*Microsoft.OneNoteWebClipper8wekyb3d8bbwe;Microsoft.OfficeOnline8wekyb3d8bbwe*
After defining the list of extensions, you deploy them through any available enterprise deployment channel, such as Microsoft Intune.
Removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the [Allow Developer Tools](../group-policies/developer-settings-gp.md#allow-developer-tools) policy, then this policy does not prevent users from debugging and altering the logic on an extension. | - ---- - - - -### ADMX info and settings -#### ADMX info -- **GP English name:** Prevent turning off required extensions -- **GP name:** PreventTurningOffRequiredExtensions -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** [Experience/PreventTurningOffRequiredExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventturningoffrequiredextensions) -- **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventTurningOffRequiredExtensions -- **Data type:** String - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Extensions -- **Value name:** PreventTurningOffRequiredExtensions -- **Value type:** REG_SZ - -### Related policies -[Allow Developer Tools](../available-policies.md#allow-developer-tools): [!INCLUDE [allow-developer-tools-shortdesc](../shortdesc/allow-developer-tools-shortdesc.md)] - - -### Related topics - -- [Find a package family name (PFN) for per-app VPN](https://docs.microsoft.com/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn): There are two ways to find a PFN so that you can configure a per-app VPN. -- [How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune](https://docs.microsoft.com/intune/windows-store-for-business): The Microsoft Store for Business gives you a place to find and purchase apps for your organization, individually, or in volume. By connecting the store to Microsoft Intune, you can manage volume-purchased apps from the Azure portal. -- [How to assign apps to groups with Microsoft Intune](https://docs.microsoft.com/intune/apps-deploy): Apps can be assigned to devices whether or not Intune manages them. -- [Manage apps from the Microsoft Store for Business with System Center Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business): Configuration Manager supports managing Microsoft Store for Business apps on both Windows 10 devices with the Configuration Manager client, and also Windows 10 devices enrolled with Microsoft Intune. -- [How to add Windows line-of-business (LOB) apps to Microsoft Intune](https://docs.microsoft.com/intune/lob-apps-windows): A line-of-business (LOB) app is one that you add from an app installation file. Typically, these types of apps are written in-house. - -
*Microsoft.OneNoteWebClipper8wekyb3d8bbwe;Microsoft.OfficeOnline8wekyb3d8bbwe*
After defining the list of extensions, you deploy them through any available enterprise deployment channel, such as Microsoft Intune.
Removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the [Allow Developer Tools](../group-policies/developer-settings-gp.md#allow-developer-tools) policy, then this policy does not prevent users from debugging and altering the logic on an extension. | + +--- + + + +### ADMX info and settings +#### ADMX info +- **GP English name:** Prevent turning off required extensions +- **GP name:** PreventTurningOffRequiredExtensions +- **GP path:** Windows Components/Microsoft Edge +- **GP ADMX file name:** MicrosoftEdge.admx + +#### MDM settings +- **MDM name:** [Experience/PreventTurningOffRequiredExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventturningoffrequiredextensions) +- **Supported devices:** Desktop +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventTurningOffRequiredExtensions +- **Data type:** String + +#### Registry settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Extensions +- **Value name:** PreventTurningOffRequiredExtensions +- **Value type:** REG_SZ + +### Related policies +[Allow Developer Tools](../available-policies.md#allow-developer-tools): [!INCLUDE [allow-developer-tools-shortdesc](../shortdesc/allow-developer-tools-shortdesc.md)] + + +### Related topics + +- [Find a package family name (PFN) for per-app VPN](https://docs.microsoft.com/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn): There are two ways to find a PFN so that you can configure a per-app VPN. +- [How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune](https://docs.microsoft.com/intune/windows-store-for-business): The Microsoft Store for Business gives you a place to find and purchase apps for your organization, individually, or in volume. By connecting the store to Microsoft Intune, you can manage volume-purchased apps from the Azure portal. +- [How to assign apps to groups with Microsoft Intune](https://docs.microsoft.com/intune/apps-deploy): Apps can be assigned to devices whether or not Intune manages them. +- [Manage apps from the Microsoft Store for Business with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business): Configuration Manager supports managing Microsoft Store for Business apps on both Windows 10 devices with the Configuration Manager client, and also Windows 10 devices enrolled with Microsoft Intune. +- [How to add Windows line-of-business (LOB) apps to Microsoft Intune](https://docs.microsoft.com/intune/lob-apps-windows): A line-of-business (LOB) app is one that you add from an app installation file. Typically, these types of apps are written in-house. + +
If you enable this policy setting, users won’t be able to start the **Report Site Problems** dialog box from the Internet Explorer settings or the Tools menu.
If you disable or don’t configure this policy setting, users will be able to start the **Report Site Problems** dialog box from the **Internet Explorer** settings area or from the **Tools** menu. | | Turn off the flip ahead with page prediction feature | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | At least Internet Explorer 10 on Windows 8 | This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website.
If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn’t loaded into the background.
If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background.
If you don’t configure this setting, users can turn this behavior on or off, using the **Settings** charm.
**Note**
Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn’t available for Internet Explorer for the desktop. |
| Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | IE11 on Windows 10 | This policy setting determines whether IE11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows.
If you enable this policy setting, IE11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.
If you disable this policy setting, IE11 will use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.
If you don't configure this policy setting, users can turn this feature on or off using IE settings. This feature is turned off by default.
**Important**
When using 64-bit processes, some ActiveX controls and toolbars might not be available. |
-| Turn on Site Discovery WMI output | Administrative Templates\Windows Components\Internet Explorer | At least Internet Explorer 8 | This policy setting allows you to manage the WMI output functionality of the Internet Explorer Site Discovery Toolkit.
If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an WMI class, which can be aggregated by using a client-management solution, such as System Center Configuration Manager.
If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an WMI class.
**Note:**
Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. |
+| Turn on Site Discovery WMI output | Administrative Templates\Windows Components\Internet Explorer | At least Internet Explorer 8 | This policy setting allows you to manage the WMI output functionality of the Internet Explorer Site Discovery Toolkit.
If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an WMI class, which can be aggregated by using a client-management solution, such as Microsoft Endpoint Configuration Manager.
If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an WMI class.
**Note:**
Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. |
| Turn on Site Discovery XML output | Administrative Templates\Windows Components\Internet Explorer | At least Internet Explorer 8 | This policy setting allows you to manage the XML output functionality of the Internet Explorer Site Discovery Toolkit.
If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an XML file, stored in your specified location.
If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an XML file.
**Note:**
Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. |
| Use the Enterprise Mode IE website list | Administrative Templates\Windows Components\Internet Explorer | IE11 on Windows 10, version 1511 | This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode, instead of Standard mode, because of compatibility issues. Users can’t edit this list.
If you enable this policy setting, Internet Explorer downloads the Enterprise Mode website list from the `HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE`\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode hive, opening all included websites using Enterprise Mode. We recommend storing and downloading your list from a secure web server `(https://)`, to help protect against data tampering.
If you disable or don’t configure this policy setting, Internet Explorer opens all websites using **Standard** mode. | diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md index d9ff00d3a8..d1c0ab596f 100644 --- a/devices/hololens/TOC.md +++ b/devices/hololens/TOC.md @@ -16,9 +16,11 @@ ## [Install localized version of HoloLens (1st gen)](hololens1-install-localized.md) ## [Getting around HoloLens (1st gen)](hololens1-basic-usage.md) -# HoloLens in commercial environments -## [Commercial feature overview](hololens-commercial-features.md) +# Deploying HoloLens and Mixed Reality Apps in Commercial Environments ## [Deployment planning](hololens-requirements.md) +## [Commercial feature overview](hololens-commercial-features.md) +## [Lincense Requriements](hololens-licenses-requirements.md) +## [Commercial Infrastructure Guidance](hololens-commercial-infrastructure.md) ## [Unlock Windows Holographic for Business features](hololens1-upgrade-enterprise.md) ## [Configure HoloLens using a provisioning package](hololens-provisioning.md) ## [Enroll HoloLens in MDM](hololens-enroll-mdm.md) diff --git a/devices/hololens/hololens-commercial-infrastructure.md b/devices/hololens/hololens-commercial-infrastructure.md new file mode 100644 index 0000000000..ad23e185ee --- /dev/null +++ b/devices/hololens/hololens-commercial-infrastructure.md @@ -0,0 +1,113 @@ +--- +title: Infrastructure Guidelines for HoloLens +description: +ms.prod: hololens +ms.sitesec: library +author: pawinfie +ms.author: pawinfie +audience: ITPro +ms.topic: article +ms.localizationpriority: high +ms.date: 1/23/2020 +ms.reviewer: +manager: bradke +appliesto: +- HoloLens (1st gen) +- HoloLens 2 +--- + +# Configure Your Network + +This portion of the document will require the following people: +1. Network Admin with permissions to make changes to the proxy/firewall +2. Azure Active Directory Admin +3. Mobile Device Manager Admin +4. Teams admin for Remote Assist only + +## Infrastructure Requirements + +### HoloLens Specific Network Requirements +Make sure that these ports and URLs are allowed on your network firewall. This will enable HoloLens to function properly. The latest list can be found [here](hololens-offline.md). + +### Remote Assist Specific Network Requirements + +1. The recommended bandwidth for optimal performance of Remote Assist is 1.5Mbps. Detailed network requirements and additional information can be found [here](https://docs.microsoft.com/MicrosoftTeams/prepare-network). +**Please note, if you don’t network have network speeds of at least 1.5Mbps, Remote Assist will still work. However, quality may suffer.** +1. Make sure that these ports and URLs are allowed on your network firewall. This will enable Microsoft Teams to function. The latest list can be found [here](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges#skype-for-business-online-and-microsoft-teams). + +### Guides Specific Network Requirements +Guides only require network access to download and use the app. + +## Azure Active Directory Guidance +This step is only necessary if your company plans on managing the HoloLens and mixed reality apps. + +### 1. Ensure that you have an Azure AD License. +Please [HoloLens Licenses Requirements](hololens-licenses-requirements.md)for additional information. + +### 2. Ensure that your company’s users are in Azure Active Directory (Azure AD). +Instructions for adding users can be found [here](https://docs.microsoft.com/azure/active-directory/fundamentals/add-users-azure-active-directory). + +### 3. We suggest that users who will be need similar licenses are added to a group. +1. [Create a Group](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal) + +2. [Add users to groups](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-members-azure-portal) + +### 4. Ensure that your company’s users (or group of users) are assigned the necessary licenses. +Directions for assigning licenses can be found [here](https://docs.microsoft.com/azure/active-directory/fundamentals/license-users-groups). + +### 5. **IMPORTANT:** Only do this step if users are expected to enroll their HoloLens/Mobile device onto the network. +These steps ensure that your company’s users (or a group of users) can add devices. +1. Option 1: Give all users permission to join devices to Azure AD. +**Sign in to the Azure portal as an administrator** > **Azure Active Directory** > **Devices** > **Device Settings** > +**Set Users may join devices to Azure AD to *All*** + +1. Option 2: Give selected users/groups permission to join devices to Azure AD +**Sign in to the Azure portal as an administrator** > **Azure Active Directory** > **Devices** > **Device Settings** > +**Set Users may join devices to Azure AD to *Selected*** + + +1. Option 3: You can block all users from joining their devices to the domain. This means that all devices will need to be manually enrolled by your IT department. + +## Mobile Device Manager Admin Steps + +### Scenario 1: Kiosk Mode +As a note, auto-launching an app does not currently work for HoloLens. + +How to Set Up Kiosk Mode Using Microsoft Intune. +#### 1. Sync Microsoft Store to Intune ([Here](https://docs.microsoft.com/intune/apps/windows-store-for-business)) + +#### 2. Check your app settings + +1. Log into your Microsoft Store Business account +1. **Manage** > **Products and Services** > **Apps and Software** > **Select the app you want to sync** > **Private Store Availability** > **Select “Everyone” or “Specific Groups”** +1. If you do not see your apps in **Intune** > **Client Apps** > **Apps** , you may have to [sync your apps](https://docs.microsoft.com/intune/apps/windows-store-for-business#synchronize-apps) again. + +#### 3. Configuring Kiosk Mode using MDM + +Information on configuring Kiosk Mode in Intune can be found [here](https://docs.microsoft.com/hololens/hololens-kiosk#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803) + + >[!NOTE] + >You can configure different users to have different Kiosk Mode experiences by using “Azure AD” as the “User logon type”. However, this option is only available in Multi-App kiosk mode. Multi-App kiosk mode will work with only one app as well as multiple apps. + + + +If you are configuring Kiosk Mode on an MDM other than Intune, please check your MDM provider's documentation. + +## Additional Intune Quick Links + +1. [Create Profiles:](https://docs.microsoft.com/intune/configuration/device-profile-create) Profiles allow you to add and configure settings that will be pushed to the devices in your organization. + +1. [CSPs (Configuration Service Providers)](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices) allows you to create and deploy management settings for the devices on your network. Some CSPs are supported by HoloLens devices. (See the list of CSPs for HoloLens [here](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices). + +1. [Create Compliance Policy](https://docs.microsoft.com/intune/protect/create-compliance-policy) + +1. Conditional Access allows/denies mobile devices and mobile applications from accessing company resources. Two documents you may find helpful are [Plan your CA Deployment](https://docs.microsoft.com/azure/active-directory/conditional-access/plan-conditional-access) and [Best Practices](https://docs.microsoft.com/azure/active-directory/conditional-access/best-practices). + +## Certificates and Authentication +### MDM Certificate Distribution +If your company requires certificates, Intune supports PKCS, PFX, and SCEP. It is important to understand which certificate is right for your company. Please visit [here](https://docs.microsoft.com/intune/protect/certificates-configure) to determine which cert is best for you. If you plan to use certs for HoloLens Authentication, PFX or SCEP may be right for you. + +Steps for SCEP can be found [here](https://docs.microsoft.com/intune/protect/certificates-profile-scep). + +### Device Certificates +Certificates can also be added to the HoloLens through package provisioning. Please see [HoloLens Provisioning](hololens-provisioning.md) for additional information. diff --git a/devices/hololens/hololens-kiosk.md b/devices/hololens/hololens-kiosk.md index 1ca366ecf5..d0dbb126b7 100644 --- a/devices/hololens/hololens-kiosk.md +++ b/devices/hololens/hololens-kiosk.md @@ -20,7 +20,7 @@ In Windows 10, version 1803, you can configure your HoloLens devices to run as m When HoloLens is configured as a multi-app kiosk, only the allowed apps are available to the user. The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. -Single-app kiosk mode starts the specified app when the user signs in, and restricts the user's ability to launch new apps or change the running app. When single-app kiosk mode is enabled for HoloLens, the bloom gesture and Cortana are disabled, and placed apps aren't shown in the user's surroundings. +Single-app kiosk mode starts the specified app when the user signs in, and restricts the user's ability to launch new apps or change the running app. When single-app kiosk mode is enabled for HoloLens, the [start gestures](https://docs.microsoft.com/hololens/hololens2-basic-usage#start-gesture) (including [Bloom](https://docs.microsoft.com/hololens/hololens1-basic-usage) on HoloLens (1st Gen)) and Cortana are disabled, and placed apps aren't shown in the user's surroundings. The following table lists the device capabilities in the different kiosk modes. diff --git a/devices/hololens/hololens-licenses-requirements.md b/devices/hololens/hololens-licenses-requirements.md new file mode 100644 index 0000000000..6d33228879 --- /dev/null +++ b/devices/hololens/hololens-licenses-requirements.md @@ -0,0 +1,50 @@ +--- +title: Licenses for Mixed Reality Deployment +description: +ms.prod: hololens +ms.sitesec: library +author: pawinfie +ms.author: pawinfie +audience: ITPro +ms.topic: article +ms.localizationpriority: high +ms.date: 1/23/2020 +ms.reviewer: +manager: bradke +appliesto: +- HoloLens (1st gen) +- HoloLens 2 +--- + +# Licenses Required for Mixed Reality Deployment + +If you plan on using a Mobile Device Management system (MDM) to manage your HoloLens, please review the MDM License Guidance section. + +## Mobile Device Management (MDM) Licenses Guidance + +If you plan on using an MDM other than Intune, an [Azure Active Directory Licenses](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) is required. + +If you plan on using Intune as your MDM, you can acquire an [Enterprise Mobility + Security (EMS) suite (E3 or E5) licenses](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/compare-plans-and-pricing). **Please note that Azure AD is included in both suites.** + +## Identify the licenses needed for your scenario and products + +### Remote Assist License Requirements +Make sure you have the required licensing and device. Updated licensing and product requirements can be found [here](https://docs.microsoft.com/dynamics365/mixed-reality/remote-assist/requirements). + +1. [Remote Assist License](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) +1. [Teams Freemium/Teams](https://products.office.com/microsoft-teams/free) +1. [Azure Active Directory (Azure AD) License](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) + +### Guides License Requirements +Updated licensing and device requirements can be found [here](https://docs.microsoft.com/dynamics365/mixed-reality/guides/requirements). + +1. [Azure Active Directory (Azure AD) License](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) +1. [Power BI](https://powerbi.microsoft.com/desktop/) +1. [Guides](https://docs.microsoft.com/dynamics365/mixed-reality/guides/setup) + +### Scenario 1: Kiosk Mode +If you are not planning to use an MDM to manage your device and you are planning to use a local account or an MSA as the login identity, you will not need any additional licenses. Kiosk mode can be accomplished using a provisioning packages. + +1. If you are **not** planning to use an MDM to manage your device and you are planning to use a local account or an MSA as the login identity, you will not need any additional licenses. Kiosk mode can be accomplished using a provisioning packages. +1. If you are planning to use an MDM other than Intune, your MDM provider will have steps on configuring Kiosk mode. +1. If you are planning to use **Intune** as your MDM, implementation directions can be found in [Configuring your Network for HoloLens](). diff --git a/devices/hololens/hololens-offline.md b/devices/hololens/hololens-offline.md index 6ee4fb35c1..e3b11960b1 100644 --- a/devices/hololens/hololens-offline.md +++ b/devices/hololens/hololens-offline.md @@ -1,5 +1,5 @@ --- -title: Use HoloLens offline +title: Manage connection endpoints for HoloLens description: To set up HoloLens, you'll need to connect to a Wi-Fi network keywords: hololens, offline, OOBE audience: ITPro @@ -17,13 +17,13 @@ appliesto: - HoloLens 2 --- -# Use HoloLens offline +# Manage connection endpoints for HoloLens -HoloLens support a limited set of offline experiences for connectivity conscious customers and for customers who have environmental limits on connectivity. +Some HoloLens components, apps, and related services transfer data to Microsoft network endpoints. This article lists different endpoints and URLs that need to be whitelisted in your network configuratiion (e.g. proxy or firewall) for those components to be functional. ## Near-offline setup -HoloLens need a network connection to go through initial device set up. If your corporate network has network restrictions, the following URLs will need to be available: +HoloLens supports a limited set of offline experiences for customers who have network environment restrictions. However, HoloLens needs network connection to go through initial device set up and the following URLs have to be enabled: | Purpose | URL | |------|------| @@ -35,9 +35,125 @@ HoloLens need a network connection to go through initial device set up. If your | MSA | https://login.live.com/ppsecure/inlineconnect.srf?id=80600 | | MSA Pin | https://account.live.com/msangc?fl=enroll | -Additional references: +## Endpoint configuration + +In addition to the list above, to take full advantage of HoloLens functionality, the following endpoints need to be enabled in your network configuration. + + +| Purpose | URL | +|------|------| +| Azure | wd-prod-fe.cloudapp.azure.com | | | +| | ris-prod-atm.trafficmanager.net | | | | +| | validation-v2.sls.trafficmanager.net | | | | +| Azure AD Multi-Factor Authentication | https://secure.aadcdn.microsoftonline-p.com | | | | +| Intune and MDM Configurations | activation-v2.sls.microsoft.com/* | | | | +| | cdn.onenote.net | | | | +| | client.wns.windows.com | | | | +| | crl.microsoft.com/pki/crl/* | | | | +| | ctldl.windowsupdate.com | | | | +| | *displaycatalog.mp.microsoft.com | | | | +| | dm3p.wns.windows.com | | | | +| | *microsoft.com/pkiops/* | | | | +| | ocsp.digicert.com/* | | | | +| | r.manage.microsoft.com | | | | +| | tile-service.weather.microsoft.com | | | | +| | settings-win.data.microsoft.com | | | | +| Certificates | activation-v2.sls.microsoft.com/* | | | | +| | crl.microsoft.com/pki/crl/* | | | | +| | ocsp.digicert.com/* | | | | +| | https://www.microsoft.com/pkiops/* | | | | +| Cortana and Search | store-images.*microsoft.com | | | | +| | www.bing.com/client | | | | +| | www.bing.com | | | | +| | www.bing.com/proactive | | | | +| | www.bing.com/threshold/xls.aspx | | | | +| | exo-ring.msedge.net | | | | +| | fp.msedge.net | | | | +| | fp-vp.azureedge.net | | | | +| | odinvzc.azureedge.net | | | | +| | spo-ring.msedge.net | | | | +| Device Authentication | login.live.com* | | | | +| Device metadata | dmd.metaservices.microsoft.com | | | | +| Location | inference.location.live.net | | | | +| | location-inference-westus.cloudapp.net | | | | +| Diagnostic Data | v10.events.data.microsoft.com | | | | +| | v10.vortex-win.data.microsoft.com/collect/v1 | | | | +| | https://www.microsoft.com | | | | +| | co4.telecommand.telemetry.microsoft.com | | | | +| | cs11.wpc.v0cdn.net | | | | +| | cs1137.wpc.gammacdn.net | | | | +| | modern.watson.data.microsoft.com* | | | | +| | watson.telemetry.microsoft.com | | | | +| Licensing | licensing.mp.microsoft.com | | | | +| Microsoft Account | login.msa.akadns6.net | | | | +| | us.configsvc1.live.com.akadns.net | | | | +| Microsoft Edge | iecvlist.microsoft.com | | | | +| Microsoft forward link redirection service (FWLink) | go.microsoft.com | | | | +| Microsoft Store | *.wns.windows.com | | | | +| | storecatalogrevocation.storequality.microsoft.com | | | | +| | img-prod-cms-rt-microsoft-com* | | | | +| | store-images.microsoft.com | | | | +| | .md.mp.microsoft.com | | | +| | *displaycatalog.mp.microsoft.com | | | | +| | pti.store.microsoft.com | | | | +| | storeedgefd.dsx.mp.microsoft.com | | | | +| | markets.books.microsoft.com | | | | +| | share.microsoft.com | | | | +| Network Connection Status Indicator (NCSI) | www.msftconnecttest.com* | | | | +| Office | *.c-msedge.net | | | | +| | *.e-msedge.net | | | | +| | *.s-msedge.net | | | | +| | nexusrules.officeapps.live.com | | | | +| | ocos-office365-s2s.msedge.net | | | | +| | officeclient.microsoft.com | | | | +| | outlook.office365.com | | | | +| | client-office365-tas.msedge.net | | | | +| | https://www.office.com | | | | +| | onecollector.cloudapp.aria | | | | +| | v10.events.data.microsoft.com/onecollector/1.0/ | | | | +| | self.events.data.microsoft.com | | | | +| | to-do.microsoft.com | | | | +| OneDrive | g.live.com/1rewlive5skydrive/* | | | | +| | msagfx.live.com | | | | +| | oneclient.sfx.ms | | | | +| Photos App | evoke-windowsservices-tas.msedge.net | | | | +| Settings | cy2.settings.data.microsoft.com.akadns.net | | | | +| | settings.data.microsoft.com | | | | +| | settings-win.data.microsoft.com | | | | +| Windows Defender | wdcp.microsoft.com | | | | +| | definitionupdates.microsoft.com | | | | +| | go.microsoft.com | | | | +| | *smartscreen.microsoft.com | | | | +| | smartscreen-sn3p.smartscreen.microsoft.com | | | | +| | unitedstates.smartscreen-prod.microsoft.com | | | | +| Windows Spotlight | *.search.msn.com | | | | +| | arc.msn.com | | | | +| | g.msn.com* | | | | +| | query.prod.cms.rt.microsoft.com | | | | +| | ris.api.iris.microsoft.com | | | | +| Windows Update | *.prod.do.dsp.mp.microsoft.com | | | | +| | cs9.wac.phicdn.net | | | | +| | emdl.ws.microsoft.com | | | | +| | *.dl.delivery.mp.microsoft.com | | | | +| | *.windowsupdate.com | | | | +| | *.delivery.mp.microsoft.com | | | | +| | *.update.microsoft.com | | | | + + + +## References + +> [!NOTE] +> If you are deploying D365 Remote Assist, you will have to enable the endpoints on this [list](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges#skype-for-business-online-and-microsoft-teams) +- [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization) +- [Manage connection endpoints for Windows 10 Enterprise, version 1903](https://docs.microsoft.com/windows/privacy/manage-windows-1903-endpoints) +- [Manage connections from Windows 10 operating system components to Microsoft services](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services) +- [Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm) +- [Intune network configuration requirements and bandwidth](https://docs.microsoft.com/intune/fundamentals/network-bandwidth-use#network-communication-requirements) +- [Network endpoints for Microsoft Intune](https://docs.microsoft.com/intune/fundamentals/intune-endpoints) +- [Office 365 URLs and IP address ranges](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges) +- [Prerequisites for Azure AD Connect](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-install-prerequisites) -- [Technical reference for AAD related IP ranges and URLs](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges) ## HoloLens limitations diff --git a/devices/hololens/images/aad-kioskmode.PNG b/devices/hololens/images/aad-kioskmode.PNG new file mode 100644 index 0000000000..c058f25241 Binary files /dev/null and b/devices/hololens/images/aad-kioskmode.PNG differ diff --git a/devices/hololens/images/azure-ad-image.PNG b/devices/hololens/images/azure-ad-image.PNG new file mode 100644 index 0000000000..e0215265f6 Binary files /dev/null and b/devices/hololens/images/azure-ad-image.PNG differ diff --git a/devices/surface-hub/install-apps-on-surface-hub.md b/devices/surface-hub/install-apps-on-surface-hub.md index 20c6c45925..74505ca6ff 100644 --- a/devices/surface-hub/install-apps-on-surface-hub.md +++ b/devices/surface-hub/install-apps-on-surface-hub.md @@ -129,17 +129,16 @@ To deploy apps to a large number of Surface Hubs in your organization, use a sup | MDM provider | Supports offline-licensed app packages | |-----------------------------|----------------------------------------| -| On-premises MDM with System Center Configuration Manager (beginning in version 1602) | Yes | -| Hybrid MDM with System Center Configuration Manager and Microsoft Intune | Yes | -| [Microsoft Intune standalone](https://docs.microsoft.com/intune/windows-store-for-business) | Yes | +| On-premises MDM with Configuration Manager (beginning in version 1602) | Yes | +| | Third-party MDM provider | Check to make sure your MDM provider supports deploying offline-licensed app packages. | -**To deploy apps remotely using System Center Configuration Manager (either on-prem MDM or hybrid MDM)** +**To deploy apps remotely using Microsoft Endpoint Configuration Manager** > [!NOTE] -> These instructions are based on the current branch of System Center Configuration Manager. +> These instructions are based on the current branch of Microsoft Endpoint Configuration Manager. -1. Enroll your Surface Hubs to System Center Configuration Manager. For more information, see [Enroll a Surface Hub into MDM](manage-settings-with-mdm-for-surface-hub.md#enroll-into-mdm). +1. Enroll your Surface Hubs to Configuration Manager. For more information, see [Enroll a Surface Hub into MDM](manage-settings-with-mdm-for-surface-hub.md#enroll-into-mdm). 2. Download the offline-licensed app package, the *encoded* license file, and any necessary dependency files from the Store for Business. For more information, see [Download an offline-licensed app](https://technet.microsoft.com/itpro/windows/manage/distribute-offline-apps#download-an-offline-licensed-app). Place the downloaded files in the same folder on a network share. 3. In the **Software Library** workspace of the Configuration Manager console, click **Overview** > **Application Management** > **Applications**. 4. On the **Home** tab, in the **Create** group, click **Create Application**. @@ -150,11 +149,11 @@ To deploy apps to a large number of Surface Hubs in your organization, use a sup 9. On the **General Information** page, complete additional details about the app. Some of this information might already be populated if it was automatically obtained from the app package. 10. Click **Next**, review the application information on the Summary page, and then complete the Create Application Wizard. 11. Create a deployment type for the application. For more information, see [Create deployment types for the application](https://docs.microsoft.com/sccm/apps/deploy-use/create-applications#create-deployment-types-for-the-application). -12. Deploy the application to your Surface Hubs. For more information, see [Deploy applications with System Center Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/deploy-applications). -13. As needed, update the app by downloading a new package from the Store for Business, and publishing an application revision in Configuration Manager. For more information, see [Update and retire applications with System Center Configuration Manager](https://technet.microsoft.com/library/mt595704.aspx). +12. Deploy the application to your Surface Hubs. For more information, see [Deploy applications with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/deploy-applications). +13. As needed, update the app by downloading a new package from the Store for Business, and publishing an application revision in Configuration Manager. For more information, see [Update and retire applications with Microsoft Endpoint Configuration Manager](https://technet.microsoft.com/library/mt595704.aspx). > [!NOTE] -> If you are using System Center Configuration Manager (current branch), you can bypass the above steps by connecting the Store for Business to System Center Configuration Manager. By doing so, you can synchronize the list of apps you've purchased with System Center Configuration Manager, view these in the Configuration Manager console, and deploy them like you would any other app. For more information, see [Manage apps from the Microsoft Store for Business with System Center Configuration Manager](https://technet.microsoft.com/library/mt740630.aspx). +> If you are using Microsoft Endpoint Configuration Manager (current branch), you can bypass the above steps by connecting the Store for Business to Configuration Manager. By doing so, you can synchronize the list of apps you've purchased with Configuration Manager, view these in the Configuration Manager console, and deploy them like you would any other app. For more information, see [Manage apps from the Microsoft Store for Business with Configuration Manager](https://technet.microsoft.com/library/mt740630.aspx). ## Summary diff --git a/devices/surface-hub/manage-surface-hub.md b/devices/surface-hub/manage-surface-hub.md index fcd75f6dfd..4ad681ff5f 100644 --- a/devices/surface-hub/manage-surface-hub.md +++ b/devices/surface-hub/manage-surface-hub.md @@ -19,7 +19,7 @@ ms.localizationpriority: medium After initial setup of Microsoft Surface Hub, the device’s settings and configuration can be modified or changed in a couple ways: - **Local management** - Every Surface Hub can be configured locally using the **Settings** app on the device. To prevent unauthorized users from changing settings, the Settings app requires admin credentials to open the app. For more information, see [Local management for Surface Hub settings](local-management-surface-hub-settings.md). -- **Remote management** - Surface Hub allow IT admins to manage settings and policies using a mobile device management (MDM) provider, such as Microsoft Intune, System Center Configuration Manager, and other third-party providers. Additionally, admins can monitor Surface Hubs using Microsoft Operations Management Suite (OMS). For more information, see [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md), and [Monitor your Microsoft Surface Hub](monitor-surface-hub.md). +- **Remote management** - Surface Hub allow IT admins to manage settings and policies using a mobile device management (MDM) provider, such as Microsoft Intune, Microsoft Endpoint Configuration Manager, and other third-party providers. Additionally, admins can monitor Surface Hubs using Microsoft Operations Management Suite (OMS). For more information, see [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md), and [Monitor your Microsoft Surface Hub](monitor-surface-hub.md). > [!NOTE] > These management methods are not mutually exclusive. Devices can be both locally and remotely managed if you choose. However, MDM policies and settings will overwrite any local changes when the Surface Hub syncs with the management server. diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md index 4535bd1f1b..961a12fcd0 100644 --- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md +++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md @@ -58,7 +58,7 @@ Surface Hubs, like all Windows 10 devices, include **Windows Update for Business 2. [Configure when Surface Hub receives updates](#configure-when-surface-hub-receives-updates). > [!NOTE] -> You can use Microsoft Intune, System Center Configuration Manager, or a supported third-party MDM provider to set up WUfB. [Walkthrough: use Microsoft Intune to configure Windows Update for Business.](https://docs.microsoft.com/windows/deployment/update/waas-wufb-intune) +> You can use Microsoft Intune, Microsoft Endpoint Configuration Manager, or a supported third-party MDM provider to set up WUfB. [Walkthrough: use Microsoft Intune to configure Windows Update for Business.](https://docs.microsoft.com/windows/deployment/update/waas-wufb-intune) ### Group Surface Hub into deployment rings diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md index a6eb33d8f4..198dba4f74 100644 --- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md +++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md @@ -28,7 +28,7 @@ Review these dependencies to make sure Surface Hub features will work in your IT | Active Directory or Azure Active Directory (Azure AD) |
The Surface Hub's uses an Active Directory or Azure AD account (called a **device account**) to access Exchange and Skype for Business services. The Surface Hub must be able to connect to your Active Directory domain controller or to your Azure AD tenant in order to validate the device account’s credentials, as well as to access information like the device account’s display name, alias, Exchange server, and Session Initiation Protocol (SIP) address.
You can also domain join or Azure AD join your Surface Hub to allow a group of authorized users to configure settings on the Surface Hub. | | Exchange (Exchange 2013 or later, or Exchange Online) and Exchange ActiveSync |Exchange is used for enabling mail and calendar features, and also lets people who use the device send meeting requests to the Surface Hub, enabling one-touch meeting join.
ActiveSync is used to sync the device account’s calendar and mail to the Surface Hub. If the device cannot use ActiveSync, it will not show meetings on the welcome screen, and joining meetings and emailing whiteboards will not be enabled. | | Skype for Business (Lync Server 2013 or later, or Skype for Business Online) | Skype for Business is used for various conferencing features, like video calls, instant messaging, and screen sharing.| -| Mobile device management (MDM) solution (Microsoft Intune, System Center Configuration Manager, or supported third-party MDM provider) | If you want to apply settings and install apps remotely, and to multiple devices at a time, you must set up a MDM solution and enroll the device to that solution. See [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) for details. | +| Mobile device management (MDM) solution (Microsoft Intune, Microsoft Endpoint Configuration Manager, or supported third-party MDM provider) | If you want to apply settings and install apps remotely, and to multiple devices at a time, you must set up a MDM solution and enroll the device to that solution. See [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) for details. | | Microsoft Operations Management Suite (OMS) | OMS is used to monitor the health of Surface Hub devices. See [Monitor your Surface Hub](monitor-surface-hub.md) for details. | | Network and Internet access | In order to function properly, the Surface Hub should have access to a wired or wireless network. Overall, a wired connection is preferred. 802.1X Authentication is supported for both wired and wireless connections.**802.1X authentication:** In Windows 10, version 1703, 802.1X authentication for wired and wireless connections is enabled by default in Surface Hub. If your organization doesn't use 802.1X authentication, there is no configuration required and Surface Hub will continue to function as normal. If you use 802.1X authentication, you must ensure that the authentication certification is installed on Surface Hub. You can deliver the certificate to Surface Hub using the [ClientCertificateInstall CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/clientcertificateinstall-csp) in MDM, or you can [create a provisioning package](provisioning-packages-for-surface-hub.md) and install it during first run or through the Settings app. After the certificate is applied to Surface Hub, 802.1X authentication will start working automatically.**Note:** For more information on enabling 802.1X wired authentication on Surface Hub, see [Enable 802.1x wired authentication](enable-8021x-wired-authentication.md).**Dynamic IP:** The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address.**Proxy servers:** If your topology requires a connection to a proxy server to reach Internet services, then you can configure it during first run, or in Settings. Proxy credentials are stored across Surface Hub sessions and only need to be set once. | diff --git a/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md b/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md index 40a5768d27..0e5600c12c 100644 --- a/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md +++ b/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md @@ -93,7 +93,7 @@ Internet Connectivity |Device does have Internet connectivity |Device does not h HTTP Version |1.1 |1.0 |If HTTP 1.0 found, it will cause issue with WU and Store | Direct Internet Connectivity |Device has a Proxy configured Device has no Proxy configured |N/A |Informational. Is your device behind a proxy? | Proxy Address | | |If configured, returns proxy address. | -Proxy Authentication |Proxy does not require Authentication |Proxy requires Proxy Auth |Result may be a false positive if a user already has an open session in Edge and has authenticated thru the proxy. |[Configuring a proxy for your Surface Hub](https://blogs.technet.microsoft.com/y0av/2017/12/03/7/) +Proxy Authentication |Proxy does not require Authentication |Proxy requires Proxy Auth |Result may be a false positive if a user already has an open session in Edge and has authenticated through the proxy. |[Configuring a proxy for your Surface Hub](https://blogs.technet.microsoft.com/y0av/2017/12/03/7/) Proxy Auth Types | | |If proxy authentication is used, return the Authentication methods advertised by the proxy. | #### Environment diff --git a/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md index 1abd2b9751..0b9915c4b0 100644 --- a/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md +++ b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md @@ -29,10 +29,8 @@ Although the deployment and management of Surface devices is fundamentally the s ## Updating Surface device drivers and firmware - For devices that recieve updates through Windows Update, drivers for Surface components (and even firmware updates) are applied automatically as part of the Windows Update process. For devices with managed updates, such as those updated through Windows Server Update Services (WSUS) or Configuration Manager, see [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-driver-and-firmware-updates/). - > [!NOTE] > Surface device drivers and firmware are signed with SHA-256, which is not natively supported by Windows Server 2008 R2. A workaround is available for Configuration Manager environments running on Windows Server 2008 R2. For more information, see [Can't import drivers into Microsoft Endpoint Configuration Manager (KB3025419)](https://support.microsoft.com/kb/3025419). diff --git a/devices/surface/enable-surface-keyboard-for-windows-pe-deployment.md b/devices/surface/enable-surface-keyboard-for-windows-pe-deployment.md index c728d1fff0..b49b04d13a 100644 --- a/devices/surface/enable-surface-keyboard-for-windows-pe-deployment.md +++ b/devices/surface/enable-surface-keyboard-for-windows-pe-deployment.md @@ -50,6 +50,54 @@ To add the keyboard drivers to the selection profile, follow these steps: 4. Right-click the **WindowsPEX64** folder and select **Import Drivers**. 5. Follow the instructions in the Import Driver Wizard to import the driver folders into the WindowsPEX64 folder. +> [!NOTE] +> Check the downloaded MSI package to determine the format and directory structure. The directory structure will start with either SurfacePlatformInstaller (older MSI files) or SurfaceUpdate (Newer MSI files) depending on when the MSI was released. + +To support Surface Laptop (1st Gen), import the following folders: + + - SurfacePlatformInstaller\Drivers\System\GPIO + - SurfacePlatformInstaller\Drivers\System\SurfaceHidMiniDriver + - SurfacePlatformInstaller\Drivers\System\SurfaceSerialHubDriver + - SurfacePlatformInstaller\Drivers\System\PreciseTouch + +Or for newer MSI files beginning with "SurfaceUpdate", use: + +- SurfaceUpdate\SerialIOGPIO +- SurfaceUpdate\SurfaceHidMiniDriver +- SurfaceUpdate\SurfaceSerialHubDriver +- SurfaceUpdate\Itouch + +To support Surface Laptop 2, import the following folders: + + - SurfacePlatformInstaller\Drivers\System\GPIO + - SurfacePlatformInstaller\Drivers\System\SurfaceHIDMiniDriver + - SurfacePlatformInstaller\Drivers\System\SurfaceSerialHubDriver + - SurfacePlatformInstaller\Drivers\System\I2C + - SurfacePlatformInstaller\Drivers\System\SPI + - SurfacePlatformInstaller\Drivers\System\UART + - SurfacePlatformInstaller\Drivers\System\PreciseTouch + +Or for newer MSI files beginning with "SurfaceUpdate", use: + +- SurfaceUpdate\SerialIOGPIO +- SurfaceUpdate\IclSerialIOI2C +- SurfaceUpdate\IclSerialIOSPI +- SurfaceUpdate\IclSerialIOUART +- SurfaceUpdate\SurfaceHidMini +- SurfaceUpdate\SurfaceSerialHub +- SurfaceUpdate\Itouch + + +To support Surface Laptop 3 with Intel Processor, import the following folders: + +- SurfaceUpdate\IclSerialIOGPIO +- SurfaceUpdate\IclSerialIOI2C +- SurfaceUpdate\IclSerialIOSPI +- SurfaceUpdate\IclSerialIOUART +- SurfaceUpdate\SurfaceHidMini +- SurfaceUpdate\SurfaceSerialHub +- SurfaceUpdate\SurfaceHotPlug +- SurfaceUpdate\Itouch > [!NOTE] > Check the downloaded MSI package to determine the format and directory structure. The directory structure will start with either SurfacePlatformInstaller (older MSI files) or SurfaceUpdate (Newer MSI files) depending on when the MSI was released. @@ -119,7 +167,8 @@ To add the keyboard drivers to the selection profile, follow these steps: 9. Verify that you have configured the remaining Surface Laptop drivers by using either a selection profile or a **DriverGroup001** variable. - For Surface Laptop (1st Gen), the model is **Surface Laptop**. The remaining Surface Laptop drivers should reside in the \MDT Deployment Share\Out-of-Box Drivers\Windows10\X64\Surface Laptop folder as shown in the figure that follows this list. - - For Surface Laptop 2, the model is **Surface Laptop 2**. The remaining Surface Laptop drivers should reside in the \MDT Deployment Share\Out-of-Box Drivers\Windows10\X64\Surface Laptop 2 folder. + - For Surface Laptop 2, the model is **Surface Laptop 2**. The remaining Surface Laptop drivers should reside in the \MDT Deployment Share\Out-of-Box Drivers\Windows10\X64\Surface Laptop 2 folder. + - For Surface Laptop 3 with Intel processor, the model is Surface Laptop 3. The remaining Surface Laptop drivers are located in the \MDT Deployment Share\Out-of-Box Drivers\Windows10\X64\Surface Laptop 3 folder.  diff --git a/devices/surface/ethernet-adapters-and-surface-device-deployment.md b/devices/surface/ethernet-adapters-and-surface-device-deployment.md index f280b2ff62..3c05a0d165 100644 --- a/devices/surface/ethernet-adapters-and-surface-device-deployment.md +++ b/devices/surface/ethernet-adapters-and-surface-device-deployment.md @@ -33,9 +33,6 @@ The primary concern when selecting an Ethernet adapter is how that adapter will Booting from the network (PXE boot) is only supported when you use an Ethernet adapter or docking station from Microsoft. To boot from the network, the chipset in the Ethernet adapter or dock must be detected and configured as a boot device in the firmware of the Surface device. Microsoft Ethernet adapters, such as the Surface Ethernet Adapter and the [Surface Dock](https://www.microsoft.com/surface/accessories/surface-dock) use a chipset that is compatible with the Surface firmware. -> [!NOTE] -> PXE boot is not supported on Surface Pro X. For more information, refer to [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md) - The following Ethernet devices are supported for network boot with Surface devices: - Surface USB-C to Ethernet and USB 3.0 Adapter diff --git a/mdop/agpm/resources-for-agpm.md b/mdop/agpm/resources-for-agpm.md index 3ebc42e3e4..5aa2774df3 100644 --- a/mdop/agpm/resources-for-agpm.md +++ b/mdop/agpm/resources-for-agpm.md @@ -19,19 +19,19 @@ ms.date: 08/30/2016 ### Documents for download -- [Advanced Group Policy Management 4.0 documents](https://go.microsoft.com/fwlink/?LinkID=158931) +- [Advanced Group Policy Management 4.0 documents](https://www.microsoft.com/download/details.aspx?id=13975) ### Microsoft Desktop Optimization Pack resources -- [Microsoft Desktop Optimization Pack (MDOP) for Software Assurance TechCenter](https://go.microsoft.com/fwlink/?LinkID=159870) (http://www.microsoft.com/technet/mdop): Links to MDOP videos and resources. +- [Microsoft Desktop Optimization Pack (MDOP) for Software Assurance TechCenter](https://go.microsoft.com/fwlink/?LinkID=159870) (https://www.microsoft.com/technet/mdop): Links to MDOP videos and resources. - [Enterprise products: MDOP](https://go.microsoft.com/fwlink/?LinkID=160297): Overviews and information about the benefits of applications in MDOP. ### Group Policy resources -- [Group Policy TechCenter](https://go.microsoft.com/fwlink/?LinkID=145531) (http://www.microsoft.com/grouppolicy): Links to Group Policy documentation, tools, and downloads. +- [Group Policy TechCenter](https://go.microsoft.com/fwlink/?LinkID=145531) (https://www.microsoft.com/grouppolicy): Links to Group Policy documentation, tools, and downloads. -- [Group Policy Team Blog](https://go.microsoft.com/fwlink/?LinkID=75192) (http://blogs.technet.com/GroupPolicy): Stay current on the latest news about Group Policy with articles by the Group Policy Team and other experts. +- [Group Policy Team Blog](https://go.microsoft.com/fwlink/?LinkID=75192) (https://blogs.technet.com/GroupPolicy): Stay current on the latest news about Group Policy with articles by the Group Policy Team and other experts. - [Group Policy Forum](https://go.microsoft.com/fwlink/?LinkID=145532): Do you have questions about Group Policy or AGPM? You can post your questions to the forum, and receive answers from the experts. diff --git a/mdop/mbam-v25/troubleshooting-mbam-installation.md b/mdop/mbam-v25/troubleshooting-mbam-installation.md index d8e8d0fc89..f2d0494b7f 100644 --- a/mdop/mbam-v25/troubleshooting-mbam-installation.md +++ b/mdop/mbam-v25/troubleshooting-mbam-installation.md @@ -335,7 +335,7 @@ The MBAM agent will be unable to post any updates to the database if connectivit User: SYSTEM Computer: TESTLABS.CONTOSO.COM Description: - An error occured while applying MBAM policies. + An error occurred while applying MBAM policies. Volume ID:\\?\Volume{871c5858-2467-4d0b-8c83-d68af8ce10e5}\ Error code: 0x803D0010 @@ -352,7 +352,7 @@ The MBAM agent will be unable to post any updates to the database if connectivit User: SYSTEM Computer: TESTLABS.CONTOSO.COM Description: - An error occured while applying MBAM policies. + An error occurred while applying MBAM policies. Volume ID:\\?\Volume{871c5858-2467-4d0b-8c83-d68af8ce10e5}\ Error code: 0x803D0006 @@ -420,7 +420,7 @@ The MBAM services may be unable to connect to the database server because of a n Computer: MBAM2-Admin.contoso.com Description: Event code: 100001 - Event message: SQL error occured + Event message: SQL error occurred Event time: 7/11/2013 6:16:34 PM Event time (UTC): 7/11/2013 12:46:34 PM Event ID: 6615fb8eb9d54e778b933d5bb7ca91ed @@ -552,7 +552,7 @@ Review the activity in the service trace log for any error or warning entries. BValue type is string. Supported operation is Get.
diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md index a24f114581..1c440edf96 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md @@ -492,6 +492,18 @@ Supported operation is Execute, Add, Delete, and Get. **AppInstallation/*PackageFamilyName*/HostedInstall** Required. Command to perform an install of an app package from a hosted location (this can be a local drive, a UNC, or https data source). +The following list shows the supported deployment options: +- ForceApplicationShutdown +- DevelopmentMode +- InstallAllResources +- ForceTargetApplicationShutdown +- ForceUpdateToAnyVersion +- DeferRegistration="1". If the app is in use at the time of installation. This stages the files for an app update and completes the registration of the app update after the app closes. Available in the latest insider flight of 20H1. +- StageOnly="1". Stages the files for an app installation or update without installing the app. Available in 1803. +- LicenseUri="\\server\license.lic". Deploys an offline license from the Microsoft Store for Business. Available in 1607. +- ValidateDependencies="1". This is used at provisioning/staging time. If it is set to 1, deployment will perform the same dependency validation during staging that we would normally do at registration time, failing and rejecting the provision request if the dependencies are not present. Available in the latest insider flight of 20H1. +- ExcludeAppFromLayoutModification="1". Sets that the app will be provisioned on all devices and will be able to retain the apps provisioned without pinning them to start layout. Available in 1809. + Supported operation is Execute, Add, Delete, and Get. **AppInstallation/*PackageFamilyName*/LastError** diff --git a/windows/configuration/wcd/wcd-calling.md b/windows/configuration/wcd/wcd-calling.md index 186d34e8ec..ea77470ed5 100644 --- a/windows/configuration/wcd/wcd-calling.md +++ b/windows/configuration/wcd/wcd-calling.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: dansimp -ms.localizationpriority: medium +ms.localizationpriority: medium ms.author: dansimp ms.topic: article ms.date: 04/30/2018 @@ -57,7 +57,7 @@ See [Dialer codes to launch diagnostic applications](https://docs.microsoft.com/ ## PerSimSettings -Use to configure settings for each subscriber identification module (SIM) card. Enter the Integrated Circuit Card Identifier (ICCID) for the SIM card, select **Add**, and then configure the folowing settings. +Use to configure settings for each subscriber identification module (SIM) card. Enter the Integrated Circuit Card Identifier (ICCID) for the SIM card, select **Add**, and then configure the following settings. ### Critical diff --git a/windows/configuration/wcd/wcd-messaging.md b/windows/configuration/wcd/wcd-messaging.md index 67158a5f0c..f556155dc7 100644 --- a/windows/configuration/wcd/wcd-messaging.md +++ b/windows/configuration/wcd/wcd-messaging.md @@ -81,7 +81,7 @@ SyncSender | Specify a value for SyncSender that is greater than 3 characters bu ## PerSimSettings -Use to configure settings for each subscriber identification module (SIM) card. Enter the Integrated Circuit Card Identifier (ICCID) for the SIM card, click **Add**, and then configure the folowing settings. +Use to configure settings for each subscriber identification module (SIM) card. Enter the Integrated Circuit Card Identifier (ICCID) for the SIM card, click **Add**, and then configure the following settings. ### AllowMmsIfDataIsOff diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md index 61db3462a7..14223dbdc3 100644 --- a/windows/deployment/update/waas-manage-updates-wsus.md +++ b/windows/deployment/update/waas-manage-updates-wsus.md @@ -272,7 +272,7 @@ For clients that should have their feature updates approved as soon as they’re Now, whenever Windows 10 feature updates are published to WSUS, they will automatically be approved for the **Ring 3 Broad IT** deployment ring with an installation deadline of 1 week. > [!WARNING] -> The auto approval rule runs after synchronization occurs. This means that the *next* upgrade for each Windows 10 version will be approved. If you select **Run Rule**, all possible updates that meet the criteria will be approved, potentially including older updates that you don't actualy want--which can be a problem when the download sizes are very large. +> The auto approval rule runs after synchronization occurs. This means that the *next* upgrade for each Windows 10 version will be approved. If you select **Run Rule**, all possible updates that meet the criteria will be approved, potentially including older updates that you don't actually want--which can be a problem when the download sizes are very large. ## Manually approve and deploy feature updates diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md index 2a7e01c1d8..ee85dd816a 100644 --- a/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md +++ b/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md @@ -11,7 +11,8 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: mdt -audience: itpro author: greg-lindsay +audience: itpro +author: greg-lindsay ms.topic: article --- @@ -24,7 +25,7 @@ The simplest path to upgrade PCs that are currently running Windows 7, Windows ## Proof-of-concept environment -For the purposes of this topic, we will use four machines: DC01, MDT01, and PC0001. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard machine, fully patched with the latest security updates, and configured as a member server in the fictional contoso.com domain. PC0001 is a machine with Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). +For the purposes of this topic, we will use three machines: DC01, MDT01, and PC0001. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard machine, fully patched with the latest security updates, and configured as a member server in the fictional contoso.com domain. PC0001 is a machine with Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).  diff --git a/windows/deployment/volume-activation/vamt-requirements.md b/windows/deployment/volume-activation/vamt-requirements.md index 264ebca94c..e9c0da934f 100644 --- a/windows/deployment/volume-activation/vamt-requirements.md +++ b/windows/deployment/volume-activation/vamt-requirements.md @@ -31,17 +31,16 @@ The Volume Activation Management Tool (VAMT) can be used to perform activations The following table lists the system requirements for the VAMT host computer. -|Item |Minimum system requirement | -|-----|---------------------------| -|Computer and Processor |1 GHz x86 or x64 processor | -|Memory |1 GB RAM for x86 or 2 GB RAM for x64 | -|Hard Disk |16 GB available hard disk space for x86 or 20 GB for x64 | -|External Drive|Removable media (Optional) | -|Display |1024x768 or higher resolution monitor | -|Network |Connectivity to remote computers via Windows® Management Instrumentation (TCP/IP) and Microsoft® Activation Web Service on the Internet via HTTPS | -|Operating System |Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2, or Windows Server 2012. | -|Additional Requirements |Use DES encryption types for this account
Provides support for the Data Encryption Standard (DES). DES supports multiple levels of encryption, including Microsoft Point-to-Point Encryption (MPPE) Standard (40-bit and 56-bit), MPPE standard (56-bit), MPPE Strong (128-bit), Internet Protocol security (IPSec) DES (40-bit), IPSec 56-bit DES, and IPSec Triple DES (3DES).
DES is not enabled by default in Windows Server operating systems starting with Windows Server 2008 R2, nor in Windows client operating systems starting with Windows 7. For these operating systems, computers will not use DES-CBC-MD5 or DES-CBC-CRC cipher suites by default. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment. For more information, see Hunting down DES in order to securely deploy Kerberos.
+NoteDES is not enabled by default in Windows Server operating systems starting with Windows Server 2008 R2, nor in Windows client operating systems starting with Windows 7. For these operating systems, computers will not use DES-CBC-MD5 or DES-CBC-CRC cipher suites by default. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment. For more information, see Hunting down DES in order to securely deploy Kerberos.