diff --git a/education/windows/images/setup-options.png b/education/windows/images/setup-options.png index d0330a2289..07d29576a0 100644 Binary files a/education/windows/images/setup-options.png and b/education/windows/images/setup-options.png differ diff --git a/education/windows/set-up-windows-10.md b/education/windows/set-up-windows-10.md index e6fa36b229..e1f6e4258c 100644 --- a/education/windows/set-up-windows-10.md +++ b/education/windows/set-up-windows-10.md @@ -1,5 +1,5 @@ --- -title: Setup options for Windows 10 +title: Provisioning options for Windows 10 description: Decide which option for setting up Windows 10 is right for you. keywords: shared cart, shared PC, school ms.prod: w10 @@ -9,17 +9,12 @@ ms.pagetype: edu author: jdeckerMS --- -# Setup options for Windows 10 +# Provisioning options for Windows 10 **Applies to:** - Windows 10 -MSA is only intended for consumer services. Schools may want to consider using MDM or group policy to block students from adding MSA as a secondary account - - -Reminder to schools that they should consider ratings when picking apps from the store. Enterprises and educational institutions should use enterprise versions where possible, such as Skype for Business, OneDrive for Business, etc. - - +You have two tools to choose from to set up PCs for your classroom: **Set up School PCs** app and the **Provision school devices** option in Windows Imaging and Configuratio Designer (ICD). Choose the tool that is appropriate for how your students will sign in (Active Directory, Azure Active Directory, or no account). The following diagram compares the tools. ![Which tool to use to set up Windows 10](images/setup-options.png) diff --git a/windows/deploy/change-history-for-deploy-windows-10.md b/windows/deploy/change-history-for-deploy-windows-10.md index c37b1cbdcb..b24a8b5382 100644 --- a/windows/deploy/change-history-for-deploy-windows-10.md +++ b/windows/deploy/change-history-for-deploy-windows-10.md @@ -15,6 +15,7 @@ This topic lists new and updated topics in the [Deploy Windows 10](index.md) doc The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added: +- [Provisioning packages for Windows 10](provisioning-packages.md) - [Provision PCs with apps and certificates for initial deployment](provision-pcs-with-apps-and-certificates.md) - [Provision PCs with common settings for initial deployment](provision-pcs-for-initial-deployment.md) diff --git a/windows/deploy/provision-pcs-for-initial-deployment.md b/windows/deploy/provision-pcs-for-initial-deployment.md index 28dd14ea9e..9183f2f9cd 100644 --- a/windows/deploy/provision-pcs-for-initial-deployment.md +++ b/windows/deploy/provision-pcs-for-initial-deployment.md @@ -29,7 +29,7 @@ You can apply a provisioning package on a USB drive to off-the-shelf devices dur - Simple to apply. -[Learn more about the benefits and uses of provisioning packages.](../whats-new/new-provisioning-packages.md) +[Learn more about the benefits and uses of provisioning packages.](provisioning-packages.md) ## What does simple provisioning do? diff --git a/windows/deploy/provision-pcs-with-apps-and-certificates.md b/windows/deploy/provision-pcs-with-apps-and-certificates.md index 69a4bb263f..370a52069a 100644 --- a/windows/deploy/provision-pcs-with-apps-and-certificates.md +++ b/windows/deploy/provision-pcs-with-apps-and-certificates.md @@ -29,7 +29,7 @@ You can apply a provisioning package on a USB drive to off-the-shelf devices dur - Simple to apply. -[Learn more about the benefits and uses of provisioning packages.](../whats-new/new-provisioning-packages.md) +[Learn more about the benefits and uses of provisioning packages.](provisioning-packages.md) ## Create the provisioning package diff --git a/windows/deploy/provisioning-packages.md b/windows/deploy/provisioning-packages.md index 553f2ba08b..39db1e184b 100644 --- a/windows/deploy/provisioning-packages.md +++ b/windows/deploy/provisioning-packages.md @@ -33,11 +33,11 @@ Windows ICD in Windows 10, Version 1607, supports the following scenarios for IT * **Simple provisioning** – Enables IT administrators to define a desired configuration in Windows ICD and then apply that configuration on target devices. The simple provisioning wizard makes the entire process quick and easy by guiding an IT administrator through common configuration settings in a step-by-step manner. - > [Learn how to use simple provisioning to configure Windows 10 computers.](../deploy/provision-pcs-for-initial-deployment.md) + > [Learn how to use simple provisioning to configure Windows 10 computers.](provision-pcs-for-initial-deployment.md) * **Advanced provisioning (deployment of classic (Win32) and Universal Windows Platform (UWP) apps, and certificates)** – Allows an IT administrator to use Windows ICD to open provisioning packages in the advanced settings editor and include apps for deployment on end-user devices. - > [Learn how to use advanced provisioning to configure Windows 10 computers with apps and certificates.](../deploy/provision-pcs-with-apps-and-certificates.md) + > [Learn how to use advanced provisioning to configure Windows 10 computers with apps and certificates.](provision-pcs-with-apps-and-certificates.md) * **Mobile device enrollment into management** - Enables IT administrators to purchase off-the-shelf retail Windows 10 Mobile devices and enroll them into mobile device management (MDM) before handing them to end-users in the organization. IT administrators can use Windows ICD to specify the management end-point and apply the configuration on target devices by connecting them to a Windows PC (tethered deployment) or through an SD card. Supported management end-points include: @@ -93,11 +93,11 @@ For details about the settings you can customize in provisioning packages, see [ ## Creating a provisioning package -With Windows 10, you can use the Windows Imaging and Configuration Designer (ICD) tool to create provisioning packages. To install Windows ICD and create provisioning packages, you must install the Windows Assessment and Deployment Kit (ADK) for Windows 10 [from the Windows Insider Program site](http://go.microsoft.com/fwlink/p/?linkid=533700). +With Windows 10, you can use the Windows Imaging and Configuration Designer (ICD) tool to create provisioning packages. To install Windows ICD and create provisioning packages, you must [install the Windows Assessment and Deployment Kit (ADK) for Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=526740). While running ADKsetup.exe for Windows 10, version 1607, select the following feature from the **Select the features you want to install** dialog box: -- Windows Imaging and Configuration Designer (ICD) +- Configuration Designer > **Note:** In previous versions of the Windows 10 ADK, you had to install additional features for Windows ICD to run. Starting in version 1607, you can install Windows ICD without other ADK features. @@ -115,10 +115,11 @@ Provisioning packages can be applied both during image deployment and during run ## Related topics +- [Provision PCs with common settings for initial deployment](provision-pcs-for-initial-deployment.md) +- [LProvision PCs with apps and certificates for initial deployments](provision-pcs-with-apps-and-certificates.md) - -[Configure devices without MDM](../manage/configure-devices-without-mdm.md) +- [Configure devices without MDM](../manage/configure-devices-without-mdm.md)   diff --git a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md index 0e753d5573..d5eb1a60e3 100644 --- a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md +++ b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md @@ -2,7 +2,7 @@ title: Manage identity verification using Windows Hello for Business (Windows 10) description: In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E -keywords: identity, PIN, biometric, Hello +keywords: identity, PIN, biometric, Hello, passport ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -44,7 +44,7 @@ As an administrator in an enterprise or educational organization, you can create - Windows Hello for Business, which is configured by Group Policy or MDM policy, uses key-based or certificate-based authentication. -## Benefits of Microsoft Passport +## Benefits of Windows Hello Reports of identity theft and large-scale hacking are frequent headlines. Nobody wants to be notified that their user name and password have been exposed. @@ -52,7 +52,7 @@ You may wonder [how a PIN can help protect a device better than a password](why- In Windows 10, Hello replaces passwords. The Hello provisioning process creates two cryptographic keys bound to the Trusted Platform Module (TPM), if a device has a TPM, or in software. Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. The two-step verification that takes place during Hello enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. When a user enters the gesture on the device, the identify provider knows from the combination of Hello keys and gesture that this is a verified identity and provides an authentication token that allows Windows 10 to access resources and services. In addition, during the registration process, the attestation claim is produced for every identity provider to cryptographically prove that the Hello keys are tied to TPM. During registration, when the attestation claim is not presented to the identity provider, the identity provider must assume that the Hello key is created in software. -![how authentication works in microsoft passport](images/authflow.png) +![how authentication works in windows hello](images/authflow.png) Imagine that someone is looking over your shoulder as you get money from an ATM and sees the PIN that you enter. Having that PIN won't help them access your account because they don't have your ATM card. In the same way, learning your PIN for your device doesn't allow that attacker to access your account because the PIN is local to your specific device and doesn't enable any type of authentication from any other device. Hello helps protect user identities and user credentials. Because no passwords are used, it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Hello credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are generated within isolated environments of TPMs. @@ -70,7 +70,7 @@ Hello also enables Windows 10 Mobile devices to be used as [a remote credential - Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (Windows Hello). The Hello gesture does not roam between devices and is not shared with the server; it is stored locally on a device. - Private key never leaves a device. The authenticating server has a public key that is mapped to the user account during the registration process. - PIN entry and biometric gesture both trigger Windows 10 to verify the user's identity and authenticate using Hello keys or certificates. -- *Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy.* +- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy. - Certificates are added to the Hello container and are protected by the Hello gesture. - Windows Update behavior: After a reboot is required by Windows Update, the last interactive user is automatically signed on without any user gesture and the session is locked so the user's lock screen apps can run. diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md index 8ef5a5d376..2605d0c837 100644 --- a/windows/manage/change-history-for-manage-and-update-windows-10.md +++ b/windows/manage/change-history-for-manage-and-update-windows-10.md @@ -20,6 +20,7 @@ The topics in this library have been updated for Windows 10, version 1607 (also - [Diagnostics for devices managed by MDM](diagnostics-for-mdm-devices.md) - [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) - [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) +- [Guidelines for choosing an app for assigned access (kisok mode)](guidelines-for-assigned-access-app.md) ## June 2016 diff --git a/windows/manage/group-policies-for-enterprise-and-education-editions.md b/windows/manage/group-policies-for-enterprise-and-education-editions.md index e0b0cb5a4e..748d4c7b86 100644 --- a/windows/manage/group-policies-for-enterprise-and-education-editions.md +++ b/windows/manage/group-policies-for-enterprise-and-education-editions.md @@ -21,7 +21,7 @@ In Windows 10, version 1607, the following Group Policies apply only to Windows | **Turn off all Windows Spotlight features** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-spotlight) | | **Turn off Microsoft consumer features** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-spotlight) | | **Do not display the lock screen** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-spotlight) | -| **Do not require CTRL+ALT+DEL**
combined with
**Turn off app notifications on the lock screen** | Computer Configuration > Administrative Templates > System > Logon
and
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Interactive logon | When both of these policy settings are enabled, the combination will also disable lock screen apps ([assigned access](set-up-a-device-for-anyone-to-use.md)) on Windows 10 Enterprise and Windows 10 Education only. These policy settings can be applied to Windows 10 Pro, but lock screen apps will not be disabled on Windows 10 Pro. | +| **Do not require CTRL+ALT+DEL**
combined with
**Turn off app notifications on the lock screen** | Computer Configuration > Administrative Templates > System > Logon
and
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Interactive logon | When both of these policy settings are enabled, the combination will also disable lock screen apps ([assigned access](set-up-a-device-for-anyone-to-use.md)) on Windows 10 Enterprise and Windows 10 Education only. These policy settings can be applied to Windows 10 Pro, but lock screen apps will not be disabled on Windows 10 Pro.

**Important:** The description for **Interactive logon: Do not require CTRL+ALT+DEL** in the Group Policy Editor incorrectly states that it only applies to Windows 10 Enterprise and Education. The description will be corrected in a future release.| | **Do not show Windows Tips** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-spotlight) | | **Force a specific default lock screen image** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-spotlight) | | **Start layout** | User Configuration\Administrative Templates\Start Menu and Taskbar | For more info, see [Manage Windows 10 Start layout options and policies](windows-10-start-layout-options-and-policies.md) | diff --git a/windows/manage/how-it-pros-can-use-configuration-service-providers.md b/windows/manage/how-it-pros-can-use-configuration-service-providers.md index 1678cfa34b..e6ec60d6cd 100644 --- a/windows/manage/how-it-pros-can-use-configuration-service-providers.md +++ b/windows/manage/how-it-pros-can-use-configuration-service-providers.md @@ -23,7 +23,7 @@ The CSPs are documented on the [Hardware Dev Center](http://go.microsoft.com/fwl **Note**   The explanation of CSPs and CSP documentation also apply to Windows Mobile 5, Windows Mobile 6, Windows Phone 7, and Windows Phone 8, but links to current CSPs are for Windows 10 and Windows 10 Mobile. -  + [See what's new for CSPs in Windows 10, version 1607.](https://msdn.microsoft.com/en-us/library/windows/hardware/mt299056(v=vs.85).aspx#whatsnew_1607) ## What is a CSP? diff --git a/windows/manage/lockdown-features-windows-10.md b/windows/manage/lockdown-features-windows-10.md index 0acfd3723a..b0d0851d25 100644 --- a/windows/manage/lockdown-features-windows-10.md +++ b/windows/manage/lockdown-features-windows-10.md @@ -39,7 +39,7 @@ Many of the lockdown features available in Windows Embedded 8.1 Industry have be

[Unified Write Filter](http://go.microsoft.com/fwlink/p/?LinkId=626757): protect a device's physical storage media

-[Unified Writer Filter](http://go.microsoft.com/fwlink/p/?LinkId=626607) +[Unified Write Filter](http://go.microsoft.com/fwlink/p/?LinkId=626607)

The Unified Write Filter is continued in Windows 10, with the exception of HORM which has been deprecated.

diff --git a/windows/manage/manage-corporate-devices.md b/windows/manage/manage-corporate-devices.md index e378197805..9025888ea6 100644 --- a/windows/manage/manage-corporate-devices.md +++ b/windows/manage/manage-corporate-devices.md @@ -48,7 +48,7 @@ Desktop devices running Windows 10 that are joined to an Active Directory domai -

[Microsoft System Center Configuration Manager Technical Preview](http://go.microsoft.com/fwlink/p/?LinkId=613622)

+

[Microsoft System Center Configuration Manager 2016](http://go.microsoft.com/fwlink/p/?LinkId=613622)

Client deployment, upgrade, and management with new and existing features

diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md index 503f5e9190..77726d67f8 100644 --- a/windows/whats-new/index.md +++ b/windows/whats-new/index.md @@ -16,17 +16,16 @@ Learn about new features in Windows 10 for IT professionals, such as Enterprise - [What's new in Windows 10, version 1607](whats-new-windows-10-version-1607.md) - [What's new in Windows 10, version 1511](whats-new-windows-10-version-1511.md) -- [Documentation for Windows 10 Insider Preview](windows-10-insider-preview.md) +   ## Learn more - -[Windows 10 content from Microsoft Ignite](http://go.microsoft.com/fwlink/p/?LinkId=613210) - -[Compare Windows 10 Editions](http://go.microsoft.com/fwlink/p/?LinkId=690485) +- [Windows 10 update history](https://support.microsoft.com/en-us/help/12387/windows-10-update-history) +- [Windows 10 content from Microsoft Ignite](http://go.microsoft.com/fwlink/p/?LinkId=613210) +- [Compare Windows 10 Editions](http://go.microsoft.com/fwlink/p/?LinkId=690485) ## Related topics diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md index 4ff3d2b9a8..f769d8bf55 100644 --- a/windows/whats-new/whats-new-windows-10-version-1607.md +++ b/windows/whats-new/whats-new-windows-10-version-1607.md @@ -25,17 +25,27 @@ Windows ICD now includes simplified workflows for creating provisioning packages - [Advanced provisioning to deploy certificates and apps](~/deploy/provision-pcs-with-apps-and-certificates.md) - [School provisioning to set up classroom devices for Active Directory](https://technet.microsoft.com/en-us/edu/windows/set-up-students-pcs-to-join-domain) +[Learn more about using provisioning packages in Windows 10.](../deploy/provisioning-packages.md) + ## Security ### Windows Hello for Business -When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the [Windows Hello](~/keep-secure/manage-identity-verification-using-microsoft-passport.md) name in Windows 10, version 1607. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. +When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in Windows 10, version 1607. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. + +Additional changes for Windows Hello in Windows 10, version 1607: + +- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. +- Group Policy for managing Windows Hello for Business are now available for both **User Configuration** and **Computer Configuration**. +- Users can use Windows Phone with Windows Hello to sign in to a PC, connect to VPN, and sign in to Office 365 in a browser. + +[Learn more about Windows Hello for Business.](../keep-secure/manage-identity-verification-using-microsoft-passport.md)   ## Management ### Taskbar configuration -Enterprise administrators can add and remove pinned apps from the taskbar. Users can pin apps, unpin apps, and change the order of pinned apps on the taskbar after the enterprise configuration is applied. +Enterprise administrators can add and remove pinned apps from the taskbar. Users can pin apps, unpin apps, and change the order of pinned apps on the taskbar after the enterprise configuration is applied. [Learn how to configure the taskbar.](../manage/windows-10-start-layout-options-and-policies.md) ### Mobile device management and configuration service providers (CSPs)