diff --git a/devices/surface-hub/first-run-program-surface-hub.md b/devices/surface-hub/first-run-program-surface-hub.md
index 22cddbc67d..3d38a356f5 100644
--- a/devices/surface-hub/first-run-program-surface-hub.md
+++ b/devices/surface-hub/first-run-program-surface-hub.md
@@ -337,12 +337,12 @@ This is what happens when you choose an option.
- **Use Microsoft Azure Active Directory**
- Clicking this option allows you to join the device to Azure AD. Once you click **Next**, the device will restart to apply some settings, and then you’ll be taken to the [Use Microsoft Azure Active Directory](#use-microsoft-azure) page and asked to enter credentials that can allow you to join Azure AD. Members of the Azure Global Admins security group from the joined organization will be able to use the Settings app. The specific people that will be allowed depends on your Azure AD subscription and how you’ve configured the settings for your Azure AD organization.
+ Clicking this option allows you to join the device to Azure AD. Once you click **Next**, the device will restart to apply some settings, and then you’ll be taken to the [Use Microsoft Azure Active Directory](#use-microsoft-azure) page and asked to enter credentials that can allow you to join Azure AD. Members of the Azure Global Admins role from the joined organization will be able to use the Settings app. The specific people that will be allowed depends on your Azure AD subscription and how you’ve configured the settings for your Azure AD organization.
- >[!IMPORTANT]
- >Administrators added to the Azure Global Admins group after you join the device to Azure AD will be unable to use the Settings app.
+ > [!IMPORTANT]
+ > Administrators added to the Azure Device Administrators role after you join the device to Azure AD will be unable to use the Settings app.
>
- >If you join Surface Hub to Azure AD during first-run setup, single sign-on (SSO) for Office apps will not work properly. Users will have to sign in to each Office app individually.
+ > If you join Surface Hub to Azure AD during first-run setup, single sign-on (SSO) for Office apps will not work properly. Users will have to sign in to each Office app individually.
- **Use Active Directory Domain Services**
diff --git a/devices/surface-hub/surface-hub-2s-setup.md b/devices/surface-hub/surface-hub-2s-setup.md
index fe61755ae3..08318020fb 100644
--- a/devices/surface-hub/surface-hub-2s-setup.md
+++ b/devices/surface-hub/surface-hub-2s-setup.md
@@ -27,7 +27,7 @@ When you first start Surface Hub 2S, the device automatically enters first time
- This option is not shown if connected using an Ethernet cable.
- You cannot connect to a wireless network in hotspots (captive portals) that redirect sign-in requests to a provider’s website.
-3. **Enter device account info.** Use **domain\user** for on-premises and hybrid environments and **user@example.com** for online environments. Select **Next.**
+3. **Enter device account info.** Use **domain\user** for on-premises and hybrid environments and **user\@example.com** for online environments. Select **Next.**
1. **Enter additional info.** If requested, provide your Exchange server address and then select **Next.**
diff --git a/devices/surface/surface-dock-firmware-update.md b/devices/surface/surface-dock-firmware-update.md
index 5d709fb69c..ffd159f4a1 100644
--- a/devices/surface/surface-dock-firmware-update.md
+++ b/devices/surface/surface-dock-firmware-update.md
@@ -38,7 +38,8 @@ If preferred, you can manually complete the update as follows:
> [!NOTE]
>
> - Manually installing the MSI file may prompt you to restart Surface; however, restarting is optional and not required.
->- You will need to disconnect and reconnect the dock twice before the update fully completes.
+> - You will need to disconnect and reconnect the dock twice before the update fully completes.
+> - To create a log file, specify the path in the Msiexec command. For example, append /l*v %windir%\logs\ SurfaceDockFWI.log".
## Network deployment
@@ -83,7 +84,7 @@ Successful completion of Surface Dock Firmware Update results in new registry ke
| Log | Location | Notes |
| -------------------------------- | -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| Surface Dock Firmware Update log | /l*v %windir%\logs\ SurfaceDockFWI.log | Earlier versions of this tool wrote events to Applications and Services Logs\Microsoft Surface Dock Updater. |
+| Surface Dock Firmware Update log | /l*v %windir%\logs\Applications\SurfaceDockFWI.log | Earlier versions of this tool wrote events to Applications and Services Logs\Microsoft Surface Dock Updater. |
| Windows Device Install log | %windir%\inf\ setupapi.dev.log | For more information about using Device Install Log, refer [to SetupAPI Logging](https://docs.microsoft.com/windows-hardware/drivers/install/setupapi-logging--windows-vista-and-later-) documentation. |
diff --git a/store-for-business/billing-understand-your-invoice-msfb.md b/store-for-business/billing-understand-your-invoice-msfb.md
index ecc4e1f38e..b9df263894 100644
--- a/store-for-business/billing-understand-your-invoice-msfb.md
+++ b/store-for-business/billing-understand-your-invoice-msfb.md
@@ -26,7 +26,6 @@ Invoices are your bill from Microsoft. A few things to note:
- **Billing profile** - Billing profiles are created during your purchase. Invoices are created for each billing profile. Billing profiles let you customize what products are purchased, how you pay for them, and who can make purchases. For more information, see [Understand billing profiles](billing-profile.md)
- **Items included** - Your invoice includes total charges for all first and third-party software and hardware products purchased under a Microsoft Customer Agreement. That includes items purchased from Microsoft Store for Business and Azure Marketplace.
- **Charges** - Your invoice provides information about products purchased and their related charges and taxes. Purchases are aggregated to provide a concise view of your bill.
-- **International customers** - Charges on invoices for international customers are converted to their local currencies. Exchange rate information is listed at the bottom of the invoice.
## Online invoice
For Store for Business customers, invoices are also available online. A few things to note:
@@ -107,9 +106,6 @@ At the bottom of the invoice, there are instructions for paying your bill. You c
### Publisher information
If you have third-party services in your bill, the name and address of each publisher is listed at the bottom of your invoice.
-### Exchange rate
-If prices were converted to your local currency, the exchange rates are listed in this section at the bottom of the invoice. All Azure charges are priced in USD and third-party services are priced in the seller's currency.
-
## Next steps
If there are Azure charges on your invoice that you would like more details on, see [Understand the Azure charges on your Microsoft Customer Agreement invoice](https://docs.microsoft.com/azure/billing/billing-understand-your-invoice-mca).
diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md
index bb14436095..704d0954f7 100644
--- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md
+++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md
@@ -145,6 +145,8 @@ App-V doesn't support Visual Studio 2012.
**Workaround**: Use a newer version of Microsoft Visual Studio.
+Currently, Visual Studio 2012 doesn't support app virtualization, whether using Microsoft App-V or third party solutions such as VMWare ThinApp. While it is possible you might find that Visual Studio works well enough for your purposes when running within one of these environments, we are unable to address any bugs or issues found when running in a virtualized environment at this time.
+
## Application filename restrictions for App-V Sequencer
The App-V Sequencer cannot sequence applications with filenames matching "CO_<x>" where x is any numeral. Error 0x8007139F will be generated.
diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md
index 5f1c4ea9c9..4acac6acd7 100644
--- a/windows/client-management/advanced-troubleshooting-boot-problems.md
+++ b/windows/client-management/advanced-troubleshooting-boot-problems.md
@@ -229,7 +229,7 @@ If the system gets stuck during the kernel phase, you experience multiple sympto
- Specific error code is displayed.
For example, "0x00000C2" , "0x0000007B" , "inaccessible boot device" and so on.
- (To troubleshoot the 0x0000007B error, see [Error code INACCESSIBLE_BOOT_DEVICE (STOP 0x7B)](https://internal.support.services.microsoft.com/help/4343769/troubleshooting-guide-for-windows-boot-problems#0x7bstoperror))
+ [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](https://docs.microsoft.com/windows/client-management/troubleshoot-inaccessible-boot-device)
- The screen is stuck at the "spinning wheel" (rolling dots) "system busy" icon.
@@ -307,9 +307,7 @@ To troubleshoot this Stop error, follow these steps to filter the drivers:
For additional troubleshooting steps, see the following articles:
-- [Troubleshooting a Stop 0x7B in Windows](https://blogs.technet.microsoft.com/askcore/2013/08/05/troubleshooting-a-stop-0x7b-in-windows/)
-
-- [Advanced troubleshooting for "Stop error code 0x0000007B (INACCESSIBLE_BOOT_DEVICE)" errors in Windows XP](https://internal.support.services.microsoft.com/help/324103).
+- [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](https://docs.microsoft.com/windows/client-management/troubleshoot-inaccessible-boot-device)
To fix problems that occur after you install Windows updates, check for pending updates by using these steps:
@@ -358,17 +356,15 @@ If the computer does not start, follow these steps:
12. Try to start the computer.
-If the Stop error occurs late in the startup process, or if the Stop error is still being generated, you can capture a memory dump. A good memory dump can help determine the root cause of the Stop error. For details, see the following Knowledge Base article:
+If the Stop error occurs late in the startup process, or if the Stop error is still being generated, you can capture a memory dump. A good memory dump can help determine the root cause of the Stop error. For details, see the following articles:
-- [969028](https://support.microsoft.com/help/969028) How to generate a kernel or a complete memory dump file in Windows Server 2008 and Windows Server 2008 R2
+- [Generate a kernel or complete crash dump](https://docs.microsoft.com/windows/client-management/generate-kernel-or-complete-crash-dump)
-For more information about page file problems in Windows 10 or Windows Server 2016, see the following Knowledge Base article:
-
-- [4133658](https://support.microsoft.com/help/4133658) Introduction of page file in Long-Term Servicing Channel and Semi-Annual Channel of Windows
+For more information about page file problems in Windows 10 or Windows Server 2016, see the following:
+- [Introduction to page files](https://docs.microsoft.com/windows/client-management/introduction-page-file)
For more information about Stop errors, see the following Knowledge Base article:
-
-- [3106831](https://support.microsoft.com/help/3106831) Troubleshooting Stop error problems for IT Pros
+- [Advanced troubleshooting for Stop error or blue screen error issue](https://docs.microsoft.com/windows/client-management/troubleshoot-stop-errors)
If the dump file shows an error that is related to a driver (for example, windows\system32\drivers\stcvsm.sys is missing or corrupted), follow these guidelines:
diff --git a/windows/client-management/mdm/accountmanagement-csp.md b/windows/client-management/mdm/accountmanagement-csp.md
index 294043dca3..f14ec54b3b 100644
--- a/windows/client-management/mdm/accountmanagement-csp.md
+++ b/windows/client-management/mdm/accountmanagement-csp.md
@@ -31,7 +31,7 @@ Root node for the AccountManagement configuration service provider.
Interior node.
**UserProfileManagement/EnableProfileManager**
-Enable profile lifetime mangement for shared or communal device scenarios. Default value is false.
+Enable profile lifetime management for shared or communal device scenarios. Default value is false.
Supported operations are Add, Get,Replace, and Delete. Value type is bool.
diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
index 849b1c551d..ac08247a1f 100644
--- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
@@ -116,6 +116,9 @@ Requirements:
> In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have the Windows 10, version 1903 feature update installed.
The default behavior for older releases is to revert to **User Credential**.
+> [!NOTE]
+> Device credential group policy setting is not supported for enrolling into Microsoft Intune.
+
When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD."
To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app).
diff --git a/windows/client-management/troubleshoot-tcpip-connectivity.md b/windows/client-management/troubleshoot-tcpip-connectivity.md
index cff5317a5f..fe6e32ce59 100644
--- a/windows/client-management/troubleshoot-tcpip-connectivity.md
+++ b/windows/client-management/troubleshoot-tcpip-connectivity.md
@@ -89,7 +89,7 @@ The application which is causing the reset (identified by port numbers) should b
>The above information is about resets from a TCP standpoint and not UDP. UDP is a connectionless protocol and the packets are sent unreliably. You would not see retransmission or resets when using UDP as a transport protocol. However, UDP makes use of ICMP as a error reporting protocol. When you have the UDP packet sent out on a port and the destination does not have port listed, you will see the destination sending out **ICMP Destination host unreachable: Port unreachable** message immediately after the UDP packet
-```typescript
+```
10.10.10.1 10.10.10.2 UDP UDP:SrcPort=49875,DstPort=3343
10.10.10.2 10.10.10.1 ICMP ICMP:Destination Unreachable Message, Port Unreachable,10.10.10.2:3343
@@ -98,7 +98,7 @@ The application which is causing the reset (identified by port numbers) should b
During the course of troubleshooting connectivity issue, you might also see in the network trace that a machine receives packets but does not respond to. In such cases, there could be a drop at the server level. You should enable firewall auditing on the machine to understand if the local firewall is dropping the packet.
-```typescript
+```
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable
```
diff --git a/windows/client-management/windows-10-support-solutions.md b/windows/client-management/windows-10-support-solutions.md
index 7d787f544d..39080a98d6 100644
--- a/windows/client-management/windows-10-support-solutions.md
+++ b/windows/client-management/windows-10-support-solutions.md
@@ -1,99 +1,134 @@
---
-title: Top support solutions for Windows 10
-ms.reviewer:
+title: Troubleshooting Windows 10
+description: Get links to troubleshooting articles for Windows 10 issues
+ms.reviewer: kaushika
manager: dansimp
-description: Get links to solutions for Windows 10 issues
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-ms.author: dansimp
-author: dansimp
+ms.author: kaushika
+author: kaushika-msft
ms.localizationpriority: medium
ms.topic: troubleshooting
---
-# Troubleshoot Windows 10 clients
+# Troubleshoot Windows 10 client
-This section contains advanced troubleshooting topics and links to help you resolve issues with Windows 10 clients. Additional topics will be added as they become available.
+Microsoft regularly releases both updates for Windows Server. To ensure your servers can receive future updates, including security updates, it's important to keep your servers updated. Check out - [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/en-us/help/4000825/windows-10-windows-server-2016-update-history) for a complete list of released updates.
-## Troubleshooting support topics
+This section contains advanced troubleshooting topics and links to help you resolve issues with Windows 10 in an enterprise or IT pro environment. Additional topics will be added as they become available.
-- [Advanced troubleshooting for Windows networking](troubleshoot-networking.md)
- - [Advanced troubleshooting wireless network connectivity](advanced-troubleshooting-wireless-network-connectivity.md)
- - [Advanced troubleshooting 802.1X authentication](advanced-troubleshooting-802-authentication.md)
- - [Data collection for troubleshooting 802.1X authentication](data-collection-for-802-authentication.md)
- - [Advanced troubleshooting for TCP/IP](troubleshoot-tcpip.md)
- - [Collect data using Network Monitor](troubleshoot-tcpip-netmon.md)
- - [Troubleshoot TCP/IP connectivity](troubleshoot-tcpip-connectivity.md)
- - [Troubleshoot port exhaustion](troubleshoot-tcpip-port-exhaust.md)
- - [Troubleshoot Remote Procedure Call (RPC) errors](troubleshoot-tcpip-rpc-errors.md)
-- [Advanced troubleshooting for Windows startup](troubleshoot-windows-startup.md)
- - [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)
- - [Advanced troubleshooting for Windows-based computer issues](troubleshoot-windows-freeze.md)
- - [Advanced troubleshooting for stop errors or blue screen errors](troubleshoot-stop-errors.md)
- - [Advanced troubleshooting for stop error 7B or Inaccessible_Boot_Device](troubleshoot-inaccessible-boot-device.md)
+### Troubleshoot 802.1x Authentication
+- [Advanced Troubleshooting 802.1X Authentication](https://docs.microsoft.com/windows/client-management/advanced-troubleshooting-802-authentication)
+- [Data collection for troubleshooting 802.1X authentication](https://docs.microsoft.com/windows/client-management/data-collection-for-802-authentication)
-## Windows 10 update history
+### Troubleshoot BitLocker
+- [BitLocker overview and requirements FAQ (Windows 10)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq)
+- [BitLocker Upgrading FAQ (Windows 10)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq)
+- [BitLocker frequently asked questions (FAQ) (Windows 10)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq)
+- [BitLocker Key Management FAQ (Windows 10)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-key-management-faq)
+- [BitLocker To Go FAQ (Windows 10)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-to-go-faq)
+- [BitLocker and Active Directory Domain Services (AD DS) FAQ (Windows 10)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq)
+- [BitLocker Security FAQ (Windows 10)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-security-faq)
+- [BitLocker frequently asked questions (FAQ) (Windows 10)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq)
+- [Using BitLocker with other programs FAQ (Windows 10)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq)
+- [BitLocker recovery guide (Windows 10)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan)
-Microsoft regularly releases both updates and solutions for Windows 10. To ensure your computers can receive future updates, including security updates, it's important to keep them updated. Check out the following links for a complete list of released updates:
+### Troubleshoot Bugcheck and Stop errors
+- [Introduction to the page file](https://docs.microsoft.com/windows/client-management/introduction-page-file)
+- [How to determine the appropriate page file size for 64-bit versions of Windows](https://docs.microsoft.com/windows/client-management/determine-appropriate-page-file-size)
+- [Configure system failure and recovery options in Windows](https://docs.microsoft.com/windows/client-management/system-failure-recovery-options)
+- [Generate a kernel or complete crash dump](https://docs.microsoft.com/windows/client-management/generate-kernel-or-complete-crash-dump)
+- [Advanced troubleshooting for Stop error or blue screen error issue](https://docs.microsoft.com/windows/client-management/troubleshoot-stop-errors)
+- [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](https://docs.microsoft.com/windows/client-management/troubleshoot-inaccessible-boot-device)
+- [Blue Screen Data - Windows drivers](https://docs.microsoft.com/windows-hardware/drivers/debugger/blue-screen-data)
+- [Bug Check Code Reference - Windows drivers](https://docs.microsoft.com/windows-hardware/drivers/debugger/bug-check-code-reference2)
-- [Windows 10 version 1809 update history](https://support.microsoft.com/help/4464619)
-- [Windows 10 version 1803 update history](https://support.microsoft.com/help/4099479)
-- [Windows 10 version 1709 update history](https://support.microsoft.com/help/4043454)
-- [Windows 10 Version 1703 update history](https://support.microsoft.com/help/4018124)
-- [Windows 10 Version 1607 update history](https://support.microsoft.com/help/4000825)
-- [Windows 10 Version 1511 update history](https://support.microsoft.com/help/4000824)
+### Troubleshoot Credential Guard
+- [Windows Defender Credential Guard - Known issues (Windows 10)](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-known-issues)
+
+### Troubleshoot Disks
+- [MBR2GPT](https://docs.microsoft.com/windows/deployment/mbr-to-gpt)
+- [Windows and GPT FAQ](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-and-gpt-faq)
+
+### Troubleshoot Kiosk mode
+- [Troubleshoot kiosk mode issues](https://docs.microsoft.com/windows/configuration/kiosk-troubleshoot)
+
+### Troubleshoot No Boot
+- [Advanced troubleshooting for Windows boot problems](https://docs.microsoft.com/windows/client-management/advanced-troubleshooting-boot-problems)
+
+### Troubleshoot Push Button Reset
+- [Push-button reset frequently-asked questions (FAQ)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/pbr-faq)
+- [Push-button reset frequently-asked questions (FAQ)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/pbr-validation)
+- [Recovery components](https://docs.microsoft.com/windows-hardware/manufacture/desktop/recovery-strategy-for-common-customizations)
+
+### Troubleshoot Power Management
+- [Modern Standby FAQs](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby-faqs)
-These are the top Microsoft Support solutions for the most common issues experienced when using Windows 10 in an enterprise or IT pro environment. The links below include links to KB articles, updates, and library articles.
+### Troubleshoot Secure Boot
+- [Secure Boot isn't configured correctly: troubleshooting](https://docs.microsoft.com/windows-hardware/manufacture/desktop/secure-boot-isnt-configured-correctly-troubleshooting)
-## Solutions related to installing Windows Updates
-- [How does Windows Update work](https://docs.microsoft.com/windows/deployment/update/how-windows-update-works)
+### Troubleshoot Setup and Install
+- [Deployment Troubleshooting and Log Files](https://docs.microsoft.com/windows-hardware/manufacture/desktop/deployment-troubleshooting-and-log-files)
+
+
+### Troubleshoot Start Menu
+- [Troubleshoot Start menu errors](https://docs.microsoft.com/windows/configuration/start-layout-troubleshoot)
+
+
+### Troubleshoot Subscription Activation
+- [Deploy Windows 10 Enterprise licenses](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses)
+
+### Troubleshoot System Hang
+- [Advanced troubleshooting for Windows-based computer freeze issues](https://docs.microsoft.com/windows/client-management/troubleshoot-windows-freeze)
+
+### Troubleshoot TCP/IP Communication
+- [Collect data using Network Monitor](https://docs.microsoft.com/windows/client-management/troubleshoot-tcpip-netmon)
+- [Troubleshoot TCP/IP connectivity](https://docs.microsoft.com/windows/client-management/troubleshoot-tcpip-connectivity)
+- [Troubleshoot port exhaustion issues](https://docs.microsoft.com/windows/client-management/troubleshoot-tcpip-port-exhaust)
+- [Troubleshoot Remote Procedure Call (RPC) errors](https://docs.microsoft.com/windows/client-management/troubleshoot-tcpip-rpc-errors)
+
+### Troubleshoot User State Migration Toolkit (USMT)
+- [Common Issues](https://docs.microsoft.com/windows/deployment/usmt/usmt-common-issues)
+- [Frequently Asked Questions](https://docs.microsoft.com/windows/deployment/usmt/usmt-faq)
+- [Log Files](https://docs.microsoft.com/windows/deployment/usmt/usmt-log-files)
+- [Return Codes](https://docs.microsoft.com/windows/deployment/usmt/usmt-return-codes)
+
+### Troubleshoot Windows Hello for Business (WHFB)
+- [Windows Hello for Business Frequently Asked Questions](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-faq)
+- [Windows Hello errors during PIN creation (Windows 10)](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation)
+- [Event ID 300 - Windows Hello successfully created (Windows 10)](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-event-300)
+
+
+### Troubleshoot Windows Analytics
+- [Frequently asked questions and troubleshooting Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-faq-troubleshooting)
+
+### Troubleshoot Windows Update
+- [How Windows Update works](https://docs.microsoft.com/windows/deployment/update/how-windows-update-works)
- [Windows Update log files](https://docs.microsoft.com/windows/deployment/update/windows-update-logs)
- [Windows Update troubleshooting](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting)
- [Windows Update common errors and mitigation](https://docs.microsoft.com/windows/deployment/update/windows-update-errors)
-- [Windows Update - additional resources](https://docs.microsoft.com/windows/deployment/update/windows-update-resources)
+- [Windows Update - Additional resources](https://docs.microsoft.com/windows/deployment/update/windows-update-resources)
+- [Get started with Windows Update](https://docs.microsoft.com/windows/deployment/update/windows-update-overview)
+- [Servicing stack updates](https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates)
-## Solutions related to installing or upgrading Windows
+### Troubleshoot Windows Upgrade
+- [Quick fixes - Windows IT Pro](https://docs.microsoft.com/windows/deployment/upgrade/quick-fixes)
+- [SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag)
+- [Troubleshoot Windows 10 upgrade errors - Windows IT Pro](https://docs.microsoft.com/windows/deployment/upgrade/troubleshoot-upgrade-errors)
+- [Windows error reporting - Windows IT Pro](https://docs.microsoft.com/windows/deployment/upgrade/windows-error-reporting)
+- [Upgrade error codes - Windows IT Pro](https://docs.microsoft.com/windows/deployment/upgrade/upgrade-error-codes)
+- [Log files - Windows IT Pro](https://docs.microsoft.com/windows/deployment/upgrade/log-files)
+- [Resolution procedures - Windows IT Pro](https://docs.microsoft.com/windows/deployment/upgrade/resolution-procedures)
-- [Quick Fixes](https://docs.microsoft.com/windows/deployment/upgrade/quick-fixes)
-- [Troubleshooting upgrade errors](https://docs.microsoft.com/windows/deployment/upgrade/troubleshoot-upgrade-errors)
-- [Resolution procedures](https://docs.microsoft.com/windows/deployment/upgrade/resolution-procedures)
-- [0xc1800118 error when you push Windows 10 Version 1607 by using WSUS](https://support.microsoft.com/en-in/help/3194588/0xc1800118-error-when-you-push-windows-10-version-1607-by-using-wsus)
-- [0xC1900101 error when Windows 10 upgrade fails after the second system restart](https://support.microsoft.com/en-in/help/3208485/0xc1900101-error-when-windows-10-upgrade-fails-after-the-second-system)
+### Troubleshoot Windows Recovery (WinRE)
+- [Windows RE troubleshooting features](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-re-troubleshooting-features)
-## Solutions related to BitLocker
+### Troubleshoot Wireless Connection
+- [Advanced Troubleshooting Wireless Network Connectivity](https://docs.microsoft.com/windows/client-management/advanced-troubleshooting-wireless-network-connectivity)
-- [BitLocker recovery guide](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan)
-- [BitLocker: How to enable Network Unlock](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock)
-- [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker)
-- [BitLocker Group Policy settings](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings)
+## Other Resources
-## Solutions related to Bugchecks or Stop Errors
-- [Troubleshooting Stop error problems for IT Pros](https://support.microsoft.com/help/3106831/troubleshooting-stop-error-problems-for-it-pros)
-- [How to use Windows Recovery Environment (WinRE) to troubleshoot common startup issues](https://support.microsoft.com/help/4026030/how-to-use-windows-recovery-environment-winre-to-troubleshoot-common-s)
-- [How to troubleshoot Windows-based computer freeze issues](https://support.microsoft.com/help/3118553/how-to-troubleshoot-windows-based-computer-freeze-issues)
-- [Introduction of page file in Long-Term Servicing Channel and Semi-Annual Channel of Windows](https://support.microsoft.com/help/4133658)
-
-
-## Solutions related to Windows Boot issues
-- [Troubleshooting Windows boot problems for IT Pros](https://support.microsoft.com/help/4343769)
-- [How to use Windows Recovery Environment (WinRE) to troubleshoot common startup issues](https://support.microsoft.com/help/4026030/how-to-use-windows-recovery-environment-winre-to-troubleshoot-common-s)
-
-
-## Solutions related to configuring or managing the Start menu
-- [Manage Windows 10 Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies)
-- [Customize and export Start layout](/windows/configuration/customize-and-export-start-layout)
-- [Changes to Group Policy settings for Windows 10 Start](/windows/configuration/changes-to-start-policies-in-windows-10)
-- [Preinstalled system applications and Start menu may not work when you upgrade to Windows 10, Version 1511](https://support.microsoft.com/help/3152599)
-- [Start menu shortcuts aren't immediately accessible in Windows Server 2016](https://support.microsoft.com/help/3198613)
-- [Troubleshoot problems opening the Start menu or Cortana](https://support.microsoft.com/help/12385/windows-10-troubleshoot-problems-opening-start-menu-cortana)
-- [Modern apps are blocked by security software when you start the applications on Windows 10 Version 1607](https://support.microsoft.com/help/4016973/modern-apps-are-blocked-by-security-software-when-you-start-the-applic)
-
-## Solutions related to wireless networking and 802.1X authentication
-- [Advanced Troubleshooting Wireless Network](Connectivity]https://docs.microsoft.com/windows/client-management/advanced-troubleshooting-wireless-network-connectivity)
-- [Advanced Troubleshooting 802.1x Authentication](https://docs.microsoft.com/windows/client-management/advanced-troubleshooting-802-authentication)
-- [Troubleshooting Windows 802.11 Wireless Connections](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-vista/cc766215(v=ws.10))
-- [Troubleshooting Windows Secure 802.3 Wired Connections](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-vista/cc749352(v%3dws.10))
-- [Windows 10 devices can't connect to an 802.1X environment](https://support.microsoft.com/kb/3121002)
+### [Troubleshooting Windows Server components](https://docs.microsoft.com/en-us/windows-server/troubleshoot/windows-server-support-solutions)
diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md
index cf28c53e4a..c9d6d3b2c0 100644
--- a/windows/configuration/kiosk-xml.md
+++ b/windows/configuration/kiosk-xml.md
@@ -255,7 +255,7 @@ This sample demonstrates that both UWP and Win32 apps can be configured to autom
```
## [Preview] Global Profile Sample XML
-Global Profile is currently supported in Windows 10 Insider Preview (19H2, 20H1 builds). Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lock down mode, or used as mitigation when a profile cannot be determined for an user.
+Global Profile is currently supported in Windows 10 Insider Preview (20H1 builds). Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lock down mode, or used as mitigation when a profile cannot be determined for an user.
This sample demonstrates that only a global profile is used, no active user configured. Global profile will be applied when every non-admin account logs in
```xml
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md
index f42631e973..eaa5591a59 100644
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@@ -466,9 +466,7 @@ Note:
-
-
-
+
```
diff --git a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md
index 784c5a13fd..f9405d730e 100644
--- a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md
+++ b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md
@@ -7,10 +7,12 @@ ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
-audience: itpro
author: greg-lindsay
+audience: itpro
+author: greg-lindsay
ms.reviewer:
manager: laurawi
-audience: itpro
author: greg-lindsay
+audience: itpro
+author: greg-lindsay
ms.author: greglin
ms.topic: article
---
@@ -72,27 +74,27 @@ All four of the roles specified above can be hosted on the same computer or each
```
net use y: \\PXE-1\TFTPRoot
y:
- md boot
+ md Boot
```
6. Copy the PXE boot files from the mounted directory to the \boot folder. For example:
```
- copy c:\winpe_amd64\mount\windows\boot\pxe\*.* y:\boot
+ copy c:\winpe_amd64\mount\windows\boot\pxe\*.* y:\Boot
```
7. Copy the boot.sdi file to the PXE/TFTP server.
```
- copy C:\winpe_amd64\media\boot\boot.sdi y:\boot
+ copy C:\winpe_amd64\media\boot\boot.sdi y:\Boot
```
8. Copy the bootable Windows PE image (boot.wim) to the \boot folder.
```
- copy C:\winpe_amd64\media\sources\boot.wim y:\boot
+ copy C:\winpe_amd64\media\sources\boot.wim y:\Boot
```
9. (Optional) Copy true type fonts to the \boot folder
```
- copy C:\winpe_amd64\media\Boot\Fonts y:\boot\Fonts
+ copy C:\winpe_amd64\media\Boot\Fonts y:\Boot\Fonts
```
## Step 2: Configure boot settings and copy the BCD file
@@ -107,7 +109,7 @@ All four of the roles specified above can be hosted on the same computer or each
```
bcdedit /store c:\BCD /create {ramdiskoptions} /d "Ramdisk options"
bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdidevice boot
- bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdipath \boot\boot.sdi
+ bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdipath \Boot\boot.sdi
bcdedit /store c:\BCD /create /d "winpe boot image" /application osloader
```
The last command will return a GUID, for example:
@@ -119,9 +121,9 @@ All four of the roles specified above can be hosted on the same computer or each
3. Create a new boot application entry for the Windows PE image:
```
- bcdedit /store c:\BCD /set {GUID1} device ramdisk=[boot]\boot\boot.wim,{ramdiskoptions}
+ bcdedit /store c:\BCD /set {GUID1} device ramdisk=[boot]\Boot\boot.wim,{ramdiskoptions}
bcdedit /store c:\BCD /set {GUID1} path \windows\system32\winload.exe
- bcdedit /store c:\BCD /set {GUID1} osdevice ramdisk=[boot]\boot\boot.wim,{ramdiskoptions}
+ bcdedit /store c:\BCD /set {GUID1} osdevice ramdisk=[boot]\Boot\boot.wim,{ramdiskoptions}
bcdedit /store c:\BCD /set {GUID1} systemroot \windows
bcdedit /store c:\BCD /set {GUID1} detecthal Yes
bcdedit /store c:\BCD /set {GUID1} winpe Yes
@@ -136,7 +138,7 @@ All four of the roles specified above can be hosted on the same computer or each
5. Copy the BCD file to your TFTP server:
```
- copy c:\BCD \\PXE-1\TFTPRoot\boot\BCD
+ copy c:\BCD \\PXE-1\TFTPRoot\Boot\BCD
```
Your PXE/TFTP server is now configured. You can view the BCD settings that have been configured using the command bcdedit /store <BCD file location> /enum all. See the following example. Note: Your GUID will be different than the one shown below.
@@ -153,9 +155,9 @@ timeout 30
Windows Boot Loader
-------------------
identifier {a4f89c62-2142-11e6-80b6-00155da04110}
-device ramdisk=[boot]\boot\boot.wim,{ramdiskoptions}
+device ramdisk=[boot]\Boot\boot.wim,{ramdiskoptions}
description winpe boot image
-osdevice ramdisk=[boot]\boot\boot.wim,{ramdiskoptions}
+osdevice ramdisk=[boot]\Boot\boot.wim,{ramdiskoptions}
systemroot \Windows
detecthal Yes
winpe Yes
@@ -165,7 +167,7 @@ Setup Ramdisk Options
identifier {ramdiskoptions}
description ramdisk options
ramdisksdidevice boot
-ramdisksdipath \boot\boot.sdi
+ramdisksdipath \Boot\boot.sdi
```
>[!TIP]
diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
index 70a3a46434..b1a4515898 100644
--- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
+++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
@@ -19,29 +19,34 @@ ms.topic: article
# Set up MDT for BitLocker
This topic will show you how to configure your environment for BitLocker, the disk volume encryption built into Windows 10 Enterprise and Windows 10 Pro, using MDT. BitLocker in Windows 10 has two requirements in regard to an operating system deployment:
-- A protector, which can either be stored in the Trusted Platform Module (TPM) chip, or stored as a password. Technically, you also can use a USB stick to store the protector, but it's not a practical approach as the USB stick can be lost or stolen. We, therefore, recommend that you instead use a TPM chip and/or a password.
-- Multiple partitions on the hard drive.
+
+- A protector, which can either be stored in the Trusted Platform Module (TPM) chip, or stored as a password. Technically, you can also use a USB stick to store the protector, but it's not a practical approach as the USB stick can be lost or stolen. We, therefore, recommend that you instead use a TPM chip and/or a password.
+- Multiple partitions on the hard drive.
To configure your environment for BitLocker, you will need to do the following:
-1. Configure Active Directory for BitLocker.
-2. Download the various BitLocker scripts and tools.
-3. Configure the operating system deployment task sequence for BitLocker.
-4. Configure the rules (CustomSettings.ini) for BitLocker.
+1. Configure Active Directory for BitLocker.
+2. Download the various BitLocker scripts and tools.
+3. Configure the operating system deployment task sequence for BitLocker.
+4. Configure the rules (CustomSettings.ini) for BitLocker.
+
+> [!NOTE]
+> Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery password in Active Directory. For additional information about this feature, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://docs.microsoft.com/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds).
+If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker.
+
+> [!NOTE]
+> Backing up TMP to Active Directory was supported only on Windows 10 version 1507 and 1511.
->[!NOTE]
->Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For additional information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://go.microsoft.com/fwlink/p/?LinkId=619548). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker.
-
For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
-## Configure Active Directory for BitLocker
+## Configure Active Directory for BitLocker
To enable BitLocker to store the recovery key and TPM information in Active Directory, you need to create a Group Policy for it in Active Directory. For this section, we are running Windows Server 2012 R2, so you do not need to extend the Schema. You do, however, need to set the appropriate permissions in Active Directory.
->[!NOTE]
->Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory.
-
-In Windows Server 2012 R2 (as well as in Windows Server 2008 R2 and Windows Server 2012), you have access to the BitLocker Drive Encryption Administration Utilities features, which will help you manage BitLocker. When you install the features, the BitLocker Active Directory Recovery Password Viewer is included, and it extends Active Directory Users and Computers with BitLocker Recovery information.
+> [!NOTE]
+> Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory.
+
+In Windows Server version from 2008 R2 and later, you have access to the BitLocker Drive Encryption Administration Utilities features, which will help you manage BitLocker. When you install the features, the BitLocker Active Directory Recovery Password Viewer is included, and it extends Active Directory Users and Computers with BitLocker Recovery information.
@@ -51,16 +56,16 @@ Figure 2. The BitLocker Recovery information on a computer object in the contoso
The BitLocker Drive Encryption Administration Utilities are added as features via Server Manager (or Windows PowerShell):
-1. On DC01, log on as **CONTOSO\\Administrator**, and, using Server Manager, click **Add roles and features**.
-2. On the **Before you begin** page, click **Next**.
-3. On the **Select installation type** page, select **Role-based or feature-based installation**, and click **Next**.
-4. On the **Select destination server** page, select **DC01.contoso.com** and click **Next**.
-5. On the **Select server roles** page, click **Next**.
-6. On the **Select features** page, expand **Remote Server Administration Tools**, expand **Feature Administration Tools**, select the following features, and then click **Next**:
- 1. BitLocker Drive Encryption Administration Utilities
- 2. BitLocker Drive Encryption Tools
- 3. BitLocker Recovery Password Viewer
-7. On the **Confirm installation selections** page, click **Install** and then click **Close**.
+1. On DC01, log on as **CONTOSO\\Administrator**, and, using Server Manager, click **Add roles and features**.
+2. On the **Before you begin** page, click **Next**.
+3. On the **Select installation type** page, select **Role-based or feature-based installation**, and click **Next**.
+4. On the **Select destination server** page, select **DC01.contoso.com** and click **Next**.
+5. On the **Select server roles** page, click **Next**.
+6. On the **Select features** page, expand **Remote Server Administration Tools**, expand **Feature Administration Tools**, select the following features, and then click **Next**:
+ 1. BitLocker Drive Encryption Administration Utilities
+ 2. BitLocker Drive Encryption Tools
+ 3. BitLocker Recovery Password Viewer
+7. On the **Confirm installation selections** page, click **Install** and then click **Close**.
@@ -69,29 +74,30 @@ Figure 3. Selecting the BitLocker Drive Encryption Administration Utilities.
### Create the BitLocker Group Policy
Following these steps, you enable the backup of BitLocker and TPM recovery information to Active Directory. You also enable the policy for the TPM validation profile.
-1. On DC01, using Group Policy Management, right-click the **Contoso** organizational unit (OU), and select **Create a GPO in this domain, and Link it here**.
-2. Assign the name **BitLocker Policy** to the new Group Policy.
-3. Expand the **Contoso** OU, right-click the **BitLocker Policy**, and select **Edit**. Configure the following policy settings:
- Computer Configuration / Policies / Administrative Templates / Windows Components / BitLocker Drive Encryption / Operating System Drives
- 1. Enable the **Choose how BitLocker-protected operating system drives can be recovered** policy, and configure the following settings:
- 1. Allow data recovery agent (default)
- 2. Save BitLocker recovery information to Active Directory Domain Services (default)
- 3. Do not enable BitLocker until recovery information is stored in AD DS for operating system drives
- 2. Enable the **Configure TPM platform validation profile for BIOS-based firmware configurations** policy.
- 3. Enable the **Configure TPM platform validation profile for native UEFI firmware configurations** policy.
- Computer Configuration / Policies / Administrative Templates / System / Trusted Platform Module Services
- 4. Enable the **Turn on TPM backup to Active Directory Domain Services** policy.
->[!NOTE]
->If you consistently get the error "Windows BitLocker Drive Encryption Information. The system boot information has changed since BitLocker was enabled. You must supply a BitLocker recovery password to start this system." after encrypting a computer with BitLocker, you might have to change the various "Configure TPM platform validation profile" Group Policies, as well. Whether or not you need to do this will depend on the hardware you are using.
-
+1. On DC01, using Group Policy Management, right-click the **Contoso** organizational unit (OU), and select **Create a GPO in this domain, and Link it here**.
+2. Assign the name **BitLocker Policy** to the new Group Policy.
+3. Expand the **Contoso** OU, right-click the **BitLocker Policy**, and select **Edit**. Configure the following policy settings:
+ Computer Configuration / Policies / Administrative Templates / Windows Components / BitLocker Drive Encryption / Operating System Drives
+ 1. Enable the **Choose how BitLocker-protected operating system drives can be recovered** policy, and configure the following settings:
+ 1. Allow data recovery agent (default)
+ 2. Save BitLocker recovery information to Active Directory Domain Services (default)
+ 3. Do not enable BitLocker until recovery information is stored in AD DS for operating system drives
+ 2. Enable the **Configure TPM platform validation profile for BIOS-based firmware configurations** policy.
+ 3. Enable the **Configure TPM platform validation profile for native UEFI firmware configurations** policy.
+ Computer Configuration / Policies / Administrative Templates / System / Trusted Platform Module Services
+
+> [!NOTE]
+> If you consistently get the error "Windows BitLocker Drive Encryption Information. The system boot information has changed since BitLocker was enabled. You must supply a BitLocker recovery password to start this system." after encrypting a computer with BitLocker, you might have to change the various "Configure TPM platform validation profile" Group Policies, as well. Whether or not you need to do this will depend on the hardware you are using.
+
### Set permissions in Active Directory for BitLocker
In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the [Add-TPMSelfWriteACE.vbs script](https://go.microsoft.com/fwlink/p/?LinkId=167133) from Microsoft to C:\\Setup\\Scripts on DC01.
-1. On DC01, start an elevated PowerShell prompt (run as Administrator).
-2. Configure the permissions by running the following command:
- ``` syntax
+1. On DC01, start an elevated PowerShell prompt (run as Administrator).
+2. Configure the permissions by running the following command:
+
+ ```dos
cscript C:\Setup\Scripts\Add-TPMSelfWriteACE.vbs
```
@@ -99,26 +105,29 @@ In addition to the Group Policy created previously, you need to configure permis
Figure 4. Running the Add-TPMSelfWriteACE.vbs script on DC01.
-## Add BIOS configuration tools from Dell, HP, and Lenovo
+## Add BIOS configuration tools from Dell, HP, and Lenovo
If you want to automate enabling the TPM chip as part of the deployment process, you need to download the vendor tools and add them to your task sequences, either directly or in a script wrapper.
### Add tools from Dell
-The Dell tools are available via the Dell Client Configuration Toolkit (CCTK). The executable file from Dell is named cctk.exe. Here is a sample command to enable TPM and set a BIOS password using the cctk.exe tool:
-``` syntax
+The Dell tools are available via the Dell Client Configuration Toolkit (CCTK). The executable file from Dell is named *cctk.exe*. Here is a sample command to enable TPM and set a BIOS password using the cctk.exe tool:
+
+```dos
cctk.exe --tpm=on --valsetuppwd=Password1234
```
+
### Add tools from HP
The HP tools are part of HP System Software Manager. The executable file from HP is named BiosConfigUtility.exe. This utility uses a configuration file for the BIOS settings. Here is a sample command to enable TPM and set a BIOS password using the BiosConfigUtility.exe tool:
-``` syntax
+```dos
BIOSConfigUtility.EXE /SetConfig:TPMEnable.REPSET /NewAdminPassword:Password1234
```
+
And the sample content of the TPMEnable.REPSET file:
-``` syntax
+```txt
English
Activate Embedded Security On Next Boot
*Enable
@@ -129,25 +138,30 @@ Allow user to reject
Embedded Security Device Availability
*Available
```
+
### Add tools from Lenovo
The Lenovo tools are a set of VBScripts available as part of the Lenovo BIOS Setup using Windows Management Instrumentation Deployment Guide. Lenovo also provides a separate download of the scripts. Here is a sample command to enable TPM using the Lenovo tools:
-``` syntax
+
+```dos
cscript.exe SetConfig.vbs SecurityChip Active
```
-## Configure the Windows 10 task sequence to enable BitLocker
-When configuring a task sequence to run any BitLocker tool, either directly or using a custom script, it is helpful if you also add some logic to detect whether the BIOS is already configured on the machine. In the following task sequence, we are using a sample script (ZTICheckforTPM.wsf) from the Deployment Guys web page to check the status on the TPM chip. You can download this script from the Deployment Guys Blog post, [Check to see if the TPM is enabled](https://go.microsoft.com/fwlink/p/?LinkId=619549).
+## Configure the Windows 10 task sequence to enable BitLocker
+
+When configuring a task sequence to run any BitLocker tool, either directly or using a custom script, it is helpful if you also add some logic to detect whether the BIOS is already configured on the machine. In the following task sequence, we are using a sample script (ZTICheckforTPM.wsf) from the Deployment Guys web page to check the status on the TPM chip. You can download this script from the Deployment Guys Blog post, [Check to see if the TPM is enabled](https://go.microsoft.com/fwlink/p/?LinkId=619549).
In the following task sequence, we added five actions:
-- **Check TPM Status.** Runs the ZTICheckforTPM.wsf script to determine if TPM is enabled. Depending on the status, the script will set the TPMEnabled and TPMActivated properties to either true or false.
-- **Configure BIOS for TPM.** Runs the vendor tools (in this case, HP, Dell, and Lenovo). To ensure this action is run only when necessary, add a condition so the action is run only when the TPM chip is not already activated. Use the properties from the ZTICheckforTPM.wsf.
- **Note**
- It is common for organizations to wrap these tools in scripts to get additional logging and error handling.
-
-- **Restart computer.** Self-explanatory, reboots the computer.
-- **Check TPM Status.** Runs the ZTICheckforTPM.wsf script one more time.
-- **Enable BitLocker.** Runs the built-in action to activate BitLocker.
+
+- **Check TPM Status.** Runs the ZTICheckforTPM.wsf script to determine if TPM is enabled. Depending on the status, the script will set the TPMEnabled and TPMActivated properties to either true or false.
+- **Configure BIOS for TPM.** Runs the vendor tools (in this case, HP, Dell, and Lenovo). To ensure this action is run only when necessary, add a condition so the action is run only when the TPM chip is not already activated. Use the properties from the ZTICheckforTPM.wsf.
+
+ > [!NOTE]
+ > It is common for organizations to wrap these tools in scripts to get additional logging and error handling.
+
+- **Restart computer.** Self-explanatory, reboots the computer.
+- **Check TPM Status.** Runs the ZTICheckforTPM.wsf script one more time.
+- **Enable BitLocker.** Runs the built-in action to activate BitLocker.
## Related topics
diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md
index 6d53e1e602..da74aafced 100644
--- a/windows/deployment/update/feature-update-maintenance-window.md
+++ b/windows/deployment/update/feature-update-maintenance-window.md
@@ -8,7 +8,6 @@ itproauthor: jaimeo
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
-ms.date: 07/09/2018
ms.reviewer:
manager: laurawi
ms.collection: M365-modern-desktop
diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md
index fd2e9857b0..95179814aa 100644
--- a/windows/deployment/update/servicing-stack-updates.md
+++ b/windows/deployment/update/servicing-stack-updates.md
@@ -8,7 +8,6 @@ itproauthor: jaimeo
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
-ms.date: 11/29/2018
ms.reviewer:
manager: laurawi
ms.collection: M365-modern-desktop
diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md
index c69be3c10b..6d7bf33b2a 100644
--- a/windows/deployment/update/waas-delivery-optimization.md
+++ b/windows/deployment/update/waas-delivery-optimization.md
@@ -63,9 +63,9 @@ The following table lists the minimum Windows 10 version that supports Delivery
-By default in Windows 10 Enterprise and Education editions, Delivery Optimization allows peer-to-peer sharing on the organization's own network only (specifically, all of the devices must be behind the same NAT), but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune.
+In Windows 10 Enterprise, Professional, and Education editions, Delivery Optimization is enabled by default for peer-to-peer sharing on the local network (NAT). Specifically, all of the devices must be behind the same NAT, but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune.
-For more details, see "Download mode" in [Delivery optimization reference](waas-delivery-optimization-reference.md#download-mode).
+For more details, see "Download mode" in [Delivery optimization reference](waas-delivery-optimization-reference.md).
## Set up Delivery Optimization
diff --git a/windows/deployment/update/windows-update-troubleshooting.md b/windows/deployment/update/windows-update-troubleshooting.md
index 98c67ca840..a1784e6a6e 100644
--- a/windows/deployment/update/windows-update-troubleshooting.md
+++ b/windows/deployment/update/windows-update-troubleshooting.md
@@ -9,7 +9,6 @@ author: jaimeo
ms.localizationprioauthor: jaimeo
ms.audience: itpro
author: jaimeo
-ms.date: 09/18/2018
ms.reviewer:
manager: laurawi
ms.topic: article
diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md
index 7ba4d88b2d..a1992d96b8 100644
--- a/windows/deployment/vda-subscription-activation.md
+++ b/windows/deployment/vda-subscription-activation.md
@@ -2,7 +2,8 @@
title: Configure VDA for Windows 10 Subscription Activation
ms.reviewer:
manager: laurawi
-ms.audience: itpro
author: greg-lindsay
+ms.audience: itpro
+author: greg-lindsay
description: How to enable Windows 10 Enterprise E3 and E5 subscriptions for VDA
keywords: upgrade, update, task sequence, deploy
ms.prod: w10
@@ -10,7 +11,8 @@ ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: mdt
-audience: itpro
author: greg-lindsay
+audience: itpro
+author: greg-lindsay
ms.topic: article
ms.collection: M365-modern-desktop
---
@@ -29,7 +31,7 @@ Deployment instructions are provided for the following scenarios:
- VMs must be running Windows 10 Pro, version 1703 (also known as the Creator's Update) or later.
- VMs must be Active Directory-joined or Azure Active Directory (AAD)-joined.
- VMs must be generation 1.
-- VMs must hosted by a [Qualified Multitenant Hoster](https://www.microsoft.com/CloudandHosting/licensing_sca.aspx) (QMTH).
+- VMs must hosted by a [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) (QMTH).
## Activation
diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
index 2ca4a9039b..893b4f6f7c 100644
--- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
+++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
@@ -18,86 +18,103 @@ ms.topic: article
---
# Activate using Active Directory-based activation
-**Applies to**
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows Server 2012 R2
-- Windows Server 2012
-- Windows Server 2016
-- Windows Server 2019
+
+> Applies to
+>
+>- Windows 10
+>- Windows 8.1
+>- Windows 8
+>- Windows Server 2012 R2
+>- Windows Server 2012
+>- Windows Server 2016
+>- Windows Server 2019
**Looking for retail activation?**
-- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
-Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. Active Directory-based activation requires that the forest schema be updated by adprep.exe on a computer running Windows Server 2012 or Windows Server 2012 R2, but after the schema is updated, older domain controllers can still activate clients.
-Any domain-joined computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2 with a GVLK will be activated automatically and transparently. They will stay activated as long as they remain members of the domain and maintain periodic contact with a domain controller. Activation takes place after the Licensing service starts. When this service starts, the computer contacts AD DS automatically, receives the activation object, and is activated without user intervention.
-To allow computers with GVLKs to activate themselves, use the Volume Activation Tools console in Windows Server 2012 R2 or the VAMT in earlier versions of Windows Server to create an object in the AD DS forest. You create this activation object by submitting a KMS host key to Microsoft, as shown in Figure 10.
+- [Get Help Activating Microsoft Windows 7 or Windows 8.1](https://support.microsoft.com/help/15083/windows-activate-windows-7-or-8-1)
+- [Get Help Activating Microsoft Windows 10](https://support.microsoft.com/help/12440/windows-10-activate)
+
+Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. Active Directory-based activation requires that the forest schema be updated using *adprep.exe* on a supported server OS, but after the schema is updated, older domain controllers can still activate clients.
+
+Any domain-joined computers running a supported operating system with a Generic Volume License Key (GVLK) will be activated automatically and transparently. They will stay activated as long as they remain members of the domain and maintain periodic contact with a domain controller. Activation takes place after the Licensing service starts. When this service starts, the computer contacts AD DS automatically, receives the activation object, and is activated without user intervention.
+
+To allow computers with GVLKs to activate themselves, use the Volume Activation Tools console or the [Volume Activation Management Tool (VAMT)](volume-activation-management-tool.md) in earlier versions of Windows Server to create an object in the AD DS forest. You create this activation object by submitting a KMS host key to Microsoft, as shown in Figure 10.
+
The process proceeds as follows:
-1. Perform one of the following tasks:
- - Install the Volume Activation Services server role on a domain controller running Windows Server 2012 R2, and add a KMS host key by using the Volume Activation Tools Wizard.
- - Extend the domain to the Windows Server 2012 R2 schema level, and add a KMS host key by using the VAMT.
-2. Microsoft verifies the KMS host key, and an activation object is created.
-3. Client computers are activated by receiving the activation object from a domain controller during startup.
+
+1. Perform one of the following tasks:
+ - Install the Volume Activation Services server role on a domain controller and add a KMS host key by using the Volume Activation Tools Wizard.
+ - Extend the domain to the Windows Server 2012 R2 or higher schema level, and add a KMS host key by using the VAMT.
+1. Microsoft verifies the KMS host key, and an activation object is created.
+1. Client computers are activated by receiving the activation object from a domain controller during startup.
-
+
**Figure 10**. The Active Directory-based activation flow
-
-For environments in which all computers are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2, and they are joined to a domain, Active Directory-based activation is the best option for activating all client computers and servers, and you may be able to remove any KMS hosts from your environment.
+
+For environments in which all computers are running an operating system listed under *Applies to*, and they are joined to a domain, Active Directory-based activation is the best option for activating all client computers and servers, and you may be able to remove any KMS hosts from your environment.
+
If an environment will continue to contain earlier volume licensing operating systems and applications or if you have workgroup computers outside the domain, you need to maintain a KMS host to maintain activation status for earlier volume licensing editions of Windows and Office.
+
Clients that are activated with Active Directory-based activation will maintain their activated state for up to 180 days since the last contact with the domain, but they will periodically attempt to reactivate before then and at the end of the 180 day period. By default, this reactivation event occurs every seven days.
-When a reactivation event occurs, the client queries AD DS for the activation object. Client computers examine the activation object and compare it to the local edition as defined by the GVLK. If the object and GVLK match, reactivation occurs. If the AD DS object cannot be retrieved, client computers use KMS activation. If the computer is removed from the domain, when the computer or the Software Protection service is restarted, the operating system will change the status from activated to not activated, and the computer will try to activate with KMS.
+
+When a reactivation event occurs, the client queries AD DS for the activation object. Client computers examine the activation object and compare it to the local edition as defined by the GVLK. If the object and GVLK match, reactivation occurs. If the AD DS object cannot be retrieved, client computers use KMS activation. If the computer is removed from the domain, and the computer or the Software Protection service is restarted, the operating system will change the status from activated to not activated, and the computer will try to activate with KMS.
+
## Step-by-step configuration: Active Directory-based activation
-**Note**
-You must be a member of the local Administrators group on all computers mentioned in these steps. You also need to be a member of the Enterprise Administrators group, because setting up Active Directory-based activation changes forest-wide settings.
-**To configure Active Directory-based activation on Windows Server 2012 R2, complete the following steps:**
-1. Use an account with Domain Administrator and Enterprise Administrator credentials to sign in to a domain controller.
-2. Launch Server Manager.
-3. Add the Volume Activation Services role, as shown in Figure 11.
+
+> [!NOTE]
+> You must be a member of the local Administrators group on all computers mentioned in these steps. You also need to be a member of the Enterprise Administrators group, because setting up Active Directory-based activation changes forest-wide settings.
+
+**To configure Active Directory-based activation on Windows Server 2012 R2 or higher, complete the following steps:**
+
+1. Use an account with Domain Administrator and Enterprise Administrator credentials to sign in to a domain controller.
+1. Launch Server Manager.
+1. Add the Volume Activation Services role, as shown in Figure 11.
-
+
**Figure 11**. Adding the Volume Activation Services role
-
-4. Click the link to launch the Volume Activation Tools (Figure 12).
+
+1. Click the link to launch the Volume Activation Tools (Figure 12).
-
+
**Figure 12**. Launching the Volume Activation Tools
-
-5. Select the **Active Directory-Based Activation** option (Figure 13).
+
+1. Select the **Active Directory-Based Activation** option (Figure 13).
-
+
**Figure 13**. Selecting Active Directory-Based Activation
-
-6. Enter your KMS host key and (optionally) a display name (Figure 14).
+
+1. Enter your KMS host key and (optionally) a display name (Figure 14).
-
+
**Figure 14**. Entering your KMS host key
-
-7. Activate your KMS host key by phone or online (Figure 15).
+
+1. Activate your KMS host key by phone or online (Figure 15).
-
+
**Figure 15**. Choosing how to activate your product
-
-8. After activating the key, click **Commit**, and then click **Close**.
+
+1. After activating the key, click **Commit**, and then click **Close**.
## Verifying the configuration of Active Directory-based activation
To verify your Active Directory-based activation configuration, complete the following steps:
-1. After you configure Active Directory-based activation, start a computer that is running an edition of Windows that is configured by volume licensing.
-2. If the computer has been previously configured with a MAK key, replace the MAK key with the GVLK by running the **slmgr.vbs /ipk** command and specifying the GLVK as the new product key.
-3. If the computer is not joined to your domain, join it to the domain.
-4. Sign in to the computer.
-5. Open Windows Explorer, right-click **Computer**, and then click **Properties**.
-6. Scroll down to the **Windows activation** section, and verify that this client has been activated.
- **Note**
- If you are using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that has not already been activated by KMS. The **slmgr.vbs /dlv** command also indicates whether KMS has been used.
-
+1. After you configure Active Directory-based activation, start a computer that is running an edition of Windows that is configured by volume licensing.
+1. If the computer has been previously configured with a MAK key, replace the MAK key with the GVLK by running the **slmgr.vbs /ipk** command and specifying the GLVK as the new product key.
+1. If the computer is not joined to your domain, join it to the domain.
+1. Sign in to the computer.
+1. Open Windows Explorer, right-click **Computer**, and then click **Properties**.
+1. Scroll down to the **Windows activation** section, and verify that this client has been activated.
+
+ > [!NOTE]
+ > If you are using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that has not already been activated by KMS. The **slmgr.vbs /dlv** command also indicates whether KMS has been used.
+
## See also
-- [Volume Activation for Windows 10](volume-activation-windows-10.md)
+
+- [Volume Activation for Windows 10](volume-activation-windows-10.md)
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md
index 11ef79b654..8ceb4e28f5 100644
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@@ -7,7 +7,8 @@ ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: mdt
-audience: itpro
author: greg-lindsay
+audience: itpro
+author: greg-lindsay
manager: laurawi
ms.collection: M365-modern-desktop
search.appverid:
@@ -167,7 +168,7 @@ The following policies apply to acquisition and renewal of licenses on devices:
- Devices that have been upgraded will attempt to renew licenses about every 30 days, and must be connected to the Internet to successfully acquire or renew a license.
- If a device is disconnected from the Internet until its current subscription expires, the operating system will revert to Windows 10 Pro or Windows 10 Pro Education. As soon as the device is connected to the Internet again, the license will automatically renew.
- Up to five devices can be upgraded for each user license.
-- If a device the meets requirements and a licensed user signs in on that device, it will be upgraded.
+- If a device meets the requirements and a licensed user signs in on that device, it will be upgraded.
Licenses can be reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs.
diff --git a/windows/deployment/windows-autopilot/add-devices.md b/windows/deployment/windows-autopilot/add-devices.md
index c57477e5a0..b76cb0ec72 100644
--- a/windows/deployment/windows-autopilot/add-devices.md
+++ b/windows/deployment/windows-autopilot/add-devices.md
@@ -160,4 +160,3 @@ When deploying new devices using Windows Autopilot, the following steps are requ
## Other configuration settings
- [Bitlocker encryption settings](bitlocker.md): You can configure the BitLocker encryption settings to be applied before automatic encryption is started.
-
diff --git a/windows/deployment/windows-autopilot/troubleshooting.md b/windows/deployment/windows-autopilot/troubleshooting.md
index 2d857f5388..f2e35ade30 100644
--- a/windows/deployment/windows-autopilot/troubleshooting.md
+++ b/windows/deployment/windows-autopilot/troubleshooting.md
@@ -9,7 +9,8 @@ ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
-audience: itpro
author: greg-lindsay
+audience: itpro
+author: greg-lindsay
ms.author: greglin
ms.collection: M365-modern-desktop
ms.topic: article
@@ -47,7 +48,7 @@ If the expected Autopilot behavior does not occur during the out-of-box experien
### Windows 10 version 1803 and above
-To see details related to the Autopilot profile settings and OOBE flow, Windows 10 version 1803 and above adds event log entries. These can be viewed using Event Viewer, navigating to the log at **Application and Services Logs –> Microsoft –> Windows –> Provisioning-Diagnostics-Provider –> AutoPilot**. The following events may be recorded, depending on the scenario and profile configuration.
+To see details related to the Autopilot profile settings and OOBE flow, Windows 10 version 1803 and above adds event log entries. These can be viewed using Event Viewer, navigating to the log at **Application and Services Logs –> Microsoft –> Windows –> Provisioning-Diagnostics-Provider –> AutoPilot** for versions before 1903, or **Application and Services Logs –> Microsoft –> Windows –> ModernDeployment-Diagnostics-Provider –> AutoPilot** for 1903 and above. The following events may be recorded, depending on the scenario and profile configuration.
| Event ID | Type | Description |
|----------|------|-------------|
diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
index 06c4e844c4..709a681130 100644
--- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
+++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
@@ -104,27 +104,8 @@ Windows diagnostic data also helps Microsoft better understand how customers use
### Insights into your own organization
-Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. The first of these, called [Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness).
+Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better. Microsoft provides a set of solutions that leverage information shared by customers to provide insights customized for your internal use. The first of these was [Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness), followed by [Desktop Analytics](https://aka.ms/DADocs) (coming soon). Both help organizations with [Windows as a Service](/windows/deployment/update/wass-overview) adoption and potential compatibility challenges. For E5 customers, [Microsoft Defender Advanced Threat Protection](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
-#### Upgrade Readiness
-
-Upgrading to new operating system versions has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points.
-
-To better help customers through this difficult process, Microsoft developed Upgrade Readiness to give enterprises the tools to plan and manage the upgrade process end to end and allowing them to adopt new Windows releases more quickly and on an ongoing basis.
-
-With Windows diagnostic data enabled, Microsoft collects computer, application, and driver compatibility-related information for analysis. We then identify compatibility issues that can block your upgrade and suggest fixes when they are known to Microsoft.
-
-Use Upgrade Readiness to get:
-
-- A visual workflow that guides you from pilot to production
-- Detailed computer, driver, and application inventory
-- Powerful computer level search and drill-downs
-- Guidance and insights into application and driver compatibility issues with suggested fixes
-- Data driven application rationalization tools
-- Application usage information, allowing targeted validation; workflow to track validation progress and decisions
-- Data export to commonly used software deployment tools
-
-The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
## How Microsoft handles diagnostic data
diff --git a/windows/privacy/gdpr-it-guidance.md b/windows/privacy/gdpr-it-guidance.md
index ba1428445d..db1139f73b 100644
--- a/windows/privacy/gdpr-it-guidance.md
+++ b/windows/privacy/gdpr-it-guidance.md
@@ -117,23 +117,27 @@ Diagnostic data is categorized into the levels "Security", "Basic", "Enhanced",
### Windows services where Microsoft is the processor under the GDPR
-Most Windows 10 services are controller services in terms of the GDPR – for both Windows functional data and Windows diagnostic data. But there are a few Windows services where Microsoft is a processor for functional data under the GDPR, such as [Windows Analytics](https://www.microsoft.com/windowsforbusiness/windows-analytics) and [Windows Defender Advanced Threat Protection (ATP)](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp).
+Most Windows 10 services are controller services in terms of the GDPR – for both Windows functional data and Windows diagnostic data. But there are a few Windows services where Microsoft is a processor for functional data under the GDPR, such as [Desktop Analytics](https://aka.ms/dadocs), [Update Compliance](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor) and [Windows Defender Advanced Threat Protection (ATP)](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp).
>[!NOTE]
->Both Windows Analytics and Windows Defender ATP are subscription services for organizations. Some functionality requires a certain license (please see [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare)).
+>Both Desktop Analytics and Windows Defender ATP are subscription services for organizations. Some functionality requires a certain license (please see [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare)).
-#### Windows Analytics
+#### Desktop Analytics
-[Windows Analytics](https://www.microsoft.com/windowsforbusiness/windows-analytics) is a service that provides rich, actionable information for helping organizations to gain deep insights into the operational efficiency and health of the Windows devices in their environment. It uses Windows diagnostic data from devices enrolled by the IT organization of an enterprise into the Windows Analytics service.
+> [!IMPORTANT]
+> The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](/windows/deployment/update/update-compliance-get-started) will continue to be supported.
+> For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement).
-Windows [transmits Windows diagnostic data](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) to Microsoft datacenters, where that data is analyzed and stored. With Windows Analytics, the IT organization can then view the analyzed data to detect and fix issues or to improve their processes for upgrading to Windows 10.
+[Desktop Analytics](https://aka.ms/dadocs) is a cloud-based service that integrates with Configuration Manager. The service provides insight and intelligence for you to make more informed decisions about the update readiness of Windows Windows devices in their environment. It uses Windows diagnostic data from devices enrolled by the IT organization of an enterprise with data aggregated from millions of devices into the Desktop Analytics service.
-As a result, in terms of the GDPR, the organization that has subscribed to Windows Analytics is acting as the controller, while Microsoft is the processor for Windows Analytics.
+Windows [transmits Windows diagnostic data](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) to Microsoft datacenters, where that data is analyzed and stored. With Desktop Analytics, the IT organization can then view the analyzed data to detect and fix issues or to improve their processes for upgrading to Windows 10.
+
+As a result, in terms of the GDPR, the organization that has subscribed to Desktop Analytics is acting as the controller, while Microsoft is the processor for Desktop Analytics.
>[!NOTE]
->The IT organization must explicitly enable Windows Analytics for a device after the organization subscribes.
+>The IT organization must explicitly enable Desktop Analytics for a device after the organization subscribes.
>[!IMPORTANT]
->Windows Analytics does not collect Windows Diagnostic data by itself. Instead, Windows Analytics only uses a subset of Windows Diagnostic data that is collected by Windows for an enrolled device. The Windows Diagnostic data collection is controlled by the IT department of an organization or the user of a device.
+>Desktop Analytics does not collect Windows Diagnostic data by itself. Instead, Desktop Analytics only uses a subset of Windows Diagnostic data that is collected by Windows for an enrolled device. The Windows Diagnostic data collection is controlled by the IT department of an organization or the user of a device. See [Enable data sharing for Desktop Analytics](https://docs.microsoft.com/sccm/desktop-analytics/enable-data-sharing)
#### Windows Defender ATP
diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md
index f574f6409d..ca7e93d18b 100644
--- a/windows/privacy/manage-windows-1809-endpoints.md
+++ b/windows/privacy/manage-windows-1809-endpoints.md
@@ -261,6 +261,8 @@ If you [turn off traffic for these endpoints](manage-connections-from-windows-op
| Source process | Protocol | Destination |
|----------------|----------|------------|
| | | login.msa.akadns6.net |
+| | | login.live.com |
+| | | account.live.com |
| system32\Auth.Host.exe | HTTPS | auth.gfx.ms |
| | | us.configsvc1.live.com.akadns.net |
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md
index 723a2e1e54..bb57bd6b57 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md
@@ -1,5 +1,5 @@
---
-title: How Windows Hello for Business works - Techincal Deep Dive
+title: How Windows Hello for Business works - Technical Deep Dive
description: Explains registration, authentication, key material, and infrastructure for Windows Hello for Business.
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust, works
ms.prod: w10
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index 5136ececee..1bb87570ff 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -580,7 +580,7 @@ Sign-in the NDES server with access equivalent to _domain administrator_.
3. Click **Sign-in**. Type credentials for your Intune administrator, or tenant administrator that has the **Global Administrator** directory role.
> [!IMPORTANT]
- > The user account must have a valid Intune licenese asssigned. If the user account does not have a valid Intune license, the sign-in fails.
+ > The user account must have a valid Intune licenese assigned. If the user account does not have a valid Intune license, the sign-in fails.
4. Optionally, you can configure the NDES Connector for certificate revocation. If you want to do this, continue to the next task. Otherwise, Click **Close**, restart the **Intune Connector Service** and the **World Wide Web Publishing Service**, and skip the next task.
diff --git a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md
index c1b6366ec7..77709b6ef2 100644
--- a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
diff --git a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md
index 7bb74bdb71..4ce0666579 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
index 10924772a5..406d096165 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
index 0177ea0901..ab57ef7b30 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md
index 78092912cd..b0c94843ad 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
index b9b8646bf0..e4fb0170b4 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
@@ -22,7 +22,6 @@ ms.reviewer:
- Windows 10
This topic explains how BitLocker Device Encryption can help protect data on devices running Windows 10.
-For an architectural overview about how BitLocker Device Encryption works with Secure Boot, see [Secure boot and BitLocker Device Encryption overview](https://docs.microsoft.com/windows-hardware/drivers/bringup/secure-boot-and-device-encryption-overview).
For a general overview and list of topics about BitLocker, see [BitLocker](bitlocker-overview.md).
When users travel, their organization’s confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives. Windows consistently improves data protection by improving existing options and by providing new strategies.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md
index fce071badf..f4f3028fcb 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
index 2d9a9c0ce6..09d6973301 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
index 3a17290bcd..121b0d3e49 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
index 23276f3144..e91f6d7db8 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
diff --git a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md
index 6aa957697c..5ab13673ea 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
index caee851596..7968ef5030 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
diff --git a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.md b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.md
index 79f29f59ec..9e8a4b17a5 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md
index 53ed00fa28..aca61b7f1d 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md
index b57d24fd11..5ce2ab05e6 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-overview.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md
@@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dulcemontemayor
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
index 16272b6213..26a7658ef1 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
diff --git a/windows/security/information-protection/bitlocker/bitlocker-security-faq.md b/windows/security/information-protection/bitlocker/bitlocker-security-faq.md
index 6bb6a48e28..211775fd9d 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-security-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-security-faq.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
diff --git a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md
index f5de0c1816..6cc8628157 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md
@@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dulcemontemayor
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
diff --git a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md
index 3ec8b9d7db..ddefee9d0c 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
index bb6cc83966..e4e1a3ffcd 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
index 56534228b9..9f41146f0d 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
diff --git a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md
index a093ef4773..5d1da751a8 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
index 1105a1bf99..72436ef74d 100644
--- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
+++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
@@ -20,41 +20,31 @@ ms.date: 04/24/2019
# Prepare your organization for BitLocker: Planning and policies
**Applies to**
-- Windows 10
+
+- Windows 10
This topic for the IT professional explains how can you plan your BitLocker deployment.
When you design your BitLocker deployment strategy, define the appropriate policies and configuration requirements based on the business requirements of your organization. The following topics will help you collect information that you can use to frame your decision-making process about deploying and managing BitLocker systems.
-- [Audit your environment](#bkmk-audit)
-- [Encryption keys and authentication](#bkk-encrypt)
-- [TPM hardware configurations](#bkmk-tpmconfigurations)
-- [Non-TPM hardware configurations](#bkmk-nontpm)
-- [Disk configuration considerations](#bkmk-disk)
-- [BitLocker provisioning](#bkmk-prov)
-- [Used Disk Space Only encryption](#bkk-used)
-- [Active Directory Domain Services considerations](#bkmk-addscons)
-- [FIPS support for recovery password protector](#bkmk-fipssupport)
-- [BitLocker Group Policy settings](bitlocker-group-policy-settings.md)
-
-## Audit your environment
+## Audit your environment
To plan your enterprise deployment of BitLocker, you must first understand your current environment. Conduct an informal audit to define your current policies, procedures, and hardware environment. Begin by reviewing your existing corporate security policies as they relate to disk encryption software. If your organization is not currently using disk encryption software, none of these policies will exist. If you are using disk encryption software, then you might need to modify your organization's policies to address the capabilities of BitLocker.
Use the following questions to help you document your organization's current disk encryption security policies:
-1. Are there policies to address which computers will use BitLocker and which computers will not use BitLocker?
-2. What policies exist to control recovery password and recovery key storage?
-3. What are the policies for validating the identity of users that need to perform BitLocker recovery?
-4. What policies exist to control who in the organization has access to recovery data?
-5. What policies exist to control computer decommissioning or retirement?
+1. Are there policies to address which computers will use BitLocker and which computers will not use BitLocker?
+2. What policies exist to control recovery password and recovery key storage?
+3. What are the policies for validating the identity of users that need to perform BitLocker recovery?
+4. What policies exist to control who in the organization has access to recovery data?
+5. What policies exist to control computer decommissioning or retirement?
-## Encryption keys and authentication
+## Encryption keys and authentication
BitLocker helps prevent unauthorized access to data on lost or stolen computers by:
-- Encrypting the entire Windows operating system volume on the hard disk.
-- Verifying the boot process integrity.
+- Encrypting the entire Windows operating system volume on the hard disk.
+- Verifying the boot process integrity.
The trusted platform module (TPM) is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline.
@@ -72,7 +62,7 @@ On computers that do not have a TPM version 1.2 or higher, you can still use Bi
| Startup key | An encryption key that can be stored on most removable media. This key protector can be used alone on non-TPM computers, or in conjunction with a TPM for added security.|
| Recovery password | A 48-digit number used to unlock a volume when it is in recovery mode. Numbers can often be typed on a regular keyboard, if the numbers on the normal keyboard are not responding you can always use the function keys (F1-F10) to input the numbers.|
| Recovery key| An encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume.|
-
+
### BitLocker authentication methods
| Authentication method | Requires user interaction | Description |
@@ -82,7 +72,7 @@ On computers that do not have a TPM version 1.2 or higher, you can still use Bi
| TPM + Network key | No | The TPM successfully validates early boot components, and a valid encrypted network key has been provided from the WDS server. This authentication method provides automatic unlock of operating system volumes at system reboot while still maintaining multifactor authentication. |
| TPM + startup key| Yes| The TPM successfully validates early boot components, and a USB flash drive containing the startup key has been inserted.|
| Startup key only | Yes| The user is prompted to insert the USB flash drive that holds the recovery key and/or startup key and reboot the computer.|
-
+
**Will you support computers without TPM version 1.2 or higher?**
Determine whether you will support computers that do not have a TPM version 1.2 or higher in your environment. If you choose to support BitLocker on this type of computer, a user must use a USB startup key to boot the system. This requires additional support processes similar to multifactor authentication.
@@ -101,7 +91,7 @@ If there are areas of your organization where data residing on user computers is
The protection differences provided by multifactor authentication methods cannot be easily quantified. Consider each authentication method's impact on Helpdesk support, user education, user productivity, and automated systems management processes.
-## TPM hardware configurations
+## TPM hardware configurations
In your deployment plan, identify what TPM-based hardware platforms will be supported. Document the hardware models from an OEM of your choice, so that their configurations can be tested and supported. TPM hardware requires special consideration during all aspects of planning and deployment.
@@ -117,24 +107,24 @@ An endorsement key can be created at various points in the TPM’s lifecycle, bu
For more information about the TPM and the TCG, see the Trusted Computing Group: Trusted Platform Module (TPM) Specifications ().
-## Non-TPM hardware configurations
+## Non-TPM hardware configurations
Devices that do not include a TPM can still be protected by drive encryption. Windows To Go workspaces can be BitLocker protected using a startup password and PCs without a TPM can use a startup key.
Use the following questions to identify issues that might affect your deployment in a non-TPM configuration:
-- Are password complexity rules in place?
-- Do you have budget for USB flash drives for each of these computers?
-- Do your existing non-TPM devices support USB devices at boot time?
+- Are password complexity rules in place?
+- Do you have budget for USB flash drives for each of these computers?
+- Do your existing non-TPM devices support USB devices at boot time?
Test your individual hardware platforms with the BitLocker system check option while you are enabling BitLocker. The system check will ensure that BitLocker can read the recovery information from a USB device and encryption keys correctly before it encrypts the volume. CD and DVD drives cannot act as a block storage device and cannot be used to store the BitLocker recovery material.
-## Disk configuration considerations
+## Disk configuration considerations
To function correctly, BitLocker requires a specific disk configuration. BitLocker requires two partitions that meet the following requirements:
-- The operating system partition contains the operating system and its support files; it must be formatted with the NTFS file system
-- The system partition (or boot partition) contains the files that are needed to load Windows after the BIOS or UEFI firware has prepared the system hardware. BitLocker is not enabled on this partition. For BitLocker to work, the system partition must not be encrypted and must be on a different partition than the operating system. On UEFI platforms the system partition must be formatted with the FAT 32 file system. On BIOS platforms the system partition must be formatted with the NTFS file system. It should be at least 350 MB in size
+- The operating system partition contains the operating system and its support files; it must be formatted with the NTFS file system
+- The system partition (or boot partition) contains the files that are needed to load Windows after the BIOS or UEFI firware has prepared the system hardware. BitLocker is not enabled on this partition. For BitLocker to work, the system partition must not be encrypted and must be on a different partition than the operating system. On UEFI platforms the system partition must be formatted with the FAT 32 file system. On BIOS platforms the system partition must be formatted with the NTFS file system. It should be at least 350 MB in size
Windows setup will automatically configure the disk drives of your computer to support BitLocker encryption.
@@ -142,7 +132,7 @@ Windows Recovery Environment (Windows RE) is an extensible recovery platform tha
Windows RE can also be used from boot media other than the local hard disk. If you choose not to install Windows RE on the local hard disk of BitLocker-enabled computers, you can use alternate boot methods, such as Windows Deployment Services, CD-ROM, or USB flash drive, for recovery.
-## BitLocker provisioning
+## BitLocker provisioning
In Windows Vista and Windows 7, BitLocker was provisioned post installation for system and data volumes through either the manage-bde command line interface or the Control Panel user interface. With newer operating systems, BitLocker can be easily provisioned before the operating system is installed. Preprovisioning requires that the computer have a TPM.
@@ -152,7 +142,7 @@ When using the control panel options, administrators can choose to **Turn on Bit
Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation Environment (WinPE). This is done with a randomly generated clear key protector applied to the formatted volume and encrypting the volume prior to running the Windows setup process. If the encryption uses the Used Disk Space Only option this step takes only a few seconds and so incorporates well into regular deployment processes.
-## Used Disk Space Only encryption
+## Used Disk Space Only encryption
The BitLocker Setup wizard provides administrators the ability to choose the Used Disk Space Only or Full encryption method when enabling BitLocker for a volume. Administrators can use the new BitLocker Group Policy setting to enforce either Used Disk Space Only or Full disk encryption.
@@ -162,7 +152,7 @@ Used Disk Space Only means that only the portion of the drive that contains data
Full drive encryption means that the entire drive will be encrypted, regardless of whether data is stored on it or not. This is useful for drives that have been repurposed and may contain data remnants from their previous use.
-## Active Directory Domain Services considerations
+## Active Directory Domain Services considerations
BitLocker integrates with Active Directory Domain Services (AD DS) to provide centralized key management. By default, no recovery information is backed up to Active Directory. Administrators can configure the following Group Policy setting for each drive type to enable backup of BitLocker recovery information:
@@ -172,29 +162,30 @@ By default, only Domain Admins have access to BitLocker recovery information, bu
The following recovery data is saved for each computer object:
-- **Recovery password**
+- **Recovery password**
A 48-digit recovery password used to recover a BitLocker-protected volume. Users enter this password to unlock a volume when BitLocker enters recovery mode.
-- **Key package data**
+- **Key package data**
With this key package and the recovery password, you will be able decrypt portions of a BitLocker-protected volume if the disk is severely damaged. Each key package will only work with the volume it was created on, which can be identified by the corresponding volume ID.
-## FIPS support for recovery password protector
+## FIPS support for recovery password protector
Functionality introduced in Windows Server 2012 R2 and Windows 8.1, allows BitLocker to be fully functional in FIPS mode.
->**Note:** The United States Federal Information Processing Standard (FIPS) defines security and interoperability requirements for computer systems that are used by the U.S. federal government. The FIPS 140 standard defines approved cryptographic algorithms. The FIPS 140 standard also sets forth requirements for key generation and for key management. The National Institute of Standards and Technology (NIST) uses the Cryptographic Module Validation Program (CMVP) to determine whether a particular implementation of a cryptographic algorithm is compliant with the FIPS 140 standard. An implementation of a cryptographic algorithm is considered FIPS 140-compliant only if it has been submitted for and has passed NIST validation. An algorithm that has not been submitted cannot be considered FIPS-compliant even if the implementation produces identical data as a validated implementation of the same algorithm.
-
+> [!NOTE]
+> The United States Federal Information Processing Standard (FIPS) defines security and interoperability requirements for computer systems that are used by the U.S. federal government. The FIPS 140 standard defines approved cryptographic algorithms. The FIPS 140 standard also sets forth requirements for key generation and for key management. The National Institute of Standards and Technology (NIST) uses the Cryptographic Module Validation Program (CMVP) to determine whether a particular implementation of a cryptographic algorithm is compliant with the FIPS 140 standard. An implementation of a cryptographic algorithm is considered FIPS 140-compliant only if it has been submitted for and has passed NIST validation. An algorithm that has not been submitted cannot be considered FIPS-compliant even if the implementation produces identical data as a validated implementation of the same algorithm.
+
Prior to these supported versions of Windows, when Windows was in FIPS mode, BitLocker prevented the creation or use of recovery passwords and instead forced the user to use recovery keys. For more information about these issues, see the support article [kb947249](https://support.microsoft.com/kb/947249).
But on computers running these supported systems with BitLocker enabled:
-- FIPS-compliant recovery password protectors can be created when Windows is in FIPS mode. These protectors use the FIPS 140 NIST SP800-132 algorithm.
-- Recovery passwords created in FIPS mode on Windows 8.1 can be distinguished from recovery passwords created on other systems.
-- Recovery unlock using the FIPS-compliant algorithm based recovery password protector work in all cases that currently work for recovery passwords.
-- When FIPS-compliant recovery passwords unlock volumes, the volume is unlocked to allow read/write access even while in FIPS mode.
-- FIPS-compliant recovery password protectors can be exported and stored in AD a while in FIPS mode.
+- FIPS-compliant recovery password protectors can be created when Windows is in FIPS mode. These protectors use the FIPS 140 NIST SP800-132 algorithm.
+- Recovery passwords created in FIPS mode on Windows 8.1 can be distinguished from recovery passwords created on other systems.
+- Recovery unlock using the FIPS-compliant algorithm based recovery password protector work in all cases that currently work for recovery passwords.
+- When FIPS-compliant recovery passwords unlock volumes, the volume is unlocked to allow read/write access even while in FIPS mode.
+- FIPS-compliant recovery password protectors can be exported and stored in AD a while in FIPS mode.
The BitLocker Group Policy settings for recovery passwords work the same for all Windows versions that support BitLocker, whether in FIPs mode or not.
diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
index c0e83393a2..1473dadc79 100644
--- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
index 3d9ca8313a..3b08db0a4f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
@@ -28,7 +28,8 @@ Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://w
## Before you begin:
1. Create a [Storage account](https://docs.microsoft.com/azure/storage/common/storage-account-overview) in your tenant.
-2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to **Microsoft.insights****.
+2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to Microsoft.insights**.
+3. Go to **Settings > Advanced Features > Preview features** and turn Preview features **On**.
## Enable raw data streaming:
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
index 56c8938d8f..5f46ca3685 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
@@ -37,6 +37,9 @@ This means that if you have a mix of computers, such as member servers that run
This topic also covers related events, and how to enable audit mode before constraining the security principals that are allowed to remotely enumerate users and groups so that your environment remains secure without impacting application compatibility.
+> [!NOTE]
+> Implementation of this policy [could affect offline address book generation](https://support.microsoft.com/help/4055652/access-checks-fail-because-of-authz-access-denied-error-in-windows-ser) on servers running Microsoft Exchange 2016 or Microsoft Exchange 2013.
+
## Reference
The SAMRPC protocol makes it possible for a low privileged user to query a machine on a network for data.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
index 31bb4fd4b9..499df8dfac 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
@@ -80,7 +80,7 @@ You can disable this setting to ensure that only globally-defined lists (such as
3. Expand the tree to **Windows components > Windows Defender Antivirus**.
-4. Double-click **Configure local administrator merge behavior for lists** and set the option to **Enabled**. Click **OK**.
+4. Double-click **Configure local administrator merge behavior for lists** and set the option to **Disabled**. Click **OK**.
> [!NOTE]
> If you disable local list merging, it will override controlled folder access settings. It also overrides any protected folders or allowed apps set by the local administrator. For more information about controlled folder access settings, see [Enable controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard).
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md
index 70d70defed..f37fa94b99 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md
@@ -116,3 +116,6 @@ In the Microsoft Defender ATP portal, you'll see two categories of information:
- Computer model
- Processor architecture
- Whether the device is a virtual machine
+
+ > [!NOTE]
+ > Certain device information might be subject to upcoming releases. To send us feedback, use the Microsoft Defender ATP for Mac app and select **Help** > **Send feedback** on your device. Optionally, use the **Feedback** button in the Microsoft Defender Security Center.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
index 6a39c1dd9a..acfa9717f3 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
@@ -149,7 +149,7 @@ In this case, Tamper Protection status changes, and this feature is no longer ap
### Will there be an alert about Tamper Protection status changing in the Microsoft Defender Security Center?
-Yes. The alert is shown in [https://securitycenter.microsoft.com](https://microsoft.securitycenter.com) under **Alerts**.
+Yes. The alert is shown in [https://securitycenter.microsoft.com](https://securitycenter.microsoft.com) under **Alerts**.
In addition, your security operations team can use hunting queries, such as the following:
diff --git a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
index 33c3ad51b5..4c62952e60 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
@@ -42,7 +42,7 @@ A full scan can be useful on endpoints that have encountered a malware threat to
See [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using System Center Configuration Manager (current branch) to run a scan.
-**Use the mpcmdrum.exe command-line utility to run a scan:**
+**Use the mpcmdrun.exe command-line utility to run a scan:**
Use the following `-scan` parameter:
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md
index c2c55cccf6..488a8cc411 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md
@@ -37,7 +37,7 @@ The Application Identity service determines and verifies the identity of an app.
4. In the details pane, double-click **Application Identity**.
5. In **Application Identity Properties**, configure the service to start automatically.
-Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure.
+Membership in the local **Administrators** group, or equivalent, is the minimum access required to complete this procedure.
**To start the Application Identity service manually**
@@ -47,7 +47,7 @@ Membership in the local **Administrators** group, or equivalent, is the minimum
Starting with Windows 10, the Application Identity service is now a protected process. Because of this, you can no longer manually set the service **Startup type** to **Automatic** by using the Sevices snap-in. Try either of these methods instead:
-- Open an elevated commnad prompt or PowerShell session and type:
+- Open an elevated command prompt or PowerShell session and type:
```powershell
sc.exe config appidsvc start= auto
diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
index a7ebe4f68b..4af4424abe 100644
--- a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
@@ -24,7 +24,7 @@ ms.date: 05/03/2018
- Windows 10
- Windows Server 2016
-Running Appication Control in audit mode allows administrators to discover any applications that were missed during an initial policy scan and to identify any new applications that have been installed and run since the original policy was created. While a WDAC policy is running in audit mode, any binary that runs and would have been denied had the policy been enforced is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. When these logged binaries have been validated, they can easily be added to a new WDAC policy. When the new exception policy is created, you can merge it with your existing WDAC policies.
+Running **Application Control** in audit mode allows administrators to discover any applications that were missed during an initial policy scan and to identify any new applications that have been installed and run since the original policy was created. While a WDAC policy is running in audit mode, any binary that runs and would have been denied had the policy been enforced is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. When these logged binaries have been validated, they can easily be added to a new WDAC policy. When the new exception policy is created, you can merge it with your existing WDAC policies.
Before you begin this process, you need to create a WDAC policy binary file. If you have not already done so, see [Create an initial Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md).
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index 153465c8df..e9859af647 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -74,7 +74,9 @@ You can set several rule options within a WDAC policy. Table 2 describes each ru
| **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). |
| **15 Enabled:Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically re-validate the reputation for files that were authorized by the ISG.|
| **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot. |
-| **17 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically-loaded libraries. |
+| **17 Enabled:Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it. |
+| **18 Disabled:Runtime FilePath Rule Protection** | Disable default FilePath rule protection of enforcing user-writeability and only allowing admin-writeable locations. |
+| **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically-loaded libraries. |
## Windows Defender Application Control file rule levels
@@ -88,6 +90,12 @@ Table 3. Windows Defender Application Control policy - file rule levels
|----------- | ----------- |
| **Hash** | Specifies individual hash values for each discovered binary. Although this level is specific, it can cause additional administrative overhead to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. |
| **FileName** | Specifies individual binary file names. Although the hash values for an application are modified when updated, the file names are typically not. This offers less specific security than the hash level but does not typically require a policy update when any binary is modified. |
+| **FilePath** | Beginning with Windows 10 version 1903, this specifies rules that allow execution of binaries contained in paths that are admin-writeable only. By default, WDAC performs a user-writeability check at runtime which ensures that the current permissions on the specified filepath and its parent directories (recursively) do not allow standard users write access.
Note that filepath rules do not provide the same security guarantees that explicit signer rules do, as they are based on mutable access permissions. Filepath rules are best suited for environments where most users are running as standard rather than admin. IT Pros should take care while crafting path rules to allow paths that they know are likely to remain to be admin-writeable only and deny execution from sub-directories where standard users can modify ACLs on the folder.
There is a defined list of SIDs which are recognized as admins (below). If a file has write permissions for a SID not in this list, the file will be flagged as user writeable.
S-1-3-0; S-1-5-18; S-1-5-19; S-1-5-20; S-1-5-32-544; S-1-5-32-549; S-1-5-32-550; S-1-5-32-551; S-1-5-32-577; S-1-5-32-559; S-1-5-32-568; S-1-15-2-1430448594-2639229838-973813799-439329657-1197984847-4069167804-1277922394; S-1-15-2-95739096-486727260-2033287795-3853587803-1685597119-444378811-2746676523.
Wildcards can be used at the beginning or end of a path rule: only one wildcard is allowed per path rule. Wildcards placed at the end of a path authorize all files in that path and its subdirectories recursively (ex. C:\\* would include C:\foo\\* ). Wildcards placed at the beginning of a path scan all directories for files with a specific name (ex. \*\bar.exe would allow C:\bar.exe and C:\foo\bar.exe). Wildcards in the middle of a path are not supported (ex. C:\\*\foo.exe). Without a wildcard, the rule will allow only a specific file (ex. C:\foo\bar.exe).
Supported macros: %WINDIR%, %SYSTEM32%, %OSDRIVE%.|
+> [!NOTE]
+> Due to an existing bug, you can not combine Path-based ALLOW rules with any DENY rules in a single policy. Instead, either separate DENY rules into a separate Base policy or move the Path-based ALLOW rules into a supplemental policy as described in [Deploy multiple WDAC policies.](deploy-multiple-windows-defender-application-control-policies.md)
+
+| Rule level | Description |
+|----------- | ----------- |
| **SignedVersion** | This combines the publisher rule with a version number. This option allows anything from the specified publisher, with a version at or above the specified version number, to run. |
| **Publisher** | This is a combination of the PcaCertificate level (typically one certificate below the root) and the common name (CN) of the leaf certificate. This rule level allows organizations to trust a certificate from a major CA (such as Symantec), but only if the leaf certificate is from a specific company (such as Intel, for device drivers). |
| **FilePublisher** | This is a combination of the “FileName” attribute of the signed file, plus “Publisher” (PCA certificate with CN of leaf), plus a minimum version number. This option trusts specific files from the specified publisher, with a version at or above the specified version number. |
@@ -111,51 +119,3 @@ As part of normal operations, they will eventually install software updates, or
They could also choose to create a catalog that captures information about the unsigned internal application, then sign and distribute the catalog. Then the internal application could be handled by WDAC policies in the same way as any other signed application. An update to the internal application would only require that the catalog be regenerated, signed, and distributed (no restarts would be required).
-## Create path-based rules
-
-Beginning with Windows 10 version 1903, Windows Defender Application Control (WDAC) policies can contain path-based rules.
-> [!NOTE]
-> Due to an existing bug, you can not combine Path-based ALLOW rules with any DENY rules in a single policy. Instead, either separate DENY rules into a separate Base policy or move the Path-based ALLOW rules into a supplemental policy as described in [Deploy multiple WDAC policies.](deploy-multiple-windows-defender-application-control-policies.md)
-
-- New-CIPolicy parameter
- - FilePath: create path rules under path \ for anything not user-writeable (at the individual file level)
-
- ```powershell
- New-CIPolicy -FilePath .\mypolicy.xml -Level FileName -ScanPath -UserPEs
- ```
-
- Optionally, add -UserWriteablePaths to ignore user writeability
-
-- New-CIPolicyRule parameter
- - FilePathRule: create a rule where filepath string is directly set to value of \
-
- ```powershell
- New-CIPolicyRule -FilePathRule
- ```
-
- Useful for wildcards like C:\foo\\*
-
-- Usage follows the same flow as per-app rules:
-
- ```powershell
- $rules = New-CIPolicyRule …
- $rules += New-CIPolicyRule …
- …
- New-CIPolicy -FilePath .\mypolicy.xml -Rules $rules -UserPEs
- ```
-
-- Wildcards supported
- - Suffix (ex. C:\foo\\*) OR Prefix (ex. *\foo\bar.exe)
- - One or the other, not both at the same time
- - Does not support wildcard in the middle (ex. C:\\*\foo.exe)
- - Examples:
- - %WINDIR%\\...
- - %SYSTEM32%\\...
- - %OSDRIVE%\\...
-
-- Disable default FilePath rule protection of enforcing user-writeability. For example, to add “Disabled:Runtime FilePath Rule Protection” to the policy:
-
- ```powershell
- Set-RuleOption -Option 18 .\policy.xml
- ```
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
index 7fcc89b839..e58cbff714 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
@@ -21,7 +21,7 @@ ms.date: 01/08/2019
**Applies to:**
-- Windows 10 Enterprise
+- Windows 10
- Windows Server 2016
- Windows Server 2019
@@ -44,7 +44,7 @@ WDAC policies also block unsigned scripts and MSIs, and Windows PowerShell runs
## WDAC System Requirements
WDAC policies can only be created on computers beginning with Windows 10 Enterprise or Windows Server 2016 and above.
-They can be applied to computers running Windows 10 Enterprise or Windows Server 2016 and above and optionally managed via Mobile Device Management (MDM), such as Microsoft Intune.
+They can be applied to computers running any edition of Windows 10 or Windows Server 2016 and optionally managed via Mobile Device Management (MDM), such as Microsoft Intune.
Group Policy or Intune can be used to distribute WDAC policies.
## New and changed functionality