From fb5de43a748dc07c9d6ac00dc7263d494d562996 Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Wed, 18 Jan 2017 19:31:29 -0800 Subject: [PATCH 1/9] Fixed typo, made bold text into headings --- windows/keep-secure/bitlocker-countermeasures.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/bitlocker-countermeasures.md b/windows/keep-secure/bitlocker-countermeasures.md index 7e1f6c7414..a928d5da12 100644 --- a/windows/keep-secure/bitlocker-countermeasures.md +++ b/windows/keep-secure/bitlocker-countermeasures.md @@ -23,9 +23,9 @@ The sections that follow provide more detailed information about the different t ### Protection before startup -Before Windows starts, you must rely on security features implemented as part of the device hardware, including TPM andSecure Boot. Fortunately, many modern computers feature TPM. +Before Windows starts, you must rely on security features implemented as part of the device hardware, including TPM and Secure Boot. Fortunately, many modern computers feature TPM. -**Trusted Platform Module** +#### Trusted Platform Module Software alone isn’t sufficient to protect a system. After an attacker has compromised software, the software might be unable to detect the compromise. Therefore, a single successful software compromise results in an untrusted system that might never be detected. Hardware, however, is much more difficult to modify. @@ -33,7 +33,7 @@ A TPM is a microchip designed to provide basic security-related functions, prima By binding the BitLocker encryption key with the TPM and properly configuring the device, it’s nearly impossible for an attacker to gain access to the BitLocker-encrypted data without obtaining an authorized user’s credentials. Therefore, computers with a TPM can provide a high level of protection against attacks that attempt to directly retrieve the BitLocker encryption key. For more info about TPM, see [Trusted Platform Module](trusted-platform-module-overview.md). -**UEFI and Secure Boot** +#### UEFI and Secure Boot No operating system can protect a device when the operating system is offline. For that reason, Microsoft worked closely with hardware vendors to require firmware-level protection against boot and rootkits that might compromise an encryption solution’s encryption keys. From 54590e2c874ab2455b6b2cb578d54eec63c4dd8a Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 19 Jan 2017 06:51:48 -0800 Subject: [PATCH 2/9] update --- .../manage-identity-verification-using-microsoft-passport.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md index d91d7bbb04..18f8399a2b 100644 --- a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md +++ b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md @@ -93,7 +93,7 @@ When identity providers such as Active Directory or Azure AD enroll a certificat [Introduction to Windows Hello](https://go.microsoft.com/fwlink/p/?LinkId=786649), video presentation on Microsoft Virtual Academy -[What's new in Active Directory Domain Services (AD DS) in Windows Server Technical Preview](https://go.microsoft.com/fwlink/p/?LinkId=708533) +[What's new in Active Directory Domain Services for Windows Server 2016](https://go.microsoft.com/fwlink/p/?LinkId=708533) [Windows Hello face authentication](https://go.microsoft.com/fwlink/p/?LinkId=626024) From 247ec6b56f2e7e2913710a3dbff97284b30e7d90 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 19 Jan 2017 08:40:29 -0800 Subject: [PATCH 3/9] fix typo --- windows/deploy/provisioning-multivariant.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deploy/provisioning-multivariant.md b/windows/deploy/provisioning-multivariant.md index cbf4507a6a..3bc7652233 100644 --- a/windows/deploy/provisioning-multivariant.md +++ b/windows/deploy/provisioning-multivariant.md @@ -89,7 +89,7 @@ A variant setting that matches a **TargetState** with a lower priority is applie The **TargetState** priority is assigned based on the conditions priority and the priority evaluation rules are as followed: -1. T**TargetState** with P0 conditions is higher than **TargetState** without P0 conditions. +1. **TargetState** with P0 conditions is higher than **TargetState** without P0 conditions. 2. **TargetState** with P1 conditions is higher than **TargetState** without P0 and P1 conditions. From 305a40c77f4e472d658af151533cc2076598105a Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 19 Jan 2017 08:45:09 -0800 Subject: [PATCH 4/9] fix typo --- windows/manage/waas-configure-wufb.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/manage/waas-configure-wufb.md b/windows/manage/waas-configure-wufb.md index c6e756d31b..49db389072 100644 --- a/windows/manage/waas-configure-wufb.md +++ b/windows/manage/waas-configure-wufb.md @@ -115,7 +115,7 @@ You can set your system to receive updates for other Microsoft products—known | --- | --- | | GPO for version 1607:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdates
\Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdatesPeriodInDays | | GPO for version 1511:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpdatePeriod | -| MDM for version 1607:
../Vendor/MSFT/Policy/Config/Update/
**DeferQualityUpdates** | \Microsoft\PolicyManager\default\Update\DeferQualityUpdatesPeriodInDays | +| MDM for version 1607:
../Vendor/MSFT/Policy/Config/Update/
**DeferQualityUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferQualityUpdatesPeriodInDays | | MDM for version 1511:
../Vendor/MSFT/Policy/Config/Update/
**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpdate | From d5ca6efef5393bd85f78edad739d0a277cb4d6de Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 19 Jan 2017 09:40:43 -0800 Subject: [PATCH 5/9] remove >HEAD --- .../manage/change-history-for-manage-and-update-windows-10.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md index 89487d41ca..26af07a521 100644 --- a/windows/manage/change-history-for-manage-and-update-windows-10.md +++ b/windows/manage/change-history-for-manage-and-update-windows-10.md @@ -15,7 +15,6 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in >If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history). ## January 2017 -<<<<<<< HEAD | New or changed topic | Description | | --- | --- | From 50dd9c5724df30a170154e4341a1c4263aac3d55 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 19 Jan 2017 09:55:55 -0800 Subject: [PATCH 6/9] adding HoloLens to list --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index fa13a55593..8864d2a10e 100644 --- a/README.md +++ b/README.md @@ -8,6 +8,7 @@ Welcome! This repository houses the docs that are written for IT professionals f - [Surface](https://technet.microsoft.com/itpro/surface) - [Surface Hub](https://technet.microsoft.com/itpro/surface-hub) - [Windows 10 for Education](https://technet.microsoft.com/edu/windows) +- [HoloLens](https://technet.microsoft.com/itpro/hololens) - [Microsoft Desktop Optimization Pack](https://technet.microsoft.com/itpro/mdop) ## Contributing From c0dcee956b606ef7c6f60bbf46b1a36b57d6845e Mon Sep 17 00:00:00 2001 From: Justinha Date: Thu, 19 Jan 2017 10:26:38 -0800 Subject: [PATCH 7/9] revsied Important formatting in tables --- windows/keep-secure/credential-guard.md | 2 +- ...ments-and-deployment-planning-guidelines-for-device-guard.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 4f93a91a34..c841849294 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -61,7 +61,7 @@ The following tables provide more information about the hardware, firmware, and | Hardware: **Trusted Platform Module (TPM)** | **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.

**Security benefits**: A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. | | Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)

**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | | Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).

**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | -| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT
**Important**: Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.
**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. | +| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT

**Important**
Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.

**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. | > [!IMPORTANT] > The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Credential Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Credential Guard can provide. diff --git a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md index d7a51c828d..9fbef53bb2 100644 --- a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md +++ b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md @@ -54,7 +54,7 @@ The following tables provide more information about the hardware, firmware, and | Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)

**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | | Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).

**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | | Software: **HVCI compatible drivers** | **Requirements**: See the Windows Hardware Compatibility Program requirements under [Filter.Driver.DeviceGuard.DriverCompatibility](https://msdn.microsoft.com/library/windows/hardware/mt589732(v=vs.85).aspx).

**Security benefits**: [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. | -| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT
**Important**: Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.
**Security benefits**: Support for VBS and for management features that simplify configuration of Device Guard. | +| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT

**Important**
Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.

**Security benefits**: Support for VBS and for management features that simplify configuration of Device Guard. | > **Important**  The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Device Guard can provide. From c332b079fdb7297415a0a56c1f2f7d2e395abac7 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Thu, 19 Jan 2017 10:28:29 -0800 Subject: [PATCH 8/9] fix FWLink --- windows/manage/troubleshoot-windows-store-for-business.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/manage/troubleshoot-windows-store-for-business.md b/windows/manage/troubleshoot-windows-store-for-business.md index 55a31b14ec..d0a9381cf9 100644 --- a/windows/manage/troubleshoot-windows-store-for-business.md +++ b/windows/manage/troubleshoot-windows-store-for-business.md @@ -53,7 +53,7 @@ The private store for your organization is a page in the Windows Store app that ## Still having trouble? -If you are still having trouble using WSfB or installing the app, you can get more help on our [Support page](https://go.microsoft.com/fwlink/?LinkID=799757). +If you are still having trouble using WSfB or installing the app, you can get more help on our [Support page](https://go.microsoft.com/fwlink/?LinkID=799386).   From 99fed1f7541be197a20710613ed871fb5ddc6ed0 Mon Sep 17 00:00:00 2001 From: Justinha Date: Thu, 19 Jan 2017 10:41:33 -0800 Subject: [PATCH 9/9] revsied Important formatting in tables again --- windows/keep-secure/credential-guard.md | 2 +- ...ments-and-deployment-planning-guidelines-for-device-guard.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index c841849294..bdf1e9d9d1 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -61,7 +61,7 @@ The following tables provide more information about the hardware, firmware, and | Hardware: **Trusted Platform Module (TPM)** | **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.

**Security benefits**: A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. | | Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)

**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | | Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).

**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | -| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT

**Important**
Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.

**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. | +| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT

**! Important**:
Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.

**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. | > [!IMPORTANT] > The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Credential Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Credential Guard can provide. diff --git a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md index 9fbef53bb2..82bfc43574 100644 --- a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md +++ b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md @@ -54,7 +54,7 @@ The following tables provide more information about the hardware, firmware, and | Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)

**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | | Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).

**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | | Software: **HVCI compatible drivers** | **Requirements**: See the Windows Hardware Compatibility Program requirements under [Filter.Driver.DeviceGuard.DriverCompatibility](https://msdn.microsoft.com/library/windows/hardware/mt589732(v=vs.85).aspx).

**Security benefits**: [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. | -| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT

**Important**
Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.

**Security benefits**: Support for VBS and for management features that simplify configuration of Device Guard. | +| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT

**! Important*:*
Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.

**Security benefits**: Support for VBS and for management features that simplify configuration of Device Guard. | > **Important**  The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Device Guard can provide.