mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 13:27:23 +00:00
Merging changes synced from https://github.com/MicrosoftDocs/windows-docs-pr (branch live)
This commit is contained in:
commit
ef2f6353e9
@ -61,7 +61,9 @@
|
|||||||
## [Troubleshoot HoloLens](hololens-troubleshooting.md)
|
## [Troubleshoot HoloLens](hololens-troubleshooting.md)
|
||||||
## [Known issues](hololens-known-issues.md)
|
## [Known issues](hololens-known-issues.md)
|
||||||
## [Frequently asked questions](hololens-faq.md)
|
## [Frequently asked questions](hololens-faq.md)
|
||||||
|
## [Frequently asked security questions](hololens-faq-security.md)
|
||||||
## [Hololens services status](hololens-status.md)
|
## [Hololens services status](hololens-status.md)
|
||||||
|
## [SCEP Whitepaper](scep-whitepaper.md)
|
||||||
|
|
||||||
# [Release Notes](hololens-release-notes.md)
|
# [Release Notes](hololens-release-notes.md)
|
||||||
# [Give us feedback](hololens-feedback.md)
|
# [Give us feedback](hololens-feedback.md)
|
||||||
|
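Review bot: the new `## [SCEP Whitepaper](scep-whitepaper.md)` entry links to a file that does not appear among this commit's new files (only devices/hololens/hololens-faq-security.md is listed as a new file below), so the TOC link will be broken unless scep-whitepaper.md lands in the same change; the new security FAQ references the same target, so both break together. While touching this block, the neighbouring 'Hololens services status' entry should be 'HoloLens services status' to match the product name used in the other entries.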
@ -43,6 +43,7 @@ This FAQ addresses the following questions and issues:
|
|||||||
- [I'm having problems with the HoloLens clicker](#im-having-problems-with-the-hololens-clicker)
|
- [I'm having problems with the HoloLens clicker](#im-having-problems-with-the-hololens-clicker)
|
||||||
- [I can't connect to Wi-Fi](#i-cant-connect-to-wi-fi)
|
- [I can't connect to Wi-Fi](#i-cant-connect-to-wi-fi)
|
||||||
- [My HoloLens isn't running well, is unresponsive, or won't start](#my-hololens-isnt-running-well-is-unresponsive-or-wont-start)
|
- [My HoloLens isn't running well, is unresponsive, or won't start](#my-hololens-isnt-running-well-is-unresponsive-or-wont-start)
|
||||||
|
- [HoloLens Management Questions](#hololens-management-questions)
|
||||||
- [How do I delete all spaces?](#how-do-i-delete-all-spaces)
|
- [How do I delete all spaces?](#how-do-i-delete-all-spaces)
|
||||||
- [I cannot find or use the keyboard to type in the HoloLens 2 Emulator](#i-cannot-find-or-use-the-keyboard-to-type-in-the-hololens-2-emulator)
|
- [I cannot find or use the keyboard to type in the HoloLens 2 Emulator](#i-cannot-find-or-use-the-keyboard-to-type-in-the-hololens-2-emulator)
|
||||||
|
|
||||||
@ -204,6 +205,21 @@ If your device isn't performing properly, see [Restart, reset, or recover HoloLe
|
|||||||
|
|
||||||
[Back to list](#list)
|
[Back to list](#list)
|
||||||
|
|
||||||
|
## HoloLens Management Questions
|
||||||
|
|
||||||
|
1. **Can I use SCCM to manage the HoloLens?**
|
||||||
|
1. No. An MDM must be used to manage the HoloLens
|
||||||
|
1. **Can I use Active Directory to manage HoloLens user accounts?**
|
||||||
|
1. No, Azure AD must be used to manage user accounts.
|
||||||
|
1. **Is the HoloLens capable of ADCS auto enrollment?**
|
||||||
|
1. No
|
||||||
|
1. **Can the HoloLens participate in WNA/IWA?**
|
||||||
|
1. No
|
||||||
|
1. **Does the HoloLens support branding?**
|
||||||
|
1. No. However, one work around is to create a custom app and enable Kiosk mode. The custom app can have branding which can then launch other apps (such as Remote Assist). Another option is to change all of the users profile pictures in AAD to your company logo. (However, this may not be desirable for all scenarios)
|
||||||
|
1. **What logging capabilities are available on HL1 and HL2?**
|
||||||
|
1. Are the logging capabilities on HL1/HL2 similar to Windows computers?
|
||||||
|
|
||||||
## How do I delete all spaces?
|
## How do I delete all spaces?
|
||||||
|
|
||||||
*Coming soon*
|
*Coming soon*
|
||||||
|
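Review bot: the last item in the new section, 'What logging capabilities are available on HL1 and HL2?', is answered with another question ('Are the logging capabilities on HL1/HL2 similar to Windows computers?') rather than an answer; either supply the answer or hold the item until one exists. The bare 'No' answers for ADCS auto enrollment and WNA/IWA should expand the acronyms (Active Directory Certificate Services; Windows Authentication / Integrated Windows Authentication) and, for ADCS, point readers to the supported path this same change documents in the Certificates section (PFX or SCEP delivered through the MDM), so the 'No' does not read as 'no certificates at all'. Minor: 'An MDM must be used to manage the HoloLens' needs a period, 'work around' should be 'workaround', and 'users profile pictures' should be 'users' profile pictures'.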
@ -10,6 +10,7 @@ ms.topic: article
|
|||||||
ms.localizationpriority: high
|
ms.localizationpriority: high
|
||||||
ms.date: 1/23/2020
|
ms.date: 1/23/2020
|
||||||
ms.reviewer:
|
ms.reviewer:
|
||||||
|
audience: ITPro
|
||||||
manager: bradke
|
manager: bradke
|
||||||
appliesto:
|
appliesto:
|
||||||
- HoloLens (1st gen)
|
- HoloLens (1st gen)
|
||||||
@ -50,12 +51,12 @@ HoloLens does support a limited set of cloud disconnected experiences.
|
|||||||
|
|
||||||
### HoloLens Specific Network Requirements
|
### HoloLens Specific Network Requirements
|
||||||
|
|
||||||
Make sure that these ports and URLs are allowed on your network firewall. This will enable HoloLens to function properly. The latest list can be found [here](hololens-offline.md).
|
Make sure that [this list](hololens-offline.md) of endpoints are allowed on your network firewall. This will enable HoloLens to function properly.
|
||||||
|
|
||||||
### Remote Assist Specific Network Requirements
|
### Remote Assist Specific Network Requirements
|
||||||
|
|
||||||
1. The recommended bandwidth for optimal performance of Remote Assist is 1.5Mbps. Detailed network requirements and additional information can be found [here](https://docs.microsoft.com/MicrosoftTeams/prepare-network).
|
1. The recommended bandwidth for optimal performance of Remote Assist is 1.5Mbps. Detailed network requirements and additional information can be found [here](https://docs.microsoft.com/MicrosoftTeams/prepare-network).
|
||||||
**Please note, if you don’t network have network speeds of at least 1.5Mbps, Remote Assist will still work. However, quality may suffer.**
|
**(Please note, if you don’t network have network speeds of at least 1.5Mbps, Remote Assist will still work. However, quality may suffer).**
|
||||||
1. Make sure that these ports and URLs are allowed on your network firewall. This will enable Microsoft Teams to function. The latest list can be found [here](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges#skype-for-business-online-and-microsoft-teams).
|
1. Make sure that these ports and URLs are allowed on your network firewall. This will enable Microsoft Teams to function. The latest list can be found [here](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges#skype-for-business-online-and-microsoft-teams).
|
||||||
|
|
||||||
### Guides Specific Network Requirements
|
### Guides Specific Network Requirements
|
||||||
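Review bot: the rewritten Remote Assist note (now wrapped in parentheses) still carries the doubled word from the original, 'if you don’t network have network speeds'; the edit fixes punctuation but not the typo, and it should read 'if you don't have network speeds of at least 1.5 Mbps'. Also, 'Make sure that [this list](hololens-offline.md) of endpoints are allowed' has a subject/verb mismatch ('this list ... is allowed' or 'these endpoints are allowed'), and the unchanged Teams bullet below it still says 'these ports and URLs' even though, as in the HoloLens sentence just rewritten, the list is only linked rather than shown.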
@ -65,17 +66,17 @@ Guides only require network access to download and use the app.
|
|||||||
## Azure Active Directory Guidance
|
## Azure Active Directory Guidance
|
||||||
|
|
||||||
>[!NOTE]
|
>[!NOTE]
|
||||||
>This step is only necessary if your company plans on managing the HoloLens and mixed reality apps.
|
>This step is only necessary if your company plans on managing the HoloLens.
|
||||||
|
|
||||||
1. Ensure that you have an Azure AD License.
|
1. Ensure that you have an Azure AD License.
|
||||||
Please [HoloLens Licenses Requirements](hololens-licenses-requirements.md)for additional information.
|
Please [HoloLens Licenses Requirements](hololens-licenses-requirements.md) for additional information.
|
||||||
|
|
||||||
1. If you plan on using Auto Enrollment, you will have to [Configure Azure AD enrollment.](https://docs.microsoft.com/intune/deploy-use/.set-up-windows-device-management-with-microsoft-intune#azure-active-directory-enrollment)
|
1. If you plan on using Auto Enrollment, you will have to [Configure Azure AD enrollment.](https://docs.microsoft.com/intune/deploy-use/.set-up-windows-device-management-with-microsoft-intune#azure-active-directory-enrollment)
|
||||||
|
|
||||||
1. Ensure that your company’s users are in Azure Active Directory (Azure AD).
|
1. Ensure that your company’s users are in Azure Active Directory (Azure AD).
|
||||||
Instructions for adding users can be found [here](https://docs.microsoft.com/azure/active-directory/fundamentals/add-users-azure-active-directory).
|
Instructions for adding users can be found [here](https://docs.microsoft.com/azure/active-directory/fundamentals/add-users-azure-active-directory).
|
||||||
|
|
||||||
1. We suggest that users who will be need similar licenses are added to a group.
|
1. We suggest that users who need similar licenses are added to the same group.
|
||||||
1. [Create a Group](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal)
|
1. [Create a Group](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal)
|
||||||
1. [Add users to groups](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-members-azure-portal)
|
1. [Add users to groups](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-members-azure-portal)
|
||||||
|
|
||||||
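Review bot: the Auto Enrollment step's link target (unchanged context in this hunk) has a stray dot in the path, `https://docs.microsoft.com/intune/deploy-use/.set-up-windows-device-management-with-microsoft-intune#azure-active-directory-enrollment`; since the surrounding lines are already being edited, drop the `/.` so the link resolves. The fixed sentence 'Please [HoloLens Licenses Requirements](hololens-licenses-requirements.md) for additional information' gains its missing space but is still missing a verb ('Please see ...').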
@ -100,10 +101,10 @@ These steps ensure that your company’s users (or a group of users) can add dev
|
|||||||
### Ongoing device management
|
### Ongoing device management
|
||||||
|
|
||||||
>[!NOTE]
|
>[!NOTE]
|
||||||
>This step is only necessary if your company plans on managing the HoloLens and mixed reality apps.
|
>This step is only necessary if your company plans to manage the HoloLens.
|
||||||
Ongoing device management will depend on your mobile device management infrastructure. Most have the same general functionality but the user interface may vary widely.
|
Ongoing device management will depend on your mobile device management infrastructure. Most have the same general functionality but the user interface may vary widely.
|
||||||
|
|
||||||
1. [CSPs (Configuration Service Providers)](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices) allows you to create and deploy management settings for the devices on your network. Some CSPs are supported by HoloLens devices. (See the list of CSPs for HoloLens [here](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices)).
|
1. [CSPs (Configuration Service Providers)](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices) allows you to create and deploy management settings for the devices on your network. A list of CSPs for HoloLens can be found [here](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices).
|
||||||
|
|
||||||
1. [Compliance policies](https://docs.microsoft.com/intune/device-compliance-get-started) are rules and settings that devices must meet to be compliant in your corporate infrastructure. Use these policies with Conditional Access to block access to company resources for devices that are non-compliant. For example, you can create a policy that requires Bitlocker be enabled.
|
1. [Compliance policies](https://docs.microsoft.com/intune/device-compliance-get-started) are rules and settings that devices must meet to be compliant in your corporate infrastructure. Use these policies with Conditional Access to block access to company resources for devices that are non-compliant. For example, you can create a policy that requires Bitlocker be enabled.
|
||||||
|
|
||||||
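Review bot: the rewritten CSPs line keeps 'CSPs (Configuration Service Providers) ... allows you' with a plural subject; it should be 'allow you'. The same bullet now links the identical URL twice (the heading link and 'can be found [here]'); one link is enough. In the unchanged compliance bullet, 'requires Bitlocker be enabled' should be 'requires that BitLocker be enabled' (product name capitalization).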
@ -144,7 +145,7 @@ Read more about [installing apps on HoloLens](https://docs.microsoft.com/hololen
|
|||||||
|
|
||||||
### Certificates
|
### Certificates
|
||||||
|
|
||||||
You can distribute certifcates through your MDM provider. If your company requires certificates, Intune supports PKCS, PFX, and SCEP. It is important to understand which certificate is right for your company. Please visit [here](https://docs.microsoft.com/intune/protect/certificates-configure) to determine which cert is best for you. If you plan to use certs for HoloLens Authentication, PFX or SCEP may be right for you.
|
You can distribute certifcates through your MDM provider. If your company requires certificates, Intune supports PKCS, PFX, and SCEP. It is important to understand which certificate is right for your company. Please visit [here](https://docs.microsoft.com/intune/protect/certificates-configure) to determine which cert is best for you. If you plan to use certificates for HoloLens Authentication, PFX or SCEP may be right for you.
|
||||||
|
|
||||||
Steps for SCEP can be found [here](https://docs.microsoft.com/intune/protect/certificates-profile-scep).
|
Steps for SCEP can be found [here](https://docs.microsoft.com/intune/protect/certificates-profile-scep).
|
||||||
|
|
||||||
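Review bot: the edit changes 'certs' to 'certificates' at the end of the line but leaves 'certifcates' misspelled at the start of the same sentence, and 'which cert is best for you' in between; make the term consistent across the paragraph. 'HoloLens Authentication' should be lower-case 'authentication'. Since the new security FAQ in this commit states that the SCEP CSR is generated on the device and the key is held by the TPM, a sentence here noting that distinction when choosing between PFX and SCEP for device authentication would keep the two pages aligned.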
@ -161,8 +162,8 @@ Directions for upgrading to the commercial suite can be found [here](https://doc
|
|||||||
|
|
||||||
1. Check your app settings
|
1. Check your app settings
|
||||||
1. Log into your Microsoft Store Business account
|
1. Log into your Microsoft Store Business account
|
||||||
1. **Manage** > **Products and Services** > **Apps and Software** > **Select the app you want to sync** > **Private Store Availability** > **Select “Everyone” or “Specific Groups”*
|
1. **Manage > Products and Services > Apps and Software > Select the app you want to sync > Private Store Availability > Select “Everyone” or “Specific Groups”**
|
||||||
1. If you do not see your apps in **Intune** > **Client Apps** > **Apps** , you may have to [sync your apps](https://docs.microsoft.com/intune/apps/windows-store-for-business#synchronize-apps) again.
|
1. If you do not see your apps in **Intune > Client Apps > Apps** , you may have to [sync your apps](https://docs.microsoft.com/intune/apps/windows-store-for-business#synchronize-apps) again.
|
||||||
|
|
||||||
1. [Create a device profile for Kiosk mode](https://docs.microsoft.com/intune/configuration/kiosk-settings#create-the-profile)
|
1. [Create a device profile for Kiosk mode](https://docs.microsoft.com/intune/configuration/kiosk-settings#create-the-profile)
|
||||||
|
|
||||||
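Review bot: the bold-run consolidation is fine, but 'in **Intune > Client Apps > Apps** , you may have to' still has a space before the comma, and 'Log into your Microsoft Store Business account' should be 'Microsoft Store for Business', the name used by the linked sync article (windows-store-for-business).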
@ -183,4 +184,4 @@ Certificates can be deployed via you MDM (see "certificates" in the [MDM Section
|
|||||||
|
|
||||||
## Next (Optional) Step: [Configure HoloLens using a provisioning package](hololens-provisioning.md)
|
## Next (Optional) Step: [Configure HoloLens using a provisioning package](hololens-provisioning.md)
|
||||||
|
|
||||||
## Next Step: [Enroll your device](hololens-enroll-mdm.md)
|
## Next Step: [Enroll your device](hololens-enroll-mdm.md)
|
126
devices/hololens/hololens-faq-security.md
Normal file
@ -0,0 +1,126 @@
|
|||||||
|
---
|
||||||
|
title: Frequently Asked Security Questions
|
||||||
|
description: security questions frequently asked about the hololens
|
||||||
|
ms.assetid: bd55ecd1-697a-4b09-8274-48d1499fcb0b
|
||||||
|
author: pawinfie
|
||||||
|
ms.author: pawinfie
|
||||||
|
ms.date: 02/19/2020
|
||||||
|
keywords: hololens, Windows Mixed Reality, security
|
||||||
|
ms.prod: hololens
|
||||||
|
ms.sitesec: library
|
||||||
|
ms.topic: article
|
||||||
|
audience: ITPro
|
||||||
|
ms.localizationpriority: high
|
||||||
|
manager: bradke
|
||||||
|
appliesto:
|
||||||
|
- HoloLens 1 (1st gen)
|
||||||
|
- HoloLens 2
|
||||||
|
---
|
||||||
|
|
||||||
|
# Frequently Asked Security Questions
|
||||||
|
|
||||||
|
## HoloLens 1st Gen Security Questions
|
||||||
|
|
||||||
|
1. **What type of wireless is used?**
|
||||||
|
1. 802.11ac and Bluetooth 4.1 LE
|
||||||
|
1. **What type of architecture is incorporated? For example: point to point, mesh or something else?**
|
||||||
|
1. Wi-Fi can be used in infrastructure mode to communicate with other wireless access points.
|
||||||
|
1. Bluetooth can be used to talk peer to peer between multiple HoloLens if the customers application supports it or to other Bluetooth devices.
|
||||||
|
1. **What is FCC ID?**
|
||||||
|
1. C3K1688
|
||||||
|
1. **What frequency range and channels does the device operate on and is it configurable?**
|
||||||
|
1. Wi-Fi: The frequency range is not user configurable and depends on the country of use. In the US Wi-Fi uses both 2.4 GHz (1-11) channels and 5 GHz (36-64, 100-165) channels.
|
||||||
|
1. Bluetooth: Bluetooth uses the standard 2.4-2.48 GHz range.
|
||||||
|
1. **Can the device blacklist or white list specific frequencies?**
|
||||||
|
1. This is not controllable by the user/device
|
||||||
|
1. **What is the power level for both transmit and receive? Is it adjustable? What is the range of operation?**
|
||||||
|
1. Our emissions testing standards can be found [here](https://fccid.io/C3K1688). Range of operation is highly dependent on the access point and environment - but is roughly equivalent to other high-quality phones, tablets, or PCs.
|
||||||
|
1. **What is the duty cycle/lifetime for normal operation?**
|
||||||
|
1. 2-3hrs of active use and up to 2 weeks of standby time
|
||||||
|
1. Battery lifetime is unavailable.
|
||||||
|
1. **What is transmit and receive behavior when a tool is not in range?**
|
||||||
|
1. HoloLens transmit/receive follows the standard Wi-Fi/Bluetooth pattern. At the edge of its range, you'll probably notice input getting choppy until it fully disconnects, but after you get back in range it should quickly reconnect.
|
||||||
|
1. **What is deployment density per square foot?**
|
||||||
|
1. This is dependent on your network infrastructure.
|
||||||
|
1. **Can device use the infrastructure as a client?**
|
||||||
|
1. Yes
|
||||||
|
1. **What protocol is used?**
|
||||||
|
1. HoloLens does not use any proprietary protocols
|
||||||
|
1. **OS update frequency – What is the frequency of OS updates for the HL? Is there a set schedule? Does Microsoft release security patches as needed, etc.**
|
||||||
|
1. Microsoft does provide OS updates to HoloLens exactly the same way it is done for Windows 10. There are normally two major updates per year, one in spring, one in fall. As HoloLens is a Windows device, the update concept is the same as with any other Windows device. Microsoft releases Security patches as needed and follows the same concept as done on any other Windows device.
|
||||||
|
1. **OS hardening – What options are there to harden the OS? Can we remove or shutdown unnecessary apps or services?**
|
||||||
|
1. HoloLens behaves like a smartphone. It is comparable to other modern Windows devices. HoloLens can be managed by either Microsoft Intune or other Modern Device Management Solutions, like MobileIron, Airwatch, or Soti. There are Policies you can set in these Management Systems to put Security policies on the device and in order to harden the device. There is also the option in deleting any unnecessary applications if wanted.
|
||||||
|
1. **How will software applications be managed and updated? What control do we have to define what apps are loaded and app update process for apps that are living in the Microsoft store?**
|
||||||
|
1. HoloLens gets software applications only through the Windows store. Only Appx Application Packages can be installed, which are developed for the Use of HoloLens. You can see this in the Microsoft Store with a little logo next to the application which shows the HoloLens device. Any control that you have over the management of Store applications also applies to HoloLens. You can use the concept of the official store or the store for business. Apps can either be side-loaded (manual process to load an app on a Windows device) or can be managed through an MDM so that apps are automatically pulled from the store when needed.
|
||||||
|
1. **What is the frequency of updates to apps in the store for HoloLens?**
|
||||||
|
1. As we follow the same concept of the Microsoft Store and pull apps from there, the update cycle is determined by the developer of the Application. All management options that you have to control the update mechanism in the store apply to HoloLens as well.
|
||||||
|
1. **Is there a secure boot capability for the HoloLens?**
|
||||||
|
1. Yes
|
||||||
|
1. **Is there an ability to disable or disconnect peripheral support from the device?**
|
||||||
|
1. Yes
|
||||||
|
1. **Is there an ability to control or disable the use of ports on the device?**
|
||||||
|
1. The HoloLens only contains 2 ports (one for headphones and one for charging or connecting to PCs). There is not ability to disable the port due to functionality and recovery reasons.
|
||||||
|
1. **Antivirus, end point detection, IPS, app control whitelist – Any ability to run antivirus, end point detection, IPS, app control whitelist, etc.**
|
||||||
|
1. Windows Holographic for Business (commercial suite) does support Windows Defender Smart Screen. If an antivirus company were to create and publish their app to the Universal Windows Platform, it could be downloaded on HoloLens. At present, no companies have done this for HoloLens.
|
||||||
|
1. Whitelisting apps is possible by using the Microsoft Enterprise Store, where you can choose only what specific apps can be downloaded. Also, through MDM you can lock what specific apps can be run or even seen on the device.
|
||||||
|
1. **Can we quarantine the device from prod network until we update the device if it has been offline for an extended period of time? Ex. Device has been sitting in a drawer not powered up for a period (6 months) and has not received any updates, patches, etc. When it tries to come on the network can we flag it and say you must update on another network prior to being complaint to join the network.**
|
||||||
|
1. This is something that can be managed on the infrastructure level by either an MDM or an on-prem server. The device can be flagged as not compliant if it does not meet a specified Update version.
|
||||||
|
1. **Does Microsoft include any back doors or access to services that allows Microsoft to connect to the device for screen sharing or remote support at will?**
|
||||||
|
1. No
|
||||||
|
1. **When a PKI cert is being generated for trusted communication, we want the cert to be generated on the device so that we know it’s only on that device, unique to that device, and can’t be exported or used to impersonate the device. Is this true on HoloLens? If not is there a potential mitigation?**
|
||||||
|
1. CSR for SCEP is generated on the device itself. Intune and the on premise SCEP connector help secure the requests themselves by adding and verifying a challenge string that’s sent to the client.
|
||||||
|
1. Since HoloLens (1st Gen and 2nd Gen) have a TPM module, these certs would be stored in the TPM module, and are unable to be extracted. Additionally, even if it could be extracted, the challenge strings couldn’t be verified on a different device, rendering the certs/key unusable on different devices.
|
||||||
|
1. **SCEP is vulnerable. How does Microsoft mitigate the known vulnerabilities of SCEP?**
|
||||||
|
1. This [SCEP Whitepaper](scep-whitepaper.md) addresses how Microsoft mitigates SCEP vulnerabilities.
|
||||||
|
|
||||||
|
## HoloLens 2nd Gen Security Questions
|
||||||
|
|
||||||
|
1. **What type of wireless is used?**
|
||||||
|
1. 802.11ac and Bluetooth 5.0
|
||||||
|
1. **What type of architecture is incorporated? For example: point to point, mesh or something else?**
|
||||||
|
1. Wi-Fi can be used in infrastructure mode to communicate with other wireless access points.
|
||||||
|
1. Bluetooth can be used to talk peer to peer between multiple HoloLens if the customers application supports it or to other Bluetooth devices.
|
||||||
|
1. **What is FCC ID?**
|
||||||
|
1. C3K1855
|
||||||
|
1. **What frequency range and channels does the device operate on and is it configurable?**
|
||||||
|
1. Wi-Fi: The frequency range is not user configurable and depends on the country of use. In the US Wi-Fi uses both 2.4 GHz (1-11) channels and 5 GHz (36-64, 100-165) channels.
|
||||||
|
1. **Can the device blacklist or white list specific frequencies?**
|
||||||
|
1. This is not controllable by the user/device
|
||||||
|
1. **What is the power level for both transmit and receive? Is it adjustable? What is the range of operation?**
|
||||||
|
1. Wireless power levels depend on the channel of operation. Devices are calibrated to perform at the highest power levels allowed based on the region’s regulatory rules.
|
||||||
|
1. **What is the duty cycle/lifetime for normal operation?**
|
||||||
|
1. *Currently unavailable.*
|
||||||
|
1. **What is transmit and receive behavior when a tool is not in range?**
|
||||||
|
1. HoloLens transmit/receive follows the standard Wi-Fi/Bluetooth pattern. At the edge of its range, you'll probably notice input getting choppy until it fully disconnects, but after you get back in range it should quickly reconnect.
|
||||||
|
1. **What is deployment density per square foot?**
|
||||||
|
1. This is dependent on your network infrastructure.
|
||||||
|
1. **Can device use the infrastructure as a client?**
|
||||||
|
1. Yes
|
||||||
|
1. **What protocol is used?**
|
||||||
|
1. HoloLens does not use any proprietary protocols
|
||||||
|
1. **OS update frequency – What is the frequency of OS updates for the HL? Is there a set schedule? Does Microsoft release security patches as needed, etc.**
|
||||||
|
1. Microsoft does provide OS updates to HoloLens exactly the same way it is done for Windows 10. There are normally two major updates per year, one in spring, one in fall. As HoloLens is a Windows device, the update concept is the same as with any other Windows device. Microsoft releases Security patches as needed and follows the same concept as done on any other Windows device.
|
||||||
|
1. **OS hardening – What options are there to harden the OS? Can we remove or shutdown unnecessary apps or services?**
|
||||||
|
1. HoloLens behaves like a smartphone. It is comparable to other modern Windows devices. HoloLens can be managed by either Microsoft Intune or other Modern Device Management Solutions, like MobileIron, Airwatch, or Soti. There are Policies you can set in these Management Systems to put Security policies on the device and in order to harden the device. There is also the option in deleting any unnecessary applications if wanted.
|
||||||
|
1. **How will software applications be managed and updated? What control do we have to define what apps are loaded and app update process for apps that are living in the Microsoft store?**
|
||||||
|
1. HoloLens gets software applications only through the Windows store. Only Appx Application Packages can be installed, which are developed for the Use of HoloLens. You can see this in the Microsoft Store with a little logo next to the application which shows the HoloLens device. Any control that you have over the management of Store applications also applies to HoloLens. You can use the concept of the official store or the store for business. Apps can either be side-loaded (manual process to load an app on a Windows device) or can be managed through an MDM so that apps are automatically pulled from the store when needed.
|
||||||
|
1. **What is the frequency of updates to apps in the store for HoloLens?**
|
||||||
|
1. As we follow the same concept of the Microsoft Store and pull apps from there, the update cycle is determined by the developer of the Application. All management options that you have to control the update mechanism in the store apply to HoloLens as well.
|
||||||
|
1. **Is there a secure boot capability for the HoloLens?**
|
||||||
|
1. Yes
|
||||||
|
1. **Is there an ability to disable or disconnect peripheral support from the device?**
|
||||||
|
1. Yes
|
||||||
|
1. **Is there an ability to control or disable the use of ports on the device?**
|
||||||
|
1. The HoloLens only contains 2 ports (one for headphones and one for charging or connecting to PCs). There is not ability to disable the port due to functionality and recovery reasons.
|
||||||
|
1. **Antivirus, end point detection, IPS, app control whitelist – Any ability to run antivirus, end point detection, IPS, app control whitelist, etc.**
|
||||||
|
1. HoloLens 2nd Gen supports Windows Defender Smart Screen. If an antivirus company were to create and publish their app to the Universal Windows Platform, it could be downloaded on HoloLens. At present, no companies have done this for HoloLens.
|
||||||
|
1. Whitelisting apps is possible by using the Microsoft Enterprise Store, where you can choose only what specific apps can be downloaded. Also, through MDM you can lock what specific apps can be run or even seen on the device.
|
||||||
|
1. **Can we quarantine the device from prod network until we update the device if it has been offline for an extended period of time? Ex. Device has been sitting in a drawer not powered up for a period (6 months) and has not received any updates, patches, etc. When it tries to come on the network can we flag it and say you must update on another network prior to being complaint to join the network.**
|
||||||
|
1. This is something that can be managed on the infrastructure level by either an MDM or an on-prem server. The device can be flagged as not compliant if it does not meet a specified Update version.
|
||||||
|
1. **Does Microsoft include any back doors or access to services that allows Microsoft to connect to the device for screen sharing or remote support at will?**
|
||||||
|
1. No
|
||||||
|
1. **When a PKI cert is being generated for trusted communication, we want the cert to be generated on the device so that we know it’s only on that device, unique to that device, and can’t be exported or used to impersonate the device. Is this true on HoloLens? If not is there a potential mitigation?**
|
||||||
|
1. CSR for SCEP is generated on the device itself. Intune and the on premise SCEP connector help secure the requests themselves by adding and verifying a challenge string that’s sent to the client.
|
||||||
|
1. Since HoloLens (1st Gen and 2nd Gen) have a TPM module, these certs would be stored in the TPM module, and are unable to be extracted. Additionally, even if it could be extracted, the challenge strings couldn’t be verified on a different device, rendering the certs/key unusable on different devices.
|
||||||
|
1. **SCEP is vulnerable. How does Microsoft mitigate the known vulnerabilities of SCEP?**
|
||||||
|
1. This [SCEP Whitepaper](scep-whitepaper.md) addresses how Microsoft mitigates SCEP vulnerabilities.
|
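Review bot: the 1st Gen and 2nd Gen sections repeat roughly twenty answers word for word (update cadence, OS hardening, app management, ports, antivirus, quarantine, PKI/SCEP), so the two copies will drift apart; move the shared answers into a common section and keep only the hardware-specific items (wireless standard, FCC ID, channels, power, battery) per generation. In the PKI answer (both copies), 'these certs would be stored in the TPM module, and are unable to be extracted' should say that the private key is what the TPM protects and makes non-exportable; the certificate itself is public and is meant to be presented. The follow-on claim that 'the challenge strings couldn’t be verified on a different device' needs qualifying: the preceding sentence describes the challenge as something sent to the client to secure the enrollment request, so it protects issuance, and it is the TPM-bound key, not the challenge, that stops an issued credential from being used elsewhere. The bare 'Yes' answers for secure boot and for disabling peripherals would be more useful with a pointer to the MDM policy that controls them, as the quarantine answer does for compliance. Other items: the 2nd Gen 'What frequency range' answer drops the Bluetooth bullet the 1st Gen copy has; the 1st Gen duty-cycle answer gives '2-3hrs of active use' and then 'Battery lifetime is unavailable.', which contradicts itself, while the 2nd Gen copy is a '*Currently unavailable.*' placeholder; 'Can device use the infrastructure as a client?', 'There is not ability to disable the port', 'customers application', 'on premise SCEP connector' and 'prior to being complaint' (should be 'compliant') need grammar fixes; 'Windows Defender Smart Screen' is 'Windows Defender SmartScreen'; 'blacklist or white list' could become 'block or allow'; and the front matter value 'HoloLens 1 (1st gen)' differs from 'HoloLens (1st gen)' used in the other files touched by this commit.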
@ -10,6 +10,7 @@ ms.topic: article
|
|||||||
ms.localizationpriority: high
|
ms.localizationpriority: high
|
||||||
ms.date: 1/23/2020
|
ms.date: 1/23/2020
|
||||||
ms.reviewer:
|
ms.reviewer:
|
||||||
|
audience: ITPro
|
||||||
manager: bradke
|
manager: bradke
|
||||||
appliesto:
|
appliesto:
|
||||||
- HoloLens (1st gen)
|
- HoloLens (1st gen)
|
||||||
@ -35,16 +36,6 @@ You may need to upgrade your HoloLens 1st Gen Device to Windows Holographic for
|
|||||||
- Acquire a HoloLens Enterprise license XML file
|
- Acquire a HoloLens Enterprise license XML file
|
||||||
- Apply the XML file to the HoloLens. You can do this through a [Provisioning package](hololens-provisioning.md) or through your [Mobile Device Manager](https://docs.microsoft.com/intune/configuration/holographic-upgrade)
|
- Apply the XML file to the HoloLens. You can do this through a [Provisioning package](hololens-provisioning.md) or through your [Mobile Device Manager](https://docs.microsoft.com/intune/configuration/holographic-upgrade)
|
||||||
|
|
||||||
Some of the HoloLens configurations you can apply in a provisioning package:
|
|
||||||
|
|
||||||
- Apply certificates to the device
|
|
||||||
- Set up a Wi-Fi connection
|
|
||||||
- Pre-configure out of box questions like language and locale
|
|
||||||
- (HoloLens 2) bulk enroll in mobile device management
|
|
||||||
- (HoloLens v1) Apply key to enable Windows Holographic for Business
|
|
||||||
|
|
||||||
Follow [this guide](hololens-provisioning.md) to create and apply a provisioning package to HoloLens.
|
|
||||||
|
|
||||||
### Remote Assist License Requirements
|
### Remote Assist License Requirements
|
||||||
|
|
||||||
Make sure you have the required licensing and device. Updated licensing and product requirements can be found [here](https://docs.microsoft.com/dynamics365/mixed-reality/remote-assist/requirements).
|
Make sure you have the required licensing and device. Updated licensing and product requirements can be found [here](https://docs.microsoft.com/dynamics365/mixed-reality/remote-assist/requirements).
|
||||||
|
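Review bot: this hunk removes the "Some of the HoloLens configurations you can apply in a provisioning package" list together with the "Follow [this guide](hololens-provisioning.md) to create and apply a provisioning package" line, so the only remaining pointer on this page is the inline "[Provisioning package](hololens-provisioning.md)" link in the "Apply the XML file" bullet. The deleted "(HoloLens v1) Apply key to enable Windows Holographic for Business" item is the one step that is specific to this upgrade page, and the list is re-added to hololens-requirements.md later in this commit; consider keeping a one-line cross-reference here so the upgrade reader knows where that step went.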
@ -54,7 +54,7 @@ Provisioning packages can include management instructions and policies, customiz
|
|||||||
### 1. Install Windows Configuration Designer on your PC. (There are two ways to do this).
|
### 1. Install Windows Configuration Designer on your PC. (There are two ways to do this).
|
||||||
|
|
||||||
1. **Option 1:** [From Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22)
|
1. **Option 1:** [From Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22)
|
||||||
2. **Option 2:** [From the Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). If you install Windows Configurations Designer from the Windows ADK, select **Configuration Designer** from the **Select the features you want to install** dialog box.
|
2. **Option 2:** [From the Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). If you install Windows Configurations Designer from the Windows ADK, select **Configuration Designer** from the **Select the features you want to install** dialog box.
|
||||||
|
|
||||||
### 2. Create the Provisioning Package
|
### 2. Create the Provisioning Package
|
||||||
|
|
||||||
|
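Review bot: the Option 2 line still reads "If you install Windows Configurations Designer from the Windows ADK" on both sides of this hunk; since the line is being touched, fix the product name to "Windows Configuration Designer", matching the "### 1. Install Windows Configuration Designer on your PC" heading and Option 1 in the same hunk. The hunk otherwise shows no visible text change, so it is presumably a whitespace or line-ending edit; worth confirming before merge.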
@ -6,6 +6,7 @@ ms.sitesec: library
|
|||||||
ms.assetid: 88bf50aa-0bac-4142-afa4-20b37c013001
|
ms.assetid: 88bf50aa-0bac-4142-afa4-20b37c013001
|
||||||
author: scooley
|
author: scooley
|
||||||
ms.author: scooley
|
ms.author: scooley
|
||||||
|
audience: ITPro
|
||||||
ms.topic: article
|
ms.topic: article
|
||||||
ms.localizationpriority: medium
|
ms.localizationpriority: medium
|
||||||
ms.date: 07/15/2019
|
ms.date: 07/15/2019
|
||||||
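Review bot: `ms.date: 07/15/2019` is left unchanged in this hololens-requirements.md frontmatter hunk while the same file gains a new security-review sentence, a rewritten deployment step and the provisioning-package list in later hunks of this commit; bump `ms.date` alongside the added `audience: ITPro` line so the page's published date matches its content.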
@ -13,14 +14,16 @@ ms.date: 07/15/2019
|
|||||||
|
|
||||||
# Deploy HoloLens in a commercial environment
|
# Deploy HoloLens in a commercial environment
|
||||||
|
|
||||||
You can deploy and configure HoloLens at scale in a commercial setting. This article provides instructions for deploying HoloLens devices in a commercial environment. This guide assumes basic familiarity with HoloLens. Follow the [get started guide](hololens1-setup.md) to set up HoloLens for the first time.
|
You can deploy and configure HoloLens at scale in a commercial setting. This article provides instructions for deploying HoloLens devices in a commercial environment. This guide assumes basic familiarity with HoloLens. Follow the [get started guide](hololens1-setup.md) to set up HoloLens for the first time.
|
||||||
|
|
||||||
|
This document also assumes that the HoloLens has been evaluated by security teams as safe to use on the corporate network. Frequently asked security questions can be found [here](hololens-faq-security.md)
|
||||||
|
|
||||||
## Overview of Deployment Steps
|
## Overview of Deployment Steps
|
||||||
|
|
||||||
1. [Determine what features you need](hololens-requirements.md#step-1-determine-what-you-need)
|
1. [Determine what features you need](hololens-requirements.md#step-1-determine-what-you-need)
|
||||||
1. [Determine what licenses you need](hololens-licenses-requirements.md)
|
1. [Determine what licenses you need](hololens-licenses-requirements.md)
|
||||||
1. [Configure your network for HoloLens](hololens-commercial-infrastructure.md).
|
1. [Configure your network for HoloLens](hololens-commercial-infrastructure.md).
|
||||||
1. This section includes bandwidth requirements, URL and Ports that need to be whitelisted on your firewall, Azure AD guidance, Mobile Device Management Guidance, app deployment/management guidance, and certificate guidance.
|
1. This section includes bandwidth requirements, URL, and ports that need to be whitelisted on your firewall; Azure AD guidance; Mobile Device Management (MDM) Guidance; app deployment/management guidance; and certificate guidance.
|
||||||
1. (Optional) [Configure HoloLens using a provisioning package](hololens-provisioning.md)
|
1. (Optional) [Configure HoloLens using a provisioning package](hololens-provisioning.md)
|
||||||
1. [Enroll Device](hololens-enroll-mdm.md)
|
1. [Enroll Device](hololens-enroll-mdm.md)
|
||||||
1. [Set up ring based updates for HoloLens](hololens-updates.md)
|
1. [Set up ring based updates for HoloLens](hololens-updates.md)
|
||||||
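Review bot: the added sentence "This document also assumes that the HoloLens has been evaluated by security teams as safe to use on the corporate network. Frequently asked security questions can be found [here](hololens-faq-security.md)" is missing its terminal period, and "here" is a non-descriptive link text; suggest "...see the [HoloLens security FAQ](hololens-faq-security.md)." In the rewritten step 3 sub-bullet, "bandwidth requirements, URL, and ports that need to be whitelisted on your firewall;" reads as if "URL" were a separate item from the ports; "the URLs and ports that must be allowed through your firewall" says what is meant.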
@ -40,37 +43,35 @@ Kiosk mode is a way to restrict the apps that a user has access to. This means t
|
|||||||
|
|
||||||
**What Kiosk Mode do I require?**
|
**What Kiosk Mode do I require?**
|
||||||
|
|
||||||
There are two types of Kiosk Modes: Single app and multi-app. Single app kiosk mode allows user to only access one app while multi-app kiosk mode allows users to access multiple specified apps. To determine which kiosk mode is right for your corporation, the following two questions need to be answered:
|
There are two types of Kiosk Modes: Single app and multi-app. Single app kiosk mode allows user to only access one app while multi-app kiosk mode allows users to access multiple, specified apps. To determine which kiosk mode is right for your corporation, the following two questions need to be answered:
|
||||||
|
|
||||||
1. **Do different users who are require different experiences/restrictions?** Example, User A is a field service engineer who only needs access to Remote Assist. User B is a trainee who only needs access to guides… etc.
|
1. **Do different users require different experiences/restrictions?** Consider the following example: User A is a field service engineer who only needs access to Remote Assist. User B is a trainee who only needs access to Guides.
|
||||||
1. If yes, you will require the following:
|
1. If yes, you will require the following:
|
||||||
1. Azure AD Accounts as the method of signing into the devices.
|
1. Azure AD Accounts as the method of signing into the device.
|
||||||
1. Multi-app kiosk mode.
|
1. **Multi-app** kiosk mode.
|
||||||
1. If no, continue to question two
|
1. If no, continue to question two
|
||||||
1. **Do you require a multi-app experience?**
|
1. **Do you require a multi-app experience?**
|
||||||
1. If yes, Multi-app kiosk is mode is needed
|
1. If yes, **Multi-app** kiosk is mode is needed
|
||||||
1. If your answer to question 1 and 2 are both no, Single-app kiosk mode can be used
|
1. If your answer to question 1 and 2 are both no, **single-app** kiosk mode can be used
|
||||||
|
|
||||||
**How to set up Kiosk Mode**
|
**How to Configure Kiosk Mode:**
|
||||||
|
|
||||||
There are two main ways ([provisioning packages](hololens-kiosk.md#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) and [MDM](hololens-kiosk.md#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803)) to deploy kiosk mode for HoloLens. These options will be discussed later in the document; however, you can use the links above to jump to the respective sections in this doc.
|
There are two main ways ([provisioning packages](hololens-kiosk.md#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) and [MDM](hololens-kiosk.md#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803)) to deploy kiosk mode for HoloLens. These options will be discussed later in the document; however, you can use the links above to jump to the respective sections in this doc.
|
||||||
|
|
||||||
### Apps
|
### Apps
|
||||||
|
|
||||||
This deployment guide will cover the following types of apps:
|
The majority of the steps found in this document will also apply to the following apps:
|
||||||
|
|
||||||
1. Remote Assist
|
1. Remote Assist
|
||||||
2. Guides
|
2. Guides
|
||||||
3. Customer Apps
|
3. Customer Apps
|
||||||
|
|
||||||
Each step in this document will include instructions for each specific app.
|
|
||||||
|
|
||||||
### Type of identity
|
### Type of identity
|
||||||
|
|
||||||
Determine the type of identity that will be used to sign into the device.
|
Determine the type of identity that will be used to sign into the device.
|
||||||
|
|
||||||
1. **Local Accounts:** This account is local to the device (like a local admin account on a windows PC). This will allow only 1 user to log into the device.
|
1. **Local Accounts:** This account is local to the device (like a local admin account on a windows PC). This will allow only 1 user to log into the device.
|
||||||
2. **MSA:** This will be a personal account (like outlook, hotmail, gmail, yahoo, etc.) This will allow only 1 user to log into the device.
|
2. **MSA:** This is a personal account (like outlook, hotmail, gmail, yahoo, etc.) This will allow only 1 user to log into the device.
|
||||||
3. **Azure Active Directory (Azure AD) accounts:** This is an account created in Azure AD. This grants your corporation the ability to manage the HoloLens device. This will allow multiple users to log into the HoloLens 1st Gen Commercial Suite/the HoloLens 2 device.
|
3. **Azure Active Directory (Azure AD) accounts:** This is an account created in Azure AD. This grants your corporation the ability to manage the HoloLens device. This will allow multiple users to log into the HoloLens 1st Gen Commercial Suite/the HoloLens 2 device.
|
||||||
|
|
||||||
### Determine your enrollment method
|
### Determine your enrollment method
|
||||||
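Review bot: "If yes, **Multi-app** kiosk is mode is needed" keeps the doubled "is mode is" from the old text although the hunk rewrites the line to bold "Multi-app"; it should read "If yes, **multi-app** kiosk mode is needed". In the same hunk the capitalization of "**Multi-app**" versus "**single-app**" is inconsistent across the three answers, and "**How to Configure Kiosk Mode:**" is bold text with a trailing colon while the neighbouring sub-sections ("### Apps", "### Type of identity") are H3 headings; use the same form for all of them.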
@ -87,17 +88,27 @@ Determine the type of identity that will be used to sign into the device.
|
|||||||
|
|
||||||
More information can be found [here](hololens-enroll-mdm.md)
|
More information can be found [here](hololens-enroll-mdm.md)
|
||||||
|
|
||||||
### Determine if you need a provisioning package
|
### Determine if you need to create a provisioning package
|
||||||
|
|
||||||
There are two methods to configure a HoloLens device (Provisioning packages and MDMs). We suggest using your MDM to configure you HoloLens device, however, there are some scenarios where using a provisioning package is the better choice:
|
There are two methods to configure a HoloLens device (Provisioning packages and MDMs). We suggest using your MDM to configure you HoloLens device. However, there are some scenarios where using a provisioning package is the better choice:
|
||||||
|
|
||||||
1. You want to skip the Out of Box Experience (OOBE)
|
1. You want to configure the HoloLens to skip the Out of Box Experience (OOBE)
|
||||||
1. You are having trouble deploying certificate in a complex network. The majority of the time you can deploy certificates using MDM (even in complex environments). However, some scenarios require certificates to be deployed through the provisioning package.
|
1. You are having trouble deploying certificate in a complex network. The majority of the time you can deploy certificates using MDM (even in complex environments). However, some scenarios require certificates to be deployed through the provisioning package.
|
||||||
|
|
||||||
|
Some of the HoloLens configurations you can apply in a provisioning package:
|
||||||
|
|
||||||
|
- Apply certificates to the device
|
||||||
|
- Set up a Wi-Fi connection
|
||||||
|
- Pre-configure out of box questions like language and locale
|
||||||
|
- (HoloLens 2) bulk enroll in mobile device management
|
||||||
|
- (HoloLens v1) Apply key to enable Windows Holographic for Business
|
||||||
|
|
||||||
|
If you decide to use provisioning packages, follow [this guide](hololens-provisioning.md).
|
||||||
|
|
||||||
## Next Step: [Determine what licenses you need](hololens-licenses-requirements.md)
|
## Next Step: [Determine what licenses you need](hololens-licenses-requirements.md)
|
||||||
|
|
||||||
## Get support
|
## Get support
|
||||||
|
|
||||||
Get support through the Microsoft support site.
|
Get support through the Microsoft support site.
|
||||||
|
|
||||||
[File a support request](https://support.microsoft.com/supportforbusiness/productselection?sapid=e9391227-fa6d-927b-0fff-f96288631b8f).
|
[File a support request](https://support.microsoft.com/supportforbusiness/productselection?sapid=e9391227-fa6d-927b-0fff-f96288631b8f)
|
||||||
|
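Review bot: "We suggest using your MDM to configure you HoloLens device." keeps the "you" for "your" typo even though the sentence is rewritten in this hunk, and the next bullet "You are having trouble deploying certificate in a complex network" should say "certificates". In the list moved in from the upgrade page earlier in this commit, the device names "(HoloLens 2)" and "(HoloLens v1)" differ from "HoloLens (1st gen)" used in this file's frontmatter; align to one form. Dropping the period from "[File a support request](...)" is fine, but the sentence above it, "Get support through the Microsoft support site.", still ends with one.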
BIN
devices/hololens/images/mdm-enrollment-error.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 75 KiB |
77
devices/hololens/scep-whitepaper.md
Normal file
@ -0,0 +1,77 @@
|
|||||||
|
---
|
||||||
|
title: SCEP Whitepaper
|
||||||
|
description: A whitepaper that describes how Microsoft mitigates the vulnerabilities of SCEP.
|
||||||
|
ms.assetid: bd55ecd1-697a-4b09-8274-48d1499fcb0b
|
||||||
|
author: pawinfie
|
||||||
|
ms.author: pawinfie
|
||||||
|
ms.date: 02/12/2020
|
||||||
|
keywords: hololens, Windows Mixed Reality, security
|
||||||
|
ms.prod: hololens
|
||||||
|
ms.sitesec: library
|
||||||
|
ms.topic: article
|
||||||
|
audience: ITPro
|
||||||
|
ms.localizationpriority: high
|
||||||
|
appliesto:
|
||||||
|
- HoloLens 1 (1st gen)
|
||||||
|
- HoloLens 2
|
||||||
|
---
|
||||||
|
|
||||||
|
# SCEP Whitepaper
|
||||||
|
|
||||||
|
## High Level
|
||||||
|
|
||||||
|
### How the SCEP Challenge PW is secured
|
||||||
|
|
||||||
|
We work around the weakness of the SCEP protocol by generating custom challenges in Intune itself. The challenge string we create is signed/encrypted, and contains the information we’ve configured in Intune for certificate issuance into the challenge blob. This means the blob used as the challenge string contains the expected CSR information like the Subject Name, Subject Alternative Name, and other attributes.
|
||||||
|
|
||||||
|
We then pass that to the device and then the device generates it’s CSR and passes it, and the blob to the SCEP URL it received in the MDM profile. On NDES servers running the Intune SCEP module we perform a custom challenge validation that validates the signature on the blob, decrypts the challenge blob itself, compare it to the CSR received, and then determine if we should issue the cert. If any portion of this check fails then the certificate request is rejected.
|
||||||
|
|
||||||
|
## Behind the scenes
|
||||||
|
|
||||||
|
### Intune Connector has a number of responsibilities
|
||||||
|
|
||||||
|
1. The connector is SCEP policy module which contains a "Certification Registration Point" component which interacts with the Intune service, and is responsible for validating, and securing the SCEP request coming into the NDES server.
|
||||||
|
|
||||||
|
1. The connector will install an App Pool on the NDES IIS server > Microsoft Intune CRP service Pool, and a CertificateRegistrationSvc under the "Default Web Site" on IIS.
|
||||||
|
|
||||||
|
1. **When the Intune NDES connector is first configured/setup on the NDES server, a certificate is issued from the Intune cloud service to the NDES server. This cert is used to securely communicate with the Intune cloud service - customer tenant. The cert is unique to the customers NDES server. Can be viewed in Certlm.msc issued by SC_Online_Issuing. This certs Public key is used by Intune in the cloud to encrypt the challenge blob. In addition, when the connector is configured, Intune's public key is sent to the NDES server.**
|
||||||
|
>[!NOTE]
|
||||||
|
>The connector communication with Intune is strictly outbound traffic.
|
||||||
|
|
||||||
|
1. The Intune cloud service combined with the Intune connector/policy module addresses the SCEP protocol challenge password weakness (in the SCEP protocol) by generating a custom challenge. The challenge is generated in Intune itself.
|
||||||
|
|
||||||
|
1. In the challenge blob, Intune puts information that we expect in the cert request (CSR - Certificate Signing Request) coming from a mobile device like the following: what we expect the Subject and SAN (validated against AAD attributes/properties of the user/device) to be, and specifics contained in the Intune SCEP profile that is created by an Intune admin, i.e., Request Handling, EKU, Renewal, validity period, key size, renewal period.
|
||||||
|
>[!NOTE]
|
||||||
|
>The Challenge blob is Encrypted with the Connectors Public Key, and Signed with Intune's (cloud service) Private Key. The device cannot decrypt the challenge
|
||||||
|
|
||||||
|
1. When an Intune admin creates a SCEP profile in their tenant, Intune will send the SCEP profile payload along with the Encrypted and Signed Challenge to the targeted device. The device generates a CSR, and reaches out to NDES URL (contained in the SCEP profile). The device cert request payload contains the CSR, and the encrypted, signed challenge blob.
|
||||||
|
|
||||||
|
1. When the device reaches out to the NDES server (via the NDES/SCEP URL provided in the SCEP Profile payload), the SCEP cert request validation is performed by the policy module running on the NDES server. The challenge signature is verified using Intune's public key (which is on the NDES server, when the connector was installed and configured) and decrypted using the connectors private key. The policy module compares the CSR details against the decrypted challenge and determines if a cert should be issued. If the CSR passes validation, the NDES server requests a certificate from the CA on behalf of the user/device.
|
||||||
|
>[!NOTE]
|
||||||
|
>The above process takes place on the NDES server running the Policy Module. No interaction with the Intune cloud service takes place.
|
||||||
|
|
||||||
|
1. The NDES connector notification/reporting of cert delivery takes place after NDES sends the issued cert to the device. This is performed as a separate operation outside the cert request flow. Meaning that once NDES sends the cert to the device via the AAD app proxy (or other publishing firewall/proxy, a log is written with the cert delivery details on the NDES server by the connector (file location \Program Files\Microsoft Intune\CertificateRequestStatus\Succeed\ folder. The connector will look here, and send updates to Intune.
|
||||||
|
|
||||||
|
1. The mobile device must be enrolled in Intune. If not, we reject the request as well
|
||||||
|
|
||||||
|
1. The Intune connector disables the standard NDES challenge password request URL on the NDES server.
|
||||||
|
|
||||||
|
1. The NDES server SCEP URI in most customer deployments is made available to the internet via Azure App Proxy, or an on-prem reverse proxy, i.e. F5.
|
||||||
|
>[!NOTE]
|
||||||
|
>The Azure App Proxy is an outbound-only connection over Port 443, from the customers onprem network where the App Proxy connector is running on a server. The AAD app proxy can also be hosted on the NDES server. No inbound ports required when using Azure App Proxy.
|
||||||
|
|
||||||
|
1. The mobile device talks only to the NDES URI
|
||||||
|
|
||||||
|
1. Side note: AAD app proxy's role is to make onprem resources (like NDES and other customer onprem web services) securely available to the internet.
|
||||||
|
|
||||||
|
1. The Intune connector must communicate with the Intune cloud service. The connector communication will not go through the Azure App Proxy. The connector will talk with the Intune cloud service via whatever mechanism a customer has onprem to allow outbound traffic to the internet, i.e. Internal proxy service.
|
||||||
|
>[!NOTE]
|
||||||
|
> if a proxy is used by the customer, no SSL packet inspection can take place for the NDES/Connector server going out.
|
||||||
|
|
||||||
|
1. Connector traffic with Intune cloud service consists of the following operations:
|
||||||
|
|
||||||
|
1. 1st time configuration of the connector: Authentication to AAD during the initial connector setup.
|
||||||
|
|
||||||
|
1. Connector checks in with Intune, and will process and any cert revocation transactions (i.e, if the Intune tenant admin issues a remote wipe – full or partial, also If a user unenrolls their device from Intune), reporting on issued certs, renewing the connectors’ SC_Online_Issuing certificate from Intune. Also note: the NDES Intune connector has shared PKCS cert functionality (if you decide to issue PKCS/PFX based certs) so the connector checks to Intune for PKCS cert requests even though there won’t be any requests to process. We are splitting that functionality out, so this connector just handles SCEP, but no ETA yet.
|
||||||
|
|
||||||
|
1. [Here](https://docs.microsoft.com/intune/intune-endpoints#microsoft-intune-certificate-connector) is a reference for Intune NDES connector network communications.
|
@ -43,8 +43,8 @@ Alice identifies the following key factors to arrive at the "circle-of-trust" fo
|
|||||||
- All clients are running Windows 10 version 1903 or above;
|
- All clients are running Windows 10 version 1903 or above;
|
||||||
- All clients are managed by Microsoft Endpoint Manager (MEM) either with Configuration Manager (MEMCM) standalone or hybrid mode with Intune;
|
- All clients are managed by Microsoft Endpoint Manager (MEM) either with Configuration Manager (MEMCM) standalone or hybrid mode with Intune;
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager (SCCM)
|
> Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager (SCCM).
|
||||||
|
|
||||||
- Some, but not all, apps are deployed using MEMCM;
|
- Some, but not all, apps are deployed using MEMCM;
|
||||||
- Most users are local administrators on their devices;
|
- Most users are local administrators on their devices;
|
||||||
|