From 3b4c02651c7e9f1a46f0710e3653003d5eb69495 Mon Sep 17 00:00:00 2001 From: Ed Gallagher Date: Tue, 18 Dec 2018 09:27:11 -0600 Subject: [PATCH 1/7] Updated topic for Server 2019 Added Server 2019 info. Added TPM management console deprecation info. Clarifies supported version table. --- .../tpm/trusted-platform-module-overview.md | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md index 9b287bed8c..01ca431ef2 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md @@ -17,6 +17,7 @@ ms.date: 11/29/2018 **Applies to** - Windows 10 - Windows Server 2016 +- Windows Server 2019 This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. @@ -38,7 +39,7 @@ Different versions of the TPM are defined in specifications by the Trusted Compu ### Automatic initialization of the TPM with Windows 10 -Starting with Windows 10, the operating system automatically initializes and takes ownership of the TPM. This means that in most cases, we recommend that you avoid configuring the TPM through the TPM management console, **TPM.msc**. There are a few exceptions, mostly related to resetting or performing a clean installation on a PC. For more information, see [Clear all the keys from the TPM](initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm). +Starting with Windows 10, the operating system automatically initializes and takes ownership of the TPM. This means that in most cases, we recommend that you avoid configuring the TPM through the TPM management console, **TPM.msc**. There are a few exceptions, mostly related to resetting or performing a clean installation on a PC. For more information, see [Clear all the keys from the TPM](initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm). The TPM management console has been deprecated beginning with Windows Server 2019 and Windows 10, version 1809. In certain specific enterprise scenarios limited to Windows 10, versions 1507 and 1511, Group Policy might be used to back up the TPM owner authorization value in Active Directory. Because the TPM state persists across operating system installations, this TPM information is stored in a location in Active Directory that is separate from computer objects. @@ -69,14 +70,14 @@ Some things that you can check on the device are: - Is SecureBoot supported and enabled? > [!NOTE] -> Windows 10 and Windows Server 2016 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1). TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected. +> Windows 10, Windows Server 2016 and Windows server 2019 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1). TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected. ## Supported versions for device health attestation -| TPM version | Windows 10 | Windows Server 2016 | -|-------------|-------------|---------------------| -| TPM 1.2 | >= ver 1607 | >= ver 1607 | -| TPM 2.0 | X | X | +| TPM version | Windows 10 | Windows Server 2016 | Windows Server 2019 | +|-------------|-------------|---------------------|---------------------| +| TPM 1.2 | >= ver 1607 | >= ver 1607 | Yes | +| TPM 2.0 | Yes | Yes | Yes | ## Related topics From 6668fd6b9a10b7813b84cf3a33fc390c6016b8d2 Mon Sep 17 00:00:00 2001 From: Liza Poggemeyer Date: Tue, 18 Dec 2018 15:27:33 -0800 Subject: [PATCH 2/7] Changed "deprecated" language Changed language about deprecation and added link to deprecation announce. We try to say "no longer developing" instead of "deprecated," because there's a lot of confusion over exactly what that word means. Thanks! --- .../tpm/trusted-platform-module-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md index 01ca431ef2..1b2b769c35 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md @@ -39,7 +39,7 @@ Different versions of the TPM are defined in specifications by the Trusted Compu ### Automatic initialization of the TPM with Windows 10 -Starting with Windows 10, the operating system automatically initializes and takes ownership of the TPM. This means that in most cases, we recommend that you avoid configuring the TPM through the TPM management console, **TPM.msc**. There are a few exceptions, mostly related to resetting or performing a clean installation on a PC. For more information, see [Clear all the keys from the TPM](initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm). The TPM management console has been deprecated beginning with Windows Server 2019 and Windows 10, version 1809. +Starting with Windows 10, the operating system automatically initializes and takes ownership of the TPM. This means that in most cases, we recommend that you avoid configuring the TPM through the TPM management console, **TPM.msc**. There are a few exceptions, mostly related to resetting or performing a clean installation on a PC. For more information, see [Clear all the keys from the TPM](initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm). We're [no longer actively developing the TPM management console](https://docs.microsoft.com/windows-server/get-started-19/removed-features-19#features-were-no-longer-developing) beginning with Windows Server 2019 and Windows 10, version 1809. In certain specific enterprise scenarios limited to Windows 10, versions 1507 and 1511, Group Policy might be used to back up the TPM owner authorization value in Active Directory. Because the TPM state persists across operating system installations, this TPM information is stored in a location in Active Directory that is separate from computer objects. From 07b9cff28304a00dd0338c6ecfb539f2c18c4f1e Mon Sep 17 00:00:00 2001 From: Liza Poggemeyer Date: Wed, 19 Dec 2018 18:18:02 +0000 Subject: [PATCH 3/7] Merged PR 13472: broken video link broken video link --- windows/client-management/troubleshoot-stop-errors.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/windows/client-management/troubleshoot-stop-errors.md b/windows/client-management/troubleshoot-stop-errors.md index 1ec7b52b6a..1ab9a027c6 100644 --- a/windows/client-management/troubleshoot-stop-errors.md +++ b/windows/client-management/troubleshoot-stop-errors.md @@ -8,7 +8,7 @@ ms.topic: troubleshooting author: kaushika-msft ms.localizationpriority: medium ms.author: kaushika -ms.date: 11/30/2018 +ms.date: 12/19/2018 --- # Advanced troubleshooting for Stop error or blue screen error issue @@ -101,8 +101,7 @@ The memory dump file is saved at the following locations. You can use the Microsoft DumpChk (Crash Dump File Checker) tool to verify that the memory dump files are not corrupted or invalid. For more information, see the following video: ->[!video https://www.youtube.com/watch?v=xN7tOfgNKag&feature=youtu.be] - +>[!video https://www.youtube.com/embed/xN7tOfgNKag] More information on how to use Dumpchk.exe to check your dump files: From e8592666fac7763b51ff8326a67984b0305e3526 Mon Sep 17 00:00:00 2001 From: Liza Poggemeyer Date: Wed, 19 Dec 2018 10:40:47 -0800 Subject: [PATCH 4/7] Added new podcast link --- windows/deployment/update/windows-as-a-service.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/deployment/update/windows-as-a-service.md b/windows/deployment/update/windows-as-a-service.md index 2864e9cf63..dfa02dd117 100644 --- a/windows/deployment/update/windows-as-a-service.md +++ b/windows/deployment/update/windows-as-a-service.md @@ -25,6 +25,7 @@ Windows 10 is the most secure version of Windows yet. Learn what updates we rele The latest news:
    +
  • Modern Desktop Podcast - Episode 001 – Windows 10 Monthly Quality Updates - December 18, 2018
  • Measuring Delivery Optimization and its impact to your network - December 13, 2018
  • LTSC: What is it, and when should it be used? - November 29, 2018
  • Local Experience Packs: What are they and when should you use them? - November 14, 2018
    • @@ -134,4 +135,4 @@ Looking to learn more? These informative session replays from Microsoft Ignite 2 [THR2234: Windows servicing and delivery fundamentals](https://myignite.techcommunity.microsoft.com/sessions/66741#ignite-html-anchor) -[THR3006: The pros and cons of LTSC in the enterprise](https://myignite.techcommunity.microsoft.com/sessions/64512#ignite-html-anchor) \ No newline at end of file +[THR3006: The pros and cons of LTSC in the enterprise](https://myignite.techcommunity.microsoft.com/sessions/64512#ignite-html-anchor) From 2057377f8efe7dcda50778f6123cd5f9c6daeb6d Mon Sep 17 00:00:00 2001 From: Nathan ziehnert Date: Wed, 19 Dec 2018 11:45:19 -0700 Subject: [PATCH 5/7] Update docs linke for TPM Owner Password --- mdop/mbam-v25/mbam-25-security-considerations.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/mdop/mbam-v25/mbam-25-security-considerations.md b/mdop/mbam-v25/mbam-25-security-considerations.md index 76a6a6c45c..011495b9e5 100644 --- a/mdop/mbam-v25/mbam-25-security-considerations.md +++ b/mdop/mbam-v25/mbam-25-security-considerations.md @@ -32,7 +32,7 @@ This topic contains the following information about how to secure Microsoft BitL ## Configure MBAM to escrow the TPM and store OwnerAuth passwords -**Note** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addition, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](https://technet.microsoft.com/itpro/windows/keep-secure/change-the-tpm-owner-password) for further details. +**Note** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addition, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/change-the-tpm-owner-password) for further details. Depending on its configuration, the Trusted Platform Module (TPM) will lock itself in certain situations ─ such as when too many incorrect passwords are entered ─ and can remain locked for a period of time. During TPM lockout, BitLocker cannot access the encryption keys to perform unlock or decryption operations, requiring the user to enter their BitLocker recovery key to access the operating system drive. To reset TPM lockout, you must provide the TPM OwnerAuth password. @@ -40,7 +40,7 @@ MBAM can store the TPM OwnerAuth password in the MBAM database if it owns the TP ### Escrowing TPM OwnerAuth in Windows 8 and higher -**Note** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](https://technet.microsoft.com/itpro/windows/keep-secure/change-the-tpm-owner-password) for further details. +**Note** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/change-the-tpm-owner-password) for further details. In Windows 8 or higher, MBAM no longer must own the TPM to store the OwnerAuth password, as long as the OwnerAuth is available on the local machine. From 3545db834f60eb5d818ce9dffe1d51dcdd873b26 Mon Sep 17 00:00:00 2001 From: Liza Poggemeyer Date: Wed, 19 Dec 2018 10:54:14 -0800 Subject: [PATCH 6/7] Added new link --- windows/deployment/update/windows-as-a-service.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/deployment/update/windows-as-a-service.md b/windows/deployment/update/windows-as-a-service.md index dfa02dd117..1667e19851 100644 --- a/windows/deployment/update/windows-as-a-service.md +++ b/windows/deployment/update/windows-as-a-service.md @@ -6,7 +6,7 @@ ms.topic: landing-page ms.manager: elizapo author: lizap ms.author: elizapo -ms.date: 12/12/2018 +ms.date: 12/19/2018 ms.localizationpriority: high --- # Windows as a service @@ -25,6 +25,7 @@ Windows 10 is the most secure version of Windows yet. Learn what updates we rele The latest news:
      +
    • Driver quality in the Windows ecosystem - December 19, 2018
    • Modern Desktop Podcast - Episode 001 – Windows 10 Monthly Quality Updates - December 18, 2018
    • Measuring Delivery Optimization and its impact to your network - December 13, 2018
    • LTSC: What is it, and when should it be used? - November 29, 2018
      • From 9d8452460a2815b107bf2042a406a0eb4b7ec23e Mon Sep 17 00:00:00 2001 From: Liza Poggemeyer Date: Wed, 19 Dec 2018 11:16:45 -0800 Subject: [PATCH 7/7] Removed locales from article links --- mdop/mbam-v25/mbam-25-security-considerations.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/mdop/mbam-v25/mbam-25-security-considerations.md b/mdop/mbam-v25/mbam-25-security-considerations.md index 011495b9e5..37c627b035 100644 --- a/mdop/mbam-v25/mbam-25-security-considerations.md +++ b/mdop/mbam-v25/mbam-25-security-considerations.md @@ -32,7 +32,7 @@ This topic contains the following information about how to secure Microsoft BitL ## Configure MBAM to escrow the TPM and store OwnerAuth passwords -**Note** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addition, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/change-the-tpm-owner-password) for further details. +**Note** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addition, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](https://docs.microsoft.com/windows/security/information-protection/tpm/change-the-tpm-owner-password) for further details. Depending on its configuration, the Trusted Platform Module (TPM) will lock itself in certain situations ─ such as when too many incorrect passwords are entered ─ and can remain locked for a period of time. During TPM lockout, BitLocker cannot access the encryption keys to perform unlock or decryption operations, requiring the user to enter their BitLocker recovery key to access the operating system drive. To reset TPM lockout, you must provide the TPM OwnerAuth password. @@ -40,7 +40,7 @@ MBAM can store the TPM OwnerAuth password in the MBAM database if it owns the TP ### Escrowing TPM OwnerAuth in Windows 8 and higher -**Note** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/change-the-tpm-owner-password) for further details. +**Note** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](https://docs.microsoft.com/windows/security/information-protection/tpm/change-the-tpm-owner-password) for further details. In Windows 8 or higher, MBAM no longer must own the TPM to store the OwnerAuth password, as long as the OwnerAuth is available on the local machine.