diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json index 5d581c9574..294efd050c 100644 --- a/.openpublishing.publish.config.json +++ b/.openpublishing.publish.config.json @@ -510,6 +510,9 @@ "notification_subscribers": [ "elizapo@microsoft.com" ], + "sync_notification_subscribers": [ + "daniha@microsoft.com" + ], "branches_to_filter": [ "" ], @@ -518,6 +521,7 @@ "skip_source_output_uploading": false, "need_preview_pull_request": true, "resolve_user_profile_using_github": true, + "contribution_branch_mappings": {}, "dependent_repositories": [ { "path_to_root": "_themes.pdf", @@ -547,11 +551,7 @@ ] }, "need_generate_pdf_url_template": true, - "targets": { - "Pdf": { - "template_folder": "_themes.pdf" - } - }, + "targets": {}, "need_generate_pdf": false, "need_generate_intellisense": false } \ No newline at end of file diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md index f4df822a14..d24333f170 100644 --- a/devices/surface-hub/TOC.md +++ b/devices/surface-hub/TOC.md @@ -32,7 +32,7 @@ #### [Wireless network management](wireless-network-management-for-surface-hub.md) ### [Install apps on your Surface Hub](install-apps-on-surface-hub.md) ### [Configure Surface Hub Start menu](surface-hub-start-menu.md) -### [Set up and use Whiteboard to Whiteboard collaboration](whiteboard-collaboration.md) +### [Set up and use Microsoft Whiteboard](whiteboard-collaboration.md) ### [End a Surface Hub meeting with End session](i-am-done-finishing-your-surface-hub-meeting.md) ### [Sign in to Surface Hub with Microsoft Authenticator](surface-hub-authenticator-app.md) ### [Save your BitLocker key](save-bitlocker-key-surface-hub.md) diff --git a/devices/surface-hub/create-a-device-account-using-office-365.md b/devices/surface-hub/create-a-device-account-using-office-365.md index dc313f8f5d..2d52e698c0 100644 --- a/devices/surface-hub/create-a-device-account-using-office-365.md +++ b/devices/surface-hub/create-a-device-account-using-office-365.md @@ -190,15 +190,15 @@ Enable the device account with Skype for Business. In order to enable Skype for Business, your environment will need to meet the following prerequisites: -- You'll need to have Lync Online (Plan 2) or higher in your O365 plan. The plan needs to support conferencing capability. -- If you need Enterprise Voice (PSTN telephony) using telephony service providers for the Surface Hub, you need Lync Online (Plan 3). +- You'll need to have Skype for Business Online Standalone Plan 2 or higher in your O365 plan. The plan needs to support conferencing capability. +- If you need Enterprise Voice (PSTN telephony) using telephony service providers for the Surface Hub, you need Skype for Business Online Standalone Plan 3. - Your tenant users must have Exchange mailboxes. -- Your Surface Hub account does require a Lync Online (Plan 2) or Lync Online (Plan 3) license, but it does not require an Exchange Online license. +- Your Surface Hub account does require a Skype for Business Online Standalone Plan 2 or Skype for Business Online Standalone Plan 3 license, but it does not require an Exchange Online license. 1. Start by creating a remote PowerShell session from a PC. ```PowerShell - Import-Module LyncOnlineConnector + Import-Module SkypeOnlineConnector $cssess=New-CsOnlineSession -Credential $cred Import-PSSession $cssess -AllowClobber ``` @@ -348,15 +348,15 @@ Enable the device account with Skype for Business. In order to enable Skype for Business, your environment will need to meet the following prerequisites: -- You'll need to have Lync Online (Plan 2) or higher in your O365 plan. The plan needs to support conferencing capability. -- If you need Enterprise Voice (PSTN telephony) using telephony service providers for the Surface Hub, you need Lync Online (Plan 3). +- You'll need to have Skype for Business Online Standalone Plan 2 or higher in your O365 plan. The plan needs to support conferencing capability. +- If you need Enterprise Voice (PSTN telephony) using telephony service providers for the Surface Hub, you need Skype for Business Online Standalone Plan 3. - Your tenant users must have Exchange mailboxes. -- Your Surface Hub account does require a Lync Online (Plan 2) or Lync Online (Plan 3) license, but it does not require an Exchange Online license. +- Your Surface Hub account does require a Skype for Business Online Standalone Plan 2 or Skype for Business Online Standalone Plan 3 license, but it does not require an Exchange Online license. 1. Start by creating a remote PowerShell session from a PC. ```PowerShell - Import-Module LyncOnlineConnector + Import-Module SkypeOnlineConnector $cssess=New-CsOnlineSession -Credential $cred Import-PSSession $cssess -AllowClobber ``` @@ -372,8 +372,7 @@ If you aren't sure what value to use for the `RegistrarPool` parameter in your e 3. To enable your Surface Hub account for Skype for Business Server, run this cmdlet: ```PowerShell - Enable-CsMeetingRoom -Identity $strEmail -RegistrarPool - "sippoolbl20a04.infra.lync.com" -SipAddressType EmailAddress + Enable-CsMeetingRoom -Identity $strEmail -RegistrarPool "sippoolbl20a04.infra.lync.com" -SipAddressType EmailAddress ``` diff --git a/devices/surface-hub/manage-surface-hub.md b/devices/surface-hub/manage-surface-hub.md index 9518232b8b..da29b06c9d 100644 --- a/devices/surface-hub/manage-surface-hub.md +++ b/devices/surface-hub/manage-surface-hub.md @@ -32,7 +32,7 @@ Learn about managing and updating Surface Hub. | [Manage Surface Hub settings](manage-surface-hub-settings.md) |Topics related to managing Surface Hub settings: accessibility, device account, device reset, fully qualified domain name, Windows Update settings, and wireless network | | [Install apps on your Surface Hub]( https://technet.microsoft.com/itpro/surface-hub/install-apps-on-surface-hub) | Admins can install apps can from either the Microsoft Store or the Microsoft Store for Business.| [Configure Surface Hub Start menu](surface-hub-start-menu.md) | Use MDM to customize the Start menu for Surface Hub. -| [Set up and use Whiteboard to Whiteboard collaboration](whiteboard-collaboration.md) | Microsoft Whiteboard’s latest update includes the capability for two Surface Hubs to collaborate in real time on the same board. | +| [Set up and use Microsoft Whiteboard](whiteboard-collaboration.md) | Microsoft Whiteboard’s latest update includes the capability for two Surface Hubs to collaborate in real time on the same board. | | [End a meeting with End session](https://technet.microsoft.com/itpro/surface-hub/i-am-done-finishing-your-surface-hub-meeting) | At the end of a meeting, users can tap **End session** to clean up any sensitive data and prepare the device for the next meeting.| | [Sign in to Surface Hub with Microsoft Authenticator](surface-hub-authenticator-app.md) | You can sign in to a Surface Hub without a password using the Microsoft Authenticator app, available on Android and iOS. | | [Save your BitLocker key](https://technet.microsoft.com/itpro/surface-hub/save-bitlocker-key-surface-hub) | Every Surface Hub is automatically set up with BitLocker drive encryption software. Microsoft strongly recommends that you make sure you back up your BitLocker recovery keys.| diff --git a/devices/surface-hub/surface-hub-recovery-tool.md b/devices/surface-hub/surface-hub-recovery-tool.md index 262bcc5d2a..e6e0eeb5c1 100644 --- a/devices/surface-hub/surface-hub-recovery-tool.md +++ b/devices/surface-hub/surface-hub-recovery-tool.md @@ -46,9 +46,9 @@ If the tool is unsuccessful in reimaging your drive, please contact [Surface Hub ## Download Surface Hub Recovery Tool -Surface Hub Recovery Tool is available for download from [Surface Hub Tools for IT](https://www.microsoft.com/download/details.aspx?id=52210) under the file name **SurfaceHub_Recovery_v1.4.137.0.msi**. +Surface Hub Recovery Tool is available for download from [Surface Hub Tools for IT](https://www.microsoft.com/download/details.aspx?id=52210) under the file name **SurfaceHub_Recovery_v1.14.137.0.msi**. -To start the download, click **Download**, choose **SurfaceHub_Recovery_v1.4.137.0.msi** from the list, and click **Next**. From the pop-up, choose one of the following: +To start the download, click **Download**, choose **SurfaceHub_Recovery_v1.14.137.0.msi** from the list, and click **Next**. From the pop-up, choose one of the following: - Click **Run** to start the installation immediately. - Click **Save** to copy the download to your computer for later installation. @@ -96,4 +96,4 @@ The reimaging process appears halted/frozen | It is safe to close and restart th The drive isn’t recognized by the tool | Verify that the Surface Hub SSD is enumerated as a Lite-On drive, "LITEON L CH-128V2S USB Device". If the drive is recognized as another named device, your current cable isn’t compatible. Try another cable or one of the tested cable listed above. Error: -2147024809 | Open Disk Manager and remove the partitions on the Surface Hub drive. Disconnect and reconnect the drive to the host machine. Restart the imaging tool again. -If the tool is unsuccessful in reimaging your drive, please contact [Surface Hub Support](https://support.microsoft.com/help/4037644/surface-contact-surface-warranty-and-software-support). \ No newline at end of file +If the tool is unsuccessful in reimaging your drive, please contact [Surface Hub Support](https://support.microsoft.com/help/4037644/surface-contact-surface-warranty-and-software-support). diff --git a/devices/surface-hub/whiteboard-collaboration.md b/devices/surface-hub/whiteboard-collaboration.md index 10f086f358..9a68506147 100644 --- a/devices/surface-hub/whiteboard-collaboration.md +++ b/devices/surface-hub/whiteboard-collaboration.md @@ -1,27 +1,29 @@ --- -title: Set up and use Whiteboard to Whiteboard collaboration +title: Set up and use Microsoft Whiteboard description: Microsoft Whiteboard’s latest update includes the capability for two Surface Hubs to collaborate in real time on the same board. ms.prod: surface-hub ms.sitesec: library author: jdeckerms ms.author: jdecker ms.topic: article -ms.date: 07/12/2018 +ms.date: 03/18/2019 ms.localizationpriority: medium --- -# Set up and use Whiteboard to Whiteboard collaboration (Surface Hub) +# Set up and use Microsoft Whiteboard + -The Microsoft Whiteboard app includes the capability for two Surface Hubs to collaborate in real time on the same board. >[!IMPORTANT] ->A new Microsoft Whiteboard app was released on July 12, 2018. The existing Whiteboard app that comes installed on Surface Hub and is pinned to the Welcome screen cannot collaborate with the new version that can be installed on the PC. If people in your organization install the new Whiteboard on their PCs, you must install the new Whiteboard on Surface Hub to enable collaboration. To learn more about installing the new Whiteboard on your Surface Hub, see [Whiteboard on Surface Hub opt-in](https://go.microsoft.com/fwlink/p/?LinkId=2004277). +>A new Microsoft Whiteboard app was released on July 12, 2018. The existing Whiteboard app that comes installed on Surface Hub and is pinned to the Welcome screen has been renamed **Microsoft Whiteboard 2016**. Microsoft Whiteboard 2016 will be automatically upgraded by May 21, 2019, and the collaboration service for the legacy app will stop functioning after June 7, 2019. For more details, see [Enable Microsoft Whiteboard on Surface Hub](https://support.office.com/article/enable-microsoft-whiteboard-on-surface-hub-b5df4539-f735-42ff-b22a-0f5e21be7627?ui=en-US&rs=en-US&ad=US). + +The Microsoft Whiteboard app includes the capability for two Surface Hubs to collaborate in real time on the same board. By ensuring that your organization meets the prerequisites, users can then ink, collaborate, and ideate together. ![example of a whiteboard with collaborative inking](images/wb-collab-example.png) -## Prerequisites for Whiteboard to Whiteboard collaboration +## Prerequisites for Whiteboard to Whiteboard collaboration (Microsoft Whiteboard 2016) To get Whiteboard to Whiteboard collaboration up and running, you’ll need to make sure your organization meets the following requirements: @@ -36,7 +38,7 @@ To get Whiteboard to Whiteboard collaboration up and running, you’ll need to m >[!NOTE] >Collaborative sessions can only take place between users within the same tenant, so users outside of your organization won’t be able to join even if they have a Surface Hub. -## Using Whiteboard to Whiteboard collaboration +## Using Whiteboard to Whiteboard collaboration (Microsoft Whiteboard 2016) To start a collaboration session: diff --git a/mdop/uev-v1/index.md b/mdop/uev-v1/index.md index 0eacccc566..49e6e8a74c 100644 --- a/mdop/uev-v1/index.md +++ b/mdop/uev-v1/index.md @@ -13,6 +13,9 @@ ms.date: 04/19/2017 # Microsoft User Experience Virtualization (UE-V) 1.0 +>[!NOTE] +>This documentation is a for version of UE-V that was included in the Microsoft Desktop Optimization Pack (MDOP). For information about the latest version of UE-V which is included in Windows 10 Enterprise, see [Get Started with UE-V](https://docs.microsoft.com/windows/configuration/ue-v/uev-getting-started). + Microsoft User Experience Virtualization (UE-V) captures and centralizes application settings and Windows operating system settings for the user. These settings are then applied to the different computers that are accessed by the user, including desktop computers, laptop computers, and virtual desktop infrastructure (VDI) sessions. diff --git a/mdop/uev-v2/index.md b/mdop/uev-v2/index.md index 8932147ff3..4f56275558 100644 --- a/mdop/uev-v2/index.md +++ b/mdop/uev-v2/index.md @@ -13,6 +13,9 @@ ms.date: 04/19/2017 # Microsoft User Experience Virtualization (UE-V) 2.x +>[!NOTE] +>This documentation is a for version of UE-V that was included in the Microsoft Desktop Optimization Pack (MDOP). For information about the latest version of UE-V which is included in Windows 10 Enterprise, see [Get Started with UE-V](https://docs.microsoft.com/windows/configuration/ue-v/uev-getting-started). + Capture and centralize your users’ application settings and Windows OS settings by implementing Microsoft User Experience Virtualization (UE-V) 2.0 or 2.1. Then, apply these settings to the devices users access in your enterprise, like desktop computers, laptops, or virtual desktop infrastructure (VDI) sessions. diff --git a/store-for-business/update-microsoft-store-for-business-account-settings.md b/store-for-business/update-microsoft-store-for-business-account-settings.md index 46dd73d807..212b62ecf0 100644 --- a/store-for-business/update-microsoft-store-for-business-account-settings.md +++ b/store-for-business/update-microsoft-store-for-business-account-settings.md @@ -1,6 +1,6 @@ --- -title: Update Microsoft Store for Business and Microsoft Store for Education billing account settings (Windows 10) -description: The billing account page in Microsoft Store for Business and Microsoft Store for Education shows information about your organization that you can update, including country or region, organization contact info, agreements with Microsoft and admin approvals. +title: Update your Billing account settings +description: The billing account page in Microsoft Store for Business and Microsoft Store for Education, and M365 admin center shows information about your organization that you can update, including country or region, organization contact info, agreements with Microsoft and admin approvals. keywords: billing accounts, organization info ms.prod: w10 ms.mktglfcycl: manage @@ -10,10 +10,10 @@ author: TrudyHa ms.author: TrudyHa ms.topic: conceptual ms.localizationpriority: medium -ms.date: 03/01/2019 +ms.date: 03/18/2019 --- -# Update Microsoft Store for Business and Microsoft Store for Education account settings +# Update Billing account settings A billing account contains defining information about your organization. >[!NOTE] diff --git a/windows/application-management/app-v/appv-evaluating-appv.md b/windows/application-management/app-v/appv-evaluating-appv.md index d055f0c12d..c17263348d 100644 --- a/windows/application-management/app-v/appv-evaluating-appv.md +++ b/windows/application-management/app-v/appv-evaluating-appv.md @@ -45,9 +45,6 @@ Use the following links for more information about creating and managing virtual - [How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server](appv-configure-the-client-to-receive-updates-from-the-publishing-server.md) -## Have a suggestion for App-V? - -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). ## Related topics diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index 14905d408b..4d636e90c8 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -505,7 +505,7 @@ Provisioning packages can be applied to a device during the first-run experience #### After setup, from a USB drive, network folder, or SharePoint site 1. Sign in with an admin account. -2. Insert the USB drive to a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. +2. Insert the USB drive to a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. For a provisioning package stored on a network folder or on a SharePoint site, navigate to the provisioning package and double-click it to begin installation. >[!NOTE] >if your provisioning package doesn’t include the assigned access user account creation, make sure the account you specified in the multi-app configuration XML exists on the device. @@ -537,6 +537,7 @@ The OMA-URI for multi-app policy is `./Device/Vendor/MSFT/AssignedAccess/Configu + ## Considerations for Windows Mixed Reality immersive headsets diff --git a/windows/configuration/ue-v/uev-getting-started.md b/windows/configuration/ue-v/uev-getting-started.md index a4a8ead75e..f45cc4b960 100644 --- a/windows/configuration/ue-v/uev-getting-started.md +++ b/windows/configuration/ue-v/uev-getting-started.md @@ -14,6 +14,9 @@ ms.date: 03/08/2018 **Applies to** - Windows 10, version 1607 +>[!NOTE] +>This documentation is for the most recent version of UE-V. If you're looking for information about UE-V 2.x, which was included in the Microsoft Desktop Optimization Pack (MDOP), see [Get Started with UE-V 2.x](https://docs.microsoft.com/microsoft-desktop-optimization-pack/uev-v2/get-started-with-ue-v-2x-new-uevv2). + Follow the steps in this topic to deploy User Experience Virtualization (UE-V) for the first time in a test environment. Evaluate UE-V to determine whether it’s the right solution to manage user settings across multiple devices within your enterprise. >[!NOTE] @@ -150,7 +153,7 @@ You’re ready to run a few tests on your UE-V evaluation deployment to see how ## Have a suggestion for UE-V? -Add or vote on suggestions on the [User Experience Virtualization feedback site](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization).
For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc). +For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc). ## Other resources for this feature diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md index bf34e59012..19bc04a0f5 100644 --- a/windows/configuration/wcd/wcd-policies.md +++ b/windows/configuration/wcd/wcd-policies.md @@ -588,4 +588,4 @@ ConfigureTelemetryOptInSettingsUx | This policy setting determines whether peopl | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowUserInputFromWirelessDisplayReceiver](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) | This policy controls whether or not the wireless display can send input (keyboard, mouse, pen, and touch, dependent upon display support) back to the source device. For example, a Surface Laptop is projecting wirelessly to a Surface Hub. If input from the wireless display receiver is allowed, users can draw with a pen on the Surface Hub. | X | X | | | | \ No newline at end of file +| [AllowUserInputFromWirelessDisplayReceiver](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) | This policy controls whether or not the wireless display can send input (keyboard, mouse, pen, and touch, dependent upon display support) back to the source device. For example, a Surface Laptop is projecting wirelessly to a Surface Hub. If input from the wireless display receiver is allowed, users can draw with a pen on the Surface Hub. | X | X | | | | diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index 1466263dc5..049d352939 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md @@ -22,13 +22,14 @@ This topic will show you how to take your reference image for Windows 10, and d For the purposes of this topic, we will use three machines: DC01, MDT01, and PC0005. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 standard server, and PC0005 is a blank machine to which you deploy Windows 10. MDT01 and PC0005 are members of the domain contoso.com for the fictitious Contoso Corporation. -**Note**   -For important details about the setup for the steps outlined in this article, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md). -  ![figure 1](../images/mdt-07-fig01.png) Figure 1. The machines used in this topic. +>[!NOTE] +>For important details about the setup for the steps outlined in this article, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md). +  + ## Step 1: Configure Active Directory permissions These steps will show you how to configure an Active Directory account with the permissions required to deploy a Windows 10 machine to the domain using MDT. These steps assume you have downloaded the sample [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copied it to C:\\Setup\\Scripts on DC01. The account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01. In order for MDT to join machines into the contoso.com domain you need to create an account and configure permissions in Active Directory. @@ -92,9 +93,10 @@ In these steps, we assume that you have completed the steps in the [Create a Win 6. On the **Destination** page, in the **Destination directory name** text box, type **W10EX64RTM**, click **Next** twice, and then click **Finish**. 7. After adding the operating system, double-click the added operating system name in the **Operating Systems / Windows 10** node and change the name to match the following: **Windows 10 Enterprise x64 RTM Custom Image**. -**Note**   -The reason for adding the setup files has changed since earlier versions of MDT. MDT 2010 used the setup files to install Windows. MDT uses DISM to apply the image; however, you still need the setup files because some components in roles and features are stored outside the main image. +>[!NOTE]   +>The reason for adding the setup files has changed since earlier versions of MDT. MDT 2010 used the setup files to install Windows. MDT uses DISM to apply the image; however, you still need the setup files because some components in roles and features are stored outside the main image.   + ![figure 2](../images/fig2-importedos.png) Figure 2. The imported operating system after renaming it. @@ -128,8 +130,8 @@ In order to deploy Windows 10 with MDT successfully, you need drivers for the b - Microsoft Surface Pro For boot images, you need to have storage and network drivers; for the operating system, you need to have the full suite of drivers. -**Note**   -You should only add drivers to the Windows PE images if the default drivers don't work. Adding drivers that are not necessary will only make the boot image larger and potentially delay the download time. +>[!NOTE] +>You should only add drivers to the Windows PE images if the default drivers don't work. Adding drivers that are not necessary will only make the boot image larger and potentially delay the download time.   ### Create the driver source structure in the file system @@ -150,8 +152,8 @@ The key to successful management of drivers for MDT, as well as for any other de - Microsoft Corporation - Surface Pro 3 -**Note**   -Even if you are not going to use both x86 and x64 boot images, we still recommend that you add the support structure for future use. +>[!NOTE] +>Even if you are not going to use both x86 and x64 boot images, we still recommend that you add the support structure for future use.   ### Create the logical driver structure in MDT @@ -285,8 +287,9 @@ This section will show you how to create the task sequence used to deploy your p 2. Configure the **Inject Drivers** action with the following settings: 1. Choose a selection profile: Nothing 2. Install all drivers from the selection profile - **Note**   - The configuration above indicates that MDT should only use drivers from the folder specified by the DriverGroup001 property, which is defined by the "Choose a selection profile: Nothing" setting, and that MDT should not use plug and play to determine which drivers to copy, which is defined by the "Install all drivers from the selection profile" setting. + + >[!NOTE]   + >The configuration above indicates that MDT should only use drivers from the folder specified by the DriverGroup001 property, which is defined by the "Choose a selection profile: Nothing" setting, and that MDT should not use plug and play to determine which drivers to copy, which is defined by the "Install all drivers from the selection profile" setting.   3. State Restore. Enable the **Windows Update (Pre-Application Installation)** action. 4. State Restore. Enable the **Windows Update (Post-Application Installation)** action. @@ -359,8 +362,10 @@ In this section, you will learn how to configure the MDT Build Lab deployment sh - In the **Lite Touch Boot Image Settings** area: 1. Image description: MDT Production x86 2. ISO file name: MDT Production x86.iso - **Note**   - Because you are going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you do not need the ISO file; however, we recommend creating ISO files because they are useful when troubleshooting deployments and for quick tests. + + >[!NOTE] + + >Because you are going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you do not need the ISO file; however, we recommend creating ISO files because they are useful when troubleshooting deployments and for quick tests.   7. In the **Drivers and Patches** sub tab, select the **WinPE x86** selection profile and select the **Include all drivers from the selection profile** option. 8. In the **Windows PE** tab, in the **Platform** drop-down list, select **x64**. @@ -372,8 +377,8 @@ In this section, you will learn how to configure the MDT Build Lab deployment sh 11. In the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box. 12. Click **OK**. -**Note**   -It will take a while for the Deployment Workbench to create the monitoring database and web service. +>[!NOTE] +>It will take a while for the Deployment Workbench to create the monitoring database and web service.   ![figure 8](../images/mdt-07-fig08.png) @@ -479,8 +484,8 @@ Like the MDT Build Lab deployment share, the MDT Production deployment share nee 1. Right-click the **MDT Production** deployment share and select **Update Deployment Share**. 2. Use the default options for the Update Deployment Share Wizard. -**Note**   -The update process will take 5 to 10 minutes. +>[!NOTE] +>The update process will take 5 to 10 minutes.   ## Step 8: Deploy the Windows 10 client image @@ -588,8 +593,9 @@ To filter what is being added to the media, you create a selection profile. When In these steps, you generate offline media from the MDT Production deployment share. To filter what is being added to the media, you use the previously created selection profile. 1. On MDT01, using File Explorer, create the **E:\\MDTOfflineMedia** folder. - **Note**   - When creating offline media, you need to create the target folder first. It is crucial that you do not create a subfolder inside the deployment share folder because it will break the offline media. + + >[!NOTE] + >When creating offline media, you need to create the target folder first. It is crucial that you do not create a subfolder inside the deployment share folder because it will break the offline media.   2. Using Deployment Workbench, in the **MDT Production / Advanced Configuration** node, right-click the **Media** node, and select **New Media**. 3. Use the following settings for the New Media Wizard: diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md index 23c462b839..c96216fab7 100644 --- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md +++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md @@ -45,7 +45,10 @@ These steps assume that you have the MDT01 member server installed and configure 3. On the **Select the features you want to change** page, select the features below and complete the wizard using the default settings: 1. Deployment Tools 2. Windows Preinstallation Environment (Windows PE) - 3. User State Migration Tool (UMST) + 3. User State Migration Tool (USMT) + + >[!IMPORTANT] + >Starting with Windows 10, version 1809, Windows PE is released separately from the AFK. See [Download and install the Windows ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install) for more information. ## Install MDT diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md index 9c63798bd2..be96b68e59 100644 --- a/windows/deployment/update/waas-manage-updates-wufb.md +++ b/windows/deployment/update/waas-manage-updates-wufb.md @@ -112,7 +112,7 @@ Also, the pause period is calculated from the set start date. For more details, ## Monitor Windows Updates by using Update Compliance -Update Compliance, now **available in public preview**, provides a holistic view of OS update compliance, update deployment progress, and failure troubleshooting for Windows 10 devices. This new service uses diagnostic data including installation progress, Windows Update configuration, and other information to provide such insights, at no extra cost and without additional infrastructure requirements. Whether used with Windows Update for Business or other management tools, you can be assured that your devices are properly updated. +Update Compliance provides a holistic view of OS update compliance, update deployment progress, and failure troubleshooting for Windows 10 devices. This new service uses diagnostic data including installation progress, Windows Update configuration, and other information to provide such insights, at no extra cost and without additional infrastructure requirements. Whether used with Windows Update for Business or other management tools, you can be assured that your devices are properly updated. ![Update Compliance Dashboard](images/waas-wufb-update-compliance.png) diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md index c6eda60ace..6b83fee5c8 100644 --- a/windows/deployment/update/waas-restart.md +++ b/windows/deployment/update/waas-restart.md @@ -17,15 +17,15 @@ ms.topic: article **Applies to** - Windows 10 -- Windows 10 Mobile +- Windows 10 Mobile -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) You can use Group Policy settings, mobile device management (MDM) or Registry (not recommended) to configure when devices will restart after a Windows 10 update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts will not occur, or you can do both. ## Schedule update installation -In Group Policy, within **Configure Automatic Updates**, you can configure a forced restart after a specified installation time. +In Group Policy, within **Configure Automatic Updates**, you can configure a forced restart after a specified installation time. To set the time, you need to go to **Configure Automatic Updates**, select option **4 - Auto download and schedule the install**, and then enter a time in the **Scheduled install time** dropdown. Alternatively, you can specify that installation will occur during the automatic maintenance time (configured using **Computer Configuration\Administrative Templates\Windows Components\Maintenance Scheduler**). @@ -40,7 +40,7 @@ For a detailed description of these registry keys, see [Registry keys used to ma When **Configure Automatic Updates** is enabled in Group Policy, you can enable one of the following additional policies to delay an automatic reboot after update installation: - **Turn off auto-restart for updates during active hours** prevents automatic restart during active hours. -- **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device will restart at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**. +- **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device will restart at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**. You can also use Registry, to prevent automatic restarts when a user is signed in. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4** and enable **NoAutoRebootWithLoggedOnUsers**. As with Group Policy, if a user schedules the restart in the update notification, it will override this setting. @@ -48,9 +48,9 @@ For a detailed description of these registry keys, see [Registry keys used to ma ## Configure active hours -*Active hours* identify the period of time when you expect the device to be in use. Automatic restarts after an update will occur outside of the active hours. +*Active hours* identify the period of time when you expect the device to be in use. Automatic restarts after an update will occur outside of the active hours. -By default, active hours are from 8 AM to 5 PM on PCs and from 5 AM to 11 PM on phones. Users can change the active hours manually. +By default, active hours are from 8 AM to 5 PM on PCs and from 5 AM to 11 PM on phones. Users can change the active hours manually. Starting with Windows 10, version 1703, you can also specify the max active hours range. The specified range will be counted from the active hours start time. @@ -89,7 +89,7 @@ For a detailed description of these registry keys, see [Registry keys used to ma With Windows 10, version 1703, administrators can specify the max active hours range users can set. This option gives you additional flexibility to leave some of the decision for active hours on the user's side, while making sure you allow enough time for updating. The max range is calculated from active hours start time. -To configure active hours max range through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and open the **Specify active hours range for auto-restarts**. +To configure active hours max range through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and open the **Specify active hours range for auto-restarts**. To configure active hours max range through MDM, use [**Update/ActiveHoursMaxRange**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-activehoursmaxrange). @@ -103,9 +103,9 @@ In Windows 10, version 1703, we have added settings to control restart notificat ### Auto-restart notifications -Administrators can override the default behavior for the auto-restart required notification. By default, this notification will dismiss automatically. +Administrators can override the default behavior for the auto-restart required notification. By default, this notification will dismiss automatically. -To configure this behavior through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select **Configure auto-restart required notification for updates**. When configured to **2 - User Action**, a user that gets this notification must manually dismiss it. +To configure this behavior through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select **Configure auto-restart required notification for updates**. When configured to **2 - User Action**, a user that gets this notification must manually dismiss it. To configure this behavior through MDM, use [**Update/AutoRestartRequiredNotificationDismissal**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-AutoRestartRequiredNotificationDismissal) @@ -170,7 +170,7 @@ The following tables list registry values that correspond to the Group Policy se | Registry key | Key type | Value | | --- | --- | --- | | ActiveHoursEnd | REG_DWORD | 0-23: set active hours to end at a specific hour
starts with 12 AM (0) and ends with 11 PM (23) | -| ActiveHoursStart | REG_DWORD | 0-23: set active hours to start at a specific hour
starts with 12 AM (0) and ends with 11 PM (23) | +| ActiveHoursStart | REG_DWORD | 0-23: set active hours to start at a specific hour
starts with 12 AM (0) and ends with 11 PM (23) | | SetActiveHours | REG_DWORD | 0: disable automatic restart after updates outside of active hours
1: enable automatic restart after updates outside of active hours | **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU** @@ -179,32 +179,24 @@ The following tables list registry values that correspond to the Group Policy se | --- | --- | --- | | AlwaysAutoRebootAtScheduledTime | REG_DWORD | 0: disable automatic reboot after update installation at scheduled time
1: enable automatic reboot after update installation at ascheduled time | | AlwaysAutoRebootAtScheduledTimeMinutes | REG_DWORD | 15-180: set automatic reboot to occur after given minutes | -| AUOptions | REG_DWORD | 2: notify for download and automatically install updates
3: automatically download and notify for instllation of updates
4: Automatically download and schedule installation of updates
5: allow the local admin to configure these settings
**Note:** To configure restart behavior, set this value to **4** | -| NoAutoRebootWithLoggedOnUsers | REG_DWORD | 0: disable do not reboot if users are logged on
1: do not reboot after an update installation if a user is logged on
**Note:** If disabled : Automatic Updates will notify the user that the computer will automatically restarts in 5 minutes to complete the installation | +| AUOptions | REG_DWORD | 2: notify for download and automatically install updates
3: automatically download and notify for installation of updates
4: Automatically download and schedule installation of updates
5: allow the local admin to configure these settings
**Note:** To configure restart behavior, set this value to **4** | +| NoAutoRebootWithLoggedOnUsers | REG_DWORD | 0: disable do not reboot if users are logged on
1: do not reboot after an update installation if a user is logged on
**Note:** If disabled : Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the installation | | ScheduledInstallTime | REG_DWORD | 0-23: schedule update installation time to a specific hour
starts with 12 AM (0) and ends with 11 PM (23) | There are 3 different registry combinations for controlling restart behavior: - To set active hours, **SetActiveHours** should be **1**, while **ActiveHoursStart** and **ActiveHoursEnd** should define the time range. - To schedule a specific installation and reboot time, **AUOptions** should be **4**, **ScheduledInstallTime** should specify the installation time, **AlwaysAutoRebootAtScheduledTime** set to **1** and **AlwaysAutoRebootAtScheduledTimeMinutes** should specify number of minutes to wait before rebooting. -- To delay rebooting if a user is logged on, **AUOptions** should be **4**, while **NoAutoRebootWithLoggedOnUsers** is set to **1**. +- To delay rebooting if a user is logged on, **AUOptions** should be **4**, while **NoAutoRebootWithLoggedOnUsers** is set to **1**. ## Related topics - [Update Windows 10 in the enterprise](index.md) - [Overview of Windows as a service](waas-overview.md) -- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) +- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) - [Configure BranchCache for Windows 10 updates](waas-branchcache.md) - [Configure Windows Update for Business](waas-configure-wufb.md) - [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) - [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) - - - - - - - - diff --git a/windows/deployment/upgrade/upgrade-readiness-requirements.md b/windows/deployment/upgrade/upgrade-readiness-requirements.md index dbae4ad42f..9d4f85609f 100644 --- a/windows/deployment/upgrade/upgrade-readiness-requirements.md +++ b/windows/deployment/upgrade/upgrade-readiness-requirements.md @@ -26,7 +26,8 @@ The compatibility update that sends diagnostic data from user computers to Micro If you need to update user computers to Windows 7 SP1 or Windows 8.1, use Windows Update or download and deploy the applicable package from the Microsoft Download Center. -Note: Upgrade Readiness is designed to best support in-place upgrades. In-place upgrades do not support migrations from BIOS to UEFI or from 32-bit to 64-bit architecture. If you need to migrate computers in these scenarios, use the wipe-and-reload method. Upgrade Readiness insights are still valuable in this scenario, however, you can ignore in-place upgrade specific guidance. +> [!NOTE] +> Upgrade Readiness is designed to best support in-place upgrades. In-place upgrades do not support migrations from BIOS to UEFI or from 32-bit to 64-bit architecture. If you need to migrate computers in these scenarios, use the wipe-and-reload method. Upgrade Readiness insights are still valuable in this scenario, however, you can ignore in-place upgrade specific guidance. See [Windows 10 Specifications](https://www.microsoft.com/en-US/windows/windows-10-specifications) for additional information about computer system requirements. diff --git a/windows/deployment/windows-autopilot/autopilot-faq.md b/windows/deployment/windows-autopilot/autopilot-faq.md index a22b5336e7..7399e75801 100644 --- a/windows/deployment/windows-autopilot/autopilot-faq.md +++ b/windows/deployment/windows-autopilot/autopilot-faq.md @@ -32,7 +32,7 @@ A [glossary](#glossary) of abbreviations used in this topic is provided at the e | How does a customer authorize an OEM or Channel Partner to register Autopilot devices on the customer’s behalf? | Before an OEM or Channel Partner can register a device for Autopilot on behalf of a customer, the customer must first give them consent. The consent process begins with the OEM or Channel Partner sending a link to the customer, which directs the customer to a consent page in Microsoft Store for Business. The steps explaining this process are [here](registration-auth.md). | | Are there any restrictions if a business customer has registered devices in MSfB and later wants those devices to be managed by a CSP via the Partner Center? | The devices will need to be deleted in MSfB by the business customer before the CSP can upload and manage them in the Partner Center. | | Does Windows Autopilot support removing the option to enable a local administrator account? | Windows Autopilot doesn’t support removing the local admin account. However, it does support restricting the user performing AAD domain join in OOBE to a standard account (versus admin account by default).| -| How can I test the Windows Autopilot CSV file in the Partner Center? | Only CSP Partners have access to the Partner Center portal. If you are a CSP, you can create a Sales agent user account which has access to “Devices” for testing the file. This can be done today in the Partner Center.

Go [here](https://msdn.microsoft.com/partner-center/createuseraccounts-and-set-permissions) for more information. | +| How can I test the Windows Autopilot CSV file in the Partner Center? | Only CSP Partners have access to the Partner Center portal. If you are a CSP, you can create a Sales agent user account which has access to “Devices” for testing the file. This can be done today in the Partner Center.

Go [here](https://msdn.microsoft.com/partner-center/create-user-accounts-and-set-permissions) for more information. | | Must I become a Cloud Solution Provider (CSP) to participate in Windows Autopilot? | Top volume OEMs do not, as they can use the OEM Direct API. All others who choose to use MPC to register devices must become CSPs in order to access MPC. | | Do the different CSP levels have all the same capabilities when it comes to Windows Autopilot? | For purposes of Windows Autopilot, there are three different types of CSPs, each with different levels of authority an access:

1. Direct CSP: Gets direct authorization from the customer to register devices.

2. Indirect CSP Provider: Gets implicit permission to register devices through the relationship their CSP Reseller partner has with the customer. Indirect CSP Providers register devices through Microsoft Partner Center.

3. Indirect CSP Reseller: Gets direct authorization from the customer to register devices. At the same time, their indirect CSP Provider partner also gets authorization, which mean that either the Indirect Provider or the Indirect Reseller can register devices for the customer. However, the Indirect CSP Reseller must register devices through the MPC UI (manually uploading CSV file), whereas the Indirect CSP Provider has the option to register devices using the MPC APIs. | diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 723a232bcc..0cbf266f2a 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -36,7 +36,7 @@ To help make it easier to deploy settings to restrict connections from Windows 1 This baseline was created in the same way as the [Windows security baselines](/windows/device-security/windows-security-baselines) that are often used to efficiently configure Windows to a known secure state. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. -Make sure should you've chosen the right settings configuration for your environment before applying. +Make sure you've chosen the right settings configuration for your environment before applying. You should not extract this package to the windows\\system32 folder because it will not apply correctly. >[!IMPORTANT] @@ -342,8 +342,6 @@ You can also apply the Group Policies using the following registry keys: | Don't search the web or display web results in Search| HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search
REG_DWORD: ConnectedSearchUseWeb
Value: 0 | | Set what information is shared in Search | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search
REG_DWORD: ConnectedSearchPrivacy
Value: 3 | -In Windows 10, version 1507 and Windows 10, version 1511, when you enable the **Don't search the web or display web results in Search** Group Policy, you can control the behavior of whether Cortana searches the web to display web results. However, this policy only covers whether or not web search is performed. There could still be a small amount of network traffic to Bing.com to evaluate if certain Cortana components are up-to-date or not. In order to turn off that network activity completely, you can create a Windows Firewall rule to prevent outbound traffic. - >[!IMPORTANT] >These steps are not required for devices running Windows 10, version 1607 or Windows Server 2016. @@ -447,8 +445,6 @@ If you're running Windows 10, version 1607, Windows Server 2016, or later: - **true**. Font streaming is enabled. -If you're running Windows 10, version 1507 or Windows 10, version 1511, create a REG\_DWORD registry setting named **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters** with a value of 1. - > [!NOTE] > After you apply this policy, you must restart the device for it to take effect. @@ -642,7 +638,6 @@ Use either Group Policy or MDM policies to manage settings for Microsoft Edge. F Find the Microsoft Edge Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge**. - | Policy | Description | |------------------------------------------------------|-----------------------------------------------------------------------------------------------------| | Allow configuration updates for the Books Library | Choose whether configuration updates are done for the Books Library.
Default: Enabled | @@ -655,19 +650,6 @@ Find the Microsoft Edge Group Policy objects under **Computer Configuration** &g | Configure Start pages | Choose the Start page for domain-joined devices.
Set this to **\** | | Prevent the First Run webpage from opening on Microsoft Edge | Choose whether employees see the First Run webpage.
Set to: Enable | -The Windows 10, version 1511 Microsoft Edge Group Policy names are: - -| Policy | Description | -|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| Allow address bar drop-down list suggestions | Choose whether employees can use Address Bar drop-down list suggestions.
Default: Disabled | -| Turn off autofill | Choose whether employees can use autofill on websites.
Default: Enabled | -| Allow employees to send Do Not Track headers | Choose whether employees can send Do Not Track headers.
Default: Disabled | -| Turn off password manager | Choose whether employees can save passwords locally on their devices.
Default: Enabled | -| Turn off Address Bar search suggestions | Choose whether the Address Bar shows search suggestions.
Default: Enabled | -| Turn off the SmartScreen Filter | Choose whether SmartScreen is turned on or off.
Default: Enabled | -| Open a new tab with an empty tab | Choose whether a new tab page appears.
Default: Enabled | -| Configure corporate Home pages | Choose the corporate Home page for domain-joined devices.
Set this to **about:blank** | - Alternatively, you can configure the Microsoft Group Policies using the following registry entries: | Policy | Registry path | @@ -1988,9 +1970,6 @@ If you're not running Windows 10, version 1607 or later, you can use the other o - **Personalization** > **Lock screen** > **Background** > **Windows spotlight**, select a different background, and turn off **Get fun facts, tips, tricks and more on your lock screen**. - > [!NOTE] - > In Windows 10, version 1507 and Windows 10, version 1511, this setting was named **Show me tips, tricks, and more on the lock screen**. - - **Personalization** > **Start** > **Occasionally show suggestions in Start**. - **System** > **Notifications & actions** > **Show me tips about Windows**. @@ -2161,3 +2140,4 @@ You can turn off automatic updates by doing one of the following. This is not re - **5**. Turn off automatic updates. To learn more, see [Device update management](https://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](https://technet.microsoft.com/library/cc720539.aspx). + diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md index 789395a1bf..f07f4f199a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md @@ -15,7 +15,7 @@ localizationpriority: medium ms.date: 08/19/2018 --- # Windows Hello for Business Provisioning - + **Applies to:** - Windows 10 @@ -24,14 +24,14 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, - The Windows Hello for Business deployment type - If the environment is managed or federated -[Azure AD joined provisioning in a Managed environment](#Azure-AD-joined-provisioning-in-a-Managed-environment)
-[Azure AD joined provisioning in a Federated environment](#Azure-AD-joined-provisioning-in-a-Federated-environment)
-[Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed envrionment](#Hybrid-Azure-AD-joined-provisioning-in-a-Key-Trust-deployment-in-a-Managed-envrionment)
-[Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Managed environment](#Hybrid-Azure-AD-joined-provisioning-in-a-Certificate-Trust-deployment-in-a-Managed-environment)
-[Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Managed environment](#Hybrid-Azure-AD-joined-provisioning-in-a-synchronous-Certificate-Trust-deployment-in-a-Managed-environment)
-[Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment](#Hybrid-Azure-AD-joined-provisioning-in-a-synchronous-Certificate-Trust-deployment-in-a-Federated-environment)
-[Domain joined provisioning in an On-premises Key Trust deployment](#Domain-joined-provisioning-in-an-On-premises-Key-Trust-deployment)
-[Domain joined provisioning in an On-premises Certificate Trust deployment](#Domain-joined-provisioning-in-an-On-premises-Certificate-Trust-deployment)
+[Azure AD joined provisioning in a Managed environment](#azure-ad-joined-provisioning-in-a-managed-environment)
+[Azure AD joined provisioning in a Federated environment](#azure-ad-joined-provisioning-in-a-federated-environment)
+[Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed environment](#hybrid-azure-ad-joined-provisioning-in-a-key-trust-deployment-in-a-managed-environment)
+[Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Managed environment](#hybrid-azure-ad-joined-provisioning-in-a-certificate-trust-deployment-in-a-managed-environment)
+[Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Managed environment](#hybrid-azure-ad-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-managed-environment)
+[Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment](#hybrid-azure-ad-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-federated-environment)
+[Domain joined provisioning in an On-premises Key Trust deployment](#domain-joined-provisioning-in-an-on-premises-key-trust-deployment)
+[Domain joined provisioning in an On-premises Certificate Trust deployment](#domain-joined-provisioning-in-an-on-premises-certificate-trust-deployment)
@@ -45,7 +45,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, |C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application which signals the end of user provisioning and the application exits.| -[Return to top](#Windows-Hello-for-Business-Provisioning) +[Return to top](#windows-hello-for-business-provisioning) ## Azure AD joined provisioning in a Federated environment ![Azure AD joined provisioning in a Managed environment](images/howitworks/prov-aadj-federated.png) @@ -55,7 +55,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, |B | After receiving a ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv).| |C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns key ID to the application which signals the end of user provisioning and the application exits.| -[Return to top](#Windows-Hello-for-Business-Provisioning) +[Return to top](#windows-hello-for-business-provisioning) ## Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed envrionment ![Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed ennvironment](images/howitworks/prov-haadj-keytrust-managed.png) @@ -71,7 +71,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, -[Return to top](#Windows-Hello-for-Business-Provisioning) +[Return to top](#windows-hello-for-business-provisioning) ## Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Managed environment ![Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Managed environment](images/howitworks/prov-haadj-certtrust-managed.png) @@ -89,7 +89,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, > The newly provisionied user will not be able to sign in using Windows Hello for Business until Azure AD Connect successfully synchronizes the public key to the on-premises Active Directory. -[Return to top](#Windows-Hello-for-Business-Provisioning) +[Return to top](#windows-hello-for-business-provisioning) ## Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Managed environment ![Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Managed environment](images/howitworks/prov-haadj-instant-certtrust-managed.png) @@ -106,7 +106,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, > Synchronous certificate enrollment does not depend on Azure AD Connect to syncrhonize the user's public key to issue the Windows Hello for Business authentication certificate. Users can sign-in using the certificate immediately after provisioning completes. Azure AD Connect continues to synchronize the public key to Active Directory, but is not show in this flow. -[Return to top](#Windows-Hello-for-Business-Provisioning) +[Return to top](#windows-hello-for-business-provisioning) ## Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment ![Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Fedeerated environment](images/howitworks/prov-haadj-instant-certtrust-federated.png) @@ -122,7 +122,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, > [!IMPORTANT] > Synchronous certificate enrollment does not depend on Azure AD Connect to syncrhonize the user's public key to issue the Windows Hello for Business authentication certificate. Users can sign-in using the certificate immediately after provisioning completes. Azure AD Connect continues to synchronize the public key to Active Directory, but is not show in this flow. -[Return to top](#Windows-Hello-for-Business-Provisioning) +[Return to top](#windows-hello-for-business-provisioning) ## Domain joined provisioning in an On-premises Key Trust deployment ![Domain joined provisioning in an On-premises Key Trust deployment](images/howitworks/prov-onprem-keytrust.png) @@ -133,7 +133,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, |C | The application sends the EDRS token, ukpub, attestation data, and device information to the Enterprise DRS for user key registration. Enterprise DRS validates the MFA claim remains current. On successful validation, the Enterprise DRS locates the user's object in Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. The Enterprise DRS returns a key ID to the application, which represents the end of user key registration.| -[Return to top](#Windows-Hello-for-Business-Provisioning) +[Return to top](#windows-hello-for-business-provisioning) ## Domain joined provisioning in an On-premises Certificate Trust deployment ![Domain joined provisioning in an On-premises Certificate Trust deployment](images/howitworks/prov-onprem-certtrust.png) @@ -147,4 +147,4 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, |F |The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application.| |G | The application receives the newly issued certificate and installs it into the Personal store of the user. This signals the end of provisioning.| -[Return to top](#Windows-Hello-for-Business-Provisioning) +[Return to top](#windows-hello-for-business-provisioning) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index 71ad012ce7..6f443cff4f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md @@ -30,7 +30,7 @@ The distributed systems on which these technologies were built involved several * [Public Key Infrastucture](#public-key-infrastructure) * [Directory Synchronization](#directory-synchronization) * [Federation](#federation) -* [MultiFactor Authetication](#multifactor-authentication) +* [MultiFactor Authentication](#multifactor-authentication) * [Device Registration](#device-registration) ## Directories ## @@ -140,4 +140,4 @@ If your environment is already federated and supports Azure device registration, 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) 5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) -6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file +6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index aebc17a2ae..1993139da7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -62,7 +62,7 @@ The minimum required enterprise certificate authority that can be used with Wind > [!IMPORTANT] > For Azure AD joined device to authenticate to and use on-premises resources, ensure you: -> * Install the root certificate authority certificate for your organization in the user's trusted root certifcate store. +> * Install the root certificate authority certificate for your organization in the user's trusted root certificate store. > * Publish your certificate revocation list to a location that is available to Azure AD joined devices, such as a web-based url. ### Section Review diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md index 580a5b58bd..860ed64ab2 100644 --- a/windows/security/threat-protection/mbsa-removal-and-guidance.md +++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md @@ -19,12 +19,12 @@ MBSA was largely used in situations where neither Microsoft Update nor a local W ## The Solution A script can help you with an alternative to MBSA’s patch-compliance checking: -- [Using WUA to Scan for Updates Offline](https://docs.microsoft.com/previous-versions/windows/desktop/aa387290(v=vs.85)), which includes a sample .vbs script. +- [Using WUA to Scan for Updates Offline](https://docs.microsoft.com/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline), which includes a sample .vbs script. For a PowerShell alternative, see [Using WUA to Scan for Updates Offline with PowerShell](https://gallery.technet.microsoft.com/Using-WUA-to-Scan-for-f7e5e0be). For example: -[![VBS script](images/vbs-example.png)](https://docs.microsoft.com/previous-versions/windows/desktop/aa387290(v=vs.85)) +[![VBS script](images/vbs-example.png)](https://docs.microsoft.com/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline) [![PowerShell script](images/powershell-example.png)](https://gallery.technet.microsoft.com/Using-WUA-to-Scan-for-f7e5e0be) The preceding scripts leverage the [WSUS offline scan file](https://support.microsoft.com/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it. diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md index 938b358427..9ed8d6f32a 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md @@ -59,6 +59,10 @@ For more information, see [Investigate a user account](investigate-user-windows- ## Skype for Business integration Enabling the Skype for Business integration gives you the ability to communicate with users using Skype for Business, email, or phone. This can be handy when you need to communicate with the user and mitigate risks. +>[!NOTE] +> When a machine is being isolated from the network, there's a pop-up where you can choose to enable Outlook and Skype communications which allows communications to the user while they are disconnected from the network. This setting applies to Skype and Outlook communication when machines are in isolation mode. + + ## Azure Advanced Threat Protection integration The integration with Azure Advanced Threat Protection allows you to pivot directly into another Microsoft Identity security product. Azure Advanced Threat Protection augments an investigation with additional insights about a suspected compromised account and related resources. By enabling this feature, you'll enrich the machine-based investigation capability by pivoting across the network from an identify point of view.