diff --git a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
index d535905d0d..0759f97b9a 100644
--- a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
+++ b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
@@ -45,26 +45,26 @@ Recent additions to the downloads for Surface devices provide you with options t
## Surface Book 2
-Download the following updates for Surface Book 2 from the Microsoft Download Center.
+Download the following updates for [Surface Book 2 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=56261).
* SurfaceBook2_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10
## Surface Laptop
-Download the following updates for Surface Laptop from the Microsoft Download Center.
+Download the following updates for [Surface Laptop from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55489).
* SurfaceLaptop_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10
## Surface Pro
-Download the following updates for Surface Pro (Model 1796) from the Microsoft Download Center.
+Download the following updates for [Surface Pro (Model 1796) from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55484).
* SurfacePro_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10
## Surface Pro with LTE Advanced
-Download the following updates for Surface Pro with LTE Advanced from the Microsoft Download Center.
+Download the following updates for [Surface Pro with LTE Advanced from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=56278).
* SurfacePro_LTE_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10
## Surface Studio
diff --git a/store-for-business/TOC.md b/store-for-business/TOC.md
index ed89a40966..5bd846269f 100644
--- a/store-for-business/TOC.md
+++ b/store-for-business/TOC.md
@@ -15,7 +15,7 @@
### [Assign apps to employees](assign-apps-to-employees.md)
### [Distribute apps with a management tool](distribute-apps-with-management-tool.md)
### [Distribute offline apps](distribute-offline-apps.md)
-## [Manage apps and devices](manage-apps-microsoft-store-for-business-overview.md)
+## [Manage products and services](manage-apps-microsoft-store-for-business-overview.md)
### [App inventory managemement for Microsoft Store for Business and Education](app-inventory-management-microsoft-store-for-business.md)
### [Manage app orders in Microsoft Store for Business and Education](manage-orders-microsoft-store-for-business.md)
### [Manage access to private store](manage-access-to-private-store.md)
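Review bot: The entry directly under the renamed "Manage products and services" heading still reads "App inventory managemement" in its link title. Since this hunk is already touching the section's titles, correct the spelling to "management" here and in the matching entry in store-for-business/education/TOC.md.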
@@ -23,6 +23,7 @@
### [Configure MDM provider](configure-mdm-provider-microsoft-store-for-business.md)
### [Manage Windows device deployment with Windows AutoPilot Deployment](add-profile-to-devices.md)
### [Microsoft Store for Business and Education PowerShell module - preview](microsoft-store-for-business-education-powershell-module.md)
+### [Manage software purchased with Microsoft Products and Services agreement in Microsoft Store for Business](manage-mpsa-software-microsoft-store-for-business.md)
## [Device Guard signing portal](device-guard-signing-portal.md)
### [Add unsigned app to code integrity policy](add-unsigned-app-to-code-integrity-policy.md)
### [Sign code integrity policy with Device Guard signing](sign-code-integrity-policy-with-device-guard-signing.md)
diff --git a/store-for-business/education/TOC.md b/store-for-business/education/TOC.md
index f5ff057e17..4de95964bc 100644
--- a/store-for-business/education/TOC.md
+++ b/store-for-business/education/TOC.md
@@ -20,7 +20,7 @@
### [Assign apps to employees](/microsoft-store/assign-apps-to-employees?toc=/microsoft-store/education/toc.json)
### [Distribute apps with a management tool](/microsoft-store/distribute-apps-with-management-tool?toc=/microsoft-store/education/toc.json)
### [Distribute offline apps](/microsoft-store/distribute-offline-apps?toc=/microsoft-store/education/toc.json)
-## [Manage apps](/microsoft-store/manage-apps-microsoft-store-for-business-overview?toc=/microsoft-store/education/toc.json)
+## [Manage products and services](/microsoft-store/manage-apps-microsoft-store-for-business-overview?toc=/microsoft-store/education/toc.json)
### [App inventory managemement for Microsoft Store for Business](/microsoft-store/app-inventory-management-microsoft-store-for-business?toc=/microsoft-store/education/toc.json)
### [Manage app orders in Microsoft Store for Business and Education](/microsoft-store/manage-orders-microsoft-store-for-business?toc=/microsoft-store/education/toc.json)
### [Manage access to private store](/microsoft-store/manage-access-to-private-store?toc=/microsoft-store/education/toc.json)
@@ -28,6 +28,7 @@
### [Configure MDM provider](/microsoft-store/configure-mdm-provider-microsoft-store-for-business?toc=/microsoft-store/education/toc.json)
### [Manage Windows device deployment with Windows AutoPilot Deployment](/microsoft-store/add-profile-to-devices?toc=/microsoft-store/education/toc.json)
### [Microsoft Store for Business and Education PowerShell module - preview](/microsoft-store/microsoft-store-for-business-education-powershell-module?toc=/microsoft-store/education/toc.json)
+### [Manage software purchased with Microsoft Products and Services agreement in Microsoft Store for Business](/microsoft-store/manage-mpsa-software-microsoft-store-for-business?toc=/microsoft-store/education/toc.json)
## [Device Guard signing portal](/microsoft-store/device-guard-signing-portal?toc=/microsoft-store/education/toc.json)
### [Add unsigned app to code integrity policy](/microsoft-store/add-unsigned-app-to-code-integrity-policy?toc=/microsoft-store/education/toc.json)
### [Sign code integrity policy with Device Guard signing](/microsoft-store/sign-code-integrity-policy-with-device-guard-signing?toc=/microsoft-store/education/toc.json)
diff --git a/store-for-business/images/bank-account-icon.png b/store-for-business/images/bank-account-icon.png
new file mode 100644
index 0000000000..664f8c7a6f
Binary files /dev/null and b/store-for-business/images/bank-account-icon.png differ
diff --git a/store-for-business/images/skype-icon-wn.png b/store-for-business/images/skype-icon-wn.png
new file mode 100644
index 0000000000..d9819ae0ae
Binary files /dev/null and b/store-for-business/images/skype-icon-wn.png differ
diff --git a/store-for-business/manage-apps-microsoft-store-for-business-overview.md b/store-for-business/manage-apps-microsoft-store-for-business-overview.md
index b46f2b5e80..5f765d2f3c 100644
--- a/store-for-business/manage-apps-microsoft-store-for-business-overview.md
+++ b/store-for-business/manage-apps-microsoft-store-for-business-overview.md
@@ -1,6 +1,6 @@
---
-title: Manage apps and devices in Microsoft Store for Business (Windows 10)
-description: Manage settings and access to apps in Microsoft Store for Business.
+title: Manage products and services in Microsoft Store for Business (Windows 10)
+description: Manage apps, software, devices, products and services in Microsoft Store for Business.
ms.assetid: 2F65D4C3-B02C-41CC-92F0-5D9937228202
ms.prod: w10
ms.mktglfcycl: manage
@@ -18,7 +18,7 @@ ms.date: 10/17/2017
- Windows 10
- Windows 10 Mobile
-Manage settings and access to apps in Microsoft Store for Business and Microsoft Store for Education.
+Manage products and services in Microsoft Store for Business and Microsoft Store for Education. This includes apps, software, products, devices, and services available under **Products & services**.
## In this section
@@ -28,4 +28,6 @@ Manage settings and access to apps in Microsoft Store for Business and Microsoft
| [App inventory managemement for Microsoft Store for Business and Education](app-inventory-management-microsoft-store-for-business.md) | You can manage all apps that you've acquired on your **Apps & software** page. |
| [Manage private store settings](manage-private-store-settings.md) | The private store is a feature in Microsoft Store for Business and Education that organizations receive during the sign up process. When admins add apps to the private store, all employees in the organization can view and download the apps. Only online-licensed apps can be distributed from your private store. |
| [Configure MDM provider](configure-mdm-provider-microsoft-store-for-business.md) | For companies or organizations using mobile device management (MDM) tools, those tools can synchronize with Microsoft Store for Business inventory to manage apps with offline licenses. Microsoft Store management tool services work with your third-party management tool to manage content. |
-| [Manage Windows device deployment with Windows AutoPilot Deployment](add-profile-to-devices.md) | In Microsoft Store for Business, you can manage devices for your organization and apply an AutoPilot deployment profile to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the AutoPilot deployment profile you applied to the device. |
\ No newline at end of file
+| [Manage Windows device deployment with Windows AutoPilot Deployment](add-profile-to-devices.md) | In Microsoft Store for Business, you can manage devices for your organization and apply an AutoPilot deployment profile to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the AutoPilot deployment profile you applied to the device. |
+| [Microsoft Store for Business and Education PowerShell module - preview](microsoft-store-for-business-education-powershell-module.md) | Use PowerShell cmdlets to automate basic app license assignment. |
+| [Manage software purchased with Microsoft Products and Services agreement in Microsoft Store for Business](manage-mpsa-software-microsoft-store-for-business.md) | Software purchased with the Microsoft Products and Services Agreement (MPSA) can be managed in Microsoft Store for Business and Education. This allows customers to manage online software purchases in one location. |
\ No newline at end of file
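Review bot: The file still ends without a trailing newline after the new MPSA row, so the next person who appends a table row will get the same remove-and-re-add diff on the last line that the AutoPilot row shows here. End the file with a newline as part of this change.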
diff --git a/store-for-business/manage-private-store-settings.md b/store-for-business/manage-private-store-settings.md
index 93d1f09234..eabd198c73 100644
--- a/store-for-business/manage-private-store-settings.md
+++ b/store-for-business/manage-private-store-settings.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
-ms.date: 2/15/2018
+ms.date: 3/29/2018
ms.localizationpriority: high
---
@@ -53,7 +53,7 @@ You can add a collection to your private store from the private store, or from t

4. Type a name for your collection, and then click **Next**.
-5. Add at least one product to your collection, and then click **Done**.
+5. Add at least one product to your collection, and then click **Done**. You can search for apps and refine results based on the source of the app, or the supported devices.
> [!NOTE]
> New collections require at least one app, or they will not be created.
@@ -64,7 +64,7 @@ You can add a collection to your private store from the private store, or from t
3. Under **Apps & software**, choose an app you want to include in a new collection.
4. Under **Private Store Collections**, click **Add a collection**.
-
+ 
5. Type a name for your collection, and then click **Next**.
6. Add at least one product to your collection, and then click **Done**.
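Review bot: Step 6 in this procedure ("Add at least one product to your collection, and then click **Done**.") is the same action as step 5 in the previous hunk, but only that one gained the sentence about searching and refining results by app source or supported devices. If search and filtering are available on both paths, add the sentence here too; if not, state the difference so the two procedures do not look accidentally out of sync.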
@@ -78,7 +78,7 @@ If you've already added a Collection to your private store, you can easily add a
1. Sign in to [Microsoft Store for Business](http://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
2. Click your private store.
-
+ 
3. Click the ellipses next to the collection name, and click **Edit collection**.
4. Add or remove products from the collection, and then click **Done**.
@@ -89,9 +89,8 @@ You can also add an app to a collection from the app details page.
3. Under **Apps & software**, choose an app you want to include in a new collection.
4. Under **Private Store Collections**, turn on the collection you want to add the app to.
-
+ 
-
\ No newline at end of file
+| Rename private store tab | 4-6 hours |
\ No newline at end of file
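Review bot: The new last line `| Rename private store tab | 4-6 hours |` is a table row, and the file still ends without a trailing newline. Add the newline. Also confirm that this table sits under a heading that generates the `#private-store-performance` anchor, because the what's-new page in this same change links to `manage-private-store-settings#private-store-performance`.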
diff --git a/store-for-business/microsoft-store-for-business-education-powershell-module.md b/store-for-business/microsoft-store-for-business-education-powershell-module.md
index 0f9242807a..acc4768d86 100644
--- a/store-for-business/microsoft-store-for-business-education-powershell-module.md
+++ b/store-for-business/microsoft-store-for-business-education-powershell-module.md
@@ -22,7 +22,7 @@ Microsoft Store for Business and Education PowerShell module (preview) is now av
> This is a preview and not intended for production environments. For production environments, continue to use **Microsoft Store for Business and Education** or your MDM tool to manage licenses. The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.
You can use the PowerShell module to:
-- View items you've purchased - shown in **Apps & software**
+- View items you've purchased - shown in **Products & services**
- Manage licenses - assigning and removing
- Perform bulk operations with .csv files - automates license management for customers with larger numbers of licenses
diff --git a/store-for-business/release-history-microsoft-store-business-education.md b/store-for-business/release-history-microsoft-store-business-education.md
index 705b6a6199..bbad8985d5 100644
--- a/store-for-business/release-history-microsoft-store-business-education.md
+++ b/store-for-business/release-history-microsoft-store-business-education.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
-ms.date: 2/8/2018
+ms.date: 3/29/2018
---
# Microsoft Store for Business and Education release history
@@ -15,6 +15,13 @@ Microsoft Store for Business and Education regularly releases new and improved f
Looking for info on the latest release? Check out [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md)
+## January and February 2018
+- **One place for apps, software, and subscriptions** - The new **Products & services** page in Microsoft Store for Business and Education gives customers a single place to manage all products and services.
+- **Create collections of apps in your private store** - Use **collections** to customize your private store. Collections allow you to create groups of apps that are commonly used in your organization or school -- you might create a collection for a Finance department, or a 6th-grade class. [Get more info](https://docs.microsoft.com/en-us/microsoft-store/manage-private-store-settings#private-store-collections)
+- **Upgrade Office 365 trial subscription** - Customers with Office 365 trials can now transition their trial to a paid subscription in Microsoft Store for Business. This works for trials you acquired from Microsoft Store for Business, or Office Admin Portal.
+- **Supporting Microsoft Product and Services Agreement customers** - If you are purchasing under the Microsoft Products and Services Agreement (MPSA), you can use Microsoft Store for Business. Here you will find access to Products & Services purchased, Downloads & Keys, Software Assurance benefits, Order history, and Agreement details.
+- **Microsoft Product and Services Agreement customers can invite people to take roles** - MPSA admins can invite people to take Microsoft Store for Business roles even if the person is not in their tenant. You provide an email address when you assign the role, and we'll add the account to your tenant and assign the role.
+
## December 2017
- Bug fixes and permformance improvements.
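Review bot: The agreement name is inconsistent within the added bullets: the bold titles say "Microsoft Product and Services Agreement" while the body text says "Microsoft Products and Services Agreement (MPSA)". Use one form throughout. The "Get more info" link also hard-codes the `en-us` locale (`docs.microsoft.com/en-us/microsoft-store/...`), whereas the same link in the what's-new page omits it; drop the locale segment so readers are not pinned to English. The "permformance" typo in the December 2017 context line could be fixed in the same pass.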
diff --git a/store-for-business/sfb-change-history.md b/store-for-business/sfb-change-history.md
index 457f36b96b..ab4aee52e5 100644
--- a/store-for-business/sfb-change-history.md
+++ b/store-for-business/sfb-change-history.md
@@ -7,7 +7,7 @@ ms.sitesec: library
ms.pagetype: store
author: TrudyHa
ms.author: TrudyHa
-ms.date: 10/31/2017
+ms.date: 3/29/2018
ms.localizationpriority: high
---
@@ -18,12 +18,32 @@ ms.localizationpriority: high
- Windows 10
- Windows 10 Mobile
+## March 2018
+| New or changed topic | Description |
+| --- | --- |
+| [Manage software purchased with Microsoft Products and Services agreement in Microsoft Store for Business](manage-mpsa-software-microsoft-store-for-business.md) | New |
+| [Manage private store settings](manage-private-store-settings.md) | Update for adding private store performance improvements. |
+| [What's New in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) | Update |
+
+## February 2018
+
+| New or changed topic | Description |
+| --- | --- |
+| [Manage private store settings](manage-private-store-settings.md) | Update for adding private store collections. |
+| [What's New in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) | Update |
+
+## November 2017
+
+| New or changed topic | Description |
+| --- | --- |
+| [What's New in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) | Update |
+
## October 2017
| New or changed topic | Description |
| --- | --- |
| [Manage Windows device deployment with Windows AutoPilot Deployment](add-profile-to-devices.md) | Update. Add profile settings with supported build info. |
-| [What's New in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) | Update. |
+| [What's New in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) | Update |
## September 2017
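Review bot: The new "## March 2018" heading is followed immediately by the table header row, while the February 2018 and November 2017 sections added in the same hunk have a blank line between the heading and the table. Add the blank line under March 2018 so the three new sections are formatted the same way.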
diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md
index fd595f2771..0c4e59c682 100644
--- a/store-for-business/whats-new-microsoft-store-business-education.md
+++ b/store-for-business/whats-new-microsoft-store-business-education.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
-ms.date: 2/16/2018
+ms.date: 3/29/2018
---
# What's new in Microsoft Store for Business and Education
@@ -15,17 +15,14 @@ Microsoft Store for Business and Education regularly releases new and improved f
## Latest updates for Store for Business and Education
-**January & February, 2018**
+**March 2018**
| | |
|--------------------------------------|---------------------------------|
-|  |**One place for apps, software, and subscriptions**
The new **Products & services** page in Microsoft Store for Business and Education gives customers a single place to manage all products and services. This includes Apps, Software, and Subscriptions that your organization acquired or manages through Microsoft Store for Business. This change centralizes these products, but the platform changes also improve overall performance.
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education |
-|  |**Create collections of apps in your private store**
Use **collections** to customize your private store. Collections allow you to create groups of apps that are commonly used in your organization or school -- you might create a collection for a Finance department, or a 6th-grade class.
[Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-collections)
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education |
-|  |**Upgrade Office 365 trial subscription**
Customers with Office 365 trials can now transition their trial to a paid subscription in Microsoft Store for Business. This works for trials you acquired from Microsoft Store for Business, or Office Admin Portal.
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education |
-|  |**Supporting Microsoft Product and Services Agreement customers**
If you are purchasing under the Microsoft Products and Services Agreement (MPSA), you can use Microsoft Store for Business. Here you will find access to Products & Services purchased, Downloads & Keys, Software Assurance benefits, Order history, and Agreement details. Also, we added the ability to associate your purchasing account to your tenant.
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education |
-|  |**Microsoft Product and Services Agreement customers can invite people to take roles**
MPSA admins can invite people to take Microsoft Store for Business roles even if the person is not in their tenant. You provide an email address when you assign the role, and we'll add the account to your tenant and assign the role.
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education |
-
-
+|  |**Performance improvements in private store**
We've made it significantly faster for you to update the private store. Many changes to the private store are available immediately after you make them.
[Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-performance)
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education |
+|  |**Private store collection updates**
We’ve made it easier to find apps when creating private store collections – now you can search and filter results.
[Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-collections)
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education |
+|  |**Manage Skype communication credits in Microsoft Store for Business and Education**
Office 365 customers that own Skype Communication Credits can now see and manage them in Microsoft Store for Business. You can view your account, add funds to your account, and manage auto-recharge settings.
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education |
+|  |**Upgrade Office 365 trial subscription**
Customers with Office 365 can upgrade their subscription and automatically re-assign their user licenses over to a new target subscription. For example, you could upgrade your Office 365 Business to Office 365 Business Premium.
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education |
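Review bot: The last added row keeps the title "Upgrade Office 365 trial subscription", but its new body text describes upgrading an existing subscription and re-assigning user licenses (the example is Office 365 Business to Office 365 Business Premium) and no longer mentions trials. Retitle the row to match the text, or restore the trial wording if that is still the feature being announced. The added rows also mix apostrophe styles ("We've" in the first row, "We’ve" in the second); pick one.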
@@ -36,7 +37,7 @@ Footnotes:
## CSP support
-[APPLICATION CSP](application-csp.md)
+[AccountManagement CSP](accountmanagement-csp.md)
@@ -50,13 +51,13 @@ Footnotes:
Mobile Enterprise |
-  |
-  |
- |
-  |
-  |
-  |
-  |
+  |
+  |
+  |
+  |
+  |
+  |
+  |
@@ -119,6 +120,34 @@ Footnotes:
+
+[APPLICATION CSP](application-csp.md)
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+  |
+ |
+  |
+  |
+  |
+  |
+
+
+
+
+
+
[AppLocker CSP](applocker-csp.md)
@@ -2509,7 +2538,8 @@ Footnotes:
Footnotes:
- 1 - Added in Windows 10, version 1607
- 2 - Added in Windows 10, version 1703
-- 3 - Added in Windows 10, version 1803
+- 3 - Added in Windows 10, version 1709
+- 4 - Added in Windows 10, version 1803
## CSP DDF files download
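Review bot: Renumbering footnote 3 from "version 1803" to "version 1709" and introducing footnote 4 for 1803 changes the meaning of every existing superscript 3 on the page. The visible hunks do not show the table cells being updated, so confirm that each cell that previously referenced footnote 3 to mean 1803 now references 4; otherwise those features will be documented as available one release earlier than they are.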
@@ -2527,6 +2557,7 @@ The following list shows the configuration service providers supported in Window
| Configuration service provider | Windows Holographic edition | Windows Holographic for Business edition |
|--------|--------|------------|
+| [AccountManagement CSP](accountmanagement-csp.md) |  | 3 |
| [Application CSP](application-csp.md) |  |  |
| [AppLocker CSP](applocker-csp.md) |  |  |
| [CertificateStore CSP](certificatestore-csp.md) |  | |
@@ -2549,30 +2580,11 @@ The following list shows the configuration service providers supported in Window
Footnotes:
- 2 - Added in Windows 10, version 1703
-
-## New CSPs added in Windows 10, version 1703
-
-- [BitLocker CSP](bitlocker-csp.md)
-- [CleanPC CSP](cleanpc-csp.md)
-- [DeveloperSetup CSP](developersetup-csp.md)
-- [DynamicManagement CSP](dynamicmanagement-csp.md)
-- [EnterpriseAppVManagement CSP](enterpriseappvmanagement-csp.md)
-- [Messaging CSP](messaging-csp.md)
-- [NetworkProxy CSP](networkproxy-csp.md)
-- [NetworkQoSPolicy CSP](networkqospolicy-csp.md)
-- [Office CSP](office-csp.md)
-- [Personalization CSP](personalization-csp.md)
-
-## New CSPs added in Windows 10, version 1511
-
-- [AllJoynManagement CSP](alljoynmanagement-csp.md)
-- [Maps CSP](maps-csp.md)
-- [Reporting CSP](reporting-csp.md)
-- [SurfaceHub CSP](surfacehub-csp.md)
-- [WindowsSecurityAuditing CSP](windowssecurityauditing-csp.md)
+- 3 - Added in Windows 10, version 1803
## CSPs supported in Microsoft Surface Hub
+- [AccountManagement CSP](accountmanagement-csp.md)
- [APPLICATION CSP](application-csp.md)
- [CertificateStore CSP](certificatestore-csp.md)
- [ClientCertificateInstall CSP](clientcertificateinstall-csp.md)
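Review bot: The footnote added here, "3 - Added in Windows 10, version 1803", conflicts with the earlier footnote list on the same page, where this change redefines 3 as version 1709 and uses 4 for 1803. The new AccountManagement CSP row in the Holographic table depends on this local definition, so a reader who carries the numbering over from the main tables will read the wrong release. Use 4 here as well, or label the footnotes so the two lists cannot be confused. This hunk also deletes the "New CSPs added in Windows 10, version 1703" and "version 1511" sections; check for inbound links to those headings before removing them.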
diff --git a/windows/client-management/mdm/images/provisioning-csp-accountmanagement.png b/windows/client-management/mdm/images/provisioning-csp-accountmanagement.png
new file mode 100644
index 0000000000..1475cb600f
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-accountmanagement.png differ
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index d7a8fb3533..80b89c5326 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -10,7 +10,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 03/15/2018
+ms.date: 03/23/2018
---
# What's new in MDM enrollment and management
@@ -1329,11 +1329,16 @@ For details about Microsoft mobile device management protocols for Windows 10 s
+<<<<<<< HEAD
+[AccountManagement CSP](accountmanagement-csp.md) |
+Added a new CSP in Windows 10, version 1803.
+=======
| [RootCATrustedCertificates CSP](rootcacertificates-csp.md) |
Added the following node in Windows 10, version 1803:
+>>>>>>> 2aa0839b99c52229c7cf43d58f467019b1284a6a
|
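Review bot: Unresolved merge-conflict markers are being committed in this hunk: the added lines `<<<<<<< HEAD`, `=======` and `>>>>>>> 2aa0839b99c52229c7cf43d58f467019b1284a6a` will be published as literal text inside the change table. Resolve the conflict, remove the three marker lines, and keep the AccountManagement CSP and RootCATrustedCertificates CSP entries as separate, complete rows. The same AccountManagement CSP entry is also added in the next hunk, so confirm which placements are intended.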
@@ -1640,6 +1645,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
+[AccountManagement CSP](accountmanagement-csp.md) |
+Added a new CSP in Windows 10, version 1803.
+ |
+
[RootCATrustedCertificates CSP](rootcacertificates-csp.md) |
Added the following node in Windows 10, version 1803:
diff --git a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 746ae03946..ddc0530800 100644
--- a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -77,14 +77,13 @@ Here's a list of changes that were made to this article for Windows 10, version
## Management options for each setting
-
The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all of these connections.
If you're running Windows 10, they will be included in the next update for the Long Term Servicing Branch.
### Settings for Windows 10 Enterprise edition
-See the following table for a summary of the management settings for Windows 10 Enterprise, version 1709 and Windows 10 Enterprise, version 1703.
+The following table lists management options for each setting, beginning with Windows 10 Enterprise version 1703.
| Setting | UI | Group Policy | MDM policy | Registry | Command line |
| - | :-: | :-: | :-: | :-: | :-: |
diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md
index db15a838fa..2df4f8952f 100644
--- a/windows/deployment/TOC.md
+++ b/windows/deployment/TOC.md
@@ -248,6 +248,7 @@
##### [Security Update Status report](update/update-compliance-security-update-status.md)
##### [Feature Update Status report](update/update-compliance-feature-update-status.md)
##### [Windows Defender AV Status report](update/update-compliance-wd-av-status.md)
+##### [Delivery Optimization in Update Compliance](update/update-compliance-delivery-optimization.md)
##### [Update Compliance Perspectives](update/update-compliance-perspectives.md)
### [Device Health](update/device-health-monitor.md)
#### [Get started with Device Health](update/device-health-get-started.md)
diff --git a/windows/deployment/update/device-health-using.md b/windows/deployment/update/device-health-using.md
index 3526ae3850..f14b1981bc 100644
--- a/windows/deployment/update/device-health-using.md
+++ b/windows/deployment/update/device-health-using.md
@@ -4,7 +4,7 @@ description: Explains how to begin usihg Device Health.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.date: 10/10/2017
+ms.date: 03/21/20178
ms.pagetype: deploy
author: jaimeo
---
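Review bot: The changed metadata line `ms.date: 03/21/20178` has a five-digit year and is not a valid date; it presumably should be `03/21/2018`. The description in the same front matter still reads "how to begin usihg Device Health" and could be corrected in the same edit.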
@@ -90,6 +90,142 @@ Clicking a listed driver on the Driver-Induced OS Crashes blade opens a driver p
The driver version table can help you determine whether deploying a newer version of the driver might help you reduce the crash rate. In the example shown above, the most commonly installed driver version (19.15.1.5) has a crash rate of about one-half of one percent--this is low, so this driver is probably fine. However, driver version 19.40.0.3 has a crash rate of almost 20%. If that driver had been widely deployed, updating it would substantially reduce the overal number of crashes in your organization.
+## App Reliability
+
+The App Reliability report shows you useful data on app usage and behavior so that you can identify apps that are misbehaving and then take steps to resolve the problem.
+
+### App reliability events
+
+The default view includes the **Devices with events** count, which shows the number of devices in your organization that have logged a reliability event for a given app over the last 14 days. A "reliability event" occurs when an app either exits unexpectedly or stops responding. The table also includes a **Devices with Usage** count. This enables you to see how widely used the app was over the same period to put the Devices with Events count into perspective.
+
+
+
+When you click a particular app, the detailed **App reliability** view opens. The first element in the view is the App Information summary:
+
+
+
+This table contains:
+
+- App name
+- Publisher
+- Devices with usage: the number of unique devices that logged any usage of the app
+- Devices with events: the number of unique devices that logged any reliability event for the app
+- % with events: the ratio of "devices with events" to "devices with usage"
+- % with events (commercial average): the ratio of "devices with events" to "devices with usage" in data collected from deployments with a mix of operating system versions and device models that is similar to yours. This can help you decide if a given app is having problems specifically in your environment or more generally in many environments.
+
+#### Trend section
+Following the App Information summary is the trend section:
+
+
+
+With these trend graphs you can more easily detect if an issue is growing, shrinking, or steady. The trend graph on the left shows the number of devices that logged any reliability event for the app. The trend graph on the right shows the ratio of "devices with events" to "devices with usage."
+
+Each graph displays two lines:
+
+- Trailing window: in this line, each day’s value reflects reliability events that occurred in the 14 days leading up to that day. This is useful for gauging the long-term trend with reduced volatility due to weekends and small populations.
+- Single day: Each day’s value reflects reliability events that occurred in a single day. This is useful if an issue is quickly emerging (or being resolved).
+
+#### App and OS versions table
+The next element in the view is the App and OS versions table:
+
+
+
+
+This table breaks out the metrics by combinations of App and OS version. This enables you to identify patterns in that might indicate devices needing an update or configuration change.
+
+For example, if the table shows that a later version of an app is more reliable than an earlier version in your environment, then prioritizing deployment of the later version is likely the best path forward. If you are already running the latest version of the app, but reliability events are increasing, then you might need to do some troubleshooting, or seek support from Microsoft or the app vendor.
+
+By default the table is limited to the most-used version combinations in your environment. To see all version combinations click anywhere in the table.
+
+
+#### Reliability event history table
+
+The next element in the view is the reliability event history table:
+
+
+
+This table shows the most detailed information. Although Device Health is not a debugging tool, the details available in this table can help with troubleshooting by providing the specific devices, versions, and dates of the reliability events.
+
+This view also includes the **Diagnostic Signature** column. This value can be helpful when you are working with product support or troubleshooting on your own. The value (also known as Failure ID or Failure Name) is the same identifier used to summarize crash statistics for Microsoft and partner developers.
+
+The Diagnostic Signature value contains the type of reliability event, error code, DLL name, and function name involved. You can use this information to narrow the scope of troubleshooting. For example, a value like *APPLICATION_HANG_ThreadHang_Contoso-Add-In.dll!GetRegistryValue()* implies that the app stopped responding when Contoso-Add-In was trying to read a registry value. In this case you might prioritize updating or disabling the add-in, or using Process Monitor to identify the registry value it was trying to read, which could lead to a resolution through antivirus exclusions, fixing missing keys, or similar remedies.
+
+
+By default the table is limited to a few recent rows. To see all rows click anywhere in the table.
+
+
+### FAQs and limitations
+
+#### Why does a particular app not appear in the views?
+When we allow reliability events from all processes, the list of apps fills with noisy processes which don't feel like meaningful end-user apps (for example, taskhost.exe or odd-test-thing.exe). In order to draw focus to the apps which matter most to users, App Reliability uses a series of filters to limit what appears in the list. The filter criteria include the following:
+
+- Filter out background processes which have no detected user interaction.
+- Filter out operating system processes which, despite having user interaction, do not feel like apps (for example, Logonui.exe, Winlogon.exe). **Known limitation:** Some processes which may feel like apps are not currently detected as such (and are therefore filtered out as OS processes). These include Explorer.exe, Iexplore.exe, Microsoftedge.exe, and several others.
+- Remove apps which are not widely used in your environment. **Known limitation:** This might result in an app that you consider important being filtered out when that app is not among the 30 most widely used in your environment.
+
+
+We welcome your suggestions and feedback on this filtering process at the [Device Health Tech Community](https://aka.ms/community/DeviceHealth).
+
+#### Why are there multiple names and entries for the same app?
+For example, you might see *Skype for Business*, *‘skype for business’*, and *Lync* listed separately, but you only use *Skype for Business*. Or you might see *MyApp Pro* and *MyApp Professional* listed separately, even though they feel like the same thing.
+
+
+
+#### Clicking an app in the App Reliability Events blade sometimes results a List view of records instead of the App Reliability view
+To work around this, click the **App Reliability** tab above the results to see the expected view.
+
+
+
+
+#### Clicking "See all…" from the App Reliability Events blade followed by clicking an app from the expanded list results in raw records instead of the App Reliability view
+To work around this, replace all of the text in the Log Search query box with the following:
+
+*DHAppReliability | where AppFileDisplayName == ""*
+
+For example:
+
+*DHAppReliability | where AppFileDisplayName == "Microsoft Outlook"*
+
+
+
+## Login Health
+
+Login Health provides reports on Windows login attempts in your environment, including metrics on the login methods being used (such as Windows Hello, face recognition, fingerprint recognition, PIN, or password), the rates and patterns of login success and failure, and the specific reasons logins have failed.
+
+The Login Health blades appear in the Device Health dashboard:
+
+
+
+
+### Login Errors
+The **Login errors** blade displays data on the frequency and type of errors, with statistics on specific errors. They are generally categorized into user-generated (caused by bad input) or non-user-generated (might need IT intervention) errors. Click any individual error to see all instances of the error's occurence for the specified time period.
+
+### Login Metrics by Type
+The **Login metrics by type** blade shows the success rate for your devices, as well as the success rate for other environments with a mix of operating system versions and device models similar to yours (the **Commercial average success rate**).
+
+In the table (by type) you can gauge how broadly each login type is attempted, the number of devices that prefer the type (most used), and the success rate. If migration from passwords to an alternative such as Hello: PIN is going well, you would see high usage and high success rates for the new type.
+
+Click any of the login types to see detailed login health data for that type:
+
+
+
+This view shows trends over time of usage, preferred credentials, and success rate along with the most frequent errors and frequently failing devices for that login type.
+
+Click a specific login error in this view to see a list of all instances for that error and login type within the specified time range:
+
+
+
+Included in this view are device attributes and error attributes such as the following:
+
+- LogonStatus/LogonSubStatus: Status code for the login attempt
+- SignInFailureReason: Known failure reasons evaluated from status or sub-status
+- SuggestedSignInRemediation: Suggested remediation that was presented to the user at the time of error
+
+The filters in the left pane allow you to filter errors to a particular operating system, device model, or other parameters. Alternatively, clicking the most frequently failing models from the Login Health perspective will take you to a list of error instances filtered to the login type and specified device model within the specified time range.
+
+>[!NOTE]
+> Windows Hello: Face authentication errors are not currently included in the login health reports.
+
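Review bot: the FAQ entry "Why are there multiple names and entries for the same app?" describes the symptom (*Skype for Business*, *Lync*, *MyApp Pro*) but gives no cause or workaround, so the question is left unanswered; add the explanation or mark it as a known limitation, as the previous FAQ item does. In the Log Search workaround the template query reads `AppFileDisplayName == ""`, which matches only records with an empty display name if pasted as is; show a visible placeholder for the app name. Wording to fix in the added text: "patterns in that might indicate", "results a List view", and "occurence" in the Login errors paragraph.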
diff --git a/windows/deployment/update/images/app-reliability-app-OS-version.png b/windows/deployment/update/images/app-reliability-app-OS-version.png
new file mode 100644
index 0000000000..c281dcc316
Binary files /dev/null and b/windows/deployment/update/images/app-reliability-app-OS-version.png differ
diff --git a/windows/deployment/update/images/app-reliability-app-detail.png b/windows/deployment/update/images/app-reliability-app-detail.png
new file mode 100644
index 0000000000..8c402bb91f
Binary files /dev/null and b/windows/deployment/update/images/app-reliability-app-detail.png differ
diff --git a/windows/deployment/update/images/app-reliability-event-history.png b/windows/deployment/update/images/app-reliability-event-history.png
new file mode 100644
index 0000000000..f28ab02908
Binary files /dev/null and b/windows/deployment/update/images/app-reliability-event-history.png differ
diff --git a/windows/deployment/update/images/app-reliability-main.png b/windows/deployment/update/images/app-reliability-main.png
new file mode 100644
index 0000000000..18a1bd7f31
Binary files /dev/null and b/windows/deployment/update/images/app-reliability-main.png differ
diff --git a/windows/deployment/update/images/app-reliability-tab.png b/windows/deployment/update/images/app-reliability-tab.png
new file mode 100644
index 0000000000..17eae401f4
Binary files /dev/null and b/windows/deployment/update/images/app-reliability-tab.png differ
diff --git a/windows/deployment/update/images/app-reliability-trend-view.png b/windows/deployment/update/images/app-reliability-trend-view.png
new file mode 100644
index 0000000000..2d26df93d3
Binary files /dev/null and b/windows/deployment/update/images/app-reliability-trend-view.png differ
diff --git a/windows/deployment/update/images/login-health-detail-failure.png b/windows/deployment/update/images/login-health-detail-failure.png
new file mode 100644
index 0000000000..76865225a1
Binary files /dev/null and b/windows/deployment/update/images/login-health-detail-failure.png differ
diff --git a/windows/deployment/update/images/login-health-detail.png b/windows/deployment/update/images/login-health-detail.png
index 2d3871fc42..45867cefc5 100644
Binary files a/windows/deployment/update/images/login-health-detail.png and b/windows/deployment/update/images/login-health-detail.png differ
diff --git a/windows/deployment/update/images/login-health.png b/windows/deployment/update/images/login-health.png
index fd4f6740bd..e250351fb5 100644
Binary files a/windows/deployment/update/images/login-health.png and b/windows/deployment/update/images/login-health.png differ
diff --git a/windows/deployment/update/update-compliance-delivery-optimization.md b/windows/deployment/update/update-compliance-delivery-optimization.md
index 97ea94c567..92c577feea 100644
--- a/windows/deployment/update/update-compliance-delivery-optimization.md
+++ b/windows/deployment/update/update-compliance-delivery-optimization.md
@@ -1,5 +1,5 @@
---
-title: DO in Update Compliance (Windows 10)
+title: Delivery Optimization in Update Compliance (Windows 10)
description: new Delivery Optimization data displayed in Update Compliance
ms.prod: w10
ms.mktglfcycl: deploy
@@ -7,14 +7,15 @@ ms.sitesec: library
ms.pagetype: deploy
author: jaimeo
ms.author: jaimeo
-ms.date: 03/23/2018
+ms.date: 03/27/2018
---
-# DO in Update Compliance
+# Delivery Optimization in Update Compliance
+The Update Compliance solution of Windows Analytics provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days.
## Delivery Optimization Status
-The Delivery Optimization Status section provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days. There are three blades in the Delivery Optimization Status:
+The Delivery Optimization Status section includes three blades:
- The **Device Configuration** blade shows a breakdown of download configuration for each device
- The **Content Distribution (%)** blade shows the percentage of bandwidth savings for each category
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
index d5f526f94f..10032d6303 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
@@ -6,10 +6,10 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
-author: DaniHalfin
-ms.localizationpriority: high
-ms.author: daniha
-ms.date: 09/08/2017
+author: mikestephens-MS
+ms.author: mstephen
+localizationpriority: high
+ms.date: 03/26/2018
---
# Prepare and Deploy Windows Server 2016 Active Directory Federation Services
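Review bot: the front matter in this hunk renames `ms.localizationpriority: high` to `localizationpriority: high` in the same edit that swaps the author fields; confirm the rename is intended and that the publishing pipeline reads the unprefixed key. The other Hello for Business files in this patch already carry `localizationpriority: high`, so whichever form is recognised should be used across all of them.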
@@ -36,7 +36,7 @@ Prepare the Active Directory Federation Services deployment by installing and up
Sign-in the federation server with _local admin_ equivalent credentials.
1. Ensure Windows Server 2016 is current by running **Windows Update** from **Settings**. Continue this process until no further updates are needed. If you’re not using Windows Update for updates, please advise the [Windows Server 2016 update history page](https://support.microsoft.com/help/4000825/windows-10-windows-server-2016-update-history) to make sure you have the latest updates available installed.
-2. Ensure the latest server updates to the federation server includes [KB4034658 (14393.1593)](https://support.microsoft.com/en-us/help/4034658).
+2. Ensure the latest server updates to the federation server includes [KB4088889 (14393.2155)](https://support.microsoft.com/en-us/help/4088889).
>[!IMPORTANT]
>The above referenced updates are mandatory for Windows Hello for Business all on-premises deployment and hybrid certificate trust deployments for domain joined computers.
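Review bot: step 1 still reads "please advise the Windows Server 2016 update history page", which should be "please review" as in the matching step of hello-key-trust-adfs.md; fix it while this list is being edited. In the changed step 2, "Ensure the latest server updates to the federation server includes" should read "include", and since the step now names a specific minimum (KB4088889, 14393.2155) it would help to say how an admin confirms the server is at or above that build.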
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
index 866c851a11..0ed566fedc 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
@@ -9,7 +9,7 @@ ms.pagetype: security, mobile
author: mikestephens-MS
ms.author: mstephen
localizationpriority: high
-ms.date: 02/23/2018
+ms.date: 03/26/2018
---
# Configure Device Registration for Hybrid Windows Hello for Business
@@ -88,7 +88,7 @@ Once you have your AD FS design ready, review [Deploying a Federation Server far
> [!IMPORTANT]
> During your AD FS deployment, skip the **Configure a federation server with Device Registration Service** and the **Configure Corporate DNS for the Federation Service and DRS** procedures.
-The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4034658 (14393.1593)](https://support.microsoft.com/en-us/help/4034658), which is automatically downloaded and installed through Windows Update. If your AD FS farm is not running the AD FS role with updates from Windows Server 2016, then read [Upgrading to AD FS in Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016)
+The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4088889 (14393.2155)](https://support.microsoft.com/en-us/help/4088889). If your AD FS farm is not running the AD FS role with updates from Windows Server 2016, then read [Upgrading to AD FS in Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016)
#### ADFS Web Proxy ###
Federation server proxies are computers that run AD FS software that have been configured manually to act in the proxy role. You can use federation server proxies in your organization to provide intermediary services between an Internet client and a federation server that is behind a firewall on your corporate network.
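Review bot: the replacement sentence drops "which is automatically downloaded and installed through Windows Update" without saying how KB4088889 is obtained, so a reader cannot tell whether the update arrives automatically or needs a manual install. If it is no longer delivered automatically, say so and point to the KB page for the download; if it still is, keep the clause. The sentence also ends on the link with no closing period.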
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
index 6b742dba4b..ed3b027ada 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
@@ -9,7 +9,7 @@ ms.pagetype: security, mobile
author: mikestephens-MS
ms.author: mstephen
localizationpriority: high
-ms.date: 11/08/2017
+ms.date: 03/26/2018
---
# Hybrid Windows Hello for Business Prerequisites
@@ -80,12 +80,12 @@ Organizations using older directory synchronization technology, such as DirSync
## Federation ##
Federating your on-premises Active Directory with Azure Active Directory ensures all identities have access to all resources regardless if they reside in cloud or on-premises. Windows Hello for Business hybrid certificate trust needs Windows Server 2016 Active Directory Federation Services. All nodes in the AD FS farm must run the same version of AD FS. Additionally, you need to configure your AD FS farm to support Azure registered devices.
-The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4034658 (14393.1593)](https://support.microsoft.com/en-us/help/4034658), which is automatically downloaded and installed through Windows Update. If your AD FS farm is not running the AD FS role with updates from Windows Server 2016, then read [Upgrading to AD FS in Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016)
+The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4088889 (14393.2155)](https://support.microsoft.com/en-us/help/4088889). If your AD FS farm is not running the AD FS role with updates from Windows Server 2016, then read [Upgrading to AD FS in Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016)
### Section Review ###
> [!div class="checklist"]
> * Windows Server 2016 Active Directory Federation Services
-> * Minimum update of [KB4034658 (14393.1593)](https://support.microsoft.com/en-us/help/4034658)
+> * Minimum update of [KB4088889 (14393.2155)](https://support.microsoft.com/en-us/help/4088889)
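Review bot: the minimum-update sentence under Federation is word for word the one changed in hello-hybrid-cert-trust-devreg.md, and this patch has to bump the KB number there, here, and again in the Section Review checklist. Consider keeping the requirement in one place and linking to it, so a future KB change cannot leave the copies disagreeing about the minimum AD FS patch level.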
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
index 5109222155..622367ea79 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
@@ -9,7 +9,7 @@ ms.pagetype: security, mobile
author: mikestephens-MS
ms.author: mstephen
localizationpriority: high
-ms.date: 10/23/2017
+ms.date: 03/26/2018
---
# Hybrid Windows Hello for Business Provisioning
@@ -48,12 +48,14 @@ The provisioning flow has all the information it needs to complete the Windows H
The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key. AAD Connect syncrhonizes the user's key to the on-prem Active Directory.
> [!IMPORTANT]
-> The minimum time needed to syncrhonize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. The Azure AD Connect scheduler controls the synchronization interval.
+> The following is the enrollment behavior prior to Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/en-us/help/4088889).
+
+> The minimum time needed to synchronize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. The Azure AD Connect scheduler controls the synchronization interval.
> **This synchronization latency delays the the user's ability to authenticate and use on-premises resouces until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources.
> Read [Azure AD Connect sync: Scheduler](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization.
> [!NOTE]
-> Microsoft is actively investigating ways to reduce the syncrhonization latency and delays in certificate enrollment with the goal to make certificate enrollment occur real-time.
+> Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/en-us/help/4088889) provides synchronous certificate enrollment during hybrid certificate trust provisioning. With this update, users no longer need to wait for Azure AD Connect to sync their public key on-premises. Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completeling the provisioning.
After a successful key registration, Windows creates a certificate request using the same key pair to request a certificate. Windows send the certificate request to the AD FS server for certificate enrollment.
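Review bot: the blank `+` line added after the new `> [!IMPORTANT]` lead-in ends the blockquote, so the callout will contain only the "prior to KB4088889" sentence and the 30-minute synchronization text that follows renders as a separate plain quote; remove the blank line or continue it with `>`. The new NOTE states that with the server update users no longer wait for Azure AD Connect, but the requirements table changed in hello-identity-verification.md ties synchronous certificate enrollment to Windows 10, version 1709 or later, so the client requirement should be stated here as well. Typos in this hunk: "completeling" in the added note, and "syncrhonizes", "the the" and "resouces" in the surrounding lines.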
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
index 4acb7d887b..732ecc5a7e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
@@ -9,7 +9,7 @@ ms.pagetype: security, mobile
localizationpriority: high
author: mikestephens-MS
ms.author: mstephen
-ms.date: 10/23/2017
+ms.date: 03/26/2018
---
# Configure Windows Hello for Business: Active Directory Federation Services
@@ -36,11 +36,6 @@ Sign-in the AD FS server with *Domain Admin* equivalent credentials.
```
-The `Set-AdfsCertificateAuthority` cmdlet should show the following warning:
->WARNING: PS0343: Issuing Windows Hello certificates requires enabling a permitted strong authentication provider, but no usable providers are currently configured. These authentication providers are not supported for Windows Hello certificates: CertificateAuthentication,MicrosoftPassportAuthentication. Windows Hello certificates will not be issued until a permitted strong authentication provider is configured.
-
-This warning indicates that you have not configured multi-factor authentication in AD FS and until it is configured, the AD FS server will not issue Windows Hello certificates. Windows 10, version 1703 clients check this configuration during prerequisite checks. If detected, the prerequisite check will not succeed and the user will not provision Windows Hello for Business on sign-in.
-
>[!NOTE]
> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the above command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority.
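Review bot: the removed lines were the only place in this hunk that told the reader AD FS will not issue Windows Hello certificates until a permitted strong authentication provider is configured, and that Windows 10, version 1703 clients fail the prerequisite check in that state. If `Set-AdfsCertificateAuthority` no longer emits warning PS0343 after KB4088889, say so in the commit message; if the multi-factor requirement still holds, keep a sentence stating it or link to where it is documented, since removing the text does not remove the dependency.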
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
index 3ade5c7cd8..52ec97995f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
@@ -9,7 +9,7 @@ ms.pagetype: security, mobile
author: mikestephens-MS
ms.author: mstephen
localizationpriority: high
-ms.date: 10/20/2017
+ms.date: 03/26/2018
---
# Windows Hello for Business Key Trust New Installation
@@ -70,7 +70,7 @@ Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 o
## Configure a Production Public Key Infrastructure
-If you do have an existing public key infrastructure, please review [Certification Authority Guidance](https://technet.microsoft.com/library/hh831574.aspx) from Microsoft TechNet to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](https://technet.microsoft.com/library/hh831348.aspx) for instructions on how to configure your public key infrastructure using the information from your design session.
+If you do not have an existing public key infrastructure, please review [Certification Authority Guidance](https://technet.microsoft.com/library/hh831574.aspx) from Microsoft TechNet to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](https://technet.microsoft.com/library/hh831348.aspx) for instructions on how to configure your public key infrastructure using the information from your design session.
> [!IMPORTANT]
> For Azure AD joined device to authenticate to and use on-premises resources, ensure you:
diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
index 96d449f9d3..c8fbfbe290 100644
--- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
+++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
@@ -10,7 +10,7 @@ ms.pagetype: security, mobile
author: mikestephens-MS
ms.author: mstephen
localizationpriority: high
-ms.date: 12/04/2017
+ms.date: 03/26/2018
---
# Windows Hello for Business
@@ -43,12 +43,12 @@ The table shows the minimum requirements for each deployment.
| Key trustGroup Policy managed | Certificate trustMixed managed | Key trustModern managed | Certificate trustModern managed |
| --- | --- | --- | --- |
-| Windows 10, version 1511 or later| Windows 10, version 1703 or later (domain joined)Windows 10, version 1511 or later (cloud joined) | Windows 10, version 1511 or later | Windows 10, version 1511 or later |
+| Windows 10, version 1511 or later| **Hybrid Azure AD Joined:** *Minimum:* Windows 10, version 1703 *Best experience:* Windows 10, version 1709 or later (supports synchronous certificate enrollment).**Azure AD Joined:** Windows 10, version 1511 or later| Windows 10, version 1511 or later | Windows 10, version 1511 or later |
| Windows Server 2016 Schema | Windows Server 2016 Schema | Windows Server 2016 Schema | Windows Server 2016 Schema |
| Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level| Windows Server 2008 R2 Domain/Forest functional level |Windows Server 2008 R2 Domain/Forest functional level |
| Windows Server 2016 Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | Windows Server 2016 Domain Controllers | Windows Server 2008 R2 or later Domain Controllers |
| Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority |
-| N/A | Windows Server 2016 AD FS with KB4022723 update (domain joined), andWindows Server 2012 or later Network Device Enrollment Service (cloud joined) | N/A | Windows Server 2012 or later Network Device Enrollment Service |
+| N/A | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/en-us/help/4088889) (hybrid Azure AD joined clients), andWindows Server 2012 or later Network Device Enrollment Service (Azure AD joined) | N/A | Windows Server 2012 or later Network Device Enrollment Service |
| Azure MFA tenant, orAD FS w/Azure MFA adapter, orAD FS w/Azure MFA Server adapter, orAD FS w/3rd Party MFA Adapter| Azure MFA tenant, orAD FS w/Azure MFA adapter, orAD FS w/Azure MFA Server adapter, orAD FS w/3rd Party MFA Adapter | Azure MFA tenant, orAD FS w/Azure MFA adapter, orAD FS w/Azure MFA Server adapter, orAD FS w/3rd Party MFA Adapter | Azure MFA tenant, orAD FS w/Azure MFA adapter, orAD FS w/Azure MFA Server adapter, orAD FS w/3rd Party MFA Adapter |
| Azure Account | Azure Account | Azure Account | Azure Account |
| Azure Active Directory | Azure Active Directory | Azure Active Directory | Azure Active Directory |
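Review bot: the rewritten operating-system cell runs its entries together ("enrollment).**Azure AD Joined:**", and "*Minimum:* ... *Best experience:*" with nothing between them), and the AD FS row has "andWindows Server 2012"; each entry needs an explicit line break inside the cell to be readable. The hunk also switches terminology from "domain joined" / "cloud joined" to "Hybrid Azure AD Joined" / "Azure AD joined" with inconsistent capitalisation between the two changed rows, while the IMPORTANT callouts in the AD FS guides touched by this patch still say "domain joined computers"; pick one term and casing and apply it throughout.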
@@ -65,7 +65,7 @@ The table shows the minimum requirements for each deployment.
| Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level |
| Windows Server 2016 Domain Controllers | Windows Server 2008 R2 or later Domain Controllers |
| Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority |
-| Windows Server 2016 AD FS with [KB4022723 update](https://support.microsoft.com/en-us/help/4022723) | Windows Server 2016 AD FS with [KB4022723 update](https://support.microsoft.com/en-us/help/4022723) |
+| Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/en-us/help/4088889) | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/en-us/help/4088889) |
| AD FS with Azure MFA Server, orAD FS with 3rd Party MFA Adapter | AD FS with Azure MFA Server, orAD FS with 3rd Party MFA Adapter |
| Azure Account, optional for Azure MFA billing | Azure Account, optional for Azure MFA billing |
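Review bot: both changed cells link "KB4088889 update" without the build number, while the deployment guides in this patch cite it as KB4088889 (14393.2155). Adding the build to the table gives administrators a value to compare against the server's reported OS build when confirming the prerequisite.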
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
index da1578c94d..827025586d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
@@ -9,7 +9,7 @@ ms.pagetype: security, mobile
author: mikestephens-MS
ms.author: mstephen
localizationpriority: high
-ms.date: 10/10/2017
+ms.date: 03/26/2018
---
# Prepare and Deploy Windows Server 2016 Active Directory Federation Services
@@ -36,7 +36,7 @@ Prepare the Active Directory Federation Services deployment by installing and up
Sign-in the federation server with _local admin_ equivalent credentials.
1. Ensure Windows Server 2016 is current by running **Windows Update** from **Settings**. Continue this process until no further updates are needed. If you’re not using Windows Update for updates, please review the [Windows Server 2016 update history page](https://support.microsoft.com/help/4000825/windows-10-windows-server-2016-update-history) to make sure you have the latest updates available installed.
-2. Ensure the latest server updates to the federation server includes [KB4034658 (14393.1593)](https://support.microsoft.com/en-us/help/4034658).
+2. Ensure the latest server updates to the federation server includes [KB4088889 (14393.2155)](https://support.microsoft.com/en-us/help/4088889).
>[!IMPORTANT]
>The above referenced updates are mandatory for Windows Hello for Business all on-premises deployment and hybrid certificate trust deployments for domain joined computers.
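Review bot: the IMPORTANT callout under the changed step 2 reads "mandatory for Windows Hello for Business all on-premises deployment and hybrid certificate trust deployments", which is garbled and, in a key trust guide, names only certificate trust for hybrid. Reword it to something like "mandatory for all Windows Hello for Business on-premises deployments" and confirm whether the new KB4088889 minimum is meant to apply to key trust, given that the provisioning note in this patch describes the update as providing synchronous certificate enrollment for hybrid certificate trust.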
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index 6fb47a926e..61dc742a69 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -9,13 +9,12 @@ ms.pagetype: security, mobile
author: mikestephens-MS
ms.author: mstephen
localizationpriority: high
-ms.date: 10/20/2017
+ms.date: 03/26/2018
---
# Planning a Windows Hello for Business Deployment
**Applies to**
- Windows 10
-- Windows 10 Mobile
> This guide only applies to Windows 10, version 1511 or higher.
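Review bot: the front matter shown in the hunk header still reads `ms.pagetype: security, mobile`, while this change removes "Windows 10 Mobile" from **Applies to**. If the guide no longer covers mobile, drop `mobile` from `ms.pagetype` in the same change so the metadata and the body agree; if it is kept on purpose, say why in the commit message.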
@@ -176,7 +175,7 @@ A successful Windows Hello for Business requires all devices to register with th
If box **1a** on your planning worksheet reads **cloud only** or **hybrid**, write **Azure** in box **1c** on your planning worksheet.
-If box **1a** on your planning worksheet reads **on-premises**, write **AF FS** in box **1c** on your planning worksheet.
+If box **1a** on your planning worksheet reads **on-premises**, write **AD FS** in box **1c** on your planning worksheet.
### Key Registration
@@ -184,7 +183,7 @@ All users provisioning Windows Hello for Business have their public key register
If box **1a** on your planning worksheet reads **cloud only** or **hybrid**, write **Azure** in box **1d** on your planning worksheet.
-If box **1a** on your planning worksheet reads **on-premises**, write **AF FS** in box **1d** on your planning worksheet.
+If box **1a** on your planning worksheet reads **on-premises**, write **AD FS** in box **1d** on your planning worksheet.
### Directory Synchronization
diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md
index 1b64be5e1d..09d483458c 100644
--- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md
+++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md
@@ -84,7 +84,7 @@ Configure the **Maximum lifetime for user ticket renewal** setting to 7 days.
### Potential impact
-None. This is the default configuration.
+Seven (7) days is the default configuration. Changing the default configuration is a tradeoff between user convenience and security. A shorter time period requires users to authenticate with a DC more often, but remote users who authenticate with a DC infrequently can be locked out of services until they reauthenticate.
## Related topics
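Review bot: the new **Potential impact** text announces a tradeoff between convenience and security but then lists only costs of a shorter period, joined by "but" as if the second clause were the counterweight. Add the security side explicitly (what a shorter renewal lifetime buys, and what a longer one gives up) so an administrator can actually weigh the two. "DC" is also used without being expanded in the added text; write "domain controller (DC)" on first use. "Seven (7) days" can simply be "7 days" to match the context line `Configure the **Maximum lifetime for user ticket renewal** setting to 7 days.`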
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
index 1da2319b09..67f8c2bdd0 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
@@ -117,6 +117,66 @@ Configuration for onboarded machines: diagnostic data reporting frequency | ./De
>[!TIP]
> After onboarding the endpoint, you can choose to run a detection test to verify that an endpoint is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
+### Using the Azure Intune Portal to deploy Windows Defender Advanced Threat Protection policies on Windows 10 1607 and higher
+
+1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
+
+ a. Select **Endpoint management** > **Clients** on the **Navigation pane**.
+
+ b. Select **Mobile Device Management/Microsoft Intune** > **Download package** and save the .zip file.
+
+ 
+
+2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP.onboarding*.
+
+3. Login to the [Microsoft Azure portal](https://portal.azure.com).
+
+4. From the Intune blade, choose **Device configuration**.
+
+ 
+
+5. Under **Manage**, choose **Profiles** and click **Create Profile**.
+
+ 
+
+6. Type a name, description and choose **Windows 10 and later** as the Platform and **Custom** as the Profile type.
+
+ 
+
+7. Click **Settings** > **Configure**.
+
+ 
+
+8. Under Custom OMA-URI Settings, click **Add**.
+
+ 
+
+9. Enter the following values, then click **OK**.
+
+ 
+
+ - **Name**: Type a name for the setting.
+ - **Description**: Type a description for the setting.
+ - **OMA-URI**: _./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding_
+ - **Value**: Copy and paste the contents of the WindowsDefenderATP.onboarding file you downloaded.
+
+10. Save the settings by clicking **OK**.
+
+11. Click **Create**.
+
+ 
+
+12. To deploy the Profile, click **Assignments**.
+
+ 
+
+13. Search for and select the Group you want to apply the Configuration Profile to, then click **Select**.
+
+ 
+
+14. Click **Save** to finish deploying the Configuration Profile.
+
+ 
### Offboard and monitor endpoints
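Review bot: step 9 lists Name, Description, OMA-URI and Value but does not say which data type to select for the custom setting, so a reader pasting the contents of *WindowsDefenderATP.onboarding* has to guess; add a **Data type** bullet. Step 2 asks for the extracted onboarding file to be placed on a share that deploying administrators can reach; since step 9 only needs its contents pasted into the portal, consider saying who should have read access and whether the share is needed at all for this Intune flow. Smaller points: the heading says "Azure Intune Portal" while the steps use "Microsoft Intune" and "Microsoft Azure portal", so pick one name; "Windows 10 1607" should read "Windows 10, version 1607"; "Login to" in step 3 should be "Sign in to"; steps 9 and 10 both end with "click **OK**", which is ambiguous about which dialog is being closed; every image has alt text beginning "Image of", which adds nothing for screen readers; and there is no blank line between the last added image and the `### Offboard and monitor endpoints` heading.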
diff --git a/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
index c44eb648d5..05d249bdc3 100644
--- a/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 10/16/2017
+ms.date: 03/27/2018
---
# Create custom alerts using the threat intelligence (TI) application program interface (API)
@@ -184,6 +184,21 @@ Content-Type: application/json;
```
If successful, you should get a 201 CREATED response containing the representation of the newly created indicators of compromise in the payload.
+The API currently supports the following IOC types:
+
+- Sha1
+- Sha256
+- Md5
+- FileName
+- IpAddress
+- DomainName
+
+And the following operators:
+
+- Equals
+- StartWith
+- EndWith
+- Contains
## Bulk upload of alert definitions and IOCs
Bulk upload of multiple entities can be done by sending an HTTP POST request to `/{resource}/Actions.BulkUpload`.
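Review bot: the two added lists do not say which operators are valid for which IOC types, so a reader cannot tell whether, for example, `Contains` or `StartWith` is accepted on a `Sha256` or `IpAddress` indicator; a small type-by-operator table would remove the guesswork and help avoid overly broad matches on `FileName` and `DomainName`. Please also confirm that `StartWith` and `EndWith` are the exact strings the API expects (rather than `StartsWith`/`EndsWith`) and state whether the values are case-sensitive, since readers will copy them into request bodies. Because `Md5` and `Sha1` appear alongside `Sha256` with no guidance, a sentence recommending `Sha256` where the hash is available would be useful. "Currently supports" will go stale; tie it to a version or date. Finally, add a blank line between the last list item and `## Bulk upload of alert definitions and IOCs`, and replace the sentence fragment "And the following operators:" with a full sentence.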