From 4f477b059f7d55ee7ee7b8d847c4990b20130da6 Mon Sep 17 00:00:00 2001 From: Sergii Cherkashyn Date: Mon, 11 May 2020 12:21:20 -0400 Subject: [PATCH 01/14] Update network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md Per multiple cases with AAD Auth support, the PKU2U policy has to be enabled on the client as well. Proposing to update the mentioned Note and add "and the client" > [!NOTE] > KU2U is disabled by default on Windows Server. Remote Desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device or a Hybrid Azure AD-joined domain member Windows 10 device fail. To resolve this, enable PKU2U on the server and the client. --- ...cation-requests-to-this-computer-to-use-online-identities.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index 4870151b22..9fef84e4b2 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md @@ -40,7 +40,7 @@ This policy isn't configured by default on domain-joined devices. This would dis - **Enabled**: This setting allows authentication to successfully complete between the two (or more) computers that have established a peer relationship through the use of online IDs. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer devices. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes. > [!NOTE] - > KU2U is disabled by default on Windows Server. Remote Desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device or a Hybrid Azure AD-joined domain member Windows 10 device fail. To resolve this, enable PKU2U on the server. + > KU2U is disabled by default on Windows Server. Remote Desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device or a Hybrid Azure AD-joined domain member Windows 10 device fail. To resolve this, enable PKU2U on the server and the client. - **Disabled**: This setting prevents online IDs from being used to authenticate the user to another computer in a peer-to-peer relationship. From 1b7e2385c4cda6682c3bab7d949baaf1b8baabd1 Mon Sep 17 00:00:00 2001 From: amirsc3 <42802974+amirsc3@users.noreply.github.com> Date: Tue, 12 May 2020 21:25:44 +0300 Subject: [PATCH 02/14] Update machine-tags.md Adjusting note to avoid any potential customer confusion. --- .../threat-protection/microsoft-defender-atp/machine-tags.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md index e54b496b2c..23a14e3ccd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md @@ -72,7 +72,7 @@ You can also delete tags from this view. >- Windows 7 SP1 > [!NOTE] -> The maximum number of characters in a tag is 30. +> The maximum number of characters that can be set in a tag from the registry is 30. Machines with similar tags can be handy when you need to apply contextual action on a specific list of machines. From b2f9665372c38b098dd2537853df2662e386bb35 Mon Sep 17 00:00:00 2001 From: Zach Willson Date: Tue, 12 May 2020 11:32:16 -0700 Subject: [PATCH 03/14] Update policy-csp-userrights.md --- windows/client-management/mdm/policy-csp-userrights.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index 09b30b65c0..719f00b4c6 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -1285,12 +1285,16 @@ GP Info: This user right determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data. + GP Info: - GP English name: *Perform volume maintenance tasks* - GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* - +> [!Warning] +> If you remove **Window Manager\Window Manager Group** from the **Increase scheduling priority** user right, certain applications and computers do not function correctly. In particular, the INK workspace does not function correctly on unified memory architecture (UMA) laptop and desktop computers that run Windows 10, version 1903 (or later) and that use the Intel GFX driver. +> +> On affected computers, the display blinks when users draw on INK workspaces such as those that are used by Microsoft Edge, Microsoft PowerPoint, or Microsoft OneNote. The blinking occurs because the inking-related processes repeatedly try to use the Real-Time priority, but are denied permission. From 603e52a612199228890670198806e31b49e41b32 Mon Sep 17 00:00:00 2001 From: Zach Willson Date: Tue, 12 May 2020 11:33:45 -0700 Subject: [PATCH 04/14] Update policy-csp-userrights.md --- windows/client-management/mdm/policy-csp-userrights.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index 719f00b4c6..0278d07a34 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -1095,6 +1095,11 @@ GP Info: - GP English name: *Increase scheduling priority* - GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* +> [!Warning] +> If you remove **Window Manager\Window Manager Group** from the **Increase scheduling priority** user right, certain applications and computers do not function correctly. In particular, the INK workspace does not function correctly on unified memory architecture (UMA) laptop and desktop computers that run Windows 10, version 1903 (or later) and that use the Intel GFX driver. +> +> On affected computers, the display blinks when users draw on INK workspaces such as those that are used by Microsoft Edge, Microsoft PowerPoint, or Microsoft OneNote. The blinking occurs because the inking-related processes repeatedly try to use the Real-Time priority, but are denied permission. + @@ -1291,10 +1296,7 @@ This user right determines which users and groups can run maintenance tasks on a GP Info: - GP English name: *Perform volume maintenance tasks* - GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* -> [!Warning] -> If you remove **Window Manager\Window Manager Group** from the **Increase scheduling priority** user right, certain applications and computers do not function correctly. In particular, the INK workspace does not function correctly on unified memory architecture (UMA) laptop and desktop computers that run Windows 10, version 1903 (or later) and that use the Intel GFX driver. -> -> On affected computers, the display blinks when users draw on INK workspaces such as those that are used by Microsoft Edge, Microsoft PowerPoint, or Microsoft OneNote. The blinking occurs because the inking-related processes repeatedly try to use the Real-Time priority, but are denied permission. + From 1eab3da419c5874210a5ce3ac3101204d7f8fa5e Mon Sep 17 00:00:00 2001 From: Zach Willson Date: Tue, 12 May 2020 11:35:33 -0700 Subject: [PATCH 05/14] Update policy-csp-userrights.md --- windows/client-management/mdm/policy-csp-userrights.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index 0278d07a34..cd9fa29f64 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -1290,7 +1290,6 @@ GP Info: This user right determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data. - GP Info: From 8e1a5afb94dc468482224c4581c7fb465d645d02 Mon Sep 17 00:00:00 2001 From: rogersoMS <44718379+rogersoMS@users.noreply.github.com> Date: Wed, 13 May 2020 08:58:33 +1000 Subject: [PATCH 06/14] Added Teams as an enlightened app @DulceMontemayor & @Dansimp @derek adam & @way vadhanasin & @rick james (ENS) as tech reviewers Microsoft Teams desktop app from build 1.3.00.12058 (rolled out ~ 10th May 2020) now has full support for WIP. I believe it should be added to this list as an enlightened app. Please cofirm with suggested tech reviewers before publishing --- .../enlightened-microsoft-apps-and-wip.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md index 48c612f49d..89f484d7e5 100644 --- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md +++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md @@ -73,6 +73,8 @@ Microsoft has made a concerted effort to enlighten several of our more popular a - Microsoft Remote Desktop +- Microsoft Teams (build 1.3.00.12058 and later) + > [!NOTE] > Microsoft Visio, Microsoft Office Access and Microsoft Project are not enlightended apps and need to be exempted from WIP policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioining. From 61554aeb8a2c3e23236552bfb2cef1e1fef0de23 Mon Sep 17 00:00:00 2001 From: rogersoMS <44718379+rogersoMS@users.noreply.github.com> Date: Wed, 13 May 2020 10:22:47 +1000 Subject: [PATCH 07/14] Corrected Teams 'WIP enlightened' to 'WIP work only' Verified technical changes with Narendra Acharya. No additional tech reviewers are required. Corrected Teams from WIP enlightened to WIP work aware --- .../enlightened-microsoft-apps-and-wip.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md index 89f484d7e5..85d9523c9b 100644 --- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md +++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md @@ -71,9 +71,7 @@ Microsoft has made a concerted effort to enlighten several of our more popular a - Microsoft Messaging -- Microsoft Remote Desktop - -- Microsoft Teams (build 1.3.00.12058 and later) +- Microsoft Remote Desktop > [!NOTE] > Microsoft Visio, Microsoft Office Access and Microsoft Project are not enlightended apps and need to be exempted from WIP policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioining. @@ -83,6 +81,8 @@ Microsoft still has apps that are unenlightened, but which have been tested and - Skype for Business +- Microsoft Teams (build 1.3.00.12058 and later) + ## Adding enlightened Microsoft apps to the allowed apps list > [!NOTE] From b832f0649f7e40ea71cbc8de9991223b7b3fb4fc Mon Sep 17 00:00:00 2001 From: Andre Della Monica Date: Tue, 12 May 2020 18:10:40 -0700 Subject: [PATCH 08/14] Box update to reflect live device data --- .../microsoft-defender-atp/configure-machines-onboarding.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md index 1f672b58a6..d3f378cce2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md @@ -52,6 +52,9 @@ From the **Onboarding** card, select **Onboard more machines** to create and ass >[!TIP] >Alternatively, you can navigate to the Microsoft Defender ATP onboarding compliance page in the [Microsoft Azure portal](https://portal.azure.com/) from **All services > Intune > Device compliance > Microsoft Defender ATP**. +>[!NOTE] +> If you want to view the most up-to-date device data, click on **List of devices without ATP sensor**. + From the device compliance page, create a configuration profile specifically for the deployment of the Microsoft Defender ATP sensor and assign that profile to the machines you want to onboard. To do this, you can either: - Select **Create a device configuration profile to configure ATP sensor** to start with a predefined device configuration profile. From 0691f6fbfcc3bc27c2331189c5cdfb1282febb25 Mon Sep 17 00:00:00 2001 From: Herbert Mauerer <41573578+HerbertMauerer@users.noreply.github.com> Date: Wed, 13 May 2020 16:08:30 +0200 Subject: [PATCH 09/14] Update interactive-logon-prompt-user-to-change-password-before-expiration.md The description of the value at zero is incorrect. I verified in the source of Winlogon that you never get a reminder when the value is 0, only when the password expires the same day or when it has expired already. --- ...ve-logon-prompt-user-to-change-password-before-expiration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md index 300344160d..cbc2288db2 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md @@ -37,7 +37,7 @@ This policy setting determines when users are warned that their passwords are ab - Configure user passwords to expire periodically. Users need warning that their password is going to expire, or they might get locked out of the system. - Set **Interactive logon: Prompt user to change password before expiration** to five days. When their password expiration date is five or fewer days away, users will see a dialog box each time that they log on to the domain. -- Don't set the value to zero, which displays the password expiration warning every time the user logs on. +- When you set the policy to zero, there is no password expiration warning when the user logs on. During a long-running logon session, you would get the warning on the day the password expires or when it is already expired. ### Location From e04a974e1f0c8daadc8205abe979ad51a142b17b Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Wed, 13 May 2020 19:46:50 +0300 Subject: [PATCH 10/14] add link https://github.com/MicrosoftDocs/windows-itpro-docs/issues/5904 --- .../surface/ethernet-adapters-and-surface-device-deployment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface/ethernet-adapters-and-surface-device-deployment.md b/devices/surface/ethernet-adapters-and-surface-device-deployment.md index c35dbe0630..24cf375474 100644 --- a/devices/surface/ethernet-adapters-and-surface-device-deployment.md +++ b/devices/surface/ethernet-adapters-and-surface-device-deployment.md @@ -85,7 +85,7 @@ To access the firmware of a Surface device, follow these steps: When deploying with WDS, the MAC address is only used to identify a computer when the deployment server is configured to respond only to known, pre-staged clients. When pre-staging a client, an administrator creates a computer account in Active Directory and defines that computer by the MAC address or the System UUID. To avoid the identity conflicts caused by shared Ethernet adapters, you should use [System UUID to define pre-staged clients](https://technet.microsoft.com/library/cc742034). Alternatively, you can configure WDS to respond to unknown clients that do not require definition by either MAC address or System UUID by selecting the **Respond to all client computers (known and unknown)** option on the [**PXE Response** tab](https://technet.microsoft.com/library/cc732360) in **Windows Deployment Server Properties**. -The potential for conflicts with shared Ethernet adapters is much higher with Configuration Manager. Where WDS only uses MAC addresses to define individual systems when configured to do so, Configuration Manager uses the MAC address to define individual systems whenever performing a deployment to new or unknown computers. This can result in improperly configured devices or even the inability to deploy more than one system with a shared Ethernet adapter. There are several potential solutions for this situation that are described in detail in the [How to Use The Same External Ethernet Adapter For Multiple SCCM OSD](https://blogs.technet.microsoft.com/askpfeplat/2014/07/27/how-to-use-the-same-external-ethernet-adapter-for-multiple-sccm-osd/) blog post on the Ask Premier Field Engineering (PFE) Platforms TechNet blog. +The potential for conflicts with shared Ethernet adapters is much higher with Configuration Manager. Where WDS only uses MAC addresses to define individual systems when configured to do so, Configuration Manager uses the MAC address to define individual systems whenever performing a deployment to new or unknown computers. This can result in improperly configured devices or even the inability to deploy more than one system with a shared Ethernet adapter. There are several potential solutions for this situation that are described in detail in the [How to Use The Same External Ethernet Adapter For Multiple SCCM OSD](https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/how-to-use-the-same-external-ethernet-adapter-for-multiple-sccm/ba-p/257374) blog post on the Ask Premier Field Engineering (PFE) Platforms TechNet blog.   From 00d2b4ba8c16aa7e7a75ffd16615663492e2386f Mon Sep 17 00:00:00 2001 From: Russ Rimmerman Date: Wed, 13 May 2020 15:11:18 -0500 Subject: [PATCH 11/14] Update waas-servicing-strategy-windows-10-updates.md Fixed minor typo --- .../update/waas-servicing-strategy-windows-10-updates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md index e82f2eebde..eb2d701314 100644 --- a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md @@ -28,7 +28,7 @@ In the past, traditional Windows deployments tended to be large, lengthy, and ex Windows 10 spreads the traditional deployment effort of a Windows upgrade, which typically occurred every few years, over smaller, continuous updates. With this change, you must approach the ongoing deployment and servicing of Windows differently. A strong Windows 10 deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update. Here’s an example of what this process might look like: -- **Configure test devices.** Configure test devices in the Windows Insider Program so that Insiders can test feature updates before they’re available to the Semi-Annual Channel. Typically, this would be a small number of test devices that IT staff members use to evaluate pre-releas builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program on a Windows 10 device. +- **Configure test devices.** Configure test devices in the Windows Insider Program so that Insiders can test feature updates before they’re available to the Semi-Annual Channel. Typically, this would be a small number of test devices that IT staff members use to evaluate pre-release builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program on a Windows 10 device. - **Identify excluded devices.** For some organizations, special-purpose devices such as those used to control factory or medical equipment or run ATMs require a stricter, less frequent feature update cycle than the Semi-annual Channel can offer. For those machines, you must install Windows 10 Enterprise LTSB to avoid feature updates for up to 10 years. Identify these devices, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly. - **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that you’re looking for feedback rather than people to just “try it out” and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible. - **Update Group Policy.** Each feature update includes new group policies to manage new features. If you use Group Policy to manage devices, the Group Policy Admin for the Active Directory domain will need to download a .admx package and copy it to their [Central Store](https://support.microsoft.com/help/929841/how-to-create-the-central-store-for-group-policy-administrative-templa) (or to the [PolicyDefinitions](https://msdn.microsoft.com/library/bb530196.aspx) directory in the SYSVOL of a domain controller if not using a Central Store). Always manage new group polices from the version of Windows 10 they shipped with by using the Remote Server Administration Tools. The ADMX download package is created at the end of each development cycle and then posted for download. To find the ADMX download package for a given Windows build, search for “ADMX download for Windows build xxxx”. For details about Group Policy management, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) From b4daee35004c411a642403530be8b06ecbd7704f Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Wed, 13 May 2020 14:44:43 -0700 Subject: [PATCH 12/14] Update windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- ...ve-logon-prompt-user-to-change-password-before-expiration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md index cbc2288db2..b98d74a6bb 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md @@ -37,7 +37,7 @@ This policy setting determines when users are warned that their passwords are ab - Configure user passwords to expire periodically. Users need warning that their password is going to expire, or they might get locked out of the system. - Set **Interactive logon: Prompt user to change password before expiration** to five days. When their password expiration date is five or fewer days away, users will see a dialog box each time that they log on to the domain. -- When you set the policy to zero, there is no password expiration warning when the user logs on. During a long-running logon session, you would get the warning on the day the password expires or when it is already expired. +- When you set the policy to zero, there is no password expiration warning when the user logs on. During a long-running logon session, you would get the warning on the day the password expires or when it already has expired. ### Location From d09038af9608a3d24442c86231968f864397faa8 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 13 May 2020 16:19:51 -0700 Subject: [PATCH 13/14] Removed extraneous angle bracket --- .../update/waas-servicing-strategy-windows-10-updates.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md index eb2d701314..ae0773920a 100644 --- a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md @@ -35,10 +35,10 @@ Windows 10 spreads the traditional deployment effort of a Windows upgrade, which - **Choose a servicing tool.** Decide which product you’ll use to manage the Windows updates in your environment. If you’re currently using Windows Server Update Services (WSUS) or Microsoft Endpoint Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 updates. Alternatively, you can use Windows Update for Business. In addition to which product you’ll use, consider how you’ll deliver the updates. With Windows 10, multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools). - **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those that are the most business critical. Because the expectation is that application compatibility with Windows 10 will be high, only the most business critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](../upgrade/manage-windows-upgrades-with-upgrade-readiness.md). ->[!NOTE] ->This strategy is applicable to approaching an environment in which Windows 10 already exists. For information about how to deploy or upgrade to Windows 10 where another version of Windows exists, see [Plan for Windows 10 deployment](../planning/index.md). +> [!NOTE] +> This strategy is applicable to approaching an environment in which Windows 10 already exists. For information about how to deploy or upgrade to Windows 10 where another version of Windows exists, see [Plan for Windows 10 deployment](../planning/index.md). > ->>Windows 10 Enterprise LTSB is a separate Long Term Servicing Channel version. +> Windows 10 Enterprise LTSB is a separate Long Term Servicing Channel version. Each time Microsoft releases a Windows 10 feature update, the IT department should use the following high-level process to help ensure that the broad deployment is successful: From 693cc50f42db700bfe509ffbc243b365e3e879e5 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 13 May 2020 16:26:27 -0700 Subject: [PATCH 14/14] Tidied cross references --- .../ethernet-adapters-and-surface-device-deployment.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/devices/surface/ethernet-adapters-and-surface-device-deployment.md b/devices/surface/ethernet-adapters-and-surface-device-deployment.md index 24cf375474..abc4672793 100644 --- a/devices/surface/ethernet-adapters-and-surface-device-deployment.md +++ b/devices/surface/ethernet-adapters-and-surface-device-deployment.md @@ -28,7 +28,7 @@ Network deployment to Surface devices can pose some unique challenges for system Before you can address the concerns of how you will boot to your deployment environment or how devices will be recognized by your deployment solution, you have to use a wired network adapter. -The primary concern when selecting an Ethernet adapter is how that adapter will boot your Surface device from the network. If you are pre-staging clients with Windows Deployment Services (WDS) or if you are using Microsoft Endpoint Configuration Manager, you may also want to consider whether the removable Ethernet adapters will be dedicated to a specific Surface device or shared among multiple devices. See the [Manage MAC addresses with removable Ethernet adapters](#manage-mac-addresses) section of this article for more information on potential conflicts with shared adapters. +The primary concern when selecting an Ethernet adapter is how that adapter will boot your Surface device from the network. If you are pre-staging clients with Windows Deployment Services (WDS) or if you are using Microsoft Endpoint Configuration Manager, you may also want to consider whether the removable Ethernet adapters will be dedicated to a specific Surface device or shared among multiple devices. For more information on potential conflicts with shared adapters, see [Manage MAC addresses with removable Ethernet adapters](#manage-mac-addresses) later in this article. Booting from the network (PXE boot) is only supported when you use an Ethernet adapter or docking station from Microsoft. To boot from the network, the chipset in the Ethernet adapter or dock must be detected and configured as a boot device in the firmware of the Surface device. Microsoft Ethernet adapters, such as the Surface Ethernet Adapter and the [Surface Dock](https://www.microsoft.com/surface/accessories/surface-dock) use a chipset that is compatible with the Surface firmware. @@ -67,7 +67,6 @@ For Windows 10, version 1511 and later – including the Windows Assessment and ## Manage MAC addresses with removable Ethernet adapters - Another consideration for administrators performing Windows deployment over the network is how you will identify computers when you use the same Ethernet adapter to deploy to more than one computer. A common identifier used by deployment technologies is the Media Access Control (MAC) address that is associated with each Ethernet adapter. However, when you use the same Ethernet adapter to deploy to multiple computers, you cannot use a deployment technology that inspects MAC addresses because there is no way to differentiate the MAC address of the removable adapter when used on the different computers. The simplest solution to avoid MAC address conflicts is to provide a dedicated removable Ethernet adapter for each Surface device. This can make sense in many scenarios where the Ethernet adapter or the additional functionality of the docking station will be used regularly. However, not all scenarios call for the additional connectivity of a docking station or support for wired networks. @@ -85,7 +84,7 @@ To access the firmware of a Surface device, follow these steps: When deploying with WDS, the MAC address is only used to identify a computer when the deployment server is configured to respond only to known, pre-staged clients. When pre-staging a client, an administrator creates a computer account in Active Directory and defines that computer by the MAC address or the System UUID. To avoid the identity conflicts caused by shared Ethernet adapters, you should use [System UUID to define pre-staged clients](https://technet.microsoft.com/library/cc742034). Alternatively, you can configure WDS to respond to unknown clients that do not require definition by either MAC address or System UUID by selecting the **Respond to all client computers (known and unknown)** option on the [**PXE Response** tab](https://technet.microsoft.com/library/cc732360) in **Windows Deployment Server Properties**. -The potential for conflicts with shared Ethernet adapters is much higher with Configuration Manager. Where WDS only uses MAC addresses to define individual systems when configured to do so, Configuration Manager uses the MAC address to define individual systems whenever performing a deployment to new or unknown computers. This can result in improperly configured devices or even the inability to deploy more than one system with a shared Ethernet adapter. There are several potential solutions for this situation that are described in detail in the [How to Use The Same External Ethernet Adapter For Multiple SCCM OSD](https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/how-to-use-the-same-external-ethernet-adapter-for-multiple-sccm/ba-p/257374) blog post on the Ask Premier Field Engineering (PFE) Platforms TechNet blog. +The potential for conflicts with shared Ethernet adapters is much higher with Configuration Manager. Where WDS only uses MAC addresses to define individual systems when configured to do so, Configuration Manager uses the MAC address to define individual systems whenever performing a deployment to new or unknown computers. This can result in improperly configured devices or even the inability to deploy more than one system with a shared Ethernet adapter. There are several potential solutions for this situation that are described in detail in [How to Use The Same External Ethernet Adapter For Multiple SCCM OSD](https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/how-to-use-the-same-external-ethernet-adapter-for-multiple-sccm/ba-p/257374), a blog post on the Core Infrastructure and Security Blog.