deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 14:27:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #2052 from MicrosoftDocs/master

Browse Source 
Publish 2/12/2020 3:34 PM PST
This commit is contained in:
Thomas Raya 2020-02-12 17:46:56 -06:00 committed by GitHub
commit f35b3d4555
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 39 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
devices/hololens/hololens-recovery.md
View File

@ -110,8 +110,8 @@ The Advanced Recovery Companion is a new app in Microsoft Store restore the oper
>In the event that a HoloLens 2 gets into a state where Advanced Recovery Companion cannot recognize the device, and it does not boot, try forcing the device into Flashing Mode and recovering it with Advanced Recovery Companion:
1. Connect the HoloLens 2 to a PC with Advanced Recovery Companion installed.
1. Press and hold the **Volume Up and Power buttons** until the device reboots. Release the Power button, but continue to hold the Volume Up button until the third LED is lit. It will the the only lit LED.
1. The device should be visible in **Device Manager** as a **Microsoft HoloLens Recovery** device:
1. Press and hold the **Volume Up and Power buttons** until the device reboots. Release the Power button, but continue to hold the Volume Up button until the third LED is lit.
1. The device should be visible in **Device Manager** as a **Microsoft HoloLens Recovery** device.
1. Launch Advanced Recovery Companion, and follow the on-screen prompts to reflash the OS to the HoloLens 2.
### HoloLens (1st gen)

BIN
devices/surface/images/config-mgr-semm-fig3.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 30 KiB

After

Width:  |  Height:  |  Size: 26 KiB

15
devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
View File

@ -75,7 +75,6 @@ To create a new application and deploy it to a collection that contains your Sur
* **Import Information** The Create Application Wizard will parse the .msi file and read the **Application Name** and **Product Code**. SurfaceUEFIManagerSetup.msi should be listed as the only file under the line **Content Files**, as shown in Figure 1. Select **Next** to proceed.
![Information from Surface UEFI Manager setup is automatically parsed](images/config-mgr-semm-fig1.png "Information from Surface UEFI Manager setup is automatically parsed")
*Figure 1. Information from Microsoft Surface UEFI Manager setup is automatically parsed*
@ -107,7 +106,7 @@ The sample scripts include examples of how to set Surface UEFI settings and how
The first region of the script that you need to modify is the portion that specifies and loads the SEMM certificate, and also indicates SurfaceUEFIManager version, and the names for the SEMM configuration package and SEMM reset package. The certificate name and SurfaceUEFIManager version are specified on lines 56 through 73 in the ConfigureSEMM.ps1 script.
```
```powershell
56 $WorkingDirPath = split-path -parent $MyInvocation.MyCommand.Definition
57 $packageRoot = "$WorkingDirPath\Config"
58 $certName = "FabrikamSEMMSample.pfx"
@ -137,7 +136,7 @@ On line 73, replace the value of the **$password** variable, from **1234** to th
> [!Note]
> The last two characters of the certificate thumbprint are required to enroll a device in SEMM. This script will display these digits to the user, which allows the user or technician to record these digits before the system reboots to enroll the device in SEMM. The script uses the following code, found on lines 150-155, to accomplish this.
```
```powershell
150 # Device owners will need the last two characters of the thumbprint to accept SEMM ownership.
151 # For convenience we get the thumbprint here and present to the user.
152 $pw = ConvertTo-SecureString $password -AsPlainText -Force
@ -163,7 +162,7 @@ Administrators with access to the certificate file (.pfx) can read the thumbprin
The first region of the script where you will specify the configuration for Surface UEFI is the **Configure Permissions** region. This region begins at line 210 in the sample script with the comment **# Configure Permissions** and continues to line 247. The following code fragment first sets permissions to all Surface UEFI settings so that they may be modified by SEMM only, then adds explicit permissions to allow the local user to modify the Surface UEFI password, TPM, and front and rear cameras.
```
```powershell
210 # Configure Permissions
211 foreach ($uefiV2 IN $surfaceDevices.Values) {
212 if ($uefiV2.SurfaceUefiFamily -eq $Device.Model) {
@ -215,7 +214,7 @@ You can find information about the available settings names and IDs for Surface
The second region of the script where you will specify the configuration for Surface UEFI is the **Configure Settings** region of the ConfigureSEMM.ps1 script, which configures whether each setting is enabled or disabled. The sample script includes instructions to set all settings to their default values. The script then provides explicit instructions to disable IPv6 for PXE Boot and to leave the Surface UEFI Administrator password unchanged. You can find this region beginning with the **# Configure Settings** comment at line 291 through line 335 in the sample script. The region appears as follows.
```
```powershell
291 # Configure Settings
292 foreach ($uefiV2 IN $surfaceDevices.Values) {
293 if ($uefiV2.SurfaceUefiFamily -eq $Device.Model) {
@ -277,7 +276,7 @@ To identify enrolled systems for Configuration Manager, the ConfigureSEMM.ps1 sc
The following code fragment, found on lines 380-477, is used to write these registry keys.
```
```powershell
380 # For Endpoint Configuration Manager or other management solutions that wish to know what version is applied, tattoo the LSV and current DateTime (in UTC) to the registry:
381 $UTCDate = (Get-Date).ToUniversalTime().ToString()
382 $certIssuer = $certPrint.Issuer
@ -480,10 +479,10 @@ To add the SEMM Configuration Manager scripts to Configuration Manager as an app
- Select **Registry** from the **Setting Type** drop-down menu.
- Select **HKEY_LOCAL_MACHINE** from the **Hive** drop-down menu.
- Enter **SOFTWARE\Microsoft\Surface\SEMM** in the **Key** field.
- Enter **Enabled_Version1000** in the **Value** field.
- Enter **CertName** in the **Value** field.
- Select **String** from the **Data Type** drop-down menu.
- Select the **This registry setting must satisfy the following rule to indicate the presence of this application** button.
- Enter **1** in the **Value** field.
- Enter the name of the certificate you entered in line 58 of the script in the **Value** field.
- Select **OK** to close the **Detection Rule** window.
![Use a registry key to identify devices enrolled in SEMM](images/config-mgr-semm-fig3.png "Use a registry key to identify devices enrolled in SEMM")

4
windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
View File

@ -18,6 +18,9 @@ manager: dansimp
- Windows 10, version 1703
- Windows 10 Mobile, version 1703
>[!IMPORTANT]
>Cortana for Power BI is deprecated and will not be available in future releases. This topic is provided as a reference for previous versions only.
Integration between Cortana and Power BI shows how Cortana can work with custom business analytics solutions to enable you to get answers directly from your key business data, including introducing new features that let you create custom Cortana “answers” using the full capabilities of Power BI Desktop.
>[!Note]
@ -35,6 +38,7 @@ To use this walkthrough, youll need:
- **Azure Active Directory (Azure AD)/Work or School account**. You can use the account that you created for Office 365, or you can create a new one while youre establishing your Power BI account. If you choose to use Azure AD, you must connect your Azure AD account to your Windows account.
**To connect your account to Windows**
a. Open **Windows Settings**, click **Accounts**, click **Access work or school**, and then in the **Connect to work or school** section, click **Connect**.
b. Follow the instructions to add your Azure Active Directory (Azure AD) account to Windows.

11
windows/security/identity-protection/credential-guard/credential-guard-requirements.md
View File

@ -31,7 +31,7 @@ For Windows Defender Credential Guard to provide protection, the computers you a
To provide basic protections against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Windows Defender Credential Guard uses:
- Support for Virtualization-based security (required)
- Secure boot (required)
- TPM 1.2 or 2.0, either discrete or firmware (preferred - provides binding to hardware)
- TPM 1.2 or 2.0 (preferred - provides binding to hardware), either discrete or firmware
- UEFI lock (preferred - prevents attacker from disabling with a simple registry key change)
The Virtualization-based security requires:
@ -48,9 +48,9 @@ Credential Guard can protect secrets in a Hyper-V virtual machine, just as it wo
- The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607.
- The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and be running at least Windows Server 2016 or Windows 10.
For information about other host platforms, see [Enabling Windows Server 2016 and Hyper-V virtualization based security features on other platforms](https://blogs.technet.microsoft.com/windowsserver/2016/09/29/enabling-windows-server-2016-and-hyper-v-virtualization-based-security-features-on-other-platforms/)
For information about other host platforms, see [Enabling Windows Server 2016 and Hyper-V virtualization based security features on other platforms](https://blogs.technet.microsoft.com/windowsserver/2016/09/29/enabling-windows-server-2016-and-hyper-v-virtualization-based-security-features-on-other-platforms/).
For information about Windows Defender Remote Credential Guard hardware and software requirements, see [Windows Defender Remote Credential Guard requirements](https://docs.microsoft.com/windows/access-protection/remote-credential-guard#hardware-and-software-requirements)
For information about Windows Defender Remote Credential Guard hardware and software requirements, see [Windows Defender Remote Credential Guard requirements](https://docs.microsoft.com/windows/access-protection/remote-credential-guard#hardware-and-software-requirements).
## Application requirements
@ -85,8 +85,9 @@ Computers that meet additional qualifications can provide additional protections
The following tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017.
> [!NOTE]
> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new shipping computers. <br>
> If you are an OEM, see [PC OEM requirements for Windows Defender Device Guard and Windows Defender Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).<br>
> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new shipping computers.
>
> If you are an OEM, see [PC OEM requirements for Windows Defender Device Guard and Windows Defender Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).
### Baseline protections

14
windows/security/identity-protection/hello-for-business/hello-faq.md
View File

@ -31,7 +31,7 @@ Microsoft is committed to its vision of a <u>world without passwords.</u> We rec
RDP currently does not support key based authentication and does not support self signed certificates. RDP with Windows Hello for Business is currently only supported with certificate based deployments.
## Can I deploy Windows Hello for Business using Microsoft Endpoint Configuration Manager?
Windows Hello for Business deployments using Configuration Manager need to move to the hybrid deployment model that uses Active Directory Federation Services. Deployments using Configuration Manager will no longer be supported after November 2018.
Windows Hello for Business deployments using Configuration Manager should use the hybrid deployment model that uses Active Directory Federation Services. Starting in Configuration Manager version 1910, certificate-based authentication with Windows Hello for Business settings isn't supported. Key-based authentication is still valid with Configuration Manager. For more information, see [Windows Hello for Business settings in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-hello-for-business-settings).
## How many users can enroll for Windows Hello for Business on a single Windows 10 computer?
The maximum number of supported enrollments on a single Windows 10 computer is 10. That enables 10 users to each enroll their face and up to 10 fingerprints. While we support 10 enrollments, we will strongly encourage the use of Windows Hello security keys for the shared computer scenario when they become available.
@ -51,7 +51,7 @@ It is currently possible to set a convenience PIN on Azure Active Directory Join
No. Windows 10 currently only supports one Windows Hello for Business camera and does not fluidly switch to an external camera when the computer is docked with the lid closed. The product group is aware of this and is investigating this topic further.
## What is the password-less strategy?
Watch Principal Program Manager Karanbir Singh's Ignite 2017 presentation **Microsoft's guide for going password-less**
Watch Principal Program Manager Karanbir Singh's Ignite 2017 presentation **Microsoft's guide for going password-less**.
[Microsoft's password-less strategy](hello-videos.md#microsofts-passwordless-strategy)
@ -93,7 +93,7 @@ The **key trust** model authenticates to Active Directory using a raw key. Wind
The **certificate trust** model authenticates to Active Directory using a certificate. Because this authentication uses a certificate, domain controllers running previous versions of Windows Server can authenticate the user. Therefore, you need to issue certificates to your end users, but you do not need Windows Server 2016 domain controllers. The certificate used in certificate trust uses the TPM protected private key to request a certificate from your enterprise's issuing certificate authority.
## Do I need Windows Server 2016 domain controllers?
There are many deployment options from which to choose. Some of those options require an adequate number of Windows Server 2016 domain controllers in the site where you have deployed Windows Hello for Business. There are other deployment options that use existing Windows Server 2008 R2 or later domain controllers. Choose the deployment option that best suits your environment
There are many deployment options from which to choose. Some of those options require an adequate number of Windows Server 2016 domain controllers in the site where you have deployed Windows Hello for Business. There are other deployment options that use existing Windows Server 2008 R2 or later domain controllers. Choose the deployment option that best suits your environment.
## What attributes are synchronized by Azure AD Connect with Windows Hello for Business?
Review [Azure AD Connect sync: Attributes synchronized to Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized) for a list of attributes that are sync based on scenarios. The base scenarios that include Windows Hello for Business are [Windows 10](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#windows-10) scenario and the [Device writeback](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#device-writeback) scenario. Your environment may include additional attributes.
@ -111,7 +111,7 @@ Starting in Windows 10, version 1709, you can use multi-factor unlock to require
Windows Hello represents the biometric framework provided in Windows 10. Windows Hello enables users to use biometrics to sign into their devices by securely storing their user name and password and releasing it for authentication when the user successfully identifies themselves using biometrics. Windows Hello for Business uses asymmetric keys protected by the device's security module that requires a user gesture (PIN or biometrics) to authenticate.
## Why can't I enroll biometrics for my local built-in Administrator?
Windows 10 does not allow the local administrator to enroll biometric gestures(face or fingerprint).
Windows 10 does not allow the local administrator to enroll biometric gestures (face or fingerprint).
## I have extended Active Directory to Azure Active Directory. Can I use the on-premises deployment model?
No. If your organization is federated or using on-line services, such as Azure AD Connect, Office 365, or OneDrive, then you must use a hybrid deployment model. On-premises deployments are exclusive to organization who need more time before moving to the cloud and exclusively use Active Directory.
@ -144,7 +144,7 @@ The smart card emulation feature of Windows Hello for Business verifies the PIN
No. The movement away from passwords is accomplished by gradually reducing the use of the password. In the occurrence where you cannot authenticate with biometrics, you need a fall back mechanism that is not a password. The PIN is the fall back mechanism. Disabling or hiding the PIN credential provider disabled the use of biometrics.
## How are keys protected?
Wherever possible, Windows Hello for Business takes advantage of trusted platform module (TPM) 2.0 hardware to generate and protect keys. However, Windows Hello and Windows Hello for Business does not require a TPM. Administrators can choose to allow key operations in software
Wherever possible, Windows Hello for Business takes advantage of trusted platform module (TPM) 2.0 hardware to generate and protect keys. However, Windows Hello and Windows Hello for Business does not require a TPM. Administrators can choose to allow key operations in software.
Whenever possible, Microsoft strongly recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will have to reset the PIN (which means he or she will have to use MFA to re-authenticate to the IDP before the IDP allows him or her to re-register).
@ -155,7 +155,7 @@ Yes. You can use the on-premises Windows Hello for Business deployment and comb
Yes, if you are federated hybrid deployment, you can use any third-party that provides an Active Directory Federation Services (AD FS) multi-factor authentication adapter. A list of third-party MFA adapters can be found [here](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods).
## Does Windows Hello for Business work with third party federation servers?
Windows Hello for Business can work with any third-party federation servers that support the protocols used during provisioning experience. Interested third-parties can inquiry at [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration)
Windows Hello for Business can work with any third-party federation servers that support the protocols used during provisioning experience. Interested third-parties can inquiry at [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration).
| Protocol | Description |
| :---: | :--- |
@ -165,5 +165,5 @@ Windows Hello for Business can work with any third-party federation servers that
| [[MS-OIDCE]: OpenID Connect 1.0 Protocol Extensions](https://msdn.microsoft.com/library/mt766592.aspx) | Specifies the OpenID Connect 1.0 Protocol Extensions. These extensions define additional claims to carry information about the end user, including the user principal name, a locally unique identifier, a time for password expiration, and a URL for password change. These extensions also define additional provider meta-data that enable the discovery of the issuer of access tokens and give additional information about provider capabilities. |
## Does Windows Hello for Business work with Mac and Linux clients?
Windows Hello for Business is a feature of Windows 10. At this time, Microsoft is not developing clients for other platforms. However, Microsoft is open to third parties who are interested in moving these platforms away from passwords. Interested third parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration)
Windows Hello for Business is a feature of Windows 10. At this time, Microsoft is not developing clients for other platforms. However, Microsoft is open to third parties who are interested in moving these platforms away from passwords. Interested third parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration).

16
windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
View File

@ -138,16 +138,16 @@ structure required for your environment.
## Adoption Order
In many cases organizations will have existing endpoint security products in
place. The bare minimum every organization should have is an antivirus solution. But in some cases an organization might also already implanted an EDR solution.
Historically, replacing any security solution was time intensive and difficult
to achieve due to the tight hooks into the application layer and infrastructure
In many cases, organizations will have existing endpoint security products in
place. The bare minimum every organization should have is an antivirus solution. But in some cases, an organization might also have implanted an EDR solution already.
Historically, replacing any security solution used to be time intensive and difficult
to achieve, due to the tight hooks into the application layer and infrastructure
dependencies. However, because Microsoft Defender ATP is built into the
operating system, replacing third-party solutions is easy to achieve.
operating system, replacing third-party solutions is now easy to achieve.
Choose which component of Microsoft Defender ATP to be used and remove the ones
that do not apply. The table below indicates the Microsoft recommendation on the
order on how the endpoint security suite should be enabled.
Choose the component of Microsoft Defender ATP to be used and remove the ones
that do not apply. The table below indicates the order Microsoft recommends for
how the endpoint security suite should be enabled.
| Component | Description | Adoption Order Rank |
|-----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------|

2
windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
View File

@ -26,7 +26,7 @@ ms.topic: article
Web content filtering is part of [Web protection](web-protection-overview.md) in Microsoft Defender ATP. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic due to compliance regulations, bandwidth usage, or other concerns.
You can configure policies across your machine groups to block certain categories, effectively preventing users within specified machine groups from accessing URLs within that category. If a category is not blocked, all your users will be able to access the URLs without disruption. However, web content filtering will continue to gather access statistics that you can use to understand web usage and inform future policy decisions.
You can configure policies across your machine groups to block certain categories, effectively preventing users within specified machine groups from accessing URLs within that category. If a category is not blocked, all your users will be able to access the URLs without disruption. However, web content filtering will continue to gather access statistics that you can use to understand web usage and inform future policy decisions. If an element on the page youre viewing is making calls to a resource which is blocked, you will see a block notification.
Web content filtering is available on most major web browsers, with blocks performed by SmartScreen (Edge) and Network Protection (Internet Explorer, Chrome, Firefox, and all other browsers). See the prerequisites section for more information about browser support.