diff --git a/education/windows/images/suspc_createpackage_settingspage.PNG b/education/windows/images/suspc_createpackage_settingspage.PNG
new file mode 100644
index 0000000000..2e5af10917
Binary files /dev/null and b/education/windows/images/suspc_createpackage_settingspage.PNG differ
diff --git a/education/windows/images/suspc_createpackage_summary.PNG b/education/windows/images/suspc_createpackage_summary.PNG
new file mode 100644
index 0000000000..3740cc9aef
Binary files /dev/null and b/education/windows/images/suspc_createpackage_summary.PNG differ
diff --git a/education/windows/images/suspc_createpackage_takeatestpage.PNG b/education/windows/images/suspc_createpackage_takeatestpage.PNG
new file mode 100644
index 0000000000..df8c2cc5b5
Binary files /dev/null and b/education/windows/images/suspc_createpackage_takeatestpage.PNG differ
diff --git a/education/windows/images/suspc_getstarted_050817.PNG b/education/windows/images/suspc_getstarted_050817.PNG
new file mode 100644
index 0000000000..124905676a
Binary files /dev/null and b/education/windows/images/suspc_getstarted_050817.PNG differ
diff --git a/education/windows/images/suspc_ppkgisready_050817.PNG b/education/windows/images/suspc_ppkgisready_050817.PNG
new file mode 100644
index 0000000000..7bee1ead44
Binary files /dev/null and b/education/windows/images/suspc_ppkgisready_050817.PNG differ
diff --git a/education/windows/images/suspc_runpackage_getpcsready.PNG b/education/windows/images/suspc_runpackage_getpcsready.PNG
new file mode 100644
index 0000000000..f3e4cab25a
Binary files /dev/null and b/education/windows/images/suspc_runpackage_getpcsready.PNG differ
diff --git a/education/windows/images/suspc_runpackage_installpackage.PNG b/education/windows/images/suspc_runpackage_installpackage.PNG
new file mode 100644
index 0000000000..4745ceb5a7
Binary files /dev/null and b/education/windows/images/suspc_runpackage_installpackage.PNG differ
diff --git a/education/windows/images/suspc_savepackage_insertusb_050817.PNG b/education/windows/images/suspc_savepackage_insertusb_050817.PNG
new file mode 100644
index 0000000000..e0f8ceab7a
Binary files /dev/null and b/education/windows/images/suspc_savepackage_insertusb_050817.PNG differ
diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md
index d8aae145f6..597919abca 100644
--- a/education/windows/use-set-up-school-pcs-app.md
+++ b/education/windows/use-set-up-school-pcs-app.md
@@ -17,7 +17,7 @@ author: CelesteDG
IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up PCs for students. A student PC set up using the app is tailored to provide students with the tools they need for learning while removing apps and features that they don't need.
-
+
## What does this app do?
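Review bot: this hunk appears to change only whitespace on a blank line (the removed and added lines are identical apart from trailing spaces); drop it so the diff is limited to the intended content changes.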
@@ -61,7 +61,7 @@ A student PC that's set up using the Set up School PCs provisioning package is t
* **Network tips**
* You cannot use Set up School PCs over a certification-based network, or one where you have to enter credentials in a browser. You can only connect to an open network, or one with a basic password.
* If you need to set up a lot of devices over Wi-Fi, make sure that your network configuration can support it.
- - We recommend configuring your DHCP so you have a good set of IP addresses available (about 100-200). These IP addresses will expire after a short amount of time (about 30 minutes). This allows you set up many devices simultaneously, and the IP addresses will be freed up quick so you can continue to set up devices without risk of crashing your network.
+ - We recommend configuring your DHCP so at least 200 IP addresses are available for the devices you are setting up. Configure your IP addresses to expire after a short time (about 30 minutes). This ensures that you can set up many devices simultaneously, and IP addresses will free up quickly so you can continue to set up devices without hitting network issues.
* **Apply to new student PCs**
* The provisioning package that the Set up School PCs app creates should be used on new PCs that haven't been set up for accounts yet. If you apply the provisioning package to a student PC that has already been set up, existing accounts and data might be lost.
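Review bot: in the rewritten DHCP bullet, "Configure your IP addresses to expire after a short time (about 30 minutes)" should name the setting the reader has to change, which is the DHCP lease time; suggest "Set the DHCP lease time to a short value (about 30 minutes) so addresses are released quickly". The rest of the rewording (at least 200 addresses, "without hitting network issues") reads well.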
@@ -112,7 +112,7 @@ The **Set up School PCs** app guides you through the configuration choices for t
**Figure 1** - Launch the Set up School PCs app
- 
+ 
2. Click **Get started**.
3. To sign in to your school's Office 365 account, in the **First step: Let's get you signed in** page:
@@ -170,7 +170,7 @@ The **Set up School PCs** app guides you through the configuration choices for t
**Figure 3** - Configure student PC settings
- 
+ 
When you're doing configuring the student PC settings, click **Next**.
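Review bot: the unchanged context line "When you're doing configuring the student PC settings, click **Next**." has a typo; since the figure above it is being replaced in this hunk, fix it in the same change to "When you're done configuring the student PC settings, click **Next**."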
@@ -182,7 +182,7 @@ The **Set up School PCs** app guides you through the configuration choices for t
**Figure 4** - Configure the Take a Test app
- 
+ 
3. Click **Next** or **Skip** depending on whether you want to set up Take a Test.
@@ -202,7 +202,7 @@ The **Set up School PCs** app guides you through the configuration choices for t
**Figure 5** - Review your settings and change them as needed
- 
+ 
2. Click **Accept**.
@@ -213,19 +213,19 @@ The **Set up School PCs** app guides you through the configuration choices for t
**Figure 6** - Select the USB drive and save the provisioning package
- 
+ 
10. When the provisioning package is ready, you will see the name of the file and you can remove the USB drive. Click **Next** if you're done, or click **Add a USB** to save the same provisioning package to another USB drive.
**Figure 7** - Provisioning package is ready
- 
+ 
12. Follow the instructions in the **Get the student PCs ready** page to start setting up the student PCs.
**Figure 8** - Line up the student PCs and get them ready for setup
- 
+ 
13. Click **Next**.
14. In the **Install the package** page, follow the instructions in [Apply the provisioning package to the student PCs](#apply-the-provisioning-package-to-the-student-pcs) to set up the student PCs.
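Review bot: in the visible context of this hunk the step numbers run 10, 12, 13, 14; if there is no step 11 between the "Provisioning package is ready" figure and "Follow the instructions in the **Get the student PCs ready** page", renumber the list while the figures are being swapped.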
@@ -234,7 +234,7 @@ The **Set up School PCs** app guides you through the configuration choices for t
**Figure 9** - Install the provisioning package on the student PCs
- 
+ 
### Apply the provisioning package to the student PCs
diff --git a/education/windows/windows-editions-for-education-customers.md b/education/windows/windows-editions-for-education-customers.md
index 99a438e0b9..db3fb46f6a 100644
--- a/education/windows/windows-editions-for-education-customers.md
+++ b/education/windows/windows-editions-for-education-customers.md
@@ -1,6 +1,6 @@
---
title: Windows 10 editions for education customers
-description: Provides an overview of the two editions in Windows 10, version 1607 that's designed for the needs of K-12 institutions.
+description: Provides an overview of the two Windows 10 editions that are designed for the needs of K-12 institutions.
keywords: Windows 10 Pro Education, Windows 10 Education, Windows 10 editions, education customers
ms.prod: w10
ms.mktglfcycl: plan
@@ -16,39 +16,45 @@ author: CelesteDG
- Windows 10
-Windows 10 Anniversary Update (Windows 10, version 1607) continues our commitment to productivity, security, and privacy for all customers. Windows 10 Pro and Windows 10 Enterprise offer the functionality and safety features demanded by business and education customers around the globe. Windows 10 is the most secure Windows we’ve ever built. All of our Windows commercial editions can be configured to support the needs of schools, through group policies, domain join, and more. To learn more about Microsoft’s commitment to security and privacy in Windows 10, see more on both [security](https://go.microsoft.com/fwlink/?LinkId=822619) and [privacy](https://go.microsoft.com/fwlink/?LinkId=822620).
+Windows 10, version 1607 (Anniversary Update) continues our commitment to productivity, security, and privacy for all customers. Windows 10 Pro and Windows 10 Enterprise offer the functionality and safety features demanded by business and education customers around the globe. Windows 10 is the most secure Windows we’ve ever built. All of our Windows commercial editions can be configured to support the needs of schools, through group policies, domain join, and more. To learn more about Microsoft’s commitment to security and privacy in Windows 10, see more on both [security](https://go.microsoft.com/fwlink/?LinkId=822619) and [privacy](https://go.microsoft.com/fwlink/?LinkId=822620).
-Windows 10, version 1607 offers a variety of new features and functionality, such as simplified provisioning with the [Set up School PCs app](https://go.microsoft.com/fwlink/?LinkID=821951) or [Windows Configuration Designer](https://go.microsoft.com/fwlink/?LinkId=822623), easier delivery of digital assessments with [Take a Test](https://go.microsoft.com/fwlink/?LinkID=821956), and faster log in performance for shared devices than ever before. These features work with all Windows for desktop editions, excluding Windows 10 Home. You can find more information about Windows 10, version 1607 on [windows.com](http://www.windows.com/).
+Beginning with version 1607, Windows 10 offers a variety of new features and functionality, such as simplified provisioning with the [Set up School PCs app](https://go.microsoft.com/fwlink/?LinkID=821951) or [Windows Configuration Designer](https://go.microsoft.com/fwlink/?LinkId=822623), easier delivery of digital assessments with [Take a Test](https://go.microsoft.com/fwlink/?LinkID=821956), and faster log in performance for shared devices than ever before. These features work with all Windows for desktop editions, excluding Windows 10 Home. You can find more information on [windows.com](http://www.windows.com/).
Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: [Windows 10 Pro Education](#windows-10-pro-education) and [Windows 10 Education](#windows-10-education). These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments.
## Windows 10 Pro Education
-Windows 10 Pro Education builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools. Windows 10 Pro Education is effectively a variant of Windows 10 Pro that provides education-specific default settings, including the removal of Cortana
1. These default settings disable tips, tricks and suggestions & Windows Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Windows Store tips, tricks and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627).
+Windows 10 Pro Education builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools. Windows 10 Pro Education is effectively a variant of Windows 10 Pro that provides education-specific default settings. These default settings disable tips, tricks and suggestions & Windows Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627).
-> [!NOTE]
-> If using Windows 10 Pro Education or Windows 10 Education, upgrading from Windows 10, version 1607 (Anniversary Update) to Windows 10, version 1703 (Creators Update) will enable Cortana. You can use the **AllowCortana** policy to turn it off. For more information, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md).
+For Cortana
1,
+- If you're using version 1607, Cortana is removed.
+- If you're using new devices with version 1703, Cortana is turned on by default.
+- If you're upgrading from version 1607 to version 1703, Cortana will be enabled.
+You can use the **AllowCortana** policy to turn Cortana off. For more information, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md).
Windows 10 Pro Education is available on new devices pre-installed with Windows 10, version 1607 or newer versions that are purchased with discounted K-12 academic licenses through OEM partners (these discounted licenses are sometimes referred to as National Academic or Shape the Future).
Existing devices running Windows 10 Pro, currently activated with the original OEM digital product key and purchased with discounted K-12 academic licenses through OEM partners (these discounted licenses are sometimes referred to as National Academic or Shape the Future), will upgrade automatically to Windows 10 Pro Education as part of the Windows 10, version 1607 installation.
-Customers with Academic Volume Licensing agreements with rights for Windows can get Windows 10 Pro Education through the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx), available at a later date.
+Customers with Academic Volume Licensing agreements with rights for Windows can get Windows 10 Pro Education through the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
-Customers that deploy Windows 10 Pro are able to configure the product to have similar feature settings to Windows 10 Pro Education using policies. More detailed information on these policies and the configuration steps required is available in [Manage Windows 10 and Windows Store tips, tricks and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627). We recommend that K-12 customers using commercial Windows 10 Pro read the [document](https://go.microsoft.com/fwlink/?LinkId=822627) and apply desired settings for your environment.
+Customers who deploy Windows 10 Pro are able to configure the product to have similar feature settings to Windows 10 Pro Education using policies. More detailed information on these policies and the configuration steps required is available in Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627). We recommend that K-12 customers using commercial Windows 10 Pro read the [document](https://go.microsoft.com/fwlink/?LinkId=822627) and apply desired settings for your environment.
## Windows 10 Education
-Windows 10 Education builds on Windows 10 Enterprise and provides the enterprise-grade manageability and security desired by many schools. Windows 10 Education is effectively a variant of Windows 10 Enterprise that provides education-specific default settings, including the removal of Cortana
1. These default settings disable tips, tricks and suggestions & Windows Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Windows Store tips, tricks and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627).
+Windows 10 Education builds on Windows 10 Enterprise and provides the enterprise-grade manageability and security desired by many schools. Windows 10 Education is effectively a variant of Windows 10 Enterprise that provides education-specific default settings. These default settings disable tips, tricks and suggestions & Windows Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627).
-> [!NOTE]
-> If using Windows 10 Pro Education or Windows 10 Education, upgrading from Windows 10, version 1607 (Anniversary Update) to Windows 10, version 1703 (Creators Update) will enable Cortana. You can use the **AllowCortana** policy to turn it off. For more information, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md).
+For Cortana
1,
+- If you're using version 1607, Cortana
1 is removed.
+- If you're using new devices with version 1703, Cortana is turned on by default.
+- If you're upgrading from version 1607 to version 1703, Cortana will be enabled.
+You can use the **AllowCortana** policy to turn Cortana off. For more information, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md).
Windows 10 Education is available through Microsoft Volume Licensing. Customers who are already running Windows 10 Education can upgrade to Windows 10, version 1607 or newer versions through Windows Update or from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). We recommend Windows 10 Education to all K-12 customers as it provides the most complete and secure edition for education environments. If you do not have access to Windows 10 Education, contact your Microsoft representative or see more information [here](https://go.microsoft.com/fwlink/?LinkId=822628).
-Customers that deploy Windows 10 Enterprise are able to configure the product to have similar feature settings to Windows 10 Education using policies. More detailed information on these policies and the configuration steps required is available in [Manage Windows 10 and Windows Store tips, tricks and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627). We recommend that K-12 customers using commercial Windows 10 Enterprise read the [document](https://go.microsoft.com/fwlink/?LinkId=822627) and apply desired settings for your environment.
+Customers who deploy Windows 10 Enterprise are able to configure the product to have similar feature settings to Windows 10 Education using policies. More detailed information on these policies and the configuration steps required is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627). We recommend that K-12 customers using commercial Windows 10 Enterprise read the [document](https://go.microsoft.com/fwlink/?LinkId=822627) and apply desired settings for your environment.
For any other questions, contact [Microsoft Customer Service and Support](https://support.microsoft.com/en-us).
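Review bot: the added paragraph beginning "Customers who deploy Windows 10 Pro" drops the opening bracket of its link, so "Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627)" will render as literal text with a bare URL; restore the "[" (the parallel paragraph under Windows 10 Education has it). In both new Cortana lists, put a blank line after "For Cortana<footnote>," before the first bullet and another before "You can use the **AllowCortana** policy to turn Cortana off", otherwise Markdown can fold that sentence into the last list item. The footnote marker is also inconsistent between the two lists: the Windows 10 Education list attaches it to "Cortana is removed" in the first bullet, while the Windows 10 Pro Education list does not; the two blocks are otherwise word-for-word identical, so make the marker placement identical too.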
@@ -62,4 +68,4 @@ For any other questions, contact [Microsoft Customer Service and Support](https:
-
1 Cortana available in select markets; experience may vary by region and device. Cortana is disabled in the Windows 10 Pro Education and Windows 10 Education editions.
+
1 Cortana available in select markets; experience may vary by region and device.
diff --git a/store-for-business/distribute-apps-with-management-tool.md b/store-for-business/distribute-apps-with-management-tool.md
index 391e5173f4..befde0855e 100644
--- a/store-for-business/distribute-apps-with-management-tool.md
+++ b/store-for-business/distribute-apps-with-management-tool.md
@@ -59,7 +59,7 @@ This diagram shows how you can use a management tool to distribute an online-lic
## Related topics
[Configure MDM Provider](configure-mdm-provider-windows-store-for-business.md)
-[Manage apps you purchased from the Microsoft Store for Business and Education with Microsoft InTune](https://technet.microsoft.com/library/mt676514.aspx)
+[Manage apps you purchased from the Microsoft Store for Business and Education with Microsoft Intune](https://technet.microsoft.com/library/mt676514.aspx)
diff --git a/windows/access-protection/credential-guard/credential-guard-manage.md b/windows/access-protection/credential-guard/credential-guard-manage.md
index 9396f2dd47..05f08ab263 100644
--- a/windows/access-protection/credential-guard/credential-guard-manage.md
+++ b/windows/access-protection/credential-guard/credential-guard-manage.md
@@ -143,8 +143,8 @@ For client machines that are running Windows 10 1703, LSAIso is running whenever
- **Event ID 15** Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Credential Guard.
- **Event ID 16** Credential Guard (LsaIso.exe) failed to launch: \[error code\]
- **Event ID 17** Error reading Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]
- You can also verify that TPM is being used for key protection by checking the following event in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0.
- - **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.
+ You can also verify that TPM is being used for key protection by checking Event ID 51 in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0.
+ - **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.
## Disable Credential Guard
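Review bot: the rewritten sentence now tells the reader to check Event ID 51 and says "the TPM PCR mask value will be something other than 0" when a TPM is in use, but the sample event immediately below it ends with "TPM PCR mask: 0x0", which is the no-TPM case; a reader who matches the sample verbatim will conclude the TPM is protecting the VSM master key when it is not. Either label the sample as what Event ID 51 looks like without a TPM, or add a sentence after it saying that a mask of 0x0 in this event is the indicator that the key is not TPM-sealed.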
diff --git a/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md
index 1aa658b96a..208b3e6a3c 100644
--- a/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md
+++ b/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md
@@ -49,7 +49,7 @@ The Windows Hello for Business PIN is subject to the same set of IT management p
## What if someone steals the laptop or phone?
To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the user’s biometrics or guess his or her PIN—and all of this must be done before [TPM anti-hammering](/windows/device-security/tpm/tpm-fundamentals#anti-hammering) protection locks the device.
-You can provide additional protection for laptops that don't have TPM by enablng BitLocker and setting a policy to limit failed sign-ins.
+You can provide additional protection for laptops that don't have TPM by enabling BitLocker and setting a policy to limit failed sign-ins.
**Configure BitLocker without TPM**
1. Use the Local Group Policy Editor (gpedit.msc) to enable the following policy:
diff --git a/windows/configuration/TOC.md b/windows/configuration/TOC.md
index 4d7de0a870..e91e9f7bda 100644
--- a/windows/configuration/TOC.md
+++ b/windows/configuration/TOC.md
@@ -19,6 +19,7 @@
### [Settings and quick actions that can be locked down in Windows 10 Mobile](mobile-devices/settings-that-can-be-locked-down.md)
### [Product IDs in Windows 10 Mobile](mobile-devices/product-ids-in-windows-10-mobile.md)
### [Start layout XML for mobile editions of Windows 10 (reference)](mobile-devices/start-layout-xml-mobile.md)
+## [Configure cellular settings for tablets and PCs](provisioning-apn.md)
## [Configure Start, taskbar, and lock screen](start-taskbar-lockscreen.md)
### [Configure Windows Spotlight on the lock screen](windows-spotlight.md)
### [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](manage-tips-and-suggestions.md)
diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md
index 07cebcf161..4236b5e7da 100644
--- a/windows/configuration/change-history-for-configure-windows-10.md
+++ b/windows/configuration/change-history-for-configure-windows-10.md
@@ -18,7 +18,8 @@ This topic lists new and updated topics in the [Configure Windows 10](index.md)
| New or changed topic | Description |
| --- | --- |
-| [ Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added MDM policies for privacy settings. |
+| [Configure cellular settings for tablets and PCs](provisioning-apn.md) | New |
+| [ Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added MDM policies for privacy settings |
## April 2017
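Review bot: the re-added row's link text still has a leading space, "[ Manage connections from Windows operating system components to Microsoft services]", which renders as " Manage connections"; drop the space while the line is being touched anyway.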
diff --git a/windows/configuration/images/apn-add-details.PNG b/windows/configuration/images/apn-add-details.PNG
new file mode 100644
index 0000000000..caee3d6429
Binary files /dev/null and b/windows/configuration/images/apn-add-details.PNG differ
diff --git a/windows/configuration/images/apn-add.PNG b/windows/configuration/images/apn-add.PNG
new file mode 100644
index 0000000000..0e25e5c0e9
Binary files /dev/null and b/windows/configuration/images/apn-add.PNG differ
diff --git a/windows/configuration/index.md b/windows/configuration/index.md
index c7b9711f5a..28bf0e8e33 100644
--- a/windows/configuration/index.md
+++ b/windows/configuration/index.md
@@ -25,6 +25,7 @@ Enterprises often need to apply custom configurations to devices for their users
| [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense. The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10. |
| [Configure kiosk and shared devices running Windows 10 desktop editions](kiosk-shared-pc.md) | These topics help you configure Windows 10 devices to be shared by multiple users or to run as a kiosk device that runs a single app. |
| [Configure Windows 10 Mobile devices](mobile-devices/configure-mobile.md) | These topics help you configure the features and apps and Start screen for a device running Windows 10 Mobile, as well as how to configure a kiosk device that runs a single app. |
+| [Configure cellular settings for tablets and PCs](provisioning-apn.md) | Enterprises can provision cellular settings for tablets and PC with built-in cellular modems or plug-in USB modem dongles. |
| [Configure Start, taskbar, and lock screen](start-taskbar-lockscreen.md) | A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default. |
| [Cortana integration in your business or enterprise](cortana-at-work/cortana-at-work-overview.md) | The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments. |
| [Configure access to Microsoft Store](stop-employees-from-using-the-windows-store.md) | IT Pros can configure access to Microsoft Store for client computers in their organization. For some organizations, business policies require blocking access to Microsoft Store. |
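Review bot: the added row's description reads "tablets and PC with built-in cellular modems"; make it "tablets and PCs" to match the link text "Configure cellular settings for tablets and PCs" in the same row.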
diff --git a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index b5b9ec5163..03a95580ef 100644
--- a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -287,7 +287,7 @@ You can prevent Windows from setting the time automatically.
-or-
-- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Enable Windows NTP Server** > **Windows Time Service** > **Enable Windows NTP Client**
+- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Enable Windows NTP Server** > **Windows Time Service** > **Configure Windows NTP Client**
-or -
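Review bot: renaming the setting to "Configure Windows NTP Client" is correct, but the path on the same line still places **Enable Windows NTP Server** as a folder between **System** and **Windows Time Service**; that is the name of a policy, not a container. In the Group Policy editor the client setting is at **Computer Configuration** > **Administrative Templates** > **System** > **Windows Time Service** > **Time Providers** > **Configure Windows NTP Client**; fix the path while the line is being edited.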
@@ -511,6 +511,7 @@ Find the Microsoft Edge Group Policy objects under **Computer Configuration** &g
| Configure Windows Defender SmartScreen Filter (Windows 10, version 1703)
Configure SmartScreen Filter (Windows Server 2016) | Choose whether Windows Defender SmartScreen is turned on or off.
Default: Enabled |
| Allow web content on New Tab page | Choose whether a new tab page appears.
Default: Enabled |
| Configure Start pages | Choose the Start page for domain-joined devices.
Set this to **about:blank** |
+| Prevent the First Run webpage from opening pages | Choose whether employees see the First Run webpage.
Default: Enabled |
The Windows 10, version 1511 Microsoft Edge Group Policy names are:
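Review bot: the added row "Prevent the First Run webpage from opening pages | Choose whether employees see the First Run webpage. Default: Enabled" is ambiguous about what "Enabled" refers to: the neighbouring rows use "Default:" for the state of the feature, so "Enabled" here reads as "the First Run page opens by default", whereas the policy's own Enabled state suppresses it. Spell out which is meant, e.g. "Default: the First Run webpage opens (policy not configured)", so that readers of this lock-down table know what changes when they enable the policy.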
@@ -1824,7 +1825,7 @@ You can turn off Windows Update by setting the following registry entries:
-and-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Intenet Communication Management** > **Internet Communication Settings** > **Turn off access to all Windows Update features**.
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off access to all Windows Update features**.
-and-
diff --git a/windows/configuration/provisioning-apn.md b/windows/configuration/provisioning-apn.md
new file mode 100644
index 0000000000..f1aeed6ade
--- /dev/null
+++ b/windows/configuration/provisioning-apn.md
@@ -0,0 +1,79 @@
+---
+title: Configure cellular settings for tablets and PCs (Windows 10)
+description: Enterprises can provision cellular settings for tablets and PC with built-in cellular modems or plug-in USB modem dongles.
+ms.assetid: 287706E5-063F-4AB5-902C-A0DF6D0730BC
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Configure cellular settings for tablets and PCs
+
+
+**Applies to**
+
+- Windows 10
+
+>**Looking for consumer information?** See [Cellular settings in Windows 10](https://support.microsoft.com/help/10739/windows-10-cellular-settings)
+
+Enterprises can configure cellular settings for tablets and PC that have built-in cellular modems or plug-in USB modem dongles and apply the settings in a [provisioning package](provisioning-packages/provisioning-packages.md). After the devices are configured, users are automatically connected using the access point name (APN) defined by the enterprise without needing to manually connect.
+
+For users who work in different locations, you can configure one APN to connect when the users are at work and a different APN when the users are traveling.
+
+
+## Prerequisites
+
+- Windows 10, version 1703, desktop editions (Home, Pro, Enterprise, Education)
+
+- Tablet or PC with built-in cellular modem or plug-in USB modem dongle
+
+- [Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md)
+
+- APN (the address that your PC uses to connect to the Internet when using the cellular data connection)
+
+ >[!NOTE]
+ >You can get the APN from your mobile operator.
+
+## How to configure cellular settings in a provisioning package
+
+1. In Windows Configuration Designer, [start a new project](provisioning-packages/provisioning-create-package.md) using the **Advanced provisioning** option.
+
+2. Enter a name for your project, and then click **Next**.
+
+3. Select **All Windows desktop editions**, click **Next**, and then click **Finish**.
+
+4. Go to **Runtime settings > Connections > EnterpriseAPN**.
+
+5. Enter a name for the connection, and then click **Add**.
+
+ 
+
+6. The connection appears in the **Available customizations** pane. Select it to view the settings that you can configure for the connection.
+
+ 
+
+7. The following table describes the settings available for the connection.
+
+ | Setting | Description |
+ | --- | --- |
+ | AlwaysOn | By default, the Connection Manager will automatically attempt to connect to the APN when a connection is available. You can disable this setting. |
+ | APNName | Enter the name of the APN. |
+ | AuthType | You can select **None** (the default), or specify **Auto**, **PAP**, **CHAP**, or **MSCHAPv2** authentication. If you select PAP, CHAP, or MSCHAPv2 authentication, you must also enter a user name and password. |
+ | ClassId | This is a GUID that defines the APN class to the modem. This is only required when **IsAttachAPN** is **true** and the attach APN is not only used as the Internet APN. |
+ | Enabled | By default, the connection is enabled. You can change this setting. |
+ | IccId | This is the Integrated Circuit Card ID (ICCID) associated with the cellular connection profile. |
+ | IPType | By default, the connection can use IPv4 and IPv6 concurrently. You can change this setting to only IPv4, only IPv6, or IPv6 with IPv4 provided by 46xlat. |
+ | IsAttachAPN | Specify whether this APN should be requested as part of an LTE Attach. |
+ | Password | If you select PAP, CHAP, or MSCHAPv2 authentication, enter a password that corresponds to the user name. |
+ | Roaming | Select the behavior that you want when the device is roaming. The options are:-Disallowed-Allowed (default)-DomesticRoaming-Use OnlyForDomesticRoaming-UseOnlyForNonDomesticRoaming-UseOnlyForRoaming |
+ | UserName | If you select PAP, CHAP, or MSCHAPv2 authentication, enter a user name. |
+
+8. After you configure the connection settings, [build the provisioning package](provisioning-packages/provisioning-create-package.md#build-package).
+
+9. [Apply the package to devices.](provisioning-packages/provisioning-apply-package.md)
+
+
+
+
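Review bot: the Roaming row of the settings table (`| Roaming |`) runs its option names together with hyphens and `Use OnlyForDomesticRoaming` has a stray space; since a markdown table cell cannot hold a list, write them inline as `Disallowed`, `Allowed` (default), `DomesticRoaming`, `UseOnlyForDomesticRoaming`, `UseOnlyForNonDomesticRoaming`, `UseOnlyForRoaming`, or move the list to a paragraph under the table. In the intro, "tablets and PC that have" should be "tablets and PCs that have", and the two whitespace-only lines after steps 5 and 6 look like image references that were dropped from the hunk. Because the AuthType, UserName and Password rows put an APN credential into the package, a sentence noting that the resulting .ppkg therefore contains that credential and should be stored and distributed accordingly would help readers.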
diff --git a/windows/configure/images/apn-add-details.PNG b/windows/configure/images/apn-add-details.PNG
new file mode 100644
index 0000000000..caee3d6429
Binary files /dev/null and b/windows/configure/images/apn-add-details.PNG differ
diff --git a/windows/configure/images/apn-add.PNG b/windows/configure/images/apn-add.PNG
new file mode 100644
index 0000000000..0e25e5c0e9
Binary files /dev/null and b/windows/configure/images/apn-add.PNG differ
diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md
index 91ec6739f4..d7207457f6 100644
--- a/windows/deployment/update/waas-manage-updates-wufb.md
+++ b/windows/deployment/update/waas-manage-updates-wufb.md
@@ -36,7 +36,7 @@ Windows Update for Business is a free service that is available for Windows Pro,
Windows Update for Business provides three types of updates to Windows 10 devices:
-- **Feature Updates**: previously referred to as *upgrades*, Feature Updates contain not only security and quality revisions, but also significant feature additions and changes; they are released semi-anually.
+- **Feature Updates**: previously referred to as *upgrades*, Feature Updates contain not only security and quality revisions, but also significant feature additions and changes; they are released semi-annually.
- **Quality Updates**: these are traditional operating system updates, typically released the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as Quality Updates. These non-Windows Updates are known as *Microsoft Updates* and devices can be optionally configured to receive such updates along with their Windows Updates.
- **Non-deferrable updates**: Currently, antimalware and antispyware Definition Updates from Windows Update cannot be deferred.
diff --git a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
index 2ec92b3418..73f648a7ef 100644
--- a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
+++ b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
@@ -825,6 +825,41 @@ Download and run the media creation tool. See [Download windows 10](https://www.
+
+0x80240FFF |
+Occurs when update synchronization fails. It can occur when you are using Windows Server Update Services on its own or when it is integrated with System Center Configuration Manager. If you enable update synchronization before you install hotfix 3095113, WSUS doesn't recognize the Upgrades classification and instead treats the upgrade like a regular update. |
+ You can prevent this by installing hotfix 3095113 before you enable update synchronization. However, if you have already run into this problem, do the following:
+
+
+- Disable the Upgrades classification.
+- Install hotfix 3095113.
+- Delete previously synched updates.
+- Enable the Upgrades classification.
+- Perform a full synch.
+
+For detailed information on how to run these steps check out How to delete upgrades in WSUS.
+ |
+
+
+
+0x8007007E |
+Occurs when update synchronization fails because you do not have hotfix 3095113 installed before you enable update synchronization. Specifically, the CopyToCache operation fails on clients that have already downlaoded the upgrade because Windows Server Update Services has bad metadata related to the upgrade. It can occur when you are using standalone Windows Server Update Services or when WSUS is integrated with System Center Configuration Manager. |
+ Use the following steps to repair Windows Server Update Services. You must run these steps on each WSUS server that synched metadate before you installed the hotfix.
+
+
+- Stop the Windows Update service. Sign in as a user with administrative privileges, and then do the following:
+
+- Open Administrative Tools from the Control Panel.
+- Double-click Services.
+- Find the Windows Update service, right-click it, and then click Stop. If prompted, enter your credentials.
+
+
+- Delete all files and folders under c:\Windows\SoftwareDistribution\DataStore.
+- Restart the Windows Update service.
+
+ |
+
+
### Other error codes
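Review bot: "downlaoded" in the 0x8007007E description and "metadate" in its repair steps are typos (downloaded, metadata), and "synched"/"synch" should be "synced"/"sync". The sentence "check out How to delete upgrades in WSUS" names a document without linking it; add the link. In the 0x8007007E steps the three sub-steps (Open Administrative Tools, Double-click Services, Find the Windows Update service) belong under "Stop the Windows Update service ... do the following:" but are written as sibling bullets, so indent them; as written the list also reads as if the DataStore deletion is a sub-step of stopping the service rather than the next top-level step.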
diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md
index 0ce8558c9c..4e36256cae 100644
--- a/windows/deployment/windows-10-poc-sc-config-mgr.md
+++ b/windows/deployment/windows-10-poc-sc-config-mgr.md
@@ -4,8 +4,7 @@ description: Deploy Windows 10 in a test lab using System Center Configuration M
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
-ms.pagetype: deploy
-keywords: deployment, automate, tools, configure, sccm, configuration manager
+ms.pagetype: deploykeywords: deployment, automate, tools, configure, sccm, configuration manager
localizationpriority: high
author: greg-lindsay
---
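Review bot: the `+ms.pagetype: deploykeywords: deployment, ...` line fuses two front-matter keys into one: the `keywords:` line was deleted and its value appended to `ms.pagetype`, so the page type becomes the string `deploykeywords: deployment, automate, ...` and the keywords metadata is lost. Keep them as two lines, `ms.pagetype: deploy` and `keywords: deployment, automate, tools, configure, sccm, configuration manager`.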
@@ -15,7 +14,6 @@ author: greg-lindsay
**Applies to**
- Windows 10
-
**Important**: This guide leverages the proof of concept (PoC) environment, and some settings that are configured in the following guides:
- [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md)
- [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
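Review bot: removing the blank line between `- Windows 10` and `**Important**: This guide leverages ...` makes the Important paragraph a lazy continuation of the last list item, so it renders inside the bullet instead of as its own paragraph; keep the blank line after the list.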
@@ -26,7 +24,6 @@ The PoC environment is a virtual network running on Hyper-V with three virtual m
- **DC1**: A contoso.com domain controller, DNS server, and DHCP server.
- **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network.
- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been cloned from a physical computer on your corporate network for testing purposes.
-
This guide leverages the Hyper-V server role to perform procedures. If you do not complete all steps in a single session, consider using [checkpoints](https://technet.microsoft.com/library/dn818483.aspx) and [saved states](https://technet.microsoft.com/library/ee247418.aspx) to pause, resume, or restart your work.
>Multiple features and services are installed on SRV1 in this guide. This is not a typical installation, and is only done to set up a lab environment with a bare minimum of resources. However, if less than 4 GB of RAM is allocated to SRV1 in the Hyper-V console, some procedures will be extremely slow to complete. If resources are limited on the Hyper-V host, consider reducing RAM allocation on DC1 and PC1, and then increasing the RAM allocation on SRV1. You can adjust RAM allocation for a VM by right-clicking the VM in the Hyper-V Manager console, clicking **Settings**, clicking **Memory**, and modifying the value next to **Maximum RAM**.
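Review bot: same issue as the earlier hunk: deleting the blank line after `- **PC1**: ...` turns "This guide leverages the Hyper-V server role ..." into a lazy continuation of the PC1 bullet. Keep a blank line between the list and the paragraph.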
@@ -38,7 +35,6 @@ This guide provides end-to-end instructions to install and configure System Cent
Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed.
-
Topic | Description | Time
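Review bot: with the blank line removed, `Topic | Description | Time` now directly follows a paragraph line; whether the table still starts a new block depends on the renderer, so verify the rendered page before merging or keep the blank line, which is harmless.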
@@ -48,8 +44,7 @@ Topics and procedures in this guide are summarized in the following table. An es
|
[Prepare for Zero Touch installation](#prepare-for-zero-touch-installation) | Prerequisite procedures to support Zero Touch installation. | 60 minutes
|
[Create a boot image for Configuration Manager](#create-a-boot-image-for-configuration-manager) | Use the MDT wizard to create the boot image in Configuration Manager. | 20 minutes
|
[Create a Windows 10 reference image](#create-a-windows-10-reference-image) | This procedure can be skipped if it was done previously, otherwise instructions are provided to create a reference image. | 0-60 minutes
- |
[Add a Windows 10 operating system image](#add-a-windows-10-operating-system-image) | Add a Windows 10 operating system image and distribute it. | 10 minutes
- |
[Create a task sequence](#create-a-task-sequence) | Create a Configuration Manager task sequence with MDT integration using the MDT wizard | 15 minutes
+ |
[Add a Windows 10 operating system image](#add-a-windows-10-operating-system-image) | Add a Windows 10 operating system image and distribute it. | 10 minutes |
[Create a task sequence](#create-a-task-sequence) | Create a Configuration Manager task sequence with MDT integration using the MDT wizard | 15 minutes
|
[Finalize the operating system configuration](#finalize-the-operating-system-configuration) | Enable monitoring, configure rules, and distribute content. | 30 minutes
|
[Deploy Windows 10 using PXE and Configuration Manager](#deploy-windows-10-using-pxe-and-configuration-manager) | Deploy Windows 10 using Configuration Manager deployment packages and task sequences. | 60 minutes
|
[Replace a client with Windows 10 using Configuration Manager](#replace-a-client-with-windows-10-using-configuration-manager) | Replace a client computer with Windows 10 using Configuration Manager. | 90 minutes
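Review bot: after this hunk the table lists "Add a Windows 10 operating system image" and "Create a task sequence" twice: the original rows remain as unchanged context lines directly after the reference-image row, and the two `+` lines add them again after the inserted ` |` separator. Remove one pair so each procedure appears once. The added `... | 10 minutes |` row also ends with a trailing pipe while every other row relies on the separate ` |` line; pick one convention for the whole table.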
@@ -60,7 +55,6 @@ Topics and procedures in this guide are summarized in the following table. An es
## Install prerequisites
-
1. Before installing System Center Configuration Manager, we must install prerequisite services and features. Type the following command at an elevated Windows PowerShell prompt on SRV1:
```
@@ -78,7 +72,7 @@ Topics and procedures in this guide are summarized in the following table. An es
This command mounts the .ISO file to drive D on SRV1.
-4. Type the following command at an elevated Windows PowerShell prompt on SRV1 to install SQL Server 2012 SP2:
+4. Type the following command at an elevated Windows PowerShell prompt on SRV1 to install SQL Server:
```
D:\setup.exe /q /ACTION=Install /ERRORREPORTING="False" /FEATURES=SQLENGINE,RS,IS,SSMS,TOOLS,ADV_SSMS,CONN /INSTANCENAME=MSSQLSERVER /INSTANCEDIR="C:\Program Files\Microsoft SQL Server" /SQLSVCACCOUNT="NT AUTHORITY\System" /SQLSYSADMINACCOUNTS="BUILTIN\ADMINISTRATORS" /SQLSVCSTARTUPTYPE=Automatic /AGTSVCACCOUNT="NT AUTHORITY\SYSTEM" /AGTSVCSTARTUPTYPE=Automatic /RSSVCACCOUNT="NT AUTHORITY\System" /RSSVCSTARTUPTYPE=Automatic /ISSVCACCOUNT="NT AUTHORITY\System" /ISSVCSTARTUPTYPE=Disabled /ASCOLLATION="Latin1_General_CI_AS" /SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS" /TCPENABLED="1" /NPENABLED="1" /IAcceptSQLServerLicenseTerms
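Review bot: the step text now says "install SQL Server" with no version while the setup command beneath it is unchanged; if the intent is to make the guide version-agnostic, state which SQL Server versions the command and the mounted .ISO have been tested with. Separately, the command runs the engine, Agent and Reporting Services as `NT AUTHORITY\System` and grants `BUILTIN\ADMINISTRATORS` the sysadmin role; that is fine for a PoC lab, but a one-line note that this is a lab-only configuration would stop readers from copying it into production.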
diff --git a/windows/device-security/TOC.md b/windows/device-security/TOC.md
index ec0aee811a..b5b1477df9 100644
--- a/windows/device-security/TOC.md
+++ b/windows/device-security/TOC.md
@@ -561,6 +561,7 @@
##### [Network access: Remotely accessible registry paths](security-policy-settings/network-access-remotely-accessible-registry-paths.md)
##### [Network access: Remotely accessible registry paths and subpaths](security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md)
##### [Network access: Restrict anonymous access to Named Pipes and Shares](security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md)
+##### [Network access: Restrict clients allowed to make remote calls to SAM](security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md)
##### [Network access: Shares that can be accessed anonymously](security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md)
##### [Network access: Sharing and security model for local accounts](security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md)
##### [Network security: Allow Local System to use computer identity for NTLM](security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md)
diff --git a/windows/device-security/bitlocker/bitlocker-group-policy-settings.md b/windows/device-security/bitlocker/bitlocker-group-policy-settings.md
index bb1822aebb..fd3c05a29a 100644
--- a/windows/device-security/bitlocker/bitlocker-group-policy-settings.md
+++ b/windows/device-security/bitlocker/bitlocker-group-policy-settings.md
@@ -323,7 +323,7 @@ This policy setting is used to set a minimum PIN length when you use an unlock m
|
Policy description |
-With this policy setting, you can configure a minimum length for a TPM startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits, and it can have a maximum length of 20 digits. |
+With this policy setting, you can configure a minimum length for a TPM startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits, and it can have a maximum length of 20 digits. |
Introduced |
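Review bot: changing "minimum length of 4 digits" to "6 digits" without qualification makes the description wrong for any Windows version that still accepts a 4-digit startup PIN; if the 6-digit minimum applies only from a particular Windows 10 version, say so in the policy description or in the "Introduced" row that follows, so readers on older builds do not conclude that 4- and 5-digit PINs are rejected.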
diff --git a/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
new file mode 100644
index 0000000000..f28eab1191
--- /dev/null
+++ b/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
@@ -0,0 +1,154 @@
+---
+title: Network access - Restrict clients allowed to make remote calls to SAM
+description: Security policy setting that controls which users can enumerate users and groups in the local Security Accounts Manager (SAM) database.
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+---
+
+# Network access: Restrict clients allowed to make remote calls to SAM
+
+**Applies to**
+- Windows 10, version 1607 and later
+- Windows 10, version 1511 with [KB 4103198](https://support.microsoft.com/en-us/help/4013198) installed
+- Windows 10, version 1507 with [KB 4012606](https://support.microsoft.com/en-us/help/4012606) installed
+- Windows 8.1 with [KB 4102219](https://support.microsoft.com/en-us/help/4012219/march-2017-preview-of-monthly-quality-rollup-for-windows-8-1-and-windows-server-2012-r2) installed
+- Windows 7 with [KB 4012218](https://support.microsoft.com/en-us/help/4012218/march-2017-preview-of-monthly-quality-rollup-for-windows-7-sp1-and-windows-server-2008-r2-sp1) installed
+- Windows Server 2016
+- Windows Server 2012 R2 with[KB 4012219](https://support.microsoft.com/en-us/help/4012219/march-2017-preview-of-monthly-quality-rollup-for-windows-8-1-and-windows-server-2012-r2) installed
+- Windows Server 2012 with [KB 4012220](https://support.microsoft.com/en-us/help/4012220/march-2017-preview-of-monthly-quality-rollup-for-windows-server-2012) installed
+- Windows Server 2008 R2 with [KB 4012218](https://support.microsoft.com/en-us/help/4012218/march-2017-preview-of-monthly-quality-rollup-for-windows-7-sp1-and-windows-server-2008-r2-sp1) installed
+
+
+The **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting controls which users can enumerate users and groups in the local Security Accounts Manager (SAM) database. The setting was first supported by Windows 10 version 1607 and Windows Server 2016 (RTM) and can be configured on earlier Windows client and server operating systems by installing updates from the the KB articles listed in **Applies to** section of this topic.
+
+This topic describes the default values for this security policy setting in different versions of Windows, related events, and how to enable audit mode before constraining the security principals that are allowed to remotely enumerate users and groups in the SAM so that your environment remains secure without adversely impacting application compatibility.
+
+## Reference
+
+The SAMRPC protocol makes it possible for a low privileged user to query a machine on a network for data. For example, a user can use SAMRPC to enumerate users, including privileged accounts such as local or domain administrators, or to enumerate groups and group memberships from the local SAM and Active Directory. This information can provide important context and serve as a starting point for an attacker to compromise a domain or networking environment.
+
+To mitigate this risk, you can configure the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting to force the security accounts manager (SAM) to do an access check against remote calls. The access check allows or denies remote RPC connections to SAM and Active Directory for users and groups that you define.
+
+By default, the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting is not defined. If you define it, you can edit the default Security Descriptor Definition Language (SDDL) string to explicitly allow or deny users and groups to make remote calls to the SAM. If the policy setting is left blank after the policy is defined, the policy is not enforced.
+
+The default security descriptor on computers beginning with Windows 10 version 1607 and Windows Server 2016 allows only the local (built-in) Administrators group remote access to SAM on non-domain controllers, and allows Everyone access on domain controllers. You can edit the default security descriptor to allow or deny other users and groups, including the built-in Administrators.
+
+The default security descriptor on computers that run earlier versions of Windows does not restrict any remote calls to SAM, but an administrator can edit the security descriptor to enforce restrictions. This less restrictive default allows for testing the impact of enabling restrictions on existing applications.
+
+This means that if you have a mix of computers, such as servers that run both Windows Server 2016 and Windows Server 2012 R2, the servers that run Windows Server 2016 may fail to enumerate accounts by default where the servers that run Windows Server 2012 R2 succeed.
+
+## Possible values
+- Not defined
+- Defined, along with the security descriptor for users and groups who are allowed or denied remote access to local SAM and Active directory using SAMRPC.
+
+## Location
+
+Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
+
+This policy setting controls a string that will contain the SDDL of the security descriptor to be deployed to the following registry setting:
+
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\RestrictRemoteSam
+
+> [!NOTE]
+This policy is implemented similarly to other Network access policies in that there is a single policy element at the registry path listed. There is no notion of a local policy versus an enterprise policy; there is just one policy setting and whichever writes last wins. For example, suppose a local administrator configures this setting as part of a local policy using the Local Security Policy snap-in (Secpol.msc), which edits that same registry path. If an enterprise administrator configures this setting as part of an enterprise GPO, that enterprise GPO will overwrite the same registry path.
+
+## Default values
+Beginning with Windows 10, version 1607 and Windows Server 2016, computers have hard-coded and more restrictive default values than earlier versions of Windows. The different default values help strike a balance where recent Windows versions are more secure by default and older versions don’t undergo any disruptive behavior changes. Computers that run earlier versions of Windows do not perform any access check by default. That includes domain controllers and non-domain controllers. This allows administrators to test whether applying the same restriction (that is, granting READ_CONTROL access only to members of the local Administrators group) will cause compatibility problems for existing applications before implementing this security policy setting in a production environment.
+
+In other words, the hotfix in each KB article provides the necessary code and functionality, but you need to configure the restriction after you install the hotfix—no restrictions are enabled by default after the hotfix is installed on earlier versions of Windows.
+
+### Default values beginning with Windows 10 version 1607 and Windows Server 2016
+The following default values apply to computers beginning with Windows Server 2016 and Windows 10, version 1607. The default security descriptor for non-domain controllers grants RC access (READ_CONTROL, also known as STANDARD_RIGHTS_READ) only to members of the local (built-in) Administrators group.
+
+
+| |Default SDDL |Translated SDDL| Comments
+|---|---|---|---|
+|Domain controller (reading Active Directory|“”|-|Everyone has read permissions to preserve compatibility.
+|Non-domain controller|(O:SYG:SYD:(A;;RC;;;BA)| Owner: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18)
Primary group: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18)
DACL:
• Revision: 0x02
• Size: 0x0020
• Ace Count: 0x001
• Ace[00]------------------------- AceType:0x00
(ACCESS_ALLOWED_ACE_TYPE)
AceSize:0x0018
InheritFlags:0x00
Access Mask:0x00020000
AceSid: BUILTIN\Administrators (Alias) (S-1-5-32-544)
SACL: Not present |Only members of the local (built-in) Administrators group get access.|
+
+### Default values for earlier versions of Windows
+
+The following sections explain how to enable audit only mode to test the restriction while using applications you plan to run.
+
+## Policy management
+
+This section explains how to configure audit-only mode, how to analyze related events that are logged when the Network access: Restrict clients allowed to make remote calls to SAM security policy setting is enabled, and how to configure event throttling to prevent flooding the event log.
+
+### Audit only mode
+
+Audit only mode configures the SAM interface to do the access check against the currently configured security descriptor but will not fail the call if the access check fails. Instead, the call will be allowed, but the SAM interface will log an event describing what would have happened if the feature had been enabled. This provides administrators a way to test their applications before enabling the policy in production. Audit only mode is not configured by default. To configure it, add the following registry setting.
+
+|Registry|Details|
+|---|---|
+|Path|HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa|
+|Setting|RestrictRemoteSamAuditOnlyMode|
+|Data Type|REG_DWORD|
+|Value|1|
+|Notes|This setting cannot be added or removed by using predefined Group Policy settings.
Administrators may create a custom policy to set the registry value if needed.
SAM responds dynamically to changes in this registry value without a reboot.
You can use the [Events 16962 - 16969 Reader](https://gallery.technet.microsoft.com/Events-16962-16969-Reader-2eae5f1d) script to parse the event logs, as explained in the next section.|
+
+### Related events
+
+There are corresponding events that indicate when remote calls to the SAM are restricted, what accounts attempted to read from the SAM database, and more. The following workflow is recommended to identify applications that may be affected by restricting remote calls to SAM:
+1. Dump event logs to a common share.
+2. Parse them with the [Events 16962 - 16969 Reader](https://gallery.technet.microsoft.com/Events-16962-16969-Reader-2eae5f1d) script.
+3. Look for the following events:
+• For domain controllers, events are logged in the Directory Services log in Event Viewer with event source Directory-Service-SAM (from Event ID 16962 to 16969, as listed in the following table).
+• For non-domain controllers, the same event IDs are logged in the System log with event source Directory-Service-SAM.
+4. Identify which security contexts are enumerating users or groups in the SAM database.
+5. Prioritize the callers, determine if they should be allowed or not, then include the allowed callers in the SDDL string.
+
+|Event ID|Event Message Text|Explanation |
+|---|---|---|
+|16962|"Remote calls to the SAM database are being restricted using the default security descriptor: %1.%n "
%2- "Default SD String:" |Emit event when registry SDDL is absent, causing fallback to default hard-coded SDDL (event should include a copy of the default SDDL).|
+|16963|Message Text: "Remote calls to the SAM database are being restricted using the configured registry security descriptor: %1.%n"
%1 - "Registry SD String:" |Emit event when a new SDDL is read from the registry (either on startup or change) and is considered valid. The event includes the source and a copy of the queried SDDL.
+|16964|"The registry security descriptor is malformed: %1.%n Remote calls to the SAM database are being restricted using the default security descriptor: %2.%n"
%1- "Malformed SD String:"
%2- "Default SD String:"|Emit event when registry SDDL is mal-formed, causing fallback to default hard-coded SDDL (event should include a copy of the default SDDL).
+|16965|Message Text: "A remote call to the SAM database has been denied.%nClient SID: %1%n Network address: %2%n"
%1- "Client SID:" %2- "Client Network Address | Emit event when access is denied to a remote client. Event should include identity and network address of the client.
+|16966|Audit Mode is enabled-
Message Text: "Audit only mode is now enabled for remote calls to the SAM database. SAM will log an event for clients who would have been denied access in normal mode. %n"|Emit event whenever training mode (see 16968) is enabled or disabled.
+|16967|Audit Mode is disabled-
Message Text: "Audit only mode is now disabled for remote calls to the SAM database.%n For more information"|Emit event whenever training mode (see 16968) is enabled or disabled.
+|16968| Message Text: "Audit only mode is currently enabled for remote calls to the SAM database.%n The following client would have been normally denied access:%nClient SID: %1 from network address: %2. %n"
%1- "Client SID:"
%2- "Client Network Address:"|Emit event when access would have been denied to a remote client, but was allowed through due to training mode being enabled. Event should include identity and network address of the client.|
+|16969|Message Text: "%2 remote calls to the SAM database have been denied in the past %1 seconds throttling window.%n
"%1- "Throttle window:"
%2- "Suppressed Message Count:"| Throttling may be necessary for some events due to expected high volume on some servers causing the event log to wrap.
Note: There is no throttling of events when audit mode is enabled. Environments with a large number of low-privilege and anonymous querying of the remote database may see large numbers of events logged to the System log. For more info, see the [Event Throttling](#event-throttling) section.
+
+Compare the security context attempting to remotely enumerate accounts with the default security descriptor. Then edit the security descriptor to add accounts that require remote access.
+
+### Event Throttling
+A busy server can flood event logs with events related to the remote enumeration access check. To prevent this, access-denied events are logged once every 15 minutes by default. The length of this period is controlled by the following registry value.
+
+|Registry Path|System\CurrentControlSet\Control\Lsa\
+|---|---|
+Setting |RestrictRemoteSamEventThrottlingWindow|
+Data Type |DWORD|
+|Value|seconds|
+|Reboot Required?|No|
+|Notes|**Default** is 900 seconds – 15mins.
The throttling uses a suppressed events counter which starts at 0 and gets incremented during the throttling window.
For example, X events were suppressed in the last 15 minutes.
The counter is restarted after the event 16969 is logged.
+
+### Restart requirement
+
+Restarts are not required to enable, disable or modify the **Network access: Restrict clients allowed to make remote calls to SAM security** policy setting, including audit only mode. Changes become effective without a device restart when they are saved locally or distributed through Group Policy.
+
+## Security considerations
+
+This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
+
+### Vulnerability
+The SAMRPC protocol has a default security posture that makes it possible for low-privileged attackers to query a machine on the network for data that is critical to their further hacking and penetration plans.
+The following example illustrates how an attacker might exploit remote SAM enumeration:
+1. A low-privileged attacker gains a foothold on a network.
+2. The attacker then queries all machines on the network to determine which ones have a highly privileged domain user configured as a local administrator on that machine.
+3. If the attacker can then find any other vulnerability on that machine that allows taking it over, the attacker can then squat on the machine waiting for the high-privileged user to logon and then steal or impersonate those credentials.
+
+### Countermeasure
+You can mitigate this vulnerability by enabling the **Network access: Restrict clients allowed to make remote calls** to SAM security policy setting and configuring the SDDL for only those accounts that are explicitly allowed access.
+
+### Potential impact
+If the policy is defined, admin tools, scripts and software that formerly enumerated users, groups and group membership may fail. To identify accounts that may be affected, test this setting in [audit only mode](#audit-only-mode).
+
+## Related Topics
+[Security Options](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/security-options)
+
+[SAMRi10 - Hardening SAM Remote Access in Windows 10/Server 2016](https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b)
+
+
\ No newline at end of file
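Review bot: the non-domain-controller default SDDL in the "Default values beginning with Windows 10 version 1607" table is given as `(O:SYG:SYD:(A;;RC;;;BA)`, with a stray opening parenthesis before `O:`; anyone who copies that string into the policy gets a malformed descriptor, which by this page's own event table (event 16964) falls back to the hard-coded default. It should read `O:SYG:SYD:(A;;RC;;;BA)`. Other points in this hunk: in "Applies to", two KB numbers do not match their URLs (`KB 4103198` links to 4013198 and `KB 4102219` links to 4012219) and "with[KB 4012219]" lacks a space; "from the the KB articles" doubles "the"; the `> [!NOTE]` under Location is followed by an unquoted line, so the note body is not inside the callout; the same default-values row, the event table and the Event Throttling table spread single cells over several physical lines, and the throttling table's first three rows lack leading pipes, so none of them will render as tables (use `<br>` inside cells, or move the DACL dump into a code block); "Domain controller (reading Active Directory" is missing its closing parenthesis; the "Default values for earlier versions of Windows" heading has no default-value content under it, and the sentence there belongs to Policy management; the bold spans in "make remote calls to SAM security** policy" and "make remote calls** to SAM" close in the wrong place; and "logon" used as a verb should be "log on".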
diff --git a/windows/device-security/security-policy-settings/security-options.md b/windows/device-security/security-policy-settings/security-options.md
index 2d25a87621..b4896738f7 100644
--- a/windows/device-security/security-policy-settings/security-options.md
+++ b/windows/device-security/security-policy-settings/security-options.md
@@ -82,6 +82,7 @@ For info about setting security policies, see [Configure security policy setting
| [Network access: Remotely accessible registry paths](network-access-remotely-accessible-registry-paths.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Remotely accessible registry paths** security policy setting.|
| [Network access: Remotely accessible registry paths and subpaths](network-access-remotely-accessible-registry-paths-and-subpaths.md)| Describes the best practices, location, values, and security considerations for the **Network access: Remotely accessible registry paths and subpaths** security policy setting. |
| [Network access: Restrict anonymous access to Named Pipes and Shares](network-access-restrict-anonymous-access-to-named-pipes-and-shares.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Restrict anonymous access to Named Pipes and Shares** security policy setting. |
+| [Network access: Restrict clients allowed to make remote calls to SAM](network-access-restrict-clients-allowed-to-make-remote-sam-calls.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting. |
| [Network access: Shares that can be accessed anonymously](network-access-shares-that-can-be-accessed-anonymously.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Shares that can be accessed anonymously** security policy setting. |
| [Network access: Sharing and security model for local accounts](network-access-sharing-and-security-model-for-local-accounts.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Sharing and security model for local accounts** security policy setting. |
| [Network security: Allow Local System to use computer identity for NTLM](network-security-allow-local-system-to-use-computer-identity-for-ntlm.md)| Describes the location, values, policy management, and security considerations for the **Network security: Allow Local System to use computer identity for NTLM** security policy setting. |
diff --git a/windows/threat-protection/change-history-for-threat-protection.md b/windows/threat-protection/change-history-for-threat-protection.md
index 94f62ff897..e9175ab33a 100644
--- a/windows/threat-protection/change-history-for-threat-protection.md
+++ b/windows/threat-protection/change-history-for-threat-protection.md
@@ -14,7 +14,7 @@ This topic lists new and updated topics in the [Threat protection](index.md) doc
## March 2017
|New or changed topic |Description |
|---------------------|------------|
-|[Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Azure Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune.md)|Updated based on Windows 10, version 1703.|
+|[Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune.md)|Updated based on Windows 10, version 1703.|
|[How to collect Windows Information Protection (WIP) audit event logs](windows-information-protection\collect-wip-audit-event-logs.md) |New |
|[Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](windows-information-protection\mandatory-settings-for-wip.md) |Updated based on Windows 10, version 1703. |
|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md) |Updated based on Windows 10, version 1703. |
diff --git a/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md
index 921bf48bbb..b720246c1e 100644
--- a/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md
@@ -1,6 +1,6 @@
---
title: View and organize the Windows Defender ATP Alerts queue
-description: Learn about how the Windows Defender ATP alerts queue work, and how to sort and filter lists of alerts.
+description: Learn about how the Windows Defender ATP alerts queues work, and how to sort and filter lists of alerts.
keywords: alerts, queues, alerts queue, sort, order, filter, manage alerts, new, in progress, resolved, newest, time in queue, severity, time period
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@@ -21,7 +21,7 @@ localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-The **Alerts queue** shows a list of alerts that were flagged from endpoints in your network. Alerts are displayed in queues according to their current status. In any of the queues, you'll see details such as the severity of alerts and the number of machines where the alerts were seen.
+The **Alerts queue** shows a list of alerts that were flagged from endpoints in your network. Alerts are displayed in queues according to their current status. In each queue, you'll see details such as the severity of alerts and the number of machines the alerts were raised on.
Alerts are organized in queues by their workflow status or assignment:
@@ -33,17 +33,17 @@ Alerts are organized in queues by their workflow status or assignment:
To see a list of alerts, click any of the queues under the **Alerts queue** option in the navigation pane.
> [!NOTE]
-> By default, the queues are sorted from newest to oldest.
+> By default, alerts in the queues are sorted from newest to oldest.
## Sort and filter the alerts
-You can sort and filter the alerts by using the available filters or clicking columns that allows you to sort the view in ascending or descending order.
+You can sort and filter the alerts using the available filters or clicking on a column's header that will sort the view in ascending or descending order.

Highlighted area|Area name|Description
:---|:---|:---
1 | Alert filters | Filter the list of alerts by severity, detection source, time period, or change the view from flat to grouped.
-2 | Alert selected | Select an alert to bring up the **Alert management** to manage and see details about the alert.
+2 | Alert selected | Select an alert to bring up the **Alert management** pane to manage and see details about the alert.
3 | Alert management pane | View and manage alerts without leaving the alerts queue view.
### Sort, filter, and group the alerts list
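Review bot: The rewritten sentence under "## Sort and filter the alerts" is still awkward: "using the available filters or clicking on a column's header that will sort the view" mixes two constructions, and "that will sort" reads as a description of the header rather than of the action. Suggest: "You can sort and filter the alerts by using the available filters, or by clicking a column header to sort the view in ascending or descending order."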
@@ -76,9 +76,9 @@ Reviewing the various alerts and their severity can help you decide on the appro
**View**
- **Flat view** - Lists alerts individually with alerts having the latest activity displayed at the top.
-- **Grouped view** - Groups alerts by alert ID, file hash, malware family, or other attribute to enable more efficient alert triage and management. Alert grouping reduces the number of rows in the queue by aggregating alerts together.
+- **Grouped view** - Groups alerts by alert ID, file hash, malware family, or other attribute to enable more efficient alert triage and management. Alert grouping reduces the number of rows in the queue by aggregating similar alerts together.
-The group view allows for efficient alert triage and management.
+The grouped view allows efficient alert triage and management.
### Use the Alert management pane
Selecting an alert brings up the **Alert management** pane where you can manage and see details about the alert.
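Review bot: In the Grouped view bullet, "aggregating similar alerts together" is redundant ("together" adds nothing to "aggregating"); suggest "Alert grouping reduces the number of rows in the queue by aggregating similar alerts."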
diff --git a/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
index 2f6d228d47..914544f7c1 100644
--- a/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
@@ -77,7 +77,7 @@ netsh winhttp set proxy :
For example: netsh winhttp set proxy 10.0.0.6:8080
## Enable access to Windows Defender ATP service URLs in the proxy server
-If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service in port 80 and 443:
+If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service in port 80 and 443:
Primary Domain Controller | .Microsoft.com DNS record
:---|:---
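Review bot: The new condition "or HTTPS scanning (SSL inspection) is enabled" has no matching action: the sentence still only tells the reader to white-list the URLs "to permit communication ... in port 80 and 443", which is the fix for the allow-only-specific-domains case, not for inspection. If the intent is that these URLs must be exempted from HTTPS inspection, say so explicitly, for example "... make sure that the following URLs are white-listed, and excluded from HTTPS inspection, to permit communication ...". Also set the clause off with commas ("... allowing only specific domains through, or HTTPS scanning (SSL inspection) is enabled, make sure ...") so it cannot be read as "specific domains through or HTTPS scanning".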
diff --git a/windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
index 3f71267756..c801b3feab 100644
--- a/windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
@@ -27,7 +27,7 @@ You can define custom alert definitions and indicators of compromise (IOC) using
Before creating custom alerts, you'll need to enable the threat intelligence application in Azure Active Directory and generate access tokens. For more information, see [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md).
### Use the threat intelligence REST API to create custom threat intelligence alerts
-You can call and specify the resource URLs using one of the following operations to access and manipulate a threat intelligence resource, you call and specify the resource URLs using one of the following operations:
+You can call and specify the resource URLs using one of the following operations to access and manipulate a threat intelligence resource:
- GET
- POST
diff --git a/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
index 073acf1b34..a74dd4b020 100644
--- a/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
@@ -134,7 +134,7 @@ This step will guide you in simulating an event in connection to a malicious IP
## Step 4: Explore the custom alert in the portal
This step will guide you in exploring the custom alert in the portal.
-1. Open the [Windows Defender ATP portal](http: /securitycenter.windows.com/) on a browser.
+1. Open the [Windows Defender ATP portal](http://securitycenter.windows.com/) on a browser.
2. Log in with your Windows Defender ATP credentials.
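Review bot: The corrected link uses http:// for the Windows Defender ATP portal, and step 2 immediately asks the reader to log in with their credentials; prefer https://securitycenter.windows.com/ so the documented entry point does not start with a plaintext request.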
diff --git a/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md b/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md
index 6c53aea745..0e76ae6cdd 100644
--- a/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md
+++ b/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md
@@ -28,11 +28,11 @@ Follow these steps to associate your WIP policy with your organization's existin
2. Open the Microsoft Intune mobile application management console, click **Device configuration**, and then click **Create Profile**.
- 
+ 
3. In the **Create Profile** blade, type a name for your profile, such as *Contoso_VPN_Win10*, into the **Name** box, add an optional description for your policy into the **Description** box, select **Windows 10 and later** from the **Platform** dropdown box, select **Custom** from the **Profile type** dropdown box, and then click **Configure**.
- 
+ 
4. In the **Custom OMA-URI Settings** blade, click **Add**.
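Review bot: The two image lines in this hunk (the "- " / "+ " pair between steps 2 and 3, and again between steps 3 and 4) are identical as rendered, so they appear to be whitespace-only or line-ending changes; confirm they are intended (for example an encoding fix) or drop them so the hunk is limited to the Intune rename.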
@@ -48,13 +48,13 @@ Follow these steps to associate your WIP policy with your organization's existin
- **Value.** Type your fully-qualified domain that should be used by the OMA-URI setting. For example, _corp.contoso.com_.
- 
+ 
6. Click **OK** to save your setting info in the **Add Row** blade, and then click **OK** in the **Custom OMA-URI Settings** blade to save the setting with your policy.
7. Click **Create** to create the policy, including your OMA_URI info.
-## Deploy your VPN policy using Microsoft Azure Intune
+## Deploy your VPN policy using Microsoft Intune
After you’ve created your VPN policy, you'll need to deploy it to the same group you deployed your Windows Information Protection (WIP) policy.
**To deploy your Custom VPN policy**
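Review bot: The "- " / "+ " image pair after the **Value.** bullet shows no visible difference, so check it is a deliberate whitespace change. While in this area, the context line for step 7 says "your OMA_URI info" with an underscore, whereas steps 4 and 6 use "OMA-URI"; worth fixing in the same change.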
@@ -70,4 +70,4 @@ After you’ve created your VPN policy, you'll need to deploy it to the same gro

>[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
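Review bot: The replaced NOTE line is identical to the original as rendered, and the new version is marked "\ No newline at end of file", so the net effect of this hunk is to strip the trailing newline from create-vpn-and-wip-policy-using-intune.md; restore the final newline, or drop the hunk if no content change was intended.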
diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md
index 5bcc8e1a05..3b756a14c7 100644
--- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md
+++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md
@@ -342,6 +342,9 @@ After you've added the apps you want to protect with WIP, you'll need to apply a
We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Hide Overrides**.
+>[!NOTE]
+>For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
+
**To add your protection mode**
1. From the **App policy** blade, click the name of your policy, and then click **Required settings** from the menu that appears.
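Review bot: The new NOTE ("For info about how to collect your audit log files, see ...") repeats, almost word for word, the sentence this same change adds to the Allow Overrides row of the mode table a few lines below; keep one of the two. The NOTE is the better place, since Silent mode also writes to the audit log, so drop the repeated sentence from the Allow Overrides row (replacing the Reporting CSP link there is still correct).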
@@ -353,7 +356,7 @@ We recommend that you start with **Silent** or **Allow Overrides** while verifyi
|Mode |Description |
|-----|------------|
|Hide Overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
- |Allow Overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459).|
+ |Allow Overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Allow Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.
After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.|
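Review bot: The Off row of the mode table spans two lines ("... audit your data." on one line and "After you turn off WIP, ..." on the next) before its closing pipe, which breaks the markdown table at that row; put the row on a single line, using `<br>` if a visible break is wanted.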
diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md
index 59a4720f61..4dbf46f1e8 100644
--- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md
+++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md
@@ -339,10 +339,13 @@ After you've added the apps you want to protect with WIP, you'll need to apply a
We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**.
+>[!NOTE]
+>For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
+
|Mode |Description |
|-----|------------|
|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
-|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459). |
+|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. |
|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.|
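Review bot: Removing the Reporting CSP link from the Override row leaves "logging the action to your audit log." with no pointer, which the new NOTE above the table covers; however, the Intune topic in this same change (create-wip-policy-using-intune.md) keeps a link to the collection topic in the corresponding table row while this one does not. Use the same pattern in both topics. Also, the Off row context reads "audit your data.After you turn off", missing a space after the period.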
diff --git a/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md b/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md
index 486fadd600..56341f5155 100644
--- a/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md
+++ b/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md
@@ -1,5 +1,5 @@
---
-title: Deploy your Windows Information Protection (WIP) policy using Microsoft Azure Intune (Windows 10)
+title: Deploy your Windows Information Protection (WIP) policy using Microsoft Intune (Windows 10)
description: After you’ve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices.
ms.assetid: 9c4a01e7-0b1c-4f15-95d0-0389f0686211
keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, Intune
@@ -11,7 +11,7 @@ author: eross-msft
localizationpriority: high
---
-# Deploy your Windows Information Protection (WIP) policy using Microsoft Azure Intune
+# Deploy your Windows Information Protection (WIP) policy using Microsoft Intune
**Applies to:**
- Windows 10, version 1607 and later
@@ -29,15 +29,15 @@ After you’ve created your Windows Information Protection (WIP) policy, you'll
The policy is deployed to the selected users' devices.
- 
+ 
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
## Related topics
-- [Create a Windows Information Protection (WIP) policy using Microsoft Azure Intune](create-wip-policy-using-intune.md)
+- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md)
-- [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Azure Intune](create-vpn-and-wip-policy-using-intune.md)
+- [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
diff --git a/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md
index d00786a7cf..19071542aa 100644
--- a/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md
+++ b/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md
@@ -82,7 +82,8 @@ WIP gives you a new way to manage data policy enforcement for apps and documents
You don’t have to modify line-of-business apps that never touch personal data to list them as allowed apps; just include them in the allowed apps list.
- - **Deciding your level of data access.** WIP lets you hide overrides, allow overrides, or audit employees' data sharing actions. Hiding overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your allowed apps list.
+ - **Deciding your level of data access.** WIP lets you hide overrides, allow overrides, or audit employees' data sharing actions. Hiding overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your allowed apps list. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
+
- **Data encryption at rest.** WIP helps protect enterprise data on local files and on removable media.
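Review bot: The sentence added to the "Deciding your level of data access" bullet is the same pointer this change also inserts as a NOTE above the mode table further down in this file; one is enough, and the bullet is the better place because it is where Silent mode's logging is explained. While touching this line, "take educative action" would read better as "take educational action".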
@@ -123,18 +124,18 @@ Enterprise data is automatically encrypted after it’s loaded on a device from
Your WIP policy includes a list of trusted apps that are allowed to access and process corporate data. This list of apps is implemented through the [AppLocker](/windows/device-security/applocker/applocker-overview) functionality, controlling what apps are allowed to run and letting the Windows operating system know that the apps can edit corporate data. Apps included on this list don’t have to be modified to open corporate data because their presence on the list allows Windows to determine whether to grant them access. However, new for Windows 10, app developers can use a new set of application programming interfaces (APIs) to create *enlightened* apps that can use and edit both enterprise and personal data. A huge benefit to working with enlightened apps is that dual-use apps, like Microsoft Word, can be used with less concern about encrypting personal data by mistake because the APIs allow the app to determine whether data is owned by the enterprise or if it’s personally owned.
+>[!NOTE]
+>For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
+
You can set your WIP policy to use 1 of 4 protection and management modes:
|Mode|Description|
|----|-----------|
|Hide overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.|
-|Allow overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459). |
+|Allow overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log.|
|Silent |WIP runs silently, logging inappropriate data sharing, without stopping anything that would’ve been prompted for employee interaction while in Allow overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
|Off |WIP is turned off and doesn't help to protect or audit your data.
After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.
**Note**
For more info about setting your WIP-protection modes, see either [Create a Windows Information Protection (WIP) policy using Intune](create-wip-policy-using-intune.md) or [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-wip-policy-using-sccm.md), depending on your management solution. |
->[!NOTE]
->For info about how to collect your audit logs, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
-
## Turn off WIP
You can turn off all Windows Information Protection and restrictions, decrypting all devices managed by WIP and reverting to where you were pre-WIP, with no data loss. However, this isn’t recommended. If you choose to turn WIP off, you can always turn it back on, but your decryption and policy info won’t be automatically reapplied.
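Review bot: Moving the NOTE from after the mode table to before "You can set your WIP policy to use 1 of 4 protection and management modes:" puts the audit-log pointer ahead of any mention of audit logging; its previous position, after the table, followed the Allow overrides and Silent rows that describe the logging. Prefer keeping it after the table (with the "audit log files" wording if wanted). Separately, the Off row of the table runs over four lines, including a "**Note**" paragraph, before its closing pipe, which breaks the markdown table; the row text needs to be on one line (use `<br>` for the breaks) and the Note moved out of the table.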
diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md
index f6b99a4592..f819d4326c 100644
--- a/windows/whats-new/whats-new-windows-10-version-1703.md
+++ b/windows/whats-new/whats-new-windows-10-version-1703.md
@@ -171,7 +171,7 @@ For Windows desktops, users are able to reset a forgotten PIN through **Settings
For more details, check out [What if I forget my PIN?](/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password#what-if-i-forget-my-pin).
### Windows Information Protection (WIP) and Azure Active Directory (Azure AD)
-Microsoft Azure Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Azure Intune](/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Azure Intune](/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md).
+Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md).
You can also now collect your audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices). For info, see the brand-new topic, [How to collect Windows Information Protection (WIP) audit event logs](/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs.md).