Merge branch 'master' into mdm-gp-storage-policies

devices/surface/microsoft-surface-data-eraser.md

@@ -57,6 +57,9 @@ Some scenarios where Microsoft Surface Data Eraser can be helpful include:
 >[!NOTE]
 >Because the ability to boot to USB is required to run Microsoft Surface Data Eraser, if the device is not configured to boot from USB or if the device is unable to boot or POST successfully, the Microsoft Surface Data Eraser tool will not function.
 
+>[!NOTE]
+>Surface Data Eraser on Surface Studio and Surface Studio 2 can take up to 6 minutes to boot into WinPE before disk erasure can occur.
+
 
 ## How to create a Microsoft Surface Data Eraser USB stick
 

windows/client-management/mdm/policy-csp-internetexplorer.md

@@ -2132,7 +2132,7 @@ If you disable or do not configure this policy, users may choose their own site-
 > [!Note]  
 > This policy is a list that contains the site and index value.
 
-The list is a set of pairs of strings. Each string is seperated by F000. Each pair of string are stored as a registry name and value.  The registry name is the site and the value is an index. The index has to be sequential. See an example below.
+The list is a set of pairs of strings. Each string is seperated by F000. Each pair of strings is stored as a registry name and value. The registry name is the site and the value is an index. The index has to be sequential. See an example below.
 
 <!--/Description-->
 > [!TIP]

windows/configuration/kiosk-methods.md

@@ -7,7 +7,6 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: jdeckerms
-ms.date: 01/09/2019
 ---
 
 # Configure kiosks and digital signs on Windows desktop editions

windows/configuration/kiosk-prepare.md

@@ -28,6 +28,7 @@ ms.date: 01/09/2019
 >
 >Kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk.
 
+## Configuration recommendations
 
 For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk:
 
@@ -237,3 +238,4 @@ The following table describes some features that have interoperability issues we
 
 
 
+

windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md

@@ -517,8 +517,8 @@ Sign-in the NDES server with access equivalent to _local administrator_.
 #### Configure Parameters for HTTP.SYS
 1. Open an elevated command prompt.
 2. Run the following commands <br>
-```reg add HKLM\CurrentControlSet\Services\HTTP\Parameters /v MaxFieldLength /t REG_DWORD /d 65534``` <br>
+```reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxFieldLength /t REG_DWORD /d 65534``` <br>
-```reg add HKLM\CurrentControlSet\Services\HTTP\Parameters /v MaxRequestBytes /t REG_DWORD /d 65534```<br>
+```reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxRequestBytes /t REG_DWORD /d 65534```<br>
 3. Restart the NDES server.
 
 ## Download, Install and Configure the Intune Certificate Connector

windows/security/identity-protection/hello-for-business/passwordless-strategy.md

@@ -25,7 +25,7 @@ Before you move away from passwords, you need something to replace them.  With W
 Deploying Windows Hello for Business is the first step towards password-less. With Windows Hello for Business deployed, it coexists with password nicely.  Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics.  However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it.
 
 ### 2. Reduce user-visible password surface area
-With Windows Hello for Business and passwords coexisting in your environment, the next step towards password-less is to reduce the password surface.  The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never user it.  This state helps decondition users from providing a password any time a password prompt shows on their computer.  This is a how passwords are phished.  Users who rarely, it at all, use their password are unlikely to provide it.  Password prompts are no longer the norm.
+With Windows Hello for Business and passwords coexisting in your environment, the next step towards password-less is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never use it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is how passwords are phished.  Users who rarely, if at all, use their password are unlikely to provide it. Password prompts are no longer the norm.
 
 ### 3. Transition into a password-less deployment
 Once the user-visible password surface has been eliminated, your organization can begin to transition those users into a password-less world.  A world where:

windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md

@@ -22,8 +22,8 @@ Microsoft Intune helps you create and deploy your enterprise data protection (WI
 ## In this section
 |Topic |Description |
 |------|------------|
-|[Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md)|Details about how to use the Azure portal for Microsoft Intune to create and deploy your WIP policy with MDM, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
+|[Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md)|Details about how to use the Azure portal for Microsoft Intune to create and deploy your WIP policy with MDM (Mobile Device Management), including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
-|[Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](create-wip-policy-using-mam-intune-azure.md)|Details about how to use the Azure portal for Microsoft Intune to create your WIP policy with MDM, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.|
+|[Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](create-wip-policy-using-mam-intune-azure.md)|Details about how to use the Azure portal for Microsoft Intune to create your WIP policy with MAM (Mobile Application Management), including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.|
 |[Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](create-wip-policy-using-intune.md) |Details about how to use the classic console for Microsoft Intune to create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
 |[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |
 |[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). |