Merge remote-tracking branch 'refs/remotes/origin/master' into jd-sandbox

jdeckerMS
2017-05-11 11:32:17 -07:00
55 changed files with 551 additions and 152 deletions


@ -374,6 +374,22 @@
"build_entry_point": "docs",
"template_folder": "_themes",
"version": 0
},
{
"docset_name": "bcs",
"build_source_folder": "bcs",
"build_output_subfolder": "bcs",
"locale": "en-us",
"monikers": [],
"open_to_public_contributors": false,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes",
"version": 0
}
],
"notification_subscribers": [
@ -387,6 +403,12 @@
"skip_source_output_uploading": false,
"need_preview_pull_request": true,
"dependent_repositories": [
{
"path_to_root": "_themes.pdf",
"url": "https://github.com/Microsoft/templates.docs.msft.pdf",
"branch": "master",
"branch_mapping": {}
},
{
"path_to_root": "_themes",
"url": "https://github.com/Microsoft/templates.docs.msft",
@ -394,5 +416,20 @@
"branch_mapping": {}
}
],
"need_generate_pdf_url_template": false
"branch_target_mapping": {
"live": [
"Publish",
"Pdf"
],
"master": [
"Publish",
"Pdf"
]
},
"need_generate_pdf_url_template": false,
"Targets": {
"Pdf": {
"template_folder": "_themes.pdf"
}
}
}
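Review bot: The new `_themes.pdf` entry in `dependent_repositories` tracks `"branch": "master"` with an empty `branch_mapping`, so each PDF build appears to take whatever sits at the tip of the external template repository at build time. Templates presumably execute inside the publishing pipeline, so an unintended push there would reach both the `live` and `master` Pdf targets enabled by `branch_target_mapping` without any reviewed change in this repository. If the publishing system accepts a tag or release branch in that field, point `"branch"` at a fixed ref; otherwise fill `branch_mapping` so that `live` builds resolve to a protected branch. The existing `_themes` entry follows the same pattern, and the enclosing object starts outside the hunk.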


@ -1471,6 +1471,11 @@
"redirect_document_id": true
},
{
"source_path": "windows/manage/windows-spotlight.md",
"redirect_url": "/windows/configuration/windows-spotlight",
"redirect_document_id": true
},
{
"source_path": "windows/deploy/activate-forest-by-proxy-vamt.md",
"redirect_url": "/windows/deployment/volume-activation/activate-forest-by-proxy-vamt",
"redirect_document_id": true
@ -8214,6 +8219,21 @@
"source_path": "education/get-started/index.md",
"redirect_url": "/education/get-started/get-started-with-microsoft-education",
"redirect_document_id": true
},
{
"source_path": "windows/keep-secure/windows-10-enterprise-security-guides.md",
"redirect_url": "/windows/windows-10/index",
"redirect_document_id": true
},
{
"source_path": "windows/keep-secure/change-history-for-keep-windows-10-secure.md",
"redirect_url": "/windows/windows-10/index",
"redirect_document_id": true
},
{
"source_path": "windows/manage/change-history-for-manage-and-update-windows-10.md",
"redirect_url": "/windows/windows-10/index",
"redirect_document_id": true
}
]
}
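Review bot: The three redirects appended at the end of the list all point to `/windows/windows-10/index` with `"redirect_document_id": true`, so three retired pages each claim to hand their document id to the same target. If the publishing system treats that flag as transferring page identity, only one source can meaningfully own it; I would keep it on at most one entry and set `"redirect_document_id": false` on the other two. The first of them also retires `windows/keep-secure/windows-10-enterprise-security-guides.md` to a generic index, so old links to security guidance land on a page that may not carry it; a more specific `redirect_url` would serve readers better if one exists. The enclosing array starts outside the hunk.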


@ -18,7 +18,7 @@ We've tried to make editing an existing, public file as simple as possible.
**To edit a topic**
1. Go to the page on TechNet that you want to update, and then click **Edit**.
1. Go to the page on docs.microsoft.com that you want to update, and then click **Edit**.
![GitHub Web, showing the Edit link](images/contribute-link.png)
@ -62,14 +62,23 @@ We've tried to make editing an existing, public file as simple as possible.
The pull request is sent to the writer of the topic and your edits are reviewed. If your request is accepted, updates are published to one of the following places:
- [Windows 10](https://docs.microsoft.com/windows/windows-10)
- [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy)
- [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy)
- [Surface](https://docs.microsoft.com/surface)
- [Surface Hub](https://docs.microsoft.com/surface-hub)
- [HoloLens](https://docs.microsoft.com/hololens)
- [Microsoft Store](https://docs.microsoft.com/microsoft-store)
- [Windows 10 for Education](https://docs.microsoft.com/education/windows)
- [Windows 10 for SMB](https://docs.microsoft.com/windows/smb)
- [Internet Explorer 11](https://docs.microsoft.com/internet-explorer)
- [Microsoft Desktop Optimization Pack](https://docs.microsoft.com/microsoft-desktop-optimization-pack)

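--- a/bcs/TOC.md
+++ b/bcs/TOC.md
@@ -0,0 +1 @@
+# [Index](index.md)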

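--- a/bcs/docfx.json
+++ b/bcs/docfx.json
@@ -0,0 +1,37 @@
+{
+"build": {
+"content": [
+{
+"files": [
+"**/*.md"
+],
+"exclude": [
+"**/obj/**",
+"**/includes/**",
+"README.md",
+"LICENSE",
+"LICENSE-CODE",
+"ThirdPartyNotices"
+]
+}
+],
+"resource": [
+{
+"files": [
+"**/*.png",
+"**/*.jpg"
+],
+"exclude": [
+"**/obj/**",
+"**/includes/**"
+]
+}
+],
+"overwrite": [],
+"externalReference": [],
+"globalMetadata": {},
+"fileMetadata": {},
+"template": [],
+"dest": "bcs"
+}
+}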

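--- a/bcs/index.md
+++ b/bcs/index.md
@@ -0,0 +1 @@
+# Placeholder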


@ -226,9 +226,6 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A
- **Description:** This policy setting lets you decide whether employees must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash.
>[!Important]
>Sites are put on the auto-allowed list based on how frequently employees load and run the content.
- If you enable or dont configure the Adobe Flash Click-to-Run setting, an employee must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content.
- If you disable this setting, Adobe Flash content is automatically loaded and run by Microsoft Edge.
@ -357,7 +354,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A
https://fabrikam.com/opensearch.xml
- If you disable this setting, the policy-set default search engine is removed. If this is also the current in-use default, the engine changes to the Microsoft Edge specified engine for the market.<p>If you don't configure this setting, the default search engine is set to the one specified in App settings.
- If you disable this setting, the policy-set default search engine is removed. If this is also the current in-use default, the engine changes to the Microsoft Edge specified engine for the market.
- If you don't configure this setting (default), the default search engine is set to the one specified in App settings.


@ -11,7 +11,7 @@ localizationpriority: medium
# Enroll HoloLens in MDM
You can manage multiple Microsoft HoloLens devices simultaneously using solutions like Microsoft InTune. You will be able to manage settings, select apps to install and set security configurations tailored to your organization's need.
You can manage multiple Microsoft HoloLens devices simultaneously using solutions like Microsoft Intune. You will be able to manage settings, select apps to install and set security configurations tailored to your organization's need.
>[!NOTE]
>Mobile device management (MDM) for the Development edition of HoloLens does not include VPN, BitLocker, or kiosk mode. Those features are only available when you [upgrade to Windows Holographic for Business](hololens-upgrade-enterprise.md).
@ -22,7 +22,7 @@ You can manage multiple Microsoft HoloLens devices simultaneously using solution
## Auto-enrollment in MDM
If your organization uses Azure Active Directory (Azure AD) and an MDM solution that accepts an AAD token for authentication (currently, only supported in Microsoft Intune and Airwatch), your IT admin can configure Azure AD to automatically allow MDM enrollment after the user signs in with their Azure AD account. [Learn how to configure Azure AD enrollment.](https://docs.microsoft.com/intune/deploy-use/set-up-windows-device-management-with-microsoft-intune#azure-active-directory-enrollment)
If your organization uses Azure Active Directory (Azure AD) and an MDM solution that accepts an AAD token for authentication (currently, only supported in Microsoft Intune and AirWatch), your IT admin can configure Azure AD to automatically allow MDM enrollment after the user signs in with their Azure AD account. [Learn how to configure Azure AD enrollment.](https://docs.microsoft.com/intune/deploy-use/set-up-windows-device-management-with-microsoft-intune#azure-active-directory-enrollment)
When auto-enrollment is enabled, no additional manual enrollment is needed. When the user signs in with an Azure AD account, the device is enrolled in MDM after completing the first-run experience.
@ -36,4 +36,4 @@ When auto-enrollment is enabled, no additional manual enrollment is needed. When
4. Upon successful authentication to the MDM server, a success message is shown.
Your device is now enrolled with your MDM server. The device will need to restart to acquire policies, certificates, and apps. The Settings app will now reflect that the device is enrolled in device management.
Your device is now enrolled with your MDM server. The device will need to restart to acquire policies, certificates, and apps. The Settings app will now reflect that the device is enrolled in device management.


@ -23,7 +23,7 @@ localizationpriority: medium
| [HoloLens in the enterprise: requirements](hololens-requirements.md) | Lists requirements for general use, Wi-Fi, and device management |
| [Set up HoloLens](hololens-setup.md) | How to set up HoloLens for the first time |
| [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md) | How to upgrade your Development Edition HoloLens to Windows Holographic for Business|
| [Enroll HoloLens in MDM](hololens-enroll-mdm.md) | Manage multiple HoloLens devices simultaneously using solutions like Microsoft InTune |
| [Enroll HoloLens in MDM](hololens-enroll-mdm.md) | Manage multiple HoloLens devices simultaneously using solutions like Microsoft Intune |
| [Set up HoloLens in kiosk mode](hololens-kiosk.md) | Enable kiosk mode for HoloLens, which limits the user's ability to launch new apps or change the running app |
| [Configure HoloLens using a provisioning package](hololens-provisioning.md) | Provisioning packages make it easy for IT administrators to configure HoloLens devices without imaging |
| [Install apps on HoloLens](hololens-install-apps.md) | Use Microsoft Store for Business, mobile device management (MDM), or the Windows Device Portal to install apps on HoloLens|
@ -37,4 +37,4 @@ localizationpriority: medium
- [HoloLens Commercial Suite](https://www.microsoft.com/microsoft-hololens/hololens-commercial)
- [HoloLens release notes](https://developer.microsoft.com/en-us/windows/mixed-reality/release_notes)
- [HoloLens release notes](https://developer.microsoft.com/en-us/windows/mixed-reality/release_notes)


@ -13,7 +13,7 @@ author: Scottmca
Fundamentally, management and deployment of Surface devices with System Center Configuration Manager is the same as the management and deployment of any other PC. Like any other PC, a deployment to Surface devices includes importing drivers, importing a Windows image, preparing a deployment task sequence, and then deploying the task sequence to a collection. After deployment, Surface devices are like any other Windows client to publish apps, settings, and policies, you use the same process that you would use for any other device.
You can find more information about how to use Configuration Manager to deploy and manage devices in the [Documentation for System Center Configuration Manager](https://docs.microsoft.com/sccm/index) article in the TechNet Library.
You can find more information about how to use Configuration Manager to deploy and manage devices in the [Documentation for System Center Configuration Manager](https://docs.microsoft.com/sccm/index).
Although the deployment and management of Surface devices is fundamentally the same as any other PC, there are some scenarios that may require additional considerations or steps. This article provides descriptions and guidance for these scenarios; the solutions documented in this article may apply to other devices and manufacturers as well.


@ -50,6 +50,8 @@ In this walkthrough, we'll show you the basics on how to:
This diagram shows a high-level view of what we cover in this walkthrough. The numbers correspond to the sections in the walkthrough and roughly correspond to the flow of the overall process; but, note that not all sections in this walkthrough are shown in the diagram.
**Figure 1** - Microsoft Education IT administrator workflow
![Deploy and manage a full cloud IT solution using Microsoft Education](images/microsoft-education-get-started-workflow.png)
## Prerequisites
@ -109,7 +111,7 @@ Already have an Office 365 for Education verified tenant? Just sign in with your
1. Click <a href="https://aka.ms/intuneforedupreviewtrial" target="_blank">https://aka.ms/intuneforedupreviewtrial</a> to get started.
2. In the **Intune for Education Trial** page, click **Sign in**.
**Figure 1** - Intune for Education trial sign in page
**Figure 2** - Intune for Education trial sign in page
![Intune for Education trial sign in page](images/i4e_trialsigninpage.png)
@ -125,7 +127,7 @@ Don't have an Office 365 for Education verified tenant or just starting out? Fol
1. Go to the <a href="https://signup.microsoft.com/Signup?OfferId=03ee83a5-5cb4-4545-aca9-33ead43f222a,d764709a-7763-45ef-a2a8-db5b8b6ae704&DL=ENTERPRISEPREMIUM_FACULTY" target="_blank">Office 365 for Education sign up page</a> to sign up for a free subscription for your school.
2. Create an account and a user ID and password to use to sign into your account.
**Figure 2** - Office 365 account creation
**Figure 3** - Office 365 account creation
![Create an Office 365 account](images/o365_createaccount.png)
@ -151,7 +153,7 @@ Follow all the steps in this section to use SDS and sample CSV files in a trial
1. Go to the <a href="https://aka.ms/sdsscripts" target="_blank">O365-EDU-Tools GitHub site</a>.
2. Click the green **Clone or download** button to download the SDS sample files.
**Figure 3** - Download the SDS sample files from GitHub
**Figure 4** - Download the SDS sample files from GitHub
![Download the SDS sample files from GitHub](images/sds_github_downloadsample.png)
@ -159,7 +161,7 @@ Follow all the steps in this section to use SDS and sample CSV files in a trial
4. Go to the folder where you saved the .zip and unzip the files.
5. Open the **O365-EDU-Tools-master** folder and then open the **CSV Samples** subfolder. Confirm that you can see the following sample CSV files.
**Figure 4** - Sample CSV files
**Figure 5** - Sample CSV files
![Use the sample CSV files](images/sds_sample_csv_files_us_uk.png)
@ -170,12 +172,25 @@ Follow all the steps in this section to use SDS and sample CSV files in a trial
To learn more about the CSV files that are required and the info you need to include in each file, see <a href="https://aka.ms/sdscsvattributes" target="_blank">CSV files for School Data Sync</a>. If you run into any issues, see <a href="https://aka.ms/sdserrors" target="_blank">School Data Sync errors and troubleshooting</a>.
**<a name="assignclassroom"></a>Assign Classroom license**
The Classroom application is retired, but you will need to assign the Classroom Preview license to yourself and other global admins so that you can access the services. The single license will allow global admins to access both Classroom Preview and School Data Sync.
1. In the <a href="https://portal.office.com/adminportal" target="_blank">Office 365 admin center</a>, select **Users > Active users**.
2. Select the checkbox for your global admin account.
3. In the account details window, under **Product licenses**, click **Edit**.
4. In the **Product licenses** page, turn on **Microsoft Classroom** and then click **Save**.
5. Confirm that you can access SDS. To do this, log in to <a href="http://sds.microsoft.com" target="_blank">https://sds.microsoft.com</a>.
> [!NOTE]
> Only global admins can access SDS.
**<a name="usesdstoimportdata"></a>Use SDS to import student data**
1. Go to the <a href="http://sds.microsoft.com" target="_blank">Microsoft School Data Sync site</a>.
1. If you haven't done so already, To do this, go to <a href="http://sds.microsoft.com" target="_blank">https://sds.microsoft.com</a>.
2. Click **Sign in**. You will see the **Settings** option for **Manage School Data Sync**.
**Figure 5** - Settings for managing SDS
**Figure 6** - Settings for managing SDS
![Settings for managing SDS](images/sds_sds_and_classroom_off.png)
@ -183,7 +198,7 @@ To learn more about the CSV files that are required and the info you need to inc
New menu options will appear on the left of the SDS portal.
**Figure 6** - New menu options appear after SDS is turned on
**Figure 7** - New menu options appear after SDS is turned on
![New menu options appear after SDS is turned on](images/sds_sds_on_newmenu_items.png)
@ -191,7 +206,7 @@ To learn more about the CSV files that are required and the info you need to inc
This opens up the new profile setup wizard within the main page.
**Figure 7** - New SDS profile setup wizard
**Figure 8** - New SDS profile setup wizard
![New SDS profile setup wizard](images/sds_updated_addnewprofile.png)
@ -221,7 +236,7 @@ To learn more about the CSV files that are required and the info you need to inc
5. In the **License Options** section, check the box to select the option.
6. Click **Next**.
**Figure 8** - Sync options for the new profile
**Figure 9** - Sync options for the new profile
![Specify sync options for the new SDS profile](images/sds_addnewprofile_syncoptions.png)
@ -231,7 +246,7 @@ To learn more about the CSV files that are required and the info you need to inc
3. In the **Teacher licenses** section, choose the SKU to assign licenses for teachers. For this walkthrough, choose **STANDARDWOFFPACK_FACULTY**.
4. Click **Next**.
**Figure 9** - Specify options for teacher mapping
**Figure 10** - Specify options for teacher mapping
![Specify options for teacher mapping](images/sds_addnewprofile_teacheroptions.png)
@ -241,7 +256,7 @@ To learn more about the CSV files that are required and the info you need to inc
3. In the **Student licenses** section, choose the SKU to assign licenses for students. For this walkthrough, choose **STANDARDWOFFPACK_STUDENT**.
4. Click **Next**.
**Figure 10** - Specify options for student mapping
**Figure 11** - Specify options for student mapping
![Specify options for student mapping](images/sds_addnewprofile_studentoptions.png)
@ -251,7 +266,7 @@ To learn more about the CSV files that are required and the info you need to inc
11. You will see a page for your profile. The status might indicate that it's still being set up.
**Figure 11** - SDS profile page
**Figure 12** - SDS profile page
![SDS profile page](images/sds_profilepage.png)
@ -259,7 +274,7 @@ To learn more about the CSV files that are required and the info you need to inc
If the status still indicates that the profile is being set up, try refreshing the page until you see the status change to **Ready to sync**.
**Figure 12** - New profile is ready to sync
**Figure 13** - New profile is ready to sync
![Confirm that the new profile is ready](images/sds_profile_readytosync.png)
@ -288,20 +303,20 @@ You'll need to configure Microsoft Store for Education to accept the services ag
This will take you to the Microsoft Store for Education portal.
**Figure 13** - Microsoft Store for Education portal
**Figure 14** - Microsoft Store for Education portal
![Microsoft Store for Education portal](images/msfe_store_portal.png)
3. In the Microsoft Store portal, click **Manage** to go to the Microsoft Store **Overview** page.
4. Find the **Overview** page, find the **Store settings** tile and click **Management tools**.
**Figure 14** - Select management tools from the list of Store settings options
**Figure 15** - Select management tools from the list of Store settings options
![Select management tools from list of Store settings options](images/msfe_storesettings_select_managementtools.png)
4. In the **Management tools** page, find **Microsoft Intune** on the list and click **Activate** to get Intune for Education ready for use with Microsoft Store for Education.
**Figure 15** - Activate Intune for Education as the management tool
**Figure 16** - Activate Intune for Education as the management tool
![Activate Intune for Education as the management tool](images/msfe_managementtools_activateintune.png)
@ -335,20 +350,20 @@ Intune for Education provides an **Express configuration** option so you can get
1. Log into the <a href="https://intuneeducation.portal.azure.com/" target="_blank">Intune for Education console</a>. You will see the Intune for Education dashboard once you're logged in.
**Figure 16** - Intune for Education dashboard
**Figure 17** - Intune for Education dashboard
![Intune for Education dashboard](images/i4e_portal.png)
2. On the dashboard, click **Launch Express Configuration**, or select the **Express configuration** option on the menu on the left.
3. In the **Welcome to Intune for Education** screen, click **Get started**.
**Figure 17** - Click Get started to set up Intune for Education
**Figure 18** - Click Get started to set up Intune for Education
![Click Get Started to configure groups, apps, and settings](images/i4e_expressconfiguration_welcome.png)
4. In the **Get school information (optional)** screen, it should indicate that SDS is already configured. Click **Next**.
**Figure 18** - SDS is configured
**Figure 19** - SDS is configured
![SDS is already configured](images/i4e_expressconfiguration_sdsconfigured.png)
@ -361,7 +376,7 @@ Intune for Education provides an **Express configuration** option so you can get
> [!TIP]
> At the top of the screen, did you notice the **Choose group** button change to a green check mark? This means we are done with that step. If you change your mind or need to make changes, simply click on the button to go back to that step. Try it!
>
> **Figure 19** - Click on the buttons to go back to that step
> **Figure 20** - Click on the buttons to go back to that step
>
> ![Click on the buttons to back to that step](images/i4e_expressconfiguration_choosebuttontogoback.png)
@ -374,7 +389,7 @@ Intune for Education provides an **Express configuration** option so you can get
> [!TIP]
> Web apps are pushed as links in the Windows Start menu under **All apps**. If you want apps to appear in Microsoft Edge browser tabs, use the **Homepages** setting for Microsoft Edge through **Express configuration** or **Manage Users and Devices**.
**Figure 20** - Choose the apps that you want to install for the group
**Figure 21** - Choose the apps that you want to install for the group
![Choose apps to install for the group](images/i4e_expressconfiguration_chooseapps_selected_cropped.png)
@ -384,7 +399,7 @@ Intune for Education provides an **Express configuration** option so you can get
8. In the **Choose settings** screen, we will set the settings to apply to the group. Click the reverse caret (downward-facing arrow) to expand the settings group and get more information about each setting in that settings group.
**Figure 21** - Expand the settings group to get more details
**Figure 22** - Expand the settings group to get more details
![Expand the settings group to get more info](images/i4e_expressconfiguration_choosesettings_expandcollapse_cropped.png)
@ -392,20 +407,20 @@ Intune for Education provides an **Express configuration** option so you can get
- In the **Internet browser settings** group, change the **Send Do Not Track requests to help protect users' privacy** setting to **Block**.
- In the **App settings** group, change the **Microsoft Store for Business apps** setting to **Block**, and then set the **Private Microsoft Store for Business apps** to **Allow**.
**Figure 22** - Set some additional settings
**Figure 23** - Set some additional settings
![Set some additional settings](images/i4e_expressconfiguration_choosesettings_additionalsettingsconfigured_cropped.png)
10. Click **Next**. In the **Review** screen, you will see a summary of the apps and settings you selected to apply.
**Figure 23** - Review the group, apps, and settings you configured
**Figure 24** - Review the group, apps, and settings you configured
![Review the group, apps, and settings you configured](images/i4e_expressconfiguration_review.png)
11. Click **Save** to end express configuration.
12. You will see the **You're done!** screen which lets you choose one of two options.
**Figure 24** - All done with Intune for Education express configuration
**Figure 25** - All done with Intune for Education express configuration
![Done with Intune for Education express configuration](images/i4e_expressconfiguration_alldone.png)
@ -422,13 +437,13 @@ Intune for Education provides an **Express configuration** option so you can get
1. In the <a href="https://intuneeducation.portal.azure.com/" target="_blank">Intune for Education console</a>, click **Apps** from the menu on the left.
**Figure 25** - Click on **Apps** to see the list of apps for your tenant
**Figure 26** - Click on **Apps** to see the list of apps for your tenant
![Click Apps to see the list of apps for your tenant](images/i4e_dashboard_clickapps.png)
2. In the **Store apps** section, click **+ New app**. This will take you to the Microsoft Store for Education portal and you will already be signed in.
**Figure 26** - Select the option to add a new Store app
**Figure 27** - Select the option to add a new Store app
![Select the option to add a new Store app](images/i4e_apps_newstoreapp_selected.png)
@ -447,7 +462,7 @@ Intune for Education provides an **Express configuration** option so you can get
For example, if you bought Duolingo and Khan Academy, they will show up in your inventory along with the apps that Microsoft automatically provisioned for your education tenant.
**Figure 27** - Apps inventory in Microsoft Store for Education
**Figure 28** - Apps inventory in Microsoft Store for Education
![Apps inventory in Store for Business](images/msfe_manageapps_inventory_grouped.png)
@ -462,32 +477,32 @@ Now that you've bought the apps, use Intune for Education to specify the group t
1. In the <a href="https://intuneeducation.portal.azure.com/" target="_blank">Intune for Education console</a>, click the **Groups** option from the menu on the left.
**Figure 28** - Groups page in Intune for Education
**Figure 29** - Groups page in Intune for Education
![Groups page in Intune for Education](images/i4e_groupspage.png)
2. In the **Groups** page, select **All Users** from the list of groups on the left, and then click **Users** in the taskbar at the top of the **All Users** page.
**Figure 29** - List of all users in the tenant
**Figure 30** - List of all users in the tenant
![List of all users in the tenant](images/i4e_groups_allusers_users_steps.png)
3. In the taskbar at the top, select **Apps** and then click **Edit apps** to see a list of available apps.
**Figure 30** - Edit apps to assign them to users
**Figure 31** - Edit apps to assign them to users
![Edit apps to assign them to users](images/i4e_groups_allusers_appspage_editapps.png)
4. Select the apps to deploy to the group. A blue checkmark will appear next to the apps you select.
**Figure 31** - Select the apps to deploy to the group
**Figure 32** - Select the apps to deploy to the group
![Select the apps to deploy to the group](images/i4e_groups_allusers_selectappstodeploy.png)
5. Once you're done, click **Save** at the bottom of the page to deploy the selected apps to the group.
6. You'll be notified that app assignments are being updated. The updated **All Users** groups page now include the apps you selected.
**Figure 32** - Updated list of assigned apps
**Figure 33** - Updated list of assigned apps
![Updated list of assigned apps](images/i4e_groups_allusers_updatedappslist.png)
@ -511,13 +526,13 @@ We recommend using the latest build of Windows 10, version 1703 on your educatio
1. If you don't have a Wi-Fi network configured, make sure you connect the device to the Internet through a wired or Ethernet connection.
2. Go through the Windows device setup experience. On a new or reset device, this starts with the **Let's start with region. Is this right?** screen.
**Figure 33** - Let's start with region
**Figure 34** - Let's start with region
![Let's start with region](images/win10_letsstartwithregion.png)
3. Continue with setup. In the **How would you like to set up?** screen, select **Set up for an organization**.
**Figure 34** - Select setup for an organization
**Figure 35** - Select setup for an organization
![Select setup for an organization](images/win10_setupforanorg.png)
@ -536,7 +551,7 @@ Verify that the device is set up correctly and boots without any issues.
> [!NOTE]
> It may take some time before some apps are pushed down to your device from Intune for Education. Check again later if you don't see some of the apps you provisioned for the user.
**Figure 35** - Sample list of apps for a user
**Figure 36** - Sample list of apps for a user
![Apps list contains the apps provisioned for the user](images/win10_start_checkapps.png)
@ -548,7 +563,7 @@ Let's now verify that the device is joined to your organization's Azure AD and s
2. Select **Groups** and select **All Devices**.
3. In the **All Devices** page, see the list of devices and verify that the device you're signed into appears on the list.
**Figure 36** - List of all managed devices
**Figure 37** - List of all managed devices
![Verify that the device is managed in Intune for Education](images/i4e_groups_alldevices_listofaadjdevices.png)
@ -556,7 +571,7 @@ Let's now verify that the device is joined to your organization's Azure AD and s
5. Select **Accounts > Access work or school**.
6. In the **Access work or school** page, confirm that the device is connected to the organization's Azure AD.
**Figure 37** - Confirm that the Windows 10 device is joined to Azure AD
**Figure 38** - Confirm that the Windows 10 device is joined to Azure AD
![Confirm that the Windows 10 device is joined to Azure AD](images/win10_confirmaadj.png)
@ -572,7 +587,7 @@ If you need to make changes or updates to any of the apps or settings for the gr
2. Click **Groups** and then choose **Settings** in the taskbar at the top of the page.
3. You will see the same settings groups that you saw in express setup for Intune for Education as well as other settings categories such as **Windows Defender settings**, **Device sharing**, **Edition upgrade**, and so on.
**Figure 38** - See the list of available settings in Intune for Education
**Figure 39** - See the list of available settings in Intune for Education
![See the list of available settings in Intune for Education](images/i4e_groups_settingslist_full.png)
@ -594,7 +609,7 @@ Follow the steps in this section to enable a single person to add many devices t
2. Click **Admin centers** and select **Azure AD** to go to the Azure portal.
3. Configure the device settings for the school's Active Directory. From the new Azure portal, <a href="https://portal.azure.com" target="_blank">https://portal.azure.com</a>, select **Azure Active Directory > Users and groups > Device settings**.
**Figure 39** - Device settings in the new Azure portal
**Figure 40** - Device settings in the new Azure portal
![Configure device settings in the new Azure portal](images/azure_newportal_usersandgroups_devicesettings.png)
@ -611,7 +626,7 @@ Follow the steps in this section to ensure that settings for the each user follo
3. Configure the device settings for the school's Active Directory. From the new Azure portal, <a href="https://portal.azure.com" target="_blank">https://portal.azure.com</a>, select **Azure Active Directory > Users and groups > Device settings**.
4. Find the setting **Users may sync settings and enterprise app data** and change the value to **All**.
**Figure 40** - Enable settings to roam with users
**Figure 41** - Enable settings to roam with users
![Enable settings to roam with users](images/azure_usersandgroups_devicesettings_ers.png)
@ -639,7 +654,7 @@ Adding a new device to your cloud-based tenant is easy. For new devices, you can
For example, if a teacher connects their personal device to the school network, they'll see the following screen after typing in their account information.
**Figure 41** - Device is now managed by Intune for Education
**Figure 42** - Device is now managed by Intune for Education
![Device is managed by Intune for Education](images/byob_aad_enrollment_intune.png)
@ -649,7 +664,7 @@ Adding a new device to your cloud-based tenant is easy. For new devices, you can
5. After the user's credentails are validated, the window will refresh and will now include an entry that shows the device is now connected to the organization's MDM. This means the device is now enrolled in Intune for Education MDM and the account should have access to the organization's resources.
**Figure 42** - Device is connected to organization's MDM
**Figure 43** - Device is connected to organization's MDM
![Device is connected to organization's MDM](images/win10_connectedtoorgmdm.png)

Binary file not shown.

After

Width:  |  Height:  |  Size: 25 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 32 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 97 KiB


@ -1,8 +1,9 @@
---
layout: HubPage
hide_bc: true
title: Microsoft Education Documentation | Microsoft Docs
description: TK from Celeste Guzman
title: Microsoft Education documentation and resources | Microsoft Docs
description: Learn about product documentation and resources available for school IT administrators, teachers, students, and education app developers.
author: CelesteDG
---
<div id="main" class="v2">
<div class="container">
@ -14,7 +15,7 @@ description: TK from Celeste Guzman
<div class="card">
<div class="cardImageOuter">
<div class="cardImage">
<img data-hoverimage="/media/common/i_advanced.svg" src="/media/common/i_advanced.svg" alt="" />
<img data-hoverimage="/media/common/i_advanced.svg" src="/media/common/i_advanced.svg" alt="Learn more about Microsoft Education products." />
</div>
</div>
<div class="cardText">
@ -32,7 +33,7 @@ description: TK from Celeste Guzman
<div class="card">
<div class="cardImageOuter">
<div class="cardImage">
<img data-hoverimage="/media/common/i_get-started.svg" src="/media/common/i_get-started.svg" alt="" />
<img data-hoverimage="/media/common/i_get-started.svg" src="/media/common/i_get-started.svg" alt="For IT Pros: Get started with Microsoft Education" />
</div>
</div>
<div class="cardText">
@ -61,7 +62,7 @@ description: TK from Celeste Guzman
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-pro-get-started.svg" alt="" />
<img src="/media/hubs/education/education-pro-get-started.svg" alt="For IT Pros: Get started with Microsoft Education" />
</div>
</div>
<div class="cardText">
@ -80,7 +81,7 @@ description: TK from Celeste Guzman
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-pro-office365.svg" alt="" />
<img src="/media/hubs/education/education-pro-office365.svg" alt="Office 365 for Education" />
</div>
</div>
<div class="cardText">
@ -99,7 +100,7 @@ description: TK from Celeste Guzman
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-pro-intune.svg" alt="" />
<img src="/media/hubs/education/education-pro-intune.svg" alt="Microsoft Intune for Education" />
</div>
</div>
<div class="cardText">
@ -118,7 +119,7 @@ description: TK from Celeste Guzman
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-pro-windows10.svg" alt="" />
<img src="/media/hubs/education/education-pro-windows10.svg" alt="Windows 10 for Education" />
</div>
</div>
<div class="cardText">
@ -137,7 +138,7 @@ description: TK from Celeste Guzman
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-pro-school-data.svg" alt="" />
<img src="/media/hubs/education/education-pro-school-data.svg" alt="School Data Sync" />
</div>
</div>
<div class="cardText">
@ -156,7 +157,7 @@ description: TK from Celeste Guzman
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-pro-azure-directory.svg" alt="" />
<img src="/media/hubs/education/education-pro-azure-directory.svg" alt="Azure Active Directory" />
</div>
</div>
<div class="cardText">
@ -175,7 +176,7 @@ description: TK from Celeste Guzman
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-pro-store.svg" alt="" />
<img src="/media/hubs/education/education-pro-store.svg" alt="Microsoft Store for Education" />
</div>
</div>
<div class="cardText">
@ -194,7 +195,7 @@ description: TK from Celeste Guzman
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-pro-minecraft.svg" alt="" />
<img src="/media/hubs/education/education-pro-minecraft.svg" alt="Minecraft: Educaton Edition" />
</div>
</div>
<div class="cardText">
@ -223,7 +224,7 @@ description: TK from Celeste Guzman
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-teachers-help.svg" alt="" />
<img src="/media/hubs/education/education-teachers-help.svg" alt="Get started for educators" />
</div>
</div>
<div class="cardText">
@ -242,7 +243,7 @@ description: TK from Celeste Guzman
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-teachers-office-help.svg" alt="" />
<img src="/media/hubs/education/education-teachers-office-help.svg" alt="Office help and training" />
</div>
</div>
<div class="cardText">
@ -261,7 +262,7 @@ description: TK from Celeste Guzman
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-teachers-windows-help.svg" alt="" />
<img src="/media/hubs/education/education-teachers-windows-help.svg" alt="Windows help" />
</div>
</div>
<div class="cardText">
@ -280,7 +281,7 @@ description: TK from Celeste Guzman
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-pro-store.svg" alt="" />
<img src="/media/hubs/education/education-pro-store.svg" alt="Microsoft Store for Education" />
</div>
</div>
<div class="cardText">
@ -299,7 +300,7 @@ description: TK from Celeste Guzman
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-pro-minecraft.svg" alt="" />
<img src="/media/hubs/education/education-pro-minecraft.svg" alt="Minecraft: Education Edition" />
</div>
</div>
<div class="cardText">
@ -318,7 +319,7 @@ description: TK from Celeste Guzman
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-teachers-educator-community.svg" alt="" />
<img src="/media/hubs/education/education-teachers-educator-community.svg" alt="Microsoft Educator Community" />
</div>
</div>
<div class="cardText">
@ -347,7 +348,7 @@ description: TK from Celeste Guzman
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-students-help.svg" alt="" />
<img src="/media/hubs/education/education-students-help.svg" alt="Get started for students" />
</div>
</div>
<div class="cardText">
@ -366,7 +367,7 @@ description: TK from Celeste Guzman
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-students-office-help.svg" alt="" />
<img src="/media/hubs/education/education-students-office-help.svg" alt="Office help and training" />
</div>
</div>
<div class="cardText">
@ -385,7 +386,7 @@ description: TK from Celeste Guzman
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-students-windows-help.svg" alt="" />
<img src="/media/hubs/education/education-students-windows-help.svg" alt="Windows help" />
</div>
</div>
<div class="cardText">
@ -404,7 +405,7 @@ description: TK from Celeste Guzman
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-students-imagine.svg" alt="" />
<img src="/media/hubs/education/education-students-imagine.svg" alt="Microsoft Imagine" />
</div>
</div>
<div class="cardText">
@ -433,12 +434,12 @@ description: TK from Celeste Guzman
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-developers-uwp-apps.svg" alt="" />
<img src="/media/hubs/education/education-developers-uwp-apps.svg" alt="UWP apps for education" />
</div>
</div>
<div class="cardText">
<h3>UWP apps for education</h3>
<p>Learn how to write Universal Windows apps for education</p>
<p>Learn how to write Universal Windows apps for education.</p>
</div>
</div>
</div>
@ -452,7 +453,7 @@ description: TK from Celeste Guzman
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-developers-api-test.svg" alt="" />
<img src="/media/hubs/education/education-developers-api-test.svg" alt="Take a Test API" />
</div>
</div>
<div class="cardText">
@ -471,7 +472,7 @@ description: TK from Celeste Guzman
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-developers-office-education.svg" alt="" />
<img src="/media/hubs/education/education-developers-office-education.svg" alt="Office Education Dev Center" />
</div>
</div>
<div class="cardText">
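Review bot: The new alt text on the first Minecraft card is misspelled: `alt="Minecraft: Educaton Edition"` should be `alt="Minecraft: Education Edition"`, as the later card using the same `education-pro-minecraft.svg` image already has it. A screen reader will read the typo aloud. Where the card text is visible in these hunks (the UWP card), the new alt repeats the `<h3>` heading word for word, so assistive technology would announce the title twice. If these icons are purely decorative, keeping `alt=""` on the image may be the more accessible choice. The card markup continues outside each hunk, so the other headings could not be checked from here.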

Binary file not shown.

After

Width:  |  Height:  |  Size: 174 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 64 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 54 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 64 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 49 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 54 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 55 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 44 KiB


@ -17,7 +17,7 @@ author: CelesteDG
IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up PCs for students. A student PC set up using the app is tailored to provide students with the tools they need for learning while removing apps and features that they don't need.
![Set up School PCs app](images/suspc_getstarted_resized.png)
![Set up School PCs app](images/suspc_getstarted_050817.png)
## What does this app do?
@ -61,7 +61,7 @@ A student PC that's set up using the Set up School PCs provisioning package is t
* **Network tips**
* You cannot use Set up School PCs over a certification-based network, or one where you have to enter credentials in a browser. You can only connect to an open network, or one with a basic password.
* If you need to set up a lot of devices over Wi-Fi, make sure that your network configuration can support it.
- We recommend configuring your DHCP so you have a good set of IP addresses available (about 100-200). These IP addresses will expire after a short amount of time (about 30 minutes). This allows you set up many devices simultaneously, and the IP addresses will be freed up quick so you can continue to set up devices without risk of crashing your network.
- We recommend configuring your DHCP so at least 200 IP addresses are available for the devices you are setting up. Configure your IP addresses to expire after a short time (about 30 minutes). This ensures that you can set up many devices simultaneously, and IP addresses will free up quickly so you can continue to set up devices without hitting network issues.
* **Apply to new student PCs**
* The provisioning package that the Set up School PCs app creates should be used on new PCs that haven't been set up for accounts yet. If you apply the provisioning package to a student PC that has already been set up, existing accounts and data might be lost.
@ -112,7 +112,7 @@ The **Set up School PCs** app guides you through the configuration choices for t
**Figure 1** - Launch the Set up School PCs app
![Launch the Set up School PCs app](images/suspc_getstarted_resized.png)
![Launch the Set up School PCs app](images/suspc_getstarted_050817.png)
2. Click **Get started**.
3. To sign in to your school's Office 365 account, in the **First step: Let's get you signed in** page:
@ -170,7 +170,7 @@ The **Set up School PCs** app guides you through the configuration choices for t
**Figure 3** - Configure student PC settings
![Configure student PC settings](images/suspc_choosesettings_settings_updated.png)
![Configure student PC settings](images/suspc_createpackage_settingspage.png)
When you're doing configuring the student PC settings, click **Next**.
@ -182,7 +182,7 @@ The **Set up School PCs** app guides you through the configuration choices for t
**Figure 4** - Configure the Take a Test app
![Configure the Take a Test app](images/suspc_choosesettings_setuptakeatest.png)
![Configure the Take a Test app](images/suspc_createpackage_takeatestpage.png)
3. Click **Next** or **Skip** depending on whether you want to set up Take a Test.
@ -202,7 +202,7 @@ The **Set up School PCs** app guides you through the configuration choices for t
**Figure 5** - Review your settings and change them as needed
![Review your settings and change them as needed](images/suspc_choosesettings_summary.png)
![Review your settings and change them as needed](images/suspc_createpackage_summary.png)
2. Click **Accept**.
@ -213,19 +213,19 @@ The **Set up School PCs** app guides you through the configuration choices for t
**Figure 6** - Select the USB drive and save the provisioning package
![Select the USB drive and save the provisioning package](images/suspc_savepackage_insertusb.png)
![Select the USB drive and save the provisioning package](images/suspc_savepackage_insertusb_050817.png)
10. When the provisioning package is ready, you will see the name of the file and you can remove the USB drive. Click **Next** if you're done, or click **Add a USB** to save the same provisioning package to another USB drive.
**Figure 7** - Provisioning package is ready
![Provisioning package is ready](images/suspc_ppkg_isready.png)
![Provisioning package is ready](images/suspc_ppkgisready_050817.png)
12. Follow the instructions in the **Get the student PCs ready** page to start setting up the student PCs.
**Figure 8** - Line up the student PCs and get them ready for setup
![Line up the student PCs and get them ready for setup](images/suspc_getpcsready_getpcsready.png)
![Line up the student PCs and get them ready for setup](images/suspc_runpackage_getpcsready.png)
13. Click **Next**.
14. In the **Install the package** page, follow the instructions in [Apply the provisioning package to the student PCs](#apply-the-provisioning-package-to-the-student-pcs) to set up the student PCs.
@ -234,7 +234,7 @@ The **Set up School PCs** app guides you through the configuration choices for t
**Figure 9** - Install the provisioning package on the student PCs
![Install the provisioning package on the student PCs](images/suspc_getpcsready_installpackage.png)
![Install the provisioning package on the student PCs](images/suspc_runpackage_installpackage.png)
### Apply the provisioning package to the student PCs


@ -1,6 +1,6 @@
---
title: Windows 10 editions for education customers
description: Provides an overview of the two editions in Windows 10, version 1607 that's designed for the needs of K-12 institutions.
description: Provides an overview of the two Windows 10 editions that are designed for the needs of K-12 institutions.
keywords: Windows 10 Pro Education, Windows 10 Education, Windows 10 editions, education customers
ms.prod: w10
ms.mktglfcycl: plan
@ -16,39 +16,45 @@ author: CelesteDG
- Windows 10
Windows 10 Anniversary Update (Windows 10, version 1607) continues our commitment to productivity, security, and privacy for all customers. Windows 10 Pro and Windows 10 Enterprise offer the functionality and safety features demanded by business and education customers around the globe. Windows 10 is the most secure Windows weve ever built. All of our Windows commercial editions can be configured to support the needs of schools, through group policies, domain join, and more. To learn more about Microsofts commitment to security and privacy in Windows 10, see more on both [security](https://go.microsoft.com/fwlink/?LinkId=822619) and [privacy](https://go.microsoft.com/fwlink/?LinkId=822620).
Windows 10, version 1607 (Anniversary Update) continues our commitment to productivity, security, and privacy for all customers. Windows 10 Pro and Windows 10 Enterprise offer the functionality and safety features demanded by business and education customers around the globe. Windows 10 is the most secure Windows weve ever built. All of our Windows commercial editions can be configured to support the needs of schools, through group policies, domain join, and more. To learn more about Microsofts commitment to security and privacy in Windows 10, see more on both [security](https://go.microsoft.com/fwlink/?LinkId=822619) and [privacy](https://go.microsoft.com/fwlink/?LinkId=822620).
Windows 10, version 1607 offers a variety of new features and functionality, such as simplified provisioning with the [Set up School PCs app](https://go.microsoft.com/fwlink/?LinkID=821951) or [Windows Configuration Designer](https://go.microsoft.com/fwlink/?LinkId=822623), easier delivery of digital assessments with [Take a Test](https://go.microsoft.com/fwlink/?LinkID=821956), and faster log in performance for shared devices than ever before. These features work with all Windows for desktop editions, excluding Windows 10 Home. You can find more information about Windows 10, version 1607 on [windows.com](http://www.windows.com/).
Beginning with version 1607, Windows 10 offers a variety of new features and functionality, such as simplified provisioning with the [Set up School PCs app](https://go.microsoft.com/fwlink/?LinkID=821951) or [Windows Configuration Designer](https://go.microsoft.com/fwlink/?LinkId=822623), easier delivery of digital assessments with [Take a Test](https://go.microsoft.com/fwlink/?LinkID=821956), and faster log in performance for shared devices than ever before. These features work with all Windows for desktop editions, excluding Windows 10 Home. You can find more information on [windows.com](http://www.windows.com/).
Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: [Windows 10 Pro Education](#windows-10-pro-education) and [Windows 10 Education](#windows-10-education). These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments.
## Windows 10 Pro Education
Windows 10 Pro Education builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools. Windows 10 Pro Education is effectively a variant of Windows 10 Pro that provides education-specific default settings, including the removal of Cortana<sup>1</sup>. These default settings disable tips, tricks and suggestions & Windows Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Windows Store tips, tricks and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627).
Windows 10 Pro Education builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools. Windows 10 Pro Education is effectively a variant of Windows 10 Pro that provides education-specific default settings. These default settings disable tips, tricks and suggestions & Windows Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627).
> [!NOTE]
> If using Windows 10 Pro Education or Windows 10 Education, upgrading from Windows 10, version 1607 (Anniversary Update) to Windows 10, version 1703 (Creators Update) will enable Cortana. You can use the **AllowCortana** policy to turn it off. For more information, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md).
For Cortana<sup>1</sup>,
- If you're using version 1607, Cortana is removed.
- If you're using new devices with version 1703, Cortana is turned on by default.
- If you're upgrading from version 1607 to version 1703, Cortana will be enabled.
You can use the **AllowCortana** policy to turn Cortana off. For more information, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md).
Windows 10 Pro Education is available on new devices pre-installed with Windows 10, version 1607 or newer versions that are purchased with discounted K-12 academic licenses through OEM partners (these discounted licenses are sometimes referred to as National Academic or Shape the Future).
Existing devices running Windows 10 Pro, currently activated with the original OEM digital product key and purchased with discounted K-12 academic licenses through OEM partners (these discounted licenses are sometimes referred to as National Academic or Shape the Future), will upgrade automatically to Windows 10 Pro Education as part of the Windows 10, version 1607 installation.
Customers with Academic Volume Licensing agreements with rights for Windows can get Windows 10 Pro Education through the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx), available at a later date.
Customers with Academic Volume Licensing agreements with rights for Windows can get Windows 10 Pro Education through the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
Customers that deploy Windows 10 Pro are able to configure the product to have similar feature settings to Windows 10 Pro Education using policies. More detailed information on these policies and the configuration steps required is available in [Manage Windows 10 and Windows Store tips, tricks and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627). We recommend that K-12 customers using commercial Windows 10 Pro read the [document](https://go.microsoft.com/fwlink/?LinkId=822627) and apply desired settings for your environment.
Customers who deploy Windows 10 Pro are able to configure the product to have similar feature settings to Windows 10 Pro Education using policies. More detailed information on these policies and the configuration steps required is available in Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627). We recommend that K-12 customers using commercial Windows 10 Pro read the [document](https://go.microsoft.com/fwlink/?LinkId=822627) and apply desired settings for your environment.
## Windows 10 Education
Windows 10 Education builds on Windows 10 Enterprise and provides the enterprise-grade manageability and security desired by many schools. Windows 10 Education is effectively a variant of Windows 10 Enterprise that provides education-specific default settings, including the removal of Cortana<sup>1</sup>. These default settings disable tips, tricks and suggestions & Windows Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Windows Store tips, tricks and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627).
Windows 10 Education builds on Windows 10 Enterprise and provides the enterprise-grade manageability and security desired by many schools. Windows 10 Education is effectively a variant of Windows 10 Enterprise that provides education-specific default settings. These default settings disable tips, tricks and suggestions & Windows Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627).
> [!NOTE]
> If using Windows 10 Pro Education or Windows 10 Education, upgrading from Windows 10, version 1607 (Anniversary Update) to Windows 10, version 1703 (Creators Update) will enable Cortana. You can use the **AllowCortana** policy to turn it off. For more information, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md).
For Cortana<sup>1</sup>,
- If you're using version 1607, Cortana<sup>1</sup> is removed.
- If you're using new devices with version 1703, Cortana is turned on by default.
- If you're upgrading from version 1607 to version 1703, Cortana will be enabled.
You can use the **AllowCortana** policy to turn Cortana off. For more information, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md).
Windows 10 Education is available through Microsoft Volume Licensing. Customers who are already running Windows 10 Education can upgrade to Windows 10, version 1607 or newer versions through Windows Update or from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). We recommend Windows 10 Education to all K-12 customers as it provides the most complete and secure edition for education environments. If you do not have access to Windows 10 Education, contact your Microsoft representative or see more information [here](https://go.microsoft.com/fwlink/?LinkId=822628).
Customers that deploy Windows 10 Enterprise are able to configure the product to have similar feature settings to Windows 10 Education using policies. More detailed information on these policies and the configuration steps required is available in [Manage Windows 10 and Windows Store tips, tricks and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627). We recommend that K-12 customers using commercial Windows 10 Enterprise read the [document](https://go.microsoft.com/fwlink/?LinkId=822627) and apply desired settings for your environment.
Customers who deploy Windows 10 Enterprise are able to configure the product to have similar feature settings to Windows 10 Education using policies. More detailed information on these policies and the configuration steps required is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627). We recommend that K-12 customers using commercial Windows 10 Enterprise read the [document](https://go.microsoft.com/fwlink/?LinkId=822627) and apply desired settings for your environment.
For any other questions, contact [Microsoft Customer Service and Support](https://support.microsoft.com/en-us).
@ -62,4 +68,4 @@ For any other questions, contact [Microsoft Customer Service and Support](https:
<sup>1</sup> <small>Cortana available in select markets; experience may vary by region and device. Cortana is disabled in the Windows 10 Pro Education and Windows 10 Education editions.</small>
<sup>1</sup> <small>Cortana available in select markets; experience may vary by region and device.</small>
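Review bot: The rewritten "Customers who deploy Windows 10 Pro" paragraph drops the opening bracket of its link, so `Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627)` will render as literal text. It should start with `[Manage Windows 10 and Microsoft Store ...`, as the matching Windows 10 Enterprise paragraph does. The two new Cortana lists are also inconsistent: the Windows 10 Education list repeats the footnote marker in its first bullet (`Cortana<sup>1</sup> is removed`), while the Pro Education list carries it only on the lead-in line. The sentences "These default settings disable tips, tricks and suggestions & Windows Store suggestions" still say Windows Store although the link titles next to them were changed to Microsoft Store.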


@ -59,7 +59,7 @@ This diagram shows how you can use a management tool to distribute an online-lic
## Related topics
[Configure MDM Provider](configure-mdm-provider-windows-store-for-business.md)
[Manage apps you purchased from the Microsoft Store for Business and Education with Microsoft InTune](https://technet.microsoft.com/library/mt676514.aspx)
[Manage apps you purchased from the Microsoft Store for Business and Education with Microsoft Intune](https://technet.microsoft.com/library/mt676514.aspx)
 


@ -143,8 +143,8 @@ For client machines that are running Windows 10 1703, LSAIso is running whenever
- **Event ID 15** Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Credential Guard.
- **Event ID 16** Credential Guard (LsaIso.exe) failed to launch: \[error code\]
- **Event ID 17** Error reading Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]
You can also verify that TPM is being used for key protection by checking the following event in the **Microsoft** -&gt; **Windows** -&gt; **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0.
- **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.
You can also verify that TPM is being used for key protection by checking Event ID 51 in the **Microsoft** -&gt; **Windows** -&gt; **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0.
- **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.
## Disable Credential Guard
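Review bot: The sample Event ID 51 text kept under the reworded sentence ends with `TPM PCR mask: 0x0`, which by that sentence is the value seen when a TPM is not protecting the key. An administrator comparing their own log against the sample could take a 0x0 mask as the expected healthy result. Either show a sample with a non-zero mask or add a line after it, for example `In this sample the mask is 0x0, which means the key is not bound to a TPM; on a device with a TPM expect a non-zero value.` The surrounding list of event IDs starts outside this hunk.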


@ -49,7 +49,7 @@ The Windows Hello for Business PIN is subject to the same set of IT management p
## What if someone steals the laptop or phone?
To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the users biometrics or guess his or her PIN—and all of this must be done before [TPM anti-hammering](/windows/device-security/tpm/tpm-fundamentals#anti-hammering) protection locks the device.
You can provide additional protection for laptops that don't have TPM by enablng BitLocker and setting a policy to limit failed sign-ins.
You can provide additional protection for laptops that don't have TPM by enabling BitLocker and setting a policy to limit failed sign-ins.
**Configure BitLocker without TPM**
1. Use the Local Group Policy Editor (gpedit.msc) to enable the following policy:


@ -19,6 +19,7 @@
### [Settings and quick actions that can be locked down in Windows 10 Mobile](mobile-devices/settings-that-can-be-locked-down.md)
### [Product IDs in Windows 10 Mobile](mobile-devices/product-ids-in-windows-10-mobile.md)
### [Start layout XML for mobile editions of Windows 10 (reference)](mobile-devices/start-layout-xml-mobile.md)
## [Configure cellular settings for tablets and PCs](provisioning-apn.md)
## [Configure Start, taskbar, and lock screen](start-taskbar-lockscreen.md)
### [Configure Windows Spotlight on the lock screen](windows-spotlight.md)
### [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](manage-tips-and-suggestions.md)


@ -18,7 +18,8 @@ This topic lists new and updated topics in the [Configure Windows 10](index.md)
| New or changed topic | Description |
| --- | --- |
| [ Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added MDM policies for privacy settings. |
| [Configure cellular settings for tablets and PCs](provisioning-apn.md) | New |
| [ Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added MDM policies for privacy settings |
## April 2017

Binary file not shown.

After

Width:  |  Height:  |  Size: 28 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 16 KiB


@ -25,6 +25,7 @@ Enterprises often need to apply custom configurations to devices for their users
| [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense. The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10. |
| [Configure kiosk and shared devices running Windows 10 desktop editions](kiosk-shared-pc.md) | These topics help you configure Windows 10 devices to be shared by multiple users or to run as a kiosk device that runs a single app. |
| [Configure Windows 10 Mobile devices](mobile-devices/configure-mobile.md) | These topics help you configure the features and apps and Start screen for a device running Windows 10 Mobile, as well as how to configure a kiosk device that runs a single app. |
| [Configure cellular settings for tablets and PCs](provisioning-apn.md) | Enterprises can provision cellular settings for tablets and PC with built-in cellular modems or plug-in USB modem dongles. |
| [Configure Start, taskbar, and lock screen](start-taskbar-lockscreen.md) | A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default. |
| [Cortana integration in your business or enterprise](cortana-at-work/cortana-at-work-overview.md) | The worlds first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments. |
| [Configure access to Microsoft Store](stop-employees-from-using-the-windows-store.md) | IT Pros can configure access to Microsoft Store for client computers in their organization. For some organizations, business policies require blocking access to Microsoft Store. |


@ -287,7 +287,7 @@ You can prevent Windows from setting the time automatically.
-or-
- Disable the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **System** &gt; **Enable Windows NTP Server** &gt; **Windows Time Service** &gt; **Enable Windows NTP Client**
- Disable the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **System** &gt; **Enable Windows NTP Server** &gt; **Windows Time Service** &gt; **Configure Windows NTP Client**
-or -
@ -511,6 +511,7 @@ Find the Microsoft Edge Group Policy objects under **Computer Configuration** &g
| Configure Windows Defender SmartScreen Filter (Windows 10, version 1703) <br/> Configure SmartScreen Filter (Windows Server 2016) | Choose whether Windows Defender SmartScreen is turned on or off. <br /> Default: Enabled |
| Allow web content on New Tab page | Choose whether a new tab page appears. <br /> Default: Enabled |
| Configure Start pages | Choose the Start page for domain-joined devices. <br /> Set this to **about:blank** |
| Prevent the First Run webpage from opening pages | Choose whether employees see the First Run webpage. <br /> Default: Enabled |
The Windows 10, version 1511 Microsoft Edge Group Policy names are:
@ -1824,7 +1825,7 @@ You can turn off Windows Update by setting the following registry entries:
-and-
- Apply the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **System** &gt; **Intenet Communication Management** &gt; **Internet Communication Settings** &gt; **Turn off access to all Windows Update features**.
- Apply the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **System** &gt; **Internet Communication Management** &gt; **Internet Communication Settings** &gt; **Turn off access to all Windows Update features**.
-and-


@ -0,0 +1,79 @@
---
title: Configure cellular settings for tablets and PCs (Windows 10)
description: Enterprises can provision cellular settings for tablets and PC with built-in cellular modems or plug-in USB modem dongles.
ms.assetid: 287706E5-063F-4AB5-902C-A0DF6D0730BC
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
localizationpriority: high
---
# Configure cellular settings for tablets and PCs
**Applies to**
- Windows 10
>**Looking for consumer information?** See [Cellular settings in Windows 10](https://support.microsoft.com/help/10739/windows-10-cellular-settings)
Enterprises can configure cellular settings for tablets and PC that have built-in cellular modems or plug-in USB modem dongles and apply the settings in a [provisioning package](provisioning-packages/provisioning-packages.md). After the devices are configured, users are automatically connected using the access point name (APN) defined by the enterprise without needing to manually connect.
For users who work in different locations, you can configure one APN to connect when the users are at work and a different APN when the users are traveling.
## Prerequisites
- Windows 10, version 1703, desktop editions (Home, Pro, Enterprise, Education)
- Tablet or PC with built-in cellular modem or plug-in USB modem dongle
- [Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md)
- APN (the address that your PC uses to connect to the Internet when using the cellular data connection)
>[!NOTE]
>You can get the APN from your mobile operator.
## How to configure cellular settings in a provisioning package
1. In Windows Configuration Designer, [start a new project](provisioning-packages/provisioning-create-package.md) using the **Advanced provisioning** option.
2. Enter a name for your project, and then click **Next**.
3. Select **All Windows desktop editions**, click **Next**, and then click **Finish**.
4. Go to **Runtime settings > Connections > EnterpriseAPN**.
5. Enter a name for the connection, and then click **Add**.
![Example of APN connection name](images/apn-add.png)
6. The connection appears in the **Available customizations** pane. Select it to view the settings that you can configure for the connection.
![settings for new connection](images/apn-add-details.png)
7. The following table describes the settings available for the connection.
| Setting | Description |
| --- | --- |
| AlwaysOn | By default, the Connection Manager will automatically attempt to connect to the APN when a connection is available. You can disable this setting. |
| APNName | Enter the name of the APN. |
| AuthType | You can select **None** (the default), or specify **Auto**, **PAP**, **CHAP**, or **MSCHAPv2** authentication. If you select PAP, CHAP, or MSCHAPv2 authentication, you must also enter a user name and password. |
| ClassId | This is a GUID that defines the APN class to the modem. This is only required when **IsAttachAPN** is **true** and the attach APN is not only used as the Internet APN. |
| Enabled | By default, the connection is enabled. You can change this setting. |
| IccId | This is the Integrated Circuit Card ID (ICCID) associated with the cellular connection profile. |
| IPType | By default, the connection can use IPv4 and IPv6 concurrently. You can change this setting to only IPv4, only IPv6, or IPv6 with IPv4 provided by 46xlat. |
| IsAttachAPN | Specify whether this APN should be requested as part of an LTE Attach. |
| Password | If you select PAP, CHAP, or MSCHAPv2 authentication, enter a password that corresponds to the user name. |
| Roaming | Select the behavior that you want when the device is roaming. The options are:</br></br>-Disallowed</br>-Allowed (default)</br>-DomesticRoaming</br>-Use OnlyForDomesticRoaming</br>-UseOnlyForNonDomesticRoaming</br>-UseOnlyForRoaming |
| UserName | If you select PAP, CHAP, or MSCHAPv2 authentication, enter a user name. |
8. After you configure the connection settings, [build the provisioning package](provisioning-packages/provisioning-create-package.md#build-package).
9. [Apply the package to devices.](provisioning-packages/provisioning-apply-package.md)

Binary file not shown.

After

Width:  |  Height:  |  Size: 28 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 16 KiB


@ -36,7 +36,7 @@ Windows Update for Business is a free service that is available for Windows Pro,
Windows Update for Business provides three types of updates to Windows 10 devices:
- **Feature Updates**: previously referred to as *upgrades*, Feature Updates contain not only security and quality revisions, but also significant feature additions and changes; they are released semi-anually.
- **Feature Updates**: previously referred to as *upgrades*, Feature Updates contain not only security and quality revisions, but also significant feature additions and changes; they are released semi-annually.
- **Quality Updates**: these are traditional operating system updates, typically released the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as Quality Updates. These non-Windows Updates are known as *Microsoft Updates* and devices can be optionally configured to receive such updates along with their Windows Updates.
- **Non-deferrable updates**: Currently, antimalware and antispyware Definition Updates from Windows Update cannot be deferred.


@ -825,6 +825,41 @@ Download and run the media creation tool. See [Download windows 10](https://www.
</td>
</tr>
<tr>
<td>0x80240FFF </td>
<td>Occurs when update synchronization fails. It can occur when you are using Windows Server Update Services on its own or when it is integrated with System Center Configuration Manager. If you enable update synchronization before you install <a href="https://support.microsoft.com/help/3095113/en-us">hotfix 3095113</a>, WSUS doesn't recognize the Upgrades classification and instead treats the upgrade like a regular update.</td>
<td> You can prevent this by installing <a href="http://blogs.technet.com/b/wsus/archive/2015/12/04/important-update-for-wsus-4-0-kb-3095113.aspx">hotfix 3095113</a> before you enable update synchronization. However, if you have already run into this problem, do the following:
<ol>
<li>Disable the Upgrades classification.</li>
<li>Install hotfix 3095113.</li>
<li>Delete previously synched updates.</li>
<li>Enable the Upgrades classification.</li>
<li>Perform a full synch.</li>
</ol>
<p>For detailed information on how to run these steps check out <a href="http://blogs.technet.com/b/wsus/archive/2016/01/30/quot-help-i-synched-upgrades-too-soon-quot.aspx">How to delete upgrades in WSUS</a>.</p>
</td>
</tr>
<tr>
<td>0x8007007E</td>
<td>Occurs when update synchronization fails because you do not have <a href="https://support.microsoft.com/help/3095113/en-us">hotfix 3095113</a> installed before you enable update synchronization. Specifically, the CopyToCache operation fails on clients that have already downlaoded the upgrade because Windows Server Update Services has bad metadata related to the upgrade. It can occur when you are using standalone Windows Server Update Services or when WSUS is integrated with System Center Configuration Manager.</td>
<td> Use the following steps to repair Windows Server Update Services. You must run these steps on each WSUS server that synched metadate before you installed the hotfix.
<ol>
<li>Stop the Windows Update service. Sign in as a user with administrative privileges, and then do the following:
<ol>
<li>Open <b>Administrative Tools</b> from the Control Panel.</li>
<li>Double-click <b>Services</b>.</li>
<li>Find the <b>Windows Update</b> service, right-click it, and then click <b>Stop</b>. If prompted, enter your credentials.</li>
</ol>
</li>
<li>Delete all files and folders under c:\Windows\SoftwareDistribution\DataStore.</li>
<li>Restart the Windows Update service.</li>
</ol>
</td>
</tr>
</table>
### Other error codes


@ -4,8 +4,7 @@ description: Deploy Windows 10 in a test lab using System Center Configuration M
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
keywords: deployment, automate, tools, configure, sccm, configuration manager
ms.pagetype: deploykeywords: deployment, automate, tools, configure, sccm, configuration manager
localizationpriority: high
author: greg-lindsay
---
@ -15,7 +14,6 @@ author: greg-lindsay
**Applies to**
- Windows 10
**Important**: This guide leverages the proof of concept (PoC) environment, and some settings that are configured in the following guides:
- [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md)
- [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
@ -26,7 +24,6 @@ The PoC environment is a virtual network running on Hyper-V with three virtual m
- **DC1**: A contoso.com domain controller, DNS server, and DHCP server.
- **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network.
- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been cloned from a physical computer on your corporate network for testing purposes.
This guide leverages the Hyper-V server role to perform procedures. If you do not complete all steps in a single session, consider using [checkpoints](https://technet.microsoft.com/library/dn818483.aspx) and [saved states](https://technet.microsoft.com/library/ee247418.aspx) to pause, resume, or restart your work.
>Multiple features and services are installed on SRV1 in this guide. This is not a typical installation, and is only done to set up a lab environment with a bare minimum of resources. However, if less than 4 GB of RAM is allocated to SRV1 in the Hyper-V console, some procedures will be extremely slow to complete. If resources are limited on the Hyper-V host, consider reducing RAM allocation on DC1 and PC1, and then increasing the RAM allocation on SRV1. You can adjust RAM allocation for a VM by right-clicking the VM in the Hyper-V Manager console, clicking **Settings**, clicking **Memory**, and modifying the value next to **Maximum RAM**.
@ -38,7 +35,6 @@ This guide provides end-to-end instructions to install and configure System Cent
Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed.
<div style='font-size:9.0pt'>
<TABLE border=1 cellspacing=0 cellpadding=0>
<TR><TD BGCOLOR="#a0e4fa"><B>Topic</B><TD BGCOLOR="#a0e4fa"><B>Description</B><TD BGCOLOR="#a0e4fa"><B>Time</B>
@ -48,8 +44,7 @@ Topics and procedures in this guide are summarized in the following table. An es
<TR><TD>[Prepare for Zero Touch installation](#prepare-for-zero-touch-installation)<TD>Prerequisite procedures to support Zero Touch installation.<TD>60 minutes
<TR><TD>[Create a boot image for Configuration Manager](#create-a-boot-image-for-configuration-manager)<TD>Use the MDT wizard to create the boot image in Configuration Manager.<TD>20 minutes
<TR><TD>[Create a Windows 10 reference image](#create-a-windows-10-reference-image)<TD>This procedure can be skipped if it was done previously, otherwise instructions are provided to create a reference image.<TD>0-60 minutes
<TR><TD>[Add a Windows 10 operating system image](#add-a-windows-10-operating-system-image)<TD>Add a Windows 10 operating system image and distribute it.<TD>10 minutes
<TR><TD>[Create a task sequence](#create-a-task-sequence)<TD>Create a Configuration Manager task sequence with MDT integration using the MDT wizard<TD>15 minutes
<TR><TD>[Add a Windows 10 operating system image](#add-a-windows-10-operating-system-image)<TD>Add a Windows 10 operating system image and distribute it.<TD>10 minutes<TR><TD>[Create a task sequence](#create-a-task-sequence)<TD>Create a Configuration Manager task sequence with MDT integration using the MDT wizard<TD>15 minutes
<TR><TD>[Finalize the operating system configuration](#finalize-the-operating-system-configuration)<TD>Enable monitoring, configure rules, and distribute content.<TD>30 minutes
<TR><TD>[Deploy Windows 10 using PXE and Configuration Manager](#deploy-windows-10-using-pxe-and-configuration-manager)<TD>Deploy Windows 10 using Configuration Manager deployment packages and task sequences.<TD>60 minutes
<TR><TD>[Replace a client with Windows 10 using Configuration Manager](#replace-a-client-with-windows-10-using-configuration-manager)<TD>Replace a client computer with Windows 10 using Configuration Manager.<TD>90 minutes
@ -60,7 +55,6 @@ Topics and procedures in this guide are summarized in the following table. An es
</div>
## Install prerequisites
1. Before installing System Center Configuration Manager, we must install prerequisite services and features. Type the following command at an elevated Windows PowerShell prompt on SRV1:
```
@ -78,7 +72,7 @@ Topics and procedures in this guide are summarized in the following table. An es
This command mounts the .ISO file to drive D on SRV1.
4. Type the following command at an elevated Windows PowerShell prompt on SRV1 to install SQL Server 2012 SP2:
4. Type the following command at an elevated Windows PowerShell prompt on SRV1 to install SQL Server:
```
D:\setup.exe /q /ACTION=Install /ERRORREPORTING="False" /FEATURES=SQLENGINE,RS,IS,SSMS,TOOLS,ADV_SSMS,CONN /INSTANCENAME=MSSQLSERVER /INSTANCEDIR="C:\Program Files\Microsoft SQL Server" /SQLSVCACCOUNT="NT AUTHORITY\System" /SQLSYSADMINACCOUNTS="BUILTIN\ADMINISTRATORS" /SQLSVCSTARTUPTYPE=Automatic /AGTSVCACCOUNT="NT AUTHORITY\SYSTEM" /AGTSVCSTARTUPTYPE=Automatic /RSSVCACCOUNT="NT AUTHORITY\System" /RSSVCSTARTUPTYPE=Automatic /ISSVCACCOUNT="NT AUTHORITY\System" /ISSVCSTARTUPTYPE=Disabled /ASCOLLATION="Latin1_General_CI_AS" /SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS" /TCPENABLED="1" /NPENABLED="1" /IAcceptSQLServerLicenseTerms


@ -561,6 +561,7 @@
##### [Network access: Remotely accessible registry paths](security-policy-settings/network-access-remotely-accessible-registry-paths.md)
##### [Network access: Remotely accessible registry paths and subpaths](security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md)
##### [Network access: Restrict anonymous access to Named Pipes and Shares](security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md)
##### [Network access: Restrict clients allowed to make remote calls to SAM](security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md)
##### [Network access: Shares that can be accessed anonymously](security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md)
##### [Network access: Sharing and security model for local accounts](security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md)
##### [Network security: Allow Local System to use computer identity for NTLM](security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md)


@ -323,7 +323,7 @@ This policy setting is used to set a minimum PIN length when you use an unlock m
<tbody>
<tr class="odd">
<td align="left"><p><strong>Policy description</strong></p></td>
<td align="left"><p>With this policy setting, you can configure a minimum length for a TPM startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits, and it can have a maximum length of 20 digits.</p></td>
<td align="left"><p>With this policy setting, you can configure a minimum length for a TPM startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits, and it can have a maximum length of 20 digits.</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>Introduced</strong></p></td>


@ -0,0 +1,154 @@
---
title: Network access - Restrict clients allowed to make remote calls to SAM
description: Security policy setting that controls which users can enumerate users and groups in the local Security Accounts Manager (SAM) database.
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
localizationpriority: high
author: brianlic-msft
---
# Network access: Restrict clients allowed to make remote calls to SAM
**Applies to**
- Windows 10, version 1607 and later
- Windows 10, version 1511 with [KB 4103198](https://support.microsoft.com/en-us/help/4013198) installed
- Windows 10, version 1507 with [KB 4012606](https://support.microsoft.com/en-us/help/4012606) installed
- Windows 8.1 with [KB 4102219](https://support.microsoft.com/en-us/help/4012219/march-2017-preview-of-monthly-quality-rollup-for-windows-8-1-and-windows-server-2012-r2) installed
- Windows 7 with [KB 4012218](https://support.microsoft.com/en-us/help/4012218/march-2017-preview-of-monthly-quality-rollup-for-windows-7-sp1-and-windows-server-2008-r2-sp1) installed
- Windows Server 2016
- Windows Server 2012 R2 with[KB 4012219](https://support.microsoft.com/en-us/help/4012219/march-2017-preview-of-monthly-quality-rollup-for-windows-8-1-and-windows-server-2012-r2) installed
- Windows Server 2012 with [KB 4012220](https://support.microsoft.com/en-us/help/4012220/march-2017-preview-of-monthly-quality-rollup-for-windows-server-2012) installed
- Windows Server 2008 R2 with [KB 4012218](https://support.microsoft.com/en-us/help/4012218/march-2017-preview-of-monthly-quality-rollup-for-windows-7-sp1-and-windows-server-2008-r2-sp1) installed
The **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting controls which users can enumerate users and groups in the local Security Accounts Manager (SAM) database. The setting was first supported by Windows 10 version 1607 and Windows Server 2016 (RTM) and can be configured on earlier Windows client and server operating systems by installing updates from the the KB articles listed in **Applies to** section of this topic.
This topic describes the default values for this security policy setting in different versions of Windows, related events, and how to enable audit mode before constraining the security principals that are allowed to remotely enumerate users and groups in the SAM so that your environment remains secure without adversely impacting application compatibility.
## Reference
The SAMRPC protocol makes it possible for a low privileged user to query a machine on a network for data. For example, a user can use SAMRPC to enumerate users, including privileged accounts such as local or domain administrators, or to enumerate groups and group memberships from the local SAM and Active Directory. This information can provide important context and serve as a starting point for an attacker to compromise a domain or networking environment.
To mitigate this risk, you can configure the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting to force the security accounts manager (SAM) to do an access check against remote calls. The access check allows or denies remote RPC connections to SAM and Active Directory for users and groups that you define.
By default, the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting is not defined. If you define it, you can edit the default Security Descriptor Definition Language (SDDL) string to explicitly allow or deny users and groups to make remote calls to the SAM. If the policy setting is left blank after the policy is defined, the policy is not enforced.
The default security descriptor on computers beginning with Windows 10 version 1607 and Windows Server 2016 allows only the local (built-in) Administrators group remote access to SAM on non-domain controllers, and allows Everyone access on domain controllers. You can edit the default security descriptor to allow or deny other users and groups, including the built-in Administrators.
The default security descriptor on computers that run earlier versions of Windows does not restrict any remote calls to SAM, but an administrator can edit the security descriptor to enforce restrictions. This less restrictive default allows for testing the impact of enabling restrictions on existing applications.
This means that if you have a mix of computers, such as servers that run both Windows Server 2016 and Windows Server 2012 R2, the servers that run Windows Server 2016 may fail to enumerate accounts by default where the servers that run Windows Server 2012 R2 succeed.
## Possible values
- Not defined
- Defined, along with the security descriptor for users and groups who are allowed or denied remote access to local SAM and Active directory using SAMRPC.
## Location
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
This policy setting controls a string that will contain the SDDL of the security descriptor to be deployed to the following registry setting:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\RestrictRemoteSam
> [!NOTE]
This policy is implemented similarly to other Network access policies in that there is a single policy element at the registry path listed. There is no notion of a local policy versus an enterprise policy; there is just one policy setting and whichever writes last wins. For example, suppose a local administrator configures this setting as part of a local policy using the Local Security Policy snap-in (Secpol.msc), which edits that same registry path. If an enterprise administrator configures this setting as part of an enterprise GPO, that enterprise GPO will overwrite the same registry path.
## Default values
Beginning with Windows 10, version 1607 and Windows Server 2016, computers have hard-coded and more restrictive default values than earlier versions of Windows. The different default values help strike a balance where recent Windows versions are more secure by default and older versions dont undergo any disruptive behavior changes. Computers that run earlier versions of Windows do not perform any access check by default. That includes domain controllers and non-domain controllers. This allows administrators to test whether applying the same restriction (that is, granting READ_CONTROL access only to members of the local Administrators group) will cause compatibility problems for existing applications before implementing this security policy setting in a production environment.
In other words, the hotfix in each KB article provides the necessary code and functionality, but you need to configure the restriction after you install the hotfix—no restrictions are enabled by default after the hotfix is installed on earlier versions of Windows.
### Default values beginning with Windows 10 version 1607 and Windows Server 2016
The following default values apply to computers beginning with Windows Server 2016 and Windows 10, version 1607. The default security descriptor for non-domain controllers grants RC access (READ_CONTROL, also known as STANDARD_RIGHTS_READ) only to members of the local (built-in) Administrators group.
| |Default SDDL |Translated SDDL| Comments
|---|---|---|---|
|Domain controller (reading Active Directory|“”|-|Everyone has read permissions to preserve compatibility.
|Non-domain controller|(O:SYG:SYD:(A;;RC;;;BA)| Owner: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18) <br>Primary group: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18) <br>DACL: <br>• Revision: 0x02 <br>• Size: 0x0020 <br>• Ace Count: 0x001 <br>• Ace[00]------------------------- AceType:0x00 <br> (ACCESS_ALLOWED_ACE_TYPE)<br> AceSize:0x0018 <br> InheritFlags:0x00 <br> Access Mask:0x00020000 <br> AceSid: BUILTIN\Administrators (Alias) (S-1-5-32-544) <br><br> SACL: Not present |Only members of the local (built-in) Administrators group get access.|
### Default values for earlier versions of Windows
The following sections explain how to enable audit only mode to test the restriction while using applications you plan to run.
## Policy management
This section explains how to configure audit-only mode, how to analyze related events that are logged when the Network access: Restrict clients allowed to make remote calls to SAM security policy setting is enabled, and how to configure event throttling to prevent flooding the event log.
### Audit only mode
Audit only mode configures the SAM interface to do the access check against the currently configured security descriptor but will not fail the call if the access check fails. Instead, the call will be allowed, but the SAM interface will log an event describing what would have happened if the feature had been enabled. This provides administrators a way to test their applications before enabling the policy in production. Audit only mode is not configured by default. To configure it, add the following registry setting.
|Registry|Details|
|---|---|
|Path|HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa|
|Setting|RestrictRemoteSamAuditOnlyMode|
|Data Type|REG_DWORD|
|Value|1|
|Notes|This setting cannot be added or removed by using predefined Group Policy settings. <br> Administrators may create a custom policy to set the registry value if needed. <br> SAM responds dynamically to changes in this registry value without a reboot. <br> You can use the [Events 16962 - 16969 Reader](https://gallery.technet.microsoft.com/Events-16962-16969-Reader-2eae5f1d) script to parse the event logs, as explained in the next section.|
### Related events
There are corresponding events that indicate when remote calls to the SAM are restricted, what accounts attempted to read from the SAM database, and more. The following workflow is recommended to identify applications that may be affected by restricting remote calls to SAM:
1. Dump event logs to a common share.
2. Parse them with the [Events 16962 - 16969 Reader](https://gallery.technet.microsoft.com/Events-16962-16969-Reader-2eae5f1d) script.
3. Look for the following events: <br>
• For domain controllers, events are logged in the Directory Services log in Event Viewer with event source Directory-Service-SAM (from Event ID 16962 to 16969, as listed in the following table). <br>
• For non-domain controllers, the same event IDs are logged in the System log with event source Directory-Service-SAM.
4. Identify which security contexts are enumerating users or groups in the SAM database.
5. Prioritize the callers, determine if they should be allowed or not, then include the allowed callers in the SDDL string.
|Event ID|Event Message Text|Explanation |
|---|---|---|
|16962|"Remote calls to the SAM database are being restricted using the default security descriptor: %1.%n "<br><br> %2- "Default SD String:" |Emit event when registry SDDL is absent, causing fallback to default hard-coded SDDL (event should include a copy of the default SDDL).|
|16963|Message Text: "Remote calls to the SAM database are being restricted using the configured registry security descriptor: %1.%n" <br><br> %1 - "Registry SD String:" |Emit event when a new SDDL is read from the registry (either on startup or change) and is considered valid. The event includes the source and a copy of the queried SDDL.
|16964|"The registry security descriptor is malformed: %1.%n Remote calls to the SAM database are being restricted using the default security descriptor: %2.%n" <br><br>%1- "Malformed SD String:"<br> %2- "Default SD String:"|Emit event when registry SDDL is mal-formed, causing fallback to default hard-coded SDDL (event should include a copy of the default SDDL).
|16965|Message Text: "A remote call to the SAM database has been denied.%nClient SID: %1%n Network address: %2%n"<br><br> %1- "Client SID:" %2- "Client Network Address | Emit event when access is denied to a remote client. Event should include identity and network address of the client.
|16966|Audit Mode is enabled- <br><br>Message Text: "Audit only mode is now enabled for remote calls to the SAM database. SAM will log an event for clients who would have been denied access in normal mode. %n"|Emit event whenever training mode (see 16968) is enabled or disabled.
|16967|Audit Mode is disabled- <br><br>Message Text: "Audit only mode is now disabled for remote calls to the SAM database.%n For more information"|Emit event whenever training mode (see 16968) is enabled or disabled.
|16968| Message Text: "Audit only mode is currently enabled for remote calls to the SAM database.%n The following client would have been normally denied access:%nClient SID: %1 from network address: %2. %n" <br>%1- "Client SID:" <br>%2- "Client Network Address:"|Emit event when access would have been denied to a remote client, but was allowed through due to training mode being enabled. Event should include identity and network address of the client.|
|16969|Message Text: "%2 remote calls to the SAM database have been denied in the past %1 seconds throttling window.%n <br>"%1- "Throttle window:" <br>%2- "Suppressed Message Count:"| Throttling may be necessary for some events due to expected high volume on some servers causing the event log to wrap. <br><br>Note: There is no throttling of events when audit mode is enabled. Environments with a large number of low-privilege and anonymous querying of the remote database may see large numbers of events logged to the System log. For more info, see the [Event Throttling](#event-throttling) section.
Compare the security context attempting to remotely enumerate accounts with the default security descriptor. Then edit the security descriptor to add accounts that require remote access.
### Event Throttling
A busy server can flood event logs with events related to the remote enumeration access check. To prevent this, access-denied events are logged once every 15 minutes by default. The length of this period is controlled by the following registry value.
|Registry Path|System\CurrentControlSet\Control\Lsa\
|---|---|
Setting |RestrictRemoteSamEventThrottlingWindow|
Data Type |DWORD|
|Value|seconds|
|Reboot Required?|No|
|Notes|**Default** is 900 seconds 15mins. <br>The throttling uses a suppressed events counter which starts at 0 and gets incremented during the throttling window. <br> For example, X events were suppressed in the last 15 minutes. <br>The counter is restarted after the event 16969 is logged.
### Restart requirement
Restarts are not required to enable, disable or modify the **Network access: Restrict clients allowed to make remote calls to SAM security** policy setting, including audit only mode. Changes become effective without a device restart when they are saved locally or distributed through Group Policy.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
The SAMRPC protocol has a default security posture that makes it possible for low-privileged attackers to query a machine on the network for data that is critical to their further hacking and penetration plans. <br><br>
The following example illustrates how an attacker might exploit remote SAM enumeration:
1. A low-privileged attacker gains a foothold on a network.
2. The attacker then queries all machines on the network to determine which ones have a highly privileged domain user configured as a local administrator on that machine.
3. If the attacker can then find any other vulnerability on that machine that allows taking it over, the attacker can then squat on the machine waiting for the high-privileged user to logon and then steal or impersonate those credentials.
### Countermeasure
You can mitigate this vulnerability by enabling the **Network access: Restrict clients allowed to make remote calls** to SAM security policy setting and configuring the SDDL for only those accounts that are explicitly allowed access.
### Potential impact
If the policy is defined, admin tools, scripts and software that formerly enumerated users, groups and group membership may fail. To identify accounts that may be affected, test this setting in [audit only mode](#audit-only-mode).
## Related Topics
[Security Options](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/security-options)
[SAMRi10 - Hardening SAM Remote Access in Windows 10/Server 2016](https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b)
<br>


@ -82,6 +82,7 @@ For info about setting security policies, see [Configure security policy setting
| [Network access: Remotely accessible registry paths](network-access-remotely-accessible-registry-paths.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Remotely accessible registry paths** security policy setting.|
| [Network access: Remotely accessible registry paths and subpaths](network-access-remotely-accessible-registry-paths-and-subpaths.md)| Describes the best practices, location, values, and security considerations for the **Network access: Remotely accessible registry paths and subpaths** security policy setting. |
| [Network access: Restrict anonymous access to Named Pipes and Shares](network-access-restrict-anonymous-access-to-named-pipes-and-shares.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Restrict anonymous access to Named Pipes and Shares** security policy setting. |
| [Network access: Restrict clients allowed to make remote calls to SAM](network-access-restrict-clients-allowed-to-make-remote-sam-calls.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting. |
| [Network access: Shares that can be accessed anonymously](network-access-shares-that-can-be-accessed-anonymously.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Shares that can be accessed anonymously** security policy setting. |
| [Network access: Sharing and security model for local accounts](network-access-sharing-and-security-model-for-local-accounts.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Sharing and security model for local accounts** security policy setting. |
| [Network security: Allow Local System to use computer identity for NTLM](network-security-allow-local-system-to-use-computer-identity-for-ntlm.md)| Describes the location, values, policy management, and security considerations for the **Network security: Allow Local System to use computer identity for NTLM** security policy setting. |


@ -14,7 +14,7 @@ This topic lists new and updated topics in the [Threat protection](index.md) doc
## March 2017
|New or changed topic |Description |
|---------------------|------------|
|[Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Azure Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune.md)|Updated based on Windows 10, version 1703.|
|[Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune.md)|Updated based on Windows 10, version 1703.|
|[How to collect Windows Information Protection (WIP) audit event logs](windows-information-protection\collect-wip-audit-event-logs.md) |New |
|[Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](windows-information-protection\mandatory-settings-for-wip.md) |Updated based on Windows 10, version 1703. |
|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md) |Updated based on Windows 10, version 1703. |


@ -1,6 +1,6 @@
---
title: View and organize the Windows Defender ATP Alerts queue
description: Learn about how the Windows Defender ATP alerts queue work, and how to sort and filter lists of alerts.
description: Learn about how the Windows Defender ATP alerts queues work, and how to sort and filter lists of alerts.
keywords: alerts, queues, alerts queue, sort, order, filter, manage alerts, new, in progress, resolved, newest, time in queue, severity, time period
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@ -21,7 +21,7 @@ localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
The **Alerts queue** shows a list of alerts that were flagged from endpoints in your network. Alerts are displayed in queues according to their current status. In any of the queues, you'll see details such as the severity of alerts and the number of machines where the alerts were seen.
The **Alerts queue** shows a list of alerts that were flagged from endpoints in your network. Alerts are displayed in queues according to their current status. In each queue, you'll see details such as the severity of alerts and the number of machines the alerts were raised on.
Alerts are organized in queues by their workflow status or assignment:
@ -33,17 +33,17 @@ Alerts are organized in queues by their workflow status or assignment:
To see a list of alerts, click any of the queues under the **Alerts queue** option in the navigation pane.
> [!NOTE]
> By default, the queues are sorted from newest to oldest.
> By default, alerts in the queues are sorted from newest to oldest.
## Sort and filter the alerts
You can sort and filter the alerts by using the available filters or clicking columns that allows you to sort the view in ascending or descending order.
You can sort and filter the alerts using the available filters or clicking on a column's header that will sort the view in ascending or descending order.
![Alerts queue with numbers](images/alerts-queue-numbered.png)
Highlighted area|Area name|Description
:---|:---|:---
1 | Alert filters | Filter the list of alerts by severity, detection source, time period, or change the view from flat to grouped.
2 | Alert selected | Select an alert to bring up the **Alert management** to manage and see details about the alert.
2 | Alert selected | Select an alert to bring up the **Alert management** pane to manage and see details about the alert.
3 | Alert management pane | View and manage alerts without leaving the alerts queue view.
### Sort, filter, and group the alerts list
@ -76,9 +76,9 @@ Reviewing the various alerts and their severity can help you decide on the appro
**View**</br>
- **Flat view** - Lists alerts individually with alerts having the latest activity displayed at the top.
- **Grouped view** - Groups alerts by alert ID, file hash, malware family, or other attribute to enable more efficient alert triage and management. Alert grouping reduces the number of rows in the queue by aggregating alerts together.
- **Grouped view** - Groups alerts by alert ID, file hash, malware family, or other attribute to enable more efficient alert triage and management. Alert grouping reduces the number of rows in the queue by aggregating similar alerts together.
The group view allows for efficient alert triage and management.
The grouped view allows efficient alert triage and management.
### Use the Alert management pane
Selecting an alert brings up the **Alert management** pane where you can manage and see details about the alert.


@ -77,7 +77,7 @@ netsh winhttp set proxy <proxy>:<port>
For example: netsh winhttp set proxy 10.0.0.6:8080
## Enable access to Windows Defender ATP service URLs in the proxy server
If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service in port 80 and 443:
If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service in port 80 and 443:
Primary Domain Controller | .Microsoft.com DNS record
:---|:---


@ -27,7 +27,7 @@ You can define custom alert definitions and indicators of compromise (IOC) using
Before creating custom alerts, you'll need to enable the threat intelligence application in Azure Active Directory and generate access tokens. For more information, see [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md).
### Use the threat intelligence REST API to create custom threat intelligence alerts
You can call and specify the resource URLs using one of the following operations to access and manipulate a threat intelligence resource, you call and specify the resource URLs using one of the following operations:
You can call and specify the resource URLs using one of the following operations to access and manipulate a threat intelligence resource:
- GET
- POST


@ -134,7 +134,7 @@ This step will guide you in simulating an event in connection to a malicious IP
## Step 4: Explore the custom alert in the portal
This step will guide you in exploring the custom alert in the portal.
1. Open the [Windows Defender ATP portal](http: /securitycenter.windows.com/) on a browser.
1. Open the [Windows Defender ATP portal](http://securitycenter.windows.com/) on a browser.
2. Log in with your Windows Defender ATP credentials.


@ -28,11 +28,11 @@ Follow these steps to associate your WIP policy with your organization's existin
2. Open the Microsoft Intune mobile application management console, click **Device configuration**, and then click **Create Profile**.
![Microsoft Azure Intune, Create a new policy using the the Azure portal](images/wip-azure-vpn-device-policy.png)
![Microsoft Intune, Create a new policy using the portal](images/wip-azure-vpn-device-policy.png)
3. In the **Create Profile** blade, type a name for your profile, such as *Contoso_VPN_Win10*, into the **Name** box, add an optional description for your policy into the **Description** box, select **Windows 10 and later** from the **Platform** dropdown box, select **Custom** from the **Profile type** dropdown box, and then click **Configure**.
![Microsoft Azure Intune, Create a new policy using the Create Profile blade](images/wip-azure-vpn-configure-policy.png)
![Microsoft Intune, Create a new policy using the Create Profile blade](images/wip-azure-vpn-configure-policy.png)
4. In the **Custom OMA-URI Settings** blade, click **Add**.
@ -48,13 +48,13 @@ Follow these steps to associate your WIP policy with your organization's existin
- **Value.** Type your fully-qualified domain that should be used by the OMA-URI setting. For example, _corp.contoso.com_.
![Microsoft Azure Intune, Add your OMA-URI settings](images/wip-azure-vpn-custom-omauri.png)
![Microsoft Intune, Add your OMA-URI settings](images/wip-azure-vpn-custom-omauri.png)
6. Click **OK** to save your setting info in the **Add Row** blade, and then click **OK** in the **Custom OMA-URI Settings** blade to save the setting with your policy.
7. Click **Create** to create the policy, including your OMA_URI info.
## Deploy your VPN policy using Microsoft Azure Intune
## Deploy your VPN policy using Microsoft Intune
After youve created your VPN policy, you'll need to deploy it to the same group you deployed your Windows Information Protection (WIP) policy.
**To deploy your Custom VPN policy**
@ -70,4 +70,4 @@ After youve created your VPN policy, you'll need to deploy it to the same gro
![Microsoft Intune: Pick your user groups that should get the policy when it's deployed](images/wip-azure-add-user-groups.png)
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).


@ -342,6 +342,9 @@ After you've added the apps you want to protect with WIP, you'll need to apply a
We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Hide Overrides**.
>[!NOTE]
>For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
**To add your protection mode**
1. From the **App policy** blade, click the name of your policy, and then click **Required settings** from the menu that appears.
@ -353,7 +356,7 @@ We recommend that you start with **Silent** or **Allow Overrides** while verifyi
|Mode |Description |
|-----|------------|
|Hide Overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
|Allow Overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459).|
|Allow Overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that wouldve been prompted for employee interaction while in Allow Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.<br><br>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isnt automatically reapplied if you turn WIP protection back on.|


@ -339,10 +339,13 @@ After you've added the apps you want to protect with WIP, you'll need to apply a
We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**.
>[!NOTE]
>For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
|Mode |Description |
|-----|------------|
|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459). |
|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. |
|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that wouldve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.<p>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isnt automatically reapplied if you turn WIP protection back on.|


@ -1,5 +1,5 @@
---
title: Deploy your Windows Information Protection (WIP) policy using Microsoft Azure Intune (Windows 10)
title: Deploy your Windows Information Protection (WIP) policy using Microsoft Intune (Windows 10)
description: After youve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices.
ms.assetid: 9c4a01e7-0b1c-4f15-95d0-0389f0686211
keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, Intune
@ -11,7 +11,7 @@ author: eross-msft
localizationpriority: high
---
# Deploy your Windows Information Protection (WIP) policy using Microsoft Azure Intune
# Deploy your Windows Information Protection (WIP) policy using Microsoft Intune
**Applies to:**
- Windows 10, version 1607 and later
@ -29,15 +29,15 @@ After youve created your Windows Information Protection (WIP) policy, you'll
The policy is deployed to the selected users' devices.
![Microsoft Azure Intune: Pick your user groups that should get the policy when it's deployed](images/wip-azure-add-user-groups.png)
![Microsoft Intune: Pick your user groups that should get the policy when it's deployed](images/wip-azure-add-user-groups.png)
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
## Related topics
- [Create a Windows Information Protection (WIP) policy using Microsoft Azure Intune](create-wip-policy-using-intune.md)
- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md)
- [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Azure Intune](create-vpn-and-wip-policy-using-intune.md)
- [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)


@ -82,7 +82,8 @@ WIP gives you a new way to manage data policy enforcement for apps and documents
You dont have to modify line-of-business apps that never touch personal data to list them as allowed apps; just include them in the allowed apps list.
- **Deciding your level of data access.** WIP lets you hide overrides, allow overrides, or audit employees' data sharing actions. Hiding overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your allowed apps list.
- **Deciding your level of data access.** WIP lets you hide overrides, allow overrides, or audit employees' data sharing actions. Hiding overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your allowed apps list. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
- **Data encryption at rest.** WIP helps protect enterprise data on local files and on removable media.
@ -123,18 +124,18 @@ Enterprise data is automatically encrypted after its loaded on a device from
Your WIP policy includes a list of trusted apps that are allowed to access and process corporate data. This list of apps is implemented through the [AppLocker](/windows/device-security/applocker/applocker-overview) functionality, controlling what apps are allowed to run and letting the Windows operating system know that the apps can edit corporate data. Apps included on this list dont have to be modified to open corporate data because their presence on the list allows Windows to determine whether to grant them access. However, new for Windows 10, app developers can use a new set of application programming interfaces (APIs) to create *enlightened* apps that can use and edit both enterprise and personal data. A huge benefit to working with enlightened apps is that dual-use apps, like Microsoft Word, can be used with less concern about encrypting personal data by mistake because the APIs allow the app to determine whether data is owned by the enterprise or if its personally owned.
>[!NOTE]
>For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
You can set your WIP policy to use 1 of 4 protection and management modes:
|Mode|Description|
|----|-----------|
|Hide overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organizations network.|
|Allow overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459). |
|Allow overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log.|
|Silent |WIP runs silently, logging inappropriate data sharing, without stopping anything that wouldve been prompted for employee interaction while in Allow overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
|Off |WIP is turned off and doesn't help to protect or audit your data.<p>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isnt automatically reapplied if you turn WIP protection back on.<p>**Note**<br>For more info about setting your WIP-protection modes, see either [Create a Windows Information Protection (WIP) policy using Intune](create-wip-policy-using-intune.md) or [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-wip-policy-using-sccm.md), depending on your management solution. |
>[!NOTE]
>For info about how to collect your audit logs, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
## Turn off WIP
You can turn off all Windows Information Protection and restrictions, decrypting all devices managed by WIP and reverting to where you were pre-WIP, with no data loss. However, this isnt recommended. If you choose to turn WIP off, you can always turn it back on, but your decryption and policy info wont be automatically reapplied.


@ -171,7 +171,7 @@ For Windows desktops, users are able to reset a forgotten PIN through **Settings
For more details, check out [What if I forget my PIN?](/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password#what-if-i-forget-my-pin).
### Windows Information Protection (WIP) and Azure Active Directory (Azure AD)
Microsoft Azure Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Azure Intune](/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Azure Intune](/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md).
Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md).
You can also now collect your audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices). For info, see the brand-new topic, [How to collect Windows Information Protection (WIP) audit event logs](/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs.md).