deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 06:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/master' into sh-7964738

Browse Source
This commit is contained in:
Trudy Hakala 2016-09-20 08:48:11 -07:00
commit 2d38e272f9
130 changed files with 695 additions and 452 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
CONTRIBUTING.md
View File

@ -11,7 +11,10 @@ You've already completed this step.
## Editing topics ## Editing topics
We've tried to make editing an existing file as simple as possible. We've tried to make editing an existing, public file as simple as possible.
>**Note**<br>
>At this time, only the English (en-us) content is available for editing.
**To edit a topic** **To edit a topic**
@ -19,38 +22,42 @@ We've tried to make editing an existing file as simple as possible.
![GitHub Web, showing the Contribute link](images/contribute-link.png) ![GitHub Web, showing the Contribute link](images/contribute-link.png)
2. Click the **Pencil** icon (in the red box) to edit the content. 2. Log into (or sign up for) a GitHub account.
You must have a GitHub account to get to the page that lets you edit a topic.
3. Click the **Pencil** icon (in the red box) to edit the content.
![GitHub Web, showing the Pencil icon in the red box](images/pencil-icon.png) ![GitHub Web, showing the Pencil icon in the red box](images/pencil-icon.png)
3. Using markdown language, make your changes to the topic. For info about how to edit content using markdown, see: 4. Using Markdown language, make your changes to the topic. For info about how to edit content using Markdown, see:
- **If you're linked to the Microsoft organization in GitHub:** [Windows Open Publishing Guide Home](http://aka.ms/windows-op-guide) - **If you're linked to the Microsoft organization in GitHub:** [Windows Open Publishing Guide Home](http://aka.ms/windows-op-guide)
- **If you're external to Microsoft:** [Mastering Markdown](https://guides.github.com/features/mastering-markdown/) - **If you're external to Microsoft:** [Mastering Markdown](https://guides.github.com/features/mastering-markdown/)
4. Make your suggested change, and then click **Preview Changes** to make sure it looks correct. 5. Make your suggested change, and then click **Preview Changes** to make sure it looks correct.
![GitHub Web, showing the Preview Changes tab](images/preview-changes.png) ![GitHub Web, showing the Preview Changes tab](images/preview-changes.png)
5. When youre done editing the topic, scroll to the bottom of the page, and then click **Propose file change** to create a fork in your personal GitHub account. 6. When youre done editing the topic, scroll to the bottom of the page, and then click **Propose file change** to create a fork in your personal GitHub account.
![GitHub Web, showing the Propose file change button](images/propose-file-change.png) ![GitHub Web, showing the Propose file change button](images/propose-file-change.png)
The **Comparing changes** screen appears to see what the changes are between your fork and the original content. The **Comparing changes** screen appears to see what the changes are between your fork and the original content.
6. On the **Comparing changes** screen, youll see if there are any problems with the file youre checking in. 7. On the **Comparing changes** screen, youll see if there are any problems with the file youre checking in.
If there are no problems, youll see the message, **Able to merge**. If there are no problems, youll see the message, **Able to merge**.
![GitHub Web, showing the Comparing changes screen](images/compare-changes.png) ![GitHub Web, showing the Comparing changes screen](images/compare-changes.png)
7. Click **Create pull request**. 8. Click **Create pull request**.
8. Enter a title and description to give the approver the appropriate context about whats in the request. 9. Enter a title and description to give the approver the appropriate context about whats in the request.
9. Scroll to the bottom of the page, making sure that only your changed files are in this pull request. Otherwise, you could overwrite changes from other people. 10. Scroll to the bottom of the page, making sure that only your changed files are in this pull request. Otherwise, you could overwrite changes from other people.
10. Click **Create pull request**. 11. Click **Create pull request** again to actually submit the pull request.
The pull request is sent to the writer of the topic and your edits are reviewed. If your request is accepted, updates are published to one of the following places: The pull request is sent to the writer of the topic and your edits are reviewed. If your request is accepted, updates are published to one of the following places:

2
browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md
View File

@ -51,7 +51,7 @@ After adding the `FEATURE\AUTOCONFIG\BRANDING` registry key, you can change your
- **Automatic Configuration URL (.INS file) box:** Type the location of your automatic configuration script. - **Automatic Configuration URL (.INS file) box:** Type the location of your automatic configuration script.
- **Automatic proxy URL (.JS, .JVS, or .PAC file) box:** Type the location of your automatic proxy script.<p> **Important**<br>Internet Explorer 11 no longer supports using file server locations with your proxy configuration (.pac) files. To keep using your .pac files, you have to keep them on a web server and reference them using a URL, like *http://share/test.ins*. - **Automatic proxy URL (.JS, .JVS, or .PAC file) box:** Type the location of your automatic proxy script.<p> **Important**<br>Internet Explorer 11 no longer supports using file server locations with your proxy configuration (.pac) files. To keep using your .pac files, you have to keep them on a web server and reference them using a URL, like `http://share/test.ins`.
If your branding changes aren't correctly deployed after running through this process, see [Auto configuration and auto proxy problems with Internet Explorer 11](auto-configuration-and-auto-proxy-problems-with-ie11.md). If your branding changes aren't correctly deployed after running through this process, see [Auto configuration and auto proxy problems with Internet Explorer 11](auto-configuration-and-auto-proxy-problems-with-ie11.md).

9
browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md
View File

@ -33,10 +33,11 @@ DHCP has a higher priority than DNS for automatic configuration. If DHCP provide
![](images/wedge.gif) **To set up automatic detection for DHCP servers** ![](images/wedge.gif) **To set up automatic detection for DHCP servers**
- Open the [DHCP Administrative Tool](https://go.microsoft.com/fwlink/p/?LinkId=302212), create a new option type, using the code number 252, and then associate it with the URL to your configuration file. For detailed instructions about how to do this, see [Create an option 252 entry in DHCP](https://go.microsoft.com/fwlink/p/?LinkId=294649). - Open the [DHCP Administrative Tool](https://go.microsoft.com/fwlink/p/?LinkId=302212), create a new option type, using the code number 252, and then associate it with the URL to your configuration file. For detailed instructions about how to do this, see [Create an option 252 entry in DHCP](https://go.microsoft.com/fwlink/p/?LinkId=294649).
<p>**Examples:**<br>
http://www.microsoft.com/webproxy.pac<br> **Examples:**<br>
http://marketing/config.ins<br> `http://www.microsoft.com/webproxy.pac`<br>
http://123.4.567.8/account.pac<p> `http://marketing/config.ins`<br>
`http://123.4.567.8/account.pac`<p>
For more detailed info about how to set up your DHCP server, see your server documentation. For more detailed info about how to set up your DHCP server, see your server documentation.
![](images/wedge.gif) **To set up automatic detection for DNS servers** ![](images/wedge.gif) **To set up automatic detection for DNS servers**

2
browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md
View File

@ -20,7 +20,7 @@ Using a proxy server lets you limit access to the Internet. You can also use the
1. Check the **Enable proxy settings** box if you want to use proxy servers for any of your services. 1. Check the **Enable proxy settings** box if you want to use proxy servers for any of your services.
2. Type the address of the proxy server you want to use for your services into the **Address of proxy** box. In most cases, a single proxy server is used for all of your services.<p> 2. Type the address of the proxy server you want to use for your services into the **Address of proxy** box. In most cases, a single proxy server is used for all of your services.<p>
Proxy locations that dont begin with a protocol (like, http:// or ftp://) are assumed to be a CERN-type HTTP proxy. For example, the entry *proxy* is treated the same as the entry *http://proxy*. Proxy locations that dont begin with a protocol (like, http:// or ftp://) are assumed to be a CERN-type HTTP proxy. For example, the entry *proxy* is treated the same as the entry `http://proxy`.
3. Type the port for each service. The default value is *80*. 3. Type the port for each service. The default value is *80*.

5
devices/surface-hub/create-a-device-account-using-office-365.md
View File

@ -54,7 +54,7 @@ If you prefer to use a graphical user interface, you can create a device account
![assign license for Skype for Business online.](images/setupdeviceaccto365-07.png) ![assign license for Skype for Business online.](images/setupdeviceaccto365-07.png)
From the list, uncheck **Skype for Business Online (plan 2)** (this license may vary depending on your organization), and click **SAVE**. From the list, select **Skype for Business Online (Plan 2)**, and then click **SAVE**. The license may vary depending on your organization (for example, you might have Plan 2, or Plan 3).
### <a href="" id="create-device-acct-o365-mbx-policy"></a>Create a mobile device mailbox (ActiveSync) policy from the Exchange Admin Center ### <a href="" id="create-device-acct-o365-mbx-policy"></a>Create a mobile device mailbox (ActiveSync) policy from the Exchange Admin Center
@ -133,8 +133,7 @@ In order to run cmdlets used by these PowerShell scripts, the following must be
5. Finally, to connect to Exchange Online Services, run: 5. Finally, to connect to Exchange Online Services, run:
``` syntax ``` syntax
$exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri"https://outlook.office365.com/powershell-liveid/" -Credential $cred -Authentication "Basic" AllowRedirection
"https://outlook.office365.com/powershell-liveid/" -Credential $cred -Authentication "Basic" AllowRedirection
``` ```
![Image showing PowerShell cmdlet.](images/setupdeviceaccto365-21.png) ![Image showing PowerShell cmdlet.](images/setupdeviceaccto365-21.png)

14
devices/surface-hub/device-reset-surface-hub.md
View File

@ -30,7 +30,7 @@ Initiating a reset will return the device to the last cumulative Windows update,
- Local admins on the device - Local admins on the device
- Configurations from MDM or the Settings app - Configurations from MDM or the Settings app
**To reset a Surface Hub** **To reset a Surface Hub from Settings**</br>
1. On your Surface Hub, open **Settings**. 1. On your Surface Hub, open **Settings**.
![Image showing Settings app for Surface Hub.](images/sh-settings.png) ![Image showing Settings app for Surface Hub.](images/sh-settings.png)
@ -43,8 +43,18 @@ Initiating a reset will return the device to the last cumulative Windows update,
![Image showing Reset device option in Settings app for Surface Hub.](images/sh-settings-reset-device.png) ![Image showing Reset device option in Settings app for Surface Hub.](images/sh-settings-reset-device.png)
**To reset a Surface Hub from Windows Recovery Environment**</br>
On rare occasions, a Surface Hub may encounter an error while cleaning up user and app data at the end of a session. When this happens, the device will automatically reboot and try again. If this operation fails repeatedly, the device will be automatically locked to protect user data. To unlock it, you must reset the device from Windows Recovery Environment (Windows RE). To learn more about Windows RE, see [What is Windows RE?](https://technet.microsoft.com/library/cc765966.aspx).
To reset a Surface Hub from Windows RE:
1. From the welcome screen, toggle the Surface Hub's power switch 3 times. Wait a few seconds between each toggle. See the [Surface Hub Site Readiness Guide](https://www.microsoft.com/surface/support/surface-hub/surface-hub-site-readiness-guide) for help with locating the power switch.
2. The device should automatically boot into Windows RE. Select **Advanced Repair**.
3. Select **Reset**.
4. If prompted, enter your device's BitLocker key.
**Important Note**</br> **Important Note**</br>
Performing a device reset may take up to 6 hours. Do not interrupt the reset process. Interrupting the process will render the device inoperable, requiring warranty service to return to normal functionality. Performing a device reset may take up to 2 hours. Do not interrupt the reset process. Interrupting the process will render the device inoperable, requiring warranty service to return to normal functionality.
After the reset, Surface Hub restarts the [first run program](first-run-program-surface-hub.md) again. After the reset, Surface Hub restarts the [first run program](first-run-program-surface-hub.md) again.

BIN
devices/surface-hub/images/setupdeviceaccto365-07.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 23 KiB

After

Width:  |  Height:  |  Size: 28 KiB

6
education/windows/TOC.md
View File

@ -1,5 +1,4 @@
# [Windows 10 for education](index.md) # [Windows 10 for Education](index.md)
## [Change history for Windows 10 for Education](change-history-edu.md)
## [Windows 10 editions for education customers](windows-editions-for-education-customers.md) ## [Windows 10 editions for education customers](windows-editions-for-education-customers.md)
## [Setup options for Windows 10](set-up-windows-10.md) ## [Setup options for Windows 10](set-up-windows-10.md)
### [Use the Set up School PCs app ](use-set-up-school-pcs-app.md) ### [Use the Set up School PCs app ](use-set-up-school-pcs-app.md)
@ -12,9 +11,10 @@
## [Take tests in Windows 10 ](take-tests-in-windows-10.md) ## [Take tests in Windows 10 ](take-tests-in-windows-10.md)
### [Set up Take a Test on a single PC](take-a-test-single-pc.md) ### [Set up Take a Test on a single PC](take-a-test-single-pc.md)
### [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md) ### [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md)
### [Create tests using Microsoft Forms](create-tests-using-microsoft-forms.md)
### [Take a Test app technical reference](take-a-test-app-technical.md) ### [Take a Test app technical reference](take-a-test-app-technical.md)
## [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md) ## [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) ## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
## [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md) ## [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
## [Chromebook migration guide](chromebook-migration-guide.md) ## [Chromebook migration guide](chromebook-migration-guide.md)
## [Change history for Windows 10 for Education](change-history-edu.md)

21
education/windows/change-history-edu.md
View File

@ -12,6 +12,11 @@ author: jdeckerMS
This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation. This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation.
## September 2016
| New or changed topic | Description|
| --- | --- |
| [Create tests using Microsoft Forms](create-tests-using-microsoft-forms.md) | New. Learn how to use Microsoft Forms with the Take a Test app to prevent access to other computers or online resources while completing a test. |
## RELEASE: Windows 10, version 1607 ## RELEASE: Windows 10, version 1607
The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added: The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added:
@ -21,29 +26,25 @@ The topics in this library have been updated for Windows 10, version 1607 (also
- [Provision student PCs with apps](set-up-students-pcs-with-apps.md) - [Provision student PCs with apps](set-up-students-pcs-with-apps.md)
- [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md) - [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
## July 2016 ## July 2016
| New or changed topic | Description| | New or changed topic | Description|
| --- | --- | | --- | --- |
| [Windows 10 editions for education customers](windows-editions-for-education-customers.md) | New | | [Windows 10 editions for education customers](windows-editions-for-education-customers.md) | New. Learn about the two editions in Windows 10, version 1607 that's designed for the needs of K-12 institutions. |
|[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)|New | |[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)|New. Learn how to deploy Windows 10 in a school district. Integrate the school environment with Office 365, AD DS, and Microsoft Azure AD, use SCCM, Intune, and Group Policy to manage devices. |
## June 2016 ## June 2016
| New or changed topic | Description | | New or changed topic | Description |
|----------------------|-------------| |----------------------|-------------|
| [Get Minecraft Education Edition](get-minecraft-for-education.md) </br> [For teachers: get Minecraft Education Edition](teacher-get-minecraft.md) </br> [For IT administrators: get Minecraft Education Edition](school-get-minecraft.md) | New | | [Get Minecraft Education Edition](get-minecraft-for-education.md) </br> [For teachers: get Minecraft Education Edition](teacher-get-minecraft.md) </br> [For IT administrators: get Minecraft Education Edition](school-get-minecraft.md) | New. Learn how to get and distribute Minecraft: Education Edition. |
## May 2016 ## May 2016
| New or changed topic | Description | | New or changed topic | Description |
|----------------------|-------------| |----------------------|-------------|
| [Use the Set up School PCs app (Preview)](use-set-up-school-pcs-app.md) | New | | [Use the Set up School PCs app (Preview)](use-set-up-school-pcs-app.md) | New. Learn how the Set up School PCs app works and how to use it. |
| [Set up School PCs app technical reference (Preview)](set-up-school-pcs-technical.md) | New | | [Set up School PCs app technical reference (Preview)](set-up-school-pcs-technical.md) | New. Describes the changes that the Set up School PCs app makes to a PC. |
| [Take tests in Windows 10 (Preview)](take-tests-in-windows-10.md) </br> [Set up Take a Test on a single PC (Preview)](take-a-test-single-pc.md) </br> [Set up Take a Test on multiple PCs (Preview)](take-a-test-multiple-pcs.md) </br> [Take a Test app technical reference (Preview)](take-a-test-app-technical.md) | New | | [Take tests in Windows 10 (Preview)](take-tests-in-windows-10.md) </br> [Set up Take a Test on a single PC (Preview)](take-a-test-single-pc.md) </br> [Set up Take a Test on multiple PCs (Preview)](take-a-test-multiple-pcs.md) </br> [Take a Test app technical reference (Preview)](take-a-test-app-technical.md) | New. Learn how to set up and use the Take a Test app. |
| [Chromebook migration guide](chromebook-migration-guide.md) | Moved from [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/en-us/itpro/windows/plan/index) library, originally published in November 2015 | | [Chromebook migration guide](chromebook-migration-guide.md) | Moved from [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/en-us/itpro/windows/plan/index) library, originally published in November 2015 |
| [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Moved from [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/en-us/itpro/windows/plan/index) library, originally published in May 2016 | | [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Moved from [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/en-us/itpro/windows/plan/index) library, originally published in May 2016 |

29
education/windows/create-tests-using-microsoft-forms.md Normal file
View File

@ -0,0 +1,29 @@
---
title: Create tests using Microsoft Forms
description: Learn how to use Microsoft Forms with the Take a Test app to prevent access to other computers or online resources while completing a test.
keywords: school, Take a Test, Microsoft Forms
ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
author: CelesteDG
---
# Create tests using Microsoft Forms
**Applies to:**
- Windows 10
For schools that have an Office 365 Education subscription, teachers can use [Microsoft Forms](https://support.office.com/article/What-is-Microsoft-Forms-6b391205-523c-45d2-b53a-fc10b22017c8) to create a test and then require that students use the Take a Test app to block access to other computers or online resources while completing the test created through Microsoft Forms.
To do this, teachers can select a check box to make it a secure test. Microsoft Forms will generate a link that you can use to embed into your OneNote or class website. When students are ready to take a test, they can click on the link to start the test.
Microsoft Forms will perform checks to ensure students are taking the test in a locked down Take a Test session. If not, students are not permitted access to the assessment.
[Learn how to block Internet access while students complete your form](https://support.office.com/article/6bd7e31d-5be0-47c9-a0dc-c0a74fc48959)
## Related topics
[Take tests in Windows 10](take-tests-in-windows-10.md)

8
education/windows/index.md
View File

@ -9,9 +9,11 @@ author: jdeckerMS
--- ---
# Windows 10 for Education # Windows 10 for Education
[Windows 10 Education](https://www.microsoft.com/en-us/education/products/windows/default.aspx) empowers staff, administrators, teachers and students to do great things. [Windows 10 Education and Windows 10 Pro Education](https://www.microsoft.com/en-us/education/products/windows/default.aspx) empowers staff, administrators, teachers and students to do great things.
[Find out how to get Windows 10 Education for your school.](https://www.microsoft.com/en-us/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools) [Find out how to get Windows 10 Education or Windows 10 Pro Education for your school](https://www.microsoft.com/en-us/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools)
[Learn more about what features and functionality are supported in each Windows edition](https://www.microsoft.com/en-us/WindowsForBusiness/Compare)
## In this section ## In this section
@ -28,5 +30,5 @@ author: jdeckerMS
## Related topics ## Related topics
- [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/itpro/windows/index)
- [Try it out: virtual labs and how-to videos for Windows 10 Education](https://technet.microsoft.com/en-us/windows/dn610356) - [Try it out: virtual labs and how-to videos for Windows 10 Education](https://technet.microsoft.com/en-us/windows/dn610356)
- [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/itpro/windows/index)

5
education/windows/take-tests-in-windows-10.md
View File

@ -42,7 +42,6 @@ Many schools use online testing for formative and summative assessments. It's cr
## Related topics ## Related topics
[Create tests using Microsoft Forms](create-tests-using-microsoft-forms.md)
[Take a Test app technical reference](take-a-test-app-technical.md) [Take a Test app technical reference](take-a-test-app-technical.md)

1
education/windows/windows-editions-for-education-customers.md
View File

@ -7,7 +7,6 @@ ms.mktglfcycl: plan
ms.sitesec: library ms.sitesec: library
ms.pagetype: edu ms.pagetype: edu
author: CelesteDG author: CelesteDG
localizationpriority: high
--- ---
# Windows 10 editions for education customers # Windows 10 editions for education customers

6
windows/deploy/activate-using-active-directory-based-activation-client.md
View File

@ -24,8 +24,8 @@ localizationpriority: high
**Looking for retail activation?** **Looking for retail activation?**
- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) - [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. Active Directory-based activation requires that the forest schema be updated by adprep.exe on a computer running Windows Server 2012 R2 or Windows Server 2012, but after the schema is updated, older domain controllers can still activate clients. Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. Active Directory-based activation requires that the forest schema be updated by adprep.exe on a computer running Windows Server 2012 or Windows Server 2012 R2, but after the schema is updated, older domain controllers can still activate clients.
Any domain-joined computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 with a GVLK will be activated automatically and transparently. They will stay activated as long as they remain members of the domain and maintain periodic contact with a domain controller. Activation takes place after the Licensing service starts. When this service starts, the computer contacts AD DS automatically, receives the activation object, and is activated without user intervention. Any domain-joined computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2 with a GVLK will be activated automatically and transparently. They will stay activated as long as they remain members of the domain and maintain periodic contact with a domain controller. Activation takes place after the Licensing service starts. When this service starts, the computer contacts AD DS automatically, receives the activation object, and is activated without user intervention.
To allow computers with GVLKs to activate themselves, use the Volume Activation Tools console in Windows Server 2012 R2 or the VAMT in earlier versions of Windows Server to create an object in the AD DS forest. You create this activation object by submitting a KMS host key to Microsoft, as shown in Figure 10. To allow computers with GVLKs to activate themselves, use the Volume Activation Tools console in Windows Server 2012 R2 or the VAMT in earlier versions of Windows Server to create an object in the AD DS forest. You create this activation object by submitting a KMS host key to Microsoft, as shown in Figure 10.
The process proceeds as follows: The process proceeds as follows:
1. Perform one of the following tasks: 1. Perform one of the following tasks:
@ -38,7 +38,7 @@ The process proceeds as follows:
**Figure 10**. The Active Directory-based activation flow **Figure 10**. The Active Directory-based activation flow
For environments in which all computers are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2, and they are joined to a domain, Active Directory-based activation is the best option for activating all client computers and servers, and you may be able to remove any KMS hosts from your environment. For environments in which all computers are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2, and they are joined to a domain, Active Directory-based activation is the best option for activating all client computers and servers, and you may be able to remove any KMS hosts from your environment.
If an environment will continue to contain earlier volume licensing operating systems and applications or if you have workgroup computers outside the domain, you need to maintain a KMS host to maintain activation status for earlier volume licensing editions of Windows and Office. If an environment will continue to contain earlier volume licensing operating systems and applications or if you have workgroup computers outside the domain, you need to maintain a KMS host to maintain activation status for earlier volume licensing editions of Windows and Office.
Clients that are activated with Active Directory-based activation will maintain their activated state for up to 180 days since the last contact with the domain, but they will periodically attempt to reactivate before then and at the end of the 180day period. By default, this reactivation event occurs every seven days. Clients that are activated with Active Directory-based activation will maintain their activated state for up to 180 days since the last contact with the domain, but they will periodically attempt to reactivate before then and at the end of the 180day period. By default, this reactivation event occurs every seven days.
When a reactivation event occurs, the client queries AD DS for the activation object. Client computers examine the activation object and compare it to the local edition as defined by the GVLK. If the object and GVLK match, reactivation occurs. If the AD DS object cannot be retrieved, client computers use KMS activation. If the computer is removed from the domain, when the computer or the Software Protection service is restarted, the operating system will change the status from activated to not activated, and the computer will try to activate with KMS. When a reactivation event occurs, the client queries AD DS for the activation object. Client computers examine the activation object and compare it to the local edition as defined by the GVLK. If the object and GVLK match, reactivation occurs. If the AD DS object cannot be retrieved, client computers use KMS activation. If the computer is removed from the domain, when the computer or the Software Protection service is restarted, the operating system will change the status from activated to not activated, and the computer will try to activate with KMS.

1
windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md
View File

@ -5,6 +5,7 @@ ms.assetid: 77f769cc-1a47-4f36-8082-201cd77b8d3b
keywords: image, deploy, distribute keywords: image, deploy, distribute
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library ms.sitesec: library
author: mtniehaus author: mtniehaus
--- ---

33
windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
View File

@ -4,6 +4,7 @@ description: In this topic, you will learn how to configure the Windows Preinsta
ms.assetid: 97b3ea46-28d9-407e-8c42-ded2e45e8d5c ms.assetid: 97b3ea46-28d9-407e-8c42-ded2e45e8d5c
keywords: deploy, task sequence keywords: deploy, task sequence
ms.prod: w10 ms.prod: w10
localizationpriority: high
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
author: mtniehaus author: mtniehaus
@ -35,13 +36,12 @@ This section will show you how to import some network and storage drivers for Wi
5. On the **Select drivers to include in the boot image** page, select the **Zero Touch WinPE x64** boot image. Also select the **Update distribution points when finished** check box, and click **Next** twice. 5. On the **Select drivers to include in the boot image** page, select the **Zero Touch WinPE x64** boot image. Also select the **Update distribution points when finished** check box, and click **Next** twice.
![figure 21](images/fig21-add-drivers.png) ![Add drivers to Windows PE](images/fig21-add-drivers.png "Add drivers to Windows PE")
Figure 21. Add drivers to Windows PE. *Figure 21. Add drivers to Windows PE*
**Note**  
The Updating Boot Image part of the wizard will appear to hang when displaying Done. It will complete in a minute or two.
>[!NOTE]  
>The Updating Boot Image part of the wizard will appear to hang when displaying Done. It will complete in a minute or two.
   
## <a href="" id="sec02"></a>Add drivers for Windows 10 ## <a href="" id="sec02"></a>Add drivers for Windows 10
@ -55,31 +55,28 @@ This section illustrates how to add drivers for Windows 10 through an example in
3. On the **Specify the details for the imported driver** page, click **Categories**, create a category named Windows 10 x64 - HP EliteBook 8560w, and then click **Next**. 3. On the **Specify the details for the imported driver** page, click **Categories**, create a category named Windows 10 x64 - HP EliteBook 8560w, and then click **Next**.
![figure 22](images/fig22-createcategories.png) ![Create driver categories](images/fig22-createcategories.png "Create driver categories")
Figure 22. Create driver categories. *Figure 22. Create driver categories*
4. On the **Select the packages to add the imported driver** page, click **New Package**, use the following settings for the package, and then click **Next**: 4. On the **Select the packages to add the imported driver** page, click **New Package**, use the following settings for the package, and then click **Next**:
1. Name: Windows 10 x64 - HP EliteBook 8560w * Name: Windows 10 x64 - HP EliteBook 8560w
2. Path: \\\\CM01\\Sources$\\OSD\\DriverPackages\\Windows 10 x64\\HP EliteBook 8560w * Path: \\\\CM01\\Sources$\\OSD\\DriverPackages\\Windows 10 x64\\HP EliteBook 8560w
**Note**  
The package path does not yet exist, so you have to type it in. The wizard will create the new package in that folder.
>[!NOTE]  
>The package path does not yet exist, so you have to type it in. The wizard will create the new package in that folder.
   
5. On the **Select drivers to include in the boot image** page, do not select anything, and click **Next** twice. After the package has been created, click **Close**. 5. On the **Select drivers to include in the boot image** page, do not select anything, and click **Next** twice. After the package has been created, click **Close**.
**Note**   >[!NOTE]  
If you want to monitor the driver import process more closely, you can open the SMSProv.log file during driver import. >If you want to monitor the driver import process more closely, you can open the SMSProv.log file during driver import.
  ![Drivers imported and a new driver package created](images/mdt-06-fig26.png "Drivers imported and a new driver package created")
![figure 23](images/mdt-06-fig26.png) *Figure 23. Drivers imported and a new driver package created*
Figure 23. Drivers imported and a new driver package created.
## Related topics ## Related topics

1
windows/deploy/assign-applications-using-roles-in-mdt-2013.md
View File

@ -5,6 +5,7 @@ ms.assetid: d82902e4-de9c-4bc4-afe0-41d649b83ce7
keywords: settings, database, deploy keywords: settings, database, deploy
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library ms.sitesec: library
ms.pagetype: mdt ms.pagetype: mdt
author: mtniehaus author: mtniehaus

3
windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md
View File

@ -5,6 +5,7 @@ ms.assetid: a6cd5657-6a16-4fff-bfb4-44760902d00c
keywords: replication, replicate, deploy, configure, remote keywords: replication, replicate, deploy, configure, remote
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library ms.sitesec: library
ms.pagetype: mdt ms.pagetype: mdt
author: mtniehaus author: mtniehaus
@ -76,6 +77,7 @@ Setting up DFS-R for replication is a quick and straightforward process. You pre
![figure 3](images/mdt-10-fig03.png) ![figure 3](images/mdt-10-fig03.png)
Figure 3. Sharing the **E:\\MDTProduction folder** on MDT02. Figure 3. Sharing the **E:\\MDTProduction folder** on MDT02.
### Configure the deployment share ### Configure the deployment share
When you have multiple deployment servers sharing the same content, you need to configure the Bootstrap.ini file with information about which server to connect to based on where the client is located. In MDT, that can be done by using the DefaultGateway property. When you have multiple deployment servers sharing the same content, you need to configure the Bootstrap.ini file with information about which server to connect to based on where the client is located. In MDT, that can be done by using the DefaultGateway property.
@ -146,6 +148,7 @@ Once the MDT01 and MDT02 servers are prepared, you are ready to configure the ac
1. In the **Staging** tab, set the quota to **20480 MB**. 1. In the **Staging** tab, set the quota to **20480 MB**.
2. In the **Advanced** tab, set the quota to **8192 MB**. 2. In the **Advanced** tab, set the quota to **8192 MB**.
In this scenario the size of the deployment share is known, but you might need to change the values for your environment. A good rule of thumb is to get the size of the 16 largest files and make sure they fit in the staging area. Here is a Windows PowerShell example that calculates the size of the 16 largest files in the E:\\MDTProduction deployment share: In this scenario the size of the deployment share is known, but you might need to change the values for your environment. A good rule of thumb is to get the size of the 16 largest files and make sure they fit in the staging area. Here is a Windows PowerShell example that calculates the size of the 16 largest files in the E:\\MDTProduction deployment share:
``` syntax ``` syntax
(Get-ChildItem E:\MDTProduction -Recurse | Sort-Object Length -Descending | Select-Object -First 16 | Measure-Object -Property Length -Sum).Sum /1GB (Get-ChildItem E:\MDTProduction -Recurse | Sort-Object Length -Descending | Select-Object -First 16 | Measure-Object -Property Length -Sum).Sum /1GB
``` ```

1
windows/deploy/configure-a-pxe-server-to-load-windows-pe.md
View File

@ -4,6 +4,7 @@ description: This topic describes how to configure a PXE server to load Windows
keywords: upgrade, update, windows, windows 10, pxe, WinPE, image, wim keywords: upgrade, update, windows, windows 10, pxe, WinPE, image, wim
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library ms.sitesec: library
ms.pagetype: deploy ms.pagetype: deploy
author: greg-lindsay author: greg-lindsay

1
windows/deploy/configure-mdt-2013-for-userexit-scripts.md
View File

@ -5,6 +5,7 @@ ms.assetid: 29a421d1-12d2-414e-86dc-25b62f5238a7
keywords: rules, script keywords: rules, script
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library ms.sitesec: library
ms.pagetype: mdt ms.pagetype: mdt
author: mtniehaus author: mtniehaus

1
windows/deploy/configure-mdt-2013-settings.md
View File

@ -5,6 +5,7 @@ ms.assetid: d3e1280c-3d1b-4fad-8ac4-b65dc711f122
keywords: customize, customization, deploy, features, tools keywords: customize, customization, deploy, features, tools
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library ms.sitesec: library
ms.pagetype: mdt ms.pagetype: mdt
author: mtniehaus author: mtniehaus

1
windows/deploy/configure-mdt-deployment-share-rules.md
View File

@ -5,6 +5,7 @@ ms.assetid: b5ce2360-33cc-4b14-b291-16f75797391b
keywords: rules, configuration, automate, deploy keywords: rules, configuration, automate, deploy
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library ms.sitesec: library
ms.pagetype: mdt ms.pagetype: mdt
author: mtniehaus author: mtniehaus

1
windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
View File

@ -5,6 +5,7 @@ ms.assetid: b9e96974-324d-4fa4-b0ce-33cfc49c4809
keywords: tool, customize, deploy, boot image keywords: tool, customize, deploy, boot image
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library ms.sitesec: library
author: mtniehaus author: mtniehaus
--- ---

75
windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md
View File

@ -5,6 +5,7 @@ ms.assetid: 0b069bec-5be8-47c6-bf64-7a630f41ac98
keywords: deploy, upgrade, task sequence, install keywords: deploy, upgrade, task sequence, install
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
localizationpriority: high
ms.pagetype: mdt ms.pagetype: mdt
ms.sitesec: library ms.sitesec: library
author: mtniehaus author: mtniehaus
@ -24,7 +25,7 @@ For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is
## <a href="" id="sec01"></a>Create a task sequence using the MDT Integration Wizard ## <a href="" id="sec01"></a>Create a task sequence using the MDT Integration Wizard
This section will walk you through the process of creating a System Center 2012 R2 Configuration Manager task sequence for production use. This section walks you through the process of creating a System Center 2012 R2 Configuration Manager task sequence for production use.
1. On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**. 1. On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**.
@ -32,27 +33,27 @@ This section will walk you through the process of creating a System Center 2012
3. On the **General** page, assign the following settings and then click **Next**: 3. On the **General** page, assign the following settings and then click **Next**:
1. Task sequence name: Windows 10 Enterprise x64 RTM * Task sequence name: Windows 10 Enterprise x64 RTM
2. Task sequence comments: Production image with Office 2013 * Task sequence comments: Production image with Office 2013
4. On the **Details** page, assign the following settings and then click **Next**: 4. On the **Details** page, assign the following settings and then click **Next**:
1. Join a Domain * Join a Domain
2. Domain: contoso.com * Domain: contoso.com
1. Account: CONTOSO\\CM\_JD * Account: CONTOSO\\CM\_JD
2. Password: Passw0rd! * Password: Passw0rd!
3. Windows Settings * Windows Settings
1. User name: Contoso * User name: Contoso
2. Organization name: Contoso * Organization name: Contoso
3. Product key: &lt;blank&gt; * Product key: &lt;blank&gt;
5. On the **Capture Settings** page, accept the default settings, and click **Next**. 5. On the **Capture Settings** page, accept the default settings, and click **Next**.
@ -87,12 +88,10 @@ After you create the task sequence, we recommend that you configure the task seq
2. In the **Install** group, select the **Set Variable for Drive Letter** action and configure the following: 2. In the **Install** group, select the **Set Variable for Drive Letter** action and configure the following:
- OSDPreserveDriveLetter: True * OSDPreserveDriveLetter: True
**Note**   >[!NOTE]  
If you don't change this value, your Windows installation will end up in E:\\Windows. >If you don't change this value, your Windows installation will end up in E:\\Windows.
 
3. In the **Post Install** group, select **Apply Network Settings**, and configure the Domain OU value to use the **Contoso / Workstations** OU (browse for values). 3. In the **Post Install** group, select **Apply Network Settings**, and configure the Domain OU value to use the **Contoso / Workstations** OU (browse for values).
@ -102,57 +101,55 @@ After you create the task sequence, we recommend that you configure the task seq
6. After the **Post Install / Drivers** group, add an **Apply Driver Package** action with the following settings: 6. After the **Post Install / Drivers** group, add an **Apply Driver Package** action with the following settings:
1. Name: HP EliteBook 8560w * Name: HP EliteBook 8560w
2. Driver Package: Windows 10 x64 - HP EliteBook 8560w * Driver Package: Windows 10 x64 - HP EliteBook 8560w
3. Options: Task Sequence Variable: Model equals HP EliteBook 8560w * Options: Task Sequence Variable: Model equals HP EliteBook 8560w
**Note**   >[!NOTE]  
You also can add a Query WMI condition with the following query: SELECT \* FROM Win32\_ComputerSystem WHERE Model LIKE '%HP EliteBook 8560w%' >You also can add a Query WMI condition with the following query: SELECT \* FROM Win32\_ComputerSystem WHERE Model LIKE '%HP EliteBook 8560w%'
  ![Driver package options](images/fig27-driverpackage.png "Driver package options")
![figure 24](images/fig27-driverpackage.png) *Figure 24. The driver package options*
Figure 24. The driver package options.
7. In the **State Restore / Install Applications** group, select the **Install Application** action. 7. In the **State Restore / Install Applications** group, select the **Install Application** action.
8. Select the **Install the following applications** option, and add the OSD / Adobe Reader XI - OSD Install application to the list. 8. Select the **Install the following applications** option, and add the OSD / Adobe Reader XI - OSD Install application to the list.
![figure 25](images/fig28-addapp.png) ![Add an application to the task sequence](images/fig28-addapp.png "Add an application to the task sequence")
Figure 25. Add an application to the Configuration Manager task sequence. *Figure 25. Add an application to the Configuration Manager task sequence*
9. In the **State Restore** group, after the **Set Status 5** action, add a **Request State Store** action with the following settings: 9. In the **State Restore** group, after the **Set Status 5** action, add a **Request State Store** action with the following settings:
1. Restore state from another computer * Restore state from another computer
2. If computer account fails to connect to state store, use the Network Access account * If computer account fails to connect to state store, use the Network Access account
3. Options: Continue on error * Options: Continue on error
4. Options / Condition: * Options / Condition:
1. Task Sequence Variable * Task Sequence Variable
2. USMTLOCAL not equals True * USMTLOCAL not equals True
10. In the **State Restore** group, after the **Restore User State** action, add a **Release State Store** action with the following settings: 10. In the **State Restore** group, after the **Restore User State** action, add a **Release State Store** action with the following settings:
1. Options: Continue on error * Options: Continue on error
2. Options / Condition: * Options / Condition:
1. Task Sequence Variable * Task Sequence Variable
2. USMTLOCAL not equals True * USMTLOCAL not equals True
11. Click **OK**. 11. Click **OK**.
**Note**   >[!NOTE]  
The Request State Store and Release State Store actions need to be added for common computer replace scenarios. >The Request State Store and Release State Store actions need to be added for common computer replace scenarios.
   

11
windows/deploy/create-a-windows-10-reference-image.md
View File

@ -5,6 +5,7 @@ ms.assetid: 9da2fb57-f2ff-4fce-a858-4ae4c237b5aa
keywords: deploy, deployment, configure, customize, install, installation keywords: deploy, deployment, configure, customize, install, installation
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library ms.sitesec: library
ms.pagetype: mdt ms.pagetype: mdt
author: mtniehaus author: mtniehaus
@ -164,6 +165,7 @@ You also can customize the Office installation using a Config.xml file. But we r
If you need to add many applications, you can take advantage of the PowerShell support that MDT has. To start using PowerShell against the deployment share, you must first load the MDT PowerShell snap-in and then make the deployment share a PowerShell drive (PSDrive). If you need to add many applications, you can take advantage of the PowerShell support that MDT has. To start using PowerShell against the deployment share, you must first load the MDT PowerShell snap-in and then make the deployment share a PowerShell drive (PSDrive).
1. On MDT01, log on as **CONTOSO\\Administrator**. 1. On MDT01, log on as **CONTOSO\\Administrator**.
2. Import the snap-in and create the PSDrive by running the following commands in an elevated PowerShell prompt: 2. Import the snap-in and create the PSDrive by running the following commands in an elevated PowerShell prompt:
``` syntax ``` syntax
Import-Topic "C:\Program Files\Microsoft Deployment Toolkit\bin\MicrosoftDeploymentToolkit.psd1" Import-Topic "C:\Program Files\Microsoft Deployment Toolkit\bin\MicrosoftDeploymentToolkit.psd1"
New-PSDrive -Name "DS001" -PSProvider MDTProvider -Root "E:\MDTBuildLab" New-PSDrive -Name "DS001" -PSProvider MDTProvider -Root "E:\MDTBuildLab"
@ -173,7 +175,9 @@ If you need to add many applications, you can take advantage of the PowerShell s
In these steps we assume that you have downloaded Microsoft Visual C++ 2005 SP1 x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2005SP1x86. In these steps we assume that you have downloaded Microsoft Visual C++ 2005 SP1 x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2005SP1x86.
1. On MDT01, log on as **CONTOSO\\Administrator**. 1. On MDT01, log on as **CONTOSO\\Administrator**.
2. Create the application by running the following commands in an elevated PowerShell prompt: 2. Create the application by running the following commands in an elevated PowerShell prompt:
``` syntax ``` syntax
$ApplicationName = "Install - Microsoft Visual C++ 2005 SP1 - x86" $ApplicationName = "Install - Microsoft Visual C++ 2005 SP1 - x86"
$CommandLine = "vcredist_x86.exe /Q" $CommandLine = "vcredist_x86.exe /Q"
@ -187,6 +191,7 @@ In these steps we assume that you have downloaded Microsoft Visual C++ 2005 SP1
In these steps we assume that you have downloaded Microsoft Visual C++ 2005 SP1 x64. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2005SP1x64. In these steps we assume that you have downloaded Microsoft Visual C++ 2005 SP1 x64. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2005SP1x64.
1. On MDT01, log on as **CONTOSO\\Administrator**. 1. On MDT01, log on as **CONTOSO\\Administrator**.
2. Create the application by running the following commands in an elevated PowerShell prompt: 2. Create the application by running the following commands in an elevated PowerShell prompt:
``` syntax ``` syntax
$ApplicationName = "Install - Microsoft Visual C++ 2005 SP1 - x64" $ApplicationName = "Install - Microsoft Visual C++ 2005 SP1 - x64"
$CommandLine = "vcredist_x64.exe /Q" $CommandLine = "vcredist_x64.exe /Q"
@ -200,6 +205,7 @@ In these steps we assume that you have downloaded Microsoft Visual C++ 2005 SP1
In these steps we assume that you have downloaded Microsoft Visual C++ 2008 SP1 x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2008SP1x86. In these steps we assume that you have downloaded Microsoft Visual C++ 2008 SP1 x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2008SP1x86.
1. On MDT01, log on as **CONTOSO\\Administrator**. 1. On MDT01, log on as **CONTOSO\\Administrator**.
2. Create the application by running the following commands in an elevated PowerShell prompt: 2. Create the application by running the following commands in an elevated PowerShell prompt:
``` syntax ``` syntax
$ApplicationName = "Install - Microsoft Visual C++ 2008 SP1 - x86" $ApplicationName = "Install - Microsoft Visual C++ 2008 SP1 - x86"
$CommandLine = "vcredist_x86.exe /Q" $CommandLine = "vcredist_x86.exe /Q"
@ -213,6 +219,7 @@ In these steps we assume that you have downloaded Microsoft Visual C++ 2008 SP1
In these steps we assume that you have downloaded Microsoft Visual C++ 2008 SP1 x64. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2008SP1x64. In these steps we assume that you have downloaded Microsoft Visual C++ 2008 SP1 x64. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2008SP1x64.
1. On MDT01, log on as **CONTOSO\\Administrator**. 1. On MDT01, log on as **CONTOSO\\Administrator**.
2. Create the application by running the following commands in an elevated PowerShell prompt: 2. Create the application by running the following commands in an elevated PowerShell prompt:
``` syntax ``` syntax
$ApplicationName = "Install - Microsoft Visual C++ 2008 SP1 - x64" $ApplicationName = "Install - Microsoft Visual C++ 2008 SP1 - x64"
$CommandLine = "vcredist_x64.exe /Q" $CommandLine = "vcredist_x64.exe /Q"
@ -226,6 +233,7 @@ In these steps we assume that you have downloaded Microsoft Visual C++ 2008 SP1
In these steps we assume that you have downloaded Microsoft Visual C++ 2010 SP1 x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2010SP1x86. In these steps we assume that you have downloaded Microsoft Visual C++ 2010 SP1 x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2010SP1x86.
1. On MDT01, log on as **CONTOSO\\Administrator**. 1. On MDT01, log on as **CONTOSO\\Administrator**.
2. Create the application by running the following commands in an elevated PowerShell prompt: 2. Create the application by running the following commands in an elevated PowerShell prompt:
``` syntax ``` syntax
$ApplicationName = "Install - Microsoft Visual C++ 2010 SP1 - x86" $ApplicationName = "Install - Microsoft Visual C++ 2010 SP1 - x86"
$CommandLine = "vcredist_x86.exe /Q" $CommandLine = "vcredist_x86.exe /Q"
@ -239,6 +247,7 @@ In these steps we assume that you have downloaded Microsoft Visual C++ 2010 SP1
In these steps we assume that you have downloaded Microsoft Visual C++ 2010 SP1 x64. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2010SP1x64. In these steps we assume that you have downloaded Microsoft Visual C++ 2010 SP1 x64. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2010SP1x64.
1. On MDT01, log on as **CONTOSO\\Administrator**. 1. On MDT01, log on as **CONTOSO\\Administrator**.
2. Create the application by running the following commands in an elevated PowerShell prompt: 2. Create the application by running the following commands in an elevated PowerShell prompt:
``` syntax ``` syntax
$ApplicationName = "Install - Microsoft Visual C++ 2010 SP1 - x64" $ApplicationName = "Install - Microsoft Visual C++ 2010 SP1 - x64"
$CommandLine = "vcredist_x64.exe /Q" $CommandLine = "vcredist_x64.exe /Q"
@ -252,6 +261,7 @@ In these steps we assume that you have downloaded Microsoft Visual C++ 2010 SP1
In these steps we assume that you have downloaded Microsoft Visual C++ 2012 Update 4 x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2012Ux86. In these steps we assume that you have downloaded Microsoft Visual C++ 2012 Update 4 x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2012Ux86.
1. On MDT01, log on as **CONTOSO\\Administrator**. 1. On MDT01, log on as **CONTOSO\\Administrator**.
2. Create the application by running the following commands in an elevated PowerShell prompt: 2. Create the application by running the following commands in an elevated PowerShell prompt:
``` syntax ``` syntax
$ApplicationName = "Install - Microsoft Visual C++ 2012 Update 4 - x86" $ApplicationName = "Install - Microsoft Visual C++ 2012 Update 4 - x86"
$CommandLine = "vcredist_x86.exe /Q" $CommandLine = "vcredist_x86.exe /Q"
@ -265,6 +275,7 @@ In these steps we assume that you have downloaded Microsoft Visual C++ 2012 Upda
In these steps we assume that you have downloaded Microsoft Visual C++ 2012 Update 4 x64. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2012Ux64. In these steps we assume that you have downloaded Microsoft Visual C++ 2012 Update 4 x64. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2012Ux64.
1. On MDT01, log on as **CONTOSO\\Administrator**. 1. On MDT01, log on as **CONTOSO\\Administrator**.
2. Create the application by running the following commands in an elevated PowerShell prompt: 2. Create the application by running the following commands in an elevated PowerShell prompt:
``` syntax ``` syntax
$ApplicationName = "Install - Microsoft Visual C++ 2012 Update 4 - x64" $ApplicationName = "Install - Microsoft Visual C++ 2012 Update 4 - x64"
$CommandLine = "vcredist_x64.exe /Q" $CommandLine = "vcredist_x64.exe /Q"

32
windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
View File

@ -4,7 +4,9 @@ description: Microsoft System Center 2012 R2 Configuration Manager supports depl
ms.assetid: 2dfb2f39-1597-4999-b4ec-b063e8a8c90c ms.assetid: 2dfb2f39-1597-4999-b4ec-b063e8a8c90c
keywords: deployment, task sequence, custom, customize keywords: deployment, task sequence, custom, customize
ms.prod: w10 ms.prod: w10
localizationpriority: high
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library ms.sitesec: library
author: mtniehaus author: mtniehaus
--- ---
@ -20,15 +22,13 @@ Microsoft System Center 2012 R2 Configuration Manager supports deploying applica
For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md). For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
**Note**   >[!NOTE]  
Even though the new application model is fully supported to deploy via the task sequence, the most reliable way to deploy software via the task sequence is still the legacy packages, especially if you deploy many applications. >Even though the new application model is fully supported to deploy via the task sequence, the most reliable way to deploy software via the task sequence is still the legacy packages, especially if you deploy many applications.
 
## Example: Create the Adobe Reader XI application ## Example: Create the Adobe Reader XI application
The steps below show you how to create the Adobe Reader XI application. This section assumes that you have downloaded the MSI version of Adobe Reader XI to the C:\\Setup\\Adobe Reader XI folder on CM01. The following steps show you how to create the Adobe Reader XI application. This section assumes that you have downloaded the MSI version of Adobe Reader XI to the C:\\Setup\\Adobe Reader XI folder on CM01.
1. On CM01, using File Explorer, copy the **C:\\Setup\\Adobe Reader XI** folder to the **E:\\Sources\\Software\\Adobe** folder. 1. On CM01, using File Explorer, copy the **C:\\Setup\\Adobe Reader XI** folder to the **E:\\Sources\\Software\\Adobe** folder.
@ -40,17 +40,17 @@ The steps below show you how to create the Adobe Reader XI application. This sec
5. In the Create Application Wizard, on the **General** page, use the following settings: 5. In the Create Application Wizard, on the **General** page, use the following settings:
1. Automatically detect information about this application from installation files * Automatically detect information about this application from installation files
2. Type: Windows Installer (\*.msi file) * Type: Windows Installer (\*.msi file)
3. Location: \\\\CM01\\Sources$\\Software\\Adobe\\Adobe Reader XI * Location: \\\\CM01\\Sources$\\Software\\Adobe\\Adobe Reader XI
4. \\AdbeRdr11000\_en\_US.msi * \\AdbeRdr11000\_en\_US.msi
![figure 19](images/mdt-06-fig20.png) ![The Create Application Wizard](images/mdt-06-fig20.png "The Create Application Wizard")
Figure 19. The Create Application Wizard. *Figure 19. The Create Application Wizard*
6. Click **Next**, and wait while Configuration Manager parses the MSI file. 6. Click **Next**, and wait while Configuration Manager parses the MSI file.
@ -58,14 +58,12 @@ The steps below show you how to create the Adobe Reader XI application. This sec
8. On the **General Information** page, name the application Adobe Reader XI - OSD Install, click **Next** twice, and then click **Close**. 8. On the **General Information** page, name the application Adobe Reader XI - OSD Install, click **Next** twice, and then click **Close**.
**Note**   >[!NOTE]
Since it is not possible to reference an application deployment type in the task sequence, you should have a single deployment type for applications deployed by the task sequence. If you are deploying applications via both the task sequence and normal application deployment, and you have multiple deployment types, you should have two applications of the same software. In this section, you add the "OSD Install" suffix to applications that are deployed via the task sequence. If using packages, you can still reference both package and program in the task sequence. >Because it is not possible to reference an application deployment type in the task sequence, you should have a single deployment type for applications deployed by the task sequence. If you are deploying applications via both the task sequence and normal application deployment, and you have multiple deployment types, you should have two applications of the same software. In this section, you add the "OSD Install" suffix to applications that are deployed via the task sequence. If using packages, you can still reference both package and program in the task sequence.
  ![Add the OSD Install suffix to the application name](images/mdt-06-fig21.png "Add the OSD Install suffix to the application name")
![figure 20](images/mdt-06-fig21.png) *Figure 20. Add the "OSD Install" suffix to the application name*
Figure 20. Add the "OSD Install" suffix to the application name.
9. In the **Applications** node, select the Adobe Reader XI - OSD Install application, and click **Properties** on the ribbon bar. 9. In the **Applications** node, select the Adobe Reader XI - OSD Install application, and click **Properties** on the ribbon bar.

3
windows/deploy/deploy-a-windows-10-image-using-mdt.md
View File

@ -5,6 +5,7 @@ ms.assetid: 1d70a3d8-1b1d-4051-b656-c0393a93f83c
keywords: deployment, automate, tools, configure keywords: deployment, automate, tools, configure
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library ms.sitesec: library
ms.pagetype: mdt ms.pagetype: mdt
author: mtniehaus author: mtniehaus
@ -304,6 +305,7 @@ In this section, you will learn how to configure the MDT Build Lab deployment sh
2. CustomSettings.ini 2. CustomSettings.ini
2. Right-click the **MDT Production** deployment share and select **Properties**. 2. Right-click the **MDT Production** deployment share and select **Properties**.
3. Select the **Rules** tab and modify using the following information: 3. Select the **Rules** tab and modify using the following information:
``` syntax ``` syntax
[Settings] [Settings]
Priority=Default Priority=Default
@ -340,6 +342,7 @@ In this section, you will learn how to configure the MDT Build Lab deployment sh
SkipFinalSummary=NO SkipFinalSummary=NO
``` ```
4. Click **Edit Bootstrap.ini** and modify using the following information: 4. Click **Edit Bootstrap.ini** and modify using the following information:
``` syntax ``` syntax
[Settings] [Settings]
Priority=Default Priority=Default

1
windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md
View File

@ -5,6 +5,7 @@ ms.assetid: fb93f514-5b30-4f4b-99dc-58e6860009fa
keywords: deployment, image, UEFI, task sequence keywords: deployment, image, UEFI, task sequence
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library ms.sitesec: library
author: mtniehaus author: mtniehaus
--- ---

1
windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md
View File

@ -4,6 +4,7 @@ description: If you have Microsoft System Center 2012 R2 Configuration Manager
ms.assetid: eacd7b7b-dde0-423d-97cd-29bde9e8b363 ms.assetid: eacd7b7b-dde0-423d-97cd-29bde9e8b363
keywords: deployment, custom, boot keywords: deployment, custom, boot
ms.prod: w10 ms.prod: w10
localizationpriority: high
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
author: mtniehaus author: mtniehaus

2
windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md
View File

@ -5,7 +5,9 @@ ms.assetid: 837f009c-617e-4b3f-9028-2246067ee0fb
keywords: deploy, tools, configure, script keywords: deploy, tools, configure, script
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library ms.sitesec: library
localizationpriority: high
author: mtniehaus author: mtniehaus
ms.pagetype: mdt ms.pagetype: mdt
--- ---

47
windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
View File

@ -4,6 +4,7 @@ description: This topic walks you through the steps to finalize the configuratio
ms.assetid: 38b55fa8-e717-4689-bd43-8348751d493e ms.assetid: 38b55fa8-e717-4689-bd43-8348751d493e
keywords: configure, deploy, upgrade keywords: configure, deploy, upgrade
ms.prod: w10 ms.prod: w10
localizationpriority: high
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
author: mtniehaus author: mtniehaus
@ -27,19 +28,19 @@ This section will walk you through the process of creating the E:\\MDTProduction
1. On CM01, using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. Use the following settings for the New Deployment Share Wizard: 1. On CM01, using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. Use the following settings for the New Deployment Share Wizard:
1. Deployment share path: E:\\MDTProduction * Deployment share path: E:\\MDTProduction
2. Share name: MDTProduction$ * Share name: MDTProduction$
3. Deployment share description: MDT Production * Deployment share description: MDT Production
4. Options: &lt;default settings&gt; * Options: &lt;default settings&gt;
2. Right-click the **MDT Production** deployment share, and select **Properties**. In the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box, and click **OK**. 2. Right-click the **MDT Production** deployment share, and select **Properties**. In the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box, and click **OK**.
![figure 26](images/mdt-06-fig31.png) ![Enable MDT monitoring for Configuration Manager](images/mdt-06-fig31.png)
Figure 26. Enabling MDT monitoring for Configuration Manager. *Figure 26. Enable MDT monitoring for Configuration Manager*
## <a href="" id="sec02"></a>Create and share the Logs folder ## <a href="" id="sec02"></a>Create and share the Logs folder
@ -81,14 +82,14 @@ This section will show you how to configure the rules (the Windows 10 x64 Settin
ApplyGPOPack=NO ApplyGPOPack=NO
``` ```
![figure 27](images/fig30-settingspack.png) ![Settings package during deployment](images/fig30-settingspack.png)
Figure 27. The Settings package, holding the rules and the Unattend.xml template used during deployment *Figure 27. The Settings package, holding the rules and the Unattend.xml template used during deployment*
3. Update the distribution point for the **Windows 10 x64 Settings** package by right-clicking the **Windows 10 x64 Settings** package and selecting **Update Distribution Points**. 3. Update the distribution point for the **Windows 10 x64 Settings** package by right-clicking the **Windows 10 x64 Settings** package and selecting **Update Distribution Points**.
**Note**   >[!NOTE]  
Although you have not yet added a distribution point, you still need to select Update Distribution Points. That process also updates the Configuration Manager 2012 content library with changes. >Although you have not yet added a distribution point, you still need to select Update Distribution Points. That process also updates the Configuration Manager 2012 content library with changes.
   
@ -114,13 +115,13 @@ This sections provides steps to help you create a deployment for the task sequen
3. On the **Deployment Settings** page, use the following settings and then click **Next**: 3. On the **Deployment Settings** page, use the following settings and then click **Next**:
1. Purpose: Available * Purpose: Available
2. Make available to the following: Only media and PXE * Make available to the following: Only media and PXE
![figure 28](images/mdt-06-fig33.png) ![Configure the deployment settings](images/mdt-06-fig33.png)
Figure 28. Configure the deployment settings. *Figure 28. Configure the deployment settings*
4. On the **Scheduling** page, accept the default settings and click **Next**. 4. On the **Scheduling** page, accept the default settings and click **Next**.
@ -130,9 +131,9 @@ This sections provides steps to help you create a deployment for the task sequen
7. On the **Distribution Points** page, accept the default settings, click **Next** twice, and then click **Close**. 7. On the **Distribution Points** page, accept the default settings, click **Next** twice, and then click **Close**.
![figure 29](images/fig32-deploywiz.png) ![Task sequence deployed](images/fig32-deploywiz.png)
Figure 29. The Windows 10 Enterprise x64 RTM task sequence deployed to the All Unknown Computers collections available for media and PXE. *Figure 29. The Windows 10 Enterprise x64 RTM task sequence deployed to the All Unknown Computers collections available for media and PXE*
## <a href="" id="sec06"></a>Configure Configuration Manager to prompt for the computer name during deployment (optional) ## <a href="" id="sec06"></a>Configure Configuration Manager to prompt for the computer name during deployment (optional)
@ -145,20 +146,18 @@ This section provides steps to help you configure the All Unknown Computers coll
2. In the **Collection Variables** tab, create a new variable with the following settings: 2. In the **Collection Variables** tab, create a new variable with the following settings:
1. Name: OSDComputerName * Name: OSDComputerName
2. Clear the **Do not display this value in the Configuration Manager console** check box. * Clear the **Do not display this value in the Configuration Manager console** check box.
3. Click **OK**. 3. Click **OK**.
**Note**   >[!NOTE]  
Configuration Manager can prompt for information in many ways. Using a collection variable with an empty value is just one of them. Another option is the User-Driven Installation (UDI) wizard. >Configuration Manager can prompt for information in many ways. Using a collection variable with an empty value is just one of them. Another option is the User-Driven Installation (UDI) wizard.
  ![Configure a collection variable](images/mdt-06-fig35.png)
![figure 30](images/mdt-06-fig35.png) *Figure 30. Configure a collection variable*
Figure 30. Configure a collection variable.
## Related topics ## Related topics

1
windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md
View File

@ -5,6 +5,7 @@ ms.assetid: a256442c-be47-4bb9-a105-c831f58ce3ee
keywords: deploy, image, feature, install, tools keywords: deploy, image, feature, install, tools
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library ms.sitesec: library
ms.pagetype: mdt ms.pagetype: mdt
author: mtniehaus author: mtniehaus

BIN
windows/deploy/images/convert.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 14 KiB

BIN
windows/deploy/images/download_vhd.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 10 KiB

BIN
windows/deploy/images/installing-drivers.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 30 KiB

BIN
windows/deploy/images/svr_mgr2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 61 KiB

3
windows/deploy/integrate-configuration-manager-with-mdt-2013.md
View File

@ -5,6 +5,7 @@ ms.assetid: 3bd1cf92-81e5-48dc-b874-0f5d9472e5a5
ms.pagetype: mdt ms.pagetype: mdt
keywords: deploy, image, customize, task sequence keywords: deploy, image, customize, task sequence
ms.prod: w10 ms.prod: w10
localizationpriority: high
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
author: mtniehaus author: mtniehaus
@ -28,6 +29,7 @@ When MDT is integrated with Configuration Manager, the task sequence takes addit
The task sequence uses instructions that allow you to reduce the number of task sequences in Configuration Manager and instead store settings outside the task sequence. Here are a few examples: The task sequence uses instructions that allow you to reduce the number of task sequences in Configuration Manager and instead store settings outside the task sequence. Here are a few examples:
- The following settings instruct the task sequence to install the HP Hotkeys package, but only if the hardware is a HP EliteBook 8570w. Note that you don't have to add the package to the task sequence. - The following settings instruct the task sequence to install the HP Hotkeys package, but only if the hardware is a HP EliteBook 8570w. Note that you don't have to add the package to the task sequence.
``` syntax ``` syntax
[Settings] [Settings]
Priority=Model Priority=Model
@ -35,6 +37,7 @@ The task sequence uses instructions that allow you to reduce the number of task
Packages001=PS100010:Install HP Hotkeys Packages001=PS100010:Install HP Hotkeys
``` ```
- The following settings instruct the task sequence to put laptops and desktops in different organizational units (OUs) during deployment, assign different computer names, and finally have the task sequence install the Cisco VPN client, but only if the machine is a laptop. - The following settings instruct the task sequence to put laptops and desktops in different organizational units (OUs) during deployment, assign different computer names, and finally have the task sequence install the Cisco VPN client, but only if the machine is a laptop.
``` syntax ``` syntax
[Settings] [Settings]
Priority= ByLaptopType, ByDesktopType Priority= ByLaptopType, ByDesktopType

1
windows/deploy/key-features-in-mdt-2013.md
View File

@ -5,6 +5,7 @@ ms.assetid: 858e384f-e9db-4a93-9a8b-101a503e4868
keywords: deploy, feature, tools, upgrade, migrate, provisioning keywords: deploy, feature, tools, upgrade, migrate, provisioning
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library ms.sitesec: library
ms.pagetype: mdt ms.pagetype: mdt
author: mtniehaus author: mtniehaus

1
windows/deploy/mdt-2013-lite-touch-components.md
View File

@ -5,6 +5,7 @@ ms.assetid: 7d6fc159-e338-439e-a2e6-1778d0da9089
keywords: deploy, install, deployment, boot, log, monitor keywords: deploy, install, deployment, boot, log, monitor
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library ms.sitesec: library
ms.pagetype: mdt ms.pagetype: mdt
author: mtniehaus author: mtniehaus

25
windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md
View File

@ -5,6 +5,7 @@ ms.assetid: 4863c6aa-6369-4171-8e1a-b052ca195fce
keywords: deploy, upgrade keywords: deploy, upgrade
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library ms.sitesec: library
author: mtniehaus author: mtniehaus
--- ---
@ -24,32 +25,28 @@ To monitor an operating system deployment conducted through System Center 2012 R
1. On CM01, using the Deployment Workbench, expand **MDT Production**, and use the **Monitoring** node to view the deployment process (press **F5** to refresh). 1. On CM01, using the Deployment Workbench, expand **MDT Production**, and use the **Monitoring** node to view the deployment process (press **F5** to refresh).
**Note**   >[!NOTE]
It takes a little while for the task sequence to start reporting monitor information, so if PC0001 does not appear when you press F5 the first time, wait 20 seconds and try again. >It takes a little while for the task sequence to start reporting monitor information, so if PC0001 does not appear when you press F5 the first time, wait 20 seconds and try again.
  ![PC0001 being deployed by Configuration Manager](images/mdt-06-fig39.png)
![figure 33](images/mdt-06-fig39.png) *Figure 33. PC0001 being deployed by Configuration Manager*
Figure 33. PC0001 being deployed by Configuration Manager.
2. When you see the PC0001 entry, double-click **PC0001**, and then click **DaRT Remote Control** and review the **Remote Control** option. 2. When you see the PC0001 entry, double-click **PC0001**, and then click **DaRT Remote Control** and review the **Remote Control** option.
3. The task sequence will now run and do the following: 3. The task sequence will now run and do the following:
1. Install the Windows 10 operating system. * Install the Windows 10 operating system.
2. Install the Configuration Manager client and the client hotfix. * Install the Configuration Manager client and the client hotfix.
3. Join the machine to the domain. * Join the machine to the domain.
4. Install the application added to the task sequence. * Install the application added to the task sequence.
**Note**  
You also can use the built-in reports to get information about ongoing deployments. For example, a task sequence report gives you a quick overview of the task sequence progress.
>[!NOTE]
>You also can use the built-in reports to get information about ongoing deployments. For example, a task sequence report gives you a quick overview of the task sequence progress.
   
4. If time permits, allow the deployment of PC0001 to complete. Then log in as Administrator in the CONTOSO domain and verify that Adobe Reader XI was installed. 4. If time permits, allow the deployment of PC0001 to complete. Then log in as Administrator in the CONTOSO domain and verify that Adobe Reader XI was installed.
## Related topics ## Related topics

1
windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md
View File

@ -5,6 +5,7 @@ ms.assetid: 5103c418-0c61-414b-b93c-a8e8207d1226
keywords: deploy, system requirements keywords: deploy, system requirements
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library ms.sitesec: library
ms.pagetype: mdt ms.pagetype: mdt
author: mtniehaus author: mtniehaus

2
windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
View File

@ -4,7 +4,9 @@ description: This topic will walk you through the process of integrating Microso
ms.assetid: 06e3a221-31ef-47a5-b4da-3b927cb50d08 ms.assetid: 06e3a221-31ef-47a5-b4da-3b927cb50d08
keywords: install, configure, deploy, deployment keywords: install, configure, deploy, deployment
ms.prod: w10 ms.prod: w10
localizationpriority: high
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library ms.sitesec: library
author: mtniehaus author: mtniehaus
--- ---

10
windows/deploy/provision-pcs-with-apps-and-certificates.md
View File

@ -76,10 +76,18 @@ Universal apps that you can distribute in the provisioning package can be line-o
![required frameworks for offline app package](images/uwp-dependencies.png) ![required frameworks for offline app package](images/uwp-dependencies.png)
5. For **DeviceContextAppLicense**, enter the **LicenseProductID**. In Windows Store for Business, you generate the license for the app on the app's download page. 5. For **DeviceContextAppLicense**, enter the **LicenseProductID**.
- In Windows Store for Business, generate the unencoded license for the app on the app's download page, and change the extension of the license file from **.xml** to **.ms-windows-store-license**.
![generate license for offline app](images/uwp-license.png) ![generate license for offline app](images/uwp-license.png)
- Open the license file and search for **LicenseID=** to get the GUID, enter the GUID in the **LicenseProductID** field and click **Add**.
6. In the **Available customizations** pane, click the **LicenseProductId** that you just added.
7. For **LicenseInstall**, click **Browse**, navigate to the license file that you renamed *<file name>*.**ms-windows-store-license**, and select the license file.
[Learn more about distributing offline apps from the Windows Store for Business.](../manage/distribute-offline-apps.md) [Learn more about distributing offline apps from the Windows Store for Business.](../manage/distribute-offline-apps.md)
> [!NOTE] > [!NOTE]

1
windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
View File

@ -5,6 +5,7 @@ ms.assetid: 57c81667-1019-4711-b3de-15ae9c5387c7
keywords: upgrade, install, installation, computer refresh keywords: upgrade, install, installation, computer refresh
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library ms.sitesec: library
author: mtniehaus author: mtniehaus
--- ---

2
windows/deploy/refresh-a-windows-7-computer-with-windows-10.md
View File

@ -5,6 +5,7 @@ ms.assetid: 2866fb3c-4909-4c25-b083-6fc1f7869f6f
keywords: reinstallation, customize, template, script, restore keywords: reinstallation, customize, template, script, restore
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library ms.sitesec: library
ms.pagetype: mdt ms.pagetype: mdt
author: mtniehaus author: mtniehaus
@ -66,6 +67,7 @@ The custom USMT template is named MigContosoData.xml, and you can find it in the
In order to use the custom MigContosoData.xml USMT template, you need to copy it to the MDT Production deployment share and update the CustomSettings.ini file. In these steps, we assume you have downloaded the MigContosoData.xml file. In order to use the custom MigContosoData.xml USMT template, you need to copy it to the MDT Production deployment share and update the CustomSettings.ini file. In these steps, we assume you have downloaded the MigContosoData.xml file.
1. Using File Explorer, copy the MigContosoData.xml file to the **E:\\MDTProduction\\Tools\\x64\\USMT5** folder. 1. Using File Explorer, copy the MigContosoData.xml file to the **E:\\MDTProduction\\Tools\\x64\\USMT5** folder.
2. Using Notepad, edit the E:\\MDTProduction\\Control\\CustomSettings.ini file. After the USMTMigFiles002=MigUser.xml line add the following line: 2. Using Notepad, edit the E:\\MDTProduction\\Control\\CustomSettings.ini file. After the USMTMigFiles002=MigUser.xml line add the following line:
``` syntax ``` syntax
USMTMigFiles003=MigContosoData.xml USMTMigFiles003=MigContosoData.xml
``` ```

1
windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
View File

@ -5,6 +5,7 @@ ms.assetid: 3c8a2d53-8f08-475f-923a-bca79ca8ac36
keywords: upgrade, install, installation, replace computer, setup keywords: upgrade, install, installation, replace computer, setup
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library ms.sitesec: library
author: mtniehaus author: mtniehaus
--- ---

2
windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md
View File

@ -5,7 +5,9 @@ ms.assetid: acf091c9-f8f4-4131-9845-625691c09a2a
keywords: deploy, deployment, replace keywords: deploy, deployment, replace
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library ms.sitesec: library
localizationpriority: high
ms.pagetype: mdt ms.pagetype: mdt
author: mtniehaus author: mtniehaus
--- ---

4
windows/deploy/set-up-mdt-2013-for-bitlocker.md
View File

@ -5,6 +5,7 @@ description:
keywords: disk, encryption, TPM, configure, secure, script keywords: disk, encryption, TPM, configure, secure, script
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library ms.sitesec: library
ms.pagetype: mdt ms.pagetype: mdt
author: mtniehaus author: mtniehaus
@ -84,6 +85,7 @@ If you consistently get the error "Windows BitLocker Drive Encryption Informatio
In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the [Add-TPMSelfWriteACE.vbs script](https://go.microsoft.com/fwlink/p/?LinkId=167133) from Microsoft to C:\\Setup\\Scripts on DC01. In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the [Add-TPMSelfWriteACE.vbs script](https://go.microsoft.com/fwlink/p/?LinkId=167133) from Microsoft to C:\\Setup\\Scripts on DC01.
1. On DC01, start an elevated PowerShell prompt (run as Administrator). 1. On DC01, start an elevated PowerShell prompt (run as Administrator).
2. Configure the permissions by running the following command: 2. Configure the permissions by running the following command:
``` syntax ``` syntax
cscript C:\Setup\Scripts\Add-TPMSelfWriteACE.vbs cscript C:\Setup\Scripts\Add-TPMSelfWriteACE.vbs
``` ```
@ -105,10 +107,12 @@ cctk.exe --tpm=on --valsetuppwd=Password1234
### Add tools from HP ### Add tools from HP
The HP tools are part of HP System Software Manager. The executable file from HP is named BiosConfigUtility.exe. This utility uses a configuration file for the BIOS settings. Here is a sample command to enable TPM and set a BIOS password using the BiosConfigUtility.exe tool: The HP tools are part of HP System Software Manager. The executable file from HP is named BiosConfigUtility.exe. This utility uses a configuration file for the BIOS settings. Here is a sample command to enable TPM and set a BIOS password using the BiosConfigUtility.exe tool:
``` syntax ``` syntax
BIOSConfigUtility.EXE /SetConfig:TPMEnable.REPSET /NewAdminPassword:Password1234 BIOSConfigUtility.EXE /SetConfig:TPMEnable.REPSET /NewAdminPassword:Password1234
``` ```
And the sample content of the TPMEnable.REPSET file: And the sample content of the TPMEnable.REPSET file:
``` syntax ``` syntax
English English
Activate Embedded Security On Next Boot Activate Embedded Security On Next Boot

1
windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md
View File

@ -5,6 +5,7 @@ ms.assetid: 2de86c55-ced9-4078-b280-35e0329aea9c
keywords: deploy, script keywords: deploy, script
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library ms.sitesec: library
ms.pagetype: mdt ms.pagetype: mdt
author: mtniehaus author: mtniehaus

1
windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md
View File

@ -4,6 +4,7 @@ description: The simplest path to upgrade PCs currently running Windows 7, Wind
ms.assetid: F8DF6191-0DB0-4EF5-A9B1-6A11D5DE4878 ms.assetid: F8DF6191-0DB0-4EF5-A9B1-6A11D5DE4878
keywords: upgrade, update, task sequence, deploy keywords: upgrade, update, task sequence, deploy
ms.prod: w10 ms.prod: w10
localizationpriority: high
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
author: mtniehaus author: mtniehaus
--- ---

1
windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
View File

@ -5,6 +5,7 @@ ms.assetid: B8993151-3C1E-4F22-93F4-2C5F2771A460
keywords: upgrade, update, task sequence, deploy keywords: upgrade, update, task sequence, deploy
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library ms.sitesec: library
ms.pagetype: mdt ms.pagetype: mdt
author: mtniehaus author: mtniehaus

1
windows/deploy/upgrade-windows-phone-8-1-to-10.md
View File

@ -4,6 +4,7 @@ description: This article describes how to upgrade eligible Windows Phone 8.1 de
keywords: upgrade, update, windows, phone, windows 10, mdm, mobile keywords: upgrade, update, windows, phone, windows 10, mdm, mobile
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library ms.sitesec: library
ms.pagetype: mdt ms.pagetype: mdt
author: Jamiejdt author: Jamiejdt

2
windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md
View File

@ -5,6 +5,7 @@ ms.assetid: 68302780-1f6f-4a9c-9407-b14371fdce3f
keywords: web services, database keywords: web services, database
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library ms.sitesec: library
ms.pagetype: mdt ms.pagetype: mdt
author: mtniehaus author: mtniehaus
@ -139,6 +140,7 @@ Make sure the account you are using has permissions to run runbooks on the Orche
   
1. On PC0001, log on as **CONTOSO\\MDT\_BA**. 1. On PC0001, log on as **CONTOSO\\MDT\_BA**.
2. Using an elevated command prompt (run as Administrator), type the following command: 2. Using an elevated command prompt (run as Administrator), type the following command:
``` syntax ``` syntax
cscript \\MDT01\MDTProduction$\Scripts\Litetouch.vbs cscript \\MDT01\MDTProduction$\Scripts\Litetouch.vbs
``` ```

1
windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md
View File

@ -6,6 +6,7 @@ ms.pagetype: mdt
keywords: database, permissions, settings, configure, deploy keywords: database, permissions, settings, configure, deploy
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library ms.sitesec: library
author: mtniehaus author: mtniehaus
--- ---

1
windows/deploy/use-web-services-in-mdt-2013.md
View File

@ -5,6 +5,7 @@ ms.assetid: 8f47535e-0551-4ccb-8f02-bb97539c6522
keywords: deploy, web apps keywords: deploy, web apps
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
localizationpriority: high
ms.pagetype: mdt ms.pagetype: mdt
ms.sitesec: library ms.sitesec: library
author: mtniehaus author: mtniehaus

1
windows/deploy/windows-10-deployment-scenarios.md
View File

@ -5,6 +5,7 @@ ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5
keywords: upgrade, in-place, configuration, deploy keywords: upgrade, in-place, configuration, deploy
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library ms.sitesec: library
author: mtniehaus author: mtniehaus
--- ---

1
windows/deploy/windows-10-edition-upgrades.md
View File

@ -4,6 +4,7 @@ description: With Windows 10, you can quickly upgrade from one edition of Windo
ms.assetid: A7642E90-A3E7-4A25-8044-C4E402DC462A ms.assetid: A7642E90-A3E7-4A25-8044-C4E402DC462A
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library ms.sitesec: library
ms.pagetype: mobile ms.pagetype: mobile
author: greg-lindsay author: greg-lindsay

1
windows/deploy/windows-10-enterprise-e3-overview.md
View File

@ -4,6 +4,7 @@ description: Describes Windows 10 Enterprise E3, an offering that delivers, by s
keywords: upgrade, update, task sequence, deploy keywords: upgrade, update, task sequence, deploy
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library ms.sitesec: library
ms.pagetype: mdt ms.pagetype: mdt
author: greg-lindsay author: greg-lindsay

28
windows/deploy/windows-10-poc-mdt.md
View File

@ -1,28 +0,0 @@
---
title: Placeholder (Windows 10)
description: Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
---
# Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit
**Applies to**
- Windows 10
## In this guide
## Related Topics
 
 

28
windows/deploy/windows-10-poc-sccm.md
View File

@ -1,28 +0,0 @@
---
title: Placeholder (Windows 10)
description: Deploy Windows 10 in a test lab using System Center Configuration Manager
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
---
# Deploy Windows 10 in a test lab using System Center Configuration Manager
**Applies to**
- Windows 10
## In this guide
## Related Topics
 
 

1
windows/deploy/windows-10-upgrade-paths.md
View File

@ -4,6 +4,7 @@ description: You can upgrade to Windows 10 from a previous version of Windows if
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
localizationpriority: high
ms.pagetype: mobile ms.pagetype: mobile
author: greg-lindsay author: greg-lindsay
--- ---

1
windows/deploy/windows-adk-scenarios-for-it-pros.md
View File

@ -4,6 +4,7 @@ description: The Windows Assessment and Deployment Kit (Windows ADK) contains to
ms.assetid: FC4EB39B-29BA-4920-87C2-A00D711AE48B ms.assetid: FC4EB39B-29BA-4920-87C2-A00D711AE48B
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library ms.sitesec: library
author: greg-lindsay author: greg-lindsay
--- ---

3
windows/keep-secure/active-directory-security-groups.md
View File

@ -2231,6 +2231,7 @@ The Key Admins group applies to versions of the Windows Server operating system
| Default members | None | | Default members | None |
| Default member of | None | | Default member of | None |
| Protected by ADMINSDHOLDER? | No | | Protected by ADMINSDHOLDER? | No |
| Safe to move out of default container? | Yes |
| Safe to delegate management of this group to non-Service admins? | No | | Safe to delegate management of this group to non-Service admins? | No |
| Default User Rights | None | | Default User Rights | None |
@ -3351,6 +3352,7 @@ The Storage Replica Administrators group applies to versions of the Windows Serv
| Default members | None | | Default members | None |
| Default member of | None | | Default member of | None |
| Protected by ADMINSDHOLDER? | No | | Protected by ADMINSDHOLDER? | No |
| Safe to move out of default container? | Yes |
| Safe to delegate management of this group to non-Service admins? | No | | Safe to delegate management of this group to non-Service admins? | No |
| Default User Rights | None | | Default User Rights | None |
@ -3371,6 +3373,7 @@ The System Managed Accounts group applies to versions of the Windows Server oper
| Default members | Users | | Default members | Users |
| Default member of | None | | Default member of | None |
| Protected by ADMINSDHOLDER? | No | | Protected by ADMINSDHOLDER? | No |
| Safe to move out of default container? | Yes |
| Safe to delegate management of this group to non-Service admins? | No | | Safe to delegate management of this group to non-Service admins? | No |
| Default User Rights | None | | Default User Rights | None |

4
windows/keep-secure/additional-configuration-windows-advanced-threat-protection.md
View File

@ -1,7 +1,7 @@
--- ---
redirect_url: https://technet.microsoft.com/en-au/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection
--- ---
# Additional Windows Defender ATP configuration settings # Additional Windows Defender ATP configuration settings
This page has been redirected to [Configure endpoints](https://technet.microsoft.com/en-au/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection) This page has been redirected to [Configure endpoints](https://technet.microsoft.com/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection)

2
windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md
View File

@ -16,7 +16,7 @@ localizationpriority: high
**Applies to:** **Applies to:**
- Windows 10 Enterprise - Windows 10 Enterprise
- Windows 10 Enterprise for Education - Windows 10 Education
- Windows 10 Pro - Windows 10 Pro
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)

8
windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md
View File

@ -15,7 +15,7 @@ localizationpriority: high
**Applies to:** **Applies to:**
- Windows 10 Enterprise - Windows 10 Enterprise
- Windows 10 Enterprise for Education - Windows 10 Education
- Windows 10 Pro - Windows 10 Pro
- Windows 10 Pro Education - Windows 10 Pro Education
- Azure Active Directory - Azure Active Directory
@ -37,12 +37,12 @@ Assigning read only access rights requires adding the users to the “Security R
Use the following steps to assign security roles: Use the following steps to assign security roles:
- Preparations: - Preparations:
- Install Azure PowerShell. For more information see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/en-us/documentation/articles/powershell-install-configure/).<br> - Install Azure PowerShell. For more information see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/).<br>
> [!NOTE] > [!NOTE]
> You need to run the PowerShell cmdlets in an elevated command-line. > You need to run the PowerShell cmdlets in an elevated command-line.
- Connect to your Azure Active Directory. For more information see, [Connect-MsolService](https://msdn.microsoft.com/en-us/library/dn194123.aspx). - Connect to your Azure Active Directory. For more information see, [Connect-MsolService](https://msdn.microsoft.com/library/dn194123.aspx).
- For **read and write** access, assign users to the security administrator role by using the following command: - For **read and write** access, assign users to the security administrator role by using the following command:
```text ```text
Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com" Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com"
@ -52,4 +52,4 @@ Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "s
Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress “reader@Contoso.onmicrosoft.com” Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress “reader@Contoso.onmicrosoft.com”
``` ```
For more information see, [Manage Azure AD group and role membership](https://technet.microsoft.com/en-us/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups). For more information see, [Manage Azure AD group and role membership](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups).

56
windows/keep-secure/bitlocker-how-to-enable-network-unlock.md
View File

@ -141,21 +141,29 @@ To enroll a certificate from an existing certification authority (CA), do the fo
2. Select **Yes, export the private key**. 2. Select **Yes, export the private key**.
3. Complete the wizard to create the .pfx file. 3. Complete the wizard to create the .pfx file.
To create a self-signed certificate, do the following: To create a self-signed certificate, you can either use the New-SelfSignedCertificate cmdlet in Windows PowerShell or use Certreq.
1. Create a text file with an .inf extension. For example, notepad.exe BitLocker-NetworkUnlock.inf Windows PowerShell example:
```syntax
New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "CN=BitLocker Network Unlock certificate" -Provider "Microsoft Software Key Storage Provider" -KeyUsage KeyEncipherment -KeyUsageProperty Decrypt -KeyLength 2048 -HashAlgorithm sha512 -TextExtension @("1.3.6.1.4.1.311.21.10={text}OID=1.3.6.1.4.1.311.67.1.1","2.5.29.37={text}1.3.6.1.4.1.311.67.1.1")
```
Certreq example:
1. Create a text file with an .inf extension. For example, notepad.exe BitLocker-NetworkUnlock.inf.
2. Add the following contents to the previously created file: 2. Add the following contents to the previously created file:
``` syntax ``` syntax
[NewRequest] [NewRequest]
Subject="CN=BitLocker Network Unlock certificate" Subject="CN=BitLocker Network Unlock certificate"
ProviderType=0 ProviderType=0
MachineKeySet=True
Exportable=true Exportable=true
RequestType=Cert RequestType=Cert
KeyUsage="CERT_KEY_ENCIPHERMENT_KEY_USAGE" KeyUsage="CERT_KEY_ENCIPHERMENT_KEY_USAGE"
KeyUsageProperty="NCRYPT_ALLOW_DECRYPT_FLAG" KeyUsageProperty="NCRYPT_ALLOW_DECRYPT_FLAG | NCRYPT_ALLOW_SIGNING_FLAG"
KeyLength=2048 KeyLength=2048
Keyspec="AT_KEYEXCHANGE"
SMIME=FALSE SMIME=FALSE
HashAlgorithm=sha512 HashAlgorithm=sha512
[Extensions] [Extensions]
@ -171,16 +179,16 @@ To create a self-signed certificate, do the following:
certreq -new BitLocker-NetworkUnlock.inf BitLocker-NetworkUnlock.cer certreq -new BitLocker-NetworkUnlock.inf BitLocker-NetworkUnlock.cer
``` ```
4. Verify the previous command properly created the certificate by confirming the .cer file exists 4. Verify the previous command properly created the certificate by confirming the .cer file exists.
5. Launch the Certificate Manager by running **certmgr.msc** 5. Launch Certificates - Local Machine by running **certlm.msc**.
6. Create a .pfx file by opening the **Certificates Current User\\Personal\\Certificates** path in the navigation pane, right-clicking the previously imported certificate, selecting **All Tasks**, then **Export**. Follow through the wizard to create the .pfx file. 6. Create a .pfx file by opening the **Certificates Local Computer\\Personal\\Certificates** path in the navigation pane, right-clicking the previously imported certificate, selecting **All Tasks**, then **Export**. Follow through the wizard to create the .pfx file.
### <a href="" id="bkmk-stepfive"></a>Step Five: Deploy the private key and certificate to the WDS server ### <a href="" id="bkmk-stepfive"></a>Step Five: Deploy the private key and certificate to the WDS server
With the certificate and key created, deploy them to the infrastructure to properly unlock systems. To deploy the certificates, do the following: With the certificate and key created, deploy them to the infrastructure to properly unlock systems. To deploy the certificates, do the following:
1. On the WDS server, open a new MMC and add the certificates snap-in. Select the computer account and local computer when given the options. 1. On the WDS server, open a new MMC and add the certificates snap-in. Select the computer account and local computer when given the options.
2. Right-click the Certificates (Local Computer) - BitLocker Drive Encryption Network Unlock item, choose All Tasks, then **Import** 2. Right-click the Certificates (Local Computer) - BitLocker Drive Encryption Network Unlock item, choose All Tasks, then **Import**.
3. In the **File to Import** dialog, choose the .pfx file created previously. 3. In the **File to Import** dialog, choose the .pfx file created previously.
4. Enter the password used to create the .pfx and complete the wizard. 4. Enter the password used to create the .pfx and complete the wizard.
@ -190,21 +198,21 @@ With certificate and key deployed to the WDS server for Network Unlock, the fina
The following steps describe how to enable the Group Policy setting that is a requirement for configuring Network Unlock. The following steps describe how to enable the Group Policy setting that is a requirement for configuring Network Unlock.
1. Open Group Policy Management Console (gpmc.msc) 1. Open Group Policy Management Console (gpmc.msc).
2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option 2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option.
3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers 3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers.
The following steps describe how to deploy the required Group Policy setting: The following steps describe how to deploy the required Group Policy setting:
>**Note:**  The Group Policy settings **Allow network unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012. >**Note:**  The Group Policy settings **Allow network unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012.
   
1. Copy the .cer file created for Network Unlock to the domain controller 1. Copy the .cer file created for Network Unlock to the domain controller.
2. On the domain controller, launch Group Policy Management Console (gpmc.msc) 2. On the domain controller, launch Group Policy Management Console (gpmc.msc).
3. Create a new Group Policy Object or modify an existing object to enable the **Allow network unlock at startup** setting. 3. Create a new Group Policy Object or modify an existing object to enable the **Allow network unlock at startup** setting.
4. Deploy the public certificate to clients 4. Deploy the public certificate to clients:
1. Within Group Policy Management Console, navigate to the following location: **Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate** 1. Within Group Policy Management Console, navigate to the following location: **Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate**.
2. Right-click the folder and choose **Add Network Unlock Certificate** 2. Right-click the folder and choose **Add Network Unlock Certificate**.
3. Follow the wizard steps and import the .cer file that was copied earlier. 3. Follow the wizard steps and import the .cer file that was copied earlier.
>**Note:**  Only one network unlock certificate can be available at a time. If a new certificate is required, delete the current certificate before deploying a new one. The Network Unlock certificate is located in the **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** key on the client computer. >**Note:**  Only one network unlock certificate can be available at a time. If a new certificate is required, delete the current certificate before deploying a new one. The Network Unlock certificate is located in the **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** key on the client computer.
@ -213,16 +221,16 @@ The following steps describe how to deploy the required Group Policy setting:
An additional step is for enterprises to use TPM+PIN protectors for an extra level of security. To require TPM+PIN protectors in an environment, do the following: An additional step is for enterprises to use TPM+PIN protectors for an extra level of security. To require TPM+PIN protectors in an environment, do the following:
1. Open Group Policy Management Console (gpmc.msc) 1. Open Group Policy Management Console (gpmc.msc).
2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option 2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option.
3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers 3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers.
### <a href="" id="bkmk-createcerttmpl"></a>Create the certificate template for Network Unlock ### <a href="" id="bkmk-createcerttmpl"></a>Create the certificate template for Network Unlock
The following steps detail how to create a certificate template for use with BitLocker Network Unlock. A properly configured Active Directory Services Certification Authority can use this certificate to create and issue Network Unlock certificates. The following steps detail how to create a certificate template for use with BitLocker Network Unlock. A properly configured Active Directory Services Certification Authority can use this certificate to create and issue Network Unlock certificates.
1. Open the Certificates Template snap-in (certtmpl.msc). 1. Open the Certificates Template snap-in (certtmpl.msc).
2. Locate the User template. Right-click the template name and select **Duplicate Template** 2. Locate the User template. Right-click the template name and select **Duplicate Template**.
3. On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to Windows Server 2012 and Windows 8respectively. Ensure the **Show resulting changes** dialog box is selected. 3. On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to Windows Server 2012 and Windows 8respectively. Ensure the **Show resulting changes** dialog box is selected.
4. Select the **General** tab of the template. The **Template display name** and **Template name** should clearly identify that the template will be used for Network Unlock. Clear the checkbox for the **Publish certificate in Active Directory** option. 4. Select the **General** tab of the template. The **Template display name** and **Template name** should clearly identify that the template will be used for Network Unlock. Clear the checkbox for the **Publish certificate in Active Directory** option.
5. Select the **Request Handling** tab. Select **Encryption** from the **Purpose** drop down menu. Ensure the **Allow private key to be exported** option is selected. 5. Select the **Request Handling** tab. Select **Encryption** from the **Purpose** drop down menu. Ensure the **Allow private key to be exported** option is selected.
@ -238,9 +246,9 @@ The following steps detail how to create a certificate template for use with Bit
- **Name:** **BitLocker Network Unlock** - **Name:** **BitLocker Network Unlock**
- **Object Identifier:** **1.3.6.1.4.1.311.67.1.1** - **Object Identifier:** **1.3.6.1.4.1.311.67.1.1**
14. Select the newly created **BitLocker Network Unlock** application policy and select **OK** 14. Select the newly created **BitLocker Network Unlock** application policy and select **OK**.
15. With the **Extensions** tab still open, select the **Edit Key Usage Extension** dialog, select the **Allow key exchange only with key encryption (key encipherment)** option. Select the **Make this extension critical** option. 15. With the **Extensions** tab still open, select the **Edit Key Usage Extension** dialog, select the **Allow key exchange only with key encryption (key encipherment)** option. Select the **Make this extension critical** option.
16. Select the **Security** tab. Confirm that the **Domain Admins** group has been granted **Enroll** permission 16. Select the **Security** tab. Confirm that the **Domain Admins** group has been granted **Enroll** permission.
17. Select **OK** to complete configuration of the template. 17. Select **OK** to complete configuration of the template.
To add the Network Unlock template to the Certification Authority, open the Certification Authority snap-in (certsrv.msc). Right-click the **Certificate Templates** item and choose **New, Certificate Template to issue**. Select the previously created BitLocker Network Unlock certificate. To add the Network Unlock template to the Certification Authority, open the Certification Authority snap-in (certsrv.msc). Right-click the **Certificate Templates** item and choose **New, Certificate Template to issue**. Select the previously created BitLocker Network Unlock certificate.
@ -320,8 +328,8 @@ Files to gather when troubleshooting BitLocker Network Unlock include:
In the right pane, click **Enable Log**. In the right pane, click **Enable Log**.
2. The DHCP subnet configuration file (if one exists). 2. The DHCP subnet configuration file (if one exists).
3. The output of the BitLocker status on the volume, this can be gathered into a text file using **manage-bde -status** or **Get-BitLockerVolume** in Windows PowerShell 3. The output of the BitLocker status on the volume, this can be gathered into a text file using **manage-bde -status** or **Get-BitLockerVolume** in Windows PowerShell.
4. Network Monitor capture on the server hosting the WDS role, filtered by client IP address 4. Network Monitor capture on the server hosting the WDS role, filtered by client IP address.
## <a href="" id="bkmk-unsupportedsystems"></a>Configure Network Unlock Group Policy settings on earlier versions ## <a href="" id="bkmk-unsupportedsystems"></a>Configure Network Unlock Group Policy settings on earlier versions

7
windows/keep-secure/change-history-for-keep-windows-10-secure.md
View File

@ -12,6 +12,13 @@ author: brianlic-msft
# Change history for Keep Windows 10 secure # Change history for Keep Windows 10 secure
This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
## September 2016
| New or changed topic | Description |
| --- | --- |
| [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) | Clarified how convenience PIN works in Windows 10, version 1607, on domain-joined PCs |
| [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) | Corrected certreq ezxample and added a new Windows PowerShell example for creating a self-signed certficate |
## August 2016 ## August 2016
|New or changed topic | Description | |New or changed topic | Description |
|----------------------|-------------| |----------------------|-------------|

2
windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md
View File

@ -17,7 +17,7 @@ localizationpriority: high
- Azure Active Directory - Azure Active Directory
- Windows 10 Enterprise - Windows 10 Enterprise
- Windows 10 Enterprise for Education - Windows 10 Education
- Windows 10 Pro - Windows 10 Pro
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)

2
windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
View File

@ -16,7 +16,7 @@ localizationpriority: high
**Applies to:** **Applies to:**
- Windows 10 Enterprise - Windows 10 Enterprise
- Windows 10 Enterprise for Education - Windows 10 Education
- Windows 10 Pro - Windows 10 Pro
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)

8
windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
View File

@ -17,7 +17,7 @@ localizationpriority: high
- Group Policy - Group Policy
- Windows 10 Enterprise - Windows 10 Enterprise
- Windows 10 Enterprise for Education - Windows 10 Education
- Windows 10 Pro - Windows 10 Pro
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
@ -34,7 +34,7 @@ localizationpriority: high
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*. 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*.
3. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**. 3. Open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
4. In the **Group Policy Management Editor**, go to **Computer configuration**, then **Preferences**, and then **Control panel settings**. 4. In the **Group Policy Management Editor**, go to **Computer configuration**, then **Preferences**, and then **Control panel settings**.
@ -61,7 +61,7 @@ You can use Group Policy (GP) to configure settings, such as settings for the sa
b. Copy _AtpConfiguration.adml_ into _C:\\Windows\\PolicyDefinitions\\en-US_ b. Copy _AtpConfiguration.adml_ into _C:\\Windows\\PolicyDefinitions\\en-US_
2. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), right-click the GPO you want to configure and click **Edit**. 2. Open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the GPO you want to configure and click **Edit**.
3. In the **Group Policy Management Editor**, go to **Computer configuration**. 3. In the **Group Policy Management Editor**, go to **Computer configuration**.
@ -88,7 +88,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
3. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**. 3. Open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
4. In the **Group Policy Management Editor**, go to **Computer configuration,** then **Preferences**, and then **Control panel settings**. 4. In the **Group Policy Management Editor**, go to **Computer configuration,** then **Preferences**, and then **Control panel settings**.

6
windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
View File

@ -16,18 +16,18 @@ localizationpriority: high
**Applies to:** **Applies to:**
- Windows 10 Enterprise - Windows 10 Enterprise
- Windows 10 Enterprise for Education - Windows 10 Education
- Windows 10 Pro - Windows 10 Pro
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can use mobile device management (MDM) solutions to configure endpoints. Windows Defender ATP supports MDMs by providing OMA-URIs to create policies to manage endpoints. You can use mobile device management (MDM) solutions to configure endpoints. Windows Defender ATP supports MDMs by providing OMA-URIs to create policies to manage endpoints.
For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723297(v=vs.85).aspx). For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx).
## Configure endpoints using Microsoft Intune ## Configure endpoints using Microsoft Intune
For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723297(v=vs.85).aspx). For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx).
### Onboard and monitor endpoints ### Onboard and monitor endpoints

14
windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
View File

@ -16,7 +16,7 @@ localizationpriority: high
**Applies to:** **Applies to:**
- Windows 10 Enterprise - Windows 10 Enterprise
- Windows 10 Enterprise for Education - Windows 10 Education
- Windows 10 Pro - Windows 10 Pro
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
@ -45,9 +45,9 @@ You can use System Center Configuration Managers existing functionality to cr
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOnboardingScript.cmd*. 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOnboardingScript.cmd*.
3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682112.aspx#BKMK_Import) topic. 3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682112.aspx#BKMK_Import) topic.
4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682178.aspx) topic. 4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682178.aspx) topic.
a. Choose a predefined device collection to deploy the package to. a. Choose a predefined device collection to deploy the package to.
@ -72,7 +72,7 @@ Possible values are:
The default value in case the registry key doesnt exist is 1. The default value in case the registry key doesnt exist is 1.
For more information about System Center Configuration Manager Compliance see [Compliance Settings in Configuration Manager](https://technet.microsoft.com/en-us/library/gg681958.aspx). For more information about System Center Configuration Manager Compliance see [Compliance Settings in Configuration Manager](https://technet.microsoft.com/library/gg681958.aspx).
### Offboard endpoints ### Offboard endpoints
@ -90,9 +90,9 @@ For security reasons, the package used to offboard endpoints will expire 30 days
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682112.aspx#BKMK_Import) topic. 3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682112.aspx#BKMK_Import) topic.
4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682178.aspx) topic. 4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682178.aspx) topic.
a. Choose a predefined device collection to deploy the package to. a. Choose a predefined device collection to deploy the package to.
@ -128,7 +128,7 @@ Path: “HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status”
Name: “OnboardingState” Name: “OnboardingState”
Value: “1” Value: “1”
``` ```
For more information about System Center Configuration Manager Compliance see [Compliance Settings in Configuration Manager](https://technet.microsoft.com/en-us/library/gg681958.aspx). For more information about System Center Configuration Manager Compliance see [Compliance Settings in Configuration Manager](https://technet.microsoft.com/library/gg681958.aspx).
## Related topics ## Related topics
- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) - [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)

2
windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md
View File

@ -16,7 +16,7 @@ localizationpriority: high
**Applies to:** **Applies to:**
- Windows 10 Enterprise - Windows 10 Enterprise
- Windows 10 Enterprise for Education - Windows 10 Education
- Windows 10 Pro - Windows 10 Pro
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)

2
windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md
View File

@ -16,7 +16,7 @@ localizationpriority: high
**Applies to:** **Applies to:**
- Windows 10 Enterprise - Windows 10 Enterprise
- Windows 10 Enterprise for Education - Windows 10 Education
- Windows 10 Pro - Windows 10 Pro
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)

2
windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md
View File

@ -17,7 +17,7 @@ localizationpriority: high
**Applies to:** **Applies to:**
- Windows 10 Enterprise - Windows 10 Enterprise
- Windows 10 Enterprise for Education - Windows 10 Education
- Windows 10 Pro - Windows 10 Pro
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)

2
windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md
View File

@ -16,7 +16,7 @@ localizationpriority: high
**Applies to:** **Applies to:**
- Windows 10 Enterprise - Windows 10 Enterprise
- Windows 10 Enterprise for Education - Windows 10 Education
- Windows 10 Pro - Windows 10 Pro
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)

2
windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md
View File

@ -16,7 +16,7 @@ localizationpriority: high
**Applies to:** **Applies to:**
- Windows 10 Enterprise - Windows 10 Enterprise
- Windows 10 Enterprise for Education - Windows 10 Education
- Windows 10 Pro - Windows 10 Pro
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)

4
windows/keep-secure/create-and-verify-an-efs-dra-certificate.md
View File

@ -77,7 +77,7 @@ It's possible that you might revoke data from an unenrolled device only to later
1. Have your employee sign in to the unenrolled device, open a command prompt, and type: 1. Have your employee sign in to the unenrolled device, open a command prompt, and type:
`Robocopy “%localappdata%\Microsoft\WIP\Recovery” <“new_location”> /EFSRAW` `Robocopy “%localappdata%\Microsoft\EDP\Recovery” <“new_location”> /EFSRAW`
Where *&lt;”new_location”&gt;* is in a different directory. This can be on the employees device or on a Windows 8 or Windows Server 2012 or newer server file share that can be accessed while you're logged in as a data recovery agent. Where *&lt;”new_location”&gt;* is in a different directory. This can be on the employees device or on a Windows 8 or Windows Server 2012 or newer server file share that can be accessed while you're logged in as a data recovery agent.
@ -87,7 +87,7 @@ It's possible that you might revoke data from an unenrolled device only to later
3. Have your employee sign in to the unenrolled device, and type: 3. Have your employee sign in to the unenrolled device, and type:
`Robocopy <”new_location”> “%localappdata%\Microsoft\WIP\Recovery\Input”` `Robocopy <”new_location”> “%localappdata%\Microsoft\EDP\Recovery\Input”`
4. Ask the employee to lock and unlock the device. 4. Ask the employee to lock and unlock the device.

4
windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md
View File

@ -16,7 +16,7 @@ localizationpriority: high
**Applies to:** **Applies to:**
- Windows 10 Enterprise - Windows 10 Enterprise
- Windows 10 Enterprise for Education - Windows 10 Education
- Windows 10 Pro - Windows 10 Pro
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
@ -87,7 +87,7 @@ Threats are considered "active" if there is a very high probability that the mal
Clicking on any of these categories will navigate to the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md), filtered by the appropriate category. This lets you see a detailed breakdown of which machines have active malware detections, and how many threats were detected per machine. Clicking on any of these categories will navigate to the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md), filtered by the appropriate category. This lets you see a detailed breakdown of which machines have active malware detections, and how many threats were detected per machine.
> [!NOTE] > [!NOTE]
> The **Machines with active malware detections** tile will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product. > The **Machines with active malware detections** tile will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
### Related topics ### Related topics
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) - [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)

7
windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md
View File

@ -16,14 +16,15 @@ localizationpriority: high
**Applies to:** **Applies to:**
- Windows 10 Enterprise - Windows 10 Enterprise
- Windows 10 Enterprise for Education - Windows 10 Education
- Windows 10 Pro - Windows 10 Pro
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
This section covers some of the most frequently asked questions regarding privacy and data handling for Windows Defender ATP. This section covers some of the most frequently asked questions regarding privacy and data handling for Windows Defender ATP.
> [!NOTE] > [!NOTE]
> This document explains the data storage and privacy details related to Windows Defender ATP. For more information related to Windows Defender ATP and other products and services like Windows Defender and Windows 10, see [Microsoft Privacy Statement](https://privacy.microsoft.com/en-us/privacystatement). See also [Windows 10 privacy FAQ](http://windows.microsoft.com/en-au/windows-10/windows-privacy-faq) for more information. > This document explains the data storage and privacy details related to Windows Defender ATP. For more information related to Windows Defender ATP and other products and services like Windows Defender and Windows 10, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576). See also [Windows 10 privacy FAQ](https://go.microsoft.com/fwlink/?linkid=827577) for more information.
## What data does Windows Defender ATP collect? ## What data does Windows Defender ATP collect?
@ -31,7 +32,7 @@ Microsoft will collect and store information from your configured endpoints in a
Information collected includes code file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and machine details (such as GUIDs, names, and the operating system version). Information collected includes code file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and machine details (such as GUIDs, names, and the operating system version).
Microsoft stores this data securely in Microsoft Azure and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://azure.microsoft.com/en-us/support/trust-center/). Microsoft stores this data securely in Microsoft Azure and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://go.microsoft.com/fwlink/?linkid=827578).
Microsoft uses this data to: Microsoft uses this data to:
- Proactively identify indicators of attack (IOAs) in your organization - Proactively identify indicators of attack (IOAs) in your organization

2
windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md
View File

@ -16,7 +16,7 @@ localizationpriority: high
**Applies to:** **Applies to:**
- Windows 10 Enterprise - Windows 10 Enterprise
- Windows 10 Enterprise for Education - Windows 10 Education
- Windows 10 Pro - Windows 10 Pro
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender - Windows Defender

13
windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules.md
View File

@ -25,6 +25,7 @@ This topic includes the following sections:
- [Overview of the process of creating code integrity policies](#overview-of-the-process-of-creating-code-integrity-policies): Helps familiarize you with the process described in this and related topics. - [Overview of the process of creating code integrity policies](#overview-of-the-process-of-creating-code-integrity-policies): Helps familiarize you with the process described in this and related topics.
- [Code integrity policy rules](#code-integrity-policy-rules): Describes one key element you specify in a policy, the *policy rules*, which control options such as audit mode or whether UMCI is enabled in a code integrity policy. - [Code integrity policy rules](#code-integrity-policy-rules): Describes one key element you specify in a policy, the *policy rules*, which control options such as audit mode or whether UMCI is enabled in a code integrity policy.
- [Code integrity file rule levels](#code-integrity-file-rule-levels): Describes the other key element you specify in a policy, the *file rules* (or *file rule levels*), which specify the level at which applications will be identified and trusted. - [Code integrity file rule levels](#code-integrity-file-rule-levels): Describes the other key element you specify in a policy, the *file rules* (or *file rule levels*), which specify the level at which applications will be identified and trusted.
- [Example of file rule levels in use](#example-of-file-rule-levels-in-use): Gives an example of how file rule levels can be applied.
## Overview of the process of creating code integrity policies ## Overview of the process of creating code integrity policies
@ -97,8 +98,18 @@ Table 3. Code integrity policy - file rule levels
> **Note**&nbsp;&nbsp;When you create code integrity policies with the [New-CIPolicy](https://technet.microsoft.com/library/mt634473.aspx) cmdlet, you can specify a primary file rule level by including the **-Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **-Fallback** parameter. For example, if the primary file rule level is PCACertificate but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate. > **Note**&nbsp;&nbsp;When you create code integrity policies with the [New-CIPolicy](https://technet.microsoft.com/library/mt634473.aspx) cmdlet, you can specify a primary file rule level by including the **-Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **-Fallback** parameter. For example, if the primary file rule level is PCACertificate but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate.
## Example of file rule levels in use
For example, consider some IT professionals in a department that runs many servers. They decide they want their servers to run only software signed by the providers of their software and drivers, that is, the companies that provide their hardware, operating system, antivirus, and other important software. They know that their servers also run an internally written application that is unsigned but is rarely updated. They want to allow this application to run.
To create the code integrity policy, they build a reference server on their standard hardware, and install all of the software that their servers are known to run. Then they run [New-CIPolicy](https://technet.microsoft.com/library/mt634473.aspx) with **-Level Publisher** (to allow software from their software providers, the "Publishers") and **-Fallback Hash** (to allow the internal, unsigned application). They enable the policy in auditing mode and gather information about any necessary software that was not included on the reference server. They merge code integrity policies into the original policy to allow that additional software to run. Then they enable the code integrity policy in enforced mode for their servers.
As part of normal operations, they will eventually install software updates, or perhaps add software from the same software providers. Because the "Publisher" remains the same on those updates and software, they will not need to update their code integrity policy. If they come to a time when the internally-written, unsigned application must be updated, they must also update the code integrity policy so that the hash in the policy matches the hash of the updated internal application.
They could also choose to create a catalog that captures information about the unsigned internal application, then sign and distribute the catalog. Then the internal application could be handled by code integrity policies in the same way as any other signed application. An update to the internal application would only require that the catalog be regenerated, signed, and distributed (no restarts would be required).
## Related topics ## Related topics
- [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats) - [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats)
- [Deploy code integrity policies: steps](deploy-code-integrity-policies-steps.md) - [Deploy code integrity policies: steps](deploy-code-integrity-policies-steps.md)

2
windows/keep-secure/dynamic-access-control.md
View File

@ -16,7 +16,7 @@ This overview topic for the IT professional describes Dynamic Access Control and
Domain-based Dynamic Access Control enables administrators to apply access-control permissions and restrictions based on well-defined rules that can include the sensitivity of the resources, the job or role of the user, and the configuration of the device that is used to access these resources. Domain-based Dynamic Access Control enables administrators to apply access-control permissions and restrictions based on well-defined rules that can include the sensitivity of the resources, the job or role of the user, and the configuration of the device that is used to access these resources.
For example, a user might have different permissions when they access a resource from their office computer versus when they are using a portable computer over a virtual private network. Or access may be allowed only if a device meets the security requirements that are defined by the network administrators. When Dynamic Access Control is used, a users permissions change dynamically without additional administrator intervention if the users job or role changes (resulting in changes to the users account attributes in AD DS). For example, a user might have different permissions when they access a resource from their office computer versus when they are using a portable computer over a virtual private network. Or access may be allowed only if a device meets the security requirements that are defined by the network administrators. When Dynamic Access Control is used, a users permissions change dynamically without additional administrator intervention if the users job or role changes (resulting in changes to the users account attributes in AD DS). For more detailed examples of Dynamic Access Control in use, see the scenarios described in [Dynamic Access Control: Scenario Overview](https://technet.microsoft.com/windows-server-docs/identity/solution-guides/dynamic-access-control--scenario-overview).
Dynamic Access Control is not supported in Windows operating systems prior to Windows Server 2012 and Windows 8. When Dynamic Access Control is configured in environments with supported and non-supported versions of Windows, only the supported versions will implement the changes. Dynamic Access Control is not supported in Windows operating systems prior to Windows Server 2012 and Windows 8. When Dynamic Access Control is configured in environments with supported and non-supported versions of Windows, only the supported versions will implement the changes.

8
windows/keep-secure/enlightened-microsoft-apps-and-wip.md
View File

@ -62,7 +62,6 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li
|Product name |App info | |Product name |App info |
|-------------|---------| |-------------|---------|
|Microsoft Edge |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.MicrosoftEdge<br>**App Type:** Universal app | |Microsoft Edge |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.MicrosoftEdge<br>**App Type:** Universal app |
|IE11 |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** iexplore.exe<br>**App Type:** Desktop app |
|Microsoft People |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.People<br>**App Type:** Universal app | |Microsoft People |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.People<br>**App Type:** Universal app |
|Word Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Office.Word<br>**App Type:** Universal app | |Word Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Office.Word<br>**App Type:** Universal app |
|Excel Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Office.Excel<br>**App Type:** Universal app | |Excel Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Office.Excel<br>**App Type:** Universal app |
@ -71,8 +70,9 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li
|Outlook Mail and Calendar |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** microsoft.windowscommunicationsapps<br>**App Type:** Universal app | |Outlook Mail and Calendar |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** microsoft.windowscommunicationsapps<br>**App Type:** Universal app |
|Microsoft Photos |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Windows.Photos<br>**App Type:** Universal app | |Microsoft Photos |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Windows.Photos<br>**App Type:** Universal app |
|Groove Music |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.ZuneMusic<br>**App Type:** Universal app | |Groove Music |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.ZuneMusic<br>**App Type:** Universal app |
|Microsoft OneDrive |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** onedrive.exe<br>**App Type:** Desktop app|
|Notepad |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** notepad.exe<br>**App Type:** Desktop app |
|Microsoft Paint |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** mspaint.exe<br>**App Type:** Desktop app |
|Microsoft Movies & TV |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.ZuneVideo<br>**App Type:** Universal app | |Microsoft Movies & TV |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.ZuneVideo<br>**App Type:** Universal app |
|Microsoft Messaging |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Messaging<br>**App Type:** Universal app | |Microsoft Messaging |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Messaging<br>**App Type:** Universal app |
|IE11 |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** iexplore.exe<br>**App Type:** Desktop app |
|Microsoft OneDrive |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** onedrive.exe<br>**App Type:** Desktop app|
|Notepad |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** notepad.exe<br>**App Type:** Desktop app |
|Microsoft Paint |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** mspaint.exe<br>**App Type:** Desktop app |

4
windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
View File

@ -18,12 +18,12 @@ localizationpriority: high
- Event Viewer - Event Viewer
- Windows 10 Enterprise - Windows 10 Enterprise
- Windows 10 Enterprise for Education - Windows 10 Education
- Windows 10 Pro - Windows 10 Pro
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/en-US/library/aa745633(v=bts.10).aspx) on individual endpoints. You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/library/aa745633(v=bts.10).aspx) on individual endpoints.
For example, if endpoints are not appearing in the **Machines view** list, you might need to look for event IDs on the endpoints. You can then use this table to determine further troubleshooting steps. For example, if endpoints are not appearing in the **Machines view** list, you might need to look for event IDs on the endpoints. You can then use this table to determine further troubleshooting steps.

8
windows/keep-secure/implement-microsoft-passport-in-your-organization.md
View File

@ -20,9 +20,13 @@ localizationpriority: high
You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10. You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10.
>[!IMPORTANT] >[!IMPORTANT]
>The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. It still prevents or enables the creation of a convenience PIN for Windows 10. Use **Windows Hello for Business** policy settings to manage PINs. >The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. It still prevents or enables the creation of a convenience PIN for Windows 10, version 1507 and 1511.
>
>Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**.
>
>Use **Windows Hello for Business** policy settings to manage PINs for Windows Hello for Business.
   
## Group Policy settings for Windows Hello for Businness ## Group Policy settings for Windows Hello for Business
The following table lists the Group Policy settings that you can configure for Hello use in your workplace. These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Windows Hello for Business**. The following table lists the Group Policy settings that you can configure for Hello use in your workplace. These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Windows Hello for Business**.

2
windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md
View File

@ -16,7 +16,7 @@ localizationpriority: high
**Applies to:** **Applies to:**
- Windows 10 Enterprise - Windows 10 Enterprise
- Windows 10 Enterprise for Education - Windows 10 Education
- Windows 10 Pro - Windows 10 Pro
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)

2
windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md
View File

@ -15,7 +15,7 @@ localizationpriority: high
**Applies to:** **Applies to:**
- Windows 10 Enterprise - Windows 10 Enterprise
- Windows 10 Enterprise for Education - Windows 10 Education
- Windows 10 Pro - Windows 10 Pro
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)

4
windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md
View File

@ -15,7 +15,7 @@ localizationpriority: high
**Applies to:** **Applies to:**
- Windows 10 Enterprise - Windows 10 Enterprise
- Windows 10 Enterprise for Education - Windows 10 Education
- Windows 10 Pro - Windows 10 Pro
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
@ -67,7 +67,7 @@ In the file's page, **Submit for deep analysis** is enabled when the file is ava
> [!NOTE] > [!NOTE]
> Only files from Windows 10 can be automatically collected. > Only files from Windows 10 can be automatically collected.
You can also manually submit a sample through the [Malware Protection Center Portal](https://www.microsoft.com/en-us/security/portal/submission/submit.aspx) if the file was not observed on a Windows 10 machine, and wait for **Submit for deep analysis** button to become available. You can also manually submit a sample through the [Malware Protection Center Portal](https://www.microsoft.com/security/portal/submission/submit.aspx) if the file was not observed on a Windows 10 machine, and wait for **Submit for deep analysis** button to become available.
> [!NOTE] > [!NOTE]
> Due to backend processing flows in the Malware Protection Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Windows Defender ATP. > Due to backend processing flows in the Malware Protection Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Windows Defender ATP.

2
windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md
View File

@ -15,7 +15,7 @@ localizationpriority: high
**Applies to:** **Applies to:**
- Windows 10 Enterprise - Windows 10 Enterprise
- Windows 10 Enterprise for Education - Windows 10 Education
- Windows 10 Pro - Windows 10 Pro
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)

4
windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md
View File

@ -16,7 +16,7 @@ localizationpriority: high
**Applies to:** **Applies to:**
- Windows 10 Enterprise - Windows 10 Enterprise
- Windows 10 Enterprise for Education - Windows 10 Education
- Windows 10 Pro - Windows 10 Pro
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
@ -40,7 +40,7 @@ The Machines view contains the following columns:
- **Active malware detections** - the number of active malware detections reported by the machine - **Active malware detections** - the number of active malware detections reported by the machine
> [!NOTE] > [!NOTE]
> The **Active alerts** and **Active malware detections** filter column will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product. > The **Active alerts** and **Active malware detections** filter column will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
Click any column header to sort the view in ascending or descending order. Click any column header to sort the view in ascending or descending order.

2
windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md
View File

@ -16,7 +16,7 @@ localizationpriority: high
**Applies to:** **Applies to:**
- Windows 10 Enterprise - Windows 10 Enterprise
- Windows 10 Enterprise for Education - Windows 10 Education
- Windows 10 Pro - Windows 10 Pro
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)

4
windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
View File

@ -16,7 +16,7 @@ localizationpriority: high
**Applies to:** **Applies to:**
- Windows 10 Enterprise - Windows 10 Enterprise
- Windows 10 Enterprise for Education - Windows 10 Education
- Windows 10 Pro - Windows 10 Pro
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
@ -36,7 +36,7 @@ When you run the onboarding wizard for the first time, you must choose where you
The Windows Defender ATP agent only supports the following editions of Windows 10: The Windows Defender ATP agent only supports the following editions of Windows 10:
- Windows 10 Enterprise - Windows 10 Enterprise
- Windows 10 Enterprise for Education - Windows 10 Education
- Windows 10 Pro - Windows 10 Pro
- Windows 10 Pro Education - Windows 10 Pro Education

4
windows/keep-secure/monitor-onboarding-windows-advanced-threat-protection.md
View File

@ -1,7 +1,7 @@
--- ---
redirect_url: https://technet.microsoft.com/en-au/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection
--- ---
# Monitor the Windows Defender Advanced Threat Protection onboarding # Monitor the Windows Defender Advanced Threat Protection onboarding
This page has been redirected to [Configure endpoints](https://technet.microsoft.com/en-au/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection) This page has been redirected to [Configure endpoints](https://technet.microsoft.com/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection)

2
windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md
View File

@ -16,7 +16,7 @@ localizationpriority: high
**Applies to:** **Applies to:**
- Windows 10 Enterprise - Windows 10 Enterprise
- Windows 10 Enterprise for Education - Windows 10 Education
- Windows 10 Pro - Windows 10 Pro
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)

2
windows/keep-secure/overview-create-wip-policy.md
View File

@ -23,4 +23,4 @@ Microsoft Intune and System Center Configuration Manager helps you create and de
|------|------------| |------|------------|
|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Intune helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. | |[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Intune helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
|[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |System Center Configuration Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. | |[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |System Center Configuration Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)] |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. | |[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |

4
windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md
View File

@ -16,7 +16,7 @@ author: brianlic-msft
This topic provides a roadmap for planning and getting started on the Device Guard deployment process, with links to topics that provide additional detail. Planning for Device Guard deployment involves looking at both the end-user and the IT pro impact of your choices. Use the following steps to guide you. This topic provides a roadmap for planning and getting started on the Device Guard deployment process, with links to topics that provide additional detail. Planning for Device Guard deployment involves looking at both the end-user and the IT pro impact of your choices. Use the following steps to guide you.
**Planning** ## Planning
1. **Review requirements, especially hardware requirements for VBS**. Review the virtualization-based security (VBS) features described in [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats). Then you can assess your end-user systems to see how many support the VBS features you are interested in, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). 1. **Review requirements, especially hardware requirements for VBS**. Review the virtualization-based security (VBS) features described in [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats). Then you can assess your end-user systems to see how many support the VBS features you are interested in, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard).
@ -33,7 +33,7 @@ This topic provides a roadmap for planning and getting started on the Device Gua
4. **Identify LOB applications that are currently unsigned**. Although requiring signed code (through code integrity policies) protects against many threats, your organization might use unsigned LOB applications, for which the process of signing might be difficult. You might also have applications that are signed, but you want to add a secondary signature to them. If so, identify these applications, because you will need to create a catalog file for them. For a basic description of catalog files, see the table in [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md). For more background information about catalog files, see [Reviewing your applications: application signing and catalog files](requirements-and-deployment-planning-guidelines-for-device-guard.md#reviewing-your-applications-application-signing-and-catalog-files). 4. **Identify LOB applications that are currently unsigned**. Although requiring signed code (through code integrity policies) protects against many threats, your organization might use unsigned LOB applications, for which the process of signing might be difficult. You might also have applications that are signed, but you want to add a secondary signature to them. If so, identify these applications, because you will need to create a catalog file for them. For a basic description of catalog files, see the table in [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md). For more background information about catalog files, see [Reviewing your applications: application signing and catalog files](requirements-and-deployment-planning-guidelines-for-device-guard.md#reviewing-your-applications-application-signing-and-catalog-files).
**Getting started on the deployment process** ## Getting started on the deployment process
1. **Optionally, create a signing certificate for code integrity policies**. As you deploy code integrity policies, you might need to sign catalog files or code integrity policies internally. To do this, you will either need a publicly issued code signing certificate (that you purchase) or an internal CA. If you choose to use an internal CA, you will need to create a code signing certificate. For more information, see [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md). 1. **Optionally, create a signing certificate for code integrity policies**. As you deploy code integrity policies, you might need to sign catalog files or code integrity policies internally. To do this, you will either need a publicly issued code signing certificate (that you purchase) or an internal CA. If you choose to use an internal CA, you will need to create a code signing certificate. For more information, see [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md).

4
windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md
View File

@ -16,7 +16,7 @@ localizationpriority: high
**Applies to:** **Applies to:**
- Windows 10 Enterprise - Windows 10 Enterprise
- Windows 10 Enterprise for Education - Windows 10 Education
- Windows 10 Pro - Windows 10 Pro
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
@ -39,7 +39,7 @@ When you open the portal, youll see the main areas of the application:
![Windows Defender Advanced Threat Protection portal](images/portal-image.png) ![Windows Defender Advanced Threat Protection portal](images/portal-image.png)
> [!NOTE] > [!NOTE]
> Malware related detections will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product. > Malware related detections will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section. You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section.

2
windows/keep-secure/settings-windows-defender-advanced-threat-protection.md
View File

@ -16,7 +16,7 @@ localizationpriority: high
**Applies to:** **Applies to:**
- Windows 10 Enterprise - Windows 10 Enterprise
- Windows 10 Enterprise for Education - Windows 10 Education
- Windows 10 Pro - Windows 10 Pro
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)

Some files were not shown because too many files have changed in this diff Show More