deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-20 21:03:42 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

fix: Replace tab after ordered list marker

Browse Source 
Find: `\.\t`
Replace: `. `
This commit is contained in:
Nick Schonning
2019-07-18 01:31:57 -04:00
parent b9b4d2a15b
commit f418730793
116 changed files with 1193 additions and 1193 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
View File

@ -50,7 +50,7 @@ Requirements:
- Enterprise has MDM service already configured
- Enterprise AD must be registered with Azure AD
1. Run GPEdit.msc
1. Run GPEdit.msc
Click Start, then in the text box type gpedit.
@ -62,11 +62,11 @@ Requirements:
![MDM policies](images/autoenrollment-mdm-policies.png)
4. Double-click **Auto MDM Enrollment with AAD Token**.
4. Double-click **Auto MDM Enrollment with AAD Token**.
![MDM autoenrollment policy](images/autoenrollment-policy.png)
5. Click **Enable**, then click **OK**.
5. Click **Enable**, then click **OK**.
A task is created and scheduled to run every 5 minutes for the duration of 1 day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD."
@ -76,9 +76,9 @@ Requirements:
![Two-factor authentication notification](images/autoenrollment-2-factor-auth.png)
6. To verify successful enrollment to MDM , click **Start > Settings > Accounts > Access work or school**, then select your domain account.
6. To verify successful enrollment to MDM , click **Start > Settings > Accounts > Access work or school**, then select your domain account.
7. Click **Info** to see the MDM enrollment information.
7. Click **Info** to see the MDM enrollment information.
![Work School Settings](images/autoenrollment-settings-work-school.png)
@ -91,9 +91,9 @@ Requirements:
![Task Scheduler search result](images/autoenrollment-task-schedulerapp.png)
2. Under **Best match**, click **Task Scheduler** to launch it.
2. Under **Best match**, click **Task Scheduler** to launch it.
3. In **Task Scheduler Library**, open **Microsoft > Windows** , then click **EnterpriseMgmt**.
3. In **Task Scheduler Library**, open **Microsoft > Windows** , then click **EnterpriseMgmt**.
![Auto-enrollment scheduled task](images/autoenrollment-scheduled-task.png)
@ -122,11 +122,11 @@ Requirements:
> 5. Restart the Primary Domain Controller for the policy to be available.
> This procedure will work for any future version as well.
1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**.
2. Create a Security Group for the PCs.
3. Link the GPO.
4. Filter using Security Groups.
5. Enforce a GPO link.
1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**.
2. Create a Security Group for the PCs.
3. Link the GPO.
4. Filter using Security Groups.
5. Enforce a GPO link.
> [!NOTE]
> Version 1903 (March 2019) is actually on the Insider program and doesn't yet contain a downloadable version of Templates (version 1903).

16
windows/client-management/mdm/policy-csp-experience.md
View File

@ -1463,13 +1463,13 @@ _**Sync the browser settings automatically**_
_**Prevent syncing of browser settings and prevent users from turning it on**_
1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off).
2. Set **PreventUsersFromTurningOnBrowserSyncing** to 1 (Prevented/turned off).
1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off).
2. Set **PreventUsersFromTurningOnBrowserSyncing** to 1 (Prevented/turned off).
_**Prevent syncing of browser settings and let users turn on syncing**_
1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off).
2. Set **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on).
1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off).
2. Set **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on).
_**Turn syncing off by default but dont disable**_
@ -1550,13 +1550,13 @@ _**Sync the browser settings automatically**_
_**Prevent syncing of browser settings and prevent users from turning it on**_
1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off).
2. Set **PreventUsersFromTurningOnBrowserSyncing** to 1 (Prevented/turned off).
1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off).
2. Set **PreventUsersFromTurningOnBrowserSyncing** to 1 (Prevented/turned off).
_**Prevent syncing of browser settings and let users turn on syncing**_
1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off).
2. Set **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on).
1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off).
2. Set **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on).
<!--/SupportedValues-->
<!--Example-->

34
windows/client-management/troubleshoot-inaccessible-boot-device.md
View File

@ -131,7 +131,7 @@ If the BCD has the correct entries, check whether the **winload** and **bootmgr*
If the files are missing, and you want to rebuild the boot files, follow these steps:
1. Copy all the contents under the **SYSTEM** partition to another location. Alternatively, you can use the command prompt to navigate to the OS drive, create a new folder, and then copy all the files and folders from the **SYSTEM** volume, as follows:
1. Copy all the contents under the **SYSTEM** partition to another location. Alternatively, you can use the command prompt to navigate to the OS drive, create a new folder, and then copy all the files and folders from the **SYSTEM** volume, as follows:
```
D:\> Mkdir BootBackup
@ -155,13 +155,13 @@ R:\> Copy *.* D:\BootBackup
If you do not have a Windows 10 ISO, you must format the partition and copy **bootmgr** from another working computer that has a similar Windows build. To do this, follow these steps:
1. Start **Notepad** .
1. Start **Notepad** .
2. Press Ctrl+O.
2. Press Ctrl+O.
3. Navigate to the system partition (in this example, it is R).
3. Navigate to the system partition (in this example, it is R).
4. Right-click the partition, and then format it.
4. Right-click the partition, and then format it.
### Troubleshooting if this issue occurs after a Windows Update installation
@ -175,31 +175,31 @@ After you run this command, you will see the **Install pending** and **Uninstall
![Dism output](images/pendingupdate.png)
1. Run the `dism /Image:C:\ /Cleanup-Image /RevertPendingActions` command. Replace **C:** with the system partition for your computer.
1. Run the `dism /Image:C:\ /Cleanup-Image /RevertPendingActions` command. Replace **C:** with the system partition for your computer.
![Dism output](images/revertpending.png)
2. Navigate to ***OSdriveLetter* :\Windows\WinSxS** , and then check whether the **pending.xml** file exists. If it does, rename it to **pending.xml.old**.
2. Navigate to ***OSdriveLetter* :\Windows\WinSxS** , and then check whether the **pending.xml** file exists. If it does, rename it to **pending.xml.old**.
3. To revert the registry changes, type **regedit** at the command prompt to open **Registry Editor**.
3. To revert the registry changes, type **regedit** at the command prompt to open **Registry Editor**.
4. Select **HKEY_LOCAL_MACHINE**, and then go to **File** > **Load Hive**.
4. Select **HKEY_LOCAL_MACHINE**, and then go to **File** > **Load Hive**.
5. Navigate to **OSdriveLetter:\Windows\System32\config**, select the file that is named **COMPONENT** (with no extension), and then select **Open**. When you are prompted, enter the name **OfflineComponentHive** for the new hive
5. Navigate to **OSdriveLetter:\Windows\System32\config**, select the file that is named **COMPONENT** (with no extension), and then select **Open**. When you are prompted, enter the name **OfflineComponentHive** for the new hive
![Load Hive](images/loadhive.png)
6. Expand **HKEY_LOCAL_MACHINE\OfflineComponentHive**, and check whether the **PendingXmlIdentifier** key exists. Create a backup of the **OfflineComponentHive** key, and then delete the **PendingXmlIdentifier** key.
6. Expand **HKEY_LOCAL_MACHINE\OfflineComponentHive**, and check whether the **PendingXmlIdentifier** key exists. Create a backup of the **OfflineComponentHive** key, and then delete the **PendingXmlIdentifier** key.
7. Unload the hive. To do this, highlight **OfflineComponentHive**, and then select **File** > **Unload hive**.
7. Unload the hive. To do this, highlight **OfflineComponentHive**, and then select **File** > **Unload hive**.
![Unload Hive](images/unloadhive.png)![Unload Hive](images/unloadhive1.png)
8. Select **HKEY_LOCAL_MACHINE**, go to **File** > **Load Hive**, navigate to ***OSdriveLetter* :\Windows\System32\config**, select the file that is named **SYSTEM** (with no extension), and then select **Open** . When you are prompted, enter the name **OfflineSystemHive** for the new hive.
8. Select **HKEY_LOCAL_MACHINE**, go to **File** > **Load Hive**, navigate to ***OSdriveLetter* :\Windows\System32\config**, select the file that is named **SYSTEM** (with no extension), and then select **Open** . When you are prompted, enter the name **OfflineSystemHive** for the new hive.
9. Expand **HKEY_LOCAL_MACHINE\OfflineSystemHive**, and then select the **Select** key. Check the data for the **Default** value.
9. Expand **HKEY_LOCAL_MACHINE\OfflineSystemHive**, and then select the **Select** key. Check the data for the **Default** value.
10. If the data in **HKEY_LOCAL_MACHINE\OfflineSystemHive\Select\Default** is **1** , expand **HKEY_LOCAL_MACHINE\OfflineHive\ControlSet001**. If it is **2**, expand **HKEY_LOCAL_MACHINE\OfflineHive\ControlSet002**, and so on.
10. If the data in **HKEY_LOCAL_MACHINE\OfflineSystemHive\Select\Default** is **1** , expand **HKEY_LOCAL_MACHINE\OfflineHive\ControlSet001**. If it is **2**, expand **HKEY_LOCAL_MACHINE\OfflineHive\ControlSet002**, and so on.
11. Expand **Control\Session Manager**. Check whether the **PendingFileRenameOperations** key exists. If it does, back up the **SessionManager** key, and then delete the **PendingFileRenameOperations** key.
@ -209,9 +209,9 @@ After you run this command, you will see the **Install pending** and **Uninstall
1. Follow steps 1-10 in the "Troubleshooting if this issue occurs after an Windows Update installation" section. (Step 11 does not apply to this procedure.)
2. Expand **Services**.
2. Expand **Services**.
3. Make sure that the following registry keys exist under **Services**:
3. Make sure that the following registry keys exist under **Services**:
* ACPI

24
windows/client-management/troubleshoot-tcpip-port-exhaust.md
View File

@ -78,9 +78,9 @@ Reboot of the server will resolve the issue temporarily, but you would see all t
If you suspect that the machine is in a state of port exhaustion:
1. Try making an outbound connection. From the server/machine, access a remote share or try an RDP to another server or telnet to a server on a port. If the outbound connection fails for all of these, go to the next step.
1. Try making an outbound connection. From the server/machine, access a remote share or try an RDP to another server or telnet to a server on a port. If the outbound connection fails for all of these, go to the next step.
2. Open event viewer and under the system logs, look for the events which clearly indicate the current state:
2. Open event viewer and under the system logs, look for the events which clearly indicate the current state:
a. **Event ID 4227**
@ -133,12 +133,12 @@ For Windows 7 and Windows Server 2008 R2, you can update your Powershell version
If method 1 does not help you identify the process (prior to Windows 10 and Windows Server 2012 R2), then have a look at Task Manager:
1. Add a column called “handles” under details/processes.
2. Sort the column handles to identify the process with the highest number of handles. Usually the process with handles greater than 3000 could be the culprit except for processes like System, lsass.exe, store.exe, sqlsvr.exe.
1. Add a column called “handles” under details/processes.
2. Sort the column handles to identify the process with the highest number of handles. Usually the process with handles greater than 3000 could be the culprit except for processes like System, lsass.exe, store.exe, sqlsvr.exe.
![Screenshot of handles column in Windows Task Maner](images/tcp-ts-21.png)
3. If any other process than these has a higher number, stop that process and then try to login using domain credentials and see if it succeeds.
3. If any other process than these has a higher number, stop that process and then try to login using domain credentials and see if it succeeds.
### Method 3
@ -147,13 +147,13 @@ If Task Manager did not help you identify the process, then use Process Explorer
Steps to use Process explorer:
1. [Download Process Explorer](https://docs.microsoft.com/sysinternals/downloads/process-explorer) and run it **Elevated**.
2. Alt + click the column header, select **Choose Columns**, and on the **Process Performance** tab, add **Handle Count**.
3. Select **View \ Show Lower Pane**.
4. Select **View \ Lower Pane View \ Handles**.
5. Click the **Handles** column to sort by that value.
6. Examine the processes with higher handle counts than the rest (will likely be over 10,000 if you can't make outbound connections).
7. Click to highlight one of the processes with a high handle count.
8. In the lower pane, the handles listed as below are sockets. (Sockets are technically file handles).
2. Alt + click the column header, select **Choose Columns**, and on the **Process Performance** tab, add **Handle Count**.
3. Select **View \ Show Lower Pane**.
4. Select **View \ Lower Pane View \ Handles**.
5. Click the **Handles** column to sort by that value.
6. Examine the processes with higher handle counts than the rest (will likely be over 10,000 if you can't make outbound connections).
7. Click to highlight one of the processes with a high handle count.
8. In the lower pane, the handles listed as below are sockets. (Sockets are technically file handles).
File \Device\AFD

6
windows/client-management/troubleshoot-tcpip-rpc-errors.md
View File

@ -73,16 +73,16 @@ With Registry Editor, you can modify the following parameters for RPC. The RPC P
In this example ports 5000 through 6000 inclusive have been arbitrarily selected to help illustrate how the new registry key can be configured. This is not a recommendation of a minimum number of ports needed for any particular system.
1. Add the Internet key under: HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
1. Add the Internet key under: HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
2. Under the Internet key, add the values "Ports" (MULTI_SZ), "PortsInternetAvailable" (REG_SZ), and "UseInternetPorts" (REG_SZ).
2. Under the Internet key, add the values "Ports" (MULTI_SZ), "PortsInternetAvailable" (REG_SZ), and "UseInternetPorts" (REG_SZ).
For example, the new registry key appears as follows:
Ports: REG_MULTI_SZ: 5000-6000
PortsInternetAvailable: REG_SZ: Y
UseInternetPorts: REG_SZ: Y
3. Restart the server. All applications that use RPC dynamic port allocation use ports 5000 through 6000, inclusive.
3. Restart the server. All applications that use RPC dynamic port allocation use ports 5000 through 6000, inclusive.
You should open up a range of ports above port 5000. Port numbers below 5000 may already be in use by other applications and could cause conflicts with your DCOM application(s). Furthermore, previous experience shows that a minimum of 100 ports should be opened, because several system services rely on these RPC ports to communicate with each other.

12
windows/client-management/windows-10-mobile-and-mdm.md
View File

@ -978,12 +978,12 @@ Thisis a lists of attributes that are supported by DHA and can trigger the corre
Windows 10 mobile has protective measures that work together and integrate with Microsoft Intune or third-party Mobile Device Management (MDM) solutions. IT administrators can monitor and verify compliance to ensure corporate resources are protected end-toend with the security and trust rooted in the physical hardware of the device.
Here is what occurs when a smartphone is turned on:
1. Windows 10 Secure Boot protects the boot sequence, enables the device to boot into a defined and trusted configuration, and loads a factory trusted boot loader.
2. Windows 10 Trusted Boot takes control, verifies the digital signature of the Windows kernel, and the components are loaded and executed during the Windows startup process.
3. In parallel to Steps 1 and 2, Windows 10 Mobile TPM (Trusted Platform Modules measured boot) runs independently in a hardware-protected security zone (isolated from boot execution path monitors boot activities) to create an integrity protected and tamper evident audit trail - signed with a secret that is only accessible by TPM.
4. Devices managed by a DHA-enabled MDM solution send a copy of this audit trail to Microsoft Health Attestation Service (HAS) in a protected, tamper-resistant, and tamper-evident communication channel.
5. Microsoft HAS reviews the audit trails, issues an encrypted/signed report, and forwards it to the device.
6. IT managers can use a DHA-enabled MDM solution to review the report in a protected, tamper-resistant and tamper-evident communication channel. They can assess if a device is running in a compliant (healthy) state, allow access, or trigger corrective action aligned with security needs and enterprise policies.
1. Windows 10 Secure Boot protects the boot sequence, enables the device to boot into a defined and trusted configuration, and loads a factory trusted boot loader.
2. Windows 10 Trusted Boot takes control, verifies the digital signature of the Windows kernel, and the components are loaded and executed during the Windows startup process.
3. In parallel to Steps 1 and 2, Windows 10 Mobile TPM (Trusted Platform Modules measured boot) runs independently in a hardware-protected security zone (isolated from boot execution path monitors boot activities) to create an integrity protected and tamper evident audit trail - signed with a secret that is only accessible by TPM.
4. Devices managed by a DHA-enabled MDM solution send a copy of this audit trail to Microsoft Health Attestation Service (HAS) in a protected, tamper-resistant, and tamper-evident communication channel.
5. Microsoft HAS reviews the audit trails, issues an encrypted/signed report, and forwards it to the device.
6. IT managers can use a DHA-enabled MDM solution to review the report in a protected, tamper-resistant and tamper-evident communication channel. They can assess if a device is running in a compliant (healthy) state, allow access, or trigger corrective action aligned with security needs and enterprise policies.
### <a href="" id="asset-reporting"></a>Asset reporting