Merge remote-tracking branch 'refs/remotes/origin/master' into sfb-10015274

This commit is contained in:
Trudy Hakala
2016-12-01 14:40:46 -08:00
4 changed files with 24 additions and 20 deletions

View File

@ -115,7 +115,9 @@ To ensure that user computers are receiving the most up to date data from Micros
## Run the Upgrade Analytics deployment script
To automate many of the steps outlined above and to troubleshoot data sharing issues, you can run the Upgrade Analytics deployment script, developed by Microsoft.
To automate many of the steps outlined above and to troubleshoot data sharing issues, you can run the [Upgrade Analytics deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409), developed by Microsoft.
> The following guidance applies to version 11.30.16 or later of the Upgrade Analytics deployment script. If you are using an older version, please download the latest from [Download Center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409).
The Upgrade Analytics deployment script does the following:
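Review bot: The version caveat added in the new blockquote ("The following guidance applies to version 11.30.16 or later of the Upgrade Analytics deployment script") gives the reader no way to find out which version they have, so the "If you are using an older version" branch is not actionable; say where the version is recorded (for example in the extracted zip or in the script header) before telling people to re-download. Also, callouts elsewhere in this commit use the `> [!NOTE]` marker (see the onboarding topic below), while this one is a bare `>` quote; use the same marker so it renders as a note rather than a quotation.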
@ -125,7 +127,7 @@ The Upgrade Analytics deployment script does the following:
3. Checks whether the computer has a pending restart.  
4. Verifies that the latest version of KB package 10.0.x is installed (requires 10.0.14348 or subsequent releases).
4. Verifies that the latest version of KB package 10.0.x is installed (version 10.0.14348 or later is required, but version 10.0.14913 or later is recommended).
5. If enabled, turns on verbose mode for troubleshooting.
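Review bot: The new wording in step 4, "version 10.0.14348 or later is required, but version 10.0.14913 or later is recommended", leaves the behaviour between those two builds undefined: it is unclear whether the script passes, warns, or exits with code 19 ("This machine doesnt have the proper KBs installed") when 10.0.14348 is present but 10.0.14913 is not. State which outcome applies, and reconcile it with the step's opening phrase "Verifies that the latest version of KB package 10.0.x is installed", which implies that only the newest build is accepted.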
@ -135,17 +137,15 @@ The Upgrade Analytics deployment script does the following:
To run the Upgrade Analytics deployment script:
1. Download the [Upgrade Analytics deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract UpgradeAnalytics.zip. The files in the Diagnostics folder are necessary only if you plan to run the script in troubleshooting mode.
1. Download the [Upgrade Analytics deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract UpgradeAnalytics.zip. Inside, there are two folders: Pilot and Deployment. The Pilot folder contains advanced logging that can help troubleshoot issues and is inteded to be run from an elevated command prompt. The Deployment folder offers a lightweight script intended for broad deployment through ConfigMgr or other software deployment system. We recommend manually running the Pilot version of the script on 5-10 machines to verify that everything is configured correctly. Once you have confirmed that data is flowing successfully, proceed to run the Deployment version throughout your organization.
2. Edit the following parameters in RunConfig.bat:
1. Provide a storage location for log information. Example: %SystemDrive%\\UADiagnostics
1. Provide a storage location for log information. You can store log information on a remote file share or a local directory. If the script is blocked from creating the log file for the given path, it creates the log files in the drive with the Windows directory. Example: %SystemDrive%\\UADiagnostics
2. You can store log information on a remote file share or a local directory. If the script is blocked from creating the log file for the given path, it creates the log files in the drive with the Windows directory.
2. Input your commercial ID key. This can be found in your OMS workspace under Settings -> Connected Sources -> Windows Telemetry.
3. Input your commercial ID key.
4. By default, the script sends log information to both the console and the log file. To change the default behavior, use one of the following options:
3. By default, the script sends log information to both the console and the log file. To change the default behavior, use one of the following options:
> *logMode = 0 log to console only*
>
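Review bot: The new step 1 text says the log location may be a remote file share, but the final step of this same procedure says the Deployment version is run as system through ConfigMgr; a script running as SYSTEM reaches a share only with the computer account's credentials, so the share must grant write access to the machine accounts, otherwise the documented fallback ("it creates the log files in the drive with the Windows directory") silently kicks in and the central share stays empty. Add that caveat next to the remote-share sentence. Also fix the typo "inteded" -> "intended" in the Pilot/Deployment paragraph, and note that the sub-list is now numbered 1, 2, 3 here but the next hunk introduces a second "3."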
@ -153,9 +153,7 @@ To run the Upgrade Analytics deployment script:
>
> *logMode = 2 log to file only*
3. For troubleshooting, set isVerboseLogging to $true to generate log information that can help with diagnosing issues. By default, isVerboseLogging is set to $false. Ensure the Diagnostics folder is installed in the same directory as the script to use this mode.
4. To enable Internet Explorer data collection, set AllowIEData to IEDataOptIn. By default, AllowIEData is set to Disable. Then use one of the following options to determine what Internet Explorer data can be collected:
3. To enable Internet Explorer data collection, set AllowIEData to IEDataOptIn. By default, AllowIEData is set to Disable. Then use one of the following options to determine what Internet Explorer data can be collected:
> *IEOptInLevel = 0 Internet Explorer data collection is disabled*
>
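Review bot: The renumbered Internet Explorer step is labelled "3." but the preceding item in the same sub-list (the logMode step) is already "3.", so the list now reads 1, 2, 3, 3; renumber this one to 4 and the closing "run the script" step to 5. Dropping the isVerboseLogging instruction also leaves step 5 of the "does the following" list, "If enabled, turns on verbose mode for troubleshooting", with no documented way to enable it; either state that the Pilot version turns verbose logging on by itself or keep one sentence on the parameter.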
@ -165,9 +163,7 @@ To run the Upgrade Analytics deployment script:
>
> *IEOptInLevel = 3 Data collection is enabled for all sites*
5. Notify users if they need to restart their computers. By default, this is set to off.
6. After you finish editing the parameters in RunConfig.bat, run the script as an administrator.
4. After you finish editing the parameters in RunConfig.bat, you are ready to run the script. If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system.
The deployment script displays the following exit codes to let you know if it was successful, or if an error was encountered.
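Review bot: The new final step removes the "Notify users if they need to restart their computers" parameter from the documentation without saying whether it was removed from RunConfig.bat; if the parameter is still there, readers have lost its default (the old text said off). Also spell out that "run RunConfig.bat as system" means the Local System account, i.e. a ConfigMgr program set to run with administrative rights rather than the logged-on user's rights, since the contrast with the Pilot version's elevated user prompt is the point of the sentence.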
@ -197,8 +193,12 @@ The deployment script displays the following exit codes to let you know if it wa
<TR><TD>19<TD>This machine doesnt have the proper KBs installed. Make sure you have recent compatibility update KB downloaded.
<TR><TD>20<TD>Error writing RequestAllAppraiserVersions registry key.
<TR><TD>21<TD>Function SetRequestAllAppraiserVersions: Unexpected failure.
<TR><TD>22<TD>Error when running inventory scan.
<TR><TD>22<TD>RunAppraiser failed with unexpected exception.
<TR><TD>23<TD>Error finding system variable %WINDIR%.
<TR><TD>24<TD>SetIEDataOptIn failed when writing IEDataOptIn to registry.
<TR><TD>25<TD>SetIEDataOptIn failed with unexpected exception.
<TR><TD>26<TD>The operating system is LTSB SKU. The script does not support LTSB SKUs.
<TR><TD>27<TD>The operating system is Server SKU. The script does not support Server SKUs.
</TABLE>
</div>
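Review bot: Exit codes 26 and 27 document a new SKU check (LTSB and Server SKUs are rejected), but the "The Upgrade Analytics deployment script does the following" list earlier in this topic has no step for it; add one so the numbered list matches what the script actually does before it runs the appraiser. While this table is being edited, the context row for code 19 still reads "doesnt" (missing apostrophe) and is worth fixing in the same change.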

View File

@ -51,6 +51,10 @@ You can use System Center Configuration Managers existing functionality to cr
a. Choose a predefined device collection to deploy the package to.
> [!NOTE]
> Onboarding couldn't be completed during Out-Of-Box Experience (OOBE). Make sure users pass OOBE after running Windows installation or upgrading.
### Configure sample collection settings
For each endpoint, you can set a configuration value to state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
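Review bot: The new note "Onboarding couldn't be completed during Out-Of-Box Experience (OOBE). Make sure users pass OOBE after running Windows installation or upgrading." reads as a past-tense incident rather than a rule; suggest "Onboarding cannot be completed during the Out-Of-Box Experience (OOBE). Make sure users complete OOBE after installing or upgrading Windows, and only then run the onboarding package." The `[!NOTE]` block is also inserted directly after sub-step "a." with no blank line before the "### Configure sample collection settings" heading, so check that it renders as a callout and not as a continuation of the list item.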

View File

@ -20,7 +20,7 @@ localizationpriority: high
You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10.
>[!IMPORTANT]
>The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. It still prevents or enables the creation of a convenience PIN for Windows 10, version 1507 and 1511.
>The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. Use the **Turn on PIN sign-in** setting to allow or deny the use of a convenience PIN for Windows 10, versions 1507, 1511, and 1607.
>
>Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**.
>
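Review bot: The rewritten IMPORTANT line says to use **Turn on PIN sign-in** to allow or deny a convenience PIN on version 1607, but the next sentence in the same callout says that on 1607 the setting to enable a convenience PIN is **Turn on convenience PIN sign-in**. Both cannot be right for 1607; if the setting was renamed in 1607, list only "versions 1507 and 1511" in the first sentence and leave 1607 to the second, rather than naming 1607 in both.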
@ -376,4 +376,4 @@ The PIN is managed using the same Windows Hello for Business policies that you c
[Event ID 300 - Windows Hello successfully created](passport-event-300.md)
[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
 
 

View File

@ -93,7 +93,7 @@ This section is an overview that describes different parts of the end-to-end sec
| Number | Part of the solution | Description |
| - | - | - |
| **1** | Windows 10-based device | The first time a Windows 10-based device is powered on, the out-of-box experience (OOBE) screen is displayed. During setup, the device can be automatically registered into Azure Active Directory (AD) and enrolled in MDM.<br/>A Windows 10-based device with a TPM can report health status at any time by using the Health Attestation Service available with all editions of Windows 10.|
| **1** | Windows 10-based device | The first time a Windows 10-based device is powered on, the out-of-box experience (OOBE) screen is displayed. During setup, the device can be automatically registered into Azure Active Directory (AD) and enrolled in MDM.<br/>A Windows 10-based device with TPM can report health status at any time by using the Health Attestation Service available with all editions of Windows 10.|
| **2** | Identity provider | Azure AD contains users, registered devices, and registered application of organizations tenant. A device always belongs to a user and a user can have multiple devices. A device is represented as an object with different attributes like the compliance status of the device. A trusted MDM can update the compliance status.<br/>Azure AD is more than a repository. Azure AD is able to authenticate users and devices and can also authorize access to managed resources. Azure AD has a conditional access control engine that leverages the identity of the user, the location of the device and also the compliance status of the device when making a trusted access decision.|
| **3**|Mobile device management| Windows 10 has MDM support that enables the device to be managed out-of-box without deploying any agent.<br/>MDM can be Microsoft Intune or any third-party MDM solution that is compatible with Windows 10.|
| **4** | Remote health attestation | The Health Attestation Service is a trusted cloud service operated by Microsoft that performs a series of health checks and reports to MDM what Windows 10 security features are enabled on the device.<br/>Security verification includes boot state (WinPE, Safe Mode, Debug/test modes) and components that manage security and integrity of runtime operations (BitLocker, Device Guard).|
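Review bot: Changing "a Windows 10-based device with a TPM" to "with TPM" in row 1 drops a needed article; a TPM is a discrete or firmware device, so "with a TPM" is the correct form and matches "the TPM PCR registers" used later in this topic. Keep the original wording here and in the two later hunks that make the same change. The context row 2 also still reads "registered application of organizations tenant" (should be "registered applications of an organization's tenant") if you are touching this table anyway.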
@ -416,7 +416,7 @@ Health attestation logs the measurements in various TPM Platform Configuration R
![figure 6](images/hva-fig6-logs.png)
When starting a device equipped with a TPM, a measurement of different components is performed. This includes firmware, UEFI drivers, CPU microcode, and also all the Windows 10 drivers whose type is Boot Start. The raw measurements are stored in the TPM PCR registers while the details of all events (executable path, authority certification, and so on) are available in the TCG log.
When starting a device equipped with TPM, a measurement of different components is performed. This includes firmware, UEFI drivers, CPU microcode, and also all the Windows 10 drivers whose type is Boot Start. The raw measurements are stored in the TPM PCR registers while the details of all events (executable path, authority certification, and so on) are available in the TCG log.
![figure 7](images/hva-fig7-measurement.png)
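Review bot: Same article problem as in the table row above: "a device equipped with TPM" should stay "equipped with a TPM". If the goal was to read TPM as a capability rather than a part, "a TPM-equipped device" is the idiomatic alternative; "equipped with TPM" is not.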
@ -436,7 +436,7 @@ The number of retained logs may be set with the registry **REG\_DWORD** value **
 
The following process describes how health boot measurements are sent to the health attestation service:
1. The client (a Windows 10-based device with a TPM) initiates the request with the remote device health attestation service. Because the health attestation server is expected to be a Microsoft cloud service, the URI is already pre-provisioned in the client.
1. The client (a Windows 10-based device with TPM) initiates the request with the remote device health attestation service. Because the health attestation server is expected to be a Microsoft cloud service, the URI is already pre-provisioned in the client.
2. The client then sends the TCG log, the AIK signed data (PCR values, boot counter) and the AIK certificate information.
3. The remote device heath attestation service then:
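Review bot: Same article change as in the other two hunks ("with TPM"); keep "with a TPM". While editing this step, fix the context line "The remote device heath attestation service" -> "health attestation service", which is the name used in step 1 and in the sentence introducing the list.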