From c5b53a3823e0d332e6fe074d77cf8ee00988b7c5 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Tue, 13 Sep 2016 11:38:07 -0700 Subject: [PATCH 01/16] 8885597 --- ...osk-for-windows-10-for-desktop-editions.md | 56 ++++++++++++++++++- 1 file changed, 54 insertions(+), 2 deletions(-) diff --git a/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md index 7d798edb80..4c4e2e0cfb 100644 --- a/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md +++ b/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md @@ -300,11 +300,63 @@ Alternatively, you can turn on Shell Launcher using the Deployment Image Servici Modify the following PowerShell script as appropriate. The comments in the sample script explain the purpose of each section and tell you where you will want to change the script for your purposes. Save your script with the extension .ps1, open Windows PowerShell as administrator, and run the script on the kiosk device. ``` +# Check if shell launcher license is enabled +function Check-ShellLauncherLicenseEnabled +{ + [string]$source = @" +using System; +using System.Runtime.InteropServices; + +static class CheckShellLauncherLicense +{ + const int S_OK = 0; + + public static bool IsShellLauncherLicenseEnabled() + { + int enabled = 0; + + if (NativeMethods.SLGetWindowsInformationDWORD("EmbeddedFeature-ShellLauncher-Enabled", out enabled) != S_OK) { + enabled = 0; + } + + return (enabled != 0); + } + + static class NativeMethods + { + [DllImport("Slc.dll")] + internal static extern int SLGetWindowsInformationDWORD([MarshalAs(UnmanagedType.LPWStr)]string valueName, out int value); + } + +} +"@ + + $type = Add-Type -TypeDefinition $source -PassThru + + return $type[0]::IsShellLauncherLicenseEnabled() +} + +[bool]$result = $false + +$result = Check-ShellLauncherLicenseEnabled +"`nShell Launcher license enabled is set to " + $result +if (-not($result)) +{ + "`nThis device doesn't have required license to use Shell Launcher" + exit +} + $COMPUTER = "localhost" $NAMESPACE = "root\standardcimv2\embedded" # Create a handle to the class instance so we can call the static methods. -$ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting" +try { + $ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting" + } catch [Exception] { + write-host $_.Exception.Message; + write-host "Make sure Shell Launcher feature is enabled" + exit + } # This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group. @@ -319,7 +371,7 @@ function Get-UsernameSID($AccountName) { $NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier]) return $NTUserSID.Value - + } # Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script. From 058acd2800798a10227a4ae34f64e31758fb7d7f Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Tue, 13 Sep 2016 14:49:23 -0700 Subject: [PATCH 02/16] added topic to change history --- .../manage/change-history-for-manage-and-update-windows-10.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md index 001afc958e..48e1b81df3 100644 --- a/windows/manage/change-history-for-manage-and-update-windows-10.md +++ b/windows/manage/change-history-for-manage-and-update-windows-10.md @@ -16,6 +16,7 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in | New or changed topic | Description | | --- | --- | +| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Updated the script for setting a custom shell using Shell Launcher. | | [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added content for Windows Server 2016 | ## August 2016 From 46ad3a1210b2e5b13a850b46c68e49e7f2d8c4e2 Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Tue, 13 Sep 2016 16:10:37 -0700 Subject: [PATCH 03/16] Fixed typos, incorrect links, disappearing backslashes --- ...ation-publishing-and-client-interaction.md | 42 +++++++++---------- windows/manage/appv-performance-guidance.md | 20 ++++----- 2 files changed, 26 insertions(+), 36 deletions(-) diff --git a/windows/manage/appv-application-publishing-and-client-interaction.md b/windows/manage/appv-application-publishing-and-client-interaction.md index ca6912ebd6..1bc94a9b27 100644 --- a/windows/manage/appv-application-publishing-and-client-interaction.md +++ b/windows/manage/appv-application-publishing-and-client-interaction.md @@ -245,7 +245,7 @@ Before an application can access the package registry data, the App-V Client mus When a new package is added to the App-V Client, a copy of the REGISTRY.DAT file from the package is created at `%ProgramData%\Microsoft\AppV\Client\VREG\{Version GUID}.dat`. The name of the file is the version GUID with the .DAT extension. The reason this copy is made is to ensure that the actual hive file in the package is never in use, which would prevent the removal of the package at a later time. -**Registry.dat from Package Store ** > **%ProgramData%\Microsoft\AppV\Client\Vreg\{VersionGuid}.dat** +**Registry.dat from Package Store** > **%ProgramData%\Microsoft\AppV\Client\Vreg\\{VersionGuid}.dat**   When the first application from the package is launched on the client, the client stages or copies the contents out of the hive file, re-creating the package registry data in an alternate location `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\Packages\PackageGuid\Versions\VersionGuid\REGISTRY`. The staged registry data has two distinct types of machine data and user data. Machine data is shared across all users on the machine. User data is staged for each user to a userspecific location `HKCU\Software\Microsoft\AppV\Client\Packages\PackageGuid\Registry\User`. The machine data is ultimately removed at package removal time, and the user data is removed on a user unpublish operation. @@ -387,7 +387,7 @@ Packages can be explicitly loaded using the Windows PowerShell `Mount-AppVClient ### Streaming packages -The App-V Client can be configured to change the default behavior of streaming. All streaming policies are stored under the following registry key: `HKEY_LOCAL_MAcHINE\Software\Microsoft\AppV\Client\Streaming`. Policies are set using the Windows PowerShell cmdlet `Set-AppvClientConfiguration`. The following policies apply to Streaming: +The App-V Client can be configured to change the default behavior of streaming. All streaming policies are stored under the following registry key: `HKEY_LOCAL_MACHINE\Software\Microsoft\AppV\Client\Streaming`. Policies are set using the Windows PowerShell cmdlet `Set-AppvClientConfiguration`. The following policies apply to Streaming: @@ -485,8 +485,8 @@ App-V registry roaming falls into two scenarios, as shown in the following table
--++ @@ -499,8 +499,8 @@ App-V registry roaming falls into two scenarios, as shown in the following table @@ -513,8 +513,8 @@ App-V registry roaming falls into two scenarios, as shown in the following table

In this scenario, these settings are not roamed with normal operating system roaming configurations, and the resulting registry keys and values are stored in the following location:

    -

  • HKLM\SOFTWARE\Microsoft\AppV\Client\Packages\{PkgGUID}\{UserSID}\REGISTRY\MACHINE\SOFTWARE

    • -

  • HKCU\SOFTWARE\Microsoft\AppV\Client\Packages\{PkgGUID}\Registry\User\{UserSID}\SOFTWARE

    • +

  • HKLM\SOFTWARE\Microsoft\AppV\Client\Packages\\{PkgGUID}\\{UserSID}\REGISTRY\MACHINE\SOFTWARE

    • +

  • HKCU\SOFTWARE\Microsoft\AppV\Client\Packages\\{PkgGUID}\\Registry\User\\{UserSID}\SOFTWARE

@@ -532,21 +532,21 @@ The following table shows local and roaming locations, when folder redirection h | VFS directory in package | Mapped location of backing store | | - | - | -| ProgramFilesX86 | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\ProgramFilesX86 | -| SystemX86 | C:\Users\username\AppData\Local\Microsoft\AppV\Client\VFS\\SystemX86 | -| Windows | C:\Users\username\AppData\Local\Microsoft\AppV\Client\VFS\\Windows | -| appv\_ROOT | C:\Users\username\AppData\Local\Microsoft\AppV\Client\VFS\\appv_ROOT| -| AppData | C:\Users\username\AppData\Local\Microsoft\AppV\Client\VFS\\AppData | +| ProgramFilesX86 | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\\ProgramFilesX86 | +| SystemX86 | C:\Users\username\AppData\Local\Microsoft\AppV\Client\VFS\\\SystemX86 | +| Windows | C:\Users\username\AppData\Local\Microsoft\AppV\Client\VFS\\\Windows | +| appv\_ROOT | C:\Users\username\AppData\Local\Microsoft\AppV\Client\VFS\\\appv_ROOT| +| AppData | C:\Users\username\AppData\Local\Microsoft\AppV\Client\VFS\\\AppData | The following table shows local and roaming locations, when folder redirection has been implemented for %AppData%, and the location has been redirected (typically to a network location). | VFS directory in package | Mapped location of backing store | | - | - | -| ProgramFilesX86 | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\ProgramFilesX86 | -| SystemX86 | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\SystemX86 | -| Windows | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\Windows | -| appv_ROOT | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\appv\_ROOT | -| AppData | \\Fileserver\users\Local\roaming\Microsoft\AppV\Client\VFS\\AppData | +| ProgramFilesX86 | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\\ProgramFilesX86 | +| SystemX86 | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\\SystemX86 | +| Windows | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\\Windows | +| appv_ROOT | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\\appv\_ROOT | +| AppData | \\Fileserver\users\Local\roaming\Microsoft\AppV\Client\VFS\\\AppData |   The current App-V Client VFS driver cannot write to network locations, so the App-V Client detects the presence of folder redirection and copies the data on the local drive during publishing and when the virtual environment starts. After the user closes the App-V application and the App-V Client closes the virtual environment, the local storage of the VFS AppData is copied back to the network, enabling roaming to additional machines, where the process will be repeated. The detailed steps of the processes are: @@ -602,11 +602,7 @@ In an App-V Full Infrastructure, after applications are sequenced they are manag This document focuses on App-V Full Infrastructure solutions. For specific information on App-V Integration with Configuration Manager 2012, see [Integrating Virtual Application Management with App-V 5 and Configuration Manager 2012 SP1](https://www.microsoft.com/en-us/download/details.aspx?id=38177). -The App-V application lifecycle tasks are triggered at user login (default), machine startup, or as background timed operations. The settings for the App-V Client operations, including Publishing Servers, refresh intervals, package script enablement, and others, are configured during setup of the client or post-setup with Windows PowerShell commands. See [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md) or use Windows PowerShell: - -``` syntax -get-command *appv* -``` +The App-V application lifecycle tasks are triggered at user login (default), machine startup, or as background timed operations. The settings for the App-V Client operations, including Publishing Servers, refresh intervals, package script enablement, and others, are configured after client setup with Windows PowerShell commands. See [App-V Client Configuration Settings: Windows PowerShell](appv-client-configuration-settings.md#app-v-client-configuration-settings-windows-powershell). ### Publishing refresh diff --git a/windows/manage/appv-performance-guidance.md b/windows/manage/appv-performance-guidance.md index 5c2f1c51a3..e0a277bf9c 100644 --- a/windows/manage/appv-performance-guidance.md +++ b/windows/manage/appv-performance-guidance.md @@ -29,15 +29,12 @@ You should read and understand the following information before reading this doc **Note**   Some terms used in this document may have different meanings depending on external source and context. For more information about terms used in this document followed by an asterisk * review the [Application Virtualization Performance Guidance Terminology](#bkmk-terms1) section of this document. -  - Finally, this document will provide you with the information to configure the computer running App-V client and the environment for optimal performance. Optimize your virtual application packages for performance using the sequencer, and to understand how to use User Experience Virtualization (UE-V) or other user environment management technologies to provide the optimal user experience with App-V in both Remote Desktop Services (RDS) and non-persistent virtual desktop infrastructure (VDI). To help determine what information is relevant to your environment you should review each section’s brief overview and applicability checklist. ## App-V in stateful\* non-persistent deployments - This section provides information about an approach that helps ensure a user will have access to all virtual applications within seconds after logging in. This is achieved by uniquely addressing the often long-running App-V publishing refresh. As you will discover the basis of the approach, the fastest publishing refresh, is one that doesn’t have to actually do anything. A number of conditions must be met and steps followed to provide the optimal user experience. Use the information in the following section for more information: @@ -125,7 +122,7 @@ IT Administration   -### Usage Scenario +### Usage Scenarios As you review the two scenarios, keep in mind that these approach the extremes. Based on your usage requirements, you may choose to apply these steps to a subset of users, virtual application packages, or both. @@ -143,9 +140,9 @@ As you review the two scenarios, keep in mind that these approach the extremes. +

The following describes many performance improvements in stateful non-persistent deployments. For more information, see [Sequencing Steps to Optimize Packages for Publishing Performance](#sequencing-steps-to-optimize-packages-for-publishing-performance) later in this topic.

+

The impact of this alteration is detailed in the [User Experience Walk-through](#bkmk-uewt) section of this document.

Applications that are run as standard users

When a standard user launches an App-V application, both HKLM and HKCU for App-V applications are stored in the HKCU hive on the machine. This presents as two distinct paths:

    -

  • HKLM: HKCU\SOFTWARE\Classes\AppV\Client\Packages\{PkgGUID}\REGISTRY\MACHINE\SOFTWARE

    • -

  • HKCU: HKCU\SOFTWARE\Microsoft\AppV\Client\Packages\{PkgGUID}\REGISTRY\USER\{UserSID}\SOFTWARE

    • +

  • HKLM: HKCU\SOFTWARE\Classes\AppV\Client\Packages\\{PkgGUID}\REGISTRY\MACHINE\SOFTWARE

    • +

  • HKCU: HKCU\SOFTWARE\Microsoft\AppV\Client\Packages\\{PkgGUID}\REGISTRY\USER\{UserSID}\SOFTWARE

The locations are enabled for roaming based on the operating system settings.

To provide the most optimal user experience, this approach leverages the capabilities of a UPM solution and requires additional image preparation and can incur some additional image management overhead.

-

The following describes many performance improvements in stateful non-persistent deployments. For more information, see the Sequencing Steps to Optimize Packages for Publishing Performance and reference to App-V Sequencing Guide in the See Also section of this document.

The general expectations of the previous scenario still apply here. However, keep in mind that VM images are typically stored in very costly arrays; a slight alteration has been made to the approach. Do not pre-configure user-targeted virtual application packages in the base image.

-

The impact of this alteration is detailed in the User Experience Walkthrough section of this document.
@@ -443,13 +440,11 @@ In a non-persistent environment, it is unlikely these pended operations will be The following section contains lists with information about Microsoft documentation and downloads that may be useful when optimizing your environment for performance. -**.NET NGEN Blog and Script (Highly Recommended)** + -About NGEN technology +**.NET NGEN Blog (Highly Recommended)** -- [How to speed up NGEN optimaztion](http://blogs.msdn.com/b/dotnet/archive/2013/08/06/wondering-why-mscorsvw-exe-has-high-cpu-usage-you-can-speed-it-up.aspx) - -- [Script](http://aka.ms/DrainNGenQueue) +- [How to speed up NGEN optimization](http://blogs.msdn.com/b/dotnet/archive/2013/08/06/wondering-why-mscorsvw-exe-has-high-cpu-usage-you-can-speed-it-up.aspx) **Windows Server and Server Roles** @@ -483,7 +478,6 @@ Server Performance Tuning Guidelines for ## Sequencing Steps to Optimize Packages for Publishing Performance - Several App-V features facilitate new scenarios or enable new customer deployment scenarios. These following features can impact the performance of the publishing and launch operations. @@ -504,7 +498,7 @@ Several App-V features facilitate new scenarios or enable new customer deploymen - From e5756601a5440634b9d5fa2700b8a9533925827b Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Wed, 14 Sep 2016 13:16:50 -0700 Subject: [PATCH 09/16] fix dism command --- ...p-a-kiosk-for-windows-10-for-desktop-editions.md | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md index 4c4e2e0cfb..ce35ceef5d 100644 --- a/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md +++ b/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md @@ -283,17 +283,8 @@ Alternatively, you can turn on Shell Launcher using the Deployment Image Servici 1. Open a command prompt as an administrator. 2. Enter the following command. - -

No Feature Block 1 (FB1, also known as Primary FB)

No FB1 means the application will launch immediately and stream fault (application requires file, DLL and must pull down over the network) during launch.If there are network limitations, FB1 will:

+

No FB1 means the application will launch immediately and stream fault (application requires file, DLL and must pull down over the network) during launch. If there are network limitations, FB1 will:

  • Reduce the number of stream faults and network bandwidth used when you launch an application for the first time.

  • Delay launch until the entire FB1 has been streamed.

    • From 4ab2cac8dc81bb9196c90f8721f884f3d9ba5f1f Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Tue, 13 Sep 2016 16:16:02 -0700 Subject: [PATCH 04/16] Tweaked wording --- .../appv-application-publishing-and-client-interaction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/manage/appv-application-publishing-and-client-interaction.md b/windows/manage/appv-application-publishing-and-client-interaction.md index 1bc94a9b27..59a1305652 100644 --- a/windows/manage/appv-application-publishing-and-client-interaction.md +++ b/windows/manage/appv-application-publishing-and-client-interaction.md @@ -602,7 +602,7 @@ In an App-V Full Infrastructure, after applications are sequenced they are manag This document focuses on App-V Full Infrastructure solutions. For specific information on App-V Integration with Configuration Manager 2012, see [Integrating Virtual Application Management with App-V 5 and Configuration Manager 2012 SP1](https://www.microsoft.com/en-us/download/details.aspx?id=38177). -The App-V application lifecycle tasks are triggered at user login (default), machine startup, or as background timed operations. The settings for the App-V Client operations, including Publishing Servers, refresh intervals, package script enablement, and others, are configured after client setup with Windows PowerShell commands. See [App-V Client Configuration Settings: Windows PowerShell](appv-client-configuration-settings.md#app-v-client-configuration-settings-windows-powershell). +The App-V application lifecycle tasks are triggered at user login (default), machine startup, or as background timed operations. The settings for the App-V Client operations, including Publishing Servers, refresh intervals, package script enablement, and others, are configured (after the client is enabled) with Windows PowerShell commands. See [App-V Client Configuration Settings: Windows PowerShell](appv-client-configuration-settings.md#app-v-client-configuration-settings-windows-powershell). ### Publishing refresh From 6d36a7c447b2a437e0b5fa9cd4faacc876e36c79 Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Tue, 13 Sep 2016 16:46:16 -0700 Subject: [PATCH 05/16] Fixed fmt of backslashes < > etc. --- ...ation-publishing-and-client-interaction.md | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/windows/manage/appv-application-publishing-and-client-interaction.md b/windows/manage/appv-application-publishing-and-client-interaction.md index 59a1305652..140600ffd6 100644 --- a/windows/manage/appv-application-publishing-and-client-interaction.md +++ b/windows/manage/appv-application-publishing-and-client-interaction.md @@ -532,21 +532,21 @@ The following table shows local and roaming locations, when folder redirection h | VFS directory in package | Mapped location of backing store | | - | - | -| ProgramFilesX86 | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\\ProgramFilesX86 | -| SystemX86 | C:\Users\username\AppData\Local\Microsoft\AppV\Client\VFS\\\SystemX86 | -| Windows | C:\Users\username\AppData\Local\Microsoft\AppV\Client\VFS\\\Windows | -| appv\_ROOT | C:\Users\username\AppData\Local\Microsoft\AppV\Client\VFS\\\appv_ROOT| -| AppData | C:\Users\username\AppData\Local\Microsoft\AppV\Client\VFS\\\AppData | +| ProgramFilesX86 | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\<GUID>\ProgramFilesX86 | +| SystemX86 | C:\Users\username\AppData\Local\Microsoft\AppV\Client\VFS\\<GUID>\SystemX86 | +| Windows | C:\Users\username\AppData\Local\Microsoft\AppV\Client\VFS\\<GUID>\Windows | +| appv\_ROOT | C:\Users\username\AppData\Local\Microsoft\AppV\Client\VFS\\<GUID>\appv_ROOT| +| AppData | C:\Users\username\AppData\Local\Microsoft\AppV\Client\VFS\\<GUID>\AppData | The following table shows local and roaming locations, when folder redirection has been implemented for %AppData%, and the location has been redirected (typically to a network location). | VFS directory in package | Mapped location of backing store | | - | - | -| ProgramFilesX86 | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\\ProgramFilesX86 | -| SystemX86 | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\\SystemX86 | -| Windows | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\\Windows | -| appv_ROOT | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\\appv\_ROOT | -| AppData | \\Fileserver\users\Local\roaming\Microsoft\AppV\Client\VFS\\\AppData | +| ProgramFilesX86 | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\<GUID>\ProgramFilesX86 | +| SystemX86 | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\<GUID>\SystemX86 | +| Windows | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\<GUID>\Windows | +| appv_ROOT | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\<GUID>\appv\_ROOT | +| AppData | \\Fileserver\users\Local\roaming\Microsoft\AppV\Client\VFS\\<GUID>\AppData |   The current App-V Client VFS driver cannot write to network locations, so the App-V Client detects the presence of folder redirection and copies the data on the local drive during publishing and when the virtual environment starts. After the user closes the App-V application and the App-V Client closes the virtual environment, the local storage of the VFS AppData is copied back to the network, enabling roaming to additional machines, where the process will be repeated. The detailed steps of the processes are: From 1e059b0f5bbc931c531218d5458d30afee3485c0 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Wed, 14 Sep 2016 07:00:39 -0700 Subject: [PATCH 06/16] change history, convenience PIN notes --- .../change-history-for-keep-windows-10-secure.md | 6 ++++++ .../implement-microsoft-passport-in-your-organization.md | 2 +- .../change-history-for-manage-and-update-windows-10.md | 5 +++-- 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 4394da8ab8..4b4d5ec17e 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -12,6 +12,12 @@ author: brianlic-msft # Change history for Keep Windows 10 secure This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). +## September 2016 + +| New or changed topic | Description | +| --- | --- | +| [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) | Clarified how convenience PIN works in Windows 10, version 1607, on domain-joined PCs | + ## August 2016 |New or changed topic | Description | |----------------------|-------------| diff --git a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md index 23ecf47c6e..83ab70e1d8 100644 --- a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md +++ b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md @@ -20,7 +20,7 @@ localizationpriority: high You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10. >[!IMPORTANT] ->The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. It still prevents or enables the creation of a convenience PIN for Windows 10. Use **Windows Hello for Business** policy settings to manage PINs. +>The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. It still prevents or enables the creation of a convenience PIN for Windows 10, version 1507 and 1511. Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**. Use **Windows Hello for Business** policy settings to manage PINs.   ## Group Policy settings for Windows Hello for Businness diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md index 48e1b81df3..371cdedb8d 100644 --- a/windows/manage/change-history-for-manage-and-update-windows-10.md +++ b/windows/manage/change-history-for-manage-and-update-windows-10.md @@ -16,8 +16,9 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in | New or changed topic | Description | | --- | --- | -| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Updated the script for setting a custom shell using Shell Launcher. | +| [Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md) | Added Group Policy setting to replace Gesture Filter | | [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added content for Windows Server 2016 | +| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Updated the script for setting a custom shell using Shell Launcher. | ## August 2016 @@ -101,7 +102,7 @@ The topics in this library have been updated for Windows 10, version 1607 (also | ---|---| | [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) | New | | [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | New | -|[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) | New | +| [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) | New | ## November 2015 From 8c435c2bcd67874f418a498083a702bdb52832ef Mon Sep 17 00:00:00 2001 From: Justinha Date: Wed, 14 Sep 2016 11:46:01 -0700 Subject: [PATCH 07/16] removed KeySpec from inf example --- windows/keep-secure/bitlocker-how-to-enable-network-unlock.md | 1 - windows/keep-secure/change-history-for-keep-windows-10-secure.md | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md b/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md index 119e93acad..3f2fc5e488 100644 --- a/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md +++ b/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md @@ -164,7 +164,6 @@ Certreq example: KeyUsage="CERT_KEY_ENCIPHERMENT_KEY_USAGE" KeyUsageProperty="NCRYPT_ALLOW_DECRYPT_FLAG" KeyLength=2048 - Keyspec="AT_KEYEXCHANGE" SMIME=FALSE HashAlgorithm=sha512 [Extensions] diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 4b4d5ec17e..5de6b76a7a 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -17,6 +17,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md | New or changed topic | Description | | --- | --- | | [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) | Clarified how convenience PIN works in Windows 10, version 1607, on domain-joined PCs | +| [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) | Corrected certreq ezxample and added a new Windows PowerShell example for creating a self-signed certficate | ## August 2016 |New or changed topic | Description | From 32ebf3910951cc9fc90e526ef10969678004306f Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Wed, 14 Sep 2016 13:01:32 -0700 Subject: [PATCH 08/16] Fixed one more disappearing backslash --- .../appv-application-publishing-and-client-interaction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/manage/appv-application-publishing-and-client-interaction.md b/windows/manage/appv-application-publishing-and-client-interaction.md index 140600ffd6..b99eb36f43 100644 --- a/windows/manage/appv-application-publishing-and-client-interaction.md +++ b/windows/manage/appv-application-publishing-and-client-interaction.md @@ -500,7 +500,7 @@ App-V registry roaming falls into two scenarios, as shown in the following table

When a standard user launches an App-V application, both HKLM and HKCU for App-V applications are stored in the HKCU hive on the machine. This presents as two distinct paths:

  • HKLM: HKCU\SOFTWARE\Classes\AppV\Client\Packages\\{PkgGUID}\REGISTRY\MACHINE\SOFTWARE

    • -

  • HKCU: HKCU\SOFTWARE\Microsoft\AppV\Client\Packages\\{PkgGUID}\REGISTRY\USER\{UserSID}\SOFTWARE

    • +

  • HKCU: HKCU\SOFTWARE\Microsoft\AppV\Client\Packages\\{PkgGUID}\REGISTRY\USER\\{UserSID}\SOFTWARE

The locations are enabled for roaming based on the operating system settings.
- - - - - - - - - 
Dism /online /Enable-Feature /FeatureName:Client-EmbeddedShellLauncher
+ + `Dism /online /Enable-Feature /all /FeatureName:Client-EmbeddedShellLauncher` **To set your custom shell** From de3f0284bf34fdfc39a88bc9c19944833aceabfd Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Wed, 14 Sep 2016 13:21:02 -0700 Subject: [PATCH 10/16] fix format --- .../set-up-a-kiosk-for-windows-10-for-desktop-editions.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md index ce35ceef5d..211f47f9c2 100644 --- a/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md +++ b/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md @@ -284,7 +284,9 @@ Alternatively, you can turn on Shell Launcher using the Deployment Image Servici 1. Open a command prompt as an administrator. 2. Enter the following command. - `Dism /online /Enable-Feature /all /FeatureName:Client-EmbeddedShellLauncher` + ``` + Dism /online /Enable-Feature /all /FeatureName:Client-EmbeddedShellLauncher + ``` **To set your custom shell** From 4cdf7d5c17f162bf9aa77413cc93bcb0fabfe168 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 14 Sep 2016 16:01:37 -0700 Subject: [PATCH 11/16] fixing table and adding note about a policy that no longer applies to version 1607 --- ...orm-module-services-group-policy-settings.md | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md b/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md index c60ccfbea9..5973f94f6f 100644 --- a/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md +++ b/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md @@ -23,7 +23,7 @@ The TPM Services Group Policy settings are located at: **Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services\\** | Setting | Windows 10, version 1607 | Windows 10, version 1511 and Windows 10, version 1507 | Windows Server 2012 R2, Windows 8.1 and Windows RT | Windows Server 2012, Windows 8 and Windows RT | Windows Server 2008 R2 and Windows 7 | Windows Server 2008 and Windows Vista | -| - | - | - | - | - | - | +| - | - | - | - | - | - | - | | [Turn on TPM backup to Active Directory Domain Services](#bkmk-tpmgp-addsbu) | | X| X| X| X| X| | [Configure the list of blocked TPM commands](#bkmk-tpmgp-clbtc)| X| X| X| X| X| X| | [Ignore the default list of blocked TPM commands](#bkmk-tpmgp-idlb) | X| X| X| X| X| X| @@ -32,21 +32,28 @@ The TPM Services Group Policy settings are located at: | [Standard User Lockout Duration](#bkmk-tpmgp-suld)| X| X| X| X||| | [Standard User Individual Lockout Threshold](#bkmk-tpmgp-suilt)| X| X| X| X||| | [Standard User Total Lockout Threshold](#bkmk-tpmgpsutlt)| X| X| X| X|||| -  + ### Turn on TPM backup to Active Directory Domain Services This policy setting allows you to manage the Active Directory Domain Services (AD DS) backup of TPM owner information. ->**Note:**  This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table). -  +>[!NOTE] +>This policy setting applies to the Windows operating systems listed in the [version table](#bkmk-version-table). + + TPM owner information includes a cryptographic hash of the TPM owner password. Certain TPM commands can be run only by the TPM owner. This hash authorizes the TPM to run these commands. ->**Important:**  To back up TPM owner information from a computer running Windows 10, Windows 8.1, or Windows 8, you might need to first set up appropriate schema extensions and access control settings on the domain so that the AD DS backup can succeed. Windows Server 2012 R2 and Windows Server 2012 include the required schema extensions by default. For more information, see [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md). This functionality is discontinued starting with Windows 10, version 1607. +>[!IMPORTANT] +>To back up TPM owner information from a computer running Windows 10, version 1507, Windows 10, version 1511, Windows 8.1, or Windows 8, you might need to first set up appropriate schema extensions and access control settings on the domain so that the AD DS backup can succeed. Windows Server 2012 R2 and Windows Server 2012 include the required schema extensions by default. For more information, see [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md). This functionality is discontinued starting with Windows 10, version 1607. If you enable this policy setting, TPM owner information will be automatically and silently backed up to AD DS when you use Windows to set or change a TPM owner password. When this policy setting is enabled, a TPM owner password cannot be set or changed unless the computer is connected to the domain and the AD DS backup succeeds. If you disable or do not configure this policy setting, TPM owner information will not be backed up to AD DS. +>[!NOTE] +> The **Turn on TPM backup to Active Directory Domain Services** is not available in the Windows 10, version 1607 and Windows Server 2016 and later versions of the ADMX files. + + ### Configure the list of blocked TPM commands This policy setting allows you to manage the Group Policy list of Trusted Platform Module (TPM) commands that are blocked by Windows. From 6fcb068608878b7d6758fbccd3e0ed6b6ba0700a Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 14 Sep 2016 16:29:47 -0700 Subject: [PATCH 12/16] review feedback --- ...g-system-components-to-microsoft-services.md | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index eae421589e..06104959e3 100644 --- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -168,11 +168,18 @@ For Windows 10, Windows Server 2016 with Desktop Experience, and Windows Server - Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Automatic Root Certificates Update** + -and- + +1. Navigate to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Public Key Policies**. +2. Double-click **Certificate Path Validation Settings**. +3. On the **Network Retrieval** tab, select the **Define these policy settings** check box. +4. Clear the **Automatically update certificates in the Microsoft Root Certificate Program (recommended)** check box, and then click **OK**. + -or- - Create the registry path **HKEY\_LOCAL\_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot** and then add a REG\_DWORD registry setting, called **DisableRootAutoUpdate**, with a value of 1. - -or- + -and- 1. Navigate to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Public Key Policies**. 2. Double-click **Certificate Path Validation Settings**. @@ -609,7 +616,7 @@ To turn off **Turn on SmartScreen Filter to check web content (URLs) that Window -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Turn off the SmartScreen Filter**. +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Configure SmartScreen Filter**. Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows SmartScreen**. @@ -943,6 +950,10 @@ To turn off **Let apps automatically share and sync info with wireless devices t - Turn off the feature in the UI. + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps sync with devices** + To turn off **Let your apps use your trusted devices (hardware you've already connected, or comes with your PC, tablet, or phone)**: - Turn off the feature in the UI. @@ -1041,7 +1052,7 @@ Enterprise customers can manage their Windows activation status with volume lice For Windows 10: -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Activation** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client AVS Activation** -or- From 6ca868f4fd1329a112cbe45b0ab4465e05c1b067 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 14 Sep 2016 16:56:06 -0700 Subject: [PATCH 13/16] more review feedback --- ...dows-operating-system-components-to-microsoft-services.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 06104959e3..aa3cd76c07 100644 --- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -190,6 +190,9 @@ On Windows Server 2016 Nano Server: - Create the registry path **HKEY\_LOCAL\_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot** and then add a REG\_DWORD registry setting, called **DisableRootAutoUpdate**, with a value of 1. +>[!NOTE] +>CRL and OCSP network traffic is currently whitelisted and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign. + ### 2. Cortana and Search Use either Group Policy or MDM policies to manage settings for Cortana. For more info, see [Cortana, Search, and privacy: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730683). @@ -1046,6 +1049,8 @@ To turn off **Let apps run in the background**: - Turn off the feature in the UI for each app. + - Set the **Select a setting** box to **Force Deny**. + ### 17. Software Protection Platform Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by doing one of the following: From 8b144dbf2c00983edda35f1131ffbf09417e50d6 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 14 Sep 2016 17:03:11 -0700 Subject: [PATCH 14/16] review feedback --- ...ndows-operating-system-components-to-microsoft-services.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index aa3cd76c07..44413130fc 100644 --- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -1057,7 +1057,7 @@ Enterprise customers can manage their Windows activation status with volume lice For Windows 10: -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client AVS Activation** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client AVS Validation** -or- @@ -1065,7 +1065,7 @@ For Windows 10: For Windows Server 2016 with Desktop Experience or Windows Server 2016 Server Core: -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Activation** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client AVS Validation** The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS. From c29561c34bcb99b39dbfd00864a61bf6889e58a4 Mon Sep 17 00:00:00 2001 From: Celeste de Guzman Date: Wed, 14 Sep 2016 17:06:02 -0700 Subject: [PATCH 15/16] Updated the change history for EDU and description for one topic --- education/windows/change-history-edu.md | 25 ++++++++++--------- .../create-tests-using-microsoft-forms.md | 2 +- 2 files changed, 14 insertions(+), 13 deletions(-) diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md index 0d1c19f506..f03105f10d 100644 --- a/education/windows/change-history-edu.md +++ b/education/windows/change-history-edu.md @@ -12,38 +12,39 @@ author: jdeckerMS This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation. +## September 2016 + +| New or changed topic | Description| +| --- | --- | +| [Create tests using Microsoft Forms](create-tests-using-microsoft-forms.md) | New. Learn how to use Microsoft Forms with the Take a Test app to prevent access to other computers or online resources while completing a test. | ## RELEASE: Windows 10, version 1607 -The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added: +The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added: - [Set up Windows 10](set-up-windows-10.md) - [Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md) - [Provision student PCs with apps](set-up-students-pcs-with-apps.md) - [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md) - ## July 2016 - | New or changed topic | Description| | --- | --- | -| [Windows 10 editions for education customers](windows-editions-for-education-customers.md) | New | -|[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)|New | - - +| [Windows 10 editions for education customers](windows-editions-for-education-customers.md) | New. Learn about the two editions in Windows 10, version 1607 that's designed for the needs of K-12 institutions. | +|[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)|New. Learn how to deploy Windows 10 in a school district. Integrate the school environment with Office 365, AD DS, and Microsoft Azure AD, use SCCM, Intune, and Group Policy to manage devices. | ## June 2016 | New or changed topic | Description | |----------------------|-------------| -| [Get Minecraft Education Edition](get-minecraft-for-education.md)
[For teachers: get Minecraft Education Edition](teacher-get-minecraft.md)
[For IT administrators: get Minecraft Education Edition](school-get-minecraft.md) | New | +| [Get Minecraft Education Edition](get-minecraft-for-education.md)
[For teachers: get Minecraft Education Edition](teacher-get-minecraft.md)
[For IT administrators: get Minecraft Education Edition](school-get-minecraft.md) | New. Learn how to get and distribute Minecraft: Education Edition. | ## May 2016 | New or changed topic | Description | |----------------------|-------------| -| [Use the Set up School PCs app (Preview)](use-set-up-school-pcs-app.md) | New | -| [Set up School PCs app technical reference (Preview)](set-up-school-pcs-technical.md) | New | -| [Take tests in Windows 10 (Preview)](take-tests-in-windows-10.md)
[Set up Take a Test on a single PC (Preview)](take-a-test-single-pc.md)
[Set up Take a Test on multiple PCs (Preview)](take-a-test-multiple-pcs.md)
[Take a Test app technical reference (Preview)](take-a-test-app-technical.md) | New | +| [Use the Set up School PCs app (Preview)](use-set-up-school-pcs-app.md) | New. Learn how the Set up School PCs app works and how to use it. | +| [Set up School PCs app technical reference (Preview)](set-up-school-pcs-technical.md) | New. Describes the changes that the Set up School PCs app makes to a PC. | +| [Take tests in Windows 10 (Preview)](take-tests-in-windows-10.md)
[Set up Take a Test on a single PC (Preview)](take-a-test-single-pc.md)
[Set up Take a Test on multiple PCs (Preview)](take-a-test-multiple-pcs.md)
[Take a Test app technical reference (Preview)](take-a-test-app-technical.md) | New. Learn how to set up and use the Take a Test app. | | [Chromebook migration guide](chromebook-migration-guide.md) | Moved from [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/en-us/itpro/windows/plan/index) library, originally published in November 2015 | -| [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Moved from [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/en-us/itpro/windows/plan/index) library, originally published in May 2016 | \ No newline at end of file +| [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Moved from [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/en-us/itpro/windows/plan/index) library, originally published in May 2016 | diff --git a/education/windows/create-tests-using-microsoft-forms.md b/education/windows/create-tests-using-microsoft-forms.md index ec0fc56066..64a6208970 100644 --- a/education/windows/create-tests-using-microsoft-forms.md +++ b/education/windows/create-tests-using-microsoft-forms.md @@ -1,6 +1,6 @@ --- title: Create tests using Microsoft Forms -description: Learn how to use Microsoft Forms with the Take a Test app to prevent access to other computers or online resources while complete a test. +description: Learn how to use Microsoft Forms with the Take a Test app to prevent access to other computers or online resources while completing a test. keywords: school, Take a Test, Microsoft Forms ms.prod: w10 ms.mktglfcycl: plan From dd43b079ce504acd4e2f7a376554d583254af4c1 Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Wed, 14 Sep 2016 18:13:24 -0700 Subject: [PATCH 16/16] Changing bold to hdg for linking purposes --- ...-getting-started-on-the-device-guard-deployment-process.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md b/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md index 0e1ec374bc..0790236e3f 100644 --- a/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md +++ b/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md @@ -16,7 +16,7 @@ author: brianlic-msft This topic provides a roadmap for planning and getting started on the Device Guard deployment process, with links to topics that provide additional detail. Planning for Device Guard deployment involves looking at both the end-user and the IT pro impact of your choices. Use the following steps to guide you. -**Planning** +## Planning 1. **Review requirements, especially hardware requirements for VBS**. Review the virtualization-based security (VBS) features described in [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats). Then you can assess your end-user systems to see how many support the VBS features you are interested in, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). @@ -33,7 +33,7 @@ This topic provides a roadmap for planning and getting started on the Device Gua 4. **Identify LOB applications that are currently unsigned**. Although requiring signed code (through code integrity policies) protects against many threats, your organization might use unsigned LOB applications, for which the process of signing might be difficult. You might also have applications that are signed, but you want to add a secondary signature to them. If so, identify these applications, because you will need to create a catalog file for them. For a basic description of catalog files, see the table in [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md). For more background information about catalog files, see [Reviewing your applications: application signing and catalog files](requirements-and-deployment-planning-guidelines-for-device-guard.md#reviewing-your-applications-application-signing-and-catalog-files). -**Getting started on the deployment process** +## Getting started on the deployment process 1. **Optionally, create a signing certificate for code integrity policies**. As you deploy code integrity policies, you might need to sign catalog files or code integrity policies internally. To do this, you will either need a publicly issued code signing certificate (that you purchase) or an internal CA. If you choose to use an internal CA, you will need to create a code signing certificate. For more information, see [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md).