right-click on the rule and select **Properties**. Then use the dialog to choose a different user or group of users.
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md
index 702221c085..2bbcd7f1a3 100644
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@@ -81,7 +81,7 @@ Let's start by looking at the basic structure of the XML file.
- A profile has no effect if it’s not associated to a config section.
- 
+ 
You can start your file by pasting the following XML (or any other examples in this topic) into a XML editor, and saving the file as *filename*.xml. Each section of this XML is explained in this topic. You can see a full sample version in the [Assigned access XML reference.](kiosk-xml.md)
@@ -271,7 +271,7 @@ This example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint,
>[!NOTE]
>If an app is not installed for the user but is included in the Start layout XML, the app will not be shown on the Start screen.
-
+
##### Taskbar
@@ -494,7 +494,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
7. In the center pane, click **Browse** to locate and select the assigned access configuration XML file that you created.
- 
+ 
8. (**Optional**: If you want to apply the provisioning package after device initial setup and there is an admin user already available on the kiosk device, skip this step.) Create an admin user account in **Runtime settings** > **Accounts** > **Users**. Provide a **UserName** and **Password**, and select **UserGroup** as **Administrators**. With this account, you can view the provisioning status and logs if needed.
@@ -544,7 +544,7 @@ Provisioning packages can be applied to a device during the first-run experience
1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
- 
+ 
2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
@@ -552,11 +552,11 @@ Provisioning packages can be applied to a device during the first-run experience
3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
- 
+ 
4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
- 
+ 
5. Select **Yes, add it**.
@@ -570,7 +570,7 @@ Provisioning packages can be applied to a device during the first-run experience
>[!NOTE]
>if your provisioning package doesn’t include the assigned access user account creation, make sure the account you specified in the multi-app configuration XML exists on the device.
-
+
### Use MDM to deploy the multi-app configuration
diff --git a/windows/configuration/manage-wifi-sense-in-enterprise.md b/windows/configuration/manage-wifi-sense-in-enterprise.md
index d577b69cff..6dc4c73ddb 100644
--- a/windows/configuration/manage-wifi-sense-in-enterprise.md
+++ b/windows/configuration/manage-wifi-sense-in-enterprise.md
@@ -46,7 +46,7 @@ You can manage your Wi-Fi Sense settings by using Group Policy and your Group Po
1. Open your Group Policy editor and go to the `Computer Configuration\Administrative Templates\Network\WLAN Service\WLAN Settings\Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services` setting.
- 
+ 
2. Turn Wi-Fi Sense on (enabled) or off (disabled), based on your company's environment.
@@ -60,7 +60,7 @@ You can manage your Wi-Fi Sense settings by using registry keys and the Registry
2. Create and set a new **DWORD (32-bit) Value** named, **AutoConnectAllowedOEM**, with a **Value data** of **0 (zero)**.
Setting this value to 0 turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see How to configure Wi-Fi Sense on Windows 10 in an enterprise.
- 
+ 
### Using the Windows Provisioning settings
You can manage your Wi-Fi Sense settings by changing the Windows provisioning setting, **WiFISenseAllowed**.
@@ -81,7 +81,7 @@ If your company still uses Unattend, you can manage your Wi-Fi Sense settings by
### How employees can change their own Wi-Fi Sense settings
If you don’t turn off the ability for your employees to use Wi-Fi Sense, they can turn it on locally by selecting **Settings > Network & Internet > Wi-Fi > Manage Wi-Fi settings**, and then turning on **Connect to suggested open hotspots**.
-
+
**Important**
The service that was used to share networks with Facebook friends, Outlook.com contacts, or Skype contacts is no longer available. This means:
diff --git a/windows/configuration/mobile-devices/lockdown-xml.md b/windows/configuration/mobile-devices/lockdown-xml.md
index ecf485cb1d..87f2b7b7cf 100644
--- a/windows/configuration/mobile-devices/lockdown-xml.md
+++ b/windows/configuration/mobile-devices/lockdown-xml.md
@@ -62,7 +62,7 @@ The settings for the Default role and other roles must be listed in your XML fil
## Action Center
-
+
The Action Center setting controls whether the user can open the Action Center on the device. When the Action Center is disabled, notifications on the lockscreen and toasts are also disabled. You can use optional attributes with the Action Center element to change that behavior for either notifications, toasts, or both.
@@ -92,7 +92,7 @@ The following example is a complete lockdown XML file that disables Action Cente
## Apps
-
+
The Apps setting serves as an allow list and specifies the applications that will be available in the All apps list. Apps that are not included in this setting are hidden from the user and blocked from running.
@@ -110,7 +110,7 @@ The following example makes Outlook Calendar available on the device.
When you list an app, you can also set the app to be pinned to the Start screen by specifying the tile size and location. Tip: draw a grid and mark your app tiles on it to make sure you get the result you want. The width (X axis) in the following example is the limit for Windows 10 Mobile, but the length (Y axis) is unlimited. The number of columns available to you depends on the value for [StartScreenSize](#start-screen-size).
-
+
Tile sizes are:
* Small: 1x1
@@ -152,7 +152,7 @@ In the following example, Outlook Calendar and Outlook Mail are pinned to the St
That layout would appear on a device like this:
-
+
You can create and pin folders to Start by using the Apps setting. Each folder requires a **folderId**, which must be a consecutive positive integer starting with `1`. You can also specify a **folderName** (optional) which will be displayed on Start.
@@ -203,7 +203,7 @@ When an app is contained in a folder, its **PinToStart** configuration (tile siz
## Buttons
-
+
In the Buttons setting, you use ButtonLockdownList to disable hardware buttons and ButtonRemapList to change button events to open an app that you specify.
@@ -213,11 +213,11 @@ When a user taps a button that is in the lockdown list, nothing will happen. The
Button | Press | PressAndHold | All
---|:---:|:---:|:--:|-
-Start |  |  | 
-Back |  |  | 
-Search |  |  | 
-Camera |  |  | 
-Custom 1, 2, and 3 |  |  | 
+Start |  |  | 
+Back |  |  | 
+Search |  |  | 
+Camera |  |  | 
+Custom 1, 2, and 3 |  |  | 
> [!NOTE]
> Custom buttons are hardware buttons that can be added to devices by OEMs.
@@ -270,7 +270,7 @@ In the following example, when a user presses the Search button, the phone diale
## CSPRunner
-
+
You can use CSPRunner to include settings that are not defined in AssignedAccessXML. For example, you can include settings from other sections of EnterpriseAssignedAccess CSP, such as lockscreen, theme, and time zone. You can also include settings from other CSPs, such as [Wi-Fi CSP](/windows/client-management/mdm/wifi-csp) or [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider).
@@ -317,7 +317,7 @@ SyncML entry | Description
## Menu items
-
+
Use DisableMenuItems to prevent use of the context menu, which is displayed when a user presses and holds an application in the All Apps list. You can include this entry in the default profile and in any additional user role profiles that you create.
@@ -329,7 +329,7 @@ Use DisableMenuItems to prevent use of the context menu, which is displayed when
## Settings
-
+
The **Settings** section contains an `allow` list of pages in the Settings app and quick actions. The following example allows all settings.
@@ -363,7 +363,7 @@ For a list of the settings and quick actions that you can allow or block, see [S
## Tiles
- 
+ 
By default, under Assigned Access, tile manipulation is turned off (blocked) and only available if enabled in the user’s profile. If tile manipulation is enabled in the user’s profile, they can pin/unpin, move, and resize tiles based on their preferences. When multiple people use one device and you want to enable tile manipulation for multiple users, you must enable it for each user in their user profile.
@@ -446,7 +446,7 @@ Use the Windows ICD tool included in the Windows Assessment and Deployment Kit (
3. In the center pane, click **Browse** to locate and select the lockdown XML file that you created.
- 
+ 
4. On the **File** menu, select **Save.**
diff --git a/windows/configuration/mobile-devices/mobile-lockdown-designer.md b/windows/configuration/mobile-devices/mobile-lockdown-designer.md
index 68774e0da5..a7d82f6088 100644
--- a/windows/configuration/mobile-devices/mobile-lockdown-designer.md
+++ b/windows/configuration/mobile-devices/mobile-lockdown-designer.md
@@ -16,7 +16,7 @@ manager: dansimp
# Use the Lockdown Designer app to create a Lockdown XML file
-
+
Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. For example, the enterprise can lock down a device so that only applications and settings in an allow list are available. This is accomplished using Lockdown XML, an XML file that contains settings for Windows 10 Mobile.
@@ -55,7 +55,7 @@ Perform these steps on the device running Windows 10 Mobile that you will use to
>[!IMPORTANT]
>Check **Settings > Personalization > Start > Show more tiles** on the test mobile device. If **Show more tiles** is **On**, you must select **Large** on the [**Start screen** page](#start) in Lockdown Designer. If you want to apply a **Small** layout, set **Show more tiles** on the test mobile device to **Off**.
>
->
+>
## Prepare the PC
@@ -89,7 +89,7 @@ If you want to connect the PC and the test mobile device using a USB cable, perf
3. Click **Pair**.
- 
+ 
**Connect to remote device** appears.
@@ -99,7 +99,7 @@ If you want to connect the PC and the test mobile device using a USB cable, perf
6. Next, click **Sync** to pull information from the device in to Lockdown Designer.
- 
+ 
7. Click the **Save** icon and enter a name for your project.
@@ -113,7 +113,7 @@ If you want to connect the PC and the test mobile device using a USB cable, perf
3. On the **Project setting** > **General settings** page, click **Pair**.
- 
+ 
**Connect to remote device** appears.
@@ -123,7 +123,7 @@ If you want to connect the PC and the test mobile device using a USB cable, perf
6. Next, click **Sync** to pull information from the device in to Lockdown Designer.
- 
+ 
7. Click the **Save** icon and enter a name for your project.
@@ -134,13 +134,13 @@ The apps and settings available in the pages of Lockdown Designer should now be
| Page | Description |
| --- | --- |
-|  | Each app from the test mobile device is listed. Select the apps that you want visible to users.You can select an app to run automatically when a user signs in to the device. The **Select Auto-Run** menu is populated by the apps that you select to allow on the device. |
-|  | CSPRunner enables you to include settings and policies that are not defined in other sections of the app. To make use of CSPRunner, you must create the SyncML block that contains the settings, and then import the SyncML in Lockdown Designer. [Learn how to use CSPRunner and author SyncML.](lockdown-xml.md#csprunner) |
-|  | On this page, you select the settings that you want visible to users. See the [ms settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to see which Settings page maps to a URI. |
-|  | On this page, you select the settings that you want visible to users. |
-|  | Each hardware button on a mobile device has different actions that can be disabled. In addition, the behavior for **Search** button can be changed to open an app other than **Search**.Some devices may have additional hardware buttons provided by the OEM. These are listed as Custom1, Custom2, and Custom3. If your device has custom hardware buttons, contact your equipment provider to identify how their custom buttons are defined. |
-|  | This page contains several settings that you can configure:- The context menu is displayed when a user presses and holds an application in the All Apps list. You can enable or disable the context menu.- Tile manipulation allows users to pin, unpin, move, and resize tiles on the Start screen. You can enable or disable tile manipulation.- The Action Center setting controls whether the user can open the Action Center on the device. When the Action Center is disabled, notifications on the lockscreen and toasts are also disabled. You can use optional attributes with the Action Center element to change that behavior for either notifications, toasts, or both. |
-|  | On this page, you can start a remote simulation session with the test mobile device. Click **Start remote simulation**. You will see a **Start screen remote simulation in progress** message on the PC. (If the **Start remote simulation** button is not active, [pair the mobile device with the PC again](#pair).)On the test mobile device, tiles for the apps that you allowed on the **Applications** page are displayed on the screen. You can move, resize, or unpin these tiles to achieve the desired layout.When you are done changing the layout on the test mobile device, click **Accept** on the PC. |
+|  | Each app from the test mobile device is listed. Select the apps that you want visible to users.You can select an app to run automatically when a user signs in to the device. The **Select Auto-Run** menu is populated by the apps that you select to allow on the device. |
+|  | CSPRunner enables you to include settings and policies that are not defined in other sections of the app. To make use of CSPRunner, you must create the SyncML block that contains the settings, and then import the SyncML in Lockdown Designer. [Learn how to use CSPRunner and author SyncML.](lockdown-xml.md#csprunner) |
+|  | On this page, you select the settings that you want visible to users. See the [ms settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to see which Settings page maps to a URI. |
+|  | On this page, you select the settings that you want visible to users. |
+|  | Each hardware button on a mobile device has different actions that can be disabled. In addition, the behavior for **Search** button can be changed to open an app other than **Search**.Some devices may have additional hardware buttons provided by the OEM. These are listed as Custom1, Custom2, and Custom3. If your device has custom hardware buttons, contact your equipment provider to identify how their custom buttons are defined. |
+|  | This page contains several settings that you can configure:- The context menu is displayed when a user presses and holds an application in the All Apps list. You can enable or disable the context menu.- Tile manipulation allows users to pin, unpin, move, and resize tiles on the Start screen. You can enable or disable tile manipulation.- The Action Center setting controls whether the user can open the Action Center on the device. When the Action Center is disabled, notifications on the lockscreen and toasts are also disabled. You can use optional attributes with the Action Center element to change that behavior for either notifications, toasts, or both. |
+|  | On this page, you can start a remote simulation session with the test mobile device. Click **Start remote simulation**. You will see a **Start screen remote simulation in progress** message on the PC. (If the **Start remote simulation** button is not active, [pair the mobile device with the PC again](#pair).)On the test mobile device, tiles for the apps that you allowed on the **Applications** page are displayed on the screen. You can move, resize, or unpin these tiles to achieve the desired layout.When you are done changing the layout on the test mobile device, click **Accept** on the PC. |
## Validate and export
@@ -169,4 +169,4 @@ You can create additional roles for the device and have unique configurations fo
4. Configure the settings for the role as above, but make sure on each page that you select the correct role.
- 
\ No newline at end of file
+ 
\ No newline at end of file
diff --git a/windows/configuration/mobile-devices/provisioning-configure-mobile.md b/windows/configuration/mobile-devices/provisioning-configure-mobile.md
index 1d321fd9cb..ebd4218503 100644
--- a/windows/configuration/mobile-devices/provisioning-configure-mobile.md
+++ b/windows/configuration/mobile-devices/provisioning-configure-mobile.md
@@ -66,13 +66,13 @@ You can apply a provisioning package to a device running Windows 10 Mobile by us
1. Insert an SD card containing the provisioning package into the device.
2. Navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install.
- 
+ 
3. Click **Add**.
4. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**.
- 
+ 
### Copying the provisioning package to the device
@@ -82,7 +82,7 @@ You can apply a provisioning package to a device running Windows 10 Mobile by us
3. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**.
- 
+ 
## Related topics
diff --git a/windows/configuration/mobile-devices/provisioning-nfc.md b/windows/configuration/mobile-devices/provisioning-nfc.md
index 571a1488af..42ff3ff229 100644
--- a/windows/configuration/mobile-devices/provisioning-nfc.md
+++ b/windows/configuration/mobile-devices/provisioning-nfc.md
@@ -31,7 +31,7 @@ All Windows 10 Mobile Enterprise and Windows 10 Mobile images have the NFC provi
On all Windows devices, device provisioning during OOBE can be triggered by 5 fast taps on the Windows hardware key, which shows the **Provision this device** screen. In the **Provision this device** screen, select **NFC** for NFC-based provisioning.
-
+
If there is an error during NFC provisioning, the device will show a message if any of the following errors occur:
diff --git a/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md b/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md
index 711f3cfc4e..a265a544e3 100644
--- a/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md
+++ b/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md
@@ -168,28 +168,28 @@ Apps Corner lets you set up a custom Start screen on your Windows 10 Mobile or
**To set up Apps Corner**
-1. On Start , swipe over to the App list, then tap **Settings**  > **Accounts** > **Apps Corner**.
+1. On Start , swipe over to the App list, then tap **Settings**  > **Accounts** > **Apps Corner**.
-2. Tap **Apps**, tap to select the app that you want people to use in the kiosk mode, and then tap done .
+2. Tap **Apps**, tap to select the app that you want people to use in the kiosk mode, and then tap done .
-3. If your phone doesn't already have a lock screen password, you can set one now to ensure that people can't get to your Start screen from Apps Corner. Tap **Protect my phone with a password**, click **Add**, type a PIN in the **New PIN** box, type it again in the **Confirm PIN** box, and then tap **OK**. Press **Back**  to the Apps Corner settings.
+3. If your phone doesn't already have a lock screen password, you can set one now to ensure that people can't get to your Start screen from Apps Corner. Tap **Protect my phone with a password**, click **Add**, type a PIN in the **New PIN** box, type it again in the **Confirm PIN** box, and then tap **OK**. Press **Back**  to the Apps Corner settings.
4. Turn **Action center** on or off, depending on whether you want people to be able to use these features when using the device in kiosk mode.
5. Tap **advanced**, and then turn features on or off, depending on whether you want people to be able to use them.
-6. Press **Back**  when you're done.
+6. Press **Back**  when you're done.
**To use Apps Corner**
-1. On Start , swipe over to the App list, then tap **Settings**  > **Accounts** > **Apps Corner** > launch .
+1. On Start , swipe over to the App list, then tap **Settings**  > **Accounts** > **Apps Corner** > launch .
>[!TIP]
>Want to get to Apps Corner with one tap? In **Settings**, tap **Apps Corner** > **pin** to pin the Apps Corner tile to your Start screen.
2. Give the device to someone else, so they can use the device and only the one app you chose.
-3. When they're done and you get the device back, press and hold Power , and then swipe right to exit Apps Corner.
+3. When they're done and you get the device back, press and hold Power , and then swipe right to exit Apps Corner.
## Related topics
diff --git a/windows/configuration/mobile-devices/start-layout-xml-mobile.md b/windows/configuration/mobile-devices/start-layout-xml-mobile.md
index 41fc17fe04..858de39174 100644
--- a/windows/configuration/mobile-devices/start-layout-xml-mobile.md
+++ b/windows/configuration/mobile-devices/start-layout-xml-mobile.md
@@ -36,7 +36,7 @@ On Windows 10 Mobile, the customized Start works by:
The following diagrams show the default Windows 10, version 1607 Start layouts for single SIM and dual SIM devices with Cortana support, and single SIM and dual SIM devices with no Cortana support.
-
+
The diagrams show:
diff --git a/windows/configuration/provisioning-apn.md b/windows/configuration/provisioning-apn.md
index 326ea5b8b8..a8d47b38e2 100644
--- a/windows/configuration/provisioning-apn.md
+++ b/windows/configuration/provisioning-apn.md
@@ -53,11 +53,11 @@ For users who work in different locations, you can configure one APN to connect
5. Enter a name for the connection, and then click **Add**.
- 
+ 
6. The connection appears in the **Available customizations** pane. Select it to view the settings that you can configure for the connection.
- 
+ 
7. The following table describes the settings available for the connection.
diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
index 67c28a8b90..38d6791423 100644
--- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
+++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
@@ -38,7 +38,7 @@ Each CSP provides access to specific settings. For example, the [Wi-Fi CSP](/win
CSPs are behind many of the management tasks and policies for Windows 10, both in Microsoft Intune and in non-Microsoft MDM service providers. For example, in Intune, the policy to allow search suggestions in the Microsoft Edge address bar uses **Browser/AllowSearchSuggestionsinAddressBar** in the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider).
-
+
CSPs receive configuration policies in the XML-based Synchronization Markup Language (SyncML) format, pushed from an MDM-compliant management server, such as Microsoft Intune. Traditional enterprise management systems, such as Microsoft Endpoint Configuration Manager, can also target CSPs, by using a client-side Windows Management Instrumentation (WMI)-to-CSP Bridge.
@@ -66,7 +66,7 @@ You can use Windows Configuration Designer to create [provisioning packages](./p
Many settings in Windows Configuration Designer will display documentation for that setting in the center pane, and will include a reference to the CSP if the setting uses one, as shown in the following image.
-
+
[Provisioning packages in Windows 10](provisioning-packages.md) explains how to use the Windows Configuration Designer tool to create a runtime provisioning package.
@@ -86,7 +86,7 @@ All CSPs in Windows 10 are documented in the [Configuration service provider ref
The [main CSP topic](/windows/client-management/mdm/configuration-service-provider-reference) tells you which CSPs are supported on each edition of Windows 10, and links to the documentation for each individual CSP.
-
+
The documentation for each CSP follows the same structure. After an introduction that explains the purpose of the CSP, a diagram shows the parts of the CSP in tree format.
@@ -94,7 +94,7 @@ The full path to a specific configuration setting is represented by its Open Mob
The following example shows the diagram for the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). The diagram maps to the XML for that CSP. Notice the different shapes in the diagram: rounded elements are nodes, and rectangular elements are settings or policies for which a value must be supplied.
-
+
The element in the tree diagram after the root node tells you the name of the CSP. Knowing this structure, you would recognize in XML the parts of the URI path for that CSP and, if you saw it in XML, you would know which CSP reference to look up. For example, in the following OMS-URI path for the kiosk mode app settings, you can see that it uses the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp).
@@ -104,7 +104,7 @@ The element in the tree diagram after the root node tells you the name of the CS
When an element in the diagram uses _italic_ font, it indicates a placeholder for specific information, such as the tenant ID in the following example.
-
+
After the diagram, the documentation describes each element. For each policy or setting, the valid values are listed.
diff --git a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
index 38b7e01c09..818a935488 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
@@ -58,7 +58,7 @@ Provisioning packages can include management instructions and policies, installa
> [!TIP]
> Use the desktop wizard to create a package with the common settings, then switch to the advanced editor to add other settings, apps, policies, etc.
>
->
+>
## Create the provisioning package
@@ -68,11 +68,11 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
2. Click **Provision desktop devices**.
- 
+ 
3. Name your project and click **Finish**. The pages for desktop provisioning will walk you through the following steps.
- 
+ 
> [!IMPORTANT]
> When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md
index a71916bfab..68cfcc37af 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md
@@ -46,7 +46,7 @@ Use the Windows Imaging and Configuration Designer (ICD) tool included in the Wi
2. Click **Advanced provisioning**.
- 
+ 
3. Name your project and click **Next**.
@@ -73,19 +73,19 @@ Universal apps that you can distribute in the provisioning package can be line-o
2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Microsoft Store for Business, the package family name is listed in the **Package details** section of the download page.
- 
+ 
3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle).
4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page.
- 
+ 
5. For **DeviceContextAppLicense**, enter the **LicenseProductID**.
- In Microsoft Store for Business, generate the unencoded license for the app on the app's download page, and change the extension of the license file from **.xml** to **.ms-windows-store-license**.
- 
+ 
- Open the license file and search for **LicenseID=** to get the GUID, enter the GUID in the **LicenseProductID** field and click **Add**.
diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
index cca8b46be8..f6f7f9876b 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
@@ -74,11 +74,11 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate
2. Enter a name for the first app, and then click **Add**.
- 
+ 
3. Configure the settings for the appropriate installer type.
- 
+ 
## Add a universal app to your package
@@ -88,19 +88,19 @@ Universal apps that you can distribute in the provisioning package can be line-o
2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Microsoft Store for Business, the package family name is listed in the **Package details** section of the download page.
- 
+ 
3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle).
4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page.
- 
+ 
5. For **DeviceContextAppLicense**, enter the **LicenseProductID**.
- In Microsoft Store for Business, generate the unencoded license for the app on the app's download page.
- 
+ 
- Open the license file and search for **LicenseID=** to get the GUID, enter the GUID in the **LicenseProductID** field and click **Add**.
diff --git a/windows/configuration/provisioning-packages/provisioning-apply-package.md b/windows/configuration/provisioning-packages/provisioning-apply-package.md
index 4a1bb159ac..4a9381ab1c 100644
--- a/windows/configuration/provisioning-packages/provisioning-apply-package.md
+++ b/windows/configuration/provisioning-packages/provisioning-apply-package.md
@@ -35,7 +35,7 @@ Provisioning packages can be applied to a device during the first-run experience
1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
- 
+ 
2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
@@ -43,11 +43,11 @@ Provisioning packages can be applied to a device during the first-run experience
3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
- 
+ 
4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
- 
+ 
5. Select **Yes, add it**.
@@ -59,7 +59,7 @@ Provisioning packages can be applied to a device during the first-run experience
Insert the USB drive to a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. For a provisioning package stored on a network folder or on a SharePoint site, navigate to the provisioning package and double-click it to begin installation.
-
+
## Mobile editions
@@ -68,13 +68,13 @@ Insert the USB drive to a desktop computer, navigate to **Settings** > **Account
1. Insert an SD card containing the provisioning package into the device.
2. Navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install.
- 
+ 
3. Click **Add**.
4. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**.
- 
+ 
### Copying the provisioning package to the device
@@ -84,7 +84,7 @@ Insert the USB drive to a desktop computer, navigate to **Settings** > **Account
3. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**.
- 
+ 
diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md
index b67e28b34d..0aa10c16b5 100644
--- a/windows/configuration/provisioning-packages/provisioning-create-package.md
+++ b/windows/configuration/provisioning-packages/provisioning-create-package.md
@@ -39,7 +39,7 @@ You can use Windows Configuration Designer to create a provisioning package (.pp
2. Select your desired option on the **Start** page, which offers multiple options for creating a provisioning package, as shown in the following image:
- 
+ 
- The following wizard options provide a simple interface for configuring common settings for desktop, mobile, and kiosk devices:
@@ -56,7 +56,7 @@ You can use Windows Configuration Designer to create a provisioning package (.pp
>[!TIP]
> You can start a project in the simple wizard editor and then switch the project to the advanced editor.
>
- > 
+ > 
3. Enter a name for your project, and then select **Next**.
@@ -87,7 +87,7 @@ You can use Windows Configuration Designer to create a provisioning package (.pp
For an advanced provisioning project, Windows Configuration Designer opens the **Available customizations** pane. The example in the following image is based on **All Windows desktop editions** settings.
-
+
The settings in Windows Configuration Designer are based on Windows 10 configuration service providers (CSPs). To learn more about CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](./how-it-pros-can-use-configuration-service-providers.md).
@@ -103,14 +103,14 @@ The process for configuring settings is similar for all settings. The following
For details on each specific setting, see [Windows Provisioning settings reference](../wcd/wcd.md). The reference topic for a setting is also displayed in Windows Configuration Designer when you select the setting, as shown in the following image.
-
+
## Build package
1. After you're done configuring your customizations, select **Export**, and then select **Provisioning Package**.
- 
+ 
2. In the **Describe the provisioning package** window, enter the following information, and then select **Next**:
- **Name** - This field is pre-populated with the project name. You can change this value by entering a different name in the **Name** field.
diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md
index 8a7b9c464d..1a467d4e6d 100644
--- a/windows/configuration/provisioning-packages/provisioning-install-icd.md
+++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md
@@ -66,7 +66,7 @@ On devices running Windows 10, you can install [the Windows Configuration Design
6. On the **Select the features you want to install** page, clear all selections except **Configuration Designer**, and then click **Install**.
- 
+ 
## Current Windows Configuration Designer limitations
diff --git a/windows/configuration/provisioning-packages/provisioning-multivariant.md b/windows/configuration/provisioning-packages/provisioning-multivariant.md
index e5d60aba7f..6e54b39009 100644
--- a/windows/configuration/provisioning-packages/provisioning-multivariant.md
+++ b/windows/configuration/provisioning-packages/provisioning-multivariant.md
@@ -35,7 +35,7 @@ In the XML file, you provide an **Id**, or friendly name, for each **Target**. E
A **Target** can have more than one **TargetState**, and a **TargetState** can have more than one **Condition**.
-
+
The following table describes the logic for the target definition.
diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md
index 2313b0e929..a3b4e25f84 100644
--- a/windows/configuration/provisioning-packages/provisioning-packages.md
+++ b/windows/configuration/provisioning-packages/provisioning-packages.md
@@ -124,7 +124,7 @@ For details about the settings you can customize in provisioning packages, see [
Windows ICD for Windows 10, version 1607, simplified common provisioning scenarios.
-
+
Windows ICD in Windows 10, version 1607, supported the following scenarios for IT administrators:
diff --git a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md
index a616731808..6e01640c44 100644
--- a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md
+++ b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md
@@ -189,13 +189,13 @@ cmd /c InstallMyApp.bat
In Windows Configuration Designer, this looks like:
-
+
You also need to add the relevant assets for that command line including the orchestrator script and any other assets it references such as installers or .cab files.
In Windows Configuration Designer, that is done by adding files under the `ProvisioningCommands/DeviceContext/CommandFiles` setting.
-
+
When you are done, [build the package](provisioning-create-package.md#build-package).
diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md
index e4327a7b35..ed5c4ee3a3 100644
--- a/windows/configuration/set-up-shared-or-guest-pc.md
+++ b/windows/configuration/set-up-shared-or-guest-pc.md
@@ -108,13 +108,13 @@ You can configure Windows to be in shared PC mode in a couple different ways:
8. On the **Configuration settings** page, set the ‘Shared PC Mode’ value to **Enabled**.
> [!div class="mx-imgBorder"]
- > 
+ > 
11. From this point on, you can configure any additional settings you’d like to be part of this policy, and then follow the rest of the set-up flow to its completion by selecting **Create** after **Step 6**.
- A provisioning package created with the Windows Configuration Designer: You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Configuration Designer. Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp), exposed in Windows Configuration Designer as **SharedPC**.
- 
+ 
- WMI bridge: Environments that use Group Policy can use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to configure the [MDM_SharedPC class](/windows/win32/dmwmibridgeprov/mdm-sharedpc). For all device settings, the WMI Bridge client must be executed under local system user; for more information, see [Using PowerShell scripting with the WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). For example, open PowerShell as an administrator and enter the following:
@@ -189,7 +189,7 @@ You can apply the provisioning package to a PC during initial setup or to a PC t
1. Start with a PC on the setup screen.
- 
+ 
2. Insert the USB drive. If nothing happens when you insert the USB drive, press the Windows key five times.
@@ -206,7 +206,7 @@ You can apply the provisioning package to a PC during initial setup or to a PC t
On a desktop computer, navigate to **Settings** > **Accounts** > **Work access** > **Add or remove a management package** > **Add a package**, and selects the package to install.
-
+
> [!NOTE]
> If you apply the setup file to a computer that has already been set up, existing accounts and data might be lost.
diff --git a/windows/configuration/start-layout-troubleshoot.md b/windows/configuration/start-layout-troubleshoot.md
index 24dbcd1b32..5a39031455 100644
--- a/windows/configuration/start-layout-troubleshoot.md
+++ b/windows/configuration/start-layout-troubleshoot.md
@@ -42,7 +42,7 @@ When troubleshooting basic Start issues (and for the most part, all other Window
- `get-AppXPackage -Name Microsoft.Windows.ShellExperienceHost`
- `get-AppXPackage -Name Microsoft.Windows.Cortana`
- 
+ 
Failure messages will appear if they aren't installed
@@ -188,7 +188,7 @@ Events for both PDC and Background Tasks Infrastructure Service will be recorded
### Symptom: Application tiles like Alarm, Calculator, and Edge are missing from Start menu and the Settings app fails to open on Windows 10, version 1709 when a local user profile is deleted
-
+
**Cause**: This issue is known. The first-time sign-in experience is not detected and does not trigger the install of some apps.
@@ -236,11 +236,11 @@ Specifically, behaviors include
- If a new roaming user is created, the first sign-in appears normal, but on subsequent sign-ins, tiles are missing.
-
+
*Working layout on first sign-in of a new roaming user profile*
-
+
*Failing layout on subsequent sign-ins*
@@ -256,15 +256,15 @@ Specifically, behaviors include
Before the upgrade:
- 
+ 
After the upgrade the user pinned tiles are missing:
- 
+ 
Additionally, users may see blank tiles if sign-in was attempted without network connectivity.
- 
+ 
**Resolution**: This issue was fixed in the [October 2017 update](https://support.microsoft.com/en-us/help/4041676).
diff --git a/windows/configuration/start-secondary-tiles.md b/windows/configuration/start-secondary-tiles.md
index d988f11531..351f09ce8e 100644
--- a/windows/configuration/start-secondary-tiles.md
+++ b/windows/configuration/start-secondary-tiles.md
@@ -31,15 +31,15 @@ In a Start layout for Windows 10, version 1703, you can include secondary tiles
Suppose that the [Start layout that you export](customize-and-export-start-layout.md) had two secondary tiles, such as in the following image:
-
+
In prior versions of Windows 10, when you applied the Start layout to a device, the tiles would display as shown in the following image:
-
+
In Windows 10, version 1703, by using the PowerShell cmdlet `export-StartLayoutEdgeAssets` and the policy setting `ImportEdgeAssets`, the tiles will now display the same as they did on the device from which you exported the Start layout.
-
+
**Example of secondary tiles in XML generated by Export-StartLayout**
@@ -156,7 +156,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
12. Open the customizations.xml file in a text editor. The **<Customizations>** section will look like this:
- 
+ 
13. Replace **layout.xml** with the text from the layout.xml file, [with markup characters replaced with escape characters](#escape).
diff --git a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
index 83744db2ca..75fcbcdad0 100644
--- a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
+++ b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
@@ -121,7 +121,7 @@ UE-V for Windows 10, version 1607 includes a new template generator. If you are
-->
-
+
3. To open the generator, select **Microsoft Application Virtualization Generator** from the **Start** menu.
diff --git a/windows/configuration/ue-v/uev-for-windows.md b/windows/configuration/ue-v/uev-for-windows.md
index bb6d70d870..0d091fe1bb 100644
--- a/windows/configuration/ue-v/uev-for-windows.md
+++ b/windows/configuration/ue-v/uev-for-windows.md
@@ -41,7 +41,7 @@ The diagram below illustrates how UE-V components work together to synchronize u
| **Component** | **Function** |
@@ -65,7 +65,7 @@ Use these UE-V components to create and manage custom templates for your third-p
-->
-
+
## Settings synchronized by default
diff --git a/windows/configuration/ue-v/uev-prepare-for-deployment.md b/windows/configuration/ue-v/uev-prepare-for-deployment.md
index bfc7cfa6f3..08853f5b22 100644
--- a/windows/configuration/ue-v/uev-prepare-for-deployment.md
+++ b/windows/configuration/ue-v/uev-prepare-for-deployment.md
@@ -44,7 +44,7 @@ If you want to use UE-V to synchronize user-defined settings for custom applicat
The workflow diagram below illustrates a typical UE-V deployment and the decisions you need to be prepared to make.
-
+
Update & Security --> Windows Update**.
- **Update Session Orchestrator (USO)**- A Windows OS component that orchestrates the sequence of downloading and installing various update types from Windows Update.
diff --git a/windows/deployment/update/wufb-compliancedeadlines.md b/windows/deployment/update/wufb-compliancedeadlines.md
index f822925011..e56e7a3b5b 100644
--- a/windows/deployment/update/wufb-compliancedeadlines.md
+++ b/windows/deployment/update/wufb-compliancedeadlines.md
@@ -93,11 +93,11 @@ Once the device is in the pending restart state, it will attempt to restart the
Notification users get for a quality update deadline:
-
+
Notification users get for a feature update deadline:
-
+
### Deadline with user engagement
@@ -130,17 +130,17 @@ Before the deadline the device will be in two states: auto-restart period and en
Notification users get for quality update engaged deadline:
-
+
Notification users get for a quality update deadline:
-
+
Notification users get for a feature update engaged deadline:
-
+
Notification users get for a feature update deadline:
-
+
diff --git a/windows/deployment/update/wufb-manageupdate.md b/windows/deployment/update/wufb-manageupdate.md
index 93a5ab27b7..8589495141 100644
--- a/windows/deployment/update/wufb-manageupdate.md
+++ b/windows/deployment/update/wufb-manageupdate.md
@@ -40,7 +40,7 @@ If you don't need a wave deployment and have a small set of devices to manage, w
|Do not allow update deferral policies to cause scans against Windows Update|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not allow update deferral policies to cause scans against Windows Update|State: Disabled|
## Suggested configuration for a wave deployment
-
+
## Early validation and testing
Depending on your organizational size and requirements you might be able to test feature updates earlier to identify if there are impacts to Line of Business applications. Our recommendation is to enroll a set of devices that are a good representation of your device ecosystem (for example, devices with accounting software or engineering software). Learn more about [different deployment rings](https://insider.windows.com/how-to-pc/#working-with-rings).
diff --git a/windows/deployment/upgrade/quick-fixes.md b/windows/deployment/upgrade/quick-fixes.md
index e044463423..8aafc8f67d 100644
--- a/windows/deployment/upgrade/quick-fixes.md
+++ b/windows/deployment/upgrade/quick-fixes.md
@@ -174,7 +174,7 @@ To check your system for unsigned drivers:
5. Type **sigverif** and press ENTER.
6. The File Signature Verification tool will open. Click **Start**.
- 
+ 
7. After the scanning process is complete, if you see **Your files have been scanned and verified as digitally signed** then you have no unsigned drivers. Otherwise, you will see **The following files have not been digitally signed** and a list will be provided with name, location, and version of all unsigned drivers.
8. To view and save a log file, click **Advanced**, and then click **View Log**. Save the log file if desired.
@@ -268,7 +268,7 @@ To obtain the proper firmware drivers, search for the most updated driver versio
When you begin a Windows Update, the setup process will ask you to **Get important updates**. Answer **Yes** if the computer you are updating is connected to the Internet. See the following example:
-
+
### Verify disk space
@@ -280,13 +280,13 @@ In File Explorer, click on **Computer** or **This PC** on the left, then look un
The amount of space available on the system drive will be displayed under the drive. See the following example:
-
+
In the previous example, there is 703 GB of available free space on the system drive (C:).
To free up additional space on the system drive, begin by running Disk Cleanup. You can access Disk Cleanup by right-clicking the hard drive icon and then clicking Properties. See the following example:
-
+
For instructions to run Disk Cleanup and other suggestions to free up hard drive space, see [Tips to free up drive space on your PC](https://support.microsoft.com/help/17421/windows-free-up-drive-space).
diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md
index 9e7a29631c..1e87d9bff7 100644
--- a/windows/deployment/upgrade/setupdiag.md
+++ b/windows/deployment/upgrade/setupdiag.md
@@ -25,14 +25,14 @@ ms.topic: article
>This is a 300 level topic (moderate advanced).
>See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article.
- [](https://go.microsoft.com/fwlink/?linkid=870142)
+ [](https://go.microsoft.com/fwlink/?linkid=870142)
## About SetupDiag
-Current downloadable version of SetupDiag: 1.6.2107.27002
->Always be sure to run the most recent version of SetupDiag, so that can access new functionality and fixes to known issues.
+Current downloadable version of SetupDiag: 1.6.2107.27002.
+> Always be sure to run the most recent version of SetupDiag, so that can access new functionality and fixes to known issues.
-SetupDiag is a standalone diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful.
+SetupDiag is a diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful.
SetupDiag works by examining Windows Setup log files. It attempts to parse these log files to determine the root cause of a failure to update or upgrade the computer to Windows 10. SetupDiag can be run on the computer that failed to update, or you can export logs from the computer to another location and run SetupDiag in offline mode.
@@ -344,6 +344,10 @@ Each rule name and its associated unique rule identifier are listed with a descr
## Release notes
+07/27/2021 - SetupDiag v1.6.2107.27002 is released with 61 rules, as a standalone tool available in the Download Center.
+- This version contains compliance updates and minor bug fixes.
+- With this release and subsequent releases, the version number of the downloadable SetupDiag tool is different from the one included with Windows Setup.
+
05/06/2021 - SetupDiag v1.6.1.0 is released with 61 rules, as a standalone tool available in the Download Center.
- This version of SetupDiag is included with Windows 10, version 21H1.
- A new rule is added: UserProfileSuffixMismatch.
@@ -563,7 +567,7 @@ Refer to "https://docs.microsoft.com/windows/desktop/Debug/system-error-codes" f
## Sample registry key
-
+
## Related topics
diff --git a/windows/deployment/upgrade/submit-errors.md b/windows/deployment/upgrade/submit-errors.md
index 580a08b67c..1cde13e1eb 100644
--- a/windows/deployment/upgrade/submit-errors.md
+++ b/windows/deployment/upgrade/submit-errors.md
@@ -61,7 +61,7 @@ Click **Submit** to send your feedback.
See the following example:
-
+
After you click Submit, that's all you need to do. Microsoft will receive your feedback and begin analyzing the issue. You can check on your feedback periodically to see what solutions have been provided.
@@ -69,7 +69,7 @@ After you click Submit, that's all you need to do. Microsoft will receive your f
After your feedback is submitted, you can email or post links to it by opening the Feedback Hub, clicking My feedback at the top, clicking the feedback item you submitted, clicking **Share**, then copying the short link that is displayed.
-
+
## Related topics
diff --git a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md
index 842e478dcf..bdb7e4814a 100644
--- a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md
+++ b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md
@@ -59,31 +59,31 @@ When performing an operating system upgrade, Windows Setup uses phases described
1. **Downlevel phase**: The downlevel phase is run within the previous operating system. Windows files are copied and installation components are gathered.
- 
+ 
2. **Safe OS phase**: A recovery partition is configured, Windows files are expanded, and updates are installed. An OS rollback is prepared if needed. Example error codes: 0x2000C, 0x20017.
- 
+ 
3. **First boot phase**: Initial settings are applied. Example error codes: 0x30018, 0x3000D.
- 
+ 
4. **Second boot phase**: Final settings are applied. This is also called the **OOBE boot phase**. Example error codes: 0x4000D, 0x40017.
At the end of the second boot phase, the **Welcome to Windows 10** screen is displayed, preferences are configured, and the Windows 10 sign-in prompt is displayed.
- 
+ 
- 
+ 
- 
+ 
5. **Uninstall phase**: This phase occurs if upgrade is unsuccessful (image not shown). Example error codes: 0x50000, 0x50015.
**Figure 1**: Phases of a successful Windows 10 upgrade (uninstall is not shown):
-
+
DU = Driver/device updates.
OOBE = Out of box experience.
diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md
index 57307ee3d0..c8a2c54c5a 100644
--- a/windows/deployment/upgrade/windows-10-edition-upgrades.md
+++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md
@@ -33,9 +33,9 @@ The following table shows the methods and paths available to change the edition
> [!TIP]
> Although it isn't displayed yet in the table, edition upgrade is also possible using [edition upgrade policy](/configmgr/compliance/deploy-use/upgrade-windows-version) in Microsoft Endpoint Configuration Manager.
- (X) = not supported
- (green checkmark) = supported, reboot required
- (blue checkmark) = supported, no reboot required
+ (X) = not supported
+ (green checkmark) = supported, reboot required
+ (blue checkmark) = supported, no reboot required
| Edition upgrade | Using mobile device management (MDM) | Using a provisioning package | Using a command-line tool | Using Microsoft Store for Business or PC | Entering a product key manually | Purchasing a license from the Microsoft Store |
|-----------------| ------------------------------------ | --------------------------- | ------------------------- | -------------------------------------- | ----------------------------------- | --------------------------------------------- |
-| **Home > Pro** |  |  |  |  |  |  |
-| **Home > Pro for Workstations** |  |  |  |  |  |  |
-| **Home > Pro Education** |  |  |  |  |  |  |
-| **Home > Education** |  |  |  |  |  |  |
-| **Pro > Pro for Workstations** |  |  |  | 
(MSfB) |  |  |
-| **Pro > Pro Education** |  |  |  | 
(MSfB) |  |  |
-| **Pro > Education** |  |  |  | 
(MSfB) |  |  |
-| **Pro > Enterprise** |  |  |  | 
(1703 - PC)
(1709 - MSfB) |  |  |
-| **Pro for Workstations > Pro Education** |  |  |  | 
(MSfB) |  |  |
-| **Pro for Workstations > Education** |  |  |  | 
(MSfB) |  |  |
-| **Pro for Workstations > Enterprise** |  |  |  | 
(1703 - PC)
(1709 - MSfB) |  |  |
-| **Pro Education > Education** |  |  |  | 
(MSfB) |  |  |
-| **Enterprise > Education** |  |  |  | 
(MSfB) |  |  |
+| **Home > Pro** |  |  |  |  |  |  |
+| **Home > Pro for Workstations** |  |  |  |  |  |  |
+| **Home > Pro Education** |  |  |  |  |  |  |
+| **Home > Education** |  |  |  |  |  |  |
+| **Pro > Pro for Workstations** |  |  |  | 
(MSfB) |  |  |
+| **Pro > Pro Education** |  |  |  | 
(MSfB) |  |  |
+| **Pro > Education** |  |  |  | 
(MSfB) |  |  |
+| **Pro > Enterprise** |  |  |  | 
(1703 - PC)
(1709 - MSfB) |  |  |
+| **Pro for Workstations > Pro Education** |  |  |  | 
(MSfB) |  |  |
+| **Pro for Workstations > Education** |  |  |  | 
(MSfB) |  |  |
+| **Pro for Workstations > Enterprise** |  |  |  | 
(1703 - PC)
(1709 - MSfB) |  |  |
+| **Pro Education > Education** |  |  |  | 
(MSfB) |  |  |
+| **Enterprise > Education** |  |  |  | 
(MSfB) |  |  |
> [!NOTE]
> - For information about upgrade paths in Windows 10 in S mode (for Pro or Education), check out [Windows 10 Pro/Enterprise in S mode](../windows-10-pro-in-s-mode.md)
diff --git a/windows/deployment/upgrade/windows-error-reporting.md b/windows/deployment/upgrade/windows-error-reporting.md
index 08c4982f9c..50aad1782d 100644
--- a/windows/deployment/upgrade/windows-error-reporting.md
+++ b/windows/deployment/upgrade/windows-error-reporting.md
@@ -63,7 +63,7 @@ Ten parameters are listed in the event:
The event will also contain links to log files that can be used to perform a detailed diagnosis of the error. An example of this event from a successful upgrade is shown below.
-
+
## Related topics
diff --git a/windows/deployment/usmt/migration-store-types-overview.md b/windows/deployment/usmt/migration-store-types-overview.md
index 84a87a0aac..52b489720f 100644
--- a/windows/deployment/usmt/migration-store-types-overview.md
+++ b/windows/deployment/usmt/migration-store-types-overview.md
@@ -49,7 +49,7 @@ You use a command-line option,**/hardlink** , to create a hard-link migration st
The following flowchart illustrates the procedural differences between a local migration store and a remote migration store. In this example, a hard-link migration store is used for the local store.
-
+
## Local Store vs. Remote Store
diff --git a/windows/deployment/usmt/usmt-common-migration-scenarios.md b/windows/deployment/usmt/usmt-common-migration-scenarios.md
index 30930ac481..b94bc3041b 100644
--- a/windows/deployment/usmt/usmt-common-migration-scenarios.md
+++ b/windows/deployment/usmt/usmt-common-migration-scenarios.md
@@ -49,7 +49,7 @@ The following diagram shows a PC-refresh migration, also known as a computer ref
-
+
@@ -100,7 +100,7 @@ The following diagram shows a PC-replacement migration. First, the administrator
-
+
diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
index f32ee0d61e..10e7c2e418 100644
--- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
+++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
@@ -55,7 +55,7 @@ The process proceeds as follows:
3. Client computers are activated by receiving the activation object from a domain controller during startup.
> [!div class="mx-imgBorder"]
- > 
+ > 
**Figure 10**. The Active Directory-based activation flow
@@ -80,31 +80,31 @@ When a reactivation event occurs, the client queries AD DS for the activation o
3. Add the Volume Activation Services role, as shown in Figure 11.
- 
+ 
**Figure 11**. Adding the Volume Activation Services role
4. Click the link to launch the Volume Activation Tools (Figure 12).
- 
+ 
**Figure 12**. Launching the Volume Activation Tools
5. Select the **Active Directory-Based Activation** option (Figure 13).
- 
+ 
**Figure 13**. Selecting Active Directory-Based Activation
6. Enter your KMS host key and (optionally) a display name (Figure 14).
- 
+ 
**Figure 14**. Entering your KMS host key
7. Activate your KMS host key by phone or online (Figure 15).
- 
+ 
**Figure 15**. Choosing how to activate your product
diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
index f9cfcf33ac..5fa4723874 100644
--- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
+++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
@@ -80,39 +80,39 @@ This scenario is commonly used in larger organizations that do not find the over
2. Launch Server Manager.
3. Add the Volume Activation Services role, as shown in Figure 4.
- 
+ 
**Figure 4**. Adding the Volume Activation Services role in Server Manager
4. When the role installation is complete, click the link to launch the Volume Activation Tools (Figure 5).
- 
+ 
**Figure 5**. Launching the Volume Activation Tools
5. Select the **Key Management Service (KMS)** option, and specify the computer that will act as the KMS host (Figure 6).
This can be the same computer on which you installed the role or another computer. For example, it can be a client computer running Windows 10.
- 
+ 
**Figure 6**. Configuring the computer as a KMS host
6. Install your KMS host key by typing it in the text box, and then click **Commit** (Figure 7).
- 
+ 
**Figure 7**. Installing your KMS host key
7. If asked to confirm replacement of an existing key, click **Yes**.
8. After the product key is installed, you must activate it. Click **Next** (Figure 8).
- 
+ 
**Figure 8**. Activating the software
The KMS key can be activated online or by phone. See Figure 9.
- 
+ 
**Figure 9**. Choosing to activate online
diff --git a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md
index b88d65def4..728b60519b 100644
--- a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md
+++ b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md
@@ -99,12 +99,12 @@ A MAK is used for one-time activation with Microsoft’s hosted activation servi
You can activate computers by using a MAK in two ways:
- **MAK independent activation**. Each computer independently connects and is activated with Microsoft over the Internet or by telephone. MAK independent activation is best suited to computers within an organization that do not maintain a connection to the corporate network. MAK independent activation is shown in Figure 16.
- 
+ 
**Figure 16**. MAK independent activation
- **MAK proxy activation**. MAK proxy activation enables a centralized activation request on behalf of multiple computers with one connection to Microsoft. You configure MAK proxy activation by using the VAMT. MAK proxy activation is appropriate for environments in which security concerns restrict direct access to the Internet or the corporate network. It is also suited for development and test labs that lack this connectivity. MAK proxy activation with the VAMT is shown in Figure 17.
- 
+ 
**Figure 17**. MAK proxy activation with the VAMT
diff --git a/windows/deployment/volume-activation/add-remove-computers-vamt.md b/windows/deployment/volume-activation/add-remove-computers-vamt.md
index 4e2248db96..e671e92d02 100644
--- a/windows/deployment/volume-activation/add-remove-computers-vamt.md
+++ b/windows/deployment/volume-activation/add-remove-computers-vamt.md
@@ -34,7 +34,7 @@ Before adding computers, ensure that the Windows Management Instrumentation (WMI
5. VAMT searches for the specified computers and adds them to the VAMT database. During the search, VAMT displays the **Finding computers** message shown below.
To cancel the search, click **Cancel**. When the search is complete the names of the newly-discovered computers appear in the product list view in the center pane.
- 
+ 
**Important**
This step adds only the computers to the VAMT database, and not the products that are installed on the computers. To add the products, you need to run the **Update license status** function.
diff --git a/windows/deployment/volume-activation/configure-client-computers-vamt.md b/windows/deployment/volume-activation/configure-client-computers-vamt.md
index 87cb8d7b0f..5cbd41f410 100644
--- a/windows/deployment/volume-activation/configure-client-computers-vamt.md
+++ b/windows/deployment/volume-activation/configure-client-computers-vamt.md
@@ -45,7 +45,7 @@ Enable the VAMT to access client computers using the **Windows Firewall** Contro
Enable the VAMT to access client computers across multiple subnets using the **Windows Firewall with Advanced Security** Control Panel:
-
+
1. Open the Control Panel and double-click **Administrative Tools**.
2. Click **Windows Firewall with Advanced Security**.
diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md
index f462f8655f..0b67293d6a 100644
--- a/windows/deployment/volume-activation/install-vamt.md
+++ b/windows/deployment/volume-activation/install-vamt.md
@@ -49,7 +49,7 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for
5. On the completion page, note the instance name for your installation, select **Close**, and then select **Yes**.
- 
+ 
### Install VAMT using the ADK
@@ -73,7 +73,7 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for
2. Enter the server instance name (for a remote SQL use the FQDN) and a name for the database, select **Connect**, and then select **Yes** to create the database. See the following image for an example for SQL.
- 
+ 
For remote SQL Server, use `servername.yourdomain.com`.
diff --git a/windows/deployment/volume-activation/introduction-vamt.md b/windows/deployment/volume-activation/introduction-vamt.md
index 45619726e9..91d2d8540b 100644
--- a/windows/deployment/volume-activation/introduction-vamt.md
+++ b/windows/deployment/volume-activation/introduction-vamt.md
@@ -45,7 +45,7 @@ VAMT treats a KMS Host key (CSVLK) product key identically to a retail-type prod
VAMT is commonly implemented in enterprise environments. The following illustrates three common environments—Core Network, Secure Zone, and Isolated Lab.
-
+
In the Core Network environment, all computers are within a common network managed by Active Directory® Domain Services (AD DS). The Secure Zone represents higher-security Core Network computers that have additional firewall protection.
The Isolated Lab environment is a workgroup that is physically separate from the Core Network, and its computers do not have Internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the Isolated Lab.
@@ -54,7 +54,7 @@ The Isolated Lab environment is a workgroup that is physically separate from the
The following screenshot shows the VAMT graphical user interface.
-
+
VAMT provides a single, graphical user interface for managing activations, and for performing other activation-related tasks such as:
diff --git a/windows/deployment/volume-activation/plan-for-volume-activation-client.md b/windows/deployment/volume-activation/plan-for-volume-activation-client.md
index 443e1e417b..71d990f500 100644
--- a/windows/deployment/volume-activation/plan-for-volume-activation-client.md
+++ b/windows/deployment/volume-activation/plan-for-volume-activation-client.md
@@ -120,7 +120,7 @@ In the core network, a centralized KMS solution is recommended. You can also use
A typical core network that includes a KMS host is shown in Figure 1.
-
+
**Figure 1**. Typical core network
@@ -140,7 +140,7 @@ If the isolated network cannot communicate with the core network’s KMS server,
If the network is fully isolated, MAK-independent activation would be the recommended choice, perhaps using the telephone option. But VAMT proxy activation may also be possible. You can also use MAKs to activate new computers during setup, before they are placed in the isolated network.
-
+
**Figure 2**. New KMS host in an isolated network
@@ -222,7 +222,7 @@ The flow of KMS activation is shown in Figure 3, and it follows this sequence:
7. If the KMS host has a KMS host key that matches the products in the GVLK, the KMS host sends a single packet back to the client. This packet contains a count of the number of computers that have requested activation from this KMS host.
8. If the count exceeds the activation threshold for the product that is being activated, the client is activated. If the activation threshold has not yet been met, the client will try again.
-
+
**Figure 3**. KMS activation flow
diff --git a/windows/deployment/volume-activation/scenario-online-activation-vamt.md b/windows/deployment/volume-activation/scenario-online-activation-vamt.md
index 2716a475b8..118a656e49 100644
--- a/windows/deployment/volume-activation/scenario-online-activation-vamt.md
+++ b/windows/deployment/volume-activation/scenario-online-activation-vamt.md
@@ -25,7 +25,7 @@ In this scenario, the Volume Activation Management Tool (VAMT) is deployed in th
- Retail
The Secure Zone represents higher-security Core Network computers that have additional firewall protection.
-
+
## In This Topic
- [Install and start VAMT on a networked host computer](#bkmk-partone)
diff --git a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md
index 84e0a8ea19..d3b906680d 100644
--- a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md
+++ b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md
@@ -19,7 +19,7 @@ ms.topic: article
In this scenario, the Volume Activation Management Tool (VAMT) is used to activate products that are installed on workgroup computers in an isolated lab environment. For workgroups which are isolated from the larger network, you can perform proxy activation of Multiple Activation Keys (MAKs), KMS Host keys (CSVLKs), Generic Volume License Keys (GVLKs) (or KMS client keys), or retail keys. Proxy activation is performed by installing a second instance of VAMT on a computer in the isolated workgroup. You can then use removable media to transfer VAMT Computer Information Lists (CILXs) between the instance of VAMT in the isolated workgroup and another VAMT host that has Internet access. The following diagram shows a Multiple Activation Key (MAK) proxy activation scenario:
-
+
## Step 1: Install VAMT on a Workgroup Computer in the Isolated Lab
diff --git a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md
index c8e7913ed2..562251c0a9 100644
--- a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md
+++ b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md
@@ -51,7 +51,7 @@ You can use the VAMT to complete the activation process in products by using MAK
The VAMT provides an overview of the activation and licensing status of computers across your network, as shown in Figure 18. Several prebuilt reports are also available to help you proactively manage licensing.
-
+
**Figure 18**. The VAMT showing the licensing status of multiple computers
@@ -59,7 +59,7 @@ The VAMT provides an overview of the activation and licensing status of computer
The VAMT makes it easier to track the various keys that are issued to your organization. You can enter each key into VAMT, and then the VAMT can use those keys for online or proxy activation of clients. The tool can also describe what type of key it is and to which product group it belongs. The VAMT is the most convenient way to quickly determine how many activations remain on a MAK. Figure 19 shows an example of key types and usage.
-
+
**Figure 19**. The VAMT showing key types and usage
diff --git a/windows/deployment/volume-activation/vamt-known-issues.md b/windows/deployment/volume-activation/vamt-known-issues.md
index 844c46ba14..55fd4c1684 100644
--- a/windows/deployment/volume-activation/vamt-known-issues.md
+++ b/windows/deployment/volume-activation/vamt-known-issues.md
@@ -30,7 +30,7 @@ The current known issues with the Volume Activation Management Tool (VAMT), vers
Another known issue is that when you try to add a Windows 10 Key Management Service (KMS) Host key (CSVLK) or a Windows Server 2012 R2 for Windows 10 CSVLK into VAMT 3.1 (version 10.0.10240.0), you receive the error message shown here.
-
+
This issue occurs because VAMT 3.1 does not contain the correct Pkconfig files to recognize this kind of key. To work around this issue, use one of the following methods.
diff --git a/windows/deployment/windows-10-deployment-posters.md b/windows/deployment/windows-10-deployment-posters.md
index 3bda096ca5..2a0f0da2a9 100644
--- a/windows/deployment/windows-10-deployment-posters.md
+++ b/windows/deployment/windows-10-deployment-posters.md
@@ -26,13 +26,13 @@ The following posters step through various options for deploying Windows 10 with
The Windows Autopilot poster is two pages in portrait mode (11x17). Click the image to view a PDF in your browser. You can also download this poster in [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10AutopilotFlowchart.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10Autopilotflowchart.vsdx) format.
-[](./media/Windows10AutopilotFlowchart.pdf)
+[](./media/Windows10AutopilotFlowchart.pdf)
## Deploy Windows 10 with Microsoft Endpoint Configuration Manager
The Configuration Manager poster is one page in landscape mode (17x11). Click the image to view a PDF in your browser. You can also download this poster in [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10DeploymentConfigManager.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10DeploymentConfigManager.vsdx) format.
-[](./media/Windows10DeploymentConfigManager.pdf)
+[](./media/Windows10DeploymentConfigManager.pdf)
## See also
diff --git a/windows/deployment/windows-10-media.md b/windows/deployment/windows-10-media.md
index a90baefd20..0e160f2943 100644
--- a/windows/deployment/windows-10-media.md
+++ b/windows/deployment/windows-10-media.md
@@ -42,7 +42,7 @@ Windows 10, version 1709 is available starting on 10/17/2017 in all relevant dis
For ISOs that you download from the VLSC or Visual Studio Subscriptions, you can still search for the individual Windows editions. However, each of these editions (Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education) will point to the same ISO file, so you only need to download the ISO once. A single Windows image (WIM) file is included in the ISO that contains all the volume licensing images:
-
+
When using the contents of these ISOs with tools such as the Microsoft Deployment Toolkit or Microsoft Endpoint Configuration Manager, make sure you select the appropriate image index in any task sequences that you create or update.
@@ -69,7 +69,7 @@ This Semi-Annual Channel release of Windows 10 continues the Windows as a servic
See the following example for Windows 10, version 1709:
-
+
### Features on demand
diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md
index 7e6d238721..9d18e1af46 100644
--- a/windows/deployment/windows-10-poc-mdt.md
+++ b/windows/deployment/windows-10-poc-mdt.md
@@ -284,7 +284,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
10. In the **Operating Systems** > **Windows 10** node, double-click the operating system that was added to view its properties. Change the operating system name to **Windows 10 Enterprise x64 Custom Image** and then click **OK**. See the following example:
- 
+ 
### Create the deployment task sequence
@@ -459,7 +459,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
7. On SRV1, in the Deployment Workbench console, click on **Monitoring** and view the status of installation. Right-click **Monitoring** and click **Refresh** if no data is displayed.
8. OS installation requires about 10 minutes. When the installation is complete, the system will reboot automatically, configure devices, and install updates, requiring another 10-20 minutes. When the new client computer is finished updating, click **Finish**. You will be automatically signed in to the local computer as administrator.
- 
+ 
This completes the demonstration of how to deploy a reference image to the network. To conserve resources, turn off the PC2 VM before starting the next section.
diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md
index 603113f920..d69cc3b5db 100644
--- a/windows/deployment/windows-10-poc-sc-config-mgr.md
+++ b/windows/deployment/windows-10-poc-sc-config-mgr.md
@@ -331,7 +331,7 @@ WDSUTIL /Set-Server /AnswerClients:None
- **Respond to PXE requests on specific network interfaces**: Click the yellow starburst and then enter the MAC address determined in the first step of this procedure.
See the following example:
- 
+ 
5. Click **OK**.
6. Wait for a minute, then type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present:
@@ -803,7 +803,7 @@ In this first deployment scenario, we will deploy Windows 10 using PXE. This sce
>Before starting this section, you can delete computer objects from Active Directory that were created as part of previous deployment procedures. Use the Active Directory Users and Computers console on DC1 to remove stale entries under contoso.com\Computers, but do not delete the computer account (hostname) for PC1. There should be at least two computer accounts present in the contoso.com\Computers container: one for SRV1, and one for the hostname of PC1. It is not required to delete the stale entries, this is only done to remove clutter.
-
+
In the replace procedure, PC1 will not be migrated to a new operating system. It is simplest to perform this procedure before performing the refresh procedure. After refreshing PC1, the operating system will be new. The next (replace) procedure does not install a new operating system on PC1 but rather performs a side-by-side migration of PC1 and another computer (PC4), to copy users and settings from PC1 to the new computer.
@@ -907,7 +907,7 @@ The **Client** column indicates that the Configuration Manager client is not cur
14. Click the **Site** tab, click **Configure Settings**, and click **Find Site**. The client will report that it has found the PS1 site. See the following example:
- 
+ 
If the client is not able to find the PS1 site, review any error messages that are displayed in **C:\Windows\CCM\Logs\ClientIDManagerStartup.log** and **LocationServices.log**. A common reason the site code is not located is because a previous configuration exists. For example, if a previous site code is configured at **HKLM\SOFTWARE\Microsoft\SMS\Mobile Client\GPRequestedSiteAssignmentCode** this must be deleted or updated.
@@ -915,7 +915,7 @@ The **Client** column indicates that the Configuration Manager client is not cur
16. Click **All Desktop and Server Clients** and verify that the computer account for PC1 is displayed here with **Yes** and **Active** in the **Client** and **Client Activity** columns, respectively. You might have to refresh the view and wait few minutes for the client to appear here. See the following example:
- 
+ 
>It might take several minutes for the client to fully register with the site and complete a client check. When it is complete you will see a green check mark over the client icon as shown above. To refresh the client, click it and then press **F5** or right-click the client and click **Refresh**.
@@ -976,7 +976,7 @@ The **Client** column indicates that the Configuration Manager client is not cur
11. Click **Device Collections** and then double-click **Install Windows 10 Enterprise x64**. Verify that **PC4** is displayed in the collection. You might have to update and refresh the collection, or wait a few minutes, but do not proceed until PC4 is available. See the following example:
- 
+ 
### Create a device collection for PC1
@@ -1026,7 +1026,7 @@ In the Configuration Manager console, in the Software Library workspace under Op
4. In the Software Center , click **Available Software** and then select the **Replace Task Sequence** checkbox. See the following example:
- 
+ 
>If you do not see any available software, try running step #2 again to start the Machine Policy Retrieval & Evaluation Cycle. You should see an alert that new software is available.
@@ -1064,17 +1064,17 @@ In the Configuration Manager console, in the Software Library workspace under Op
3. On PC1, in the notification area, click **New software is available** and then click **Open Software Center**.
4. In the Software Center, click **Operating Systems**, click **Windows 10 Enterprise x64**, click **Install** and then click **INSTALL OPERATING SYSTEM**. See the following example:
- 
+ 
The computer will restart several times during the installation process. Installation includes downloading updates, reinstalling the Configuration Manager Client Agent, and restoring the user state. You can view status of the installation in the Configuration Manager console by accessing the Monitoring workspace, clicking **Deployments**, and then double-clicking the deployment associated with the **Install Windows 10 Enterprise x64** collection. Under **Asset Details**, right-click the device and then click **More Details**. Click the **Status** tab to see a list of tasks that have been performed. See the following example:
- 
+ 
You can also monitor progress of the installation by using the MDT deployment workbench and viewing the **Monitoring** node under **Deployment Shares\MDT Production**.
When installation has completed, sign in using the contoso\administrator account or the contoso\user1 account and verify that applications and settings have been successfully backed up and restored to your new Windows 10 Enterprise operating system.
- 
+ 
## Related Topics
diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md
index 319121950d..d4a667a65b 100644
--- a/windows/deployment/windows-10-poc.md
+++ b/windows/deployment/windows-10-poc.md
@@ -150,7 +150,7 @@ Hardware requirements are displayed below:
The lab architecture is summarized in the following diagram:
-
+
- Computer 1 is configured to host four VMs on a private, PoC network.
- Two VMs are running Windows Server 2012 R2 with required network services and tools installed.
@@ -224,9 +224,9 @@ Starting with Windows 8, the host computer’s microprocessor must support secon
>Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below:
- 
+ 
- 
+ 
If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under Role Administration Tools\Hyper-V Management Tools.
@@ -449,7 +449,7 @@ Notes:
3. Select the checkboxes next to the **C:\\** and the **system reserved** (BIOS/MBR) volumes. The system volume is not assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to **\\?\Volume{**. See the following example. **Important**: You must include the system volume in order to create a bootable VHD. If this volume is not displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation).
4. Specify a location to save the resulting VHD or VHDX file (F:\VHD\w7.vhdx in the following example) and click **Create**. See the following example:
- 
+ 
>Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive.
@@ -482,7 +482,7 @@ Notes:
5. Specify a location to save the resulting VHD or VHDX file (F:\VHD\PC1.vhdx in the following example) and click **Create**. See the following example:
- 
+ 
>Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive.
@@ -506,7 +506,7 @@ Notes:
3. Select the checkbox next to the **C:\\** volume and clear the checkbox next to **Use Vhdx**. Note: the system volume is not copied in this scenario, it will be added later.
4. Specify a location to save the resulting VHD file (F:\VHD\w7.vhd in the following example) and click **Create**. See the following example:
- 
+ 
>Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive.
@@ -821,7 +821,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
15. After signing in, the operating system detects that it is running in a new environment. New drivers will be automatically installed, including the network adapter driver. The network adapter driver must be updated before you can proceed, so that you will be able to join the contoso.com domain. Depending on the resources allocated to PC1, installing the network adapter driver might take a few minutes. You can monitor device driver installation by clicking **Show hidden icons** in the notification area.
- 
+ 
>If the client was configured with a static address, you must change this to a dynamic one so that it can obtain a DHCP lease.
@@ -879,7 +879,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
See the following example:
- 
+ 
19. Click **File**, click **Save As**, and save the commands as **c:\VHD\pc1.ps1** on the Hyper-V host.
20. In the (lower) terminal input window, type the following commands to enable Guest Service Interface on PC1 and then use this service to copy the script to PC1:
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md
index 447ea81cfb..16e8c70c2a 100644
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@@ -65,7 +65,7 @@ To support Inherited Activation, both the host computer and the VM must be runni
The following figure illustrates how deploying Windows 10 has evolved with each release. With this release, deployment is automatic.
-
+
- **Windows 7** required you to redeploy the operating system using a full wipe-and-load process if you wanted to change from Windows 7 Professional to Windows 10 Enterprise.
@@ -117,11 +117,11 @@ If the device is running Windows 10, version 1809 or later:
- When the user signs in on a Hybrid Azure AD joined device with MFA enabled, a notification will indicate that there is a problem. Click the notification and then click **Fix now** to step through the subscription activation process. See the example below:
- 
+ 
- 
+ 
- 
+ 
### Windows 10 Education requirements
@@ -162,7 +162,7 @@ The device is AAD joined from **Settings > Accounts > Access work or school**.
The IT administrator assigns Windows 10 Enterprise to a user. See the following figure.
-
+
When a licensed user signs in to a device that meets requirements using their Azure AD credentials, the operating system steps up from Windows 10 Pro to Windows 10 Enterprise (or Windows 10 Pro Education to Windows 10 Education) and all the appropriate Windows 10 Enterprise/Education features are unlocked. When a user’s subscription expires or is transferred to another user, the device reverts seamlessly to Windows 10 Pro / Windows 10 Pro Education edition, once current subscription validity expires.
@@ -171,10 +171,10 @@ Devices running Windows 10 Pro, version 1703 or Windows 10 Pro Education, versio
The following figures summarize how the Subscription Activation model works:
Before Windows 10, version 1903:
-
+
After Windows 10, version 1903:
-
+
> [!NOTE]
>
diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
index d132aa99a6..74e099fc82 100644
--- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
+++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
@@ -115,9 +115,9 @@ When you are prompted to restart the computer, choose **Yes**. The computer migh
Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below:
- 
+ 
- 
+ 
If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under Role Administration Tools\Hyper-V Management Tools.
@@ -232,21 +232,21 @@ PS C:\autopilot>
Ensure the VM booted from the installation ISO, click **Next** then click **Install now** and complete the Windows installation process. See the following examples:
- 
- 
- 
- 
- 
- 
+ 
+ 
+ 
+ 
+ 
+ 
After the VM restarts, during OOBE, it's fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This will offer the fastest way to the desktop. For example:
- 
+ 
Once the installation is complete, sign in and verify that you are at the Windows 10 desktop, then create your first Hyper-V checkpoint. Checkpoints are used to restore the VM to a previous state.
> [!div class="mx-imgBorder"]
- > 
+ > 
To create a checkpoint, open an elevated Windows PowerShell prompt on the computer running Hyper-V (not on the VM) and run the following:
@@ -322,7 +322,7 @@ Follow these steps to run the PowerShell script:
> [!NOTE]
> Although the .csv extension might be associated with Microsoft Excel, you cannot view the file properly by double-clicking it. To correctly parse the comma delimiters and view the file in Excel, you must use the **Data** > **From Text/CSV** function in Excel to import the appropriate data columns. You don't need to view the file in Excel unless you are curious. The file format will be validated when it is imported into Autopilot. An example of the data in this file is shown below.
- 
+ 
You will need to upload this data into Intune to register your device for Autopilot, so the next step is to transfer this file to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If you’re using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM).
@@ -338,11 +338,11 @@ With the hardware ID captured in a file, prepare your Virtual Machine for Window
On the Virtual Machine, go to **Settings > Update & Security > Recovery** and click on **Get started** under **Reset this PC**.
Select **Remove everything** and **Just remove my files**. If you are asked **How would you like to reinstall Windows**, select Local reinstall. Finally, click on **Reset**.
-
+
Resetting the VM or device can take a while. Proceed to the next step (verify subscription level) during the reset process.
-
+
## Verify subscription level
@@ -350,13 +350,13 @@ For this lab, you need an AAD Premium subscription. You can tell if you have a
**Azure Active Directory** > **Mobility (MDM and MAM)** > **Microsoft Intune**
-
+
If the configuration blade shown above does not appear, it's likely that you don't have a **Premium** subscription. Auto-enrollment is a feature only available in AAD Premium.
To convert your Intune trial account to a free Premium trial account, navigate to **Azure Active Directory** > **Licenses** > **All products** > **Try / Buy** and select **Free trial** for Azure AD Premium, or EMS E5.
-
+
## Configure company branding
@@ -367,7 +367,7 @@ If you already have company branding configured in Azure Active Directory, you c
Navigate to [Company branding in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/LoginTenantBranding), click on **Configure** and configure any type of company branding you'd like to see during the OOBE.
-
+
When you are finished, click **Save**.
@@ -382,7 +382,7 @@ Open [Mobility (MDM and MAM) in Azure Active Directory](https://portal.azure.com
For the purposes of this demo, select **All** under the **MDM user scope** and click **Save**.
-
+
## Register your VM
@@ -392,14 +392,14 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B
1. In the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/), choose **Devices** > **Device enrollment | Enroll devices** > **Windows enrollment** > **Windows Autopilot Deployment Program | Devices** and then on the **Windows Autopilot devices** page, choose **Import**.
- 
+ 
> [!NOTE]
> If menu items like **Windows enrollment** are not active for you, then look to the far-right blade in the UI. You might need to provide Intune configuration privileges in a challenge window that appeared.
2. Under **Add Windows Autopilot devices** in the far right pane, browse to the **AutopilotHWID.csv** file you previously copied to your local computer. The file should contain the serial number and 4K HH of your VM (or device). It's okay if other fields (Windows Product ID) are left blank.
- 
+ 
You should receive confirmation that the file is formatted correctly before uploading it, as shown above.
@@ -407,7 +407,7 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B
4. Click **Refresh** to verify your VM or device has been added. See the following example.
- 
+ 
### Autopilot registration using MSfB
@@ -426,11 +426,11 @@ Next, sign in to [Microsoft Store for Business](https://businessstore.microsoft.
Select **Manage** from the top menu, then click the **Windows Autopilot Deployment Program** link under the **Devices** card. See the following example:
-
+
Click the **Add devices** link to upload your CSV file. A message will appear indicating your request is being processed. Wait a few moments before refreshing to see your new device has been added.
-
+
## Create and assign a Windows Autopilot deployment profile
@@ -446,7 +446,7 @@ Pick one:
> [!NOTE]
> Even if you registered your device in MSfB, it will still appear in Intune, though you might have to **sync** and then **refresh** your device list.
-
+
#### Create a device group
@@ -463,7 +463,7 @@ The Autopilot deployment profile wizard will ask for a device group, so we must
3. Click **Members** and add the Autopilot VM to the group. See the following example:
> [!div class="mx-imgBorder"]
- > 
+ > 
4. Click **Create**.
@@ -472,12 +472,12 @@ The Autopilot deployment profile wizard will ask for a device group, so we must
To create a Windows Autopilot profile, scroll back to the left hand pane and click **Devices**, then under **Enroll devices | Windows enrollment** select **Deployment Profiles**.
> [!div class="mx-imgBorder"]
-> 
+> 
Click on **Create profile** and then select **Windows PC**.
> [!div class="mx-imgBorder"]
-> 
+> 
On the **Create profile** blade, use the following values:
@@ -512,7 +512,7 @@ Click **Next** to continue with the **Assignments** settings:
2. Click the **Autopilot Lab** group, and then click **Select**.
3. Click **Next** to continue and then click **Create**. See the following example:
-
+
Click on **OK** and then click on **Create**.
@@ -529,7 +529,7 @@ First, sign in to the [Microsoft Store for Business](https://businessstore.micro
Click **Manage** from the top menu, then click **Devices** from the left navigation tree.
-
+
Click the **Windows Autopilot Deployment Program** link in the **Devices** tile.
@@ -538,17 +538,17 @@ To CREATE the profile:
Select your device from the **Devices** list:
> [!div class="mx-imgBorder"]
-> 
+> 
On the Autopilot deployment dropdown menu, select **Create new profile**:
> [!div class="mx-imgBorder"]
-> 
+> 
Name the profile, choose your desired settings, and then click **Create**:
> [!div class="mx-imgBorder"]
-> 
+> 
The new profile is added to the Autopilot deployment list.
@@ -557,12 +557,12 @@ To ASSIGN the profile:
To assign (or reassign) the profile to a device, select the checkboxes next to the device you registered for this lab, then select the profile you want to assign from the **Autopilot deployment** dropdown menu as shown:
> [!div class="mx-imgBorder"]
-> 
+> 
Confirm the profile was successfully assigned to the intended device by checking the contents of the **Profile** column:
> [!div class="mx-imgBorder"]
-> 
+> 
> [!IMPORTANT]
> The new profile will only be applied if the device has not been started, and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device.
@@ -572,7 +572,7 @@ Confirm the profile was successfully assigned to the intended device by checking
If you shut down your VM after the last reset, it's time to start it back up again, so it can progress through the Autopilot OOBE experience but do not attempt to start your device again until the **PROFILE STATUS** for your device in Intune has changed from **Not assigned** to **Assigning** and finally **Assigned**:
> [!div class="mx-imgBorder"]
-> 
+> 
Also, make sure to wait at least 30 minutes from the time you've [configured company branding](#configure-company-branding), otherwise these changes might not show up.
@@ -583,12 +583,12 @@ Also, make sure to wait at least 30 minutes from the time you've [configured com
- Turn on the device
- Verify that the appropriate OOBE screens (with appropriate Company Branding) appear. You should see the region selection screen, the keyboard selection screen, and the second keyboard selection screen (which you can skip).
-
+
Soon after reaching the desktop, the device should show up in Intune as an **enabled** Autopilot device. Go into the Intune Azure portal, and select **Devices > All devices**, then **Refresh** the data to verify that your device has changed from disabled to enabled, and the name of the device is updated.
> [!div class="mx-imgBorder"]
-> 
+> 
Once you select a language and a keyboard layout, your company branded sign-in screen should appear. Provide your Azure Active Directory credentials and you're all done.
@@ -606,7 +606,7 @@ To use the device (or VM) for other purposes after completion of this lab, you w
You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure Active Directory), log into the MEM admin center, then navigate to **Intune > Devices > All Devices**. Select the device you want to delete, then click the Delete button along the top menu.
> [!div class="mx-imgBorder"]
-> 
+> 
This will remove the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this does not yet deregister the device from Autopilot, so the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**.
@@ -618,7 +618,7 @@ The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment
To remove the device from the Autopilot program, select the device and click **Delete**. You will get a popup dialog box to confirm deletion.
> [!div class="mx-imgBorder"]
-> 
+> 
At this point, your device has been unenrolled from Intune and also deregistered from Autopilot. After several minutes, click the **Sync** button, followed by the **Refresh** button to confirm the device is no longer listed in the Autopilot program:
@@ -686,7 +686,7 @@ Download the Notepad++ msi package [here](https://www.hass.de/content/notepad-ms
Run the IntuneWinAppUtil tool, supplying answers to the three questions, for example:
> [!div class="mx-imgBorder"]
-> 
+> 
After the tool finishes running, you should have an .intunewin file in the Output folder, which you can now upload into Intune using the following steps.
@@ -696,20 +696,20 @@ Log into the Azure portal and select **Intune**.
Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package.
-
+
Under **App Type**, select **Windows app (Win32)**:
-
+
On the **App package file** blade, browse to the **npp.7.6.3.installer.x64.intunewin** file in your output folder, open it, then click **OK**:
> [!div class="mx-imgBorder"]
-> 
+> 
On the **App Information Configure** blade, provide a friendly name, description, and publisher, such as:
-
+
On the **Program Configuration** blade, supply the install and uninstall commands:
@@ -721,7 +721,7 @@ Uninstall: msiexec /x "{F188A506-C3C6-4411-BE3A-DA5BF1EA6737}" /q
> [!NOTE]
> Likely, you do not have to write the install and uninstall commands yourself because the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool) automatically generated them when it converted the .msi file into a .intunewin file.
-
+
Simply using an install command like "notepad++.exe /S" will not actually install Notepad++; it will only launch the app. To actually install the program, we need to use the .msi file instead. Notepad++ doesn't actually have an .msi version of their program, but we got an .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available).
@@ -730,23 +730,23 @@ Click **OK** to save your input and activate the **Requirements** blade.
On the **Requirements Configuration** blade, specify the **OS architecture** and the **Minimum OS version**:
> [!div class="mx-imgBorder"]
-> 
+> 
Next, configure the **Detection rules**. For our purposes, we will select manual format:
> [!div class="mx-imgBorder"]
-> 
+> 
Click **Add** to define the rule properties. For **Rule type**, select **MSI**, which will automatically import the right MSI product code into the rule:
-
+
Click **OK** twice to save, as you back out to the main **Add app** blade again for the final configuration.
**Return codes**: For our purposes, leave the return codes at their default values:
> [!div class="mx-imgBorder"]
-> 
+> 
Click **OK** to exit.
@@ -757,12 +757,12 @@ Click the **Add** button to finalize and save your app package.
Once the indicator message says the addition has completed.
> [!div class="mx-imgBorder"]
-> 
+> 
You will be able to find your app in your app list:
> [!div class="mx-imgBorder"]
-> 
+> 
#### Assign the app to your Intune profile
@@ -772,7 +772,7 @@ You will be able to find your app in your app list:
In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties blade. Then click **Assignments** from the menu:
> [!div class="mx-imgBorder"]
-> 
+> 
Select **Add Group** to open the **Add group** pane that is related to the app.
@@ -783,10 +783,10 @@ For our purposes, select **Required** from the **Assignment type** dropdown menu
Select **Included Groups** and assign the groups you previously created that will use this app:
-
+
> [!div class="mx-imgBorder"]
-> 
+> 
In the **Select groups** pane, click the **Select** button.
@@ -797,7 +797,7 @@ In the **Add group** pane, select **OK**.
In the app **Assignments** pane, select **Save**.
> [!div class="mx-imgBorder"]
-> 
+> 
At this point, you have completed steps to add a Win32 app to Intune.
@@ -811,16 +811,16 @@ Log into the Azure portal and select **Intune**.
Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package.
-
+
Under **App Type**, select **Office 365 Suite > Windows 10**:
-
+
Under the **Configure App Suite** pane, select the Office apps you want to install. For the purposes of this labe we have only selected Excel:
> [!div class="mx-imgBorder"]
-> 
+> 
Click **OK**.
@@ -829,13 +829,13 @@ In the **App Suite Information** pane, enter a unique suite name, and a s
Enter the name of the app suite as it is displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal.
> [!div class="mx-imgBorder"]
-> 
+> 
Click **OK**.
In the **App Suite Settings** pane, select **Monthly** for the **Update channel** (any selection would be fine for the purposes of this lab). Also select **Yes** for **Automatically accept the app end user license agreement**:
-
+
Click **OK** and then click **Add**.
@@ -847,7 +847,7 @@ Click **OK** and then click **Add**.
In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties blade. Then click **Assignments** from the menu:
> [!div class="mx-imgBorder"]
-> 
+> 
Select **Add Group** to open the **Add group** pane that is related to the app.
@@ -857,10 +857,10 @@ For our purposes, select **Required** from the **Assignment type** dropdown menu
Select **Included Groups** and assign the groups you previously created that will use this app:
-
+
> [!div class="mx-imgBorder"]
-> 
+> 
In the **Select groups** pane, click the **Select** button.
@@ -870,7 +870,7 @@ In the **Add group** pane, select **OK**.
In the app **Assignments** pane, select **Save**.
-
+
At this point, you have completed steps to add Office to Intune.
@@ -878,7 +878,7 @@ For more information on adding Office apps to Intune, see [Assign Office 365 app
If you installed both the win32 app (Notepad++) and Office (just Excel) per the instructions in this lab, your VM will show them in the apps list, although it could take several minutes to populate:
-
+
## Glossary
diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md
index 0d04abd1e0..04f798b127 100644
--- a/windows/deployment/windows-deployment-scenarios-and-tools.md
+++ b/windows/deployment/windows-deployment-scenarios-and-tools.md
@@ -29,7 +29,7 @@ In this topic, you also learn about different types of reference images that you
Windows ADK contains core assessment and deployment tools and technologies, including Deployment Image Servicing and Management (DISM), Windows Imaging and Configuration Designer (Windows ICD), Windows System Image Manager (Windows SIM), User State Migration Tool (USMT), Volume Activation Management Tool (VAMT), Windows Preinstallation Environment (Windows PE), Windows Assessment Services, Windows Performance Toolkit (WPT), Application Compatibility Toolkit (ACT), and Microsoft SQL Server 2012 Express. For more details, see [Windows ADK for Windows 10](/windows-hardware/get-started/adk-install) or [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md).
-
+
The Windows 10 ADK feature selection page.
@@ -50,7 +50,7 @@ Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All
-Source D:\Sources\SxS -LimitAccess
```
-
+
Using DISM functions in PowerShell.
@@ -77,7 +77,7 @@ In addition to these tools, there are also XML templates that manage which data
- **Custom templates.** Custom templates that you create.
- **Config template.** An optional template, called Config.xml, which you can use to exclude or include components in a migration without modifying the other standard XML templates.
-
+
A sample USMT migration file that will exclude .MP3 files on all local drives and include the folder C:\\Data and all its files, including its subdirectories and their files.
@@ -100,7 +100,7 @@ These are the settings migrated by the default MigUser.xml and MigApp.xml templa
Windows Imaging and Configuration Designer (Windows ICD) is a tool designed to assist with the creation of provisioning packages that can be used to dynamically configure a Windows device (PCs, tablets, and phones). This is particularly useful for setting up new devices, without the need for re-imaging the device with a custom image.
-
+
Windows Imaging and Configuration Designer.
@@ -110,7 +110,7 @@ For more information, see [Windows Imaging and Configuration Designer](/windows/
Windows SIM is an authoring tool for Unattend.xml files. When using MDT and/or Configuration Manager, you don’t need Windows SIM very often because those systems automatically update the Unattend.xml file during the deployment, greatly simplifying the process overall.
-
+
Windows answer file opened in Windows SIM.
@@ -120,7 +120,7 @@ For more information, see [Windows System Image Manager Technical Reference]( ht
If you don’t use KMS, you can still manage your MAKs centrally with the Volume Activation Management Tool (VAMT). With this tool, you can install and manage product keys throughout the organization. VAMT also can activate on behalf of clients without Internet access, acting as a MAK proxy.
-
+
The updated Volume Activation Management Tool.
@@ -138,7 +138,7 @@ Windows PE is a “Lite” version of Windows 10 and was created to act as a dep
The key thing to know about Windows PE is that, like the operating system, it needs drivers for at least network and storage devices in each PC. Luckily Windows PE includes the same drivers as the full Windows 10 operating system, which means much of your hardware will work out of the box.
-
+
A machine booted with the Windows ADK default Windows PE boot image.
@@ -149,7 +149,7 @@ For more details on Windows PE, see [Windows PE (WinPE)](/windows-hardware/manuf
Windows Recovery Environment (Windows RE) is a diagnostics and recovery toolset included in Windows Vista and later operating systems. The latest version of Windows RE is based on Windows PE. You can also extend Windows RE and add your own tools if needed. If a Windows installation fails to start and Windows RE is installed, you will see an automatic failover into Windows RE.
-
+
A Windows 10 client booted into Windows RE, showing Advanced options.
@@ -160,7 +160,7 @@ For more information on Windows RE, see [Windows Recovery Environment](/windows-
Windows Deployment Services (WDS) has been updated and improved in several ways starting with Windows 8. Remember that the two main functions you will use are the PXE boot support and multicast. Most of the changes are related to management and increased performance. In Windows Server 2012 R2, WDS also can be used for the Network Unlock feature in BitLocker.
-
+
Windows Deployment Services using multicast to deploy three machines.
@@ -176,7 +176,7 @@ Also, there are a few new features related to TFTP performance:
- **Scalable port management.** Provides the capability to service clients with shared UDP port allocation, increasing scalability.
- **Variable-size transmission window (Variable Windows Extension).** Improves TFTP performance by allowing the client and server to determine the largest workable window size.
-
+
TFTP changes are now easy to perform.
@@ -192,7 +192,7 @@ Lite Touch and Zero Touch are marketing names for the two solutions that MDT sup
-
+
The Deployment Workbench in, showing a task sequence.
@@ -203,7 +203,7 @@ For more information on MDT, see the [Microsoft Deployment Toolkit](/mem/configm
[Microsoft SCM](https://go.microsoft.com/fwlink/p/?LinkId=619246) is a free utility used to create baseline security settings for the Windows client and server environment. The baselines can be exported and then deployed via Group Policy, local policies, MDT, or Configuration Manager. The current version of Security Compliance Manager includes baselines for Windows 8.1 and several earlier versions of Windows, Windows Server, and Internet Explorer.
-
+
The SCM console showing a baseline configuration for a fictional client's computer security compliance.
@@ -228,7 +228,7 @@ For more information on the benefits of an MDOP subscription, see [Microsoft Des
There has been a version of IEAK for every version of Internet Explorer since 3.0. It gives you the capability to customize Internet Explorer as you would like. The end result of using IEAK is an Internet Explorer package that can be deployed unattended. The wizard creates one .exe file and one .msi file.
-
+
The User Experience selection screen in IEAK 11.
@@ -239,7 +239,7 @@ To download IEAK 11, see the [Internet Explorer Administration Kit (IEAK) Inform
WSUS is a server role in Windows Server 2012 R2 that enables you to maintain a local repository of Microsoft updates and then distribute them to machines on your network. WSUS offers approval control and reporting of update status in your environment.
-
+
The Windows Server Update Services console.
diff --git a/windows/privacy/Microsoft-DiagnosticDataViewer.md b/windows/privacy/Microsoft-DiagnosticDataViewer.md
index 930819c367..5852e85928 100644
--- a/windows/privacy/Microsoft-DiagnosticDataViewer.md
+++ b/windows/privacy/Microsoft-DiagnosticDataViewer.md
@@ -64,7 +64,7 @@ Note that this setting does not control whether your device sends diagnostic dat
2. Under **Diagnostic data**, turn on the **If data viewing is enabled, you can see your diagnostics data** option.
- 
+ 
**To turn on data viewing through PowerShell**
@@ -134,7 +134,7 @@ When you're done reviewing your diagnostic data, we recommend turning off data v
2. Under **Diagnostic data**, turn off the **If data viewing is enabled, you can see your diagnostics data** option.
- 
+ 
**To turn off data viewing through PowerShell**
diff --git a/windows/privacy/diagnostic-data-viewer-overview.md b/windows/privacy/diagnostic-data-viewer-overview.md
index 3b40651ee2..dc9a127179 100644
--- a/windows/privacy/diagnostic-data-viewer-overview.md
+++ b/windows/privacy/diagnostic-data-viewer-overview.md
@@ -38,7 +38,7 @@ Before you can use this tool for viewing Windows diagnostic data, you must turn
2. Under **Diagnostic data**, turn on the **If data viewing is enabled, you can see your diagnostics data** option.
- 
+ 
### Download the Diagnostic Data Viewer
Download the app from the [Microsoft Store Diagnostic Data Viewer](https://www.microsoft.com/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page.
@@ -54,7 +54,7 @@ You can start this app from the **Settings** panel.
2. Under **Diagnostic data**, select the **Diagnostic Data Viewer** button.
- 
-OR-
+ 
-OR-
Go to **Start** and search for _Diagnostic Data Viewer_.
@@ -73,7 +73,7 @@ The Diagnostic Data Viewer provides you with the following features to view and
>[!Important]
>Seeing an event does not necessarily mean it has been uploaded yet. It’s possible that some events are still queued and will be uploaded at a later time.
- 
+ 
- **Search your diagnostic events.** The **Search** box at the top of the screen lets you search amongst all of the diagnostic event details. The returned search results include any diagnostic event that contains the matching text.
@@ -83,7 +83,7 @@ The Diagnostic Data Viewer provides you with the following features to view and
- **Help to make your Windows experience better.** Microsoft only needs diagnostic data from a small amount of devices to make big improvements to the Windows operating system and ultimately, your experience. If you’re a part of this small device group and you experience issues, Microsoft will collect the associated event diagnostic data, allowing your info to potentially help fix the issue for others.
- To signify your contribution, you’ll see this icon () if your device is part of the group. In addition, if any of your diagnostic data events are sent from your device to Microsoft to help make improvements, you’ll see this icon ().
+ To signify your contribution, you’ll see this icon () if your device is part of the group. In addition, if any of your diagnostic data events are sent from your device to Microsoft to help make improvements, you’ll see this icon ().
- **Provide diagnostic event feedback.** The **Feedback** icon in the upper right corner of the window opens the Feedback Hub app, letting you provide feedback about the Diagnostic Data Viewer and the diagnostic events.
@@ -99,7 +99,7 @@ The Diagnostic Data Viewer provides you with the following features to view and
>[!Important]
>This content is a reflection of the history of Windows data the app has stored. If you'd like to have extended analyses, please modify the storage capacity of Diagnostic Data Viewer.
- 
+ 
## View Office Diagnostic Data
By default, Diagnostic Data Viewer shows you Windows data. You can also view Office diagnostic data by enabling the feature in the app settings page. To learn more about how to view Office diagnostic data, please visit this [page](https://go.microsoft.com/fwlink/?linkid=2023830).
@@ -112,7 +112,7 @@ When you're done reviewing your diagnostic data, you should turn of data viewing
2. Under **Diagnostic data**, turn off the **If data viewing is enabled, you can see your diagnostics data** option.
- 
+ 
## Modifying the size of your data history
By default, Diagnostic Data Viewer shows you up to 1GB or 30 days of data (whichever comes first) for Windows diagnostic data. Once either the time or space limit is reached, the data is incrementally dropped with the oldest data points dropped first.
@@ -139,7 +139,7 @@ You can also use the Windows Error Reporting tool available in the Control Panel
Starting with Windows 1809 and higher, you can review Windows Error Reporting diagnostic data in the Diagnostic Data Viewer.
-
+
**To view your Windows Error Reporting diagnostic data using the Control Panel**
@@ -147,7 +147,7 @@ Go to **Start**, select **Control Panel** > **All Control Panel Items** > **Secu
Go to **Start** and search for _Problem Reports_.
The **Review problem reports** tool opens, showing you your Windows Error Reporting reports, along with a status about whether it was sent to Microsoft.
-
+
## Known Issues with Diagnostic Data Viewer
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index aad2616468..f1f0d9469a 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -57,60 +57,60 @@ The following table lists management options for each setting, beginning with Wi
| Setting | UI | Group Policy | Registry |
| - | :-: | :-: | :-: |
-| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | |  |  |
-| [2. Cortana and Search](#bkmk-cortana) | |  |  |
-| [3. Date & Time](#bkmk-datetime) |  |  |  |
-| [4. Device metadata retrieval](#bkmk-devinst) | |  |  |
-| [5. Find My Device](#find-my-device) |  |  |  |
-| [6. Font streaming](#font-streaming) | |  |  |
-| [7. Insider Preview builds](#bkmk-previewbuilds) |  |  |  |
-| [8. Internet Explorer](#bkmk-ie) | |  |  |
-| [9. License Manager](#bkmk-licmgr) | | |  |
-| [10. Live Tiles](#live-tiles) | |  |  |
-| [11. Mail synchronization](#bkmk-mailsync) |  | |  |
-| [12. Microsoft Account](#bkmk-microsoft-account) | | |  |
-| [13. Microsoft Edge](#bkmk-edge) | |  |  |
-| [14. Network Connection Status Indicator](#bkmk-ncsi) | |  |  |
-| [15. Offline maps](#bkmk-offlinemaps) |  |  |  |
-| [16. OneDrive](#bkmk-onedrive) | |  |  |
+| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | |  |  |
+| [2. Cortana and Search](#bkmk-cortana) | |  |  |
+| [3. Date & Time](#bkmk-datetime) |  |  |  |
+| [4. Device metadata retrieval](#bkmk-devinst) | |  |  |
+| [5. Find My Device](#find-my-device) |  |  |  |
+| [6. Font streaming](#font-streaming) | |  |  |
+| [7. Insider Preview builds](#bkmk-previewbuilds) |  |  |  |
+| [8. Internet Explorer](#bkmk-ie) | |  |  |
+| [9. License Manager](#bkmk-licmgr) | | |  |
+| [10. Live Tiles](#live-tiles) | |  |  |
+| [11. Mail synchronization](#bkmk-mailsync) |  | |  |
+| [12. Microsoft Account](#bkmk-microsoft-account) | | |  |
+| [13. Microsoft Edge](#bkmk-edge) | |  |  |
+| [14. Network Connection Status Indicator](#bkmk-ncsi) | |  |  |
+| [15. Offline maps](#bkmk-offlinemaps) |  |  |  |
+| [16. OneDrive](#bkmk-onedrive) | |  |  |
| [17. Preinstalled apps](#bkmk-preinstalledapps) |  | | |
| [18. Settings > Privacy](#bkmk-settingssection) | | | |
-| [18.1 General](#bkmk-general) |  |  |  |
-| [18.2 Location](#bkmk-priv-location) |  |  |  |
-| [18.3 Camera](#bkmk-priv-camera) |  |  |  |
-| [18.4 Microphone](#bkmk-priv-microphone) |  |  |  |
-| [18.5 Notifications](#bkmk-priv-notifications) |  |  | |
-| [18.6 Speech](#bkmk-priv-speech) |  |  |  |
-| [18.7 Account info](#bkmk-priv-accounts) |  |  |  |
-| [18.8 Contacts](#bkmk-priv-contacts) |  |  |  |
-| [18.9 Calendar](#bkmk-priv-calendar) |  |  |  |
-| [18.10 Call history](#bkmk-priv-callhistory) |  |  |  |
-| [18.11 Email](#bkmk-priv-email) |  |  |  |
-| [18.12 Messaging](#bkmk-priv-messaging) |  |  |  |
-| [18.13 Phone calls](#bkmk-priv-phone-calls) |  |  |  |
-| [18.14 Radios](#bkmk-priv-radios) |  |  |  |
-| [18.15 Other devices](#bkmk-priv-other-devices) |  |  |  |
-| [18.16 Feedback & diagnostics](#bkmk-priv-feedback) |  |  |  |
-| [18.17 Background apps](#bkmk-priv-background) |  |  |  |
-| [18.18 Motion](#bkmk-priv-motion) |  |  |  |
-| [18.19 Tasks](#bkmk-priv-tasks) |  |  |  |
-| [18.20 App Diagnostics](#bkmk-priv-diag) |  |  |  |
-| [18.21 Inking & Typing](#bkmk-priv-ink) |  | |  |
-| [18.22 Activity History](#bkmk-act-history) |  | |  |
-| [18.23 Voice Activation](#bkmk-voice-act) |  | |  |
-| [19. Software Protection Platform](#bkmk-spp) | |  |  |
-| [20. Storage Health](#bkmk-storage-health) | |  |  |
-| [21. Sync your settings](#bkmk-syncsettings) |  |  |  |
-| [22. Teredo](#bkmk-teredo) | |  |  |
-| [23. Wi-Fi Sense](#bkmk-wifisense) |  |  |  |
-| [24. Microsoft Defender Antivirus](#bkmk-defender) | |  |  |
-| [25. Windows Spotlight](#bkmk-spotlight) |  |  |  |
-| [26. Microsoft Store](#bkmk-windowsstore) | |  |  |
-| [27. Apps for websites](#bkmk-apps-for-websites) | |  |  |
-| [28. Delivery Optimization](#bkmk-updates) |  |  |  |
-| [29. Windows Update](#bkmk-wu) | |  |  |
+| [18.1 General](#bkmk-general) |  |  |  |
+| [18.2 Location](#bkmk-priv-location) |  |  |  |
+| [18.3 Camera](#bkmk-priv-camera) |  |  |  |
+| [18.4 Microphone](#bkmk-priv-microphone) |  |  |  |
+| [18.5 Notifications](#bkmk-priv-notifications) |  |  | |
+| [18.6 Speech](#bkmk-priv-speech) |  |  |  |
+| [18.7 Account info](#bkmk-priv-accounts) |  |  |  |
+| [18.8 Contacts](#bkmk-priv-contacts) |  |  |  |
+| [18.9 Calendar](#bkmk-priv-calendar) |  |  |  |
+| [18.10 Call history](#bkmk-priv-callhistory) |  |  |  |
+| [18.11 Email](#bkmk-priv-email) |  |  |  |
+| [18.12 Messaging](#bkmk-priv-messaging) |  |  |  |
+| [18.13 Phone calls](#bkmk-priv-phone-calls) |  |  |  |
+| [18.14 Radios](#bkmk-priv-radios) |  |  |  |
+| [18.15 Other devices](#bkmk-priv-other-devices) |  |  |  |
+| [18.16 Feedback & diagnostics](#bkmk-priv-feedback) |  |  |  |
+| [18.17 Background apps](#bkmk-priv-background) |  |  |  |
+| [18.18 Motion](#bkmk-priv-motion) |  |  |  |
+| [18.19 Tasks](#bkmk-priv-tasks) |  |  |  |
+| [18.20 App Diagnostics](#bkmk-priv-diag) |  |  |  |
+| [18.21 Inking & Typing](#bkmk-priv-ink) |  | |  |
+| [18.22 Activity History](#bkmk-act-history) |  | |  |
+| [18.23 Voice Activation](#bkmk-voice-act) |  | |  |
+| [19. Software Protection Platform](#bkmk-spp) | |  |  |
+| [20. Storage Health](#bkmk-storage-health) | |  |  |
+| [21. Sync your settings](#bkmk-syncsettings) |  |  |  |
+| [22. Teredo](#bkmk-teredo) | |  |  |
+| [23. Wi-Fi Sense](#bkmk-wifisense) |  |  |  |
+| [24. Microsoft Defender Antivirus](#bkmk-defender) | |  |  |
+| [25. Windows Spotlight](#bkmk-spotlight) |  |  |  |
+| [26. Microsoft Store](#bkmk-windowsstore) | |  |  |
+| [27. Apps for websites](#bkmk-apps-for-websites) | |  |  |
+| [28. Delivery Optimization](#bkmk-updates) |  |  |  |
+| [29. Windows Update](#bkmk-wu) | |  |  |
| [30. Cloud Clipboard](#bkmk-clcp) | |  | |
-| [31. Services Configuration](#bkmk-svccfg) | |  |  |
+| [31. Services Configuration](#bkmk-svccfg) | |  |  |
### Settings for Windows Server 2016 with Desktop Experience
@@ -119,20 +119,20 @@ See the following table for a summary of the management settings for Windows Ser
| Setting | UI | Group Policy | Registry |
| - | :-: | :-: | :-: |
-| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | |  |  |
-| [2. Cortana and Search](#bkmk-cortana) | |  |  |
-| [3. Date & Time](#bkmk-datetime) |  |  |  |
-| [4. Device metadata retrieval](#bkmk-devinst) | |  |  |
-| [6. Font streaming](#font-streaming) | |  |  |
-| [7. Insider Preview builds](#bkmk-previewbuilds) |  |  |  |
-| [8. Internet Explorer](#bkmk-ie) | |  |  |
-| [10. Live Tiles](#live-tiles) | |  |  |
+| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | |  |  |
+| [2. Cortana and Search](#bkmk-cortana) | |  |  |
+| [3. Date & Time](#bkmk-datetime) |  |  |  |
+| [4. Device metadata retrieval](#bkmk-devinst) | |  |  |
+| [6. Font streaming](#font-streaming) | |  |  |
+| [7. Insider Preview builds](#bkmk-previewbuilds) |  |  |  |
+| [8. Internet Explorer](#bkmk-ie) | |  |  |
+| [10. Live Tiles](#live-tiles) | |  |  |
| [12. Microsoft Account](#bkmk-microsoft-account) | | |  |
-| [14. Network Connection Status Indicator](#bkmk-ncsi) | |  |  |
-| [16. OneDrive](#bkmk-onedrive) | |  |  |
+| [14. Network Connection Status Indicator](#bkmk-ncsi) | |  |  |
+| [16. OneDrive](#bkmk-onedrive) | |  |  |
| [18. Settings > Privacy](#bkmk-settingssection) | | | |
-| [19. Software Protection Platform](#bkmk-spp) | |  |  |
-| [22. Teredo](#bkmk-teredo) | |  |  |
+| [19. Software Protection Platform](#bkmk-spp) | |  |  |
+| [22. Teredo](#bkmk-teredo) | |  |  |
| [24. Microsoft Defender Antivirus](#bkmk-defender) | |  |  |
| [26. Microsoft Store](#bkmk-windowsstore) | |  |  |
| [27. Apps for websites](#bkmk-apps-for-websites) | |  |  |
@@ -172,54 +172,54 @@ See the following table for a summary of the management settings for Windows Ser
| - | :-: | :-: | :-: |
| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | |  |  |
| [2. Cortana and Search](#bkmk-cortana) | |  |  |
-| [3. Date & Time](#bkmk-datetime) |  |  |  |
+| [3. Date & Time](#bkmk-datetime) |  |  |  |
| [4. Device metadata retrieval](#bkmk-devinst) | |  |  |
-| [5. Find My Device](#find-my-device) |  |  |  |
+| [5. Find My Device](#find-my-device) |  |  |  |
| [6. Font streaming](#font-streaming) | |  |  |
-| [7. Insider Preview builds](#bkmk-previewbuilds) |  |  |  |
+| [7. Insider Preview builds](#bkmk-previewbuilds) |  |  |  |
| [8. Internet Explorer](#bkmk-ie) | |  |  |
| [10. Live Tiles](#live-tiles) | |  |  |
-| [11. Mail synchronization](#bkmk-mailsync) |  | |  |
+| [11. Mail synchronization](#bkmk-mailsync) |  | |  |
| [12. Microsoft Account](#bkmk-microsoft-account) | | |  |
| [13. Microsoft Edge](#bkmk-edge) | |  |  |
| [14. Network Connection Status Indicator](#bkmk-ncsi) | |  |  |
-| [15. Offline maps](#bkmk-offlinemaps) |  |  |  |
+| [15. Offline maps](#bkmk-offlinemaps) |  |  |  |
| [16. OneDrive](#bkmk-onedrive) | |  |  |
| [17. Preinstalled apps](#bkmk-preinstalledapps) |  | | |
| [18. Settings > Privacy](#bkmk-settingssection) | | | |
-| [18.1 General](#bkmk-general) |  |  |  |
-| [18.2 Location](#bkmk-priv-location) |  |  |  |
-| [18.3 Camera](#bkmk-priv-camera) |  |  |  |
-| [18.4 Microphone](#bkmk-priv-microphone) |  |  |  |
-| [18.5 Notifications](#bkmk-priv-notifications) |  |  | |
-| [18.6 Speech](#bkmk-priv-speech) |  |  |  |
-| [18.7 Account info](#bkmk-priv-accounts) |  |  |  |
-| [18.8 Contacts](#bkmk-priv-contacts) |  |  |  |
-| [18.9 Calendar](#bkmk-priv-calendar) |  |  |  |
-| [18.10 Call history](#bkmk-priv-callhistory) |  |  |  |
-| [18.11 Email](#bkmk-priv-email) |  |  |  |
-| [18.12 Messaging](#bkmk-priv-messaging) |  |  |  |
-| [18.13 Phone calls](#bkmk-priv-phone-calls) |  |  |  |
-| [18.14 Radios](#bkmk-priv-radios) |  |  |  |
-| [18.15 Other devices](#bkmk-priv-other-devices) |  |  |  |
-| [18.16 Feedback & diagnostics](#bkmk-priv-feedback) |  |  |  |
-| [18.17 Background apps](#bkmk-priv-background) |  |  |  |
-| [18.18 Motion](#bkmk-priv-motion) |  |  |  |
-| [18.19 Tasks](#bkmk-priv-tasks) |  |  |  |
-| [18.20 App Diagnostics](#bkmk-priv-diag) |  |  |  |
-| [18.21 Inking & Typing](#bkmk-priv-ink) |  | |  |
-| [18.22 Activity History](#bkmk-act-history) |  | |  |
-| [18.23 Voice Activation](#bkmk-voice-act) |  | |  |
+| [18.1 General](#bkmk-general) |  |  |  |
+| [18.2 Location](#bkmk-priv-location) |  |  |  |
+| [18.3 Camera](#bkmk-priv-camera) |  |  |  |
+| [18.4 Microphone](#bkmk-priv-microphone) |  |  |  |
+| [18.5 Notifications](#bkmk-priv-notifications) |  |  | |
+| [18.6 Speech](#bkmk-priv-speech) |  |  |  |
+| [18.7 Account info](#bkmk-priv-accounts) |  |  |  |
+| [18.8 Contacts](#bkmk-priv-contacts) |  |  |  |
+| [18.9 Calendar](#bkmk-priv-calendar) |  |  |  |
+| [18.10 Call history](#bkmk-priv-callhistory) |  |  |  |
+| [18.11 Email](#bkmk-priv-email) |  |  |  |
+| [18.12 Messaging](#bkmk-priv-messaging) |  |  |  |
+| [18.13 Phone calls](#bkmk-priv-phone-calls) |  |  |  |
+| [18.14 Radios](#bkmk-priv-radios) |  |  |  |
+| [18.15 Other devices](#bkmk-priv-other-devices) |  |  |  |
+| [18.16 Feedback & diagnostics](#bkmk-priv-feedback) |  |  |  |
+| [18.17 Background apps](#bkmk-priv-background) |  |  |  |
+| [18.18 Motion](#bkmk-priv-motion) |  |  |  |
+| [18.19 Tasks](#bkmk-priv-tasks) |  |  |  |
+| [18.20 App Diagnostics](#bkmk-priv-diag) |  |  |  |
+| [18.21 Inking & Typing](#bkmk-priv-ink) |  | |  |
+| [18.22 Activity History](#bkmk-act-history) |  | |  |
+| [18.23 Voice Activation](#bkmk-voice-act) |  | |  |
| [19. Software Protection Platform](#bkmk-spp) | |  |  |
| [20. Storage Health](#bkmk-storage-health) | |  |  |
-| [21. Sync your settings](#bkmk-syncsettings) |  |  |  |
+| [21. Sync your settings](#bkmk-syncsettings) |  |  |  |
| [22. Teredo](#bkmk-teredo) | |  |  |
-| [23. Wi-Fi Sense](#bkmk-wifisense) |  |  |  |
+| [23. Wi-Fi Sense](#bkmk-wifisense) |  |  |  |
| [24. Microsoft Defender Antivirus](#bkmk-defender) | |  |  |
-| [25. Windows Spotlight](#bkmk-spotlight) |  |  |  |
+| [25. Windows Spotlight](#bkmk-spotlight) |  |  |  |
| [26. Microsoft Store](#bkmk-windowsstore) | |  |  |
-| [27. Apps for websites](#bkmk-apps-for-websites) | |  | |
-| [28. Delivery Optimization](#bkmk-updates) |  |  |  |
+| [27. Apps for websites](#bkmk-apps-for-websites) | |  | |
+| [28. Delivery Optimization](#bkmk-updates) |  |  |  |
| [29. Windows Update](#bkmk-wu) | |  |  |
| [30. Cloud Clipboard](#bkmk-clcp) | |  | |
| [31. Services Configuration](#bkmk-svccfg) | |  |  |
diff --git a/windows/security/identity-protection/access-control/active-directory-accounts.md b/windows/security/identity-protection/access-control/active-directory-accounts.md
index 8ac3729427..69dba47679 100644
--- a/windows/security/identity-protection/access-control/active-directory-accounts.md
+++ b/windows/security/identity-protection/access-control/active-directory-accounts.md
@@ -592,7 +592,7 @@ In this procedure, the workstations are dedicated to domain administrators. By s
> **Note** You might have to delegate permissions to join computers to the domain if the account that joins the workstations to the domain does not already have them. For more information, see [Delegation of Administration in Active Directory](https://social.technet.microsoft.com/wiki/contents/articles/20292.delegation-of-administration-in-active-directory.aspx).
- 
+ 
3. Close Active Directory Users and Computers.
@@ -600,13 +600,13 @@ In this procedure, the workstations are dedicated to domain administrators. By s
5. Right-click the new OU, and > **Create a GPO in this domain, and Link it here**.
- 
+ 
6. Name the GPO, and > **OK**.
7. Expand the GPO, right-click the new GPO, and > **Edit**.
- 
+ 
8. Configure which members of accounts can log on locally to these administrative workstations as follows:
@@ -625,7 +625,7 @@ In this procedure, the workstations are dedicated to domain administrators. By s
5. Click **Add User or Group**, type **Administrators**, and > **OK**.
- 
+ 
9. Configure the proxy configuration:
@@ -633,7 +633,7 @@ In this procedure, the workstations are dedicated to domain administrators. By s
2. Double-click **Proxy Settings**, select the **Enable proxy settings** check box, type **127.0.0.1** (the network Loopback IP address) as the proxy address, and > **OK**.
- 
+ 
10. Configure the loopback processing mode to enable the user Group Policy proxy setting to apply to all users on the computer as follows:
@@ -696,11 +696,11 @@ In this procedure, the workstations are dedicated to domain administrators. By s
1. Right-click **Windows Firewall with Advanced Security LDAP://path**, and > **Properties**.
- 
+ 
2. On each profile, ensure that the firewall is enabled and that inbound connections are set to **Block all connections**.
- 
+ 
3. Click **OK** to complete the configuration.
@@ -738,11 +738,11 @@ For this procedure, do not link accounts to the OU that contain workstations for
3. Right-click **Group Policy Objects**, and > **New**.
- 
+ 
4. In the **New GPO** dialog box, name the GPO that restricts administrators from signing in to workstations, and > **OK**.
- 
+ 
5. Right-click **New GPO**, and > **Edit**.
@@ -756,7 +756,7 @@ For this procedure, do not link accounts to the OU that contain workstations for
3. Click **Add User or Group**, click **Browse**, type **Domain Admins**, and > **OK**.
- 
+ 
**Note**
You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations.
@@ -778,7 +778,7 @@ For this procedure, do not link accounts to the OU that contain workstations for
3. Click **Add User or Group** > **Browse**, type **Domain Admins**, and > **OK**.
- 
+ 
**Note**
You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations.
@@ -791,7 +791,7 @@ For this procedure, do not link accounts to the OU that contain workstations for
6. Click **Add User or Group** > **Browse**, type **Domain Admins**, and > **OK**.
- 
+ 
**Note**
You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations.
@@ -804,11 +804,11 @@ For this procedure, do not link accounts to the OU that contain workstations for
1. Right-click the workstation OU, and then > **Link an Existing GPO**.
- 
+ 
2. Select the GPO that you just created, and > **OK**.
- 
+ 
10. Test the functionality of enterprise applications on workstations in the first OU and resolve any issues caused by the new policy.
@@ -831,7 +831,7 @@ It is a best practice to configure the user objects for all sensitive accounts i
As with any configuration change, test this enabled setting fully to ensure that it performs correctly before you implement it.
-
+
## Secure and manage domain controllers
diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md
index d67808e585..6ad17afded 100644
--- a/windows/security/identity-protection/access-control/local-accounts.md
+++ b/windows/security/identity-protection/access-control/local-accounts.md
@@ -367,15 +367,15 @@ The following table shows the Group Policy and registry settings that are used t
3. In the console tree, right-click **Group Policy Objects**, and > **New**.
- 
+ 
4. In the **New GPO** dialog box, type <**gpo\_name**>, and > **OK** where *gpo\_name* is the name of the new GPO. The GPO name indicates that the GPO is used to restrict local administrator rights from being carried over to another computer.
- 
+ 
5. In the details pane, right-click <**gpo\_name**>, and > **Edit**.
- 
+ 
6. Ensure that UAC is enabled and that UAC restrictions apply to the default Administrator account by doing the following:
@@ -391,7 +391,7 @@ The following table shows the Group Policy and registry settings that are used t
2. Right-click **Registry**, and > **New** > **Registry Item**.
- 
+ 
3. In the **New Registry Properties** dialog box, on the **General** tab, change the setting in the **Action** box to **Replace**.
@@ -407,7 +407,7 @@ The following table shows the Group Policy and registry settings that are used t
9. Verify this configuration, and > **OK**.
- 
+ 
8. Link the GPO to the first **Workstations** organizational unit (OU) by doing the following:
@@ -415,7 +415,7 @@ The following table shows the Group Policy and registry settings that are used t
2. Right-click the **Workstations** OU, and > **Link an existing GPO**.
- 
+ 
3. Select the GPO that you just created, and > **OK**.
@@ -495,11 +495,11 @@ The following table shows the Group Policy settings that are used to deny networ
4. In the **New GPO** dialog box, type <**gpo\_name**>, and then > **OK** where *gpo\_name* is the name of the new GPO indicates that it is being used to restrict the local administrative accounts from interactively signing in to the computer.
- 
+ 
5. In the details pane, right-click <**gpo\_name**>, and > **Edit**.
- 
+ 
6. Configure the user rights to deny network logons for administrative local accounts as follows:
diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md
index e770d29de4..be0a573f71 100644
--- a/windows/security/identity-protection/access-control/security-identifiers.md
+++ b/windows/security/identity-protection/access-control/security-identifiers.md
@@ -52,7 +52,7 @@ SIDs always remain unique. Security authorities never issue the same SID twice,
A security identifier is a data structure in binary format that contains a variable number of values. The first values in the structure contain information about the SID structure. The remaining values are arranged in a hierarchy (similar to a telephone number), and they identify the SID-issuing authority (for example, “NT Authority”), the SID-issuing domain, and a particular security principal or group. The following image illustrates the structure of a SID.
-
+
The individual values of a SID are described in the following table.
diff --git a/windows/security/identity-protection/access-control/security-principals.md b/windows/security/identity-protection/access-control/security-principals.md
index 26564af45a..293acd13c9 100644
--- a/windows/security/identity-protection/access-control/security-principals.md
+++ b/windows/security/identity-protection/access-control/security-principals.md
@@ -42,7 +42,7 @@ The following diagram illustrates the Windows authorization and access control
**Authorization and access control process**
-
+
Security principals are closely related to the following components and technologies:
diff --git a/windows/security/identity-protection/configure-s-mime.md b/windows/security/identity-protection/configure-s-mime.md
index f055141697..9423de2923 100644
--- a/windows/security/identity-protection/configure-s-mime.md
+++ b/windows/security/identity-protection/configure-s-mime.md
@@ -52,11 +52,11 @@ On the device, perform the following steps: (add select certificate)
2. Open **Settings** by tapping the gear icon on a PC, or the ellipsis (...) and then the gear icon on a phone.
- :::image type="content" alt-text="settings icon in mail app" source="images/mailsettings.png":::
+ :::image type="content" alt-text="settings icon in mail app." source="images/mailsettings.png":::
3. Tap **Email security**.
- :::image type="content" alt-text="email security settings" source="images/emailsecurity.png":::
+ :::image type="content" alt-text="email security settings." source="images/emailsecurity.png":::
4. In **Select an account**, select the account for which you want to configure S/MIME options.
@@ -77,7 +77,7 @@ On the device, perform the following steps: (add select certificate)
2. Use **Sign** and **Encrypt** icons to turn on digital signature and encryption for this message.
- :::image type="content" alt-text="sign or encrypt message" source="images/signencrypt.png":::
+ :::image type="content" alt-text="sign or encrypt message." source="images/signencrypt.png":::
## Read signed or encrypted messages
@@ -93,5 +93,5 @@ When you receive a signed email, the app provide feature to install correspondin
3. Tap **Install.**
- :::image type="content" alt-text="message security information" source="images/installcert.png":::
+ :::image type="content" alt-text="message security information." source="images/installcert.png":::
\ No newline at end of file
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
index 8d0219c5dd..b122158529 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
@@ -33,7 +33,7 @@ When Windows Defender Credential Guard is enabled, Kerberos does not allow uncon
Here's a high-level overview on how the LSA is isolated by using virtualization-based security:
-
+
## See also
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
index c737034fd5..936172770d 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@@ -45,7 +45,7 @@ You can use Group Policy to enable Windows Defender Credential Guard. This will
5. In the **Secure Launch Configuration** box, choose **Not Configured**, **Enabled** or **Disabled**. Check [this article](../../threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md) for more details.
- 
+ 
6. Close the Group Policy Management Console.
@@ -168,7 +168,7 @@ You can view System Information to check that Windows Defender Credential Guard
Here's an example:
> [!div class="mx-imgBorder"]
- > 
+ > 
You can also check that Windows Defender Credential Guard is running by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
diff --git a/windows/security/identity-protection/enterprise-certificate-pinning.md b/windows/security/identity-protection/enterprise-certificate-pinning.md
index 8a678b6ff4..fea29a3fc3 100644
--- a/windows/security/identity-protection/enterprise-certificate-pinning.md
+++ b/windows/security/identity-protection/enterprise-certificate-pinning.md
@@ -176,7 +176,7 @@ Certutil writes the binary information to the following registration location:
| Value | Binary contents from the certificate pin rules certificate trust list file |
| Data type | REG_BINARY |
-
+
### Deploying Enterprise Pin Rule Settings using Group Policy
@@ -203,7 +203,7 @@ Sign-in to the reference computer using domain administrator equivalent credenti
11. The **Key Path** should contain the selected registry key. The **Value name** configuration should contain the registry value name **_PinRules_**. **Value type** should read **_REG\_BINARY_** and **Value data** should contain a long series of numbers from 0-9 and letters ranging from A-F (hexadecimal). Click **OK** to save your settings and close the dialog box.
- 
+ 
12. Close the **Group Policy Management Editor** to save your settings.
13. Link the **Enterprise Certificate Pinning Rules** Group Policy object to apply to computers that run Windows 10, version 1703 in your enterprise. When these domain-joined computers apply Group Policy, the registry information configured in the Group Policy object is applied to the computer.
@@ -258,7 +258,7 @@ These dates must be properly formatted and represented in UTC.
You can use Windows PowerShell to format these dates.
You can then copy and paste the output of the cmdlet into the XML file.
-
+
For simplicity, you can truncate decimal point (.) and the numbers after it.
However, be certain to append the uppercase “Z” to the end of the XML date string.
@@ -272,7 +272,7 @@ However, be certain to append the uppercase “Z” to the end of the XML date s
You can also use Windows PowerShell to validate convert an XML date into a human readable date to validate it’s the correct date.
-
+
## Representing a Duration in XML
@@ -280,13 +280,13 @@ Some elements may be configured to use a duration rather than a date.
You must represent the duration as an XML timespan data type.
You can use Windows PowerShell to properly format and validate durations (timespans) and copy and paste them into your XML file.
-
+
## Converting an XML Duration
You can convert a XML formatted timespan into a timespan variable that you can read.
-
+
## Certificate Trust List XML Schema Definition (XSD)
diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
index b7018e4477..f80ffec25c 100644
--- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
+++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
@@ -372,11 +372,11 @@ The Group Policy object contains the policy settings needed to trigger Windows H
7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**.
- 
+ 
8. In the content pane, double-click **Configure device unlock factors**. Click **Enable**. The **Options** section populates the policy setting with default values.
- 
+ 
9. Configure first and second unlock factors using the information in [Configure Unlock Factors](#configuring-unlock-factors).
diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
index 16be1aa6bc..25d27e28d3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
+++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
@@ -38,23 +38,23 @@ Determining an adequate number of Windows Server domain controllers is important
Consider a controlled environment where there are 1000 client computers and the authentication load of these 1000 client computers is evenly distributed across 10 domain controllers in the environment. The Kerberos AS requests load would look something like the following:
-
+
The environment changes. The first change includes DC1 upgraded to Windows Server 2016 or later to support Windows Hello for Business key-trust authentication. Next, 100 clients enroll for Windows Hello for Business using the public key trust deployment. Given all other factors stay constant, the authentication would now look like the following:
-
+
The Windows Server 2016 or later domain controller is handling 100 percent of all public key trust authentication. However, it is also handling 10 percent of password authentication. Why? This behavior occurs because domain controllers 2 - 10 only support password and certificate trust authentication; only a Windows Server 2016 and above domain controller supports public key trust authentication. The Windows Server 2016 and above domain controller still understands how to authenticate password and certificate trust authentication and will continue to share the load of authenticating those clients. Because DC1 can handle all forms of authentication, it will bear more of the authentication load, and easily become overloaded. What if another Windows Server 2016 or later domain controller is added, but without deploying Windows Hello for Business to any more clients?
-
+
Upgrading another domain controller to Windows Server 2016 or later distributes the public key trust authentication across two domain controllers - each supporting 50 percent of the load. But it doesn't change the distribution of password and certificate trust authentication. Both Windows Server 2019 domain controllers still share 10 percent of this load. Now look at the scenario when half of the domain controllers are upgraded to Windows Server 2016 or later, but the number of WHFB clients remains the same.
-
+
Domain controllers 1 through 5 now share the public key trust authentication load where each domain controller handles 20 percent of the public key trust load but they each still handle 10 percent of the password and certificate trust authentication. These domain controllers still have a heavier load than domain controllers 6 through 10; however, the load is adequately distributed. Now look the scenario when half of the client computers are upgraded to Windows Hello for Business using a key-trust deployment.
-
+
You'll notice the distribution did not change. Each Windows Server 2016 or later domain controller handles 20 percent of the public key trust authentication. However, increasing the volume of authentication (by increasing the number of clients) increases the amount of work that is represented by the same 20 percent. In the previous example, 20 percent of public key trust authentication equated to a volume of 20 authentications per domain controller capable of public key trust authentication. However, with upgraded clients, that same 20 percent represents a volume of 100 public key trust authentications per public key trust capable domain controller. Also, the distribution of non-public key trust authentication remained at 10 percent, but the volume of password and certificate trust authentications decreased across the older domain controllers.
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
index ab73eab4f9..f354ae19d4 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
@@ -91,7 +91,7 @@ Sign-in the federation server with domain administrator equivalent credentials.
5. Click **Next** on the **Select Certificate Enrollment Policy** page.
6. On the **Request Certificates** page, Select the **Internal Web Server** check box.
7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link
- 
+ 
8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the Active Directory Federation Services role and then click **Add**.
9. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your federation services (fs.corp.contoso.com). The name you use here MUST match the name you use when configuring the Active Directory Federation Services server role. Click **Add**. Repeat the same to add device registration service name (*enterpriseregistration.contoso.com*) as another alternative name. Click **OK** when finished.
10. Click **Enroll**.
@@ -184,7 +184,7 @@ Sign-in the federation server with _domain administrator_ equivalent credentials
1. Start **Server Manager**.
2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**.
-
+
3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**.
4. Click **Next** on the **Connect to Active Directory Domain Services** page.
5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as *fs.corp.contoso.com* or *fs.contoso.com*.
@@ -204,7 +204,7 @@ Sign-in the federation server with _domain administrator_ equivalent credentials
1. Start **Server Manager**.
2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**.
-
+
3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**.
4. Click **Next** on the **Connect to Active Directory Domain Services** page.
5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as fs.corp.mstepdemo.net or fs.mstepdemo.net.
@@ -456,7 +456,7 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials.
6. On the **Select server roles** page, click **Next**.
7. Select **Network Load Balancing** on the **Select features** page.
8. Click **Install** to start the feature installation.
- 
+ 
### Configure Network Load Balancing for AD FS
@@ -465,25 +465,25 @@ Before you can load balance all the nodes in the AD FS farm, you must first crea
Sign-in a node of the federation farm with _Admin_ equivalent credentials.
1. Open **Network Load Balancing Manager** from **Administrative Tools**.
- 
+ 
2. Right-click **Network Load Balancing Clusters**, and then click **New Cluster**.
3. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then click **Connect**.
- 
+ 
4. Select the interface that you want to use with the cluster, and then click **Next**. (The interface hosts the virtual IP address and receives the client traffic to load balance.)
5. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Click **Next**.
6. In **Cluster IP Addresses**, click **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Click **Next**.
- 
+ 
7. In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster.
- 
+ 
8. In **Cluster operation mode**, click **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Click **Next**.
9. In Port Rules, click Edit to modify the default port rules to use port 443.
- 
+ 
### Additional AD FS Servers
1. To add more hosts to the cluster, right-click the new cluster, and then click **Add Host to Cluster**.
2. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same.
- 
+ 
## Configure DNS for Device Registration
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
index 0686de8a9a..57f12a0692 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
@@ -34,7 +34,7 @@ To locate the schema master role holder, open and command prompt and type:
```Netdom query fsmo | findstr -i “schema”```
-
+
The command should return the name of the domain controller where you need to adprep.exe. Update the schema locally on the domain controller hosting the Schema master role.
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
index bafde6afc2..0bbce98b00 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
@@ -51,7 +51,7 @@ Three approaches are documented here:
1. Right-click the **Smartcard Logon** template and click **Duplicate Template**
- 
+ 
1. On the **Compatibility** tab:
1. Clear the **Show resulting changes** check box
@@ -109,7 +109,7 @@ Three approaches are documented here:
1. In the Certificate Authority console, right-click **Certificate Templates**, select **New**, and select **Certificate Template to Issue**
- 
+ 
1. From the list of templates, select the template you previously created (**WHFB Certificate Authentication**) and click **OK**. It can take some time for the template to replicate to all servers and become available in this list.
@@ -123,7 +123,7 @@ Three approaches are documented here:
1. In the left pane of the MMC, right-click **Personal**, click **All Tasks**, and then click **Request New Certificate…**
- 
+ 
1. On the Certificate Enrollment screen, click **Next**.
diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
index 476aed7683..48a0d130df 100644
--- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
+++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
@@ -29,7 +29,7 @@ When you set up Windows Hello in Windows 10, you may get an error during the **
The following image shows an example of an error during **Create a PIN**.
-
+
## Error mitigations
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
index 0ecc622ba4..2fbed0b012 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
@@ -97,20 +97,20 @@ Before you can remotely reset PINs, you must on-board the Microsoft PIN reset se
1. After you have logged in, choose **Accept** to give consent for the PIN reset service to access your account.
- 
+ 
1. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant.
1. After you have logged in, choose **Accept** to give consent for the PIN reset client to access your account.
- 
+ 
> [!NOTE]
> After you have accepted the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN reset applications are listed for your tenant.
1. In the [Azure portal](https://portal.azure.com), verify that the Microsoft PIN Reset Service and Microsoft PIN Reset Client are integrated from the **Enterprise applications** blade. Filter to application status "Enabled" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in your tenant.
- :::image type="content" alt-text="PIN reset service permissions page" source="images/pinreset/pin-reset-applications.png" lightbox="images/pinreset/pin-reset-applications.png":::
+ :::image type="content" alt-text="PIN reset service permissions page." source="images/pinreset/pin-reset-applications.png" lightbox="images/pinreset/pin-reset-applications.png":::
### Configure Windows devices to use PIN reset using Group Policy
@@ -210,7 +210,7 @@ The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-au
- **Data type:** String
- **Value**: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be _signin.contoso.com;portal.contoso.com_ (without quotation marks)
- :::image type="content" alt-text="Custom Configuration for ConfigureWebSignInAllowedUrls policy" source="images/pinreset/allowlist.png" lightbox="images/pinreset/allowlist.png":::
+ :::image type="content" alt-text="Custom Configuration for ConfigureWebSignInAllowedUrls policy." source="images/pinreset/allowlist.png" lightbox="images/pinreset/allowlist.png":::
1. Click the Save button to save the custom configuration.
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
index 30dc6c78e6..b5361a656c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
@@ -55,7 +55,7 @@ Windows Hello for Business emulates a smart card for application compatibility.
Users appreciate convenience of biometrics and administrators value the security however, you may experience compatibility issues with your applications and Windows Hello for Business certificates. You can relax knowing a Group Policy setting and a [MDM URI](/windows/client-management/mdm/passportforwork-csp) exist to help you revert to the previous behavior for those users who need it.
> [!div class="mx-imgBorder"]
-> 
+> 
> [!IMPORTANT]
> The remote desktop with biometric feature does not work with [Dual Enrollment](hello-feature-dual-enrollment.md) feature or scenarios where the user provides alternative credentials. Microsoft continues to investigate supporting the feature.
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
index a90f1587c2..1efcc90b24 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
@@ -31,7 +31,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
## Azure AD join authentication to Azure Active Directory
-
+
| Phase | Description |
| :----: | :----------- |
@@ -42,7 +42,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
|E | The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT, and informs winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
## Azure AD join authentication to Active Directory using a Key
-
+
| Phase | Description |
@@ -56,7 +56,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
## Azure AD join authentication to Active Directory using a Certificate
-
+
| Phase | Description |
| :----: | :----------- |
@@ -69,7 +69,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
## Hybrid Azure AD join authentication using a Key
-
+
| Phase | Description |
| :----: | :----------- |
@@ -85,7 +85,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
> In the above deployment model, a newly provisioned user will not be able to sign in using Windows Hello for Business until (a) Azure AD Connect successfully synchronizes the public key to the on-premises Active Directory and (b) device has line of sight to the domain controller for the first time.
## Hybrid Azure AD join authentication using a Certificate
-
+
| Phase | Description |
| :----: | :----------- |
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
index 0fb161ccb5..20008e7565 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
@@ -37,7 +37,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
## Azure AD joined provisioning in a Managed environment
-
+
| Phase | Description |
| :----: | :----------- |
@@ -48,7 +48,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
[Return to top](#windows-hello-for-business-provisioning)
## Azure AD joined provisioning in a Federated environment
-
+
| Phase | Description |
| :----: | :----------- |
@@ -58,7 +58,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
[Return to top](#windows-hello-for-business-provisioning)
## Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed environment
-
+
| Phase | Description |
@@ -76,7 +76,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
[Return to top](#windows-hello-for-business-provisioning)
## Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment
-
+
| Phase | Description |
@@ -94,7 +94,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
[Return to top](#windows-hello-for-business-provisioning)
## Domain joined provisioning in an On-premises Key Trust deployment
-
+
| Phase | Description |
| :----: | :----------- |
@@ -105,7 +105,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
[Return to top](#windows-hello-for-business-provisioning)
## Domain joined provisioning in an On-premises Certificate Trust deployment
-
+
| Phase | Description |
| :----: | :----------- |
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
index 8e0a208a86..13246cec6f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
@@ -40,19 +40,19 @@ Before adding Azure Active Directory (Azure AD) joined devices to your existing
Azure AD join, as well as hybrid Azure AD join devices register the user's Windows Hello for Business credential with Azure. To enable on-premises authentication, the credential must be synchronized to the on-premises Active Directory, regardless whether you are using a key or a certificate. Ensure you have Azure AD Connect installed and functioning properly. To learn more about Azure AD Connect, read [Integrate your on-premises directories with Azure Active Directory](/azure/active-directory/connect/active-directory-aadconnect).
If you upgraded your Active Directory schema to the Windows Server 2016 schema after installing Azure AD Connect, run Azure AD Connect and run **Refresh directory schema** from the list of tasks.
-
+
### Azure Active Directory Device Registration
A fundamental prerequisite of all cloud and hybrid Windows Hello for Business deployments is device registration. A user cannot provision Windows Hello for Business unless the device from which they are trying to provision has registered with Azure Active Directory. For more information about device registration, read [Introduction to device management in Azure Active Directory](/azure/active-directory/devices/overview).
You can use the **dsregcmd.exe** command to determine if your device is registered to Azure Active Directory.
-
+
### CRL Distribution Point (CDP)
Certificates issued by a certificate authority can be revoked. When a certificate authority revokes as certificate, it writes information about the certificate into a revocation list. During certificate validation, Windows 10 consults the CRL distribution point within the certificate to get a list of revoked certificates. Validation compares the current certificate with information in the certificate revocation list to determine if the certificate remains valid.
-
+
The preceding domain controller certificate shows a CRL distribution path (CDP) using Active Directory. You can determine this because the value in the URL begins with **ldap**. Using Active Directory for domain joined devices provides a highly available CRL distribution point. However, Azure Active Directory joined devices and users on Azure Active Directory joined devices cannot read data from Active Directory, and certificate validation does not provide an opportunity to authenticate prior to reading the certificate revocation list. This becomes a circular problem as the user is attempting to authenticate, but must read Active Directory to complete the authentication, but the user cannot read Active Directory because they have not authenticated.
@@ -122,16 +122,16 @@ You need to host your new certificate revocation list of a web server so Azure A
1. From **Windows Administrative Tools**, Open **Internet Information Services (IIS) Manager**.
2. Expand the navigation pane to show **Default Web Site**. Select and then right-click **Default Web site** and click **Add Virtual Directory...**.
3. In the **Add Virtual Directory** dialog box, type **cdp** in **alias**. For physical path, type or browse for the physical file location where you will host the certificate revocation list. For this example, the path **c:\cdp** is used. Click **OK**.
- 
+ 
> [!NOTE]
> Make note of this path as you will use it later to configure share and file permissions.
4. Select **CDP** under **Default Web Site** in the navigation pane. Double-click **Directory Browsing** in the content pane. Click **Enable** in the details pane.
5. Select **CDP** under **Default Web Site** in the navigation pane. Double-click **Configuration Editor**.
6. In the **Section** list, navigate to **system.webServer/security/requestFiltering**.
- 
+ 
In the list of named value-pairs in the content pane, configure **allowDoubleEscaping** to **True**. Click **Apply** in the actions pane.
- 
+ 
7. Close **Internet Information Services (IIS) Manager**.
#### Create a DNS resource record for the CRL distribution point URL
@@ -139,7 +139,7 @@ You need to host your new certificate revocation list of a web server so Azure A
1. On your DNS server or from an administrative workstation, open **DNS Manager** from **Administrative Tools**.
2. Expand **Forward Lookup Zones** to show the DNS zone for your domain. Right-click your domain name in the navigation pane and click **New Host (A or AAAA)...**.
3. In the **New Host** dialog box, type **crl** in **Name**. Type the IP address of the web server you configured in **IP Address**. Click **Add Host**. Click **OK** to close the **DNS** dialog box. Click **Done**.
-
+
4. Close the **DNS Manager**.
### Prepare a file share to host the certificate revocation list
@@ -151,12 +151,12 @@ These procedures configure NTFS and share permissions on the web server to allow
1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server).
2. Right-click the **cdp** folder and click **Properties**. Click the **Sharing** tab. Click **Advanced Sharing**.
3. Select **Share this folder**. Type **cdp$** in **Share name**. Click **Permissions**.
-
+
4. In the **Permissions for cdp$** dialog box, click **Add**.
5. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, click **Object Types**. In the **Object Types** dialog box, select **Computers**, and then click **OK**.
7. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, in **Enter the object names to select**, type the name of the server running the certificate authority issuing the certificate revocation list, and then click **Check Names**. Click **OK**.
8. In the **Permissions for cdp$** dialog box, select the certificate authority from the **Group or user names list**. In the **Permissions for** section, select **Allow** for **Full control**. Click **OK**.
-
+
9. In the **Advanced Sharing** dialog box, click **OK**.
> [!Tip]
@@ -166,7 +166,7 @@ These procedures configure NTFS and share permissions on the web server to allow
1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server).
2. Right-click the **cdp** folder and click **Properties**. Click the **Sharing** tab. Click **Advanced Sharing**.
3. Click **Caching**. Select **No files or programs from the shared folder are available offline**.
-
+
4. Click **OK**.
#### Configure NTFS permission for the CDP folder
@@ -175,7 +175,7 @@ These procedures configure NTFS and share permissions on the web server to allow
2. Right-click the **cdp** folder and click **Properties**. Click the **Security** tab.
3. On the **Security** tab, click Edit.
5. In the **Permissions for cdp** dialog box, click **Add**.
-
+
6. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, click **Object Types**. In the **Object Types** dialog box, select **Computers**. Click **OK**.
7. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, in **Enter the object names to select**, type the name of the certificate authority, and then click **Check Names**. Click **OK**.
8. In the **Permissions for cdp** dialog box, select the name of the certificate authority from the **Group or user names** list. In the **Permissions for** section, select **Allow** for **Full control**. Click **OK**.
@@ -192,11 +192,11 @@ The web server is ready to host the CRL distribution point. Now, configure the
2. In the navigation pane, right-click the name of the certificate authority and click **Properties**
3. Click **Extensions**. On the **Extensions** tab, select **CRL Distribution Point (CDP)** from the **Select extension** list.
4. On the **Extensions** tab, click **Add**. Type http://crl.[domainname]/cdp/ in **location**. For example, ** or ** (do not forget the trailing forward slash).
- 
+ 
5. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**.
6. Type **.crl** at the end of the text in **Location**. Click **OK**.
7. Select the CDP you just created.
- 
+ 
8. Select **Include in CRLs. Clients use this to find Delta CRL locations**.
9. Select **Include in the CDP extension of issued certificates**.
10. Click **Apply** save your selections. Click **No** when ask to restart the service.
@@ -213,7 +213,7 @@ The web server is ready to host the CRL distribution point. Now, configure the
5. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**.
6. Type **.crl** at the end of the text in **Location**. Click **OK**.
7. Select the CDP you just created.
- 
+ 
8. Select **Publish CRLs to this location**.
9. Select **Publish Delta CRLs to this location**.
10. Click **Apply** save your selections. Click **Yes** when ask to restart the service. Click **OK** to close the properties dialog box.
@@ -222,7 +222,7 @@ The web server is ready to host the CRL distribution point. Now, configure the
1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certificate Authority** console from **Administrative Tools**.
2. In the navigation pane, right-click **Revoked Certificates**, hover over **All Tasks**, and click **Publish**
-
+
3. In the **Publish CRL** dialog box, select **New CRL** and click **OK**.
#### Validate CDP Publishing
@@ -230,7 +230,7 @@ The web server is ready to host the CRL distribution point. Now, configure the
Validate your new CRL distribution point is working.
1. Open a web browser. Navigate to http://crl.[yourdomain].com/cdp. You should see two files created from publishing your new CRL.
- 
+ 
### Reissue domain controller certificates
@@ -239,9 +239,9 @@ With the CA properly configured with a valid HTTP-based CRL distribution point,
1. Sign-in a domain controller using administrative credentials.
2. Open the **Run** dialog box. Type **certlm.msc** to open the **Certificate Manager** for the local computer.
3. In the navigation pane, expand **Personal**. Click **Certificates**. In the details pane, select the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**.
-
+
4. Right-click the selected certificate. Hover over **All Tasks** and then select **Renew Certificate with New Key...**. In the **Certificate Enrollment** wizard, click **Next**.
-
+
5. In the **Request Certificates** page of the wizard, verify the selected certificate has the correct certificate template and ensure the status is available. Click **Enroll**.
6. After the enrollment completes, click **Finish** to close the wizard.
7. Repeat this procedure on all your domain controllers.
@@ -259,7 +259,7 @@ With the CA properly configured with a valid HTTP-based CRL distribution point,
3. In the navigation pane, expand **Personal**. Click **Certificates**. In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**.
4. Click the **Details** tab. Scroll down the list until **CRL Distribution Points** is visible in the **Field** column of the list. Select **CRL Distribution Point**.
5. Review the information below the list of fields to confirm the new URL for the CRL distribution point is present in the certificate. Click **OK**.
-
+
## Configure and Assign a Trusted Certificate Device Configuration Profile
@@ -276,13 +276,13 @@ Steps you will perform include:
2. Open the **Run** dialog box. Type **certlm.msc** to open the **Certificate Manager** for the local computer.
3. In the navigation pane, expand **Personal**. Click **Certificates**. In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**.
4. Click the **Certification Path** tab. In the **Certification path** view, select the top most node and click **View Certificate**.
-
+
5. In the new **Certificate** dialog box, click the **Details** tab. Click **Copy to File**.
-
+
6. In the **Certificate Export Wizard**, click **Next**.
7. On the **Export File Format** page of the wizard, click **Next**.
8. On the **File to Export** page in the wizard, type the name and location of the root certificate and click **Next**. Click **Finish** and then click **OK** to close the success dialog box.
-
+
9. Click **OK** two times to return to the **Certificate Manager** for the local computer. Close the **Certificate Manager**.
### Create and Assign a Trust Certificate Device Configuration Profile
@@ -291,12 +291,12 @@ A **Trusted Certificate** device configuration profile is how you deploy trusted
1. Sign-in to the [Microsoft Azure Portal](https://portal.azure.com) and select **Microsoft Intune**.
2. Click **Device configuration**. In the **Device Configuration** blade, click **Create profile**.
-
+
3. In the **Create profile** blade, type **Enterprise Root Certificate** in **Name**. Provide a description. Select **Windows 10 and later** from the **Platform** list. Select **Trusted certificate** from the **Profile type** list. Click **Configure**.
4. In the **Trusted Certificate** blade, use the folder icon to browse for the location of the enterprise root certificate file you created in step 8 of [Export Enterprise Root certificate](#export-enterprise-root-certificate). Click **OK**. Click **Create**.
-
+
5. In the **Enterprise Root Certificate** blade, click **Assignments**. In the **Include** tab, select **All Devices** from the **Assign to** list. Click **Save**.
-
+
6. Sign out of the Microsoft Azure Portal.
> [!NOTE]
> After the creation, the **supported platform** parameter of the profile will contain the value "Windows 8.1 and later", as the certificate configuration for Windows 8.1 and Windows 10 is the same.
@@ -310,7 +310,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
3. Choose **Enroll devices**.
4. Select **Windows enrollment**.
5. Under **Windows enrollment**, select **Windows Hello for Business**.
- 
+ 
6. Select **Enabled** from the **Configure Windows Hello for Business** list.
7. Select **Required** next to **Use a Trusted Platform Module (TPM)**. By default, Windows Hello for Business prefers TPM 2.0 or falls backs to software. Choosing **Required** forces Windows Hello for Business to only use TPM 2.0 or TPM 1.2 and does not allow fall back to software-based keys.
8. Enter the desired **Minimum PIN length** and **Maximum PIN length**.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index b8ce7af3da..e4ada9da90 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -82,7 +82,7 @@ The easiest way to verify the onPremisesDistingushedNamne attribute is synchroni
2. Click **Login** and provide Azure credentials
3. In the Azure AD Graph Explorer URL, type https://graph.windows.net/myorganization/users/[userid], where **[userid]** is the user principal name of user in Azure Active Directory. Click **Go**
4. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and the value is accurate for the given user.
- 
+ 
## Prepare the Network Device Enrollment Services (NDES) Service Account
@@ -259,15 +259,15 @@ Sign-in to the certificate authority or management workstations with an _Enterpr
1. Open **Server Manager** on the NDES server.
2. Click **Manage**. Click **Add Roles and Features**.
3. In the **Add Roles and Features Wizard**, on the **Before you begin** page, click **Next**. Select **Role-based or feature-based installation** on the **Select installation type** page. Click **Next**. Click **Select a server from the server pool**. Select the local server from the **Server Pool** list. Click **Next**.
- 
+ 
4. On the **Select server roles** page, select **Active Directory Certificate Services** from the **Roles** list.
- 
+ 
Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Click **Next**.
- 
+ 
5. On the **Features** page, expand **.NET Framework 3.5 Features**. Select **HTTP Activation**. Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Expand **.NET Framework 4.5 Features**. Expand **WCF Services**. Select **HTTP Activation**. Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Click **Next**.
- 
+ 
6. On the **Select role services** page, clear the **Certificate Authority** check box. Select the **Network Device Enrollment Service**. Click **Add Features** on the **Add Roles and Features Wizard** dialog box. Click **Next**.
- 
+ 
7. Click **Next** on the **Web Server Role (IIS)** page.
8. On the **Select role services** page for the Web Serve role, Select the following additional services if they are not already selected and then click **Next**.
* **Web Server > Security > Request Filtering**
@@ -275,11 +275,11 @@ Sign-in to the certificate authority or management workstations with an _Enterpr
* **Web Server > Application Development > ASP.NET 4.5**. .
* **Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase Compatibility**
* **Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility**
- 
+ 
9. Click **Install**. When the installation completes, continue with the next procedure. **Do not click Close**.
> [!IMPORTANT]
> .NET Framework 3.5 is not included in the typical installation. If the server is connected to the Internet, the installation attempts to get the files using Windows Update. If the server is not connected to the Internet, you need to **Specify an alternate source path** such as \:\\Sources\SxS\
- 
+ 
### Configure the NDES service account
This task adds the NDES service account to the local IIS_USRS group. The task also configures the NDES service account for Kerberos authentication and delegation
@@ -308,7 +308,7 @@ Sign-in the NDES server with access equivalent to _Domain Admins_.
> [!NOTE]
> If you use the same service account for multiple NDES Servers, repeat the following task for each NDES server under which the NDES service runs.
-
+
#### Configure the NDES Service account for delegation
The NDES service enrolls certificates on behalf of users. Therefore, you want to limit the actions it can perform on behalf of the user. You do this through delegation.
@@ -317,16 +317,16 @@ Sign-in a domain controller with a minimum access equivalent to _Domain Admins_.
1. Open **Active Directory Users and Computers**
2. Locate the NDES Service account (NDESSvc). Right-click and select **Properties**. Click the **Delegation** tab.
- 
+ 
3. Select **Trust this user for delegation to specified services only**.
4. Select **Use any authentication protocol**.
5. Click **Add**.
6. Click **Users or Computers...** Type the name of the _NDES Server_ you use to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Avaiable services** list, select **HOST**. Click **OK**.
- 
+ 
7. Repeat steps 5 and 6 for each NDES server using this service account. Click **Add**.
8. Click **Users or computers...** Type the name of the issuing certificate authority this NDES service account uses to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Available services** list, select **dcom**. Hold the **CTRL** key and select **HOST**. Click **OK**.
9. Repeat steps 8 and 9 for each issuing certificate authority from which one or more NDES servers request certificates.
- 
+ 
10. Click **OK**. Close **Active Directory Users and Computers**.
### Configure the NDES Role and Certificate Templates
@@ -338,21 +338,21 @@ Sign-in to the certificate authority or management workstations with an _Enterpr
> [!NOTE]
> If you closed Server Manger from the last set of tasks, start Server Manager and click the action flag that shows a yellow exclamation point.
-
+
1. Click the **Configure Active Directory Certificate Services on the destination server** link.
2. On the **Credentials** page, click **Next**.
- 
+ 
3. On the **Role Services** page, select **Network Device Enrollment Service** and then click **Next**
- 
+ 
4. On the **Service Account for NDES** page, select **Specify service account (recommended)**. Click **Select...**. Type the user name and password for the NDES service account in the **Windows Security** dialog box. Click **Next**.
- 
+ 
5. On the **CA for NDES** page, select **CA name**. Click **Select...**. Select the issuing certificate authority from which the NDES server requests certificates. Click **Next**.
- 
+ 
6. On the **RA Information**, click **Next**.
7. On the **Cryptography for NDES** page, click **Next**.
8. Review the **Confirmation** page. Click **Configure**.
- 
+ 
8. Click **Close** after the configuration completes.
#### Configure Certificate Templates on NDES
@@ -407,18 +407,18 @@ Sign-in a workstation with access equivalent to a _domain user_.
2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**.
3. Under **MANAGE**, click **Application proxy**.
4. Click **Download connector service**. Click **Accept terms & Download**. Save the file (AADApplicationProxyConnectorInstaller.exe) in a location accessible by others on the domain.
- 
+ 
5. Sign-in the computer that will run the connector with access equivalent to a _domain user_.
> [!IMPORTANT]
> Install a minimum of two Azure Active Directory Proxy connectors for each NDES Application Proxy. Strategically locate Azure AD application proxy connectors throughout your organization to ensure maximum availability. Remember, devices running the connector must be able to communicate with Azure and the on-premises NDES servers.
6. Start **AADApplicationProxyConnectorInstaller.exe**.
7. Read the license terms and then select **I agree to the license terms and conditions**. Click **Install**.
- 
+ 
8. Sign-in to Microsoft Azure with access equivalent to **Global Administrator**.
- 
+ 
9. When the installation completes. Read the information regarding outbound proxy servers. Click **Close**.
- 
+ 
10. Repeat steps 5 - 10 for each device that will run the Azure AD Application Proxy connector for Windows Hello for Business certificate deployments.
#### Create a Connector Group
@@ -427,9 +427,9 @@ Sign-in a workstation with access equivalent to a _domain user_.
1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**.
3. Under **MANAGE**, click **Application proxy**.
- 
+ 
4. Click **New Connector Group**. Under **Name**, type **NDES WHFB Connectors**.
- 
+ 
5. Select each connector agent in the **Connectors** list that will service Windows Hello for Business certificate enrollment requests.
6. Click **Save**.
@@ -443,7 +443,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
5. Under **Basic Settings** next to **Name**, type **WHFB NDES 01**. Choose a name that correlates this Azure AD Application Proxy setting with the on-premises NDES server. Each NDES server must have its own Azure AD Application Proxy as two NDES servers cannot share the same internal URL.
6. Next to **Internal URL**, type the internal, fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy. For example, https://ndes.corp.mstepdemo.net). You need to match the primary host name (AD Computer Account name) of the NDES server, and prefix the URL with **https**.
7. Under **Internal URL**, select **https://** from the first list. In the text box next to **https://**, type the hostname you want to use as your external hostname for the Azure AD Application Proxy. In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Azure AD Application Proxy. It is recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Azure Active Directory tenant name (-mstephendemo.msappproxy.net).
- 
+ 
8. Select **Passthrough** from the **Pre Authentication** list.
9. Select **NDES WHFB Connectors** from the **Connector Group** list.
10. Under **Additional Settings**, select **Default** from **Backend Application Timeout**. Under the **Translate URLs In** section, select **Yes** next to **Headers** and select **No** next to **Application Body**.
@@ -465,7 +465,7 @@ Sign-in the NDES server with access equivalent to _local administrators_.
5. Click **Next** on the **Select Certificate Enrollment Policy** page.
6. On the **Request Certificates** page, Select the **NDES-Intune Authentication** check box.
7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link
- 
+ 
8. Under **Subject name**, select **Common Name** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**) and then click **Add**.
9. Under **Alternative name**, select **DNS** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**). Click **Add**. Type the external URL used in the previous task (without the https://, for example **ndes-mstephendemo.msappproxy.net**). Click **Add**. Click **OK** when finished.
9. Click **Enroll**
@@ -478,12 +478,12 @@ Sign-in the NDES server with access equivalent to _local administrator_.
1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**.
2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**.
- 
+ 
3. Click **Bindings...*** under **Actions**. Click **Add**.
- 
+ 
4. Select **https** from **Type**. Confirm the value for **Port** is **443**.
5. Select the certificate you previously enrolled from the **SSL certificate** list. Select **OK**.
- 
+ 
6. Select **http** from the **Site Bindings** list. Click **Remove**.
7. Click **Close** on the **Site Bindings** dialog box.
8. Close **Internet Information Services (IIS) Manager**.
@@ -509,10 +509,10 @@ Sign-in the NDES server with access equivalent to _local administrator_.
A web page similar to the following should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source.
-
+
Confirm the web site uses the server authentication certificate.
-
+
## Configure Network Device Enrollment Services to work with Microsoft Intune
@@ -527,7 +527,7 @@ Sign-in the NDES server with access equivalent to _local administrator_.
1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**.
2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**.
3. In the content pane, double-click **Request Filtering**. Click **Edit Feature Settings...** in the action pane.
- 
+ 
4. Select **Allow unlisted file name extensions**.
5. Select **Allow unlisted verbs**.
6. Select **Allow high-bit characters**.
@@ -554,7 +554,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
2. Select **Tenant administration** > **Connectors and tokens** > **Certificate connectors** > **Add**.
3. Click **Download the certificate connector software** under the **Install Certificate Connectors** section.
- 
+ 
4. Save the downloaded file (NDESConnectorSetup.exe) to a location accessible from the NDES server.
5. Sign-out of the Microsoft Endpoint Manager admin center.
@@ -564,26 +564,26 @@ Sign-in the NDES server with access equivalent to _domain administrator_.
1. Copy the Intune Certificate Connector Setup (NDESConnectorSetup.exe) downloaded in the previous task locally to the NDES server.
2. Run **NDESConnectorSetup.exe** as an administrator. If the setup shows a dialog that reads **Microsoft Intune NDES Connector requires HTTP Activation**, ensure you started the application as an administrator, then check HTTP Activation is enabled on the NDES server.
3. On the **Microsoft Intune** page, click **Next**.
- 
+ 
4. Read the **End User License Agreement**. Click **Next** to accept the agreement and to proceed with the installation.
5. On the **Destination Folder** page, click **Next**.
6. On the **Installation Options** page, select **SCEP and PFX Profile Distribution** and click **Next**.
- 
+ 
7. On the **Client certificate for Microsoft Intune** page, Click **Select**. Select the certificate previously enrolled for the NDES server. Click **Next**.
- 
+ 
> [!NOTE]
> The **Client certificate for Microsoft Intune** page does not update after selecting the client authentication certificate. However, the application rembers the selection and shows it in the next page.
8. On the **Client certificate for the NDES Policy Module** page, verify the certificate information and then click **Next**.
9. ON the **Ready to install Microsoft Intune Connector** page. Click **Install**.
- 
+ 
> [!NOTE]
> You can review the results of the install using the **SetupMsi.log** file located in the **C:\\NDESConnectorSetupMsi** folder.
10. When the installation completes, select **Launch Intune Connector** and click Finish. Proceed to the Configure the Intune Certificate Connector task.
- 
+ 
### Configure the Intune Certificate Connector
Sign-in the NDES server with access equivalent to _domain administrator_.
@@ -594,10 +594,10 @@ Sign-in the NDES server with access equivalent to _domain administrator_.
> If the **NDES Connector** user interface is not open, you can start it from **\\NDESConnectorUI\NDESConnectorUI.exe**.
2. If your organization uses a proxy server and the proxy is needed for the NDES server to access the Internet, select **Use proxy server**, and then enter the proxy server name, port, and credentials to connect. Click **Apply**
- 
+ 
3. Click **Sign-in**. Type credentials for your Intune administrator, or tenant administrator that has the **Global Administrator** directory role.
- 
+ 
> [!IMPORTANT]
> The user account must have a valid Intune license assigned. If the user account does not have a valid Intune license, the sign-in fails.
@@ -614,7 +614,7 @@ Sign-in the certificate authority used by the NDES Connector with access equival
1. Start the **Certification Authority** management console.
2. In the navigation pane, right-click the name of the certificate authority and select **Properties**.
3. Click the **Security** tab. Click **Add**. In **Enter the object names to select** box, type **NDESSvc** (or the name you gave the NDES Service account). Click *Check Names*. Click **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Click **OK**.
- 
+ 
4. Close the **Certification Authority**
#### Enable the NDES Connector for certificate revocation
@@ -622,7 +622,7 @@ Sign-in the NDES server with access equivalent to _domain administrator_.
1. Open the **NDES Connector** user interface (**\\NDESConnectorUI\NDESConnectorUI.exe**).
2. Click the **Advanced** tab. Select **Specify a different account username and password**. Type the NDES service account username and password. Click **Apply**. Click **OK** to close the confirmation dialog box. Click **Close**.
- 
+ 
3. Restart the **Intune Connector Service** and the **World Wide Web Publishing Service**.
### Test the NDES Connector
@@ -641,7 +641,7 @@ Sign-in the NDES server with access equivalent to _domain admin_.
```
where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server.
A web page showing a 403 error (similar to the following) should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source.
- 
+ 
6. Using **Server Manager**, enable **Internet Explorer Enhanced Security Configuration**.
## Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile
@@ -656,7 +656,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
5. Under **Group Name**, type the name of the group. For example, **AADJ WHFB Certificate Users**.
6. Provide a **Group description**, if applicable.
7. Select **Assigned** from the **Membership type** list.
- 
+ 
8. Click **Members**. Use the **Select members** pane to add members to this group. When finished click **Select**.
9. Click **Create**.
@@ -666,7 +666,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
2. Select **Devices**, and then click **Configuration Profiles**.
3. Select **Create Profile**.
- 
+ 
4. Select **Windows 10 and later** from the **Platform** list.
5. Choose **SCEP certificate** from the **Profile** list, and select **Create**.
6. The **SCEP Certificate** wizard should open. Next to **Name**, type **WHFB Certificate Enrollment**.
@@ -689,7 +689,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
14. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority as a root certificate for the profile.
15. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**.
16. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**.
- 
+ 
17. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile.
18. Click **Next**.
19. Click **Next** several times to skip the **Scope tags**, **Assignments**, and **Applicability Rules** steps of the wizard and click **Create**.
@@ -702,7 +702,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
3. Click **WHFB Certificate Enrollment**.
4. Select **Properties**, and then click **Edit** next to the **Assignments** section.
5. In the **Assignments** pane, select **Selected Groups** from the **Assign to** list. Click **Select groups to include**.
- 
+ 
6. Select the **AADJ WHFB Certificate Users** group. Click **Select**.
7. Click **Review + Save**, and then **Save**.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
index e80dc75f72..9e100bc146 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
@@ -70,7 +70,7 @@ To locate the schema master role holder, open and command prompt and type:
```Netdom query fsmo | findstr -i schema```
-
+
The command should return the name of the domain controller where you need to run adprep.exe. Update the schema locally on the domain controller hosting the Schema master role.
@@ -114,14 +114,14 @@ When you are ready to install, follow the **Configuring federation with AD FS**
### Create AD objects for AD FS Device Authentication
If your AD FS farm is not already configured for Device Authentication (you can see this in the AD FS Management console under Service -> Device Registration), use the following steps to create the correct AD DS objects and configuration.
-
+
> [!NOTE]
> The below commands require Active Directory administration tools, so if your federation server is not also a domain controller, first install the tools using step 1 below. Otherwise you can skip step 1.
1. Run the **Add Roles & Features** wizard and select feature **Remote Server Administration Tools** -> **Role Administration Tools** -> **AD DS and AD LDS Tools** -> Choose both the **Active Directory module for Windows PowerShell** and the **AD DS Tools**.
-
+
2. On your AD FS primary server, ensure you are logged in as AD DS user with enterprise administrator privileges and open an elevated Windows PowerShell prompt. Then, run the following commands:
@@ -132,7 +132,7 @@ If your AD FS farm is not already configured for Device Authentication (you can
> [!NOTE]
> If your AD FS service is configured to use a GMSA account, enter the account name in the format "domain\accountname$"
-
+
The above PSH creates the following objects:
@@ -140,11 +140,11 @@ The above PSH creates the following objects:
- Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration
- Device Registration Service DKM container and object under Configuration --> Services --> Device Registration Configuration
-
+
4. Once this is done, you will see a successful completion message.
-
+
### Create Service Connection Point (SCP) in Active Directory
If you plan to use Windows 10 domain join (with automatic registration to Azure AD) as described here, execute the following commands to create a service connection point in AD DS
@@ -155,13 +155,13 @@ If you plan to use Windows 10 domain join (with automatic registration to Azure
> [!NOTE]
> If necessary, copy the AdSyncPrep.psm1 file from your Azure AD Connect server. This file is located in Program Files\Microsoft Azure Active Directory Connect\AdPrep
-
+
2. Provide your Azure AD global administrator credentials
`PS C:>$aadAdminCred = Get-Credential`
-
+
3. Run the following PowerShell command
@@ -517,7 +517,7 @@ For your reference, below is a comprehensive list of the AD DS devices, containe
- Container CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain>
- Container Device Registration Service DKM under the above container
-
+
- object of type serviceConnectionpoint at CN=<guid>, CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain>
- read/write access to the specified AD connector account name on the new object
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
index cfaf049efd..35bd16ed3e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
@@ -27,22 +27,22 @@ ms.reviewer:
## Provisioning
The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**.
-
+
The first thing to validate is the computer has processed device registration. You can view this from the User device registration logs where the check **Device is AAD joined (AADJ or DJ++): Yes** appears. Additionally, you can validate this using the **dsregcmd /status** command from a console prompt where the value for **AzureADJoined** reads **Yes**.
Windows Hello for Business provisioning begins with a full screen page with the title **Setup a PIN** and button with the same name. The user clicks **Setup a PIN**.
-
+
The provisioning flow proceeds to the Multi-Factor authentication portion of the enrollment. Provisioning informs the user that it is actively attempting to contact the user through their configured form of MFA. The provisioning process does not proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry.
-
+
After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity requirements that you deployed to the environment.
-
+
The provisioning flow has all the information it needs to complete the Windows Hello for Business enrollment.
* A successful single factor authentication (username and password at sign-in)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
index 9caf362da6..e60e0b15f0 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
@@ -27,22 +27,22 @@ ms.reviewer:
## Provisioning
The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**.
-
+
The first thing to validate is the computer has processed device registration. You can view this from the User device registration logs where the check **Device is AAD joined (AADJ or DJ++): Yes** appears. Additionally, you can validate this using the **dsregcmd /status** command from a console prompt where the value for **AzureADJoined** reads **Yes**.
Windows Hello for Business provisioning begins with a full screen page with the title **Setup a PIN** and button with the same name. The user clicks **Setup a PIN**.
-
+
The provisioning flow proceeds to the Multi-Factor authentication portion of the enrollment. Provisioning informs the user that it is actively attempting to contact the user through their configured form of MFA. The provisioning process does not proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry.
-
+
After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity requirements that you deployed to the environment.
-
+
The provisioning flow has all the information it needs to complete the Windows Hello for Business enrollment.
* A successful single factor authentication (username and password at sign-in)
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
index 99491fb5c3..4e83f31ec3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
@@ -73,7 +73,7 @@ Sign-in the federation server with domain administrator equivalent credentials.
5. Click **Next** on the **Select Certificate Enrollment Policy** page.
6. On the **Request Certificates** page, Select the **Internal Web Server** check box.
7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link
- 
+ 
8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the Active Directory Federation Services role and then click **Add**. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your federation services (fs.corp.contoso.com). The name you use here MUST match the name you use when configuring the Active Directory Federation Services server role. Click **Add**. Click **OK** when finished.
9. Click **Enroll**.
@@ -155,7 +155,7 @@ Use the following procedures to configure AD FS when your environment uses **Win
Sign-in the federation server with _Domain Admin_ equivalent credentials. These procedures assume you are configuring the first federation server in a federation server farm.
1. Start **Server Manager**.
2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**.
- 
+ 
3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**.
4. Click **Next** on the **Connect to Active Directory Domain Services** page.
@@ -175,7 +175,7 @@ Use the following procedures to configure AD FS when your environment uses **Win
Sign-in the federation server with _Domain Admin_ equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm.
1. Start **Server Manager**.
2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**.
- 
+ 
3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**.
4. Click **Next** on the **Connect to Active Directory Domain Services** page.
@@ -262,7 +262,7 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials.
6. On the **Select server roles** page, click **Next**.
7. Select **Network Load Balancing** on the **Select features** page.
8. Click **Install** to start the feature installation
- 
+ 
### Configure Network Load Balancing for AD FS
@@ -270,25 +270,25 @@ Before you can load balance all the nodes in the AD FS farm, you must first crea
Sign-in a node of the federation farm with _Admin_ equivalent credentials.
1. Open **Network Load Balancing Manager** from **Administrative Tools**.
- 
+ 
2. Right-click **Network Load Balancing Clusters**, and then click **New Cluster**.
3. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then click **Connect**.
- 
+ 
4. Select the interface that you want to use with the cluster, and then click **Next**. (The interface hosts the virtual IP address and receives the client traffic to load balance.)
5. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Click **Next**.
6. In **Cluster IP Addresses**, click **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Click **Next**.
- 
+ 
7. In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster.
- 
+ 
8. In **Cluster operation mode**, click **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Click **Next**.
9. In Port Rules, click Edit to modify the default port rules to use port 443.
- 
+ 
### Additional AD FS Servers
1. To add more hosts to the cluster, right-click the new cluster, and then click **Add Host to Cluster**.
2. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same.
- 
+ 
## Configure DNS for Device Registration
diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md
index 00fa16c254..1a2b17c308 100644
--- a/windows/security/identity-protection/hello-for-business/hello-overview.md
+++ b/windows/security/identity-protection/hello-for-business/hello-overview.md
@@ -69,7 +69,7 @@ In Windows 10, Windows Hello replaces passwords. When the identity provider sup
>[!NOTE]
>Windows Hello as a convenience sign-in uses regular user name and password authentication, without the user entering the password.
-
+
Imagine that someone is looking over your shoulder as you get money from an ATM and sees the PIN that you enter. Having that PIN won't help them access your account because they don't have your ATM card. In the same way, learning your PIN for your device doesn't allow that attacker to access your account because the PIN is local to your specific device and doesn't enable any type of authentication from any other device.
diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
index 3ff85f511f..e7d6a0cea8 100644
--- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
+++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
@@ -35,11 +35,11 @@ People who are currently using virtual or physical smart cards for authenticatio
When someone sets up a new device, they are prompted to choose who owns the device. For corporate devices, they select **This device belongs to my organization**.
-
+
Next, they select a way to connect. Tell the people in your enterprise which option they should pick here.
-
+
They sign in, and are then asked to verify their identity. People have options to choose from a text message, phone call, or the authentication application. After verification, they create their PIN. The **Create a PIN** screen displays any complexity requirements that you have set, such as minimum length.
@@ -55,7 +55,7 @@ People can go to **Settings** > **Accounts** > **Work or school**, select
If your policy allows it, people can use biometrics (fingerprint, iris, and facial recognition) with Windows Hello for Business, if the hardware supports it.
-
+
diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
index 87e71bc747..2b1c101fc0 100644
--- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
+++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
@@ -21,7 +21,7 @@ ms.reviewer:
## Four steps to password freedom
Over the past few years, Microsoft has continued their commitment to enabling a world without passwords. At Microsoft Ignite 2017, we shared our four-step approach to password freedom.
-
+
### 1. Develop a password replacement offering
@@ -203,24 +203,24 @@ Windows provides two ways to prevent your users from using passwords. You can us
##### Security Policy
You can use Group Policy to deploy an interactive logon security policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Windows Settings > Local Policy > Security Options**. The name of the policy setting depends on the version of the operating systems you use to configure Group Policy.
-
+
**Windows Server 2016 and earlier**
The policy name for these operating systems is **Interactive logon: Require smart card**.
-
+
**Windows 10, version 1703 or later using Remote Server Administrator Tools**
The policy name for these operating systems is **Interactive logon: Require Windows Hello for Business or smart card**.
-
+
When you enable this security policy setting, Windows prevents users from signing in or unlocking with a password. The password credential provider remains visible to the user. If a user tries to use a password, Windows informs the user they must use Windows Hello for Business or a smart card.
#### Excluding the password credential provider
You can use Group Policy to deploy an administrative template policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Administrative Templates > System > Logon**
-
+
The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is **60b78e88-ead8-445c-9cfd-0b87f74ea6cd**.
-
+
Excluding the password credential provider hides the password credential provider from Windows and any application that attempts to load it. This prevents the user from entering a password using the credential provider. However, this does not prevent applications from creating their own password collection dialogs and prompting the user for a password using custom dialogs.
@@ -261,7 +261,7 @@ The account options on a user account includes an option -- **Smart card is requ
> [!NOTE]
> Do not confuse the Interactive Logon security policy for SCRIL. Security policies are enforced on the client (locally). A user account configured for SCRIL is enforced at the domain controller.
-
+
**SCRIL setting for a user on Active Directory Users and Computers.**
When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account do not allow the user to sign-in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level do not expire. The users are effectively passwordless because:
@@ -270,13 +270,13 @@ When you configure a user account for SCRIL, Active Directory changes the affect
- the user is not asked to change their password
- domain controllers do not allow passwords for interactive authentication
-
+
**SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2012.**
> [!NOTE]
> Although a SCRIL user's password never expires in early domains, you can toggle the SCRIL configuration on a user account (clear the check box, save the settings, select the check box and save the settings) to generate a new random 128 bit password. However, you should consider upgrading the domain to Windows Server 2016 domain forest functional level and allow the domain controller to do this for you automatically.
-
+
**SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2016.**
> [!NOTE]
@@ -286,7 +286,7 @@ When you configure a user account for SCRIL, Active Directory changes the affect
Domains configured for Windows Server 2016 domain functional level can further secure the unknown password for SCRIL-enabled users by configuring the domain to automatically change the password for SCRIL users.
In this configuration, passwords for SCRIL-configured users expire based on Active Directory password policy settings. When the SCRIL user authenticates from a domain controller, the domain controller recognizes the password has expired, and automatically generates a new random 128 bit password for the user as part of the authentication. What is great about this feature is your users do not experience any change password notifications or any authentication outages.
-
+
> [!NOTE]
> Some components within Windows 10, such as Data Protection APIs and NTLM authentication, still need artifacts of a user possessing a password. This configuration provides interoperability by reducing the usage surface while Microsoft continues to close the gaps to remove the password completely.
diff --git a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
index 5e24e71b64..2ad3bb1f3b 100644
--- a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
@@ -54,7 +54,7 @@ It’s important to keep in mind that there are no physical containers on disk,
The container actually contains a set of keys, some of which are used to protect other keys. The following image shows an example: the protector key is used to encrypt the authentication key, and the authentication key is used to encrypt the individual keys stored in the container.
-
+
Containers can contain several types of key material:
diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md
index 57bbf194fc..65fa656745 100644
--- a/windows/security/identity-protection/remote-credential-guard.md
+++ b/windows/security/identity-protection/remote-credential-guard.md
@@ -34,13 +34,13 @@ Administrator credentials are highly privileged and must be protected. By using
The following diagram helps you to understand how a standard Remote Desktop session to a server without Windows Defender Remote Credential Guard works:
-
+
The following diagram helps you to understand how Windows Defender Remote Credential Guard works, what it helps to protect against, and compares it with the [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) option:
-
+
As illustrated, Windows Defender Remote Credential Guard blocks NTLM (allowing only Kerberos), prevents Pass-the-Hash (PtH) attacks, and also prevents use of credentials after disconnection.
@@ -152,7 +152,7 @@ Beginning with Windows 10 version 1703, you can enable Windows Defender Remote C
2. Double-click **Restrict delegation of credentials to remote servers**.
- 
+ 
3. Under **Use the following restricted mode**:
diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
index 635a9631d6..d5c9651f0f 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
@@ -34,7 +34,7 @@ Smart card support is required to enable many Remote Desktop Services scenarios.
In a Remote Desktop scenario, a user is using a remote server for running services, and the smart card is local to the computer that the user is using. In a smart card sign-in scenario, the smart card service on the remote server redirects to the smart card reader that is connected to the local computer where the user is trying to sign in.
-
+
**Remote Desktop redirection**
diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
index 0663f9a479..63cbad9b26 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
@@ -52,7 +52,7 @@ Interactive sign-in in Windows begins when the user presses CTRL+ALT+DEL. The CT
After receiving the SAS, the UI then generates the sign-in tile from the information received from the registered credential providers. The following graphic shows the architecture for credential providers in the Windows operating system.
-
+
**Figure 1** **Credential provider architecture**
@@ -88,7 +88,7 @@ Vendors provide smart cards and smart card readers, and in many cases the vendor
Figure 2 illustrates the relationship between the CryptoAPI, CSPs, the Smart Card Base Cryptographic Service Provider (Base CSP), and smart card minidrivers.
-
+
**Figure 2** **Base CSP and smart card minidriver architecture**
@@ -236,7 +236,7 @@ Applications can call the Base CSP with CRYPT\_DEFAULT\_CONTAINER\_OPTIONAL, set
In some of the following scenarios, the user can be prompted to insert a smart card. If the user context is silent, this operation fails and no UI is displayed. Otherwise, in response to the UI, the user can insert a smart card or click **Cancel**. If the user cancels the operation, the operation fails. The flow chart in Figure 3 shows the selection steps performed by the Windows operating system.
-
+
**Figure 3** **Smart card selection behavior**
@@ -314,7 +314,7 @@ For other operations, the caller may be able to acquire a "verify" context again
Figure 4 shows the Cryptography architecture that is used by the Windows operating system.
-
+
**Figure 4** **Cryptography architecture**
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
index ae671b4ace..dbcf86ee67 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
@@ -38,7 +38,7 @@ The following figure shows the flow of the certificate propagation service. The
**Certificate propagation service**
-
+
1. A signed-in user inserts a smart card.
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
index ef209588b9..a220e7e658 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
@@ -89,7 +89,7 @@ If you enable the **Allow signature keys valid for Logon** credential provider p
The following diagram illustrates how smart card sign-in works in the supported versions of Windows.
-
+
**Smart card sign-in flow**
@@ -206,21 +206,21 @@ SSL/TLS can map certificates that do not have SAN, and the mapping is done by us
**Certificate revocation list distribution points**
-
+
**UPN in Subject Alternative Name field**
-
+
**Subject and Issuer fields**
-
+
This account mapping is supported by the KDC in addition to six other mapping methods. The following figure demonstrates a flow of user account mapping logic that is used by the KDC.
**High-level flow of certificate processing for sign-in**
-
+
The certificate object is parsed to look for content to perform user account mapping.
@@ -236,7 +236,7 @@ The following figure illustrates the process of mapping user accounts for sign-i
**Certificate processing logic**
-
+
NT\_AUTH policy is best described in the CERT\_CHAIN\_POLICY\_NT\_AUTH parameter section of the CertVerifyCertificateChainPolicy function. For more information, see [CertVerifyCertificateChainPolicy](/windows/win32/api/wincrypt/nf-wincrypt-certverifycertificatechainpolicy).
diff --git a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
index fa36cf563f..3f72307e25 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
@@ -26,7 +26,7 @@ The smart card removal policy service is applicable when a user has signed in wi
**Smart card removal policy service**
-
+
The numbers in the previous figure represent the following actions:
diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
index 10ffd31a84..76159c664d 100644
--- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
+++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
@@ -34,7 +34,7 @@ In order to better understand how this process happens, let's look at the Window
The following shows how the logon process for an administrator differs from the logon process for a standard user.
-
+
By default, standard users and administrators access resources and run apps in the security context of standard users. When a user logs on to a computer, the system creates an access token for that user. The access token contains information about the level of access that the user is granted, including specific security identifiers (SIDs) and Windows privileges.
@@ -56,7 +56,7 @@ With UAC enabled, Windows 10 prompts for consent or prompts for credentials of
The consent prompt is presented when a user attempts to perform a task that requires a user's administrative access token. The following is an example of the UAC consent prompt.
-
+
**The credential prompt**
@@ -64,7 +64,7 @@ The credential prompt is presented when a standard user attempts to perform a ta
The following is an example of the UAC credential prompt.
-
+
**UAC elevation prompts**
@@ -81,7 +81,7 @@ The elevation prompt color-coding is as follows:
Some Control Panel items, such as **Date and Time Properties**, contain a combination of administrator and standard user operations. Standard users can view the clock and change the time zone, but a full administrator access token is required to change the local system time. The following is a screen shot of the **Date and Time Properties** Control Panel item.
-
+
The shield icon on the **Change date and time** button indicates that the process requires a full administrator access token and will display a UAC elevation prompt.
@@ -99,7 +99,7 @@ While malware could present an imitation of the secure desktop, this issue canno
The following diagram details the UAC architecture.
-
+
To better understand each component, review the table below:
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
index badf574468..4468785ff0 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
@@ -24,7 +24,7 @@ This topic for the IT professional discusses the factors to consider when you de
Traditional identity devices, such as physical smart cards, follow a predictable lifecycle in any deployment, as shown in the following diagram.
-
+
Physical devices are created by a dedicated manufacturer and then purchased by the corporation that will ultimately deploy it. The device passes through the personalization stage, where its unique properties are set. In smart cards, these properties are the administrator key, Personal Identification Number (PIN), PIN Unlock Key (PUK), and its physical appearance. To provision the device, it is loaded with the required certificates, such as a sign-in certificate. After you provision the device, it is ready for use. The device must simply be maintained. For example, you must replace cards when they are lost or stolen and reset PINs when users forget them. Finally, you’ll retire devices when they exceed their intended lifetime or when employees leave the company.
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
index 6fb462eb81..044f7c1fe1 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
@@ -28,7 +28,7 @@ A crucial aspect of TPM virtual smart cards is their ability to securely store a
The following diagram illustrates the secure key hierarchy and the process of accessing the user key.
-
+
The following keys are stored on the hard disk:
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
index 6810a79d95..c6ad4e0710 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
@@ -62,21 +62,21 @@ On your domain server, you need to create a template for the certificate that yo
2. Click **File**, and then click **Add/Remove Snap-in**.
- 
+ 
3. In the available snap-ins list, click **Certificate Templates**, and then click **Add**.
- 
+ 
4. Certificate Templates is now located under **Console Root** in the MMC. Double-click it to view all the available certificate templates.
5. Right-click the **Smartcard Logon** template, and click **Duplicate Template**.
- 
+ 
6. On the **Compatibility** tab, under **Certification Authority**, review the selection, and change it if needed.
- 
+ 
7. On the **General** tab:
@@ -102,23 +102,23 @@ On your domain server, you need to create a template for the certificate that yo
12. Select **File**, then click **Add/Remove Snap-in** to add the Certification Authority snap-in to your MMC console. When asked which computer you want to manage, select the computer on which the CA is located, probably **Local Computer**.
- 
+ 
13. In the left pane of the MMC, expand **Certification Authority (Local)**, and then expand your CA within the Certification Authority list.
14. Right-click **Certificate Templates**, click **New**, and then click **Certificate Template to Issue**.
- 
+ 
15. From the list, select the new template that you just created (**TPM Virtual Smart Card Logon**), and then click **OK**.
> **Note** It can take some time for your template to replicate to all servers and become available in this list.
- 
+ 
16. After the template replicates, in the MMC, right-click in the Certification Authority list, click **All Tasks**, and then click **Stop Service**. Then, right-click the name of the CA again, click **All Tasks**, and then click **Start Service**.
- 
+ 
## Step 2: Create the TPM virtual smart card
@@ -128,7 +128,7 @@ In this step, you will create the virtual smart card on the client computer by u
1. On a domain-joined computer, open a Command Prompt window with Administrative credentials.
- 
+ 
2. At the command prompt, type the following, and then press ENTER:
@@ -150,11 +150,11 @@ The virtual smart card must be provisioned with a sign-in certificate for it to
2. Right-click **Personal**, click **All Tasks**, and then click **Request New Certificate**.
- 
+ 
3. Follow the prompts and when offered a list of templates, select the **TPM Virtual Smart Card Logon** check box (or whatever you named the template in Step 1).
- 
+ 
4. If prompted for a device, select the Microsoft virtual smart card that corresponds to the one you created in the previous section. It displays as **Identity Device (Microsoft Profile)**.
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
index 789da743aa..4d3f59ff0a 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
@@ -74,7 +74,7 @@ For more information about these Windows APIs, see:
To help users visually distinguish a Trusted Platform Module (TPM)-based virtual smart card from physical smart cards, the virtual smart card has a different icon. The following icon is displayed during sign in, and on other screens that require the user to enter the PIN for a virtual smart card.
-
+
A TPM-based virtual smart card is labeled **Security Device** in the user interface.
diff --git a/windows/security/identity-protection/vpn/vpn-authentication.md b/windows/security/identity-protection/vpn/vpn-authentication.md
index 9665848076..2c0a581e8d 100644
--- a/windows/security/identity-protection/vpn/vpn-authentication.md
+++ b/windows/security/identity-protection/vpn/vpn-authentication.md
@@ -51,7 +51,7 @@ See [EAP configuration](/windows/client-management/mdm/eap-configuration) for EA
The following image shows the field for EAP XML in a Microsoft Intune VPN profile. The EAP XML field only appears when you select a built-in connection type (automatic, IKEv2, L2TP, PPTP).
-
+
## Related topics
diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
index 2c1405d9e0..44b05da541 100644
--- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
+++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
@@ -89,11 +89,11 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
The following image shows associating an app to a VPN connection in a VPN Profile configuration policy using Microsoft Intune.
-
+
After you add an associated app, if you select the **Only these apps can use this VPN connection (per-app VPN)** checkbox, the app becomes available in **Corporate Boundaries**, where you can configure rules for the app. See [Traffic filters](vpn-security-features.md#traffic-filters) for more details.
-
+
## Related topics
diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md
index 393bf3b90b..66baa88e46 100644
--- a/windows/security/identity-protection/vpn/vpn-conditional-access.md
+++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md
@@ -87,7 +87,7 @@ Two client-side configuration service providers are leveraged for VPN device com
The VPN client side connection flow works as follows:
> [!div class="mx-imgBorder"]
-> 
+> 
When a VPNv2 Profile is configured with \ \true<\/Enabled> the VPN client uses this connection flow:
diff --git a/windows/security/identity-protection/vpn/vpn-connection-type.md b/windows/security/identity-protection/vpn/vpn-connection-type.md
index e65b9b6d8b..465f79924f 100644
--- a/windows/security/identity-protection/vpn/vpn-connection-type.md
+++ b/windows/security/identity-protection/vpn/vpn-connection-type.md
@@ -23,7 +23,7 @@ Virtual private networks (VPNs) are point-to-point connections across a private
There are many options for VPN clients. In Windows 10, the built-in plug-in and the Universal Windows Platform (UWP) VPN plug-in platform are built on top of the Windows VPN platform. This guide focuses on the Windows VPN platform clients and the features that can be configured.
-
+
## Built-in VPN client
@@ -67,12 +67,12 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
The following image shows connection options in a VPN Profile configuration policy using Microsoft Intune:
> [!div class="mx-imgBorder"]
-> 
+> 
In Intune, you can also include custom XML for third-party plug-in profiles:
> [!div class="mx-imgBorder"]
-> 
+> 
## Related topics
diff --git a/windows/security/identity-protection/vpn/vpn-name-resolution.md b/windows/security/identity-protection/vpn/vpn-name-resolution.md
index fcc360257b..70cec8d554 100644
--- a/windows/security/identity-protection/vpn/vpn-name-resolution.md
+++ b/windows/security/identity-protection/vpn/vpn-name-resolution.md
@@ -64,7 +64,7 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
The following image shows name resolution options in a VPN Profile configuration policy using Microsoft Intune.
-
+
The fields in **Add or edit DNS rule** in the Intune profile correspond to the XML settings shown in the following table.
diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md
index 69940276c8..96eae8c6ac 100644
--- a/windows/security/identity-protection/vpn/vpn-profile-options.md
+++ b/windows/security/identity-protection/vpn/vpn-profile-options.md
@@ -312,7 +312,7 @@ After you configure the settings that you want using ProfileXML, you can apply i
10. Set Data type to **String (XML file)**.
11. Upload the profile XML file.
12. Click **OK**.
- 
+ 
13. Click **OK**, then **Create**.
14. Assign the profile.
diff --git a/windows/security/identity-protection/vpn/vpn-routing.md b/windows/security/identity-protection/vpn/vpn-routing.md
index a33e2b0f3f..ea0cb1c3ae 100644
--- a/windows/security/identity-protection/vpn/vpn-routing.md
+++ b/windows/security/identity-protection/vpn/vpn-routing.md
@@ -53,11 +53,11 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
When you configure a VPN profile in Microsoft Intune, you select a checkbox to enable split tunnel configuration.
-
+
Next, in **Corporate Boundaries**, you add the routes that should use the VPN connection.
-
+
## Related topics
diff --git a/windows/security/identity-protection/vpn/vpn-security-features.md b/windows/security/identity-protection/vpn/vpn-security-features.md
index bd1a32dde4..c84ab32cb0 100644
--- a/windows/security/identity-protection/vpn/vpn-security-features.md
+++ b/windows/security/identity-protection/vpn/vpn-security-features.md
@@ -59,7 +59,7 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
The following image shows the interface to configure traffic rules in a VPN Profile configuration policy, using Microsoft Intune.
-
+
## LockDown VPN
diff --git a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
index 2c1a02b8db..62a4cf6cf0 100644
--- a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
+++ b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
@@ -31,7 +31,7 @@ This guide explains how credential theft attacks occur and the strategies and co
- Respond to suspicious activity
- Recover from a breach
-
+
## Attacks that steal credentials
diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
index fc9b15fdef..23b9d93073 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
@@ -89,7 +89,7 @@ On computers with a compatible TPM, operating system drives that are BitLocker-p
In the following Group Policy example, TPM + PIN is required to unlock an operating system drive:
-
+
Pre-boot authentication with a PIN can mitigate an attack vector for devices that use a bootable eDrive because an exposed eDrive bus can allow an attacker to capture the BitLocker encryption key during startup.
Pre-boot authentication with a PIN can also mitigate DMA port attacks during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port-related policies that have been configured.
@@ -110,7 +110,7 @@ This Kernel DMA Protection is available only for new systems beginning with Wind
You can use the System Information desktop app (MSINFO32) to check if a device has kernel DMA protection enabled:
-
+
If kernel DMA protection *not* enabled, follow these steps to protect Thunderbolt™ 3 enabled ports:
diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
index 4864bdf4d4..cd0b6543e6 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
@@ -34,31 +34,31 @@ This article depicts the BitLocker deployment comparison chart.
|Supported domain-joined status | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory joined, hybrid Azure AD joined | Active Directory joined |
|Permissions required to manage policies | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access |
|Cloud or on premises | Cloud | On premises | On premises |
-|Server components required? | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
+|Server components required? | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|Additional agent required? | No (device enrollment only) | Configuration Manager client | MBAM client |
|Administrative plane | Microsoft Endpoint Manager admin center | Configuration Manager console | Group Policy Management Console and MBAM sites |
-|Administrative portal installation required | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
-|Compliance reporting capabilities | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
-|Force encryption | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
-|Encryption for storage cards (mobile) | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | |
-|Allow recovery password | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
-|Manage startup authentication | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
-|Select cipher strength and algorithms for fixed drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
-|Select cipher strength and algorithms for removable drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
-|Select cipher strength and algorithms for operating environment drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
+|Administrative portal installation required | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
+|Compliance reporting capabilities | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
+|Force encryption | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
+|Encryption for storage cards (mobile) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | |
+|Allow recovery password | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
+|Manage startup authentication | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
+|Select cipher strength and algorithms for fixed drives | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
+|Select cipher strength and algorithms for removable drives | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
+|Select cipher strength and algorithms for operating environment drives | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|Standard recovery password storage location | Azure AD or Active Directory | Configuration Manager site database | MBAM database |
|Store recovery password for operating system and fixed drives to Azure AD or Active Directory | Yes (Active Directory and Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) |
-|Customize preboot message and recovery link | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
-|Allow/deny key file creation | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
-|Deny Write permission to unprotected drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
-|Can be administered outside company network | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | |
-|Support for organization unique IDs | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
-|Self-service recovery | Yes (through Azure AD or Company Portal app) | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
-|Recovery password rotation for fixed and operating environment drives | Yes (Windows 10, version 1909 and later) | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
-|Wait to complete encryption until recovery information is backed up to Azure AD | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | | |
-|Wait to complete encryption until recovery information is backed up to Active Directory | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
-|Allow or deny Data Recovery Agent | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
-|Unlock a volume using certificate with custom object identifier | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
-|Prevent memory overwrite on restart | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
-|Configure custom Trusted Platform Module Platform Configuration Register profiles | | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
-|Manage auto-unlock functionality | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
+|Customize preboot message and recovery link | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
+|Allow/deny key file creation | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
+|Deny Write permission to unprotected drives | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
+|Can be administered outside company network | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | |
+|Support for organization unique IDs | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
+|Self-service recovery | Yes (through Azure AD or Company Portal app) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
+|Recovery password rotation for fixed and operating environment drives | Yes (Windows 10, version 1909 and later) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
+|Wait to complete encryption until recovery information is backed up to Azure AD | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | | |
+|Wait to complete encryption until recovery information is backed up to Active Directory | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
+|Allow or deny Data Recovery Agent | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
+|Unlock a volume using certificate with custom object identifier | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
+|Prevent memory overwrite on restart | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
+|Configure custom Trusted Platform Module Platform Configuration Register profiles | | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
+|Manage auto-unlock functionality | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
index eaccfb9c9f..a72324edf4 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
@@ -298,18 +298,18 @@ This policy can be configured using GPO under **Computer Configuration** > **Adm
It can also be configured using Intune mobile device management (MDM) in the BitLocker CSP:
*\./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage\*
-
+
Example of customized recovery screen:
-
+
### BitLocker recovery key hints
BitLocker metadata has been enhanced in Windows 10, version 1903 to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where the key has been saved. Hints are displayed on both the modern (blue) and legacy (black) recovery screen. This applies to both the boot manager recovery screen and the WinRE unlock screen.
-
+
> [!IMPORTANT]
> We don't recommend printing recovery keys or saving them to a file. Instead, use Active Directory backup or a cloud-based backup. Cloud-based backup includes Azure Active Directory (Azure AD) and Microsoft Account.
@@ -339,7 +339,7 @@ There are rules governing which hint is shown during the recovery (in order of p
**Result:** The hint for the Microsoft Account and the custom URL are displayed.
-
+
#### Example 2 (single recovery key with single backup)
@@ -354,7 +354,7 @@ There are rules governing which hint is shown during the recovery (in order of p
**Result:** Only the custom URL is displayed.
-
+
#### Example 3 (single recovery key with multiple backups)
@@ -369,7 +369,7 @@ There are rules governing which hint is shown during the recovery (in order of p
**Result:** Only the Microsoft Account hint is displayed.
-
+
#### Example 4 (multiple recovery passwords)
@@ -399,7 +399,7 @@ There are rules governing which hint is shown during the recovery (in order of p
**Result:** Only the hint for a successfully backed up key is displayed, even if it isn't the most recent key.
-
+
#### Example 5 (multiple recovery passwords)
@@ -429,7 +429,7 @@ There are rules governing which hint is shown during the recovery (in order of p
**Result:** The hint for the most recent key is displayed.
-
+
## Using additional recovery information
diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
index c6483a8057..e8045e225c 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
@@ -52,7 +52,7 @@ manage-bde -status
```
This command returns the volumes on the target, current encryption status, encryption method, and volume type (operating system or data) for each volume:
-
+
The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process, you must create the startup key needed for BitLocker and save it to the USB drive. When BitLocker is enabled for the operating system volume, the BitLocker will need to access the USB flash drive to obtain the encryption key (in this example, the drive letter E represents the USB drive). You will be prompted to reboot to complete the encryption process.
diff --git a/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md b/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md
index 2a08e910d0..664fb40db0 100644
--- a/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md
@@ -58,7 +58,7 @@ You can use Get-WinEvent in an elevated PowerShell window to display filtered in
The output of such a command resembles the following.
- 
+ 
- To export BitLocker-related information:
```ps
@@ -77,7 +77,7 @@ You can use Get-WinEvent in an elevated PowerShell window to display filtered in
The output of such a command resembles the following.
- 
+ 
> [!NOTE]
> If you intend to contact Microsoft Support, we recommend that you export the logs listed in this section.
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md
index d41b2c7bf1..6268e09343 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md
@@ -82,11 +82,11 @@ To verify that this issue has occurred, follow these steps:
1. Copy this output, and use it as part of the [**ConvertFrom-SddlString**](/powershell/module/microsoft.powershell.utility/convertfrom-sddlstring?view=powershell-6) command in the PowerShell window, as follows.
- 
+ 
If you see NT AUTHORITY\INTERACTIVE (as highlighted), in the output of this command, this is the cause of the issue. Under typical conditions, the output should resemble the following:
- 
+ 
> [!NOTE]
> GPOs that change the security descriptors of services have been known to cause this issue.
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
index bab9c21e3e..1def746b1f 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
@@ -45,11 +45,11 @@ To install the tool, follow these steps:
1. Accept the default installation path.
- 
+ 
1. Under **Select the features you want to install**, select **Windows Hardware Lab Kit—Controller + Studio**.
- 
+ 
1. Finish the installation.
@@ -60,7 +60,7 @@ To use TBSLogGenerator, follow these steps:
This folder contains the TBSLogGenerator.exe file.
- 
+ 
1. Run the following command:
```cmd
@@ -78,19 +78,19 @@ To use TBSLogGenerator, follow these steps:
TBSLogGenerator.exe -LF C:\MeasuredBoot\0000000005-0000000000.log > C:\MeasuredBoot\0000000005-0000000000.txt
```
- 
+ 
The command produces a text file that uses the specified name. In the case of the example, the file is **0000000005-0000000000.txt**. The file is located in the same folder as the original .log file.
- 
+ 
The content of this text file resembles the following.
-
+
To find the PCR information, go to the end of the file.
- 
+ 
## Use PCPTool to decode Measured Boot logs
@@ -114,4 +114,4 @@ where the variables represent the following values:
The content of the XML file resembles the following.
-
+
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
index 60c34a7bb6..611dc64098 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
@@ -20,7 +20,7 @@ ms.custom: bitlocker
This article helps you troubleshoot issues that you may experience if you use Microsoft Intune policy to manage silent BitLocker encryption on devices. The Intune portal indicates whether BitLocker has failed to encrypt one or more managed devices.
-
+
To start narrowing down the cause of the problem, review the event logs as described in [Troubleshoot BitLocker](troubleshoot-bitlocker.md). Concentrate on the Management and Operations logs in the **Applications and Services logs\\Microsoft\\Windows\\BitLocker-API** folder. The following sections provide more information about how to resolve the indicated events and error messages:
@@ -43,7 +43,7 @@ For information about how to verify that Intune policies are enforcing BitLocker
Event ID 853 can carry different error messages, depending on the context. In this case, the Event ID 853 error message indicates that the device does not appear to have a TPM. The event information resembles the following:
-
+
### Cause
@@ -64,7 +64,7 @@ For more information, see [Troubleshoot the TPM](../tpm/initialize-and-configure
In this case, you see event ID 853, and the error message in the event indicates that bootable media is available to the device. The event information resembles the following.
-
+
### Cause
@@ -100,7 +100,7 @@ You can resolve this issue by verifying the configuration of the disk partitions
The procedures described in this section depend on the default disk partitions that Windows configures during installation. Windows 10 automatically creates a recovery partition that contains the Winre.wim file. The partition configuration resembles the following.
-
+
To verify the configuration of the disk partitions, open an elevated Command Prompt window, and run the following commands:
@@ -108,11 +108,11 @@ To verify the configuration of the disk partitions, open an elevated Command Pro
diskpart
list volume
```
-
+
If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Endpoint Configuration Manager).
-
+
#### Step 2: Verify the status of WinRE
@@ -123,7 +123,7 @@ reagentc /info
```
The output of this command resembles the following.
-
+
If the **Windows RE status** is not **Enabled**, run the following command to enable it:
@@ -141,7 +141,7 @@ bcdedit /enum all
The output of this command resembles the following.
-
+
In the output, locate the **Windows Boot Loader** section that includes the line **identifier={current}**. In that section, locate the **recoverysequence** attribute. The value of this attribute should be a GUID value, not a string of zeros.
@@ -163,7 +163,7 @@ To verify the BIOS mode, use the System Information app. To do this, follow thes
1. Select **Start**, and enter **msinfo32** in the **Search** box.
1. Verify that the **BIOS Mode** setting is **UEFI** and not **Legacy**.
- 
+ 
1. If the **BIOS Mode** setting is **Legacy**, you have to switch the BIOS into **UEFI** or **EFI** mode. The steps for doing this are specific to the device.
> [!NOTE]
> If the device supports only Legacy mode, you cannot use Intune to manage BitLocker Device Encryption on the device.
@@ -192,11 +192,11 @@ Manage-bde -protectors -get %systemdrive%
In the TPM section of the output of this command, verify that the **PCR Validation Profile** setting includes **7**, as follows.
-
+
If **PCR Validation Profile** doesn't include **7** (for example, the values include **0**, **2**, **4**, and **11**, but not **7**), then Secure Boot is not turned on.
-
+
#### 2. Verify the Secure Boot state
@@ -204,9 +204,9 @@ To verify the Secure Boot state, use the System Information app. To do this, fol
1. Select **Start**, and enter **msinfo32** in the **Search** box.
1. Verify that the **Secure Boot State** setting is **On**, as follows:
- 
+ 
1. If the **Secure Boot State** setting is **Unsupported**, you cannot use Silent BitLocker Encryption on this device.
- 
+ 
> [!NOTE]
> You can also use the [Confirm-SecureBootUEFI](/powershell/module/secureboot/confirm-securebootuefi?view=win10-ps) cmdlet to verify the Secure Boot state. To do this, open an elevated PowerShell window and run the following command:
@@ -290,7 +290,7 @@ If your device runs Windows 10 version 1703 or later, supports Modern Standby (a
If your device is HSTI-compliant but does not support Modern Standby, you have to configure an endpoint protection policy to enforce silent BitLocker Drive Encryption. The settings for this policy should resemble the following:
-
+
The OMA-URI references for these settings are as follows:
@@ -316,7 +316,7 @@ The Intune 1901 release provides settings that you can use to configure automati
- Support Modern Standby
- Use Windows 10 version 1803 or later
-
+
The OMA-URI references for these settings are as follows:
@@ -331,17 +331,17 @@ The OMA-URI references for these settings are as follows:
During regular operations, BitLocker Drive Encryption generates events such as Event ID 796 and Event ID 845.
-
+
-
+
You can also determine whether the BitLocker recovery password has been uploaded to Azure AD by checking the device details in the Azure AD Devices section.
-
+
On the device, check the Registry Editor to verify the policy settings on the device. Verify the entries under the following subkeys:
- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device\\BitLocker**
- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device**
-
\ No newline at end of file
+
\ No newline at end of file
diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
index 31fc1097a4..768d8cdd75 100644
--- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
+++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
@@ -53,7 +53,7 @@ By default, peripherals with DMA Remapping incompatible drivers will be blocked
## User experience
-
+
By default, peripherals with DMA remapping compatible device drivers will be automatically enumerated and started. Peripherals with DMA Remapping incompatible drivers will be blocked from starting if the peripheral was plugged in before an authorized user logs in, or while the screen is locked. Once the system is unlocked, the peripheral driver will be started by the OS, and the peripheral will continue to function normally until the system is rebooted, or the peripheral is unplugged.
The peripheral will continue to function normally if the user locks the screen or logs out of the system.
@@ -77,7 +77,7 @@ Systems running Windows 10 version 1803 that do support Kernel DMA Protection do
Beginning with Windows 10 version 1809, you can use Security Center to check if Kernel DMA Protection is enabled. Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation details** > **Memory access protection**.
-
+
### Using System information
@@ -85,7 +85,7 @@ Beginning with Windows 10 version 1809, you can use Security Center to check if
2. Check the value of **Kernel DMA Protection**.
- 
+ 
3. If the current state of **Kernel DMA Protection** is OFF and **Hyper-V - Virtualization Enabled in Firmware** is NO:
@@ -113,11 +113,11 @@ No, Kernel DMA Protection only protects against drive-by DMA attacks after the O
DMA-remapping is supported for specific device drivers, and is not universally supported by all devices and drivers on a platform. To check if a specific driver is opted into DMA-remapping, check the values corresponding to the DMA Remapping Policy property in the Details tab of a device in Device Manager*. A value of 0 or 1 means that the device driver does not support DMA-remapping. A value of 2 means that the device driver supports DMA-remapping. If the property is not available, then the policy is not set by the device driver (i.e. the device driver does not support DMA-remapping).
Please check the driver instance for the device you are testing. Some drivers may have varying values depending on the location of the device (internal vs. external).
-
+
*For Windows 10 versions 1803 and 1809, the property field in Device Manager uses a GUID, as highlighted in the following image.
-
+
### What should I do if the drivers for my PCI or Thunderbolt™ 3 peripherals do not support DMA-remapping?
diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md
index 721ae1e1e3..3d8754473d 100644
--- a/windows/security/information-protection/secure-the-windows-10-boot-process.md
+++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md
@@ -55,7 +55,7 @@ Windows 10 supports four features to help prevent rootkits and bootkits from lo
Figure 1 shows the Windows 10 startup process.
-.png)
+.png)
**Figure 1. Secure Boot, Trusted Boot, and Measured Boot block malware at every stage**
@@ -115,7 +115,7 @@ Depending on the implementation and configuration, the server can now determine
Figure 2 illustrates the Measured Boot and remote attestation process.
-.png)
+.png)
**Figure 2. Measured Boot proves the PC’s health to a remote server**
diff --git a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
index 06d8c54066..dd9e12558e 100644
--- a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
+++ b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
@@ -84,7 +84,7 @@ Identity providers have flexibility in how they provision credentials on client
• **Attestation identity key**. To protect privacy, most TPM scenarios do not directly use an actual endorsement key. Instead, they use attestation identity keys, and an identity certificate authority (CA) uses the endorsement key and its certificate to prove that one or more attestation identity keys actually exist in a real TPM. The identity CA issues attestation identity key certificates. More than one identity CA will generally see the same endorsement key certificate that can uniquely identify the TPM, but any number of attestation identity key certificates can be created to limit the information shared in other scenarios.
-
+
*Figure 1: TPM Cryptographic Key Management*
@@ -126,7 +126,7 @@ The TPM provides the following way for scenarios to use the measurements recorde
When new security features are added to Windows, Measured Boot adds security-relevant configuration information to the measurements recorded in the TPM. Measured Boot enables remote attestation scenarios that reflect the system firmware and the Windows initialization state.
-
+
*Figure 2: Process used to create evidence of boot software and configuration using a TPM*
diff --git a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
index 4a5ddd2df2..5a5e12feb9 100644
--- a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
+++ b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
@@ -91,7 +91,7 @@ It's possible that you might revoke data from an unenrolled device only to later
To start Robocopy in S mode, open Task Manager. Click **File** > **Run new task**, type the command, and click **Create this task with administrative privileges**.
- 
+ 
If the employee performed a clean installation and there is no user profile, you need to recover the keys from the System Volume folder in each drive. Type:
diff --git a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
index a605d96688..909073181d 100644
--- a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
@@ -34,11 +34,11 @@ Follow these steps to associate your WIP policy with your organization's existin
2. Open the Microsoft Intune mobile application management console, click **Device configuration**, and then click **Create Profile**.
- 
+ 
3. In the **Create Profile** blade, type a name for your profile, such as *Contoso_VPN_Win10*, into the **Name** box, add an optional description for your policy into the **Description** box, select **Windows 10 and later** from the **Platform** dropdown box, select **Custom** from the **Profile type** dropdown box, and then click **Configure**.
- 
+ 
4. In the **Custom OMA-URI Settings** blade, click **Add**.
@@ -54,7 +54,7 @@ Follow these steps to associate your WIP policy with your organization's existin
- **Value.** Type your fully-qualified domain that should be used by the OMA-URI setting. For example, _corp.contoso.com_.
- 
+ 
6. Click **OK** to save your setting info in the **Add Row** blade, and then click **OK** in the **Custom OMA-URI Settings** blade to save the setting with your policy.
@@ -73,7 +73,7 @@ After you’ve created your VPN policy, you'll need to deploy it to the same gro
The policy is deployed to the selected users' devices.
- 
+ 
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
index f13e30a044..32511b9cd5 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
@@ -36,12 +36,12 @@ After you've installed and set up Configuration Manager for your organization, y
1. Open the Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node.
- 
+ 
2. Click the **Create Configuration Item** button.
The **Create Configuration Item Wizard** starts.
- 
+ 
3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
@@ -55,11 +55,11 @@ The **Create Configuration Item Wizard** starts.
5. On the **Supported Platforms** screen, click the **Windows 10** box, and then click **Next**.
- 
+ 
6. On the **Device Settings** screen, click **Windows Information Protection**, and then click **Next**.
- 
+ 
The **Configure Windows Information Protection settings** page appears, where you'll configure your policy for your organization.
@@ -81,7 +81,7 @@ For this example, we're going to add Microsoft OneNote, a store app, to the **Ap
The **Add app rule** box appears.
- 
+ 
2. Add a friendly name for your app into the **Title** box. In this example, it's *Microsoft OneNote*.
@@ -141,7 +141,7 @@ For this example, we're going to add Internet Explorer, a desktop app, to the **
The **Add app rule** box appears.
- 
+ 
2. Add a friendly name for your app into the **Title** box. In this example, it's *Internet Explorer*.
@@ -218,7 +218,7 @@ For this example, we're going to add an AppLocker XML file to the **App Rules**
2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**.
- 
+ 
3. Right-click in the right-hand pane, and then click **Create New Rule**.
@@ -226,33 +226,33 @@ For this example, we're going to add an AppLocker XML file to the **App Rules**
4. On the **Before You Begin** page, click **Next**.
- 
+ 
5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**.
- 
+ 
6. On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area.
- 
+ 
7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we're using Microsoft Photos.
- 
+ 
8. On the updated **Publisher** page, click **Create**.
- 
+ 
9. Review the Local Security Policy snap-in to make sure your rule is correct.
- 
+ 
10. In the left pane, right-click on **AppLocker**, and then click **Export policy**.
The **Export policy** box opens, letting you export and save your new policy as XML.
- 
+ 
11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**.
@@ -286,7 +286,7 @@ For this example, we're going to add an AppLocker XML file to the **App Rules**
The **Add app rule** box appears.
- 
+ 
2. Add a friendly name for your app into the **Title** box. In this example, it's *Allowed app list*.
@@ -353,7 +353,7 @@ You can specify multiple domains owned by your enterprise by separating them wit
- Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`.
- 
+ 
## Choose where apps can access enterprise data
After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.
@@ -372,7 +372,7 @@ There are no default locations included with WIP, you must add each of your netw
2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table.
- 
+ 
@@ -431,7 +431,7 @@ There are no default locations included with WIP, you must add each of your netw
5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
- 
+ 
After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees' local device drive. If somehow the employees' local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data.
@@ -440,7 +440,7 @@ There are no default locations included with WIP, you must add each of your netw
## Choose your optional WIP-related settings
After you've decided where your protected apps can access enterprise data on your network, you'll be asked to decide if you want to add any optional WIP settings.
-
+
**To set your optional settings**
1. Choose to set any or all of the optional settings:
@@ -467,7 +467,7 @@ After you've finished configuring your policy, you can review all of your info o
**To view the Summary screen**
- Click the **Summary** button to review your policy choices, and then click **Next** to finish and to save your policy.
- 
+ 
A progress bar appears, showing you progress for your policy. After it's done, click **Close** to return to the **Configuration Items** page.
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index 17dcaff4f3..0442c3778a 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -50,7 +50,7 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or
3. Click **Restore Default URLs** or enter the settings for MDM or MAM user scope and click **Save**:
- 
+ 
## Create a WIP policy
@@ -58,7 +58,7 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or
2. Open Microsoft Intune and click **Apps** > **App protection policies** > **Create policy**.
- 
+ 
3. In the **App policy** screen, click **Add a policy**, and then fill out the fields:
@@ -70,11 +70,11 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or
- **Enrollment state.** Choose **Without enrollment** for MAM or **With enrollment** for MDM.
- 
+ 
4. Click **Protected apps** and then click **Add apps**.
- 
+ 
You can add these types of apps:
@@ -89,7 +89,7 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or
Select **Recommended apps** and select each app you want to access your enterprise data or select them all, and click **OK**.
-
+
### Add Store apps
@@ -99,7 +99,7 @@ Select **Store apps**, type the app product name and publisher, and click **OK**
- **Publisher**: `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
- **Product Name**: `Microsoft.MicrosoftPowerBIForWindows`
-
+
To add multiple Store apps, click the ellipsis **…**.
@@ -201,7 +201,7 @@ To add **Desktop apps**, complete the following fields, based on what results yo
To add another Desktop app, click the ellipsis **…**. After you’ve entered the info into the fields, click **OK**.
-
+
If you’re unsure about what to include for the publisher, you can run this PowerShell command:
@@ -242,7 +242,7 @@ For more info about AppLocker, see the [AppLocker](../../threat-protection/windo
2. In the left blade, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**.
- 
+ 
3. Right-click in the right-hand blade, and then click **Create New Rule**.
@@ -250,7 +250,7 @@ For more info about AppLocker, see the [AppLocker](../../threat-protection/windo
4. On the **Before You Begin** page, click **Next**.
- 
+ 
5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**.
@@ -262,25 +262,25 @@ For more info about AppLocker, see the [AppLocker](../../threat-protection/windo
7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we’re using Microsoft Dynamics 365.
- 
+ 
8. On the updated **Publisher** page, click **Create**.
- 
+ 
9. Click **No** in the dialog box that appears, asking if you want to create the default rules. You must not create default rules for your WIP policy.
- 
+ 
9. Review the Local Security Policy snap-in to make sure your rule is correct.
- 
+ 
10. In the left blade, right-click on **AppLocker**, and then click **Export policy**.
The **Export policy** box opens, letting you export and save your new policy as XML.
- 
+ 
11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**.
@@ -320,7 +320,7 @@ The executable rule helps to create an AppLocker rule to sign any unsigned apps.
3. Right-click **Executable Rules** > **Create New Rule**.
- 
+ 
4. On the **Before You Begin** page, click **Next**.
@@ -328,11 +328,11 @@ The executable rule helps to create an AppLocker rule to sign any unsigned apps.
6. On the **Conditions** page, click **Path** and then click **Next**.
- 
+ 
7. Click **Browse Folders...** and select the path for the unsigned apps. For this example, we’re using "C:\Program Files".
- 
+ 
8. On the **Exceptions** page, add any exceptions and then click **Next**.
@@ -351,11 +351,11 @@ The executable rule helps to create an AppLocker rule to sign any unsigned apps.
1. In **Protected apps**, click **Import apps**.
- 
+ 
Then import your file.
- 
+ 
2. Browse to your exported AppLocker policy file, and then click **Open**.
@@ -366,7 +366,7 @@ If your app is incompatible with WIP, but still needs to be used with enterprise
1. In **Client apps - App protection policies**, click **Exempt apps**.
- 
+ 
2. In **Exempt apps**, click **Add apps**.
@@ -391,7 +391,7 @@ We recommend that you start with **Silent** or **Allow Overrides** while verifyi
1. From the **App protection policy** blade, click the name of your policy, and then click **Required settings**.
- 
+ 
|Mode |Description |
|-----|------------|
@@ -413,11 +413,11 @@ Starting with Windows 10, version 1703, Intune automatically determines your cor
2. If the auto-defined identity isn’t correct, you can change the info in the **Corporate identity** field.
- 
+ 
3. To add domains, such your email domain names, click **Configure Advanced settings** > **Add network boundary** and select **Protected domains**.
- 
+ 
## Choose where apps can access enterprise data
After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. Every WIP policy should include your enterprise network locations.
@@ -426,7 +426,7 @@ There are no default locations included with WIP, you must add each of your netw
To define the network boundaries, click **App policy** > the name of your policy > **Advanced settings** > **Add network boundary**.
-
+
Select the type of network boundary to add from the **Boundary type** box. Type a name for your boundary into the **Name** box, add your values to the **Value** box, based on the options covered in the following subsections, and then click **OK**.
@@ -558,7 +558,7 @@ Decide if you want Windows to look for additional network settings:
- **Enterprise IP Ranges list is authoritative (do not auto-detect).** Turn on if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you turn this off, Windows will search for additional IP ranges on any domain-joined devices connected to your network.
-
+
## Upload your Data Recovery Agent (DRA) certificate
After you create and deploy your WIP policy to your employees, Windows begins to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data while you maintain the private key that can unencrypt the data.
@@ -573,12 +573,12 @@ After you create and deploy your WIP policy to your employees, Windows begins to
2. In the **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
- 
+ 
## Choose your optional WIP-related settings
After you've decided where your protected apps can access enterprise data on your network, you can choose optional settings.
-
+
**Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
@@ -613,7 +613,7 @@ After you've decided where your protected apps can access enterprise data on you
You can restrict which files are protected by WIP when they are downloaded from an SMB share within your enterprise network locations. If this setting is configured, only files with the extensions in the list will be encrypted. If this setting is not specified, the existing auto-encryption behavior is applied.
-
+
## Related topics
diff --git a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
index 524199cf73..8d929e1db4 100644
--- a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
@@ -34,7 +34,7 @@ After you’ve created your Windows Information Protection (WIP) policy, you'll
The policy is deployed to the selected users' devices.
- 
+ 
>[!NOTE]
diff --git a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
index b54cc7cbe1..dd3fb2529e 100644
--- a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
+++ b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
@@ -36,13 +36,13 @@ You need to add the Enterprise Context column to the **Details** tab of the Task
The **Select columns** box appears.
- 
+ 
3. Scroll down and check the **Enterprise Context** option, and then click **OK** to close the box.
The **Enterprise Context** column should now be available in Task Manager.
- 
+ 
## Review the Enterprise Context
The **Enterprise Context** column shows you what each app can do with your enterprise data:
diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md
index 1e97616ee8..e2f9ce0a1f 100644
--- a/windows/security/information-protection/windows-information-protection/wip-learning.md
+++ b/windows/security/information-protection/windows-information-protection/wip-learning.md
@@ -38,11 +38,11 @@ In the **Website learning report**, you can view a summary of the devices that h
1. Click **Intune** > **Client apps** > **App protection status** > **Reports**.
- 
+ 
1. Select either **App learning report for Windows Information Protection** or **Website learning report for Windows Information Protection**.
- 
+ 
Once you have the apps and websites showing up in the WIP Learning logging reports, you can decide whether to add them to your app protection policies.
@@ -75,7 +75,7 @@ The information needed for the following steps can be found using Device Health,
4. In the **Recommended apps** drop down menu, choose either **Store apps** or **Desktop apps**, depending on the app you've chosen (for example, an executable (EXE) is a desktop app).
- 
+ 
5. In **NAME** (optional), type the name of the app, and then in **PUBLISHER** (required), paste the publisher information that you copied in step 1 above.
@@ -87,7 +87,7 @@ The information needed for the following steps can be found using Device Health,
`O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US`
- 
+ 
6. Type the name of the product in **PRODUCT NAME** (required) (this will probably be the same as what you typed for **NAME**).
diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
index 1ede3ef4ed..ea4b252a30 100644
--- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -58,7 +58,7 @@ Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP]
3. Double-click **Turn on Virtualization Based Security**.
4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be disabled remotely or select **Enabled without UEFI lock**.
- 
+ 
5. Click **Ok** to close the editor.
@@ -279,7 +279,7 @@ This field lists the computer name. All valid values for computer name.
Another method to determine the available and enabled Windows Defender Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Windows Defender Device Guard properties are displayed at the bottom of the **System Summary** section.
-
+
## Troubleshooting
diff --git a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
index 6e6173e36d..def1ec0b93 100644
--- a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
+++ b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
@@ -17,7 +17,7 @@ ms.technology: mde
---
# Coordinated Malware Eradication
-
+
Coordinated Malware Eradication (CME) aims to bring organizations in cybersecurity and in other industries together to change the game against malware. While the cybersecurity industry today is effective at disrupting malware families through individual efforts, those disruptions rarely lead to eradication since malware authors quickly adapt their tactics to survive.
diff --git a/windows/security/threat-protection/intelligence/fileless-threats.md b/windows/security/threat-protection/intelligence/fileless-threats.md
index e2029f3c2c..b125773d18 100644
--- a/windows/security/threat-protection/intelligence/fileless-threats.md
+++ b/windows/security/threat-protection/intelligence/fileless-threats.md
@@ -25,7 +25,7 @@ Attacks involve [several stages](https://attack.mitre.org/wiki/ATT&CK_Matrix) fo
For clarity, fileless threats are grouped into different categories.
-
+
*Figure 1. Comprehensive diagram of fileless malware*
Fileless threats can be classified by their entry point, which indicates how fileless malware can arrive on a machine. They can arrive via an exploit, through compromised hardware, or via regular execution of applications and scripts.
@@ -56,7 +56,7 @@ It’s possible to carry out such installation via command line without requirin
Some malware can have a sort of fileless persistence, but not without using files to operate. An example for this scenario is Kovter, which creates a shell open verb handler in the registry for a random file extension. Opening a file with such extension will lead to the execution of a script through the legitimate tool mshta.exe.
-
+
*Figure 2. Kovter’s registry key*
When the open verb is invoked, the associated command from the registry is launched, which results in the execution of a small script. This script reads data from a further registry key and executes it, in turn leading to the loading of the final payload. However, to trigger the open verb in the first place, Kovter has to drop a file with the same extension targeted by the verb (in the example above, the extension is .bbf5590fd). It also has to set an autorun key configured to open such file when the machine starts.
diff --git a/windows/security/threat-protection/intelligence/malware-naming.md b/windows/security/threat-protection/intelligence/malware-naming.md
index ef4a133061..3b37bdf391 100644
--- a/windows/security/threat-protection/intelligence/malware-naming.md
+++ b/windows/security/threat-protection/intelligence/malware-naming.md
@@ -20,7 +20,7 @@ ms.technology: mde
We name the malware and unwanted software that we detect according to the Computer Antivirus Research Organization (CARO) malware naming scheme. The scheme uses the following format:
-
+
When our analysts research a particular threat, they'll determine what each of the components of the name will be.
diff --git a/windows/security/threat-protection/intelligence/phishing.md b/windows/security/threat-protection/intelligence/phishing.md
index 1f997dac95..01c216b8fe 100644
--- a/windows/security/threat-protection/intelligence/phishing.md
+++ b/windows/security/threat-protection/intelligence/phishing.md
@@ -35,7 +35,7 @@ Here are several telltale signs of a phishing scam:
* The links or URLs provided in emails are **not pointing to the correct location** or are pointing to a third-party site not affiliated with the sender of the email. For example, in the image below the URL provided doesn't match the URL that you'll be taken to.
- 
+ 
* There's a **request for personal information** such as social security numbers or bank or financial information. Official communications won't generally request personal information from you in the form of an email.
diff --git a/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md b/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md
index 00eafc82ce..ae7c0e8363 100644
--- a/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md
+++ b/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md
@@ -33,7 +33,7 @@ This process requires a global or application admin in the tenant.
2. Select **Grant admin consent for organization**.
3. If you're able to do so, review the API permissions required for this application, as the following image shows. Provide consent for the tenant.
- 
+ 
4. If the administrator receives an error while attempting to provide consent manually, try either [Option 1](#option-1-approve-enterprise-application-permissions-by-user-request) or [Option 2](#option-2-provide-admin-consent-by-authenticating-the-application-as-an-admin) as possible workarounds.
@@ -43,13 +43,13 @@ This process requires a global or application admin in the tenant.
Azure Active Directory admins will need to allow for users to request admin consent to apps. Verify the setting is configured to **Yes** in [Enterprise applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/UserSettings/menuId/).
-
+
More information is available in [Configure Admin consent workflow](/azure/active-directory/manage-apps/configure-admin-consent-workflow).
Once this setting is verified, users can go through the enterprise customer sign-in at [Microsoft security intelligence](https://www.microsoft.com/wdsi/filesubmission), and submit a request for admin consent, including justification.
-
+
Admin will be able to review and approve the application permissions [Azure admin consent requests](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AccessRequests/menuId/).
@@ -58,7 +58,7 @@ After providing consent, all users in the tenant will be able to use the applica
## Option 2 Provide admin consent by authenticating the application as an admin
This process requires that global admins go through the Enterprise customer sign-in flow at [Microsoft security intelligence](https://www.microsoft.com/wdsi/filesubmission).
-
+
Then, admins review the permissions and make sure to select **Consent on behalf of your organization**, and then select **Accept**.
@@ -70,20 +70,20 @@ If neither of these options resolve the issue, try the following steps (as an ad
1. Remove previous configurations for the application. Go to [Enterprise applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/982e94b2-fea9-4d1f-9fca-318cda92f90b)
and select **delete**.
- 
+ 
2. Capture TenantID from [Properties](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Properties).
3. Replace {tenant-id} with the specific tenant that needs to grant consent to this application in the URL below. Copy this URL into browser. The rest of the parameters are already completed.
``https://login.microsoftonline.com/{tenant-id}/v2.0/adminconsent?client_id=f0cf43e5-8a9b-451c-b2d5-7285c785684d&state=12345&redirect_uri=https%3a%2f%2fwww.microsoft.com%2fwdsi%2ffilesubmission&scope=openid+profile+email+offline_access``
- 
+ 
4. Review the permissions required by the application, and then select **Accept**.
5. Confirm the permissions are applied in the [Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Permissions/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/ce60a464-5fca-4819-8423-bcb46796b051).
- 
+ 
6. Sign in to [Microsoft security intelligence](https://www.microsoft.com/wdsi/filesubmission) as an enterprise user with a non-admin account to see if you have access.
diff --git a/windows/security/threat-protection/intelligence/worms-malware.md b/windows/security/threat-protection/intelligence/worms-malware.md
index ed4e5aaf84..2aa32ed8f6 100644
--- a/windows/security/threat-protection/intelligence/worms-malware.md
+++ b/windows/security/threat-protection/intelligence/worms-malware.md
@@ -39,7 +39,7 @@ Both Bondat and Gamarue have clever ways of obscuring themselves to evade detect
This image shows how a worm can quickly spread through a shared USB drive.
-
+
### *Figure worm spreading from a shared USB drive*
diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md
index f0c6938382..83a6f5e00b 100644
--- a/windows/security/threat-protection/mbsa-removal-and-guidance.md
+++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md
@@ -29,8 +29,8 @@ For a PowerShell alternative, see [Using WUA to Scan for Updates Offline with Po
For example:
-[](/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline)
-[](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0)
+[](/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline)
+[](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0)
The preceding scripts use the [WSUS offline scan file](https://support.microsoft.com/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it.
The wsusscn2.cab file contains the metadata of only security updates, update rollups and service packs available from Microsoft Update; it does not contain any information on non-security updates, tools or drivers.
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
index 994ade09de..3b18ab25d3 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
@@ -45,7 +45,7 @@ Applies to:
You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser requests to add non-enterprise domain(s) in the container.
The following diagram shows the flow between the host PC and the isolated container.
-
+
## Install Application Guard
@@ -55,7 +55,7 @@ Application Guard functionality is turned off by default. However, you can quick
1. Open the **Control Panel**, click **Programs,** and then click **Turn Windows features on or off**.
- 
+ 
2. Select the check box next to **Microsoft Defender Application Guard** and then click **OK**.
@@ -86,7 +86,7 @@ Application Guard functionality is turned off by default. However, you can quick
> [!IMPORTANT]
> Make sure your organization's devices meet [requirements](reqs-md-app-guard.md) and are [enrolled in Intune](/mem/intune/enrollment/device-enrollment).
-:::image type="content" source="images/MDAG-EndpointMgr-newprofile.jpg" alt-text="Enroll devices in Intune":::
+:::image type="content" source="images/MDAG-EndpointMgr-newprofile.jpg" alt-text="Enroll devices in Intune.":::
1. Go to [https://endpoint.microsoft.com](https://endpoint.microsoft.com) and sign in.
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
index de798293db..4ad66674a9 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
@@ -29,7 +29,7 @@ For Microsoft Edge, Application Guard helps to isolate enterprise-defined untrus
For Microsoft Office, Application Guard helps prevents untrusted Word, PowerPoint and Excel files from accessing trusted resources. Application Guard opens untrusted files in an isolated Hyper-V-enabled container. The isolated Hyper-V container is separate from the host operating system. This container isolation means that if the untrusted site or file turns out to be malicious, the host device is protected, and the attacker can't get to your enterprise data. For example, this approach makes the isolated container anonymous, so an attacker can't get to your employee's enterprise credentials.
-
+
### What types of devices should use Application Guard?
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
index 74525211f8..d8ff39f397 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
@@ -33,7 +33,7 @@ You can see how an employee would use standalone mode with Application Guard.
2. Restart the device, start Microsoft Edge, and then select **New Application Guard window** from the menu.
- 
+ 
3. Wait for Application Guard to set up the isolated environment.
@@ -42,7 +42,7 @@ You can see how an employee would use standalone mode with Application Guard.
4. Go to an untrusted, but safe URL (for this example, we used msn.com) and view the new Microsoft Edge window, making sure you see the Application Guard visual cues.
- 
+ 
## Application Guard in Enterprise-managed mode
@@ -64,19 +64,19 @@ Before you can use Application Guard in managed mode, you must install Windows 1
c. For the purposes of this scenario, type `.microsoft.com` into the **Enterprise cloud resources** box.
- 
+ 
d. Go to the **Administrative Templates\Network\Network Isolation\Domains categorized as both work and personal** setting.
e. For the purposes of this scenario, type `bing.com` into the **Neutral resources** box.
- 
+ 
4. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Turn on Microsoft Defender Application Guard in Managed Mode** setting.
5. Click **Enabled**, choose Option **1**, and click **OK**.
- 
+ 
>[!NOTE]
>Enabling this setting verifies that all the necessary settings are properly configured on your employee devices, including the network isolation settings set earlier in this scenario.
@@ -85,13 +85,13 @@ Before you can use Application Guard in managed mode, you must install Windows 1
After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you've marked as trusted and shows the site directly on the host PC instead of in Application Guard.
- 
+ 
7. In the same Microsoft Edge browser, type any URL that isn't part of your trusted or neutral site lists.
After you submit the URL, Application Guard determines the URL is untrusted and redirects the request to the hardware-isolated environment.
- 
+ 
### Customize Application Guard
@@ -118,7 +118,7 @@ You have the option to change each of these settings to work with your enterpris
2. Click **Enabled** and click **OK**.
- 
+ 
3. Choose how the clipboard works:
@@ -144,7 +144,7 @@ You have the option to change each of these settings to work with your enterpris
2. Click **Enabled** and click **OK**.
- 
+ 
3. Based on the list provided in the setting, choose the number that best represents what type of printing should be available to your employees. You can allow any combination of local, network, PDF, and XPS printing.
@@ -156,7 +156,7 @@ You have the option to change each of these settings to work with your enterpris
2. Click **Enabled** and click **OK**.
- 
+ 
3. Open Microsoft Edge and browse to an untrusted, but safe URL.
@@ -186,7 +186,7 @@ You have the option to change each of these settings to work with your enterpris
2. Click **Enabled** and click **OK**.
- 
+ 
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
@@ -200,7 +200,7 @@ You have the option to change each of these settings to work with your enterpris
2. Click **Enabled** and click **OK**.
- 
+ 
3. Once you have enabled this feature, open Microsoft Edge and browse to an untrusted, but safe URL with video, 3D, or other graphics-intensive content. The website opens in an isolated session.
@@ -217,7 +217,7 @@ You have the option to change each of these settings to work with your enterpris
2. Click **Enabled**, set **Options** to 2, and click **OK**.
- 
+ 
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
@@ -231,7 +231,7 @@ You have the option to change each of these settings to work with your enterpris
2. Click **Enabled** and click **OK**.
- 
+ 
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
@@ -245,7 +245,7 @@ You have the option to change each of these settings to work with your enterpris
2. Click **Enabled**, copy the thumbprint of each certificate to share, separated by a comma, and click **OK**.
- 
+ 
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
@@ -258,10 +258,10 @@ Once a user has the extension and its companion app installed on their enterpris
1. Open either Firefox or Chrome — whichever browser you have the extension installed on.
2. Navigate to an enterprise website, i.e. an internal website maintained by your organization. You might see this evaluation page for an instant before the site is fully loaded.
- 
+ 
3. Navigate to a non-enterprise, external website site, such as [www.bing.com](https://www.bing.com). The site should be redirected to Microsoft Defender Application Guard Edge.
- 
+ 
4. Open a new Application Guard window, by select the Microsoft Defender Application Guard icon, then **New Application Guard Window**
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
index 80486846fb..146b20c787 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
@@ -61,7 +61,7 @@ If you believe a warning or block was incorrectly shown for a file or applicatio
When submitting Microsoft Defender SmartScreen products, make sure to select **Microsoft Defender SmartScreen** from the product menu.
-
+
## Viewing Microsoft Defender SmartScreen anti-phishing events
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md
index 85c404a314..89c036958f 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md
@@ -60,7 +60,7 @@ Starting with Windows 10, version 1703, users can use Windows Security to set up
- **Off.** Turns off Microsoft Defender SmartScreen, so a user isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files.
- 
+ 
## How Microsoft Defender SmartScreen works when a user tries to run an app
Microsoft Defender SmartScreen checks the reputation of any web-based app the first time it's run from the Internet, checking digital signatures and other factors against a Microsoft-maintained service. If an app has no reputation or is known to be malicious, Microsoft Defender SmartScreen can warn the user or block the app from running entirely, depending on how you've configured the feature to run in your organization.
diff --git a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md
index c792222c8a..c2a1d31b98 100644
--- a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md
+++ b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md
@@ -41,7 +41,7 @@ The following procedure describes how to use Group Policy to override individual
1. Open your Group Policy editor and go to the **Administrative Templates\System\Mitigation Options\Process Mitigation Options** setting.
- 
+ 
2. Click **Enabled**, and then in the **Options** area, click **Show** to open the **Show Contents** box, where you’ll be able to add your apps and the appropriate bit flag values, as shown in the [Setting the bit field](#setting-the-bit-field) and [Example](#example) sections of this topic.
@@ -52,12 +52,12 @@ The following procedure describes how to use Group Policy to override individual
**Note**
Setting bit flags in positions not specified here to anything other than ? might cause undefined behavior.
- 
+ 
## Setting the bit field
Here’s a visual representation of the bit flag locations for the various Process Mitigation Options settings:
-
+
Where the bit flags are read from right to left and are defined as:
diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
index f98634584d..0a9058b91d 100644
--- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
+++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
@@ -130,7 +130,7 @@ You can now see which processes have DEP enabled.
-
+
*Figure 2. Processes on which DEP has been enabled in Windows 10*
@@ -168,7 +168,7 @@ One of the most common techniques used to gain access to a system is to find a v
Address Space Layout Randomization (ASLR) makes that type of attack much more difficult because it randomizes how and where important data is stored in memory. With ASLR, it is more difficult for malware to find the specific location it needs to attack. Figure 3 illustrates how ASLR works by showing how the locations of different critical Windows components can change in memory between restarts.
-
+
**Figure 3. ASLR at work**
diff --git a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
index 220c774696..e24bb48367 100644
--- a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
+++ b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
@@ -56,13 +56,13 @@ Because mobile devices are increasingly being used to access corporate informati
Devices that are used to access corporate resources must be trusted. An efficient end-to-end security approach is able to evaluate device health and use the current security state when granting access to a high-value asset.
-:::image type="content" alt-text="figure 1" source="images/hva-fig1-endtoend1.png":::
+:::image type="content" alt-text="figure 1." source="images/hva-fig1-endtoend1.png":::
A robust design needs to establish the user’s identity, strengthen the authentication method if needed, and learn behavior like the network location the user regularly connects from. Also, a modern approach must be able to release sensitive content only if user devices are determined to be healthy and secure.
The following figure shows a solution built to assess device health from the cloud. The device authenticates the user through a connection to an identity provider in the cloud. If the managed asset contains highly confidential information, the conditional access engine of the identity provider may elect to verify the security compliance of the mobile device before access is granted. The user’s device is able to prove its health status that can be sent at any time or when mobile device management (MDM) requests it.
-:::image type="content" alt-text="figure 2" source="images/hva-fig2-assessfromcloud2.png":::
+:::image type="content" alt-text="figure 2." source="images/hva-fig2-assessfromcloud2.png":::
Windows devices can be protected from low-level rootkits and bootkits by using low-level hardware technologies such as Unified Extensible Firmware Interface (UEFI) Secure Boot.
@@ -94,7 +94,7 @@ In Windows 10, there are three pillars of investments:
This section is an overview that describes different parts of the end-to-end security solution that helps protect high-value assets and information from attackers and malware.
-:::image type="content" alt-text="figure 3" source="images/hva-fig3-endtoendoverview3.png":::
+:::image type="content" alt-text="figure 3." source="images/hva-fig3-endtoendoverview3.png":::
| Number | Part of the solution | Description |
| - | - | - |
@@ -115,7 +115,7 @@ This section describes what Windows 10 offers in terms of security defenses and
The most aggressive forms of malware try to insert themselves into the boot process as early as possible so that they can take control of the operating system early and prevent protection mechanisms and antimalware software from working. This type of malicious code is often called a rootkit or bootkit. The best way to avoid having to deal with low-level malware is to secure the boot process so that the device is protected from the very start.
Windows 10 supports multiple layers of boot protection. Some of these features are available only if specific types of hardware are installed. For more information, see the [Hardware requirements](#hardware-req) section.
-:::image type="content" alt-text="figure 4" source="images/hva-fig4-hardware.png":::
+:::image type="content" alt-text="figure 4." source="images/hva-fig4-hardware.png":::
Windows 10 supports features to help prevent sophisticated low-level malware like rootkits and bootkits from loading during the startup process:
@@ -230,7 +230,7 @@ The following Windows 10 services are protected with virtualization-based securi
The schema below is a high-level view of Windows 10 with virtualization-based security.
-:::image type="content" alt-text="figure 5" source="images/hva-fig5-virtualbasedsecurity.png":::
+:::image type="content" alt-text="figure 5." source="images/hva-fig5-virtualbasedsecurity.png":::
### Credential Guard
@@ -425,11 +425,11 @@ The antimalware software can search to determine whether the boot sequence conta
Health attestation logs the measurements in various TPM Platform Configuration Registers (PCRs) and TCG logs during the boot process.
-:::image type="content" alt-text="figure 6" source="images/hva-fig6-logs.png":::
+:::image type="content" alt-text="figure 6." source="images/hva-fig6-logs.png":::
When starting a device equipped with TPM, a measurement of different components is performed. This includes firmware, UEFI drivers, CPU microcode, and also all the Windows 10 drivers whose type is Boot Start. The raw measurements are stored in the TPM PCR registers while the details of all events (executable path, authority certification, and so on) are available in the TCG log.
-:::image type="content" alt-text="figure 7" source="images/hva-fig7-measurement.png":::
+:::image type="content" alt-text="figure 7." source="images/hva-fig7-measurement.png":::
The health attestation process works as follows:
@@ -459,7 +459,7 @@ The following process describes how health boot measurements are sent to the hea
4. The client stores the health encrypted blob in its local store. The device health token contains device health status, a device ID (the Windows AIK), and the boot counter.
-:::image type="content" alt-text="figure 8" source="images/hva-fig8a-healthattest8a.png":::
+:::image type="content" alt-text="figure 8." source="images/hva-fig8a-healthattest8a.png":::
### Device health attestation components
@@ -632,7 +632,7 @@ A solution that leverages MDM and the Health Attestation Service consists of thr
2. After this is enabled, and every boot thereafter, the device will send health measurements to the Health Attestation Service hosted by Microsoft, and it will receive a health attestation blob in return.
3. At any point after this, an MDM server can request the health attestation blob from the device and ask Health Attestation Service to decrypt the content and validate that it’s been attested.
- :::image type="content" alt-text="figure 9" source="images/hva-fig8-evaldevicehealth8.png":::
+ :::image type="content" alt-text="figure 9." source="images/hva-fig8-evaldevicehealth8.png":::
Interaction between a Windows 10-based device, the Health Attestation Service, and MDM can be performed as follows:
@@ -671,7 +671,7 @@ The remote device health attestation process uses measured boot data to verify t
The figure below shows how the Health Attestation Service is expected to work with Microsoft’s cloud-based Intune MDM service.
-:::image type="content" alt-text="figure 10" source="images/hva-fig9-intune.png":::
+:::image type="content" alt-text="figure 10." source="images/hva-fig9-intune.png":::
An MDM solution can then leverage health state statements and take them to the next level by coupling with client policies that will enable conditional access to be granted based on the device’s ability to prove that it’s malware free, its antimalware system is functional and up to date, the
firewall is running, and the devices patch state is compliant.
@@ -705,7 +705,7 @@ If the device is not registered, the user will get a message with instructions o
**Azure AD** authenticates the user and the device, **MDM** manages the compliance and conditional access policies, and the **Health Attestation Service** reports about the health of the device in an attested way.
-:::image type="content" alt-text="figure 11" source="images/hva-fig10-conditionalaccesscontrol.png":::
+:::image type="content" alt-text="figure 11." source="images/hva-fig10-conditionalaccesscontrol.png":::
### Office 365 conditional access control
@@ -725,7 +725,7 @@ The user will be denied access to services when sign-in credentials are changed,
Depending on the type of email application that employees use to access Exchange online, the path to establish secured access to email can be slightly different. However, the key components: Azure AD, Office 365/Exchange Online, and Intune, are the same. The IT experience and end-user experience also are similar.
-:::image type="content" alt-text="figure 12" source="images/hva-fig11-office365.png":::
+:::image type="content" alt-text="figure 12." source="images/hva-fig11-office365.png":::
Clients that attempt to access Office 365 will be evaluated for the following properties:
@@ -758,7 +758,7 @@ For on-premises applications there are two options to enable conditional access
- For on-premises applications that are published through the Azure AD Application Proxy, you can configure conditional access control policies as you would for cloud applications. For more details, see the [Azure AD Conditional Access preview updated: Now supports On-Premises and Custom LOB apps](https://go.microsoft.com/fwlink/p/?LinkId=691618) blog post.
- Additionally, Azure AD Connect will sync device compliance information from Azure AD to on-premises AD. ADFS on Windows Server 2016 will support conditional access control based on a device's compliance state. IT pros will configure conditional access control policies in ADFS that use the device's compliance state reported by a compatible MDM solution to secure on-premises applications.
-:::image type="content" alt-text="figure 13" source="images/hva-fig12-conditionalaccess12.png":::
+:::image type="content" alt-text="figure 13." source="images/hva-fig12-conditionalaccess12.png":::
The following process describes how Azure AD conditional access works:
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md
index eb88a41772..ce251bc758 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md
@@ -36,7 +36,7 @@ Beginning with Windows 10 version 1607, new functionality was added to Windows 1
This functionality is controlled by a new **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**.
The Privacy setting is off by default, which hides the details.
-
+
The **Interactive logon: Display user information when the session is locked** Group Policy setting controls the same functionality.
diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
index 426d291c10..7a58b942a4 100644
--- a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
@@ -157,7 +157,7 @@ The following diagram shows Security Settings and related features.
#### Security Settings Policies and Related Features
-
+
- **Scesrv.dll**
@@ -181,7 +181,7 @@ The Security Settings extension of the Local Group Policy Editor is part of the
**Security Settings Architecture**
-
+
The security settings configuration and analysis tools include a security configuration engine, which provides local computer (non-domain member) and Group Policy−based configuration and analysis of security settings policies. The security configuration engine also supports the creation of security policy files. The primary features of the security configuration engine are scecli.dll and scesrv.dll.
@@ -321,7 +321,7 @@ In the context of Group Policy processing, security settings policy is processed
**Multiple GPOs and Merging of Security Policy**
- 
+ 
1. The resultant security policies are stored in secedit.sdb, the security settings database. The security engine gets the security template files and imports them to secedit.sdb.
1. The security settings policies are applied to devices.
@@ -329,7 +329,7 @@ The following figure illustrates the security settings policy processing.
**Security Settings Policy Processing**
-
+
### Merging of security policies on domain controllers
diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
index 277bc347d1..a8362c5bda 100644
--- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
+++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
@@ -380,9 +380,9 @@ This can easily be extended to other Auto-Execution Start Points keys in the reg
Use the following figures to see how you can configure those registry keys.
-
+
-
+
## Appendix C - Event channel settings (enable and channel access) methods
@@ -399,7 +399,7 @@ The following GPO snippet performs the following:
- Enables the **Microsoft-Windows-DriverFrameworks-UserMode/Operational** event channel.
- Sets the maximum file size for **Microsoft-Windows-DriverFrameworks-UserMode/Operational** to 50MB.
-
+
## Appendix D - Minimum GPO for WEF Client configuration
@@ -409,7 +409,7 @@ Here are the minimum steps for WEF to operate:
2. Start the WinRM service.
3. Add the Network Service account to the built-in Event Log Readers security group. This allows reading from secured event channel, such as the security event channel.
-
+
## Appendix E – Annotated baseline subscription event query
diff --git a/windows/security/threat-protection/windows-10-mobile-security-guide.md b/windows/security/threat-protection/windows-10-mobile-security-guide.md
index 9b1eb730a6..11b4c1a58b 100644
--- a/windows/security/threat-protection/windows-10-mobile-security-guide.md
+++ b/windows/security/threat-protection/windows-10-mobile-security-guide.md
@@ -299,7 +299,7 @@ One of the most common techniques used by attackers to gain access to a system i
Address Space Layout Randomization (ASLR) makes that type of attack much more difficult because it randomizes how and where important data is stored in memory. With ASLR, it is more difficult for malware to find the specific location it needs to attack. The below diagram illustrates how ASLR works, showing how the locations of different critical Windows components can change in memory between restarts.
-
+
Microsoft has substantively improved the ASLR implementation in Windows 10 Mobile over previous versions, applying it across the entire system rather than only in specific apps. With 64bit system and application processes that can take advantage of a vastly increased memory space, it is even more difficult for malware to predict where Windows 10 Mobile stores vital data. When used on systems that have TPMs, ASLR memory randomization becomes increasingly unique across devices, adding additional degrees of difficulty for repurposing successful exploits to another system.
diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
index ab40f94622..582297f71b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
+++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
@@ -37,7 +37,7 @@ Refer to the below video for an overview and brief demo.
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4mlcp]
## Policy Authorization Process
-
+
The general steps for expanding the S mode base policy on your Intune-managed devices are to generate a supplemental policy, sign that policy, and then upload the signed policy to Intune and assign it to user or device groups. Because you need access to WDAC PowerShell cmdlets to generate your supplemental policy, you should create and manage your policies on a non-S mode device. Once the policy has been uploaded to Intune, we recommend assigning it to a single test S-mode device to verify expected functioning before deploying the policy more broadly.
1. Generate a supplemental policy with WDAC tooling
@@ -89,11 +89,11 @@ The general steps for expanding the S mode base policy on your Intune-managed de
> When updating your supplemental policy, ensure that the new version number is strictly greater than the previous one. Using the same version number is not allowed by Intune. Refer to [Set-CIPolicyVersion](/powershell/module/configci/set-cipolicyversion?view=win10-ps&preserve-view=true) for information on setting the version number.
## Standard Process for Deploying Apps through Intune
-
+
Refer to [Intune Standalone - Win32 app management](/intune/apps-win32-app-management) for guidance on the existing procedure of packaging signed catalogs and app deployment.
## Optional: Process for Deploying Apps using Catalogs
-
+
Your supplemental policy can be used to significantly relax the S mode base policy, but there are security trade-offs you must consider in doing so. For example, you can use a signer rule to trust an external signer, but that will authorize all apps signed by that certificate, which may include apps you don't want to allow as well.
Instead of authorizing signers external to your organization, Intune has added new functionality to make it easier to authorize existing applications (without requiring repackaging or access to the source code) through the use of signed catalogs. This works for apps which may be unsigned or even signed apps when you don't want to trust all apps that may share the same signing certificate.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
index f197b8f4b2..af49d0b081 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
@@ -61,7 +61,7 @@ AppLocker can be configured to display the default message but with a custom URL
The following image shows an example of the error message for a blocked app. You can use the **Set a support web link** policy setting to customize the **More information** link.
-
+
For steps to display a custom URL for the message, see [Display a custom URL message when users try to run a blocked app](display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
index 5350f5c843..9ffaf2b82c 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
@@ -44,7 +44,7 @@ Because a computer's effective policy includes rules from each linked GPO, dupli
The following figure demonstrates how AppLocker rule enforcement is applied through linked GPOs.
-
+
In the preceding illustration, note that all GPOs linked to Contoso are applied in order as configured. The rules that are not configured are also applied. For example, the result of the Contoso and Human Resources GPOs is 33 rules enforced, as shown in the client HR-Term1. The Human Resources GPO contains 10 non-configured rules. When the rule collection is configured for **Audit only**, no rules are enforced.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md
index 0f909bdf3d..a51539d046 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md
@@ -30,7 +30,7 @@ To successfully deploy AppLocker policies, you need to identify your application
The following diagram shows the main points in the design, planning, and deployment process for AppLocker.
-
+
## Resources to support the deployment process
diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md
index bc1218b82c..671bd29bf1 100644
--- a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md
@@ -46,7 +46,7 @@ To familiarize yourself with creating WDAC rules from audit events, follow these
**Figure 1. Exceptions to the deployed WDAC policy**
- 
+ 
3. In an elevated PowerShell session, run the following commands to initialize variables used by this procedure. This procedure builds upon the **Lamna_FullyManagedClients_Audit.xml** policy introduced in [Create a WDAC policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md) and will produce a new policy called **EventsPolicy.xml**.
diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
index cb94565bff..706f2e6d6a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
@@ -45,7 +45,7 @@ To familiarize yourself with creating WDAC rules from audit events, follow these
2. Review the **CodeIntegrity - Operational** and **AppLocker - MSI and Script** event logs to confirm events, like those shown in Figure 1, are generated related to the application. For information about the types of events you should see, refer to [Understanding Application Control events](event-id-explanations.md).
**Figure 1. Exceptions to the deployed WDAC policy**
- 
+ 
3. In an elevated PowerShell session, run the following commands to initialize variables used by this procedure. This procedure builds upon the **Lamna_FullyManagedClients_Audit.xml** policy introduced in [Create a WDAC policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md) and will produce a new policy called **EventsPolicy.xml**.
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
index b9ca84a296..761ea31822 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
@@ -39,7 +39,7 @@ ECDSA is not supported.
2. When connected, right-click **Certificate Templates**, and then click **Manage** to open the Certification Templates Console.
- 
+ 
Figure 1. Manage the certificate templates
@@ -55,7 +55,7 @@ ECDSA is not supported.
8. In the **Edit Basic Constraints Extension** dialog box, select **Enable this extension**, as shown in Figure 2.
- 
+ 
Figure 2. Select constraints on the new template
@@ -71,7 +71,7 @@ When this certificate template has been created, you must publish it to the CA p
1. In the Certification Authority MMC snap-in, right-click **Certification Templates**, point to **New**, and then click **Certificate Template to Issue**, as shown in Figure 3.
- 
+ 
Figure 3. Select the new certificate template to issue
@@ -89,7 +89,7 @@ Now that the template is available to be issued, you must request one from the c
4. In the **Request Certificate** list, select your newly created code signing certificate, and then select the blue text that requests additional information, as shown in Figure 4.
- 
+ 
Figure 4. Get more information for your code signing certificate
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
index 52cac752d2..bdb0bb25f6 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
@@ -142,7 +142,7 @@ To sign the existing catalog file, copy each of the following commands into an e
4. Verify the catalog file digital signature. Right-click the catalog file, and then click **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with a **sha256** algorithm, as shown in Figure 1.
- 
+ 
Figure 1. Verify that the signing certificate exists
@@ -182,7 +182,7 @@ To simplify the management of catalog files, you can use Group Policy preference
> [!NOTE]
> You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate).
- 
+ 
Figure 2. Create a new GPO
@@ -192,7 +192,7 @@ To simplify the management of catalog files, you can use Group Policy preference
5. Within the selected GPO, navigate to Computer Configuration\\Preferences\\Windows Settings\\Files. Right-click **Files**, point to **New**, and then click **File**, as shown in Figure 3.
- 
+ 
Figure 3. Create a new file
@@ -202,7 +202,7 @@ To simplify the management of catalog files, you can use Group Policy preference
7. To keep versions consistent, in the **New File Properties** dialog box (Figure 4), select **Replace** from the **Action** list so that the newest version is always used.
- 
+ 
Figure 4. Set the new file properties
@@ -235,7 +235,7 @@ As an alternative to Group Policy, you can use Configuration Manager to deploy c
3. Name the package, set your organization as the manufacturer, and select an appropriate version number.
- 
+ 
Figure 5. Specify information about the new package
@@ -257,7 +257,7 @@ As an alternative to Group Policy, you can use Configuration Manager to deploy c
- From the **Drive mode** list, select **Runs with UNC name**.
- 
+ 
Figure 6. Specify information about the standard program
@@ -285,7 +285,7 @@ After you create the deployment package, deploy it to a collection so that the c
- Select the **Commit changes at deadline or during a maintenance window (requires restarts)** check box.
- 
+ 
Figure 7. Specify the user experience
@@ -310,13 +310,13 @@ When catalog files have been deployed to the computers within your environment,
3. Name the new policy, and under **Select and then configure the custom settings for client devices**, select the **Software Inventory** check box, as shown in Figure 8.
- 
+ 
Figure 8. Select custom settings
4. In the navigation pane, click **Software Inventory**, and then click **Set Types**, as shown in Figure 9.
- 
+ 
Figure 9. Set the software inventory
@@ -329,7 +329,7 @@ When catalog files have been deployed to the computers within your environment,
7. In the **Path Properties** dialog box, select **Variable or path name**, and then type **C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}** in the box, as shown in Figure 10.
- 
+ 
Figure 10. Set the path properties
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
index d20e96958f..dea3b62b33 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
@@ -43,7 +43,7 @@ To deploy and manage a WDAC policy with Group Policy:
> [!NOTE]
> You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate), as discussed in [Plan for Windows Defender Application Control policy management](plan-windows-defender-application-control-management.md).
- 
+ 
3. Name the new GPO. You can choose any name.
@@ -51,7 +51,7 @@ To deploy and manage a WDAC policy with Group Policy:
5. In the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Deploy Windows Defender Application Control** and then click **Edit**.
- 
+ 
6. In the **Deploy Windows Defender Application Control** dialog box, select the **Enabled** option, and then specify the WDAC policy deployment path.
@@ -60,7 +60,7 @@ To deploy and manage a WDAC policy with Group Policy:
> [!NOTE]
> This policy file does not need to be copied to every computer. You can instead copy the WDAC policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers.
- 
+ 
> [!NOTE]
> You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the client computer running Windows 10. Give your WDAC policies friendly names and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository.
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
index 250600e081..29fbbe9431 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
@@ -71,7 +71,7 @@ The steps to use Intune's custom OMA-URI functionality are:
- **Certificate file**: upload your binary format policy file. You do not need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf.
> [!div class="mx-imgBorder"]
- > 
+ > 
> [!NOTE]
> For the _Policy GUID_ value, do not include the curly brackets.
diff --git a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
index 848bfe1e62..0c319af7e6 100644
--- a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
+++ b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
@@ -45,7 +45,7 @@ Most WDAC policies will evolve over time and proceed through a set of identifiab
6. Deploy the enforced mode policy to intended devices. We recommend using staged rollouts for enforced policies to detect and respond to issues before deploying the policy broadly.
7. Repeat steps 1-6 anytime the desired "circle-of-trust" changes.
-
+
### Keep WDAC policies in a source control or document management solution
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md
index 2c5382e43b..4915d3faea 100644
--- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md
@@ -43,7 +43,7 @@ Each of the template policies has a unique set of policy allow list rules that w
More information about the Default Windows Mode and Allow Microsoft Mode policies can be accessed through the [Example WDAC base policies article](example-wdac-base-policies.md).
-
+
Once the base template is selected, give the policy a name and choose where to save the application control policy on disk.
@@ -69,7 +69,7 @@ A description of each policy rule, beginning with the left-most column, is provi
| **User Mode Code Integrity** | WDAC policies restrict both kernel-mode and user-mode binaries. By default, only kernel-mode binaries are restricted. Enabling this rule option validates user mode executables and scripts. |
> [!div class="mx-imgBorder"]
-> 
+> 
### Advanced Policy Rules Description
@@ -84,7 +84,7 @@ Selecting the **+ Advanced Options** label will show another column of policy ru
| **Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically revalidate the reputation for files that were authorized by the ISG.|
| **Require EV Signers** | In addition to being WHQL signed, this rule requires that drivers must have been submitted by a partner that has an Extended Verification (EV) certificate. All Windows 10 and later drivers will meet this requirement. |
-
+
> [!NOTE]
> We recommend that you **enable Audit Mode** initially because it allows you to test new WDAC policies before you enforce them. With audit mode, no application is blocked—instead the policy logs an event whenever an application outside the policy is started. For this reason, all templates have Audit Mode enabled by default.
@@ -105,7 +105,7 @@ The Publisher file rule type uses properties in the code signing certificate cha
| **File name** | FilePublisher | Most specific. Combination of the file name, publisher, and PCA certificate as well as a minimum version number. Files from the publisher with the specified name and greater or equal to the specified version are affected. |
-
+
### Filepath Rules
@@ -123,7 +123,7 @@ The Wizard supports the creation of [file name rules](select-types-of-rules-to-c
| **Internal name** | Specifies the internal name of the binary. |
> [!div class="mx-imgBorder"]
-> 
+> 
### File Hash Rules
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md
index bca81708e6..5f96c11702 100644
--- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md
@@ -33,15 +33,15 @@ Prerequisite information about application control can be accessed through the [
Once the Supplemental Policy type is chosen on the New Policy page, policy name and file dialog fields can be used to name and save the supplemental policy. The next step requires selecting a base policy to expand. To expand a base policy, the base must allow supplemental policies. The WDAC Wizard will verify if the base policy allows supplementals and will show the following confirmation.
-
+
If the base policy is not configured for supplemental policies, the Wizard will attempt to convert the policy to one that can be supplemented. Once successful, the Wizard will show a dialog demonstrating that the addition of the Allow Supplemental Policy rule was completed.
-
+
Policies that cannot be supplemented, for instance, a supplemental policy, will be detected by the Wizard and will show the following error. Only a base policy can be supplemented. More information on supplemental policies can be found on our [Multiple Policies article](deploy-multiple-windows-defender-application-control-policies.md).
-
+
## Configuring Policy Rules
@@ -60,7 +60,7 @@ There are only three policy rules that can be configured by the supplemental pol
| **Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager, that has been defined as a managed installer. |
| **Disable Runtime FilePath Rule Protection** | Disable default FilePath rule protection (apps and executables allowed based on file path rules must come from a file path that’s only writable by an administrator) for any FileRule that allows a file based on FilePath. |
-
+
## Creating custom file rules
@@ -78,7 +78,7 @@ The Publisher file rule type uses properties in the code signing certificate cha
| **File name** | FilePublisher | Most specific. Combination of the file name, publisher, and PCA certificate and a minimum version number. Files from the publisher with the specified name and greater or equal to the specified version are affected. |
-
+
### Filepath Rules
@@ -96,7 +96,7 @@ The Wizard supports the creation of [file name rules](select-types-of-rules-to-c
| **Internal name** | Specifies the internal name of the binary. |
-
+
### File Hash Rules
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md
index 2b94c7f004..09c88d84aa 100644
--- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md
@@ -36,7 +36,7 @@ The WDAC Wizard makes editing and viewing WDAC policies easier than the PowerShe
The `Policy Rules` page will load with the in-edit policy rules configured per the set rules. Selecting the `+ Advanced Options` button will reveal the advanced policy rule options panel. This grouping of rules contains additional policy rule options that are less common to the majority of users. To edit any of the rules, flip the corresponding policy rule state. For instance, to disable Audit Mode and enable Enforcement Mode in the figure below, the button beside the `Audit Mode` label needs only to be pressed. Once the policy rules are configured, select the Next button to continue the next stage of editing: [Adding File Rules](#adding-file-rules).
-
+
A description of the policy rule is shown at the bottom of the page when the cursor is placed over the rule title. For a complete list of the policy rules and their capabilities, see the [Windows Defender Application Control policy rules table](select-types-of-rules-to-create.md#windows-defender-application-control-policy-rules).
@@ -50,7 +50,7 @@ Selecting the `+ Custom Rules` button will open the Custom Rules panel. For more
The WDAC Wizard makes deleting file rules from an existing policy quick and easy. To remove any type of file rule: publisher rule, path rule, filename rule, or a hash rule, select the rule in the `Policy Signing Rules List` table on the left-hand side of the page. Selecting the rule will highlight the entire row. Once the row is highlighted, select the remove icon underneath the table. The Wizard will prompt for user confirmation before removing the file rule. Once removed, the rule will no longer appear in the policy or the table.
-
+
**Note:** removing a publisher rule will also remove the associated File Attribute rules. For instance, in the xml block below, removing ID_SIGNER_CONTOSO_PUBLISHER would also remove the rules ID_FILEATTRIB_LOB_APP_1 and ID_FILEATTRIB_LOB_APP_2.
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-merging-policies.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-merging-policies.md
index ec6e988048..66ad01329f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-merging-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-merging-policies.md
@@ -30,4 +30,4 @@ Select the policies you wish to merge into one policy using the `+ Add Policy` b
Lastly, select a filepath save location for the final merged policy using the `Browse` button. If a minimum of two policies are selected, and the save location is specified, select the `Next` button to build the policy.
-
+
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md
index 6da28ad681..ed1a7fe460 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md
@@ -57,4 +57,4 @@ This can only be done in Group Policy.
>[!NOTE]
>If you hide all sections then the app will show a restricted interface, as in the following screenshot:
>
->
\ No newline at end of file
+>
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
index 80d025f7ac..544e90142e 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
@@ -76,4 +76,4 @@ This can only be done in Group Policy.
> [!NOTE]
> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
>
-> 
\ No newline at end of file
+> 
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
index 1bfddcc3f2..969d80c8bf 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
@@ -32,11 +32,11 @@ ms.technology: mde
You can add information about your organization in a contact card to the Windows Security app. You can include a link to a support site, a phone number for a help desk, and an email address for email-based support.
-
+
This information will also be shown in some enterprise-specific notifications (including notifications for the [Block at first sight feature](/windows/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus), and [potentially unwanted applications](/windows/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus)).
-
+
Users can select the displayed information to initiate a support request:
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
index 919f2cb7a2..13fce0f2d5 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
@@ -56,4 +56,4 @@ This can only be done in Group Policy.
>[!NOTE]
>If you hide all sections then the app will show a restricted interface, as in the following screenshot:
>
->
\ No newline at end of file
+>
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md
index f0627d2869..f4d3053cd9 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md
@@ -50,7 +50,7 @@ This can only be done in Group Policy.
>[!NOTE]
>If you hide all sections then the app will show a restricted interface, as in the following screenshot:
>
->
+>
## Disable the Clear TPM button
If you don't want users to be able to click the **Clear TPM** button in the Windows Security app, you can disable it.
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md
index c7d0fb4944..274c66bd66 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md
@@ -55,4 +55,4 @@ This can only be done in Group Policy.
>[!NOTE]
>If you hide all sections then the app will show a restricted interface, as in the following screenshot:
>
->
\ No newline at end of file
+>
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md
index 5cf74d9fdf..3a14dc7c26 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md
@@ -52,5 +52,5 @@ This can only be done in Group Policy.
>[!NOTE]
>If you hide all sections then the app will show a restricted interface, as in the following screenshot:
>
->
+>
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md
index 762e9c7402..87960171d1 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md
@@ -63,7 +63,7 @@ This can only be done in Group Policy.
>[!NOTE]
>If you hide all sections then the app will show a restricted interface, as in the following screenshot:
>
->
+>
## Hide the Ransomware protection area
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md
index 146bdcc78e..30cc06c3d0 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md
@@ -34,7 +34,7 @@ Windows 10 in S mode is streamlined for tighter security and superior performanc
The Windows Security interface is a little different in Windows 10 in S mode. The **Virus & threat protection** area has fewer options, because the built-in security of Windows 10 in S mode prevents viruses and other threats from running on devices in your organization. In addition, devices running Windows 10 in S mode receive security updates automatically.
-
+
For more information about Windows 10 in S mode, including how to switch out of S mode, see [Windows 10 Pro/Enterprise in S mode](/windows/deployment/windows-10-pro-in-s-mode).
diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
index 17eb0a98fd..fe03727f33 100644
--- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
+++ b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
@@ -31,7 +31,7 @@ In Windows 10, version 1709 and later, the app also shows information from third
In Windows 10, version 1803, the app has two new areas, **Account protection** and **Device security**.
-
+
> [!NOTE]
> The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal console that is used to review and manage [Microsoft Defender for Endpoint](/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection).
@@ -55,19 +55,19 @@ You can find more information about each section, including options for configur
> [!NOTE]
> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
>
-> 
+> 
## Open the Windows Security app
- Click the icon in the notification area on the taskbar.
- 
+ 
- Search the Start menu for **Windows Security**.
- 
+ 
- Open an area from Windows **Settings**.
- 
+ 
> [!NOTE]
> Settings configured with management tools, such as Group Policy, Microsoft Intune, or Microsoft Endpoint Configuration Manager, will generally take precedence over the settings in the Windows Security. See the topics for each of the sections for links to configuring the associated features or products.
diff --git a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
index 8b55c05b3e..848345ef8b 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
@@ -52,7 +52,7 @@ DRTM lets the system freely boot into untrusted code initially, but shortly afte
This has the benefit of allowing untrusted early UEFI code to boot the system, but then being able to securely transition into a trusted and measured state.
-
+
Secure Launch simplifies management of SRTM measurements because the launch code is now unrelated to a specific hardware configuration. This means the number of valid code measurements is small, and future updates can be deployed more widely and quickly.
@@ -82,7 +82,7 @@ While Windows Defender System Guard provides advanced protection that will help
As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the device’s Trusted Platform Module 2.0 (TPM 2.0). System Guard Secure Launch will not support earlier TPM versions, such as TPM 1.2. This process and data are hardware-isolated away from Windows to help ensure that the measurement data is not subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the device’s firmware, hardware configuration state, and Windows boot-related components, just to name a few.
-
+
After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or Microsoft Endpoint Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources.
diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
index 14695d80d0..55321967df 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
@@ -38,13 +38,13 @@ System Guard Secure Launch can be configured for Mobile Device Management (MDM)
2. Click **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn On Virtualization Based Security** > **Secure Launch Configuration**.
- 
+ 
### Windows Security Center
Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation** > **Firmware protection**.
- 
+ 
### Registry
@@ -58,13 +58,13 @@ Click **Start** > **Settings** > **Update & Security** > **Windows Security** >
5. Double-click **Enabled**, change the value to **1**, and click **OK**.
- 
+ 
## How to verify System Guard Secure Launch is configured and running
To verify that Secure Launch is running, use System Information (MSInfo32). Click **Start**, search for **System Information**, and look under **Virtualization-based Security Services Running** and **Virtualization-based Security Services Configured**.
-
+
> [!NOTE]
> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs).
diff --git a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md
index 71f0392376..5819f886fd 100644
--- a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md
+++ b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md
@@ -38,7 +38,7 @@ type **WF.msc**, and then select **OK**. See also [Open Windows Firewall](./op
When you open the Windows Defender Firewall for the first time, you can see the default settings applicable to the local computer. The Overview panel displays security settings for each type of network to which the device can connect.
-
+
*Figure 1: Windows Defender Firewall*
@@ -55,7 +55,7 @@ View detailed settings for each profile by right-clicking the top-level **Window
Maintain the default settings in Windows Defender
Firewall whenever possible. These settings have been designed to secure your device for use in most network scenarios. One key example is the default Block behavior for Inbound connections.
-
+
*Figure 2: Default inbound/outbound settings*
@@ -70,7 +70,7 @@ In many cases, a next step for administrators will be to customize these profile
This can be accomplished by right-clicking either **Inbound Rules** or **Outbound Rules**, and selecting **New Rule**. The interface for adding a new rule looks like this:
-
+
*Figure 3: Rule Creation Wizard*
@@ -131,7 +131,7 @@ To determine why some applications are blocked from communicating in the network
Creation of application rules at runtime can also be prohibited by administrators using the Settings app or Group Policy.
-
+
*Figure 4: Dialog box to allow access*
@@ -148,7 +148,7 @@ Rule merging settings control how rules from different policy sources can be com
The rule merging settings either allow or prevent local admins from creating their own firewall rules in addition to those obtained from Group Policy.
-
+
*Figure 5: Rule merging setting*
@@ -180,11 +180,11 @@ An important firewall feature you can use to mitigate damage during an active at
Shields up can be achieved by checking **Block all
incoming connections, including those in the list of allowed apps** setting found in either the Windows Settings app or the legacy file *firewall.cpl*.
-
+
*Figure 6: Windows settings App/Windows Security/Firewall Protection/Network Type*
-
+
*Figure 7: Legacy firewall.cpl*
diff --git a/windows/security/threat-protection/windows-firewall/boundary-zone.md b/windows/security/threat-protection/windows-firewall/boundary-zone.md
index 0e67454be2..37d7edb647 100644
--- a/windows/security/threat-protection/windows-firewall/boundary-zone.md
+++ b/windows/security/threat-protection/windows-firewall/boundary-zone.md
@@ -32,7 +32,7 @@ The GPOs you build for the boundary zone include IPsec or connection security ru
Because these boundary zone devices can receive unsolicited inbound communications from untrusted devices that use plaintext, they must be carefully managed and secured in other ways. Mitigating this additional risk is an important part of deciding whether to add a device to the boundary zone. For example, completing a formal business justification process before adding each device to the boundary zone can help ensure that the additional risk is minimized. The following illustration shows a sample process that can help make such a decision.
-
+
The goal of this process is to determine whether the risk of adding a device to a boundary zone can be mitigated to a level that makes it acceptable to the organization. Ultimately, if the risk cannot be mitigated, membership must be denied.
diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
index bf9a3f7d47..479b2e67af 100644
--- a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
+++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
@@ -28,7 +28,7 @@ ms.technology: mde
To get started, open Device Configuration in Intune, then create a new profile.
Choose Windows 10 as the platform, and Endpoint Protection as the profile type.
Select Windows Defender Firewall.
-
+
>[!IMPORTANT]
>A single Endpoint Protection profile may contain up to a maximum of 150 firewall rules. If a client device requires more than 150 rules, then multiple profiles must be assigned to it.
diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
index 0e7f47576b..8f27c49ab5 100644
--- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
@@ -32,7 +32,7 @@ In addition to the basic protection provided by the firewall rules in the previo
The following illustration shows the traffic protection needed for this design example.
-
+
1. All devices on the Woodgrove Bank corporate network that are Active Directory domain members must authenticate inbound network traffic as coming from another computer that is a member of the domain. Unless otherwise specified in this section, Woodgrove Bank's devices reject all unsolicited inbound network traffic that is not authenticated. If the basic firewall design is also implemented, even authenticated inbound network traffic is dropped unless it matches an inbound firewall rule.
diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md
index 6c13157e59..659827d1c6 100644
--- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md
@@ -34,7 +34,7 @@ By using connection security rules based on IPsec, you provide a logical barrier
The design is shown in the following illustration, with the arrows that show the permitted communication paths.
-
+
Characteristics of this design, as shown in the diagram, include the following:
diff --git a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md
index 90d5fd2514..718505a9d7 100644
--- a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md
+++ b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md
@@ -22,7 +22,7 @@ Debugging packet drops is a continuous issue to Windows customers. In the past,
Typically, when investigating packet drop events, a customer would use the field `Filter Run-Time ID` from Windows Filtering Platform (WFP) audits 5157 or 5152.
-
+
The filter ID uniquely identifies the filter that caused the packet drop. The filter ID can be searched in the WFP state dump output to trace back to the Firewall rule where the filter originated from.
@@ -73,7 +73,7 @@ To enable a specific audit event, run the corresponding command in an administra
As the audit surfaces `Filter Origin` and `Interface Index`, the network admin can determine the root cause of the network packet drop and the interface it happened on.
-
+
The next sections are divided by `Filter Origin` type, the value is either a rule name or the name of one of the default block filters. If the filter origin is one of the default block filters, skip to the section, **Firewall default block filters**. Otherwise, continue to the section **Firewall rules**.
@@ -86,7 +86,7 @@ Get-NetFirewallRule -Name “”
Get-NetFirewallRule -Name " {A549B7CF-0542-4B67-93F9-EEBCDD584377} "
```
-
+
After identifying the rule that caused the drop, the network admin can now modify/disable the rule to allow the traffic they want through command prompt or using the Windows Defender UI. The network admin can find the rule in the UI with the rule’s `DisplayName`.
@@ -118,7 +118,7 @@ Get-NetIPInterface –InterfaceIndex
Get-NetIPInterface –InterfaceIndex 5
```
-
+
To learn more about the quarantine feature, see [Quarantine behavior](quarantine.md).
@@ -139,7 +139,7 @@ To generate a list of all the query user block rules, you can run the following
Get-NetFirewallRule | Where {$_.Name -like "*Query User*"}
```
-
+
The query user pop-up feature is enabled by default.
diff --git a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md
index 8c8fb36ee5..5a6acfea96 100644
--- a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md
@@ -38,7 +38,7 @@ The network administrators want to implement Windows Defender Firewall with Adva
The following illustration shows the traffic protection needs for this design example.
-
+
1. The network infrastructure servers that are running services, such as Active Directory, DNS, DHCP, or WINS, can receive unsolicited inbound requests from network clients. The network clients can receive the responses from the infrastructure servers.
diff --git a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md
index 7b95852c3d..265019f489 100644
--- a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md
+++ b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md
@@ -41,7 +41,7 @@ The following are important factors in the implementation of your Windows Defend
The next step in implementing your design is to determine in what order each of the deployment steps must be performed. This guide uses checklists to help you accomplish the various deployment tasks that are required to implement your design plan. As the following diagram shows, checklists and subchecklists are used as necessary to provide the end-to-end procedure for deploying a design.
-
+
Use the following parent checklists in this section of the guide to become familiar with the deployment tasks for implementing your organization's Windows Defender Firewall with Advanced Security design.
diff --git a/windows/security/threat-protection/windows-firewall/quarantine.md b/windows/security/threat-protection/windows-firewall/quarantine.md
index 87bab115a6..bd087a2124 100644
--- a/windows/security/threat-protection/windows-firewall/quarantine.md
+++ b/windows/security/threat-protection/windows-firewall/quarantine.md
@@ -196,7 +196,7 @@ Auditpol /set /category:"System" /SubCategory:"Filtering Platform Connection" /s
Sample drop audit with `filterOrigin` as `Quarantine Default`.
-
+
Once the drop’s filter origin has been identified as the quarantine default inbound block filter, the interface should be further investigated. To find the relevant interface, use the `InterfaceIndex` value from the `netEvent` or event audit in the following PowerShell command to generate more information about the interface:
@@ -205,7 +205,7 @@ Get-NetIPInterface –InterfaceIndex
Get-NetIPInterface –InterfaceIndex 5
```
-
+
Using the interface name, event viewer can be searched for any interface related changes.
diff --git a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
index 81a548b4ee..8fbeb35412 100644
--- a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
+++ b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
@@ -30,7 +30,7 @@ For devices that share sensitive information over the network, Windows Defender
The following illustration shows an encryption zone in an isolated domain. The rules that implement both the isolated domain and the different zones are deployed by using Group Policy and Active Directory.
-
+
This goal provides the following benefits:
diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
index a50232fe28..1a7c288575 100644
--- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
+++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
@@ -34,7 +34,7 @@ You can restrict access by specifying either computer or user credentials.
The following illustration shows an isolated server, and examples of devices that can and cannot communicate with it. Devices that are outside the Woodgrove corporate network, or computers that are in the isolated domain but are not members of the required NAG, cannot communicate with the isolated server.
-
+
This goal, which corresponds to [Server Isolation Policy Design](server-isolation-policy-design.md), provides the following features:
diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
index d7de7d8963..5285e56ad9 100644
--- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
+++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
@@ -35,7 +35,7 @@ The protection provided by domain isolation can help you comply with regulatory
The following illustration shows an isolated domain, with one of the zones that are optionally part of the design. The rules that implement both the isolated domain and the different zones are deployed by using Group Policy and Active Directory.
-
+
These goals, which correspond to [Domain Isolation Policy Design](domain-isolation-policy-design.md) and [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md), provide the following benefits:
diff --git a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md
index 4c6f3f4fb7..8cb2a35d50 100644
--- a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md
+++ b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md
@@ -59,7 +59,7 @@ These procedures assume that you already have a public key infrastructure (PKI)
The following Windows PowerShell script establishes a connection security rule that uses IKEv2 for communication between two computers (CLIENT1 and SERVER1) that are joined to the corp.contoso.com domain as shown in Figure 1.
-
+
**Figure 1** The Contoso corporate network
@@ -77,7 +77,7 @@ This script does the following:
- Creates the IKEv2 connection security rule called **My IKEv2 Rule**.
-**Windows PowerShell commands**
+**Windows PowerShell commands**
Type each cmdlet on a single line, even though they may appear to wrap across several lines because of formatting constraints.
@@ -117,7 +117,7 @@ Use a Windows PowerShell script similar to the following to create a local IPsec
>**Important:** The certificate parameters that you specify for the certificate are case sensitive, so make sure that you type them exactly as specified in the certificate, and place the parameters in the exact order that you see in the following example. Failure to do so will result in connection errors.
-**Windows PowerShell commands**
+**Windows PowerShell commands**
Type each cmdlet on a single line, even though they may appear to wrap across several lines because of formatting constraints.
diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md
index 0e2b6ce11e..a0070cf114 100644
--- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md
@@ -46,7 +46,7 @@ In addition to the protection provided by the firewall rules and domain isolatio
The following illustration shows the traffic protection needs for this design example.
-
+
1. Access to the SQL Server devices must be restricted to only those computer or user accounts that have a business requirement to access the data. This includes the service accounts that are used by the WGBank front-end servers, and administrators of the SQL Server devices. In addition, access is only granted when it is sent from an authorized computer. Authorization is determined by membership in a network access group (NAG).
diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md
index f4d452b4cf..7d44e7c17c 100644
--- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md
@@ -32,7 +32,7 @@ You can implement a server isolation design without using domain isolation. To d
The design is shown in the following illustration, with arrows that show the permitted communication paths.
-
+
Characteristics of this design include the following:
diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
index 3e383743a4..bf70a3a3b7 100644
--- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
+++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
@@ -328,7 +328,7 @@ Windows PowerShell can create powerful, complex IPsec policies like in Netsh and
In Netsh, the authentication and cryptographic sets were specified as a list of comma-separated tokens in a specific format. In Windows PowerShell, rather than using default settings, you first create your desired authentication or cryptographic proposal objects and bundle them into lists in your preferred order. Then, you create one or more IPsec rules that reference these sets. The benefit of this model is that programmatic access to the information in the rules is much easier. See the following sections for clarifying examples.
-
+
### Create IPsec rules
@@ -353,7 +353,7 @@ If you want to create a custom set of quick-mode proposals that includes both AH
You can then use the newly created custom quick-mode policies when you create IPsec rules. The cryptography set object is linked to an IPsec rule object.
-
+
In this example, we build on the previously created IPsec rule by specifying a custom quick-mode crypto set. The final IPsec rule requires outbound traffic to be authenticated by the specified cryptography method.
diff --git a/windows/security/threat-protection/windows-security-baselines.md b/windows/security/threat-protection/windows-security-baselines.md
index f18a5180db..8e719f1364 100644
--- a/windows/security/threat-protection/windows-security-baselines.md
+++ b/windows/security/threat-protection/windows-security-baselines.md
@@ -61,12 +61,12 @@ You can download the security baselines from the [Microsoft Download Center](htt
The security baselines are included in the [Security Compliance Toolkit (SCT)](security-compliance-toolkit-10.md), which can be downloaded from the Microsoft Download Center. The SCT also includes tools to help admins manage the security baselines.
-[](security-compliance-toolkit-10.md)
-[](get-support-for-security-baselines.md)
+[](security-compliance-toolkit-10.md)
+[](get-support-for-security-baselines.md)
## Community
-[](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bd-p/Security-Baselines)
+[](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bd-p/Security-Baselines)
## Related Videos
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
index cfb7427cbc..170918a4fa 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
@@ -60,12 +60,12 @@ You can download the security baselines from the [Microsoft Download Center](htt
The security baselines are included in the [Security Compliance Toolkit (SCT)](security-compliance-toolkit-10.md), which can be downloaded from the Microsoft Download Center. The SCT also includes tools to help admins manage the security baselines.
-[](security-compliance-toolkit-10.md)
-[](get-support-for-security-baselines.md)
+[](security-compliance-toolkit-10.md)
+[](get-support-for-security-baselines.md)
## Community
-[](/archive/blogs/secguide/)
+[](/archive/blogs/secguide/)
## Related Videos
diff --git a/windows/whats-new/contribute-to-a-topic.md b/windows/whats-new/contribute-to-a-topic.md
index 1387997652..b99b7a48ad 100644
--- a/windows/whats-new/contribute-to-a-topic.md
+++ b/windows/whats-new/contribute-to-a-topic.md
@@ -38,7 +38,7 @@ Across the docs.microsoft.com site, if you see **Edit** in the right-hand corner
1. Go to the article that you want to update, and then click **Edit**.
- 
+ 
2. Sign into (or sign up for) a GitHub account.
@@ -46,7 +46,7 @@ Across the docs.microsoft.com site, if you see **Edit** in the right-hand corner
3. Click the **Pencil** icon (in the red box) to edit the content.
- 
+ 
4. Using Markdown language, make your changes to the topic. For info about how to edit content using Markdown, see:
- **If you're linked to the Microsoft organization in GitHub:** [Windows authoring guide](https://aka.ms/WindowsAuthoring)
@@ -55,11 +55,11 @@ Across the docs.microsoft.com site, if you see **Edit** in the right-hand corner
5. Make your suggested change, and then click **Preview Changes** to make sure it looks correct.
- 
+ 
6. When you’re done editing the topic, scroll to the bottom of the page, and then click **Propose file change**.
- 
+ 
The **Comparing changes** screen shows the changes between your version of the article and the original content.
@@ -67,7 +67,7 @@ Across the docs.microsoft.com site, if you see **Edit** in the right-hand corner
If there are no problems, you’ll see the message, **Able to merge**.
- 
+ 
8. Click **Create pull request**.
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
index 83e1c6b032..256dad7a3a 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
@@ -48,7 +48,7 @@ This version of Window 10 includes security improvements for threat protection,
The [Microsoft Defender for Endpoint](/windows/security/threat-protection/index) platform includes the security pillars shown in the following diagram. In this version of Windows, Defender for Endpoint includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management.
-
+
##### Attack surface reduction
@@ -275,7 +275,7 @@ The WSC service now requires antivirus products to run as a protected process to
WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you have enabled that option in **Color Settings**.
-
+
#### Group Policy Security Options
@@ -288,7 +288,7 @@ A new security policy setting
We’ve continued to work on the **Current threats** area in [Virus & threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen:
-
+
## Deployment
@@ -387,7 +387,7 @@ If you have shared devices deployed in your work place, **Fast sign-in** enables
3. Sign-in to a shared PC with your account. You'll notice the difference!
- 
+ 
### Web sign-in to Windows 10
@@ -402,7 +402,7 @@ Until now, Windows logon only supported the use of identities federated to ADFS
3. On the lock screen, select web sign-in under sign-in options.
4. Click the “Sign in” button to continue.
-
+
## Windows Analytics
@@ -470,7 +470,7 @@ The OS uninstall period is a length of time that users are given when they can o
Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](/windows/configuration/provisioning-packages/provisioning-packages#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards.
-
+
### Windows Spotlight
@@ -636,7 +636,7 @@ If you have a device that has been updated to Windows 10 Enterprise LTSC 2019, t
We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word.
-
+
## Remote Desktop with Biometrics
@@ -650,9 +650,9 @@ To get started, sign into your device using Windows Hello for Business. Bring up
See the following example:
-
-
-
+
+
+
## See Also
diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md
index b05bba2289..48bf6b509b 100644
--- a/windows/whats-new/whats-new-windows-10-version-1703.md
+++ b/windows/whats-new/whats-new-windows-10-version-1703.md
@@ -31,11 +31,11 @@ Previously known as *Windows Imaging and Configuration Designer (ICD)*, the tool
Windows Configuration Designer in Windows 10, version 1703, includes several new wizards to make it easier to create provisioning packages.
-
+
Both the desktop and kiosk wizards include an option to remove pre-installed software, based on the new [CleanPC configuration service provider (CSP)](/windows/client-management/mdm/cleanpc-csp).
-
+
[Learn more about Windows Configuration Designer.](/windows/configuration/provisioning-packages/provisioning-packages)
@@ -44,7 +44,7 @@ Both the desktop and kiosk wizards include an option to remove pre-installed sof
Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](/windows/configuration/provisioning-packages/provisioning-packages#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards.
-
+
### Windows Spotlight
@@ -279,7 +279,7 @@ Learn about the new Group Policies that were added in Windows 10, version 1703.
The Lockdown Designer app helps you configure and create a lockdown XML file to apply to devices running Windows 10 Mobile, and includes a remote simulation to help you determine the layout for tiles on the Start screen. Using Lockdown Designer is easier than [manually creating a lockdown XML file](/windows/configuration/mobile-devices/lockdown-xml).
-
+
[Learn more about the Lockdown Designer app.](/windows/configuration/mobile-devices/mobile-lockdown-designer)
diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md
index e73c5af9bc..6410248ff6 100644
--- a/windows/whats-new/whats-new-windows-10-version-1809.md
+++ b/windows/whats-new/whats-new-windows-10-version-1809.md
@@ -46,7 +46,7 @@ To learn more about Autopilot self-deploying mode and to see step-by-step instru
We’ve continued to work on the **Current threats** area in [Virus & threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen:
> [!div class="mx-imgBorder"]
-> 
+> 
With controlled folder access you can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We’ve made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether.
@@ -109,16 +109,16 @@ To try this:
See the following example:
> [!div class="mx-imgBorder"]
-> 
+> 
> [!div class="mx-imgBorder"]
-> 
+> 
> [!div class="mx-imgBorder"]
-> 
+> 
> [!div class="mx-imgBorder"]
-> 
+> 
### Windows Security Center
@@ -130,7 +130,7 @@ The WSC service now requires antivirus products to run as a protected process to
WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you have enabled that option in **Color Settings**.
-
+
### Windows Defender Firewall now supports Windows Subsystem for Linux (WSL) processes
@@ -195,7 +195,7 @@ We introduced a simplified assigned access configuration experience in **Setting
To use this feature, go to **Settings**, search for **assigned access**, and open the **Set up a kiosk** page.
-
+
Microsoft Edge kiosk mode running in single-app assigned access has two kiosk types.
@@ -203,7 +203,7 @@ Microsoft Edge kiosk mode running in single-app assigned access has two kiosk ty
2. **Public browsing** supports multi-tab browsing and runs InPrivate mode with minimal features available. Users cannot minimize, close, or open new Microsoft Edge windows or customize them using Microsoft Edge Settings. Users can clear browsing data and downloads, and restart Microsoft Edge by clicking **End session**. Administrators can configure Microsoft Edge to restart after a period of inactivity.
-
+
Microsoft Edge kiosk mode running in multi-app assigned access has two kiosk types.
@@ -212,11 +212,11 @@ Microsoft Edge kiosk mode running in multi-app assigned access has two kiosk typ
**Public browsing** supports multi-tab browsing and runs InPrivate mode with minimal features available. In this configuration, Microsoft Edge can be one of many apps available. Users can close and open multiple InPrivate mode windows.
-
+
**Normal mode** runs a full version of Microsoft Edge, although some features may not work depending on what apps are configured in assigned access. For example, if the Microsoft Store is not set up, users cannot get books.
-
+
Learn more about [Microsoft Edge kiosk mode](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy).
@@ -224,7 +224,7 @@ Learn more about [Microsoft Edge kiosk mode](/microsoft-edge/deploy/microsoft-ed
We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word.
-
+
## Faster sign-in to a Windows 10 shared pc
@@ -237,7 +237,7 @@ Do you have shared devices deployed in your work place? **Fast sign-in** enables
3. Sign-in to a shared PC with your account. You'll notice the difference!
- 
+ 
>[!NOTE]
>This is a private preview feature and therefore not meant or recommended for production purposes.
@@ -259,7 +259,7 @@ Until now, Windows logon only supported the use of identities federated to ADFS
4. Click the **Sign in** button to continue.
> [!div class="mx-imgBorder"]
- > 
+ > 
>[!NOTE]
>This is a private preview feature and therefore not meant or recommended for production purposes.
@@ -271,7 +271,7 @@ Android phone users, you can finally stop emailing yourself photos. With Your Ph
For iPhone users, **Your Phone** app also helps you to link your phone to your PC. Surf the web on your phone, then send the webpage instantly to your computer to continue what you’re doing–-read, watch, or browse-- with all the benefits of a bigger screen.
> [!div class="mx-imgBorder"]
-> 
+> 
The desktop pin takes you directly to the **Your Phone** app for quicker access to your phone’s content. You can also go through the all apps list in Start, or use the Windows key and search for **Your Phone**.
@@ -283,7 +283,7 @@ One of the things we’ve heard from you is that it’s hard to know when you’
* Video mode increases the screen-to-screen latency to ensure the video on the big screen plays back smoothly
* Productivity modes strikes a balance between game mode and video mode; the screen-to screen-latency is responsive enough that typing feels natural, while ensuring videos don’t glitch as often.
-
+
## Remote Desktop with Biometrics
@@ -293,6 +293,6 @@ To get started, sign into your device using Windows Hello for Business. Bring up
See the following example:
-
-
-
+
+
+
diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md
index 371bf97c95..74eb1725e2 100644
--- a/windows/whats-new/whats-new-windows-10-version-1903.md
+++ b/windows/whats-new/whats-new-windows-10-version-1903.md
@@ -125,7 +125,7 @@ The draft release of the [security configuration baseline settings](/archive/blo
This new feature is displayed under the Device Security page with the string “Your device exceeds the requirements for enhanced hardware security” if configured properly:
-
+
### Identity Protection
diff --git a/windows/whats-new/whats-new-windows-10-version-2004.md b/windows/whats-new/whats-new-windows-10-version-2004.md
index ac0d4984f2..692871b1c3 100644
--- a/windows/whats-new/whats-new-windows-10-version-2004.md
+++ b/windows/whats-new/whats-new-windows-10-version-2004.md
@@ -43,7 +43,7 @@ In this release, [Windows Defender System Guard](/windows/security/threat-prote
With this improvement, the OS can detect a higher level of SMM compliance, enabling devices to be even more hardened against SMM exploits and vulnerabilities. This feature is forward-looking and currently requires new hardware available soon.
- 
+ 
### Windows Defender Application Guard