deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-16 15:27:22 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/master' into atp-powerbi

Browse Source
This commit is contained in:
Joey Caparas 2017-08-09 09:55:01 -07:00
commit 1eb2b1341f
28 changed files with 1543 additions and 189 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

80
bcs/index.md
View File

@ -4,6 +4,7 @@ hide_bc: true
author: CelesteDG
ms.author: celested
ms.topic: hub-page
ms.localizationpriority: high
audience: microsoft-business 
title: Microsoft 365 Business documentation and resources
description: Learn about the product documentation and resources available for Microsoft 365 Business partners, IT admins, information workers, and business owners.
@ -40,7 +41,7 @@ description: Learn about the product documentation and resources available for M
</div>
</div>
<div class="cardText">
<span class="likeAnH3">For Partners and IT admins:<br />Get Started with Microsoft 365 Business</span>
<span class="likeAnH3">For Partners and IT admins:<br />Get started with Microsoft 365 Business</span>
</div>
</div>
</div>
@ -56,7 +57,7 @@ description: Learn about the product documentation and resources available for M
<a href="#partner-it">Partner/IT admin</a>
<ul id="partner-it">
<li>
<a data-default="true" href="#getstarted">Get Started</a>
<a data-default="true" href="#getstarted">Get started</a>
<ul id="getstarted" class="cardsC">
<li class="fullSpan">
<div class="container intro">
@ -74,8 +75,8 @@ description: Learn about the product documentation and resources available for M
</div>
</div>
<div class="cardText">
<h3>Learn about Microsoft 365 Business</h3>
<p>Want to learn more about Microsoft 365 Business? Start here.</p>
<h3>Why Microsoft 365 Business?</h3>
<p>Learn how Microsoft 365 Business can empower your team, safeguard your business, and simplify IT management with a single solution.</p>
</div>
</div>
</div>
@ -332,7 +333,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="#">
<a href="https://support.office.com/article/365-1b3b5318-6977-42ed-b5c7-96fa74b08846">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -342,8 +343,27 @@ description: Learn about the product documentation and resources available for M
</div>
</div>
<div class="cardText">
<h3>Identity migration</h3>
<p>Got on-premises AD and plan to move your organizations identity management to the cloud? Do a one-time sync using <a href="https://support.office.com/article/365-1b3b5318-6977-42ed-b5c7-96fa74b08846">Azure AD Connect</a>, or, if you have Exchange servers and plan to also migrate email to the cloud, do a one-time sync using <a href="https://support.office.com/article/FDECCEED-0702-4AF3-85BE-F2A0013937EF">Minimal hybrid migration</a>.</p>
<h3>Identity migration with Azure AD Connect</h3>
<p>Got on-premises AD and plan to move your organizations identity management to the cloud? Do a one-time sync using Azure AD Connect.<a href="https://support.office.com/article/FDECCEED-0702-4AF3-85BE-F2A0013937EF">Minimal hybrid migration</a>.</p>
</div>
</div>
</div>
</div>
</a>
</li>
<li>
<a href="https://support.office.com/article/FDECCEED-0702-4AF3-85BE-F2A0013937EF">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="images/bcs-partner-identity-manager.svg" alt="Identity integration" />
</div>
</div>
<div class="cardText">
<h3>Identity migration with minimal hybrid migration</h3>
<p>Or, if you have Exchange servers and plan to also migrate email to the cloud, do a one-time sync using minimal hybrid migration.</p>
</div>
</div>
</div>
@ -398,6 +418,25 @@ description: Learn about the product documentation and resources available for M
</div>
</a>
</li>
<li>
<a href="https://support.office.com/article/496e690b-b75d-4ff5-bf34-cc32905d0364#bkmk_support">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="images/bcs-partner-advanced-management-technical-support-4.svg" alt="Submit a technical support request for Microsoft 365 Business" />
</div>
</div>
<div class="cardText">
<h3>Microsoft Technical Support</h3>
<p>Submit a technical support request for Microsoft 365 Business.</p>
</div>
</div>
</div>
</div>
</a>
</li>
<li>
<a href="#">
<div class="cardSize">
@ -416,26 +455,7 @@ description: Learn about the product documentation and resources available for M
</div>
</div>
</a>
</li>
<li>
<a href="#">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="images/bcs-partner-advanced-management-technical-support-4.svg" alt="Submit a technical support request for Microsoft 365 Business" />
</div>
</div>
<div class="cardText">
<h3>Microsoft Technical Support - Coming soon</h3>
<p>Submit a technical support request for Microsoft 365 Business.</p>
</div>
</div>
</div>
</div>
</a>
</li>
</li>
</ul>
</li>
<li>
@ -468,7 +488,7 @@ description: Learn about the product documentation and resources available for M
</li>
-->
<li>
<a href="https://docs.microsoft.com/windows">
<a href="https://docs.microsoft.com/en-us/windows/windows-10/">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -479,7 +499,7 @@ description: Learn about the product documentation and resources available for M
</div>
<div class="cardText">
<h3>Windows 10</h3>
<p>Learn more about Windows 10.</p>
<p>Find out what's new, how to apply custom configurations to devices, managing apps, deployment, and more.</p>
</div>
</div>
</div>
@ -747,7 +767,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="https://support.office.com/article/c654bd23-d256-4ac7-8fba-0c993bf5a771">
<a href="https://support.office.com/article/2d7ff45e-0da0-4caa-89a9-48cabf41f193">
<div class="cardSize">
<div class="cardPadding">
<div class="card">

8
bcs/support/microsoft-365-business-faqs.md
View File

@ -5,9 +5,10 @@ author: CelesteDG 
ms.author: celested 
ms.topic: article 
ms.prod: microsoft-365-business
ms.localizationpriority: high
audience: microsoft-business 
keywords: Microsoft 365 Business, Microsoft 365, SMB, FAQ, frequently asked questions, answers
ms.date: 07/10/2017
ms.date: 08/04/2017
---
# Microsoft 365 Business Frequently Asked Questions
@ -147,7 +148,7 @@ Who has access to the Microsoft 365 Business preview?
The Microsoft 365 Business preview is available to new customers as well as existing Office 365 subscribers in all [markets where Office 365 is currently available](https://products.office.com/en-us/business/international-availability).
Im an existing Office 365 customer. Can I access the Microsoft 365 Business preview?
--------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
Microsoft 365 Business can be used with existing Office 365 Business Premium subscriptions. Office 365 Business Premium subscribers that move to Microsoft 365 Business would not experience any end-user impacts (re-install Office, lose functionality, etc) upon assignment of the license. Customers running Office 365 Enterprise E3/E5 may experience end user impacts if they move to Microsoft 365 Business, it is not a recommended transition path at this time.
@ -185,8 +186,9 @@ Is there any charge for the Microsoft 365 Business preview?
No, Microsoft will not charge for the preview. If you work with an outside [IT partner](https://partnercenter.microsoft.com/en-us/pcv/search) and require assistance to deploy Microsoft 365 Business preview, they may charge you for their deployment services and assistance. At the end of the preview customers may convert to a paid subscription to continue using Microsoft 365 Business.
Im an existing Office 365 customer. Will I be charged for an Office 365 subscription while I am using the Microsoft 365 Business preview?
------------------------------------------------------------------------------------------------------------------------------------------
Customers will continue to be charged for any active Office 365 plan to which they are subscribed.
The Microsoft 365 Business preview is free and does not require an existing Office 365 Business Premium subscription. Current Office 365 customers will continue to be billed for active Office 365 subscriptions that are not associated with the Microsoft 365 Business preview.
What is the best way to deploy Microsoft 365 Business in my organization?
--------------------------------------------------------------------------

2
education/windows/change-history-edu.md
View File

@ -28,7 +28,7 @@ This topic lists new and updated topics in the [Windows 10 for Education](index.
| --- | ---- |
| [Get Minecraft: Education Edition with Windows 10 device promotion](get-minecraft-for-education.md) | New information about redeeming Minecraft: Education Edition licenses with qualifying purchases of Windows 10 devices. |
| [Use the Set up School PCs app ](use-set-up-school-pcs-app.md) | Added the how-to video, which shows how to use the app to create a provisioning package that you can use to set up school PCs. |
| [Take a Test app technical reference](take-a-test-app-technical.md) | Added a policies section to inform you of any policies that affect the Take a Test app or functionality within the app. |
| [Take a Test app technical reference](take-a-test-app-technical.md) | Added a Group Policy section to inform you of any policies that affect the Take a Test app or functionality within the app. |
## June 2017

34
education/windows/take-a-test-app-technical.md
View File

@ -9,7 +9,7 @@ ms.pagetype: edu
ms.localizationpriority: high
author: CelesteDG
ms.author: celested
ms.date: 07/28/2017
ms.date: 08/07/2017
---
# Take a Test app technical reference
@ -51,6 +51,18 @@ When Take a Test is running, the following MDM policies are applied to lock down
| AllowCortana | Disables Cortana functionality | 0 |
| AllowAutoupdate | Disables Windows Update from starting OS updates | 5 |
## Group Policy
To ensure Take a Test activates correctly, make sure the following Group Policy are not configured on the PC.
| Functionality | Group Policy path | Policy |
| --- | --- | --- |
| Require Ctrl+Alt+Del | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options | Interactive logon: Do not Require CTRL+ALT+DEL |
| Disable lock screen notifications | Computer Configuration\Administrative Templates\System\Logon | Turn off app notifications on the lock screen |
| Disable lock screen | Computer Configuration\Administrative Templates\Control Panel\Personalization | Do not display the lock screen |
| Disable UAC | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options | User Account Control: Run all administrators in Admin Approval Mode |
| Disable local workstation | User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options | Remove Lock Computer |
## Allowed functionality
When Take a Test is running, the following functionality is available to students:
@ -75,26 +87,6 @@ When Take a Test is running, the following functionality is available to student
- Ctrl+Alt+Del
- Alt+F4 (Take a Test will restart if the student is using a dedicated test account)
## Policies
If the lock screen is disabled, Take a Test will not launch above lock. Be aware that if you set the following Group Policy, this breaks activation of Take a Test above lock.
**Group Policy path:** Computer Configuration\Administrative Templates\Control Panel\Personalization\ <br />
**Group Policy name:** Do not display the lock screen <br />
**ADML:** %SDXROOT%\shell\policies\ControlPanelDisplay.adml <br />
**ADMX:** %SDXROOT%\shell\policies\ControlPanelDisplay.admx <br />
 
```
<policy name="CPL_Personalization_NoLockScreen" class="Machine"
        displayName="$(string.CPL_Personalization_NoLockScreen)"
        explainText="$(string.CPL_Personalization_NoLockScreen_Help)"
        key="Software\Policies\Microsoft\Windows\Personalization"
        valueName="NoLockScreen">
  <parentCategory ref="Personalization" />
  <supportedOn ref="windows:SUPPORTED_Windows8" />
</policy>
```
## Learn more

33
education/windows/test-windows10s-for-edu.md
View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.localizationpriority: high
author: CelesteDG
ms.author: celested
ms.date: 08/01/2017
ms.date: 08/07/2017
---
# Test Windows 10 S on existing Windows 10 education devices
@ -77,8 +77,36 @@ Make sure all drivers are installed and working properly on your device running
Check with your device manufacturer before trying Windows 10 S on your device to see if the drivers are available and supported by the device manufacturer.
<!--
| | | |
| - | - | - |
| [Acer](https://www.acer.com/ac/en/US/content/windows10s-compatible-list) | [American Future Tech](https://www.ibuypower.com/Support/Support) | [Asus](https://www.asus.com/event/2017/win10S/) |
| [Atec](http://www.atec.kr/contents/ms_info.html) | [Axdia](https://www.odys.de/web/web_lan_en_hmp_1_win10s_ja.html) | [Casper](http://www.casper.com.tr/window10sdestegi) |
| [Cyberpower](https://www.cyberpowerpc.com/support/) | [Daewoo](http://www.lucoms.com/v2/cs/cs_windows10.asp) | [Fujitsu](http://support.ts.fujitsu.com/IndexProdSupport.asp?OpenTab=win10_update) |
| [Global K](http://compaq.com.br/sistemas-compativeis-com-windows-10-s.html) | [HP](https://support.hp.com/us-en/document/c05588871) | [LANIT Trading](http://irbis-digital.ru/support/podderzhka-windows-10-s/) |
| [Lenovo](https://support.lenovo.com/us/en/solutions/ht504589) | [LG](http://www.lg.com/us/content/html/hq/windows10update/Win10S_UpdateInfo.html) | [MCJ](https://www2.mouse-jp.co.jp/ssl/user_support2/info.asp?N_ID=361) |
| [Micro P/Exertis](http://support.linxtablets.com/WindowsSupport/Articles/Windows_10_S_Supported_Devices.aspx) | [Microsoft](https://www.microsoft.com/surface/en-us/support/windows-and-office/surface-devices-that-work-with-windows-10-s) | [MSI](https://www.msi.com/Landing/Win10S) |
| [Panasonic](https://panasonic.net/cns/pc/Windows10S/) | [Positivo SA](http://www.positivoinformatica.com.br/atualizacao-windows-10) | [Positivo da Bahia](http://www.br.vaio.com/atualizacao-windows-10/) |
| [Samsung](http://www.samsung.com/us/support/windows10s/) | [Toshiba](http://win10upgrade.toshiba.com/win10s/information?region=TAIS&country=US&lang=en) | [Trekstor](http://www.trekstor.de/windows-10-s-en.html) |
| [Trigem](http://www.trigem.co.kr/windows/win10S.html) | [Vaio](http://us.vaio.com/support/knowledge-base/windows-10-s-compatibility-information/) | [Wortmann](https://www.wortmann.de/en-gb/content/+windows-10-s-supportinformation/windows-10-s-supportinformation.aspx) |
-->
| | | |
| - | - | - |
| <a href="https://www.acer.com/ac/en/US/content/windows10s-compatible-list" target="_blank">Acer</a> | <a href="https://www.ibuypower.com/Support/Support" target="_blank">American Future Tech</a> | <a href="https://www.asus.com/event/2017/win10S/" target="_blank">Asus</a> |
| <a href="http://www.atec.kr/contents/ms_info.html" target="_blank">Atec</a> | <a href="https://www.odys.de/web/web_lan_en_hmp_1_win10s_ja.html" target="_blank">Axdia</a> | <a href="http://www.casper.com.tr/window10sdestegi" target="_blank">Casper</a> |
| <a href="https://www.cyberpowerpc.com/support/" target="_blank">Cyberpower</a> | <a href="http://www.lucoms.com/v2/cs/cs_windows10.asp" target="_blank">Daewoo</a> | <a href="http://www.daten.com.br/suportes/windows10s/" target="_blank">Daten</a> |
| <a href="http://support.ts.fujitsu.com/IndexProdSupport.asp?OpenTab=win10_update" target="_blank">Fujitsu</a> | <a href="http://compaq.com.br/sistemas-compativeis-com-windows-10-s.html" target="_blank">Global K</a> | <a href="https://support.hp.com/us-en/document/c05588871" target="_blank">HP</a> |
| <a href="http://irbis-digital.ru/support/podderzhka-windows-10-s/" target="_blank">LANIT Trading</a> | <a href="https://support.lenovo.com/us/en/solutions/ht504589" target="_blank">Lenovo</a> | <a href="http://www.lg.com/us/content/html/hq/windows10update/Win10S_UpdateInfo.html" target="_blank">LG</a> |
| <a href="https://www2.mouse-jp.co.jp/ssl/user_support2/info.asp?N_ID=361" target="_blank">MCJ</a> | <a href="http://support.linxtablets.com/WindowsSupport/Articles/Windows_10_S_Supported_Devices.aspx" target="_blank">Micro P/Exertis</a> | <a href="https://www.microsoft.com/surface/en-us/support/windows-and-office/surface-devices-that-work-with-windows-10-s" target="_blank">Microsoft</a> |
| <a href="https://www.msi.com/Landing/Win10S" target="_blank">MSI</a> | <a href="https://panasonic.net/cns/pc/Windows10S/" target="_blank">Panasonic</a> | <a href="http://www.positivoinformatica.com.br/atualizacao-windows-10" target="_blank">Positivo SA</a> |
| <a href="http://www.br.vaio.com/atualizacao-windows-10/" target="_blank">Positivo da Bahia</a> | <a href="http://www.samsung.com/us/support/windows10s/" target="_blank">Samsung</a> | <a href="http://www.tongfangpc.com/service/win10.aspx" target="_blank">Tongfang</a> |
| <a href="http://win10upgrade.toshiba.com/win10s/information?region=TAIS&country=US&lang=en" target="_blank">Toshiba</a> | <a href="http://www.trekstor.de/windows-10-s-en.html" target="_blank">Trekstor</a> | <a href="http://www.trigem.co.kr/windows/win10S.html" target="_blank">Trigem</a> |
| <a href="http://us.vaio.com/support/knowledge-base/windows-10-s-compatibility-information/" target="_blank">Vaio</a> | <a href="https://www.wortmann.de/en-gb/content/+windows-10-s-supportinformation/windows-10-s-supportinformation.aspx" target="_blank">Wortmann</a> |
> [!NOTE]
> We'll update this section with more information so check back again soon.
> If you don't see any device listed on the manufacturer's web site, check back again later as more devices get added in the future.
<!--
* [Microsoft](https://www.microsoft.com/surface/en-us/support/windows-and-office/surface-devices-that-work-with-windows-10-s)
@ -172,7 +200,6 @@ To use an installation media to reinstall Windows 10, follow these steps.
Ready to test Windows 10 S on your existing Windows 10 Pro or Windows 10 Pro Education device? Make sure you read the [important pre-installation information](#important-information) and all the above information.
When you're ready, you can download the Windows 10 S installer by clicking the **Download installer** button below:
<!-- download the Windows 10 S installer from [this Microsoft website](https://go.microsoft.com/fwlink/?linkid=853240). -->
> [!div class="nextstepaction" style="center"]
> [Download installer](https://go.microsoft.com/fwlink/?linkid=853240)

36
mdop/mbam-v2/create-or-edit-the-sms-defmof-file.md
View File

@ -32,8 +32,8 @@ In the following sections, complete the instructions that correspond to the vers
// Microsoft BitLocker Administration and Monitoring
//===================================================
#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
#pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL)
#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
#pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL)
[ SMS_Report (TRUE),
SMS_Group_Name ("BitLocker Encryption Details"),
SMS_Class_ID ("MICROSOFT|BITLOCKER_DETAILS|1.0")]
@ -66,9 +66,9 @@ In the following sections, complete the instructions that correspond to the vers
[ SMS_Report (TRUE) ]
Boolean IsAutoUnlockEnabled;
};
#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
#pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL)
#pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL)
[ SMS_Report(TRUE),
SMS_Group_Name("BitLocker Policy"),
SMS_Class_ID("MICROSOFT|MBAM_POLICY|1.0")]
@ -112,8 +112,8 @@ In the following sections, complete the instructions that correspond to the vers
};
//Read Win32_OperatingSystem.SKU WMI property in a new class - because SKU is not available before Vista.
#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
#pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL)
#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
#pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL)
[ SMS_Report (TRUE),
SMS_Group_Name ("Operating System Ex"),
SMS_Class_ID ("MICROSOFT|OPERATING_SYSTEM_EXT|1.0") ]
@ -126,8 +126,8 @@ In the following sections, complete the instructions that correspond to the vers
};
//Read Win32_ComputerSystem.PCSystemType WMI property in a new class - because PCSystemType is not available before Vista.
#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
#pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL)
#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
#pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL)
[ SMS_Report (TRUE),
SMS_Group_Name ("Computer System Ex"),
SMS_Class_ID ("MICROSOFT|COMPUTER_SYSTEM_EXT|1.0") ]
@ -194,8 +194,8 @@ In the following sections, complete the instructions that correspond to the vers
// Microsoft BitLocker Administration and Monitoring
//===================================================
#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
#pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL)
#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
#pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL)
[ SMS_Report (TRUE),
SMS_Group_Name ("BitLocker Encryption Details"),
SMS_Class_ID ("MICROSOFT|BITLOCKER_DETAILS|1.0")]
@ -229,8 +229,8 @@ In the following sections, complete the instructions that correspond to the vers
Boolean IsAutoUnlockEnabled;
};
#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
#pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL)
#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
#pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL)
[ SMS_Report(TRUE),
SMS_Group_Name("BitLocker Policy"),
SMS_Class_ID("MICROSOFT|MBAM_POLICY|1.0"),
@ -275,8 +275,8 @@ In the following sections, complete the instructions that correspond to the vers
string EncodedComputerName;
};
#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
#pragma deleteclass("Win32Reg_MBAMPolicy_64", NOFAIL)
#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
#pragma deleteclass("Win32Reg_MBAMPolicy_64", NOFAIL)
[ SMS_Report(TRUE),
SMS_Group_Name("BitLocker Policy"),
SMS_Class_ID("MICROSOFT|MBAM_POLICY|1.0"),
@ -322,8 +322,8 @@ In the following sections, complete the instructions that correspond to the vers
};
//Read Win32_OperatingSystem.SKU WMI property in a new class - because SKU is not available before Vista.
#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
#pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL)
#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
#pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL)
[ SMS_Report (TRUE),
SMS_Group_Name ("Operating System Ex"),
SMS_Class_ID ("MICROSOFT|OPERATING_SYSTEM_EXT|1.0") ]
@ -336,8 +336,8 @@ In the following sections, complete the instructions that correspond to the vers
};
//Read Win32_ComputerSystem.PCSystemType WMI property in a new class - because PCSystemType is not available before Vista.
#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
#pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL)
#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
#pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL)
[ SMS_Report (TRUE),
SMS_Group_Name ("Computer System Ex"),
SMS_Class_ID ("MICROSOFT|COMPUTER_SYSTEM_EXT|1.0") ]

36
mdop/mbam-v2/edit-the-configurationmof-file.md
View File

@ -42,8 +42,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2
//===================================================
// Microsoft BitLocker Administration and Monitoring
//===================================================
#pragma namespace ("\\\\.\\root\\cimv2")
#pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL)
#pragma namespace ("\\\\.\\root\\cimv2")
#pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL)
[Union, ViewSources{"select DeviceId, BitlockerPersistentVolumeId, BitLockerManagementPersistentVolumeId, BitLockerManagementVolumeType, DriveLetter, Compliant, ReasonsForNonCompliance, KeyProtectorTypes, EncryptionMethod, ConversionStatus, ProtectionStatus, IsAutoUnlockEnabled from Mbam_Volume"}, ViewSpaces{"\\\\.\\root\\microsoft\\mbam"}, dynamic, Provider("MS_VIEW_INSTANCE_PROVIDER")]
class Win32_BitLockerEncryptionDetails
{
@ -75,8 +75,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2
Boolean IsAutoUnlockEnabled;
};
#pragma namespace ("\\\\.\\root\\cimv2")
#pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL)
#pragma namespace ("\\\\.\\root\\cimv2")
#pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL)
[DYNPROPS]
Class Win32Reg_MBAMPolicy
{
@ -137,8 +137,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2
EncodedComputerName;
};
#pragma namespace ("\\\\.\\root\\cimv2")
#pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL)
#pragma namespace ("\\\\.\\root\\cimv2")
#pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL)
[Union, ViewSources{"select Name,OperatingSystemSKU from Win32_OperatingSystem"}, ViewSpaces{"\\\\.\\root\\cimv2"},
dynamic,Provider("MS_VIEW_INSTANCE_PROVIDER")]
class CCM_OperatingSystemExtended
@ -149,8 +149,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2
uint32 SKU;
};
#pragma namespace ("\\\\.\\root\\cimv2")
#pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL)
#pragma namespace ("\\\\.\\root\\cimv2")
#pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL)
[Union, ViewSources{"select Name,PCSystemType from Win32_ComputerSystem"}, ViewSpaces{"\\\\.\\root\\cimv2"},
dynamic,Provider("MS_VIEW_INSTANCE_PROVIDER")]
class CCM_ComputerSystemExtended
@ -181,8 +181,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2
// Microsoft BitLocker Administration and Monitoring
//===================================================
#pragma namespace ("\\\\.\\root\\cimv2")
#pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL)
#pragma namespace ("\\\\.\\root\\cimv2")
#pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL)
[Union, ViewSources{"select DeviceId, BitlockerPersistentVolumeId, BitLockerManagementPersistentVolumeId, BitLockerManagementVolumeType, DriveLetter, Compliant, ReasonsForNonCompliance, KeyProtectorTypes, EncryptionMethod, ConversionStatus, ProtectionStatus, IsAutoUnlockEnabled from Mbam_Volume"}, ViewSpaces{"\\\\.\\root\\microsoft\\mbam"}, dynamic, Provider("MS_VIEW_INSTANCE_PROVIDER")]
class Win32_BitLockerEncryptionDetails
{
@ -214,8 +214,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2
Boolean IsAutoUnlockEnabled;
};
#pragma namespace ("\\\\.\\root\\cimv2")
#pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL)
#pragma namespace ("\\\\.\\root\\cimv2")
#pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL)
[DYNPROPS]
Class Win32Reg_MBAMPolicy
{
@ -276,8 +276,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2
EncodedComputerName;
};
#pragma namespace ("\\\\.\\root\\cimv2")
#pragma deleteclass("Win32Reg_MBAMPolicy_64", NOFAIL)
#pragma namespace ("\\\\.\\root\\cimv2")
#pragma deleteclass("Win32Reg_MBAMPolicy_64", NOFAIL)
[DYNPROPS]
Class Win32Reg_MBAMPolicy_64
{
@ -338,8 +338,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2
EncodedComputerName;
};
#pragma namespace ("\\\\.\\root\\cimv2")
#pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL)
#pragma namespace ("\\\\.\\root\\cimv2")
#pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL)
[Union, ViewSources{"select Name,OperatingSystemSKU from Win32_OperatingSystem"}, ViewSpaces{"\\\\.\\root\\cimv2"},
dynamic,Provider("MS_VIEW_INSTANCE_PROVIDER")]
class CCM_OperatingSystemExtended
@ -350,8 +350,8 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2
uint32 SKU;
};
#pragma namespace ("\\\\.\\root\\cimv2")
#pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL)
#pragma namespace ("\\\\.\\root\\cimv2")
#pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL)
[Union, ViewSources{"select Name,PCSystemType from Win32_ComputerSystem"}, ViewSpaces{"\\\\.\\root\\cimv2"},
dynamic,Provider("MS_VIEW_INSTANCE_PROVIDER")]
class CCM_ComputerSystemExtended

BIN
windows/access-protection/credential-guard/images/credguard-gp.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 23 KiB

After

Width:  |  Height:  |  Size: 32 KiB

2
windows/application-management/change-history-for-application-management.md
View File

@ -18,6 +18,6 @@ This topic lists new and updated topics in the [Configure Windows 10](index.md)
| New or changed topic | Description |
| --- | --- |
| [Service Host process refactoring](svchost-service-refactoring.md) | New |
| [Deploy app updgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md) | New |
| [Deploy app upgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md) | New |

2
windows/application-management/index.md
View File

@ -13,7 +13,7 @@ ms.localizationpriority: medium
**Applies to**
- Windows 10
Learn about managing applications in Window 10 and Windows 10 Mobile clients.
Learn about managing applications in Windows 10 and Windows 10 Mobile clients.
| Topic | Description |

1
windows/client-management/mdm/TOC.md
View File

@ -203,6 +203,7 @@
#### [InternetExplorer](policy-csp-internetexplorer.md)
#### [Kerberos](policy-csp-kerberos.md)
#### [Licensing](policy-csp-licensing.md)
#### [LocalPoliciesSecurityOptions](policy-csp-localpoliciessecurityoptions.md)
#### [Location](policy-csp-location.md)
#### [LockDown](policy-csp-lockdown.md)
#### [Maps](policy-csp-maps.md)

82
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -10,7 +10,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/28/2017
ms.date: 08/04/2017
---
# What's new in MDM enrollment and management
@ -969,10 +969,34 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
<td style="vertical-align:top"><p>Added the following new policies for Windows 10, version 1709:</p>
<ul>
<li>CredentialProviders/EnableWindowsAutoPilotResetCredentials</li>
<li>CredentialProviders/DisableAutomaticReDeploymentCredentials</li>
<li>DeviceGuard/EnableVirtualizationBasedSecurity</li>
<li>DeviceGuard/RequirePlatformSecurityFeatures</li>
<li>DeviceGuard/LsaCfgFlags</li>
<li>LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts</li>
<li>LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus</li>
<li>LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus</li>
<li>LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly</li>
<li>LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount</li>
<li>LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount</li>
<li>LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked</li>
<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn</li>
<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn</li>
<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL</li>
<li>LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit</li>
<li>LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn</li>
<li>LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests</li>
<li>LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon</li>
<li>LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations</li>
<li>Power/DisplayOffTimeoutOnBattery</li>
<li>Power/DisplayOffTimeoutPluggedIn</li>
<li>Power/HibernateTimeoutOnBattery</li>
@ -1280,6 +1304,58 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
## Change history in MDM documentation
### August 2017
<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<thead>
<tr class="header">
<th>New or updated topic</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td style="vertical-align:top">[CM\_CellularEntries CSP](cm-cellularentries-csp.md)</td>
<td style="vertical-align:top"><p>Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.</p>
</td></tr>
<tr class="even">
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
<td style="vertical-align:top"><p>Added the following new policies for Windows 10, version 1709:</p>
<ul>
<li>LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts</li>
<li>LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus</li>
<li>LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus</li>
<li>LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly</li>
<li>LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount</li>
<li>LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount</li>
<li>LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked</li>
<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn</li>
<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn</li>
<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL</li>
<li>LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit</li>
<li>LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn</li>
<li>LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests</li>
<li>LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon</li>
<li>LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations</li>
</ul>
<p>Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutoPilotResetCredentials.</p>
</td></tr>
</tbody>
</table>
### July 2017
<table>
@ -1313,7 +1389,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<ul>
<li>Education/DefaultPrinterName</li>
<li>Education/PreventAddingNewPrinters</li>
<li>Education/PrinterNames</li>
<li>Education/PrinterNames</li>
<li>Security/ClearTPMIfNotReady</li>
<li>WindowsDefenderSecurityCenter/CompanyName</li>
<li>WindowsDefenderSecurityCenter/DisableAppBrowserUI</li>

81
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/27/2017
ms.date: 08/04/2017
---
# Policy CSP
@ -534,7 +534,7 @@ The following diagram shows the Policy configuration service provider in tree fo
<a href="./policy-csp-credentialproviders.md#credentialproviders-blockpicturepassword" id="credentialproviders-blockpicturepassword">CredentialProviders/BlockPicturePassword</a>
</dd>
<dd>
<a href="./policy-csp-credentialproviders.md#credentialproviders-enablewindowsautopilotresetcredentials" id="credentialproviders-enablewindowsautopilotresetcredentials">CredentialProviders/EnableWindowsAutoPilotResetCredentials</a>
<a href="./policy-csp-credentialproviders.md#credentialproviders-disableautomaticredeploymentcredentials" id="credentialproviders-disableautomaticredeploymentcredentials">CredentialProviders/DisableAutomaticReDeploymentCredentials</a>
</dd>
</dl>
@ -1778,6 +1778,83 @@ The following diagram shows the Policy configuration service provider in tree fo
</dd>
</dl>
### LocalPoliciesSecurityOptions policies
<dl>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-blockmicrosoftaccounts" id="localpoliciessecurityoptions-accounts-blockmicrosoftaccounts">LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-enableadministratoraccountstatus" id="localpoliciessecurityoptions-accounts-enableadministratoraccountstatus">LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-enableguestaccountstatus" id="localpoliciessecurityoptions-accounts-enableguestaccountstatus">LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-limitlocalaccountuseofblankpasswordstoconsolelogononly" id="localpoliciessecurityoptions-accounts-limitlocalaccountuseofblankpasswordstoconsolelogononly">LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-renameadministratoraccount" id="localpoliciessecurityoptions-accounts-renameadministratoraccount">LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-renameguestaccount" id="localpoliciessecurityoptions-accounts-renameguestaccount">LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked" id="localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked">LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin" id="localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin">LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplayusernameatsignin" id="localpoliciessecurityoptions-interactivelogon-donotdisplayusernameatsignin">LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotrequirectrlaltdel" id="localpoliciessecurityoptions-interactivelogon-donotrequirectrlaltdel">LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-machineinactivitylimit" id="localpoliciessecurityoptions-interactivelogon-machineinactivitylimit">LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-messagetextforusersattemptingtologon" id="localpoliciessecurityoptions-interactivelogon-messagetextforusersattemptingtologon">LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-messagetitleforusersattemptingtologon" id="localpoliciessecurityoptions-interactivelogon-messagetitleforusersattemptingtologon">LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests" id="localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests">LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-recoveryconsole-allowautomaticadministrativelogon" id="localpoliciessecurityoptions-recoveryconsole-allowautomaticadministrativelogon">LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon" id="localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon">LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-tbuseraccountcontrol-runalladministratorsinadminapprovalmoded" id="localpoliciessecurityoptions-tbuseraccountcontrol-runalladministratorsinadminapprovalmoded">LocalPoliciesSecurityOptions/TBUserAccountControl_RunAllAdministratorsInAdminApprovalModeD</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-allowuiaccessapplicationstopromptforelevation" id="localpoliciessecurityoptions-useraccountcontrol-allowuiaccessapplicationstopromptforelevation">LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforadministrators" id="localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforadministrators">LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforstandardusers" id="localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforstandardusers">LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-onlyelevateexecutablefilesthataresignedandvalidated" id="localpoliciessecurityoptions-useraccountcontrol-onlyelevateexecutablefilesthataresignedandvalidated">LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-onlyelevateuiaccessapplicationsthatareinstalledinsecurelocations" id="localpoliciessecurityoptions-useraccountcontrol-onlyelevateuiaccessapplicationsthatareinstalledinsecurelocations">LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-switchtothesecuredesktopwhenpromptingforelevation" id="localpoliciessecurityoptions-useraccountcontrol-switchtothesecuredesktopwhenpromptingforelevation">LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-virtualizefileandregistrywritefailurestoperuserlocations" id="localpoliciessecurityoptions-useraccountcontrol-virtualizefileandregistrywritefailurestoperuserlocations">LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations</a>
</dd>
</dl>
### Location policies
<dl>

9
windows/client-management/mdm/policy-csp-credentialproviders.md
View File

@ -124,7 +124,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="credentialproviders-enablewindowsautopilotresetcredentials"></a>**CredentialProviders/EnableWindowsAutoPilotResetCredentials**
<a href="" id="credentialproviders-disableautomaticredeploymentcredentials"></a>**CredentialProviders/DisableAutomaticReDeploymentCredentials**
<!--StartSKU-->
<table>
@ -150,11 +150,12 @@ ADMX Info:
<!--EndSKU-->
<!--StartDescription-->
Added in Windows 10, version 1709. Boolean policy to enable the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. When the policy is enabled, a WNF notification is generated that would schedule a task to update the visibility of the new provider. The admin user is required to authenticate to trigger the refresh on the target device.
Added in Windows 10, version 1709. Boolean policy to disable the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device.
The auto pilot reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the auto pilot reset is triggered the devices are for ready for use by information workers or students.
The Windows 10 Automatic ReDeployment feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the automatic redeployment is triggered the devices are for ready for use by information workers or students.
Default value is 0.
- 0 - Enable the visibility of the credentials for Windows 10 Automatic ReDeployment
- 1 - Disable visibility of the credentials for Windows 10 Automatic ReDeployment
<!--EndDescription-->
<!--EndPolicy-->

1024
windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md Normal file
View File

File diff suppressed because it is too large Load Diff

20
windows/client-management/mdm/policy-csp-textinput.md
View File

@ -364,26 +364,6 @@ ms.date: 07/14/2017
<a href="" id="textinput-allowkoreanextendedhanja"></a>**TextInput/AllowKoreanExtendedHanja**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->

24
windows/client-management/mdm/policy-csp-wifi.md
View File

@ -23,26 +23,6 @@ ms.date: 07/14/2017
<a href="" id="wifi-allowwifihotspotreporting"></a>**WiFi/AllowWiFiHotSpotReporting**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
@ -303,8 +283,6 @@ Footnote:
<!--EndIoTCore-->
<!--StartSurfaceHub-->
## <a href="" id="surfacehubpolicies"></a>Wifi policies supported by Microsoft Surface Hub
- [WiFi/AllowWiFiHotSpotReporting](#wifi-allowwifihotspotreporting)
<!--EndSurfaceHub-->

20
windows/client-management/mdm/policy-csp-wirelessdisplay.md
View File

@ -163,26 +163,6 @@ ms.date: 07/14/2017
<a href="" id="wirelessdisplay-allowuserinputfromwirelessdisplayreceiver"></a>**WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->

3
windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
View File

@ -1690,6 +1690,9 @@ If you're running Windows 10, version 1607 or later, you only need to enable the
- **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off all Windows spotlight features**
> [!NOTE]
> This must be done within 15 minutes after Windows 10 is installed. Alternatively, you can create an image with this setting.
-or-
- Create a new REG\_DWORD registry setting in **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsSpotlightFeatures**, with a value of 1 (one).

1
windows/configuration/start-secondary-tiles.md
View File

@ -72,6 +72,7 @@ In Windows 10, version 1703, by using the PowerShell cmdlet `export-StartLayoutE
3. If youd like to change the image for a secondary tile to your own custom image, open the layout.xml file, and look for the images that the tile references.
- For example, your layout.xml contains `Square150x150LogoUri="ms-appdata:///local/PinnedTiles/21581260870/hires.png" Wide310x150LogoUri="ms-appx:///"`
- Open `C:\Users\<username>\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState` and replace those images with your customized images
>[!TIP]
>A quick method for getting appropriately sized images for each tile size is to upload your image at [BuildMyPinnedSite](http://www.buildmypinnedsite.com/) and then download the resized tile images.

16
windows/deployment/TOC.md
View File

@ -14,19 +14,6 @@
### [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)
### [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md)
### [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md)
#### [Upgrade Readiness architecture](upgrade/upgrade-readiness-architecture.md)
#### [Upgrade Readiness requirements](upgrade/upgrade-readiness-requirements.md)
#### [Get started with Upgrade Readiness](upgrade/upgrade-readiness-get-started.md)
##### [Upgrade Readiness deployment script](upgrade/upgrade-readiness-deployment-script.md)
#### [Use Upgrade Readiness to manage Windows upgrades](upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md)
##### [Upgrade overview](upgrade/upgrade-readiness-upgrade-overview.md)
##### [Step 1: Identify apps](upgrade/upgrade-readiness-identify-apps.md)
##### [Step 2: Resolve issues](upgrade/upgrade-readiness-resolve-issues.md)
##### [Step 3: Deploy Windows](upgrade/upgrade-readiness-deploy-windows.md)
##### [Additional insights](upgrade/upgrade-readiness-additional-insights.md)
#### [Troubleshoot Upgrade Readiness](upgrade/troubleshoot-upgrade-readiness.md)
### [Windows 10 deployment test lab](windows-10-poc.md)
#### [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
#### [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
@ -218,9 +205,6 @@
### [Prepare servicing strategy for Windows 10 updates](update/waas-servicing-strategy-windows-10-updates.md)
### [Build deployment rings for Windows 10 updates](update/waas-deployment-rings-windows-10-updates.md)
### [Assign devices to servicing channels for Windows 10 updates](update/waas-servicing-channels-windows-10-updates.md)
### [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md)
#### [Get started with Update Compliance](update/update-compliance-get-started.md)
#### [Use Update Compliance](update/update-compliance-using.md)
### [Optimize Windows 10 update delivery](update/waas-optimize-windows-10-updates.md)
#### [Configure Delivery Optimization for Windows 10 updates](update/waas-delivery-optimization.md)
#### [Configure BranchCache for Windows 10 updates](update/waas-branchcache.md)

6
windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
View File

@ -329,7 +329,7 @@ The steps below walk you through the process of editing the Windows 10 referenc
 
5. State Restore / Custom Tasks (Pre-Windows Update). Add a new Install Roles and Features action with the following settings:
1. Name: Install - Microsoft NET Framework 3.5.1
2. Select the operating system for which roles are to be installed: Windows 8.1
2. Select the operating system for which roles are to be installed: Windows 10
3. Select the roles and features that should be installed: .NET Framework 3.5 (includes .NET 2.0 and 3.0)
**Important**  
@ -471,7 +471,7 @@ In MDT, the x86 boot image can deploy both x86 and x64 operating systems (except
### Update the deployment share
After the deployment share has been configured, it needs to be updated. This is the process when the Windows Windows PE boot images are created.
After the deployment share has been configured, it needs to be updated. This is the process when the Windows PE boot images are created.
1. Using the Deployment Workbench, right-click the **MDT Build Lab deployment share** and select **Update Deployment Share**.
2. Use the default options for the Update Deployment Share Wizard.
@ -566,7 +566,7 @@ SkipFinalSummary=YES
The easiest way to find the current time zone name on a Windows 10 machine is to run tzutil /g in a command prompt. You can also run tzutil /l to get a listing of all available time zone names.
 
- **JoinWorkgroup.** Configures Windows to join a workgroup.
- **HideShell.** Hides the Windows Shell during deployment. This is especially useful for Windows 8.1 deployments in which the deployment wizard will otherwise appear behind the tiles.
- **HideShell.** Hides the Windows Shell during deployment. This is especially useful for Windows 10 deployments in which the deployment wizard will otherwise appear behind the tiles.
- **FinishAction.** Instructs MDT what to do when the task sequence is complete.
- **DoNotCreateExtraPartition.** Configures the task sequence not to create the extra partition for BitLocker. There is no need to do this for your reference image.
- **WSUSServer.** Specifies which Windows Server Update Services (WSUS) server (and port, if needed) to use during the deployment. Without this option MDT will use Microsoft Update directly, which will increase deployment time and limit your options of controlling which updates are applied.

2
windows/deployment/upgrade/upgrade-readiness-get-started.md
View File

@ -138,7 +138,7 @@ To ensure that user computers are receiving the most up to date data from Micros
- Schedule the Upgrade Readiness deployment script to automatically run so that you dont have to manually initiate an inventory scan each time the compatibility update KBs are updated.
- Schedule monthly user computer scans to view monthly active computer and usage information.
>When you run the deployment script, it initiates a full scan. The daily scheduled task to capture the deltas are created when the update package is installed. A full scan averages to about 2 MB, but the delta scans are very small. For Windows 10 devices, its already part of the OS. This is the **Windows Compat Appraiser** task. Deltas are invoked via the nightly scheduled task. It attempts to run around 3AM, but if system is off at that time, the task will run when the system is turned on.
>When you run the deployment script, it initiates a full scan. The daily scheduled task to capture the deltas is created when the update package is installed. For Windows 10 devices, it's already part of the OS. A full scan averages about 2 MB, but the delta scans are very small. The scheduled task is named **Windows Compatibility Appraiser** and can be found in the Task Scheduler Library under Microsoft > Windows > Application Experience. Deltas are invoked via the nightly scheduled task. It attempts to run around 3:00AM every day. If the system is powered off at that time, the task will run when the system is turned on.
### Distribute the deployment script at scale

4
windows/deployment/vda-subscription-activation.md
View File

@ -12,7 +12,11 @@ author: greg-lindsay
# Configure VDA for Windows 10 Subscription Activation
<<<<<<< HEAD
This document describes how to configure virtual machines (VMs) to enable [Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based license.
=======
This document describes how to configure virtual machines (VMs) to enable [Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based licensing mechanism for managing access to virtual desktops.
>>>>>>> 9cfade7b4735548209a42a177179689a7e522ec6
## Requirements

1
windows/device-security/TOC.md
View File

@ -94,6 +94,7 @@
### [Prepare your organization for BitLocker: Planning and policies](bitlocker\prepare-your-organization-for-bitlocker-planning-and-policies.md)
### [BitLocker basic deployment](bitlocker\bitlocker-basic-deployment.md)
### [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker\bitlocker-how-to-deploy-on-windows-server.md)
### [BitLocker: Management recommendations for enterprises](bitlocker\bitlocker-management-for-enterprises.md)
### [BitLocker: How to enable Network Unlock](bitlocker\bitlocker-how-to-enable-network-unlock.md)
### [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker\bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)
### [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker\bitlocker-use-bitlocker-recovery-password-viewer.md)

13
windows/device-security/bitlocker/bitlocker-frequently-asked-questions.md
View File

@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
localizationpriority: high
author: brianlic-msft
---
@ -189,6 +189,12 @@ You can use the Manage-bde.exe command-line tool to replace your TPM-only authen
`manage-bde protectors add %systemdrive% -tpmandpin <4-20 digit numeric PIN>`
### <a href="" id="bkmk-add-auth"></a> When should an additional method of authentication be considered?
New hardware that meets [Windows Hardware Compatibility Program](https://docs.microsoft.com/windows-hardware/design/compatibility/) requirements make a PIN less critical as a mitigation, and having a TPM-only protector is likely sufficient when combined with policies like device lockout. For example, Surface Pro and Surface Book do not have external DMA ports to attack.
For older hardware, where a PIN may be needed, its recommended to enable [enhanced PINs](bitlocker-group-policy-settings.md#bkmk-unlockpol2) that allow non-numeric characters such as letters and punctuation marks, and to set the PIN length based on your risk tolerance and the hardware anti-hammering capabilities available to the TPMs in your computers.
### <a href="" id="bkmk-recoveryinfo"></a>If I lose my recovery information, will the BitLocker-protected data be unrecoverable?
BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive.
@ -395,6 +401,11 @@ Yes. However, shadow copies made prior to enabling BitLocker will be automatical
BitLocker is not supported on bootable VHDs, but BitLocker is supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2.
### <a href="" id="bkmk-VM"></a> Can I use BitLocker with virtual machines (VMs)?
Yes. Password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Azure AD-joined, or workplace-joined (in **Settings** under **Accounts** > **Access work or school** > **Connect to work or school** to receive policy. You can enable encryption either while creating the VM or by using other existing management tools such as the BitLocker CSP, or even by using a startup script or logon script delivered by Group Policy. Windows Server 2016 also supports [Shielded VMs and guarded fabric](https://docs.microsoft.com/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node) to protect VMs from malicious administrators.
## More information
- [Prepare your organization for BitLocker: Planning and Policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)

185
windows/device-security/bitlocker/bitlocker-management-for-enterprises.md Normal file
View File

@ -0,0 +1,185 @@
---
title: BitLocker Management Recommendations for Enterprises (Windows 10)
description: This topic explains recommendations for managing BitLocker.
ms.assetid: 40526fcc-3e0d-4d75-90e0-c7d0615f33b2
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
localizationpriority: high
author: brianlic-msft
---
# BitLocker Management Recommendations for Enterprises
This topic explains recommendations for managing BitLocker, both on-premises using older hardware and cloud-based management of modern devices.
## Forward-looking recommendations for managing BitLocker
The ideal for modern BitLocker management is to eliminate the need for IT admins to set management policies using tools or other mechanisms by having Windows perform tasks that it is more practical to automate. This vision leverages modern hardware developments. The growth of TPM 2.0, Secure Boot, and other hardware improvements, for example, has helped to alleviate the support burden on the helpdesk, and we are seeing a consequent decrease in support call volumes, yielding improved user satisfaction.
Therefore, we recommend that you upgrade your hardware so that your devices comply with InstantGo or [Hardware Security Test Interface (HSTI)](https://msdn.microsoft.com/library/windows/hardware/mt712332.aspx) specifications to take advantage of their automated features, for example, when using Azure Active Directory (Azure AD).
Though much Windows BitLocker [documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently-asked questions, and also provides BitLocker recommendations for:
- [Domain-joined computers](#dom_join)
- [Devices joined to Azure Active Directory (Azure AD)](#azure_ad)
- [Workplace-joined PCs and Phones](#work_join)
- [Servers](#servers)
- [Scripts](#powershell)
<br />
## BitLocker management at a glance
| | PC Old Hardware | PC New* Hardware |[Servers](#servers)/[VMs](#VMs) | Phone
|---|---|----|---|---|
|On-premises Domain-joined |[MBAM](#MBAM25)| [MBAM](#MBAM25) | [Scripts](#powershell) |N/A|
|Cloud-managed|[MDM](#MDM) |Auto-encryption|[Scripts](#powershell)|[MDM](#MDM)/EAS|
<br />
*PC hardware that supports InstantGo or HSTI
<br />
<br />
<a id="dom_join"></a>
## Recommendations for domain-joined computers
Windows continues to be the focus for new features and improvements for built-in encryption management, for example, automatically enabling encryption on devices that support InstantGo beginning with Windows 8.1. For more information, see [Overview of BitLocker and device encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md#device-encryption).
Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 (SCCM) or later can use an existing task sequence to [pre-provision BitLocker](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use SCCM to pre-set any desired [BitLocker Group Policy](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx).
For older client computers with BitLocker that are domain joined on-premises, Microsoft BitLocker Administration and Management<sup>[1]</sup> (MBAM) remains the best way to manage BitLocker. MBAM continues to be maintained and receives security patches. Using MBAM provides the following functionality:
- Encrypts device with BitLocker using MBAM
- Stores BitLocker Recovery keys in MBAM Server
- Provides Recovery key access to end-user, helpdesk and advanced helpdesk
- Provides Reporting on Compliance and Recovery key access audit
<a id="MBAM25"></a>
<sup>[1]</sup>The latest MBAM version is [MBAM 2.5](https://technet.microsoft.com/windows/hh826072.aspx) with Service Pack 1 (SP1).
<br />
<a id="azure_ad"></a>
## Recommendations for devices joined to Azure Active Directory
<a id="MDM"></a>
Devices joined to Azure Active Directory (Azure AD) are managed using Mobile Device Management (MDM) policy such as [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). Device encryption status can be queried from managed machines via the [Policy Configuration Settings Provider](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) (CSP), which reports on whether BitLocker device encryption is enabled on the device. Compliance with device encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online.
Starting with Windows 10 version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) or the [Bitlocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 Business or Enterprise editions and on Windows Phones.
For hardware that is compliant with InstantGo and HSTI, when using either of these features, device encryption is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if required. For older devices that are not yet encrypted, beginning with Windows 10 version 1703 (the Windows 10 Creators Update), admins can use the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) to trigger encryption and store the recovery key in Azure AD.
<a id="work_join"></a>
## Workplace-joined PCs and phones
For Windows PCs and Windows Phones that enroll using **Connect to work or school account**, BitLocker device encryption is managed over MDM, and similarly for Azure AD domain join.
<a id="servers"></a>
## Recommendations for servers
Servers are often installed, configured, and deployed using PowerShell, so the recommendation is to also use [PowerShell to enable BitLocker on a server](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#a-href-idbkmk-blcmdletsabitlocker-cmdlets-for-windows-powershell), ideally as part of the initial setup. BitLocker is an Optional Component (OC) in Windows Server, so follow the directions in [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md) to add the BitLocker OC.
The Minimal Server Interface is a prerequisite for some of the BitLocker administration tools. On a [Server Core](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-core) installation, you must add the necessary GUI components first. The steps to add shell components to Server Core are described in [Using Features on Demand with Updated Systems and Patched Images](https://blogs.technet.microsoft.com/server_core/2012/11/05/using-features-on-demand-with-updated-systems-and-patched-images/) and [How to update local source media to add roles and features](https://blogs.technet.microsoft.com/joscon/2012/11/14/how-to-update-local-source-media-to-add-roles-and-features/).
If you are installing a server manually, such as a stand-alone server, then choosing [Server with Desktop Experience](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-with-desktop-experience) is the easiest path because you can avoid performing the steps to add a GUI to Server Core.
Additionally, lights out data centers can take advantage of the enhanced security of a second factor while avoiding the need for user intervention during reboots by optionally using a combination of BitLocker (TPM+PIN) and BitLocker Network Unlock. BitLocker Network Unlock brings together the best of hardware protection, location dependence, and automatic unlock, while in the trusted location. For the configuration steps, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).
For more information, see the Bitlocker FAQs article and other useful links in [Related Articles](#articles).
<a id ="powershell"></a>
## PowerShell examples
For Azure AD-joined computers, including virtual machines, the recovery password should be stored in Azure Active Directory.
*Example: Use PowerShell to add a recovery password and back it up to Azure AD before enabling BitLocker*
```
PS C:\>Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
PS C:\>$BLV = Get-BitLockerVolume -MountPoint "C:”
PS C:\>BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId
```
For domain-joined computers, including servers, the recovery password should be stored in Active Directory Domain Services (AD DS).
*Example: Use PowerShell to add a recovery password and back it up to AD DS before enabling BitLocker*
```
PS C:\>Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
PS C:\>$BLV = Get-BitLockerVolume -MountPoint "C:”
PS C:\>Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId
```
Subsequently, you can use PowerShell to enable BitLocker.
*Example: Use PowerShell to enable BitLocker with a TPM protector*
```
PS C:\>Enable-BitLocker -MountPoint "D:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector
```
*Example: Use PowerShell to enable BitLocker with a TPM+PIN protector, in this case with a PIN set to 123456*
```
PS C:\>$SecureString = ConvertTo-SecureString "123456" -AsPlainText -Force
PS C:\> Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector
```
<a id = "articles"></a>
## Related Articles
[Bitlocker: FAQs](bitlocker-frequently-asked-questions.md)
[Microsoft BitLocker Administration and Management (MBAM)](https://technet.microsoft.com/windows/hh826072.aspx)
[Overview of BitLocker and automatic encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md#device-encryption)
[System Center 2012 Configuration Manager SP1](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) *(Pre-provision BitLocker task sequence)*
[Enable BitLocker task sequence](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker)
[BitLocker Group Policy Reference](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx)
[Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune)
*(Overview)*
[Configuration Settings Providers](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider)
*(Policy CSP: See [Security-RequireDeviceEncryption](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-security#security-policies))*
[BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp)
<br />
**Windows Server setup tools**
[Windows Server Installation Options](https://technet.microsoft.com/library/hh831786(v=ws.11).aspx)
[How to update local source media to add roles and features](https://blogs.technet.microsoft.com/joscon/2012/11/14/how-to-update-local-source-media-to-add-roles-and-features/)
[How to add or remove optional components on Server Core](https://blogs.technet.microsoft.com/server_core/2012/11/05/using-features-on-demand-with-updated-systems-and-patched-images/) *(Features on Demand)*
[BitLocker: How to deploy on Windows Server 2012 and newer](bitlocker-how-to-deploy-on-windows-server.md)
[BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
[Shielded VMs and Guarded Fabric](https://blogs.technet.microsoft.com/windowsserver/2016/05/10/a-closer-look-at-shielded-vms-in-windows-server-2016/)
<br />
<a id="powershell"></a>
**Powershell**
[BitLocker cmdlets for Windows PowerShell](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#a-href-idbkmk-blcmdletsabitlocker-cmdlets-for-windows-powershell)
[Surface Pro Specifications](https://www.microsoft.com/surface/support/surface-pro-specs)

7
windows/device-security/change-history-for-device-security.md
View File

@ -11,6 +11,13 @@ author: brianlic-msft
# Change history for device security
This topic lists new and updated topics in the [Device security](index.md) documentation.
## August 2017
|New or changed topic |Description |
|---------------------|------------|
| [BitLocker: Management recommendations for enterprises](bitlocker/bitlocker-management-for-enterprises.md) | New BitLocker security topic. |
## July 2017
|New or changed topic |Description |
|---------------------|------------|