Merge remote-tracking branch 'refs/remotes/origin/master' into jd-sandbox

This commit is contained in:
jdeckerMS 2016-08-30 16:22:04 -07:00
commit e019591f20
6 changed files with 15 additions and 117 deletions

View File

@ -15,7 +15,7 @@ author: brianlic-msft
- Windows 10 - Windows 10
- Windows Server 2016 - Windows Server 2016
Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. Introduced in Windows 10 Enterprise and Windows Server 2016, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets.
Credential Guard offers the following features and solutions: Credential Guard offers the following features and solutions:
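Review bot: the new "Windows 10 Enterprise and Windows Server 2016" wording in the intro paragraph is fine, but the same sentence still capitalises the two attack names inconsistently ("Pass-the-Hash" vs "Pass-The-Ticket"); since this line is being touched anyway, normalise both to "Pass-the-Hash" and "Pass-the-Ticket".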
@ -91,7 +91,7 @@ The PC must meet the following hardware and software requirements to use Credent
<td>TPM 2.0</td> <td>TPM 2.0</td>
</tr> </tr>
<tr> <tr>
<td>Windows 10 version 1511 or later</td> <td>Windows 10 version 1511, Windows Server 2016, or later</td>
<td>TPM 2.0 or TPM 1.2</td> <td>TPM 2.0 or TPM 1.2</td>
</tr> </tr>
</table> </table>
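Review bot: the edited cell "Windows 10 version 1511, Windows Server 2016, or later" is ambiguous, because "or later" now reads as if it qualifies Windows Server 2016 as well as Windows 10. Suggest "Windows 10, version 1511 or later, or Windows Server 2016" so the TPM 1.2 allowance is clearly tied to the client version threshold and to Server 2016 separately.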
@ -114,7 +114,7 @@ The PC must meet the following hardware and software requirements to use Credent
</tr> </tr>
<tr class="even"> <tr class="even">
<td align="left"><p>Virtual machine</p></td> <td align="left"><p>Virtual machine</p></td>
<td align="left"><p>For PCs running Windows 10, version 1607, you can run Credential Guard on a Generation 2 virtual machine.</p></td> <td align="left"><p>For PCs running Windows 10, version 1607 or Windows Server 2016, you can run Credential Guard on a Generation 2 virtual machine.</p></td>
</tr> </tr>
</tr> </tr>
<tr class="even"> <tr class="even">
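Review bot: the unchanged context in this hunk has a stray closing tag, two consecutive `</tr>` lines directly after the virtual machine row, which leaves the requirements table malformed; drop the second one while this row is being edited. Also, "For PCs running Windows 10, version 1607 or Windows Server 2016" now describes a server OS as a PC; "For devices running" or "For hosts running" reads better for both.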
@ -169,7 +169,7 @@ First, you must add the virtualization-based security features. You can do this
> You can also add these features to an online image by using either DISM or Configuration Manager. > You can also add these features to an online image by using either DISM or Configuration Manager.
In Windows 10, version 1607, Isolated User Mode is included with Hyper-V and does not need to be installed separately. If you're running a version of Windows 10 that's earlier than Windows 10, version 1607, you can run the following command to install Isolated User Mode: In Windows 10, version 1607 and Windows Server 2016, Isolated User Mode is included with Hyper-V and does not need to be installed separately. If you're running a version of Windows 10 that's earlier than Windows 10, version 1607, you can run the following command to install Isolated User Mode:
``` syntax ``` syntax
dism /image:<WIM file name> /Enable-Feature /FeatureName:IsolatedUserMode dism /image:<WIM file name> /Enable-Feature /FeatureName:IsolatedUserMode
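Review bot: the sentence that introduces the DISM command now covers Windows Server 2016, but the placeholder in the unchanged command line, `/image:<WIM file name>`, is misleading: the `/Image:` switch takes the path of a mounted offline image directory, not a .wim file name, and the preceding note says the features can also be added to an online image, which would be `/Online` instead. Suggest `/image:<path to mounted image>` and a short remark that `/Online` replaces `/Image:` for a running system.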

View File

@ -1,102 +0,0 @@
---
title: Diagnostics for Windows 10 devices (Windows 10)
description: Device Policy State log in Windows 10, Version 1607, collects info about policies.
keywords: ["mdm", "udiag", "device policy", "mdmdiagnostics"]
ms.prod: W10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
---
# Diagnostics for Windows 10 devices
**Applies to**
- Windows 10
- Windows 10 Mobile
(which SKUs?)
(this isn't really MDM-managed only, is it? It can be done locally/email?)
Two new diagnostic tools for Windows 10, version 1607, help IT administrators diagnose and resolve issues with remote devices enrolled in mobile device management (MDM): the [Device Policy State Log](#device-policy-state-log) and [UDiag](#udiag). Windows 10 for desktop editions and Windows 10 Mobile make it simple for users to export log files that you can then analyze with these tools.
## Export management log files
Go to **Settings > Accounts > Work access > Export your management log files**.
![Export your management log files](images/export-mgt-desktop.png)
- On desktop devices, the file is saved to C:/Users/Public/Public Documents/MDMDiagnostics/MDMDiagReport.xml
- On phones, the file is saved to *phone*/Documents/MDMDiagnostics/MDMDiagReport.xml
The MDMDiagReport.xml can be used with [Device Policy State Log](#device-policy-state-log) and [UDiag](#udiag) to help you resolve issues.
## Device Policy State Log
The Device Policy State Log collects information on the state of policies applied to the device to help you determine which sources are applying policies or configurations to the device. Help desk personnel can use this log to diagnose and resolve issues with a remote device.
After you obtain the management log file from the user's device, run the mdmReportGenerator.ps1 script on log to create report. (download mdmReportGenerator.ps1 and mdmDiagnoseHelpers.psm1) This PowerShell script asks you to enter the name of the management log file and a name for the report that it will create, as shown in the following example:
![Enter file name for input and output](images/mdm-diag-report-powershell.png)
The script produces the report in html format. There are two sections to the report, Configuration and Policy Information.
The configuration section lists the GUID of the sources that are applying configurations to the device.
![Configuration source Exachange ActiveSync](images/config-source.png)
The policy information section displays information about the specific policies that are being enforced and on the device. For each policy, you will see the Area grouping, the Policy name, its default and current value, and the configuration source. You can compare the configuration source GUID in the policy information section to the GUIDs in the configuration section to identify the source of the policy.
![Policies applied by a configuration source](images/config-policy.png)
## UDiag
The UDiag tool applies rules to Event Tracing for Windows (ETW) files to help determine the root cause of an issue.
(download UDiag)
To analyze MDMDiagReport.xml using UDiag
1. Open UDiag, and select Device Management.
2. Select your source for the log files ("cab of logs" or "directory of logs")
Investigating log content, identifying patterns, and adding a root cause analysis to the database (Advanced users/providers)
1. While at the 'Root Causes List' panel, click the 'Diagnose' button at the bottom.
2. You will then be brought to the Diagnosis panel where you can investigate and tag root causes from the content
- Evidence Groups: When a set of logs are loaded into UDiag, the contents are processed (e.g. ETW) and organized into evidence groups.
- Decision Tree View: This view shows the loaded decision tree for the current topic/topic area. When a decision node is selected, a user can modify the regular expression and add/edit/delete an RCA for that node. Any RCA matches found in the current log set will have an 'RCA' label that is either Red or Yellow.
- Evidence View: Selecting an evidence group loads its content into this evidence view. Use this view to investigate issues and determine root causes. Drag and drop lines from the Evidence View into the Decision Tree View, to build your root cause analysis pattern. ([Learn more about techniques for root cause analysis.](https://technet.microsoft.com/en-us/library/cc543298.aspx))
Can admin pull logs without user action? [DK] Yes via the diagnostic log CSP
"Run PowerShell script to process the file" is that the user doing it? How can this workflow work in an enterprise where employees aren't computer-savvy? [DK] This is intended to be done by the help desk guy.
Where did (user|admin) get mdmReportGenerator.ps1? [DK] Publishing on DLC later this summer
In Viewing the report, how does the admin make sense of the source GUIDs? [DK] Correlates the value in the table with the entries at the top of the page.
UDiag where does admin get this? [DK] Publishing on DLC later this summer
Can admins create custom rule sets? [DK] Right now, no. but open to feedback on this.
Link to [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/en-us/library/windows/hardware/mt632120%28v=vs.85%29.aspx)
[Diagnostics capability for devices managed by any MDM provider.](https://microsoft.sharepoint.com/teams/osg_core_ens/mgmt/OSMan Wiki/MDM Diagnostics - Generating and Processing Log files.aspx)
[Redstone spec](https://microsoft.sharepoint.com/teams/specstore/_layouts/15/WopiFrame.aspx?sourcedoc=%7b7E8742A2-03A1-451C-BA07-F2573B044CBF%7d&file=DM%20-%20MDM%20Diagnostics-RS.docx&action=default&DefaultItemOpen=1)
## Related topics
[DiagnosticLog CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt219118.aspx)
[Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/en-us/library/windows/hardware/mt632120.aspx)
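Review bot: deleting this file outright is the right call, since it still carried unresolved author notes ("(which SKUs?)", the "[DK]" question-and-answer lines) and two links to internal SharePoint sites, none of which belongs in a published page. Confirm that the deletion is intentional rather than a lost move, though: the public parts (the "Export your management log files" steps, the report script workflow) have no replacement elsewhere in this merge, and the "DiagnosticLog CSP" and "Diagnose MDM failures in Windows 10" references under Related topics were the only public links in it.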

View File

@ -15,8 +15,8 @@ author: jdeckerMS
- Windows 10 - Windows 10
> [!WARNING] > [!NOTE]
> When a mandatory profile is applied to a PC running Windows 10, some features such as Universal Windows Platform (UWP) apps, the Start menu, Cortana, and Search, will not work correctly. This will be fixed in a future update. > When a mandatory profile is applied to a PC running Windows 10, version 1511, some features such as Universal Windows Platform (UWP) apps, the Start menu, Cortana, and Search, will not work correctly. This will be fixed in a future update.
A mandatory user profile is a roaming user profile that has been pre-configured by an administrators to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned. A mandatory user profile is a roaming user profile that has been pre-configured by an administrators to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned.
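Review bot: downgrading the callout from `[!WARNING]` to `[!NOTE]` and scoping it to "version 1511" makes the trailing sentence stale: "This will be fixed in a future update" no longer fits a note that now applies only to one released version. Either state which version resolves it, if that is known, or drop the forward-looking sentence. In the unchanged line below, "pre-configured by an administrators" should be "by an administrator".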
@ -40,7 +40,7 @@ The name of the folder in which you store the mandatory profile must use the cor
| Windows 10, versions 1507 and 1511 | Windows Server 2016 | v5 | | Windows 10, versions 1507 and 1511 | Windows Server 2016 | v5 |
| Windows 10, version 1607 (also known as the Anniversary Update) | N/A | v6 | | Windows 10, version 1607 (also known as the Anniversary Update) | N/A | v6 |
For more information, see [Deploy Roaming User Profiles, Appendix B](https://technet.microsoft.com/library/jj649079.aspx) and [Roaming user profiles versioning in Windows 10 and Windows Server Technical Preview](https://support.microsoft.com/en-us/kb/3056198). For more information, see [Deploy Roaming User Profiles, Appendix B](https://technet.microsoft.com/library/jj649079.aspx) and [Roaming user profiles versioning in Windows 10 and Windows Server Technical Preview](https://support.microsoft.com/kb/3056198).
## How to create a mandatory user profile ## How to create a mandatory user profile
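Review bot: the only change here strips the `en-us` locale from the support.microsoft.com link, which is fine, but please check the table rows in the context: they pair Windows Server 2016 with Windows 10 versions 1507 and 1511 at profile version v5, while the other file in this merge (the Credential Guard page) treats Windows Server 2016 and Windows 10, version 1607 as the same release wave, and 1607 is listed here at v6. Confirm the Server 2016 cell against the Appendix B link before publishing.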
@ -58,7 +58,7 @@ First, you create a default user profile with the customizations that you want,
>[!NOTE] >[!NOTE]
>Unlike previous versions of Windows, you cannot apply a Start and taskbar layout using a mandatory profile. For alternative methods for customizing the Start menu and taskbar, see [Related topics](#related-topics). >Unlike previous versions of Windows, you cannot apply a Start and taskbar layout using a mandatory profile. For alternative methods for customizing the Start menu and taskbar, see [Related topics](#related-topics).
3. [Create an answer file (Unattend.xml)](https://msdn.microsoft.com/en-us/library/windows/hardware/dn915085.aspx) that sets the [CopyProfile](https://msdn.microsoft.com/en-us/library/windows/hardware/dn922656.aspx) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on users profile folder to the default user profile. You can use [Windows System Image Manager](https://msdn.microsoft.com/en-us/library/windows/hardware/dn922445.aspx), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file. 3. [Create an answer file (Unattend.xml)](https://msdn.microsoft.com/library/windows/hardware/dn915085.aspx) that sets the [CopyProfile](https://msdn.microsoft.com/library/windows/hardware/dn922656.aspx) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on users profile folder to the default user profile. You can use [Windows System Image Manager](https://msdn.microsoft.com/library/windows/hardware/dn922445.aspx), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file.
3. Use the [Remove-AppxProvisionedPackage](https://technet.microsoft.com/library/dn376476%28v=wps.620%29.aspx) cmdlet in Windows PowerShell to uninstall the following applications: 3. Use the [Remove-AppxProvisionedPackage](https://technet.microsoft.com/library/dn376476%28v=wps.620%29.aspx) cmdlet in Windows PowerShell to uninstall the following applications:
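Review bot: the two steps in this hunk are both numbered "3."; the Remove-AppxProvisionedPackage step that follows the Unattend.xml step should be "4." (and anything after it renumbered). While editing the Unattend.xml line, "currently signed-on users profile folder" wants the possessive, "user's profile folder".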

View File

@ -47,14 +47,14 @@ With Windows Update for Business, you can set a device to be on either the Curre
## Configure when devices receive Feature Updates ## Configure when devices receive Feature Updates
After you configure the servicing branch (CB or CBB), you can then define if, and for how long, you would like to defer receiving Feature Updates following their availability from Microsoft on Windows Update. You can defer receiving these Feature Updates for a period of 180 days from their release by setting the `DeferFeatureUpdatePeriodinDays` value. After you configure the servicing branch (CB or CBB), you can then define if, and for how long, you would like to defer receiving Feature Updates following their availability from Microsoft on Windows Update. You can defer receiving these Feature Updates for a period of 180 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value.
**Examples** **Examples**
| Settings | Scenario and behavior | | Settings | Scenario and behavior |
| --- | --- | | --- | --- |
| Device is on CB</br>DeferFeatureUpdatePeriodinDays=30 | Feature Update X is first publically available on Windows Update as a CB in January. Device will not receive update until February, 30 days later. | | Device is on CB</br>DeferFeatureUpdatesPeriodinDays=30 | Feature Update X is first publically available on Windows Update as a CB in January. Device will not receive update until February, 30 days later. |
| Device is on CBB</br>DeferFeatureUpdatePeriodinDays=30 | Feature Update X is first publically available on Windows Update as a CB in January. Four months later, in April, Feature Update X is released to CBB. Device will receive the Feature Update 30 days following this CBB release and will update in May. | | Device is on CBB</br>DeferFeatureUpdatesPeriodinDays=30 | Feature Update X is first publically available on Windows Update as a CB in January. Four months later, in April, Feature Update X is released to CBB. Device will receive the Feature Update 30 days following this CBB release and will update in May. |
</br></br> </br></br>
**Defer Feature Updates policies** **Defer Feature Updates policies**
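Review bot: the rename to `DeferFeatureUpdatesPeriodinDays` is applied consistently across the prose and both example rows, but the sentence still says you can defer "for a period of 180 days", which reads as a fixed value; it should be "for a period of up to 180 days" to match "up to 35 days" in the Quality Updates section of the same file. The example rows also spell "publically" in both the old and new text; it is "publicly".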
@ -63,7 +63,7 @@ After you configure the servicing branch (CB or CBB), you can then define if, an
| --- | --- | | --- | --- |
| GPO for version 1607: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdates</br>\Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdatesPeriodInDays | | GPO for version 1607: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdates</br>\Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdatesPeriodInDays |
| GPO for version 1511: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgradePeriod | | GPO for version 1511: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgradePeriod |
| MDM for version 1607: </br>../Vendor/MSFT/Policy/Config/Update/</br>**DeferFeatureUpdatePeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays | | MDM for version 1607: </br>../Vendor/MSFT/Policy/Config/Update/</br>**DeferFeatureUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays |
| MDM for version 1511: </br>../Vendor/MSFT/Policy/Config/Update/</br>**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade | | MDM for version 1511: </br>../Vendor/MSFT/Policy/Config/Update/</br>**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade |
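Review bot: the bolded MDM node is changed to `DeferFeatureUpdatesPeriodInDays` (capital I), whereas the prose and examples above in this file use `DeferFeatureUpdatesPeriodinDays` (lowercase i) for what is meant to be the same setting. Pick one casing for the page, and prefer the form used in the MDM node path, since that is what admins will copy.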
@ -94,7 +94,7 @@ The local group policy editor (GPEdit.msc) will not reflect if your Feature Upda
## Configure when devices receive Quality Updates ## Configure when devices receive Quality Updates
Quality Updates are typically published the first Tuesday of every month, though can be released at any time by Microsoft. You can define if, and for how long, you would like to defer receiving Quality Updates following their availability. You can defer receiving these Quality Updates for a period of up to 35 days from their release by setting the **DeferQualityUpdatePeriodinDays** value. Quality Updates are typically published the first Tuesday of every month, though can be released at any time by Microsoft. You can define if, and for how long, you would like to defer receiving Quality Updates following their availability. You can defer receiving these Quality Updates for a period of up to 35 days from their release by setting the **DeferQualityUpdatesPeriodinDays** value.
You can set your system to receive updates for other Microsoft products—known as Microsoft Updates (such as Microsoft Office, Visual Studio)—along with Windows Updates by setting the **AllowMUUpdateService** policy. When this is done, these Microsoft Updates will follow the same deferral and pause rules as all other Quality Updates. You can set your system to receive updates for other Microsoft products—known as Microsoft Updates (such as Microsoft Office, Visual Studio)—along with Windows Updates by setting the **AllowMUUpdateService** policy. When this is done, these Microsoft Updates will follow the same deferral and pause rules as all other Quality Updates.
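Review bot: the unchanged first sentence of this hunk says Quality Updates "are typically published the first Tuesday of every month"; the regular monthly release is the second Tuesday of the month. Since the paragraph is being edited for the `DeferQualityUpdatesPeriodinDays` rename anyway, fix the day as well.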

View File

@ -49,7 +49,7 @@ To defer the update period or pause deferrals, the device must be configured for
Only the following Windows Update for Business policies are supported: Only the following Windows Update for Business policies are supported:
- ../Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel - ../Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel
- ../Vendor/MSFT/Policy/Config/Update/DeferQualityUpdateInDays - ../Vendor/MSFT/Policy/Config/Update/DeferQualityUpdatesInDays
- ../Vendor/MSFT/Policy/Config/Update/PauseQualityUpdates - ../Vendor/MSFT/Policy/Config/Update/PauseQualityUpdates
In version 1607, you can defer and pause updates for devices on both the CB and CBB servicing branches. In version 1607, you can defer and pause updates for devices on both the CB and CBB servicing branches.
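Review bot: the renamed node `../Vendor/MSFT/Policy/Config/Update/DeferQualityUpdatesInDays` does not match the name used elsewhere in this same merge: the Windows Update for Business page refers to the setting as `DeferQualityUpdatesPeriodinDays`, and its feature-update counterpart is `DeferFeatureUpdatesPeriodInDays`. The missing "Period" looks like an incomplete rename; suggest `DeferQualityUpdatesPeriodInDays` here so both pages name the same policy.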

View File

@ -79,7 +79,7 @@ In Windows 10, rather than receiving several updates for a single machine each m
## Servicing branches ## Servicing branches
To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing branches to allow customers to designate how aggressively their individual machines are updated. For example, an organization may have test machines that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers three servicing branches for Windows 10: Current Branch (CB), Current Branch for Business (CBB), and Long-Term Servicing Branch (LTSB). In addition, the Windows Insider Program provides IT pros and other interested parties with prerelease Windows builds that they can test and ultimately provide feedback on to Microsoft. To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing branches to allow customers to designate how aggressively their individual machines are updated. For example, an organization may have test machines that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers three servicing branches for Windows 10: Current Branch (CB), Current Branch for Business (CBB), and Long-Term Servicing Branch (LTSB). In addition, the Windows Insider Program provides IT pros and other interested parties with prerelease Windows builds that they can test and ultimately provide feedback on to Microsoft. For details about the versions in each servicing branch, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx).
The concept of servicing branches is new, but organizations can use the same management tools they used to manage updates and upgrades in previous versions of Windows. For more information about the servicing tool options for Windows 10 and their capabilities, see [Servicing tools](#servicing-tools). The concept of servicing branches is new, but organizations can use the same management tools they used to manage updates and upgrades in previous versions of Windows. For more information about the servicing tool options for Windows 10 and their capabilities, see [Servicing tools](#servicing-tools).