diff --git a/README.md b/README.md
index 8864d2a10e..fa13a55593 100644
--- a/README.md
+++ b/README.md
@@ -8,7 +8,6 @@ Welcome! This repository houses the docs that are written for IT professionals f
- [Surface](https://technet.microsoft.com/itpro/surface)
- [Surface Hub](https://technet.microsoft.com/itpro/surface-hub)
- [Windows 10 for Education](https://technet.microsoft.com/edu/windows)
-- [HoloLens](https://technet.microsoft.com/itpro/hololens)
- [Microsoft Desktop Optimization Pack](https://technet.microsoft.com/itpro/mdop)
## Contributing
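Review bot: the HoloLens entry is dropped from the product list with no replacement link; if the HoloLens docs moved to a new home, point readers there instead of silently removing the entry, and state the reason in the PR description.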
diff --git a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md b/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md
index e624e6db2e..0be45f20c1 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md
@@ -10,6 +10,7 @@ title: Deprecated document modes and Internet Explorer 11 (Internet Explorer 11
ms.sitesec: library
---
+
# Deprecated document modes and Internet Explorer 11
**Applies to:**
@@ -24,8 +25,8 @@ Windows Internet Explorer 8 introduced document modes as a way to move from the
This means that while Internet Explorer 11 will continue to support document modes, Microsoft Edge won’t. And because of that, it also means that if you want to use Microsoft Edge, you’re going to have to update your legacy webpages and apps to support modern features, browsers, and devices.
->**Note**
->For specific details about the technologies and APIs that are no longer supported in Microsoft Edge, see [A break from the past, part 2: Saying goodbye to ActiveX, VBScript, attachEvent](https://go.microsoft.com/fwlink/p/?LinkId=615953).
+**Note**
+For specific details about the technologies and APIs that are no longer supported in Microsoft Edge, see [A break from the past, part 2: Saying goodbye to ActiveX, VBScript, attachEvent](https://go.microsoft.com/fwlink/p/?LinkId=615953).
## What is document mode?
Each release after Internet Explorer 8 has helped with the transition by introducing additional document modes that emulated previously supported versions, while also introducing support for features defined by industry standards. During this time, numerous websites and apps were updated to the latest and greatest industry standards, while many other sites and apps continued to simply rely on document modes to work properly.
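Review bot: the replacement lines strip the leading `>` from both the **Note** label and its body, so the callout renders as ordinary paragraphs instead of a blockquote; the other hunks in this patch convert `[!NOTE]` to `>**Note**` inside a blockquote, so keep the `>` here for consistency:
>**Note**
>For specific details about the technologies and APIs that are no longer supported in Microsoft Edge, see ...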
@@ -40,8 +41,7 @@ The compatibility improvements made in IE11 lets older websites just work in the
## Document mode selection flowchart
This flowchart shows how IE11 works when document modes are used.
-
-[Click this link to enlarge image](img-ie11-docmode-lg.md)
+
## Known Issues with Internet Explorer 8 document mode in Enterprise Mode
The default document mode for Enterprise Mode is Internet Explorer 8. While this mode provides a strong emulation of that browser, it isn’t an exact match. For example, Windows Internet Explorer 9 fundamentally changed how document modes work with iframes and document modes can’t undo architectural changes. It’s also a known issue that Windows 10 supports GDI font rendering while using Enterprise Mode, but uses natural metrics once outside of Enterprise Mode.
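Review bot: the only added line under "This flowchart shows how IE11 works when document modes are used." is blank, and the link to the full-size flowchart page is removed; make sure the new docmodeflow2.png added in this patch is actually embedded here, otherwise the section announces a flowchart it no longer shows.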
diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/docmodeflow2.png b/browsers/internet-explorer/ie11-deploy-guide/images/docmodeflow2.png
new file mode 100644
index 0000000000..63df4ea8ff
Binary files /dev/null and b/browsers/internet-explorer/ie11-deploy-guide/images/docmodeflow2.png differ
diff --git a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
deleted file mode 100644
index 77b1ad1227..0000000000
--- a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-description: A full-sized view of how document modes are chosen in IE11.
-title: Full-sized flowchart detailing how document modes are chosen in IE11
----
-
-Return to: [Deprecated document modes and Internet Explorer 11](deprecated-document-modes.md)
-
-
-
-
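Review bot: deleting img-ie11-docmode-lg.md turns any remaining link to it into a 404; the hunk above removes the one in deprecated-document-modes.md, but search the rest of the repo and the TOC for img-ie11-docmode-lg.md before merging.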
1. Expand a category.
2. Select a setting.
3. Enter a value for the setting. Click **Add** if the button is displayed.
4. Some settings, such as this example, require additional information. In **Available customizations**, select the value you just created, and additional settings are displayed.
5. When the setting is configured, it is displayed in the **Selected customizations** pane.
Exit code | Meaning | Suggested fix - |
---|---|---|
0 | Success | - |
1 | Unexpected error occurred while executing the script | The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) from the download center and try again. - |
2 | Error when logging to console. $logMode = 0. | Try changing the $logMode value to **1** and try again. - |
3 | Error when logging to console and file. $logMode = 1. | Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. - |
4 | Error when logging to file. $logMode = 2. | Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. - |
5 | Error when logging to console and file. $logMode = unknown. | Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. - |
6 | The commercialID parameter is set to unknown. Modify the script. | Set the value for CommercialID in runconfig.bat file. - |
8 | Failure to create registry key path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection. | Verify that the configuration script has access to this location. - |
9 | Error when writing CommercialId to registry. | Verify that the configuration script has access to this location. - |
10 | Error when writing CommercialDataOptIn to registry. | Verify that the configuration script has access to this location. - |
11 | Function -SetupCommercialId: Unexpected failure. | Verify that the configuration script has access to this location. - |
12 | Can’t connect to Microsoft – Vortex. Check your network/proxy settings. | Verify that the required endpoints are whitelisted correctly. - |
13 | Can’t connect to Microsoft – setting. | Verify that the required endpoints are whitelisted correctly. - |
14 | Can’t connect to Microsoft – compatexchange. | Verify that the required endpoints are whitelisted. - |
15 | Error connecting to Microsoft:Unexpected failure. | - |
16 | Machine requires reboot. | The reboot is required to complete the installation of the compatibility update and related KBs. Reboot the machine before running the Upgrade Analytics deployment script. - |
17 | Function -CheckRebootRequired: Unexpected failure. | The reboot is required to complete the installation of the compatibility update and related KBs. Reboot the machine before running the Upgrade Analytics deployment script. - |
18 | Outdated compatibility update KB package. Update via Windows Update/WSUS. | -The configuration script detected a version of the Compatibility update module that is older than the minimum required to correctly collect the data required by Upgrade Analytics solution. Use the latest version of the Compatibility update for Windows 7 SP1/Windows 8.1. - |
19 | The compatibility update failed with unexpected exception. | The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) from the download center and try again. - |
20 | Error writing RequestAllAppraiserVersions registry key. | This registry key is required for data collection to work correctly. Verify that the configuration script has access to this location. - |
21 | Function – SetRequestAllAppraiserVersions: Unexpected failure. | This registry key is required for data collection to work correctly. Verify that the configuration script has access to this location. - |
22 | RunAppraiser failed with unexpected exception. | Check %windir%\System32 directory for a file called CompatTelRunner.exe. If the file does not exist, reinstall the required compatibility updates which include this file, and check your organization group policy to make sure it does not remove this file. - |
23 | Error finding system variable %WINDIR%. | Make sure that this environment variable is available on the machine. - |
24 | SetIEDataOptIn failed when writing IEDataOptIn to registry. | Verify that the deployment script in running in a context that has access to the registry key. - |
25 | SetIEDataOptIn failed with unexpected exception. | The files in the deployment script are likely corrupted. Download the latest script from the [download center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and try again. - |
26 | The operating system is Server or LTSB SKU. | The script does not support Server or LTSB SKUs. - |
27 | The script is not running under System account. | The Upgrade Analytics configuration script must be run as system. - |
28 | Could not create log file at the specified logPath. | Make sure the deployment script has access to the location specified in the logPath parameter. - |
29 | Connectivity check failed for proxy authentication. | Install the cumulative updates on the machine and enable the `DisableEnterpriseAuthProxy` authentication proxy setting. The `DisableEnterpriseAuthProxy` setting is enabled by default for Windows 7. For Windows 8.1 machines, set the `DisableEnterpriseAuthProxy` setting to **0** (not disabled). For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688). - |
30 | Connectivity check failed. Registry key property `DisableEnterpriseAuthProxy` is not enabled. | The `DisableEnterpriseAuthProxy` setting is enabled by default for Windows 7. For Windows 8.1 machines, set the `DisableEnterpriseAuthProxy` setting to **0** (not disabled). For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688). - |
31 | There is more than one instance of the Upgrade Analytics data collector running at the same time on this machine. | Use the Windows Task Manager to check if CompatTelRunner.exe is running, and wait until it has completed to rerun the script. -**The Upgrade Analytics task is scheduled to run daily at 3 a.m.** + |
Exit code | Meaning + | |
0 | Success + | |
1 | Unexpected error occurred while executing the script + | |
2 | Error when logging to console. $logMode = 0. + | |
3 | Error when logging to console and file. $logMode = 1. + | |
4 | Error when logging to file. $logMode = 2. + | |
5 | Error when logging to console and file. $logMode = unknown. + | |
6 | The commercialID parameter is set to unknown. Modify the script. + | |
7 | Function -CheckCommercialId: Unexpected failure. + | |
8 | Failure to create registry key path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection. + | |
9 | Error when writing CommercialId to registry. + | |
10 | Error when writing CommercialDataOptIn to registry. + | |
11 | Function -SetupCommercialId: Unexpected failure. + | |
12 | Can’t connect to Microsoft – Vortex. Check your network/proxy settings. + | |
13 | Can’t connect to Microsoft – setting. Check your network/proxy settings. + | |
14 | Can’t connect to Microsoft – compatexchange. Check your network/proxy settings. + | |
15 | Error connecting to Microsoft. Check your network/proxy settings. + | |
16 | Machine requires reboot. + | |
17 | Function -CheckRebootRequired: Unexpected failure. + | |
18 | Outdated compatibility update KB package. Update via Windows Update/WSUS. + | |
19 | This machine doesn’t have the proper KBs installed. Make sure you have recent compatibility update KB downloaded. + | |
20 | Error writing RequestAllAppraiserVersions registry key. + | |
21 | Function – SetRequestAllAppraiserVersions: Unexpected failure. + | |
22 | RunAppraiser failed with unexpected exception. + | |
23 | Error finding system variable %WINDIR%. + | |
24 | SetIEDataOptIn failed when writing IEDataOptIn to registry. + | |
25 | SetIEDataOptIn failed with unexpected exception. + | |
26 | The operating system is LTSB SKU. The script does not support LTSB SKUs. + | |
27 | The operating system is Server SKU. The script does not support Server SKUs. |
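Review bot: the replacement exit-code table drops the "Suggested fix" column, so the remediation guidance is lost: rebooting before rerunning the script (codes 16 and 17), checking %windir%\System32 for CompatTelRunner.exe (code 22), and the `DisableEnterpriseAuthProxy` proxy setting (codes 29 and 30). It also drops codes 28 through 31 (log path, proxy authentication, concurrent collector) and the old code 27 (script not running under the System account). If the script still returns those codes, keep their rows; if the column was removed on purpose, move the fixes into the surrounding text rather than deleting them.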
Topic | Description | Time - - |
[About MDT](#about-mdt) | A high-level overview of the Microsoft Deployment Toolkit (MDT). | Informational - |
[Install MDT](#install-mdt) | Download and install MDT. | 40 minutes - |
[Create a deployment share and reference image](#create-a-deployment-share-and-reference-image) | A reference image is created to serve as the template for deploying new images. | 90 minutes - |
[Deploy a Windows 10 image using MDT](#deploy-a-windows-10-image-using-mdt) | The reference image is deployed in the PoC environment. | 60 minutes - |
[Refresh a computer with Windows 10](#refresh-a-computer-with-windows-10) | Export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings. | 60 minutes - |
[Replace a computer with Windows 10](#replace-a-computer-with-windows-10) | Back up an existing client computer, then restore this backup to a new computer. | 60 minutes - |
[Troubleshooting logs, events, and utilities](#troubleshooting-logs-events-and-utilities) | Log locations and troubleshooting hints. | Informational - |
- - New-VM REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB - Set-VMMemory REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20 - Set-VMDvdDrive REFW10X64-001 -Path c:\VHD\LiteTouchPE_x86.iso - Start-VM REFW10X64-001 - vmconnect localhost REFW10X64-001 --
Topic | Description | Time - - |
[Install prerequisites](#install-prerequisites) | Install prerequisite Windows Server roles and features, download, install and configure SQL Server, configure firewall rules, and install the Windows ADK. | 60 minutes - |
[Install System Center Configuration Manager](#install-system-center-configuration-manager) | Download System Center Configuration Manager, configure prerequisites, and install the package. | 45 minutes - |
[Download MDOP and install DaRT](#download-mdop-and-install-dart) | Download the Microsoft Desktop Optimization Pack 2015 and install DaRT 10. | 15 minutes - |
[Prepare for Zero Touch installation](#prepare-for-zero-touch-installation) | Prerequisite procedures to support Zero Touch installation. | 60 minutes - |
[Create a boot image for Configuration Manager](#create-a-boot-image-for-configuration-manager) | Use the MDT wizard to create the boot image in Configuration Manager. | 20 minutes - |
[Create a Windows 10 reference image](#create-a-windows-10-reference-image) | This procedure can be skipped if it was done previously, otherwise instructions are provided to create a reference image. | 0-60 minutes - |
[Add a Windows 10 operating system image](#add-a-windows-10-operating-system-image) | Add a Windows 10 operating system image and distribute it. | 10 minutes - |
[Create a task sequence](#Create a task sequence) | Create a Configuration Manager task sequence with MDT integration using the MDT wizard | 15 minutes - |
[Finalize the operating system configuration](#finalize-the-operating-system-configuration) | Enable monitoring, configure rules, and distribute content. | 30 minutes - |
[Deploy Windows 10 using PXE and Configuration Manager](#deploy-windows-10-using-pxe-and-configuration-manager) | Deploy Windows 10 using Configuration Manager deployment packages and task sequences. | 60 minutes - |
[Refresh a client with Windows 10 using Configuration Manager](#refresh-a-client-with-windows-10-using-configuration-manager) | Use a task sequence to refresh a client with Windows 10 using Configuration Manager and MDT | 90 minutes - |
[Replace a client with Windows 10 using Configuration Manager](#replace-a-client-with-windows-10-using-configuration-manager) | Replace a client computer with Windows 10 using Configuration Manager. | 90 minutes - - |
If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.
+ >**Note**
We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.
If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.
6. In the **Review Rules** screen, look over your rules to make sure they’re right, and then click **Create** to add them to your collection of rules.
7. In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules.
- >[!IMPORTANT]
- >Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy.
+ >**Important**
Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy.
8. Open the Intune administration console, and go to the **Policy** node, click **Add Policy** from the **Tasks** area, go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
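Review bot: the body lines of the converted callouts ("We recommend that you use **Publisher** rules..." after `>**Note**`, and "Be aware that what you're saving are the actual AppLocker rules..." after `>**Important**`) carry no leading `>`, so only the bold label sits inside the blockquote and the text renders as a plain paragraph; prefix every body line with `>`, as the removed `>[!IMPORTANT]` block did. The "If you can't use **Publisher** rules..." paragraph also appears twice in this hunk (once before the note and once inside it), so one copy should go.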
@@ -87,18 +85,16 @@ After saving the policy, you’ll need to deploy it to your employee’s devices
5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules.
- >[!IMPORTANT]
- >You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future.
+ >**Important**
You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future.
- >[!NOTE]
- >We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.
If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.
Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass Windows Information Protection (WIP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed. +
+ >**Note**
We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.
If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.
Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass Windows Information Protection (WIP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed.
6. In the **Review Rules** screen, look over your rules to make sure they’re right, and then click **Create** to add them to your collection of rules.
7. In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules.
- >[!IMPORTANT]
- >Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy.
+ >**Important** Windows 8.1 Windows 8.1 Certified Bootkits and Without TPM, boot integrity checking is not available Secure by default when UEFI-based Secure Boot is enabled and a firmware password is required to change settings Brute Force Secure by default, and can be improved with account lockout Group Policy Secure by default, and can be improved with account lockout and device lockout Group Policy settings DMA If policy is deployed, secure by default for all lost or stolen devices because new DMA devices are granted access only when an authorized user is signed in If policy is deployed, secure by default for all lost or stolen devices because new DMA devices are granted access only when an authorized user is signed in Hyberfil.sys Secure by default; hyberfil.sys secured on encrypted volume Secure by default; hyberfil.sys secured on encrypted volume Memory Password protect the firmware and disable booting from external media. If an attack is viable, consider pre-boot authentication Password protect the firmware and ensure Secure Boot is enabled. If an attack is viable, consider pre-boot authentication Windows 10 Windows 10 Certified Bootkits and Without TPM, boot integrity checking is not available Secure by default when UEFI-based Secure Boot is enabled and a firmware password is required to change settings Brute Force Secure by default, and can be improved with account lockout Group Policy Secure by default, and can be improved with account lockout and device lockout Group Policy settings DMA If policy is deployed, secure by default for all lost or stolen devices because new DMA devices are granted access only when an authorized user is signed in Secure by default; certified devices do not expose vulnerable DMA busses. Hyberfil.sys Secure by default; hyberfil.sys secured on encrypted volume Secure by default; hyberfil.sys secured on encrypted volume Memory Password protect the firmware and disable booting from external media. 
If an attack is viable, consider pre-boot authentication Password protect the firmware and ensure Secure Boot is enabled. If your DRA certificate has expired, you won’t be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy.
+>**Important** If your DRA certificate has expired, you won’t be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy.
**To manually create an EFS DRA certificate**
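Review bot: in this hunk the callout bodies again lose their `>` prefix ("You can also use **Path** rules..." and the **Publisher**/**File hash**/**Path** guidance, which also appears twice), and the final `>**Important**` line is followed not by the removed "Be aware that what you're saving..." body but by what reads as the BitLocker countermeasures comparison table run onto one line, with the expired-DRA-certificate sentence fused onto its end; regenerate this hunk against the intended file. Separately, `>**Important** If your DRA certificate has expired...` keeps label and body on one line, unlike the other converted callouts in the patch, so split it.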
@@ -36,13 +36,13 @@ The recovery process included in this topic only works for desktop devices. WIP
The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1.
- >[!IMPORTANT]
- >Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location.
+ >**Important** Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App Rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
+>**Important** Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App Rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
->[!NOTE]
->If you want to use **File hash** or **Path** rules, instead of **Publisher** rules, you must follow the steps in the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic.
+>**Note** For example:
```json
{
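Review bot: the removed warning that the private keys in the DRA .pfx files can decrypt any WIP file and must be kept offline (a smart card for normal use, master copies in a secured physical location) has no replacement in this hunk; the added `>**Important**` lines carry an unrelated statement about obtaining an app support statement, and add it twice. Restore the key-protection warning, since it is the security-critical instruction of this step, and drop the duplicate. The `>**Note** For example:` line also loses the pointer to the custom URI topic for **File hash** and **Path** rules.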
@@ -109,8 +106,7 @@ If you don't know the publisher or product name, you can find them for both desk
**To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones**
1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
- >[!NOTE]
- >Your PC and phone must be on the same wireless network.
+ >**Note** For example: Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
+>**Important** Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
#### Add a store app rule to your policy
For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list.
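Review bot: the removed prerequisite "Your PC and phone must be on the same wireless network." is replaced by two copies of the "Care must be taken to get a support statement..." callout (one after `>**Note** For example:`, one as `>**Important**`); keep the wireless-network prerequisite, since the Windows Device Portal step depends on it, and remove the duplicate.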
@@ -94,8 +94,8 @@ If you don't know the publisher or product name, you can find them for both desk
1. Go to the [Windows Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote.
- >[!NOTE]
- >If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section.
+ >**Note**
+ >**Important** For example:
```json
{
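Review bot: `>**Note**` is added with no body and is immediately followed by `>**Important** For example:`; the removed note body (use the AppLocker local security policy MMC snap-in to gather the info if the app is already installed on desktop devices) is gone. Either restore that text under the Note or drop the empty label, and give the **Important** callout a real body instead of "For example:".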
@@ -125,8 +124,8 @@ If you don't know the publisher or product name, you can find them for both desk
**To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones**
1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
- >[!NOTE]
- >Your PC and phone must be on the same wireless network.
+ >**Note**
+ >**Important** For example:
```json
{
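Review bot: same defect as the earlier mobile-phone section in this patch: an empty `>**Note**` followed by `>**Important** For example:` replaces "Your PC and phone must be on the same wireless network."; restore the prerequisite.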
@@ -371,9 +369,9 @@ After you've added a protection mode to your apps, you'll need to decide where t
There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
->[!IMPORTANT]
->Every WIP policy should include policy that defines your enterprise network locations.
The policy is deployed to the selected users' devices.
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
-
## Related topics
- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md)
- [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md)
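Review bot: the hunk deletes "Every WIP policy should include policy that defines your enterprise network locations." with nothing in its place; the paragraph above it only says that no default locations are included, so the removed callout is the one line that makes the requirement explicit. Keep it, as `>**Important**` if the aim is the new callout style. Removing the contributing note is fine.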
diff --git a/windows/keep-secure/enlightened-microsoft-apps-and-wip.md b/windows/keep-secure/enlightened-microsoft-apps-and-wip.md
index f2e1b3c91c..f6b1ea7f6e 100644
--- a/windows/keep-secure/enlightened-microsoft-apps-and-wip.md
+++ b/windows/keep-secure/enlightened-microsoft-apps-and-wip.md
@@ -78,7 +78,4 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li
|Microsoft OneDrive |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US` Support for the IOMMU in Windows 10 enhances system resiliency against DMA attacks. Trusted Platform Module (TPM) Trusted Platform Module (TPM) 2.0 Required to support health attestation and necessary for additional key protections for virtualization-based security. The support for your operating system has expired. Windows Defender is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats. Symbolic name: MALWAREPROTECTION_SAMPLESUBMISSION_UPLOADED Message: The antimalware engine has uploaded a file for further analysis. Description: A file was uploaded to the Windows Defender Antimalware cloud for further analysis or processing. Enforcement mode SRP works in the “deny list mode” where administrators can create rules for files that they do not want to allow in this Enterprise whereas the rest of the file are allowed to run by default. SRP can also be configured in the “allow list mode” so that by default all files are blocked and administrators need to create allow rules for files that they want to allow. SRP can also be configured in the “allow list mode” such that the by default all files are blocked and administrators need to create allow rules for files that they want to allow. AppLocker by default works in the “allow list mode” where only those files are allowed to run for which there is a matching allow rule. For example: If you turn **Location** off, Cortana won't be able to provide location-based reminders, such as reminding you to visit the mail room when you get to work. If you turn **Speech** off, your employees won't be able to use “Hello Cortana” for hands free usage or voice commands to easily ask for help. |
-|Windows Information Protection (WIP) (optional) |If you want to secure the calendar, email, and contact info provided to Cortana on a device, you can use WIP. For more info about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](../keep-secure/protect-enterprise-data-using-wip.md) If you decide to use WIP, you must also have a management solution. This can be Microsoft Intune, Microsoft System Center Configuration Manager (version 1606 or later), or your current company-wide 3rd party mobile device management (MDM) solution.|
-
-## Signing in using Azure AD
-Your organization must have an Azure AD tenant and your employees’ devices must all be Azure AD-joined for Cortana to work properly. For info about what an Azure AD tenant is, how to get your devices joined, and other Azure AD maintenance info, see [What is an Azure AD directory?](https://msdn.microsoft.com/library/azure/jj573650.aspx)
-
-## Cortana and privacy
-We understand that there are some questions about Cortana and your organization’s privacy, including concerns about what info is collected by Cortana, where the info is saved, how to manage what data is collected, how to turn Cortana off, how to opt completely out of data collection, and what info is shared with other Microsoft apps and services. For more details about these concerns, see the [Cortana, Search, and privacy: FAQ](http://windows.microsoft.com/windows-10/cortana-privacy-faq) topic.
-
-Cortana is covered under the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and [Microsoft Services Agreement](https://www.microsoft.com/en-us/servicesagreement).
-
-## See also
-- [What is Cortana?](http://go.microsoft.com/fwlink/p/?LinkId=746818)
-
-- [Cortana and Windows](http://go.microsoft.com/fwlink/?LinkId=717384)
-
-- [Known issues for Windows Desktop Search and Cortana in Windows 10](http://support.microsoft.com/kb/3206883/EN-US)
-
-- [Cortana for developers](http://go.microsoft.com/fwlink/?LinkId=717385)
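Review bot: the hunk header `@@ -78,7 +78,4 @@` declares seven old lines and four new, but the body shows one context line followed by eighteen removed lines, so this hunk will not apply as posted; regenerate it. The surviving context row (`|Microsoft OneDrive |**Publisher:** ...`) also runs the OneDrive publisher cell together with unrelated text about IOMMU/DMA, TPM 2.0, a Windows Defender event (MALWAREPROTECTION_SAMPLESUBMISSION_UPLOADED) and SRP/AppLocker modes, and the removed lines are Cortana sections (WIP row, Azure AD sign-in, privacy, See also) rather than the enlightened-apps table this file is about; check that the hunk was generated against the right file before merging.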
diff --git a/windows/manage/cortana-at-work-policy-settings.md b/windows/manage/cortana-at-work-policy-settings.md
deleted file mode 100644
index 83f10f7d3e..0000000000
--- a/windows/manage/cortana-at-work-policy-settings.md
+++ /dev/null
@@ -1,44 +0,0 @@
----
-title: Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization (Windows 10)
-description: The list of Group Policy and mobile device management (MDM) policy settings that apply to Cortana at work.
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-localizationpriority: high
----
-
-# Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization
-**Applies to:**
-
-- Windows 10, Windows Insider Program
-- Windows 10 Mobile, Windows Insider Program
-
->[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
->[!NOTE]
->For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](http://go.microsoft.com/fwlink/p/?LinkId=717380) topic, located in the configuration service provider reference topics. For specific info about how to set, manage, and use each of these Group Policies to configure Cortana in your enterprise, see the [Group Policy TechCenter](http://go.microsoft.com/fwlink/p/?LinkId=717381).
-
-|Group policy |MDM policy |Description |
-|-------------|-----------|------------|
-|Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock|AboveLock/AllowCortanaAboveLock|Specifies whether an employee can interact with Cortana using voice commands when the system is locked. **NOTE** **In Windows 10, version 1511** **In Windows 10, version 1607 and later** **In Windows 10, version 1511** **In Windows 10, version 1607 and later** Use this setting if you only want to support Azure AD in your organization.|
-|Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location|Search/AllowSearchToUseLocation|Specifies whether Cortana can use your current location during searches and for location reminders.|
-|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search|Search/SafeSearchPermissions|Specifies what level of safe search (filtering adult content) is required. **NOTE** **In Windows 10 Pro edition** **In Windows 10 Enterprise edition** **IMPORTANT** If you enable a dataset for Cortana, and that dataset is part of a content pack you own, you’ll need to re-publish for your colleagues to also use it with Cortana.
-
-## Create a custom Answer Page for Cortana
-You must create special reports, known as _Answer Pages_, to display the most commonly asked answers in Cortana. For example, if you want Cortana to quickly show sales data to your employees, you can create a 2016 sales data Answer Page that shows sales data, with various pivots, in Cortana.
-
-After you’ve finished creating your Answer Page, you can continue to the included testing scenarios.
-
- >[!NOTE]
- >It can take up to 30 minutes for a custom Answer Page to appear for Power BI and Cortana. Logging in and out of Windows 10, or otherwise restarting Cortana, causes the new content to appear immediately.
-
-**To create a custom sales data Answer Page for Cortana**
-1. In Power BI, click **My Workspace**, click **Create**, and then click **Report**.
-
- 
-
-2. In the **Create Report** screen, click the **Retail Analysis Sample**, and then click **Create**.
-
- A blank report page appears.
-
-3. In the **Visualizations** pane, click the paint roller icon, expand **Page Size**, and then pick **Cortana** from the **Type** drop-down list.
-
- 
-
-4. In the **Fields** pane, click to expand **Sales**, expand **This year sales**, and then add both **Value** and **Goal**.
-
- 
-
- The automatically generated graph is added to your blank report. You have the option to change colors, add borders, add additional visualizations, and modify this page so that it answers the question about sales data as precisely, and in as custom a way, as you want. You just need to make sure that it all stays within the page borders.
-
-5. In the **Visualizations** pane, click the paint roller icon again, expand **Page Information**, type _Sales data 2016_ into the **Name** box, turn on **Q&A**, and then add alternate report names (separated by commas) into the text box.
-
- The alternate names help Cortana to know what questions to look for and when to show this report. To also improve your results, you should avoid using the names of your report columns.
-
- 
-
-6. Click **File**, click **Save as**, and save the report as _Sales data 2016_.
-
- Because this is part of the Retail Analysis Sample, it will automatically be included as part of the dataset you included for Cortana. However, you will still need to log in and out of Windows 10, or otherwise restart Cortana, before the new content appears.
-
-## Test Scenario: Use Cortana to show info from Power BI in your organization
-Now that you’ve set up your device, you can use Cortana to show your info from within Power BI.
-
-**To use Cortana with Power BI**
-1. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
-
-2. Type _This year in sales_.
-
- Cortana shows you the available results.
-
- 
-
-3. In the **Power BI** area, click **This year in sales – in Retail Analysis Sample**.
-
- Cortana returns your custom report.
-
- 
-
->[!NOTE]
->For more info about how to connect your own data, build your own custom Power BI cards and Answer Pages for Cortana, and how to share the cards with everyone in your organization, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/en-us/documentation/powerbi-service-cortana-desktop-entity-cards/).
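Review bot: the header `@@ -1,44 +0,0 @@` says this deleted file had 44 lines, but the removed body runs roughly twice that and changes subject midway. The policy table rows for `AboveLock/AllowCortanaAboveLock` and `Search/SafeSearchPermissions` end in stray fragments (`**NOTE** **In Windows 10, version 1511** **In Windows 10, version 1607 and later**` repeated, an `**IMPORTANT**` about re-publishing a content pack), the table is never closed, and what follows is Power BI Answer Page and test scenario content that does not belong to a Group Policy/MDM settings topic. Regenerate the deletion from a clean checkout so the diff records the file as it actually was; if the Power BI topic is also being removed, it should appear under its own `diff --git` header.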
diff --git a/windows/manage/cortana-at-work-scenario-1.md b/windows/manage/cortana-at-work-scenario-1.md
deleted file mode 100644
index 4a9714a455..0000000000
--- a/windows/manage/cortana-at-work-scenario-1.md
+++ /dev/null
@@ -1,58 +0,0 @@
----
-title: Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook (Windows 10)
-description: A test scenario walking you through signing in and managing the notebook.
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-localizationpriority: high
----
-
-# Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook
-
-- Windows 10, Windows Insider Program
-- Windows 10 Mobile, Windows Insider Program
-
->[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
->[!IMPORTANT]
->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
-
-This scenario turns on Azure AD and let's your employee use Cortana to manage an entry in the notebook.
-
-## Turn on Azure AD
-This process helps you to sign out of a Microsoft Account and to sign into an Azure AD account.
-
-1. Click on the **Cortana** icon in the taskbar, click the **Notebook**, and then click **About Me**.
-
-2. Click your email address.
-
- A dialog box appears, showing the associated account info.
-
-3. Click your email address again, and then click **Sign out**.
-
- This signs out the Microsoft account, letting you continue to add and use the Azure AD account.
-
-4. Click the **Search** box and then the **Notebook** icon in the left rail. This will start the sign-in request.
-
-5. Click **Sign-In** and follow the instructions.
-
-6. When you’re asked to sign in, you’ll need to choose an Azure AD account, which will look like kelliecarlson@contoso.com.
-
- >[!IMPORTANT]
- >If there’s no Azure AD account listed, you’ll need to go to **Windows Settings > Accounts > Email & app accounts**, and then click **Add a work or school account** to add it.
-
-## Use Cortana to manage the notebook content
-This process helps you to manage the content Cortana shows in your Notebook.
-
-1. Click on the **Cortana** icon in the taskbar, click the **Notebook**, scroll down and click **Weather**.
-
-2. In the **Weather** settings, scroll down to the **Cities your tracking** area, and then click **Add a city**.
-
-3. Add *Redmond, Washington*, double-click the search result, click **Add**, and then click **Save**.
-
- 
-
-4. Click on the **Home** icon and scroll to the weather forecast for Redmond, Washington.
-
- 
\ No newline at end of file
diff --git a/windows/manage/cortana-at-work-scenario-2.md b/windows/manage/cortana-at-work-scenario-2.md
deleted file mode 100644
index fb7b00d578..0000000000
--- a/windows/manage/cortana-at-work-scenario-2.md
+++ /dev/null
@@ -1,41 +0,0 @@
----
-title: Test scenario 2 - Perform a quick search with Cortana at work (Windows 10)
-description: A test scenario about how to perform a quick search with Cortana at work.
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-localizationpriority: high
----
-
-# Test scenario 2 - Perform a quick search with Cortana at work
-
-- Windows 10, Windows Insider Program
-- Windows 10 Mobile, Windows Insider Program
-
->[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
->[!IMPORTANT]
->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
-
-This scenario helps you perform a quick search using Cortana, both by typing and through voice commands.
-
-## Search using Cortana
-This process helps you use Cortana at work to perform a quick search.
-
-1. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
-
-2. Type *Weather in New York*.
-
- You should see the weather in New York, New York at the top of the search results.
-
- 
-
-## Search with Cortana, by using voice commands
-This process helps you to use Cortana at work and voice commands to perform a quick search.
-
-1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box).
-
-2. Say *What's the weather in Chicago?* Cortana tells you and shows you the current weather in Chicago.
-
- 
\ No newline at end of file
diff --git a/windows/manage/cortana-at-work-scenario-3.md b/windows/manage/cortana-at-work-scenario-3.md
deleted file mode 100644
index 89610c7093..0000000000
--- a/windows/manage/cortana-at-work-scenario-3.md
+++ /dev/null
@@ -1,86 +0,0 @@
----
-title: Test scenario 3 - Set a reminder for a specific location using Cortana at work (Windows 10)
-description: A test scenario about how to set a location-based reminder using Cortana at work.
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-localizationpriority: high
----
-
-# Test scenario 3 - Set a reminder for a specific location using Cortana at work
-
-- Windows 10, Windows Insider Program
-- Windows 10 Mobile, Windows Insider Program
-
->[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
->[!IMPORTANT]
->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
-
-This scenario helps you set up, review, and edit a reminder based on a location. For example, reminding yourself to grab your expense report receipts before you leave the house.
-
->[!NOTE]
->You can set each reminder location individually as you create the reminders, or you can go into the **About me** screen and add both **Work** and **Home** addresses as favorites. Make sure that you use real addresses since you’ll need to go to these locations to complete your testing scenario. Additionally, if you’ve turned on the **Meeting & reminder cards & notifications** option (in the **Meetings & reminders** option of your Notebook), you’ll also see your pending reminders on the Cortana **Home** page.
-
-## Create a reminder for a specific location
-This process helps you to create a reminder based on a specific location.
-
-1. Click on the **Cortana** icon in the taskbar, click on the **Notebook** icon, and then click **Reminders**.
-
-2. Click the **+** sign, add a subject for your reminder, such as _Remember to file expense report receipts_, and then click **Place**.
-
- 
-
-3. Choose **Arrive** from the drop-down box, and then type a location to associate with your reminder. For example, you can use the physical address of where you work. Just make sure you can physically get to your location, so you can test the reminder.
-
- 
-
-4. Click **Done**.
-
- >[!NOTE]
- >If you’ve never used this location before, you’ll be asked to add a name for it so it can be added to the **Favorites list** in Windows Maps.
-
-5. Choose to be reminded the **Next time you arrive at the location** or on a specific day of the week from the drop-down box.
-
-6. Take a picture of your receipts and store them locally on your device.
-
-7. Click **Add Photo**, click **Library**, browse to your picture, and then click **OK**.
-
- The photo is stored with the reminder.
-
- 
-
-8. Review the reminder info, and then click **Remind**.
-
- The reminder is saved and ready to be triggered.
-
- 
-
-## Create a reminder for a specific location by using voice commands
-This process helps you to use Cortana at work and voice commands to create a reminder for a specific location.
-
-1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box).
-
-2. Say _Remind me to grab my expense report receipts before I leave home_.
-
- Cortana opens a new reminder task and asks if it sounds good.
-
- 
-
-3. Say _Yes_ so Cortana can save the reminder.
-
- 
-
-## Edit or archive an existing reminder
-This process helps you to edit or archive and existing or completed reminder.
-
-1. Click on the **Cortana** icon in the taskbar, click on the **Notebook** icon, and then click **Reminders**.
-
- 
-
-2. Click the pending reminder you want to edit.
-
- 
-
-3. Change any text that you want to change, click **Add photo** if you want to add or replace an image, click **Delete** if you want to delete the entire reminder, click **Save** to save your changes, and click **Complete and move to History** if you want to save a completed reminder in your **Reminder History**.
\ No newline at end of file
diff --git a/windows/manage/cortana-at-work-scenario-4.md b/windows/manage/cortana-at-work-scenario-4.md
deleted file mode 100644
index 56f1f6af66..0000000000
--- a/windows/manage/cortana-at-work-scenario-4.md
+++ /dev/null
@@ -1,51 +0,0 @@
----
-title: Test scenario 4 - Use Cortana at work to find your upcoming meetings (Windows 10)
-description: A test scenario about how to use Cortana at work to find your upcoming meetings.
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-localizationpriority: high
----
-
-# Test scenario 4 - Use Cortana at work to find your upcoming meetings
-
-- Windows 10, Windows Insider Program
-- Windows 10 Mobile, Windows Insider Program
-
->[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
->[!IMPORTANT]
->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
-
-This scenario helps you search for both general upcoming meetings, and specific meetings, both manually and verbally.
-
->[!NOTE]
->If you’ve turned on the **Meeting & reminder cards & notifications** option (in the **Meetings & reminders** option of your Notebook), you’ll also see your pending reminders on the Cortana **Home** page.
-
-## Find out about upcoming meetings
-This process helps you find your upcoming meetings.
-
-1. Check to make sure your work calendar is connected and synchronized with your Azure AD account.
-
-2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
-
-3. Type _Show me my meetings for tomorrow_.
-
- You’ll see all your meetings scheduled for the next day.
-
- 
-
-## Find out about upcoming meetings by using voice commands
-This process helps you to use Cortana at work and voice commands to find your upcoming meetings.
-
-1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box.
-
-2. Say _Show me what meeting I have at 3pm tomorrow_.
-
- >[!IMPORTANT]
- >Make sure that you have a meeting scheduled for the time you specify here.
-
- 
-
-
diff --git a/windows/manage/cortana-at-work-scenario-5.md b/windows/manage/cortana-at-work-scenario-5.md
deleted file mode 100644
index 8373a4f4c2..0000000000
--- a/windows/manage/cortana-at-work-scenario-5.md
+++ /dev/null
@@ -1,57 +0,0 @@
----
-title: Test scenario 5 - Use Cortana to send email to a co-worker (Windows 10)
-description: A test scenario about how to use Cortana at work to send email to a co-worker.
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-localizationpriority: high
----
-
-# Test scenario 5 - Use Cortana to send email to a co-worker
-
-- Windows 10, Windows Insider Program
-- Windows 10 Mobile, Windows Insider Program
-
->[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
->[!IMPORTANT]
->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
-
-This scenario helps you to send an email to a co-worker listed in your work address book, both manually and verbally.
-
-## Send an email to a co-worker
-This process helps you to send a quick message to a co-worker from the work address book.
-
-1. Check to make sure your Microsoft Outlook or mail app is connected and synchronized with your Azure AD account.
-
-2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
-
-3. Type _Send an email to <contact_name>_.
-
- Where _<contact_name>_ is the name of someone in your work address book.
-
-4. Type your email message subject into the **Quick message** (255 characters or less) box and your message into the **Message** (unlimited characters) box, and then click **Send**.
-
- 
-
-## Send an email to a co-worker by using voice commands
-This process helps you to use Cortana at work and voice commands to send a quick message to a co-worker from the work address book.
-
-1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box.
-
-2. Say _Send an email to <contact_name>_.
-
- Where _<contact_name>_ is the name of someone in your work address book.
-
-3. Add your email message by saying, _Hello this is a test email using Cortana at work._
-
- The message is added and you’re asked if you want to **Send it**, **Add more**, or **Make changes**.
-
- 
-
-4. Say _Send it_.
-
- The email is sent.
-
- 
\ No newline at end of file
diff --git a/windows/manage/cortana-at-work-scenario-6.md b/windows/manage/cortana-at-work-scenario-6.md
deleted file mode 100644
index ac15463824..0000000000
--- a/windows/manage/cortana-at-work-scenario-6.md
+++ /dev/null
@@ -1,37 +0,0 @@
----
-title: Test scenario 6 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device (Windows 10)
-description: An optional test scenario about how to use Cortana at work with Windows Information Protection (WIP).
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-localizationpriority: high
----
-
-# Test scenario 6 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device
-
-- Windows 10, Windows Insider Program
-- Windows 10 Mobile, Windows Insider Program
-
->[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
->[!IMPORTANT]
->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
-
-This optional scenario helps you to protect your organization’s data on a device, based on an inspection by Cortana.
-
-## Use Cortana and WIP to protect your organization’s data
-
-1. Create and deploy an WIP policy to your organization. For info about how to do this, see [Protect your enterprise data using Windows Information Protection (WIP)](../keep-secure/protect-enterprise-data-using-wip.md).
-
-2. Create a new email from a non-protected or personal mailbox, including the text _I’ll send you that presentation tomorrow_.
-
-3. Wait up to 2 hours to make sure everything has updated, click the **Cortana** icon in the taskbar, and then click in the **Search** bar.
-
- Cortana automatically pulls your commitment to sending the presentation out of your email, showing it to you.
-
-4. Create a new email from a protected mailbox, including the same text as above, _I’ll send you that presentation tomorrow_.
-
-5. Wait until everything has updated again, click the **Cortana** icon in the taskbar, and then click in the **Search** bar.
-
- Because it was in an WIP-protected email, the presentation info isn’t pulled out and it isn’t shown to you.
diff --git a/windows/manage/cortana-at-work-testing-scenarios.md b/windows/manage/cortana-at-work-testing-scenarios.md
deleted file mode 100644
index 41f734e006..0000000000
--- a/windows/manage/cortana-at-work-testing-scenarios.md
+++ /dev/null
@@ -1,32 +0,0 @@
----
-title: Testing scenarios using Cortana in your business or organization (Windows 10)
-description: A list of suggested testing scenarios that you can use to test Cortana in your organization.
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-localizationpriority: high
----
-
-# Testing scenarios using Cortana in your business or organization
-**Applies to:**
-
-- Windows 10, Windows Insider Program
-- Windows 10 Mobile, Windows Insider Program
-
->[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
-We've come up with a list of suggested testing scenarios that you can use to test Cortana in your organization. After you complete all the scenarios, you should be able to:
-
-- Sign-in to Cortana using Azure AD, manage entries in the notebook, and search for content across your device, Bing, and the cloud, using Cortana.
-
-- Set a reminder and have it remind you when you’ve reached a specific location.
-
-- Search for your upcoming meetings on your work calendar.
-
-- Send an email to a co-worker from your work email app.
-
-- Use WIP to secure content on a device and then try to manage your organization’s entries in the notebook.
-
->[!IMPORTANT]
->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
\ No newline at end of file
diff --git a/windows/manage/cortana-at-work-voice-commands.md b/windows/manage/cortana-at-work-voice-commands.md
deleted file mode 100644
index 766a5914ad..0000000000
--- a/windows/manage/cortana-at-work-voice-commands.md
+++ /dev/null
@@ -1,64 +0,0 @@
----
-title: Set up and test custom voice commands in Cortana for your organization (Windows 10)
-description: How to create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps.
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-localizationpriority: high
----
-
-# Set up and test custom voice commands in Cortana for your organization
-**Applies to:**
-
-- Windows 10, Windows Insider Program
-- Windows 10 Mobile, Windows Insider Program
-
->[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
-Working with a developer, you can create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps. These voice-enabled actions can reduce the time necessary to access your apps and to complete simple actions.
-
->[!NOTE]
->For more info about how your developer can extend your current apps to work directly with Cortana, see [Cortana interactions in UWP apps](https://msdn.microsoft.com/en-us/windows/uwp/input-and-devices/cortana-interactions).
-
-## High-level process
-Cortana uses a Voice Command Definition (VCD) file, aimed at an installed app, to define the actions that are to happen during certain vocal commands. A VCD file can be very simple to very complex, supporting anything from a single sound to a collection of more flexible, natural language sounds, all with the same intent.
-
-To enable voice commands in Cortana
-
-1. **Extend your LOB app.** Add a custom VCD file to your app package. This file defines what capabilities are available to Cortana from the app, letting you tell Cortana what vocal commands should be understood and handled by your app and how the app should start when the command is vocalized.
-
- Cortana can perform actions on apps in the foreground (taking focus from Cortana) or in the background (allowing Cortana to keep focus). We recommend that you decide where an action should happen, based on what your voice command is intended to do. For example, if your voice command requires employee input, it’s best for that to happen in the foreground. However, if the app only uses basic commands and doesn’t require interaction, it can happen in the background.
-
- - **Start Cortana with focus on your app, using specific voice-enabled statements.** [Create and install a VCD file that starts a foreground app using voice commands and Cortana](https://msdn.microsoft.com/en-us/windows/uwp/input-and-devices/launch-a-foreground-app-with-voice-commands-in-cortana).
-
- - **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Create and install a VCD file that starts a background app using voice commands and Cortana](https://msdn.microsoft.com/en-us/windows/uwp/input-and-devices/launch-a-background-app-with-voice-commands-in-cortana).
-
-2. **Install the VCD file on employees' devices**. You can use System Center Configuration Manager or Microsoft Intune to deploy and install the VCD file on your employees' devices, the same way you deploy and install any other package in your organization.
-
-## Test Scenario: Use voice commands in a Windows Store app
-While these aren't line-of-business apps, we've worked to make sure to implement a VCD file, allowing you to test how the functionality works with Cortana in your organization.
-
-**To get a Windows Store app**
-1. Go to the Windows Store, scroll down to the **Collections** area, click **Show All**, and then click **Better with Cortana**.
-
-2. Click **Uber**, and then click **Install**.
-
-3. Open Uber, create an account or sign in, and then close the app.
-
-**To set up the app with Cortana**
-1. Click on the **Cortana** search box in the taskbar, and then click the **Notebook** icon.
-
-2. Click on **Connected Services**, click **Uber**, and then click **Connect**.
-
- 
-
-**To use the voice-enabled commands with Cortana**
-1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box).
-
-2. Say _Uber get me a taxi_.
-
- Cortana changes, letting you provide your trip details for Uber.
-
-## See also
-- [Cortana for developers](http://go.microsoft.com/fwlink/?LinkId=717385)
\ No newline at end of file
diff --git a/windows/manage/customize-and-export-start-layout.md b/windows/manage/customize-and-export-start-layout.md
index 102272ce54..87f206380e 100644
--- a/windows/manage/customize-and-export-start-layout.md
+++ b/windows/manage/customize-and-export-start-layout.md
@@ -17,7 +17,9 @@ localizationpriority: high
- Windows 10
->**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630)
+**Looking for consumer information?**
+
+- [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630)
The easiest method for creating a customized Start layout to apply to other Windows 10 devices is to set up the Start screen on a test computer and then export the layout.
@@ -27,8 +29,7 @@ When a full Start layout is applied, the users cannot pin, unpin, or uninstall a
When [a partial Start layout](#configure-a-partial-start-layout) is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups.
->[!NOTE]
->Partial Start layout is only supported on Windows 10, version 1511 and later.
+**Note** Partial Start layout is only supported on Windows 10, version 1511 and later.
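Review bot: the converted note puts the label and its text on one line (`**Note** Partial Start layout is only supported on Windows 10, version 1511 and later.`), whereas the other conversions in this PR (the **Warning** and the Import-StartLayout **Note** in customize-windows-10-start-screens-by-using-group-policy.md) put the label on its own line; pick one form, preferably the label on its own line so all converted callouts render the same way.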
@@ -49,7 +50,7 @@ To prepare a Start layout for export, you simply customize the Start layout on a
1. Set up a test computer on which to customize the Start layout. Your test computer should have the operating system that is installed on the users’ computers (Windows 10 Enterprise or Windows 10 Education). Install all apps and services that the Start layout should display.
-2. Create a new user account that you will use to customize the Start layout.
+ 2. Create a new user account that you will use to customize the Start layout.
**To customize Start**
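Review bot: step 2 gains a leading space (` 2. Create a new user account that you will use to customize the Start layout.`) while step 1 keeps none; the indentation looks accidental and can make the renderer treat the line as a continuation of step 1 rather than the second list item. Remove the space.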
diff --git a/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md b/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md
index 47b68d045b..80e8f90299 100644
--- a/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md
+++ b/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md
@@ -17,14 +17,16 @@ localizationpriority: high
- Windows 10
->**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630)
+**Looking for consumer information?**
+
+- [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630)
In Windows 10 Enterprise and Windows 10 Education, you can use a Group Policy Object (GPO) to deploy a customized Start and taskbar layout to users in a domain. No reimaging is required, and the layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead.
This topic describes how to update Group Policy settings to display a customized Start and taskbar layout when the users sign in. By creating a domain-based GPO with these settings, you can deploy a customized Start and taskbar layout to users in a domain.
->[!WARNING]
->When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups. When you apply a taskbar layout, users will still be able to pin and unpin apps, and change the order of pinned apps.
+**Warning**
+When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups. When you apply a taskbar layout, users will still be able to pin and unpin apps, and change the order of pinned apps.
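Review bot: replacing `>[!WARNING]` with a plain **Warning** line removes the callout styling from a statement that changes what users can do (no pin, unpin, or uninstall under a full Start layout); if the `[!WARNING]` syntax is unsupported in the target renderer this is the right fix, otherwise this particular note is worth keeping as an alert box.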
@@ -44,15 +46,15 @@ Three features enable Start and taskbar layout control:
- The [Export-StartLayout](https://go.microsoft.com/fwlink/p/?LinkID=620879) cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format.
- >[!NOTE]
- >To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet.
+ **Note**
+ To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet.
-- [You can modify the Start .xml file](configure-windows-10-taskbar.md) to include `
Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy.
8. Open the Intune administration console, and go to the **Policy** node, click **Add Policy** from the **Tasks** area, go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
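Review bot: the removed bullet `- [You can modify the Start .xml file](configure-windows-10-taskbar.md) to include \`` is cut off after the opening backtick in the diff as shown, and the lines that follow ("Be aware that what you're saving are the actual AppLocker rules...", the Intune policy step) belong to the WIP Intune topic, so the replacement for the taskbar .xml bullet is not visible here; please confirm the link to configure-windows-10-taskbar.md survives in the new text.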
@@ -122,10 +118,7 @@ After saving the policy, you’ll need to deploy it to your employee’s devices
After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) topic.
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
-
-## Related topics
+##Related topics
- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md)
- [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md)
- [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
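Review bot: `##Related topics` drops the space after `##`; CommonMark and GitHub-flavored Markdown require a space between the hashes and the heading text, so this line renders as literal "##Related topics" instead of a heading. Restore `## Related topics`.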
diff --git a/windows/keep-secure/allow-log-on-locally.md b/windows/keep-secure/allow-log-on-locally.md
index 9e4831a223..3cbeacb088 100644
--- a/windows/keep-secure/allow-log-on-locally.md
+++ b/windows/keep-secure/allow-log-on-locally.md
@@ -1,5 +1,5 @@
---
-title: Allow log on locally - security policy setting (Windows 10)
+title: Allow log on locally (Windows 10)
description: Describes the best practices, location, values, policy management, and security considerations for the Allow log on locally security policy setting.
ms.assetid: d9e5e1f3-3bff-4da7-a9a2-4bb3e0c79055
ms.prod: w10
@@ -9,7 +9,7 @@ ms.pagetype: security
author: brianlic-msft
---
-# Allow log on locally - security policy setting
+# Allow log on locally
**Applies to**
- Windows 10
diff --git a/windows/keep-secure/app-behavior-with-wip.md b/windows/keep-secure/app-behavior-with-wip.md
index bf932d459d..55939649d4 100644
--- a/windows/keep-secure/app-behavior-with-wip.md
+++ b/windows/keep-secure/app-behavior-with-wip.md
@@ -129,6 +129,3 @@ This table includes info about how enlightened apps might behave, based on your
-
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
diff --git a/windows/keep-secure/back-up-files-and-directories.md b/windows/keep-secure/back-up-files-and-directories.md
index f338698789..6f6a7b8805 100644
--- a/windows/keep-secure/back-up-files-and-directories.md
+++ b/windows/keep-secure/back-up-files-and-directories.md
@@ -1,5 +1,5 @@
---
-title: Back up files and directories - security policy setting (Windows 10)
+title: Back up files and directories (Windows 10)
description: Describes the best practices, location, values, policy management, and security considerations for the Back up files and directories security policy setting.
ms.assetid: 1cd6bdd5-1501-41f4-98b9-acf29ac173ae
ms.prod: w10
@@ -9,7 +9,7 @@ ms.pagetype: security
author: brianlic-msft
---
-# Back up files and directories - security policy setting
+# Back up files and directories
**Applies to**
- Windows 10
diff --git a/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md b/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md
index 10963dd930..3f72f93ba5 100644
--- a/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md
+++ b/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md
@@ -1,6 +1,6 @@
---
-title: Back up the TPM recovery information to AD DS (Windows 10)
-description: This topic for the IT professional describes backup of Trusted Platform Module (TPM) information.
+title: Backup the TPM recovery Information to AD DS (Windows 10)
+description: This topic for the IT professional describes how to back up a computer’s Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS) so that you can use AD DS to administer the TPM from a remote computer.
ms.assetid: 62bcec80-96a1-464e-8b3f-d177a7565ac5
ms.prod: w10
ms.mktglfcycl: deploy
@@ -9,19 +9,556 @@ ms.pagetype: security
author: brianlic-msft
---
-# Back up the TPM recovery information to AD DS
+# Backup the TPM recovery Information to AD DS
**Applies to**
- Windows 10, version 1511
- Windows 10, version 1507
**Does not apply to**
+- Windows 10, version 1607 or later
-- Windows 10, version 1607 or later
+This topic for the IT professional describes how to back up a computer’s Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS) so that you can use AD DS to administer the TPM from a remote computer.
-With Windows 10, versions 1511 and 1507, you can back up a computer’s Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS). By doing this, you can use AD DS to administer the TPM from a remote computer. The procedure is the same as it was for Windows 8.1. For more information, see [Backup the TPM Recovery Information to AD DS](https://technet.microsoft.com/library/dn466534(v=ws.11).aspx).
+## About administering TPM remotely
-## Related topics
+Backing up the TPM owner information for a computer allows administrators in a domain to remotely configure the TPM security hardware on the local computer. For example, administrators might want to reset the TPM to the manufacturer’s defaults when they decommission or repurpose computers, without having to be present at the computer.
-- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
-- [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md)
\ No newline at end of file
+You can use AD DS to store TPM owner information for use in recovery situations where the TPM owner has forgotten the password or where you must take control of the TPM. There is only one TPM owner password per computer; therefore, the hash of the TPM owner password can be stored as an attribute of the computer object in AD DS. The attribute has the common name (CN) of **ms-TPM-OwnerInformation**.
+
+> **Note:** The TPM owner authorization value is stored in AD DS, and it is present in a TPM owner password file as a SHA-1 hash of the TPM owner password, which is base 64–encoded. The actual owner password is not stored.
+
+Domain controllers running Windows Server 2012 R2 or Windows Server 2012 include the required AD DS schema objects by default. However, if your domain controller is running Windows Server 2008 R2, you need to update the schema as described in [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md).
+
+This topic contains procedures, some of which are dependent on Visual Basic scripts, to recover TPM information and decommission TPM on remote computers. Sample scripts are available, which you can customize to meet the requirements of your environment.
+
+In this topic:
+
+1. [Check status of prerequisites](#bkmk-prereqs)
+2. [Set permissions to back up password information](#bkmk-setperms)
+3. [Configure Group Policy to back up TPM recovery information in AD DS](#bkmk-configuregp)
+4. [Use AD DS to recover TPM information](#bkmk-useit)
+5. [Sample scripts](#bkmk-adds-tpm-scripts)
+
+## Check status of prerequisites
+
+Before you begin your backup, ensure that the following prerequisites are met:
+
+1. All domain controllers that are accessible by client computers that will be using TPM services are running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 with the updated schema.
+
+ > **Tip:** For more info about the schema extensions that are required for a TPM backup in Active Directory domains that are running Windows Server 2008 R2, see [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md).
+
+2. You have domain administrator rights in the target forest, or you are using an account that has been granted appropriate permissions to extend the schema for the target forest. Members of the Enterprise Admins or Schema Admins groups are examples of accounts that have the appropriate permissions.
+
+## Set permissions to back up password information
+
+This procedure uses the sample script [Add-TPMSelfWriteACE.vbs](#bkmk-add-tpmselfwriteace) to add an access control entry (ACE) so that backing up TPM recovery information is possible. A client computer cannot back up TPM owner information until this ACE is added.
+
+This script is run on the domain controller that you will use to administer the TPM recovery information, and it operates under the following assumptions:
+
+- You have domain administrator credentials to set permissions for the top-level domain object.
+- Your target domain is the same as the domain for the user account that is running the script. For example, running the script as TESTDOMAIN\\admin will extend permissions for TESTDOMAIN.
+
+ > **Note:** You might need to modify the sample script if you want to set permissions for multiple domains, but you do not have domain administrator accounts for each of those domains. Find the variable **strPathToDomain** in the script, and modify it for your target domain, for example:
+ `LDAP://DC=testdomain,DC=nttest,DC=microsoft,DC=com`
+
+- Your domain is configured so that permissions are inherited from the top-level domain object to targeted computer objects.
+
+ Permissions will not take effect if any container in the hierarchy does not allow inherited permissions. By default, permissions inheritance is set in AD DS. If you are not sure whether your configuration differs from this default, you can continue with the setup steps to set the permissions.
+ You can then verify your configuration as described later in this topic. Or you can click the **Effective Permissions** button while viewing the properties of a computer object, then check that **Self** is approved to write the **msTPM-OwnerInformation** attribute.
+
+**To add an ACE to allow TPM recovery information backup**
+
+1. Open the sample script **Add-TPMSelfWriteACE.vbs**.
+
+ The script contains a permission extension, and you must modify the value of **strPathToDomain** by using your domain name.
+
+2. Save your modifications to the script.
+3. Type the following at a command prompt, and then press ENTER:
+
+ **cscript Add-TPMSelfWriteACE.vbs**
+
+This script adds a single ACE to the top-level domain object. The ACE is an inheritable permission that allows the computer (SELF) to write to the **ms-TPM-OwnerInformation** attribute for computer objects in the domain.
+Complete the following procedure to check that the correct permissions are set and to remove TPM and BitLocker ACEs from the top-level domain, if necessary.
+
+**Manage ACEs configured on TPM schema objects**
+
+1. Open the sample script **List-ACEs.vbs**.
+2. Modify **List-ACEs.vbs**.
+
+ You must modify:
+ - Value of **strPathToDomain**: Use your domain name.
+ - Filter options: The script sets a filter to address BitLocker and TPM schema objects, so you must modify **If IsFilterActive ()** if you want to list or remove other schema objects.
+
+3. Save your modifications to the script.
+4. Type the following at a command prompt, and then press ENTER:
+
+ **cscript List-ACEs.vbs**
+
+ With this script you can optionally remove ACEs from BitLocker and TPM schema objects on the top-level domain.
+
+## Configure Group Policy to back up TPM recovery information in AD DS
+
+Use these procedures to configure the [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md#bkmk-tpmgp-addsbu) policy setting on a local computer. In a production environment, an efficient way to do this is to create or edit a Group Policy Object (GPO) that can target client computers in the domain.
+
+**To enable local policy setting to back up TPM recovery information to AD DS**
+
+1. Sign in to a domain-joined computer by using a domain account that is a member of the local Administrators group.
+2. Open the Local Group Policy Editor (gpedit.msc), and in the console tree, navigate to **Computer Configuration\\Administrative Templates\\System**.
+3. Click **Trusted Platform Module Services**.
+4. Double-click **Turn on TPM backup to Active Directory Domain Services**.
+5. Click **Enabled**, and then click **OK**.
+> **Important:** When this setting is enabled, the TPM owner password cannot be set or changed unless the computer is connected to the domain and AD DS backup of the TPM recovery information succeeds.
+
+## Use AD DS to recover TPM information
+
+When you need to recover the TPM owner information from AD DS and use it to manage the TPM, you need to read the **ms-TPM-OwnerInformation** object from AD DS, and then manually create a TPM owner password backup file that can be supplied when TPM owner credentials are required.
+
+**To obtain TPM owner backup information from AD DS and create a password file**
+
+1. Sign in to a domain controller by using domain administrator credentials.
+2. Copy the sample script file, [Get-TPMOwnerInfo.vbs](#bkmk-get-tpmownerinfo), to a location on your computer.
+3. Open a Command Prompt window, and change the default location to the location of the sample script files you saved in the previous step.
+4. At the command prompt, type **cscript Get-TPMOwnerInfo.vbs**.
+
+ The expected output is a string that is the hash of the password that you created earlier.
+ > **Note:** If you receive the error message, "Active Directory: The directory property cannot be found in the cache," verify that you are using a domain administrator account, which is required to read the **ms-TPM-OwnerInformation** attribute.
+
+ The only exception to this requirement is that if users are the Creator Owner of computer objects that they join to the domain, they can possibly read the TPM owner information for their computer objects.
+
+5. Open Notepad or another text editor, and copy the following code sample into the file, and replace *TpmOwnerPasswordHash* with the string that you recorded in the previous step.
+
+ ``` syntax
+
+
+
-
+
-**Table 1.** How to choose the best countermeasures for Windows 8.1
-
-
-
-
-
without TPM
-
-
(with TPM)
-
-
-
-
Rootkits
-
-
-
-
-
-
Sign-in
-
-
-
-
-
-
Attacks
-
-
-
-
-
-
Attacks
-
-
-
-
-
-
Remanence
Attacks
-
-
-
-
+
-**Table 2.** How to choose the best countermeasures for Windows 10
+**Figure 3.** How to choose the best countermeasures for Windows 8
+
+
+
+**Figure 4.** How to choose the best countermeasures for Windows 8.1
The latest InstantGo devices, primarily tablets, are designed to be secure by default against all attacks that might compromise the BitLocker encryption key. Other Windows devices can be, too. DMA port–based attacks, which represent the attack vector of choice, are not possible on InstantGo devices, because these port types are prohibited. The inclusion of DMA ports on even non-InstantGo devices is extremely rare on recent devices, particularly on mobile ones. This could change if Thunderbolt is broadly adopted, so IT should consider this when purchasing new devices. In any case DMA ports can be disabled entirely, which is an increasingly popular option because the use of
DMA ports is infrequent in the non-developer space.
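Review bot: in the backup-tpm-recovery-information-to-ad-ds.md hunk, the title and H1 change from "Back up the TPM recovery information to AD DS" to "Backup the TPM recovery Information to AD DS", which reintroduces "Backup" as a verb (should be "Back up") and a stray capital on "Information"; keep the previous title. The attribute is named three ways in the added text: "common name (CN) of **ms-TPM-OwnerInformation**", "**msTPM-OwnerInformation** attribute" (Effective Permissions paragraph), and "**ms-TPM-OwnerInformation** attribute" (ACE paragraph and recovery section); use the CN form only where the CN is meant and one spelling of the attribute name everywhere else, so admins searching ADSI Edit or the Effective Permissions dialog find it. The "In this topic" list links to `#bkmk-prereqs`, `#bkmk-setperms`, `#bkmk-configuregp`, `#bkmk-useit` and `#bkmk-adds-tpm-scripts`, and the script references link to `#bkmk-add-tpmselfwriteace` and `#bkmk-get-tpmownerinfo`, but none of the added headings define those anchors, so either add the anchors or link to the heading slugs. Step 5 under "Use AD DS to recover TPM information" opens a ``` syntax fence and the sample the reader is told to paste *TpmOwnerPasswordHash* into does not appear in the diff as shown; the lines that follow (the "Table 1"/"Table 2" to "Figure 3"/"Figure 4" caption changes and the "without TPM ... Remanence Attacks" rows) belong to the BitLocker countermeasures table of another topic, so the tail of this hunk needs a second look in the rendered file. Finally, the move of `- Windows 10, version 1607 or later` under "Does not apply to" is a no-op reorder and can be dropped from the change.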
diff --git a/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md
index d7147d12a9..65dcdf6805 100644
--- a/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md
@@ -24,7 +24,7 @@ localizationpriority: high
You need to add an application in your Azure Active Directory (AAD) tenant then authorize the Windows Defender ATP Alerts Export application to communicate with it so that your security information and events management (SIEM) tool can consume alerts from Windows Defender ATP portal.
-1. Login to the [Azure management portal](https://ms.portal.azure.com).
+1. Login to the [Azure management portal](https://manage.windowsazure.com).
2. Select **Active Directory**.
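Review bot: the sign-in link changes from https://ms.portal.azure.com to https://manage.windowsazure.com, which is the classic portal; the next step, "Select **Active Directory**", matches the classic portal's navigation, so the steps are consistent, but the link text "Azure management portal" should say "classic" so a reader who lands in the new portal knows why the navigation differs.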
@@ -53,12 +53,14 @@ You need to add an application in your Azure Active Directory (AAD) tenant then
13. Click **Save** and copy the key in a safe place. You'll need this key to authenticate the client application on Azure Active Directory.
-14. Open a web browser and connect to the following URL: `https://DataAccess-PRD.trafficmanager.net:444/api/FetchToken?clientId=f7c1acd8-0458-48a0-a662-dba6de049d1c&tenantId=
-
-
-
-
-
without TPM
-
-
(with TPM)
-
-
-
-
Rootkits
-
-
-
-
-
-
Sign-in
-
-
-
-
-
-
Attacks
-
-
Can be additionally secured by deploying policy to restrict DMA devices:
-
-
-
-
Attacks
-
-
-
-
-
-
Remanence
Attacks
-
-
The most effective mitigation, which we advise for high-security devices, is to configure a TPM+PIN protector, disable Standby power management, and shut down or hibernate the device before it leaves the control of an authorized user.
-
- An Azure login page appears.
- > [!NOTE]
- > - Replace *tenant ID* with your actual tenant ID.
- > - Keep the *clientSecret* as is. This is a dummy value, but the parameter must appear.
+14. Open a web browser and connect to the following URL:
+```text
+https://DataAccess-PRD.trafficmanager.net:444/api/FetchToken?clientId=f7c1acd8-0458-48a0-a662-dba6de049d1c&tenantId=
+ > **For the redirect_uri value use**: ```https://localhost:44300/wdatpconnector```
+ >
+- Get the *wdatp-connector.properties* file from your Windows Defender ATP contact. This file is used to parse the information from Windows Defender ATP to HP ArcSight consumable format.
+- Install the HP ArcSight REST FlexConnector package on a server that has access to the Internet.
+- Contact the Windows Defender ATP team to get your refresh token or follow the steps in the section "Run restutil to Obtain a Refresh Token for Connector Appliance/ArcSight Management Center" in the ArcSight FlexConnector Developer's guide.
## Configure HP ArcSight
-The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin). For more information, see the ArcSight FlexConnector Developer's guide.
+The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin).
-1. Save the [WDATP-connector.jsonparser.properties file](http://download.microsoft.com/download/0/8/A/08A4957D-0923-4353-B25F-395EAE363E8C/WDATP-connector.jsonparser.properties) file into the connector installation folder. The
+1. Copy the *wdatp-connector.jsonparser.properties* file into the `Type in the name of the client property file. It must match the client property file.
Events URL
- Depending on the location of your datacenter, select either the EU or the US URL: **For EU**: https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
- **For US:** https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
+ `https://DataAccess-PRD.trafficmanager.net:444/api/alerts`
Authentication Type
OAuth 2
@@ -89,8 +78,7 @@ The following steps assume that you have completed all the required steps in [Be
Select *wdatp-connector.properties*.
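Review bot: in the rewritten step 14, the `text` fence opened for the FetchToken URL has no closing fence in the visible lines, and the removed note that told the reader to replace *tenant ID* with the actual tenant ID and to leave the dummy *clientSecret* parameter in place is not carried over, even though the new URL still ends in `tenantId=`; restore both instructions. In the "Events URL" row, the two regional alert exporter URLs (`wdatp-alertexporter-eu` / `wdatp-alertexporter-us.securitycenter.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME`) are replaced by the single `https://DataAccess-PRD.trafficmanager.net:444/api/alerts`, which drops the `sinceTimeUtc=$START_AT_TIME` parameter that gave the connector incremental fetching; confirm the new endpoint supports that, otherwise ArcSight will re-pull the full alert set on every poll. The step "1. Copy the *wdatp-connector.jsonparser.properties* file into the" is also truncated in the diff as shown, and the lines between step 14 and the ArcSight bullets ("without TPM" ... "Remanence Attacks", the DMA policy sentence, the TPM+PIN mitigation sentence) belong to the BitLocker countermeasures table and appear here by mistake.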
diff --git a/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md
deleted file mode 100644
index 19e99c915d..0000000000
--- a/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md
+++ /dev/null
@@ -1,63 +0,0 @@
----
-title: Configure email notifications in Windows Defender ATP
-description: Send email notifications to specified recipients to receive new alerts based on severity with Windows Defender ATP on Windows 10 Enterprise, Pro, and Education editions.
-keywords: email notifications, configure alert notifications, windows defender atp notifications, windows defender atp alerts, windows 10 enterprise, windows 10 education
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: mjcaparas
-localizationpriority: high
----
-
-# Configure email notifications
-
-**Applies to:**
-
-- Windows 10 Enterprise
-- Windows 10 Education
-- Windows 10 Pro
-- Windows 10 Pro Education
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-You can configure Windows Defender ATP to send email notifications to specified recipients for new alerts. This feature enables you to identify a group of individuals who will immediately be informed and can act on alerts based on their severity.
-
-> [!NOTE]
-> Only users with full access can configure email notifications.
-
-You can set the alert severity levels that trigger notifications. When you turn enable the email notifications feature, it’s set to high and medium alerts by default.
-
-You can also add or remove recipients of the email notification. New recipients get notified about alerts encountered after they are added. For more information about alerts, see [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md).
-
-The email notification includes basic information about the alert and a link to the portal where you can do further investigation.
-
-## Set up email notifications for alerts
-The email notifications feature is turned off by default. Turn it on to start receiving email notifications.
-
-1. On the navigation pane, select **Preferences Setup** > **Email Notifications**.
-2. Toggle the setting between **On** and **Off**.
-3. Select the alert severity level that you’d like your recipients to receive:
- - **High** – Select this level to send notifications for high-severity alerts.
- - **Medium** – Select this level to send notifications for medium-severity alerts.
- - **Low** - Select this level to send notifications for low-severity alerts.
-4. In **Email recipients to notify on new alerts**, type the email address then select the + sign.
-5. Click **Save preferences** when you’ve completed adding all the recipients.
-
-Check that email recipients are able to receive the email notifications by selecting **Send test email**. All recipients in the list will receive the test email.
-
-## Remove email recipients
-
-1. Select the trash bin icon beside the email address you’d like to remove.
-2. Click **Save preferences**.
-
-## Troubleshoot email notifications for alerts
-This section lists various issues that you may encounter when using email notifications for alerts.
-
-**Problem:** Intended recipients report they are not getting the notifications.
-
-**Solution:** Make sure that the notifications are not blocked by email filters:
-
-1. Check that the Windows Defender ATP email notifications are not sent to the Junk Email folder. Mark them as Not junk.
-2. Check that your email security product is not blocking the email notifications from Windows Defender ATP.
-3. Check your email application rules that might be catching and moving your Windows Defender ATP email notifications.
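Review bot: this deletes the "Configure email notifications" topic outright (deleted file mode 100644), but the diff shows no TOC or redirect change for configure-email-notifications-windows-defender-advanced-threat-protection.md, so any page that links to it will break; add a redirect or confirm nothing links here. If the topic is being removed because the feature moved, the deleted troubleshooting guidance (junk-folder and mail-filter checks for missed alert notifications) is worth carrying to the replacement topic.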
diff --git a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
index c842ea1668..b5b16faf54 100644
--- a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
@@ -37,14 +37,14 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre
b. Select **Mobile Device Management/Microsoft Intune** > **Download package** and save the .zip file.
- 
+ 
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP.onboarding*.
3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune).
a. Select **Policy** > **Configuration Policies** > **Add**.
- 
+ 
b. Under **Windows**, select **Custom Configuration (Windows 10 Desktop and Mobile and later)** > **Create and Deploy a Custom Policy** > **Create Policy**.

@@ -56,7 +56,7 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre

e. Type the following values then select **OK**:
-
+

- **Setting name**: Type a name for the setting.
diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
index 8b193b46c6..8faa5dafdb 100644
--- a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
@@ -51,10 +51,6 @@ You can use System Center Configuration Manager’s existing functionality to cr
a. Choose a predefined device collection to deploy the package to.
-> [!NOTE]
-> Onboarding couldn't be completed during Out-Of-Box Experience (OOBE). Make sure users pass OOBE after running Windows installation or upgrading.
-
-
### Configure sample collection settings
For each endpoint, you can set a configuration value to state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
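Review bot: removing the OOBE note drops the only statement that onboarding cannot complete during the Out-Of-Box Experience and that users must pass OOBE after installation or upgrade; if that limitation still holds, keep the note (in whichever callout style the PR settles on), since an endpoint that silently fails to onboard is exactly the kind of gap admins need to know about.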
diff --git a/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md
index 50903ddc26..a2643013c6 100644
--- a/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md
@@ -45,7 +45,7 @@ You can also manually onboard individual endpoints to Windows Defender ATP. You
5. Press the **Enter** key or click **OK**.
-For for information on how you can manually validate that the endpoint is compliant and correctly reports sensor data see, [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md).
+For for information on how you can manually validate that the endpoint is compliant and correctly reports telemetry see, [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md).
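Review bot: the edited line keeps the doubled word "For for information" in both the old and new versions; since the line is being touched anyway for "sensor data" → "telemetry", fix it to "For information".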
## Configure sample collection settings
For each endpoint, you can set a configuration value to state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
diff --git a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md
index cca969958e..18864595b3 100644
--- a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md
@@ -21,7 +21,7 @@ localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-Endpoints in your organization must be configured so that the Windows Defender ATP service can get sensor data from them. There are various methods and deployment tools that you can use to configure the endpoints in your organization.
+Endpoints in your organization must be configured so that the Windows Defender ATP service can get telemetry from them. There are various methods and deployment tools that you can use to configure the endpoints in your organization.
Windows Defender ATP supports the following deployment tools and methods:
diff --git a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md
index 38a3f1edc2..c24886d168 100644
--- a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md
@@ -22,7 +22,7 @@ localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service.
+The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report telemetry and communicate with the Windows Defender ATP service.
The embedded Windows Defender ATP sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Windows Defender ATP cloud service.
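Review bot: "The Window Defender ATP sensor requires ..." is missing the "s" in "Windows" on both the removed and the added line; the added line should read "The Windows Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report telemetry ...". The unchanged context line below already spells the product name correctly, so the two sentences will otherwise disagree.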
diff --git a/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md
index ee6c76e9b7..60e1c00469 100644
--- a/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md
@@ -25,9 +25,9 @@ You'll need to configure Splunk so that it can consume Windows Defender ATP aler
## Before you begin
-- Install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/) in Splunk.
-- Obtain your refresh token. For more information, see [Obtain a refresh token](configure-aad-windows-defender-advanced-threat-protection.md#obtain-a-refresh-token).
-- Get the following information from your Azure Active Directory (AAD) application by selecting **View Endpoint** on the application configuration page:
+- Install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/) in Splunk
+- Contact the Windows Defender ATP team to get your refresh token
+- Get the following information from your Azure Active Directory (AAD) application by selecting the **View Endpoint** on the application configuration page:
- OAuth 2 Token refresh URL
- OAuth 2 Client ID
- OAuth 2 Client secret
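Review bot: The second bullet replaces a self-service link ("Obtain a refresh token" in configure-aad-windows-defender-advanced-threat-protection.md) with "Contact the Windows Defender ATP team to get your refresh token"; confirm that the linked anchor is actually being retired, because the unchanged context in the next hunk of this same file still tells the reader to see that anchor for the events-URL method, so the two passages will contradict each other. Also, the third bullet picks up a stray article: "by selecting the **View Endpoint** on the application configuration page" should be "by selecting **View Endpoint** on ...". Dropping the trailing periods on the first two bullets is fine as long as the rest of the list is made consistent.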
@@ -56,8 +56,7 @@ You'll need to configure Splunk so that it can consume Windows Defender ATP aler
Refresh Token
- You can use the Windows Defender ATP events URL or the restutil tool to get obtain a refresh token.
+
For more information on getting your refresh token using the events URL, see [Obtain a refresh token](configure-aad-windows-defender-advanced-threat-protection.md#obtain-a-refresh-token). **To get your refresh token using the restutil tool:** a. Open a command prompt. Navigate to `C:\ArcSightSmartConnectors\Paste the refresh token that your Windows Defender ATP contact provided, or run the `restutil` tool to get it.
Endpoint URL
- Depending on the location of your datacenter, select either the EU or the US URL: **For EU**: https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts **For US:** https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts
-
+ https://DataAccess-PRD.trafficmanager.net:444/api/alerts
HTTP Method
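Review bot: The Endpoint URL change swaps the two documented regional endpoints (wdatp-alertexporter-eu / wdatp-alertexporter-us under securitycenter.windows.com) for a single "https://DataAccess-PRD.trafficmanager.net:444/api/alerts". A trafficmanager.net hostname on non-standard port 444 reads like an internal or pre-release name rather than the customer-facing service endpoint, and the edit silently removes the datacenter-location choice that customers use for data residency; please confirm this is the intended public URL and, if so, say in the text which region it serves. Separately, the unchanged context line under "Refresh Token" contains "Navigate to `C:\ArcSightSmartConnectors\Paste the refresh token that your Windows Defender ATP contact provided ...": an ArcSight connector path in the Splunk topic, cut off mid-path and run into the next sentence. That looks like text carried over from the ArcSight topic; check how the line renders before merging.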
diff --git a/windows/keep-secure/create-a-pagefile.md b/windows/keep-secure/create-a-pagefile.md
index 804d32f022..a8c65abbab 100644
--- a/windows/keep-secure/create-a-pagefile.md
+++ b/windows/keep-secure/create-a-pagefile.md
@@ -1,5 +1,5 @@
---
-title: Create a pagefile - security policy setting (Windows 10)
+title: Create a pagefile (Windows 10)
description: Describes the best practices, location, values, policy management, and security considerations for the Create a pagefile security policy setting.
ms.assetid: dc087897-459d-414b-abe0-cd86c8dccdea
ms.prod: w10
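Review bot: The title loses the "- security policy setting" suffix while the description line directly below still calls it "the Create a pagefile security policy setting". That is not wrong, but the other topics in this security-policy-settings set use the suffix in their titles, so the rename leaves this one inconsistent with its siblings in search results and the TOC; either keep the suffix or rename the set together.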
@@ -9,7 +9,7 @@ ms.pagetype: security
author: brianlic-msft
---
-# Create a pagefile - security policy setting
+# Create a pagefile
**Applies to**
- Windows 10
diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md
index 4bd92ff06f..06392494c0 100644
--- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md
+++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md
@@ -19,8 +19,8 @@ If you don’t already have an EFS DRA certificate, you’ll need to create and
The recovery process included in this topic only works for desktop devices. WIP deletes the data on Windows 10 Mobile devices.
->[!IMPORTANT]
->If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx).
+If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx).
+ Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location.
4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as Microsoft Intune or System Center Configuration Manager.
- >[!NOTE]
- >To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) topic.
+ >**Note**
+ To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) topic.
**To verify your data recovery certificate is correctly set up on a WIP client computer**
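Review bot: The converted note is only half-quoted: the label line is "+ >**Note**" but the body line that follows has no ">" prefix, so Markdown renders "**Note**" as a one-word blockquote and the sentence as a separate paragraph outside it. Either prefix both lines with ">" or drop the blockquote on both. The new sentence about the DRA .pfx private keys being able to decrypt any WIP file is a worthwhile addition; since it is the single point of recovery for every protected file, consider keeping it inside the callout rather than demoting the whole block to body text, so it stays visible to readers skimming the steps.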
@@ -73,8 +73,7 @@ The recovery process included in this topic only works for desktop devices. WIP
**To quickly recover WIP-protected desktop data after unenrollment**
It's possible that you might revoke data from an unenrolled device only to later want to restore it all. This can happen in the case of a missing device being returned or if an unenrolled employee enrolls again. If the employee enrolls again using the original user profile, and the revoked key store is still on the device, all of the revoked data can be restored at once, by following these steps.
->[!IMPORTANT]
->To maintain control over your enterprise data, and to be able to revoke again in the future, you must only perform this process after the employee has re-enrolled the device.
+>**Important**
To maintain control over your enterprise data, and to be able to revoke again in the future, you must only perform this process after the employee has re-enrolled the device.
1. Have your employee sign in to the unenrolled device, open a command prompt, and type:
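Review bot: Same blockquote mismatch as in the earlier note of this file: "+>**Important**" is quoted but the sentence after it ("To maintain control over your enterprise data ...") is unchanged context without the ">" prefix, so the label and its body will not render as one callout. Quote both lines or neither.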
@@ -94,9 +93,6 @@ It's possible that you might revoke data from an unenrolled device only to later
The Windows Credential service automatically recovers the employee’s previously revoked keys from the `Recovery\Input` location.
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
-
## Related topics
- [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx)
diff --git a/windows/keep-secure/create-applocker-default-rules.md b/windows/keep-secure/create-applocker-default-rules.md
index 6f5b802707..930d2bc4d7 100644
--- a/windows/keep-secure/create-applocker-default-rules.md
+++ b/windows/keep-secure/create-applocker-default-rules.md
@@ -27,7 +27,3 @@ You can perform this task by using the Group Policy Management Console for an Ap
1. Open the AppLocker console.
2. Right-click the appropriate rule type for which you want to automatically generate default rules. You can automatically generate rules for executable, Windows Installer, script rules and Packaged app rules.
3. Click **Create Default Rules**.
-
-## Related topics
-
-- [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
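Review bot: Deleting the "Related topics" section removes this topic's only link to understanding-applocker-default-rules.md, which is the explanation of what the default rules actually allow. If that target topic is being retired, fine; otherwise keep the section, because a reader who follows the three steps here has no pointer to what the generated rules do.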
diff --git a/windows/keep-secure/create-vpn-and-wip-policy-using-intune.md b/windows/keep-secure/create-vpn-and-wip-policy-using-intune.md
index 64602d97ae..45ed365fe2 100644
--- a/windows/keep-secure/create-vpn-and-wip-policy-using-intune.md
+++ b/windows/keep-secure/create-vpn-and-wip-policy-using-intune.md
@@ -111,10 +111,6 @@ The final step to making your VPN configuration work with WIP, is to link your t
3. After you've picked all of the employees and groups that should get the policy, click **OK**. The policy is deployed to the selected users' devices.
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
-
-
diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md
index f0c94d6dba..44bf2930a2 100644
--- a/windows/keep-secure/create-wip-policy-using-intune.md
+++ b/windows/keep-secure/create-wip-policy-using-intune.md
@@ -44,11 +44,10 @@ During the policy-creation process in Intune, you can choose the apps you want t
The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file.
->[!IMPORTANT]
->WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.
WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.
+If you want to use **File hash** or **Path** rules, instead of **Publisher** rules, you must follow the steps in the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic.
#### Add a store app rule to your policy
For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list.
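Review bot: Demoting the warning that WIP-unaware apps encrypt every file they create or modify, and can therefore cause data loss at revocation, from an [!IMPORTANT] callout to an ordinary paragraph makes the one data-loss caveat in this section easy to miss. Elsewhere in this patch callouts are converted to ">**Important**" labels rather than removed, so do the same here. The added sentence pointing readers to the custom-URI topic for **File hash** and **Path** rules is useful and can stay as body text.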
@@ -77,8 +76,8 @@ If you don't know the publisher or product name, you can find them for both desk
**To find the Publisher and Product Name values for Store apps without installing them**
1. Go to the [Windows Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft OneNote*.
- >[!NOTE]
- >If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic.
+ >**Note**
+ If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic.
2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`.
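Review bot: The replacement note is again half-quoted: "+ >**Note**" carries the ">" but the indented body line below it does not, so inside this numbered step the label renders as its own blockquote and the sentence as a separate paragraph. Prefix both lines consistently (and keep the same indentation so the note stays inside step 1).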
@@ -95,10 +94,8 @@ If you don't know the publisher or product name, you can find them for both desk
4. Copy the `publisherCertificateName` value into the **Publisher Name** box and copy the `packageIdentityName` value into the **Product Name** box of Intune.
- >[!IMPORTANT]
- >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.
-
- For example:
+ >**Important**
+ The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.
Your PC and phone must be on the same wireless network.
2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
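Review bot: Dropping the "For example:" line removes the lead-in to the JSON sample that follows this callout (the "``` json" fence is visible in the next hunk of this file), so the sample now starts with no sentence introducing it; keep a lead-in such as "For example:" after the callout. The ">**Important**" label is also quoted while its body line is not, which breaks the callout into two blocks, as in the other notes in this file.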
@@ -126,10 +122,8 @@ If you don't know the publisher or product name, you can find them for both desk
8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
- >[!IMPORTANT]
- >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.
-
- For example:
+ >**Important**
+ The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.
``` json
{
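Review bot: Same issue as the previous hunk: "For example:" is removed immediately before the "``` json" fence, so the JSON block now follows the windowsPhoneLegacyId paragraph with no introduction, and the quoted "**Important**" label is separated from its unquoted body. Keep the lead-in and quote both lines of the callout.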
@@ -354,9 +348,9 @@ After you've added a protection mode to your apps, you'll need to decide where t
There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
->[!IMPORTANT]
->Every WIP policy should include policy that defines your enterprise network locations.
->Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations.
+>**Important**
+- Every WIP policy should include policy that defines your enterprise network locations.
+- Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations.
**To define where your protected apps can find and send enterprise data on you network**
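Review bot: The two bullets under "+>**Important**" are not prefixed with ">", so they render as a plain list after a one-word blockquote rather than inside the callout; either quote the bullets too or drop the blockquote on the label. While touching this area, the unchanged heading below has a typo: "enterprise data on you network" should be "on your network".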
@@ -471,9 +465,6 @@ After you've decided where your protected apps can access enterprise data on you
2. Click **Save Policy**.
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
-
## Related topics
- [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md)
- [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md)
diff --git a/windows/keep-secure/create-wip-policy-using-sccm.md b/windows/keep-secure/create-wip-policy-using-sccm.md
index 350d5e1f54..468b8308d4 100644
--- a/windows/keep-secure/create-wip-policy-using-sccm.md
+++ b/windows/keep-secure/create-wip-policy-using-sccm.md
@@ -20,8 +20,8 @@ localizationpriority: high
System Center Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network.
->[!IMPORTANT]
->If you previously created a WIP policy using System Center Configuration Manager version 1511 or 1602, you’ll need to recreate it using version 1606 or later. Editing a WIP policy created in version 1511 or 1602 is not supported in later versions and there is no migration path between older and newer WIP policies.
+>**Important**
+If you previously created a WIP policy using System Center Configuration Manager version 1511 or 1602, you’ll need to recreate it using version 1606 or later. Editing a WIP policy created in version 1511 or 1602 is not supported in later versions and there is no migration path between older and newer WIP policies.
## Add a WIP policy
After you’ve installed and set up System Center Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy.
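Review bot: The ">**Important**" label is quoted but the sentence below it about recreating policies made with Configuration Manager 1511 or 1602 is not, so the callout splits into a one-word blockquote plus a paragraph. Prefix both lines with ">" (or neither); this warning is the one thing in the section a reader upgrading from those versions must see.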
@@ -62,8 +62,8 @@ During the policy-creation process in System Center Configuration Manager, you c
The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file.
->[!IMPORTANT]
->WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.
+WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.
+ If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section.
2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`.
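Review bot: The added line " If your app is already installed on desktop devices ..." starts with a leading space and has no note label, whereas the equivalent change in create-wip-policy-using-intune.md in this same patch keeps a ">**Note**" label above the sentence; the two topics should be edited the same way. As in the Intune topic, the data-loss warning about WIP-unaware apps is also demoted from an [!IMPORTANT] callout to body text here; prefer keeping it as an **Important** callout.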
@@ -112,9 +112,8 @@ If you don't know the publisher or product name, you can find them for both desk
4. Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of Intune.
- >[!IMPORTANT]
- >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
- >For example:
+ The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
+ Your PC and phone must be on the same wireless network.
2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
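Review bot: The added line "+ Your PC and phone must be on the same wireless network." lands directly after the windowsPhoneLegacyId paragraph of step 4 and before step 2 of the phone procedure, with a leading space that will indent it into the previous step; in the Intune counterpart this sentence is unchanged context that introduces the phone steps, so verify it sits in front of step 1 of that procedure here rather than inside the step-4 callout. The "For example:" removal also leaves the JSON sample without a lead-in, and the label-only blockquote problem applies as elsewhere. In the unchanged step 4 line, "paste them into the **Publisher Name** box" should be "paste it", and "of Intune" is wrong in a Configuration Manager topic.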
@@ -142,9 +141,8 @@ If you don't know the publisher or product name, you can find them for both desk
8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
- >[!IMPORTANT]
- >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
- >For example:
+ The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
->Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations.
+>**Important**
+- Every WIP policy should include policy that defines your enterprise network locations.
+- Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations.
**To define where your protected apps can find and send enterprise data on you network**
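Review bot: The "+>**Important**" label is quoted but the two bullets added under it are not, so they render outside the callout; quote the bullets or drop the ">". Note also that the earlier change in this same file (the windowsPhoneLegacyId paragraph) removes the Important label entirely while this one adds it, so the file ends up with both styles. The unchanged heading below still reads "on you network" (should be "on your network").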
@@ -494,15 +492,13 @@ After you've finished configuring your policy, you can review all of your info o
A progress bar appears, showing you progress for your policy. After it's done, click **Close** to return to the **Configuration Items** page.
+
## Deploy the WIP policy
After you’ve created your WIP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics:
- [Operations and Maintenance for Compliance Settings in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=708224)
- [How to Create Configuration Baselines for Compliance Settings in Configuration Manager]( https://go.microsoft.com/fwlink/p/?LinkId=708225)
- [How to Deploy Configuration Baselines in Configuration Manager]( https://go.microsoft.com/fwlink/p/?LinkId=708226)
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
-
## Related topics
- [System Center Configuration Manager and Endpoint Protection (Version 1606)](https://go.microsoft.com/fwlink/p/?LinkId=717372)
- [TechNet documentation for Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=691623)
diff --git a/windows/keep-secure/create-wmi-filters-for-the-gpo.md b/windows/keep-secure/create-wmi-filters-for-the-gpo.md
index 80474a70be..3cbb5be9a5 100644
--- a/windows/keep-secure/create-wmi-filters-for-the-gpo.md
+++ b/windows/keep-secure/create-wmi-filters-for-the-gpo.md
@@ -51,7 +51,7 @@ First, create the WMI filter and configure it to look for a specified version (o
select * from Win32_OperatingSystem where Version like "6.%"
```
- This query will return **true** for devices running at least Windows Vista and Windows Server 2008. To set a filter for just Windows 8 and Windows Server 2012, use "6.2%". For Windows 10 and Windows Server 2016, use "10.%". To specify multiple versions, combine them with or, as shown in the following:
+ This query will return **true** for devices running at least Windows Vista and Windows Server 2008. To set a filter for just Windows 8 and Windows Server 2012, use "6.2%". To specify multiple versions, combine them with or, as shown in the following:
``` syntax
... where Version like "6.1%" or Version like "6.2%"
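Review bot: Removing the sentence "For Windows 10 and Windows Server 2016, use "10.%"" leaves this topic with no way to target Windows 10 at all: the remaining examples only use "6.%" and "6.2%", and `Version like "6.%"` does not match Windows 10, which reports a 10.0 version string from Win32_OperatingSystem. A reader following the text will build a WMI filter that silently excludes every Windows 10 device the GPO is meant for. Keep the "10.%" guidance. Minor: "combine them with or" reads better as "combine them with **or**" so the keyword stands out.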
@@ -65,16 +65,16 @@ First, create the WMI filter and configure it to look for a specified version (o
... where ProductType="1" or ProductType="3"
```
- The following complete query returns **true** for all devices running Windows 10, and returns **false** for any server operating system or any other client operating system.
+ The following complete query returns **true** for all devices running Windows 8, and returns **false** for any server operating system or any other client operating system.
``` syntax
- select * from Win32_OperatingSystem where Version like "10.%" and ProductType="1"
+ select * from Win32_OperatingSystem where Version like "6.2%" and ProductType="1"
```
- The following query returns **true** for any device running Windows Server 2016, except domain controllers:
+ The following query returns **true** for any device running Windows Server 2012, except domain controllers:
``` syntax
- select * from Win32_OperatingSystem where Version like "10.%" and ProductType="3"
+ select * from Win32_OperatingSystem where Version like "6.2%" and ProductType="3"
```
9. Click **OK** to save the query to the filter.
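Review bot: This hunk reverts the complete example queries from "10.%" (Windows 10 / Windows Server 2016) back to "6.2%" (Windows 8 / Windows Server 2012) in a Windows 10 security topic. "6.2%" matches only Windows 8 and Windows Server 2012; it does not match Windows 8.1 or Windows Server 2012 R2 (6.3) and does not match Windows 10 or Windows Server 2016 (10.0), so the "returns **true** for all devices running Windows 8" claim is the only one that still holds and the examples stop matching the platform the guide is for. If this is an intentional rollback of an earlier change, say so in the commit message; otherwise keep the Windows 10 versions of the queries.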
diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md
index c038a4d588..7045d584b4 100644
--- a/windows/keep-secure/credential-guard.md
+++ b/windows/keep-secure/credential-guard.md
@@ -123,7 +123,7 @@ To enforce processing of the group policy, you can run ```gpupdate /force```.
If you don't use Group Policy, you can enable Credential Guard by using the registry. Credential Guard uses virtualization-based security features which have to be enabled first on some operating systems.
-#### Add the virtualization-based security features
+##### Add the virtualization-based security features
Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security is not necessary and this step can be skipped.
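Review bot: Demoting "Add the virtualization-based security features" from #### to ##### (and the matching "Enable virtualization-based security and Credential Guard" heading in the next hunk) only makes sense if a #### heading now introduces the registry-based procedure above them; otherwise the document jumps from ### to ##### and the rendered TOC skips a level. Check the parent heading before merging.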
@@ -156,7 +156,7 @@ You can do this by using either the Control Panel or the Deployment Image Servic
> [!NOTE]
> You can also add these features to an online image by using either DISM or Configuration Manager.
-#### Enable virtualization-based security and Credential Guard
+##### Enable virtualization-based security and Credential Guard
1. Open Registry Editor.
2. Enable virtualization-based security:
@@ -195,9 +195,10 @@ Requirements for running Credential Guard in Hyper-V virtual machines
- The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607.
- The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and running at least Windows Server 2016 or Windows 10.
+
### Remove Credential Guard
-If you have to remove Credential Guard on a PC, you can use the following set of procedures, or you can [use the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool).
+If you have to remove Credential Guard on a PC, you need to do the following:
1. If you used Group Policy, disable the Group Policy setting that you used to enable Credential Guard (**Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard** -> **Turn on Virtualization Based Security**).
2. Delete the following registry settings:
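Review bot: The rewritten sentence drops the cross-reference to the hardware readiness tool ("or you can [use the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool)"), yet the readiness-tool instructions remain further down in this file (the hunk at -241 keeps them, as bold text). Readers of "Remove Credential Guard" now get the manual steps with no mention that the tool can do the same with one command; keep a pointer to that section.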
@@ -241,10 +242,9 @@ If you have to remove Credential Guard on a PC, you can use the following set of
For more info on virtualization-based security and Device Guard, see [Device Guard deployment guide](device-guard-deployment-guide.md).
-
-#### Turn off Credential Guard by using the Device Guard and Credential Guard hardware readiness tool
+**Turn off Credential Guard by using the Device Guard and Credential Guard hardware readiness tool**
-You can also disable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
+You can also enable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
```
DG_Readiness_Tool_v2.0.ps1 -Disable -AutoReboot
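Review bot: The changed sentence is wrong: "You can also enable Credential Guard by using the ... hardware readiness tool" contradicts both the heading it sits under ("Turn off Credential Guard by using the ...") and the command shown directly below it, `DG_Readiness_Tool_v2.0.ps1 -Disable -AutoReboot`. It should stay "disable". Also, turning the "####" heading into a bold paragraph removes the `#turn-off-with-hardware-readiness-tool` anchor that the earlier link in this file pointed at; if the heading is demoted, make sure no remaining text links to that anchor, and prefer keeping a real heading so the section stays navigable.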
@@ -917,7 +917,6 @@ write-host $tmp -Foreground Red
- [Isolated User Mode Processes and Features in Windows 10 with Logan Gabriel (Channel 9)](http://channel9.msdn.com/Blogs/Seth-Juarez/Isolated-User-Mode-Processes-and-Features-in-Windows-10-with-Logan-Gabriel)
- [More on Processes and Features in Windows 10 Isolated User Mode with Dave Probert (Channel 9)](https://channel9.msdn.com/Blogs/Seth-Juarez/More-on-Processes-and-Features-in-Windows-10-Isolated-User-Mode-with-Dave-Probert)
- [Mitigating Credential Theft using the Windows 10 Isolated User Mode (Channel 9)](https://channel9.msdn.com/Blogs/Seth-Juarez/Mitigating-Credential-Theft-using-the-Windows-10-Isolated-User-Mode)
-- [Protecting network passwords with Windows 10 Credential Guard](https://www.microsoft.com/itshowcase/Article/Content/831/Protecting-network-passwords-with-Windows-10-Credential-Guard)
- [Enabling Strict KDC Validation in Windows Kerberos](http://www.microsoft.com/download/details.aspx?id=6382)
- [What's New in Kerberos Authentication for Windows Server 2012](http://technet.microsoft.com/library/hh831747.aspx)
- [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](http://technet.microsoft.com/library/dd378897.aspx)
diff --git a/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md b/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md
index 990e0ac396..112382f305 100644
--- a/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md
@@ -56,12 +56,10 @@ Click the name of the machine to see details about that machine. For more inform
You can also click **Machines view** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md).
## Status
-The **Status** tile informs you if the service is active or if there are issues and the unique number of machines (endpoints) reporting to the service over the past 30 days.
+The **Status** tile informs you if the service is active and running and the unique number of machines (endpoints) reporting over the past 30 days.

-For more information on the service status, see [Check the Windows Defender ATP service status](service-status-windows-defender-advanced-threat-protection.md).
-
## Machines reporting
The **Machines reporting** tile shows a bar graph that represents the number of machines reporting alerts daily. Hover over individual bars on the graph to see the exact number of machines reporting in each day.
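Review bot: the rewritten Status line loses information. The old text said the tile also reports "if there are issues", and the hunk removes the link to "Check the Windows Defender ATP service status", so readers no longer learn where to go when the tile shows a problem; "active and running" is also redundant. Suggest "The **Status** tile shows whether the service is active or has issues, and the number of unique machines (endpoints) reporting over the past 30 days." and keep the link unless service-status-windows-defender-advanced-threat-protection.md is being removed in the same change.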
diff --git a/windows/keep-secure/deploy-wip-policy-using-intune.md b/windows/keep-secure/deploy-wip-policy-using-intune.md
index c9977fec21..075fba2473 100644
--- a/windows/keep-secure/deploy-wip-policy-using-intune.md
+++ b/windows/keep-secure/deploy-wip-policy-using-intune.md
@@ -33,9 +33,6 @@ The added people move to the **Selected Groups** list on the right-hand pane.
3. After you've picked all of the employees and groups that should get the policy, click **OK**.
**Binary Name:** onedrive.exe
**App Type:** Desktop app|
|Notepad |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** notepad.exe
**App Type:** Desktop app |
|Microsoft Paint |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** mspaint.exe
**App Type:** Desktop app |
-|Microsoft Remote Desktop |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** mstsc.exe
**App Type:** Desktop app |
-
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
+|Microsoft Remote Desktop |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** mstsc.exe
**App Type:** Desktop app |
\ No newline at end of file
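Review bot: the re-added Microsoft Remote Desktop rows end with `\ No newline at end of file`; add a trailing newline so the last table row (`**App Type:** Desktop app |`) is terminated and the next edit to this file does not churn it again. The row is otherwise re-added byte-for-byte, so the net effect of the hunk is only to drop the contributing note.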
diff --git a/windows/keep-secure/export-an-applocker-policy-from-a-gpo.md b/windows/keep-secure/export-an-applocker-policy-from-a-gpo.md
index 8f914cd9f0..6476c88d16 100644
--- a/windows/keep-secure/export-an-applocker-policy-from-a-gpo.md
+++ b/windows/keep-secure/export-an-applocker-policy-from-a-gpo.md
@@ -16,7 +16,7 @@ author: brianlic-msft
This topic for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified.
-Updating an AppLocker policy that is currently enforced in your production environment can have unintended results. Therefore, export the policy from the GPO and update the rule or rules by using AppLocker on your AppLocker reference device.
+Updating an AppLocker policy that is currently enforced in your production environment can have unintended results. Therefore, export the policy from the GPO and update the rule or rules by using AppLocker on your AppLocker reference device
To complete this procedure, you must have the **Edit Setting** permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission.
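Review bot: the only difference between the removed and added line is the dropped full stop after "reference device", which looks accidental; restore the period.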
diff --git a/windows/keep-secure/guidance-and-best-practices-wip.md b/windows/keep-secure/guidance-and-best-practices-wip.md
index ff64be6d0f..b91386f0c0 100644
--- a/windows/keep-secure/guidance-and-best-practices-wip.md
+++ b/windows/keep-secure/guidance-and-best-practices-wip.md
@@ -22,10 +22,8 @@ This section includes info about the enlightened Microsoft apps, including how t
## In this section
|Topic |Description |
|------|------------|
-|[Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list. |
-|[Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md) |Learn the difference between enlightened and unenlightened app behaviors. |
-|[Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](recommended-network-definitions-for-wip.md) |Recommended additions for the Enterprise Cloud Resources and Neutral Resources network settings, when used with Windows Information Protection (WIP). |
-|[Using Outlook Web Access with Windows Information Protection (WIP)](using-owa-with-wip.md) |Options for using Outlook Web Access (OWA) with Windows Information Protection (WIP). |
-
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
+|[Windows Information Protection (WIP) overview](wip-enterprise-overview.md) |High-level overview info about why to use WIP, the enterprise scenarios, and how to turn it off. |
+|[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |A list of all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise. |
+|[Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list. |
+|[Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md) |We've come up with a list of suggested testing scenarios that you can use to test WIP in your company. |
+|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |The most common problems you might encounter while using Windows Information Protection (WIP). |
\ No newline at end of file
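Review bot: the new table removes the rows for app-behavior-with-wip.md, recommended-network-definitions-for-wip.md and using-owa-with-wip.md. The network-definitions topic is deleted later in this diff, but nothing in the diff deletes app-behavior-with-wip.md or using-owa-with-wip.md, so either keep those two rows or remove the files as well; otherwise they become unreachable from the section index. The file also loses its trailing newline (`\ No newline at end of file`).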
diff --git a/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
deleted file mode 100644
index 032e04c1ad..0000000000
--- a/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
+++ /dev/null
@@ -1,94 +0,0 @@
----
-title: How to use single sign on (SSO) over VPN and Wi-Fi connections (Windows 10)
-description: Explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: justinha
----
-
-# How to use single sign on (SSO) over VPN and Wi-Fi connections
-
-This topic explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections. The scenario is:
-
-- You connect to a network using Wi-Fi or VPN.
-- You want to use the credentials that you use for the WiFi or VPN authentication to also authenticate requests to access a domain resource you are connecting to, without being prompted for your domain credentials separately.
-
-For example, you want to connect to a corporate network and access an internal website that requires Windows integrated authentication.
-
-At a high level, the way this works is that the credentials that are used for the connection authentication are put in Credential Manager as the default credentials for the logon session.
-Credential Manager is a place where credentials in the OS are can be stored for specific domain resources based on the targetname of the resource.
-For VPN, the VPN stack saves its credential as the session default.
-For WiFi, EAP does it.
-
-The credentials are put in Credential Manager as a "`*Session`" credential.
-A "`*Session`" credential implies that it is valid for the current user session.
-The credentials are also cleaned up when the WiFi or VPN connection is disconnected.
-
-When the user tries to access a domain resource, using Edge for example, Edge has the right Enterprise Authentication capability so [WinInet](https://msdn.microsoft.com/library/windows/desktop/aa385483.aspx) can release the credentials that it gets from the Credential Manager to the SSP that is requesting it.
-For more information about the Enterprise Authentication capability, see [App capability declarations](https://msdn.microsoft.com/windows/uwp/packaging/app-capability-declarations).
-
-The local security authority will look at the device application, such as a Universal Windows Platform (UWP) application, to see if it has the right capability.
-If the app is not UWP, it does not matter.
-But if it is a UWP app, it will look at the device capability for Enterprise Authentication.
-If it does have that capability and if the resource that you are trying to access is in the Intranet zone in the Internet Options (ZoneMap), then the credential will be released.
-This behavior helps prevent credentials from being misused by untrusted third parties.
-
-## Intranet zone
-
-For the Intranet zone, by default it only allows single-label names, such as Http://finance.
-If the resource that needs to be accessed has multiple domain labels, then the workaround is to use the [Registry CSP](https://msdn.microsoft.com/library/windows/hardware/dn904964.aspx).
-
-### Setting the ZoneMap
-
-The ZoneMap is controlled using a registry that can be set through MDM.
-By default, single-label names such as http://finance are already in the intranet zone.
-For multi-label names, such as http://finance.net, the ZoneMap needs to be updated.
-
-## MDM Policy
-
-OMA URI example:
-
-./Vendor/MSFT/Registry/HKU/S-1-5-21-2702878673-795188819-444038987-2781/Software/Microsoft/Windows/CurrentVersion/Internet%20Settings/ZoneMap/Domains/`
+All sections provided for more info appear in either the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md), based on the tool you're using in your enterprise.
|Task |Description |
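Review bot: deleting how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md removes the only description of how VPN and Wi-Fi credentials are stored as a `*Session` credential and released only to apps that hold the Enterprise Authentication capability for Intranet-zone resources; if that content is being relocated, the diff should show where. The removed OMA URI example (`./Vendor/MSFT/Registry/HKU/S-1-5-21-2702878673-795188819-444038987-2781/...`) also embedded a specific user SID, which any replacement should present as a placeholder. Note that this hunk is truncated: the deletion ends mid-line at the OMA URI, and the following `+All sections provided for more info appear in either ...` line belongs to a different file whose `diff --git` header is missing.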
@@ -28,7 +28,4 @@ This list provides all of the tasks and settings that are required for the opera
|Specify your corporate identity. |You must specify your corporate identity, usually expressed as your primary Internet domain (for example, contoso.com). For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics. |
|Specify your Enterprise Network Domain Names. |You must specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics. |
|Specify your Enterprise IPv4 or IPv6 Ranges. |Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics. |
-|Include your Data Recovery Agent (DRA) certificate. |This certificate makes sure that any of your WIP-encrypted data can be decrypted, even if the security keys are lost. For more info about where this area is and what it means, see the **Create and verify an Encrypting File System (EFS) DRA certificate** section of the policy creation topics. |
-
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
+|Include your Data Recovery Agent (DRA) certificate. |This certificate makes sure that any of your WIP-encrypted data can be decrypted, even if the security keys are lost. For more info about where this area is and what it means, see the **Create and verify an Encrypting File System (EFS) DRA certificate** section of the policy creation topics. |
\ No newline at end of file
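Review bot: the DRA certificate row is removed and re-added unchanged, so the only substantive change is dropping the contributing note, and the file now ends without a trailing newline (`\ No newline at end of file`); add one. While here, the context row "Specify your Enterprise IPv4 or IPv6 Ranges" sends readers to the **Define your enterprise-managed corporate identity** section for IP ranges, whereas the Domain Names row points to **Choose where apps can access enterprise data**; the ranges row almost certainly belongs with the latter.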
diff --git a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
index 55a3242e78..0fd2edc0d3 100644
--- a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
@@ -61,7 +61,7 @@ Before you configure endpoints, the telemetry and diagnostics service must be en
### Telemetry and diagnostics settings
You must ensure that the telemetry and diagnostics service is enabled on all the endpoints in your organization.
-By default, this service is enabled, but it's good practice to check to ensure that you'll get sensor data from them.
+By default, this service is enabled, but it's good practice to check to ensure that you'll get telemetry from them.
**Use the command line to check the Windows 10 telemetry and diagnostics service startup type**:
@@ -113,4 +113,4 @@ When Windows Defender is not the active antimalware in your organization and you
## Windows Defender Early Launch Antimalware (ELAM) driver is enabled
If you're running Windows Defender as the primary antimalware product on your endpoints, the Windows Defender ATP agent will successfully onboard.
-If you're running a third-party antimalware client and use Mobile Device Management solutions or System Center Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender ELAM driver is enabled. For more information, see [Ensure that Windows Defender is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-is-not-disabled-by-a-policy).
+If you're running a third-party antimalware client and use Mobile Device Management solutions or System Center Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender ELAM driver is enabled. For more information on how to validate and enable the Windows Defender ELAM driver see, [Ensure the Windows Defender ELAM driver is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-windows-defender-elam-driver-is-enabled).
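Review bot: the comma in the added sentence is misplaced: "how to validate and enable the Windows Defender ELAM driver see, [Ensure ...]" should read "driver, see [Ensure ...]". The new anchor `#ensure-the-windows-defender-elam-driver-is-enabled` must match a heading that exists in troubleshoot-onboarding-windows-defender-advanced-threat-protection.md; that file is not touched in this diff, so verify the heading was added separately or the link will land at the top of the page.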
diff --git a/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md
index 2a7a40abd6..9205bb0153 100644
--- a/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md
@@ -23,7 +23,6 @@ localizationpriority: high
You need to onboard to Windows Defender ATP before you can use the service.
-For more information, see [Onboard your Windows 10 endpoints to Windows Defender ATP](https://www.youtube.com/watch?v=JT7VGYfeRlA&feature=youtu.be).
## In this section
Topic | Description
diff --git a/windows/keep-secure/overview-create-wip-policy.md b/windows/keep-secure/overview-create-wip-policy.md
index c3ad6bf5a3..f0ae686b47 100644
--- a/windows/keep-secure/overview-create-wip-policy.md
+++ b/windows/keep-secure/overview-create-wip-policy.md
@@ -23,8 +23,4 @@ Microsoft Intune and System Center Configuration Manager helps you create and de
|------|------------|
|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Intune helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
|[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |System Center Configuration Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
-|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |
-|[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). |
-
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
+|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |
\ No newline at end of file
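Review bot: the row for wip-app-enterprise-context.md ("Determine the Enterprise Context of an app running in Windows Information Protection (WIP)") is dropped from the index with no corresponding file deletion in this diff; keep the row or remove the topic. In the re-added DRA row, "using a Encrypting File System" should be "using an Encrypting File System", and the file now ends without a newline (`\ No newline at end of file`).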
diff --git a/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies.md
index cf75c935f9..31c04c1c61 100644
--- a/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies.md
+++ b/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies.md
@@ -48,13 +48,13 @@ BitLocker helps prevent unauthorized access to data on lost or stolen computers
- Encrypting the entire Windows operating system volume on the hard disk.
- Verifying the boot process integrity.
-The trusted platform module (TPM) is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline.
+The trusted platform module (TPM)is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline.
In addition, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable USB device, such as a flash drive, that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented.
On computers that do not have a TPM version 1.2 or higher, you can still use BitLocker to encrypt the Windows operating system volume. However, this implementation will require the user to insert a USB startup key to start the computer or resume from hibernation, and does not provide the pre-startup system integrity verification offered by BitLocker working with a TPM.
-### BitLocker key protectors
+**BitLocker key protectors**
| Key protector | Description |
| - | - |
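Review bot: the added TPM line introduces a typo: `The trusted platform module (TPM)is a hardware component` is missing the space before "is". Also, demoting `### BitLocker key protectors` to bold text (`**BitLocker key protectors**`) removes the section from the table of contents and breaks any `#bitlocker-key-protectors` anchor links into this page; if the heading level is the concern, change the level rather than replacing the heading with bold.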
@@ -65,7 +65,7 @@ On computers that do not have a TPM version 1.2 or higher, you can still use Bi
| Recovery password | A 48-digit number used to unlock a volume when it is in recovery mode. Numbers can often be typed on a regular keyboard, if the numbers on the normal keyboard are not responding you can always use the function keys (F1-F10) to input the numbers.|
| Recovery key| An encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume.|
-### BitLocker authentication methods
+**BitLocker authentication methods**
| Authentication method | Requires user interaction | Description |
| - | - | - |
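Review bot: same point as for the key protectors heading: `### BitLocker authentication methods` becomes `**BitLocker authentication methods**`, so the authentication methods table is no longer a navigable section and existing anchors to it break. Keep it as a heading.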
@@ -97,9 +97,22 @@ The protection differences provided by multifactor authentication methods cannot
In your deployment plan, identify what TPM-based hardware platforms will be supported. Document the hardware models from an OEM of your choice, so that their configurations can be tested and supported. TPM hardware requires special consideration during all aspects of planning and deployment.
-### TPM 1.2 states and initialization
+### TPM states of existence
-For TPM 1.2, there are multiple possible states. Windows 10 automatically initializes the TPM, which brings it to an enabled, activated, and owned state. This is the state that BitLocker requires before it can use the TPM.
+For each of the TPM states of existence, the TPM can transition into another state (for example, moving from disabled to enabled). The states are not exclusive.
+
+| State | Description |
+| - | - |
+| Enabled| Most features of the TPM are available.
The TPM may be enabled and disabled multiple times within a boot period, if ownership is taken.|
+| Disabled | The TPM restricts most operations. Exceptions include the ability to report TPM capabilities, extend and reset Platform Configuration Register (PCR) functions, and to perform hashing and basic initialization.
The TPM may be enabled and disabled multiple times within a boot period.|
+| Activated| Most features of the TPM are available. The TPM may be activated and deactivated only through physical presence which requires a reboot.|
+| Deactivated| Similar to disabled, with the exception that ownership can be taken while deactivated and enabled. The TPM may be activated and deactivated only through physical presence which requires a reboot.|
+| Owned| Most features of the TPM are available. The TPM has an endorsement key and storage root key, and the owner knows information about owner authorization data.|
+| Un-owned| The TPM does not have a storage root key and may or may not have an endorsement key.|
+
+>**Important:** BitLocker cannot use the TPM until it is in the following state: enabled, activated, and owned. When the TPM is in this state and only when it is in this state, all operations are available.
+
+The state of the TPM exists independent of the computer’s operating system. Once the TPM is enabled, activated, and owned, the state of the TPM is preserved if the operating system is reinstalled.
### Endorsement keys
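Review bot: the new heading "TPM states of existence" and the removed sentence drop two things worth keeping: the "1.2" qualifier (enabled, activated and owned are TPM 1.2 states; TPM 2.0 does not use the enable/activate model) and the statement that Windows 10 initializes the TPM automatically, which is exactly what a BitLocker deployment planner needs to know. Suggest keeping "TPM 1.2 states" in the heading and retaining "Windows 10 automatically initializes the TPM, which brings it to an enabled, activated, and owned state." before the table. The table itself is malformed: the Enabled and Disabled rows are split across two lines (`| Enabled| Most features of the TPM are available.` / `The TPM may be enabled and disabled multiple times within a boot period, if ownership is taken.|`), which markdown will not render as a single cell; join the lines or use `<br>`. "The states are not exclusive" is also unclear; say that enabled/disabled, activated/deactivated and owned/un-owned are three independent pairs.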
diff --git a/windows/keep-secure/protect-enterprise-data-using-wip.md b/windows/keep-secure/protect-enterprise-data-using-wip.md
index a37553eb2c..dc661d0dbd 100644
--- a/windows/keep-secure/protect-enterprise-data-using-wip.md
+++ b/windows/keep-secure/protect-enterprise-data-using-wip.md
@@ -93,8 +93,7 @@ WIP gives you a new way to manage data policy enforcement for apps and documents
- **Helping prevent accidental data disclosure to removable media.** WIP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t.
- **Remove access to enterprise data from enterprise-protected devices.** WIP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.
- >[!NOTE]
- >For management of Surface devices it is recommended that you use the Current Branch of System Center Configuration Manager.
System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device.
+ > **Note**
System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device.
## How WIP works
WIP helps address your everyday challenges in the enterprise. Including:
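Review bot: the rewritten note is now empty. The hunk replaces the `>[!NOTE]` block with `> **Note**` but deletes the note body about managing Surface devices with the Current Branch of Configuration Manager, and the following sentence ("System Center Configuration Manager also allows you to revoke enterprise data...") is not inside the `>` quote, so the page renders a bold "Note" label with nothing under it. Either restore the Surface sentence inside the quote or remove the `> **Note**` line.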
@@ -138,7 +137,3 @@ You can turn off all Windows Information Protection and restrictions, decrypting
After deciding to use WIP in your enterprise, you need to:
- [Create a Windows Information Protection (WIP) policy](overview-create-wip-policy.md)
-
-
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
diff --git a/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
index ac0409286d..b2d8f3634a 100644
--- a/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
+++ b/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
@@ -364,7 +364,7 @@ The following table details the hardware requirements for both virtualization-ba
-
@@ -455,7 +455,7 @@ The device health attestation solution involves different components that are TP
### Trusted Platform Module
-This section describes how PCRs (that contain system configuration data), endorsement key (EK) (that act as an identity card for TPM), SRK (that protect keys) and AIKs (that can report platform state) are used for health attestation reporting.
+*It’s all about TPM 2.0 and endorsement certificates.* This section describes how PCRs (that contain system configuration data), endorsement key (EK) (that act as an identity card for TPM), SRK (that protect keys) and AIKs (that can report platform state) are used for health attestation reporting.
In a simplified manner, the TPM is a passive component with limited resources. It can calculate random numbers, RSA keys, decrypt short data, store hashes taken when booting the device.
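Review bot: the added italic tagline "*It's all about TPM 2.0 and endorsement certificates.*" does not match the register of the surrounding section, and the sentence it prefixes describes PCRs, the EK, the SRK and AIKs in general terms rather than anything TPM 2.0-specific, so the lead-in promises a point the paragraph never makes. Drop it, or state the version requirement as a normal sentence and have the paragraph actually explain the role of the endorsement certificate.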
diff --git a/windows/keep-secure/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/keep-secure/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
index f1f62943e3..aaf71600b1 100644
--- a/windows/keep-secure/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
+++ b/windows/keep-secure/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
@@ -33,7 +33,8 @@ Windows PowerShell or the manage-bde command line interface is the preferred met
>**Note:** Mount points can be used to support remote mount points on SMB based network shares. This type of share is not supported for BitLocker encryption.
-For thinly provisioned storage, such as a Dynamic Virtual Hard Disk (VHD), BitLocker runs in Used Disk Space Only encryption mode. You cannot use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on these types of volumes. This is blocked in order to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space.
+For thinly provisioned storage, such as a Dynamic Virtual Hard Disk (VHD), BitLocker runs in Used Disk Space Only encryption mode. You cannot use the **manage-bde –WipeFreeSpace** command to transition the volume to full-volume encryption on these types of volumes. This occurs because Full
+Encryption requires an end marker for the volume and dynamically expanding VHDs do not have a static end of volume marker.
### Active Directory-based protector
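Review bot: `**manage-bde –WipeFreeSpace**` now uses an en dash (U+2013) where the original had the ASCII hyphen; anyone copying the command gets a parameter that manage-bde does not recognize. Restore `-WipeFreeSpace`. The added explanation also breaks mid-sentence ("This occurs because Full" / "Encryption requires an end marker ...") and capitalizes "Full Encryption" as if it were a product name; rejoin the lines and use "full-volume encryption" as the preceding sentence does.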
@@ -56,22 +57,28 @@ BitLocker encryption is available for disks before or after addition to a cluste
1. Install the BitLocker Drive Encryption feature if it is not already installed.
2. Ensure the disk is formatted NTFS and has a drive letter assigned to it.
-3. Identify the name of the cluster with Windows PowerShell.
+3. Enable BitLocker on the volume using your choice of protector. A password protector is used in the Windows PowerShell script example below.
+
+ ``` syntax
+ Enable-BitLocker E: -PasswordProtector -Password $pw
+ ```
+
+4. Identify the name of the cluster with Windows PowerShell.
``` syntax
Get-Cluster
```
-4. Enable BitLocker on the volume of your choice with an **ADAccountOrGroup** protector, using the cluster name. For example, use a command such as:
+5. Add an **ADAccountOrGroup**protector to the volume using the cluster name using a command such as:
``` syntax
- Enable-BitLocker E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$
+ Add-BitLockerProtector E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$
```
- >**Warning:** You must configure an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to fail over properly in a traditional failover cluster.
+ >**Warning:** You must add an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to failover properly in a traditional failover cluster.
-5. Repeat the preceding steps for each disk in the cluster.
-6. Add the volume(s) to the cluster.
+6. Repeat steps 1-6 for each disk in the cluster.
+7. Add the volume(s) to the cluster.
### Turning on BitLocker for a clustered disk using Windows PowerShell
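Review bot: the new step 6 reads "Repeat steps 1-6 for each disk in the cluster", which includes itself; it should be "Repeat steps 2 through 5" (the feature install in step 1 is done once per node). The new step 3 example `Enable-BitLocker E: -PasswordProtector -Password $pw` uses `$pw` without defining it; `-Password` takes a SecureString, so precede the command with `$pw = Read-Host -Prompt "Password" -AsSecureString` so the example is copy-runnable and the password is never typed in clear text on the command line. Also `**ADAccountOrGroup**protector` is missing a space, and "to failover properly" should be "to fail over properly" (the verb form the original had).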
@@ -90,26 +97,28 @@ When the cluster service owns a disk resource already, it needs to be set into m
Get-ClusterResource "Cluster Disk 1" | Suspend-ClusterResource
```
-4. Identify the name of the cluster with Windows PowerShell.
+4. Enable BitLocker on the volume using your choice of protector. A password protector is used in the example below.
+
+ ``` syntax
+ Enable-BitLocker E: -PasswordProtector -Password $pw
+ ```
+
+5. Identify the name of the cluster with Windows PowerShell
``` syntax
Get-Cluster
```
-5. Enable BitLocker on the volume of your choice with an **ADAccountOrGroup** protector, using the cluster name. For example, use a command such as:
+6. Add an **ADAccountOrGroup** protector with the Cluster Name Object (CNO) to the volume using a command such as:
``` syntax
- Enable-BitLocker E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$
+ Add-BitLockerProtector E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$
+
```
- >**Warning:** You must configure an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to fail over properly in a traditional failover cluster.
+ >**Warning:** You must add an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to failover properly in a traditional failover cluster.
-6. Use **Resume-ClusterResource** to take the physical disk resource back out of maintenance mode:
-
- ``` syntax
- Get-ClusterResource "Cluster Disk 1" | Resume-ClusterResource
- ```
-
-7. Repeat the preceding steps for each disk in the cluster.
+7. Repeat steps 1-6 for each disk in the cluster.
+8. Add the volume(s) to the cluster
### Adding BitLocker encrypted volumes to a cluster using manage-bde
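Review bot: this hunk removes the `Get-ClusterResource "Cluster Disk 1" | Resume-ClusterResource` step, but step 3 still puts the disk resource into maintenance mode with `Suspend-ClusterResource`, so a reader who follows the procedure leaves the clustered disk suspended. Restore the Resume-ClusterResource step after the protector is added. "Repeat steps 1-6" again includes the repeat step itself, and the new step 8 "Add the volume(s) to the cluster" contradicts this section's premise ("When the cluster service owns a disk resource already"); that step belongs only in the preceding procedure for disks not yet in the cluster. There is also a stray blank line inside the `Add-BitLockerProtector` code fence, and step 5 ("Identify the name of the cluster with Windows PowerShell") lost its closing period.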
diff --git a/windows/keep-secure/recommended-network-definitions-for-wip.md b/windows/keep-secure/recommended-network-definitions-for-wip.md
deleted file mode 100644
index bf9a7ac22a..0000000000
--- a/windows/keep-secure/recommended-network-definitions-for-wip.md
+++ /dev/null
@@ -1,39 +0,0 @@
----
-title: Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP) (Windows 10)
-description: Recommended URLs to add to your Enterprise Cloud Resources and Neutral Resources network settings, when used with Windows Information Protection (WIP).
-keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP and Neutral Resources, WIP and Enterprise Cloud Resources
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: high
----
-
-# Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)
-
-**Applies to:**
-
-- Windows 10, version 1607
-- Windows 10 Mobile
-
->Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
-
-We recommend that you add the following URLs to the Enterprise Cloud Resources and Neutral Resources network settings, when used with Windows Information Protection (WIP).
-
-## Recommended Enterprise Cloud Resources
-This table includes the recommended URLs to add to your Enterprise Cloud Resources network setting, based on the apps you use in your organization.
-
-|If your organization uses... |Add these entries to your Enterprise Cloud Resources network setting
+
(Replace "contoso" with your domain name(s) |
-|-----------------------------|---------------------------------------------------------------------|
-|Office 365 for Business |
|
-|Yammer |
|
-|Microsoft Dynamics |contoso.crm.dynamics.com |
-|Visual Studio Online |contoso.visualstudio.com |
-|Power BI |contoso.powerbi.com |
-
-## Recommended Neutral Resources
-We recommended adding these URLs if you use the Neutral Resources network setting with Windows Information Protection (WIP).
-
-
\ No newline at end of file
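Review bot: The whole topic is deleted but nothing in this patch replaces or redirects it, and these entries (contoso.crm.dynamics.com, contoso.visualstudio.com, contoso.powerbi.com and the Office 365/Yammer rows) are what decide which destinations WIP treats as enterprise resources; confirm the recommendations have moved to another topic and that inbound links to recommended-network-definitions-for-wip.md are updated or redirected. The removed table is also already damaged as shown here (the Office 365 for Business and Yammer rows have empty entry cells), so whatever replaces it should be checked against the intended list rather than copied from this version.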
diff --git a/windows/keep-secure/remove-computer-from-docking-station.md b/windows/keep-secure/remove-computer-from-docking-station.md
index 1823951ae4..ee3b81a7d3 100644
--- a/windows/keep-secure/remove-computer-from-docking-station.md
+++ b/windows/keep-secure/remove-computer-from-docking-station.md
@@ -1,5 +1,5 @@
---
-title: Remove computer from docking station - security policy setting (Windows 10)
+title: Remove computer from docking station (Windows 10)
description: Describes the best practices, location, values, policy management, and security considerations for the Remove computer from docking station security policy setting.
ms.assetid: 229a385a-a862-4973-899a-413b1b5b6c30
ms.prod: w10
@@ -9,7 +9,7 @@ ms.pagetype: security
author: brianlic-msft
---
-# Remove computer from docking station - security policy setting
+# Remove computer from docking station
**Applies to**
- Windows 10
diff --git a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md
index fad266b5ee..d2bbb021bb 100644
--- a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md
+++ b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md
@@ -26,7 +26,7 @@ This article describes the following:
The information in this article is intended for IT professionals, and provides a foundation for [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md).
->**Note** If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).
+>**Note** If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514(v=vs.85).aspx).
## Hardware, firmware, and software requirements for Device Guard
diff --git a/windows/keep-secure/requirements-for-deploying-applocker-policies.md b/windows/keep-secure/requirements-for-deploying-applocker-policies.md
index 874036e3b6..e3b6c29aa7 100644
--- a/windows/keep-secure/requirements-for-deploying-applocker-policies.md
+++ b/windows/keep-secure/requirements-for-deploying-applocker-policies.md
@@ -24,7 +24,7 @@ The following requirements must be met or addressed before you deploy your AppLo
### Deployment plan
-An AppLocker policy deployment plan is the result of investigating which applications are required and necessary in your organization, which apps are optional, and which apps are forbidden. To develop this plan, see [AppLocker Design Guide](applocker-policies-design-guide.md). The following table is an example of the data you need to collect and the decisions you need to make to successfully deploy AppLocker policies on the supported operating systems (as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md)).
+An AppLocker policy deployment plan is the result of investigating which applications are required and necessary in your organization, which apps are optional, and which apps are forbidden. To develop this plan, see [AppLocker Design Guide](applocker-policies-design-guide.md). The following table is an example of the data you need to collect and the decisions you need to make to successfully deploy AppLocker policies on the supported operating systems (as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md).
-
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
+
\ No newline at end of file
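Review bot: The edited sentence drops the closing parenthesis of its parenthetical: `(as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md).` should end `(requirements-to-use-applocker.md)).` as the removed line did. The rest of the hunk only swaps the contributor note for an empty `+` line, which adds nothing; drop the blank line rather than keeping it.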
diff --git a/windows/keep-secure/tools-to-use-with-applocker.md b/windows/keep-secure/tools-to-use-with-applocker.md
index a5346774ab..5d2d69ff81 100644
--- a/windows/keep-secure/tools-to-use-with-applocker.md
+++ b/windows/keep-secure/tools-to-use-with-applocker.md
@@ -24,7 +24,7 @@ The following tools can help you administer the application control policies cre
- **Generate Default Rules tool**
- AppLocker includes default rules for each rule collection accessed through the Local Security Policy snap-in. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. For info about how to use this tool, see [Create AppLocker default rules](create-applocker-default-rules.md). For a list of the default rules, see [AppLocker default rules](working-with-applocker-rules.md#applocker-default-rules).
+ AppLocker includes default rules for each rule collection accessed through the Local Security Policy snap-in. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. For info about how to use this tool, see [Create AppLocker default rules](create-applocker-default-rules.md).
- **Automatically Generate AppLocker Rules wizard**
diff --git a/windows/keep-secure/tpm-fundamentals.md b/windows/keep-secure/tpm-fundamentals.md
index efb080c89c..92a6fe9b1d 100644
--- a/windows/keep-secure/tpm-fundamentals.md
+++ b/windows/keep-secure/tpm-fundamentals.md
@@ -13,7 +13,6 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016
This topic for the IT professional provides a description of the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and explains how they are used to mitigate dictionary attacks.
@@ -31,65 +30,109 @@ For info about which versions of Windows support which versions of the TPM, see
The following sections provide an overview of the technologies that support the TPM:
-- [Measured Boot with support for attestation](#measured-boot-with-support-for-attestation)
-
-- [TPM-based Virtual Smart Card](#tpm-based-virtual-smart-card)
-
-- [TPM-based certificate storage](#tpm-based-certificate-storage)
-
-- [TPM Cmdlets](#tpm-cmdlets)
-
-- [Physical presence interface](#physical-presence-interface)
-
-- [TPM 1.2 states and initialization](#tpm-12-states-and-initialization)
-
-- [Endorsement keys](#endorsement-keys)
-
-- [TPM Key Attestation](#key-attestation)
-
-- [How the TPM mitigates dictionary attacks](#how-the-tpm-mitigates-dictionary-attacks)
+- [TPM-based Virtual Smart Card](#bkmk-vsc)
+- [Measured Boot with support for attestation](#bkmk-measuredboot)
+- [Automated provisioning and management of the TPM](#bkmk-autoprov)
+- [TPM-based certificate storage](#bkmk-tpmcs)
+- [Physical presence interface](#bkmk-physicalpresenceinterface)
+- [TPM Cmdlets](#bkmk-tpmcmdlets)
+- [TPM Owner Authorization Value](#bkmk-authvalue)
+- [States of existence in a TPM](#bkmk-stateex)
+- [Endorsement keys](#bkmk-endorsementkeys)
+- [TPM Key Attestation](#bkmk-ketattestation)
+- [How the TPM mitigates dictionary attacks](#bkmk-howtpmmitigates)
+- [How do I check the state of my TPM?](#bkmk-checkstate)
+- [What can I do if my TPM is in reduced functionality mode?](#bkmk-fixrfm)
The following topic describes the TPM Services that can be controlled centrally by using Group Policy settings:
-[TPM Group Policy Settings](trusted-platform-module-services-group-policy-settings.md).
+[Trusted Platform Module Services Group Policy Settings](trusted-platform-module-services-group-policy-settings.md)
-## Measured Boot with support for attestation
+## Automated provisioning and management of the TPM
+
+TPM provisioning can be streamlined to make it easier to deploy systems that are ready for BitLocker and other TPM-dependent features. These enhancements include simplifying the TPM state model to report **Ready**, **Ready with reduced functionality**, or **Not ready**. You can also automatically provision TPMs in the **Ready** state, remote provisioning to remove the requirement for the physical presence of a technician for the initial deployment. In addition, the TPM stack is available in the Windows Preinstallation Environment (Windows PE).
+
+A number of management settings have been added for easier management and configuration of the TPM through Group Policy. The primary new settings include Active Directory-based backup of TPM owner authentication, the level of owner authentication that should be stored locally on the TPM, and the software-based TPM lockout settings for standard users. For more info about backing up owner authentication to Windows Server 2008 R2 AD DS domains, see [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md).
+
+## Measured Boot with support for attestation
The Measured Boot feature provides antimalware software with a trusted (resistant to spoofing and tampering) log of all boot components. Antimalware software can use the log to determine whether components that ran before it are trustworthy versus infected with malware. It can also send the Measured Boot logs to a remote server for evaluation. The remote server can initiate remediation actions by interacting with software on the client or through out-of-band mechanisms, as appropriate.
-## TPM-based Virtual Smart Card
+## TPM-based Virtual Smart Card
-The Virtual Smart Card emulates the functionality of traditional smart cards, but Virtual Smart Cards use the TPM chip that is available on an organization’s computers, rather than requiring the use of a separate physical smart card and reader. This greatly reduces the management and deployment cost of smart cards in an enterprise. To the end user, the Virtual Smart Card is always available on the computer. If a user needs to use more than one computer, a
+The Virtual Smart Card emulates the functionality of traditional smart cards, but Virtual Smart Cards use the TPM chip that is available on an organization’s computers, rather than requiring the use of a separate physical smart card and reader. This greatly reduces the management and deployment cost of smart cards in an enterprise. To the end user, the Virtual Smart Card is always available on the computer. If a user needs to use more than one computer, a
Virtual Smart Card must be issued to the user for each computer. A computer that is shared among multiple users can host multiple Virtual Smart Cards, one for each user.
-## TPM-based certificate storage
+## TPM-based certificate storage
The TPM can be used to protect certificates and RSA keys. The TPM key storage provider (KSP) provides easy, convenient use of the TPM as a way of strongly protecting private keys. The TPM KSP can be used to generate keys when an organization enrolls for certificates, and the KSP is managed by templates in the UI. The TPM can also be used to protect certificates that are imported from an outside source. TPM-based certificates can be used exactly as standard certificates with the added functionality that the certificate can never leave the TPM from which the keys were generated. The TPM can now be used for crypto-operations through Cryptography API: Next Generation (CNG). For more info, see [Cryptography API: Next Generation](http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx).
-## TPM Cmdlets
+## TPM Owner Authorization Value
+
+For Windows 8 a change to how the TPM owner authorization value is stored in AD DS was implemented in the AD DS schema. The TPM owner authorization value is now stored in a separate object which is linked to the Computer object.
+This value was stored as a property in the Computer object itself for the default Windows Server 2008 R2 schemas. Windows Server 2012 domain controllers have the default schema to backup TPM owner authorization information in the separate object. If you are not upgrading your domain controller to Windows Server 2012 you need to extend the schema to support this change. If Active Directory backup of the TPM owner authorization value is enabled in a Windows Server 2008 R2 environment without extending the schema, the TPM provisioning will fail and the TPM will remain in a Not Ready state for computers running Windows 8.
+
+If your computer is not being joined to a domain the TPM owner authorization value will be stored in the local computer registry. Using BitLocker to encrypt the operating system drive will protect the owner authorization value from being disclosed when the computer is at rest, but there is a risk that a malicious user could obtain the TPM owner authorization value when the computer is unlocked. Therefore, we recommend that in this situation you configure your computer to automatically lock after 30 seconds of inactivity. If automatic locking is not used, then you should consider removing full owner authorization from the computer registry.
+
+**Registry information**
+
+Registry key: HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\TPM
+DWORD: OSManagedAuthLevel
+
+| Value Data | Setting |
+| - | - |
+| 0 | None|
+| 2 | Delegated|
+| 4 | Full|
+
+>**Note:** If the operating system managed TPM authentication setting is changed from "Full" to "Delegated" the full TPM owner authorization value will be regenerated and any copies of the original TPM owner authorization value will be invalid. If you are backing up the TPM owner authorization value to AD DS, the new owner authorization value will be automatically backed up to AD DS when it is changed.
+
+## TPM Cmdlets
If you are using PowerShell to script and manage your computers, you can now manage the TPM using Windows PowerShell as well. To install the TPM cmdlets use the following command:
`dism /online /enable-feature /FeatureName:tpm-psh-cmdlets`
+For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx)
-For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx).
+## Physical presence interface
-## Physical presence interface
+The TCG specifications for TPMs require physical presence to perform some TPM administrative functions, such as turning on and turning off the TPM. Physical presence means a person must physically interact with the system and the
+TPM interface to confirm or reject changes to TPM status. This typically cannot be automated with scripts or other automation tools unless the individual OEM supplies them. Here are some are examples of TPM administrative tasks that require physical presence:
-For TPM 1.2, the TCG specifications for TPMs require physical presence (typically, pressing a key) for turning the TPM on, turning it off, or clearing it. These actions typically cannot be automated with scripts or other automation tools unless the individual OEM supplies them.
+- Activating the TPM
+- Clearing the existing owner information from the TPM without the owner’s password
+- Deactivating the TPM
+- Disabling the TPM temporarily without the owner’s password
-## TPM 1.2 states and initialization
+## States of existence in a TPM
-For TPM 1.2, there are multiple possible states. Windows 10 automatically initializes the TPM, which brings it to an enabled, activated, and owned state.
+For each of these TPM 1.2 states of existence, the TPM can transition into another state (for example, moving from disabled to enabled). The states are not exclusive.
-## Endorsement keys
+These states of existence do not apply for Trusted Platform Module 2.0 because it cannot be turned off from within the operating system environment.
-For a TPM to be usable by a trusted application, it must contain an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM, and it is never revealed or accessible outside the TPM.
+| State | Description |
+| - | - |
+| Enabled| Most features of the TPM are available.
Executable
Windows Installer
Script
DLL| You can use the [AppLocker CSP](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) to configure AppLocker policies on any edition of Windows 10. You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise, Windows 10 Education, and Windows Server 2016. |
-| Windows Server 2016
Windows Server 2012 R2
Windows Server 2012| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| |
+| Windows 10| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| You can use the [AppLocker CSP](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) to configure AppLocker policies on any edition of Windows 10. You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise and Windows Server 2016. |
+| Windows Server 2012 R2| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| |
| Windows 8.1| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| Only the Enterprise edition supports AppLocker|
| Windows RT 8.1| No| No| N/A||
+| Windows Server 2012 Standard| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL||
+| Windows Server 2012 Datacenter| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL||
| Windows 8 Pro| No| No| N/A||
| Windows 8 Enterprise| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL||
| Windows RT| No| No| N/A| |
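Review bot: This hunk is malformed and should be regenerated: after the `| Enabled| Most features of the TPM are available.` row of the new "States of existence in a TPM" table, the content switches to the AppLocker supported-operating-system table (Windows Server 2012 R2, Windows 8.1 and Windows RT rows with Packaged apps / Executable / Windows Installer / Script / DLL cells), which belongs to a different topic, so the TPM 1.2 state table is truncated and the remainder of the file (Endorsement keys, TPM Key Attestation, the dictionary-attack section and the two new "How do I check..." / "What can I do..." sections linked from the list) is missing. Further points in the visible `+` lines: the new list links to `#bkmk-...` anchors (`#bkmk-vsc`, `#bkmk-ketattestation`, `#bkmk-fixrfm`, and so on) but none of the rewritten headings carries a matching anchor, so the in-page links will not resolve; "Here are some are examples of TPM administrative tasks" has a doubled "are"; the moved "For details about the individual cmdlets..." line lost its terminating period; and the Owner Authorization paragraph's advice to "consider removing full owner authorization from the computer registry" would be actionable if it pointed at the `OSManagedAuthLevel` table directly below it (that is, moving from 4 Full to 2 Delegated).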
diff --git a/windows/keep-secure/restore-files-and-directories.md b/windows/keep-secure/restore-files-and-directories.md
index bf78f4ff41..e8bb7e6f85 100644
--- a/windows/keep-secure/restore-files-and-directories.md
+++ b/windows/keep-secure/restore-files-and-directories.md
@@ -1,5 +1,5 @@
---
-title: Restore files and directories - security policy setting (Windows 10)
+title: Restore files and directories (Windows 10)
description: Describes the best practices, location, values, policy management, and security considerations for the Restore files and directories security policy setting.
ms.assetid: c673c0fa-6f49-4edd-8c1f-c5e8513f701d
ms.prod: w10
@@ -9,7 +9,7 @@ ms.pagetype: security
author: brianlic-msft
---
-# Restore files and directories - security policy setting
+# Restore files and directories
**Applies to**
- Windows 10
diff --git a/windows/keep-secure/security-technologies.md b/windows/keep-secure/security-technologies.md
index 6b82a956c7..8bd5183126 100644
--- a/windows/keep-secure/security-technologies.md
+++ b/windows/keep-secure/security-technologies.md
@@ -11,23 +11,21 @@ author: brianlic-msft
# Security technologies
-As an IT professional, you can use these topics to learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile.
+Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile.
-| Section | Description |
+| Topic | Description |
|-|-|
| [Access control](access-control.md) | Describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing. |
-| [AppLocker](applocker-overview.md)| Describes AppLocker, and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.|
-| [BitLocker](bitlocker-overview.md)| Provides information about BitLocker, which is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. |
-| [Encrypted Hard Drive](encrypted-hard-drive.md) | Provides information about Encrypted Hard Drive, which uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.|
-| [Security auditing](security-auditing-overview.md)| Describes how the IT professional can use the security auditing features in Windows, and how organizations can benefit from using these technologies, to enhance the security and manageability of networks.|
-| [Security policy settings](security-policy-settings.md)| Provides a collection of reference topics that describe the common scenarios, architecture, and processes for security settings.|
-| [Smart Cards](smart-card-windows-smart-card-technical-reference.md) | Provides a collection of references topics about smart cards, which are tamper-resistant portable storage devices that can enhance the security of tasks such as authenticating clients, signing code, securing e-mail, and signing in with a Windows domain account. |
-| [Trusted Platform Module](trusted-platform-module-top-node.md)| Provides links to information about the Trusted Platform Module (TPM), which is a secure crypto-processor that helps you with actions such as generating, storing, and limiting the use of cryptographic keys. |
-| [User Account Control](user-account-control-overview.md)| Provides information about User Account Control (UAC), which helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. UAC can help block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.|
-| [Virtual Smart Cards](virtual-smart-card-overview.md) | Provides information about deploying and managing virtual smart cards, which are functionally similar to physical smart cards and appear in Windows as smart cards that are always-inserted. Virtual smart cards use the Trusted Platform Module (TPM) chip that is available on computers in many organizations, rather than requiring the use of a separate physical smart card and reader. |
-| [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)| Provides information about Windows Defender Advanced Threat Protection (Windows Defender ATP), an out-of-the-box Windows enterprise security service that enables enterprise cybersecurity teams to detect and respond to advanced threats on their networks.|
-| [Windows Defender in Windows 10](windows-defender-in-windows-10.md)| Provides information about Windows Defender, a built-in antimalware solution that helps provide security and antimalware management for desktops, portable computers, and servers. Includes a list of system requirements and new features.|
-| [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) | Provides information about Windows Firewall with Advanced Security, which is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Firewall with Advanced Security blocks unauthorized network traffic flowing into or out of the local device. |
+| [AppLocker](applocker-overview.md)| This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.|
+| [BitLocker](bitlocker-overview.md)| This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.|
+| [Encrypted Hard Drive](encrypted-hard-drive.md) | Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.|
+| [Security auditing](security-auditing-overview.md)| Topics in this section are for IT professionals and describes the security auditing features in Windows and how your organization can benefit from using these technologies to enhance the security and manageability of your network.|
+| [Security policy settings](security-policy-settings.md)| This reference topic describes the common scenarios, architecture, and processes for security settings.|
+| [Trusted Platform Module](trusted-platform-module-overview.md)| This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. The topic provides links to other resources about the TPM.|
+| [User Account Control](user-account-control-overview.md)| User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.|
+| [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)| Windows Defender Advanced Threat Protection (Windows Defender ATP) is an out-of-the-box Windows enterprise security service that enables enterprise cybersecurity teams to detect and respond to advanced threats on their networks.|
+| [Windows Defender in Windows 10](windows-defender-in-windows-10.md)| This topic provides an overview of Windows Defender, including a list of system requirements and new features.|
+| [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) | Windows Firewall with Advanced Security is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Firewall with Advanced Security blocks unauthorized network traffic flowing into or out of the local device. |
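Review bot: The rewritten table silently drops two rows, [Smart Cards](smart-card-windows-smart-card-technical-reference.md) and [Virtual Smart Cards](virtual-smart-card-overview.md); if those topics still exist this index loses its link to them, so either keep the rows or state why they were removed. Also confirm the new TPM target trusted-platform-module-overview.md exists (the old row linked trusted-platform-module-top-node.md), and fix the grammar in the Security auditing row: "Topics in this section are for IT professionals and describes" should be "describe".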
diff --git a/windows/keep-secure/select-types-of-rules-to-create.md b/windows/keep-secure/select-types-of-rules-to-create.md
index 35f8ffd6b2..00ae11caf5 100644
--- a/windows/keep-secure/select-types-of-rules-to-create.md
+++ b/windows/keep-secure/select-types-of-rules-to-create.md
@@ -55,7 +55,7 @@ In the Woodgrove Bank example, the line-of-business app for the Bank Tellers bus
### Determine how to allow system files to run
-Because AppLocker rules build a list of allowed apps, a rule or rules must be created to allow all Windows files to run. AppLocker provides a means to ensure system files are properly considered in your rule collection by generating the default rules for each rule collection. You can use the default rules (listed in [AppLocker default rules](working-with-applocker-rules.md#applocker-default-rules)) as a template when creating your own rules. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules so that the system files in the Windows folders will be allowed to run. When a default rule is created, it is denoted with "(Default rule)" in its name as it appears in the rule collection.
+Because AppLocker rules build a list of allowed apps, a rule or rules must be created to allow all Windows files to run. AppLocker provides a means to ensure system files are properly considered in your rule collection by generating the default rules for each rule collection. You can use the default rules as a template when creating your own rules. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules so that the system files in the Windows folders will be allowed to run. When a default rule is created, it is denoted with "(Default rule)" in its name as it appears in the rule collection.
You can also create a rule for the system files based on the path condition. In the preceding example, for the Bank Tellers group, all Windows files reside under C:\\Windows and can be defined with the path rule condition type. This will permit access to these files whenever updates are applied and the files change. If you require additional application security, you might need to modify the rules created from the built-in default rule collection. For example, the default rule to allow all users to run .exe files in the Windows folder is based on a path condition that allows all files within the Windows folder to run. The Windows folder contains a Temp subfolder to which the Users group is given the following permissions:
diff --git a/windows/keep-secure/service-status-windows-defender-advanced-threat-protection.md b/windows/keep-secure/service-status-windows-defender-advanced-threat-protection.md
deleted file mode 100644
index 6c8623a564..0000000000
--- a/windows/keep-secure/service-status-windows-defender-advanced-threat-protection.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-title: Check the Windows Defender ATP service status
-description: Check Windows Defender ATP service status, see if the service is experiencing issues and review previous issues that have been resolved.
-keywords: dashboard, service, issues, service status, current issues, status history, summary of impact, preliminary root cause, resolution, resolution time, expected resolution time
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: mjcaparas
-localizationpriority: high
----
-
-# Check the Windows Defender Advanced Threat Protection service status
-
-**Applies to:**
-
-- Windows 10 Enterprise
-- Windows 10 Education
-- Windows 10 Pro
-- Windows 10 Pro Education
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-The **Service health** provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service status is healthy or if there are current issues. If there are issues, you'll see details related to the issue such as when the issue was detected, what the preliminary root cause is, and the expected resolution time.
-
-You'll also see information on historical issues that have been resolved and details such as the date and time when the issue was resolved. When there are no issues on the service, you'll see a healthy status.
-
-You can view details on the service status by clicking the tile from the **Dashboard** or selecting the **Service health** menu from the navigation pane.
-
-The **Service health** details page has the following tabs:
-
-- **Current issues**
-- **Status History**
-
-## Current issues
-The **Current issues** tab shows the current state of the Windows Defender ATP service. When the service is running smoothly a healthy service status is shown. If there are issues seen, the following service details are shown to help you gain better insight about the issue:
-
-- Date and time for when the issue was detected
-- A short description of the issue
-- Update time
-- Summary of impact
-- Preliminary root cause
-- Next steps
-- Expected resolution time
-
-Updates on the progress of an issue is reflected on the page as the issue gets resolved. You'll see updates on information such as an updated estimate resolution time or next steps.
-
-When an issue is resolved, it gets recorded in the **Status history** tab.
-
-## Status history
-The **Status history** tab reflects all the historical issues that were seen and resolved. You'll see details of the resolved issues along with the other information that were included while it was being resolved.
-
-### Related topic
-- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
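Review bot: Deleting this topic outright leaves inbound links dangling; the file's own Related topic entry points to dashboard-windows-defender-advanced-threat-protection.md, which very likely links back to this service-status page, and no TOC or redirect change appears in this hunk. Add a redirect for service-status-windows-defender-advanced-threat-protection.md, or update the dashboard topic and the TOC in the same change, so the published URL does not start returning 404.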
diff --git a/windows/keep-secure/shut-down-the-system.md b/windows/keep-secure/shut-down-the-system.md
index 4cde410c2d..0c4f6b24a7 100644
--- a/windows/keep-secure/shut-down-the-system.md
+++ b/windows/keep-secure/shut-down-the-system.md
@@ -1,5 +1,5 @@
---
-title: Shut down the system - security policy setting (Windows 10)
+title: Shut down the system (Windows 10)
description: Describes the best practices, location, values, policy management, and security considerations for the Shut down the system security policy setting.
ms.assetid: c8e8f890-153a-401e-a957-ba6a130304bf
ms.prod: w10
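Review bot: The title here (and the H1 in the next hunk) drops the " - security policy setting" qualifier while the description on the following line still says "the Shut down the system security policy setting". The qualifier is what tells a reader scanning search results that this is a policy-setting reference rather than a how-to; if the shorter title is intended, say why in the commit message, otherwise keep it.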
@@ -9,7 +9,7 @@ ms.pagetype: security
author: brianlic-msft
---
-# Shut down the system - security policy setting
+# Shut down the system
**Applies to**
- Windows 10
diff --git a/windows/keep-secure/shutdown-clear-virtual-memory-pagefile.md b/windows/keep-secure/shutdown-clear-virtual-memory-pagefile.md
index 348aa4eb2d..83e27c9e00 100644
--- a/windows/keep-secure/shutdown-clear-virtual-memory-pagefile.md
+++ b/windows/keep-secure/shutdown-clear-virtual-memory-pagefile.md
@@ -1,5 +1,5 @@
---
-title: Shutdown Clear virtual memory pagefile - security policy setting (Windows 10)
+title: Shutdown Clear virtual memory pagefile (Windows 10)
description: Describes the best practices, location, values, policy management and security considerations for the Shutdown Clear virtual memory pagefile security policy setting.
ms.assetid: 31400078-6c56-4891-a6df-6dfb403c4bc9
ms.prod: w10
@@ -9,7 +9,7 @@ ms.pagetype: security
author: brianlic-msft
---
-# Shutdown: Clear virtual memory pagefile - security policy setting
+# Shutdown: Clear virtual memory pagefile
**Applies to**
- Windows 10
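Review bot: After this rename the YAML title "Shutdown Clear virtual memory pagefile (Windows 10)" and the H1 "Shutdown: Clear virtual memory pagefile" still differ by the colon, which is part of the policy's actual name. If the colon was left out of the title to avoid YAML quoting, quote the value instead so the title and heading match.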
diff --git a/windows/keep-secure/smart-card-architecture.md b/windows/keep-secure/smart-card-architecture.md
index 41b2dcc225..84d38741cf 100644
--- a/windows/keep-secure/smart-card-architecture.md
+++ b/windows/keep-secure/smart-card-architecture.md
@@ -74,7 +74,7 @@ Credential providers must be registered on a computer running Windows, and they
## Smart card subsystem architecture
-Vendors provide smart cards and smart card readers, and in many cases the vendors are different for the smart card and the smart card reader. Drivers for smart card readers are written to the [Personal Computer/Smart Card (PC/SC) standard](https://www.pcscworkgroup.com/). Each smart card must have a Credential Service Provider (CSP) that uses the CryptoAPI interfaces to enable cryptographic operations, and the WinSCard APIs to enable communications with smart card hardware.
+Vendors provide smart cards and smart card readers, and in many cases the vendors are different for the smart card and the smart card reader. Drivers for smart card readers are written to the [Personal Computer/Smart Card (PC/SC) standard](http://www.pcscworkgroup.com/specifications/overview.php). Each smart card must have a Credential Service Provider (CSP) that uses the CryptoAPI interfaces to enable cryptographic operations, and the WinSCard APIs to enable communications with smart card hardware.
### Base CSP and smart card minidriver architecture
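Review bot: The PC/SC link is downgraded from https://www.pcscworkgroup.com/ to an http URL at a deeper path (http://www.pcscworkgroup.com/specifications/overview.php). Plain-http links can be altered in transit and deep vendor paths rot faster than the site root; keep the https root link, or at least use https for the new URL.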
diff --git a/windows/keep-secure/smart-card-smart-cards-for-windows-service.md b/windows/keep-secure/smart-card-smart-cards-for-windows-service.md
index 1c4f17a7f2..a0c0edd3dc 100644
--- a/windows/keep-secure/smart-card-smart-cards-for-windows-service.md
+++ b/windows/keep-secure/smart-card-smart-cards-for-windows-service.md
@@ -14,7 +14,7 @@ Applies To: Windows 10, Windows Server 2016
This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service (formerly called Smart Card Resource Manager) manages readers and application interactions.
-The Smart Cards for Windows service provides the basic infrastructure for all other smart card components as it manages smart card readers and application interactions on the computer. It is fully compliant with the specifications set by the PC/SC Workgroup. For information about these specifications, see the [PC/SC Workgroup Specifications website](https://www.pcscworkgroup.com/).
+The Smart Cards for Windows service provides the basic infrastructure for all other smart card components as it manages smart card readers and application interactions on the computer. It is fully compliant with the specifications set by the PC/SC Workgroup. For information about these specifications, see the [PC/SC Workgroup Specifications Overview](http://www.pcscworkgroup.com/specifications/overview.php).
The Smart Cards for Windows service runs in the context of a local service, and it is implemented as a shared service of the services host (svchost) process. The Smart Cards for Windows service, Scardsvr, has the following service description:
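Review bot: Same https-to-http regression as in smart-card-architecture.md above: the replacement link is http://www.pcscworkgroup.com/specifications/overview.php. Use https here as well.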
diff --git a/windows/keep-secure/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/keep-secure/switch-pcr-banks-on-tpm-2-0-devices.md
index 993c5d1aea..b60489c882 100644
--- a/windows/keep-secure/switch-pcr-banks-on-tpm-2-0-devices.md
+++ b/windows/keep-secure/switch-pcr-banks-on-tpm-2-0-devices.md
@@ -1,6 +1,6 @@
---
-title: Understanding PCR banks on TPM 2.0 devices (Windows 10)
-description: This topic for the IT professional provides background about what happens when you switch PCR banks on TPM 2.0 devices.
+title: Switch PCR banks on TPM 2.0 devices (Windows 10)
+description: A Platform Configuration Register (PCR) is a memory location in the TPM that has some unique properties.
ms.assetid: 743FCCCB-99A9-4636-8F48-9ECB3A3D10DE
ms.prod: w10
ms.mktglfcycl: deploy
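Review bot: The new description is the first sentence of the body (a definition of a PCR) rather than a description of what the topic covers, and the new title "Switch PCR banks on TPM 2.0 devices" promises steps that the topic still does not give (its closing section still tells the reader to contact the OEM or UEFI vendor). Keep a description that summarises the topic's purpose, such as the removed one, and reconsider the how-to style title.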
@@ -9,13 +9,10 @@ ms.pagetype: security
author: brianlic-msft
---
-# Understanding PCR banks on TPM 2.0 devices
+# Switch PCR banks on TPM 2.0 devices
**Applies to**
- Windows 10
-- Windows Server 2016
-
-For steps on how to switch PCR banks on TPM 2.0 devices on your PC, you should contact your OEM or UEFI vendor. This topic provides background about what happens when you switch PCR banks on TPM 2.0 devices.
A Platform Configuration Register (PCR) is a memory location in the TPM that has some unique properties. The size of the value that can be stored in a PCR is determined by the size of a digest generated by an associated hashing algorithm. A SHA-1 PCR can store 20 bytes – the size of a SHA-1 digest. Multiple PCRs associated with the same hashing algorithm are referred to as a PCR bank.
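Review bot: This hunk silently drops "Windows Server 2016" from the Applies to list and removes the only sentence that frames the topic as background rather than step-by-step instructions. If Server 2016 support is unchanged, restore the list item; the removed framing sentence is worth keeping, especially now that the title reads like a procedure.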
@@ -24,7 +21,7 @@ PCR\[N\] = HASHalg( PCR\[N\] || ArgumentOfExtend )
The existing value is concatenated with the argument of the TPM Extend operation. The resulting concatenation is then used as input to the associated hashing algorithm, which computes a digest of the input. This computed digest becomes the new value of the PCR.
-The [TCG PC Client Platform TPM Profile Specification](http://www.trustedcomputinggroup.org/pc-client-platform-tpm-profile-ptp-specification/) defines the inclusion of at least one PCR bank with 24 registers. The only way to reset the first 16 PCRs is to reset the TPM itself. This restriction helps ensure that the value of those PCRs can only be modified via the TPM Extend operation.
+The [TCG PC Client Specific Platform TPM Profile for TPM 2.0](https://go.microsoft.com/fwlink/p/?LinkId=746577) defines the inclusion of at least one PCR bank with 24 registers. The only way to reset the first 16 PCRs is to reset the TPM itself. This restriction helps ensure that the value of those PCRs can only be modified via the TPM Extend operation.
Some TPM PCRs are used as checksums of log events. The log events are extended in the TPM as the events occur. Later, an auditor can validate the logs by computing the expected PCR values from the log and comparing them to the PCR values of the TPM. Since the first 16 TPM PCRs cannot be modified arbitrarily, a match between an expected PCR value in that range and the actual TPM PCR value provides assurance of an unmodified log.
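Review bot: The direct trustedcomputinggroup.org URL is replaced with an opaque go.microsoft.com fwlink, so a reader can no longer see where the link goes and the target is harder to audit for link rot. Prefer the direct https URL to the specification, and keep the link text matching the TCG document's title.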
@@ -32,7 +29,8 @@ Some TPM PCRs are used as checksums of log events. The log events are extended i
To bind the use of a TPM based key to a certain state of the PC, the key can be sealed to an expected set of PCR values. For instance, PCRs 0 through 7 have a well-defined value after the boot process – when the OS is loaded. When the hardware, firmware, or boot loader of the machine changes, the change can be detected in the PCR values. Windows 10 uses this capability to make certain cryptographic keys only available at certain times during the boot process. For instance, the BitLocker key can be used at a certain point in the boot, but not before or after.
-It is important to note that this binding to PCR values also includes the hashing algorithm used for the PCR. For instance, a key can be bound to a specific value of the SHA-1 PCR\[12\], if using SHA-256 PCR banks, even with the same system configuration. Otherwise, the PCR values will not match.
+It is important to note that this binding to PCR values also includes the hashing algorithm used for the PCR. For instance, a key can be bound to a specific value of the SHA-1 PCR\[12\], if using SHA-256 PCR banks, even with the
+same system configuration otherwise, the PCR values will not match.
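Review bot: The rewrite breaks the sentence: it is now wrapped mid-phrase across two lines, and "Otherwise" has been lowercased and fused onto the preceding sentence with a comma, so the + lines read "even with the same system configuration otherwise, the PCR values will not match", which is ungrammatical. The claim is also muddled in both versions; the point is that a key sealed to a SHA-1 PCR value will not unseal when the SHA-256 bank is in use because the digests differ. Suggest one line: "For instance, a key bound to a specific value of the SHA-1 PCR[12] will not match if the SHA-256 PCR bank is used, even with the same system configuration, because the digests differ."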
## What happens when PCR banks are switched?
@@ -43,7 +41,3 @@ As a result, if the currently used PCR bank is switched all keys that have been
## What can I do to switch PCRs when BitLocker is already active?
Before switching PCR banks you should suspend or disable BitLocker – or have your recovery key ready. For steps on how to switch PCR banks on your PC, you should contact your OEM or UEFI vendor.
-
-## Related topics
-
-- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
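Review bot: The Related topics section is removed with nothing replacing it, so this topic loses its only link back to the TPM top node, while the other TPM topics in this change keep an Additional resources list. Keep the link unless the TOC already provides that navigation.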
diff --git a/windows/keep-secure/testing-scenarios-for-wip.md b/windows/keep-secure/testing-scenarios-for-wip.md
index cca0a2fa52..45737291cf 100644
--- a/windows/keep-secure/testing-scenarios-for-wip.md
+++ b/windows/keep-secure/testing-scenarios-for-wip.md
@@ -163,7 +163,4 @@ You can try any of the processes included in these scenarios, but you should foc
-
The TPM can be enabled and disabled multiple times within a boot period, if ownership is taken.|
+| Disabled| The TPM restricts most operations. Exceptions include the ability to report TPM capabilities, extend and reset Platform Configuration Register (PCR) functions, and perform hashing and basic initialization.
The TPM can be enabled and disabled multiple times within a start-up period. |
+| Activated| Most features of the TPM are available. The TPM can be activated and deactivated only through physical presence, which requires a restart.|
+| Deactivated| Similar to the disabled state, with the exception that ownership can be taken when the TPM is deactivated and enabled. The TPM can be activated and deactivated only through physical presence, which requires a restart.|
+| Owned| Most features of the TPM are available. The TPM has an endorsement key and storage root key, and the owner knows information about owner authorization data.|
+| Unowned| The TPM does not have a storage root key, and it may or may not have an endorsement key.|
+
+>**Important:** Applications cannot use the TPM until the state is enabled, activated, and owned. All operations are available only when the TPM is in this state.
+
+The state of the TPM exists independently of the computer’s operating system. When the TPM is enabled, activated, and owned, the state of the TPM is preserved if the operating system is reinstalled.
-## Key attestation
+## Endorsement keys
+
+For a TPM to be usable by a trusted application, it must contain an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM, and it is never revealed or accessible outside the TPM. If the
+TPM does not contain an endorsement key, the application might cause the TPM to generate one automatically as part of the setup.
+An endorsement key can be created at various points in the TPM’s lifecycle, but it needs to be created only once for the lifetime of the TPM. The existence of an endorsement key is a requirement before TPM ownership can be taken.
+
+## Key attestation
TPM key attestation allows a certification authority to verify that a private key is actually protected by a TPM and that the TPM is one that the certification authority trusts. Endorsement keys which have been proven valid can be used to bind the user identity to a device. Moreover, the user certificate with a TPM attested key provides higher security assurance backed up by the non-exportability, anti-hammering, and isolation of keys provided by a TPM.
-## How the TPM mitigates dictionary attacks
+## How the TPM mitigates dictionary attacks
When a TPM processes a command, it does so in a protected environment, for example, a dedicated microcontroller on a discrete chip or a special hardware-protected mode on the main CPU. A TPM can be used to create a cryptographic key that is not disclosed outside the TPM, but is able to be used in the TPM after the correct authorization value is provided.
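Review bot: The hunk header names testing-scenarios-for-wip.md at -163,7 +163,4, but what follows is the TPM state table and the new Endorsement keys section with far more than four added lines, so a file header has been lost and this part of the patch cannot be applied as shown; regenerate the diff. Within the table, "The TPM can be enabled and disabled multiple times within a start-up period. |" continues a cell on a new line with no leading pipe, which Markdown tables do not support; put each row on one line. The Endorsement keys paragraph also hard-wraps mid-sentence ("If the" / "TPM does not contain"); keep the paragraph on one line like the rest of the topic.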
@@ -101,9 +144,8 @@ Because many entities can use the TPM, a single authorization success cannot res
TPM 2.0 has well defined dictionary attack logic behavior. This is in contrast to TPM 1.2 for which the dictionary attack logic was set by the manufacturer, and the logic varied widely throughout the industry.
-> [!WARNING]
-> For the purposes of this topic, Windows 8 Certified Hardware also pertains to Windows 8.1 systems. The following references to “Windows” include these supported Windows versions.
-
+>**Warning:** For the purposes of this topic, Windows 8 Certified Hardware also pertains to Windows 8.1 systems. The following references to “Windows” include these supported Windows versions.
+
For Windows 8 Certified Hardware systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures and to forget one authorization failure every two hours. This means that a user could quickly attempt to use a key with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts.
Attempts to use a key with an authorization value for the next two hours would not return success or failure; instead the response indicates that the TPM is locked. After two hours, one authorization failure is forgotten and the number of authorization failures remembered by the TPM drops to 31, so the TPM leaves the locked state and returns to normal operation. With the correct authorization value, keys could be used normally if no authorization failures occur during the next two hours. If a period of 64 hours elapses with no authorization failures, the TPM does not remember any authorization failures, and 32 failed attempts could occur again.
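Review bot: "> [!WARNING]" is the alert syntax the docs pipeline renders as a callout; replacing it with ">**Warning:**" drops back to a plain bold label inside a blockquote. Unless the target site does not support alerts, keep the [!WARNING] form and state the reason for the change in the commit message.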
@@ -123,15 +165,35 @@ For example, when BitLocker is used with a TPM plus PIN configuration, it needs
The Windows TPM-based smart card, which is a virtual smart card, can be configured to allow sign in to the system. In contrast with physical smart cards, the sign-in process uses a TPM-based key with an authorization value. The following list shows the advantages of virtual smart cards:
-- Physical smart cards can enforce lockout for only the physical smart card PIN, and they can reset the lockout after the correct PIN is entered. With a virtual smart card, the TPM’s dictionary attack is not reset after a successful authentication. The allowed number of authorization failures before the TPM enters lockout includes many factors.
+Physical smart cards can enforce lockout for only the physical smart card PIN, and they can reset the lockout after the correct PIN is entered. With a virtual smart card, the TPM’s dictionary attack is not reset after a successful authentication. The allowed number of authorization failures before the TPM enters lockout includes many factors.
-- Hardware manufacturers and software developers have the option to use the security features of the TPM to meet their requirements.
+Hardware manufacturers and software developers have the option to use the security features of the TPM to meet their requirements.
-- The intent of selecting 32 failures as the lock-out threshold is so users rarely lock the TPM (even when learning to type new passwords or if they frequently lock and unlock their computers). If users lock the TPM, they must to wait two hours or use some other credential to sign in, such as a user name and password.
+The intent of selecting 32 failures as the lock-out threshold is so users rarely lock the TPM (even when learning to type new passwords or if they frequently lock and unlock their computers). If users lock the TPM, they must to wait two hours or use some other credential to sign in, such as a user name and password.
-## Related topics
+## How do I check the state of my TPM?
-- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
+You can check the state of the TPM on a PC by running the Trusted Platform Module snap-in (tpm.msc). The **Status** heading tells you the state of your TPM. The TPM can be in one of the following states: **Ready for use**, **Ready for use, with reduced functionality**, and **Not ready for use**. To take advantage of most of the TPM features in Windows 10, the TPM must be **Ready for use**.
+
+## What can I do if my TPM is in reduced functionality mode?
+
+If your TPM is in reduced functionality mode, some features that rely on the TPM will not function correctly. This is most often caused by doing a clean installation of Windows 10 on a device where Windows 8.1, Windows 8, or Windows 7 had previously been installed on the same hardware. If your TPM is in reduced functionality mode, the Status heading in the Trusted Platform Module snap-in shows **The TPM is ready for use, with reduced functionality**.
+You can fix this by clearing the TPM.
+
+**To clear the TPM**
+
+1. Open the Trusted Platform Module snap-in (tpm.msc).
+2. Click **Clear TPM**, and then click **Restart.**
+3. When the PC is restarting, you might be prompted to press a button on the keyboard to clear the TPM.
+4. After the PC restarts, your TPM will be automatically prepared for use by Windows 10.
+
+>**Note:** Clearing the TPM causes you to lose all TPM keys and data protected by those keys, such as a virtual smart card. You should not perform this procedure on a device you do not own, such as a work or school PC, without being instructed to do so by your IT administrator.
+
+## Additional resources
+
+- [Trusted Platform Module Technology Overview](trusted-platform-module-overview.md)
+- [Trusted Platform Module Services Group Policy Settings](trusted-platform-module-services-group-policy-settings.md)
- [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx)
-- [TPM WMI providers](https://msdn.microsoft.com/library/aa376476.aspx)
-- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://technet.microsoft.com/itpro/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations)
\ No newline at end of file
+- [Schema Extensions for Windows Server 2008 R2 to support AD DS backup of TPM information from Windows 8 clients](ad-ds-schema-extensions-to-support-tpm-backup.md)
+- [TPM WMI providers](https://go.microsoft.com/fwlink/p/?LinkId=93478)
+- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](http://technet.microsoft.com/library/jj592683.aspx)
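Review bot: The three advantages of virtual smart cards lose their "- " bullet markers, but the unchanged context line above still says "The following list shows the advantages of virtual smart cards", so the text now announces a list that no longer exists; keep the bullets. While touching that text, "they must to wait two hours" should read "they must wait two hours". In Additional resources, the BitLocker planning link is changed from an https technet.microsoft.com URL to http://technet.microsoft.com/library/jj592683.aspx; keep https.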
diff --git a/windows/keep-secure/tpm-recommendations.md b/windows/keep-secure/tpm-recommendations.md
index 20d05b68d2..0b34d5a9a8 100644
--- a/windows/keep-secure/tpm-recommendations.md
+++ b/windows/keep-secure/tpm-recommendations.md
@@ -12,21 +12,26 @@ author: brianlic-msft
# TPM recommendations
-**Applies to**
-
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 10 Mobile
+- Windows Server 2016
+- Windows 10 IoT Core (IoT Core)
This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows 10.
-For a basic feature description of TPM, see the [Trusted Platform Module Technology Overview](trusted-platform-module-overview.md).
+## Overview
-## TPM design and implementation
+Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. It has a security-related crypto-processor that is designed to carry out cryptographic operations in a variety of devices and form factors. It includes multiple physical security mechanisms to help prevent malicious software from tampering with the security functions of the TPM. Some of the key advantages of using TPM technology are that you can:
+1. Generate, store, use, and protected cryptographic keys,
+2. Use TPM technology for platform device authentication by using a unique endorsement key (EK), and
+3. Help enhance platform integrity by taking and storing security measurements.
+
+The most common TPM functions are used for system integrity measurements and for key creation and use. During the boot process of a system, the boot code that is loaded (including firmware and the operating system components) can be measured and recorded in the TPM. The integrity measurements can be used as evidence for how a system started and to make sure that a TPM-based key was used only when the correct software was used to boot the system.
Traditionally, TPMs have been discrete chips soldered to a computer’s motherboard. Such implementations allow the computer’s original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Although discrete TPM implementations are still common, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips.
-TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform’s owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, however, a TPM must be provisioned. Windows 10 automatically provisions a TPM, but if the user is planning to reinstall the operating system, he or she may need to clear the TPM before reinstalling so that Windows can take full advantage of the TPM.
+TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform’s owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, however, a TPM must be provisioned. Windows 10 automatically provisions a TPM, but if the user reinstalls the operating system, he or she may need to tell the operating system to explicitly provision the TPM again before it can use all the TPM’s features.
The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards that support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
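Review bot: The new Overview list has a grammatical error: "Generate, store, use, and protected cryptographic keys" should be "protect". The numbered list also follows its introductory sentence with no blank line, which some Markdown renderers fold into the paragraph. More substantively, this hunk removes the link to trusted-platform-module-overview.md and pastes an overview in its place, so the same introductory text will now be maintained in two topics; consider keeping the link plus a one-line summary instead.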
@@ -34,6 +39,9 @@ OEMs implement the TPM as a component in a trusted computing platform, such as a
The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs whereas others do not.
+>**Note:** Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
## TPM 1.2 vs. 2.0 comparison
From an industry standard, Microsoft has been an industry leader in moving and standardizing on TPM 2.0, which has many key realized benefits across algorithms, crypto, hierarchy, root keys, authorization and NV RAM.
@@ -43,23 +51,16 @@ From an industry standard, Microsoft has been an industry leader in moving and s
TPM 2.0 products and systems have important security advantages over TPM 1.2, including:
- The TPM 1.2 spec only allows for the use of RSA and the SHA-1 hashing algorithm.
-
- For security reasons, some entities are moving away from SHA-1. Notably, NIST has required many federal agencies to move to SHA-256 as of 2014, and technology leaders, including Microsoft and Google have announced they will remove support for SHA-1 based signing or certificates in 2017.
-
- TPM 2.0 **enables greater crypto agility** by being more flexible with respect to cryptographic algorithms.
- - TPM 2.0 supports newer algorithms, which can improve drive signing and key generation performance. For the full list of supported algorithms, see the [TCG Algorithm Registry](http://www.trustedcomputinggroup.org/tcg-algorithm-registry/). Some TPMs do not support all algorithms.
-
- - For the list of algorithms that Windows supports in the platform cryptographic storage provider, see [CNG Cryptographic Algorithm Providers](https://msdn.microsoft.com/library/windows/desktop/bb931354(v=vs.85).aspx).
-
+ - TPM 2.0 supports SHA-256 as well as ECC, the latter being critical to drive signing and key generation performance.
- TPM 2.0 achieved ISO standardization ([ISO/IEC 11889:2015](http://blogs.microsoft.com/cybertrust/2015/06/29/governments-recognize-the-importance-of-tpm-2-0-through-iso-adoption/)).
-
- Use of TPM 2.0 may help eliminate the need for OEMs to make exception to standard configurations for certain countries and regions.
- TPM 2.0 offers a more **consistent experience** across different implementations.
- TPM 1.2 implementations vary in policy settings. This may result in support issues as lockout policies vary.
-
- TPM 2.0 lockout policy is configured by Windows, ensuring a consistent dictionary attack protection guarantee.
- While TPM 1.2 parts are discrete silicon components which are typically soldered on the motherboard, TPM 2.0 is available as a **discrete (dTPM)** silicon component in a single semiconductor package, an **integrated** component incorporated in one or more semiconductor packages - alongside other logic units in the same package(s) - and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on a general purpose SoC.
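Review bot: The replacement bullet "TPM 2.0 supports SHA-256 as well as ECC, the latter being critical to drive signing and key generation performance" drops two things worth keeping: the caveat "Some TPMs do not support all algorithms", which a reader needs before assuming ECC is available on a given part, and the links to the TCG Algorithm Registry and the CNG provider list that let them check. "Critical to" also overstates the removed wording ("can improve"). Suggest restoring the caveat and the two links.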
@@ -68,24 +69,22 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in
There are three implementation options for TPMs:
-- Discrete TPM chip as a separate component in its own semiconductor package
-
-- Integrated TPM solution, using dedicated hardware integrated into one or more semiconductor packages alongside, but logically separate from, other components
-
+- Discrete TPM chip as a separate component in its own semiconductor package
+- Integrated TPM solution, using dedicated hardware integrated into one or more semiconductor packages alongside, but logically separate from, other components
- Firmware TPM solution, running the TPM in firmware in a Trusted Execution mode of a general purpose computation unit
-Windows uses any compatible TPM in the same way. Microsoft does not take a position on which way a TPM should be implemented and there is a wide ecosystem of available TPM solutions which should suit all needs.
+Windows uses any compatible TPM in the same way. Microsoft does not take a position on which way a TPM should be implemented and there is a wide ecosystem of available TPM solutions which should suit all needs.
-## Is there any importance for TPM for consumers?
+## Is there any importance for TPM for consumer?
-For end consumers, TPM is behind the scenes but is still very relevant. TPM is used for Windows Hello, Windows Hello for Business and in the future, will be a component of many other key security features in Windows. TPM secures the PIN, helps encrypt passwords, and builds on our overall Windows 10 experience story for security as a critical pillar. Using Windows on a system with a TPM enables a deeper and broader level of security coverage.
+For end consumers, TPM is behind the scenes but is still very relevant. TPM is used for Windows Hello, Windows Hello for Business and in the future, will be a components of many other key security features in Windows. TPM secures the PIN, helps encrypt passwords, and builds on our overall Windows 10 experience story for security as a critical pillar. Using Windows on a system with a TPM enables a deeper and broader level of security coverage.
## TPM 2.0 Compliance for Windows 10
### Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)
-- Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx) page).
-
+- Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7, https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx)
+
### IoT Core
- TPM is optional on IoT Core.
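Review bot: each of the three edits in this hunk makes the text worse rather than better. Changing the heading from "for consumers" to "for consumer" and "a component" to "a components" both introduce grammatical errors, and replacing the `[Minimum hardware requirements](...)` markdown link with a bare URL in parentheses loses the link text. Keep the `-` versions of all three lines; while touching the requirements line, "a existing model" should also become "an existing model".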
@@ -96,28 +95,212 @@ For end consumers, TPM is behind the scenes but is still very relevant. TPM is u
## TPM and Windows Features
-The following table defines which Windows features require TPM support.
+The following table defines which Windows features require TPM support. Some features are not applicable to Windows 7/8/8.1 and are noted accordingly.
-| Windows Features | Windows 10 TPM 1.2 | Windows 10 TPM 2.0 | Details |
-|-------------------------|----------------------|----------------------|----------|
-| Measured Boot | Required | Required | Measured boot requires TPM 1.2 or 2.0 and UEFI Secure boot. |
-| Bitlocker | Required | Required | TPM 1.2 or later required or a removable USB memory device such as a flash drive. |
-| Passport: Domain AADJ Join | Required | Required | Supports both versions of TPM, but requires TPM with HMAC and EK certificate for key attestation support. |
-| Passport: MSA or Local Account | Required | Required | TPM 2.0 is required with HMAC and EK certificate for key attestation support. |
-| Device Encryption | Not Applicable | Required | TPM 2.0 is required for all InstantGo devices. |
-| Device Guard / Configurable Code Integrity | See next column | Recommended | |
-| Credential Guard | Required | Required | For Windows 10, version 1511, TPM 1.2 or 2.0 is highly recommended. If you don't have a TPM installed, Credential Guard will still be enabled, but the keys used to encrypt Credential Guard will not be protected by the TPM. |
-| Device Health Attestation | Required | Required | |
-| Windows Hello | Not Required | Recommended | |
-| UEFI Secure Boot | Not Required | Recommended | |
-| Platform Key Storage provider | Required | Required | |
-| Virtual Smart Card | Required | Required | |
-| Certificate storage (TPM bound) | Required | Required | |
-
-## OEM Status on TPM 2.0 system availability and certified parts
+
+
+
+## Chipset options for TPM 2.0
+There is a vibrant ecosystem of TPM manufacturers.
+### Discrete TPM
+
+
+
+
+Windows Features
+Windows 7/8/8.1 TPM 1.2
+Windows 10 TPM 1.2
+Windows 10 TPM 2.0
+Details
+
+
+Measured Boot
+Required
+Required
+Required
+Measured boot requires TPM 1.2 or 2.0 and UEFI Secure boot.
+
+
+Bitlocker
+Required
+Required
+Required
+TPM 1.2 or later required or a removable USB memory device such as a flash drive.
+
+
+Passport: Domain AADJ Join
+n/a
+Required
+Required
+Supports both versions of TPM, but requires TPM with HMAC and EK certificate for key attestation support.
+
+
+Passport: MSA or Local Account
+n/a
+Required
+Required
+TPM 2.0 is required with HMAC and EK certificate for key attestation support.
+
+
+Device Encryption
+n/a
+Not Required
+Required
+TPM 2.0 is required for all InstantGo devices.
+
+
+Device Guard / Configurable Code Integrity
+n/a
+Optional
+Optional
+
+
+
+Credential Guard
+n/a
+Required
+Required
+For Windows 10, version 1511, TPM 1.2 or 2.0 is highly recommended. If you don't have a TPM installed, Credential Guard will still be enabled, but the keys used to encrypt Credential Guard will not be protected by the TPM.
+
+
+Device Health Attestation
+n/a
+Required
+Required
+
+
+
+Windows Hello
+n/a
+Not Required
+Not Required
+
+
+
+UEFI Secure Boot
+Not Required
+Not Required
+Not Required
+
+
+
+Platform Key Storage provider
+n/a
+Required
+Required
+
+
+
+Virtual Smart Card
+n/a
+Required
+Required
+
+
+
+
+Certificate storage (TPM bound)
+n/a
+Required
+Required
+
+
+
+
+### Integrated TPM
+
+
+
+
+Supplier
+
+
+
+
+
+
+
-Government customers and enterprise customers in regulated industries may have acquisition standards that require use of common certified TPM parts. As a result, OEMs, who provide the devices, may be required to use only certified TPM components on their commercial class systems. For more information, contact your OEM or hardware vendor.
+### Firmware TPM
+
+
+
+
+Supplier
+Chipset
+
+
+
+Intel
+
+
+
+
+
+## OEM Feedback and Status on TPM 2.0 system availability
-## Related topics
+### Certified TPM parts
-- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
\ No newline at end of file
+Government customers and enterprise customers in regulated industries may have acquisition standards that require use of common certified TPM parts. As a result, OEMs, who provide the devices, may be required to use only certified TPM components on their commercial class systems. Discrete TPM 2.0 vendors have completion certification.
+
+### Windows 7 32-bit support
+
+Even though Windows 7 shipped before the TPM 2.0 spec or products existed, Microsoft backported TPM 2.0 support to Windows 7 64-bit and released it in summer 2014 as a downloadable Windows hotfix for UEFI based Windows 7 systems. Microsoft is not currently planning to backport support to Windows 7 32-bit support.
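Review bot: several cells of the rebuilt Windows Features table silently change requirement levels with no explanation in the hunk: Device Guard / Configurable Code Integrity goes from "Recommended" (TPM 2.0) to "Optional", Windows Hello and UEFI Secure Boot go from "Recommended" to "Not Required", and Device Encryption on TPM 1.2 goes from "Not Applicable" to "Not Required" while its Details cell still says TPM 2.0 is required for all InstantGo devices. Either restore the original values or state why the guidance changed. Separately, the new "Chipset options for TPM 2.0" section is not publishable as written: the Discrete TPM subsection contains the Windows Features table instead of a supplier list, the Integrated TPM table has a "Supplier" header and no rows, the Firmware TPM table lists "Intel" with an empty Chipset cell, "Discrete TPM 2.0 vendors have completion certification" should read "have completed certification", the "Windows 7 32-bit support" heading sits above a paragraph that is mostly about the 64-bit backport, and the "Related topics" link to trusted-platform-module-top-node.md is dropped without a replacement.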
diff --git a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
index e95197be01..e3c1d51f68 100644
--- a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
title: Troubleshoot Windows Defender ATP onboarding issues
description: Troubleshoot issues that might arise during the onboarding of endpoints or to the Windows Defender ATP service.
-keywords: troubleshoot onboarding, onboarding issues, event viewer, data collection and preview builds, sensor data and diagnostics
+keywords: troubleshoot onboarding, onboarding issues, event viewer, data collection and preview builds, telemetry and diagnostics
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@@ -65,7 +65,7 @@ Event ID | Error Type | Resolution steps
5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```.
10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically
+
+
+
+Supplier
+Chipset
+
+
+AMD
+
+
+
+
+
+Qualcomm
+
+
+
```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat```.
Verify that the script was ran as an administrator.
15 | Failed to start SENSE service |Check the service status (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights).
-15 | Failed to start SENSE service | If the message of the error is: System error 577 has occurred. You need to enable the Windows Defender ELAM driver, see [Ensure that Windows Defender is not disabled by a policy](#ensure-that-windows-defender-is-not-disabled-by-a-policy) for instructions.
+15 | Failed to start SENSE service | If the message of the error is: System error 577 has occurred. You need to enable the Windows Defender ELAM driver, see [Ensure the Windows Defender ELAM driver is enabled](#ensure-the-windows-defender-elam-driver-is-enabled) for instructions.
30 | The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
35 | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location
```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```.
The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
40 | SENSE service onboarding status is not set to **1** | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
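Review bot: the Event ID 10 row is broken in this hunk: its registry path is split across lines and ends as `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat` (missing `Protection`), and a stray Supplier / Chipset / AMD / Qualcomm table fragment from the TPM page sits between the two halves of the row, so the markdown table will not render. Move that fragment back to the TPM chipset section and keep the full path `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` on one line, matching the Event ID 5 row. The table also still carries two separate rows for Event ID 15; merging them into one row with both resolution steps would be clearer.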
@@ -124,7 +124,7 @@ If the deployment tools used does not indicate an error in the onboarding proces
- [Ensure the telemetry and diagnostics service is enabled](#ensure-the-telemetry-and-diagnostics-service-is-enabled)
- [Ensure the service is set to start](#ensure-the-service-is-set-to-start)
- [Ensure the endpoint has an Internet connection](#ensure-the-endpoint-has-an-internet-connection)
-- [Ensure that Windows Defender is not disabled by a policy](#ensure-that-windows-defender-is-not-disabled-by-a-policy)
+- [Ensure the Windows Defender ELAM driver is enabled](#ensure-the-windows-defender-elam-driver-is-enabled)
### View agent onboarding errors in the endpoint event log
@@ -214,7 +214,7 @@ First, you should check that the service is set to start automatically when Wind
### Ensure the endpoint has an Internet connection
-The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service.
+The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report telemetry and communicate with the Windows Defender ATP service.
WinHTTP is independent of the Internet browsing proxy settings and other user context applications and must be able to detect the proxy servers that are available in your particular environment.
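Review bot: the touched line still says "The Window Defender ATP sensor"; since the sentence is being edited anyway, fix it to "Windows Defender ATP". The wording change itself (sensor data to telemetry) is consistent with the "Ensure the telemetry and diagnostics service is enabled" heading referenced earlier in the file, so that part is fine.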
@@ -222,31 +222,98 @@ To ensure that sensor has service connectivity, follow the steps described in th
If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) topic.
-### Ensure that Windows Defender is not disabled by a policy
-**Problem**: The Windows Defender ATP service does not start after onboarding.
+### Ensure the Windows Defender ELAM driver is enabled
+If your endpoints are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled.
-**Symptom**: Onboarding successfully completes, but you see error 577 when trying to start the service.
+**Check the ELAM driver status:**
-**Solution**: If your endpoints are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not disabled in system policy.
+1. Open a command-line prompt on the endpoint:
-- Depending on the tool that you use to implement policies, you'll need to verify that the following Windows Defender policies are set to ```0``` or that the settings are cleared:
+ a. Click **Start**, type **cmd**, and select **Command prompt**.
- - ```DisableAntiSpyware```
- - ```DisableAntiVirus```
+2. Enter the following command, and press Enter:
+ ```
+ sc qc WdBoot
+ ```
+ If the ELAM driver is enabled, the output will be:
- For example, in Group Policy:
+ ```
+ [SC] QueryServiceConfig SUCCESS
- ```
-Event ID: 2050
Filename <uploaded filename>
Sha256: <file SHA>
+
Event ID: 3002
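Review bot: the rewritten ELAM section removes the only remediation the old text gave (verify that the `DisableAntiSpyware` and `DisableAntiVirus` policies are set to `0` or cleared) and replaces it with a `sc qc WdBoot` check whose expected output stops after `[SC] QueryServiceConfig SUCCESS`, after which the hunk jumps into unrelated `Event ID: 2050` / `Event ID: 3002` lines from another part of the file. Finish the expected output (say which `START_TYPE` value means the driver is enabled), say what to do when it is not, and keep the error 577 symptom in this section, since the Event ID 15 row still points readers here for that error.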
diff --git a/windows/keep-secure/trusted-platform-module-overview.md b/windows/keep-secure/trusted-platform-module-overview.md
index ba05130ce1..a1b3a32c2d 100644
--- a/windows/keep-secure/trusted-platform-module-overview.md
+++ b/windows/keep-secure/trusted-platform-module-overview.md
@@ -1,6 +1,6 @@
---
title: Trusted Platform Module Technology Overview (Windows 10)
-description: This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
+description: This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. The topic provides links to other resources about the TPM.
ms.assetid: face8932-b034-4319-86ac-db1163d46538
ms.prod: w10
ms.mktglfcycl: deploy
@@ -14,70 +14,64 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016
-This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
+This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. The topic provides links to other resources about the TPM.
-## Feature description
+## Feature description
Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Some of the key advantages of using TPM technology are that you can:
- Generate, store, and limit the use of cryptographic keys.
-
- Use TPM technology for platform device authentication by using the TPM’s unique RSA key, which is burned into itself.
-
- Help ensure platform integrity by taking and storing security measurements.
The most common TPM functions are used for system integrity measurements and for key creation and use. During the boot process of a system, the boot code that is loaded (including firmware and the operating system components) can be measured and recorded in the TPM. The integrity measurements can be used as evidence for how a system started and to make sure that a TPM-based key was used only when the correct software was used to boot the system.
TPM-based keys can be configured in a variety of ways. One option is to make a TPM-based key unavailable outside the TPM. This is good to mitigate phishing attacks because it prevents the key from being copied and used without the TPM. TPM-based keys can also be configured to require an authorization value to use them. If too many incorrect authorization guesses occur, the TPM will activate its dictionary attack logic and prevent further authorization value guesses.
-Different versions of the TPM are defined in specifications by the Trusted Computing Group (TCG). For more information, consult the [TCG Web site](http://www.trustedcomputinggroup.org/work-groups/trusted-platform-module/).
+Different versions of the TPM are defined in specifications by the Trusted Computing Group (TCG). For more information, consult the TCG Web site (
+
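Review bot: the last line of this hunk is truncated: `consult the TCG Web site (` has an unclosed parenthesis and no URL, whereas the removed line carried a working markdown link to http://www.trustedcomputinggroup.org/work-groups/trusted-platform-module/. Keep the `-` line. Dropping "Windows Server 2016" from the Applies to list also narrows the scope of the topic without explanation; if that is deliberate, say so in the commit message.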
diff --git a/windows/keep-secure/using-event-viewer-with-applocker.md b/windows/keep-secure/using-event-viewer-with-applocker.md
index 7a3b0f4f8d..1b1b80e64f 100644
--- a/windows/keep-secure/using-event-viewer-with-applocker.md
+++ b/windows/keep-secure/using-event-viewer-with-applocker.md
@@ -46,7 +46,7 @@ The following table contains information about the events that you can use to de
| 8005| Information| *<File name> * was allowed to run.| Specifies that the script or .msi file is allowed by an AppLocker rule.|
| 8006 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only ** enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the **Enforce rules ** enforcement mode were enabled. |
| 8007 | Error| *<File name> * was not allowed to run.| Access to *<file name> * is restricted by the administrator. Applied only when the **Enforce rules ** enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file cannot run.|
-| 8008| Error| AppLocker disabled on the SKU.| Added in Windows Server 2012 and Windows 8.|
+| 8007| Error| AppLocker disabled on the SKU.| Added in Windows Server 2012 and Windows 8.|
| 8020| Information| Packaged app allowed.| Added in Windows Server 2012 and Windows 8.|
| 8021| Information| Packaged app audited.| Added in Windows Server 2012 and Windows 8.|
| 8022| Information| Packaged app disabled.| Added in Windows Server 2012 and Windows 8.|
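Review bot: changing the event ID of "AppLocker disabled on the SKU" from 8008 to 8007 leaves two different events with ID 8007 in the same table (the row above already uses 8007 for "was not allowed to run"), so this cannot be right as written. Keep 8008 unless the event log really emits 8007 for both, in which case the table needs a note saying so.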
diff --git a/windows/keep-secure/using-owa-with-wip.md b/windows/keep-secure/using-owa-with-wip.md
deleted file mode 100644
index f4046b30a6..0000000000
--- a/windows/keep-secure/using-owa-with-wip.md
+++ /dev/null
@@ -1,35 +0,0 @@
----
-title: Using Outlook Web Access with Windows Information Protection (WIP) (Windows 10)
-description: Options for using Outlook Web Access (OWA) with Windows Information Protection (WIP).
-keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP and OWA configuration
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: high
----
-
-# Using Outlook Web Access with Windows Information Protection (WIP)
-**Applies to:**
-
-- Windows 10, version 1607
-- Windows 10 Mobile
-
->Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
-
-Because Outlook Web Access (OWA) can be used both personally and as part of your organization, you have the following options to configure it with Windows Information Protection (WIP):
-
-|Option |OWA behavior |
-|-------|-------------|
-|Disable OWA. Employees can only use Microsoft Outlook 2016 or the Office 365 Mail app. | Disabled. |
-|Don't configure outlook.office.com in any of your networking settings. |All mailboxes are automatically marked as personal. This means employees attempting to copy work content into OWA receive prompts and that files downloaded from OWA aren't automatically protected as corporate data. |
-|Do all of the following:
|Inbox content accessed through the new domain is automatically marked as corporate data, while content accessed through personal email is automatically marked as personal. |
-|Add outlook.office.com to the Enterprise Cloud Resources network element in your WIP policy. |All mailboxes are automatically marked as corporate. This means any personal inboxes hosted on Office 365 are also automatically marked as corporate data. |
-
->[!NOTE]
->These limitations don’t apply to Outlook 2016 or to the Office 365 Mail and Calendar apps. These apps will work properly, marking an employee’s mailbox as corporate data, regardless of how you’ve configured outlook.office.com in your network settings.
-
-
-
-
-
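Review bot: this deletes the whole OWA-with-WIP page, but no TOC or cross-link update for using-owa-with-wip.md appears in the diff, so any page still linking to it will break. Either add the TOC and link cleanup to this change or say where the content moved.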
diff --git a/windows/keep-secure/windows-credential-theft-mitigation-guide-abstract.md b/windows/keep-secure/windows-credential-theft-mitigation-guide-abstract.md
deleted file mode 100644
index 44a10d1bbe..0000000000
--- a/windows/keep-secure/windows-credential-theft-mitigation-guide-abstract.md
+++ /dev/null
@@ -1,67 +0,0 @@
----
-title: Windows 10 Credential Theft Mitigation Guide Abstract (Windows 10)
-description: Provides a summary of the Windows 10 credential theft mitigation guide.
-ms.assetid: 821ddc1a-f401-4732-82a7-40d1fff5a78a
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: justinha
----
-
-# Windows 10 Credential Theft Mitigation Guide Abstract
-
-**Applies to**
-- Windows 10
-
-This topic provides a summary of the Windows 10 credential theft mitigation guide, which can be downloaded from the [Microsoft Download Center](http://download.microsoft.com/download/C/1/4/C14579CA-E564-4743-8B51-61C0882662AC/Windows 10 credential theft mitigation guide.docx).
-This guide explains how credential theft attacks occur and the strategies and countermeasures you can implement to mitigate them, following these security stages:
-
-- Identify high-value assets
-- Protect against known and unknown threats
-- Detect pass-the-hash and related attacks
-- Respond to suspicious activity
-- Recover from a breach
-
-
-
-## Attacks that steal credentials
-
-Learn about the different types of attacks that are used to steal credentials, and the factors that can place your organization at risk.
-The types of attacks that are covered include:
-
-- Pass the hash
-- Kerberos pass the ticket
-- Kerberos golden ticket and silver ticket
-- Key loggers
-- Shoulder surfing
-
-## Credential protection strategies
-
-This part of the guide helps you consider the mindset of the attacker, with prescriptive guidance about how to prioritize high-value accounts and computers.
-You'll learn how to architect a defense against credential theft:
-
-- Establish a containment model for account privileges
-- Harden and restrict administrative hosts
-- Ensure that security configurations and best practices are implemented
-
-## Technical countermeasures for credential theft
-
-Objectives and expected outcomes are covered for each of these countermeasures:
-
-- Use Windows 10 with Credential Guard
-- Restrict and protect high-privilege domain accounts
-- Restrict and protect local accounts with administrative privileges
-- Restrict inbound network traffic
-
-Many other countermeasures are also covered, such as using Microsoft Passport and Windows Hello, or multifactor authentication.
-
-## Detecting credential attacks
-
-This sections covers how to detect the use of stolen credentials and how to collect computer events to help you detect credential theft.
-
-## Responding to suspicious activity
-
-Learn Microsoft's recommendations for responding to incidents, including how to recover control of compromised accounts, how to investigate attacks, and how to recover from a breach.
-
-
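Review bot: this removes the page that links to the downloadable Windows 10 credential theft mitigation guide, and the diff adds no replacement pointer to that download anywhere else, so the guide becomes unreachable from the docs. If the page is being retired on purpose, the commit message should say so and the download link should move to a surviving topic.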
diff --git a/windows/keep-secure/windows-defender-advanced-threat-protection.md b/windows/keep-secure/windows-defender-advanced-threat-protection.md
index 0a9feddff7..7a77dece05 100644
--- a/windows/keep-secure/windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/windows-defender-advanced-threat-protection.md
@@ -21,8 +21,6 @@ localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=technet-wd-atp-abovefoldlink1)
->
>For more info about Windows 10 Enterprise Edition features and functionality, see [Windows 10 Enterprise edition](https://www.microsoft.com/WindowsForBusiness/buy).
Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service that enables enterprise customers to detect, investigate, and respond to advanced threats on their networks.
@@ -32,7 +30,7 @@ Windows Defender ATP uses the following combination of technology built into Win
- **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors
collect and process behavioral signals from the operating system
(for example, process, registry, file, and network communications)
- and sends this sensor data to your private, isolated, cloud instance of Windows Defender ATP.
+ and sends this telemetry to your private, isolated, cloud instance of Windows Defender ATP.
- **Cloud security analytics**: Leveraging big-data, machine-learning, and
@@ -47,7 +45,7 @@ Windows Defender ATP uses the following combination of technology built into Win
and augmented by threat intelligence provided by partners, threat
intelligence enables Windows Defender ATP to identify attacker
tools, techniques, and procedures, and generate alerts when these
- are observed in collected sensor data.
+ are observed in collected telemetry.
The following diagram shows these Windows Defender ATP service
components:
@@ -93,6 +91,3 @@ Topic | Description
[Troubleshoot Windows Defender Advanced Threat Protection](troubleshoot-windows-defender-advanced-threat-protection.md) | This topic contains information to help IT Pros find workarounds for the known issues and troubleshoot issues in Windows Defender ATP.
[Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)| Review events and errors associated with event IDs to determine if further troubleshooting steps are required.
[Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md) | Learn about how Windows Defender works in conjunction with Windows Defender ATP.
-
-## Related topic
-[Windows Defender ATP helps detect sophisticated threats](https://www.microsoft.com/itshowcase/Article/Content/854/Windows-Defender-ATP-helps-detect-sophisticated-threats)
diff --git a/windows/keep-secure/windows-defender-block-at-first-sight.md b/windows/keep-secure/windows-defender-block-at-first-sight.md
index a31f43f6ee..8abf7c0806 100644
--- a/windows/keep-secure/windows-defender-block-at-first-sight.md
+++ b/windows/keep-secure/windows-defender-block-at-first-sight.md
@@ -30,9 +30,6 @@ It is enabled by default when certain pre-requisite settings are also enabled. I
When a Windows Defender client encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean.
-> [!NOTE]
-> The Block at first sight feature only use the cloud protection backend for executable files that are downloaded from the Internet, or originating from the Internet zone. A hash value of the EXE file is checked via the cloud backend to determine if this is a previously undetected file.
-
If the cloud backend is unable to make a determination, the file will be locked by Windows Defender while a copy is uploaded to the cloud. Only after the cloud has received the file will Windows Defender release the lock and let the file run. The cloud will perform additional analysis to reach a determination, blocking all future encounters of that file.
In many cases this process can reduce the response time to new malware from hours to seconds.
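Review bot: the removed note carried a scoping caveat that the rest of the section does not: Block at first sight only consults the cloud backend for executables downloaded from the Internet or originating in the Internet zone, and it checks the file hash first. Without it the surrounding text reads as if every suspicious file is locked and uploaded. If the scope has changed, replace the note with the current scope rather than deleting it.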
diff --git a/windows/keep-secure/windows-defender-in-windows-10.md b/windows/keep-secure/windows-defender-in-windows-10.md
index 58ecb02cde..7ad3e53061 100644
--- a/windows/keep-secure/windows-defender-in-windows-10.md
+++ b/windows/keep-secure/windows-defender-in-windows-10.md
@@ -18,7 +18,7 @@ author: jasesso
Windows Defender in Windows 10 is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers.
This topic provides an overview of Windows Defender, including a list of system requirements and new features.
-For more important information about running Windows Defender on a server platform, see [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server).
+For more important information about running Windows Defender on a server platform, see [Windows Defender Overview for Windows Server Technical Preview](https://technet.microsoft.com/library/dn765478.aspx).
Take advantage of Windows Defender by configuring settings and definitions using the following tools:
- Microsoft Active Directory *Group Policy* for settings
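Review bot: the server link is being pointed from the Windows Server docs overview back to a "Windows Server Technical Preview" article (dn765478), which is older than the page it replaces. Unless the windows-server-docs URL is actually broken, keep the `-` line.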
diff --git a/windows/keep-secure/wip-app-enterprise-context.md b/windows/keep-secure/wip-app-enterprise-context.md
deleted file mode 100644
index b4ebd4ced4..0000000000
--- a/windows/keep-secure/wip-app-enterprise-context.md
+++ /dev/null
@@ -1,55 +0,0 @@
----
-title: Determine the Enterprise Context of an app running in Windows Information Protection (WIP) (Windows 10)
-description: Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP).
-keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP and Task Manager, app context, enterprise context
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: high
----
-
-# Determine the Enterprise Context of an app running in Windows Information Protection (WIP)
-**Applies to:**
-
-- Windows 10, version 1607
-- Windows 10 Mobile
-
->Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
-
-Use Task Manager to check the context of your apps while running in Windows Information Protection (WIP) to make sure that your organization's policies are applied and running correctly.
-
-## Viewing the Enterprise Context column in Task Manager
-You need to add the Enterprise Context column to the **Details** tab of the Task Manager.
-
-1. Make sure that you have an active WIP policy deployed and turned on in your organization.
-
-2. Open the Task Manager (taskmgr.exe), click the **Details** tab, right-click in the column heading area, and click **Select columns**.
-
- The **Select columns** box appears.
-
- 
-
-3. Scroll down and check the **Enterprise Context** option, and then click **OK** to close the box.
-
- The **Enterprise Context** column should now be available in Task Manager.
-
- 
-
-## Review the Enterprise Context
-The **Enterprise Context** column shows you what each app can do with your enterprise data:
-
-- **Domain.** Shows the employee's work domain (such as, corp.contoso.com). This app is considered work-related and can freely touch and open work data and resources.
-
-- **Personal.** Shows the text, *Personal*. This app is considered non-work-related and can't touch any work data or resources.
-
-- **Exempt.** Shows the text, *Exempt*. WIP policies don't apply to these apps (such as, system components).
-
- >[!IMPORTANT]
- >Enlightened apps can change between Work and Personal, depending on the data being touched. For example, Microsoft Word 2016 shows as **Personal** when an employee opens a personal letter, but changes to **Work** when that same employee opens the company financials.
-
-
-
-
-
-
diff --git a/windows/keep-secure/working-with-applocker-rules.md b/windows/keep-secure/working-with-applocker-rules.md
index c6fd38667f..9c528133ef 100644
--- a/windows/keep-secure/working-with-applocker-rules.md
+++ b/windows/keep-secure/working-with-applocker-rules.md
@@ -89,7 +89,6 @@ The following table describes how a publisher condition is applied.
| Option | The publisher condition allows or denies… |
-|---|---|
| **All signed files** | All files that are signed by any publisher.|
| **Publisher only**| All files that are signed by the named publisher.|
| **Publisher and product name**| All files for the specified product that are signed by the named publisher.|
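Review bot: removing the `|---|---|` line deletes the header separator of the publisher condition table, so markdown will no longer render it as a table. Restore the separator row.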
@@ -124,7 +123,7 @@ When you choose the file hash rule condition, the system computes a cryptographi
## AppLocker default rules
-AppLocker includes default rules, which are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. For background, see [Understanding AppLocker default rules](understanding-applocker-default-rules.md), and for steps, see [Create AppLocker default rules](create-applocker-default-rules.md).
+AppLocker allows you to generate default rules for each rule collection.
Executable default rule types include:
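Review bot: the new one-line sentence drops both the reason default rules exist (to make sure the files Windows needs in order to run are allowed) and the links to understanding-applocker-default-rules.md and create-applocker-default-rules.md. That context matters for a reader about to build an allow-list; keep the original sentence, or at least the links.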
diff --git a/windows/manage/.vscode/settings.json b/windows/manage/.vscode/settings.json
deleted file mode 100644
index 20af2f68a6..0000000000
--- a/windows/manage/.vscode/settings.json
+++ /dev/null
@@ -1,3 +0,0 @@
-// Place your settings in this file to overwrite default and user settings.
-{
-}
\ No newline at end of file
diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md
index d68415cde7..54af0df920 100644
--- a/windows/manage/TOC.md
+++ b/windows/manage/TOC.md
@@ -1,21 +1,7 @@
# [Manage and update Windows 10](index.md)
## [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md)
-## [Cortana integration in your business or enterprise](cortana-at-work-overview.md)
-### [Testing scenarios using Cortana in your business or organization](cortana-at-work-testing-scenarios.md)
-#### [Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook](cortana-at-work-scenario-1.md)
-#### [Test scenario 2 - Test scenario 2 - Perform a quick search with Cortana at work](cortana-at-work-scenario-2.md)
-#### [Test scenario 3 - Set a reminder for a specific location using Cortana at work](cortana-at-work-scenario-3.md)
-#### [Test scenario 4 - Use Cortana at work to find your upcoming meetings](cortana-at-work-scenario-4.md)
-#### [Test scenario 5 - Use Cortana to send email to a co-worker](cortana-at-work-scenario-5.md)
-#### [Test scenario 6 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device](cortana-at-work-scenario-6.md)
-### [Set up and test Cortana with Office 365 in your organization](cortana-at-work-o365.md)
-### [Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization](cortana-at-work-crm.md)
-### [Set up and test Cortana for Power BI in your organization](cortana-at-work-powerbi.md)
-### [Set up and test custom voice commands in Cortana for your organization](cortana-at-work-voice-commands.md)
-### [Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization](cortana-at-work-policy-settings.md)
-### [Send feedback about Cortana at work back to Microsoft](cortana-at-work-feedback.md)
+## [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md)
## [Update Windows 10 in the enterprise](waas-update-windows-10.md)
-### [Quick guide to Windows as a service](waas-quick-start.md)
### [Overview of Windows as a service](waas-overview.md)
### [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
### [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
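Review bot: the `### [Quick guide to Windows as a service](waas-quick-start.md)` entry is removed from the TOC, but this diff shows no deletion of or redirect for waas-quick-start.md, so that topic becomes unreachable from navigation. The new Cortana target `manage-cortana-in-enterprise.md` is also not added anywhere in this diff; confirm it already exists, otherwise the TOC link will 404.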
@@ -38,15 +24,13 @@
### [Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md)
### [New policies for Windows 10](new-policies-for-windows-10.md)
### [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md)
-### [Changes to Group Policy settings for Windows 10 Start menu](changes-to-start-policies-in-windows-10.md)
+### [Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md)
### [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md)
### [Introduction to configuration service providers (CSPs)](how-it-pros-can-use-configuration-service-providers.md)
## [Windows Spotlight on the lock screen](windows-spotlight.md)
## [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
### [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
### [Customize and export Start layout](customize-and-export-start-layout.md)
-### [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md)
-### [Start layout XML for mobile editions of Windows 10 (reference)](start-layout-xml-mobile.md)
### [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
### [Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
### [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
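Review bot: the two Start layout XML reference entries (`start-layout-xml-desktop.md`, `start-layout-xml-mobile.md`) are removed from the TOC without a matching file deletion or redirect visible in this diff, which leaves those topics orphaned. Either keep the entries or delete the files in the same change. The `Start menu` to `Start` rename is consistent with the title change to changes-to-start-policies-in-windows-10.md below.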
diff --git a/windows/manage/administrative-tools-in-windows-10.md b/windows/manage/administrative-tools-in-windows-10.md
index a7d5203f8a..3db6a42541 100644
--- a/windows/manage/administrative-tools-in-windows-10.md
+++ b/windows/manage/administrative-tools-in-windows-10.md
@@ -26,6 +26,9 @@ The tools in the folder might vary depending on which edition of Windows you are
These tools were included in previous versions of Windows and the associated documentation for each tool should help you use these tools in Windows 10. The following list links to documentation for each tool.
+**Tip**
+If the content that is linked to a tool in the following list doesn't provide the information you need to use that tool, send us a comment by using the **Was this page helpful?** feature on this **Administrative Tools in Windows 10** page. Details about the information you want for a tool will help us plan future content.
+
- [Component Services]( https://go.microsoft.com/fwlink/p/?LinkId=708489)
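Review bot: the `+**Tip**` / `+If the content…` lines lose the `>[!TIP]` alert syntax that the same text carries in the next hunk (and that `> [!WARNING]`, `> [!NOTE]` and `>[!IMPORTANT]` use elsewhere in this diff), so the tip will render as a plain paragraph with a bold word instead of the docs' callout. Moving the tip above the list is the right fix, since the text says "the following list", but keep it as `>[!TIP]` followed by `>If the content that is linked to a tool…`.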
@@ -46,8 +49,7 @@ These tools were included in previous versions of Windows and the associated doc
- [Windows Firewall with Advanced Security](https://go.microsoft.com/fwlink/p/?LinkId=708503)
- [Windows Memory Diagnostic]( https://go.microsoft.com/fwlink/p/?LinkId=708507)
->[!TIP]
->If the content that is linked to a tool in the following list doesn't provide the information you need to use that tool, send us a comment by using the **Was this page helpful?** feature on this **Administrative Tools in Windows 10** page. Details about the information you want for a tool will help us plan future content.
+
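Review bot: the old tip is replaced with a bare `+` blank line, which leaves stray trailing whitespace at the end of the file; drop the added blank line so the file ends after the `**Windows Memory Diagnostic**` bullet.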
diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md
index c9e8313b65..50f89c5dea 100644
--- a/windows/manage/change-history-for-manage-and-update-windows-10.md
+++ b/windows/manage/change-history-for-manage-and-update-windows-10.md
@@ -12,27 +12,6 @@ author: jdeckerMS
This topic lists new and updated topics in the [Manage and update Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
->If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history).
-
-## January 2017
-
-| New or changed topic | Description |
-| --- | --- |
-| [Cortana integration in your business or enterprise](cortana-at-work-overview.md) | New |
-| [Start layout XML for desktop editions of Windows 10](start-layout-xml-desktop.md) | New (previously published in Hardware Dev Center on MSDN) |
-| [Start layout XML for mobile editions of Windows 10](start-layout-xml-mobile.md) | New (previously published in Hardware Dev Center on MSDN) |
-| [Quick guide to Windows as a service](waas-quick-start.md) | Added video that explains how Windows as a service works. |
-
-
-
-## December 2016
-
-| New or changed topic | Description |
-| --- | --- |
-| [Quick guide to Windows as a service](waas-quick-start.md) | New |
-| [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | Added video demonstration of the latest in modern management for Windows 10 |
-| [Windows Store for Business overview](windows-store-for-business-overview.md) | Updated list of supported markets. |
-
## November 2016
| New or changed topic | Description |
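Review bot: the January 2017 and December 2016 sections and the `>If you're looking for **update history**` pointer are deleted outright rather than edited, so the change log no longer records topics that still exist, for example `manage-windows-10-in-your-organization-modern-management.md` and `windows-store-for-business-overview.md`, neither of which is deleted in this diff. If the intent is to pull only the Cortana and Start layout XML rows, remove just those table rows and keep the remaining entries for both months; the update-history note is still accurate and should stay.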
diff --git a/windows/manage/changes-to-start-policies-in-windows-10.md b/windows/manage/changes-to-start-policies-in-windows-10.md
index 6cba8aeed7..743009e354 100644
--- a/windows/manage/changes-to-start-policies-in-windows-10.md
+++ b/windows/manage/changes-to-start-policies-in-windows-10.md
@@ -1,5 +1,5 @@
---
-title: Changes to Group Policy settings for Windows 10 Start menu (Windows 10)
+title: Changes to Group Policy settings for Windows 10 Start (Windows 10)
description: Windows 10 has a brand new Start experience.
ms.assetid: 612FB68A-3832-451F-AA97-E73791FEAA9F
keywords: ["group policy", "start menu", "start screen"]
diff --git a/windows/manage/configure-devices-without-mdm.md b/windows/manage/configure-devices-without-mdm.md
index 04ba35f499..b28734a5f6 100644
--- a/windows/manage/configure-devices-without-mdm.md
+++ b/windows/manage/configure-devices-without-mdm.md
@@ -104,14 +104,11 @@ When you run Windows ICD, you have several options for creating your package.
6. Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, type, and (if required) password for the wireless network.
7. Click **Enroll into Active Directory**.
8. Toggle **Yes** or **No** for Active Directory enrollment. If you select **Yes**, enter the credentials for an account with permissions to enroll the device. (Optional) Enter a user name and password to create a local administrator account.
-
> [!WARNING]
> If you don't create a local administrator account and the device fails to enroll in Active Directory for any reason, you will have to reimage the device and start over. As a best practice, we recommend:
- >
- >- Use a least-privileged domain account to join the device to the domain.
- >- Create a temporary administrator account to use for debugging or reprovisioning if the device fails to enroll successfully.
- >- [Use Group Policy to delete the temporary administrator account](https://blogs.technet.microsoft.com/canitpro/2014/12/10/group-policy-creating-a-standard-local-admin-account/) after the device is enrolled in Active Directory.
-
+ - Use a least-privileged domain account to join the device to the domain.
+ - Create a temporary administrator account to use for debugging or reprovisioning if the device fails to enroll successfully.
+ - [Use Group Policy to delete the temporary administrator account](https://blogs.technet.microsoft.com/canitpro/2014/12/10/group-policy-creating-a-standard-local-admin-account/) after the device is enrolled in Active Directory.
9. Click **Finish**.
10. Review your settings in the summary. You can return to previous pages to change your selections. Then, under **Protect your package**, toggle **Yes** or **No** to encrypt the provisioning package. If you select **Yes**, enter a password. This password must be entered to apply the encrypted provisioning package.
11. Click **Create**.
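Review bot: the three replacement bullets drop the leading `>`, so they fall outside the `> [!WARNING]` blockquote; the warning now ends at "we recommend:" and the least-privileged domain account, temporary administrator account and Group Policy cleanup recommendations render as a separate plain list under step 8. Keep the `>` prefix on each bullet (`> - Use a least-privileged domain account to join the device to the domain.`) so the whole recommendation stays inside the warning callout.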
diff --git a/windows/manage/configure-windows-10-taskbar.md b/windows/manage/configure-windows-10-taskbar.md
index bd5e26f4ba..8f9c046ff2 100644
--- a/windows/manage/configure-windows-10-taskbar.md
+++ b/windows/manage/configure-windows-10-taskbar.md
@@ -17,14 +17,14 @@ Starting in Windows 10, version 1607, administrators can pin additional apps to
You can specify different taskbar configurations based on device locale and region. There is no limit on the number of apps that you can pin. You specify apps using the [Application User Model ID (AUMID)](https://go.microsoft.com/fwlink/p/?LinkId=614867) or Desktop Application Link Path (the local path to the application).
-If you specify an app to be pinned that is not provisioned for the user on the computer, the pinned icon won't appear on the taskbar.
+If you specify an app to be pinned that is not installed on the computer, it won't appear on the taskbar.
-The order of apps in the XML file dictates the order of pinned apps on the taskbar from left to right, to the right of any existing apps pinned by the user.
+The order of apps in the xml file dictates order of apps on taskbar from left to right, to the right of any existing apps pinned by user.
> [!NOTE]
> In operating systems configured to use a right-to-left language, the taskbar order will be reversed.
-The following example shows how apps will be pinned: Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using the XML file to the right (green square).
+The following example shows how apps will be pinned: Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using XML to the right (green square).

@@ -41,21 +41,21 @@ To configure the taskbar:
3. Apply the layout modification XML file to devices using [Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) or a [provisioning package created in Windows Imaging and Configuration Designer (Windows ICD)](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md).
>[!IMPORTANT]
->If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user then unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration that allows users to make changes that will persist, apply your configuration by using Group Policy.
+>If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration and allow users to make changes that will persist, apply your configuration by using Group Policy.
### Tips for finding AUMID and Desktop Application Link Path
In the layout modification XML file, you will need to add entries for applications in the XML markup. In order to pin an application, you need either its AUMID or Desktop Application Link Path.
The easiest way to find this data for an application is to:
-1. Pin the application to the Start menu on a reference or testing PC.
+1. Pin the application to the Start menu
2. Open Windows PowerShell and run the `Export-StartLayout` cmdlet.
3. Open the generated XML file.
-4. Look for an entry corresponding to the app you pinned.
+4. Look for an entry corresponding to the app you pinned .
5. Look for a property labeled `AppUserModelID` or `DesktopApplicationLinkPath`.
-### Sample taskbar configuration XML file
+### Sample taskbar configuration XML
```xml
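Review bot: `+4. Look for an entry corresponding to the app you pinned .` introduces a space before the period, and `+1. Pin the application to the Start menu` drops both the trailing period and the "on a reference or testing PC" qualifier that tells the admin not to pin apps on production machines to harvest AUMIDs. The `-` versions are the correct ones; the heading change to "Sample taskbar configuration XML" is fine either way.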
@@ -75,7 +75,7 @@ The easiest way to find this data for an application is to:
```
-### Sample taskbar configuration added to Start layout XML file
+### Sample taskbar configuration added to Start layout XML
```xml
@@ -139,7 +139,7 @@ The `
settings-win.data.microsoft.com |
| [Windows Error Reporting](http://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com |
| [Online Crash Analysis](http://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) | oca.telemetry.microsoft.com |
-| OneDrive app for Windows 10 | vortex.data.microsoft.com/collect/v1 |
### Data use and access
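Review bot: the hunk header names `configure-windows-10-taskbar.md` at line 139, but the content is the telemetry endpoint table (`settings-win.data.microsoft.com`, `watson.telemetry.microsoft.com`, `oca.telemetry.microsoft.com`), so a `diff --git` file header appears to be missing before this hunk and the removed row should be checked against the right file. On the content: dropping `| OneDrive app for Windows 10 | vortex.data.microsoft.com/collect/v1 |` removes an endpoint that admins use to build proxy and firewall allow-lists for telemetry traffic; only remove the row if the OneDrive app no longer reports to that endpoint, otherwise keep it.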
diff --git a/windows/manage/connect-to-remote-aadj-pc.md b/windows/manage/connect-to-remote-aadj-pc.md
index 8424e7c1c3..b05c575380 100644
--- a/windows/manage/connect-to-remote-aadj-pc.md
+++ b/windows/manage/connect-to-remote-aadj-pc.md
@@ -25,7 +25,7 @@ From its release, Windows 10 has supported remote connections to PCs that are jo
## Set up
- Both PCs (local and remote) must be running Windows 10, version 1607. Remote connection to an Azure AD-joined PC that is running earlier versions of Windows 10 is not supported.
-- Ensure [Remote Credential Guard](../keep-secure/remote-credential-guard.md), a new feature in Windows 10, version 1607, is turned off on the client PC that you are using to connect to the remote PC.
+- Ensure [Remote Credential Guard](../keep-secure/remote-credential-guard.md), a new feature in Windows 10, version 1607, is turned off on the client PC.
- On the PC that you want to connect to:
1. Open system properties for the remote PC.
2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**.
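Review bot: "on the client PC" is ambiguous in a topic that refers to both the local and the remote PC; the `-` wording ("the client PC that you are using to connect to the remote PC") makes clear that Remote Credential Guard must be turned off on the connecting machine, not on the Azure AD-joined target. Keep the qualifier.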
diff --git a/windows/manage/cortana-at-work-crm.md b/windows/manage/cortana-at-work-crm.md
deleted file mode 100644
index 834bde8a92..0000000000
--- a/windows/manage/cortana-at-work-crm.md
+++ /dev/null
@@ -1,62 +0,0 @@
----
-title: Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization (Windows 10)
-description: How to set up Cortana to help your salespeople get proactive insights on important CRM activities, including sales leads, accounts, and opportunities; presenting the most relevant info at any given time.
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-localizationpriority: high
----
-
-# Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization
-**Applies to:**
-
-- Windows 10, Windows Insider Program
-- Windows 10 Mobile, Windows Insider Program
-
->[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
-Cortana integration is a Preview feature that's available for your test or dev environment, starting with the CRM Online 2016 Update. If you decide to use this Preview feature, you'll need to turn in on and accept the license terms. After that, your salespeople will get proactive insights from Cortana on important CRM activities, including sales leads, accounts, and opportunities; presenting the most relevant info at any given time. This can even include getting company-specific news that surfaces when the person is meeting with a representative from another company.
-
->[!NOTE]
->For more info about Dynamics CRM integration, how to turn on Cortana, and how to provide feedback, see [Preview feature: Set up Cortana integration](http://go.microsoft.com/fwlink/p/?LinkId=746819).
-
-
-
-## Turn on Cortana with Dynamics CRM in your organization
-You must be a CRM administrator to turn on and use Preview features. For more info about what Preview features are and how to use them, see [What are Preview features and how do I enable them](http://go.microsoft.com/fwlink/p/?LinkId=746817)?
-
-**To turn on Cortana with Dynamics CRM**
-
-1. Go to **Settings**, and then click **Administration**.
-
-2. Choose **System Settings**, and then click the **Previews** tab.
-
-3. Read the license terms, and if you agree, select the **I’ve read and agree to the license terms** check box.
-
-4. For each preview feature you want to enable, click **Yes**.
-
-## Turn on Cortana with Dynamics CRM on your employees’ devices
-You must tell your employees to turn on Cortana, before they’ll be able to use it with Dynamics CRM.
-
-**To turn on local Cortana with Dynamics CRM**
-
-1. Click on the **Cortana** search box in the taskbar, and then click the **Notebook** icon.
-
-2. Click on **Connected Services**, click **Dynamics CRM**, and then click **Connect**.
-
- 
-
- The employee can also disconnect by clicking **Disconnect** from the **Dynamics CRM** screen.
-
-## Turn off Cortana with Dynamics CRM
-Cortana can only access data in Dynamics CRM when it’s turned on. If you don’t want Cortana to access your corporate data, you can turn it off.
-
-**To turn off Cortana with Dynamics CRM**
-1. Go to **Settings**, and then click **Administration**.
-
-2. Choose **System Settings**, and then click the **Previews** tab.
-
-3. Click **No** for **Cortana**.
-
- All Dynamics CRM functionality related to Cortana is turned off in your organization.
\ No newline at end of file
diff --git a/windows/manage/cortana-at-work-feedback.md b/windows/manage/cortana-at-work-feedback.md
deleted file mode 100644
index ca24c22703..0000000000
--- a/windows/manage/cortana-at-work-feedback.md
+++ /dev/null
@@ -1,24 +0,0 @@
----
-title: Send feedback about Cortana at work back to Microsoft (Windows 10)
-description: How to send feedback to Microsoft about Cortana at work.
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-localizationpriority: high
----
-
-# Send feedback about Cortana at work back to Microsoft
-**Applies to:**
-
-- Windows 10, Windows Insider Program
-- Windows 10 Mobile, Windows Insider Program
-
->[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
-We ask that you report bugs and issues. To provide feedback, you can click the **Feedback** icon in the Cortana window. When you send this form to Microsoft it also includes troubleshooting info, in case you run into problems.
-
-
-
-If you don't want to use the feedback tool in Cortana, you can add feedback through the general Windows Insider Preview feedback app. For info about the Insider Preview feedback app, see [How to use Windows Insider Preview – Updates and feedback](http://windows.microsoft.com/en-us/windows/preview-updates-feedback-pc).
-
diff --git a/windows/manage/cortana-at-work-o365.md b/windows/manage/cortana-at-work-o365.md
deleted file mode 100644
index d58663dc00..0000000000
--- a/windows/manage/cortana-at-work-o365.md
+++ /dev/null
@@ -1,72 +0,0 @@
----
-title: Set up and test Cortana with Office 365 in your organization (Windows 10)
-description: How to connect Cortana to Office 365 so your employees are notified about regular meetings, unusual events, such as meetings over lunch or during a typical commute time, and about early meetings, even setting an alarm so the employee isn’t late.
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-localizationpriority: high
----
-
-# Set up and test Cortana with Office 365 in your organization
-**Applies to:**
-
-- Windows 10, Windows Insider Program
-- Windows 10 Mobile, Windows Insider Program
-
->[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
-Cortana in Windows 10 is already great at letting your employees quickly see what the day is going to look like, do meeting prep work like researching people in LinkedIn or getting documents ready, see where and when their meetings are going to be, get a sense of travel times to and from work, and even get updates from a calendar for upcoming trips.
-
-But Cortana works even harder when she connects to Office 365, helping employees to be notified about unusual events, such as meetings over lunch or during a typical commute time, and about early meetings, even setting an alarm so the employee isn’t late.
-
-
-
-We’re continuing to add more and more capabilities to Cortana so she can become even more helpful with your productivity-related tasks, such as emailing, scheduling, and other tasks that are important to help you be successful.
-
->[!NOTE]
->For a quick review of the frequently asked questions about Cortana and Office 365 integration, see the blog post, [An early look at Cortana integration with Office 365](http://go.microsoft.com/fwlink/p/?LinkId=717379).
-
-## Before you begin
-There are a few things to be aware of before you start using Cortana with Office 365 in your organization.
-
-- **Software requirements.** O365 integration with Cortana is available in all countries/regions where Cortana is supported for consumers today. This includes the United States, United Kingdom, Canada, France, Italy, Germany, Spain, China, Japan, India, and Australia. As Cortana comes to more countries, it will also become available to organizations.
-
-- **Azure Active Directory (Azure AD) account.** Before your employees can use Cortana in your org, they must be logged in using their Azure AD account through Cortana’s notebook. They must also authorize Cortana to access Office 365 on their behalf.
-
-- **Office 365 Trust Center.** Cortana isn't a service covered by the Office 365 Trust Center. [Learn more about how Cortana treats your data](http://go.microsoft.com/fwlink/p/?LinkId=536419).
-
-- **Troubleshooting tips.** If you run into issues, check out these [troubleshooting tips](http://go.microsoft.com/fwlink/p/?LinkId=620763).
-
-## Turn on Cortana with Office 365 on employees’ devices
-You must tell your employees to turn on Cortana before they’ll be able to use it with Office 365.
-
-**To turn on local Cortana with Office 365**
-
-1. Click on the **Cortana** search box in the taskbar, and then click the **Notebook** icon.
-
-2. Click on **Connected Services**, click **Office 365**, and then click **Connect**.
-
- 
-
- The employee can also disconnect by clicking **Disconnect** from the **Office 365** screen.
-
-## Turn off Cortana with Office 365
-Cortana can only access data in your Office 365 org when it’s turned on. If you don’t want Cortana to access your corporate data, you can turn it off in the Office 365 admin center.
-
-**To turn off Cortana with Office 365**
-1. [Sign in to Office 365](http://www.office.com/signin) using your Azure AD account.
-
-2. Go to the [Office 365 admin center](https://support.office.com/en-us/article/Office-365-admin-center-58537702-d421-4d02-8141-e128e3703547).
-
-3. Expand **Service Settings**, and select **Cortana**.
-
-4. Click **Cortana** to toggle Cortana off.
-
- All Office 365 functionality related to Cortana is turned off in your organization and your employees are unable to use her at work.
-
-
-
-
-
-
diff --git a/windows/manage/cortana-at-work-overview.md b/windows/manage/cortana-at-work-overview.md
deleted file mode 100644
index 96064364c3..0000000000
--- a/windows/manage/cortana-at-work-overview.md
+++ /dev/null
@@ -1,64 +0,0 @@
----
-title: Cortana integration in your business or enterprise (Windows 10)
-description: The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments.
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-localizationpriority: high
----
-
-# Cortana integration in your business or enterprise
-**Applies to:**
-
-- Windows 10, Windows Insider Program
-- Windows 10 Mobile, Windows Insider Program
-
->[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
-## Who is Cortana?
-Cortana is Microsoft’s personal digital assistant, who helps busy people get things done, even while at work.
-Cortana has powerful configuration options, specifically optimized for your business. By signing in with an Azure Active Directory (Azure AD) account, your employees can give Cortana access to their enterprise/work identity, while getting all the functionality Cortana provides to them outside of work.
-
-Using Azure AD also means that you can remove an employee’s profile (for example, when an employee leaves your organization) while respecting Windows Information Protection (WIP) policies and ignoring enterprise content, such as emails, calendar items, and people lists that are marked as enterprise data.
-
-
-
-## Where is Cortana available for use in my organization?
-You can use Cortana at work in all countries/regions where Cortana is supported for consumers. This includes the United States, United Kingdom, Canada, France, Italy, Germany, Spain, China, Japan, India, and Australia. As Cortana comes to more countries, she will also become available to enterprise customers.
-
-Cortana is available on Windows 10, Windows Insider Program and with limited functionality on Windows Phone 8.1, Windows Insider Program.
-
-## Required hardware and software
-Cortana requires the following hardware and software to successfully run the included scenario in your organization.
-
-|Hardware |Description |
-|---------|------------|
-|Microphone |For speech interaction with Cortana. If you don't have a microphone, you can still interact with Cortana by typing in the Cortana Search Box in the taskbar. |
-|Windows Phone |For location-specific reminders. You can also use a desktop device to run through this scenario, but location accuracy is usually better on phones. |
-|Desktop devices |For non-phone-related scenarios. |
-
-
-|Software |Minimum version |
-|---------|------------|
-|Client operating system |
This setting only applies to Windows 10 for desktop devices. |
-|Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow input personalization|Privacy/AllowInputPersonalization|Specifies whether an employee can use voice commands with Cortana in your organization.
Cortana won’t work if this setting is turned off (disabled).
Cortana still works if this setting is turned off (disabled).|
-|None|System/AllowLocation|Specifies whether to allow app access to the Location service.
Cortana won’t work if this setting is turned off (disabled).
Cortana still works if this setting is turned off (disabled).|
-|None|Accounts/AllowMicrosoftAccountConnection|Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps.
This setting only applies to Windows 10 Mobile.|
-|User Configuration\Administrative Templates\Windows Components\File Explorer\Turn off display of recent search entries in the File Explorer search box|None|Specifies whether the search box can suggest recent queries and prevent entries from being stored in the registry for future reference.|
-|Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results|None|Specifies whether search can perform queries on the web and if the web results are displayed in search.
This setting can’t be managed.
Cortana won't work if this setting is turned off (disabled).|
-|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana|Experience/AllowCortana|Specifies whether employees can use Cortana.
Cortana won’t work if this setting is turned off (disabled). However, employees can still perform local searches even with Cortana turned off.|
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/windows/manage/cortana-at-work-powerbi.md b/windows/manage/cortana-at-work-powerbi.md
deleted file mode 100644
index 98b90f572f..0000000000
--- a/windows/manage/cortana-at-work-powerbi.md
+++ /dev/null
@@ -1,138 +0,0 @@
----
-title: Set up and test Cortana for Power BI in your organization (Windows 10)
-description: How to integrate Cortana with Power BI to help your employees get answers directly from your key business data.
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-localizationpriority: high
----
-
-# Set up and test Cortana for Power BI in your organization
-**Applies to:**
-
-- Windows 10, Windows Insider Program
-- Windows 10 Mobile, Windows Insider Program
-
->[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
-Integration between Cortana and Power BI shows how Cortana can work with custom business analytics solutions to enable you to get answers directly from your key business data, including introducing new features that let you create custom Cortana “answers” using the full capabilities of Power BI Desktop.
-
->[!Note]
->Cortana for Power BI is currently only available in English. For more info about Cortana and Power BI, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/en-us/documentation/powerbi-service-cortana-desktop-entity-cards/).
-
-## Before you begin
-To use this walkthrough, you’ll need:
-
-- **Windows 10**. You’ll need to be running at least Windows 10 with the latest version from the Windows Insider Program.
-
-- **Cortana**. You need to have Cortana turned on and be logged into your account.
-
-- **Power BI account with data**. You can use an existing Power BI account, or else you can get a trial account by signing up at http://powerbi.com. Just make sure that either way, you enter some data that you can use.
-
-- **Azure Active Directory (Azure AD)/Work or School account**. You can use the account that you created for Office 365, or you can create a new one while you’re establishing your Power BI account. If you choose to use Azure AD, you must connect your Azure AD account to your Windows account.
-
- **To connect your account to Windows**
- a. Open **Windows Settings**, click **Accounts**, click **Access work or school**, and then in the **Connect to work or school** section, click **Connect**.
-
- b. Follow the instructions to add your Azure Active Directory (Azure AD) account to Windows.
-
-## Set up your test environment for Cortana for Power BI
-Before you can start this testing scenario, you must first set up your test environment and data, and then you must turn on and set up Cortana to connect and work with Power BI.
-
-**To set up your test environment with Cortana and Power BI**
-
-1. Go to http://powerbi.com and sign-in with the same O365 credentials you used in the Set up and use Cortana with Office 365 topic.
-
-2. Expand the left rail by clicking the **Show the navigation pane** icon.
-
- 
-
-3. Click **Get Data** from the left-hand navigation in Power BI.
-
- 
-
-4. Click **Samples** from the **Content Pack Library** area of the **Get Data** screen.
-
- 
-
-5. Click **Retail Analysis Sample**, and then click **Connect**.
-
- 
-
- The sample data is imported and you’re returned to the **Power BI** screen.
-
-6. Click **Dashboards** from the left pane of the **Power BI** screen, and then click **Retail Analysis Sample**.
-
- 
-
-7. In the upper right-hand menu, click the **Settings** icon, and then click **Settings**.
-
- 
-
-8. Click the **Datasets** tab, and then pick the **Retail Analysis Sample** dataset from the list.
-
-9. Click **Q&A and Cortana**, check the **Allow Cortana to access this dataset** box, and then click **Apply**.
-
- 
-
- >[!NOTE]
- >It can take up to 30 minutes for a new dataset to appear for Power BI and Cortana. Logging in and out of Windows 10, or otherwise restarting Cortana, causes the new content to appear immediately.