From e8b352ef686b7df8c6af773b737a1d71d691df9f Mon Sep 17 00:00:00 2001 From: kevincol Date: Fri, 4 Oct 2019 17:57:38 -0700 Subject: [PATCH 01/36] Update hololens-calibration.md --- devices/hololens/hololens-calibration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/hololens/hololens-calibration.md b/devices/hololens/hololens-calibration.md index 1296d0f4bd..a593ff68d5 100644 --- a/devices/hololens/hololens-calibration.md +++ b/devices/hololens/hololens-calibration.md @@ -97,7 +97,7 @@ You can also disable the calibration prompt by following these steps: 1. Turn off **When a new person uses this HoloLens, automatically ask to run eye calibration**. > [!IMPORTANT] -> Please understand that this setting may adversely affect hologram rendering quality and comfort. +> Please understand that this setting may adversely affect hologram rendering quality and comfort. If there is an immersive application that is using eye tracking, for instance text scrolling, then that feature will no longer work. ### HoloLens 2 eye-tracking technology From 8c3735fb936d3299c212fa5934f15e7a88bb830e Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Tue, 15 Oct 2019 09:48:32 -0700 Subject: [PATCH 02/36] Update hololens-calibration.md minor edits and including Teresa's change --- devices/hololens/hololens-calibration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/hololens/hololens-calibration.md b/devices/hololens/hololens-calibration.md index a593ff68d5..f867bf325c 100644 --- a/devices/hololens/hololens-calibration.md +++ b/devices/hololens/hololens-calibration.md @@ -97,7 +97,7 @@ You can also disable the calibration prompt by following these steps: 1. Turn off **When a new person uses this HoloLens, automatically ask to run eye calibration**. > [!IMPORTANT] -> Please understand that this setting may adversely affect hologram rendering quality and comfort. If there is an immersive application that is using eye tracking, for instance text scrolling, then that feature will no longer work. +> This setting may adversely affect hologram rendering quality and comfort. When you turn off this setting, features that depend on eye tracking (such as text scrolling) no longer work in immersive applications. ### HoloLens 2 eye-tracking technology From 835c65f895bbcdb08cb374e635f5e2647d9215f6 Mon Sep 17 00:00:00 2001 From: DanPandre <54847950+DanPandre@users.noreply.github.com> Date: Tue, 12 Nov 2019 10:01:40 -0500 Subject: [PATCH 03/36] Clarify impacts of Intune auto-enrollment --- devices/surface-hub/surface-hub-2s-manage-intune.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface-hub/surface-hub-2s-manage-intune.md b/devices/surface-hub/surface-hub-2s-manage-intune.md index e71d37def0..dc071e3753 100644 --- a/devices/surface-hub/surface-hub-2s-manage-intune.md +++ b/devices/surface-hub/surface-hub-2s-manage-intune.md @@ -28,7 +28,7 @@ Surface Hub 2S allows IT administrators to manage settings and policies using a ### Auto registration — Azure Active Directory Affiliated -When affiliating Surface Hub 2S with a tenant that has Intune auto enrollment enabled, the device will automatically enroll with Intune. For more information, refer to [Intune enrollment methods for Windows devices](https://docs.microsoft.com/intune/enrollment/windows-enrollment-methods). +During the initial setup process, when choosing to affiliate with an Azure AD tenant that has Intune auto enrollment enabled, the device will automatically enroll with Intune. For more information, refer to [Intune enrollment methods for Windows devices](https://docs.microsoft.com/intune/enrollment/windows-enrollment-methods). Azure AD affiliation and Intune auto enrollment is required for the Surface Hub to be a "compliant device" in Intune. ## Windows 10 Team Edition settings From 42cf908bdd60cb05a92587fc38239adf285a8666 Mon Sep 17 00:00:00 2001 From: DanPandre <54847950+DanPandre@users.noreply.github.com> Date: Wed, 13 Nov 2019 09:25:49 -0500 Subject: [PATCH 04/36] Made language closer to original --- devices/surface-hub/surface-hub-2s-manage-intune.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface-hub/surface-hub-2s-manage-intune.md b/devices/surface-hub/surface-hub-2s-manage-intune.md index dc071e3753..d17fc2dfb1 100644 --- a/devices/surface-hub/surface-hub-2s-manage-intune.md +++ b/devices/surface-hub/surface-hub-2s-manage-intune.md @@ -28,7 +28,7 @@ Surface Hub 2S allows IT administrators to manage settings and policies using a ### Auto registration — Azure Active Directory Affiliated -During the initial setup process, when choosing to affiliate with an Azure AD tenant that has Intune auto enrollment enabled, the device will automatically enroll with Intune. For more information, refer to [Intune enrollment methods for Windows devices](https://docs.microsoft.com/intune/enrollment/windows-enrollment-methods). Azure AD affiliation and Intune auto enrollment is required for the Surface Hub to be a "compliant device" in Intune. +During the initial setup process, when affiliating a Surface Hub with an Azure AD tenant that has Intune auto enrollment enabled, the device will automatically enroll with Intune. For more information, refer to [Intune enrollment methods for Windows devices](https://docs.microsoft.com/intune/enrollment/windows-enrollment-methods). Azure AD affiliation and Intune auto enrollment is required for the Surface Hub to be a "compliant device" in Intune. ## Windows 10 Team Edition settings From 26b785174460fe100b5a1d5a6c21585c4232ddc2 Mon Sep 17 00:00:00 2001 From: Jose Ortega Date: Wed, 4 Dec 2019 14:27:15 -0600 Subject: [PATCH 05/36] New Note added from #5469 --- .../threat-protection/microsoft-defender-atp/live-response.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response.md b/windows/security/threat-protection/microsoft-defender-atp/live-response.md index 151cc9a4d1..1493afdbfe 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/live-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/live-response.md @@ -50,6 +50,10 @@ You'll need to enable the live response capability in the [Advanced features set >[!WARNING] >Allowing the use of unsigned scripts may increase your exposure to threats. + + > [!ÏMPORTNAT] + > The current implementation of the Live Response within Defender ATP the option "Upload file to library" button function is not available to those with only delegated permissions via DATP/RBAC roles. + Running unsigned scripts is generally not recommended as it can increase your exposure to threats. If you must use them however, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page. - **Ensure that you have the appropriate permissions**
From 42cc42f33a6ef5c5b13e5d1562b6ff8600f2a4f9 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 4 Dec 2019 12:54:03 -0800 Subject: [PATCH 06/36] Update live-response.md --- .../threat-protection/microsoft-defender-atp/live-response.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response.md b/windows/security/threat-protection/microsoft-defender-atp/live-response.md index 1493afdbfe..afa98aa766 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/live-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/live-response.md @@ -51,7 +51,7 @@ You'll need to enable the live response capability in the [Advanced features set >Allowing the use of unsigned scripts may increase your exposure to threats. - > [!ÏMPORTNAT] + > [!ÏMPORTANT] > The current implementation of the Live Response within Defender ATP the option "Upload file to library" button function is not available to those with only delegated permissions via DATP/RBAC roles. Running unsigned scripts is generally not recommended as it can increase your exposure to threats. If you must use them however, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page. From a271cb85322b4eae59e96fd33cd68d5e3d8b3f82 Mon Sep 17 00:00:00 2001 From: Jose Ortega Date: Wed, 4 Dec 2019 15:30:16 -0600 Subject: [PATCH 07/36] Suggestion taken --- .../threat-protection/microsoft-defender-atp/live-response.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response.md b/windows/security/threat-protection/microsoft-defender-atp/live-response.md index 1493afdbfe..3c64fbaaa4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/live-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/live-response.md @@ -52,7 +52,7 @@ You'll need to enable the live response capability in the [Advanced features set > [!ÏMPORTNAT] - > The current implementation of the Live Response within Defender ATP the option "Upload file to library" button function is not available to those with only delegated permissions via DATP/RBAC roles. + > The option to upload a file to the library is only available to those with the appropriate RBAC permissions. The button is greyed out for users with only delegated permissions. Running unsigned scripts is generally not recommended as it can increase your exposure to threats. If you must use them however, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page. From b0566d36e499f118cd7a71e85598c26cea5b9fbe Mon Sep 17 00:00:00 2001 From: Jose Ortega Date: Wed, 4 Dec 2019 15:33:11 -0600 Subject: [PATCH 08/36] Suggestion taken --- .../threat-protection/microsoft-defender-atp/live-response.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response.md b/windows/security/threat-protection/microsoft-defender-atp/live-response.md index afa98aa766..2c8fd39528 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/live-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/live-response.md @@ -52,7 +52,7 @@ You'll need to enable the live response capability in the [Advanced features set > [!ÏMPORTANT] - > The current implementation of the Live Response within Defender ATP the option "Upload file to library" button function is not available to those with only delegated permissions via DATP/RBAC roles. + > The option to upload a file to the library is only available to those with the appropriate RBAC permissions. The button is greyed out for users with only delegated permissions. Running unsigned scripts is generally not recommended as it can increase your exposure to threats. If you must use them however, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page. From 28b3ebaddf6cdc56fa11c932a9233cac2e174d1a Mon Sep 17 00:00:00 2001 From: Jose Gabriel Ortega Castro Date: Thu, 5 Dec 2019 10:31:52 -0600 Subject: [PATCH 09/36] Update windows/security/threat-protection/microsoft-defender-atp/live-response.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../threat-protection/microsoft-defender-atp/live-response.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response.md b/windows/security/threat-protection/microsoft-defender-atp/live-response.md index 2c8fd39528..0b762a0b99 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/live-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/live-response.md @@ -51,7 +51,7 @@ You'll need to enable the live response capability in the [Advanced features set >Allowing the use of unsigned scripts may increase your exposure to threats. - > [!ÏMPORTANT] + > [!IMPORTANT] > The option to upload a file to the library is only available to those with the appropriate RBAC permissions. The button is greyed out for users with only delegated permissions. Running unsigned scripts is generally not recommended as it can increase your exposure to threats. If you must use them however, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page. @@ -254,4 +254,3 @@ Each command is tracked with full details such as: - From 4bad6d069f5f0bdcc27e54b5b11ddfbf53ff804a Mon Sep 17 00:00:00 2001 From: Todd Lyon <19413953+tmlyon@users.noreply.github.com> Date: Tue, 10 Dec 2019 16:55:32 -0800 Subject: [PATCH 10/36] Update hololens-cortana.md Updated phrasing for follow and microphone button to resolve some localization issues with the voice commands. --- devices/hololens/hololens-cortana.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/devices/hololens/hololens-cortana.md b/devices/hololens/hololens-cortana.md index 0729485e7d..d7ca664169 100644 --- a/devices/hololens/hololens-cortana.md +++ b/devices/hololens/hololens-cortana.md @@ -56,7 +56,7 @@ To use these commands, gaze at a 3D object, hologram, or app window. | "Face me" | Turn it to face you | | "Move this" | Move it (follow your gaze) | | "Close" | Close it | -| "Follow" / "Stop following" | Make it follow you as you move around | +| "Follow me" / "Stop following" | Make it follow you as you move around | ### See it, say it @@ -64,7 +64,7 @@ Many buttons and other elements on HoloLens also respond to your voice—for exa ### Dictation mode -Tired of typing? Switch to dictation mode any time that the holographic keyboard is active. To get started, select the microphone icon or say "Start dictating." To stop dictating, select **Done** or say "Stop dictating." To delete what you just dictated, say "Delete that." +Tired of typing? Switch to dictation mode any time that the holographic keyboard is active. To get started, select the microphone button or say "Start dictating." To stop dictating, select the button again or say "Stop dictating." To delete what you just dictated, say "Delete that." > [!NOTE] > To use dictation mode, you have to have an internet connection. From 1fd9c5a9cd785ff6314c71a848dcd1c11a37d1be Mon Sep 17 00:00:00 2001 From: Deland-Han Date: Wed, 11 Dec 2019 11:25:46 +0800 Subject: [PATCH 11/36] finish --- devices/surface-hub/TOC.md | 2 ++ devices/surface-hub/index.md | 1 - 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md index c0de52de12..59d2d76a0d 100644 --- a/devices/surface-hub/TOC.md +++ b/devices/surface-hub/TOC.md @@ -7,6 +7,7 @@ ### [Surface Hub 2S tech specs](surface-hub-2s-techspecs.md) ### [Operating system essentials (Surface Hub)](differences-between-surface-hub-and-windows-10-enterprise.md) ### [Adjust Surface Hub 2S brightness, volume, and input](surface-hub-2s-onscreen-display.md) +### [Use Microsoft Whiteboard on a Surface Hub](https://support.office.com/article/use-microsoft-whiteboard-on-a-surface-hub-5c594985-129d-43f9-ace5-7dee96f7621d) ## Plan ### [Surface Hub 2S Site Readiness Guide](surface-hub-2s-site-readiness-guide.md) @@ -58,6 +59,7 @@ ### [Operating system essentials (Surface Hub)](differences-between-surface-hub-and-windows-10-enterprise.md) ### [Technical information for 55” Microsoft Surface Hub](surface-hub-technical-55.md) ### [Technical information for 84” Microsoft Surface Hub](surface-hub-technical-84.md) +### [Use Microsoft Whiteboard on a Surface Hub](https://support.office.com/article/use-microsoft-whiteboard-on-a-surface-hub-5c594985-129d-43f9-ace5-7dee96f7621d) ## Plan ### [Prepare your environment for Microsoft Surface Hub](prepare-your-environment-for-surface-hub.md) diff --git a/devices/surface-hub/index.md b/devices/surface-hub/index.md index e4fa9986f3..f60588a000 100644 --- a/devices/surface-hub/index.md +++ b/devices/surface-hub/index.md @@ -30,7 +30,6 @@ Surface Hub 2S is an all-in-one digital interactive whiteboard, meetings platfor

Behind the design: Surface Hub 2S

What's new in Surface Hub 2S

Operating system essentials

-

Enable Microsoft Whiteboard on Surface Hub

From 217842d6912a4782bad64c8ea444e4f70c9a1370 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Wed, 11 Dec 2019 14:58:07 +0530 Subject: [PATCH 12/36] removed the word as meeting as per the user report #5646 . I removed the following word which written two times as meeting --- windows/security/threat-protection/fips-140-validation.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md index 32bbf69dc2..c91f55f5cf 100644 --- a/windows/security/threat-protection/fips-140-validation.md +++ b/windows/security/threat-protection/fips-140-validation.md @@ -57,7 +57,7 @@ The cadence for starting module validation aligns with the feature updates of Wi ### What is the difference between “FIPS 140 validated” and “FIPS 140 compliant”? -“FIPS 140 validated” means that the cryptographic module, or a product that embeds the module, has been validated (“certified”) by the CMVP as meeting as meeting the FIPS 140-2 requirements. “FIPS 140 compliant” is an industry term for IT products that rely on FIPS 140 validated products for cryptographic functionality. +“FIPS 140 validated” means that the cryptographic module, or a product that embeds the module, has been validated (“certified”) by the CMVP as meeting the FIPS 140-2 requirements. “FIPS 140 compliant” is an industry term for IT products that rely on FIPS 140 validated products for cryptographic functionality. ### I need to know if a Windows service or application is FIPS 140-2 validated. @@ -7191,4 +7191,4 @@ Version 6.3.9600

\[[SP 800-57](http://csrc.nist.gov/publications/pubssps.html#800-57-part1)\] - Recommendation for Key Management – Part 1: General (Revised) -\[[SP 800-131A](http://csrc.nist.gov/publications/nistpubs/800-131a/sp800-131a.pdf)\] - Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths \ No newline at end of file +\[[SP 800-131A](http://csrc.nist.gov/publications/nistpubs/800-131a/sp800-131a.pdf)\] - Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths From 0792939c1918f90a1305030c2ddc279dd3fb9f96 Mon Sep 17 00:00:00 2001 From: Deland-Han Date: Wed, 11 Dec 2019 17:39:09 +0800 Subject: [PATCH 13/36] finish --- mdop/mbam-v25/deploy-mbam.md | 3 ++- mdop/mbam-v25/troubleshooting-mbam-installation.md | 3 ++- windows/client-management/introduction-page-file.md | 2 +- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/mdop/mbam-v25/deploy-mbam.md b/mdop/mbam-v25/deploy-mbam.md index eefee88047..a921105176 100644 --- a/mdop/mbam-v25/deploy-mbam.md +++ b/mdop/mbam-v25/deploy-mbam.md @@ -1,13 +1,14 @@ --- title: Deploying MBAM 2.5 in a stand-alone configuration description: Introducing how to deploy MBAM 2.5 in a stand-alone configuration. -author: delhan +author: Deland-Han ms.reviewer: dcscontentpm manager: dansimp ms.author: delhan ms.sitesec: library ms.prod: w10 ms.date: 09/16/2019 +manager: dcscontentpm --- # Deploying MBAM 2.5 in a standalone configuration diff --git a/mdop/mbam-v25/troubleshooting-mbam-installation.md b/mdop/mbam-v25/troubleshooting-mbam-installation.md index d58974a50e..b38d7b7818 100644 --- a/mdop/mbam-v25/troubleshooting-mbam-installation.md +++ b/mdop/mbam-v25/troubleshooting-mbam-installation.md @@ -1,13 +1,14 @@ --- title: Troubleshooting MBAM 2.5 installation problems description: Introducing how to troubleshoot MBAM 2.5 installation problems. -author: delhan +author: Deland-Han ms.reviewer: dcscontentpm manager: dansimp ms.author: delhan ms.sitesec: library ms.prod: w10 ms.date: 09/16/2019 +manager: dcscontentpm --- # Troubleshooting MBAM 2.5 installation problems diff --git a/windows/client-management/introduction-page-file.md b/windows/client-management/introduction-page-file.md index 662ae5f90e..cee81bcd72 100644 --- a/windows/client-management/introduction-page-file.md +++ b/windows/client-management/introduction-page-file.md @@ -8,7 +8,7 @@ author: Deland-Han ms.localizationpriority: medium ms.author: delhan ms.reviewer: greglin -manager: willchen +manager: dcscontentpm --- # Introduction to page files From 214d87b5d68c42773ad84014057f52fce49c8ccc Mon Sep 17 00:00:00 2001 From: Jean-Robert Jean-Simon Date: Wed, 11 Dec 2019 11:57:56 +0100 Subject: [PATCH 14/36] Add a note about OEM Authorization and Delegated Admin Permissions (DAP) It is just a clarification for several customers who are afraid about Delegated Admin Permissions (DAP) could be part of the OEM Authorization. --- windows/deployment/windows-autopilot/registration-auth.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopilot/registration-auth.md b/windows/deployment/windows-autopilot/registration-auth.md index 9ae9105cbd..3c6dfece7c 100644 --- a/windows/deployment/windows-autopilot/registration-auth.md +++ b/windows/deployment/windows-autopilot/registration-auth.md @@ -9,7 +9,8 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: deploy -audience: itpro author: greg-lindsay +audience: itpro +author: greg-lindsay ms.author: greglin ms.collection: M365-modern-desktop ms.topic: article @@ -75,6 +76,8 @@ Each OEM has a unique link to provide to their respective customers, which the O 4. The OEM can use the Validate Device Submission Data API to verify the consent has completed. This API is discussed in the latest version of the API Whitepaper, p. 14ff [https://devicepartner.microsoft.com/assets/detail/windows-autopilot-integration-with-oem-api-design-whitepaper-docx](https://devicepartner.microsoft.com/assets/detail/windows-autopilot-integration-with-oem-api-design-whitepaper-docx). **Note**: this link is only accessible by Microsoft Device Partners. As discussed in this whitepaper, it’s a best practice recommendation for OEM partners to run the API check to confirm they’ve received customer consent before attempting to register devices, thus avoiding errors in the registration process. + NOTE: During the OEM authorization registration process, no delegated admin permissions are granted to the OEM. + ## Summary At this stage of the process, Microsoft is no longer involved; the consent exchange happens directly between the OEM and the customer. And, it all happens instantaneously - as quickly as buttons are clicked. From d5b401f302f2edbe9cb258153c542cb822ab0039 Mon Sep 17 00:00:00 2001 From: Jean-Robert Jean-Simon Date: Wed, 11 Dec 2019 12:28:22 +0100 Subject: [PATCH 15/36] Add a Q&A for Delegated Admin Permissions for OEM It is just a clarification for several customers who are afraid about Delegated Admin Permissions (DAP) could be part of the OEM Authorization. --- windows/deployment/windows-autopilot/autopilot-faq.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/deployment/windows-autopilot/autopilot-faq.md b/windows/deployment/windows-autopilot/autopilot-faq.md index b527168e97..94f7002df9 100644 --- a/windows/deployment/windows-autopilot/autopilot-faq.md +++ b/windows/deployment/windows-autopilot/autopilot-faq.md @@ -38,6 +38,7 @@ A [glossary](#glossary) of abbreviations used in this topic is provided at the e | How can I test the Windows Autopilot CSV file in the Partner Center? | Only CSP Partners have access to the Partner Center portal. If you are a CSP, you can create a Sales agent user account which has access to “Devices” for testing the file. This can be done today in the Partner Center.

Go [here](https://msdn.microsoft.com/partner-center/create-user-accounts-and-set-permissions) for more information. | | Must I become a Cloud Solution Provider (CSP) to participate in Windows Autopilot? | Top volume OEMs do not, as they can use the OEM Direct API. All others who choose to use MPC to register devices must become CSPs in order to access MPC. | | Do the different CSP levels have all the same capabilities when it comes to Windows Autopilot? | For purposes of Windows Autopilot, there are three different types of CSPs, each with different levels of authority an access:

1. Direct CSP: Gets direct authorization from the customer to register devices.

2. Indirect CSP Provider: Gets implicit permission to register devices through the relationship their CSP Reseller partner has with the customer. Indirect CSP Providers register devices through Microsoft Partner Center.

3. Indirect CSP Reseller: Gets direct authorization from the customer to register devices. At the same time, their indirect CSP Provider partner also gets authorization, which mean that either the Indirect Provider or the Indirect Reseller can register devices for the customer. However, the Indirect CSP Reseller must register devices through the MPC UI (manually uploading CSV file), whereas the Indirect CSP Provider has the option to register devices using the MPC APIs. | +| Does the OEM authorization grant Delegated Admin Permissions (DAP) on the customer tenant? | No. The OEM authorization gives only the capability to register devices. | ## Manufacturing From d7feac8adc09688f0f7b5108fc9b9999e1f5facc Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Wed, 11 Dec 2019 20:24:12 +0530 Subject: [PATCH 16/36] Renamed Enteprise to Enterprise as per user report #5654. i renamed Enteprise to Enterprise --- windows/client-management/mdm/device-update-management.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md index 13a78b2032..414a9c8515 100644 --- a/windows/client-management/mdm/device-update-management.md +++ b/windows/client-management/mdm/device-update-management.md @@ -635,7 +635,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise > [!Important] -> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Enterprise. +> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enterprise and IoT Enterprise.

Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet. From 98ee57c44dab201112e3a93f7e76c7b7e09b7491 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Wed, 11 Dec 2019 20:10:13 +0500 Subject: [PATCH 17/36] Content Update Added a source of information to point users to use custom settings for Windows 10 devices in Intune. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4482 --- ...dows-defender-application-control-policies-using-intune.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md index 8a2a80de85..8319156a40 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md @@ -27,7 +27,7 @@ ms.date: 05/17/2018 - Windows 10 - Windows Server 2016 -You can use Microsoft Intune to configure Windows Defender Application Control (WDAC). You can configure Windows 10 client computers to only run Windows components and Microsoft Store apps, or let them also run reputable apps defined by the Intelligent Security Graph. +You can use Microsoft Intune to configure Windows Defender Application Control (WDAC). You can configure Endpoint protection profile for WDAC or a custom profile with an OMA-URI. You can configure Windows 10 client computers to only run Windows components and Microsoft Store apps, or let them also run reputable apps defined by the Intelligent Security Graph. 1. Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Create profile**. @@ -41,3 +41,5 @@ You can use Microsoft Intune to configure Windows Defender Application Control ( - **Trust apps with good reputation**: Select **Enable** to allow reputable apps as defined by the Intelligent Security Graph to run in addition to Windows components and Store apps. ![Configure WDAC](images/wdac-intune-wdac-settings.png) + +To add a custom profile with an OMA-URI see, [Use custom settings for Windows 10 devices in Intune](https://docs.microsoft.com/en-us/intune/configuration/custom-settings-windows-10). From c0f9b313e3c707e029293d33b65c786f17858d75 Mon Sep 17 00:00:00 2001 From: Brandon Bray <40039061+BrandonBray@users.noreply.github.com> Date: Wed, 11 Dec 2019 12:08:32 -0800 Subject: [PATCH 18/36] Add image color and brightness troubleshooting Adding specific recommendations for improving image quality with HoloLens 2. --- devices/hololens/hololens2-fit-comfort-faq.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/devices/hololens/hololens2-fit-comfort-faq.md b/devices/hololens/hololens2-fit-comfort-faq.md index 397d61bb67..cbd71f9405 100644 --- a/devices/hololens/hololens2-fit-comfort-faq.md +++ b/devices/hololens/hololens2-fit-comfort-faq.md @@ -43,6 +43,15 @@ Try adjusting the position of your device visor so the holographic frame matches - **If you need to look up to see holograms**. First, shift the back of the headband a bit higher on your head. Then use one hand to hold the headband in place and the other to gently rotate the visor so you have a good view of the holographic frame. - **If you need to look down to see holograms**. First, shift the back of the headband a bit lower on your head. Then place your thumbs under the device arms and your index fingers on top of the headband, and gently squeeze with your thumbs to rotate the visor so you have a good view of the holographic frame. +## Hologram image color or brightness does not look right + +For HoloLens 2, take the following steps to improve the quality of holograms presented in displays: + +- **Increase brightness of the display.** Holograms look best when the display is at its brightest level. +- **Bring visor closer to your eyes.** Swing the visor down to the closest position to your eyes. +- **Shift visor down.** Try moving the brow pad on your forehead down, which will result in the visor moving down closer to your nose. +- **Run eye calibration.** The display uses your IPD and eye gaze to optimize images on the display. If you don't run eye calibration, the image quality may be made worse. + ## The device slides down when I'm using it, or I need to make the headband too tight to keep it secure The overhead strap can help keep your HoloLens secure on your head, particularly if you're moving around a lot. The strap may also let you loosen the headband a bit. [Learn how to use it](hololens2-setup.md#adjust-fit). From b9f6d287451fbceaca63bc997928e594773b2d74 Mon Sep 17 00:00:00 2001 From: Brandon Bray <40039061+BrandonBray@users.noreply.github.com> Date: Wed, 11 Dec 2019 13:02:31 -0800 Subject: [PATCH 19/36] Editing improvement --- devices/hololens/hololens2-fit-comfort-faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/hololens/hololens2-fit-comfort-faq.md b/devices/hololens/hololens2-fit-comfort-faq.md index cbd71f9405..e97e03f502 100644 --- a/devices/hololens/hololens2-fit-comfort-faq.md +++ b/devices/hololens/hololens2-fit-comfort-faq.md @@ -45,7 +45,7 @@ Try adjusting the position of your device visor so the holographic frame matches ## Hologram image color or brightness does not look right -For HoloLens 2, take the following steps to improve the quality of holograms presented in displays: +For HoloLens 2, take the following steps to ensure the highest visual quality of holograms presented in displays: - **Increase brightness of the display.** Holograms look best when the display is at its brightest level. - **Bring visor closer to your eyes.** Swing the visor down to the closest position to your eyes. From 1a133a1a2437f0cafb7bbd2b4d45bc8a506b8242 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 12 Dec 2019 08:39:16 +0530 Subject: [PATCH 20/36] replaced Enteprise to Enterprise as per user report #5655. and the good intelligent report from @illfated. I replaced Enteprise to Enterprise. --- windows/client-management/mdm/policy-csp-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index d096ead06d..9d98a92f10 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -4248,7 +4248,7 @@ ADMX Info: > [!IMPORTANT] -> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Mobile. +> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enterprise and IoT Mobile. Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet. From 1dc00ca8cbeeab7c1806db0d7c481c502b566b08 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Fri, 13 Dec 2019 09:43:40 +0500 Subject: [PATCH 21/36] Update policy-csp-appruntime.md --- windows/client-management/mdm/policy-csp-appruntime.md | 9 --------- 1 file changed, 9 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-appruntime.md b/windows/client-management/mdm/policy-csp-appruntime.md index fce0c40f17..7c7efc8c73 100644 --- a/windows/client-management/mdm/policy-csp-appruntime.md +++ b/windows/client-management/mdm/policy-csp-appruntime.md @@ -99,14 +99,5 @@ ADMX Info:

-Footnotes: - -- 1 - Added in Windows 10, version 1607. -- 2 - Added in Windows 10, version 1703. -- 3 - Added in Windows 10, version 1709. -- 4 - Added in Windows 10, version 1803. -- 5 - Added in Windows 10, version 1809. -- 6 - Added in Windows 10, version 1903. - From d704472f3687bb81e742b07091b303d71423aea4 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Fri, 13 Dec 2019 12:26:17 +0500 Subject: [PATCH 22/36] Update windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- ...indows-defender-application-control-policies-using-intune.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md index 8319156a40..d5c25facfc 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md @@ -27,7 +27,7 @@ ms.date: 05/17/2018 - Windows 10 - Windows Server 2016 -You can use Microsoft Intune to configure Windows Defender Application Control (WDAC). You can configure Endpoint protection profile for WDAC or a custom profile with an OMA-URI. You can configure Windows 10 client computers to only run Windows components and Microsoft Store apps, or let them also run reputable apps defined by the Intelligent Security Graph. +You can use Microsoft Intune to configure Windows Defender Application Control (WDAC). You can configure the Endpoint protection profile for WDAC or a custom profile with an OMA-URI. You can configure Windows 10 client computers to only run Windows components and Microsoft Store apps, or let them also run reputable apps defined by the Intelligent Security Graph. 1. Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Create profile**. From 23b8259680295f8a15a3e0ad112a057e65098aa8 Mon Sep 17 00:00:00 2001 From: Jean-Robert Jean-Simon Date: Fri, 13 Dec 2019 10:43:07 +0100 Subject: [PATCH 23/36] Update windows/deployment/windows-autopilot/autopilot-faq.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- windows/deployment/windows-autopilot/autopilot-faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopilot/autopilot-faq.md b/windows/deployment/windows-autopilot/autopilot-faq.md index 94f7002df9..756dbef593 100644 --- a/windows/deployment/windows-autopilot/autopilot-faq.md +++ b/windows/deployment/windows-autopilot/autopilot-faq.md @@ -38,7 +38,7 @@ A [glossary](#glossary) of abbreviations used in this topic is provided at the e | How can I test the Windows Autopilot CSV file in the Partner Center? | Only CSP Partners have access to the Partner Center portal. If you are a CSP, you can create a Sales agent user account which has access to “Devices” for testing the file. This can be done today in the Partner Center.

Go [here](https://msdn.microsoft.com/partner-center/create-user-accounts-and-set-permissions) for more information. | | Must I become a Cloud Solution Provider (CSP) to participate in Windows Autopilot? | Top volume OEMs do not, as they can use the OEM Direct API. All others who choose to use MPC to register devices must become CSPs in order to access MPC. | | Do the different CSP levels have all the same capabilities when it comes to Windows Autopilot? | For purposes of Windows Autopilot, there are three different types of CSPs, each with different levels of authority an access:

1. Direct CSP: Gets direct authorization from the customer to register devices.

2. Indirect CSP Provider: Gets implicit permission to register devices through the relationship their CSP Reseller partner has with the customer. Indirect CSP Providers register devices through Microsoft Partner Center.

3. Indirect CSP Reseller: Gets direct authorization from the customer to register devices. At the same time, their indirect CSP Provider partner also gets authorization, which mean that either the Indirect Provider or the Indirect Reseller can register devices for the customer. However, the Indirect CSP Reseller must register devices through the MPC UI (manually uploading CSV file), whereas the Indirect CSP Provider has the option to register devices using the MPC APIs. | -| Does the OEM authorization grant Delegated Admin Permissions (DAP) on the customer tenant? | No. The OEM authorization gives only the capability to register devices. | +| Does the OEM authorization grant Delegated Admin Permissions (DAP) on the customer tenant? | No. The OEM authorization only gives the capability to register devices. | ## Manufacturing From 64b86852b525d2500a32c6495de329a9bdb7a901 Mon Sep 17 00:00:00 2001 From: Evan Miller Date: Fri, 13 Dec 2019 10:51:41 -0800 Subject: [PATCH 24/36] Release notes link changes to HoloLens section Link for HoloLens release notes was pointing to Mixed Reality docs instead of HoloLens. Redirected. @scooley --- devices/hololens/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/hololens/index.md b/devices/hololens/index.md index 6725da5e81..98835e4ce5 100644 --- a/devices/hololens/index.md +++ b/devices/hololens/index.md @@ -55,4 +55,4 @@ appliesto: ## Related resources * [Documentation for Holographic app development](https://developer.microsoft.com/windows/mixed-reality/development) -* [HoloLens release notes](https://developer.microsoft.com/windows/mixed-reality/release_notes) +* [HoloLens release notes](https://docs.microsoft.com/hololens/hololens-release-notes) From fc38997abb47008adc8084687c6decfdba596d14 Mon Sep 17 00:00:00 2001 From: Jose Ortega Date: Fri, 13 Dec 2019 21:19:07 -0600 Subject: [PATCH 25/36] Moved note --- .../microsoft-defender-atp/live-response.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response.md b/windows/security/threat-protection/microsoft-defender-atp/live-response.md index 2c8fd39528..e55674234c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/live-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/live-response.md @@ -50,10 +50,6 @@ You'll need to enable the live response capability in the [Advanced features set >[!WARNING] >Allowing the use of unsigned scripts may increase your exposure to threats. - - > [!ÏMPORTANT] - > The option to upload a file to the library is only available to those with the appropriate RBAC permissions. The button is greyed out for users with only delegated permissions. - Running unsigned scripts is generally not recommended as it can increase your exposure to threats. If you must use them however, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page. - **Ensure that you have the appropriate permissions**
@@ -61,6 +57,9 @@ You'll need to enable the live response capability in the [Advanced features set Depending on the role that's been granted to you, you can run basic or advanced live response commands. Users permission are controlled by RBAC custom role. + > [!IMPORTANT] + > The option to upload a file to the library is only available to those with the appropriate RBAC permissions. The button is greyed out for users with only delegated permissions. + ## Live response dashboard overview When you initiate a live response session on a machine, a dashboard opens. The dashboard provides information about the session such as: From 98f5095e45b56eccc466f807ef1306aa1c175aa2 Mon Sep 17 00:00:00 2001 From: Jose Ortega Date: Fri, 13 Dec 2019 21:44:41 -0600 Subject: [PATCH 26/36] Update --- .../microsoft-defender-atp/live-response.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response.md b/windows/security/threat-protection/microsoft-defender-atp/live-response.md index 0b762a0b99..3003c707b4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/live-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/live-response.md @@ -50,15 +50,14 @@ You'll need to enable the live response capability in the [Advanced features set >[!WARNING] >Allowing the use of unsigned scripts may increase your exposure to threats. - - > [!IMPORTANT] - > The option to upload a file to the library is only available to those with the appropriate RBAC permissions. The button is greyed out for users with only delegated permissions. - Running unsigned scripts is generally not recommended as it can increase your exposure to threats. If you must use them however, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page. - **Ensure that you have the appropriate permissions**
Only users who have been provisioned with the appropriate permissions can initiate a session. For more information on role assignments see, [Create and manage roles](user-roles.md). + > [!IMPORTANT] + > The option to upload a file to the library is only available to those with the appropriate RBAC permissions. The button is greyed out for users with only delegated permissions. + Depending on the role that's been granted to you, you can run basic or advanced live response commands. Users permission are controlled by RBAC custom role. ## Live response dashboard overview From a3dc2db13293718a05e0b838c928d2733d608c96 Mon Sep 17 00:00:00 2001 From: illfated Date: Sat, 14 Dec 2019 20:28:51 +0100 Subject: [PATCH 27/36] Deploy WDAC/Intune: update intro description As discussed in issue ticket #4482 (Custom WDAC policy in Intune), it would be useful to add a detail on implementing a custom WDAC policy in Intune. Without this detail, the implication is that you can ONLY use the Endpoint Protection template to configure WDAC in Intune. Thank you to Air-Git for following up on this topic and the content. Proposed change: - add details missed in the previous PR #5659 (Content Update) issue ticket closure or reference: Ref. #4482 (already closed) --- ...indows-defender-application-control-policies-using-intune.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md index d5c25facfc..0b5a8c1c75 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md @@ -27,7 +27,7 @@ ms.date: 05/17/2018 - Windows 10 - Windows Server 2016 -You can use Microsoft Intune to configure Windows Defender Application Control (WDAC). You can configure the Endpoint protection profile for WDAC or a custom profile with an OMA-URI. You can configure Windows 10 client computers to only run Windows components and Microsoft Store apps, or let them also run reputable apps defined by the Intelligent Security Graph. +You can use Microsoft Intune to configure Windows Defender Application Control (WDAC). You can either configure an Endpoint Protection profile for WDAC, or create a custom profile with an OMA-URI setting. Using an Endpoint Protection profile, you can configure Windows 10 client computers to only run Windows components and Microsoft Store apps, or let them also run reputable apps defined by the Intelligent Security Graph. 1. Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Create profile**. From fc4c9e8950221df28d98c157a289b5a8f5e24caa Mon Sep 17 00:00:00 2001 From: jcjveraa <3942301+jcjveraa@users.noreply.github.com> Date: Mon, 16 Dec 2019 09:11:50 +0100 Subject: [PATCH 28/36] Typo fix Cloud clipboard helps users copy content between devices. It also manages the clipboard histroy -> history so that you can paste your old copied data. You can access it by using **Windows+V**. Set up Cloud clipboard: --- windows/whats-new/whats-new-windows-10-version-1809.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md index d5b5e148ca..e5ab713e82 100644 --- a/windows/whats-new/whats-new-windows-10-version-1809.md +++ b/windows/whats-new/whats-new-windows-10-version-1809.md @@ -162,7 +162,7 @@ Onboard supported versions of Windows machines so that they can send sensor data ## Cloud Clipboard -Cloud clipboard helps users copy content between devices. It also manages the clipboard histroy so that you can paste your old copied data. You can access it by using **Windows+V**. Set up Cloud clipboard: +Cloud clipboard helps users copy content between devices. It also manages the clipboard history so that you can paste your old copied data. You can access it by using **Windows+V**. Set up Cloud clipboard: 1. Go to **Windows Settings** and select **Systems**. 2. On the left menu, click on **Clipboard**. From 813cb6a18290ecf4101211763d16fc5bbc810476 Mon Sep 17 00:00:00 2001 From: amorrowbellarmine <46689625+amorrowbellarmine@users.noreply.github.com> Date: Mon, 16 Dec 2019 11:27:10 -0500 Subject: [PATCH 29/36] Corrected AUMID for the Kiosk Browser The AUMID shown in this guide is incorrect. Per the instructions found at https://docs.microsoft.com/en-us/windows/configuration/find-the-application-user-model-id-of-an-installed-app, the AUMID should be the "packagefamilyname"+"!"+"package.applications.application.id". In the case of the Kiosk Bowser, the AUMID is "Microsoft.KioskBrowser_8wekyb3d8bbwe!App". Failure to include the "!App" will result in an error when the kiosk account tries to load the app. --- windows/configuration/setup-digital-signage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/setup-digital-signage.md b/windows/configuration/setup-digital-signage.md index e902d0cfe2..7741d3ba98 100644 --- a/windows/configuration/setup-digital-signage.md +++ b/windows/configuration/setup-digital-signage.md @@ -58,7 +58,7 @@ This procedure explains how to configure digital signage using Kiosk Browser on - Enter a user name and password, and toggle **Auto sign-in** to **Yes**. - Under **Configure the kiosk mode app**, enter the user name for the account that you're creating. - For **App type**, select **Universal Windows App**. - - In **Enter the AUMID for the app**, enter `Microsoft.KioskBrowser_8wekyb3d8bbwe`. + - In **Enter the AUMID for the app**, enter `Microsoft.KioskBrowser_8wekyb3d8bbwe!App`. 11. In the bottom left corner of Windows Configuration Designer, select **Switch to advanced editor**. 12. Go to **Runtime settings** > **Policies** > **KioskBrowser**. Let's assume that the URL for your digital signage content is contoso.com/menu. - In **BlockedUrlExceptions**, enter `https://www.contoso.com/menu`. From 38df0e98d07b9639fdddb02107c63cde187f790f Mon Sep 17 00:00:00 2001 From: Manuel Hauch Date: Mon, 16 Dec 2019 20:21:23 +0100 Subject: [PATCH 30/36] Misnamed automation level The protection level is called "No automated response" in the UI, not "Not protected". --- .../microsoft-defender-atp/automated-investigations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 28d3920de1..a4990b44f7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md @@ -68,7 +68,7 @@ You can configure the following levels of automation: |Automation level | Description| |---|---| -|Not protected | Machines do not get any automated investigations run on them. | +|No automated response | Machines do not get any automated investigations run on them. | |Semi - require approval for any remediation | This is the default automation level.

An approval is needed for any remediation action. | |Semi - require approval for non-temp folders remediation | An approval is required on files or executables that are not in temporary folders.

Files or executables in temporary folders, such as the user's download folder or the user's temp folder, will automatically be remediated if needed.| |Semi - require approval for core folders remediation | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder.

Files or executables in all other folders will automatically be remediated if needed.| From a79f1eba424566d14791299610472c7733b01967 Mon Sep 17 00:00:00 2001 From: coffeemade <39417823+coffeemade@users.noreply.github.com> Date: Tue, 17 Dec 2019 10:21:18 -0500 Subject: [PATCH 31/36] Update on-premises-deployment-surface-hub-device-accounts.md [!IMPORTANT] ActiveSync Virtual Directory Basic Authentication is required to be enabled as the Surface Hub is unable to authenticate using other authentication methods. [PS] C:\windows\system32>Get-ActiveSyncVirtualDirectory | fl name,BasicAuthEnabled Name : Microsoft-Server-ActiveSync (Default Web Site) BasicAuthEnabled : True --- .../on-premises-deployment-surface-hub-device-accounts.md | 1 + 1 file changed, 1 insertion(+) diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md index d3fdb628ab..7f3793ed3f 100644 --- a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md @@ -49,6 +49,7 @@ If you have a single-forest on-premises deployment with Microsoft Exchange 2013 ```PowerShell New-Mailbox -UserPrincipalName HUB01@contoso.com -Alias HUB01 -Name "Hub-01" -Room -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String -AsPlainText -Force) ``` +[!IMPORTANT] ActiveSync Virtual Directory Basic Authentication is required to be enabled as the Surface Hub is unable to authenticate using other authentication methods. 3. After setting up the mailbox, you will need to either create a new Exchange ActiveSync policy, or use a compatible existing policy. From afe5b13e0eec9466f8a57cf8af5b8ac726f78a9e Mon Sep 17 00:00:00 2001 From: Bill Mcilhargey <19168174+computeronix@users.noreply.github.com> Date: Wed, 18 Dec 2019 08:36:03 -0500 Subject: [PATCH 32/36] Added Central Store Consideration for GPOs For anyone using Central Store, added information for where to deploy the GPO templates in this setup. --- .../microsoft-defender-atp/configure-endpoints-gp.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md index a5cb971e01..367c0685a8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md @@ -80,6 +80,13 @@ You can use Group Policy (GP) to configure settings, such as settings for the sa b. Copy _AtpConfiguration.adml_ into _C:\\Windows\\PolicyDefinitions\\en-US_ + If you are using a [Central Store for Group Policy Administrative Templates](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra), copy the following files from the + configuration package: + + a. Copy _AtpConfiguration.admx_ into _\\\\\\\SysVol\\\\\Policies\\PolicyDefinitions_ + + b. Copy _AtpConfiguration.adml_ into _\\\\\\\SysVol\\\\\Policies\\PolicyDefinitions\\en-US_ + 2. Open the [Group Policy Management Console](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11), right-click the GPO you want to configure and click **Edit**. 3. In the **Group Policy Management Editor**, go to **Computer configuration**. From d02139df5fce91e8ea531fb31c74876bbd3d417c Mon Sep 17 00:00:00 2001 From: tx5westmt <45113913+tx5westmt@users.noreply.github.com> Date: Wed, 18 Dec 2019 11:36:29 -0600 Subject: [PATCH 33/36] Grammar/Punctuation Corrections Minor grammar/punctuation updates. --- .../hello-for-business/feature-multifactor-unlock.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md index 3da855c332..4ddcb35964 100644 --- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md +++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md @@ -31,7 +31,7 @@ ms.reviewer: Windows, today, natively only supports the use of a single credential (password, PIN, fingerprint, face, etc.) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system. -Windows 10 offers Multi-factor device unlock by extending Windows Hello with trusted signals, administrators can configure Windows 10 to request a combination of factors and trusted signals to unlock their devices. +Windows 10 offers Multi-factor device unlock by extending Windows Hello with trusted signals. Administrators can configure Windows 10 to request a combination of factors and trusted signals to unlock their devices. Which organizations can take advantage of Multi-factor unlock? Those who: * Have expressed that PINs alone do not meet their security needs. @@ -101,7 +101,7 @@ Each rule element has a **signal** element. All signal elements have a **type** | type| "wifi" (Windows 10, version 1803) #### Bluetooth -You define the bluetooth signal with additional attribute in the signal element. The bluetooth configuration does not use any other elements. You can end the signal element with short ending tag "\/>". +You define the bluetooth signal with additional attributes in the signal element. The bluetooth configuration does not use any other elements. You can end the signal element with short ending tag "\/>". |Attribute|Value|Required| |---------|-----|--------| @@ -117,7 +117,7 @@ Example: ``` -The **classofDevice** attribute defaults Phones and uses the values from the following table +The **classofDevice** attribute defaults to Phone and uses the values from the following table: |Description|Value| |:-------------|:-------:| @@ -138,7 +138,7 @@ The **rssiMin** attribute value signal indicates the strength needed for the dev RSSI measurements are relative and lower as the bluetooth signals between the two paired devices reduces. Therefore a measurement of 0 is stronger than -10, which is stronger than -60, which is an indicator the devices are moving further apart from each other. >[!IMPORTANT] ->Microsoft recommends using the default values for this policy settings. Measurements are relative, based on the varying conditions of each environment. Therefore, the same values may produce different results. Test policy settings in each environment prior to broadly deploying the setting. Use the rssiMIN and rssiMaxDelta values from the XML file created by the Group Policy Management Editor or remove both attributes to use the default values. +>Microsoft recommends using the default values for this policy setting. Measurements are relative, based on the varying conditions of each environment. Therefore, the same values may produce different results. Test policy settings in each environment prior to broadly deploying the setting. Use the rssiMIN and rssiMaxDelta values from the XML file created by the Group Policy Management Editor or remove both attributes to use the default values. #### IP Configuration You define IP configuration signals using one or more ipConfiguration elements. Each element has a string value. IpConfiguration elements do not have attributes or nested elements. @@ -198,7 +198,7 @@ The IPv6 DNS server represented in Internet standard hexadecimal encoding. An IP 21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A%2 ``` ##### dnsSuffix -The fully qualified domain name of your organizations internal DNS suffix where any part of the fully qualified domain name in this setting exists in the computer's primary DNS suffix. The **signal** element may contain one or more **dnsSuffix** elements.
+The fully qualified domain name of your organization's internal DNS suffix where any part of the fully qualified domain name in this setting exists in the computer's primary DNS suffix. The **signal** element may contain one or more **dnsSuffix** elements.
**Example** ``` corp.contoso.com From 33635c9386aed5ee5b831be081e4650232473a8a Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Thu, 19 Dec 2019 17:37:56 +0200 Subject: [PATCH 34/36] Remove false information about winHTTP https://github.com/MicrosoftDocs/windows-itpro-docs/issues/2230 --- windows/deployment/upgrade/upgrade-readiness-data-sharing.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/upgrade/upgrade-readiness-data-sharing.md b/windows/deployment/upgrade/upgrade-readiness-data-sharing.md index af934eec08..58e8a9e6c2 100644 --- a/windows/deployment/upgrade/upgrade-readiness-data-sharing.md +++ b/windows/deployment/upgrade/upgrade-readiness-data-sharing.md @@ -33,7 +33,7 @@ In order to use the direct connection scenario, set the parameter **ClientProxy= ### Connection through the WinHTTP proxy -This is the first and most simple proxy scenario. The WinHTTP stack was designed for use in services and does not support proxy autodetection, PAC scripts or authentication. +This is the first and most simple proxy scenario. In order to set the WinHTTP proxy system-wide on your computers, you need to - Use the command netsh winhttp set proxy \:\ From dbc99ea38edc57df9629ae4ed8cc7734da41eabc Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Thu, 19 Dec 2019 23:34:12 +0500 Subject: [PATCH 35/36] Updated information for Office 2003 Added information for office 2003 and earlier file formats to be avoided to open when sent as an attachment. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4425 --- .../threat-protection/intelligence/prevent-malware-infection.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/intelligence/prevent-malware-infection.md b/windows/security/threat-protection/intelligence/prevent-malware-infection.md index 3659eaeffb..884759126a 100644 --- a/windows/security/threat-protection/intelligence/prevent-malware-infection.md +++ b/windows/security/threat-protection/intelligence/prevent-malware-infection.md @@ -85,6 +85,8 @@ To further ensure that data is protected from malware as well as other threats: * Do not use untrusted devices to log on to email, social media, and corporate accounts. +* Do not downlaod or run old Binary / Office 2003 and ealier file formats like .doc, .ppt, .xls. These file formats allow macros to be included. This can be a security risk. + ## Software solutions Microsoft provides comprehensive security capabilities that help protect against threats. We recommend: From ce2db075fdfe0d8117f77eccf432d694c7706ece Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 19 Dec 2019 13:33:25 -0800 Subject: [PATCH 36/36] Update prevent-malware-infection.md Edits --- .../threat-protection/intelligence/prevent-malware-infection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/intelligence/prevent-malware-infection.md b/windows/security/threat-protection/intelligence/prevent-malware-infection.md index 884759126a..7bce69882c 100644 --- a/windows/security/threat-protection/intelligence/prevent-malware-infection.md +++ b/windows/security/threat-protection/intelligence/prevent-malware-infection.md @@ -85,7 +85,7 @@ To further ensure that data is protected from malware as well as other threats: * Do not use untrusted devices to log on to email, social media, and corporate accounts. -* Do not downlaod or run old Binary / Office 2003 and ealier file formats like .doc, .ppt, .xls. These file formats allow macros to be included. This can be a security risk. +* Avoid downloading or running older apps. Some of these apps might have vulnerabilities. Also, older file formats for Office 2003 (.doc, .pps, and .xls) allow macros or run. This could be a security risk. ## Software solutions