From cd2bab5011665d5af5e975264b1dd251f055d25e Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Mon, 23 Sep 2019 13:37:56 +0300 Subject: [PATCH 01/68] added note about info which might not be available https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4756 --- .../microsoft-defender-atp-mac-resources.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md index e8697f63a3..c740aff96d 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md @@ -116,3 +116,6 @@ In the Microsoft Defender ATP portal, you'll see two categories of information: - Computer model - Processor architecture - Whether the device is a virtual machine + + > [!NOTE] + > Certain device information might be subject to upcoming releases.Please leverage MDATP for Mac app "Help > Send feedback" on your device or "Feedback button" in Microsoft Defender Security Center to share what specific functionality is the most important for your organization. From b6d75735e922d1185a8a5abff77a6008a5f041f6 Mon Sep 17 00:00:00 2001 From: John Kennedy Date: Mon, 23 Sep 2019 15:47:34 -0700 Subject: [PATCH 02/68] Update appv-release-notes-for-appv-for-windows.md Updating information re: VS support, as per Paul Chapman's request. --- .../app-v/appv-release-notes-for-appv-for-windows.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md index daf1783e49..df0106d502 100644 
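Review bot: the added NOTE line is missing the space after "releases." ("releases.Please"), and "might be subject to upcoming releases" does not tell the reader what to expect; suggest "might not be reported until an upcoming release". Also spell out "MDATP for Mac app" as "Microsoft Defender ATP for Mac app", since the context line above uses the full product name ("In the Microsoft Defender ATP portal").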
--- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md +++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md @@ -145,6 +145,8 @@ App-V doesn't support Visual Studio 2012. **Workaround**: Use a newer version of Microsoft Visual Studio. +Today, we do not support app virtualization with Visual Studio, whether using Microsoft’s App-V or third party solutions such as VMWare’s ThinApp. While it is possible that customers might find that Visual Studio works well enough for their purposes when running within one of these environments, at this time we are unable to address any bugs or issues found when running in a virtualized environment. + ## Application filename restrictions for App-V Sequencer The App-V Sequencer cannot sequence applications with filenames matching "CO_<x>" where x is any numeral. Error 0x8007139F will be generated. From 113478956863d87220ca2174eafdd2f3b3820418 Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Tue, 24 Sep 2019 15:44:59 +0300 Subject: [PATCH 03/68] Update windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../microsoft-defender-atp-mac-resources.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md index c740aff96d..c2150bffa6 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md 
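Review bot: the new paragraph contradicts the two context lines directly above it: the section says App-V doesn't support Visual Studio 2012 and the workaround is "Use a newer version of Microsoft Visual Studio", but the added text says app virtualization with Visual Studio is not supported at all. State which is meant (no version is supported, or only 2012 is excluded) and adjust the workaround to match. Minor: "third party" should be "third-party" and the vendor name is "VMware".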
@@ -118,4 +118,4 @@ In the Microsoft Defender ATP portal, you'll see two categories of information: - Whether the device is a virtual machine > [!NOTE] - > Certain device information might be subject to upcoming releases.Please leverage MDATP for Mac app "Help > Send feedback" on your device or "Feedback button" in Microsoft Defender Security Center to share what specific functionality is the most important for your organization. + > Certain device information might be subject to upcoming releases. Please leverage MDATP for Mac app "Help > Send feedback" on your device or the "Feedback button" in Microsoft Defender Security Center to share what specific functionality is the most important for your organization. From b049de0793884add0e500e495dad66cea3ff37fe Mon Sep 17 00:00:00 2001 From: Andreas Stenhall Date: Thu, 26 Sep 2019 12:54:41 +0200 Subject: [PATCH 04/68] Corrected command value Corrected command value, must be 17 and not "Enabled:Allow Supplemental Policies". Option 17 do activate "Enabled:Allow Supplemental Policies" but the syntax of the command is not correct. --- ...oy-multiple-windows-defender-application-control-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index 40326f9ba8..a9c5251d57 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md 
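Review bot: the missing space is fixed, but "Please leverage MDATP for Mac app "Help > Send feedback"" still reads awkwardly and abbreviates the product name; suggest "In the Microsoft Defender ATP for Mac app, select Help > Send feedback", matching the name used in the hunk's context line.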
@@ -52,7 +52,7 @@ New-CIPolicy -MultiplePolicyFormat -foo –bar Optionally, you can choose to make the new base policy supplementable (allow supplemental policies). ```powershell -Set-RuleOption -FilePath Enabled:Allow Supplemental Policies +Set-RuleOption -FilePath 17 ``` For signed base policies that are being made supplementable, you need to ensure that supplemental signers are defined. Use the "Supplemental" switch in Add-SignerRule to provide supplemental signers. From 9a0f10bf5534427f2afc6452fbcbdaaa36eea53e Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Fri, 27 Sep 2019 15:25:01 -0700 Subject: [PATCH 05/68] Update microsoft-defender-atp-mac-resources.md rewrite for clarity --- .../microsoft-defender-atp-mac-resources.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md index c2150bffa6..5bb7d573e1 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md @@ -118,4 +118,4 @@ In the Microsoft Defender ATP portal, you'll see two categories of information: - Whether the device is a virtual machine > [!NOTE] - > Certain device information might be subject to upcoming releases. Please leverage MDATP for Mac app "Help > Send feedback" on your device or the "Feedback button" in Microsoft Defender Security Center to share what specific functionality is the most important for your organization. + > Certain device information might be subject to upcoming releases. To send us feedback, use the Microsoft Defender ATP for Mac app" **Help** > **Send feedback** on your device. Optionally, use the **Feedback** button in the Microsoft Defender Security Center. 
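Review bot: `Set-RuleOption -FilePath 17` in [PATCH 04/68] is still not a valid call: -FilePath takes the path of the policy XML and the option number goes to -Option, so the line should read `Set-RuleOption -FilePath <PathToPolicy.xml> -Option 17`. A short comment that option 17 is "Enabled:Allow Supplemental Policies" would also help, since the commit message explains the mapping but the page does not. The context line `New-CIPolicy -MultiplePolicyFormat -foo –bar` above it carries placeholder parameters and a non-ASCII en dash; worth a follow-up.

Review bot: the rewritten NOTE in [PATCH 05/68] has a stray double quote after "Microsoft Defender ATP for Mac app"", which will render in the output, and the sentence "use the ... app" **Help** > **Send feedback** on your device" is missing a verb between the app name and the menu path (for example "and select").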
From 259ab6338e4d756a0b11486e499b0fd7246fd711 Mon Sep 17 00:00:00 2001 From: Baard Hermansen Date: Tue, 1 Oct 2019 19:38:21 +0200 Subject: [PATCH 06/68] Update activate-using-active-directory-based-activation-client.md Tidied up markdown. Changed wording a few places. Changed numbering style according to best practices found elsewhere. Added a few line shifts for improved readability. --- ...ctive-directory-based-activation-client.md | 121 ++++++++++-------- 1 file changed, 69 insertions(+), 52 deletions(-) diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md index 2ca4a9039b..893b4f6f7c 100644 --- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md +++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md 
@@ -18,86 +18,103 @@ ms.topic: article --- # Activate using Active Directory-based activation -**Applies to** -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows Server 2012 R2 -- Windows Server 2012 -- Windows Server 2016 -- Windows Server 2019 + +> Applies to +> +>- Windows 10 +>- Windows 8.1 +>- Windows 8 +>- Windows Server 2012 R2 +>- Windows Server 2012 +>- Windows Server 2016 +>- Windows Server 2019 **Looking for retail activation?** -- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) -Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. Active Directory-based activation requires that the forest schema be updated by adprep.exe on a computer running Windows Server 2012 or Windows Server 2012 R2, but after the schema is updated, older domain controllers can still activate clients. -Any domain-joined computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2 with a GVLK will be activated automatically and transparently. They will stay activated as long as they remain members of the domain and maintain periodic contact with a domain controller. Activation takes place after the Licensing service starts. When this service starts, the computer contacts AD DS automatically, receives the activation object, and is activated without user intervention. -To allow computers with GVLKs to activate themselves, use the Volume Activation Tools console in Windows Server 2012 R2 or the VAMT in earlier versions of Windows Server to create an object in the AD DS forest. You create this activation object by submitting a KMS host key to Microsoft, as shown in Figure 10. 
+- [Get Help Activating Microsoft Windows 7 or Windows 8.1](https://support.microsoft.com/help/15083/windows-activate-windows-7-or-8-1) +- [Get Help Activating Microsoft Windows 10](https://support.microsoft.com/help/12440/windows-10-activate) + +Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. Active Directory-based activation requires that the forest schema be updated using *adprep.exe* on a supported server OS, but after the schema is updated, older domain controllers can still activate clients. + +Any domain-joined computers running a supported operating system with a Generic Volume License Key (GVLK) will be activated automatically and transparently. They will stay activated as long as they remain members of the domain and maintain periodic contact with a domain controller. Activation takes place after the Licensing service starts. When this service starts, the computer contacts AD DS automatically, receives the activation object, and is activated without user intervention. + +To allow computers with GVLKs to activate themselves, use the Volume Activation Tools console or the [Volume Activation Management Tool (VAMT)](volume-activation-management-tool.md) in earlier versions of Windows Server to create an object in the AD DS forest. You create this activation object by submitting a KMS host key to Microsoft, as shown in Figure 10. + The process proceeds as follows: -1. Perform one of the following tasks: - - Install the Volume Activation Services server role on a domain controller running Windows Server 2012 R2, and add a KMS host key by using the Volume Activation Tools Wizard. - - Extend the domain to the Windows Server 2012 R2 schema level, and add a KMS host key by using the VAMT. -2. Microsoft verifies the KMS host key, and an activation object is created. -3. Client computers are activated by receiving the activation object from a domain controller during startup. + +1. 
Perform one of the following tasks: + - Install the Volume Activation Services server role on a domain controller and add a KMS host key by using the Volume Activation Tools Wizard. + - Extend the domain to the Windows Server 2012 R2 or higher schema level, and add a KMS host key by using the VAMT. +1. Microsoft verifies the KMS host key, and an activation object is created. +1. Client computers are activated by receiving the activation object from a domain controller during startup. ![Active Directory-based activation flow](../images/volumeactivationforwindows81-10.jpg) - + **Figure 10**. The Active Directory-based activation flow - -For environments in which all computers are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2, and they are joined to a domain, Active Directory-based activation is the best option for activating all client computers and servers, and you may be able to remove any KMS hosts from your environment. + +For environments in which all computers are running an operating system listed under *Applies to*, and they are joined to a domain, Active Directory-based activation is the best option for activating all client computers and servers, and you may be able to remove any KMS hosts from your environment. + If an environment will continue to contain earlier volume licensing operating systems and applications or if you have workgroup computers outside the domain, you need to maintain a KMS host to maintain activation status for earlier volume licensing editions of Windows and Office. + Clients that are activated with Active Directory-based activation will maintain their activated state for up to 180 days since the last contact with the domain, but they will periodically attempt to reactivate before then and at the end of the 180 day period. By default, this reactivation event occurs every seven days. -When a reactivation event occurs, the client queries AD DS for the activation object. 
Client computers examine the activation object and compare it to the local edition as defined by the GVLK. If the object and GVLK match, reactivation occurs. If the AD DS object cannot be retrieved, client computers use KMS activation. If the computer is removed from the domain, when the computer or the Software Protection service is restarted, the operating system will change the status from activated to not activated, and the computer will try to activate with KMS. + +When a reactivation event occurs, the client queries AD DS for the activation object. Client computers examine the activation object and compare it to the local edition as defined by the GVLK. If the object and GVLK match, reactivation occurs. If the AD DS object cannot be retrieved, client computers use KMS activation. If the computer is removed from the domain, and the computer or the Software Protection service is restarted, the operating system will change the status from activated to not activated, and the computer will try to activate with KMS. + ## Step-by-step configuration: Active Directory-based activation -**Note**   -You must be a member of the local Administrators group on all computers mentioned in these steps. You also need to be a member of the Enterprise Administrators group, because setting up Active Directory-based activation changes forest-wide settings. -**To configure Active Directory-based activation on Windows Server 2012 R2, complete the following steps:** -1. Use an account with Domain Administrator and Enterprise Administrator credentials to sign in to a domain controller. -2. Launch Server Manager. -3. Add the Volume Activation Services role, as shown in Figure 11. + +> [!NOTE] +> You must be a member of the local Administrators group on all computers mentioned in these steps. You also need to be a member of the Enterprise Administrators group, because setting up Active Directory-based activation changes forest-wide settings. 
+ +**To configure Active Directory-based activation on Windows Server 2012 R2 or higher, complete the following steps:** + +1. Use an account with Domain Administrator and Enterprise Administrator credentials to sign in to a domain controller. +1. Launch Server Manager. +1. Add the Volume Activation Services role, as shown in Figure 11. ![Adding the Volume Activation Services role](../images/volumeactivationforwindows81-11.jpg) - + **Figure 11**. Adding the Volume Activation Services role - -4. Click the link to launch the Volume Activation Tools (Figure 12). + +1. Click the link to launch the Volume Activation Tools (Figure 12). ![Launching the Volume Activation Tools](../images/volumeactivationforwindows81-12.jpg) - + **Figure 12**. Launching the Volume Activation Tools - -5. Select the **Active Directory-Based Activation** option (Figure 13). + +1. Select the **Active Directory-Based Activation** option (Figure 13). ![Selecting Active Directory-Based Activation](../images/volumeactivationforwindows81-13.jpg) - + **Figure 13**. Selecting Active Directory-Based Activation - -6. Enter your KMS host key and (optionally) a display name (Figure 14). + +1. Enter your KMS host key and (optionally) a display name (Figure 14). ![Choosing how to activate your product](../images/volumeactivationforwindows81-15.jpg) - + **Figure 14**. Entering your KMS host key - -7. Activate your KMS host key by phone or online (Figure 15). + +1. Activate your KMS host key by phone or online (Figure 15). ![Entering your KMS host key](../images/volumeactivationforwindows81-14.jpg) - + **Figure 15**. Choosing how to activate your product - -8. After activating the key, click **Commit**, and then click **Close**. + +1. After activating the key, click **Commit**, and then click **Close**. ## Verifying the configuration of Active Directory-based activation To verify your Active Directory-based activation configuration, complete the following steps: -1. 
After you configure Active Directory-based activation, start a computer that is running an edition of Windows that is configured by volume licensing. -2. If the computer has been previously configured with a MAK key, replace the MAK key with the GVLK by running the **slmgr.vbs /ipk** command and specifying the GLVK as the new product key. -3. If the computer is not joined to your domain, join it to the domain. -4. Sign in to the computer. -5. Open Windows Explorer, right-click **Computer**, and then click **Properties**. -6. Scroll down to the **Windows activation** section, and verify that this client has been activated. - **Note**
- If you are using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that has not already been activated by KMS. The **slmgr.vbs /dlv** command also indicates whether KMS has been used. - +1. After you configure Active Directory-based activation, start a computer that is running an edition of Windows that is configured by volume licensing. +1. If the computer has been previously configured with a MAK key, replace the MAK key with the GVLK by running the **slmgr.vbs /ipk** command and specifying the GLVK as the new product key. +1. If the computer is not joined to your domain, join it to the domain. +1. Sign in to the computer. +1. Open Windows Explorer, right-click **Computer**, and then click **Properties**. +1. Scroll down to the **Windows activation** section, and verify that this client has been activated. + + > [!NOTE] + > If you are using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that has not already been activated by KMS. The **slmgr.vbs /dlv** command also indicates whether KMS has been used. + ## See also -- [Volume Activation for Windows 10](volume-activation-windows-10.md) + +- [Volume Activation for Windows 10](volume-activation-windows-10.md) From 2cc0a99efe677dc629b47e5e20c4063721202ba7 Mon Sep 17 00:00:00 2001 
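Review bot: "specifying the GLVK as the new product key" in the verification steps is carried over unchanged and should read GVLK; this hunk already rewrites that line, so fix it here. Two content changes are not covered by the "tidied up markdown" commit message and should be called out: the single go.microsoft.com retail-activation link is replaced by two support.microsoft.com links, and the adprep requirement loses the explicit "Windows Server 2012 or Windows Server 2012 R2" in favour of "a supported server OS". Style: the "> Applies to" block uses ">- Windows 10" with no space after ">", unlike "> [!NOTE]" later in the same hunk; use "> - " for consistency.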
From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Wed, 2 Oct 2019 14:02:29 +0300 Subject: [PATCH 07/68] Update windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../microsoft-defender-atp-mac-resources.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md index 5bb7d573e1..c1ab883f1e 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md @@ -118,4 +118,4 @@ In the Microsoft Defender ATP portal, you'll see two categories of information: - Whether the device is a virtual machine > [!NOTE] - > Certain device information might be subject to upcoming releases. To send us feedback, use the Microsoft Defender ATP for Mac app" **Help** > **Send feedback** on your device. Optionally, use the **Feedback** button in the Microsoft Defender Security Center. + > Certain device information might be subject to upcoming releases. To send us feedback, use the Microsoft Defender ATP for Mac app and select **Help** > **Send feedback** on your device. Optionally, use the **Feedback** button in the Microsoft Defender Security Center. From 9b7449bf2991b04212e8dc49633c27a96d08d3b8 Mon Sep 17 00:00:00 2001 
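Review bot: the stray quote is gone, but "Certain device information might be subject to upcoming releases" still does not say whether the fields listed above are missing today; suggest "Some of the device information listed above might not be reported until an upcoming release."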
From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Wed, 2 Oct 2019 18:10:36 +0500 Subject: [PATCH 08/68] Minor updates As requested by user, I have updated the log defining path and logs location. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/5023 --- devices/surface/surface-dock-firmware-update.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/devices/surface/surface-dock-firmware-update.md b/devices/surface/surface-dock-firmware-update.md index cee582be7a..98a2ee4215 100644 --- a/devices/surface/surface-dock-firmware-update.md +++ b/devices/surface/surface-dock-firmware-update.md @@ -38,7 +38,8 @@ If preferred, you can manually complete the update as follows: > [!NOTE] > > - Manually installing the MSI file may prompt you to restart Surface; however, restarting is optional and not required. ->- You will need to disconnect and reconnect the dock twice before the update fully completes. +> - You will need to disconnect and reconnect the dock twice before the update fully completes. +> - To create a log file, specify the path in the Msiexec command. For example, append /l*v %windir%\logs\ SurfaceDockFWI.log". ## Network deployment 
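Review bot: the added bullet's example path has a stray space in `%windir%\logs\ SurfaceDockFWI.log"` (the space either becomes part of the file name or splits the argument) and an unmatched closing quote; suggest `append /l*v "%windir%\logs\SurfaceDockFWI.log"`. The table in the same file (next hunk) gives a different directory for the same log, `%windir%\logs\Applications\`; pick one path and use it in both places.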
@@ -73,11 +74,12 @@ Successful completion of Surface Dock Firmware Update results in new registry ke ## Event logging + **Table 1. Event logging for Surface Dock Firmware Update** | Log | Location | Notes | | -------------------------------- | -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Surface Dock Firmware Update log | /l*v %windir%\logs\ SurfaceDockFWI.log | Earlier versions of this tool wrote events to Applications and Services Logs\Microsoft Surface Dock Updater. | +| Surface Dock Firmware Update log | /l*v %windir%\logs\Applications\ SurfaceDockFWI.log | Earlier versions of this tool wrote events to Applications and Services Logs\Microsoft Surface Dock Updater. | | Windows Device Install log | %windir%\inf\ setupapi.dev.log | For more information about using Device Install Log, refer [to SetupAPI Logging](https://docs.microsoft.com/windows-hardware/drivers/install/setupapi-logging--windows-vista-and-later-) documentation. | From 1059e7ce92ec476dceb09ee237eb07ba66271bbc Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Thu, 3 Oct 2019 16:50:38 +0500 Subject: [PATCH 09/68] Update devices/surface/surface-dock-firmware-update.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- devices/surface/surface-dock-firmware-update.md | 1 - 1 file changed, 1 deletion(-) diff --git a/devices/surface/surface-dock-firmware-update.md b/devices/surface/surface-dock-firmware-update.md index 98a2ee4215..57fa2fc9c9 100644 --- a/devices/surface/surface-dock-firmware-update.md +++ b/devices/surface/surface-dock-firmware-update.md 
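Review bot: the Location cell still contains the stray space (`Applications\ SurfaceDockFWI.log`), and its directory now disagrees with the NOTE added earlier in this same patch (`%windir%\logs\ SurfaceDockFWI.log`). Separately, `/l*v` is an msiexec logging switch, not part of the location; move it into the Notes column or the command example so the Location column holds only the path. The blank line added before "**Table 1.**" is unnecessary.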
@@ -74,7 +74,6 @@ Successful completion of Surface Dock Firmware Update results in new registry ke ## Event logging - **Table 1. Event logging for Surface Dock Firmware Update** | Log | Location | Notes | From fb3fef4502c60c1b6308f36954aed5fee2003e27 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Thu, 3 Oct 2019 16:50:50 +0500 Subject: [PATCH 10/68] Update devices/surface/surface-dock-firmware-update.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- devices/surface/surface-dock-firmware-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface/surface-dock-firmware-update.md b/devices/surface/surface-dock-firmware-update.md index 57fa2fc9c9..63cef9355e 100644 --- a/devices/surface/surface-dock-firmware-update.md +++ b/devices/surface/surface-dock-firmware-update.md @@ -78,7 +78,7 @@ Successful completion of Surface Dock Firmware Update results in new registry ke | Log | Location | Notes | | -------------------------------- | -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Surface Dock Firmware Update log | /l*v %windir%\logs\Applications\ SurfaceDockFWI.log | Earlier versions of this tool wrote events to Applications and Services Logs\Microsoft Surface Dock Updater. | +| Surface Dock Firmware Update log | /l*v %windir%\logs\Applications\SurfaceDockFWI.log | Earlier versions of this tool wrote events to Applications and Services Logs\Microsoft Surface Dock Updater. | | Windows Device Install log | %windir%\inf\ setupapi.dev.log | For more information about using Device Install Log, refer [to SetupAPI Logging](https://docs.microsoft.com/windows-hardware/drivers/install/setupapi-logging--windows-vista-and-later-) documentation. | 
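Review bot: removing the space in the table path is right, but the NOTE under the manual-install section (added in [PATCH 08/68]) still reads `%windir%\logs\ SurfaceDockFWI.log"`, so the two locations on this page still disagree; update the NOTE to `%windir%\logs\Applications\SurfaceDockFWI.log` as well (or fix the table instead), and consider moving `/l*v` out of the Location column since it is a switch rather than a path.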
From be878785c4d6a445e4330750831b9d889516800e Mon Sep 17 00:00:00 2001 From: Narkis Engler <41025789+narkissit@users.noreply.github.com> Date: Fri, 4 Oct 2019 10:52:55 -0700 Subject: [PATCH 11/68] Update waas-delivery-optimization.md The link is taking users to the middle of the page (Download Mode) and then they miss the top part of the page with the rest of the reference... It should link to the top of the reference page. --- windows/deployment/update/waas-delivery-optimization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index 64deb7803d..49f48d3420 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -65,7 +65,7 @@ The following table lists the minimum Windows 10 version that supports Delivery By default in Windows 10 Enterprise and Education editions, Delivery Optimization allows peer-to-peer sharing on the organization's own network only (specifically, all of the devices must be behind the same NAT), but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune. -For more details, see "Download mode" in [Delivery optimization reference](waas-delivery-optimization-reference.md#download-mode). +For more details, see "Download mode" in [Delivery optimization reference](waas-delivery-optimization-reference.md). ## Set up Delivery Optimization From 0d36f3a82695fd518dead0a89f47eff48da949b0 Mon Sep 17 00:00:00 2001
From: LittleWhite-tb Date: Sun, 6 Oct 2019 15:20:04 +0200 Subject: [PATCH 12/68] Use a Boot folder for case-sensitive TFTP servers I just noticed that the bootloader looks after a BCD file as follows: '\Boot\BCD'. Thus, if you are using a case-sensitive TFTP server, you need to place the BCD file in a Boot folder instead of a 'boot' folder. If you do this, you need to change all the paths specified in the BCD file, still because of the case-sensitive server (otherwise, it won't find the sdi/wim files). --- ...nfigure-a-pxe-server-to-load-windows-pe.md | 30 ++++++++++--------- 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md index 784c5a13fd..f9405d730e 100644 --- a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md +++ b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md @@ -7,10 +7,12 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: deploy -audience: itpro author: greg-lindsay +audience: itpro +author: greg-lindsay ms.reviewer: manager: laurawi -audience: itpro author: greg-lindsay +audience: itpro +author: greg-lindsay ms.author: greglin ms.topic: article ---
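Review bot: splitting `audience: itpro author: greg-lindsay` onto two lines is the right fix, but the same two keys now appear twice in the front matter (once before `ms.reviewer:` and again after `manager: laurawi`); duplicate keys in YAML are at best silently ignored and at worst rejected by the build, so drop the second pair rather than reformatting it.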
@@ -72,27 +74,27 @@ All four of the roles specified above can be hosted on the same computer or each ``` net use y: \\PXE-1\TFTPRoot y: - md boot + md Boot ``` 6. Copy the PXE boot files from the mounted directory to the \boot folder. For example: ``` - copy c:\winpe_amd64\mount\windows\boot\pxe\*.* y:\boot + copy c:\winpe_amd64\mount\windows\boot\pxe\*.* y:\Boot ``` 7. Copy the boot.sdi file to the PXE/TFTP server. ``` - copy C:\winpe_amd64\media\boot\boot.sdi y:\boot + copy C:\winpe_amd64\media\boot\boot.sdi y:\Boot ``` 8. Copy the bootable Windows PE image (boot.wim) to the \boot folder. ``` - copy C:\winpe_amd64\media\sources\boot.wim y:\boot + copy C:\winpe_amd64\media\sources\boot.wim y:\Boot ``` 9. (Optional) Copy true type fonts to the \boot folder ``` - copy C:\winpe_amd64\media\Boot\Fonts y:\boot\Fonts + copy C:\winpe_amd64\media\Boot\Fonts y:\Boot\Fonts ``` ## Step 2: Configure boot settings and copy the BCD file @@ -107,7 +109,7 @@ All four of the roles specified above can be hosted on the same computer or each ``` bcdedit /store c:\BCD /create {ramdiskoptions} /d "Ramdisk options" bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdidevice boot - bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdipath \boot\boot.sdi + bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdipath \Boot\boot.sdi bcdedit /store c:\BCD /create /d "winpe boot image" /application osloader ``` The last command will return a GUID, for example: 
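Review bot: the commands now create and copy into `Boot`, but the step text in the same hunk still says "to the \boot folder" (steps 6, 8 and 9); update the prose to `\Boot` so a reader on a case-sensitive TFTP server does not follow the text instead of the command. In the @@ -107,7 hunk, `ramdisksdidevice boot` is a BCD device keyword rather than a path and correctly stays lowercase; one sentence saying so would prevent readers from over-correcting it.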
@@ -119,9 +121,9 @@ All four of the roles specified above can be hosted on the same computer or each 3. Create a new boot application entry for the Windows PE image: ``` - bcdedit /store c:\BCD /set {GUID1} device ramdisk=[boot]\boot\boot.wim,{ramdiskoptions} + bcdedit /store c:\BCD /set {GUID1} device ramdisk=[boot]\Boot\boot.wim,{ramdiskoptions} bcdedit /store c:\BCD /set {GUID1} path \windows\system32\winload.exe - bcdedit /store c:\BCD /set {GUID1} osdevice ramdisk=[boot]\boot\boot.wim,{ramdiskoptions} + bcdedit /store c:\BCD /set {GUID1} osdevice ramdisk=[boot]\Boot\boot.wim,{ramdiskoptions} bcdedit /store c:\BCD /set {GUID1} systemroot \windows bcdedit /store c:\BCD /set {GUID1} detecthal Yes bcdedit /store c:\BCD /set {GUID1} winpe Yes @@ -136,7 +138,7 @@ All four of the roles specified above can be hosted on the same computer or each 5. Copy the BCD file to your TFTP server: ``` - copy c:\BCD \\PXE-1\TFTPRoot\boot\BCD + copy c:\BCD \\PXE-1\TFTPRoot\Boot\BCD ``` Your PXE/TFTP server is now configured. You can view the BCD settings that have been configured using the command bcdedit /store <BCD file location> /enum all. See the following example. Note: Your GUID will be different than the one shown below. @@ -153,9 +155,9 @@ timeout 30 Windows Boot Loader ------------------- identifier {a4f89c62-2142-11e6-80b6-00155da04110} -device ramdisk=[boot]\boot\boot.wim,{ramdiskoptions} +device ramdisk=[boot]\Boot\boot.wim,{ramdiskoptions} description winpe boot image -osdevice ramdisk=[boot]\boot\boot.wim,{ramdiskoptions} +osdevice ramdisk=[boot]\Boot\boot.wim,{ramdiskoptions} systemroot \Windows detecthal Yes winpe Yes @@ -165,7 +167,7 @@ Setup Ramdisk Options identifier {ramdiskoptions} description ramdisk options ramdisksdidevice boot -ramdisksdipath \boot\boot.sdi +ramdisksdipath \Boot\boot.sdi ``` >[!TIP] From 9d6982e03d5fca5899e0ed5f2cb1ad4a4377d1da Mon Sep 17 00:00:00 2001 
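Review bot: only the paths served over TFTP (BCD, boot.sdi, boot.wim, Fonts) are affected by a case-sensitive server; `path \windows\system32\winload.exe` and `systemroot \windows` in the @@ -119,9 hunk are resolved inside the mounted WIM and can stay as they are, and `[boot]` in `ramdisk=[boot]\Boot\boot.wim` is a device identifier that correctly stays lowercase. Worth adding a sentence to that effect near the TIP at the end of the @@ -165,7 hunk, since the commit message gives the rationale but the page does not. The updated `bcdedit /enum all` sample output is consistent with the new entries.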
From: Daniel Simpson Date: Wed, 9 Oct 2019 13:08:07 -0700 Subject: [PATCH 13/68] Update appv-release-notes-for-appv-for-windows.md adding copyedits --- .../app-v/appv-release-notes-for-appv-for-windows.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md index df0106d502..ffea71ae34 100644 --- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md +++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md @@ -145,7 +145,7 @@ App-V doesn't support Visual Studio 2012. **Workaround**: Use a newer version of Microsoft Visual Studio. -Today, we do not support app virtualization with Visual Studio, whether using Microsoft’s App-V or third party solutions such as VMWare’s ThinApp. While it is possible that customers might find that Visual Studio works well enough for their purposes when running within one of these environments, at this time we are unable to address any bugs or issues found when running in a virtualized environment. +Currently, Visual Studio 2012 doesn't support app virtualization, whether using Microsoft App-V or third party solutions such as VMWare ThinApp. While it is possible you might find that Visual Studio works well enough for your purposes when running within one of these environments, we are unable to address any bugs or issues found when running in a virtualized environment at this time. ## Application filename restrictions for App-V Sequencer The App-V Sequencer cannot sequence applications with filenames matching "CO_<x>" where x is any numeral. Error 0x8007139F will be generated. From 15440d5f1cce50331f83279be5a1082d27a226d9 Mon Sep 17 00:00:00 2001 
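Review bot: the rewritten sentence in the appv-release-notes hunk narrows the statement from Visual Studio in general to Visual Studio 2012, yet the paragraph sits directly under the workaround "Use a newer version of Microsoft Visual Studio", so readers will conclude that newer versions are supported under App-V, which the removed line explicitly denied ("we do not support app virtualization with Visual Studio ... unable to address any bugs or issues found when running in a virtualized environment"). Either keep the original scope or state which versions are affected. The subject also flipped from "we do not support" (a support position) to "Visual Studio 2012 doesn't support" (a product capability), which is a different claim.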
From: ShrCaJesmo <54860945+ShrCaJesmo@users.noreply.github.com> Date: Thu, 10 Oct 2019 11:39:01 -0400 Subject: [PATCH 14/68] Updates the path of the evt logs for 1903+ devices Seems like the events for autopilot were moved to their own provider, ModernDeployment, in 1903. Adding the new path to prevent future confusion/arguments --- windows/deployment/windows-autopilot/troubleshooting.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/deployment/windows-autopilot/troubleshooting.md b/windows/deployment/windows-autopilot/troubleshooting.md index 2d857f5388..11203c40ac 100644 --- a/windows/deployment/windows-autopilot/troubleshooting.md +++ b/windows/deployment/windows-autopilot/troubleshooting.md @@ -9,7 +9,8 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: deploy -audience: itpro author: greg-lindsay +audience: itpro +author: greg-lindsay ms.author: greglin ms.collection: M365-modern-desktop ms.topic: article 
@@ -47,7 +48,7 @@ If the expected Autopilot behavior does not occur during the out-of-box experien ### Windows 10 version 1803 and above -To see details related to the Autopilot profile settings and OOBE flow, Windows 10 version 1803 and above adds event log entries. These can be viewed using Event Viewer, navigating to the log at **Application and Services Logs –> Microsoft –> Windows –> Provisioning-Diagnostics-Provider –> AutoPilot**. The following events may be recorded, depending on the scenario and profile configuration. +To see details related to the Autopilot profile settings and OOBE flow, Windows 10 version 1803 and above adds event log entries. These can be viewed using Event Viewer, navigating to the log at **Application and Services Logs –> Microsoft –> Windows –> Provisioning-Diagnostics-Provider –> AutoPilot** pre-1903, or **Application and Services Logs –> Microsoft –> Windows –> ModernDeployment-Diagnostics-Provider –> AutoPilot** for 1903 and up. The following events may be recorded, depending on the scenario and profile configuration. | Event ID | Type | Description | |----------|------|-------------| From 5bcfb09b45a9c7c9e524361d0ccf86e8a3a89114 Mon Sep 17 00:00:00 2001 From: Baard Hermansen Date: Sat, 12 Oct 2019 15:58:27 +0200 Subject: [PATCH 15/68] Update prepare-your-organization-for-bitlocker-planning-and-policies.md Updated Notes markdown. Removed all inline HTML anchors and updated TOC anchors accordingly. --- ...ion-for-bitlocker-planning-and-policies.md | 88 ++++++++++--------- 1 file changed, 45 insertions(+), 43 deletions(-) diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index 1105a1bf99..e1319973a2 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md 
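Review bot: in the troubleshooting.md hunk under "Windows 10 version 1803 and above", "pre-1903" leaves the reader to work out that it means 1803 and 1809 only; say so explicitly (for example "for versions 1803 and 1809" and "for version 1903 and later"). The single sentence now carries two long bolded Event Viewer paths, so a two-item list would read more clearly than the inline "or".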
+++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md 
@@ -20,41 +20,42 @@ ms.date: 04/24/2019 # Prepare your organization for BitLocker: Planning and policies **Applies to** -- Windows 10 + +- Windows 10 This topic for the IT professional explains how can you plan your BitLocker deployment. When you design your BitLocker deployment strategy, define the appropriate policies and configuration requirements based on the business requirements of your organization. The following topics will help you collect information that you can use to frame your decision-making process about deploying and managing BitLocker systems. -- [Audit your environment](#bkmk-audit) -- [Encryption keys and authentication](#bkk-encrypt) -- [TPM hardware configurations](#bkmk-tpmconfigurations) -- [Non-TPM hardware configurations](#bkmk-nontpm) -- [Disk configuration considerations](#bkmk-disk) -- [BitLocker provisioning](#bkmk-prov) -- [Used Disk Space Only encryption](#bkk-used) -- [Active Directory Domain Services considerations](#bkmk-addscons) -- [FIPS support for recovery password protector](#bkmk-fipssupport) -- [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) +- [Audit your environment](#audit-your-environment) +- [Encryption keys and authentication](#encryption-keys-and-authentication) +- [TPM hardware configurations](#tpm-hardware-configurations) +- [Non-TPM hardware configurations](#non-tpm-hardware-configurations) +- [Disk configuration considerations](#disk-configuration-considerations) +- [BitLocker provisioning](#bitlocker-provisioning) +- [Used Disk Space Only encryption](#used-disk-space-only-encryption) +- [Active Directory Domain Services considerations](#active-directory-domain-services-considerations) +- [FIPS support for recovery password protector](#fips-support-for-recovery-password-protector) +- [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) -## Audit your environment +## Audit your environment To plan your enterprise deployment of BitLocker, you must first understand your current 
environment. Conduct an informal audit to define your current policies, procedures, and hardware environment. Begin by reviewing your existing corporate security policies as they relate to disk encryption software. If your organization is not currently using disk encryption software, none of these policies will exist. If you are using disk encryption software, then you might need to modify your organization's policies to address the capabilities of BitLocker. Use the following questions to help you document your organization's current disk encryption security policies: -1. Are there policies to address which computers will use BitLocker and which computers will not use BitLocker? -2. What policies exist to control recovery password and recovery key storage? -3. What are the policies for validating the identity of users that need to perform BitLocker recovery? -4. What policies exist to control who in the organization has access to recovery data? -5. What policies exist to control computer decommissioning or retirement? +1. Are there policies to address which computers will use BitLocker and which computers will not use BitLocker? +2. What policies exist to control recovery password and recovery key storage? +3. What are the policies for validating the identity of users that need to perform BitLocker recovery? +4. What policies exist to control who in the organization has access to recovery data? +5. What policies exist to control computer decommissioning or retirement? -## Encryption keys and authentication +## Encryption keys and authentication BitLocker helps prevent unauthorized access to data on lost or stolen computers by: -- Encrypting the entire Windows operating system volume on the hard disk. -- Verifying the boot process integrity. +- Encrypting the entire Windows operating system volume on the hard disk. +- Verifying the boot process integrity. 
The trusted platform module (TPM) is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline. @@ -72,7 +73,7 @@ On computers that do not have a TPM version 1.2 or higher, you can still use Bi | Startup key | An encryption key that can be stored on most removable media. This key protector can be used alone on non-TPM computers, or in conjunction with a TPM for added security.| | Recovery password | A 48-digit number used to unlock a volume when it is in recovery mode. Numbers can often be typed on a regular keyboard, if the numbers on the normal keyboard are not responding you can always use the function keys (F1-F10) to input the numbers.| | Recovery key| An encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume.| - + ### BitLocker authentication methods | Authentication method | Requires user interaction | Description | 
@@ -82,7 +83,7 @@ On computers that do not have a TPM version 1.2 or higher, you can still use Bi | TPM + Network key | No | The TPM successfully validates early boot components, and a valid encrypted network key has been provided from the WDS server. This authentication method provides automatic unlock of operating system volumes at system reboot while still maintaining multifactor authentication. | | TPM + startup key| Yes| The TPM successfully validates early boot components, and a USB flash drive containing the startup key has been inserted.| | Startup key only | Yes| The user is prompted to insert the USB flash drive that holds the recovery key and/or startup key and reboot the computer.| - + **Will you support computers without TPM version 1.2 or higher?** Determine whether you will support computers that do not have a TPM version 1.2 or higher in your environment. If you choose to support BitLocker on this type of computer, a user must use a USB startup key to boot the system. This requires additional support processes similar to multifactor authentication. @@ -101,7 +102,7 @@ If there are areas of your organization where data residing on user computers is The protection differences provided by multifactor authentication methods cannot be easily quantified. Consider each authentication method's impact on Helpdesk support, user education, user productivity, and automated systems management processes. -## TPM hardware configurations +## TPM hardware configurations In your deployment plan, identify what TPM-based hardware platforms will be supported. Document the hardware models from an OEM of your choice, so that their configurations can be tested and supported. TPM hardware requires special consideration during all aspects of planning and deployment. 
@@ -117,24 +118,24 @@ An endorsement key can be created at various points in the TPM’s lifecycle, bu For more information about the TPM and the TCG, see the Trusted Computing Group: Trusted Platform Module (TPM) Specifications (). -## Non-TPM hardware configurations +## Non-TPM hardware configurations Devices that do not include a TPM can still be protected by drive encryption. Windows To Go workspaces can be BitLocker protected using a startup password and PCs without a TPM can use a startup key. Use the following questions to identify issues that might affect your deployment in a non-TPM configuration: -- Are password complexity rules in place? -- Do you have budget for USB flash drives for each of these computers? -- Do your existing non-TPM devices support USB devices at boot time? +- Are password complexity rules in place? +- Do you have budget for USB flash drives for each of these computers? +- Do your existing non-TPM devices support USB devices at boot time? Test your individual hardware platforms with the BitLocker system check option while you are enabling BitLocker. The system check will ensure that BitLocker can read the recovery information from a USB device and encryption keys correctly before it encrypts the volume. CD and DVD drives cannot act as a block storage device and cannot be used to store the BitLocker recovery material. -## Disk configuration considerations +## Disk configuration considerations To function correctly, BitLocker requires a specific disk configuration. BitLocker requires two partitions that meet the following requirements: -- The operating system partition contains the operating system and its support files; it must be formatted with the NTFS file system -- The system partition (or boot partition) contains the files that are needed to load Windows after the BIOS or UEFI firware has prepared the system hardware. BitLocker is not enabled on this partition. 
For BitLocker to work, the system partition must not be encrypted and must be on a different partition than the operating system. On UEFI platforms the system partition must be formatted with the FAT 32 file system. On BIOS platforms the system partition must be formatted with the NTFS file system. It should be at least 350 MB in size +- The operating system partition contains the operating system and its support files; it must be formatted with the NTFS file system +- The system partition (or boot partition) contains the files that are needed to load Windows after the BIOS or UEFI firware has prepared the system hardware. BitLocker is not enabled on this partition. For BitLocker to work, the system partition must not be encrypted and must be on a different partition than the operating system. On UEFI platforms the system partition must be formatted with the FAT 32 file system. On BIOS platforms the system partition must be formatted with the NTFS file system. It should be at least 350 MB in size Windows setup will automatically configure the disk drives of your computer to support BitLocker encryption. @@ -142,7 +143,7 @@ Windows Recovery Environment (Windows RE) is an extensible recovery platform tha Windows RE can also be used from boot media other than the local hard disk. If you choose not to install Windows RE on the local hard disk of BitLocker-enabled computers, you can use alternate boot methods, such as Windows Deployment Services, CD-ROM, or USB flash drive, for recovery. -## BitLocker provisioning +## BitLocker provisioning In Windows Vista and Windows 7, BitLocker was provisioned post installation for system and data volumes through either the manage-bde command line interface or the Control Panel user interface. With newer operating systems, BitLocker can be easily provisioned before the operating system is installed. Preprovisioning requires that the computer have a TPM. 
@@ -152,7 +153,7 @@ When using the control panel options, administrators can choose to **Turn on Bit Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation Environment (WinPE). This is done with a randomly generated clear key protector applied to the formatted volume and encrypting the volume prior to running the Windows setup process. If the encryption uses the Used Disk Space Only option this step takes only a few seconds and so incorporates well into regular deployment processes. -## Used Disk Space Only encryption +## Used Disk Space Only encryption The BitLocker Setup wizard provides administrators the ability to choose the Used Disk Space Only or Full encryption method when enabling BitLocker for a volume. Administrators can use the new BitLocker Group Policy setting to enforce either Used Disk Space Only or Full disk encryption. @@ -162,7 +163,7 @@ Used Disk Space Only means that only the portion of the drive that contains data Full drive encryption means that the entire drive will be encrypted, regardless of whether data is stored on it or not. This is useful for drives that have been repurposed and may contain data remnants from their previous use. -## Active Directory Domain Services considerations +## Active Directory Domain Services considerations BitLocker integrates with Active Directory Domain Services (AD DS) to provide centralized key management. By default, no recovery information is backed up to Active Directory. Administrators can configure the following Group Policy setting for each drive type to enable backup of BitLocker recovery information: 
@@ -172,29 +173,30 @@ By default, only Domain Admins have access to BitLocker recovery information, bu The following recovery data is saved for each computer object: -- **Recovery password** +- **Recovery password** A 48-digit recovery password used to recover a BitLocker-protected volume. Users enter this password to unlock a volume when BitLocker enters recovery mode. -- **Key package data** +- **Key package data** With this key package and the recovery password, you will be able decrypt portions of a BitLocker-protected volume if the disk is severely damaged. Each key package will only work with the volume it was created on, which can be identified by the corresponding volume ID. -## FIPS support for recovery password protector +## FIPS support for recovery password protector Functionality introduced in Windows Server 2012 R2 and Windows 8.1, allows BitLocker to be fully functional in FIPS mode. ->**Note:**  The United States Federal Information Processing Standard (FIPS) defines security and interoperability requirements for computer systems that are used by the U.S. federal government. The FIPS 140 standard defines approved cryptographic algorithms. The FIPS 140 standard also sets forth requirements for key generation and for key management. The National Institute of Standards and Technology (NIST) uses the Cryptographic Module Validation Program (CMVP) to determine whether a particular implementation of a cryptographic algorithm is compliant with the FIPS 140 standard. An implementation of a cryptographic algorithm is considered FIPS 140-compliant only if it has been submitted for and has passed NIST validation. An algorithm that has not been submitted cannot be considered FIPS-compliant even if the implementation produces identical data as a validated implementation of the same algorithm.  
- +> [!NOTE] +> The United States Federal Information Processing Standard (FIPS) defines security and interoperability requirements for computer systems that are used by the U.S. federal government. The FIPS 140 standard defines approved cryptographic algorithms. The FIPS 140 standard also sets forth requirements for key generation and for key management. The National Institute of Standards and Technology (NIST) uses the Cryptographic Module Validation Program (CMVP) to determine whether a particular implementation of a cryptographic algorithm is compliant with the FIPS 140 standard. An implementation of a cryptographic algorithm is considered FIPS 140-compliant only if it has been submitted for and has passed NIST validation. An algorithm that has not been submitted cannot be considered FIPS-compliant even if the implementation produces identical data as a validated implementation of the same algorithm. + Prior to these supported versions of Windows, when Windows was in FIPS mode, BitLocker prevented the creation or use of recovery passwords and instead forced the user to use recovery keys. For more information about these issues, see the support article [kb947249](https://support.microsoft.com/kb/947249). But on computers running these supported systems with BitLocker enabled: -- FIPS-compliant recovery password protectors can be created when Windows is in FIPS mode. These protectors use the FIPS 140 NIST SP800-132 algorithm. -- Recovery passwords created in FIPS mode on Windows 8.1 can be distinguished from recovery passwords created on other systems. -- Recovery unlock using the FIPS-compliant algorithm based recovery password protector work in all cases that currently work for recovery passwords. -- When FIPS-compliant recovery passwords unlock volumes, the volume is unlocked to allow read/write access even while in FIPS mode. -- FIPS-compliant recovery password protectors can be exported and stored in AD a while in FIPS mode. 
+- FIPS-compliant recovery password protectors can be created when Windows is in FIPS mode. These protectors use the FIPS 140 NIST SP800-132 algorithm. +- Recovery passwords created in FIPS mode on Windows 8.1 can be distinguished from recovery passwords created on other systems. +- Recovery unlock using the FIPS-compliant algorithm based recovery password protector work in all cases that currently work for recovery passwords. +- When FIPS-compliant recovery passwords unlock volumes, the volume is unlocked to allow read/write access even while in FIPS mode. +- FIPS-compliant recovery password protectors can be exported and stored in AD a while in FIPS mode. The BitLocker Group Policy settings for recovery passwords work the same for all Windows versions that support BitLocker, whether in FIPs mode or not. From 87e82231588c792aa0839f754cf5b4b09b82902a Mon Sep 17 00:00:00 2001 From: Baard Hermansen Date: Sat, 12 Oct 2019 17:33:38 +0200 Subject: [PATCH 16/68] Update set-up-mdt-for-bitlocker.md Added spacing for Notes markdown. Changed code block syntax to dos. Removed bullet point regarding 'Turn on TPM Backup to A...', as it is deprecated. --- .../set-up-mdt-for-bitlocker.md | 130 ++++++++++-------- 1 file changed, 72 insertions(+), 58 deletions(-) diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md index 70a3a46434..73ba50eafc 100644 --- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md +++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md 
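Review bot: the re-indented bullet in the "Disk configuration considerations" hunk of prepare-your-organization-for-bitlocker-planning-and-policies.md carries over "firware" for "firmware" and ends "It should be at least 350 MB in size" without a period; since the line is rewritten in this patch anyway, fix both. The first bullet likewise lacks a period after "NTFS file system".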
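Review bot: in the FIPS hunk of the same file, the rewritten bullet "FIPS-compliant recovery password protectors can be exported and stored in AD a while in FIPS mode" has a stray "a" (probably "stored in AD DS while in FIPS mode"), and "Recovery unlock using the FIPS-compliant algorithm based recovery password protector work in all cases" needs "works" and a hyphen in "algorithm-based". The unchanged trailing line "whether in FIPs mode or not" should read "FIPS mode" as well.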
@@ -19,29 +19,34 @@ ms.topic: article # Set up MDT for BitLocker This topic will show you how to configure your environment for BitLocker, the disk volume encryption built into Windows 10 Enterprise and Windows 10 Pro, using MDT. BitLocker in Windows 10 has two requirements in regard to an operating system deployment: -- A protector, which can either be stored in the Trusted Platform Module (TPM) chip, or stored as a password. Technically, you also can use a USB stick to store the protector, but it's not a practical approach as the USB stick can be lost or stolen. We, therefore, recommend that you instead use a TPM chip and/or a password. -- Multiple partitions on the hard drive. + +- A protector, which can either be stored in the Trusted Platform Module (TPM) chip, or stored as a password. Technically, you can also use a USB stick to store the protector, but it's not a practical approach as the USB stick can be lost or stolen. We, therefore, recommend that you instead use a TPM chip and/or a password. +- Multiple partitions on the hard drive. To configure your environment for BitLocker, you will need to do the following: -1. Configure Active Directory for BitLocker. -2. Download the various BitLocker scripts and tools. -3. Configure the operating system deployment task sequence for BitLocker. -4. Configure the rules (CustomSettings.ini) for BitLocker. +1. Configure Active Directory for BitLocker. +2. Download the various BitLocker scripts and tools. +3. Configure the operating system deployment task sequence for BitLocker. +4. Configure the rules (CustomSettings.ini) for BitLocker. + +> [!NOTE] +> Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery password in Active Directory. For additional information about this feature, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://docs.microsoft.com/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds). 
+If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker. + +> [!NOTE] +> Backing up TMP to Active Directory was supported only on Windows 10 version 1507 and 1511. ->[!NOTE] ->Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For additional information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://go.microsoft.com/fwlink/p/?LinkId=619548). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker. - For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). -## Configure Active Directory for BitLocker +## Configure Active Directory for BitLocker To enable BitLocker to store the recovery key and TPM information in Active Directory, you need to create a Group Policy for it in Active Directory. For this section, we are running Windows Server 2012 R2, so you do not need to extend the Schema. You do, however, need to set the appropriate permissions in Active Directory. ->[!NOTE] ->Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory. - -In Windows Server 2012 R2 (as well as in Windows Server 2008 R2 and Windows Server 2012), you have access to the BitLocker Drive Encryption Administration Utilities features, which will help you manage BitLocker. 
When you install the features, the BitLocker Active Directory Recovery Password Viewer is included, and it extends Active Directory Users and Computers with BitLocker Recovery information. +> [!NOTE] +> Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory. + +In Windows Server version from 2008 R2 and onwards, you have access to the BitLocker Drive Encryption Administration Utilities features, which will help you manage BitLocker. When you install the features, the BitLocker Active Directory Recovery Password Viewer is included, and it extends Active Directory Users and Computers with BitLocker Recovery information. ![figure 2](../images/mdt-09-fig02.png) 
@@ -51,16 +56,16 @@ Figure 2. The BitLocker Recovery information on a computer object in the contoso The BitLocker Drive Encryption Administration Utilities are added as features via Server Manager (or Windows PowerShell): -1. On DC01, log on as **CONTOSO\\Administrator**, and, using Server Manager, click **Add roles and features**. -2. On the **Before you begin** page, click **Next**. -3. On the **Select installation type** page, select **Role-based or feature-based installation**, and click **Next**. -4. On the **Select destination server** page, select **DC01.contoso.com** and click **Next**. -5. On the **Select server roles** page, click **Next**. -6. On the **Select features** page, expand **Remote Server Administration Tools**, expand **Feature Administration Tools**, select the following features, and then click **Next**: - 1. BitLocker Drive Encryption Administration Utilities - 2. BitLocker Drive Encryption Tools - 3. BitLocker Recovery Password Viewer -7. On the **Confirm installation selections** page, click **Install** and then click **Close**. +1. On DC01, log on as **CONTOSO\\Administrator**, and, using Server Manager, click **Add roles and features**. +2. On the **Before you begin** page, click **Next**. +3. On the **Select installation type** page, select **Role-based or feature-based installation**, and click **Next**. +4. On the **Select destination server** page, select **DC01.contoso.com** and click **Next**. +5. On the **Select server roles** page, click **Next**. +6. On the **Select features** page, expand **Remote Server Administration Tools**, expand **Feature Administration Tools**, select the following features, and then click **Next**: + 1. BitLocker Drive Encryption Administration Utilities + 2. BitLocker Drive Encryption Tools + 3. BitLocker Recovery Password Viewer +7. On the **Confirm installation selections** page, click **Install** and then click **Close**. ![figure 3](../images/mdt-09-fig03.png) 
@@ -69,29 +74,30 @@ Figure 3. Selecting the BitLocker Drive Encryption Administration Utilities. ### Create the BitLocker Group Policy Following these steps, you enable the backup of BitLocker and TPM recovery information to Active Directory. You also enable the policy for the TPM validation profile. -1. On DC01, using Group Policy Management, right-click the **Contoso** organizational unit (OU), and select **Create a GPO in this domain, and Link it here**. -2. Assign the name **BitLocker Policy** to the new Group Policy. -3. Expand the **Contoso** OU, right-click the **BitLocker Policy**, and select **Edit**. Configure the following policy settings: - Computer Configuration / Policies / Administrative Templates / Windows Components / BitLocker Drive Encryption / Operating System Drives - 1. Enable the **Choose how BitLocker-protected operating system drives can be recovered** policy, and configure the following settings: - 1. Allow data recovery agent (default) - 2. Save BitLocker recovery information to Active Directory Domain Services (default) - 3. Do not enable BitLocker until recovery information is stored in AD DS for operating system drives - 2. Enable the **Configure TPM platform validation profile for BIOS-based firmware configurations** policy. - 3. Enable the **Configure TPM platform validation profile for native UEFI firmware configurations** policy. - Computer Configuration / Policies / Administrative Templates / System / Trusted Platform Module Services - 4. Enable the **Turn on TPM backup to Active Directory Domain Services** policy. ->[!NOTE] ->If you consistently get the error "Windows BitLocker Drive Encryption Information. The system boot information has changed since BitLocker was enabled. You must supply a BitLocker recovery password to start this system." after encrypting a computer with BitLocker, you might have to change the various "Configure TPM platform validation profile" Group Policies, as well. 
Whether or not you need to do this will depend on the hardware you are using. - +1. On DC01, using Group Policy Management, right-click the **Contoso** organizational unit (OU), and select **Create a GPO in this domain, and Link it here**. +2. Assign the name **BitLocker Policy** to the new Group Policy. +3. Expand the **Contoso** OU, right-click the **BitLocker Policy**, and select **Edit**. Configure the following policy settings: + Computer Configuration / Policies / Administrative Templates / Windows Components / BitLocker Drive Encryption / Operating System Drives + 1. Enable the **Choose how BitLocker-protected operating system drives can be recovered** policy, and configure the following settings: + 1. Allow data recovery agent (default) + 2. Save BitLocker recovery information to Active Directory Domain Services (default) + 3. Do not enable BitLocker until recovery information is stored in AD DS for operating system drives + 2. Enable the **Configure TPM platform validation profile for BIOS-based firmware configurations** policy. + 3. Enable the **Configure TPM platform validation profile for native UEFI firmware configurations** policy. + Computer Configuration / Policies / Administrative Templates / System / Trusted Platform Module Services + +> [!NOTE] +> If you consistently get the error "Windows BitLocker Drive Encryption Information. The system boot information has changed since BitLocker was enabled. You must supply a BitLocker recovery password to start this system." after encrypting a computer with BitLocker, you might have to change the various "Configure TPM platform validation profile" Group Policies, as well. Whether or not you need to do this will depend on the hardware you are using. + ### Set permissions in Active Directory for BitLocker In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. 
In these steps, we assume you have downloaded the [Add-TPMSelfWriteACE.vbs script](https://go.microsoft.com/fwlink/p/?LinkId=167133) from Microsoft to C:\\Setup\\Scripts on DC01. -1. On DC01, start an elevated PowerShell prompt (run as Administrator). -2. Configure the permissions by running the following command: - ``` syntax +1. On DC01, start an elevated PowerShell prompt (run as Administrator). +2. Configure the permissions by running the following command: + + ```dos cscript C:\Setup\Scripts\Add-TPMSelfWriteACE.vbs ``` 
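Review bot: the rewritten step 3 in this hunk drops the item `4. Enable the **Turn on TPM backup to Active Directory Domain Services** policy.` that the `-` lines had under the `Computer Configuration / Policies / Administrative Templates / System / Trusted Platform Module Services` path, so that path line now closes the list with no setting beneath it, while the unchanged intro sentence still promises that these steps enable backup of TPM recovery information to Active Directory. Either restore the step as `4.` under that path or, if the setting was removed on purpose, drop the orphaned path line and adjust the intro to match.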
@@ -99,26 +105,29 @@ In addition to the Group Policy created previously, you need to configure permis Figure 4. Running the Add-TPMSelfWriteACE.vbs script on DC01. -## Add BIOS configuration tools from Dell, HP, and Lenovo +## Add BIOS configuration tools from Dell, HP, and Lenovo If you want to automate enabling the TPM chip as part of the deployment process, you need to download the vendor tools and add them to your task sequences, either directly or in a script wrapper. ### Add tools from Dell -The Dell tools are available via the Dell Client Configuration Toolkit (CCTK). The executable file from Dell is named cctk.exe. Here is a sample command to enable TPM and set a BIOS password using the cctk.exe tool: -``` syntax +The Dell tools are available via the Dell Client Configuration Toolkit (CCTK). The executable file from Dell is named *cctk.exe*. Here is a sample command to enable TPM and set a BIOS password using the cctk.exe tool: + +```dos cctk.exe --tpm=on --valsetuppwd=Password1234 ``` + ### Add tools from HP The HP tools are part of HP System Software Manager. The executable file from HP is named BiosConfigUtility.exe. This utility uses a configuration file for the BIOS settings. Here is a sample command to enable TPM and set a BIOS password using the BiosConfigUtility.exe tool: -``` syntax +```dos BIOSConfigUtility.EXE /SetConfig:TPMEnable.REPSET /NewAdminPassword:Password1234 ``` + And the sample content of the TPMEnable.REPSET file: -``` syntax +```txt English Activate Embedded Security On Next Boot *Enable 
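Review bot: the `+` line in the Dell section italicizes `*cctk.exe*`, but the HP executable in the same hunk (`BiosConfigUtility.exe`) stays plain, and the HP sample command spells the tool `BIOSConfigUtility.EXE` while the prose says `BiosConfigUtility.exe`. Pick one treatment for file names across the vendor sections and match the executable's casing in prose and command so a reader searching the page finds both.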
@@ -129,25 +138,30 @@ Allow user to reject Embedded Security Device Availability *Available ``` + ### Add tools from Lenovo The Lenovo tools are a set of VBScripts available as part of the Lenovo BIOS Setup using Windows Management Instrumentation Deployment Guide. Lenovo also provides a separate download of the scripts. Here is a sample command to enable TPM using the Lenovo tools: -``` syntax + +```dos cscript.exe SetConfig.vbs SecurityChip Active ``` -## Configure the Windows 10 task sequence to enable BitLocker -When configuring a task sequence to run any BitLocker tool, either directly or using a custom script, it is helpful if you also add some logic to detect whether the BIOS is already configured on the machine. In the following task sequence, we are using a sample script (ZTICheckforTPM.wsf) from the Deployment Guys web page to check the status on the TPM chip. You can download this script from the Deployment Guys Blog post, [Check to see if the TPM is enabled](https://go.microsoft.com/fwlink/p/?LinkId=619549). +## Configure the Windows 10 task sequence to enable BitLocker + +When configuring a task sequence to run any BitLocker tool, either directly or using a custom script, it is helpful if you also add some logic to detect whether the BIOS is already configured on the machine. In the following task sequence, we are using a sample script (ZTICheckforTPM.wsf) from the Deployment Guys web page to check the status on the TPM chip. You can download this script from the Deployment Guys Blog post, [Check to see if the TPM is enabled](https://go.microsoft.com/fwlink/p/?LinkId=619549). In the following task sequence, we added five actions: -- **Check TPM Status.** Runs the ZTICheckforTPM.wsf script to determine if TPM is enabled. Depending on the status, the script will set the TPMEnabled and TPMActivated properties to either true or false. -- **Configure BIOS for TPM.** Runs the vendor tools (in this case, HP, Dell, and Lenovo). 
To ensure this action is run only when necessary, add a condition so the action is run only when the TPM chip is not already activated. Use the properties from the ZTICheckforTPM.wsf. - **Note**   - It is common for organizations to wrap these tools in scripts to get additional logging and error handling. - -- **Restart computer.** Self-explanatory, reboots the computer. -- **Check TPM Status.** Runs the ZTICheckforTPM.wsf script one more time. -- **Enable BitLocker.** Runs the built-in action to activate BitLocker. + +- **Check TPM Status.** Runs the ZTICheckforTPM.wsf script to determine if TPM is enabled. Depending on the status, the script will set the TPMEnabled and TPMActivated properties to either true or false. +- **Configure BIOS for TPM.** Runs the vendor tools (in this case, HP, Dell, and Lenovo). To ensure this action is run only when necessary, add a condition so the action is run only when the TPM chip is not already activated. Use the properties from the ZTICheckforTPM.wsf. + + > [!NOTE] + > It is common for organizations to wrap these tools in scripts to get additional logging and error handling. + +- **Restart computer.** Self-explanatory, reboots the computer. +- **Check TPM Status.** Runs the ZTICheckforTPM.wsf script one more time. +- **Enable BitLocker.** Runs the built-in action to activate BitLocker. ## Related topics From 6bdc5a07ae4b18d7a1ccb13c87c155fe12c6ee2d Mon Sep 17 00:00:00 2001 From: Onur Date: Sun, 13 Oct 2019 21:58:33 +0300 Subject: [PATCH 17/68] Update metadata with correct author via https://github.com/MicrosoftDocs/windows-itpro-docs/issues/5154#issuecomment-541215386 --- windows/deployment/update/windows-update-troubleshooting.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/windows-update-troubleshooting.md b/windows/deployment/update/windows-update-troubleshooting.md index ac0087fb59..9d93ebbe55 100644 --- a/windows/deployment/update/windows-update-troubleshooting.md 
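Review bot: in the reflowed **Configure BIOS for TPM** bullet the sentence `Use the properties from the ZTICheckforTPM.wsf.` is missing its noun; since the bullet is being rewritten anyway, make it `Use the TPMEnabled and TPMActivated properties set by the ZTICheckforTPM.wsf script.` so the condition the reader is asked to add names the properties the first bullet defines.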
+++ b/windows/deployment/update/windows-update-troubleshooting.md @@ -4,9 +4,11 @@ description: Learn how to troubleshoot Windows Update ms.prod: w10 ms.mktglfcycl: ms.sitesec: library -audience: itpro author: greg-lindsay +audience: itpro +author: jaimeo ms.localizationpriority: medium -ms.audience: itpro author: greg-lindsay +ms.audience: itpro +author: jaimeo ms.date: 09/18/2018 ms.reviewer: manager: laurawi From 8865d851f01b841baca2cd12465044a5b783dc18 Mon Sep 17 00:00:00 2001 From: Hiroshi Yoshioka <40815708+hyoshioka0128@users.noreply.github.com> Date: Mon, 14 Oct 2019 14:53:31 +0900 Subject: [PATCH 18/68] =?UTF-8?q?Typo=20"**user@example.com**"=E2=86=92"**?= =?UTF-8?q?user\@example.com**"?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit bold with escape characters https://docs.microsoft.com/ja-jp/surface-hub/surface-hub-2s-setup --- devices/surface-hub/surface-hub-2s-setup.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface-hub/surface-hub-2s-setup.md b/devices/surface-hub/surface-hub-2s-setup.md index 76e5ac1055..4514749ad4 100644 --- a/devices/surface-hub/surface-hub-2s-setup.md +++ b/devices/surface-hub/surface-hub-2s-setup.md @@ -27,7 +27,7 @@ When you first start Surface Hub 2S, the device automatically enters first time - This option is not shown if connected using an Ethernet cable. - You cannot connect to a wireless network in hotspots (captive portals) that redirect sign-in requests to a provider’s website. -3. **Enter device account info.** Use **domain\user** for on-premises and hybrid environments and **user@example.com** for online environments. Select **Next.** +3. **Enter device account info.** Use **domain\user** for on-premises and hybrid environments and **user\@example.com** for online environments. Select **Next.** ![* Enter device account info *](images/sh2-run2.png)
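Review bot: after this hunk the front matter carries `author: jaimeo` twice (once after `audience: itpro`, once after `ms.audience: itpro`); front-matter keys should be unique, so keep a single `author:` line. Splitting the previously run-together `audience: itpro author: greg-lindsay` lines is the right fix.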
1. **Enter additional info.** If requested, provide your Exchange server address and then select **Next.** From 2582b5b44622ec4ca62c57b39472533680ea0ec3 Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Mon, 14 Oct 2019 15:50:42 +0300 Subject: [PATCH 19/68] fixed broken URL https://github.com/MicrosoftDocs/windows-itpro-docs/issues/5138 --- windows/deployment/vda-subscription-activation.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md index 7ba4d88b2d..a1992d96b8 100644 --- a/windows/deployment/vda-subscription-activation.md +++ b/windows/deployment/vda-subscription-activation.md @@ -2,7 +2,8 @@ title: Configure VDA for Windows 10 Subscription Activation ms.reviewer: manager: laurawi -ms.audience: itpro author: greg-lindsay +ms.audience: itpro +author: greg-lindsay description: How to enable Windows 10 Enterprise E3 and E5 subscriptions for VDA keywords: upgrade, update, task sequence, deploy ms.prod: w10 @@ -10,7 +11,8 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: mdt -audience: itpro author: greg-lindsay +audience: itpro +author: greg-lindsay ms.topic: article ms.collection: M365-modern-desktop --- @@ -29,7 +31,7 @@ Deployment instructions are provided for the following scenarios: - VMs must be running Windows 10 Pro, version 1703 (also known as the Creator's Update) or later. - VMs must be Active Directory-joined or Azure Active Directory (AAD)-joined. - VMs must be generation 1. -- VMs must hosted by a [Qualified Multitenant Hoster](https://www.microsoft.com/CloudandHosting/licensing_sca.aspx) (QMTH). +- VMs must hosted by a [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) (QMTH). ## Activation From 46d7f58ce08ed5ad2a828d54aed717f30250be03 Mon Sep 17 00:00:00 2001 
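Review bot: the `+` line changes `**user@example.com**` to `**user\@example.com**`; a backslash escape on `@` is valid CommonMark and renders as a plain `@`, but confirm in the rendered preview that the bold span still closes and that the backslash is not shown literally, and apply the same escape to any other bolded address in this doc for consistency. The unchanged context below the image restarts the list at `1.` after step `3.`, which could be corrected in the same pass.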
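Review bot: the second front-matter hunk (`@@ -10,7 +11,8 @@`) together with the first leaves `author: greg-lindsay` in the front matter twice; keep one `author:` line and drop the duplicate key.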
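Review bot: the `+` line in the `@@ -29,7 +31,7 @@` hunk keeps the pre-existing grammar error `VMs must hosted by`; since the line is being edited, change it to `VMs must be hosted by`. Hard-coding `en-us` in the link works around the broken locale-less URL the commit message cites, but it pins readers of localized pages to the English version, so a locale-neutral URL is preferable if one becomes available.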
From: ShrCaJesmo <54860945+ShrCaJesmo@users.noreply.github.com> Date: Mon, 14 Oct 2019 10:01:24 -0400 Subject: [PATCH 20/68] Update windows/deployment/windows-autopilot/troubleshooting.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- windows/deployment/windows-autopilot/troubleshooting.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopilot/troubleshooting.md b/windows/deployment/windows-autopilot/troubleshooting.md index 11203c40ac..f2e35ade30 100644 --- a/windows/deployment/windows-autopilot/troubleshooting.md +++ b/windows/deployment/windows-autopilot/troubleshooting.md @@ -48,7 +48,7 @@ If the expected Autopilot behavior does not occur during the out-of-box experien ### Windows 10 version 1803 and above -To see details related to the Autopilot profile settings and OOBE flow, Windows 10 version 1803 and above adds event log entries. These can be viewed using Event Viewer, navigating to the log at **Application and Services Logs –> Microsoft –> Windows –> Provisioning-Diagnostics-Provider –> AutoPilot** pre-1903, or **Application and Services Logs –> Microsoft –> Windows –> ModernDeployment-Diagnostics-Provider –> AutoPilot** for 1903 and up. The following events may be recorded, depending on the scenario and profile configuration. +To see details related to the Autopilot profile settings and OOBE flow, Windows 10 version 1803 and above adds event log entries. These can be viewed using Event Viewer, navigating to the log at **Application and Services Logs –> Microsoft –> Windows –> Provisioning-Diagnostics-Provider –> AutoPilot** for versions before 1903, or **Application and Services Logs –> Microsoft –> Windows –> ModernDeployment-Diagnostics-Provider –> AutoPilot** for 1903 and above. The following events may be recorded, depending on the scenario and profile configuration. | Event ID | Type | Description | |----------|------|-------------| 
From 9868699bb2e65158af7aa46d2b91e12ec47b1fc5 Mon Sep 17 00:00:00 2001 From: hubalazs <10714856+hubalazs@users.noreply.github.com> Date: Tue, 15 Oct 2019 13:34:34 +0200 Subject: [PATCH 21/68] Fixed typo (Techincal) --- .../hello-for-business/hello-how-it-works-tech-deep-dive.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md index 723a2e1e54..bb57bd6b57 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md @@ -1,5 +1,5 @@ --- -title: How Windows Hello for Business works - Techincal Deep Dive +title: How Windows Hello for Business works - Technical Deep Dive description: Explains registration, authentication, key material, and infrastructure for Windows Hello for Business. keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust, works ms.prod: w10 From 152d14dccbcc272d1787ef0e07be701af1115f02 Mon Sep 17 00:00:00 2001 From: Nikita Potapenko Date: Tue, 15 Oct 2019 14:43:08 +0300 Subject: [PATCH 22/68] Fix code snippet --- windows/client-management/troubleshoot-tcpip-connectivity.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/troubleshoot-tcpip-connectivity.md b/windows/client-management/troubleshoot-tcpip-connectivity.md index cff5317a5f..fe6e32ce59 100644 --- a/windows/client-management/troubleshoot-tcpip-connectivity.md +++ b/windows/client-management/troubleshoot-tcpip-connectivity.md 
@@ -89,7 +89,7 @@ The application which is causing the reset (identified by port numbers) should b >The above information is about resets from a TCP standpoint and not UDP. UDP is a connectionless protocol and the packets are sent unreliably. You would not see retransmission or resets when using UDP as a transport protocol. However, UDP makes use of ICMP as a error reporting protocol. When you have the UDP packet sent out on a port and the destination does not have port listed, you will see the destination sending out **ICMP Destination host unreachable: Port unreachable** message immediately after the UDP packet -```typescript +``` 10.10.10.1 10.10.10.2 UDP UDP:SrcPort=49875,DstPort=3343 10.10.10.2 10.10.10.1 ICMP ICMP:Destination Unreachable Message, Port Unreachable,10.10.10.2:3343 @@ -98,7 +98,7 @@ The application which is causing the reset (identified by port numbers) should b During the course of troubleshooting connectivity issue, you might also see in the network trace that a machine receives packets but does not respond to. In such cases, there could be a drop at the server level. You should enable firewall auditing on the machine to understand if the local firewall is dropping the packet. -```typescript +``` auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable ``` From 72cb4153dbe5fa1e9673eab2202e97d790115b34 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 15 Oct 2019 17:57:56 +0500 Subject: [PATCH 23/68] Update windows-defender-application-control.md --- .../windows-defender-application-control.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md index 3605322e2c..b3bbec14d2 100644 
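Review bot: in the second hunk (`@@ -98,7 +98,7 @@`) the `auditpol /set ...` block loses its `typescript` tag but gets no replacement; this is a command line rather than captured output, so tag it the way other pages in this series tag commands (for example `dos`) so it gets correct highlighting and a copy button. Leaving the first hunk's trace output untagged is fine, since it is output rather than code.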
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md @@ -18,7 +18,7 @@ ms.date: 01/08/2019 **Applies to:** -- Windows 10 Enterprise +- Windows 10 - Windows Server 2016 - Windows Server 2019 @@ -41,7 +41,7 @@ WDAC policies also block unsigned scripts and MSIs, and Windows PowerShell runs ## WDAC System Requirements WDAC policies can only be created on computers beginning with Windows 10 Enterprise or Windows Server 2016 and above. -They can be applied to computers running Windows 10 Enterprise or Windows Server 2016 and above and optionally managed via Mobile Device Management (MDM), such as Microsoft Intune. +They can be applied to computers running any edition of Windows 10 or Windows Server 2016 and optionally managed via Mobile Device Management (MDM), such as Microsoft Intune. Group Policy or Intune can be used to distribute WDAC policies. ## New and changed functionality From 13c9f397d21b09be8bc12731ab1e50577d97964f Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Tue, 15 Oct 2019 09:43:06 -0700 Subject: [PATCH 24/68] Update prepare-your-organization-for-bitlocker-planning-and-policies.md removing in-topic links as there's already an "in this topic" navigation on the right side of the page. Everything else is good to go --- ...rganization-for-bitlocker-planning-and-policies.md | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index e1319973a2..6e2f30a20e 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md 
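Review bot: the `+` line in the `@@ -41,7 +41,7 @@` hunk drops `and above` after `Windows Server 2016`, while the unchanged sentence just before it still says policies are created on `Windows Server 2016 and above` and the **Applies to** list in the first hunk includes Windows Server 2019; restore `and above` (`any edition of Windows 10 or Windows Server 2016 and above`) so the supported enforcement targets are not narrowed by accident.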
+++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md @@ -27,17 +27,6 @@ This topic for the IT professional explains how can you plan your BitLocker depl When you design your BitLocker deployment strategy, define the appropriate policies and configuration requirements based on the business requirements of your organization. The following topics will help you collect information that you can use to frame your decision-making process about deploying and managing BitLocker systems. -- [Audit your environment](#audit-your-environment) -- [Encryption keys and authentication](#encryption-keys-and-authentication) -- [TPM hardware configurations](#tpm-hardware-configurations) -- [Non-TPM hardware configurations](#non-tpm-hardware-configurations) -- [Disk configuration considerations](#disk-configuration-considerations) -- [BitLocker provisioning](#bitlocker-provisioning) -- [Used Disk Space Only encryption](#used-disk-space-only-encryption) -- [Active Directory Domain Services considerations](#active-directory-domain-services-considerations) -- [FIPS support for recovery password protector](#fips-support-for-recovery-password-protector) -- [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) - ## Audit your environment To plan your enterprise deployment of BitLocker, you must first understand your current environment. Conduct an informal audit to define your current policies, procedures, and hardware environment. Begin by reviewing your existing corporate security policies as they relate to disk encryption software. If your organization is not currently using disk encryption software, none of these policies will exist. If you are using disk encryption software, then you might need to modify your organization's policies to address the capabilities of BitLocker. From 4e94b024c168d917254bf67ad96ee12bf1b7fa9a Mon Sep 17 00:00:00 2001 
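Review bot: with the link list removed, the unchanged lead sentence `The following topics will help you collect information...` now refers to nothing; reword it to refer to the sections of this topic (for example `The following sections will help you collect information...`) or drop it, since the right-hand navigation the commit message mentions already serves that purpose.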
From: DanPandre <54847950+DanPandre@users.noreply.github.com> Date: Tue, 15 Oct 2019 14:17:03 -0400 Subject: [PATCH 25/68] Correcting admin role language Global admin is a role not a security group in Azure. The additional note referred to global admin role, but actually means the Device Administrator role (global admin role works fine regardless of role changes after OOBE). --- devices/surface-hub/first-run-program-surface-hub.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/devices/surface-hub/first-run-program-surface-hub.md b/devices/surface-hub/first-run-program-surface-hub.md index 22cddbc67d..0ba6f9c905 100644 --- a/devices/surface-hub/first-run-program-surface-hub.md +++ b/devices/surface-hub/first-run-program-surface-hub.md 
@@ -337,10 +337,10 @@ This is what happens when you choose an option. - **Use Microsoft Azure Active Directory** - Clicking this option allows you to join the device to Azure AD. Once you click **Next**, the device will restart to apply some settings, and then you’ll be taken to the [Use Microsoft Azure Active Directory](#use-microsoft-azure) page and asked to enter credentials that can allow you to join Azure AD. Members of the Azure Global Admins security group from the joined organization will be able to use the Settings app. The specific people that will be allowed depends on your Azure AD subscription and how you’ve configured the settings for your Azure AD organization. + Clicking this option allows you to join the device to Azure AD. Once you click **Next**, the device will restart to apply some settings, and then you’ll be taken to the [Use Microsoft Azure Active Directory](#use-microsoft-azure) page and asked to enter credentials that can allow you to join Azure AD. Members of the Azure Global Admins role from the joined organization will be able to use the Settings app. The specific people that will be allowed depends on your Azure AD subscription and how you’ve configured the settings for your Azure AD organization. >[!IMPORTANT] - >Administrators added to the Azure Global Admins group after you join the device to Azure AD will be unable to use the Settings app. + >Administrators added to the Azure Device Administrators role after you join the device to Azure AD will be unable to use the Settings app. > >If you join Surface Hub to Azure AD during first-run setup, single sign-on (SSO) for Office apps will not work properly. Users will have to sign in to each Office app individually. From bb2c59639dad8c48ffc1e2ee00de42455d60c150 Mon Sep 17 00:00:00 2001 
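Review bot: the body paragraph now says members of the `Azure Global Admins role` can use the Settings app, but the `[!IMPORTANT]` note was changed to talk about the `Azure Device Administrators role`, which the page never introduces; per the commit message the note is about a different role than the paragraph, so add a sentence to the paragraph stating that members of the Device Administrators role at join time can also use the Settings app, otherwise the note reads as if it contradicts the preceding text.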
From: Greg Lindsay Date: Tue, 15 Oct 2019 13:22:49 -0700 Subject: [PATCH 26/68] Update set-up-mdt-for-bitlocker.md --- .../deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md index 73ba50eafc..b1a4515898 100644 --- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md +++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md @@ -46,7 +46,7 @@ To enable BitLocker to store the recovery key and TPM information in Active Dire > [!NOTE] > Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory. -In Windows Server version from 2008 R2 and onwards, you have access to the BitLocker Drive Encryption Administration Utilities features, which will help you manage BitLocker. When you install the features, the BitLocker Active Directory Recovery Password Viewer is included, and it extends Active Directory Users and Computers with BitLocker Recovery information. +In Windows Server version from 2008 R2 and later, you have access to the BitLocker Drive Encryption Administration Utilities features, which will help you manage BitLocker. When you install the features, the BitLocker Active Directory Recovery Password Viewer is included, and it extends Active Directory Users and Computers with BitLocker Recovery information. ![figure 2](../images/mdt-09-fig02.png) From b8c9abad7c78b03c2aafc3e39141524471bded19 Mon Sep 17 00:00:00 2001 From: hubalazs <10714856+hubalazs@users.noreply.github.com> Date: Tue, 15 Oct 2019 22:58:47 +0200 Subject: [PATCH 27/68] Fixed typo (mangement) --- windows/client-management/mdm/accountmanagement-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
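Review bot: the `+` line still reads `In Windows Server version from 2008 R2 and later`, which is as awkward as the original `and onwards` wording; since the line is being touched, make it `In Windows Server 2008 R2 and later, you have access to the BitLocker Drive Encryption Administration Utilities features...`.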
diff --git a/windows/client-management/mdm/accountmanagement-csp.md b/windows/client-management/mdm/accountmanagement-csp.md index 294043dca3..f14ec54b3b 100644 --- a/windows/client-management/mdm/accountmanagement-csp.md +++ b/windows/client-management/mdm/accountmanagement-csp.md @@ -31,7 +31,7 @@ Root node for the AccountManagement configuration service provider. Interior node. **UserProfileManagement/EnableProfileManager** -Enable profile lifetime mangement for shared or communal device scenarios. Default value is false. +Enable profile lifetime management for shared or communal device scenarios. Default value is false. Supported operations are Add, Get,Replace, and Delete. Value type is bool. From 5357026a1593e728c6017a9b5d1a236cda404f9b Mon Sep 17 00:00:00 2001 From: Andreas Stenhall Date: Wed, 16 Oct 2019 08:38:01 +0200 Subject: [PATCH 28/68] Update deploy-multiple-windows-defender-application-control-policies.md --- ...oy-multiple-windows-defender-application-control-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index a9c5251d57..57220733e6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md 
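Review bot: the typo fix on the `+` line is correct; the context line two below it, `Supported operations are Add, Get,Replace, and Delete.`, is missing a space after `Get,` and could be fixed in the same commit.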
@@ -52,7 +52,7 @@ New-CIPolicy -MultiplePolicyFormat -foo –bar Optionally, you can choose to make the new base policy supplementable (allow supplemental policies). ```powershell -Set-RuleOption -FilePath 17 +Set-RuleOption -FilePath -Option 17 ``` For signed base policies that are being made supplementable, you need to ensure that supplemental signers are defined. Use the "Supplemental" switch in Add-SignerRule to provide supplemental signers. From 2557e933196d45d23599d48145060a7e53e2fd3a Mon Sep 17 00:00:00 2001 From: illfated Date: Wed, 16 Oct 2019 10:55:09 +0200 Subject: [PATCH 29/68] MSD ATP portal: URL correction 2 Ref. issue ticket #5015. Thanks to In-FinIT, both for reporting it in the first place and for noticing that the link URL is still wrong. (This is only a correction for the link URL, no other changes.) --- ...event-changes-to-security-settings-with-tamper-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md index 8324650680..59d0091a87 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md +++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md 
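Review bot: `Set-RuleOption -FilePath -Option 17` on the `+` line still gives `-FilePath` no value, so PowerShell binds `-Option` as the next parameter name and fails on the missing `-FilePath` argument; write the example with an explicit placeholder, for example `Set-RuleOption -FilePath <PathToBasePolicyXml> -Option 17`, so readers can see where the policy path goes.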
@@ -149,7 +149,7 @@ In this case, Tamper Protection status changes, and this feature is no longer ap ### Will there be an alert about Tamper Protection status changing in the Microsoft Defender Advanced Threat Protection portal? -Yes. The alert is shown in [https://securitycenter.microsoft.com](https://microsoft.securitycenter.com) under **Alerts**. +Yes. The alert is shown in [https://securitycenter.microsoft.com](https://securitycenter.microsoft.com) under **Alerts**. In addition, your security operations team can use hunting queries, such as the following: From 8bf6bcb532446183ac50ee7ffa2443a5df75480e Mon Sep 17 00:00:00 2001 From: hubalazs <10714856+hubalazs@users.noreply.github.com> Date: Wed, 16 Oct 2019 11:37:47 +0200 Subject: [PATCH 30/68] Fixed typo (asssigned) --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 5136ececee..1bb87570ff 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md 
@@ -580,7 +580,7 @@ Sign-in the NDES server with access equivalent to _domain administrator_. 3. Click **Sign-in**. Type credentials for your Intune administrator, or tenant administrator that has the **Global Administrator** directory role. ![Intune Certificate Connector Configuration 02](images/aadjcert/intunecertconnectorconfig-02.png) > [!IMPORTANT] - > The user account must have a valid Intune licenese asssigned. If the user account does not have a valid Intune license, the sign-in fails. + > The user account must have a valid Intune licenese assigned. If the user account does not have a valid Intune license, the sign-in fails. 4. Optionally, you can configure the NDES Connector for certificate revocation. If you want to do this, continue to the next task. Otherwise, Click **Close**, restart the **Intune Connector Service** and the **World Wide Web Publishing Service**, and skip the next task. From 997c135ec99ccd9ef50f6f3db04ef79c81c64cdf Mon Sep 17 00:00:00 2001 From: Nick Anderson Date: Wed, 16 Oct 2019 13:54:53 -0700 Subject: [PATCH 31/68] Adding `l` in Application --- .../audit-windows-defender-application-control-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md index aed91aa7a0..d3974de495 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md 
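Review bot: the `+` line fixes `asssigned` but leaves `licenese` on the same line; change it to `license` in this commit since the line is already being rewritten.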
@@ -21,7 +21,7 @@ ms.date: 05/03/2018 - Windows 10 - Windows Server 2016 -Running Appication Control in audit mode allows administrators to discover any applications that were missed during an initial policy scan and to identify any new applications that have been installed and run since the original policy was created. While a WDAC policy is running in audit mode, any binary that runs and would have been denied had the policy been enforced is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. When these logged binaries have been validated, they can easily be added to a new WDAC policy. When the new exception policy is created, you can merge it with your existing WDAC policies. +Running Application Control in audit mode allows administrators to discover any applications that were missed during an initial policy scan and to identify any new applications that have been installed and run since the original policy was created. While a WDAC policy is running in audit mode, any binary that runs and would have been denied had the policy been enforced is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. When these logged binaries have been validated, they can easily be added to a new WDAC policy. When the new exception policy is created, you can merge it with your existing WDAC policies. Before you begin this process, you need to create a WDAC policy binary file. If you have not already done so, see [Create an initial Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md). From 2a1630822c9833417543a87d959638eab5f21c4f Mon Sep 17 00:00:00 2001 
From: brbrahm <43386070+brbrahm@users.noreply.github.com> Date: Wed, 16 Oct 2019 16:23:27 -0700 Subject: [PATCH 32/68] Update filepath rules documentation Clarify wildcard syntax and new -Level options --- .../select-types-of-rules-to-create.md | 58 +++---------------- 1 file changed, 9 insertions(+), 49 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 287c247293..9abcd191f4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md 
@@ -70,7 +70,9 @@ You can set several rule options within a WDAC policy. Table 2 describes each ru | **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). | | **15 Enabled:Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically re-validate the reputation for files that were authorized by the ISG.| | **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot. | -| **17 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically-loaded libraries. | +| **17 Enabled:Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it. | +| **18 Disabled:Runtime FilePath Rule Protection** | Disable default FilePath rule protection of enforcing user-writeability and only allowing admin-writeable locations. | +| **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically-loaded libraries. | ## Windows Defender Application Control file rule levels 
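Review bot: the hunk silently renumbers **Enabled:Dynamic Code Security** from option 17 to option 19 while inserting options 17 and 18, so anyone following the earlier version of this table with `Set-RuleOption -Option 17` now gets Allow Supplemental Policies instead of dynamic code enforcement; the table, or a short note above it, should say that the numbering changed and in which release the new options appeared. The description of option 18, "Disable default FilePath rule protection of enforcing user-writeability and only allowing admin-writeable locations", should also state the consequence plainly: with it set, FilePath rules authorize files in user-writeable paths, and that runtime check is the only thing stopping a standard user from dropping their own binary into an allowed directory. A warning sentence in that row plus a cross-reference to the FilePath entry in Table 3 would do.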
@@ -84,6 +86,12 @@ Table 3. Windows Defender Application Control policy - file rule levels |----------- | ----------- | | **Hash** | Specifies individual hash values for each discovered binary. Although this level is specific, it can cause additional administrative overhead to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. | | **FileName** | Specifies individual binary file names. Although the hash values for an application are modified when updated, the file names are typically not. This offers less specific security than the hash level but does not typically require a policy update when any binary is modified. | +| **FilePath** | Beginning with Windows 10 version 1903, this specifies rules that allow execution of binaries contained in paths that are admin-writeable only. By default, WDAC performs a user-writeability check at runtime which ensures that the current permissions on the specified filepath and its parent directories (recursively) do not allow standard users write access.
Note that filepath rules do not provide the same security guarantees that explicit signer rules do, as they are based on mutable access permissions. Filepath rules are best suited for environments where most users are running as standard rather than admin. IT Pros should take care while crafting path rules to allow paths that they know are likely to remain to be admin-writeable only and deny execution from sub-directories where standard users can modify ACLs on the folder.
There is a defined list of SIDs which are recognized as admins (below). If a file has write permissions for a SID not in this list, the file will be flagged as user writeable.
S-1-3-0; S-1-5-18; S-1-5-19; S-1-5-20; S-1-5-32-544; S-1-5-32-549; S-1-5-32-550; S-1-5-32-551; S-1-5-32-577; S-1-5-32-559; S-1-5-32-568; S-1-15-2-1430448594-2639229838-973813799-439329657-1197984847-4069167804-1277922394; S-1-15-2-95739096-486727260-2033287795-3853587803-1685597119-444378811-2746676523.
Wildcards can be used at the beginning or end of a path rule: only one wildcard is allowed per path rule. Wildcards placed at the end of a path authorize all files in that path and its subdirectories recursively (ex. C:\\* would include C:\foo\\* ). Wildcards placed at the beginning of a path scan all directories for files with a specific name (ex. \*\bar.exe would allow C:\bar.exe and C:\foo\bar.exe). Wildcards in the middle of a path are not supported (ex. C:\\*\foo.exe). Without a wildcard, the rule will allow only a specific file (ex. C:\foo\bar.exe).
Supported macros: %WINDIR%, %SYSTEM32%, %OSDRIVE%.| +> [!NOTE] +> Due to an existing bug, you can not combine Path-based ALLOW rules with any DENY rules in a single policy. Instead, either separate DENY rules into a separate Base policy or move the Path-based ALLOW rules into a supplemental policy as described in [Deploy multiple WDAC policies.](deploy-multiple-windows-defender-application-control-policies.md) + +| Rule level | Description | +|----------- | ----------- | | **SignedVersion** | This combines the publisher rule with a version number. This option allows anything from the specified publisher, with a version at or above the specified version number, to run. | | **Publisher** | This is a combination of the PcaCertificate level (typically one certificate below the root) and the common name (CN) of the leaf certificate. This rule level allows organizations to trust a certificate from a major CA (such as Symantec), but only if the leaf certificate is from a specific company (such as Intel, for device drivers). | | **FilePublisher** | This is a combination of the “FileName” attribute of the signed file, plus “Publisher” (PCA certificate with CN of leaf), plus a minimum version number. This option trusts specific files from the specified publisher, with a version at or above the specified version number. | 
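Review bot: putting the `> [!NOTE]` block between the **FilePath** row and the **SignedVersion** row splits Table 3 in two (the hunk has to add a second `| Rule level | Description |` header to restart it); move the note above or below the table, or fold it into the FilePath cell, so the rule levels stay in one table. Inside the FilePath cell the path examples use inconsistent escaping (`C:\\*` and `C:\foo\\*` next to `\*\bar.exe`, `C:\\*\foo.exe` and `C:\foo\bar.exe`), so the rendered backslashes will not match the literal rule syntax; since wildcard placement decides what a rule authorizes, pick one escaping and put each example in a code span. The cell also describes two different checks, a recursive permission check on "the specified filepath and its parent directories" and a per-file check ("If a file has write permissions for a SID not in this list, the file will be flagged as user writeable"), and should say which applies when; it would also help to state that the SID list is the definition of "admin-writeable" that the Runtime FilePath Rule Protection option (18) enforces.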
@@ -107,51 +115,3 @@ As part of normal operations, they will eventually install software updates, or They could also choose to create a catalog that captures information about the unsigned internal application, then sign and distribute the catalog. Then the internal application could be handled by WDAC policies in the same way as any other signed application. An update to the internal application would only require that the catalog be regenerated, signed, and distributed (no restarts would be required). -## Create path-based rules - -Beginning with Windows 10 version 1903, Windows Defender Application Control (WDAC) policies can contain path-based rules. -> [!NOTE] -> Due to an existing bug, you can not combine Path-based ALLOW rules with any DENY rules in a single policy. Instead, either separate DENY rules into a separate Base policy or move the Path-based ALLOW rules into a supplemental policy as described in [Deploy multiple WDAC policies.](deploy-multiple-windows-defender-application-control-policies.md) - -- New-CIPolicy parameter - - FilePath: create path rules under path \ for anything not user-writeable (at the individual file level) - - ```powershell - New-CIPolicy -FilePath .\mypolicy.xml -Level FileName -ScanPath -UserPEs - ``` - - Optionally, add -UserWriteablePaths to ignore user writeability - -- New-CIPolicyRule parameter - - FilePathRule: create a rule where filepath string is directly set to value of \ - - ```powershell - New-CIPolicyRule -FilePathRule - ``` - - Useful for wildcards like C:\foo\\* - -- Usage follows the same flow as per-app rules: - - ```powershell - $rules = New-CIPolicyRule … - $rules += New-CIPolicyRule … - … - New-CIPolicy -FilePath .\mypolicy.xml -Rules $rules -UserPEs - ``` - -- Wildcards supported - - Suffix (ex. C:\foo\\*) OR Prefix (ex. *\foo\bar.exe) - - One or the other, not both at the same time - - Does not support wildcard in the middle (ex. C:\\*\foo.exe) - - Examples: - - %WINDIR%\\... - - %SYSTEM32%\\... 
- - %OSDRIVE%\\... - -- Disable default FilePath rule protection of enforcing user-writeability. For example, to add “Disabled:Runtime FilePath Rule Protection” to the policy: - - ```powershell - Set-RuleOption -Option 18 .\policy.xml - ``` - From fca86bc47249cbd21aa5a1e25030f11b303cbb26 Mon Sep 17 00:00:00 2001 From: Nick Anderson Date: Wed, 16 Oct 2019 16:49:42 -0700 Subject: [PATCH 33/68] Update windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../audit-windows-defender-application-control-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md index d3974de495..10a2c6c988 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md 
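Review bot: on the hunk that deletes the "Create path-based rules" section (PATCH 32): this removes the only cmdlet guidance for path rules, `New-CIPolicy ... -Level FilePath`, the `-UserWriteablePaths` switch, `New-CIPolicyRule -FilePathRule` and `Set-RuleOption -Option 18`, while the FilePath row added in the previous hunk mentions none of them, and the commit subject promises to clarify the "new -Level options". Keep at least a corrected version of the `New-CIPolicy -FilePath .\mypolicy.xml -Level FilePath -ScanPath <dir> -UserPEs` example and the `Set-RuleOption -Option 18 .\policy.xml` example near Table 3 (the deleted snippet had `-Level FileName` and a bare `-ScanPath` with no value, which is worth fixing rather than dropping), or link the FilePath row to the cmdlet reference. The deleted NOTE about Path-based ALLOW rules not combining with DENY rules does survive in the table, so that part is fine.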
@@ -21,7 +21,7 @@ ms.date: 05/03/2018 - Windows 10 - Windows Server 2016 -Running Application Control in audit mode allows administrators to discover any applications that were missed during an initial policy scan and to identify any new applications that have been installed and run since the original policy was created. While a WDAC policy is running in audit mode, any binary that runs and would have been denied had the policy been enforced is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. When these logged binaries have been validated, they can easily be added to a new WDAC policy. When the new exception policy is created, you can merge it with your existing WDAC policies. +Running **Application Control** in audit mode allows administrators to discover any applications that were missed during an initial policy scan and to identify any new applications that have been installed and run since the original policy was created. While a WDAC policy is running in audit mode, any binary that runs and would have been denied had the policy been enforced is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. When these logged binaries have been validated, they can easily be added to a new WDAC policy. When the new exception policy is created, you can merge it with your existing WDAC policies. Before you begin this process, you need to create a WDAC policy binary file. If you have not already done so, see [Create an initial Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md). From a6751ceccdd84e14668c2be0e884bb7c56ef0cfe Mon Sep 17 00:00:00 2001 
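Review bot: bolding **Application Control** in the first sentence (PATCH 33) emphasizes a shortened name while the very next sentence uses the unexpanded abbreviation "WDAC"; spell out "Windows Defender Application Control (WDAC)" on first use instead of bolding, which also matches the page's own link text "Create an initial Windows Defender Application Control policy". The same sentence was already edited by PATCH 31 (Appication to Application); the two could be squashed.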
From: DanPandre <54847950+DanPandre@users.noreply.github.com> Date: Thu, 17 Oct 2019 08:27:10 -0400 Subject: [PATCH 34/68] Update devices/surface-hub/first-run-program-surface-hub.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- devices/surface-hub/first-run-program-surface-hub.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface-hub/first-run-program-surface-hub.md b/devices/surface-hub/first-run-program-surface-hub.md index 0ba6f9c905..063e49f00d 100644 --- a/devices/surface-hub/first-run-program-surface-hub.md +++ b/devices/surface-hub/first-run-program-surface-hub.md @@ -339,7 +339,7 @@ This is what happens when you choose an option. Clicking this option allows you to join the device to Azure AD. Once you click **Next**, the device will restart to apply some settings, and then you’ll be taken to the [Use Microsoft Azure Active Directory](#use-microsoft-azure) page and asked to enter credentials that can allow you to join Azure AD. Members of the Azure Global Admins role from the joined organization will be able to use the Settings app. The specific people that will be allowed depends on your Azure AD subscription and how you’ve configured the settings for your Azure AD organization. - >[!IMPORTANT] + > [!IMPORTANT] >Administrators added to the Azure Device Administrators role after you join the device to Azure AD will be unable to use the Settings app. > >If you join Surface Hub to Azure AD during first-run setup, single sign-on (SSO) for Office apps will not work properly. Users will have to sign in to each Office app individually. From cc0a18a48df2813ea731011d18253870744630d3 Mon Sep 17 00:00:00 2001 
From: DanPandre <54847950+DanPandre@users.noreply.github.com> Date: Thu, 17 Oct 2019 08:29:33 -0400 Subject: [PATCH 35/68] Update devices/surface-hub/first-run-program-surface-hub.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- devices/surface-hub/first-run-program-surface-hub.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface-hub/first-run-program-surface-hub.md b/devices/surface-hub/first-run-program-surface-hub.md index 063e49f00d..7f517520fa 100644 --- a/devices/surface-hub/first-run-program-surface-hub.md +++ b/devices/surface-hub/first-run-program-surface-hub.md @@ -340,7 +340,7 @@ This is what happens when you choose an option. Clicking this option allows you to join the device to Azure AD. Once you click **Next**, the device will restart to apply some settings, and then you’ll be taken to the [Use Microsoft Azure Active Directory](#use-microsoft-azure) page and asked to enter credentials that can allow you to join Azure AD. Members of the Azure Global Admins role from the joined organization will be able to use the Settings app. The specific people that will be allowed depends on your Azure AD subscription and how you’ve configured the settings for your Azure AD organization. > [!IMPORTANT] - >Administrators added to the Azure Device Administrators role after you join the device to Azure AD will be unable to use the Settings app. + > Administrators added to the Azure Device Administrators role after you join the device to Azure AD will be unable to use the Settings app. > >If you join Surface Hub to Azure AD during first-run setup, single sign-on (SSO) for Office apps will not work properly. Users will have to sign in to each Office app individually. From b39f4f4bdfdcbc445ffbad1ec9b0888c68595f02 Mon Sep 17 00:00:00 2001 
From: DanPandre <54847950+DanPandre@users.noreply.github.com> Date: Thu, 17 Oct 2019 08:29:47 -0400 Subject: [PATCH 36/68] Update devices/surface-hub/first-run-program-surface-hub.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- devices/surface-hub/first-run-program-surface-hub.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface-hub/first-run-program-surface-hub.md b/devices/surface-hub/first-run-program-surface-hub.md index 7f517520fa..3d38a356f5 100644 --- a/devices/surface-hub/first-run-program-surface-hub.md +++ b/devices/surface-hub/first-run-program-surface-hub.md @@ -342,7 +342,7 @@ This is what happens when you choose an option. > [!IMPORTANT] > Administrators added to the Azure Device Administrators role after you join the device to Azure AD will be unable to use the Settings app. > - >If you join Surface Hub to Azure AD during first-run setup, single sign-on (SSO) for Office apps will not work properly. Users will have to sign in to each Office app individually. + > If you join Surface Hub to Azure AD during first-run setup, single sign-on (SSO) for Office apps will not work properly. Users will have to sign in to each Office app individually. - **Use Active Directory Domain Services** From 281d3cc623e7043a546561913cec0f107aebe9fe Mon Sep 17 00:00:00 2001 From: Cern McAtee Date: Thu, 17 Oct 2019 15:13:14 -0700 Subject: [PATCH 37/68] Removed int'l exchange rate info --- store-for-business/billing-understand-your-invoice-msfb.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/store-for-business/billing-understand-your-invoice-msfb.md b/store-for-business/billing-understand-your-invoice-msfb.md index ecc4e1f38e..b9df263894 100644 --- a/store-for-business/billing-understand-your-invoice-msfb.md +++ b/store-for-business/billing-understand-your-invoice-msfb.md 
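Review bot: PATCH 34, PATCH 35 and PATCH 36 each change a single space in the same `> [!IMPORTANT]` block of first-run-program-surface-hub.md (`>[!IMPORTANT]` to `> [!IMPORTANT]`, then the `>Administrators` and `>If you join` lines); squash them into one commit so the history records one formatting change. While touching the block, the statement "Administrators added to the Azure Device Administrators role after you join the device to Azure AD will be unable to use the Settings app" is a notable limitation and leaves the reader with no action; if there is a documented way to grant those administrators access, the note should point to it.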
@@ -26,7 +26,6 @@ Invoices are your bill from Microsoft. A few things to note: - **Billing profile** - Billing profiles are created during your purchase. Invoices are created for each billing profile. Billing profiles let you customize what products are purchased, how you pay for them, and who can make purchases. For more information, see [Understand billing profiles](billing-profile.md) - **Items included** - Your invoice includes total charges for all first and third-party software and hardware products purchased under a Microsoft Customer Agreement. That includes items purchased from Microsoft Store for Business and Azure Marketplace. - **Charges** - Your invoice provides information about products purchased and their related charges and taxes. Purchases are aggregated to provide a concise view of your bill. -- **International customers** - Charges on invoices for international customers are converted to their local currencies. Exchange rate information is listed at the bottom of the invoice. ## Online invoice For Store for Business customers, invoices are also available online. A few things to note: @@ -107,9 +106,6 @@ At the bottom of the invoice, there are instructions for paying your bill. You c ### Publisher information If you have third-party services in your bill, the name and address of each publisher is listed at the bottom of your invoice. -### Exchange rate -If prices were converted to your local currency, the exchange rates are listed in this section at the bottom of the invoice. All Azure charges are priced in USD and third-party services are priced in the seller's currency. - ## Next steps If there are Azure charges on your invoice that you would like more details on, see [Understand the Azure charges on your Microsoft Customer Agreement invoice](https://docs.microsoft.com/azure/billing/billing-understand-your-invoice-mca). From b4a08af55470e3129bc8041b6539f6e537dfc642 Mon Sep 17 00:00:00 2001 
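Review bot: the two hunks remove the "International customers" bullet and the "Exchange rate" section, and with them the only statement of which currency charges are priced in ("All Azure charges are priced in USD and third-party services are priced in the seller's currency"); the commit message says only that the information was removed, not whether invoices no longer show exchange rates or whether pricing currency changed. If the currency statement is still true it should stay, under **Charges**; if the feature went away, a one-line replacement telling international customers what their invoice now shows would stop them looking for the deleted section.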
From: Kaushik Ainapure Date: Fri, 18 Oct 2019 19:02:13 +0530 Subject: [PATCH 38/68] Update troubleshooting landing page revamp troubleshooting links --- .../windows-10-support-solutions.md | 179 +++++++++++------- 1 file changed, 107 insertions(+), 72 deletions(-) diff --git a/windows/client-management/windows-10-support-solutions.md b/windows/client-management/windows-10-support-solutions.md index 7d787f544d..39080a98d6 100644 --- a/windows/client-management/windows-10-support-solutions.md +++ b/windows/client-management/windows-10-support-solutions.md 
@@ -1,99 +1,134 @@ --- -title: Top support solutions for Windows 10 -ms.reviewer: +title: Troubleshooting Windows 10 +description: Get links to troubleshooting articles for Windows 10 issues +ms.reviewer: kaushika manager: dansimp -description: Get links to solutions for Windows 10 issues ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -ms.author: dansimp -author: dansimp +ms.author: kaushika +author: kaushika-msft ms.localizationpriority: medium ms.topic: troubleshooting --- -# Troubleshoot Windows 10 clients +# Troubleshoot Windows 10 client -This section contains advanced troubleshooting topics and links to help you resolve issues with Windows 10 clients. Additional topics will be added as they become available. +Microsoft regularly releases both updates for Windows Server. To ensure your servers can receive future updates, including security updates, it's important to keep your servers updated. Check out - [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/en-us/help/4000825/windows-10-windows-server-2016-update-history) for a complete list of released updates. -## Troubleshooting support topics +This section contains advanced troubleshooting topics and links to help you resolve issues with Windows 10 in an enterprise or IT pro environment. Additional topics will be added as they become available. -- [Advanced troubleshooting for Windows networking](troubleshoot-networking.md)
- - [Advanced troubleshooting wireless network connectivity](advanced-troubleshooting-wireless-network-connectivity.md)
- - [Advanced troubleshooting 802.1X authentication](advanced-troubleshooting-802-authentication.md)
- - [Data collection for troubleshooting 802.1X authentication](data-collection-for-802-authentication.md)
- - [Advanced troubleshooting for TCP/IP](troubleshoot-tcpip.md)
- - [Collect data using Network Monitor](troubleshoot-tcpip-netmon.md)
- - [Troubleshoot TCP/IP connectivity](troubleshoot-tcpip-connectivity.md)
- - [Troubleshoot port exhaustion](troubleshoot-tcpip-port-exhaust.md)
- - [Troubleshoot Remote Procedure Call (RPC) errors](troubleshoot-tcpip-rpc-errors.md)
-- [Advanced troubleshooting for Windows startup](troubleshoot-windows-startup.md)
- - [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)
- - [Advanced troubleshooting for Windows-based computer issues](troubleshoot-windows-freeze.md)
- - [Advanced troubleshooting for stop errors or blue screen errors](troubleshoot-stop-errors.md)
- - [Advanced troubleshooting for stop error 7B or Inaccessible_Boot_Device](troubleshoot-inaccessible-boot-device.md)
+### Troubleshoot 802.1x Authentication +- [Advanced Troubleshooting 802.1X Authentication](https://docs.microsoft.com/windows/client-management/advanced-troubleshooting-802-authentication) +- [Data collection for troubleshooting 802.1X authentication](https://docs.microsoft.com/windows/client-management/data-collection-for-802-authentication) -## Windows 10 update history +### Troubleshoot BitLocker +- [BitLocker overview and requirements FAQ (Windows 10)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq) +- [BitLocker Upgrading FAQ (Windows 10)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq) +- [BitLocker frequently asked questions (FAQ) (Windows 10)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq) +- [BitLocker Key Management FAQ (Windows 10)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-key-management-faq) +- [BitLocker To Go FAQ (Windows 10)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-to-go-faq) +- [BitLocker and Active Directory Domain Services (AD DS) FAQ (Windows 10)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq) +- [BitLocker Security FAQ (Windows 10)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-security-faq) +- [BitLocker frequently asked questions (FAQ) (Windows 10)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq) +- [Using BitLocker with other programs FAQ (Windows 10)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq) +- [BitLocker recovery guide (Windows 
10)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan) -Microsoft regularly releases both updates and solutions for Windows 10. To ensure your computers can receive future updates, including security updates, it's important to keep them updated. Check out the following links for a complete list of released updates: +### Troubleshoot Bugcheck and Stop errors +- [Introduction to the page file](https://docs.microsoft.com/windows/client-management/introduction-page-file) +- [How to determine the appropriate page file size for 64-bit versions of Windows](https://docs.microsoft.com/windows/client-management/determine-appropriate-page-file-size) +- [Configure system failure and recovery options in Windows](https://docs.microsoft.com/windows/client-management/system-failure-recovery-options) +- [Generate a kernel or complete crash dump](https://docs.microsoft.com/windows/client-management/generate-kernel-or-complete-crash-dump) +- [Advanced troubleshooting for Stop error or blue screen error issue](https://docs.microsoft.com/windows/client-management/troubleshoot-stop-errors) +- [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](https://docs.microsoft.com/windows/client-management/troubleshoot-inaccessible-boot-device) +- [Blue Screen Data - Windows drivers](https://docs.microsoft.com/windows-hardware/drivers/debugger/blue-screen-data) +- [Bug Check Code Reference - Windows drivers](https://docs.microsoft.com/windows-hardware/drivers/debugger/bug-check-code-reference2) -- [Windows 10 version 1809 update history](https://support.microsoft.com/help/4464619) -- [Windows 10 version 1803 update history](https://support.microsoft.com/help/4099479) -- [Windows 10 version 1709 update history](https://support.microsoft.com/help/4043454) -- [Windows 10 Version 1703 update history](https://support.microsoft.com/help/4018124) -- [Windows 10 Version 1607 update 
history](https://support.microsoft.com/help/4000825) -- [Windows 10 Version 1511 update history](https://support.microsoft.com/help/4000824) +### Troubleshoot Credential Guard +- [Windows Defender Credential Guard - Known issues (Windows 10)](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-known-issues) + +### Troubleshoot Disks +- [MBR2GPT](https://docs.microsoft.com/windows/deployment/mbr-to-gpt) +- [Windows and GPT FAQ](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-and-gpt-faq) + +### Troubleshoot Kiosk mode +- [Troubleshoot kiosk mode issues](https://docs.microsoft.com/windows/configuration/kiosk-troubleshoot) + +### Troubleshoot No Boot +- [Advanced troubleshooting for Windows boot problems](https://docs.microsoft.com/windows/client-management/advanced-troubleshooting-boot-problems) + +### Troubleshoot Push Button Reset +- [Push-button reset frequently-asked questions (FAQ)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/pbr-faq) +- [Push-button reset frequently-asked questions (FAQ)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/pbr-validation) +- [Recovery components](https://docs.microsoft.com/windows-hardware/manufacture/desktop/recovery-strategy-for-common-customizations) + +### Troubleshoot Power Management +- [Modern Standby FAQs](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby-faqs) -These are the top Microsoft Support solutions for the most common issues experienced when using Windows 10 in an enterprise or IT pro environment. The links below include links to KB articles, updates, and library articles. 
+### Troubleshoot Secure Boot +- [Secure Boot isn't configured correctly: troubleshooting](https://docs.microsoft.com/windows-hardware/manufacture/desktop/secure-boot-isnt-configured-correctly-troubleshooting) -## Solutions related to installing Windows Updates -- [How does Windows Update work](https://docs.microsoft.com/windows/deployment/update/how-windows-update-works) +### Troubleshoot Setup and Install +- [Deployment Troubleshooting and Log Files](https://docs.microsoft.com/windows-hardware/manufacture/desktop/deployment-troubleshooting-and-log-files) + + +### Troubleshoot Start Menu +- [Troubleshoot Start menu errors](https://docs.microsoft.com/windows/configuration/start-layout-troubleshoot) + + +### Troubleshoot Subscription Activation +- [Deploy Windows 10 Enterprise licenses](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses) + +### Troubleshoot System Hang +- [Advanced troubleshooting for Windows-based computer freeze issues](https://docs.microsoft.com/windows/client-management/troubleshoot-windows-freeze) + +### Troubleshoot TCP/IP Communication +- [Collect data using Network Monitor](https://docs.microsoft.com/windows/client-management/troubleshoot-tcpip-netmon) +- [Troubleshoot TCP/IP connectivity](https://docs.microsoft.com/windows/client-management/troubleshoot-tcpip-connectivity) +- [Troubleshoot port exhaustion issues](https://docs.microsoft.com/windows/client-management/troubleshoot-tcpip-port-exhaust) +- [Troubleshoot Remote Procedure Call (RPC) errors](https://docs.microsoft.com/windows/client-management/troubleshoot-tcpip-rpc-errors) + +### Troubleshoot User State Migration Toolkit (USMT) +- [Common Issues](https://docs.microsoft.com/windows/deployment/usmt/usmt-common-issues) +- [Frequently Asked Questions](https://docs.microsoft.com/windows/deployment/usmt/usmt-faq) +- [Log Files](https://docs.microsoft.com/windows/deployment/usmt/usmt-log-files) +- [Return 
Codes](https://docs.microsoft.com/windows/deployment/usmt/usmt-return-codes) + +### Troubleshoot Windows Hello for Business (WHFB) +- [Windows Hello for Business Frequently Asked Questions](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-faq) +- [Windows Hello errors during PIN creation (Windows 10)](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation) +- [Event ID 300 - Windows Hello successfully created (Windows 10)](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-event-300) + + +### Troubleshoot Windows Analytics +- [Frequently asked questions and troubleshooting Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-faq-troubleshooting) + +### Troubleshoot Windows Update +- [How Windows Update works](https://docs.microsoft.com/windows/deployment/update/how-windows-update-works) - [Windows Update log files](https://docs.microsoft.com/windows/deployment/update/windows-update-logs) - [Windows Update troubleshooting](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting) - [Windows Update common errors and mitigation](https://docs.microsoft.com/windows/deployment/update/windows-update-errors) -- [Windows Update - additional resources](https://docs.microsoft.com/windows/deployment/update/windows-update-resources) +- [Windows Update - Additional resources](https://docs.microsoft.com/windows/deployment/update/windows-update-resources) +- [Get started with Windows Update](https://docs.microsoft.com/windows/deployment/update/windows-update-overview) +- [Servicing stack updates](https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates) -## Solutions related to installing or upgrading Windows +### Troubleshoot Windows Upgrade +- [Quick fixes - Windows IT Pro](https://docs.microsoft.com/windows/deployment/upgrade/quick-fixes) +- 
[SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag) +- [Troubleshoot Windows 10 upgrade errors - Windows IT Pro](https://docs.microsoft.com/windows/deployment/upgrade/troubleshoot-upgrade-errors) +- [Windows error reporting - Windows IT Pro](https://docs.microsoft.com/windows/deployment/upgrade/windows-error-reporting) +- [Upgrade error codes - Windows IT Pro](https://docs.microsoft.com/windows/deployment/upgrade/upgrade-error-codes) +- [Log files - Windows IT Pro](https://docs.microsoft.com/windows/deployment/upgrade/log-files) +- [Resolution procedures - Windows IT Pro](https://docs.microsoft.com/windows/deployment/upgrade/resolution-procedures) -- [Quick Fixes](https://docs.microsoft.com/windows/deployment/upgrade/quick-fixes) -- [Troubleshooting upgrade errors](https://docs.microsoft.com/windows/deployment/upgrade/troubleshoot-upgrade-errors) -- [Resolution procedures](https://docs.microsoft.com/windows/deployment/upgrade/resolution-procedures) -- [0xc1800118 error when you push Windows 10 Version 1607 by using WSUS](https://support.microsoft.com/en-in/help/3194588/0xc1800118-error-when-you-push-windows-10-version-1607-by-using-wsus) -- [0xC1900101 error when Windows 10 upgrade fails after the second system restart](https://support.microsoft.com/en-in/help/3208485/0xc1900101-error-when-windows-10-upgrade-fails-after-the-second-system) +### Troubleshoot Windows Recovery (WinRE) +- [Windows RE troubleshooting features](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-re-troubleshooting-features) -## Solutions related to BitLocker +### Troubleshoot Wireless Connection +- [Advanced Troubleshooting Wireless Network Connectivity](https://docs.microsoft.com/windows/client-management/advanced-troubleshooting-wireless-network-connectivity) -- [BitLocker recovery guide](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan) -- [BitLocker: How to enable Network 
Unlock](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock) -- [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker) -- [BitLocker Group Policy settings](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings) +## Other Resources -## Solutions related to Bugchecks or Stop Errors -- [Troubleshooting Stop error problems for IT Pros](https://support.microsoft.com/help/3106831/troubleshooting-stop-error-problems-for-it-pros) -- [How to use Windows Recovery Environment (WinRE) to troubleshoot common startup issues](https://support.microsoft.com/help/4026030/how-to-use-windows-recovery-environment-winre-to-troubleshoot-common-s) -- [How to troubleshoot Windows-based computer freeze issues](https://support.microsoft.com/help/3118553/how-to-troubleshoot-windows-based-computer-freeze-issues) -- [Introduction of page file in Long-Term Servicing Channel and Semi-Annual Channel of Windows](https://support.microsoft.com/help/4133658) - - -## Solutions related to Windows Boot issues -- [Troubleshooting Windows boot problems for IT Pros](https://support.microsoft.com/help/4343769) -- [How to use Windows Recovery Environment (WinRE) to troubleshoot common startup issues](https://support.microsoft.com/help/4026030/how-to-use-windows-recovery-environment-winre-to-troubleshoot-common-s) - - -## Solutions related to configuring or managing the Start menu -- [Manage Windows 10 Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies) -- [Customize and export Start layout](/windows/configuration/customize-and-export-start-layout) -- [Changes to Group Policy settings for Windows 10 Start](/windows/configuration/changes-to-start-policies-in-windows-10) -- [Preinstalled system 
applications and Start menu may not work when you upgrade to Windows 10, Version 1511](https://support.microsoft.com/help/3152599) -- [Start menu shortcuts aren't immediately accessible in Windows Server 2016](https://support.microsoft.com/help/3198613) -- [Troubleshoot problems opening the Start menu or Cortana](https://support.microsoft.com/help/12385/windows-10-troubleshoot-problems-opening-start-menu-cortana) -- [Modern apps are blocked by security software when you start the applications on Windows 10 Version 1607](https://support.microsoft.com/help/4016973/modern-apps-are-blocked-by-security-software-when-you-start-the-applic) - -## Solutions related to wireless networking and 802.1X authentication -- [Advanced Troubleshooting Wireless Network](Connectivity]https://docs.microsoft.com/windows/client-management/advanced-troubleshooting-wireless-network-connectivity) -- [Advanced Troubleshooting 802.1x Authentication](https://docs.microsoft.com/windows/client-management/advanced-troubleshooting-802-authentication) -- [Troubleshooting Windows 802.11 Wireless Connections](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-vista/cc766215(v=ws.10)) -- [Troubleshooting Windows Secure 802.3 Wired Connections](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-vista/cc749352(v%3dws.10)) -- [Windows 10 devices can't connect to an 802.1X environment](https://support.microsoft.com/kb/3121002) +### [Troubleshooting Windows Server components](https://docs.microsoft.com/en-us/windows-server/troubleshoot/windows-server-support-solutions) From d442c701877d61f7fac3be4cdedfae114a261af6 Mon Sep 17 00:00:00 2001 
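Review bot: the hunk deletes the "Solutions related to BitLocker", "Bugchecks or Stop Errors", "Windows Boot issues", "Start menu" and "wireless networking and 802.1X authentication" sections outright instead of carrying them under the new "Troubleshoot ..." headings, so the BitLocker recovery guide, Network Unlock, Stop error, boot, Start menu and 802.1X/802.3 links all disappear from the page; either re-add them as "Troubleshoot BitLocker", "Troubleshoot Stop errors" and "Troubleshoot 802.1X Authentication" entries in the new style, or say in the commit message where those resources now live. Two smaller points: the new `### [Troubleshooting Windows Server components](https://docs.microsoft.com/en-us/windows-server/...)` link carries an `en-us` locale segment while every other link on the page is locale-neutral, and dropping the malformed `[Advanced Troubleshooting Wireless Network](Connectivity]https://...)` line is correct, but the "Troubleshoot Wireless Connection" section that replaces it keeps only the wireless-connectivity article.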
From: Felix Reichmann <54814163+Van-Fouran@users.noreply.github.com> Date: Fri, 18 Oct 2019 22:15:00 +0200 Subject: [PATCH 39/68] Information DOES NOT apply to Windows 10 The first section of this article applies to windows 10. The linked article where you should find further information DOES NOT apply to windows 10 (https://github.com/MicrosoftDocs/windows-driver-docs/pull/1764 and https://github.com/MicrosoftDocs/windows-driver-docs/issues/1753). So the statement, "see Secure boot and BitLocker Device Encryption overview", is incorrect in this context. Since the sentence does not make sense without a linked page I deleted the whole sentence. I would propose either to delete the whole sentence like in my pull request or to link another appropriate page. --- .../bitlocker/bitlocker-device-encryption-overview-windows-10.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md index b9b8646bf0..f22d7064d5 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md +++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md 
@@ -22,7 +22,6 @@ ms.reviewer: - Windows 10 This topic explains how BitLocker Device Encryption can help protect data on devices running Windows 10. -For an architectural overview about how BitLocker Device Encryption works with Secure Boot, see [Secure boot and BitLocker Device Encryption overview](https://docs.microsoft.com/windows-hardware/drivers/bringup/secure-boot-and-device-encryption-overview). For a general overview and list of topics about BitLocker, see [BitLocker](bitlocker-overview.md). When users travel, their organization’s confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives. Windows consistently improves data protection by improving existing options and by providing new strategies. From 01a0578d4eeeec0d19764617f80efa4465d270a8 Mon Sep 17 00:00:00 2001 From: turingcompl33t Date: Sat, 19 Oct 2019 11:21:30 -0400 Subject: [PATCH 40/68] Fix Typo "mpcmdrum.exe" should be "mpcmdrun.exe" --- .../run-scan-windows-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md index 33c3ad51b5..4c62952e60 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md 
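Review bot: removing the sentence is the safe fix given the commit message's finding that the linked "Secure boot and BitLocker Device Encryption overview" does not apply to Windows 10, but the topic is left with no pointer at all to how Device Encryption depends on Secure Boot, which is the security-relevant part of the architecture; if a Windows 10-scoped reference exists, replacing the link is better than deleting the sentence, and otherwise the commit message's proposal ("link another appropriate page") should be recorded as a follow-up so the gap is not forgotten.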
@@ -42,7 +42,7 @@ A full scan can be useful on endpoints that have encountered a malware threat to See [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using System Center Configuration Manager (current branch) to run a scan. -**Use the mpcmdrum.exe command-line utility to run a scan:** +**Use the mpcmdrun.exe command-line utility to run a scan:** Use the following `-scan` parameter: From 62fbd14775892151a09bb96a4be63013ac0143d9 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 20 Oct 2019 22:52:19 +0500 Subject: [PATCH 41/68] Update lock-down-windows-10-to-specific-apps.md --- .../configuration/lock-down-windows-10-to-specific-apps.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index f42631e973..eaa5591a59 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -466,9 +466,7 @@ Note: - - - + ``` From 220a88f465d31db183def13efc5fc75a15af1429 Mon Sep 17 00:00:00 2001 
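Review bot: the fix is right (the utility is MpCmdRun.exe); since the same misspelling may recur in the command lines that follow `Use the following -scan parameter:`, grep the rest of the file for `mpcmdrum` before merging so the heading and the examples agree.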
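Review bot: the commit message says only "Update lock-down-windows-10-to-specific-apps.md" and the hunk replaces three lines with one inside the fenced configuration sample just after the `Note:` block, with no explanation of what was wrong; since that sample is what admins paste into an assigned-access configuration, the message should state which element was removed or corrected and confirm the sample still validates after the change.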
From: illfated Date: Mon, 21 Oct 2019 04:15:06 +0200 Subject: [PATCH 42/68] MDATP/Raw Data Streaming: turn Preview features On Description: As noted in issue ticket #5166 (Has Data Export been retired?), streaming Advanced Hunting events to your Storage account is only available if you turn on the Preview feature switch in Settings -> Advanced Features. Thanks to Daniel Snelling (dancs85) for reporting this issue. Proposed change: - Add a required procedural step to turn on **Preview features** Additional notes: The format and placement of this information is very much subject to change before merging into the existing document page, depending on factual feedback from the document author or manager. issue ticket closure or reference: Closes #5166 --- .../microsoft-defender-atp/raw-data-export-storage.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md index 3d9ca8313a..3b08db0a4f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md +++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md @@ -28,7 +28,8 @@ Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://w ## Before you begin: 1. Create a [Storage account](https://docs.microsoft.com/azure/storage/common/storage-account-overview) in your tenant. -2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to **Microsoft.insights****. +2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to Microsoft.insights**. +3. Go to **Settings > Advanced Features > Preview features** and turn Preview features **On**. ## Enable raw data streaming: 
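Review bot: the new step 3 (`Go to **Settings > Advanced Features > Preview features** and turn Preview features **On**`) does not say which portal it refers to, and because step 2 has just sent the reader to the Azure portal they will look for it there; state that this is in Microsoft Defender Security Center, which the commit message implies. Separately, the `https://ms.portal.azure.com/` link in step 2 appears to be the Microsoft-internal portal hostname; public documentation should point at `https://portal.azure.com/`.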
From e35fecc2423170ce70a2f8b23b4824353b219fde Mon Sep 17 00:00:00 2001 From: Cody <46697052+CGREEN95@users.noreply.github.com> Date: Sun, 20 Oct 2019 22:54:37 -0700 Subject: [PATCH 43/68] Fix Typo (Line 171) Move 'the' after 'meets'. --- windows/deployment/windows-10-subscription-activation.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 11ef79b654..8ceb4e28f5 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -7,7 +7,8 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: mdt -audience: itpro author: greg-lindsay +audience: itpro +author: greg-lindsay manager: laurawi ms.collection: M365-modern-desktop search.appverid: @@ -167,7 +168,7 @@ The following policies apply to acquisition and renewal of licenses on devices: - Devices that have been upgraded will attempt to renew licenses about every 30 days, and must be connected to the Internet to successfully acquire or renew a license. - If a device is disconnected from the Internet until its current subscription expires, the operating system will revert to Windows 10 Pro or Windows 10 Pro Education. As soon as the device is connected to the Internet again, the license will automatically renew. - Up to five devices can be upgraded for each user license. -- If a device the meets requirements and a licensed user signs in on that device, it will be upgraded. +- If a device meets the requirements and a licensed user signs in on that device, it will be upgraded. Licenses can be reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs. From c74474fc37fe08857f17876d6ded15e8a1d4a6b9 Mon Sep 17 00:00:00 2001 
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 21 Oct 2019 15:58:15 +0500 Subject: [PATCH 44/68] Update network-access-restrict-clients-allowed-to-make-remote-sam-calls.md --- ...access-restrict-clients-allowed-to-make-remote-sam-calls.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md index 56c8938d8f..5f46ca3685 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md @@ -37,6 +37,9 @@ This means that if you have a mix of computers, such as member servers that run This topic also covers related events, and how to enable audit mode before constraining the security principals that are allowed to remotely enumerate users and groups so that your environment remains secure without impacting application compatibility. +> [!NOTE] +> Implementation of this policy [could affect offline address book generation](https://support.microsoft.com/help/4055652/access-checks-fail-because-of-authz-access-denied-error-in-windows-ser) on servers running Microsoft Exchange 2016 or Microsoft Exchange 2013. + ## Reference The SAMRPC protocol makes it possible for a low privileged user to query a machine on a network for data. From c4b7c7c8f9186c26484153c029d80c996f0031f5 Mon Sep 17 00:00:00 2001 
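Review bot: the note warns that the policy "could affect offline address book generation" on Exchange 2016/2013 but gives the reader nothing to act on; since the page's own advice is to run in audit mode before constraining who can make remote SAM calls, add the one-line consequence here (which accounts must remain permitted, or whatever the linked article prescribes as the workaround) so an admin does not have to leave the page to learn whether Exchange servers belong in the allowed list.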
From: JC <47532346+Jcoetsee@users.noreply.github.com> Date: Mon, 21 Oct 2019 19:25:00 +0200 Subject: [PATCH 45/68] change made to "disable local list merging" This relates to https://github.com/MicrosoftDocs/windows-itpro-docs/issues/5035 --- ...nfigure-local-policy-overrides-windows-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md index 31bb4fd4b9..499df8dfac 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md @@ -80,7 +80,7 @@ You can disable this setting to ensure that only globally-defined lists (such as 3. Expand the tree to **Windows components > Windows Defender Antivirus**. -4. Double-click **Configure local administrator merge behavior for lists** and set the option to **Enabled**. Click **OK**. +4. Double-click **Configure local administrator merge behavior for lists** and set the option to **Disabled**. Click **OK**. > [!NOTE] > If you disable local list merging, it will override controlled folder access settings. It also overrides any protected folders or allowed apps set by the local administrator. For more information about controlled folder access settings, see [Enable controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard). From 9e9d79e2dd14c41b813a381681dbaeb18a5f3cc4 Mon Sep 17 00:00:00 2001 
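Review bot: `Disabled` is the correct value and now agrees with the lead-in sentence "You can disable this setting to ensure that only globally-defined lists..." and with the following Note ("If you disable local list merging..."), but the policy name "Configure local administrator merge behavior for lists" reads as if Enabled were the restrictive choice, which is presumably how the original error crept in; add a half sentence after step 4 saying that Disabled turns local list merging off, so the next editor does not "fix" it back to Enabled.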
From: illfated Date: Sun, 6 Oct 2019 13:58:51 +0200 Subject: [PATCH 46/68] Windows/Deployment: add Peer Cache Enterprise note Description: Based on community feedback and recommendation, this document can be improved by adding notes regarding Delivery Optimization and endpoints. Thanks to Stephen Leuthold for providing feedback and the information. See also issue ticket "Delivery Optimization" (#4638). Proposed changes: - add a note containing the text suggested by SLeuthold - add MarkDown compatibility quote spacing (33) Caveats: - The added text does not necessarily have to be in the form of a Note. - The added text can, if required, be placed somewhere else on the page. issue ticket closure or reference: Closes #4638 --- .../feature-update-maintenance-window.md | 71 ++++++++++--------- 1 file changed, 37 insertions(+), 34 deletions(-) diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md index 0fbe54bae5..213f3c3f5a 100644 --- a/windows/deployment/update/feature-update-maintenance-window.md +++ b/windows/deployment/update/feature-update-maintenance-window.md 
@@ -38,10 +38,10 @@ If you’re not suppressing computer restarts and the feature update will be ins For example, by default, 90 minutes will be honored before the system is rebooted after the feature update install. If users will not be impacted by the user logoff or restart, there is no need to wait a full 90 minutes before rebooting the computer. If a delay and notification is needed, ensure that the maintenance window takes this into account along with the total time needed to install the feature update. ->[!NOTE] +> [!NOTE] > The following settings must be shorter in duration than the shortest maintenance window applied to the computer. ->- **Display a temporary notification to the user that indicates the interval before the user is logged off or the computer restarts (minutes).** ->- **Display a dialog box that the user cannot close, which displays the countdown interval before the user is logged off or the computer restarts (minutes).** +> - **Display a temporary notification to the user that indicates the interval before the user is logged off or the computer restarts (minutes).** +> - **Display a dialog box that the user cannot close, which displays the countdown interval before the user is logged off or the computer restarts (minutes).** ### Step 3: Enable Peer Cache 
@@ -49,6 +49,9 @@ Use **Peer Cache** to help manage deployment of content to clients in remote loc [Enable Configuration Manager client in full OS to share content](https://docs.microsoft.com/sccm/core/clients/deploy/about-client-settings#enable-configuration-manager-client-in-full-os-to-share-content) if you have clients in remote locations that would benefit from downloading feature update content from a peer instead of downloading it from a distribution point (or Microsoft Update). +> [!NOTE] +> In the enterprise, content delivery optimization via caching and peering solutions is imperative to mitigate the risk of interrupting business operations. It is important when downloading large payloads from the cloud (feature updates, quality updates, and so on). Most smaller organizations may have this enabled by default, but larger enterprises may need to plan an implementation to logically group different sites via AD Site or SCCM boundary group, as the egress/ingress point may be a data center in another location, rather than an internet connection local to them. Otherwise they will peer with clients potentially not in the same physical location. + ### Step 4: Override the default Windows setup priority (Windows 10, version 1709 and later) If you’re deploying **Feature update to Windows 10, version 1709** or later, by default, portions of setup are configured to run at a lower priority. This can result in a longer total install time for the feature update. When deploying within a maintenance window, we recommend that you override this default behavior to benefit from faster total install times. To override the default priority, create a file called SetupConfig.ini on each machine to be upgraded in the below location containing the single section noted. 
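Review bot: the added Note at Step 3 says "Most smaller organizations may have this enabled by default" without saying what "this" is, and it blurs two different features: Configuration Manager Peer Cache, which the step enables and which stays off until the client setting "Enable Configuration Manager client in full OS to share content" is turned on, and Windows Delivery Optimization, which the commit message is about. Name each feature, and turn the last sentence into an instruction (scope peering by boundary group for Peer Cache and by AD site for Delivery Optimization so clients do not pull content across a WAN link) instead of "Otherwise they will peer with clients potentially not in the same physical location". The opening "imperative to mitigate the risk of interrupting business operations" is marketing tone for a how-to; "reduces WAN traffic during large downloads" says what is meant.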
@@ -102,8 +105,8 @@ loss of business information, or other pecuniary loss) arising out of the use of or documentation, even if Microsoft has been advised of the possibility of such damages. ``` ->[!NOTE] ->If you elect not to override the default setup priority, you will need to increase the [maximum run time](https://docs.microsoft.com/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value. +> [!NOTE] +> If you elect not to override the default setup priority, you will need to increase the [maximum run time](https://docs.microsoft.com/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value. ## Manually deploy feature updates 
@@ -133,20 +136,20 @@ Before you deploy the feature updates, you can download the content as a separat - **Description**: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters. - **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\server\sharename\path, or click **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page. - >[!NOTE] - >The deployment package source location that you specify cannot be used by another software deployment package. + > [!NOTE] + > The deployment package source location that you specify cannot be used by another software deployment package. - >[!IMPORTANT] - >The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files. + > [!IMPORTANT] + > The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files. - >[!IMPORTANT] - >You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location. + > [!IMPORTANT] + > You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. 
But if you do so, you must first copy the content from the original package source to the new package source location. Click **Next**. 4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then click **Next**. For more information about distribution points, see [Distribution point configurations](https://docs.microsoft.com/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs). - >[!NOTE] - >The Distribution Points page is available only when you create a new software update deployment package. + > [!NOTE] + > The Distribution Points page is available only when you create a new software update deployment package. 5. On the **Distribution Settings** page, specify the following settings: - **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: High, Medium, or Low. Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority. By default, packages are sent using Medium priority. 
@@ -163,8 +166,8 @@ Before you deploy the feature updates, you can download the content as a separat - **Download software updates from the Internet**: Select this setting to download the software updates from the location on the Internet. This is the default setting. - **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access. - >[!NOTE] - >When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard. + > [!NOTE] + > When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard. Click **Next**. 7. On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then click **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. For example, if you selected English and German based feature updates for download, select those same languages on the language selection page. 
@@ -195,52 +198,52 @@ After you determine which feature updates you intend to deploy, you can manually - **Type of deployment**: Specify the deployment type for the software update deployment. Select **Required** to create a mandatory software update deployment in which the feature updates are automatically installed on clients before a configured installation deadline. - >[!IMPORTANT] + > [!IMPORTANT] > After you create the software update deployment, you cannot later change the type of deployment. - >[!NOTE] - >A software update group deployed as Required will be downloaded in background and honor BITS settings, if configured. + > [!NOTE] + > A software update group deployed as Required will be downloaded in background and honor BITS settings, if configured. - **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled and is available only when Type of deployment is set to Required. - >[!WARNING] - >Before you can use this option, computers and networks must be configured for Wake On LAN. + > [!WARNING] + > Before you can use this option, computers and networks must be configured for Wake On LAN. - **Detail level**: Specify the level of detail for the state messages that are reported by client computers. 6. On the Scheduling page, configure the following settings: - **Schedule evaluation**: Specify whether the available time and installation deadline times are evaluated according to UTC or the local time of the computer running the Configuration Manager console. 
- >[!NOTE] - >When you select local time, and then select **As soon as possible** for the **Software available time** or **Installation deadline**, the current time on the computer running the Configuration Manager console is used to evaluate when updates are available or when they are installed on a client. If the client is in a different time zone, these actions will occur when the client's time reaches the evaluation time. + > [!NOTE] + > When you select local time, and then select **As soon as possible** for the **Software available time** or **Installation deadline**, the current time on the computer running the Configuration Manager console is used to evaluate when updates are available or when they are installed on a client. If the client is in a different time zone, these actions will occur when the client's time reaches the evaluation time. - **Software available time**: Select **As soon as possible** to specify when the software updates will be available to clients: - **As soon as possible**: Select this setting to make the software updates in the deployment available to clients as soon as possible. When the deployment is created, the client policy is updated, the clients are made aware of the deployment at their next client policy polling cycle, and then the software updates are available for installation. - **Installation deadline**: Select **Specific time** to specify the installation deadline for the software updates in the deployment. - >[!NOTE] - >You can configure the installation deadline setting only when **Type of deployment** is set to **Required** on the Deployment Settings page. + > [!NOTE] + > You can configure the installation deadline setting only when **Type of deployment** is set to **Required** on the Deployment Settings page. - **Specific time**: Select this setting to automatically install the software updates in the deployment at a specific date and time. 
Set the date and time value to correspond with your defined maintenance window for the target collection. Allow sufficient time for clients to download the content in advance of the deadline. Adjust accordingly if clients in your environment will need additional download time. E.g., slow or unreliable network links. - >[!NOTE] - >The actual installation deadline time is the specific time that you configure plus a random amount of time up to 2 hours. This reduces the potential impact of all client computers in the destination collection installing the software updates in the deployment at the same time. Configure the Computer Agent client setting, Disable deadline randomization to disable the installation randomization delay for the required software updates to allow a greater chance for the installation to start and complete within your defined maintenance window. For more information, see [Computer Agent](https://docs.microsoft.com/sccm/core/clients/deploy/about-client-settings#computer-agent). + > [!NOTE] + > The actual installation deadline time is the specific time that you configure plus a random amount of time up to 2 hours. This reduces the potential impact of all client computers in the destination collection installing the software updates in the deployment at the same time. Configure the Computer Agent client setting, Disable deadline randomization to disable the installation randomization delay for the required software updates to allow a greater chance for the installation to start and complete within your defined maintenance window. For more information, see [Computer Agent](https://docs.microsoft.com/sccm/core/clients/deploy/about-client-settings#computer-agent). 7. 
On the User Experience page, configure the following settings: - **User notifications**: Specify whether to display notification of the software updates in Software Center on the client computer at the configured **Software available time** and whether to display user notifications on the client computers. When **Type of deployment** is set to **Available** on the Deployment Settings page, you cannot select **Hide in Software Center and all notifications**. - **Deadline behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify the behavior that is to occur when the deadline is reached for the software update deployment. Specify whether to install the software updates in the deployment. Also specify whether to perform a system restart after software update installation regardless of a configured maintenance window. For more information about maintenance windows, see [How to use maintenance windows](https://docs.microsoft.com/sccm/core/clients/manage/collections/use-maintenance-windows). - **Device restart behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify whether to suppress a system restart on servers and workstations after software updates are installed and a system restart is required to complete the installation. - >[!IMPORTANT] - >Suppressing system restarts can be useful in server environments or for cases in which you do not want the computers that are installing the software updates to restart by default. However, doing so can leave computers in an insecure state, whereas allowing a forced restart helps to ensure immediate completion of the software update installation. + > [!IMPORTANT] + > Suppressing system restarts can be useful in server environments or for cases in which you do not want the computers that are installing the software updates to restart by default. 
However, doing so can leave computers in an insecure state, whereas allowing a forced restart helps to ensure immediate completion of the software update installation. - **Write filter handling for Windows Embedded devices**: When you deploy software updates to Windows Embedded devices that are write filter enabled, you can specify to install the software update on the temporary overlay and either commit changes later or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device. - >[!NOTE] - >When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. + > [!NOTE] + > When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. - **Software updates deployment re-evaluation behavior upon restart**: Starting in Configuration Manager version 1606, select this setting to configure software updates deployments to have clients run a software updates compliance scan immediately after a client installs software updates and restarts. This enables the client to check for additional software updates that become applicable after the client restarts, and to then install them (and become compliant) during the same maintenance window. 8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page. - >[!NOTE] - >You can review recent software updates alerts from the Software Updates node in the Software Library workspace. 
+ > [!NOTE] + > You can review recent software updates alerts from the Software Updates node in the Software Library workspace. 9. On the Download Settings page, configure the following settings: - Specify whether the client will download and install the software updates when a client is connected to a slow network or is using a fallback content location. - Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates is not available on a preferred distribution point. 
@@ -248,8 +251,8 @@ After you determine which feature updates you intend to deploy, you can manually - **If software updates are not available on distribution point in current, neighbor or site groups, download content from Microsoft Updates**: Select this setting to have clients that are connected to the intranet download software updates from Microsoft Update if software updates are not available on distribution points. Internet-based clients can always go to Microsoft Update for software updates content. - Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection. - >[!NOTE] - >Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios). + > [!NOTE] + > Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios). 10. On the Summary page, review the settings. To save the settings to a deployment template, click **Save As Template**, enter a name and select the settings that you want to include in the template, and then click **Save**. To change a configured setting, click the associated wizard page and change the setting. 11. Click **Next** to deploy the feature update(s). 
From d3b7b88ecb88f5370c98fd70837a8d08eca45f0d Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Sun, 6 Oct 2019 17:44:06 +0200 Subject: [PATCH 47/68] Update windows/deployment/update/feature-update-maintenance-window.md - add an Oxford comma Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../deployment/update/feature-update-maintenance-window.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md index 213f3c3f5a..d81400c002 100644 --- a/windows/deployment/update/feature-update-maintenance-window.md +++ b/windows/deployment/update/feature-update-maintenance-window.md @@ -4,7 +4,8 @@ description: Learn how to deploy feature updates during a maintenance window ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -audience: itpro author: greg-lindsay +audience: itpro +author: greg-lindsay ms.localizationpriority: medium ms.author: greglin ms.date: 07/09/2018 
@@ -49,7 +50,7 @@ Use **Peer Cache** to help manage deployment of content to clients in remote loc [Enable Configuration Manager client in full OS to share content](https://docs.microsoft.com/sccm/core/clients/deploy/about-client-settings#enable-configuration-manager-client-in-full-os-to-share-content) if you have clients in remote locations that would benefit from downloading feature update content from a peer instead of downloading it from a distribution point (or Microsoft Update). -> [!NOTE] +> In any enterprise, content delivery optimization via caching and peering solutions is imperative to mitigate the risk of interrupting business operations. It is important when downloading large payloads from the cloud (feature updates, quality updates, and so on). Most smaller organizations may have this enabled by default, but larger enterprises may need to plan an implementation to logically group different sites via AD Site or SCCM boundary group, as the egress/ingress point may be a data center in another location, rather than an Internet connection local to them. Otherwise they will peer with clients potentially not in the same physical location. > In the enterprise, content delivery optimization via caching and peering solutions is imperative to mitigate the risk of interrupting business operations. It is important when downloading large payloads from the cloud (feature updates, quality updates, and so on). Most smaller organizations may have this enabled by default, but larger enterprises may need to plan an implementation to logically group different sites via AD Site or SCCM boundary group, as the egress/ingress point may be a data center in another location, rather than an internet connection local to them. Otherwise they will peer with clients potentially not in the same physical location. ### Step 4: Override the default Windows setup priority (Windows 10, version 1709 and later) From aa498077fda1dd8e848d7e9bc186ff53c6f88033 Mon Sep 17 00:00:00 2001 
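Review bot: in the `@@ -49,7 +50,7 @@` hunk of PATCH 47 the `> [!NOTE]` marker is removed while the original paragraph (`> In the enterprise, content delivery optimization ...`) is left in place beside the new `+> In any enterprise, ...` line, so the rendered page loses the note callout and shows two near-identical blockquotes that differ only in "In any"/"In the" and "Internet"/"internet". If the intent is a rewording, keep the `> [!NOTE]` line and replace the old paragraph instead of adding a second one. The commit subject ("add an Oxford comma") also does not describe what the hunk changes; the serial comma in "(feature updates, quality updates, and so on)" is present on both the old and the new line, so the message should name the actual wording change.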
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Sun, 6 Oct 2019 17:47:14 +0200 Subject: [PATCH 48/68] Update windows/deployment/update/feature-update-maintenance-window.md - highlight the keyword "Required" - add a missing "the" Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/deployment/update/feature-update-maintenance-window.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md index d81400c002..0a8a120e61 100644 --- a/windows/deployment/update/feature-update-maintenance-window.md +++ b/windows/deployment/update/feature-update-maintenance-window.md @@ -203,7 +203,7 @@ After you determine which feature updates you intend to deploy, you can manually > After you create the software update deployment, you cannot later change the type of deployment. > [!NOTE] - > A software update group deployed as Required will be downloaded in background and honor BITS settings, if configured. + > A software update group deployed as **Required** will be downloaded in the background and honor BITS settings, if configured. - **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled and is available only when Type of deployment is set to Required. From eff38d1336120894ad2eee2219872ad4d9ee8feb Mon Sep 17 00:00:00 2001 
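Review bot: in PATCH 48 the note now bolds **Required**, but the bullet that follows in the same hunk's context still reads "available only when Type of deployment is set to Required" with neither term highlighted, whereas the Deployment Settings bullets elsewhere in this file write **Type of deployment** and **Required** in bold. If the keyword is being highlighted here, apply the same formatting to that sentence so the setting name is styled consistently. The added "the" in "downloaded in the background" is correct.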
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Sun, 6 Oct 2019 18:03:22 +0200 Subject: [PATCH 49/68] Update windows/deployment/update/feature-update-maintenance-window.md - added already existing corrections from JohanFreelancer9 - change the link from docs.microsoft.com to its Github counterpart --- windows/deployment/update/feature-update-maintenance-window.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md index 0a8a120e61..189bde6642 100644 --- a/windows/deployment/update/feature-update-maintenance-window.md +++ b/windows/deployment/update/feature-update-maintenance-window.md 
@@ -228,7 +228,7 @@ After you determine which feature updates you intend to deploy, you can manually - **Specific time**: Select this setting to automatically install the software updates in the deployment at a specific date and time. Set the date and time value to correspond with your defined maintenance window for the target collection. Allow sufficient time for clients to download the content in advance of the deadline. Adjust accordingly if clients in your environment will need additional download time. E.g., slow or unreliable network links. > [!NOTE] - > The actual installation deadline time is the specific time that you configure plus a random amount of time up to 2 hours. This reduces the potential impact of all client computers in the destination collection installing the software updates in the deployment at the same time. Configure the Computer Agent client setting, Disable deadline randomization to disable the installation randomization delay for the required software updates to allow a greater chance for the installation to start and complete within your defined maintenance window. For more information, see [Computer Agent](https://docs.microsoft.com/sccm/core/clients/deploy/about-client-settings#computer-agent). + > The actual installation deadline time is the specific time that you configure plus a random amount of time up to two hours. This reduces the potential impact of all client computers in the destination collection installing the software updates in the deployment at the same time. Configure the Computer Agent client setting **Disable deadline randomization** to disable the installation randomization delay for the required software updates to allow a greater chance for the installation to start and complete within your defined maintenance window. For more information, see [Computer Agent](https://github.com/MicrosoftDocs/SCCMdocs/blob/master/sccm/core/clients/deploy/about-client-settings.md#computer-agent). 7. 
On the User Experience page, configure the following settings: - **User notifications**: Specify whether to display notification of the software updates in Software Center on the client computer at the configured **Software available time** and whether to display user notifications on the client computers. When **Type of deployment** is set to **Available** on the Deployment Settings page, you cannot select **Hide in Software Center and all notifications**. - **Deadline behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify the behavior that is to occur when the deadline is reached for the software update deployment. Specify whether to install the software updates in the deployment. Also specify whether to perform a system restart after software update installation regardless of a configured maintenance window. For more information about maintenance windows, see [How to use maintenance windows](https://docs.microsoft.com/sccm/core/clients/manage/collections/use-maintenance-windows). From 310e9cbeaaca6e304ae2369ff6bcfa10d2c747a0 Mon Sep 17 00:00:00 2001 From: illfated Date: Sun, 6 Oct 2019 18:41:59 +0200 Subject: [PATCH 50/68] Update feature-update-maintenance-window.md - re-add the removed `> [!NOTE]` line for the new note - properly remove an added line which should have been replaced - remove trailing spaces (redundant blank space at the end of the lines) --- .../feature-update-maintenance-window.md | 226 +++++++++--------- 1 file changed, 113 insertions(+), 113 deletions(-) diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md index 189bde6642..ad5ba452f9 100644 --- a/windows/deployment/update/feature-update-maintenance-window.md +++ b/windows/deployment/update/feature-update-maintenance-window.md 
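Review bot: the link change in the `@@ -228,7 +228,7 @@` hunk of PATCH 49 (eff38d13) replaces the published docs URL with the GitHub source file (`https://github.com/MicrosoftDocs/SCCMdocs/blob/master/sccm/core/clients/deploy/about-client-settings.md#computer-agent`). Every other link in this file, including the maintenance-windows link in the context lines directly below the hunk, points to docs.microsoft.com, so readers following this one would land on raw Markdown in a repository instead of the rendered page, and a `blob/master` URL breaks as soon as the file moves or the default branch is renamed. Keep the removed line's target, `https://docs.microsoft.com/sccm/core/clients/deploy/about-client-settings#computer-agent`. The other two edits in the hunk, "2 hours" to "two hours" and bolding **Disable deadline randomization** as a setting name, are fine.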
@@ -9,7 +9,7 @@ author: greg-lindsay ms.localizationpriority: medium ms.author: greglin ms.date: 07/09/2018 -ms.reviewer: +ms.reviewer: manager: laurawi ms.collection: M365-modern-desktop ms.topic: article 
@@ -25,22 +25,22 @@ Use the following information to deploy feature updates during a maintenance win ### Step 1: Configure maintenance windows -1. In the Configuration Manager console, choose **Assets and Compliance> Device Collections**. -2. In the **Device Collections** list, select the collection for which you intended to deploy the feature update(s). -3. On the **Home** tab, in the **Properties** group, choose **Properties**. -4. In the **Maintenance Windows** tab of the `` Properties dialog box, choose the New icon. -5. Complete the `` Schedule dialog. -6. Select from the Apply this schedule to drop-down list. +1. In the Configuration Manager console, choose **Assets and Compliance> Device Collections**. +2. In the **Device Collections** list, select the collection for which you intended to deploy the feature update(s). +3. On the **Home** tab, in the **Properties** group, choose **Properties**. +4. In the **Maintenance Windows** tab of the `` Properties dialog box, choose the New icon. +5. Complete the `` Schedule dialog. +6. Select from the Apply this schedule to drop-down list. 7. Choose **OK** and then close the **\ Properties** dialog box. ### Step 2: Review computer restart device settings -If you’re not suppressing computer restarts and the feature update will be installed when no users are present, consider deploying a custom client settings policy to your feature update target collection to shorten the settings below or consider the total duration of these settings when defining your maintenance window duration. +If you’re not suppressing computer restarts and the feature update will be installed when no users are present, consider deploying a custom client settings policy to your feature update target collection to shorten the settings below or consider the total duration of these settings when defining your maintenance window duration. For example, by default, 90 minutes will be honored before the system is rebooted after the feature update install. 
If users will not be impacted by the user logoff or restart, there is no need to wait a full 90 minutes before rebooting the computer. If a delay and notification is needed, ensure that the maintenance window takes this into account along with the total time needed to install the feature update. > [!NOTE] -> The following settings must be shorter in duration than the shortest maintenance window applied to the computer. +> The following settings must be shorter in duration than the shortest maintenance window applied to the computer. > - **Display a temporary notification to the user that indicates the interval before the user is logged off or the computer restarts (minutes).** > - **Display a dialog box that the user cannot close, which displays the countdown interval before the user is logged off or the computer restarts (minutes).** 
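Review bot: the `@@ -25,22 +25,22 @@` hunk rewrites steps 1 to 6 for trailing whitespace only and carries forward what look like lost placeholders: steps 4 and 5 contain empty inline-code spans (two adjacent backticks) before "Properties dialog box" and "Schedule dialog", step 6 reads "Select from the Apply this schedule to drop-down list" without naming what to select, and step 7 shows `**\ Properties**` with a stray backslash escape in front of "Properties". As written these render as empty code spans and an incomplete sentence; if a collection-name placeholder in angle brackets was stripped by Markdown processing, restore it in escaped form on all four lines while the hunk is being touched, or reword the steps so they stand without it.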
@@ -48,14 +48,14 @@ For example, by default, 90 minutes will be honored before the system is reboote Use **Peer Cache** to help manage deployment of content to clients in remote locations. Peer Cache is a built-in Configuration Manager solution that enables clients to share content with other clients directly from their local cache. -[Enable Configuration Manager client in full OS to share content](https://docs.microsoft.com/sccm/core/clients/deploy/about-client-settings#enable-configuration-manager-client-in-full-os-to-share-content) if you have clients in remote locations that would benefit from downloading feature update content from a peer instead of downloading it from a distribution point (or Microsoft Update). +[Enable Configuration Manager client in full OS to share content](https://docs.microsoft.com/sccm/core/clients/deploy/about-client-settings#enable-configuration-manager-client-in-full-os-to-share-content) if you have clients in remote locations that would benefit from downloading feature update content from a peer instead of downloading it from a distribution point (or Microsoft Update). +> [!NOTE] > In any enterprise, content delivery optimization via caching and peering solutions is imperative to mitigate the risk of interrupting business operations. It is important when downloading large payloads from the cloud (feature updates, quality updates, and so on). Most smaller organizations may have this enabled by default, but larger enterprises may need to plan an implementation to logically group different sites via AD Site or SCCM boundary group, as the egress/ingress point may be a data center in another location, rather than an Internet connection local to them. Otherwise they will peer with clients potentially not in the same physical location. -> In the enterprise, content delivery optimization via caching and peering solutions is imperative to mitigate the risk of interrupting business operations. 
It is important when downloading large payloads from the cloud (feature updates, quality updates, and so on). Most smaller organizations may have this enabled by default, but larger enterprises may need to plan an implementation to logically group different sites via AD Site or SCCM boundary group, as the egress/ingress point may be a data center in another location, rather than an internet connection local to them. Otherwise they will peer with clients potentially not in the same physical location. ### Step 4: Override the default Windows setup priority (Windows 10, version 1709 and later) -If you’re deploying **Feature update to Windows 10, version 1709** or later, by default, portions of setup are configured to run at a lower priority. This can result in a longer total install time for the feature update. When deploying within a maintenance window, we recommend that you override this default behavior to benefit from faster total install times. To override the default priority, create a file called SetupConfig.ini on each machine to be upgraded in the below location containing the single section noted. +If you’re deploying **Feature update to Windows 10, version 1709** or later, by default, portions of setup are configured to run at a lower priority. This can result in a longer total install time for the feature update. When deploying within a maintenance window, we recommend that you override this default behavior to benefit from faster total install times. To override the default priority, create a file called SetupConfig.ini on each machine to be upgraded in the below location containing the single section noted. %systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini 
@@ -64,7 +64,7 @@ If you’re deploying **Feature update to Windows 10, version 1709** or later, b Priority=Normal ``` -You can use the new [Run Scripts](https://docs.microsoft.com/sccm/apps/deploy-use/create-deploy-scripts) feature to run a PowerShell script like the sample below to create the SetupConfig.ini on target devices. +You can use the new [Run Scripts](https://docs.microsoft.com/sccm/apps/deploy-use/create-deploy-scripts) feature to run a PowerShell script like the sample below to create the SetupConfig.ini on target devices. ``` #Parameters 
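Review bot: the opening fence of the sample script (the ``` immediately before `#Parameters`) carries no language tag, so the block renders without highlighting and nothing tells the reader it is PowerShell. Since the surrounding line is already being rewritten to drop trailing whitespace, change the fence to ```powershell to match the "run a PowerShell script like the sample below" sentence above it.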
@@ -85,181 +85,181 @@ $iniSetupConfigSlogan "@ #Build SetupConfig content with settings -foreach ($k in $iniSetupConfigKeyValuePair.Keys) +foreach ($k in $iniSetupConfigKeyValuePair.Keys) { $val = $iniSetupConfigKeyValuePair[$k] - + $iniSetupConfigContent = $iniSetupConfigContent.Insert($iniSetupConfigContent.Length, "`r`n$k=$val") } -#Write content to file +#Write content to file New-Item $iniFilePath -ItemType File -Value $iniSetupConfigContent -Force -Disclaimer -Sample scripts are not supported under any Microsoft standard support program or service. The sample scripts is -provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without -limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk -arising out of the use or performance of the sample script and documentation remains with you. In no event shall -Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable -for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, -loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample script +Disclaimer +Sample scripts are not supported under any Microsoft standard support program or service. The sample scripts is +provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without +limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk +arising out of the use or performance of the sample script and documentation remains with you. 
In no event shall +Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable +for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, +loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample script or documentation, even if Microsoft has been advised of the possibility of such damages. ``` > [!NOTE] -> If you elect not to override the default setup priority, you will need to increase the [maximum run time](https://docs.microsoft.com/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value. +> If you elect not to override the default setup priority, you will need to increase the [maximum run time](https://docs.microsoft.com/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value. ## Manually deploy feature updates The following sections provide the steps to manually deploy a feature update. ### Step 1: Specify search criteria for feature updates -There are potentially a thousand or more feature updates displayed in the Configuration Manager console. The first step in the workflow for manually deploying feature updates is to identify the feature updates that you want to deploy. +There are potentially a thousand or more feature updates displayed in the Configuration Manager console. 
The first step in the workflow for manually deploying feature updates is to identify the feature updates that you want to deploy. -1. In the Configuration Manager console, click **Software Library**. -2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. The synchronized feature updates are displayed. +1. In the Configuration Manager console, click **Software Library**. +2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. The synchronized feature updates are displayed. 3. In the search pane, filter to identify the feature updates that you need by using one or both of the following steps: - - In the search text box, type a search string that will filter the feature updates. For example, type the version number for a specific feature update, or enter a string that would appear in the title of the feature update. + - In the search text box, type a search string that will filter the feature updates. For example, type the version number for a specific feature update, or enter a string that would appear in the title of the feature update. - Click **Add Criteria**, select the criteria that you want to use to filter software updates, click **Add**, and then provide the values for the criteria. For example, Title contains 1803, Required is greater than or equal to 1, and Language equals English. -4. Save the search for future use. +4. Save the search for future use. ### Step 2: Download the content for the feature update(s) -Before you deploy the feature updates, you can download the content as a separate step. Do this so you can verify that the content is available on the distribution points before you deploy the feature updates. This will help you to avoid any unexpected issues with the content delivery. Use the following procedure to download the content for feature updates before creating the deployment. 
+Before you deploy the feature updates, you can download the content as a separate step. Do this so you can verify that the content is available on the distribution points before you deploy the feature updates. This will help you to avoid any unexpected issues with the content delivery. Use the following procedure to download the content for feature updates before creating the deployment. -1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**. +1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**. 2. Choose the feature update(s) to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select Download. - The **Download Software Updates Wizard** opens. -3. On the **Deployment Package** page, configure the following settings: - **Create a new deployment package**: Select this setting to create a new deployment package for the software updates that are in the deployment. Configure the following settings: - - **Name**: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It is limited to 50 characters. - - **Description**: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters. - - **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\server\sharename\path, or click **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page. + The **Download Software Updates Wizard** opens. +3. 
On the **Deployment Package** page, configure the following settings: + **Create a new deployment package**: Select this setting to create a new deployment package for the software updates that are in the deployment. Configure the following settings: + - **Name**: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It is limited to 50 characters. + - **Description**: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters. + - **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\server\sharename\path, or click **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page. > [!NOTE] - > The deployment package source location that you specify cannot be used by another software deployment package. + > The deployment package source location that you specify cannot be used by another software deployment package. > [!IMPORTANT] - > The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files. + > The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files. > [!IMPORTANT] - > You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. 
But if you do so, you must first copy the content from the original package source to the new package source location. + > You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location. - Click **Next**. -4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then click **Next**. For more information about distribution points, see [Distribution point configurations](https://docs.microsoft.com/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs). + Click **Next**. +4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then click **Next**. For more information about distribution points, see [Distribution point configurations](https://docs.microsoft.com/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs). > [!NOTE] - > The Distribution Points page is available only when you create a new software update deployment package. -5. On the **Distribution Settings** page, specify the following settings: + > The Distribution Points page is available only when you create a new software update deployment package. +5. On the **Distribution Settings** page, specify the following settings: - - **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: High, Medium, or Low. Packages with identical priorities are sent in the order in which they were created. 
If there is no backlog, the package will process immediately regardless of its priority. By default, packages are sent using Medium priority. - - **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios). - - **Prestaged distribution point settings**: Use this setting to specify how you want to distribute content to prestaged distribution points. Choose one of the following options: - - **Automatically download content when packages are assigned to distribution points**: Use this setting to ignore the prestage settings and distribute content to the distribution point. + - **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: High, Medium, or Low. Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority. By default, packages are sent using Medium priority. + - **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. 
When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios). + - **Prestaged distribution point settings**: Use this setting to specify how you want to distribute content to prestaged distribution points. Choose one of the following options: + - **Automatically download content when packages are assigned to distribution points**: Use this setting to ignore the prestage settings and distribute content to the distribution point. - **Download only content changes to the distribution point**: Use this setting to prestage the initial content to the distribution point, and then distribute content changes to the distribution point. - - **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This is the default setting. - - For more information about prestaging content to distribution points, see [Use Prestaged content](https://docs.microsoft.com/sccm/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage). - Click **Next**. -6. On the **Download Location** page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options: + - **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This is the default setting. 
+ + For more information about prestaging content to distribution points, see [Use Prestaged content](https://docs.microsoft.com/sccm/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage). + Click **Next**. +6. On the **Download Location** page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options: - **Download software updates from the Internet**: Select this setting to download the software updates from the location on the Internet. This is the default setting. - - **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access. - + - **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access. + > [!NOTE] > When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard. - Click **Next**. -7. On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then click **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. For example, if you selected English and German based feature updates for download, select those same languages on the language selection page. -8. On the **Summary** page, verify the settings that you selected in the wizard, and then click Next to download the software updates. -9. On the **Completion** page, verify that the software updates were successfully downloaded, and then click Close. + Click **Next**. 
+7. On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then click **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. For example, if you selected English and German based feature updates for download, select those same languages on the language selection page. +8. On the **Summary** page, verify the settings that you selected in the wizard, and then click Next to download the software updates. +9. On the **Completion** page, verify that the software updates were successfully downloaded, and then click Close. #### To monitor content status -1. To monitor the content status for the feature updates, click **Monitoring** in the Configuration Manager console. -2. In the Monitoring workspace, expand **Distribution Status**, and then click **Content Status**. -3. Select the feature update package that you previously identified to download the feature updates. +1. To monitor the content status for the feature updates, click **Monitoring** in the Configuration Manager console. +2. In the Monitoring workspace, expand **Distribution Status**, and then click **Content Status**. +3. Select the feature update package that you previously identified to download the feature updates. 4. On the **Home** tab, in the Content group, click **View Status**. -### Step 3: Deploy the feature update(s) -After you determine which feature updates you intend to deploy, you can manually deploy the feature update(s). Use the following procedure to manually deploy the feature update(s). +### Step 3: Deploy the feature update(s) +After you determine which feature updates you intend to deploy, you can manually deploy the feature update(s). Use the following procedure to manually deploy the feature update(s). -1. In the Configuration Manager console, click **Software Library**. -2. 
In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. +1. In the Configuration Manager console, click **Software Library**. +2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. 3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Deploy**. - The **Deploy Software Updates Wizard** opens. -4. On the General page, configure the following settings: - - **Name**: Specify the name for the deployment. The deployment must have a unique name that describes the purpose of the deployment and differentiates it from other deployments in the Configuration Manager site. By default, Configuration Manager automatically provides a name for the deployment in the following format: **Microsoft Software Updates - \\** - - **Description**: Specify a description for the deployment. The description provides an overview of the deployment and any other relevant information that helps to identify and differentiate the deployment among others in Configuration Manager site. The description field is optional, has a limit of 256 characters, and has a blank value by default. - - **Software Update/Software Update Group**: Verify that the displayed software update group, or software update, is correct. - - **Select Deployment Template**: Specify whether to apply a previously saved deployment template. You can configure a deployment template to contain multiple common software update deployment properties and then apply the template when you deploy subsequent software updates to ensure consistency across similar deployments and to save time. - - **Collection**: Specify the collection for the deployment, as applicable. Members of the collection receive the feature updates that are defined in the deployment. -5. 
On the Deployment Settings page, configure the following settings: + The **Deploy Software Updates Wizard** opens. +4. On the General page, configure the following settings: + - **Name**: Specify the name for the deployment. The deployment must have a unique name that describes the purpose of the deployment and differentiates it from other deployments in the Configuration Manager site. By default, Configuration Manager automatically provides a name for the deployment in the following format: **Microsoft Software Updates - \\** + - **Description**: Specify a description for the deployment. The description provides an overview of the deployment and any other relevant information that helps to identify and differentiate the deployment among others in Configuration Manager site. The description field is optional, has a limit of 256 characters, and has a blank value by default. + - **Software Update/Software Update Group**: Verify that the displayed software update group, or software update, is correct. + - **Select Deployment Template**: Specify whether to apply a previously saved deployment template. You can configure a deployment template to contain multiple common software update deployment properties and then apply the template when you deploy subsequent software updates to ensure consistency across similar deployments and to save time. + - **Collection**: Specify the collection for the deployment, as applicable. Members of the collection receive the feature updates that are defined in the deployment. +5. On the Deployment Settings page, configure the following settings: + + - **Type of deployment**: Specify the deployment type for the software update deployment. Select **Required** to create a mandatory software update deployment in which the feature updates are automatically installed on clients before a configured installation deadline. - - **Type of deployment**: Specify the deployment type for the software update deployment. 
Select **Required** to create a mandatory software update deployment in which the feature updates are automatically installed on clients before a configured installation deadline. - > [!IMPORTANT] - > After you create the software update deployment, you cannot later change the type of deployment. - + > After you create the software update deployment, you cannot later change the type of deployment. + > [!NOTE] > A software update group deployed as **Required** will be downloaded in the background and honor BITS settings, if configured. - - **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled and is available only when Type of deployment is set to Required. + - **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled and is available only when Type of deployment is set to Required. > [!WARNING] - > Before you can use this option, computers and networks must be configured for Wake On LAN. + > Before you can use this option, computers and networks must be configured for Wake On LAN. - - **Detail level**: Specify the level of detail for the state messages that are reported by client computers. 
+ - **Detail level**: Specify the level of detail for the state messages that are reported by client computers. 6. On the Scheduling page, configure the following settings: - - **Schedule evaluation**: Specify whether the available time and installation deadline times are evaluated according to UTC or the local time of the computer running the Configuration Manager console. - - > [!NOTE] - > When you select local time, and then select **As soon as possible** for the **Software available time** or **Installation deadline**, the current time on the computer running the Configuration Manager console is used to evaluate when updates are available or when they are installed on a client. If the client is in a different time zone, these actions will occur when the client's time reaches the evaluation time. + - **Schedule evaluation**: Specify whether the available time and installation deadline times are evaluated according to UTC or the local time of the computer running the Configuration Manager console. - - **Software available time**: Select **As soon as possible** to specify when the software updates will be available to clients: - - **As soon as possible**: Select this setting to make the software updates in the deployment available to clients as soon as possible. When the deployment is created, the client policy is updated, the clients are made aware of the deployment at their next client policy polling cycle, and then the software updates are available for installation. - - **Installation deadline**: Select **Specific time** to specify the installation deadline for the software updates in the deployment. - > [!NOTE] - > You can configure the installation deadline setting only when **Type of deployment** is set to **Required** on the Deployment Settings page. 
+ > When you select local time, and then select **As soon as possible** for the **Software available time** or **Installation deadline**, the current time on the computer running the Configuration Manager console is used to evaluate when updates are available or when they are installed on a client. If the client is in a different time zone, these actions will occur when the client's time reaches the evaluation time. - - **Specific time**: Select this setting to automatically install the software updates in the deployment at a specific date and time. Set the date and time value to correspond with your defined maintenance window for the target collection. Allow sufficient time for clients to download the content in advance of the deadline. Adjust accordingly if clients in your environment will need additional download time. E.g., slow or unreliable network links. + - **Software available time**: Select **As soon as possible** to specify when the software updates will be available to clients: + - **As soon as possible**: Select this setting to make the software updates in the deployment available to clients as soon as possible. When the deployment is created, the client policy is updated, the clients are made aware of the deployment at their next client policy polling cycle, and then the software updates are available for installation. + - **Installation deadline**: Select **Specific time** to specify the installation deadline for the software updates in the deployment. + + > [!NOTE] + > You can configure the installation deadline setting only when **Type of deployment** is set to **Required** on the Deployment Settings page. + + - **Specific time**: Select this setting to automatically install the software updates in the deployment at a specific date and time. Set the date and time value to correspond with your defined maintenance window for the target collection. Allow sufficient time for clients to download the content in advance of the deadline. 
Adjust accordingly if clients in your environment will need additional download time. E.g., slow or unreliable network links. > [!NOTE] - > The actual installation deadline time is the specific time that you configure plus a random amount of time up to two hours. This reduces the potential impact of all client computers in the destination collection installing the software updates in the deployment at the same time. Configure the Computer Agent client setting **Disable deadline randomization** to disable the installation randomization delay for the required software updates to allow a greater chance for the installation to start and complete within your defined maintenance window. For more information, see [Computer Agent](https://github.com/MicrosoftDocs/SCCMdocs/blob/master/sccm/core/clients/deploy/about-client-settings.md#computer-agent). -7. On the User Experience page, configure the following settings: - - **User notifications**: Specify whether to display notification of the software updates in Software Center on the client computer at the configured **Software available time** and whether to display user notifications on the client computers. When **Type of deployment** is set to **Available** on the Deployment Settings page, you cannot select **Hide in Software Center and all notifications**. - - **Deadline behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify the behavior that is to occur when the deadline is reached for the software update deployment. Specify whether to install the software updates in the deployment. Also specify whether to perform a system restart after software update installation regardless of a configured maintenance window. For more information about maintenance windows, see [How to use maintenance windows](https://docs.microsoft.com/sccm/core/clients/manage/collections/use-maintenance-windows). 
- - **Device restart behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify whether to suppress a system restart on servers and workstations after software updates are installed and a system restart is required to complete the installation. + > The actual installation deadline time is the specific time that you configure plus a random amount of time up to two hours. This reduces the potential impact of all client computers in the destination collection installing the software updates in the deployment at the same time. Configure the Computer Agent client setting **Disable deadline randomization** to disable the installation randomization delay for the required software updates to allow a greater chance for the installation to start and complete within your defined maintenance window. For more information, see [Computer Agent](https://docs.microsoft.com/sccm/core/clients/deploy/about-client-settings#computer-agent). +7. On the User Experience page, configure the following settings: + - **User notifications**: Specify whether to display notification of the software updates in Software Center on the client computer at the configured **Software available time** and whether to display user notifications on the client computers. When **Type of deployment** is set to **Available** on the Deployment Settings page, you cannot select **Hide in Software Center and all notifications**. + - **Deadline behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify the behavior that is to occur when the deadline is reached for the software update deployment. Specify whether to install the software updates in the deployment. Also specify whether to perform a system restart after software update installation regardless of a configured maintenance window. 
For more information about maintenance windows, see [How to use maintenance windows](https://docs.microsoft.com/sccm/core/clients/manage/collections/use-maintenance-windows). + - **Device restart behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify whether to suppress a system restart on servers and workstations after software updates are installed and a system restart is required to complete the installation. > [!IMPORTANT] > Suppressing system restarts can be useful in server environments or for cases in which you do not want the computers that are installing the software updates to restart by default. However, doing so can leave computers in an insecure state, whereas allowing a forced restart helps to ensure immediate completion of the software update installation. - - **Write filter handling for Windows Embedded devices**: When you deploy software updates to Windows Embedded devices that are write filter enabled, you can specify to install the software update on the temporary overlay and either commit changes later or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device. + - **Write filter handling for Windows Embedded devices**: When you deploy software updates to Windows Embedded devices that are write filter enabled, you can specify to install the software update on the temporary overlay and either commit changes later or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device. > [!NOTE] - > When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. 
- - **Software updates deployment re-evaluation behavior upon restart**: Starting in Configuration Manager version 1606, select this setting to configure software updates deployments to have clients run a software updates compliance scan immediately after a client installs software updates and restarts. This enables the client to check for additional software updates that become applicable after the client restarts, and to then install them (and become compliant) during the same maintenance window. -8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page. + > When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. + - **Software updates deployment re-evaluation behavior upon restart**: Starting in Configuration Manager version 1606, select this setting to configure software updates deployments to have clients run a software updates compliance scan immediately after a client installs software updates and restarts. This enables the client to check for additional software updates that become applicable after the client restarts, and to then install them (and become compliant) during the same maintenance window. +8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page. > [!NOTE] - > You can review recent software updates alerts from the Software Updates node in the Software Library workspace. -9. 
On the Download Settings page, configure the following settings: - - Specify whether the client will download and install the software updates when a client is connected to a slow network or is using a fallback content location. - - Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates is not available on a preferred distribution point. - - **Allow clients to share content with other clients on the same subnet**: Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see [Fundamental concepts for content management](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/fundamental-concepts-for-content-management#branchcache). + > You can review recent software updates alerts from the Software Updates node in the Software Library workspace. +9. On the Download Settings page, configure the following settings: + - Specify whether the client will download and install the software updates when a client is connected to a slow network or is using a fallback content location. + - Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates is not available on a preferred distribution point. + - **Allow clients to share content with other clients on the same subnet**: Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see [Fundamental concepts for content management](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/fundamental-concepts-for-content-management#branchcache). 
- **If software updates are not available on distribution point in current, neighbor or site groups, download content from Microsoft Updates**: Select this setting to have clients that are connected to the intranet download software updates from Microsoft Update if software updates are not available on distribution points. Internet-based clients can always go to Microsoft Update for software updates content. - - Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection. + - Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection. > [!NOTE] - > Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios). -10. On the Summary page, review the settings. To save the settings to a deployment template, click **Save As Template**, enter a name and select the settings that you want to include in the template, and then click **Save**. To change a configured setting, click the associated wizard page and change the setting. -11. Click **Next** to deploy the feature update(s). + > Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. 
For more information, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios). +10. On the Summary page, review the settings. To save the settings to a deployment template, click **Save As Template**, enter a name and select the settings that you want to include in the template, and then click **Save**. To change a configured setting, click the associated wizard page and change the setting. +11. Click **Next** to deploy the feature update(s). ### Step 4: Monitor the deployment status After you deploy the feature update(s), you can monitor the deployment status. Use the following procedure to monitor the deployment status: -1. In the Configuration Manager console, navigate to **Monitoring > Overview > Deployments**. -2. Click the software update group or software update for which you want to monitor the deployment status. -3. On the **Home** tab, in the **Deployment** group, click **View Status**. +1. In the Configuration Manager console, navigate to **Monitoring > Overview > Deployments**. +2. Click the software update group or software update for which you want to monitor the deployment status. +3. On the **Home** tab, in the **Deployment** group, click **View Status**. From 6d2ae5f01d8ace626350bef915db7f8db9836dae Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Sat, 12 Oct 2019 02:02:33 +0200 Subject: [PATCH 51/68] Update feature-update-maintenance-window.md - formatting and correction suggestions - 2 code block syntax names added --- .../update/feature-update-maintenance-window.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md index ad5ba452f9..8ea4e0760e 100644 --- a/windows/deployment/update/feature-update-maintenance-window.md 
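Review bot: nearly every changed line in this hunk is a whitespace-only rewrite (the removed and re-added lines are textually identical), which buries the one substantive change, the Computer Agent link moving from `https://github.com/MicrosoftDocs/SCCMdocs/blob/master/sccm/core/clients/deploy/about-client-settings.md#computer-agent` to `https://docs.microsoft.com/sccm/core/clients/deploy/about-client-settings#computer-agent`; call that link fix out in the commit message, or split it into its own commit, so it can be reviewed on its own. Also, the default deployment name on the General page reads `**Microsoft Software Updates - \\**` in both the removed and the added line, so the placeholder that should follow the hyphen has been lost rather than fixed; restore it while this paragraph is being touched.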
+++ b/windows/deployment/update/feature-update-maintenance-window.md @@ -25,12 +25,12 @@ Use the following information to deploy feature updates during a maintenance win ### Step 1: Configure maintenance windows -1. In the Configuration Manager console, choose **Assets and Compliance> Device Collections**. +1. In the Configuration Manager console, choose **Assets and Compliance > Device Collections**. 2. In the **Device Collections** list, select the collection for which you intended to deploy the feature update(s). 3. On the **Home** tab, in the **Properties** group, choose **Properties**. -4. In the **Maintenance Windows** tab of the `` Properties dialog box, choose the New icon. -5. Complete the `` Schedule dialog. -6. Select from the Apply this schedule to drop-down list. +4. In the **Maintenance Windows** tab of the **`` Properties** dialog box, choose the **New** icon. +5. Complete the **`` Schedule** dialog. +6. Select **Apply this schedule** from the drop-down list. 7. Choose **OK** and then close the **\ Properties** dialog box. ### Step 2: Review computer restart device settings @@ -59,14 +59,14 @@ If you’re deploying **Feature update to Windows 10, version 1709** or later, b %systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini -``` +```ini [SetupConfig] Priority=Normal ``` You can use the new [Run Scripts](https://docs.microsoft.com/sccm/apps/deploy-use/create-deploy-scripts) feature to run a PowerShell script like the sample below to create the SetupConfig.ini on target devices. -``` +```PowerShell #Parameters Param( [string] $PriorityValue = "Normal" From 925d1c1eff85b026da08bff71fe651d91a1f9d7e Mon Sep 17 00:00:00 2001 
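Review bot: step 6 in the first hunk (`@@ -25,12 +25,12 @@`) changes the meaning of the instruction, not just its formatting. The removed line `Select from the Apply this schedule to drop-down list.` is a sentence whose option placeholder was lost, and "Apply this schedule to" is the label of the drop-down; the added line `Select **Apply this schedule** from the drop-down list.` turns that label into an item in the list. Keep the label and restore the missing option, for example "In the **Apply this schedule to** drop-down list, select the kind of deployment the maintenance window applies to." The empty backticks in steps 4 and 5 (`**`` Properties**`, `**`` Schedule**`) show the collection-name placeholder is likewise empty in both the old and the new lines and should be restored in the same change.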
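Review bot: in the second hunk (`@@ -59,14 +59,14 @@`) the new fence tag `PowerShell` should be lowercase `powershell`, matching the lowercase `ini` tag added in the same hunk and the usual convention for fenced-code language identifiers; most renderers treat the tag case-insensitively, but mixed case in one file is easy to copy forward. The `ini` tag on the SetupConfig.ini block is a good addition, since it makes clear that `[SetupConfig]` / `Priority=Normal` is the file content and not part of the path shown above it.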
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Sat, 12 Oct 2019 02:15:27 +0200 Subject: [PATCH 52/68] Update windows/deployment/update/feature-update-maintenance-window.md - rephrase the Note text, based on MS Docs style guide Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- windows/deployment/update/feature-update-maintenance-window.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md index 8ea4e0760e..3a57b80ed7 100644 --- a/windows/deployment/update/feature-update-maintenance-window.md +++ b/windows/deployment/update/feature-update-maintenance-window.md 
@@ -51,7 +51,7 @@ Use **Peer Cache** to help manage deployment of content to clients in remote loc [Enable Configuration Manager client in full OS to share content](https://docs.microsoft.com/sccm/core/clients/deploy/about-client-settings#enable-configuration-manager-client-in-full-os-to-share-content) if you have clients in remote locations that would benefit from downloading feature update content from a peer instead of downloading it from a distribution point (or Microsoft Update). > [!NOTE] -> In any enterprise, content delivery optimization via caching and peering solutions is imperative to mitigate the risk of interrupting business operations. It is important when downloading large payloads from the cloud (feature updates, quality updates, and so on). Most smaller organizations may have this enabled by default, but larger enterprises may need to plan an implementation to logically group different sites via AD Site or SCCM boundary group, as the egress/ingress point may be a data center in another location, rather than an Internet connection local to them. Otherwise they will peer with clients potentially not in the same physical location. +> Content delivery optimization via caching and peering solutions can avoid interruptions to business operations, especially when you download large payloads from the cloud (such as feature or quality updates). To avoid peering with clients that are not in the same physical location, you can logically group different sites via AD Site or SCCM boundary group, as the egress/ingress point may be a data center in another location, rather than a local internet connection. ### Step 4: Override the default Windows setup priority (Windows 10, version 1709 and later) From 44ebc6107bc7c62dade2857f90bdce8541161987 Mon Sep 17 00:00:00 2001 
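Review bot: The new Note text still mixes product names: it says "SCCM boundary group" while Step 1 of this same file says "Configuration Manager console", so "Configuration Manager boundary group" would match the style guide the commit message cites. The rewrite also drops the original's point that larger enterprises in particular may need to plan this grouping; a short clause such as "larger enterprises in particular may need to plan this" would keep that guidance without the original's wordiness.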
From: Scottduf Date: Mon, 21 Oct 2019 14:33:10 -0700 Subject: [PATCH 53/68] Update enroll-a-windows-10-device-automatically-using-group-policy.md Device credential automatic enrollment isn't supported by Intune. Added a note to call this out. --- ...oll-a-windows-10-device-automatically-using-group-policy.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 849b1c551d..ac08247a1f 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -116,6 +116,9 @@ Requirements: > In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have the Windows 10, version 1903 feature update installed. The default behavior for older releases is to revert to **User Credential**. +> [!NOTE] +> Device credential group policy setting is not supported for enrolling into Microsoft Intune. + When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD." To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app). From 905eb3a0110d9e40cbc4932ee98bc63c43749401 Mon Sep 17 00:00:00 2001 
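Review bot: The added note should name the setting the way the preceding note does, so readers connect it to the option introduced just above: `> The **Device Credential** group policy setting is not supported for enrolling into Microsoft Intune.` While this paragraph is being touched, the unchanged context line has a stray leading space inside the quoted task name (`" Schedule created by enrollment client ..."`) that could be removed in the same change.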
From: Onur Date: Tue, 22 Oct 2019 01:38:46 +0300 Subject: [PATCH 54/68] Revise metadata with correct owner of BitLocker articles --- .../bitlocker/bcd-settings-and-bitlocker.md | 2 +- .../information-protection/bitlocker/bitlocker-and-adds-faq.md | 2 +- .../bitlocker/bitlocker-basic-deployment.md | 2 +- .../bitlocker/bitlocker-countermeasures.md | 2 +- .../bitlocker/bitlocker-deployment-and-administration-faq.md | 2 +- .../bitlocker-device-encryption-overview-windows-10.md | 2 +- .../bitlocker/bitlocker-frequently-asked-questions.md | 2 +- .../bitlocker/bitlocker-group-policy-settings.md | 2 +- .../bitlocker/bitlocker-how-to-deploy-on-windows-server.md | 2 +- .../bitlocker/bitlocker-how-to-enable-network-unlock.md | 2 +- .../bitlocker/bitlocker-key-management-faq.md | 2 +- .../bitlocker/bitlocker-management-for-enterprises.md | 2 +- .../bitlocker/bitlocker-network-unlock-faq.md | 2 +- .../bitlocker/bitlocker-overview-and-requirements-faq.md | 2 +- .../information-protection/bitlocker/bitlocker-overview.md | 2 +- .../bitlocker/bitlocker-recovery-guide-plan.md | 2 +- .../information-protection/bitlocker/bitlocker-security-faq.md | 2 +- .../information-protection/bitlocker/bitlocker-to-go-faq.md | 2 +- .../information-protection/bitlocker/bitlocker-upgrading-faq.md | 2 +- ...-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md | 2 +- .../bitlocker-use-bitlocker-recovery-password-viewer.md | 2 +- .../bitlocker/bitlocker-using-with-other-programs-faq.md | 2 +- ...are-your-organization-for-bitlocker-planning-and-policies.md | 2 +- ...r-shared-volumes-and-storage-area-networks-with-bitlocker.md | 2 +- 24 files changed, 24 insertions(+), 24 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md index c1b6366ec7..77709b6ef2 100644 --- a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md 
+++ b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md @@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md index 7bb74bdb71..4ce0666579 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md @@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 10924772a5..406d096165 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md index 0177ea0901..ab57ef7b30 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md +++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md 
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md index 78092912cd..b0c94843ad 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md @@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md index f22d7064d5..e4fb0170b4 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md +++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md @@ -6,7 +6,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md index fce071badf..f4f3028fcb 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md +++ b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md 
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md index 2d9a9c0ce6..09d6973301 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md +++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md @@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md index 3a17290bcd..121b0d3e49 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md +++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md @@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md index 23276f3144..e91f6d7db8 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md +++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md 
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md index 6aa957697c..5ab13673ea 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md @@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index caee851596..7968ef5030 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md @@ -6,7 +6,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.md b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.md index 79f29f59ec..9e8a4b17a5 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.md 
@@ -6,7 +6,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md index a4733f2848..a426da3ed2 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md @@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md index b57d24fd11..5ce2ab05e6 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md @@ -9,7 +9,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp manager: dansimp audience: ITPro ms.collection: M365-security-compliance diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index 16272b6213..26a7658ef1 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md 
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/bitlocker/bitlocker-security-faq.md b/windows/security/information-protection/bitlocker/bitlocker-security-faq.md index 6bb6a48e28..211775fd9d 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-security-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-security-faq.md @@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md index f5de0c1816..6cc8628157 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md @@ -9,7 +9,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp manager: dansimp audience: ITPro ms.collection: M365-security-compliance diff --git a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md index 3ec8b9d7db..ddefee9d0c 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md @@ -6,7 +6,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md index bb6cc83966..e4e1a3ffcd 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md +++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md @@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md index 56534228b9..9f41146f0d 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md +++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md @@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md index a093ef4773..5d1da751a8 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md 
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index 6e2f30a20e..72436ef74d 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md @@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index c0e83393a2..1473dadc79 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md @@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro From 94fdb443e1b4acdc6d53a261d17888980ce5cf76 Mon Sep 17 00:00:00 2001 
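Review bot: The `author: dulcemontemayor` to `author: dansimp` change is consistent across all 24 hunks, but the context in the bitlocker-overview.md and bitlocker-to-go-faq.md hunks shows `manager: dansimp` directly after `author:` with no `ms.author:` line, unlike the other 22 files. If those two files really lack `ms.author`, adding it in this same metadata pass would keep the front matter uniform.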
From: juanand Date: Tue, 22 Oct 2019 16:27:08 +0200 Subject: [PATCH 55/68] Remove references to Upgrade Readiness Remove section that refers to deprecated Upgrade Readiness in favor of brief pointers to Desktop Analytics and Advanced Threat Protection. --- ...ws-diagnostic-data-in-your-organization.md | 21 +------------------ 1 file changed, 1 insertion(+), 20 deletions(-) diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index 06c4e844c4..2ad39bdc03 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md 
@@ -104,27 +104,8 @@ Windows diagnostic data also helps Microsoft better understand how customers use ### Insights into your own organization -Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. The first of these, called [Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness). +Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better. Microsoft provides a set of solutions that leverage information shared by customers to provide insights customized for your internal use. The first of these was [Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness), followed by [Desktop Analytics](https://aka.ms/DADocs) starting 31st Jan 2020, both helping organizations with [Windows as a Service](/windows/deployment/update/wass-overview) adoption and potential compatibility challenges. Another example is [Microsoft Defender Advanced Threat Protection](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. -#### Upgrade Readiness - -Upgrading to new operating system versions has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points. 
- -To better help customers through this difficult process, Microsoft developed Upgrade Readiness to give enterprises the tools to plan and manage the upgrade process end to end and allowing them to adopt new Windows releases more quickly and on an ongoing basis. - -With Windows diagnostic data enabled, Microsoft collects computer, application, and driver compatibility-related information for analysis. We then identify compatibility issues that can block your upgrade and suggest fixes when they are known to Microsoft. - -Use Upgrade Readiness to get: - -- A visual workflow that guides you from pilot to production -- Detailed computer, driver, and application inventory -- Powerful computer level search and drill-downs -- Guidance and insights into application and driver compatibility issues with suggested fixes -- Data driven application rationalization tools -- Application usage information, allowing targeted validation; workflow to track validation progress and decisions -- Data export to commonly used software deployment tools - -The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. ## How Microsoft handles diagnostic data From a91da61830194cbe81f90a49ddd2b8559f168654 Mon Sep 17 00:00:00 2001 From: David Cabrera Date: Tue, 22 Oct 2019 15:38:31 -0700 Subject: [PATCH 56/68] Remove GlobalProfile from 19H2 Consider #5248 --- windows/configuration/kiosk-xml.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md index cf28c53e4a..c9d6d3b2c0 100644 --- a/windows/configuration/kiosk-xml.md +++ b/windows/configuration/kiosk-xml.md 
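Review bot: The link target `/windows/deployment/update/wass-overview` in the replacement paragraph looks like a typo for `waas-overview` (the link text is "Windows as a Service"); please verify the path before merge. Two smaller points in the same `+` line: "31st Jan 2020" should use the docs date format ("January 31, 2020"), and "leverage" is better as "use". Also, since this commit removes the deprecated Upgrade Readiness section, keeping a link to the Upgrade Readiness page in the new sentence risks a dangling link once that page is retired; plain text would be safer.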
@@ -255,7 +255,7 @@ This sample demonstrates that both UWP and Win32 apps can be configured to autom ``` ## [Preview] Global Profile Sample XML -Global Profile is currently supported in Windows 10 Insider Preview (19H2, 20H1 builds). Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lock down mode, or used as mitigation when a profile cannot be determined for an user. +Global Profile is currently supported in Windows 10 Insider Preview (20H1 builds). Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lock down mode, or used as mitigation when a profile cannot be determined for an user. This sample demonstrates that only a global profile is used, no active user configured. Global profile will be applied when every non-admin account logs in ```xml From 956012d1cc3747d61727ddf236d6e914ed2eb348 Mon Sep 17 00:00:00 2001 From: Adam Gross Date: Tue, 22 Oct 2019 21:11:35 -0500 Subject: [PATCH 57/68] Updated Links I updated the links as several have changed. However, I couldn't find an updated link for - [Partner Center](https://msdn.microsoft.com/partner-center/autopilot). This is used by CSP partners to register devices on behalf of customers. --- .../windows-autopilot/add-devices.md | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/windows/deployment/windows-autopilot/add-devices.md b/windows/deployment/windows-autopilot/add-devices.md index 6d2dc8e363..2bc033a64b 100644 --- a/windows/deployment/windows-autopilot/add-devices.md +++ b/windows/deployment/windows-autopilot/add-devices.md @@ -9,7 +9,8 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: deploy -audience: itpro author: greg-lindsay +audience: itpro +author: greg-lindsay ms.author: greglin ms.collection: M365-modern-desktop ms.topic: article 
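Review bot: The edited sentence in the Global Profile hunk keeps two grammar slips that could be fixed on the same line: "for an user" should be "for a user" and "lock down mode" should be "lockdown mode". The following context line ("This sample demonstrates that only a global profile is used, no active user configured") is a comma splice and also ends without a period; "This sample demonstrates a configuration with only a global profile and no active user configured." would read better.

Review bot: The front-matter hunk in add-devices.md (`-audience: itpro author: greg-lindsay` split into `+audience: itpro` and `+author: greg-lindsay`) fixes broken YAML in which `audience` carried the whole string and `author` was missing, which is more than a link update; it is worth calling out in the commit message, which currently describes only the link changes.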
@@ -26,15 +27,15 @@ Before deploying a device using Windows Autopilot, the device must be registered ## OEM registration -When you purchase devices directly from an OEM, that OEM can automatically register the devices with the Windows Autopilot deployment service. For the list of OEMs that currently support this, see the "Participant device manufacturers" section of the [Windows Autopilot information page](https://www.microsoft.com/windowsforbusiness/windows-autopilot). +When you purchase devices directly from an OEM, that OEM can automatically register the devices with the Windows Autopilot deployment service. For the list of OEMs that currently support this, see the "Participant device manufacturers" section of the [Windows Autopilot information page](https://www.microsoft.com/microsoft-365/windows/windows-autopilot). Before an OEM can register devices on behalf of an organization, the organization must grant the OEM permission to do so. This process is initiated by the OEM, with approval granted by an Azure AD global administrator from the organization. See the "Customer Consent" section of the [Customer consent page](https://docs.microsoft.com/windows/deployment/windows-autopilot/registration-auth#oem-authorization). ## Reseller, distributor, or partner registration -Customers may purchase devices from resellers, distributors, or other partners. As long as these resellers, distributors, and partners are part of the [Cloud Solution Partners (CSP) program](https://partner.microsoft.com/en-us/cloud-solution-provider), they too can register devices on behalf of the customer. +Customers may purchase devices from resellers, distributors, or other partners. As long as these resellers, distributors, and partners are part of the [Cloud Solution Partners (CSP) program](https://partner.microsoft.com/membership/cloud-solution-provider), they too can register devices on behalf of the customer. 
-As with OEMs, CSP parnters must be granted permission to register devices on behalf of an organization. This follows the process described on the [Customer consent page](https://docs.microsoft.com/windows/deployment/windows-autopilot/registration-auth#csp-authorization). The CSP partner initiates a request to establish a relationship with the organization, with approval granted by a global administrator from the organization. Once approved, CSP partners add devices using [Partner Center](https://partner.microsoft.com/en-us/pcv/dashboard/overview), either directly through the web site or via available APIs that can automate the same tasks. +As with OEMs, CSP parnters must be granted permission to register devices on behalf of an organization. This follows the process described on the [Customer consent page](https://docs.microsoft.com/windows/deployment/windows-autopilot/registration-auth#csp-authorization). The CSP partner initiates a request to establish a relationship with the organization, with approval granted by a global administrator from the organization. Once approved, CSP partners add devices using [Partner Center](https://docs.microsoft.com/partner-center/), either directly through the web site or via available APIs that can automate the same tasks. Windows Autopilot does not require delegated administrator permissions when establishing the relationship between the CSP partner and the organization. As part of the approval process performed by the global administrator, the global administrator can choose to uncheck the "Include delegated administration permissions" checkbox. 
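Review bot: The `+` line in this hunk keeps the typo "CSP parnters" from the `-` line; since the line is already being rewritten, change it to "CSP partners" in the same hunk. "web site" would also read as "website" under the docs style guide.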
@@ -42,9 +43,9 @@ Windows Autopilot does not require delegated administrator permissions when esta If an existing device is already running Windows 10 version 1703 or later and enrolled in an MDM service such an Intune, that MDM service can ask the device for the hardware ID (also known as a hardware hash). Once it has that, it can automatically register the device with Windows Autopilot. -For instructions on how to do this with Microsoft Intune, see [Create an Autopilot deployment profile](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-deployment-profile) documentation describing the "Convert all targeted devices to Autopilot" setting. +For instructions on how to do this with Microsoft Intune, see [Create an Autopilot deployment profile](https://docs.microsoft.com/intune/enrollment/enrollment-autopilot#create-an-autopilot-deployment-profile) documentation describing the "Convert all targeted devices to Autopilot" setting. -Also note that when using the [Windows Autopilot for existing devices](https://docs.microsoft.com/windows/deployment/windows-autopilot/existing-devices) scenario, it is not necessary to pre-register the devices with Windows Autopilot. Instead, a configuration file (AutopilotConfigurationFile.json) containing all the Windows Autopilot profile settings is used; the device can be registered with Windows Autopilot after the fact using the same "Convert all targeted devices to Autopilot" setting. +Also note that when using the [Windows Autopilot for existing devices](hhttps://docs.microsoft.com/windows/deployment/windows-autopilot/existing-devices) scenario, it is not necessary to pre-register the devices with Windows Autopilot. Instead, a configuration file (AutopilotConfigurationFile.json) containing all the Windows Autopilot profile settings is used; the device can be registered with Windows Autopilot after the fact using the same "Convert all targeted devices to Autopilot" setting. ## Manual registration 
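Review bot: The second `+` line in this hunk introduces a broken URL scheme, `hhttps://docs.microsoft.com/windows/deployment/windows-autopilot/existing-devices`; it must be `https://`. Since the Intune link in the first `+` line was the only intended change here, this looks like a stray keystroke. The unchanged context line "enrolled in an MDM service such an Intune" also has a slip ("such as Intune") that could be fixed alongside.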
@@ -94,9 +95,9 @@ The commands can also be run remotely, as long as WMI permissions are in place a Once the hardware IDs have been captured from existing devices, they can be uploaded through a variety of means. See the detailed documentation for each available mechanism. -- [Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot). This is the preferred mechanism for all customers. +- [Microsoft Intune](https://docs.microsoft.com/intune/enrollment/enrollment-autopilot). This is the preferred mechanism for all customers. - [Partner Center](https://msdn.microsoft.com/partner-center/autopilot). This is used by CSP partners to register devices on behalf of customers. -- [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-AutoPilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa). This is typically used by small and medium businesses (SMBs) who manage their devices using Microsoft 365 Business. +- [Microsoft 365 Business & Office 365 Admin](https://docs.microsoft.com/microsoft-365/business/add-autopilot-devices-and-profile). This is typically used by small and medium businesses (SMBs) who manage their devices using Microsoft 365 Business. - [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles). You might already be using MSfB to manage your apps and settings. A summary of each platform's capabilities is provided below. @@ -124,7 +125,7 @@ A summary of each platform's capabilities is provided below. -Intune +Intune YES - 500 at a time max\* YES\* 4K HH From bc6c0a04a33d57bd1d9e04b36cc41d4ac7f52021 Mon Sep 17 00:00:00 2001 From: Nick Anderson Date: Wed, 23 Oct 2019 11:37:32 -0700 Subject: [PATCH 58/68] Fixing typo in docs on configuring applocker service. --- .../applocker/configure-the-application-identity-service.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
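Review bot: the Partner Center bullet in the @@ -94 hunk still points at `https://msdn.microsoft.com/partner-center/autopilot` while the same patch moves the other Partner Center reference to `https://docs.microsoft.com/partner-center/`; either update this one as well or explain why the msdn.microsoft.com address is still the intended target, since the patch is otherwise retiring old hosts. Separately, the @@ -124 hunk shows a `-Intune` / `+Intune` pair that reads identically here, so whatever changed on that table row (presumably markup or a link) is invisible to reviewers; a one-line mention in the commit message would make it reviewable.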
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md index c2c55cccf6..488a8cc411 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md @@ -37,7 +37,7 @@ The Application Identity service determines and verifies the identity of an app. 4. In the details pane, double-click **Application Identity**. 5. In **Application Identity Properties**, configure the service to start automatically. -Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. +Membership in the local **Administrators** group, or equivalent, is the minimum access required to complete this procedure. **To start the Application Identity service manually** @@ -47,7 +47,7 @@ Membership in the local **Administrators** group, or equivalent, is the minimum Starting with Windows 10, the Application Identity service is now a protected process. Because of this, you can no longer manually set the service **Startup type** to **Automatic** by using the Sevices snap-in. Try either of these methods instead: -- Open an elevated commnad prompt or PowerShell session and type: +- Open an elevated command prompt or PowerShell session and type: ```powershell sc.exe config appidsvc start= auto From d40ae0ae9843bdaed4ba155c00eecb391f2699d6 Mon Sep 17 00:00:00 2001 
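Review bot: the @@ -47 hunk corrects "commnad" but leaves "Sevices snap-in" in its context line, so the article still carries a typo in the sentence this typo-fix patch is editing; change it to "Services snap-in" in the same change. The rest of the hunk reads correctly, including the `sc.exe config appidsvc start= auto` form, where the space after `start=` is the syntax sc.exe expects.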
From: davguent <53222866+davguent@users.noreply.github.com> Date: Wed, 23 Oct 2019 19:07:10 -0400 Subject: [PATCH 59/68] Update waas-delivery-optimization.md Updated to specifically add PRO SKU which offers same functionality. Current revision implies Windows Pro doesn't support DO which is not correct. --- windows/deployment/update/waas-delivery-optimization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index 49f48d3420..2c8e745bb2 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -63,7 +63,7 @@ The following table lists the minimum Windows 10 version that supports Delivery -By default in Windows 10 Enterprise and Education editions, Delivery Optimization allows peer-to-peer sharing on the organization's own network only (specifically, all of the devices must be behind the same NAT), but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune. +In Windows 10 Enterprise, Professional and Education editions, Delivery Optimization is enabled by default for peer-to-peer sharing on the local network (NAT). Specifically, all of the devices must be behind the same NAT, but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune. For more details, see "Download mode" in [Delivery optimization reference](waas-delivery-optimization-reference.md). From c7ab910290cd746d17742fb32d6b521798f47c58 Mon Sep 17 00:00:00 2001 
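Review bot: the rewritten sentence in this hunk drops the word "only" and puts "(NAT)" directly after "local network", which reads as if NAT were a synonym for the local network and weakens the statement of the default scope. Since the point is that peer-to-peer sharing is restricted by default to devices behind the same NAT, prefer something like: "In Windows 10 Enterprise, Professional, and Education editions, Delivery Optimization is enabled by default for peer-to-peer sharing on the organization's own network only (specifically, all of the devices must be behind the same NAT); you can configure it differently in Group Policy and MDM solutions such as Microsoft Intune." That keeps the edition change the commit message asks for without loosening the description of the default.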
From: Kaushik Ainapure Date: Thu, 24 Oct 2019 18:59:03 +0530 Subject: [PATCH 60/68] Updating archived links - [Generate a kernel or complete crash dump](https://docs.microsoft.com/windows/client-management/generate-kernel-or-complete-crash-dump) For more information about page file problems in Windows 10 or Windows Server 2016, see the following: - [Introduction to page files](https://docs.microsoft.com/windows/client-management/introduction-page-file) For more information about Stop errors, see the following Knowledge Base article: - [Advanced troubleshooting for Stop error or blue screen error issue](https://docs.microsoft.com/en-us/windows/client-management/troubleshoot-stop-errors) --- .../advanced-troubleshooting-boot-problems.md | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md index 5f1c4ea9c9..41b529153b 100644 --- a/windows/client-management/advanced-troubleshooting-boot-problems.md +++ b/windows/client-management/advanced-troubleshooting-boot-problems.md @@ -229,7 +229,7 @@ If the system gets stuck during the kernel phase, you experience multiple sympto - Specific error code is displayed. For example, "0x00000C2" , "0x0000007B" , "inaccessible boot device" and so on. - (To troubleshoot the 0x0000007B error, see [Error code INACCESSIBLE_BOOT_DEVICE (STOP 0x7B)](https://internal.support.services.microsoft.com/help/4343769/troubleshooting-guide-for-windows-boot-problems#0x7bstoperror)) + [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](https://docs.microsoft.com/en-us/windows/client-management/troubleshoot-inaccessible-boot-device) - The screen is stuck at the "spinning wheel" (rolling dots) "system busy" icon. 
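Review bot: in the @@ -229 hunk the replacement line keeps only the link and drops the introductory text "(To troubleshoot the 0x0000007B error, see ...)", so the bullet now ends with a bare link that has no sentence attaching it to the error code above it; restore a short lead-in such as "To troubleshoot the 0x0000007B error, see [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](...)". Replacing the `internal.support.services.microsoft.com` link with a public page is the right call, since the old target is unreachable for readers outside Microsoft. The new URL carries an `en-us` locale segment; the docs.microsoft.com links elsewhere in this patch omit the locale, and the locale-free form is what should be used.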
@@ -307,9 +307,7 @@ To troubleshoot this Stop error, follow these steps to filter the drivers: For additional troubleshooting steps, see the following articles: -- [Troubleshooting a Stop 0x7B in Windows](https://blogs.technet.microsoft.com/askcore/2013/08/05/troubleshooting-a-stop-0x7b-in-windows/) - -- [Advanced troubleshooting for "Stop error code 0x0000007B (INACCESSIBLE_BOOT_DEVICE)" errors in Windows XP](https://internal.support.services.microsoft.com/help/324103). +- [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](https://docs.microsoft.com/en-us/windows/client-management/troubleshoot-inaccessible-boot-device) To fix problems that occur after you install Windows updates, check for pending updates by using these steps: 
@@ -358,17 +356,15 @@ If the computer does not start, follow these steps: 12. Try to start the computer. -If the Stop error occurs late in the startup process, or if the Stop error is still being generated, you can capture a memory dump. A good memory dump can help determine the root cause of the Stop error. For details, see the following Knowledge Base article: +If the Stop error occurs late in the startup process, or if the Stop error is still being generated, you can capture a memory dump. A good memory dump can help determine the root cause of the Stop error. For details, see the following articles: -- [969028](https://support.microsoft.com/help/969028) How to generate a kernel or a complete memory dump file in Windows Server 2008 and Windows Server 2008 R2 +- [Generate a kernel or complete crash dump](https://docs.microsoft.com/windows/client-management/generate-kernel-or-complete-crash-dump) -For more information about page file problems in Windows 10 or Windows Server 2016, see the following Knowledge Base article: - -- [4133658](https://support.microsoft.com/help/4133658) Introduction of page file in Long-Term Servicing Channel and Semi-Annual Channel of Windows +For more information about page file problems in Windows 10 or Windows Server 2016, see the following: +- [Introduction to page files](https://docs.microsoft.com/windows/client-management/introduction-page-file) For more information about Stop errors, see the following Knowledge Base article: - -- [3106831](https://support.microsoft.com/help/3106831) Troubleshooting Stop error problems for IT Pros +- [Advanced troubleshooting for Stop error or blue screen error issue](https://docs.microsoft.com/en-us/windows/client-management/troubleshoot-stop-errors) If the dump file shows an error that is related to a driver (for example, windows\system32\drivers\stcvsm.sys is missing or corrupted), follow these guidelines: From a891263eca3097af82b4ba1efa0cf326be96c443 Mon Sep 17 00:00:00 2001 
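Review bot: this hunk updates the first lead-in to "see the following articles" but leaves "For more information about Stop errors, see the following Knowledge Base article:" unchanged even though the bullet beneath it now points to a docs.microsoft.com troubleshooting article rather than a KB number; change it to "see the following article:". The hunk also removes the blank line between each lead-in sentence and its bullet (before "- [Introduction to page files]" and before "- [Advanced troubleshooting for Stop error"); keep those blank lines so the bullets render as lists rather than as a continuation of the paragraph.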
From: Denise Vangel-MSFT Date: Thu, 24 Oct 2019 10:42:52 -0700 Subject: [PATCH 61/68] Update advanced-troubleshooting-boot-problems.md --- .../advanced-troubleshooting-boot-problems.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md index 41b529153b..4acac6acd7 100644 --- a/windows/client-management/advanced-troubleshooting-boot-problems.md +++ b/windows/client-management/advanced-troubleshooting-boot-problems.md @@ -229,7 +229,7 @@ If the system gets stuck during the kernel phase, you experience multiple sympto - Specific error code is displayed. For example, "0x00000C2" , "0x0000007B" , "inaccessible boot device" and so on. - [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](https://docs.microsoft.com/en-us/windows/client-management/troubleshoot-inaccessible-boot-device) + [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](https://docs.microsoft.com/windows/client-management/troubleshoot-inaccessible-boot-device) - The screen is stuck at the "spinning wheel" (rolling dots) "system busy" icon. @@ -307,7 +307,7 @@ To troubleshoot this Stop error, follow these steps to filter the drivers: For additional troubleshooting steps, see the following articles: -- [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](https://docs.microsoft.com/en-us/windows/client-management/troubleshoot-inaccessible-boot-device) +- [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](https://docs.microsoft.com/windows/client-management/troubleshoot-inaccessible-boot-device) To fix problems that occur after you install Windows updates, check for pending updates by using these steps: 
@@ -364,7 +364,7 @@ For more information about page file problems in Windows 10 or Windows Server 20 - [Introduction to page files](https://docs.microsoft.com/windows/client-management/introduction-page-file) For more information about Stop errors, see the following Knowledge Base article: -- [Advanced troubleshooting for Stop error or blue screen error issue](https://docs.microsoft.com/en-us/windows/client-management/troubleshoot-stop-errors) +- [Advanced troubleshooting for Stop error or blue screen error issue](https://docs.microsoft.com/windows/client-management/troubleshoot-stop-errors) If the dump file shows an error that is related to a driver (for example, windows\system32\drivers\stcvsm.sys is missing or corrupted), follow these guidelines: From ab858864300319e6f13db7177a3444063d66b035 Mon Sep 17 00:00:00 2001 From: Jaime Ondrusek Date: Thu, 24 Oct 2019 11:00:17 -0700 Subject: [PATCH 62/68] Update waas-delivery-optimization.md --- windows/deployment/update/waas-delivery-optimization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index 2c8e745bb2..2152d896f3 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md 
@@ -63,7 +63,7 @@ The following table lists the minimum Windows 10 version that supports Delivery -In Windows 10 Enterprise, Professional and Education editions, Delivery Optimization is enabled by default for peer-to-peer sharing on the local network (NAT). Specifically, all of the devices must be behind the same NAT, but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune. +In Windows 10 Enterprise, Professional, and Education editions, Delivery Optimization is enabled by default for peer-to-peer sharing on the local network (NAT). Specifically, all of the devices must be behind the same NAT, but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune. For more details, see "Download mode" in [Delivery optimization reference](waas-delivery-optimization-reference.md). From 1099a143206e432341f9e388db4310391365f822 Mon Sep 17 00:00:00 2001 From: RavennMSFT <37601656+RavennMSFT@users.noreply.github.com> Date: Thu, 24 Oct 2019 12:21:12 -0700 Subject: [PATCH 63/68] Update manage-windows-1809-endpoints.md Adding missing critical auth endpoints for Microsoft account. Not sure why they were not added here --- windows/privacy/manage-windows-1809-endpoints.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md index f574f6409d..ca7e93d18b 100644 --- a/windows/privacy/manage-windows-1809-endpoints.md +++ b/windows/privacy/manage-windows-1809-endpoints.md @@ -261,6 +261,8 @@ If you [turn off traffic for these endpoints](manage-connections-from-windows-op | Source process | Protocol | Destination | |----------------|----------|------------| | | | login.msa.akadns6.net | +| | | login.live.com | +| | | account.live.com | | system32\Auth.Host.exe | HTTPS | auth.gfx.ms | | | | us.configsvc1.live.com.akadns.net | 
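Review bot: the two rows added to the endpoint table in the manage-windows-1809-endpoints.md hunk leave both the Source process and Protocol columns empty for `login.live.com` and `account.live.com`. The commit message describes these as critical Microsoft account authentication endpoints, and this table is what administrators use to build proxy and firewall exceptions, so the Protocol column should be filled in (the neighbouring `auth.gfx.ms` row records HTTPS) and, if it is known, the process that contacts them; an empty protocol cell forces readers to guess whether an HTTPS-only exception is sufficient.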
From de63cfe0b66c46539d2d25467b78b3de92410c46 Mon Sep 17 00:00:00 2001 From: sudarshan-g <36419515+sudarshan-g@users.noreply.github.com> Date: Fri, 25 Oct 2019 01:08:15 +0530 Subject: [PATCH 64/68] Adds note indicating that the update cannot be uninstalled once installed. --- windows/deployment/update/servicing-stack-updates.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md index 1f23ccbc44..6b2ec009a6 100644 --- a/windows/deployment/update/servicing-stack-updates.md +++ b/windows/deployment/update/servicing-stack-updates.md @@ -4,7 +4,8 @@ description: Servicing stack updates improve the code that installs the other up ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -audience: itpro author: greg-lindsay +audience: itpro +author: greg-lindsay ms.localizationpriority: medium ms.author: greglin ms.date: 11/29/2018 @@ -54,3 +55,4 @@ Typically, the improvements are reliability and performance improvements that do * Installing servicing stack update does not require restarting the device, so installation should not be disruptive. * Servicing stack update releases are specific to the operating system version (build number), much like quality updates. * Search to install latest available [Servicing stack update for Windows 10](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001). +* These updates cannot be uninstalled from the machine. Once the servicing stack is updated, it cannot be rolled back to a previous version. From ba88e18d11931871d28920281192593c757f25db Mon Sep 17 00:00:00 2001 From: sudarshan-g <36419515+sudarshan-g@users.noreply.github.com> Date: Fri, 25 Oct 2019 01:18:43 +0530 Subject: [PATCH 65/68] Update servicing-stack-updates.md --- windows/deployment/update/servicing-stack-updates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
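Review bot: the metadata hunk in servicing-stack-updates.md correctly splits the run-together `audience: itpro author: greg-lindsay` into two YAML keys, but it leaves `ms.date: 11/29/2018` in place while the patch adds new guidance to the article body; bump `ms.date` in the same change so the page does not advertise a stale revision date.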
diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md index 6b2ec009a6..79bd5003c8 100644 --- a/windows/deployment/update/servicing-stack-updates.md +++ b/windows/deployment/update/servicing-stack-updates.md @@ -55,4 +55,4 @@ Typically, the improvements are reliability and performance improvements that do * Installing servicing stack update does not require restarting the device, so installation should not be disruptive. * Servicing stack update releases are specific to the operating system version (build number), much like quality updates. * Search to install latest available [Servicing stack update for Windows 10](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001). -* These updates cannot be uninstalled from the machine. Once the servicing stack is updated, it cannot be rolled back to a previous version. +* Once any servicing stack update is installed, it cannot be removed or uninstalled from the machine. From d4f053e727d5f3381ffff1f7ff86312b1fbf00d1 Mon Sep 17 00:00:00 2001 From: sudarshan-g <36419515+sudarshan-g@users.noreply.github.com> Date: Fri, 25 Oct 2019 01:20:24 +0530 Subject: [PATCH 66/68] Update servicing-stack-updates.md --- windows/deployment/update/servicing-stack-updates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md index 79bd5003c8..67d92aa201 100644 --- a/windows/deployment/update/servicing-stack-updates.md +++ b/windows/deployment/update/servicing-stack-updates.md 
@@ -55,4 +55,4 @@ Typically, the improvements are reliability and performance improvements that do * Installing servicing stack update does not require restarting the device, so installation should not be disruptive. * Servicing stack update releases are specific to the operating system version (build number), much like quality updates. * Search to install latest available [Servicing stack update for Windows 10](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001). -* Once any servicing stack update is installed, it cannot be removed or uninstalled from the machine. +* Once a servicing stack update is installed, it cannot be removed or uninstalled from the machine. From 4f6d75988103fed6b9450286f36d850094f8c5c4 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 24 Oct 2019 15:11:54 -0700 Subject: [PATCH 67/68] Update configure-windows-diagnostic-data-in-your-organization.md --- .../configure-windows-diagnostic-data-in-your-organization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index 2ad39bdc03..709a681130 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md 
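Review bot: "cannot be removed or uninstalled" in the final wording of this hunk says the same thing twice; "cannot be uninstalled" is enough. More useful to the reader than the extra verb is the operational consequence of the no-rollback property the bullet states: because a servicing stack update cannot be backed out, it should be validated in a pilot deployment ring before being released broadly, and the bullet is the natural place to say so.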
@@ -104,7 +104,7 @@ Windows diagnostic data also helps Microsoft better understand how customers use ### Insights into your own organization -Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better. Microsoft provides a set of solutions that leverage information shared by customers to provide insights customized for your internal use. The first of these was [Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness), followed by [Desktop Analytics](https://aka.ms/DADocs) starting 31st Jan 2020, both helping organizations with [Windows as a Service](/windows/deployment/update/wass-overview) adoption and potential compatibility challenges. Another example is [Microsoft Defender Advanced Threat Protection](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. +Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better. Microsoft provides a set of solutions that leverage information shared by customers to provide insights customized for your internal use. The first of these was [Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness), followed by [Desktop Analytics](https://aka.ms/DADocs) (coming soon). Both help organizations with [Windows as a Service](/windows/deployment/update/wass-overview) adoption and potential compatibility challenges. For E5 customers, [Microsoft Defender Advanced Threat Protection](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. 
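Review bot: the new last sentence of this hunk is a fragment: "For E5 customers, [Microsoft Defender Advanced Threat Protection](...), a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats." has no main verb. Something like "Another example, for E5 customers, is [Microsoft Defender Advanced Threat Protection](...), a platform designed to ..." fixes it. Replacing the specific "starting 31st Jan 2020" with "(coming soon)" also trades a checkable date for a phrase that will go stale; keep the date or drop the qualifier. Finally, the link target `/windows/deployment/update/wass-overview` in both the old and new lines looks like a typo for `waas-overview` (the other deployment/update articles in this series use the `waas-` prefix, for example waas-delivery-optimization.md); worth verifying while the line is being edited.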
## How Microsoft handles diagnostic data From 98c585b4051c33f9f7c9562a41ebc8897823dac3 Mon Sep 17 00:00:00 2001 From: Albert Cabello Serrano Date: Fri, 25 Oct 2019 09:31:52 -0700 Subject: [PATCH 68/68] Update gdpr-it-guidance.md Windows Analytics retirement and adding Desktop Analytics service --- windows/privacy/gdpr-it-guidance.md | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/windows/privacy/gdpr-it-guidance.md b/windows/privacy/gdpr-it-guidance.md index ba1428445d..db1139f73b 100644 --- a/windows/privacy/gdpr-it-guidance.md +++ b/windows/privacy/gdpr-it-guidance.md 
@@ -117,23 +117,27 @@ Diagnostic data is categorized into the levels "Security", "Basic", "Enhanced", ### Windows services where Microsoft is the processor under the GDPR -Most Windows 10 services are controller services in terms of the GDPR – for both Windows functional data and Windows diagnostic data. But there are a few Windows services where Microsoft is a processor for functional data under the GDPR, such as [Windows Analytics](https://www.microsoft.com/windowsforbusiness/windows-analytics) and [Windows Defender Advanced Threat Protection (ATP)](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp). +Most Windows 10 services are controller services in terms of the GDPR – for both Windows functional data and Windows diagnostic data. But there are a few Windows services where Microsoft is a processor for functional data under the GDPR, such as [Desktop Analytics](https://aka.ms/dadocs), [Update Compliance](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor) and [Windows Defender Advanced Threat Protection (ATP)](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp). >[!NOTE] ->Both Windows Analytics and Windows Defender ATP are subscription services for organizations. Some functionality requires a certain license (please see [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare)). +>Both Desktop Analytics and Windows Defender ATP are subscription services for organizations. Some functionality requires a certain license (please see [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare)). -#### Windows Analytics +#### Desktop Analytics -[Windows Analytics](https://www.microsoft.com/windowsforbusiness/windows-analytics) is a service that provides rich, actionable information for helping organizations to gain deep insights into the operational efficiency and health of the Windows devices in their environment. 
It uses Windows diagnostic data from devices enrolled by the IT organization of an enterprise into the Windows Analytics service. +> [!IMPORTANT] +> The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](/windows/deployment/update/update-compliance-get-started) will continue to be supported. +> For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement). -Windows [transmits Windows diagnostic data](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) to Microsoft datacenters, where that data is analyzed and stored. With Windows Analytics, the IT organization can then view the analyzed data to detect and fix issues or to improve their processes for upgrading to Windows 10. +[Desktop Analytics](https://aka.ms/dadocs) is a cloud-based service that integrates with Configuration Manager. The service provides insight and intelligence for you to make more informed decisions about the update readiness of Windows Windows devices in their environment. It uses Windows diagnostic data from devices enrolled by the IT organization of an enterprise with data aggregated from millions of devices into the Desktop Analytics service. -As a result, in terms of the GDPR, the organization that has subscribed to Windows Analytics is acting as the controller, while Microsoft is the processor for Windows Analytics. +Windows [transmits Windows diagnostic data](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) to Microsoft datacenters, where that data is analyzed and stored. With Desktop Analytics, the IT organization can then view the analyzed data to detect and fix issues or to improve their processes for upgrading to Windows 10. 
+ +As a result, in terms of the GDPR, the organization that has subscribed to Desktop Analytics is acting as the controller, while Microsoft is the processor for Desktop Analytics. >[!NOTE] ->The IT organization must explicitly enable Windows Analytics for a device after the organization subscribes. +>The IT organization must explicitly enable Desktop Analytics for a device after the organization subscribes. >[!IMPORTANT] ->Windows Analytics does not collect Windows Diagnostic data by itself. Instead, Windows Analytics only uses a subset of Windows Diagnostic data that is collected by Windows for an enrolled device. The Windows Diagnostic data collection is controlled by the IT department of an organization or the user of a device. +>Desktop Analytics does not collect Windows Diagnostic data by itself. Instead, Desktop Analytics only uses a subset of Windows Diagnostic data that is collected by Windows for an enrolled device. The Windows Diagnostic data collection is controlled by the IT department of an organization or the user of a device. See [Enable data sharing for Desktop Analytics](https://docs.microsoft.com/sccm/desktop-analytics/enable-data-sharing) #### Windows Defender ATP
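Review bot: several wording problems in this hunk. The Desktop Analytics paragraph reads "update readiness of Windows Windows devices in their environment" (doubled "Windows", and "their" does not agree with the "you" earlier in the sentence); use "of the Windows devices in your environment". The retained note "Both Desktop Analytics and Windows Defender ATP are subscription services" no longer matches the list above it, which now names three processor services (Desktop Analytics, Update Compliance and Windows Defender ATP); either add Update Compliance to the note or reword it to cover all the listed services. The closing sentence "See [Enable data sharing for Desktop Analytics](...)" is missing its period. Placing the Windows Analytics retirement IMPORTANT block directly under the new "#### Desktop Analytics" heading is fine, but it would help to state in one clause that Desktop Analytics is the successor, since the heading rename otherwise leaves readers to infer the relationship.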