Summary | Originating update | Status | Last updated |
Certain operations performed on a Cluster Shared Volume may fail Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, "STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)". See details > | OS Build 10240.18094 January 08, 2019 KB4480962 | Mitigated | April 25, 2019 02:00 PM PT |
MSXML6 may cause applications to stop responding MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode(). See details > | OS Build 10240.18094 January 08, 2019 KB4480962 | Resolved KB4493475 | April 09, 2019 10:00 AM PT |
Custom URI schemes may not start corresponding application Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer. See details > | OS Build 10240.18158 March 12, 2019 KB4489872 | Resolved KB4493475 | April 09, 2019 10:00 AM PT |
Embedded objects may display incorrectly Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. See details > | OS Build 10240.18132 February 12, 2019 KB4487018 | Resolved KB4493475 | April 09, 2019 10:00 AM PT |
Details | Originating update | Status | History |
Custom URI schemes may not start corresponding application After installing KB4489872, Custom URI Schemes for Application Protocol handlers may not start the corresponding application for local intranet and trusted sites on Internet Explorer. Affected platforms:
Resolution: This issue was resolved in KB4493475. Back to top | OS Build 10240.18158 March 12, 2019 KB4489872 | Resolved KB4493475 | Resolved: April 09, 2019 10:00 AM PT Opened: March 12, 2019 10:00 AM PT |
Details | Originating update | Status | History |
Embedded objects may display incorrectly Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. Affected platforms:
Resolution: This issue is resolved in KB4493475. Back to top | OS Build 10240.18132 February 12, 2019 KB4487018 | Resolved KB4493475 | Resolved: April 09, 2019 10:00 AM PT Opened: February 12, 2019 10:00 AM PT |
Details | Originating update | Status | History |
Certain operations performed on a Cluster Shared Volume may fail Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, "STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)". This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege. Affected platforms:
Workaround: Do one of the following:
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release. Back to top | OS Build 10240.18094 January 08, 2019 KB4480962 | Mitigated | Last updated: April 25, 2019 02:00 PM PT Opened: January 08, 2019 10:00 AM PT |
MSXML6 may cause applications to stop responding After installing KB4480962, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode(). The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings. Affected platforms:
Resolution: This issue was resolved in KB4493475. Back to top | OS Build 10240.18094 January 08, 2019 KB4480962 | Resolved KB4493475 | Resolved: April 09, 2019 10:00 AM PT Opened: January 08, 2019 10:00 AM PT |
Summary | Originating update | Status | Last updated |
Zone transfers over TCP may fail Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail. See details > | OS Build 14393.2941 April 25, 2019 KB4493473 | Investigating | April 25, 2019 02:00 PM PT |
Layout and cell size of Excel sheets may change when using MS UI Gothic When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. See details > | OS Build 14393.2931 April 25, 2019 KB4492241 | Mitigated | May 10, 2019 10:35 AM PT |
Cluster service may fail if the minimum password length is set to greater than 14 The cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the Group Policy “Minimum Password Length” is configured with greater than 14 characters. See details > | OS Build 14393.2639 November 27, 2018 KB4467684 | Mitigated | April 25, 2019 02:00 PM PT |
Issue using PXE to start a device from WDS There may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. See details > | OS Build 14393.2848 March 12, 2019 KB4489882 | Mitigated | April 25, 2019 02:00 PM PT |
SCVMM cannot enumerate and manage logical switches deployed on the host For hosts managed by System Center Virtual Machine Manager (VMM), VMM cannot enumerate and manage logical switches deployed on the host. See details > | OS Build 14393.2639 November 27, 2018 KB4467684 | Mitigated | April 25, 2019 02:00 PM PT |
Certain operations performed on a Cluster Shared Volume may fail Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, "STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)". See details > | OS Build 14393.2724 January 08, 2019 KB4480961 | Mitigated | April 25, 2019 02:00 PM PT |
Windows may not start on certain Lenovo and Fujitsu laptops with less than 8GB of RAM Windows may fail to start on certain Lenovo and Fujitsu laptops that have less than 8 GB of RAM. See details > | OS Build 14393.2608 November 13, 2018 KB4467691 | Mitigated | February 19, 2019 10:00 AM PT |
Custom URI schemes may not start corresponding application Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer. See details > | OS Build 14393.2848 March 12, 2019 KB4489882 | Resolved KB4493473 | April 25, 2019 02:00 PM PT |
End-user-defined characters (EUDC) may cause blue screen at startup If you enable per font end-user-defined characters (EUDC), the system will stop working and a blue screen may appear at startup. See details > | OS Build 14393.2879 March 19, 2019 KB4489889 | Resolved KB4493470 | April 09, 2019 10:00 AM PT |
Internet Explorer 11 authentication issue with multiple concurrent logons Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine. See details > | OS Build 14393.2724 January 08, 2019 KB4480961 | Resolved KB4493470 | April 09, 2019 10:00 AM PT |
MSXML6 may cause applications to stop responding MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode(). See details > | OS Build 14393.2724 January 08, 2019 KB4480961 | Resolved KB4493470 | April 09, 2019 10:00 AM PT |
Embedded objects may display incorrectly Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. See details > | OS Build 14393.2791 February 12, 2019 KB4487026 | Resolved KB4493470 | April 09, 2019 10:00 AM PT |
Details | Originating update | Status | History |
Layout and cell size of Excel sheets may change when using MS UI Gothic When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic. Affected platforms:
Workaround: Until a resolution is released, we recommend switching to a different Japanese font, such as Yu Gothic or MS Mincho. Alternatively, you can uninstall the optional update. Next steps: Microsoft is working on a resolution and estimates a solution will be available in mid-May. Back to top | OS Build 14393.2931 April 25, 2019 KB4492241 | Mitigated | Last updated: May 10, 2019 10:35 AM PT Opened: May 10, 2019 10:35 AM PT |
Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No
Details | Originating update | Status | History |
Embedded objects may display incorrectly Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. Affected platforms:
Resolution: This issue is resolved in KB4493470. Back to top | OS Build 14393.2791 February 12, 2019 KB4487026 | Resolved KB4493470 | Resolved: April 09, 2019 10:00 AM PT Opened: February 12, 2019 10:00 AM PT |
Details | Originating update | Status | History |
Certain operations performed on a Cluster Shared Volume may fail Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, "STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)". This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege. Affected platforms:
Workaround: Do one of the following:
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release. Back to top | OS Build 14393.2724 January 08, 2019 KB4480961 | Mitigated | Last updated: April 25, 2019 02:00 PM PT Opened: January 08, 2019 10:00 AM PT |
Internet Explorer 11 authentication issue with multiple concurrent logons After installing KB4480961, Internet Explorer 11 and other applications that use WININET.DLL may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:
Affected platforms:
Resolution: This issue was resolved in KB4493470. Back to top | OS Build 14393.2724 January 08, 2019 KB4480961 | Resolved KB4493470 | Resolved: April 09, 2019 10:00 AM PT Opened: January 08, 2019 10:00 AM PT |
MSXML6 may cause applications to stop responding After installing KB4480961, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode(). The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings. Affected platforms:
Resolution: This issue was resolved in KB4493470. Back to top | OS Build 14393.2724 January 08, 2019 KB4480961 | Resolved KB4493470 | Resolved: April 09, 2019 10:00 AM PT Opened: January 08, 2019 10:00 AM PT |
Summary | Originating update | Status | Last updated |
Layout and cell size of Excel sheets may change when using MS UI Gothic When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. See details > | OS Build 15063.1771 April 25, 2019 KB4492242 | Mitigated | May 10, 2019 10:35 AM PT |
Certain operations performed on a Cluster Shared Volume may fail Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, "STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)". See details > | OS Build 15063.1563 January 08, 2019 KB4480973 | Mitigated | April 25, 2019 02:00 PM PT |
Custom URI schemes may not start corresponding application Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer. See details > | OS Build 15063.1689 March 12, 2019 KB4489871 | Resolved KB4493436 | April 25, 2019 02:00 PM PT |
End-user-defined characters (EUDC) may cause blue screen at startup If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup. See details > | OS Build 15063.1716 March 19, 2019 KB4489888 | Resolved KB4493474 | April 09, 2019 10:00 AM PT |
MSXML6 may cause applications to stop responding MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode(). See details > | OS Build 15063.1563 January 08, 2019 KB4480973 | Resolved KB4493474 | April 09, 2019 10:00 AM PT |
Embedded objects may display incorrectly Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. See details > | OS Build 15063.1631 February 12, 2019 KB4487020 | Resolved KB4493474 | April 09, 2019 10:00 AM PT |
Details | Originating update | Status | History |
Layout and cell size of Excel sheets may change when using MS UI Gothic When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic. Affected platforms:
Workaround: Until a resolution is released, we recommend switching to a different Japanese font, such as Yu Gothic or MS Mincho. Alternatively, you can uninstall the optional update. Next steps: Microsoft is working on a resolution and estimates a solution will be available in mid-May. Back to top | OS Build 15063.1771 April 25, 2019 KB4492242 | Mitigated | Last updated: May 10, 2019 10:35 AM PT Opened: May 10, 2019 10:35 AM PT |
Details | Originating update | Status | History |
Custom URI schemes may not start corresponding application After installing KB4489871, custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites security zones on Internet Explorer. Affected platforms:
Resolution: This issue is resolved in KB4493436. Back to top | OS Build 15063.1689 March 12, 2019 KB4489871 | Resolved KB4493436 | Resolved: April 25, 2019 02:00 PM PT Opened: March 12, 2019 10:00 AM PT |
End-user-defined characters (EUDC) may cause blue screen at startup If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup. This is not a common setting in non-Asian regions. Affected platforms:
Resolution: This issue was resolved in KB4493474. Back to top | OS Build 15063.1716 March 19, 2019 KB4489888 | Resolved KB4493474 | Resolved: April 09, 2019 10:00 AM PT Opened: March 19, 2019 10:00 AM PT |
Details | Originating update | Status | History |
Embedded objects may display incorrectly Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. Affected platforms:
Resolution: This issue is resolved in KB4493474. Back to top | OS Build 15063.1631 February 12, 2019 KB4487020 | Resolved KB4493474 | Resolved: April 09, 2019 10:00 AM PT Opened: February 12, 2019 10:00 AM PT |
Details | Originating update | Status | History |
Certain operations performed on a Cluster Shared Volume may fail Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege. Affected platforms:
Workaround: Do one of the following:
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release. Back to top | OS Build 15063.1563 January 08, 2019 KB4480973 | Mitigated | Last updated: April 25, 2019 02:00 PM PT Opened: January 08, 2019 10:00 AM PT |
MSXML6 may cause applications to stop responding After installing KB4480973, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode(). The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings. Affected platforms:
Resolution: This issue was resolved in KB4493474. Back to top | OS Build 15063.1563 January 08, 2019 KB4480973 | Resolved KB4493474 | Resolved: April 09, 2019 10:00 AM PT Opened: January 08, 2019 10:00 AM PT |
Summary | Originating update | Status | Last updated |
Zone transfers over TCP may fail Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail. See details > | OS Build 16299.1127 April 25, 2019 KB4493440 | Investigating | April 25, 2019 02:00 PM PT |
Layout and cell size of Excel sheets may change when using MS UI Gothic When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. See details > | OS Build 16299.1111 April 25, 2019 KB4492243 | Mitigated | May 10, 2019 10:35 AM PT |
Certain operations performed on a Cluster Shared Volume may fail Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, "STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)". See details > | OS Build 16299.904 January 08, 2019 KB4480978 | Mitigated | April 25, 2019 02:00 PM PT |
Custom URI schemes may not start corresponding application Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer. See details > | OS Build 16299.1029 March 12, 2019 KB4489886 | Resolved KB4493440 | April 25, 2019 02:00 PM PT |
End-user-defined characters (EUDC) may cause blue screen at startup If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup. See details > | OS Build 16299.1059 March 19, 2019 KB4489890 | Resolved KB4493441 | April 09, 2019 10:00 AM PT |
MSXML6 causes applications to stop responding if an exception was thrown MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode(). See details > | OS Build 16299.904 January 08, 2019 KB4480978 | Resolved KB4493441 | April 09, 2019 10:00 AM PT |
Stop error when attempting to start SSH from WSL A stop error occurs when attempting to start Secure Shell from Windows Subsystem for Linux with agent forwarding using a command line switch (ssh -A) or a configuration setting. See details > | OS Build 16299.1029 March 12, 2019 KB4489886 | Resolved KB4493441 | April 09, 2019 10:00 AM PT |
Embedded objects may display incorrectly Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. See details > | OS Build 16299.967 February 12, 2019 KB4486996 | Resolved KB4493441 | April 09, 2019 10:00 AM PT |
Details | Originating update | Status | History |
Layout and cell size of Excel sheets may change when using MS UI Gothic When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic. Affected platforms:
Workaround: Until a resolution is released, we recommend switching to a different Japanese font, such as Yu Gothic or MS Mincho. Alternatively, you can uninstall the optional update. Next steps: Microsoft is working on a resolution and estimates a solution will be available in mid-May. Back to top | OS Build 16299.1111 April 25, 2019 KB4492243 | Mitigated | Last updated: May 10, 2019 10:35 AM PT Opened: May 10, 2019 10:35 AM PT |
Details | Originating update | Status | History |
Custom URI schemes may not start corresponding application After installing KB4489886, custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites security zones on Internet Explorer. Affected platforms:
Resolution: This issue is resolved in KB4493440. Back to top | OS Build 16299.1029 March 12, 2019 KB4489886 | Resolved KB4493440 | Resolved: April 25, 2019 02:00 PM PT Opened: March 12, 2019 10:00 AM PT |
End-user-defined characters (EUDC) may cause blue screen at startup If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup. This is not a common setting in non-Asian regions. Affected platforms:
Resolution: This issue is resolved in KB4493441. Back to top | OS Build 16299.1059 March 19, 2019 KB4489890 | Resolved KB4493441 | Resolved: April 09, 2019 10:00 AM PT Opened: March 19, 2019 10:00 AM PT |
Stop error when attempting to start SSH from WSL After applying KB4489886, a stop error occurs when attempting to start the Secure Shell (SSH) client program from Windows Subsystem for Linux (WSL) with agent forwarding enabled using a command line switch (ssh -A) or a configuration setting. Affected platforms:
Resolution: This issue is resolved in KB4493441. Back to top | OS Build 16299.1029 March 12, 2019 KB4489886 | Resolved KB4493441 | Resolved: April 09, 2019 10:00 AM PT Opened: March 12, 2019 10:00 AM PT |
Details | Originating update | Status | History |
Embedded objects may display incorrectly Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. Affected platforms:
Resolution: This issue is resolved in KB4493441. Back to top | OS Build 16299.967 February 12, 2019 KB4486996 | Resolved KB4493441 | Resolved: April 09, 2019 10:00 AM PT Opened: February 12, 2019 10:00 AM PT |
Details | Originating update | Status | History |
Certain operations performed on a Cluster Shared Volume may fail Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, "STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)". This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege. Affected platforms:
Workaround: Do one of the following:
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release. Back to top | OS Build 16299.904 January 08, 2019 KB4480978 | Mitigated | Last updated: April 25, 2019 02:00 PM PT Opened: January 08, 2019 10:00 AM PT |
MSXML6 causes applications to stop responding if an exception was thrown After installing KB4480978, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode(). The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings. Affected platforms:
Resolution: This issue is resolved in KB4493441. Back to top | OS Build 16299.904 January 08, 2019 KB4480978 | Resolved KB4493441 | Resolved: April 09, 2019 10:00 AM PT Opened: January 08, 2019 10:00 AM PT |
Summary | Originating update | Status | Last updated |
Zone transfers over TCP may fail Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail. See details > | OS Build 17134.753 April 25, 2019 KB4493437 | Investigating | April 25, 2019 02:00 PM PT |
Layout and cell size of Excel sheets may change when using MS UI Gothic When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. See details > | OS Build 17134.730 April 25, 2019 KB4492245 | Mitigated | May 10, 2019 10:35 AM PT |
Issue using PXE to start a device from WDS Using PXE to start a device from a WDS server configured to use Variable Window Extension may cause the connection to the WDS server to terminate prematurely. See details > | OS Build 17134.648 March 12, 2019 KB4489868 | Mitigated | April 25, 2019 02:00 PM PT |
Certain operations performed on a Cluster Shared Volume may fail Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, "STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)". See details > | OS Build 17134.523 January 08, 2019 KB4480966 | Mitigated | April 25, 2019 02:00 PM PT |
Custom URI schemes may not start corresponding application Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer. See details > | OS Build 17134.648 March 12, 2019 KB4489868 | Resolved KB4493437 | April 25, 2019 02:00 PM PT |
End-user-defined characters (EUDC) may cause blue screen at startup If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup. See details > | OS Build 17134.677 March 19, 2019 KB4489894 | Resolved KB4493464 | April 09, 2019 10:00 AM PT |
First character of the Japanese era name not recognized The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues. See details > | OS Build 17134.556 January 15, 2019 KB4480976 | Resolved KB4487029 | April 09, 2019 10:00 AM PT |
MSXML6 may cause applications to stop responding MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode(). See details > | OS Build 17134.523 January 08, 2019 KB4480966 | Resolved KB4493464 | April 09, 2019 10:00 AM PT |
Stop error when attempting to start SSH from WSL A stop error occurs when attempting to start Secure Shell from Windows Subsystem for Linux with agent forwarding using a command line switch (ssh -A) or a configuration setting. See details > | OS Build 17134.648 March 12, 2019 KB4489868 | Resolved KB4493464 | April 09, 2019 10:00 AM PT |
Embedded objects may display incorrectly Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. See details > | OS Build 17134.590 February 12, 2019 KB4487017 | Resolved KB4493464 | April 09, 2019 10:00 AM PT |
Details | Originating update | Status | History |
Layout and cell size of Excel sheets may change when using MS UI Gothic When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic. Affected platforms:
Workaround: Until a resolution is released, we recommend switching to a different Japanese font, such as Yu Gothic or MS Mincho. Alternatively, you can uninstall the optional update. Next steps: Microsoft is working on a resolution and estimates a solution will be available in mid-May. Back to top | OS Build 17134.730 April 25, 2019 KB4492245 | Mitigated | Last updated: May 10, 2019 10:35 AM PT Opened: May 10, 2019 10:35 AM PT |
Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No
Details | Originating update | Status | History |
Embedded objects may display incorrectly Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. Affected platforms:
Resolution: This issue is resolved in KB4493464. Back to top | OS Build 17134.590 February 12, 2019 KB4487017 | Resolved KB4493464 | Resolved: April 09, 2019 10:00 AM PT Opened: February 12, 2019 10:00 AM PT |
Details | Originating update | Status | History |
Certain operations performed on a Cluster Shared Volume may fail Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, "STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)". This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege. Affected platforms:
Workaround: Do one of the following:
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release. Back to top | OS Build 17134.523 January 08, 2019 KB4480966 | Mitigated | Last updated: April 25, 2019 02:00 PM PT Opened: January 08, 2019 10:00 AM PT |
First character of the Japanese era name not recognized After installing KB4480976, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues. Affected platforms:
Resolution: This issue is resolved in KB4487029. Back to top | OS Build 17134.556 January 15, 2019 KB4480976 | Resolved KB4487029 | Resolved: February 19, 2019 02:00 PM PT Opened: January 08, 2019 10:00 AM PT |
MSXML6 may cause applications to stop responding After installing KB4480966, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode(). The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings. Affected platforms:
Resolution: This issue was resolved in KB4493464. Back to top | OS Build 17134.523 January 08, 2019 KB4480966 | Resolved KB4493464 | Resolved: April 09, 2019 10:00 AM PT Opened: January 08, 2019 10:00 AM PT |
Summary | Originating update | Status | Last updated |
Layout and cell size of Excel sheets may change when using MS UI Gothic When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. See details > | OS Build 17763.475 May 03, 2019 KB4495667 | Mitigated | May 10, 2019 10:35 AM PT |
Devices with some Asian language packs installed may receive an error After installing KB4493509, devices with some Asian language packs installed may receive the error, "0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_F See details > | OS Build 17763.437 April 09, 2019 KB4493509 | Mitigated | May 03, 2019 10:59 AM PT |
Printing from Microsoft Edge or other UWP apps, you may receive the error 0x80070007 Attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) applications, you may receive an error. See details > | OS Build 17763.379 March 12, 2019 KB4489899 | Mitigated | May 02, 2019 04:47 PM PT |
Issue using PXE to start a device from WDS Using PXE to start a device from a WDS server configured to use Variable Window Extension may cause the connection to the WDS server to terminate prematurely. See details > | OS Build 17763.379 March 12, 2019 KB4489899 | Mitigated | April 09, 2019 10:00 AM PT |
Latest cumulative update (KB 4495667) installs automatically Reports that the optional cumulative update (KB 4495667) installs automatically. See details > | OS Build 17763.475 May 03, 2019 KB4495667 | Resolved | May 08, 2019 03:37 PM PT |
System may be unresponsive after restart if ArcaBit antivirus software installed After further investigation ArcaBit has confirmed this issue is not applicable to Windows 10, version 1809 See details > | OS Build 17763.437 April 09, 2019 KB4493509 | Resolved | May 08, 2019 03:30 PM PT |
Custom URI schemes may not start corresponding application Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer. See details > | OS Build 17763.379 March 12, 2019 KB4489899 | Resolved KB4495667 | May 03, 2019 12:40 PM PT |
End-user-defined characters (EUDC) may cause blue screen at startup If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup. See details > | OS Build 17763.404 April 02, 2019 KB4490481 | Resolved KB4493509 | April 09, 2019 10:00 AM PT |
Internet Explorer 11 authentication issue with multiple concurrent logons Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine. See details > | OS Build 17763.253 January 08, 2019 KB4480116 | Resolved KB4493509 | April 09, 2019 10:00 AM PT |
MSXML6 may cause applications to stop responding MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode(). See details > | OS Build 17763.253 January 08, 2019 KB4480116 | Resolved KB4493509 | April 09, 2019 10:00 AM PT |
Embedded objects may display incorrectly Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. See details > | OS Build 17763.316 February 12, 2019 KB4487044 | Resolved KB4493509 | April 09, 2019 10:00 AM PT |
Details | Originating update | Status | History |
Layout and cell size of Excel sheets may change when using MS UI Gothic When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic. Affected platforms:
Workaround: Until a resolution is released, we recommend switching to a different Japanese font, such as Yu Gothic or MS Mincho. Alternatively, you can uninstall the optional update. Next steps: Microsoft is working on a resolution and estimates a solution will be available in mid-May. Back to top | OS Build 17763.475 May 03, 2019 KB4495667 | Mitigated | Last updated: May 10, 2019 10:35 AM PT Opened: May 10, 2019 10:35 AM PT |
Devices with some Asian language packs installed may receive an error After installing the April 2019 Cumulative Update (KB4493509), devices with some Asian language packs installed may receive the error, "0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND." Affected platforms:
Workaround:
Note: If reinstalling the language pack does not mitigate the issue, reset your PC as follows:
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release. Back to top | OS Build 17763.437 April 09, 2019 KB4493509 | Mitigated | Last updated: May 03, 2019 10:59 AM PT Opened: May 02, 2019 04:36 PM PT |
Printing from Microsoft Edge or other UWP apps, you may receive the error 0x80070007 When attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) applications, you may receive the error, "Your printer has experienced an unexpected configuration problem. 0x80070007e." Affected platforms:
Workaround: You can use another browser, such as Internet Explorer, to print your documents. Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release. Back to top | OS Build 17763.379 March 12, 2019 KB4489899 | Mitigated | Last updated: May 02, 2019 04:47 PM PT Opened: May 02, 2019 04:47 PM PT |
Latest cumulative update (KB 4495667) installs automatically Due to a servicing-side issue, some users were offered KB4495667 (optional update) automatically and rebooted devices. This issue has been mitigated. Affected platforms:
Resolution: This issue has been mitigated on the servicing side to prevent automatic installation of this update. Customers do not need to take any action. Back to top | OS Build 17763.475 May 03, 2019 KB4495667 | Resolved | Resolved: May 08, 2019 03:37 PM PT Opened: May 05, 2019 12:01 PM PT |
Details | Originating update | Status | History |
System may be unresponsive after restart if ArcaBit antivirus software installed ArcaBit has confirmed this issue is not applicable to Windows 10, version 1809 (client or server). Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart. Affected platforms:
Workaround: ArcaBit has released an update to address this issue for affected platforms. For more information, see the ArcaBit support article. Resolution: This issue has been resolved. ArcaBit has confirmed this issue is not applicable to Windows 10, version 1809 (client or server). Back to top | OS Build 17763.437 April 09, 2019 KB4493509 | Resolved | Resolved: May 08, 2019 03:30 PM PT Opened: April 09, 2019 10:00 AM PT |
End-user-defined characters (EUDC) may cause blue screen at startup If you enable per font end-user-defined characters (EUDC), the system will stop working and a blue screen may appear at startup. This is not a common setting in non-Asian regions. Affected platforms:
Resolution: This issue was resolved in KB4493509. Back to top | OS Build 17763.404 April 02, 2019 KB4490481 | Resolved KB4493509 | Resolved: April 09, 2019 10:00 AM PT Opened: April 02, 2019 10:00 AM PT |
Details | Originating update | Status | History |
Embedded objects may display incorrectly Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. Affected platforms:
Resolution: This issue is resolved in KB4493509. Back to top | OS Build 17763.316 February 12, 2019 KB4487044 | Resolved KB4493509 | Resolved: April 09, 2019 10:00 AM PT Opened: February 12, 2019 10:00 AM PT |
Details | Originating update | Status | History |
Certain operations performed on a Cluster Shared Volume may fail Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, "STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)". This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege. Affected platforms:
Workaround: Do one of the following:
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release. Back to top | OS Build 17763.253 January 08, 2019 KB4480116 | Mitigated | Last updated: April 09, 2019 10:00 AM PT Opened: January 08, 2019 10:00 AM PT |
Internet Explorer 11 authentication issue with multiple concurrent logons After installing KB4480116, Internet Explorer 11 and other applications that use WININET.DLL may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:
Affected platforms:
Resolution: This issue was resolved in KB4493509. Back to top | OS Build 17763.253 January 08, 2019 KB4480116 | Resolved KB4493509 | Resolved: April 09, 2019 10:00 AM PT Opened: January 08, 2019 10:00 AM PT |
MSXML6 may cause applications to stop responding After installing KB4480116, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode(). The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings. Affected platforms:
Resolution: This issue was resolved in KB4493509. Back to top | OS Build 17763.253 January 08, 2019 KB4480116 | Resolved KB4493509 | Resolved: April 09, 2019 10:00 AM PT Opened: January 08, 2019 10:00 AM PT |
Summary | Originating update | Status | Last updated |
Layout and cell size of Excel sheets may change when using MS UI Gothic When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. See details > | April 25, 2019 KB4493453 | Mitigated | May 10, 2019 10:35 AM PT |
System may be unresponsive after restart if ArcaBit antivirus software installed Devices with ArcaBit antivirus software installed may become unresponsive upon restart. See details > | April 09, 2019 KB4493472 | Mitigated | May 08, 2019 03:29 PM PT |
System may be unresponsive after restart if Avira antivirus software installed Devices with Avira antivirus software installed may become unresponsive upon restart. See details > | April 09, 2019 KB4493472 | Mitigated | May 03, 2019 08:50 AM PT |
Authentication may fail for services after the Kerberos ticket expires Authentication may fail for services that require unconstrained delegation after the Kerberos ticket expires. See details > | March 12, 2019 KB4489878 | Mitigated | April 25, 2019 02:00 PM PT |
System unresponsive after restart if Sophos Endpoint Protection installed Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart. See details > | April 09, 2019 KB4493472 | Mitigated | April 25, 2019 02:00 PM PT |
System may be unresponsive after restart with certain McAfee antivirus products Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup. See details > | April 09, 2019 KB4493472 | Mitigated | April 25, 2019 02:00 PM PT |
Devices may not respond at login or Welcome screen if running certain Avast software Devices running Avast for Business, Avast CloudCare, and AVG Business Edition antivirus software may become unresponsive after restart. See details > | April 09, 2019 KB4493472 | Resolved | April 25, 2019 02:00 PM PT |
Internet Explorer 11 authentication issue with multiple concurrent logons Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine. See details > | January 08, 2019 KB4480970 | Resolved KB4493472 | April 09, 2019 10:00 AM PT |
Custom URI schemes may not start corresponding application Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer. See details > | March 12, 2019 KB4489878 | Resolved KB4493472 | April 09, 2019 10:00 AM PT |
NETDOM.EXE fails to run NETDOM.EXE fails to run and the error, “The command failed to complete successfully.” appears on screen. See details > | March 12, 2019 KB4489878 | Resolved KB4493472 | April 09, 2019 10:00 AM PT |
Embedded objects may display incorrectly Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. See details > | February 12, 2019 KB4486563 | Resolved KB4493472 | April 09, 2019 10:00 AM PT |
Details | Originating update | Status | History |
Layout and cell size of Excel sheets may change when using MS UI Gothic When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic. Affected platforms:
Workaround: Until a resolution is released, we recommend switching to a different Japanese font, such as Yu Gothic or MS Mincho. Alternatively, you can uninstall the optional update. Next steps: Microsoft is working on a resolution and estimates a solution will be available in mid-May. Back to top | April 25, 2019 KB4493453 | Mitigated | Last updated: May 10, 2019 10:35 AM PT Opened: May 10, 2019 10:35 AM PT |
Details | Originating update | Status | History |
Authentication may fail for services after the Kerberos ticket expires After installing KB4489878, some customers report that authentication fails for services that require unconstrained delegation after the Kerberos ticket expires (the default is 10 hours). For example, the SQL server service fails. Affected platforms:
Workaround: To mitigate this issue, use one of the following options:
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release. Back to top | March 12, 2019 KB4489878 | Mitigated | Last updated: April 25, 2019 02:00 PM PT Opened: March 12, 2019 10:00 AM PT |
Custom URI schemes may not start corresponding application After installing KB4489878, custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites on Internet Explorer. Affected platforms:
Resolution: This issue is resolved in KB4493472. Back to top | March 12, 2019 KB4489878 | Resolved KB4493472 | Resolved: April 09, 2019 10:00 AM PT Opened: March 12, 2019 10:00 AM PT |
NETDOM.EXE fails to run After installing KB4489878, NETDOM.EXE fails to run, and the on-screen error, “The command failed to complete successfully.” appears. Affected platforms:
Resolution: This issue is resolved in KB4493472. Back to top | March 12, 2019 KB4489878 | Resolved KB4493472 | Resolved: April 09, 2019 10:00 AM PT Opened: March 12, 2019 10:00 AM PT |
Details | Originating update | Status | History |
Embedded objects may display incorrectly Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. Affected platforms:
Resolution: This issue is resolved in KB4493472. Back to top | February 12, 2019 KB4486563 | Resolved KB4493472 | Resolved: April 09, 2019 10:00 AM PT Opened: February 12, 2019 10:00 AM PT |
Details | Originating update | Status | History |
Internet Explorer 11 authentication issue with multiple concurrent logons After installing KB4480970, Internet Explorer 11 and other applications that use WININET.DLL may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:
Affected platforms:
Resolution: This issue is resolved in KB4493472. Back to top | January 08, 2019 KB4480970 | Resolved KB4493472 | Resolved: April 09, 2019 10:00 AM PT Opened: January 08, 2019 10:00 AM PT |
Summary | Originating update | Status | Last updated |
Layout and cell size of Excel sheets may change when using MS UI Gothic When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. See details > | April 25, 2019 KB4493443 | Mitigated | May 10, 2019 10:35 AM PT |
System may be unresponsive after restart if ArcaBit antivirus software installed Devices with ArcaBit antivirus software installed may become unresponsive upon restart. See details > | April 09, 2019 KB4493446 | Mitigated | May 08, 2019 03:29 PM PT |
System may be unresponsive after restart if Avira antivirus software installed Devices with Avira antivirus software installed may become unresponsive upon restart. See details > | April 09, 2019 KB4493446 | Mitigated | May 03, 2019 08:50 AM PT |
Issue using PXE to start a device from WDS There may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. See details > | March 12, 2019 KB4489881 | Mitigated | April 25, 2019 02:00 PM PT |
Certain operations performed on a Cluster Shared Volume may fail Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. See details > | January 08, 2019 KB4480963 | Mitigated | April 25, 2019 02:00 PM PT |
System may be unresponsive after restart with certain McAfee antivirus products Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup. See details > | April 09, 2019 KB4493446 | Mitigated | April 18, 2019 05:00 PM PT |
Devices may not respond at login or Welcome screen if running certain Avast software Devices running Avast for Business, Avast CloudCare, and AVG Business Edition antivirus software may become unresponsive after restart. See details > | April 09, 2019 KB4493446 | Resolved | April 25, 2019 02:00 PM PT |
Internet Explorer 11 authentication issue with multiple concurrent logons Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine. See details > | January 08, 2019 KB4480963 | Resolved KB4493446 | April 09, 2019 10:00 AM PT |
MSXML6 may cause applications to stop responding. MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode(). See details > | January 08, 2019 KB4480963 | Resolved KB4493446 | April 09, 2019 10:00 AM PT |
Custom URI schemes may not start corresponding application Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer. See details > | March 12, 2019 KB4489881 | Resolved KB4493446 | April 09, 2019 10:00 AM PT |
Embedded objects may display incorrectly Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. See details > | February 12, 2019 KB4487000 | Resolved KB4493446 | April 09, 2019 10:00 AM PT |
Details | Originating update | Status | History |
Layout and cell size of Excel sheets may change when using MS UI Gothic When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic. Affected platforms:
Workaround: Until a resolution is released, we recommend switching to a different Japanese font, such as Yu Gothic or MS Mincho. Alternatively, you can uninstall the optional update. Next steps: Microsoft is working on a resolution and estimates a solution will be available in mid-May. Back to top | April 25, 2019 KB4493443 | Mitigated | Last updated: May 10, 2019 10:35 AM PT Opened: May 10, 2019 10:35 AM PT |
Details | Originating update | Status | History |
Issue using PXE to start a device from WDS After installing KB4489881, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension. Affected platforms:
Workaround: To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:

Option 1: Open an Administrator Command prompt and type the following:

Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No

Option 2: Use the Windows Deployment Services UI to make the following adjustment:

Option 3: Set the following registry value to 0:

HKLM\System\CurrentControlSet\Services\WDSServer\Providers\WDSTFTP\EnableVariableWindowExtension

Restart the WDSServer service after disabling the Variable Window Extension.

Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release. Back to top | March 12, 2019 KB4489881 | Mitigated | Last updated: April 25, 2019 02:00 PM PT Opened: March 12, 2019 10:00 AM PT |
Custom URI schemes may not start corresponding application After installing KB4489881, custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites security zones on Internet Explorer. Affected platforms:
Resolution: This issue is resolved in KB4493446. Back to top | March 12, 2019 KB4489881 | Resolved KB4493446 | Resolved: April 09, 2019 10:00 AM PT Opened: March 12, 2019 10:00 AM PT |
Details | Originating update | Status | History |
Embedded objects may display incorrectly Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. Affected platforms:
Resolution: This issue is resolved in KB4493446. Back to top | February 12, 2019 KB4487000 | Resolved KB4493446 | Resolved: April 09, 2019 10:00 AM PT Opened: February 12, 2019 10:00 AM PT |
Details | Originating update | Status | History |
Certain operations performed on a Cluster Shared Volume may fail Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege. Affected platforms:
Workaround: Do one of the following:
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release. Back to top | January 08, 2019 KB4480963 | Mitigated | Last updated: April 25, 2019 02:00 PM PT Opened: January 08, 2019 10:00 AM PT |
Internet Explorer 11 authentication issue with multiple concurrent logons After installing KB4480963, Internet Explorer 11 and other applications that use WININET.DLL may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:
Affected platforms:
Resolution: This issue is resolved in KB4493446. Back to top | January 08, 2019 KB4480963 | Resolved KB4493446 | Resolved: April 09, 2019 10:00 AM PT Opened: January 08, 2019 10:00 AM PT |
MSXML6 may cause applications to stop responding. After installing KB4480963, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode(). The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings. Affected platforms:
Resolution: This issue is resolved in KB4493446. Back to top | January 08, 2019 KB4480963 | Resolved KB4493446 | Resolved: April 09, 2019 10:00 AM PT Opened: January 08, 2019 10:00 AM PT |
Details | Originating update | Status | History |
Authentication may fail for services after the Kerberos ticket expires After installing KB4489880, some customers report that authentication fails for services that require unconstrained delegation after the Kerberos ticket expires (the default is 10 hours). For example, the SQL server service fails. Affected platforms:
Workaround: To mitigate this issue, use one of the following options:
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release. Back to top | March 12, 2019 KB4489880 | Mitigated | Last updated: April 25, 2019 02:00 PM PT Opened: March 12, 2019 10:00 AM PT |
NETDOM.EXE fails to run After installing KB4489880, NETDOM.EXE fails to run, and the on-screen error, “The command failed to complete successfully.” appears. Affected platforms:
Resolution: This issue is resolved in KB4493471. Back to top | March 12, 2019 KB4489880 | Resolved KB4493471 | Resolved: April 09, 2019 10:00 AM PT Opened: March 12, 2019 10:00 AM PT |
Details | Originating update | Status | History |
Embedded objects may display incorrectly Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. Affected platforms:
Resolution: This issue is resolved in KB4493471. Back to top | February 12, 2019 KB4487023 | Resolved KB4493471 | Resolved: April 09, 2019 10:00 AM PT Opened: February 12, 2019 10:00 AM PT |
Summary | Originating update | Status | Last updated |
Layout and cell size of Excel sheets may change when using MS UI Gothic When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. See details > | April 25, 2019 KB4493462 | Mitigated | May 10, 2019 10:35 AM PT |
System may be unresponsive after restart if Avira antivirus software installed Devices with Avira antivirus software installed may become unresponsive upon restart. See details > | April 09, 2019 KB4493451 | Mitigated | May 03, 2019 08:51 AM PT |
Issue using PXE to start a device from WDS There may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. See details > | March 12, 2019 KB4489891 | Mitigated | April 25, 2019 02:00 PM PT |
System unresponsive after restart if Sophos Endpoint Protection installed Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart. See details > | April 09, 2019 KB4493451 | Mitigated | April 25, 2019 02:00 PM PT |
Certain operations performed on a Cluster Shared Volume may fail Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. See details > | January 08, 2019 KB4480975 | Mitigated | April 25, 2019 02:00 PM PT |
Internet Explorer 11 authentication issue with multiple concurrent logons Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine. See details > | January 08, 2019 KB4480975 | Resolved KB4493451 | April 09, 2019 10:00 AM PT |
MSXML6 may cause applications to stop responding MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode(). See details > | January 08, 2019 KB4480975 | Resolved KB4493451 | April 09, 2019 10:00 AM PT |
Embedded objects may display incorrectly Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. See details > | February 12, 2019 KB4487025 | Resolved KB4493451 | April 09, 2019 10:00 AM PT |
Details | Originating update | Status | History |
Layout and cell size of Excel sheets may change when using MS UI Gothic When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic. Affected platforms:
Workaround: Until a resolution is released, we recommend switching to a different Japanese font, such as Yu Gothic or MS Mincho. Alternatively, you can uninstall the optional update. Next steps: Microsoft is working on a resolution and estimates a solution will be available in mid-May. Back to top | April 25, 2019 KB4493462 | Mitigated | Last updated: May 10, 2019 10:35 AM PT Opened: May 10, 2019 10:35 AM PT |
Details | Originating update | Status | History |
Embedded objects may display incorrectly: Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. Affected platforms:
Resolution: This issue is resolved in KB4493451. | February 12, 2019 KB4487025 | Resolved KB4493451 | Resolved: April 09, 2019 10:00 AM PT Opened: February 12, 2019 10:00 AM PT |
Details | Originating update | Status | History |
Certain operations performed on a Cluster Shared Volume may fail: Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, "STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)". This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege. Affected platforms:
Workaround: Do one of the following:
Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release. | January 08, 2019 KB4480975 | Mitigated | Last updated: April 25, 2019 02:00 PM PT Opened: January 08, 2019 10:00 AM PT |
Internet Explorer 11 authentication issue with multiple concurrent logons: After installing KB4480975, Internet Explorer 11 and other applications that use WININET.DLL may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:
Affected platforms:
Resolution: This issue is resolved in KB4493451. | January 08, 2019 KB4480975 | Resolved KB4493451 | Resolved: April 09, 2019 10:00 AM PT Opened: January 08, 2019 10:00 AM PT |
MSXML6 may cause applications to stop responding: After installing KB4480975, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode(). The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings. Affected platforms:
Resolution: This issue is resolved in KB4493451. | January 08, 2019 KB4480975 | Resolved KB4493451 | Resolved: April 09, 2019 10:00 AM PT Opened: January 08, 2019 10:00 AM PT |
Message | Date |
Reminder: Windows 10 update servicing cadence This month we received questions about the cadence of updates we released in April and May 2019. Here's a quick recap of our releases and servicing cadence:
| May 10, 2019 10:00 AM PT |
Take action: Install servicing stack update for Windows Server 2008 SP2 for SHA-2 code sign support A standalone update, KB4493730, that introduces SHA-2 code sign support for the servicing stack (SSU) was released today as a security update. | April 19, 2019 10:00 AM PT |
The benefits of Windows 10 Dynamic Update Dynamic Update can help organizations and end users alike ensure that their Windows 10 devices have the latest feature update content (as part of an in-place upgrade)—and preserve precious features on demand (FODs) and language packs (LPs) that may have been previously installed. diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index b315be80ea..63b387c407 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -20,6 +20,7 @@ ms.date: 03/01/2019 **Applies to** - Windows 10 - Windows Server 2016 +- Windows Server 2019 ## Enable Windows Defender Credential Guard @@ -134,8 +135,7 @@ DG_Readiness_Tool_v3.5.ps1 -Ready ``` > [!NOTE] - -For client machines that are running Windows 10 1703, LsaIso.exe is running whenever virtualization-based security is enabled for other features. +> For client machines that are running Windows 10 1703, LsaIso.exe is running whenever virtualization-based security is enabled for other features. - We recommend enabling Windows Defender Credential Guard before a device is joined to a domain. If Windows Defender Credential Guard is enabled after domain join, the user and device secrets may already be compromised. In other words, enabling Credential Guard will not help to secure a device or identity that has already been compromised, which is why we recommend turning on Credential Guard as early as possible. 
@@ -157,13 +157,14 @@ To disable Windows Defender Credential Guard, you can use the following set of p 1. If you used Group Policy, disable the Group Policy setting that you used to enable Windows Defender Credential Guard (**Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard** -> **Turn on Virtualization Based Security**). 2. Delete the following registry settings: - HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA\LsaCfgFlags + - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\LsaCfgFlags +3. If you also wish to disable virtualization-based security delete the following registry settings: - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\EnableVirtualizationBasedSecurity - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\RequirePlatformSecurityFeatures - > [!IMPORTANT] > If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery. -3. Delete the Windows Defender Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands: +4. Delete the Windows Defender Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands: ``` syntax mountvol X: /s 
@@ -171,18 +172,20 @@ To disable Windows Defender Credential Guard, you can use the following set of p bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi" bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215} - bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS + bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X: - bcdedit /set hypervisorlaunchtype off mountvol X: /d ``` -2. Restart the PC. -3. Accept the prompt to disable Windows Defender Credential Guard. -4. Alternatively, you can disable the virtualization-based security features to turn off Windows Defender Credential Guard. +5. Restart the PC. +6. Accept the prompt to disable Windows Defender Credential Guard. +7. Alternatively, you can disable the virtualization-based security features to turn off Windows Defender Credential Guard. > [!NOTE] -> The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Windows Defender Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS +> The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. 
If you want to turn off both Windows Defender Credential Guard and virtualization-based security, run the following bcdedit commands after turning off all virtualization-based security Group Policy and registry settings: + + bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS + bcdedit /set vsmlaunchtype off > [!NOTE] > Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs. These options will be made available with future Gen 2 VMs. diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md index ebb6eed030..680fe15627 100644 --- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md +++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md 
@@ -24,21 +24,21 @@ ms.date: 08/20/2018 ## How many is adequate -How can you find out how many domain controllers are needed? You can use performance monitoring on your domain controllers to determine existing authentication traffic. Windows Server 2016 includes the KDC AS Requests performance counter. You can use these counters to determine how much of a domain controllers load is due to initial Kerberos authentication. It's important to remember that authentication for a Windows Hello for Business key trust deployment does not affect Kerberos authentication--it remains unchanged. +How can you find out how many domain controllers are needed? You can use performance monitoring on your domain controllers to determine existing authentication traffic. Windows Server 2016 includes the KDC AS Requests performance counter. You can use these counters to determine how much of a domain controller's load is due to initial Kerberos authentication. It's important to remember that authentication for a Windows Hello for Business key trust deployment does not affect Kerberos authentication--it remains unchanged. Windows 10 accomplishes Windows Hello for Business key trust authentication by mapping an Active Directory user account to one or more public keys. This mapping occurs on the domain controller, which is why the deployment needs Windows Server 2016 domain controllers. Public key mapping is only supported by Windows Server 2016 domain controllers. Therefore, users in a key trust deployment must authenticate to a Windows Server 2016 domain controller. -Determining an adequate number of Windows Server 2016 domain controllers is important to ensure you have enough domain controllers to satisfy all authentication requests, including users mapped with public key trust. 
What many administrators do not realize is that adding the most current version of a domain controller (in this case Windows Server 2016) to a deployment of existing domain controllers (Windows Server 2008R2 or Windows Server 2012R2) instantly makes that single domain controller susceptible to carrying the most load, or what is commonly referred to as "piling on". To illustrate the "piling on" concept, consider the following scenario. +Determining an adequate number of Windows Server 2016 domain controllers is important to ensure you have enough domain controllers to satisfy all authentication requests, including users mapped with public key trust. What many administrators do not realize is that adding the most current version of a domain controller (in this case Windows Server 2016) to a deployment of existing domain controllers (Windows Server 2008R2 or Windows Server 2012R2) instantly makes that single domain controller susceptible to carrying the most load, or what is commonly referred to as "piling on". To illustrate the "piling on" concept, consider the following scenario: -Consider a controlled environment where there are 1000 client computers and the authentication load of these 1000 client computers is evenly distributed across 10 domain controllers in the environment. The Kerberos AS requests load would look something like the following. +Consider a controlled environment where there are 1000 client computers and the authentication load of these 1000 client computers is evenly distributed across 10 domain controllers in the environment. The Kerberos AS requests load would look something like the following:  -The environment changes. The first change includes DC1 upgraded to Windows Server 2016 to support Windows Hello for Business key-trust authentication. Next, 100 clients enroll for Windows Hello for Business using the public key trust deployment. Given all other factors stay constant, the authentication would now look like the following. 
+The environment changes. The first change includes DC1 upgraded to Windows Server 2016 to support Windows Hello for Business key-trust authentication. Next, 100 clients enroll for Windows Hello for Business using the public key trust deployment. Given all other factors stay constant, the authentication would now look like the following:  -The Windows Server 2016 domain controller is handling 100 percent of all public key trust authentication. However, it is also handling 10 percent of the password authentication. Why? This behavior occurs because domain controllers 2- 10 only support password and certificate trust authentication; only a Windows Server 2016 domain controller supports authentication public key trust authentication. The Windows Server 2016 domain controller understands how to authenticate password and certificate trust authentication and will continue to share the load of authenticating those clients. Because DC1 can handle all forms of authentication, it will be bear more of the authentication load, and easily become overloaded. What if another Windows Server 2016 domain controller is added, but without deploying Windows Hello for Business to anymore clients. +The Windows Server 2016 domain controller is handling 100 percent of all public key trust authentication. However, it is also handling 10 percent of the password authentication. Why? This behavior occurs because domain controllers 2- 10 only support password and certificate trust authentication; only a Windows Server 2016 domain controller supports authentication public key trust authentication. The Windows Server 2016 domain controller understands how to authenticate password and certificate trust authentication and will continue to share the load of authenticating those clients. Because DC1 can handle all forms of authentication, it will be bear more of the authentication load, and easily become overloaded. 
What if another Windows Server 2016 domain controller is added, but without deploying Windows Hello for Business to anymore clients?  @@ -63,7 +63,7 @@ The preceding was an example to show why it's unrealistic to have a "one-size-fi ## Determining total AS Request load -Each organization needs to have an baseline of the AS request load that occurs in their environment. Windows Server provides the KDC AS Requests performance counter that helps you determine this. +Each organization needs to have a baseline of the AS request load that occurs in their environment. Windows Server provides the KDC AS Requests performance counter that helps you determine this. Pick a site where you plan to upgrade the clients to Windows Hello for Business public key trust. Pick a time when authentication traffic is most significant--Monday morning is great time as everyone is returning to the office. Enable the performance counter on *all* the domain controllers in that site. Collect KDC AS Requests performance counters for two hours: * A half-hour before you expect initial authentication (sign-ins and unlocks) to be significant 
@@ -75,29 +75,29 @@ For example, if employees are scheduled to come into the office at 9:00am. Your > [!NOTE] > To capture all the authentication traffic. Ensure that all computers are powered down to get the most accurate authentication information (computers and services authenticate at first power up--you need to consider this authentication in your evaluation). -Aggregate the performance data of all domain controllers. Look for the maximum KDC AS Requests for each domain controller. Find the median time when the maximum number of requests occurred for the site, this should represent when the site is experience the highest amount of authentication. +Aggregate the performance data of all domain controllers. Look for the maximum KDC AS Requests for each domain controller. Find the median time when the maximum number of requests occurred for the site, this should represent when the site is experiencing the highest amount of authentication. -Add the number of authentications for each domain controller for the median time. You now have the total authentication for the site during a peak time. Using this metric, you can determine the distribution of authentication across the domain controllers in the site by dividing the domain controller's authentication number for the median time by the total authentication. Multiple the quotient by 10 to convert the distribution to a percentage. To validate your math, all the distributions should equal 100 percent. +Add the number of authentications for each domain controller for the median time. You now have the total authentication for the site during a peak time. Using this metric, you can determine the distribution of authentication across the domain controllers in the site by dividing the domain controller's authentication number for the median time by the total authentication. Multiply the quotient by 10 to convert the distribution to a percentage. To validate your math, all the distributions should equal 100 percent. 
-Review the distribution of authentication. Hopefully, none of these are above 70 percent. It's always good to reserve some capacity for the unexpected. Also, the primary purposes of a domain controller is to provide authentication and handle Active Directory operations. Identify domain controllers with lower distributions of authentication as potential candidates for the initial domain controller upgrades in conjunction with a reasonable distribution of clients provisioned for Windows Hello for Business. +Review the distribution of authentication. Hopefully, none of these are above 70 percent. It's always good to reserve some capacity for the unexpected. Also, the primary purposes of a domain controller are to provide authentication and handle Active Directory operations. Identify domain controllers with lower distributions of authentication as potential candidates for the initial domain controller upgrades in conjunction with a reasonable distribution of clients provisioned for Windows Hello for Business. ## Monitoring Authentication -Using the same methods previously described above, monitor the Kerberos authentication after upgrading a domain controller and your first phase of Windows Hello for Business deployments. Make note of the delta of authentication before and after upgrading the domain controller to Windows Server 2016. This delta is representative of authentication resulting from the first phase of your Windows Hello for Business clients. This gives you a baseline for your environment to where you can form a statement such as +Using the same methods previously described above, monitor the Kerberos authentication after upgrading a domain controller and your first phase of Windows Hello for Business deployments. Make note of the delta of authentication before and after upgrading the domain controller to Windows Server 2016. This delta is representative of authentication resulting from the first phase of your Windows Hello for Business clients. 
This gives you a baseline for your environment from which you can form a statement such as ```"Every n Windows Hello for Business clients results in x percentage of key-trust authentication."``` -Where _n_ equals the number of clients you switched to Windows Hello for Business and _x_ equals the increased percentage of authentication from the upgraded domain controller. Armed with information, you can apply the observations of upgrading domain controllers and increasing Windows Hello for Business client count to appropriately phase your deployment. +Where _n_ equals the number of clients you switched to Windows Hello for Business and _x_ equals the increased percentage of authentication from the upgraded domain controller. Armed with this information, you can apply the observations of upgrading domain controllers and increasing Windows Hello for Business client count to appropriately phase your deployment. Remember, increasing the number of clients changes the volume of authentication distributed across the Windows Server 2016 domain controllers. If there is only one Windows Server 2016 domain controller, there's no distribution and you are simply increasing the volume of authentication for which THAT domain controller is responsible. -Increasing the number of number of domain controllers distributes the volume of authentication, but doesn't change it. Therefore, as you add more domain controllers, the burden of authentication for which each domain controller is responsible decrease. Upgrading two domain controller changes the distribution to 50 percent. Upgrading three domain controllers changes the distribution to 33 percent, and so on. +Increasing the number of domain controllers distributes the volume of authentication, but doesn't change it. Therefore, as you add more domain controllers, the burden of authentication, for which each domain controller is responsible, decreases. Upgrading two domain controller changes the distribution to 50 percent. 
Upgrading three domain controllers changes the distribution to 33 percent, and so on. ## Strategy The simplest strategy you can employ is to upgrade one domain controller and monitor the single domain controller as you continue to phase in new Windows Hello for Business key-trust clients until it reaches a 70 or 80 percent threshold. -Then, upgrade a second domain controller. Monitor the authentication on both domain controllers to determine how the authentication distributes between the two domain controllers. Introduce more Windows Hello for Business clients while monitoring the authentication on the two upgraded domain controllers. Once those reach your environments designated capacity, then upgrade another domain controller. +Then, upgrade a second domain controller. Monitor the authentication on both domain controllers to determine how the authentication distributes between the two domain controllers. Introduce more Windows Hello for Business clients while monitoring the authentication on the two upgraded domain controllers. Once those reach your environment's designated capacity, you can upgrade another domain controller. Repeat until your deployment for that site is complete. Now, monitor authentication across all your domain controllers like you did the very first time. Determine the distribution of authentication for each domain controller. Identify the percentage of distribution for which it is responsible. If a single domain controller is responsible for 70 percent of more of the authentication, you may want to consider adding a domain controller to reduce the distribution of authentication volume. -However, before considering this, ensure the high load of authentication is not a result of applications and services where their configuration has a statically configured domain controller. Adding domain controllers will not resolve the additional authentication load problem in this scenario. 
Instead, manually distribute the authentication to different domain controllers among all the services or applications. Alternatively, try simply using the domain name rather than a specific domain controller. Each domain controller has an A record registered in DNS for the domain name, which DNS will round robin with each DNS query. It's not the best load balancer, however, it is a better alternative to static domain controller configurations, provided the configuration is compatible with your service or application. +However, before considering this, ensure the high load of authentication is not a result of applications and services where their configuration has a statically-configured domain controller. Adding domain controllers will not resolve the additional authentication load problem in this scenario. Instead, manually distribute the authentication to different domain controllers among all the services or applications. Alternatively, try simply using the domain name rather than a specific domain controller. Each domain controller has an A record registered in DNS for the domain name, which DNS will round robin with each DNS query. It's not the best load balancer, however, it is a better alternative to static domain controller configurations, provided the configuration is compatible with your service or application. diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md index 561df3ca7b..cc631cea1a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md 
@@ -23,7 +23,7 @@ ms.date: 08/19/2018 - Certificate trust -On-premises deployments must use the On-premises Azure MFA Server using the AD FS adapter model Optionally, you can use a third-party MFA server that provides an AD FS Multifactor authentication adapter. +On-premises deployments must use an on-premises MFA Server that provides an AD FS Multifactor authentication adapter. It can be an Azure Multi-Factor Authentication Server or a third-party MFA solution. >[!TIP] >Please make sure you've read [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) before proceeding any further. @@ -80,7 +80,7 @@ The following services are required: Update the server using Windows Update until the server has no required or optional updates as the Azure MFA Server software may require one or more of these updates for the installation and software to correctly work. These procedures install additional components that may need to be updated. -#### Configure the IIS Server’s Certificate +#### Configure the IIS Server Certificate The TLS protocol protects all the communication to and from the MFA server. To enable this protection, you must configure the default web site to use the previously enrolled server authentication certificate. 
@@ -171,9 +171,9 @@ To do this, please follow the instructions mentioned in the previous [Install th Update the server using Windows Update until the server has no required or optional updates as the Azure MFA Server software may require one or more of these updates for the installation and software to correctly work. These procedures install additional components that may need to be updated. -#### Configure the IIS Server’s Certificate +#### Set the IIS Server Certificate -To do this, please follow the instructions mentioned in the previous [Configure the IIS Server’s Certificate](#configure-the-iis-server’s-certificate) section. +To do this, please follow the instructions mentioned in the previous [Configure the IIS Server’s Certificate](#configure-the-iis-server-certificate) section. #### Create WebServices SDK user account diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md index 2e3ac6b145..a1981cd9c2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md 
@@ -28,7 +28,7 @@ Windows Hello for Business involves configuring distributed technologies that ma * [Active Directory](#active-directory) * [Public Key Infrastructure](#public-key-infrastructure) * [Azure Active Directory](#azure-active-directory) -* [Multi-factor Authentication Services](#multi-factor-authentication-services) +* [Multifactor Authentication Services](#multifactor-authentication-services) New installations are considerably more involved than existing implementations because you are building the entire infrastructure. Microsoft recommends you review the new installation baseline to validate your existing environment has all the needed configurations to support your hybrid certificate trust Windows Hello for Business deployment. If your environment meets these needs, you can read the [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) section to prepare your Windows Hello for Business deployment by configuring Azure device registration. @@ -80,7 +80,7 @@ If you do have an existing public key infrastructure, please review [Certificati ### Section Review ### > [!div class="checklist"] -> * Miniumum Windows Server 2012 Certificate Authority. +> * Minimum Windows Server 2012 Certificate Authority. > * Enterprise Certificate Authority. > * Functioning public key infrastructure. 
@@ -128,7 +128,7 @@ Alternatively, you can configure Windows Server 2016 Active Directory Federation > * Review the overview and uses of Azure Multifactor Authentication. > * Review your Azure Active Directory subscription for Azure Multifactor Authentication. > * Create an Azure Multifactor Authentication Provider, if necessary. -> * Configure Azure Multufactor Authentiation features and settings. +> * Configure Azure Multifactor Authentication features and settings. > * Understand the different User States and their effect on Azure Multifactor Authentication. > * Consider using Azure Multifactor Authentication or a third-party multifactor authentication provider with Windows Server 2016 Active Directory Federation Services, if necessary. @@ -141,7 +141,7 @@ Alternatively, you can configure Windows Server 2016 Active Directory Federation ## Follow the Windows Hello for Business hybrid certificate trust deployment guide 1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md) 3. New Installation Baseline (*You are here*) 4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) 5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index bab9bcf458..273991ec82 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md 
@@ -28,13 +28,13 @@ Your environment is federated and you are ready to configure device registration > [!IMPORTANT] > If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment. -Use this three phased approach for configuring device registration. +Use this three-phased approach for configuring device registration. 1. [Configure devices to register in Azure](#configure-azure-for-device-registration) 2. [Synchronize devices to on-premises Active Directory](#configure-active-directory-to-support-azure-device-syncrhonization) 3. [Configure AD FS to use cloud devices](#configure-ad-fs-to-use-azure-registered-devices) > [!NOTE] -> Before proceeding, you should familiarize yourself with device regisration concepts such as: +> Before proceeding, you should familiarize yourself with device registration concepts such as: > * Azure AD registered devices > * Azure AD joined devices > * Hybrid Azure AD joined devices 
@@ -100,7 +100,7 @@ Federation server proxies are computers that run AD FS software that have been c Use the [Setting of a Federation Proxy](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/checklist--setting-up-a-federation-server-proxy) checklist to configure AD FS proxy servers in your environment. ### Deploy Azure AD Connect -Next, you need to synchronizes the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](http://go.microsoft.com/fwlink/?LinkId=615771). +Next, you need to synchronize the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](http://go.microsoft.com/fwlink/?LinkId=615771). When you are ready to install, follow the **Configuring federation with AD FS** section of [Custom installation of Azure AD Connect](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-get-started-custom). Select the **Federation with AD FS** option on the **User sign-in** page. At the **AD FS Farm** page, select the use an existing option and click **Next**. 
@@ -514,7 +514,7 @@ For your reference, below is a comprehensive list of the AD DS devices, containe ## Follow the Windows Hello for Business hybrid certificate trust deployment guide 1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. Configure Azure Device Registration (*You are here*) 5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md index f8613819f5..c622ab65bb 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md 
@@ -37,10 +37,10 @@ This baseline provides detailed procedures to move your environment from an on-p ## Federated Baseline ## The federated baseline helps organizations that have completed their federation with Azure Active Directory and Office 365 and enables them to introduce Windows Hello for Business into their hybrid environment. This baseline exclusively focuses on the procedures needed to add Azure Device Registration and Windows Hello for Business to an existing hybrid deployment. -Regardless of the baseline you choose, you’re next step is to familiarize yourself with the prerequisites needed for the deployment. Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates. +Regardless of the baseline you choose, your next step is to familiarize yourself with the prerequisites needed for the deployment. Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates. > [!div class="nextstepaction"] -> [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +> [Prerequisites](hello-hybrid-cert-trust-prereqs.md) 
@@ -48,7 +48,7 @@ Regardless of the baseline you choose, you’re next step is to familiarize your ## Follow the Windows Hello for Business hybrid certificate trust deployment guide 1. Overview (*You are here*) -2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. [Device Registration](hello-hybrid-cert-trust-devreg.md) 5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md index d9874f88c3..4a4a80eced 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md @@ -80,7 +80,7 @@ If you do not have an existing public key infrastructure, please review [Certifi > [!IMPORTANT] > For Azure AD joined device to authenticate to and use on-premises resources, ensure you: > * Install the root certificate authority certificate for your organization in the user's trusted root certificate store. -> * Publish your certificate revocation list to a location that is available to Azure AD joined devices, such as a web-based url. +> * Publish your certificate revocation list to a location that is available to Azure AD joined devices, such as a web-based URL. ### Section Review ### 
@@ -124,7 +124,7 @@ If your organization uses Azure MFA on a per-consumption model (no licenses), th Once you have created your Azure MFA authentication provider and associated it with an Azure tenant, you need to configure the multi-factor authentication settings. Review the [Configure Azure Multi-Factor Authentication settings](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-whats-next) section to configure your settings. #### Azure MFA User States #### -After you have completed configuring your Azure MFA settings, you want to review configure [User States](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-user-states) to understand user states. User states determine how you enable Azure MFA for your users. +After you have completed configuring your Azure MFA settings, you want to review configure [User States](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-user-states) to understand user states. User states determine how you enable Azure MFA for your users. ### Azure MFA via ADFS ### Alternatively, you can configure Windows Server 2016 Active Directory Federation Services (AD FS) to provide additional multi-factor authentication. To configure, read the [Configure AD FS 2016 and Azure MFA](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa) section. 
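Review bot: in the Azure MFA User States paragraph the removed and added lines differ only in whitespace as shown here, so "you want to review configure [User States] ... to understand user states" is left as is. Pick one verb and drop the repetition, for example "review [User States] to understand how they determine the way you enable Azure MFA for your users".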
@@ -135,7 +135,7 @@ Alternatively, you can configure Windows Server 2016 Active Directory Federation > * Review the overview and uses of Azure Multifactor Authentication. > * Review your Azure Active Directory subscription for Azure Multifactor Authentication. > * Create an Azure Multifactor Authentication Provider, if necessary. -> * Configure Azure Multifactor Authentiation features and settings. +> * Configure Azure Multifactor Authentication features and settings. > * Understand the different User States and their effect on Azure Multifactor Authentication. > * Consider using Azure Multifactor Authentication or a third-party multifactor authentication provider with Windows Server Active Directory Federation Services, if necessary. @@ -148,7 +148,7 @@ Alternatively, you can configure Windows Server 2016 Active Directory Federation ## Follow the Windows Hello for Business hybrid key trust deployment guide 1. [Overview](hello-hybrid-key-trust.md) -2. [Prerequistes](hello-hybrid-key-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-key-trust-prereqs.md) 3. New Installation Baseline (*You are here*) 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md index 9a49d7ab15..f7ec72d697 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md 
@@ -38,7 +38,7 @@ Begin configuring device registration to support Hybrid Windows Hello for Busine To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-setup/) -Next, follow the guidance on the [How to configure hybrid Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup) page. In the **Configuration steps** section, identify you configuration at the top of the table (either **Windows current and password hash sync** or **Windows current and federation**) and perform only the steps identified with a check mark. +Next, follow the guidance on the [How to configure hybrid Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup) page. In the **Configuration steps** section, identify your configuration at the top of the table (either **Windows current and password hash sync** or **Windows current and federation**) and perform only the steps identified with a check mark. @@ -47,7 +47,7 @@ Next, follow the guidance on the [How to configure hybrid Azure Active Directory ## Follow the Windows Hello for Business hybrid key trust deployment guide 1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 5. Configure Azure Device Registration (*You are here*) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md index 2c4dc3093c..617e922f94 100644 
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md @@ -26,7 +26,7 @@ ms.date: 08/19/2018 You are ready to configure directory synchronization for your hybrid environment. Hybrid Windows Hello for Business deployment needs both a cloud and an on-premises identity to authenticate and access resources in the cloud or on-premises. ## Deploy Azure AD Connect -Next, you need to synchronizes the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](http://go.microsoft.com/fwlink/?LinkId=615771). +Next, you need to synchronize the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](http://go.microsoft.com/fwlink/?LinkId=615771). > [!NOTE] 
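Review bot: in hello-hybrid-key-trust-devreg.md, hunk @@ -47,7 +47,7 @@ above, the list is headed "hybrid key trust deployment guide" but items 1 to 3 link to hello-hybrid-cert-trust.md, hello-hybrid-cert-trust-prereqs.md and hello-hybrid-cert-new-install.md. The other key trust pages in this patch link to hello-hybrid-key-trust.md, hello-hybrid-key-trust-prereqs.md and hello-hybrid-key-new-install.md. The spelling fix already touches item 2, so correct the three targets in the same change; otherwise a reader following the key trust guide is sent into the certificate trust procedure.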
@@ -38,7 +38,7 @@ Next, you need to synchronizes the on-premises Active Directory with Azure Activ ## Follow the Windows Hello for Business hybrid key trust deployment guide 1. [Overview](hello-hybrid-key-trust.md) -2. [Prerequistes](hello-hybrid-key-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-key-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-key-new-install.md) 4. Configure Directory Synchronization (*You are here*) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index f59a78c750..e7e22f7c8f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md 
@@ -85,7 +85,7 @@ Organizations using older directory synchronization technology, such as DirSync ## Federation with Azure ## -You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization) and [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) 2012 R2 or later. +You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization) and [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) beginning with Windows Server 2012 R2. ### Section Review ### > [!div class="checklist"] 
@@ -97,7 +97,7 @@ You can deploy Windows Hello for Business key trust in non-federated and federat ## Multifactor Authentication ## Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but needs a second factor of authentication. -Hybrid Windows Hello for Business deployments can use Azure’s Multi-factor Authentication service or they can use multi-factor authentication provides by Windows Server 2012 R2 or later Active Directory Federation Services, which includes an adapter model that enables third parties to integrate their multi-factor authentication into AD FS. +Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Authentication (MFA) service or they can use multifactor authentication provided by AD FS beginning with Windows Server 2012 R2, which includes an adapter model that enables third parties to integrate their MFA into AD FS. The MFA enabled by an Office 365 license is sufficient for Azure AD. ### Section Review > [!div class="checklist"] diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md index 303b6ce403..129be903cb 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md 
@@ -34,10 +34,10 @@ The new deployment baseline helps organizations who are moving to Azure and Offi This baseline provides detailed procedures to move your environment from an on-premises only environment to a hybrid environment using Windows Hello for Business to authenticate to Azure Active Directory and to your on-premises Active Directory using a single Windows sign-in. -You’re next step is to familiarize yourself with the prerequisites needed for the deployment. Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates. +Your next step is to familiarize yourself with the prerequisites needed for the deployment. Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates. > [!div class="nextstepaction"] -> [Prerequistes](hello-hybrid-key-trust-prereqs.md) +> [Prerequisites](hello-hybrid-key-trust-prereqs.md) @@ -45,7 +45,7 @@ You’re next step is to familiarize yourself with the prerequisites needed for ## Follow the Windows Hello for Business hybrid key trust deployment guide 1. Overview (*You are here*) -2. [Prerequistes](hello-hybrid-key-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-key-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-key-new-install.md) 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) 
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 1700566e52..996e8121b8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md 
@@ -77,7 +77,7 @@ A deployment's trust type defines how each Windows Hello for Business client aut The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. -The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers. Users can authenticate using their certificate to any Windows Server 2008 R2 or later domain controller. +The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 Active Directory schema](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller. #### Device registration 
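Review bot: the new parenthetical about the Windows Server 2016 Active Directory schema links with an absolute docs.microsoft.com URL, while the neighbouring link in this hunk uses a relative path (hello-adequate-domain-controllers.md). The target lives in the same folder, so hello-hybrid-cert-trust-prereqs.md#directories would keep the link working across branches and localized builds. The phrasing "any Windows Server 2008 R2, or later, domain controller" also reads more cleanly without the added commas.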
@@ -101,7 +101,6 @@ Cloud only and hybrid deployments provide many choices for multi-factor authenti > * Azure Active Directory Premium > * Enterprise Mobility Suite > * Enterprise Cloud Suite ->* A per-user and per-authentication consumption-based model that is billed monthly against Azure monetary commitment (Read [Multi-Factor Authentication Pricing](https://azure.microsoft.com/pricing/details/multi-factor-authentication/) for more information) #### Directory synchronization @@ -136,7 +135,7 @@ The Windows Hello for Business deployment depends on an enterprise public key in ### Cloud -Some deployment combinations require an Azure account and some require Azure Active Directory for user identities. These cloud requirements may only need an Azure account while other features need an Azure Active Directory Premium subscription. The planning process identifies and differentiates the components that are needed from the those that are optional. +Some deployment combinations require an Azure account, and some require Azure Active Directory for user identities. These cloud requirements may only need an Azure account while other features need an Azure Active Directory Premium subscription. The planning process identifies and differentiates the components that are needed from the those that are optional. ## Planning a Deployment 
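Review bot: in the Cloud paragraph of the second hunk, the added line still ends with "from the those that are optional"; drop the extra "the" while this sentence is being edited. On the first hunk, removing the per-user and per-authentication consumption bullet is a content change rather than a spelling fix, so the commit message should say why it was dropped.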
@@ -150,13 +149,13 @@ Choose the deployment model based on the resources your users access. Use the f If your organization does not have on-premises resources, write **Cloud Only** in box **1a** on your planning worksheet. -If your organization is federated with Azure or uses any online service, such as Office365 or OneDrive, or your users access cloud and on-premises resources, write **Hybrid** in box **1a** on your planning worksheet. +If your organization is federated with Azure or uses any online service, such as Office365 or OneDrive, or your users' access cloud and on-premises resources, write **Hybrid** in box **1a** on your planning worksheet. If your organization does not have cloud resources, write **On-Premises** in box **1a** on your planning worksheet. >[!NOTE] >If you’re unsure if your organization is federated, run the following Active Directory Windows PowerShell command from an elevated Windows PowerShell prompt and evaluate the results. >```Get-AdObject “CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=[forest_root_CN_name],DC=com" -Properties keywords``` ->* If the command returns an error stating it could not find the object, then you have yet to configured AAD Connect or on-premises Device Registration Services using AD FS. Ensure the name is accurate and validate the object does not exist with another Active Directory Management tool such as **ADSIEdit.msc**. If the object truly does not exist, then you environment does not bind you to a specific deployment or require changes to accommodate the desired deployment type. +>* If the command returns an error stating it could not find the object, then you have yet to configured AAD Connect or on-premises Device Registration Services using AD FS. Ensure the name is accurate and validate the object does not exist with another Active Directory Management tool such as **ADSIEdit.msc**. 
If the object truly does not exist, then your environment does not bind you to a specific deployment or require changes to accommodate the desired deployment type. >* If the command returns a value, compare that value with the values below. The value indicates the deployment model you should implement > * If the value begins with **azureADName:** – write **Hybrid** in box **1a**on your planning worksheet. > * If the value begins with **enterpriseDrsName:** – write **On-Premises** in box **1a** on your planning worksheet. @@ -197,7 +196,7 @@ If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in If box **1a** on your planning worksheet reads **hybrid**, then write **Azure AD Connect** in box **1e** on your planning worksheet. -If box **1a** on your planning worksheet reads **on-premises**, then write **Azure MFA Server**. This deployment exclusively uses Active Directory for user information with the exception of the multi-factor authentication. The on-premises Azure MFA server synchronizes a subset of the user information, such as phone number, to provide multi-factor authentication while the user’s credential remain on the on-premises network. +If box **1a** on your planning worksheet reads **on-premises**, then write **Azure MFA Server**. This deployment exclusively uses Active Directory for user information with the exception of the multi-factor authentication. The on-premises Azure MFA server synchronizes a subset of the user information, such as phone number, to provide multi-factor authentication while the user’s credentials remain on the on-premises network. ### Multifactor Authentication 
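Review bot: in the @@ -150,13 +149,13 @@ hunk above, the change from "your users access cloud and on-premises resources" to "your users' access cloud and on-premises resources" introduces an error, because "access" is the verb there; revert that line. The same hunk's added bullet still says "you have yet to configured AAD Connect" (should be "configure"), the unchanged bullet has "**1a**on" with no space, and the Get-AdObject command in the note opens with a typographic quote and closes with a straight one, so use straight quotes on both sides so the command copies cleanly.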
@@ -274,7 +273,7 @@ Public key infrastructure prerequisites already exist in your planning worksheet If box **1a** on your planning worksheet reads **cloud only**, ignore the public key infrastructure section of your planning worksheet. Cloud only deployments do not use a public key infrastructure. -If box **1b** on your planning worksheet reads **key trust**, write **N/A** in box **5b** on your planning worksheet. +If box **1b** on your planning worksheet reads **key trust**, write **N/A** in box **5b** on your planning worksheet. Key trust doesn't require any change in public key infrastructure, skip this part and go to **Cloud** section. The registration authority only relates to certificate trust deployments and the management used for domain and non-domain joined devices. Hybrid Azure AD joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates. Hybrid Azure AD joined devices and Azure AD joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates. diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index c9ba5464a6..9ea0ddd3dc 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -529,7 +529,7 @@ Disable-BitLocker -MountPoint E:,F:,G: ``` ## See also -- [Prepare your organization for BitLocker: Planning and p\\olicies](prepare-your-organization-for-bitlocker-planning-and-policies.md) +- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) - [BitLocker recovery guide](bitlocker-recovery-guide-plan.md) - [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) - [BitLocker overview](bitlocker-overview.md) 
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 4932416954..33ced2e6e3 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -11,7 +11,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/29/2019 +ms.date: 05/13/2019 --- # Create a Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune @@ -21,7 +21,7 @@ ms.date: 04/29/2019 - Windows 10, version 1607 and later - Windows 10 Mobile, version 1607 and later (except Microsoft Azure Rights Management, which is only available on the desktop) -Microsoft Intune has an easy way to create and deploy a Windows Information Protection (WIP) policy. You can choose which apps to protect, the level of protection, and how to find enterprise data on the network. The devices can be fully managed by Mobile Device Management (MDM), or managed by Mobile Application Management (MAM), where Intune only manages the apps on a user's personal device. +Microsoft Intune has an easy way to create and deploy a Windows Information Protection (WIP) policy. You can choose which apps to protect, the level of protection, and how to find enterprise data on the network. The devices can be fully managed by Mobile Device Management (MDM), or managed by Mobile Application Management (MAM), where Intune manages only the apps on a user's personal device. ## Differences between MDM and MAM for WIP 
@@ -98,7 +98,7 @@ Select **Store apps**, type the app product name and publisher, and click **OK**  -To add multiple Store apps, click the elipsis **…**. +To add multiple Store apps, click the ellipsis **…**. If you don't know the Store app publisher or product name, you can find them by following these steps. @@ -187,7 +187,7 @@ To add **Desktop apps**, complete the following fields, based on what results yo |