deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 06:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/master' into sh-7964717

Browse Source
This commit is contained in:
Trudy Hakala 2016-09-25 17:56:38 -07:00
commit 2e4dad2796
214 changed files with 3824 additions and 710 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
CONTRIBUTING.md
View File

@ -30,7 +30,7 @@ We've tried to make editing an existing, public file as simple as possible.
![GitHub Web, showing the Pencil icon in the red box](images/pencil-icon.png)
4. Using markdown language, make your changes to the topic. For info about how to edit content using markdown, see:
4. Using Markdown language, make your changes to the topic. For info about how to edit content using Markdown, see:
- **If you're linked to the Microsoft organization in GitHub:** [Windows Open Publishing Guide Home](http://aka.ms/windows-op-guide)
- **If you're external to Microsoft:** [Mastering Markdown](https://guides.github.com/features/mastering-markdown/)

1
browsers/internet-explorer/ie11-deploy-guide/index.md
View File

@ -6,6 +6,7 @@ ms.prod: ie11
ms.assetid: bddc2d97-c38d-45c5-9588-1f5bbff2e9c3
title: Internet Explorer 11 (IE11) - Deployment Guide for IT Pros (Internet Explorer 11 for IT Pros)
ms.sitesec: library
localizationpriority: low
---

1
browsers/internet-explorer/ie11-ieak/index.md
View File

@ -6,6 +6,7 @@ ms.prod: ie11
ms.assetid: 847bd7b4-d5dd-4e10-87b5-4d7d3a99bbac
title: Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide (Internet Explorer Administration Kit 11 for IT Pros)
ms.sitesec: library
localizationpriority: low
---

5
devices/surface-hub/create-a-device-account-using-office-365.md
View File

@ -54,7 +54,7 @@ If you prefer to use a graphical user interface, you can create a device account
![assign license for Skype for Business online.](images/setupdeviceaccto365-07.png)
From the list, uncheck **Skype for Business Online (plan 2)** (this license may vary depending on your organization), and click **SAVE**.
From the list, select **Skype for Business Online (Plan 2)**, and then click **SAVE**. The license may vary depending on your organization (for example, you might have Plan 2, or Plan 3).
### <a href="" id="create-device-acct-o365-mbx-policy"></a>Create a mobile device mailbox (ActiveSync) policy from the Exchange Admin Center
@ -133,8 +133,7 @@ In order to run cmdlets used by these PowerShell scripts, the following must be
5. Finally, to connect to Exchange Online Services, run:
``` syntax
$exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri
"https://outlook.office365.com/powershell-liveid/" -Credential $cred -Authentication "Basic" AllowRedirection
$exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri"https://outlook.office365.com/powershell-liveid/" -Credential $cred -Authentication "Basic" AllowRedirection
```
![Image showing PowerShell cmdlet.](images/setupdeviceaccto365-21.png)

BIN
devices/surface-hub/images/setupdeviceaccto365-07.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 23 KiB

After

Width:  |  Height:  |  Size: 28 KiB

133
devices/surface-hub/intro-to-surface-hub.md
View File

@ -15,143 +15,14 @@ localizationpriority: medium
Microsoft Surface Hub is an all-in-one productivity device that is intended for brainstorming, collaboration, and presentations. In order to get the maximum benefit from Surface Hub, your organizations infrastructure and the Surface Hub itself must be properly set up and integrated. This guide describes what needs to be done both before and during setup in order to help you optimize your use of the device.
### <a href="" id="surface-hub-features-and-interactions"></a>Surface Hub features and interactions with other services
The capabilities of your Surface Hub will depend on what other Microsoft products and technologies are available to it in your infrastructure. The products listed in the following table each support specific features in Surface Hub.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Scenario</th>
<th align="left">Requirement</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>One-touch meeting join, meetings calendar, and email (for example, sending whiteboards)</p></td>
<td align="left"><p>Device account with Microsoft Exchange 2013 or later, or Exchange Online and a network connection to where the account is hosted.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Meetings using Skype for Business</p></td>
<td align="left"><p>Device account with Skype for Business (Lync Server 2013 or later) or Skype for Business Online, and a network connection so the account can be accessed.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Web browsing through Microsoft Edge</p></td>
<td align="left"><p>Internet connectivity.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Remote and multi-device management</p></td>
<td align="left"><p>Supported mobile device management (MDM) solutions (Microsoft Intune, System Center 2012 R2 Configuration Manager, or supported third-party solution).</p></td>
</tr>
<tr class="even">
<td align="left"><p>Group-based local management (directory of employees who can manage a device)</p></td>
<td align="left"><p>Active Directory or Azure Active Directory (Azure AD).</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Universal Windows app installation</p></td>
<td align="left"><p>Windows Imaging and Configuration Designer (ICD) or supported MDM solutions (Intune, Configuration Manager, or supported third-party solution).</p></td>
</tr>
<tr class="even">
<td align="left"><p>OS updates</p></td>
<td align="left"><p>Internet connectivity or Windows Server Update Services (WSUS).</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Device monitoring and health</p></td>
<td align="left"><p>Microsoft Operations Management Suite (OMS).</p></td>
</tr>
</tbody>
</table>
 
Youll need to understand how each of these services interacts with Surface Hub. See [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md) for details.
### <a href="" id="setup-dependencies"></a>Surface Hub Setup dependencies
## Surface Hub setup process
Review these dependencies to make sure Surface Hub features will work in your environment.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Dependency</th>
<th align="left">Purpose</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Active Directory (if using an on-premises deployment)</p></td>
<td align="left"><p>The Surface Hub must be able to connect to the domain controller in order to validate the device accounts credentials, as well as to access information like the device accounts display name, alias, Exchange server, and Session Initiation Protocol (SIP) address.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Microsoft Office 365 (if using an online deployment)</p></td>
<td align="left"><p>The Surface Hub must have Internet access in order to reach your Office 365 tenant. The device will connect to the Office 365 in order to validate the device accounts credentials, as well as to access information like the device accounts display name, alias, Exchange server, and SIP address.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Device account</p></td>
<td align="left"><p>The device account is an Active Directory and/or Azure AD account that enables several key features for the Surface Hub. Learn more about device accounts in [Create and test a device account](create-and-test-a-device-account-surface-hub.md).</p></td>
</tr>
<tr class="even">
<td align="left"><p>Exchange and Exchange ActiveSync</p></td>
<td align="left"><p>The Surface Hub must be able to reach the device accounts Exchange servers. Exchange is used for enabling mail and calendar features, and also lets people who use the device send meeting requests to the Surface Hub, enabling one-touch meeting join.</p>
<p>ActiveSync is used to sync the device accounts calendar and mail to the Surface Hub. If the device cannot use ActiveSync, it will not show meetings on the welcome screen, and joining meetings and emailing whiteboards will not be enabled.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Skype for Business</p></td>
<td align="left"><p>The Surface Hub must be able to reach the device accounts Skype for Business servers. Skype for Business is used for various conferencing features, like video calls, IM, and screen sharing.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Certificate-based authentication</p></td>
<td align="left"><p>If certificate-based authentication is required to establish a connection with Exchange ActiveSync or Skype for Business, those certificates must be deployed to each Surface Hub.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Dynamic IP</p></td>
<td align="left"><p>The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address. Network or Internet access is required, depending on the configuration of your topology (on-premises or online respectively) in order to validate the device account.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Proxy servers</p></td>
<td align="left"><p>If your topology requires a connection to a proxy server to reach Active Directory, Microsoft Online Services, or your Exchange or Skype for Business servers, then you can configure it during first run, or in Settings.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Mobile device management (MDM) solution provider</p></td>
<td align="left"><p>If you want to manage devices remotely and by groups (apply settings or policies to multiple devices at a time), you must set up a MDM solution and enroll the device to that solution.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Microsoft Operations Management Suite (OMS)</p></td>
<td align="left"><p>OMS is used to monitor Surface Hub devices.</p></td>
</tr>
</tbody>
</table>
 
### Surface Hub setup process
In some ways, adding your new Surface Hub is just like adding any other Microsoft Windows-based device to your network. However, in order to get your Surface Hub up and running at its full capacity, there are some very specific requirements. Read through all the info before you start. Heres the general order of things youll need to do:
In some ways, adding your new Surface Hub is just like adding any other Microsoft Windows-based device to your network. However, in order to get your Surface Hub up and running at its full capacity, there are some very specific requirements. Here are the next topics you'll need:
1. [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md)
2. [Physically install your Surface Hub device](physically-install-your-surface-hub-device.md)
3. [Run the Surface Hub first-run setup program (OOBE)](first-run-program-surface-hub.md)
After you have your Surface Hub running in your organization, youll need info about:
- [Device maintenance and management](manage-surface-hub.md)
In the unlikely event that you run into problems, see [Troubleshoot Surface Hub](troubleshoot-surface-hub.md).
 
 

100
devices/surface-hub/prepare-your-environment-for-surface-hub.md
View File

@ -14,87 +14,63 @@ localizationpriority: medium
# Prepare your environment for Microsoft Surface Hub
This section contains an overview of the steps required to prepare your environment so that you can use all of the features of Microsoft Surface Hub. See [Intro to Surface Hub](intro-to-surface-hub.md) for a description of how the device and its features interact with your IT environment.
## Create and test a device account
This section contains an overview of setup dependencies and the setup process. Review the info in this section to help you prepare your environment and gather information needed to set up your Surface Hub.
A "device account" is an account that Surface Hub uses in order to access features from Exchange, like email and calendar, and to enable Skype for Business. See [Create and test a device account](create-and-test-a-device-account-surface-hub.md) for details.
## Review infrastructure dependencies
Review these dependencies to make sure Surface Hub features will work in your IT infrastructure.
## Check network availability
| Dependency | Purpose |
|-------------------------------------------------------|-------------------------------------------------------|
| Active Directory or Azure Active Directory (Azure AD) | <p>The Surface Hub's uses an Active Directory or Azure AD account (called a **device account**) to access Exchange and Skype for Business services. The Surface Hub must be able to connect to your Active Directory domain controller or to your Azure AD tenant in order to validate the device accounts credentials, as well as to access information like the device accounts display name, alias, Exchange server, and Session Initiation Protocol (SIP) address.</p>You can also domain join or Azure AD join your Surface Hub to allow a group of authorized users to configure settings on the Surface Hub. |
| Exchange (Exchange 2013 or later, or Exchange Online) and Exchange ActiveSync | <p>Exchange is used for enabling mail and calendar features, and also lets people who use the device send meeting requests to the Surface Hub, enabling one-touch meeting join.</p>ActiveSync is used to sync the device accounts calendar and mail to the Surface Hub. If the device cannot use ActiveSync, it will not show meetings on the welcome screen, and joining meetings and emailing whiteboards will not be enabled. |
| Skype for Business (Lync Server 2013 or later, or Skype for Business Online) | Skype for Business is used for various conferencing features, like video calls, instant messaging, and screen sharing. |
| Mobile device management (MDM) solution (Microsoft Intune, System Center Configuration Manager, or supported third-party MDM provider) | If you want to apply settings and install apps remotely, and to multiple devices at a time, you must set up a MDM solution and enroll the device to that solution. See [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) for details. |
| Microsoft Operations Managmement Suite (OMS) | OMS is used to monitor the health of Surface Hub devices. See [Monitor your Surface Hub](monitor-surface-hub.md) for details. |
| Network and Internet access | <p>In order to function properly, the Surface Hub should have access to a wired or wireless network. Overall, a wired connection is preferred.</p><p>**Dynamic IP:** The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address.</p>**Proxy servers:** If your topology requires a connection to a proxy server to reach Internet services, then you can configure it during first run, or in Settings. |
Additionally, note that Surface Hub requires the following open ports:
- HTTPS: 443
- HTTP: 80
Depending on your environment, access to additional ports may be needed:
- For online environments, see [Office 365 IP URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US).
- For on-premises installations, see [Skype for Business Server: Ports and protocols for internal servers](https://technet.microsoft.com/library/gg398833.aspx).
Microsoft collects telemetry to help improve your Surface Hub experience. Add these sites to your allow list:
- Telemetry client endpoint: `https://vortex.data.microsoft.com/`
- Telemetry settings endpoint: `https://settings.data.microsoft.com/`
In order to function properly, the Surface Hub must have access to a wired or wireless network that meets these requirements:
## Work with other admins
- Access to your Active Directory or Azure Active Directory (Azure AD) instance, as well as your Microsoft Exchange and Skype for Business servers
- Can receive an IP address using DHCP
- Open ports:
- HTTPS: 443
- HTTP: 80
A wired connection is preferred.
## Certificates
Surface Hub interacts with a few different products and services. Depending on the size of your organization, there could be multiple people supporting different products in your environment. You'll want to include people who manage Exchange, Active Directory (or Azure Active Directory), mobile device management (MDM), and network resources in your planning and prep for Surface Hub deployments.
Your Surface Hub may require certificates for ActiveSync, Skype for Business, network usage, or other authentication. To install certificates, you can either create a provisioning package (in order to install at first run, or after first run in Settings), or deploy them through a mobile device management (MDM) solution (after first run only).
## Create and verify device account
To install certificates using provisioning packages, see [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md). To install them using MDM, see the documentation for your MDM solution.
A device account is an Exchange resource account that Surface Hub uses to display its meeting calendar, join Skype for Business calls, and send email. See [Create and test a device account](create-and-test-a-device-account-surface-hub.md) for details.
## Create provisioning packages
After you've created your device account, there are a couple of ways to verify that it's setup correctly.
- Run Surface Hub device account validation PowerShell scripts. For more information, see [Surface Hub device account scripts](https://gallery.technet.microsoft.com/scriptcenter/Surface-Hub-device-account-6db77696) in Script Center, or [PowerShell scripts for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) later in this guide.
- Use the account with the [Lync Windows Store app](https://www.microsoft.com/en-us/store/p/lync/9wzdncrfhvhm). If Lync signs in successfully, then the device account will most likely work with Skype for Business on Surface Hub.
Currently, Surface Hub can use provisioning packages only to install certificates and to install Universal Windows Platform (UWP) apps. See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) for details.
## Prepare for first-run program
There are a few more item to consider before you start the [first-run program](first-run-program-surface-hub.md).
Customers will use provisioning packages to authenticate (for example, to Exchange or Skype for Business), or to sideload apps that don't come from the Windows Store or Windows Store for Business.
### Create provisioning packages (optional)
You can use provisioning packages to add certificates, customize settings and install apps. See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) for details. You can [install provisioning packages at first-run](first-run-program-surface-hub.md#first-page).
## Know the Exchange server for your device account
### Set up admin groups
Every Surface Hub can be configured locally using the Settings app on the device. To prevent unauthorized users from changing settings, the Settings app requires admin credentials to open the app. See [Admin group management](admin-group-management-for-surface-hub.md) for details on how admin groups are set up and managed. You will [set up admins for the device at first run](first-run-program-surface-hub.md#setup-admins).
### Review and complete Surface Hub setup worksheet (optional)
When you go through the first-run program for your Surface Hub, there's some information that you'll need to supply. The setup worksheet summarizes that info, and provides lists of environment-specific info that you'll need when you go through the first-run program. For more information, see [Setup worksheet](setup-worksheet-surface-hub.md).
You should know which Exchange server the device account will use for email and calendar services. The device will attempt to discover this automatically during first run, but if auto-discovery doesn't work, you may need to enter the server info manually.
### Admin group management
Every Surface Hub can be configured individually by opening the Settings app on the device. To prevent people who are not administrators from changing settings, the Settings app requires local administrator credentials to open the app and change settings. See [Admin group management](admin-group-management-for-surface-hub.md) for details on how admin groups are set up and managed.
## Skype for Business
Certificates may be required in order to have the Surface Hub use Skype for Business.
## <a href="" id="prepare-checklist"></a>Checklist for preparation
In order to ensure that your environment is ready for the Surface Hub, verify the items in the following list.
1. The device account has been created.
Test this by running:
- Surface Hub device account validation PowerShell scripts
- Lync Windows app from the Windows Store (if Lync runs successfully, then Skype for Business will most likely run).
2. Ensure that there is a working network/Internet connection for the device to connect to:
- It must be able to receive an IP address using DHCP (Surface Hub cannot be configured with a static IP address)
- It must have these ports open:
- HTTPS: 443
- HTTP: 80
If your network runs through a proxy, you'll need the proxy address or script information as well.
3. In order to improve your experience, we collect data. To collect data, we need these sites whitelisted:
- Telemetry client endpoint: https://vortex.data.microsoft.com/
- Telemetry settings endpoint: https://settings.data.microsoft.com/
4. Choose the local admin method you want to set up during first run (see [Set up admins for this device](first-run-program-surface-hub.md#setup-admins)). Also, decide whether you'll be using MDM (see [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md)).
5. You've created provisioning packages, as needed. See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md).
6. Have all necessary information available from the [Setup worksheet](setup-worksheet-surface-hub.md).
## In this section
<table>
<colgroup>
<col width="50%" />

2
devices/surface-hub/setup-worksheet-surface-hub.md
View File

@ -33,7 +33,7 @@ You should fill out one list for each Surface Hub you need to configure, althoug
<p>If your network uses a proxy for network and/or Internet access, you must provide a script or server/port information.</p>
</td>
<td>
<p>Proxy script: http://contoso/proxy.pa </br>
<p>Proxy script: <code>http://contoso/proxy.pa</code> </br>
- OR - </br>
Server and port info: 10.10.10.100, port 80
</p>

30
devices/surface/TOC.md
View File

@ -1,21 +1,25 @@
# [Surface](index.md)
## [Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md)
## [Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md)
## [Deploy Surface devices](deploy.md)
### [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md)
### [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md)
### [Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md)
### [Ethernet adapters and Surface deployment](ethernet-adapters-and-surface-device-deployment.md)
### [Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md)
#### [Step by step: Surface Deployment Accelerator](step-by-step-surface-deployment-accelerator.md)
#### [Using the Surface Deployment Accelerator deployment share](using-the-sda-deployment-share.md)
## [Surface firmware and driver updates](update.md)
### [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)
### [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)
### [Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)
### [Surface Dock Updater](surface-dock-updater.md)
## [Deploy Surface app with Windows Store for Business](deploy-surface-app-with-windows-store-for-business.md)
## [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md)
## [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)
## [Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md)
## [Ethernet adapters and Surface deployment](ethernet-adapters-and-surface-device-deployment.md)
## [Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)
## [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)
## [Manage Surface UEFI settings](manage-surface-uefi-settings.md)
## [Surface Data Eraser](microsoft-surface-data-eraser.md)
## [Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md)
### [Step by step: Surface Deployment Accelerator](step-by-step-surface-deployment-accelerator.md)
## [Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md)
## [Surface Dock Updater](surface-dock-updater.md)
### [Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md)
## [Surface Enterprise Management Mode](surface-enterprise-management-mode.md)
### [Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md)
### [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md)
## [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md)
## [Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md)
## [Surface Data Eraser](microsoft-surface-data-eraser.md)

3
devices/surface/advanced-uefi-security-features-for-surface.md Normal file
View File

@ -0,0 +1,3 @@
---
redirect_url: https://technet.microsoft.com/itpro/surface/advanced-uefi-security-features-for-surface-pro-3
---

43
devices/surface/deploy.md Normal file
View File

@ -0,0 +1,43 @@
---
title: Deploy Surface devices (Surface)
description: Get deployment guidance for your Surface devices including information about MDT, OOBE customization, Ethernet adaptors, and Surface Deployment Accelerator.
ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: surface, devices
ms.sitesec: library
author: heatherpoulsen
---
# Deploy Surface devices
Get deployment guidance for your Surface devices including information about MDT, OOBE customization, Ethernet adaptors, and Surface Deployment Accelerator.
## In this section
| Topic | Description |
| --- | --- |
| [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) | Walk through the recommended process of how to deploy Windows 10 to your Surface devices with the Microsoft Deployment Toolkit.|
| [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md)| Find out how to perform a Windows 10 upgrade deployment to your Surface devices. |
| [Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md)| Walk through the process of customizing the Surface out-of-box experience for end users in your organization.|
| [Ethernet adapters and Surface deployment](ethernet-adapters-and-surface-device-deployment.md)| Get guidance and answers to help you perform a network deployment to Surface devices.|
| [Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md)| See how Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices. |
 
## Related topics
[Surface TechCenter](https://technet.microsoft.com/windows/surface)
[Surface for IT pros blog](http://blogs.technet.com/b/surface/)
 
 

BIN
devices/surface/images/using-sda-driverfiles-fig1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 35 KiB

BIN
devices/surface/images/using-sda-installcommand-fig2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 34 KiB

BIN
devices/surface/images/using-sda-newinstall-fig3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 59 KiB

97
devices/surface/index.md
View File

@ -2,6 +2,7 @@
title: Surface (Surface)
description:
ms.assetid: 2a6aec85-b8e2-4784-8dc1-194ed5126a04
localizationpriority: high
ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: surface, devices
@ -12,96 +13,28 @@ author: heatherpoulsen
# Surface
## Purpose
This library provides guidance to help you deploy Windows on Surface devices, keep those devices up to date, and easily manage and support Surface devices in your organization.
For more information on planning for, deploying, and managing Surface devices in your organization, see the [Surface TechCenter](https://technet.microsoft.com/en-us/windows/surface).
## In this section
| Topic | Description |
| --- | --- |
| [Deploy Surface devices](deploy.md) | Get deployment guidance for your Surface devices including information about MDT, OOBE customization, Ethernet adaptors, and Surface Deployment Accelerator. |
| [Surface firmware and driver updates](update.md) | Find out how to download and manage the latest firmware and driver updates for your Surface device. |
| [Deploy Surface app with Windows Store for Business](deploy-surface-app-with-windows-store-for-business.md) | Find out how to add and download Surface app with Windows Store for Business, as well as install Surface app with PowerShell and MDT. |
| [Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md) | Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device. |
| [Manage Surface UEFI settings](manage-surface-uefi-settings.md) | Use Surface UEFI settings to enable or disable devices, configure security settings, and adjust Surface device boot settings. |
| [Surface Enterprise Management Mode](surface-enterprise-management-mode.md) | See how this feature of Surface devices with Surface UEFI allows you to secure and manage firmware settings within your organization. |
| [Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md) | Find out how you can use the Microsoft Surface Diagnostic Toolkit to test the hardware of your Surface device. |
| [Surface Data Eraser](microsoft-surface-data-eraser.md) | Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices. |
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Topic</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>[Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md)</p></td>
<td><p>Find out how to install and configure the v3.11.760.0 UEFI update to enable additional security options for Surface Pro 3 devices.</p></td>
</tr>
<tr class="even">
<td><p>[Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md)</p></td>
<td><p>Walk through the process of customizing the Surface out-of-box experience for end users in your organization.</p></td>
</tr>
<tr class="odd">
<td><p>[Deploy Surface app with Windows Store for Business](deploy-surface-app-with-windows-store-for-business.md)</p></td>
<td><p>Find out how to add and download Surface app with Windows Store for Business, as well as install Surface app with PowerShell and MDT.</p></td>
</tr>
<tr class="even">
<td><p>[Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md)</p></td>
<td><p>Walk through the recommended process of how to deploy Windows 10 to your Surface devices with the Microsoft Deployment Toolkit.</p></td>
</tr>
<tr class="odd">
<td><p>[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)</p></td>
<td><p>Get a list of the available downloads for Surface devices and links to download the drivers and firmware for your device.</p></td>
</tr>
<tr class="even">
<td><p>[Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md)</p></td>
<td><p>Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device.</p></td>
</tr>
<tr class="odd">
<td><p>[Ethernet adapters and Surface deployment](ethernet-adapters-and-surface-device-deployment.md)</p></td>
<td><p>Get guidance and answers to help you perform a network deployment to Surface devices.</p></td>
</tr>
<tr class="even">
<td><p>[Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)</p></td>
<td><p>Read about the different methods you can use to manage the process of Surface Dock firmware updates.</p></td>
</tr>
<tr class="odd">
<td><p>[Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)</p></td>
<td><p>Explore the available options to manage firmware and driver updates for Surface devices.</p></td>
</tr>
<tr class="even">
<td><p>[Manage Surface UEFI settings](manage-surface-uefi-settings.md)<p></td>
<td><p>Use Surface UEFI settings to enable or disable devices, configure security settings, and adjust Surface device boot settings.</p></td>
</tr>
<tr class="odd">
<td><p>[Surface Data Eraser](microsoft-surface-data-eraser.md)</p></td>
<td><p>Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices.</p></td>
</tr>
<tr class="even">
<td><p>[Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md)</p></td>
<td><p>See how Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices.</p></td>
</tr>
<tr class="odd">
<td><p>[Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md)</p></td>
<td><p>Find out how you can use the Microsoft Surface Diagnostic Toolkit to test the hardware of your Surface device.</p></td>
</tr>
<tr class="even">
<td><p>[Surface Dock Updater](surface-dock-updater.md)</p></td>
<td><p>Get a detailed walkthrough of Microsoft Surface Dock Updater.</p></td>
</tr>
<tr class="odd">
<td><p>[Surface Enterprise Management Mode](surface-enterprise-management-mode.md)</p></td>
<td><p>See how this feature of Surface devices with Surface UEFI allows you to secure and manage firmware settings within your organization.
</p></td>
</tr>
<tr class="even">
<td><p>[Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md)</p></td>
<td><p>Find out how to perform a Windows 10 upgrade deployment to your Surface devices.</p></td>
</tr>
</tbody>
</table>
 

7
devices/surface/manage-surface-uefi-settings.md
View File

@ -14,7 +14,8 @@ author: miladCA
Current and future generations of Surface devices, including Surface Pro 4 and Surface Book, use a unique UEFI firmware engineered by Microsoft specifically for these devices. This firmware allows for significantly greater control of the devices operation over firmware versions in earlier generation Surface devices, including the support for touch, mouse, and keyboard operation. By using the Surface UEFI settings you can easily enable or disable internal devices or components, configure security to protect UEFI settings from being changed, and adjust the Surface device boot settings.
>**Note:**&nbsp;&nbsp;Surface Pro 3, Surface 3, Surface Pro 2, Surface 2, Surface Pro, and Surface do not use the Surface UEFI and instead use firmware provided by third-party manufacturers, such as AMI.
>[!NOTE]
>Surface Pro 3, Surface 3, Surface Pro 2, Surface 2, Surface Pro, and Surface do not use the Surface UEFI and instead use firmware provided by third-party manufacturers, such as AMI.
You can enter the Surface UEFI settings on your Surface device by pressing the **Volume Up** button and the **Power** button simultaneously. Hold the **Volume Up** button until the Surface logo is displayed, which indicates that the device has begun to boot.
@ -137,3 +138,7 @@ Use the **Restart Now** button on the **Exit** page to exit UEFI settings, as sh
![Exit Surface UEFI and restart the device](images/manage-surface-uefi-fig8.png "Exit Surface UEFI and restart the device")
*Figure 8. Click Restart Now to exit Surface UEFI and restart the device*
## Related topics
[Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md)

6
devices/surface/microsoft-surface-deployment-accelerator.md
View File

@ -115,6 +115,10 @@ This version is the original release of SDA. This version of SDA includes suppor
* Windows 8.1
## Related topics
[Step by step: Surface Deployment Accelerator](step-by-step-surface-deployment-accelerator.md)
[Using the Surface Deployment Accelerator deployment share](using-the-sda-deployment-share.md)

34
devices/surface/surface-enterprise-management-mode.md
View File

@ -13,7 +13,8 @@ author: jobotto
Microsoft Surface Enterprise Management Mode (SEMM) is a feature of Surface devices with Surface UEFI that allows you to secure and manage firmware settings within your organization. With SEMM, IT professionals can prepare configurations of UEFI settings and install them on a Surface device. In addition to the ability to configure UEFI settings, SEMM also uses a certificate to protect the configuration from unauthorized tampering or removal.
>**Note**:&nbsp;&nbsp;SEMM is only available on devices with Surface UEFI firmware, such as Surface Pro 4 and Surface Book. For more information about Surface UEFI, see [Manage Surface UEFI Settings](https://technet.microsoft.com/en-us/itpro/surface/manage-surface-uefi-settings).
>[!NOTE]
>SEMM is only available on devices with Surface UEFI firmware, such as Surface Pro 4 and Surface Book. For more information about Surface UEFI, see [Manage Surface UEFI Settings](https://technet.microsoft.com/itpro/surface/manage-surface-uefi-settings).
When Surface devices are configured by SEMM and secured with the SEMM certificate, they are considered *enrolled* in SEMM. When the SEMM certificate is removed and control of UEFI settings is returned to the user of the device, the Surface device is considered *unenrolled* in SEMM.
@ -25,7 +26,8 @@ The primary workspace of SEMM is Microsoft Surface UEFI Configurator, as shown i
*Figure 1. Microsoft Surface UEFI Configurator*
>**Note**:&nbsp;&nbsp;Windows 10 is required to run Microsoft Surface UEFI Configurator
>[!NOTE]
>Windows 10 is required to run Microsoft Surface UEFI Configurator
You can use the Microsoft Surface UEFI Configurator tool in three modes:
@ -36,7 +38,7 @@ You can use the Microsoft Surface UEFI Configurator tool in three modes:
#### Download Microsoft Surface UEFI Configurator
You can download Microsoft Surface UEFI Configurator from the [Surface Tools for IT](https://www.microsoft.com/en-us/download/details.aspx?id=46703) page in the Microsoft Download Center.
You can download Microsoft Surface UEFI Configurator from the [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) page in the Microsoft Download Center.
### Configuration package
@ -48,7 +50,8 @@ Surface UEFI configuration packages are the primary mechanism to implement and m
See the [Surface Enterprise Management Mode certificate requirements](#surface-enterprise-management-mode-certificate-requirements) section of this article for more information about the requirements for the SEMM certificate.
>**Note**:&nbsp;&nbsp;You can also specify a UEFI password with SEMM that is required to view the **Security**, **Devices**, **Boot Configuration**, or **Enterprise Management** pages of Surface UEFI.
>[!NOTE]
>You can also specify a UEFI password with SEMM that is required to view the **Security**, **Devices**, **Boot Configuration**, or **Enterprise Management** pages of Surface UEFI.
After a device is enrolled in SEMM, the configuration file is read and the settings specified in the file are applied to UEFI. When you run a configuration package on a device that is already enrolled in SEMM, the signature of the configuration file is checked against the certificate that is stored in the device firmware. If the signature does not match, no changes are applied to the device.
@ -85,7 +88,8 @@ You can configure the following advanced settings with SEMM:
* Display of the Surface UEFI **Devices** page
* Display of the Surface UEFI **Boot** page
>**Note**:&nbsp;&nbsp;When you create a SEMM configuration package, two characters are shown on the **Successful** page, as shown in Figure 5.
>[!NOTE]
>When you create a SEMM configuration package, two characters are shown on the **Successful** page, as shown in Figure 5.
![Certificate thumbprint display](images\surface-ent-mgmt-fig5-success.png "Certificate thumbprint display")
@ -113,11 +117,13 @@ In some scenarios, it may be impossible to use a Surface UEFI reset package. (Fo
When you use the process on the **Enterprise Management** page to reset SEMM on a Surface device, you are provided with a Reset Request. This Reset Request can be saved as a file to a USB drive, copied as text, or read as a QR Code with a mobile device to be easily emailed or messaged. Use the Microsoft Surface UEFI Configurator Reset Request option to load a Reset Request file or enter the Reset Request text or QR Code. Microsoft Surface UEFI Configurator will generate a verification code that can be entered on the Surface device. If you enter the code on the Surface device and click **Restart**, the device will be unenrolled from SEMM.
>**Note**:&nbsp;&nbsp;A Reset Request expires two hours after it is created.
>[!NOTE]
>A Reset Request expires two hours after it is created.
## Surface Enterprise Management Mode certificate requirements
>**Note**:&nbsp;&nbsp;The SEMM certificate is required to perform any modification to SEMM or Surface UEFI settings on enrolled Surface devices. If the SEMM certificate is corrupted or lost, SEMM cannot be removed or reset. Manage your SEMM certificate accordingly with an appropriate solution for backup and recovery.
>[!NOTE]
>The SEMM certificate is required to perform any modification to SEMM or Surface UEFI settings on enrolled Surface devices. If the SEMM certificate is corrupted or lost, SEMM cannot be removed or reset. Manage your SEMM certificate accordingly with an appropriate solution for backup and recovery.
Packages created with the Microsoft Surface UEFI Configurator tool are signed with a certificate. This certificate ensures that after a device is enrolled in SEMM, only packages created with the approved certificate can be used to modify the settings of UEFI. The following settings are recommended for the SEMM certificate:
@ -132,8 +138,9 @@ Packages created with the Microsoft Surface UEFI Configurator tool are signed wi
It is also recommended that the SEMM certificate be authenticated in a two-tier public key infrastructure (PKI) architecture where the intermediate certification authority (CA) is dedicated to SEMM, enabling certificate revocation. For more information about a two-tier PKI configuration, see [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](https://technet.microsoft.com/library/hh831348).
>**Note**:&nbsp;&nbsp;You can use the following PowerShell script to create a self-signed certificate for use in proof-of-concept scenarios.
To use this script, copy the following text into Notepad and save the file as a PowerShell script (.ps1). This script creates a certificate with a password of `12345678`.<br/><br/>The certificate generated by this script is not recommended for production environments.
>[!NOTE]
>You can use the following PowerShell script to create a self-signed certificate for use in proof-of-concept scenarios.
> To use this script, copy the following text into Notepad and save the file as a PowerShell script (.ps1). This script creates a certificate with a password of `12345678`.<br/><br/>The certificate generated by this script is not recommended for production environments.
```
if (-not (Test-Path "Demo Certificate")) { New-Item -ItemType Directory -Force -Path "Demo Certificate" }
@ -160,4 +167,11 @@ $TestUefiV2 | Export-PfxCertificate -Password $pw -FilePath "Demo Certificate\Te
For use with SEMM and Microsoft Surface UEFI Configurator, the certificate must be exported with the private key and with password protection. Microsoft Surface UEFI Configurator will prompt you to select the SEMM certificate file (.pfx) and certificate password when it is required.
>**Note**:&nbsp;&nbsp;For organizations that use an offline root in their PKI infrastructure, Microsoft Surface UEFI Configurator must be run in an environment connected to the root CA to authenticate the SEMM certificate. The packages generated by Microsoft Surface UEFI Configurator can be transferred as files and therefore can be transferred outside the offline network environment with removable storage, such as a USB stick.
>[!NOTE]
>For organizations that use an offline root in their PKI infrastructure, Microsoft Surface UEFI Configurator must be run in an environment connected to the root CA to authenticate the SEMM certificate. The packages generated by Microsoft Surface UEFI Configurator can be transferred as files and therefore can be transferred outside the offline network environment with removable storage, such as a USB stick.
## Related topics
[Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md)
[Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md)

38
devices/surface/update.md Normal file
View File

@ -0,0 +1,38 @@
---
title: Surface firmware and driver updates (Surface)
description: Find out how to download and manage the latest firmware and driver updates for your Surface device.
ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: surface, devices
ms.sitesec: library
author: heatherpoulsen
---
# Surface firmware and driver updates
Find out how to download and manage the latest firmware and driver updates for your Surface device.
## In this section
| Topic | Description |
| --- | --- |
| [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)| Get a list of the available downloads for Surface devices and links to download the drivers and firmware for your device.|
| [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)| Explore the available options to manage firmware and driver updates for Surface devices.|
| [Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)| Read about the different methods you can use to manage the process of Surface Dock firmware updates.|
| [Surface Dock Updater](surface-dock-updater.md)| Get a detailed walkthrough of Microsoft Surface Dock Updater.|
 
## Related topics
[Surface TechCenter](https://technet.microsoft.com/windows/surface)
[Surface for IT pros blog](http://blogs.technet.com/b/surface/)
 
 

163
devices/surface/using-the-sda-deployment-share.md Normal file
View File

@ -0,0 +1,163 @@
---
title: Using the Microsoft Surface Deployment Accelerator deployment share (Surface)
description: Explore the scenarios where you can use SDA to meet the deployment needs of your organization including Proof of Concept, pilot deployment, as well as import additional drivers and applications.
keywords: deploy, install, automate, deployment solution
ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: surface, devices
ms.sitesec: library
author: Scottmca
---
# Using the Microsoft Surface Deployment Accelerator deployment share
With Microsoft Surface Deployment Accelerator (SDA), you can quickly and easily set up a deployment solution that is ready to deploy Windows to Surface devices. The prepared environment is built on powerful deployment technologies available from Microsoft, such as the [Microsoft Deployment Toolkit (MDT)](https://technet.microsoft.com/en-us/windows/dn475741), and is capable of immediately performing a deployment after configuration. See [Step-by-Step: Surface Deployment Accelerator](https://technet.microsoft.com/en-us/itpro/surface/step-by-step-surface-deployment-accelerator) for a comprehensive walkthrough of using the SDA wizard to set up a deployment share and perform a deployment.
For more information about SDA and information on how to download SDA, see [Microsoft Surface Deployment Accelerator (SDA)](https://technet.microsoft.com/en-us/itpro/surface/microsoft-surface-deployment-accelerator).
Using SDA provides these primary benefits:
* With SDA, you can create a ready-to-deploy environment that can deploy to target devices as fast as your download speeds allow. The wizard experience enables you to check a few boxes and then the automated process builds your deployment environment for you.
* With SDA, you prepare a deployment environment built on the industry leading deployment solution of MDT. With MDT you can scale from a relatively basic deployment of a few Surface devices to a solution capable of deploying to thousands of devices including all of the different makes and models in your organization and all of the applications required by each device and user.
This article explores four scenarios where you can use SDA to meet the needs of your organization. See [Deploy Windows 10](https://technet.microsoft.com/en-us/itpro/windows/deploy/index) to explore the capabilities of MDT and the Windows deployment technologies available from Microsoft in greater detail.
## Perform a Proof of Concept deployment
One of the primary scenarios for use of SDA is as a Proof of Concept. A *Proof of Concept* (PoC) enables you to test or evaluate the capabilities of a solution or technology. A PoC is often used to illustrate the benefits of the solution or technology to decision makers. For example, if you want to recommend Surface devices as a replacement of older point of sale (POS) systems, you could perform a PoC to demonstrate how Surface devices provide superior computing power, flexibility, and connectivity when compared to alternate options.
Using SDA to prepare a PoC of Surface devices enables you to very quickly prepare a demonstration of Surface device or devices, which gives you more time for customization or preparation. The flexibility of SDA even lets you import resources, like applications and drivers, from existing MDT deployment infrastructure. See the [Work with existing deployment shares](#work-with-existing-deployment-shares) section later in this article for more information.
SDA is also an excellent PoC of the capabilities of MDT. SDA demonstrates just how quickly an MDT deployment environment can be prepared and made ready for deployment to devices. It also shows just how flexible and customizable the MDT solution can be, with support for Windows 10 and Windows 8.1, for Windows Store and desktop applications, and several models of Surface devices.
Some recommendations for a successful PoC with SDA are:
* Keep your SDA deployment environment separate from your production network. This ensures optimal performance and reduces potential for conflicts during your PoC deployment.
* Use a fresh and updated instance of Windows Server to house your SDA deployment share to maintain the simplicity and performance of the demonstration environment.
* Test the deployment process before you demonstrate your PoC. This reduces the potential for unexpected situations and keeps the demonstration focused on the deployment process and Surface devices.
* Use offline files with SDA to further reduce installation times.
* For help with your PoC, contact [Surface Support](https://www.microsoft.com/surface/en-us/support/contact-us-business).
## Perform a pilot deployment
A pilot deployment differs from a PoC. Where a PoC is usually a closed demonstration that is performed prior to the deployment process in order to get approval for the use of certain technologies or solutions, a *pilot deployment* is performed during the deployment process as a limited scope deployment for testing and validation. The focus of a pilot deployment can be as narrow as only a handful of devices, or wide enough to include a significant portion of your organization.
>[!NOTE]
>A pilot deployment should not replace the testing process that should be performed regularly in the lab as the deployment environment is built and developed. A deployment solution should be tested in virtual and physical environments as new applications and drivers are added and when task sequences are modified and before a pilot deployment is performed.
For example, you are tasked with deploying Surface devices to mobile workers and you want to test the organizations MDT deployment process by providing a small number of devices to executives. You can use SDA to create an isolated Surface deployment environment and then copy the task sequence, applications, and drivers needed from the production deployment share. This not only enables you to quickly create a Surface deployment, but it also minimizes the risk to the production deployment process used for other types of devices.
For small organizations, the pilot deployment environment of SDA may suffice as a complete deployment solution. Even if you do not have an existing deployment environment, you can import drivers and applications (covered later in this article) to provide a complete deployment solution based on MDT. Even without previous knowledge of MDT or Windows deployment, you can follow the [Step-by-Step: Surface Deployment Accelerator](https://technet.microsoft.com/en-us/itpro/surface/step-by-step-surface-deployment-accelerator) article to get started with a deployment to Surface devices.
## Import additional drivers
The SDA deployment share includes all of the drivers needed for Surface devices. This includes the drivers for the components inside the Surface device, such as the wireless network adapter and the main chipset, as well as drivers for Surface accessories, such as the Surface Dock or Surface USB Ethernet adapters. The SDA deployment share does not, however, include drivers for third-party devices or peripherals.
For example, you may intend to use your Surface device with a thermal printer, credit card reader, and barcode scanner as a POS terminal. In this scenario, the thermal printer, credit card reader, and barcode scanner will very likely require installation of drivers to operate properly. You could potentially download and install these drivers from Windows Update when each peripheral is connected, or you could install the driver package from the manufacturer manually on each Surface device, but the ideal solution is to have these drivers already present in Windows so that when the peripheral is connected, it will just work.
Because SDA is built on MDT, adding the drivers to the SDA deployment share is easy and simple.
>[!NOTE]
>The drivers must be in the Setup Information File (.inf) format. If the drivers for your device come as an executable file (.exe), they may need to be extracted or installed to procure the .inf file. Some device drivers come packaged with applications, for example an all-in-one printer bundled with scan software. These applications will need to be installed separately from the drivers.
To import drivers for a peripheral device:
1. Download the drivers for your device from the manufacturer web site.
2. Open the MDT Deployment Workbench.
3. Expand the **Deployment Shares** node and expand the SDA deployment share.
4. Expand the **Out-of-Box Drivers** folder.
5. Select the folder of the Surface model for which you would like to include this driver.
6. Click **Import Drivers** to start the Import Drivers Wizard, as shown in Figure 1.
![Provide the location of your driver files](images\using-sda-driverfiles-fig1.png "Provide the location of your driver files")
*Figure 1. Provide the location of your driver files*
7. The Import Drivers Wizard presents a series of steps:
- **Specify Directory** Click **Browse** and navigate to the folder where you stored the drivers in Step 1.
- **Summary** Review the specified configuration on this page before you click **Next** to begin the import process.
- **Progress** While the drivers are imported, a progress bar is displayed on this page.
- **Confirmation** When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the Import Drivers Wizard.
8. Repeat Steps 5-7 for each Surface model on which you would like to include this driver.
9. Close the Deployment Workbench.
After the drivers are imported for the Surface model, the deployment task sequence will automatically select the drivers during the deployment process and include them in the Windows environment. When you connect your device, such as the barcode scanner in the example, Windows should automatically detect the device and you should be able to use it immediately.
>[!NOTE]
>You can even import drivers for other computer makes and models to support other devices. See **Step 5: Prepare the drivers repository** in [Deploy a Windows 10 image using MDT 2013 Update 2](https://technet.microsoft.com/en-us/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt) for more information about how to import drivers for other makes and models.
## Import additional applications
As with drivers, the SDA deployment share can be pre-configured with apps like the Surface App and Microsoft Office 365. You can also add applications to the SDA deployment share and configure them to be installed on your Surface devices during deployment of Windows. In the ideal scenario, your Surface devices deployed with the SDA deployment share will include all of the applications needed to be ready for your end users.
In the previous example for including drivers for a POS system, you would also need to include POS software for processing transactions and recording the input from the barcode scanner and credit card reader. To import an application and prepare it for installation on your Surface devices during Windows deployment:
1. Download the application installation files or locate the installation media for your application.
2. Determine the command line instruction for silent installation, usually provided by the developer of the application. For Windows Installer files (.msi), see [Standard Installer Command-Line Options](https://msdn.microsoft.com/library/windows/desktop/aa372024) in the Windows Dev Center.
3. Open the MDT Deployment Workbench.
4. Expand the **Deployment Shares** node and expand the SDA deployment share.
5. Expand the **Applications** folder.
6. Click **New Application** to start the New Application Wizard, as shown in Figure 2.
![Provide the command to install your application](images\using-sda-installcommand-fig2.png "Provide the command to install your application")
*Figure 2: Provide the command to install your application*
7. Follow the steps of the New Application Wizard:
- **Application Type** Click **Application with Source Files**, and then click **Next**.
- **Details** Enter a name for the application in the **Application Name** field. Enter publisher, version, and language information in the **Publisher**, **Version**, and **Language** fields if desired. Click **Next**.
- **Source** Click **Browse** to navigate to and select the folder with the application installation files procured in Step 1, and then click **Next**.
- **Destination** Enter a name for the folder where the application files will be stored in the **Specify the Name of the Directory that Should Be Created** field or click **Next** to accept the default name.
- **Command Details** Enter the silent command-line instruction, for example `setup.msi /quiet /norestart`
- **Summary** Review the specified configuration on this page before you click **Next** to begin the import process.
- **Progress** While the installation files are imported, a progress bar is displayed on this page.
- **Confirmation** When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the New Application Wizard.
8. Click the **Task Sequences** folder, right-click **1 - Deploy Microsoft Surface**, and then click **Properties**.
9. Click the **Task Sequence** tab to view the steps that are included in the new task sequence.
10. Select the **Windows Update (Pre-Application Installation)** step, and then click **Add**.
11. Hover the mouse over **General** under the **Add** menu, and then click **Install Application**. This will add a new step after the selected step for the installation of a specific application as shown in Figure 3.
![A new Install Application step for Sample POS App](images\using-sda-newinstall-fig3.png "A new Install Application step for Sample POS App")
*Figure 3. A new Install Application step for Sample POS App*
12. On the **Properties** tab of the new **Install Application** step, enter **Install - Sample POS App** in the **Name** field, where *Sample POS App* is the name of your app.
13. Click **Install a Single Application**, and then click **Browse** to view available applications that have been imported into the deployment share.
14. Select your app from the list of applications, and then click **OK**.
15. Click **OK** to close the task sequence properties.
16. Close the Deployment Workbench.
## Work with existing deployment shares
One of the many benefits of an MDT deployment share is the simplicity of how deployment resources are stored. The MDT deployment share is, at its core, just a standard network file share. All deployment resources, such as Windows images, application installation files, and drivers, are stored in a share that can be browsed with File Explorer, copied and pasted, and moved just like any other file share, provided that you have the necessary permissions. This makes working with deployment resources extremely easy. MDT even allows you to make it easier by allowing you to open multiple deployment shares from the Deployment Workbench and to transfer or copy resources between them.
This ability gives SDA some extra capabilities when used in an environment with an existing MDT infrastructure. For example, if you install SDA on an isolated server to prepare a PoC and then log on to your production MDT deployment share from the Deployment Workbench on your SDA server, you can copy applications, drivers, task sequences, and other components into the SDA deployment share that is prepared with Surface apps and drivers. With this process, in a very short amount time, you can have a deployment environment ready to deploy your organizations precise requirements to Surface devices.
You can also use this capability in reverse. For example, you can copy the Surface drivers, deployment task sequences, and apps directly into a lab or testing environment following a successful PoC. Using these resources, you can immediately begin to integrate Surface deployment into your existing deployment infrastructure.

2
education/windows/TOC.md
View File

@ -1,5 +1,4 @@
# [Windows 10 for Education](index.md)
## [Change history for Windows 10 for Education](change-history-edu.md)
## [Windows 10 editions for education customers](windows-editions-for-education-customers.md)
## [Setup options for Windows 10](set-up-windows-10.md)
### [Use the Set up School PCs app ](use-set-up-school-pcs-app.md)
@ -18,3 +17,4 @@
## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
## [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
## [Chromebook migration guide](chromebook-migration-guide.md)
## [Change history for Windows 10 for Education](change-history-edu.md)

21
education/windows/change-history-edu.md
View File

@ -12,6 +12,11 @@ author: jdeckerMS
This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation.
## September 2016
| New or changed topic | Description|
| --- | --- |
| [Create tests using Microsoft Forms](create-tests-using-microsoft-forms.md) | New. Learn how to use Microsoft Forms with the Take a Test app to prevent access to other computers or online resources while completing a test. |
## RELEASE: Windows 10, version 1607
The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added:
@ -21,29 +26,25 @@ The topics in this library have been updated for Windows 10, version 1607 (also
- [Provision student PCs with apps](set-up-students-pcs-with-apps.md)
- [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
## July 2016
| New or changed topic | Description|
| --- | --- |
| [Windows 10 editions for education customers](windows-editions-for-education-customers.md) | New |
|[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)|New |
| [Windows 10 editions for education customers](windows-editions-for-education-customers.md) | New. Learn about the two editions in Windows 10, version 1607 that's designed for the needs of K-12 institutions. |
|[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)|New. Learn how to deploy Windows 10 in a school district. Integrate the school environment with Office 365, AD DS, and Microsoft Azure AD, use SCCM, Intune, and Group Policy to manage devices. |
## June 2016
| New or changed topic | Description |
|----------------------|-------------|
| [Get Minecraft Education Edition](get-minecraft-for-education.md) </br> [For teachers: get Minecraft Education Edition](teacher-get-minecraft.md) </br> [For IT administrators: get Minecraft Education Edition](school-get-minecraft.md) | New |
| [Get Minecraft Education Edition](get-minecraft-for-education.md) </br> [For teachers: get Minecraft Education Edition](teacher-get-minecraft.md) </br> [For IT administrators: get Minecraft Education Edition](school-get-minecraft.md) | New. Learn how to get and distribute Minecraft: Education Edition. |
## May 2016
| New or changed topic | Description |
|----------------------|-------------|
| [Use the Set up School PCs app (Preview)](use-set-up-school-pcs-app.md) | New |
| [Set up School PCs app technical reference (Preview)](set-up-school-pcs-technical.md) | New |
| [Take tests in Windows 10 (Preview)](take-tests-in-windows-10.md) </br> [Set up Take a Test on a single PC (Preview)](take-a-test-single-pc.md) </br> [Set up Take a Test on multiple PCs (Preview)](take-a-test-multiple-pcs.md) </br> [Take a Test app technical reference (Preview)](take-a-test-app-technical.md) | New |
| [Use the Set up School PCs app (Preview)](use-set-up-school-pcs-app.md) | New. Learn how the Set up School PCs app works and how to use it. |
| [Set up School PCs app technical reference (Preview)](set-up-school-pcs-technical.md) | New. Describes the changes that the Set up School PCs app makes to a PC. |
| [Take tests in Windows 10 (Preview)](take-tests-in-windows-10.md) </br> [Set up Take a Test on a single PC (Preview)](take-a-test-single-pc.md) </br> [Set up Take a Test on multiple PCs (Preview)](take-a-test-multiple-pcs.md) </br> [Take a Test app technical reference (Preview)](take-a-test-app-technical.md) | New. Learn how to set up and use the Take a Test app. |
| [Chromebook migration guide](chromebook-migration-guide.md) | Moved from [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/en-us/itpro/windows/plan/index) library, originally published in November 2015 |
| [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Moved from [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/en-us/itpro/windows/plan/index) library, originally published in May 2016 |

2
education/windows/create-tests-using-microsoft-forms.md
View File

@ -1,6 +1,6 @@
---
title: Create tests using Microsoft Forms
description: Learn how to use Microsoft Forms with the Take a Test app to prevent access to other computers or online resources while complete a test.
description: Learn how to use Microsoft Forms with the Take a Test app to prevent access to other computers or online resources while completing a test.
keywords: school, Take a Test, Microsoft Forms
ms.prod: w10
ms.mktglfcycl: plan

23
education/windows/set-up-school-pcs-technical.md
View File

@ -191,16 +191,6 @@ The **Set up School PCs** app produces a specialized provisioning package that m
</tr>
<tr> <td> <p> Turn off the advertising ID </p> </td> <td> <p> Enabled</p> </td>
</tr>
<tr> <td colspan="2"> <p> <strong>Admin Templates</strong>><strong>Windows Components </strong></p> </td>
</tr>
<tr> <td> <p> Do not show Windows Tips </p> </td> <td> <p> Enabled</p> </td>
</tr>
<tr> <td> <p> Turn off Microsoft consumer experiences </p> </td> <td> <p> Enabled</p> </td>
</tr>
<tr> <td> <p> Microsoft Passport for Work </p> </td> <td> <p> Disabled</p> </td>
</tr>
<tr> <td> <p> Prevent the usage of OneDrive for file storage </p> </td> <td> <p> Enabled</p> </td>
</tr>
<tr> <td colspan="2"> <p> <strong>Admin Templates</strong>><strong>Windows Components</strong>><strong>Biometrics</strong></p> </td>
</tr>
<tr> <td> <p> Allow the use of biometrics </p> </td> <td> <p> Disabled</p> </td>
@ -209,6 +199,11 @@ The **Set up School PCs** app produces a specialized provisioning package that m
</tr>
<tr> <td> <p> Allow domain users to log on using biometrics </p> </td> <td> <p> Disabled</p> </td>
</tr>
<tr><td colspan="2"><strong>Admin Templates</strong>><strong>Windows Components</strong>><strong>Cloud Content</strong></td></tr>
<tr> <td> <p> Do not show Windows Tips </p> </td> <td> <p> Enabled</p> </td>
</tr>
<tr> <td> <p> Turn off Microsoft consumer experiences </p> </td> <td> <p> Enabled</p> </td>
</tr>
<tr> <td colspan="2"> <p> <strong>Admin Templates</strong>><strong>Windows Components</strong>><strong>Data Collection and Preview Builds</strong></p> </td>
</tr>
<tr> <td> <p> Toggle user control over Insider builds </p> </td> <td> <p> Disabled</p> </td>
@ -235,10 +230,18 @@ The **Set up School PCs** app produces a specialized provisioning package that m
</tr>
<tr> <td> <p> Configure corporate home pages </p> </td> <td> <p> Enabled, about:blank</p> </td>
</tr>
<tr> <td colspan="2"> <p> <strong>Admin Templates</strong> > <strong>Windows Components</strong> > <strong>OneDrive</strong></p> </td>
</tr>
<tr> <td> <p> Prevent the usage of OneDrive for file storage </p> </td> <td> <p> Enabled</p> </td>
</tr>
<tr> <td colspan="2"> <p> <strong>Admin Templates</strong> > <strong>Windows Components</strong> > <strong>Search</strong></p> </td>
</tr>
<tr> <td> <p> Allow Cortana </p> </td> <td> <p> Disabled</p> </td>
</tr>
<tr> <td colspan="2"> <p> <strong>Admin Templates</strong> > <strong>Windows Components</strong> > <strong>Windows Hello for Business</strong></p> </td>
</tr>
<tr> <td> <p> Use Windows Hello for Business </p> </td> <td> <p> Disabled</p> </td>
</tr>
<tr> <td colspan="2"> <p> <strong>Windows Settings</strong> > <strong>Security Settings</strong> > <strong>Local Policies</strong> > <strong>Security Options</strong></p> </td>
</tr>
<tr><td><p>Accounts: Block Microsoft accounts</p><p>**Note** Microsoft accounts can still be used in apps.</p></td><td><p>Enabled</p></td></tr>

1
education/windows/windows-editions-for-education-customers.md
View File

@ -7,7 +7,6 @@ ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
author: CelesteDG
localizationpriority: high
---
# Windows 10 editions for education customers

26
mdop/TOC.md
View File

@ -1,21 +1,21 @@
# [Microsoft Desktop Optimization Pack](index.md)
## [Advanced Group Policy Management](agpm/)
## [Advanced Group Policy Management](agpm/index.md)
## [Application Virtualization]()
### [Application Virtualization 5](appv-v5/)
### [Application Virtualization 4](appv-v4/)
### [Application Virtualization 5](appv-v5/index.md)
### [Application Virtualization 4](appv-v4/index.md)
### [SoftGrid Application Virtualization](softgrid-application-virtualization.md)
## [Diagnostics and Recovery Toolset]()
### [Diagnostics and Recovery Toolset 10](dart-v10/)
### [Diagnostics and Recovery Toolset 8](dart-v8/)
### [Diagnostics and Recovery Toolset 7](dart-v7/)
### [Diagnostics and Recovery Toolset 10](dart-v10/index.md)
### [Diagnostics and Recovery Toolset 8](dart-v8/index.md)
### [Diagnostics and Recovery Toolset 7](dart-v7/index.md)
### [Diagnostics and Recovery Toolset 6.5](dart-v65.md)
## [Microsoft Bitlocker Administration and Monitoring]()
### [Microsoft Bitlocker Administration and Monitoring 2.5](mbam-v25/)
### [Microsoft Bitlocker Administration and Monitoring 2](mbam-v2/)
### [Microsoft Bitlocker Administration and Monitoring 1](mbam-v1/)
### [Microsoft Bitlocker Administration and Monitoring 2.5](mbam-v25/index.md)
### [Microsoft Bitlocker Administration and Monitoring 2](mbam-v2/index.md)
### [Microsoft Bitlocker Administration and Monitoring 1](mbam-v1/index.md)
## [Microsoft Enterprise Desktop Virtualization]()
### [Microsoft Enterprise Desktop Virtualization 2](medv-v2/)
### [Microsoft Enterprise Desktop Virtualization 2](medv-v2/index.md)
## [User Experience Virtualization]()
### [User Experience Virtualization 2](uev-v2/)
### [User Experience Virtualization 1](uev-v1/)
## [MDOP Solutions and Scenarios](solutions/)
### [User Experience Virtualization 2](uev-v2/index.md)
### [User Experience Virtualization 1](uev-v1/index.md)
## [MDOP Solutions and Scenarios](solutions/index.md)

10
windows/TOC.md
View File

@ -1,6 +1,6 @@
# [Windows 10 and Windows 10 Mobile](index.md)
## [What's new in Windows 10](whats-new/)
## [Plan for Windows 10 deployment](plan/)
## [Deploy Windows 10](deploy/)
## [Keep Windows 10 secure](keep-secure/)
## [Manage and update Windows 10](manage/)
## [What's new in Windows 10](whats-new/index.md)
## [Plan for Windows 10 deployment](plan/index.md)
## [Deploy Windows 10](deploy/index.md)
## [Keep Windows 10 secure](keep-secure/index.md)
## [Manage and update Windows 10](manage/index.md)

6
windows/deploy/activate-using-active-directory-based-activation-client.md
View File

@ -24,8 +24,8 @@ localizationpriority: high
**Looking for retail activation?**
- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. Active Directory-based activation requires that the forest schema be updated by adprep.exe on a computer running Windows Server 2012 R2 or Windows Server 2012, but after the schema is updated, older domain controllers can still activate clients.
Any domain-joined computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 with a GVLK will be activated automatically and transparently. They will stay activated as long as they remain members of the domain and maintain periodic contact with a domain controller. Activation takes place after the Licensing service starts. When this service starts, the computer contacts AD DS automatically, receives the activation object, and is activated without user intervention.
Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. Active Directory-based activation requires that the forest schema be updated by adprep.exe on a computer running Windows Server 2012 or Windows Server 2012 R2, but after the schema is updated, older domain controllers can still activate clients.
Any domain-joined computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2 with a GVLK will be activated automatically and transparently. They will stay activated as long as they remain members of the domain and maintain periodic contact with a domain controller. Activation takes place after the Licensing service starts. When this service starts, the computer contacts AD DS automatically, receives the activation object, and is activated without user intervention.
To allow computers with GVLKs to activate themselves, use the Volume Activation Tools console in Windows Server 2012 R2 or the VAMT in earlier versions of Windows Server to create an object in the AD DS forest. You create this activation object by submitting a KMS host key to Microsoft, as shown in Figure 10.
The process proceeds as follows:
1. Perform one of the following tasks:
@ -38,7 +38,7 @@ The process proceeds as follows:
**Figure 10**. The Active Directory-based activation flow
For environments in which all computers are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2, and they are joined to a domain, Active Directory-based activation is the best option for activating all client computers and servers, and you may be able to remove any KMS hosts from your environment.
For environments in which all computers are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2, and they are joined to a domain, Active Directory-based activation is the best option for activating all client computers and servers, and you may be able to remove any KMS hosts from your environment.
If an environment will continue to contain earlier volume licensing operating systems and applications or if you have workgroup computers outside the domain, you need to maintain a KMS host to maintain activation status for earlier volume licensing editions of Windows and Office.
Clients that are activated with Active Directory-based activation will maintain their activated state for up to 180 days since the last contact with the domain, but they will periodically attempt to reactivate before then and at the end of the 180day period. By default, this reactivation event occurs every seven days.
When a reactivation event occurs, the client queries AD DS for the activation object. Client computers examine the activation object and compare it to the local edition as defined by the GVLK. If the object and GVLK match, reactivation occurs. If the AD DS object cannot be retrieved, client computers use KMS activation. If the computer is removed from the domain, when the computer or the Software Protection service is restarted, the operating system will change the status from activated to not activated, and the computer will try to activate with KMS.

1
windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md
View File

@ -5,6 +5,7 @@ ms.assetid: 77f769cc-1a47-4f36-8082-201cd77b8d3b
keywords: image, deploy, distribute
ms.prod: w10
ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
author: mtniehaus
---

33
windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
View File

@ -4,6 +4,7 @@ description: In this topic, you will learn how to configure the Windows Preinsta
ms.assetid: 97b3ea46-28d9-407e-8c42-ded2e45e8d5c
keywords: deploy, task sequence
ms.prod: w10
localizationpriority: high
ms.mktglfcycl: deploy
ms.sitesec: library
author: mtniehaus
@ -35,13 +36,12 @@ This section will show you how to import some network and storage drivers for Wi
5. On the **Select drivers to include in the boot image** page, select the **Zero Touch WinPE x64** boot image. Also select the **Update distribution points when finished** check box, and click **Next** twice.
![figure 21](images/fig21-add-drivers.png)
![Add drivers to Windows PE](images/fig21-add-drivers.png "Add drivers to Windows PE")
Figure 21. Add drivers to Windows PE.
**Note**  
The Updating Boot Image part of the wizard will appear to hang when displaying Done. It will complete in a minute or two.
*Figure 21. Add drivers to Windows PE*
>[!NOTE]  
>The Updating Boot Image part of the wizard will appear to hang when displaying Done. It will complete in a minute or two.
 
## <a href="" id="sec02"></a>Add drivers for Windows 10
@ -55,31 +55,28 @@ This section illustrates how to add drivers for Windows 10 through an example in
3. On the **Specify the details for the imported driver** page, click **Categories**, create a category named Windows 10 x64 - HP EliteBook 8560w, and then click **Next**.
![figure 22](images/fig22-createcategories.png)
![Create driver categories](images/fig22-createcategories.png "Create driver categories")
Figure 22. Create driver categories.
*Figure 22. Create driver categories*
4. On the **Select the packages to add the imported driver** page, click **New Package**, use the following settings for the package, and then click **Next**:
1. Name: Windows 10 x64 - HP EliteBook 8560w
* Name: Windows 10 x64 - HP EliteBook 8560w
2. Path: \\\\CM01\\Sources$\\OSD\\DriverPackages\\Windows 10 x64\\HP EliteBook 8560w
**Note**  
The package path does not yet exist, so you have to type it in. The wizard will create the new package in that folder.
* Path: \\\\CM01\\Sources$\\OSD\\DriverPackages\\Windows 10 x64\\HP EliteBook 8560w
>[!NOTE]  
>The package path does not yet exist, so you have to type it in. The wizard will create the new package in that folder.
 
5. On the **Select drivers to include in the boot image** page, do not select anything, and click **Next** twice. After the package has been created, click **Close**.
**Note**  
If you want to monitor the driver import process more closely, you can open the SMSProv.log file during driver import.
>[!NOTE]  
>If you want to monitor the driver import process more closely, you can open the SMSProv.log file during driver import.
 
![Drivers imported and a new driver package created](images/mdt-06-fig26.png "Drivers imported and a new driver package created")
![figure 23](images/mdt-06-fig26.png)
Figure 23. Drivers imported and a new driver package created.
*Figure 23. Drivers imported and a new driver package created*
## Related topics

1
windows/deploy/assign-applications-using-roles-in-mdt-2013.md
View File

@ -5,6 +5,7 @@ ms.assetid: d82902e4-de9c-4bc4-afe0-41d649b83ce7
keywords: settings, database, deploy
ms.prod: w10
ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus

3
windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md
View File

@ -5,6 +5,7 @@ ms.assetid: a6cd5657-6a16-4fff-bfb4-44760902d00c
keywords: replication, replicate, deploy, configure, remote
ms.prod: w10
ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus
@ -76,6 +77,7 @@ Setting up DFS-R for replication is a quick and straightforward process. You pre
![figure 3](images/mdt-10-fig03.png)
Figure 3. Sharing the **E:\\MDTProduction folder** on MDT02.
### Configure the deployment share
When you have multiple deployment servers sharing the same content, you need to configure the Bootstrap.ini file with information about which server to connect to based on where the client is located. In MDT, that can be done by using the DefaultGateway property.
@ -146,6 +148,7 @@ Once the MDT01 and MDT02 servers are prepared, you are ready to configure the ac
1. In the **Staging** tab, set the quota to **20480 MB**.
2. In the **Advanced** tab, set the quota to **8192 MB**.
In this scenario the size of the deployment share is known, but you might need to change the values for your environment. A good rule of thumb is to get the size of the 16 largest files and make sure they fit in the staging area. Here is a Windows PowerShell example that calculates the size of the 16 largest files in the E:\\MDTProduction deployment share:
``` syntax
(Get-ChildItem E:\MDTProduction -Recurse | Sort-Object Length -Descending | Select-Object -First 16 | Measure-Object -Property Length -Sum).Sum /1GB
```

1
windows/deploy/configure-a-pxe-server-to-load-windows-pe.md
View File

@ -4,6 +4,7 @@ description: This topic describes how to configure a PXE server to load Windows
keywords: upgrade, update, windows, windows 10, pxe, WinPE, image, wim
ms.prod: w10
ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay

1
windows/deploy/configure-mdt-2013-for-userexit-scripts.md
View File

@ -5,6 +5,7 @@ ms.assetid: 29a421d1-12d2-414e-86dc-25b62f5238a7
keywords: rules, script
ms.prod: w10
ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus

1
windows/deploy/configure-mdt-2013-settings.md
View File

@ -5,6 +5,7 @@ ms.assetid: d3e1280c-3d1b-4fad-8ac4-b65dc711f122
keywords: customize, customization, deploy, features, tools
ms.prod: w10
ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus

1
windows/deploy/configure-mdt-deployment-share-rules.md
View File

@ -5,6 +5,7 @@ ms.assetid: b5ce2360-33cc-4b14-b291-16f75797391b
keywords: rules, configuration, automate, deploy
ms.prod: w10
ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus

1
windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
View File

@ -5,6 +5,7 @@ ms.assetid: b9e96974-324d-4fa4-b0ce-33cfc49c4809
keywords: tool, customize, deploy, boot image
ms.prod: w10
ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
author: mtniehaus
---

75
windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md
View File

@ -5,6 +5,7 @@ ms.assetid: 0b069bec-5be8-47c6-bf64-7a630f41ac98
keywords: deploy, upgrade, task sequence, install
ms.prod: w10
ms.mktglfcycl: deploy
localizationpriority: high
ms.pagetype: mdt
ms.sitesec: library
author: mtniehaus
@ -24,7 +25,7 @@ For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is
## <a href="" id="sec01"></a>Create a task sequence using the MDT Integration Wizard
This section will walk you through the process of creating a System Center 2012 R2 Configuration Manager task sequence for production use.
This section walks you through the process of creating a System Center 2012 R2 Configuration Manager task sequence for production use.
1. On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**.
@ -32,27 +33,27 @@ This section will walk you through the process of creating a System Center 2012
3. On the **General** page, assign the following settings and then click **Next**:
1. Task sequence name: Windows 10 Enterprise x64 RTM
* Task sequence name: Windows 10 Enterprise x64 RTM
2. Task sequence comments: Production image with Office 2013
* Task sequence comments: Production image with Office 2013
4. On the **Details** page, assign the following settings and then click **Next**:
1. Join a Domain
* Join a Domain
2. Domain: contoso.com
* Domain: contoso.com
1. Account: CONTOSO\\CM\_JD
* Account: CONTOSO\\CM\_JD
2. Password: Passw0rd!
* Password: Passw0rd!
3. Windows Settings
* Windows Settings
1. User name: Contoso
* User name: Contoso
2. Organization name: Contoso
* Organization name: Contoso
3. Product key: &lt;blank&gt;
* Product key: &lt;blank&gt;
5. On the **Capture Settings** page, accept the default settings, and click **Next**.
@ -87,12 +88,10 @@ After you create the task sequence, we recommend that you configure the task seq
2. In the **Install** group, select the **Set Variable for Drive Letter** action and configure the following:
- OSDPreserveDriveLetter: True
* OSDPreserveDriveLetter: True
**Note**  
If you don't change this value, your Windows installation will end up in E:\\Windows.
 
>[!NOTE]  
>If you don't change this value, your Windows installation will end up in E:\\Windows.
3. In the **Post Install** group, select **Apply Network Settings**, and configure the Domain OU value to use the **Contoso / Workstations** OU (browse for values).
@ -102,57 +101,55 @@ After you create the task sequence, we recommend that you configure the task seq
6. After the **Post Install / Drivers** group, add an **Apply Driver Package** action with the following settings:
1. Name: HP EliteBook 8560w
* Name: HP EliteBook 8560w
2. Driver Package: Windows 10 x64 - HP EliteBook 8560w
* Driver Package: Windows 10 x64 - HP EliteBook 8560w
3. Options: Task Sequence Variable: Model equals HP EliteBook 8560w
* Options: Task Sequence Variable: Model equals HP EliteBook 8560w
**Note**  
You also can add a Query WMI condition with the following query: SELECT \* FROM Win32\_ComputerSystem WHERE Model LIKE '%HP EliteBook 8560w%'
>[!NOTE]  
>You also can add a Query WMI condition with the following query: SELECT \* FROM Win32\_ComputerSystem WHERE Model LIKE '%HP EliteBook 8560w%'
 
![Driver package options](images/fig27-driverpackage.png "Driver package options")
![figure 24](images/fig27-driverpackage.png)
Figure 24. The driver package options.
*Figure 24. The driver package options*
7. In the **State Restore / Install Applications** group, select the **Install Application** action.
8. Select the **Install the following applications** option, and add the OSD / Adobe Reader XI - OSD Install application to the list.
![figure 25](images/fig28-addapp.png)
![Add an application to the task sequence](images/fig28-addapp.png "Add an application to the task sequence")
Figure 25. Add an application to the Configuration Manager task sequence.
*Figure 25. Add an application to the Configuration Manager task sequence*
9. In the **State Restore** group, after the **Set Status 5** action, add a **Request State Store** action with the following settings:
1. Restore state from another computer
* Restore state from another computer
2. If computer account fails to connect to state store, use the Network Access account
* If computer account fails to connect to state store, use the Network Access account
3. Options: Continue on error
* Options: Continue on error
4. Options / Condition:
* Options / Condition:
1. Task Sequence Variable
* Task Sequence Variable
2. USMTLOCAL not equals True
* USMTLOCAL not equals True
10. In the **State Restore** group, after the **Restore User State** action, add a **Release State Store** action with the following settings:
1. Options: Continue on error
* Options: Continue on error
2. Options / Condition:
* Options / Condition:
1. Task Sequence Variable
* Task Sequence Variable
2. USMTLOCAL not equals True
* USMTLOCAL not equals True
11. Click **OK**.
**Note**  
The Request State Store and Release State Store actions need to be added for common computer replace scenarios.
>[!NOTE]  
>The Request State Store and Release State Store actions need to be added for common computer replace scenarios.
 

11
windows/deploy/create-a-windows-10-reference-image.md
View File

@ -5,6 +5,7 @@ ms.assetid: 9da2fb57-f2ff-4fce-a858-4ae4c237b5aa
keywords: deploy, deployment, configure, customize, install, installation
ms.prod: w10
ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus
@ -164,6 +165,7 @@ You also can customize the Office installation using a Config.xml file. But we r
If you need to add many applications, you can take advantage of the PowerShell support that MDT has. To start using PowerShell against the deployment share, you must first load the MDT PowerShell snap-in and then make the deployment share a PowerShell drive (PSDrive).
1. On MDT01, log on as **CONTOSO\\Administrator**.
2. Import the snap-in and create the PSDrive by running the following commands in an elevated PowerShell prompt:
``` syntax
Import-Topic "C:\Program Files\Microsoft Deployment Toolkit\bin\MicrosoftDeploymentToolkit.psd1"
New-PSDrive -Name "DS001" -PSProvider MDTProvider -Root "E:\MDTBuildLab"
@ -173,7 +175,9 @@ If you need to add many applications, you can take advantage of the PowerShell s
In these steps we assume that you have downloaded Microsoft Visual C++ 2005 SP1 x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2005SP1x86.
1. On MDT01, log on as **CONTOSO\\Administrator**.
2. Create the application by running the following commands in an elevated PowerShell prompt:
``` syntax
$ApplicationName = "Install - Microsoft Visual C++ 2005 SP1 - x86"
$CommandLine = "vcredist_x86.exe /Q"
@ -187,6 +191,7 @@ In these steps we assume that you have downloaded Microsoft Visual C++ 2005 SP1
In these steps we assume that you have downloaded Microsoft Visual C++ 2005 SP1 x64. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2005SP1x64.
1. On MDT01, log on as **CONTOSO\\Administrator**.
2. Create the application by running the following commands in an elevated PowerShell prompt:
``` syntax
$ApplicationName = "Install - Microsoft Visual C++ 2005 SP1 - x64"
$CommandLine = "vcredist_x64.exe /Q"
@ -200,6 +205,7 @@ In these steps we assume that you have downloaded Microsoft Visual C++ 2005 SP1
In these steps we assume that you have downloaded Microsoft Visual C++ 2008 SP1 x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2008SP1x86.
1. On MDT01, log on as **CONTOSO\\Administrator**.
2. Create the application by running the following commands in an elevated PowerShell prompt:
``` syntax
$ApplicationName = "Install - Microsoft Visual C++ 2008 SP1 - x86"
$CommandLine = "vcredist_x86.exe /Q"
@ -213,6 +219,7 @@ In these steps we assume that you have downloaded Microsoft Visual C++ 2008 SP1
In these steps we assume that you have downloaded Microsoft Visual C++ 2008 SP1 x64. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2008SP1x64.
1. On MDT01, log on as **CONTOSO\\Administrator**.
2. Create the application by running the following commands in an elevated PowerShell prompt:
``` syntax
$ApplicationName = "Install - Microsoft Visual C++ 2008 SP1 - x64"
$CommandLine = "vcredist_x64.exe /Q"
@ -226,6 +233,7 @@ In these steps we assume that you have downloaded Microsoft Visual C++ 2008 SP1
In these steps we assume that you have downloaded Microsoft Visual C++ 2010 SP1 x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2010SP1x86.
1. On MDT01, log on as **CONTOSO\\Administrator**.
2. Create the application by running the following commands in an elevated PowerShell prompt:
``` syntax
$ApplicationName = "Install - Microsoft Visual C++ 2010 SP1 - x86"
$CommandLine = "vcredist_x86.exe /Q"
@ -239,6 +247,7 @@ In these steps we assume that you have downloaded Microsoft Visual C++ 2010 SP1
In these steps we assume that you have downloaded Microsoft Visual C++ 2010 SP1 x64. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2010SP1x64.
1. On MDT01, log on as **CONTOSO\\Administrator**.
2. Create the application by running the following commands in an elevated PowerShell prompt:
``` syntax
$ApplicationName = "Install - Microsoft Visual C++ 2010 SP1 - x64"
$CommandLine = "vcredist_x64.exe /Q"
@ -252,6 +261,7 @@ In these steps we assume that you have downloaded Microsoft Visual C++ 2010 SP1
In these steps we assume that you have downloaded Microsoft Visual C++ 2012 Update 4 x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2012Ux86.
1. On MDT01, log on as **CONTOSO\\Administrator**.
2. Create the application by running the following commands in an elevated PowerShell prompt:
``` syntax
$ApplicationName = "Install - Microsoft Visual C++ 2012 Update 4 - x86"
$CommandLine = "vcredist_x86.exe /Q"
@ -265,6 +275,7 @@ In these steps we assume that you have downloaded Microsoft Visual C++ 2012 Upda
In these steps we assume that you have downloaded Microsoft Visual C++ 2012 Update 4 x64. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to E:\\Downloads\\VC++2012Ux64.
1. On MDT01, log on as **CONTOSO\\Administrator**.
2. Create the application by running the following commands in an elevated PowerShell prompt:
``` syntax
$ApplicationName = "Install - Microsoft Visual C++ 2012 Update 4 - x64"
$CommandLine = "vcredist_x64.exe /Q"

31
windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
View File

@ -4,6 +4,7 @@ description: Microsoft System Center 2012 R2 Configuration Manager supports depl
ms.assetid: 2dfb2f39-1597-4999-b4ec-b063e8a8c90c
keywords: deployment, task sequence, custom, customize
ms.prod: w10
localizationpriority: high
ms.mktglfcycl: deploy
ms.sitesec: library
author: mtniehaus
@ -20,15 +21,13 @@ Microsoft System Center 2012 R2 Configuration Manager supports deploying applica
For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
**Note**  
Even though the new application model is fully supported to deploy via the task sequence, the most reliable way to deploy software via the task sequence is still the legacy packages, especially if you deploy many applications.
 
>[!NOTE]  
>Even though the new application model is fully supported to deploy via the task sequence, the most reliable way to deploy software via the task sequence is still the legacy packages, especially if you deploy many applications.
## Example: Create the Adobe Reader XI application
The steps below show you how to create the Adobe Reader XI application. This section assumes that you have downloaded the MSI version of Adobe Reader XI to the C:\\Setup\\Adobe Reader XI folder on CM01.
The following steps show you how to create the Adobe Reader XI application. This section assumes that you have downloaded the MSI version of Adobe Reader XI to the C:\\Setup\\Adobe Reader XI folder on CM01.
1. On CM01, using File Explorer, copy the **C:\\Setup\\Adobe Reader XI** folder to the **E:\\Sources\\Software\\Adobe** folder.
@ -40,17 +39,17 @@ The steps below show you how to create the Adobe Reader XI application. This sec
5. In the Create Application Wizard, on the **General** page, use the following settings:
1. Automatically detect information about this application from installation files
* Automatically detect information about this application from installation files
2. Type: Windows Installer (\*.msi file)
* Type: Windows Installer (\*.msi file)
3. Location: \\\\CM01\\Sources$\\Software\\Adobe\\Adobe Reader XI
* Location: \\\\CM01\\Sources$\\Software\\Adobe\\Adobe Reader XI
4. \\AdbeRdr11000\_en\_US.msi
* \\AdbeRdr11000\_en\_US.msi
![figure 19](images/mdt-06-fig20.png)
![The Create Application Wizard](images/mdt-06-fig20.png "The Create Application Wizard")
Figure 19. The Create Application Wizard.
*Figure 19. The Create Application Wizard*
6. Click **Next**, and wait while Configuration Manager parses the MSI file.
@ -58,14 +57,12 @@ The steps below show you how to create the Adobe Reader XI application. This sec
8. On the **General Information** page, name the application Adobe Reader XI - OSD Install, click **Next** twice, and then click **Close**.
**Note**  
Since it is not possible to reference an application deployment type in the task sequence, you should have a single deployment type for applications deployed by the task sequence. If you are deploying applications via both the task sequence and normal application deployment, and you have multiple deployment types, you should have two applications of the same software. In this section, you add the "OSD Install" suffix to applications that are deployed via the task sequence. If using packages, you can still reference both package and program in the task sequence.
>[!NOTE]
>Because it is not possible to reference an application deployment type in the task sequence, you should have a single deployment type for applications deployed by the task sequence. If you are deploying applications via both the task sequence and normal application deployment, and you have multiple deployment types, you should have two applications of the same software. In this section, you add the "OSD Install" suffix to applications that are deployed via the task sequence. If using packages, you can still reference both package and program in the task sequence.
 
![Add the OSD Install suffix to the application name](images/mdt-06-fig21.png "Add the OSD Install suffix to the application name")
![figure 20](images/mdt-06-fig21.png)
Figure 20. Add the "OSD Install" suffix to the application name.
*Figure 20. Add the "OSD Install" suffix to the application name*
9. In the **Applications** node, select the Adobe Reader XI - OSD Install application, and click **Properties** on the ribbon bar.

3
windows/deploy/deploy-a-windows-10-image-using-mdt.md
View File

@ -5,6 +5,7 @@ ms.assetid: 1d70a3d8-1b1d-4051-b656-c0393a93f83c
keywords: deployment, automate, tools, configure
ms.prod: w10
ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus
@ -304,6 +305,7 @@ In this section, you will learn how to configure the MDT Build Lab deployment sh
2. CustomSettings.ini
2. Right-click the **MDT Production** deployment share and select **Properties**.
3. Select the **Rules** tab and modify using the following information:
``` syntax
[Settings]
Priority=Default
@ -340,6 +342,7 @@ In this section, you will learn how to configure the MDT Build Lab deployment sh
SkipFinalSummary=NO
```
4. Click **Edit Bootstrap.ini** and modify using the following information:
``` syntax
[Settings]
Priority=Default

1
windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md
View File

@ -5,6 +5,7 @@ ms.assetid: fb93f514-5b30-4f4b-99dc-58e6860009fa
keywords: deployment, image, UEFI, task sequence
ms.prod: w10
ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
author: mtniehaus
---

1
windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md
View File

@ -4,6 +4,7 @@ description: If you have Microsoft System Center 2012 R2 Configuration Manager
ms.assetid: eacd7b7b-dde0-423d-97cd-29bde9e8b363
keywords: deployment, custom, boot
ms.prod: w10
localizationpriority: high
ms.mktglfcycl: deploy
ms.sitesec: library
author: mtniehaus

1
windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md
View File

@ -5,6 +5,7 @@ ms.assetid: 837f009c-617e-4b3f-9028-2246067ee0fb
keywords: deploy, tools, configure, script
ms.prod: w10
ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
author: mtniehaus
ms.pagetype: mdt

47
windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
View File

@ -4,6 +4,7 @@ description: This topic walks you through the steps to finalize the configuratio
ms.assetid: 38b55fa8-e717-4689-bd43-8348751d493e
keywords: configure, deploy, upgrade
ms.prod: w10
localizationpriority: high
ms.mktglfcycl: deploy
ms.sitesec: library
author: mtniehaus
@ -27,19 +28,19 @@ This section will walk you through the process of creating the E:\\MDTProduction
1. On CM01, using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. Use the following settings for the New Deployment Share Wizard:
1. Deployment share path: E:\\MDTProduction
* Deployment share path: E:\\MDTProduction
2. Share name: MDTProduction$
* Share name: MDTProduction$
3. Deployment share description: MDT Production
* Deployment share description: MDT Production
4. Options: &lt;default settings&gt;
* Options: &lt;default settings&gt;
2. Right-click the **MDT Production** deployment share, and select **Properties**. In the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box, and click **OK**.
![figure 26](images/mdt-06-fig31.png)
![Enable MDT monitoring for Configuration Manager](images/mdt-06-fig31.png)
Figure 26. Enabling MDT monitoring for Configuration Manager.
*Figure 26. Enable MDT monitoring for Configuration Manager*
## <a href="" id="sec02"></a>Create and share the Logs folder
@ -81,14 +82,14 @@ This section will show you how to configure the rules (the Windows 10 x64 Settin
ApplyGPOPack=NO
```
![figure 27](images/fig30-settingspack.png)
![Settings package during deployment](images/fig30-settingspack.png)
Figure 27. The Settings package, holding the rules and the Unattend.xml template used during deployment
*Figure 27. The Settings package, holding the rules and the Unattend.xml template used during deployment*
3. Update the distribution point for the **Windows 10 x64 Settings** package by right-clicking the **Windows 10 x64 Settings** package and selecting **Update Distribution Points**.
**Note**  
Although you have not yet added a distribution point, you still need to select Update Distribution Points. That process also updates the Configuration Manager 2012 content library with changes.
>[!NOTE]  
>Although you have not yet added a distribution point, you still need to select Update Distribution Points. That process also updates the Configuration Manager 2012 content library with changes.
 
@ -114,13 +115,13 @@ This sections provides steps to help you create a deployment for the task sequen
3. On the **Deployment Settings** page, use the following settings and then click **Next**:
1. Purpose: Available
* Purpose: Available
2. Make available to the following: Only media and PXE
* Make available to the following: Only media and PXE
![figure 28](images/mdt-06-fig33.png)
![Configure the deployment settings](images/mdt-06-fig33.png)
Figure 28. Configure the deployment settings.
*Figure 28. Configure the deployment settings*
4. On the **Scheduling** page, accept the default settings and click **Next**.
@ -130,9 +131,9 @@ This sections provides steps to help you create a deployment for the task sequen
7. On the **Distribution Points** page, accept the default settings, click **Next** twice, and then click **Close**.
![figure 29](images/fig32-deploywiz.png)
![Task sequence deployed](images/fig32-deploywiz.png)
Figure 29. The Windows 10 Enterprise x64 RTM task sequence deployed to the All Unknown Computers collections available for media and PXE.
*Figure 29. The Windows 10 Enterprise x64 RTM task sequence deployed to the All Unknown Computers collections available for media and PXE*
## <a href="" id="sec06"></a>Configure Configuration Manager to prompt for the computer name during deployment (optional)
@ -145,20 +146,18 @@ This section provides steps to help you configure the All Unknown Computers coll
2. In the **Collection Variables** tab, create a new variable with the following settings:
1. Name: OSDComputerName
* Name: OSDComputerName
2. Clear the **Do not display this value in the Configuration Manager console** check box.
* Clear the **Do not display this value in the Configuration Manager console** check box.
3. Click **OK**.
**Note**  
Configuration Manager can prompt for information in many ways. Using a collection variable with an empty value is just one of them. Another option is the User-Driven Installation (UDI) wizard.
>[!NOTE]  
>Configuration Manager can prompt for information in many ways. Using a collection variable with an empty value is just one of them. Another option is the User-Driven Installation (UDI) wizard.
 
![Configure a collection variable](images/mdt-06-fig35.png)
![figure 30](images/mdt-06-fig35.png)
Figure 30. Configure a collection variable.
*Figure 30. Configure a collection variable*
## Related topics

1
windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md
View File

@ -5,6 +5,7 @@ ms.assetid: a256442c-be47-4bb9-a105-c831f58ce3ee
keywords: deploy, image, feature, install, tools
ms.prod: w10
ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus

BIN
windows/deploy/images/convert.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 14 KiB

BIN
windows/deploy/images/download_vhd.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 10 KiB

BIN
windows/deploy/images/installing-drivers.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 30 KiB

BIN
windows/deploy/images/svr_mgr2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 61 KiB

3
windows/deploy/integrate-configuration-manager-with-mdt-2013.md
View File

@ -5,6 +5,7 @@ ms.assetid: 3bd1cf92-81e5-48dc-b874-0f5d9472e5a5
ms.pagetype: mdt
keywords: deploy, image, customize, task sequence
ms.prod: w10
localizationpriority: high
ms.mktglfcycl: deploy
ms.sitesec: library
author: mtniehaus
@ -28,6 +29,7 @@ When MDT is integrated with Configuration Manager, the task sequence takes addit
The task sequence uses instructions that allow you to reduce the number of task sequences in Configuration Manager and instead store settings outside the task sequence. Here are a few examples:
- The following settings instruct the task sequence to install the HP Hotkeys package, but only if the hardware is a HP EliteBook 8570w. Note that you don't have to add the package to the task sequence.
``` syntax
[Settings]
Priority=Model
@ -35,6 +37,7 @@ The task sequence uses instructions that allow you to reduce the number of task
Packages001=PS100010:Install HP Hotkeys
```
- The following settings instruct the task sequence to put laptops and desktops in different organizational units (OUs) during deployment, assign different computer names, and finally have the task sequence install the Cisco VPN client, but only if the machine is a laptop.
``` syntax
[Settings]
Priority= ByLaptopType, ByDesktopType

1
windows/deploy/key-features-in-mdt-2013.md
View File

@ -5,6 +5,7 @@ ms.assetid: 858e384f-e9db-4a93-9a8b-101a503e4868
keywords: deploy, feature, tools, upgrade, migrate, provisioning
ms.prod: w10
ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus

1
windows/deploy/mdt-2013-lite-touch-components.md
View File

@ -5,6 +5,7 @@ ms.assetid: 7d6fc159-e338-439e-a2e6-1778d0da9089
keywords: deploy, install, deployment, boot, log, monitor
ms.prod: w10
ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus

25
windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md
View File

@ -5,6 +5,7 @@ ms.assetid: 4863c6aa-6369-4171-8e1a-b052ca195fce
keywords: deploy, upgrade
ms.prod: w10
ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
author: mtniehaus
---
@ -24,32 +25,28 @@ To monitor an operating system deployment conducted through System Center 2012 R
1. On CM01, using the Deployment Workbench, expand **MDT Production**, and use the **Monitoring** node to view the deployment process (press **F5** to refresh).
**Note**  
It takes a little while for the task sequence to start reporting monitor information, so if PC0001 does not appear when you press F5 the first time, wait 20 seconds and try again.
>[!NOTE]
>It takes a little while for the task sequence to start reporting monitor information, so if PC0001 does not appear when you press F5 the first time, wait 20 seconds and try again.
 
![PC0001 being deployed by Configuration Manager](images/mdt-06-fig39.png)
![figure 33](images/mdt-06-fig39.png)
Figure 33. PC0001 being deployed by Configuration Manager.
*Figure 33. PC0001 being deployed by Configuration Manager*
2. When you see the PC0001 entry, double-click **PC0001**, and then click **DaRT Remote Control** and review the **Remote Control** option.
3. The task sequence will now run and do the following:
1. Install the Windows 10 operating system.
* Install the Windows 10 operating system.
2. Install the Configuration Manager client and the client hotfix.
* Install the Configuration Manager client and the client hotfix.
3. Join the machine to the domain.
* Join the machine to the domain.
4. Install the application added to the task sequence.
**Note**  
You also can use the built-in reports to get information about ongoing deployments. For example, a task sequence report gives you a quick overview of the task sequence progress.
* Install the application added to the task sequence.
>[!NOTE]
>You also can use the built-in reports to get information about ongoing deployments. For example, a task sequence report gives you a quick overview of the task sequence progress.
 
4. If time permits, allow the deployment of PC0001 to complete. Then log in as Administrator in the CONTOSO domain and verify that Adobe Reader XI was installed.
## Related topics

1
windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md
View File

@ -5,6 +5,7 @@ ms.assetid: 5103c418-0c61-414b-b93c-a8e8207d1226
keywords: deploy, system requirements
ms.prod: w10
ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus

1
windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
View File

@ -4,6 +4,7 @@ description: This topic will walk you through the process of integrating Microso
ms.assetid: 06e3a221-31ef-47a5-b4da-3b927cb50d08
keywords: install, configure, deploy, deployment
ms.prod: w10
localizationpriority: high
ms.mktglfcycl: deploy
ms.sitesec: library
author: mtniehaus

10
windows/deploy/provision-pcs-with-apps-and-certificates.md
View File

@ -76,10 +76,18 @@ Universal apps that you can distribute in the provisioning package can be line-o
![required frameworks for offline app package](images/uwp-dependencies.png)
5. For **DeviceContextAppLicense**, enter the **LicenseProductID**. In Windows Store for Business, you generate the license for the app on the app's download page.
5. For **DeviceContextAppLicense**, enter the **LicenseProductID**.
- In Windows Store for Business, generate the unencoded license for the app on the app's download page, and change the extension of the license file from **.xml** to **.ms-windows-store-license**.
![generate license for offline app](images/uwp-license.png)
- Open the license file and search for **LicenseID=** to get the GUID, enter the GUID in the **LicenseProductID** field and click **Add**.
6. In the **Available customizations** pane, click the **LicenseProductId** that you just added.
7. For **LicenseInstall**, click **Browse**, navigate to the license file that you renamed *<file name>*.**ms-windows-store-license**, and select the license file.
[Learn more about distributing offline apps from the Windows Store for Business.](../manage/distribute-offline-apps.md)
> [!NOTE]

1
windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
View File

@ -5,6 +5,7 @@ ms.assetid: 57c81667-1019-4711-b3de-15ae9c5387c7
keywords: upgrade, install, installation, computer refresh
ms.prod: w10
ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
author: mtniehaus
---

2
windows/deploy/refresh-a-windows-7-computer-with-windows-10.md
View File

@ -5,6 +5,7 @@ ms.assetid: 2866fb3c-4909-4c25-b083-6fc1f7869f6f
keywords: reinstallation, customize, template, script, restore
ms.prod: w10
ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus
@ -66,6 +67,7 @@ The custom USMT template is named MigContosoData.xml, and you can find it in the
In order to use the custom MigContosoData.xml USMT template, you need to copy it to the MDT Production deployment share and update the CustomSettings.ini file. In these steps, we assume you have downloaded the MigContosoData.xml file.
1. Using File Explorer, copy the MigContosoData.xml file to the **E:\\MDTProduction\\Tools\\x64\\USMT5** folder.
2. Using Notepad, edit the E:\\MDTProduction\\Control\\CustomSettings.ini file. After the USMTMigFiles002=MigUser.xml line add the following line:
``` syntax
USMTMigFiles003=MigContosoData.xml
```

1
windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
View File

@ -5,6 +5,7 @@ ms.assetid: 3c8a2d53-8f08-475f-923a-bca79ca8ac36
keywords: upgrade, install, installation, replace computer, setup
ms.prod: w10
ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
author: mtniehaus
---

1
windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md
View File

@ -5,6 +5,7 @@ ms.assetid: acf091c9-f8f4-4131-9845-625691c09a2a
keywords: deploy, deployment, replace
ms.prod: w10
ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus

4
windows/deploy/set-up-mdt-2013-for-bitlocker.md
View File

@ -5,6 +5,7 @@ description:
keywords: disk, encryption, TPM, configure, secure, script
ms.prod: w10
ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus
@ -84,6 +85,7 @@ If you consistently get the error "Windows BitLocker Drive Encryption Informatio
In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the [Add-TPMSelfWriteACE.vbs script](https://go.microsoft.com/fwlink/p/?LinkId=167133) from Microsoft to C:\\Setup\\Scripts on DC01.
1. On DC01, start an elevated PowerShell prompt (run as Administrator).
2. Configure the permissions by running the following command:
``` syntax
cscript C:\Setup\Scripts\Add-TPMSelfWriteACE.vbs
```
@ -105,10 +107,12 @@ cctk.exe --tpm=on --valsetuppwd=Password1234
### Add tools from HP
The HP tools are part of HP System Software Manager. The executable file from HP is named BiosConfigUtility.exe. This utility uses a configuration file for the BIOS settings. Here is a sample command to enable TPM and set a BIOS password using the BiosConfigUtility.exe tool:
``` syntax
BIOSConfigUtility.EXE /SetConfig:TPMEnable.REPSET /NewAdminPassword:Password1234
```
And the sample content of the TPMEnable.REPSET file:
``` syntax
English
Activate Embedded Security On Next Boot

1
windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md
View File

@ -5,6 +5,7 @@ ms.assetid: 2de86c55-ced9-4078-b280-35e0329aea9c
keywords: deploy, script
ms.prod: w10
ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus

1
windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md
View File

@ -4,6 +4,7 @@ description: The simplest path to upgrade PCs currently running Windows 7, Wind
ms.assetid: F8DF6191-0DB0-4EF5-A9B1-6A11D5DE4878
keywords: upgrade, update, task sequence, deploy
ms.prod: w10
localizationpriority: high
ms.mktglfcycl: deploy
author: mtniehaus
---

1
windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
View File

@ -5,6 +5,7 @@ ms.assetid: B8993151-3C1E-4F22-93F4-2C5F2771A460
keywords: upgrade, update, task sequence, deploy
ms.prod: w10
ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus

1
windows/deploy/upgrade-windows-phone-8-1-to-10.md
View File

@ -4,6 +4,7 @@ description: This article describes how to upgrade eligible Windows Phone 8.1 de
keywords: upgrade, update, windows, phone, windows 10, mdm, mobile
ms.prod: w10
ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: Jamiejdt

2
windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md
View File

@ -5,6 +5,7 @@ ms.assetid: 68302780-1f6f-4a9c-9407-b14371fdce3f
keywords: web services, database
ms.prod: w10
ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus
@ -139,6 +140,7 @@ Make sure the account you are using has permissions to run runbooks on the Orche
 
1. On PC0001, log on as **CONTOSO\\MDT\_BA**.
2. Using an elevated command prompt (run as Administrator), type the following command:
``` syntax
cscript \\MDT01\MDTProduction$\Scripts\Litetouch.vbs
```

1
windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md
View File

@ -6,6 +6,7 @@ ms.pagetype: mdt
keywords: database, permissions, settings, configure, deploy
ms.prod: w10
ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
author: mtniehaus
---

1
windows/deploy/use-web-services-in-mdt-2013.md
View File

@ -5,6 +5,7 @@ ms.assetid: 8f47535e-0551-4ccb-8f02-bb97539c6522
keywords: deploy, web apps
ms.prod: w10
ms.mktglfcycl: deploy
localizationpriority: high
ms.pagetype: mdt
ms.sitesec: library
author: mtniehaus

1
windows/deploy/windows-10-deployment-scenarios.md
View File

@ -5,6 +5,7 @@ ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5
keywords: upgrade, in-place, configuration, deploy
ms.prod: w10
ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
author: mtniehaus
---

1
windows/deploy/windows-10-edition-upgrades.md
View File

@ -4,6 +4,7 @@ description: With Windows 10, you can quickly upgrade from one edition of Windo
ms.assetid: A7642E90-A3E7-4A25-8044-C4E402DC462A
ms.prod: w10
ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
ms.pagetype: mobile
author: greg-lindsay

1
windows/deploy/windows-10-enterprise-e3-overview.md
View File

@ -4,6 +4,7 @@ description: Describes Windows 10 Enterprise E3, an offering that delivers, by s
keywords: upgrade, update, task sequence, deploy
ms.prod: w10
ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: greg-lindsay

28
windows/deploy/windows-10-poc-mdt.md
View File

@ -1,28 +0,0 @@
---
title: Placeholder (Windows 10)
description: Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
---
# Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit
**Applies to**
- Windows 10
## In this guide
## Related Topics
 
 

28
windows/deploy/windows-10-poc-sccm.md
View File

@ -1,28 +0,0 @@
---
title: Placeholder (Windows 10)
description: Deploy Windows 10 in a test lab using System Center Configuration Manager
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
---
# Deploy Windows 10 in a test lab using System Center Configuration Manager
**Applies to**
- Windows 10
## In this guide
## Related Topics
 
 

1
windows/deploy/windows-10-upgrade-paths.md
View File

@ -4,6 +4,7 @@ description: You can upgrade to Windows 10 from a previous version of Windows if
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
localizationpriority: high
ms.pagetype: mobile
author: greg-lindsay
---

1
windows/deploy/windows-adk-scenarios-for-it-pros.md
View File

@ -4,6 +4,7 @@ description: The Windows Assessment and Deployment Kit (Windows ADK) contains to
ms.assetid: FC4EB39B-29BA-4920-87C2-A00D711AE48B
ms.prod: w10
ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
author: greg-lindsay
---

1
windows/keep-secure/TOC.md
View File

@ -35,6 +35,7 @@
#### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md)
#### [Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md)
#### [Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md)
#### [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md)
## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)
## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md)
## [VPN profile options](vpn-profile-options.md)

4
windows/keep-secure/additional-configuration-windows-advanced-threat-protection.md
View File

@ -1,7 +1,7 @@
---
redirect_url: https://technet.microsoft.com/en-au/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection
redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection
---
# Additional Windows Defender ATP configuration settings
This page has been redirected to [Configure endpoints](https://technet.microsoft.com/en-au/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection)
This page has been redirected to [Configure endpoints](https://technet.microsoft.com/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection)

6
windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md
View File

@ -37,12 +37,12 @@ Assigning read only access rights requires adding the users to the “Security R
Use the following steps to assign security roles:
- Preparations:
- Install Azure PowerShell. For more information see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/en-us/documentation/articles/powershell-install-configure/).<br>
- Install Azure PowerShell. For more information see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/).<br>
> [!NOTE]
> You need to run the PowerShell cmdlets in an elevated command-line.
- Connect to your Azure Active Directory. For more information see, [Connect-MsolService](https://msdn.microsoft.com/en-us/library/dn194123.aspx).
- Connect to your Azure Active Directory. For more information see, [Connect-MsolService](https://msdn.microsoft.com/library/dn194123.aspx).
- For **read and write** access, assign users to the security administrator role by using the following command:
```text
Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com"
@ -52,4 +52,4 @@ Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "s
Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress “reader@Contoso.onmicrosoft.com”
```
For more information see, [Manage Azure AD group and role membership](https://technet.microsoft.com/en-us/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups).
For more information see, [Manage Azure AD group and role membership](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups).

49
windows/keep-secure/bitlocker-how-to-enable-network-unlock.md
View File

@ -146,12 +146,12 @@ To create a self-signed certificate, you can either use the New-SelfSignedCertif
Windows PowerShell example:
```syntax
New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "CN=BitLocker Network Unlock certificate" -KeyUsage KeyEncipherment -KeyUsageProperty Decrypt -KeyLength 2048 -KeySpec KeyExchange -HashAlgorithm sha512 -TextExtension @("1.3.6.1.4.1.311.21.10={text}OID=1.3.6.1.4.1.311.67.1.1","2.5.29.37={text}1.3.6.1.4.1.311.67.1.1")
New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "CN=BitLocker Network Unlock certificate" -Provider "Microsoft Software Key Storage Provider" -KeyUsage KeyEncipherment -KeyUsageProperty Decrypt,Sign -KeyLength 2048 -HashAlgorithm sha512 -TextExtension @("1.3.6.1.4.1.311.21.10={text}OID=1.3.6.1.4.1.311.67.1.1","2.5.29.37={text}1.3.6.1.4.1.311.67.1.1")
```
Certreq example:
1. Create a text file with an .inf extension. For example, notepad.exe BitLocker-NetworkUnlock.inf
1. Create a text file with an .inf extension. For example, notepad.exe BitLocker-NetworkUnlock.inf.
2. Add the following contents to the previously created file:
``` syntax
@ -162,9 +162,8 @@ Certreq example:
Exportable=true
RequestType=Cert
KeyUsage="CERT_KEY_ENCIPHERMENT_KEY_USAGE"
KeyUsageProperty="NCRYPT_ALLOW_DECRYPT_FLAG"
KeyUsageProperty="NCRYPT_ALLOW_DECRYPT_FLAG | NCRYPT_ALLOW_SIGNING_FLAG"
KeyLength=2048
Keyspec="AT_KEYEXCHANGE"
SMIME=FALSE
HashAlgorithm=sha512
[Extensions]
@ -180,9 +179,9 @@ Certreq example:
certreq -new BitLocker-NetworkUnlock.inf BitLocker-NetworkUnlock.cer
```
4. Verify the previous command properly created the certificate by confirming the .cer file exists
5. Launch the Certificate Manager by running **certmgr.msc**
6. Create a .pfx file by opening the **Certificates Current User\\Personal\\Certificates** path in the navigation pane, right-clicking the previously imported certificate, selecting **All Tasks**, then **Export**. Follow through the wizard to create the .pfx file.
4. Verify the previous command properly created the certificate by confirming the .cer file exists.
5. Launch Certificates - Local Machine by running **certlm.msc**.
6. Create a .pfx file by opening the **Certificates Local Computer\\Personal\\Certificates** path in the navigation pane, right-clicking the previously imported certificate, selecting **All Tasks**, then **Export**. Follow through the wizard to create the .pfx file.
### <a href="" id="bkmk-stepfive"></a>Step Five: Deploy the private key and certificate to the WDS server
@ -193,27 +192,27 @@ With the certificate and key created, deploy them to the infrastructure to prope
3. In the **File to Import** dialog, choose the .pfx file created previously.
4. Enter the password used to create the .pfx and complete the wizard.
### Step Six: Configure Group Policy settings for Network Unlock
### <a href="" id="bkmk-stepsix"></a>Step Six: Configure Group Policy settings for Network Unlock
With certificate and key deployed to the WDS server for Network Unlock, the final step is to use Group Policy settings to deploy the public key certificate to computers that you want to be able to unlock using the Network Unlock key. Group Policy settings for BitLocker can be found under **\\Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption** using the Local Group Policy Editor or the Microsoft Management Console.
The following steps describe how to enable the Group Policy setting that is a requirement for configuring Network Unlock.
1. Open Group Policy Management Console (gpmc.msc)
2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option
3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers
1. Open Group Policy Management Console (gpmc.msc).
2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option.
3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers.
The following steps describe how to deploy the required Group Policy setting:
>**Note:**  The Group Policy settings **Allow network unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012.
 
1. Copy the .cer file created for Network Unlock to the domain controller
2. On the domain controller, launch Group Policy Management Console (gpmc.msc)
1. Copy the .cer file created for Network Unlock to the domain controller.
2. On the domain controller, launch Group Policy Management Console (gpmc.msc).
3. Create a new Group Policy Object or modify an existing object to enable the **Allow network unlock at startup** setting.
4. Deploy the public certificate to clients
4. Deploy the public certificate to clients:
1. Within Group Policy Management Console, navigate to the following location: **Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate**
2. Right-click the folder and choose **Add Network Unlock Certificate**
1. Within Group Policy Management Console, navigate to the following location: **Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate**.
2. Right-click the folder and choose **Add Network Unlock Certificate**.
3. Follow the wizard steps and import the .cer file that was copied earlier.
>**Note:**  Only one network unlock certificate can be available at a time. If a new certificate is required, delete the current certificate before deploying a new one. The Network Unlock certificate is located in the **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** key on the client computer.
@ -222,16 +221,16 @@ The following steps describe how to deploy the required Group Policy setting:
An additional step is for enterprises to use TPM+PIN protectors for an extra level of security. To require TPM+PIN protectors in an environment, do the following:
1. Open Group Policy Management Console (gpmc.msc)
2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option
3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers
1. Open Group Policy Management Console (gpmc.msc).
2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option.
3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers.
### <a href="" id="bkmk-createcerttmpl"></a>Create the certificate template for Network Unlock
The following steps detail how to create a certificate template for use with BitLocker Network Unlock. A properly configured Active Directory Services Certification Authority can use this certificate to create and issue Network Unlock certificates.
1. Open the Certificates Template snap-in (certtmpl.msc).
2. Locate the User template. Right-click the template name and select **Duplicate Template**
2. Locate the User template. Right-click the template name and select **Duplicate Template**.
3. On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to Windows Server 2012 and Windows 8respectively. Ensure the **Show resulting changes** dialog box is selected.
4. Select the **General** tab of the template. The **Template display name** and **Template name** should clearly identify that the template will be used for Network Unlock. Clear the checkbox for the **Publish certificate in Active Directory** option.
5. Select the **Request Handling** tab. Select **Encryption** from the **Purpose** drop down menu. Ensure the **Allow private key to be exported** option is selected.
@ -247,9 +246,9 @@ The following steps detail how to create a certificate template for use with Bit
- **Name:** **BitLocker Network Unlock**
- **Object Identifier:** **1.3.6.1.4.1.311.67.1.1**
14. Select the newly created **BitLocker Network Unlock** application policy and select **OK**
14. Select the newly created **BitLocker Network Unlock** application policy and select **OK**.
15. With the **Extensions** tab still open, select the **Edit Key Usage Extension** dialog, select the **Allow key exchange only with key encryption (key encipherment)** option. Select the **Make this extension critical** option.
16. Select the **Security** tab. Confirm that the **Domain Admins** group has been granted **Enroll** permission
16. Select the **Security** tab. Confirm that the **Domain Admins** group has been granted **Enroll** permission.
17. Select **OK** to complete configuration of the template.
To add the Network Unlock template to the Certification Authority, open the Certification Authority snap-in (certsrv.msc). Right-click the **Certificate Templates** item and choose **New, Certificate Template to issue**. Select the previously created BitLocker Network Unlock certificate.
@ -329,8 +328,8 @@ Files to gather when troubleshooting BitLocker Network Unlock include:
In the right pane, click **Enable Log**.
2. The DHCP subnet configuration file (if one exists).
3. The output of the BitLocker status on the volume, this can be gathered into a text file using **manage-bde -status** or **Get-BitLockerVolume** in Windows PowerShell
4. Network Monitor capture on the server hosting the WDS role, filtered by client IP address
3. The output of the BitLocker status on the volume, this can be gathered into a text file using **manage-bde -status** or **Get-BitLockerVolume** in Windows PowerShell.
4. Network Monitor capture on the server hosting the WDS role, filtered by client IP address.
## <a href="" id="bkmk-unsupportedsystems"></a>Configure Network Unlock Group Policy settings on earlier versions
@ -347,7 +346,7 @@ The following steps can be used to configure Network Unlock on these older syste
3. [Step Three: Install the Network Unlock feature](#bkmk-stepthree)
4. [Step Four: Create the Network Unlock certificate](#bkmk-stepfour)
5. [Step Five: Deploy the private key and certificate to the WDS server](#bkmk-stepfive)
6. **Step Six: Configure registry settings for Network Unlock**
6. [Step Six: Configure registry settings for Network Unlock](#bkmk-stepsix)
Apply the registry settings by running the following certutil script on each computer running any of the client operating systems designated in the **Applies To** list at the beginning of this topic.
certutil -f -grouppolicy -addstore FVE_NKP BitLocker-NetworkUnlock.cer

10
windows/keep-secure/change-history-for-keep-windows-10-secure.md
View File

@ -12,6 +12,16 @@ author: brianlic-msft
# Change history for Keep Windows 10 secure
This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
## September 2016
| New or changed topic | Description |
| --- | --- |
|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) | New |
|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Updated the networking table to clarify details around Enterprise Cloud Resources and Enterprise Proxy Servers. |
|[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |Updated the networking table to clarify details around Enterprise Cloud Resources and Enterprise Proxy Servers. |
| [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) | Clarified how convenience PIN works in Windows 10, version 1607, on domain-joined PCs |
| [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) | Corrected certreq ezxample and added a new Windows PowerShell example for creating a self-signed certficate |
## August 2016
|New or changed topic | Description |
|----------------------|-------------|

6
windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
View File

@ -34,7 +34,7 @@ localizationpriority: high
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*.
3. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
3. Open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
4. In the **Group Policy Management Editor**, go to **Computer configuration**, then **Preferences**, and then **Control panel settings**.
@ -61,7 +61,7 @@ You can use Group Policy (GP) to configure settings, such as settings for the sa
b. Copy _AtpConfiguration.adml_ into _C:\\Windows\\PolicyDefinitions\\en-US_
2. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), right-click the GPO you want to configure and click **Edit**.
2. Open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the GPO you want to configure and click **Edit**.
3. In the **Group Policy Management Editor**, go to **Computer configuration**.
@ -88,7 +88,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
3. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
3. Open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
4. In the **Group Policy Management Editor**, go to **Computer configuration,** then **Preferences**, and then **Control panel settings**.

4
windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
View File

@ -23,11 +23,11 @@ localizationpriority: high
You can use mobile device management (MDM) solutions to configure endpoints. Windows Defender ATP supports MDMs by providing OMA-URIs to create policies to manage endpoints.
For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723297(v=vs.85).aspx).
For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx).
## Configure endpoints using Microsoft Intune
For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723297(v=vs.85).aspx).
For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx).
### Onboard and monitor endpoints

12
windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
View File

@ -45,9 +45,9 @@ You can use System Center Configuration Managers existing functionality to cr
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOnboardingScript.cmd*.
3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682112.aspx#BKMK_Import) topic.
3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682112.aspx#BKMK_Import) topic.
4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682178.aspx) topic.
4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682178.aspx) topic.
a. Choose a predefined device collection to deploy the package to.
@ -72,7 +72,7 @@ Possible values are:
The default value in case the registry key doesnt exist is 1.
For more information about System Center Configuration Manager Compliance see [Compliance Settings in Configuration Manager](https://technet.microsoft.com/en-us/library/gg681958.aspx).
For more information about System Center Configuration Manager Compliance see [Compliance Settings in Configuration Manager](https://technet.microsoft.com/library/gg681958.aspx).
### Offboard endpoints
@ -90,9 +90,9 @@ For security reasons, the package used to offboard endpoints will expire 30 days
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682112.aspx#BKMK_Import) topic.
3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682112.aspx#BKMK_Import) topic.
4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682178.aspx) topic.
4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682178.aspx) topic.
a. Choose a predefined device collection to deploy the package to.
@ -128,7 +128,7 @@ Path: “HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status”
Name: “OnboardingState”
Value: “1”
```
For more information about System Center Configuration Manager Compliance see [Compliance Settings in Configuration Manager](https://technet.microsoft.com/en-us/library/gg681958.aspx).
For more information about System Center Configuration Manager Compliance see [Compliance Settings in Configuration Manager](https://technet.microsoft.com/library/gg681958.aspx).
## Related topics
- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)

4
windows/keep-secure/create-and-verify-an-efs-dra-certificate.md
View File

@ -77,7 +77,7 @@ It's possible that you might revoke data from an unenrolled device only to later
1. Have your employee sign in to the unenrolled device, open a command prompt, and type:
`Robocopy “%localappdata%\Microsoft\WIP\Recovery” <“new_location”> /EFSRAW`
`Robocopy “%localappdata%\Microsoft\EDP\Recovery” <“new_location”> /EFSRAW`
Where *&lt;”new_location”&gt;* is in a different directory. This can be on the employees device or on a Windows 8 or Windows Server 2012 or newer server file share that can be accessed while you're logged in as a data recovery agent.
@ -87,7 +87,7 @@ It's possible that you might revoke data from an unenrolled device only to later
3. Have your employee sign in to the unenrolled device, and type:
`Robocopy <”new_location”> “%localappdata%\Microsoft\WIP\Recovery\Input”`
`Robocopy <”new_location”> “%localappdata%\Microsoft\EDP\Recovery\Input”`
4. Ask the employee to lock and unlock the device.

8
windows/keep-secure/create-wip-policy-using-intune.md
View File

@ -370,8 +370,8 @@ There are no default locations included with WIP, you must add each of your netw
</tr>
<tr>
<td>Enterprise Cloud Resources</td>
<td>**With proxy:** contoso.sharepoint.com,proxy.contoso.com|<br>contoso.visualstudio.com,proxy.contoso.com<p>**Without proxy:** contoso.sharepoint.com|contoso.visualstudio.com</td>
<td>Specify the cloud resources to be treated as corporate and protected by WIP.<p>For each cloud resource, you may also optionally specify an internal proxy server that routes your traffic through your Enterprise Internal Proxy Server.<p>If you have multiple resources, you must separate them using the "|" delimiter. If you dont use proxy servers, you must also include the "," delimiter just before the "|". For example: `URL <,proxy>|URL <,proxy>`.<p>If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the `/*AppCompat*/` string to this setting. For example: `URL <,proxy>|URL <,proxy>|/*AppCompat*/`</td>
<td><strong>With proxy:</strong> contoso.sharepoint.com,contoso.internalproxy1.com|<br>contoso.visualstudio.com,contoso.internalproxy2.com<p><strong>Without proxy:</strong> contoso.sharepoint.com|contoso.visualstudio.com</td>
<td>Specify the cloud resources to be treated as corporate and protected by WIP.<p>For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.<p>If you have multiple resources, you must separate them using the "|" delimiter. If you dont use proxy servers, you must also include the "," delimiter just before the "|". For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;</code>.<p>If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the <code>/*AppCompat*/</code> string to this setting. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;|/*AppCompat*/</code></td>
</tr>
<tr>
<td>Enterprise Network Domain Names (Required)</td>
@ -380,8 +380,8 @@ There are no default locations included with WIP, you must add each of your netw
</tr>
<tr>
<td>Enterprise Proxy Servers</td>
<td>proxy.contoso.com:80;proxy2.contoso.com:137</td>
<td>Specify your externally-facing proxy server addresses, along with the port through which traffic is allowed and protected with WIP.<p>This list shouldnt include any servers listed in the Enterprise Internal Proxy Servers list, which are used for WIP-protected traffic.<p>This setting is also required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when youre visiting another company and not on that companys guest network.<p>If you have multiple resources, you must separate them using the ";" delimiter.</td>
<td>proxy.contoso.com:80;proxy2.contoso.com:443</td>
<td>Specify your externally-facing proxy server addresses, along with the port through which traffic accesses the Internet.<p>This list must not include any servers listed in the Enterprise Internal Proxy Servers list, because theyre used for WIP-protected traffic.<p>This setting is also required if theres a chance you could end up behind a proxy server on another network. In this situation, if you don't have a proxy server pre-defined, you might find that enterprise resources are unavailable to your client device, such as when youre visiting another company and not on the guest network. To make sure this doesnt happen, the client device also needs to be able to reach the pre-defined proxy server through the VPN network.<p>If you have multiple resources, you must separate them using the ";" delimiter.</td>
</tr>
<tr>
<td>Enterprise Internal Proxy Servers</td>

9
windows/keep-secure/create-wip-policy-using-sccm.md
View File

@ -391,8 +391,8 @@ There are no default locations included with WIP, you must add each of your netw
</tr>
<tr>
<td>Enterprise Cloud Resources</td>
<td>**With proxy:** contoso.sharepoint.com,proxy.contoso.com|<br>contoso.visualstudio.com,proxy.contoso.com<p>**Without proxy:** contoso.sharepoint.com|contoso.visualstudio.com</td>
<td>Specify the cloud resources to be treated as corporate and protected by WIP.<p>For each cloud resource, you may also optionally specify an internal proxy server that routes your traffic through your Enterprise Internal Proxy Server.<p>If you have multiple resources, you must separate them using the "|" delimiter. If you dont use proxy servers, you must also include the "," delimiter just before the "|". For example: `URL <,proxy>|URL <,proxy>`.<p>If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the `/*AppCompat*/` string to this setting. For example: `URL <,proxy>|URL <,proxy>|/*AppCompat*/`</td>
<td><strong>With proxy:</strong> contoso.sharepoint.com,contoso.internalproxy1.com|<br>contoso.visualstudio.com,contoso.internalproxy2.com<p><strong>Without proxy:</strong> contoso.sharepoint.com|contoso.visualstudio.com</td>
<td>Specify the cloud resources to be treated as corporate and protected by WIP.<p>For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.<p>If you have multiple resources, you must separate them using the "|" delimiter. If you dont use proxy servers, you must also include the "," delimiter just before the "|". For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;</code>.<p>If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the <code>/*AppCompat*/</code> string to this setting. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;|/*AppCompat*/</code></td>
</tr>
<tr>
<td>Enterprise Network Domain Names (Required)</td>
@ -401,8 +401,13 @@ There are no default locations included with WIP, you must add each of your netw
</tr>
<tr>
<td>Enterprise Proxy Servers</td>
<<<<<<< HEAD
<td>proxy.contoso.com:80;proxy2.contoso.com:137</td>
<td>Specify your externally-facing proxy server addresses, along with the port through which traffic accesses the Internet.<p>This list must not include any servers listed in the Enterprise Internal Proxy Servers list, because theyre used for WIP-protected traffic.<p>TThis setting is also required if theres a chance you could end up behind a proxy server on another network. In this situation, if you don't have a proxy server pre-defined, you might find that enterprise resources are unavailable to your client device, such as when youre visiting another company and not on the guest network. To make sure this doesnt happen, the client device also needs to be able to reach the pre-defined proxy server through the VPN network.<p>If you have multiple resources, you must separate them using the ";" delimiter.</td>
=======
<td>proxy.contoso.com:80;proxy2.contoso.com:443</td>
<td>Specify your externally-facing proxy server addresses, along with the port through which traffic is allowed and protected with WIP.<p>This list shouldnt include any servers listed in the Enterprise Internal Proxy Servers list, which are used for WIP-protected traffic.<p>This setting is also required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when youre visiting another company and not on that companys guest network.<p>If you have multiple resources, you must separate them using the ";" delimiter.</td>
>>>>>>> refs/remotes/origin/master
</tr>
<tr>
<td>Enterprise Internal Proxy Servers</td>

4
windows/keep-secure/credential-guard.md
View File

@ -30,7 +30,9 @@ Credential Guard isolates secrets that previous versions of Windows stored in th
For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment.
Credential Guard also does not allow unconstrained Kerberos delegation, NTLMv1, MS-CHAPv2, Digest, CredSSP, and Kerberos DES encryption.
Credential Guard prevents NTLMv1, MS-CHAPv2, Digest, and CredSSP from using sign-on credentials. Thus, single sign-on does not work with these protocols. However, Credential guard allows these protocols to be used with prompted credentials or those saved in Credential Manager. It is strongly recommended that valuable credentials, such as the sign-on credentials, not be used with any of these protocols. If these protocols must be used by domain users, secondary credentials should be provisioned for these use cases.
Credential Guard does not allow unconstrained Kerberos delegation or Kerberos DES encryption at all. Neither sign-on nor prompted/saved credentials may be used.
Here's a high-level overview on how the LSA is isolated by using virtualization-based security:

2
windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md
View File

@ -87,7 +87,7 @@ Threats are considered "active" if there is a very high probability that the mal
Clicking on any of these categories will navigate to the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md), filtered by the appropriate category. This lets you see a detailed breakdown of which machines have active malware detections, and how many threats were detected per machine.
> [!NOTE]
> The **Machines with active malware detections** tile will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
> The **Machines with active malware detections** tile will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
### Related topics
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)

4
windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md
View File

@ -24,7 +24,7 @@ localizationpriority: high
This section covers some of the most frequently asked questions regarding privacy and data handling for Windows Defender ATP.
> [!NOTE]
> This document explains the data storage and privacy details related to Windows Defender ATP. For more information related to Windows Defender ATP and other products and services like Windows Defender and Windows 10, see [Microsoft Privacy Statement](https://privacy.microsoft.com/en-us/privacystatement). See also [Windows 10 privacy FAQ](http://windows.microsoft.com/en-au/windows-10/windows-privacy-faq) for more information.
> This document explains the data storage and privacy details related to Windows Defender ATP. For more information related to Windows Defender ATP and other products and services like Windows Defender and Windows 10, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576). See also [Windows 10 privacy FAQ](https://go.microsoft.com/fwlink/?linkid=827577) for more information.
## What data does Windows Defender ATP collect?
@ -32,7 +32,7 @@ Microsoft will collect and store information from your configured endpoints in a
Information collected includes code file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and machine details (such as GUIDs, names, and the operating system version).
Microsoft stores this data securely in Microsoft Azure and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://azure.microsoft.com/en-us/support/trust-center/).
Microsoft stores this data securely in Microsoft Azure and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://go.microsoft.com/fwlink/?linkid=827578).
Microsoft uses this data to:
- Proactively identify indicators of attack (IOAs) in your organization

8
windows/keep-secure/enlightened-microsoft-apps-and-wip.md
View File

@ -62,7 +62,6 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li
|Product name |App info |
|-------------|---------|
|Microsoft Edge |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.MicrosoftEdge<br>**App Type:** Universal app |
|IE11 |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** iexplore.exe<br>**App Type:** Desktop app |
|Microsoft People |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.People<br>**App Type:** Universal app |
|Word Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Office.Word<br>**App Type:** Universal app |
|Excel Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Office.Excel<br>**App Type:** Universal app |
@ -71,8 +70,9 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li
|Outlook Mail and Calendar |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** microsoft.windowscommunicationsapps<br>**App Type:** Universal app |
|Microsoft Photos |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Windows.Photos<br>**App Type:** Universal app |
|Groove Music |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.ZuneMusic<br>**App Type:** Universal app |
|Microsoft OneDrive |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** onedrive.exe<br>**App Type:** Desktop app|
|Notepad |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** notepad.exe<br>**App Type:** Desktop app |
|Microsoft Paint |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** mspaint.exe<br>**App Type:** Desktop app |
|Microsoft Movies & TV |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.ZuneVideo<br>**App Type:** Universal app |
|Microsoft Messaging |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Messaging<br>**App Type:** Universal app |
|IE11 |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** iexplore.exe<br>**App Type:** Desktop app |
|Microsoft OneDrive |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** onedrive.exe<br>**App Type:** Desktop app|
|Notepad |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** notepad.exe<br>**App Type:** Desktop app |
|Microsoft Paint |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** mspaint.exe<br>**App Type:** Desktop app |

2
windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
View File

@ -23,7 +23,7 @@ localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/en-US/library/aa745633(v=bts.10).aspx) on individual endpoints.
You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/library/aa745633(v=bts.10).aspx) on individual endpoints.
For example, if endpoints are not appearing in the **Machines view** list, you might need to look for event IDs on the endpoints. You can then use this table to determine further troubleshooting steps.

1
windows/keep-secure/guidance-and-best-practices-wip.md
View File

@ -26,3 +26,4 @@ This section includes info about the enlightened Microsoft apps, including how t
|[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |A list of all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise. |
|[Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list. |
|[Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md) |We've come up with a list of suggested testing scenarios that you can use to test WIP in your company. |
|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |The most common problems you might encounter while using Windows Information Protection (WIP). |

8
windows/keep-secure/implement-microsoft-passport-in-your-organization.md
View File

@ -20,9 +20,13 @@ localizationpriority: high
You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10.
>[!IMPORTANT]
>The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. It still prevents or enables the creation of a convenience PIN for Windows 10. Use **Windows Hello for Business** policy settings to manage PINs.
>The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. It still prevents or enables the creation of a convenience PIN for Windows 10, version 1507 and 1511.
>
>Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**.
>
>Use **Windows Hello for Business** policy settings to manage PINs for Windows Hello for Business.
 
## Group Policy settings for Windows Hello for Businness
## Group Policy settings for Windows Hello for Business
The following table lists the Group Policy settings that you can configure for Hello use in your workplace. These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Windows Hello for Business**.

2
windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md
View File

@ -67,7 +67,7 @@ In the file's page, **Submit for deep analysis** is enabled when the file is ava
> [!NOTE]
> Only files from Windows 10 can be automatically collected.
You can also manually submit a sample through the [Malware Protection Center Portal](https://www.microsoft.com/en-us/security/portal/submission/submit.aspx) if the file was not observed on a Windows 10 machine, and wait for **Submit for deep analysis** button to become available.
You can also manually submit a sample through the [Malware Protection Center Portal](https://www.microsoft.com/security/portal/submission/submit.aspx) if the file was not observed on a Windows 10 machine, and wait for **Submit for deep analysis** button to become available.
> [!NOTE]
> Due to backend processing flows in the Malware Protection Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Windows Defender ATP.

2
windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md
View File

@ -40,7 +40,7 @@ The Machines view contains the following columns:
- **Active malware detections** - the number of active malware detections reported by the machine
> [!NOTE]
> The **Active alerts** and **Active malware detections** filter column will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
> The **Active alerts** and **Active malware detections** filter column will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
Click any column header to sort the view in ascending or descending order.

77
windows/keep-secure/limitations-with-wip.md Normal file
View File

@ -0,0 +1,77 @@
---
title: Limitations while using Windows Information Protection (WIP) (Windows 10)
description: This section includes info about the common problems you might encounter while using Windows Information Protection (WIP).
keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
localizationpriority: high
---
# Limitations while using Windows Information Protection (WIP)
**Applies to:**
- Windows 10, version 1607
- Windows 10 Mobile
This table provides info about the most common problems you might encounter while running WIP in your organization.
<table>
<tr>
<th>Limitation</th>
<th>How it appears</th>
<th>Workaround</th>
</tr>
<tr>
<td>Enterprise data on USB drives is tied to the device it was protected on.</td>
<td>Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text.</td>
<td>Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.<p>We strongly recommend educating employees about how to limit or eliminate the need for this decryption.</td>
</tr>
<tr>
<td>Direct Access is incompatible with WIP.</td>
<td>Direct Access might experience problems with how WIP enforces app behavior and data movement because of how WIP determines what is and isnt a corporate network resource.</td>
<td>We recommend that you use VPN for client access to your intranet resources.<p><strong>Note</strong><br>VPN is optional and isnt required by WIP.</td>
</tr>
<tr>
<td><strong>NetworkIsolation</strong> Group Policy setting is incompatible with WIP.</td>
<td>The <strong>NetworkIsolation</strong> Group Policy setting has incompatible network settings that can conflict and cause problems with WIP.</td>
<td>We recommend that you dont use the NetworkIsolation Group Policy setting.</td>
</tr>
<tr>
<td>Cortana can potentially allow data leakage if its on the allowed apps list.</td>
<td>If Cortana is on the allowed list, some files might become unexpectedly encrypted after an employee performs a search using Cortana. Your employees will still be able to use Cortana to search and provide results on enterprise documents and locations, but results might be sent to Microsoft.</td>
<td>We dont recommend adding Cortana to your allowed apps list. However, if you wish to use Cortana and don't mind whether the results potentially go to Microsoft, you can make Cortana an Exempt app.</td>
</tr>
<tr>
<td>WIP is designed for use by a single user per device.</td>
<td>A secondary user on a device might experience app compat issues when unenlightened apps start to automatically encrypt for all users. Additionally, only the initial, enrolled users content can be revoked during the unenrollment process.</td>
<td>We recommend only having one user per managed device.</td>
</tr>
<tr>
<td>Installers copied from an enterprise network file share might not work properly.</td>
<td>An app might fail to properly install because it cant read a necessary configuration or data file, such as a .cab or .xml file needed for installation, which was protected by the copy action.</td>
<td>To fix this, you can:
<ul>
<li>Start the installer directly from the file share.<p>-OR-</li>
<li>Decrypt the locally copied files needed by the installer.<p>-OR-</li>
<li>Mark the file share with the installation media as “personal”. To do this, youll need to set the Enterprise IP ranges as <strong>Authoritative</strong> and then exclude the IP address of the file server, or youll need to put the file server on the Enterprise Proxy Server list.</li>
</ul></td>
</tr>
<tr>
<td>Changing your primary Corporate Identity isnt supported.</td>
<td>You might experience various instabilities, including but not limited to network and file access failures, and potentially granting incorrect access.</td>
<td>Turn off WIP for all devices before changing the primary Corporate Identity (first entry in the list), restarting, and finally redeploying.</td>
</tr>
<tr>
<td>Redirected folders with Client Side Caching are not compatible with WIP.</td>
<td>Apps might encounter access errors while attempting to read a cached, offline file.</td>
<td>Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.</td>
</tr>
<tr>
<td>You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer.</td>
<td>A message appears stating that the content is marked as **Work** and the user isn't given an option to override to **Personal**.</td>
<td>Open File Explorer and change the file ownership to **Personal** before you upload.</td>
</tr>
</table>

4
windows/keep-secure/monitor-onboarding-windows-advanced-threat-protection.md
View File

@ -1,7 +1,7 @@
---
redirect_url: https://technet.microsoft.com/en-au/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection
redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection
---
# Monitor the Windows Defender Advanced Threat Protection onboarding
This page has been redirected to [Configure endpoints](https://technet.microsoft.com/en-au/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection)
This page has been redirected to [Configure endpoints](https://technet.microsoft.com/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection)

4
windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md
View File

@ -16,7 +16,7 @@ author: brianlic-msft
This topic provides a roadmap for planning and getting started on the Device Guard deployment process, with links to topics that provide additional detail. Planning for Device Guard deployment involves looking at both the end-user and the IT pro impact of your choices. Use the following steps to guide you.
**Planning**
## Planning
1. **Review requirements, especially hardware requirements for VBS**. Review the virtualization-based security (VBS) features described in [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats). Then you can assess your end-user systems to see how many support the VBS features you are interested in, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard).
@ -33,7 +33,7 @@ This topic provides a roadmap for planning and getting started on the Device Gua
4. **Identify LOB applications that are currently unsigned**. Although requiring signed code (through code integrity policies) protects against many threats, your organization might use unsigned LOB applications, for which the process of signing might be difficult. You might also have applications that are signed, but you want to add a secondary signature to them. If so, identify these applications, because you will need to create a catalog file for them. For a basic description of catalog files, see the table in [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md). For more background information about catalog files, see [Reviewing your applications: application signing and catalog files](requirements-and-deployment-planning-guidelines-for-device-guard.md#reviewing-your-applications-application-signing-and-catalog-files).
**Getting started on the deployment process**
## Getting started on the deployment process
1. **Optionally, create a signing certificate for code integrity policies**. As you deploy code integrity policies, you might need to sign catalog files or code integrity policies internally. To do this, you will either need a publicly issued code signing certificate (that you purchase) or an internal CA. If you choose to use an internal CA, you will need to create a code signing certificate. For more information, see [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md).

2
windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md
View File

@ -39,7 +39,7 @@ When you open the portal, youll see the main areas of the application:
![Windows Defender Advanced Threat Protection portal](images/portal-image.png)
> [!NOTE]
> Malware related detections will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
> Malware related detections will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section.

Some files were not shown because too many files have changed in this diff Show More