Merge branch 'master' of https://github.com/Microsoft/win-cpub-itpro-docs into v-jak-sec01

2025-05-15 14:57:23 +00:00 · 2017-02-03 10:38:01 -08:00 · 2017-02-03 10:38:01 -08:00 · ecb9815081
commit ecb9815081
parent 5038cfdcd0 46db4da862
6 changed files with 11 additions and 12 deletions
--- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md
+++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md
@ -106,6 +106,7 @@ You can connect Surface Hub to your Windows Server Update Services (WSUS) server
 To connect Surface Hub to a WSUS server using MDM, set an appropriate [Update/UpdateServiceUrl](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) policy.

 **If you use a proxy server or other method to block URLs**
+
 If you use a method other than WSUS to block specific URLs and prevent updates, you will need to add the following Windows update trusted site URLs to the “allow list”:
 - `http(s)://*.update.microsoft.com`
 - `http://download.windowsupdate.com` 
--- a/windows/deploy/upgrade-analytics-get-started.md
+++ b/windows/deploy/upgrade-analytics-get-started.md
@ -127,7 +127,7 @@ The Upgrade Analytics deployment script does the following:

 3.  Checks whether the computer has a pending restart.  

-4.  Verifies that the latest version of KB package 10.0.x is installed (version 10.0.14348 or later is required, but version 10.0.14913 or later is recommended).
+4.  Verifies that the latest version of KB package 10.0.x is installed (version 10.0.14913 or later is required).

 5.  If enabled, turns on verbose mode for troubleshooting.

--- a/windows/deploy/usmt-overview.md
+++ b/windows/deploy/usmt-overview.md
@ -35,7 +35,7 @@ USMT provides the following benefits to businesses that are deploying Windows op
 -   Increases employee satisfaction with the migration experience.

 ## Limitations
-USMT is intended for administrators who are performing large-scale automated deployments. If you are only migrating the user states of a few computers, you can use [Windows Easy Transfer](https://go.microsoft.com/fwlink/p/?LinkId=140248).
+USMT is intended for administrators who are performing large-scale automated deployments. If you are only migrating the user states of a few computers, you can use [PCmover Express](http://go.microsoft.com/fwlink/?linkid=620915). PCmover Express is a tool created by Microsoft's partner, Laplink.

 There are some scenarios in which the use of USMT is not recommended. These include:

--- a/windows/keep-secure/credential-guard.md
+++ b/windows/keep-secure/credential-guard.md
@ -1,4 +1,4 @@
-[s,,---
+---
 title: Protect derived domain credentials with Credential Guard (Windows 10)
 description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
 ms.assetid: 4F1FE390-A166-4A24-8530-EA3369FEB4B1
@ -9,6 +9,7 @@ ms.pagetype: security
 localizationpriority: high
 author: brianlic-msft
 ---
+
 # Protect derived domain credentials with Credential Guard

 **Applies to**
@ -19,9 +20,9 @@ Introduced in Windows 10 Enterprise and Windows Server 2016, Credential Guard u

 By enabling Credential Guard, the following features and solutions are provided:

-   **Hardware security** NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials.
+-   **Hardware security** NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials.
 -   **Virtualization-based security** Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system.
-,-   **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures.
+-   **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures.

 ## How it works

@ -60,7 +61,7 @@ The Virtualization-based security requires:
 When Credential Guard is enabled, specific authentication capabilities are blocked, so applications which require blocked capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality. 

 >[!WARNING] 
-> Enabling Credential Guard on domain controllers is not supported <br>
+> Enabling Credential Guard on domain controllers is not supported. <br>
 > The domain controller hosts authentication services which integrate with processes isolated when Credential Guard is enabled, causing crashes. 

 >[!NOTE]
--- a/windows/keep-secure/deploy-catalog-files-to-support-code-integrity-policies.md
+++ b/windows/keep-secure/deploy-catalog-files-to-support-code-integrity-policies.md
@ -124,8 +124,6 @@ To sign the existing catalog file, copy each of the following commands into an e

 After the catalog file is signed, add the signing certificate to a code integrity policy, as described in the following steps.

-<!-- All options below need to be confirmed. -->
-
 1.  If you have not already verified the catalog file digital signature, right-click the catalog file, and then click **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with the algorithm you expect.

 2.  If you already have an XML policy file that you want to add the signing certificate to, skip to the next step. Otherwise, use [New-CIPolicy](https://technet.microsoft.com/library/mt634473.aspx) to create a code integrity policy that you will later merge into another policy (not deploy as-is). This example creates a policy called **CatalogSignatureOnly.xml** in the location **C:\\PolicyFolder**:
@ -134,7 +132,7 @@ After the catalog file is signed, add the signing certificate to a code integrit

    > **Note**&nbsp;&nbsp;Include the **-UserPEs** parameter to ensure that the policy includes user mode code integrity.

-3.  Use [Add-SignerRule](https://technet.microsoft.com/library/mt634479.aspx) to add the signing certificate to the code integrity policy, filling in the correct path and filenames for *<policypath>* and *<certpath>*:
+3.  Use [Add-SignerRule](https://technet.microsoft.com/library/mt634479.aspx) to add the signing certificate to the code integrity policy, filling in the correct path and filenames for `<policypath>` and `<certpath>`:

    ` Add-SignerRule -FilePath <policypath> -CertificatePath <certpath> -User `

--- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@ -25,8 +25,9 @@ If you want to minimize connections from Windows to Microsoft services, or confi

 You can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintain current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience.

-We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
+To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887). This baseline was created in the same way as the [Windows security baselines](../keep-secure/windows-security-baselines.md) that are often used to efficiently configure Windows to a known secure state. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure should you've chosen the right settings configuration for your environment before applying. Applying this baseline is equivalent to applying the Windows 10 steps covered in this article.

+We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.

 ## What's new in Windows 10, version 1607 and Windows Server 2016

@ -1359,5 +1360,3 @@ You can turn off automatic updates by doing one of the following. This is not re
    -   **5**. Turn off automatic updates.

 To learn more, see [Device update management](http://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](http://technet.microsoft.com/library/cc720539.aspx).
-
-To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887). This baseline was created in the same way as the [Windows security baselines](../keep-secure/windows-security-baselines.md) that are often used to efficiently configure Windows to a known secure state. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure should you've chosen the right settings configuration for your environment before applying.