deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-11 21:07:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

fix errors

Browse Source
This commit is contained in:
Joey Caparas 2017-03-14 12:51:20 -07:00
commit 34fc132f7f
61 changed files with 1678 additions and 363 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
.gitignore vendored
View File

@ -10,7 +10,14 @@ Tools/NuGet/
.openpublishing.build.mdproj
.openpublishing.buildcore.ps1
packages.config
windows/keep-secure/index.md
# User-specific files
.vs/
.vs/
education/windows/index.md
windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
windows/keep-secure/images/atp-add-intune-policy.png
windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md
windows/keep-secure/TOC.md
windows/manage/change-history-for-manage-and-update-windows-10.md
windows/manage/waas-optimize-windows-10-updates.md

3
1.ps1 Normal file
View File

@ -0,0 +1,3 @@
git add .
git commit -m "changes"
git push -u origin vso-10788146

1071
browsers/edge/available-policies.md
View File

File diff suppressed because it is too large Load Diff

5
browsers/edge/change-history-for-microsoft-edge.md
View File

@ -12,6 +12,11 @@ This topic lists new and updated topics in the Microsoft Edge documentation for
For a detailed feature list of what's in the current Microsoft Edge releases, the Windows Insider Preview builds, and what was introduced in previous releases, see the [Microsoft Edge changelog](https://developer.microsoft.com/microsoft-edge/platform/changelog/).
## February 2017
|New or changed topic | Description |
|----------------------|-------------|
|[Available Group Policy and Mobile Data Management (MDM) settings for Microsoft Edge](available-policies.md) |Added new Group Policy and MDM settings for the Windows Insider Program. Reformatted for easier readability outside of scrolling table. |
## November 2016
|New or changed topic | Description |
|----------------------|-------------|

12
browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md
View File

@ -29,7 +29,7 @@ If you're having trouble deciding whether Microsoft Edge is good for your organi
![Microsoft Edge infographic](images/microsoft-edge-infographic-sm.png)<br>
[Click to enlarge](img-microsoft-edge-infographic-lg.md)<br>
[Click to download image](https://www.microsoft.com/en-us/download/details.aspx?id=53892)
[Click to download image](https://www.microsoft.com/download/details.aspx?id=53892)
### Microsoft Edge
Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana.
@ -50,10 +50,10 @@ IE11 offers enterprises additional security, manageability, performance, backwar
- **Administration.** IE11 can use the Internet Explorer Administration Kit (IEAK) 11 or MSIs for deployment, and includes more than 1,600 Group Policies and preferences for granular control.
## Related topics
- [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/en-us/download/details.aspx?id=53892)
- [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/en-us/browser/mt612809.aspx)
- [Download Internet Explorer 11](http://windows.microsoft.com/en-US/internet-explorer/download-ie)
- [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/download/details.aspx?id=53892)
- [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/browser/mt612809.aspx)
- [Download Internet Explorer 11](http://windows.microsoft.com/internet-explorer/download-ie)
- [Microsoft Edge - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/microsoft-edge/index)
- [Internet Explorer 11 - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/index)
- [IEAK 11 - Internet Explorer Administration Kit 11 Users Guide](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-ieak/index)
- [Internet Explorer 11 - FAQ for IT Pros](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-faq/faq-for-it-pros-ie11)
- [IEAK 11 - Internet Explorer Administration Kit 11 Users Guide](https://technet.microsoft.com/itpro/internet-explorer/ie11-ieak/index)
- [Internet Explorer 11 - FAQ for IT Pros](https://technet.microsoft.com/itpro/internet-explorer/ie11-faq/faq-for-it-pros-ie11)

2
browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md
View File

@ -17,7 +17,7 @@ If youre having problems launching your legacy apps while running Internet Ex
1. **For x86 systems or for 32-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**.
2. **For x64 systems or for 64-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\Wow6432Node\.NETFramework` registry key and change the **EnableIEHosting** value to **1**.
2. **For x64 systems or for 64-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\Wow6432Node\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**.
For more information, see the [Web Applications](https://go.microsoft.com/fwlink/p/?LinkId=308903) section of the Application Compatibility in the .NET Framework 4.5 page.

4
browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md
View File

@ -41,8 +41,8 @@ In IE, press **ALT+V** to show the **View** menu, press **T** to enter the **Too
## Where did the search box go?
IE11 uses the **One Box** feature, which lets users type search terms directly into the **Address bar**. Any text entered into the **Address bar** that doesn't appear to be a URL is automatically sent to the currently selected search provider.
**Note**<br>
Depending on how you've set up your intranet search, the text entry might resolve to an intranet site. For more information about this, see [Intranet problems with Internet Explorer 11](intranet-problems-and-ie11.md).
>[!NOTE]
>Depending on how you've set up your intranet search, the text entry might resolve to an intranet site. For more information about this, see [Intranet problems with Internet Explorer 11](intranet-problems-and-ie11.md).
 

5
devices/hololens/TOC.md
View File

@ -1,8 +1,9 @@
# [Microsoft HoloLens](index.md)
## [HoloLens in the enterprise: requirements](hololens-requirements.md)
## [Set up HoloLens](hololens-setup.md)
## [Unlock Windows Holographic Enterprise features](hololens-upgrade-enterprise.md)
## [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md)
## [Enroll HoloLens in MDM](hololens-enroll-mdm.md)
## [Set up HoloLens in kiosk mode](hololens-kiosk.md)
## [Configure HoloLens using a provisioning package](hololens-provisioning.md)
## [Install apps on HoloLens](hololens-install-apps.md)
## [Install apps on HoloLens](hololens-install-apps.md)
## [Change history for Microsoft HoloLens documentation](change-history-hololens.md)

21
devices/hololens/change-history-hololens.md Normal file
View File

@ -0,0 +1,21 @@
---
title: Change history for Microsoft HoloLens documentation
description: This topic lists new and updated topics for HoloLens.
keywords: change history
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub
author: jdeckerMS
localizationpriority: medium
---
# Change history for Microsoft HoloLens documentation
This topic lists new and updated topics in the [Microsoft HoloLens documentation](index.md).
## January 2017
| New or changed topic | Description |
| --- | --- |
| All topics | Changed all references from **Windows Holographic Enterprise** to **Windows Holographic for Business** |

4
devices/hololens/hololens-enroll-mdm.md
View File

@ -11,10 +11,10 @@ localizationpriority: medium
# Enroll HoloLens in MDM
You can manage multiple HoloLens devices simultaneously using solutions like Microsoft InTune. You will be able to manage settings, select apps to install and set security configurations tailored to your organization's need.
You can manage multiple Microsoft HoloLens devices simultaneously using solutions like Microsoft InTune. You will be able to manage settings, select apps to install and set security configurations tailored to your organization's need.
>[!NOTE]
>Mobile device management (MDM) for Development Edition HoloLens does not include VPN, BitLocker, or kiosk mode. Those features are only available when you [upgrade to Windows Holographic Enterprise](hololens-upgrade-enterprise.md).
>Mobile device management (MDM) for the Development edition of HoloLens does not include VPN, BitLocker, or kiosk mode. Those features are only available when you [upgrade to Windows Holographic for Business](hololens-upgrade-enterprise.md).
## Requirements

2
devices/hololens/hololens-install-apps.md
View File

@ -16,7 +16,7 @@ The recommended way to install Universal Windows Platform (UWP) apps on HoloLens
You can also deploy apps using your mobile device management (MDM) provider or use the Windows Device Portal to install apps, if you enable **Developer Mode** on the HoloLens device.
>[!IMPORTANT]
>When you set up HoloLens to use the Device Portal, you must enable **Developer Mode** on the device.** Developer Mode** on a device that has been upgraded to Windows Holographic Enterprise enables side-loading of apps, which risks the installation of apps that have not been certified by the Microsoft Store. Administrators can block the ability to enable **Developer Mode** using the **ApplicationManagement/AllowDeveloper Unlock** setting in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). [Learn more about Developer Mode.](https://msdn.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode)
>When you set up HoloLens to use the Device Portal, you must enable **Developer Mode** on the device.**Developer Mode** on a device that has been upgraded to Windows Holographic for Business enables side-loading of apps, which risks the installation of apps that have not been certified by the Microsoft Store. Administrators can block the ability to enable **Developer Mode** using the **ApplicationManagement/AllowDeveloper Unlock** setting in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). [Learn more about Developer Mode.](https://msdn.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode)
## Use Windows Store for Business to deploy apps to HoloLens

4
devices/hololens/hololens-kiosk.md
View File

@ -18,7 +18,7 @@ Kiosk mode limits the user's ability to launch new apps or change the running ap
1. [Set up the HoloLens to use the Windows Device Portal](https://developer.microsoft.com/windows/holographic/using_the_windows_device_portal#setting_up_hololens_to_use_windows_device_portal). The Device Portal is a web server on your HoloLens that you can connect to from a web browser on your PC.
>[!IMPORTANT]
>When you set up HoloLens to use the Device Portal, you must enable **Developer Mode** on the device. **Developer Mode** on a device that has been upgraded to Windows Holographic Enterprise enables side-loading of apps, which risks the installation of apps that have not been certified by the Microsoft Store. Administrators can block the ability to enable **Developer Mode** using the **ApplicationManagement/AllowDeveloper Unlock** setting in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). [Learn more about Developer Mode.](https://msdn.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode)
>When you set up HoloLens to use the Device Portal, you must enable **Developer Mode** on the device. **Developer Mode** on a device that has been upgraded to Windows Holographic for Business enables side-loading of apps, which risks the installation of apps that have not been certified by the Microsoft Store. Administrators can block the ability to enable **Developer Mode** using the **ApplicationManagement/AllowDeveloper Unlock** setting in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). [Learn more about Developer Mode.](https://msdn.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode)
2. On a PC, connect to the HoloLens using [Wi-Fi](https://developer.microsoft.com/windows/holographic/Using_the_Windows_Device_Portal.html#connecting_over_wi-fi) or [USB](https://developer.microsoft.com/windows/holographic/Using_the_Windows_Device_Portal.html#connecting_over_usb).
@ -32,7 +32,7 @@ Kiosk mode limits the user's ability to launch new apps or change the running ap
![Kiosk Mode](images/kiosk.png)
>[!NOTE]
>The kiosk mode option will be available if the device is [enrolled in device management](hololens-enroll-mdm.md) and has an [Enterprise license](hololens-upgrade-enterprise.md).
>The kiosk mode option will be available if the device is [enrolled in device management](hololens-enroll-mdm.md) and has a [license to upgrade to Windows Holographic for Business](hololens-upgrade-enterprise.md).
5. Select **Enable Kiosk Mode**, choose an app to run when the device starts, and click **Save**.

8
devices/hololens/hololens-provisioning.md
View File

@ -14,7 +14,7 @@ localizationpriority: medium
Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. The Windows Assessment and Deployment Kit (ADK) for Windows 10 includes the Imaging and Configuration Designer (ICD), a tool for configuring images and runtime settings which are then built into provisioning packages.
Some of the HoloLens configurations that you can apply in a provisioning package:
- Upgrade to Windows Holographic Enterprise
- Upgrade to Windows Holographic for Business
- Set up a local account
- Set up a Wi-Fi connection
- Apply certificatess to the device
@ -32,7 +32,7 @@ When you run ADKsetup.exe for Windows 10, version 1607, select **Configuration D
## Create a provisioning package for HoloLens
>[!NOTE]
>Settings in a provisioning package will only be applied if the provisioning package includes an edition upgrade license to Windows Holographic Enterprise or if [the device has already been upgraded to Windows Holographic Enterprise](hololens-upgrade-enterprise.md).
>Settings in a provisioning package will only be applied if the provisioning package includes an edition upgrade license to Windows Holographic for Business or if [the device has already been upgraded to Windows Holographic for Business](hololens-upgrade-enterprise.md).
1. On the Windows ICD start page, select **Advanced provisioning**.
@ -101,7 +101,7 @@ When you run ADKsetup.exe for Windows 10, version 1607, select **Configuration D
Provisioning packages make use of configuration service providers (CSPs). If you're not familiar with CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers).
In Windows ICD, when you create a provisioning package for Windows Holographic, the settings in **Available customizations** are based on [CSPs that are supported in Windows Holographic](https://msdn.microsoft.co/library/windows/hardware/dn920025.aspx#HoloLens). The following table describes settings that you might want to configure for HoloLens.
In Windows ICD, when you create a provisioning package for Windows Holographic, the settings in **Available customizations** are based on [CSPs that are supported in Windows Holographic](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/configuration-service-provider-reference#hololens). The following table describes settings that you might want to configure for HoloLens.
![Common runtime settings for HoloLens](images/icd-settings.png)
@ -110,7 +110,7 @@ In Windows ICD, when you create a provisioning package for Windows Holographic,
| **Accounts** | Create a local account. HoloLens currently supports a single user only. Creating multiple local accounts in a provisioning package is not supported. <br><br>**IMPORTANT**<br>If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. If the user account is locked out, you must [perform a full device recovery](https://developer.microsoft.com/windows/holographic/reset_or_recover_your_hololens#perform_a_full_device_recovery). |
| **Certificates** | Deploy a certificate to HoloLens. |
| **ConnectivityProfiles** | Deploy a Wi-Fi profile to HoloLens. |
| **EditionUpgrade** | [Upgrade to Windows Holographic Enterprise.](hololens-upgrade-enterprise.md) |
| **EditionUpgrade** | [Upgrade to Windows Holographic for Business.](hololens-upgrade-enterprise.md) |
| **Policies** | Allow or prevent developer mode on HoloLens. |
>[!NOTE]

10
devices/hololens/hololens-requirements.md
View File

@ -36,7 +36,7 @@ When you develop for HoloLens, there are [system requirements and tools](https:/
- Wi-Fi network
- Intune or a 3rd party mobile device management (MDM) provider that uses Microsoft MDM APIs
## Upgrade to Windows Holographic Enterprise
## Upgrade to Windows Holographic for Business
- HoloLens Enterprise license XML file
@ -45,11 +45,11 @@ When you develop for HoloLens, there are [system requirements and tools](https:/
## Related resources
[Getting started with Azure Active Directory Premium](https://azure.microsoft.com/en-us/documentation/articles/active-directory-get-started-premium/)
[Getting started with Azure Active Directory Premium](https://azure.microsoft.com/documentation/articles/active-directory-get-started-premium/)
[Get started with Intune](https://docs.microsoft.com/en-us/intune/understand-explore/get-started-with-a-30-day-trial-of-microsoft-intune)
[Get started with Intune](https://docs.microsoft.com/intune/understand-explore/get-started-with-a-30-day-trial-of-microsoft-intune)
[Enroll devices for management in Intune](https://docs.microsoft.com/en-us/intune/deploy-use/enroll-devices-in-microsoft-intune#supported-device-platforms)
[Enroll devices for management in Intune](https://docs.microsoft.com/intune/deploy-use/enroll-devices-in-microsoft-intune#supported-device-platforms)
[Azure AD editions](https://azure.microsoft.com/en-us/documentation/articles/active-directory-editions/)
[Azure AD editions](https://azure.microsoft.com/documentation/articles/active-directory-editions/)

10
devices/hololens/hololens-upgrade-enterprise.md
View File

@ -1,6 +1,6 @@
---
title: Unlock Windows Holographic Enterprise features (HoloLens)
description: HoloLens provides extra features designed for business when you upgrade to Windows Holographic Enterprise.
title: Unlock Windows Holographic for Business features (HoloLens)
description: HoloLens provides extra features designed for business when you upgrade to Windows Holographic for Business.
ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: hololens, devices
@ -9,14 +9,14 @@ author: jdeckerMS
localizationpriority: medium
---
# Unlock Windows Holographic Enterprise features
# Unlock Windows Holographic for Business features
Microsoft HoloLens is available in the *Development Edition*, which runs Windows Holographic (an edition of Windows 10 designed for HoloLens), and in the [Commercial Suite](https://developer.microsoft.com/windows/holographic/release_notes#introducing_microsoft_hololens_commercial_suite), which provides extra features designed for business.
When you purchase the Commercial Suite, you receive a license that upgrades Windows Holographic to Windows Holographic Enterprise. This license can be applied to the device either through the organization's [mobile device management (MDM) provider](#edition-upgrade-using-mdm) or a [provisioning package](#edition-upgrade-using-a-provisioning-package).
When you purchase the Commercial Suite, you receive a license that upgrades Windows Holographic to Windows Holographic for Business. This license can be applied to the device either through the organization's [mobile device management (MDM) provider](#edition-upgrade-using-mdm) or a [provisioning package](#edition-upgrade-using-a-provisioning-package).
>[!TIP]
>You can tell that the HoloLens has been upgraded to the Enterprise edition in **Settings** > **Network & Internet**. The **VPN** option is only available in Windows Holographic Enterprise.
>You can tell that the HoloLens has been upgraded to the business edition in **Settings** > **Network & Internet**. The **VPN** option is only available in Windows Holographic for Business.

BIN
devices/hololens/images/upgrade-flow.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 47 KiB

4
devices/hololens/index.md
View File

@ -13,7 +13,7 @@ localizationpriority: medium
<table><tbody>
<tr><td style="border: 0px;width: 75%;valign= top"><p>Microsoft HoloLens is the first fully self-contained holographic computer running Windows 10.</p><p> Microsoft HoloLens is available in the **Development Edition**, which runs Windows Holographic (an edition of Windows 10 designed for HoloLens), and in the **Commercial Suite**, which runs Windows Holographic Enterprise when you apply the Enterprise license file to the device.</p></td><td align="left" style="border: 0px">![Hololens](images/hololens.png)</td></tr>
<tr><td style="border: 0px;width: 75%;valign= top"><p>Microsoft HoloLens is the first fully self-contained holographic computer running Windows 10.</p><p> Microsoft HoloLens is available in the **Development Edition**, which runs Windows Holographic (an edition of Windows 10 designed for HoloLens), and in the **Commercial Suite**, which runs Windows Holographic for Business when you apply the Enterprise license file to the device.</p></td><td align="left" style="border: 0px">![Hololens](images/hololens.png)</td></tr>
</tbody></table>
## In this section
@ -22,7 +22,7 @@ localizationpriority: medium
| --- | --- |
| [HoloLens in the enterprise: requirements](hololens-requirements.md) | Lists requirements for general use, Wi-Fi, and device management |
| [Set up HoloLens](hololens-setup.md) | How to set up HoloLens for the first time |
| [Unlock Windows Holographic Enterprise features](hololens-upgrade-enterprise.md) | How to upgrade your Development Edition HoloLens to Windows Holographic Enterprise|
| [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md) | How to upgrade your Development Edition HoloLens to Windows Holographic for Business|
| [Enroll HoloLens in MDM](hololens-enroll-mdm.md) | Manage multiple HoloLens devices simultaneously using solutions like Microsoft InTune |
| [Set up HoloLens in kiosk mode](hololens-kiosk.md) | Enable kiosk mode for HoloLens, which limits the user's ability to launch new apps or change the running app |
| [Configure HoloLens using a provisioning package](hololens-provisioning.md) | Provisioning packages make it easy for IT administrators to configure HoloLens devices without imaging |

5
devices/surface-hub/TOC.md
View File

@ -5,7 +5,8 @@
#### [Physically install Microsoft Surface Hub](physically-install-your-surface-hub-device.md)
#### [Create and test a device account](create-and-test-a-device-account-surface-hub.md)
##### [Online deployment](online-deployment-surface-hub-device-accounts.md)
##### [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md)
##### [On-premises deployment (single forest)](on-premises-deployment-surface-hub-device-accounts.md)
##### [On-premises deployment (multiple forests)](on-premises-deployment-surface-hub-multi-forest.md)
##### [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md)
##### [Create a device account using UI](create-a-device-account-using-office-365.md)
##### [Microsoft Exchange properties](exchange-properties-for-surface-hub-device-accounts.md)
@ -35,5 +36,7 @@
#### [Using a room control system](use-room-control-system-with-surface-hub.md)
### [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md)
### [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md)
## [Useful downloads for Surface Hub administrators](surface-hub-downloads.md)
## [Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md)
## [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md)
## [Change history for Surface Hub](change-history-surface-hub.md)

8
devices/surface-hub/change-history-surface-hub.md
View File

@ -14,10 +14,18 @@ localizationpriority: medium
This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md).
## February 2017
| New or changed topic | Description |
| --- | --- |
| [Useful downloads for Surface Hub administrators](surface-hub-downloads.md) | New |
## January 2017
| New or changed topic | Description |
| --- | --- |
| [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md) | New |
| [On-premises deployment (multiple forests)](on-premises-deployment-surface-hub-multi-forest.md) | New |
| [Connect other devices and display with Surface Hub](connect-and-display-with-surface-hub.md) | Added graphics cards verified to work with 84" Surface Hubs and added information about the lengths of cables. |
| [Online deployment](online-deployment-surface-hub-device-accounts.md) | Updated procedures for adding a device account for your Microsoft Surface Hub when you have a pure, online deployment. |

3
devices/surface-hub/create-and-test-a-device-account-surface-hub.md
View File

@ -46,7 +46,8 @@ For detailed steps using PowerShell to provision a device account, choose an opt
| Organization deployment | Description |
|---------------------------------|--------------------------------------|
| [Online deployment (Office 365)](online-deployment-surface-hub-device-accounts.md) | Your organization's environment is deployed entirely on Office 365. |
| [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md) | Your organization has servers that it controls and uses to host Active Directory, Exchange, and Skype for Business (or Lync). |
| [On-premises deployment (single-forest)](on-premises-deployment-surface-hub-device-accounts.md) | Your organization has servers that it controls and uses to host Active Directory, Exchange, and Skype for Business (or Lync) in a single-forest environment. |
| [On-premises deployment (multiple forests)](on-premises-deployment-surface-hub-multi-forest.md) | Your organization has servers that it controls and uses to host Active Directory, Exchange, and Skype for Business (or Lync) in a multi-forest environment. |
| [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md) | Your organization has a mix of services, with some hosted on-premises and some hosted online through Office 365. |
If you prefer to use a graphical user interface, some steps can be done using UI instead of PowerShell.

22
devices/surface-hub/device-reset-suface-hub.md
View File

@ -1,22 +0,0 @@
---
title: Device reset (Surface Hub)
description: You may wish to reset your Microsoft Surface Hub.
ms.assetid: 44E82EEE-1905-464B-A758-C2A1463909FF
redirect_url: https://technet.microsoft.com/itpro/surface-hub/device-reset-surface-hub
keywords: reset Surface Hub
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub
author: TrudyHa
---
 
 

6
devices/surface-hub/device-reset-surface-hub.md
View File

@ -31,9 +31,11 @@ Initiating a reset will return the device to the last cumulative Windows update,
- Configurations from MDM or the Settings app
> [!IMPORTANT]
> Performing a device reset may take up to 2 hours. Do not interrupt the reset process. Interrupting the process will render the device inoperable, requiring warranty service to return to normal functionality.
> Performing a device reset may take up to 6 hours. Do not turn off or unplug the Surface Hub until the process has completed. Interrupting the process will render the device inoperable, requiring warranty service to return to normal functionality.
After the reset, Surface Hub restarts the [first run program](first-run-program-surface-hub.md) again.
After the reset, Surface Hub restarts the [first run program](first-run-program-surface-hub.md) again. If the Surface Hub displays a Welcome screen, that indicates that the reset encountered a problem and rolled back to the previously existing OS image.
If you see a blank screen for long periods of time during the **Reset device** process, please wait and do not take any action.
## Reset a Surface Hub from Settings

3
devices/surface-hub/first-run-program-surface-hub.md
View File

@ -60,7 +60,8 @@ If the default values shown are correct, then you can click **Next** to go on. O
### What happens?
>**Note**  Once the settings on this page are entered, you can't come back to this screen unless you reset the device (see [Device reset](device-reset-suface-hub.md)). Make sure that the settings are properly configured before proceeding.
>[!NOTE]
> Once the settings on this page are entered, you can't come back to this screen unless you reset the device (see [Device reset](device-reset-surface-hub.md)). Make sure that the settings are properly configured before proceeding.
 

34
devices/surface-hub/index.md
View File

@ -6,35 +6,25 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: surfacehub
author: TrudyHa
author: jdeckerMS
localizationpriority: medium
---
# Microsoft Surface Hub
Documents related to the Microsoft Surface Hub.
Documents related to deploying and managing the Microsoft Surface Hub in your organization.
>[Looking for the user's guide for Surface Hub?](https://www.microsoft.com/surface/support/surface-hub)
## In this section
| Topic | Description |
| --- | --- |
| [Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md) | This guide covers the installation and administration of devices running Surface Hub, and is intended for use by anyone responsible for these tasks, including IT administrators and developers.|
| [Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md) | This topic explains the differences between the operating system on Surface Hub and Windows 10 Enterprise. |
| [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md) | This topic provides guidance on Wi-Fi Direct security risks, how the Surface Hub has addressed those risks, and how Surface Hub administrators can configure the device for the highest level of security. |
| [Useful downloads for Surface Hub administrators](surface-hub-downloads.md) | This topic provides links to useful Surface Hub documents, such as product datasheets, the site readiness guide, and user's guide. |
| [Change history for Surface Hub](change-history-surface-hub.md) | This topic lists new and updated topics in the Surface Hub documentation. |
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Topic</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)</p></td>
<td align="left"><p>This guide covers the installation and administration of devices running Surface Hub, and is intended for use by anyone responsible for these tasks, including IT administrators and developers.</p></td>
</tr>
<tr><td>[Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md)</td><td>This topic explains the differences between the operating system on Surface Hub and Windows 10 Enterprise.</td></tr><tr>
<td>[Change history for Surface Hub](change-history-surface-hub.md)</td><td>This topic lists new and updated topis in the Surface Hub documentation.</td></tr>
</tbody>
</table>

5
devices/surface-hub/install-apps-on-surface-hub.md
View File

@ -16,10 +16,9 @@ localizationpriority: medium
You can install additional apps on your Surface Hub to fit your team or organization's needs. There are different methods for installing apps depending on whether you are developing and testing an app, or deploying a released app. This topic describes methods for installing apps for either scenario.
A few things to know about apps on Surface Hub:
- Surface Hub only runs [Universal Windows Platform (UWP) apps](https://msdn.microsoft.com/windows/uwp/get-started/whats-a-uwp).
- Surface Hub only runs [Universal Windows Platform (UWP) apps](https://msdn.microsoft.com/windows/uwp/get-started/whats-a-uwp). See a [list of apps that work with Surface Hub](https://www.microsoft.com/surface/support/surface-hub/surface-hub-apps).
- Apps must be targeted for the [Universal device family](https://msdn.microsoft.com/library/windows/apps/dn894631).
- By default, apps must be Store-signed to be installed. During testing and development, you can also choose to run developer-signed UWP apps by placing the device in developer mode.
- When submitting an app to the Windows Store, developers need to set Device family availability and Organizational licensing options to make sure an app will be available to run on Surface Hub.
- By default, apps must be Store-signed to be installed. During testing and development, you can also choose to run developer-signed UWP apps by placing the device in developer mode.- When submitting an app to the Windows Store, developers need to set Device family availability and Organizational licensing options to make sure an app will be available to run on Surface Hub.
- You need admin credentials to install apps on your Surface Hub. Since the device is designed to be used in communal spaces like meeting rooms, people can't access the Windows Store to download and install apps.

35
devices/surface-hub/manage-windows-updates-for-surface-hub.md
View File

@ -17,7 +17,7 @@ New releases of the Surface Hub operating system are published through Windows U
- **Windows Update for Business** - New in Windows 10, Windows Update for Business is a set of features designed to provide enterprises additional control over how and when Windows Update installs releases, while reducing device management costs. Using this method, Surface Hubs are directly connected to Microsofts Windows Update service.
- **Windows Server Update Services (WSUS)** - Set of services that enable IT administrators to obtain the updates that Windows Update determines are applicable to the devices in their enterprise, perform additional testing and evaluation on the updates, and select the updates they want to install. Using this method, Surface Hubs will receive updates from WSUS rather than Windows Update.
You can also configure Surface Hub to receive updates from both Windows Update for Business and WSUS. See [Integrate Windows Update for Business with Windows Server Update Services](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-integrate-wufb#integrate-windows-update-for-business-with-windows-server-update-services) for details.
You can also configure Surface Hub to receive updates from both Windows Update for Business and WSUS. See [Integrate Windows Update for Business with Windows Server Update Services](https://technet.microsoft.com/itpro/windows/manage/waas-integrate-wufb#integrate-windows-update-for-business-with-windows-server-update-services) for details.
| Capabilities | Windows Update for Business | Windows Server Update Services (WSUS) |
| ------------ | --------------------------- | ------------------------------------- |
@ -27,7 +27,7 @@ You can also configure Surface Hub to receive updates from both Windows Update f
| Define maintenance windows for installing updates. | Yes | Yes |
> [!TIP]
> Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Optimize update delivery for Windows 10 updates](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-optimize-windows-10-updates) for details.
> Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Optimize update delivery for Windows 10 updates](https://technet.microsoft.com/itpro/windows/manage/waas-optimize-windows-10-updates) for details.
> [!NOTE]
> Surface Hub does not currently support rolling back updates.
@ -45,11 +45,11 @@ In order to improve release quality and simplify deployments, all new releases t
The Surface Hub operating system is available on **Current Branch (CB)** and **Current Branch for Business (CBB)**. Like other editions of Windows 10, the servicing lifetime of CB or CBB is finite. You must install new feature updates on machines running these branches in order to continue receiving quality updates.
For more information on Windows as a Service, see [Overview of Windows as a service](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview).
For more information on Windows as a Service, see [Overview of Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview).
## Use Windows Update for Business
Surface Hubs, like all Windows 10 devices, include **Windows Update for Business (WUfB)** to enable you to control how your devices are being updated. Windows Update for Business helps reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. For more information, see [Manage updates using Windows Update for Business](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-manage-updates-wufb).
Surface Hubs, like all Windows 10 devices, include **Windows Update for Business (WUfB)** to enable you to control how your devices are being updated. Windows Update for Business helps reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. For more information, see [Manage updates using Windows Update for Business](https://technet.microsoft.com/itpro/windows/manage/waas-manage-updates-wufb).
**To set up Windows Update for Business:**
1. [Group Surface Hub into deployment rings](#group-surface-hub-into-deployment-rings)
@ -57,11 +57,12 @@ Surface Hubs, like all Windows 10 devices, include **Windows Update for Business
2. [Configure when Surface Hub receives updates](#configure-when-surface-hub-receives-updates).
> [!NOTE]
> You can use Microsoft Intune, System Center Configuration Manager, or a supported third-party MDM provider to set up WUfB. [Walkthrough: use Microsoft Intune to configure Windows Update for Business.](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-wufb-intune)
> You can use Microsoft Intune, System Center Configuration Manager, or a supported third-party MDM provider to set up WUfB. [Walkthrough: use Microsoft Intune to configure Windows Update for Business.](https://technet.microsoft.com/itpro/windows/manage/waas-wufb-intune)
### Group Surface Hub into deployment rings
Use deployment rings to control when updates roll out to your Surface Hubs, giving you time to validate them. For example, you can update a small pool of devices first to verify quality before a broader roll-out to your organization. Depending on who manages Surface Hub in your organization, consider incorporating Surface Hub into the deployment rings that you've built for your other Windows 10 devices. For more information about deployment rings, see [Build deployment rings for Windows 10 updates](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-deployment-rings-windows-10-updates).
Use deployment rings to control when updates roll out to your Surface Hubs, giving you time to validate them. For example, you can update a small pool of devices first to verify quality before a broader roll-out to your organization. Depending on who manages Surface Hub in your organization, consider incorporating Surface Hub into the deployment rings that you've built for your other Windows 10 devices. For more information about deployment rings, see [Build deployment rings for Windows 10 updates](https://technet.microsoft.com/itpro/windows/manage/waas-deployment-rings-windows-10-updates).
This table gives examples of deployment rings.
@ -74,22 +75,22 @@ This table gives examples of deployment rings.
### Configure Surface Hub to use Current Branch or Current Branch for Business
By default, Surface Hubs are configured to receive updates from Current Branch (CB). CB receives feature updates as soon as they are released by Microsoft. Current Branch for Business (CBB), on the other hand, receives feature updates at least four months after they have been initially offered to CB devices, and includes all of the quality updates that have been released in the interim. For more information on the differences between CB and CBB, see [Servicing branches](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview#servicing-branches).
By default, Surface Hubs are configured to receive updates from Current Branch (CB). CB receives feature updates as soon as they are released by Microsoft. Current Branch for Business (CBB), on the other hand, receives feature updates at least four months after they have been initially offered to CB devices, and includes all of the quality updates that have been released in the interim. For more information on the differences between CB and CBB, see [Servicing branches](https://technet.microsoft.com/itpro/windows/manage/waas-overview#servicing-branches).
**To manually configure Surface Hub to use CB or CBB:**
1. Open **Settings** > **Update & Security** > **Windows Update**, and then select **Advanced Options**.
2. Select **Defer feature updates**.
To configure Surface Hub to use CB or CBB remotely using MDM, set an appropriate [Update/BranchReadinessLevel](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) policy.
To configure Surface Hub to use CB or CBB remotely using MDM, set an appropriate [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) policy.
### Configure when Surface Hub receives updates
Once you've determined deployment rings for your Surface Hubs, configure update deferral policies for each ring:
- To defer feature updates, set an appropriate [Update/DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) policy for each ring.
- To defer quality updates, set an appropriate [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) policy for each ring.
- To defer feature updates, set an appropriate [Update/DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) policy for each ring.
- To defer quality updates, set an appropriate [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) policy for each ring.
> [!NOTE]
> If you encounter issues during the update rollout, you can pause updates using [Update/PauseFeatureUpdates](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) and [Update/PauseQualityUpdates](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates).
> If you encounter issues during the update rollout, you can pause updates using [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) and [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates).
## Use Windows Server Update Services
@ -102,8 +103,16 @@ You can connect Surface Hub to your Windows Server Update Services (WSUS) server
3. Navigate to **Update & security** > **Windows Update** > **Advanced options** > **Configure Windows Server Update Services (WSUS) server**.
4. Click **Use WSUS Server to download updates** and type the URL of your WSUS server.
To connect Surface Hub to a WSUS server using MDM, set an appropriate [Update/UpdateServiceUrl](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) policy.
To connect Surface Hub to a WSUS server using MDM, set an appropriate [Update/UpdateServiceUrl](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) policy.
**If you use a proxy server or other method to block URLs**
If you use a method other than WSUS to block specific URLs and prevent updates, you will need to add the following Windows update trusted site URLs to the “allow list”:
- `http(s)://*.update.microsoft.com`
- `http://download.windowsupdate.com`
- `http://windowsupdate.microsoft.com`
Once the Windows 10 Team Anniversary Update is installed, you can remove these addresses to return your Surface Hub to its previous state.
## Maintenance window
@ -126,7 +135,7 @@ A default maintenance window is set for all new Surface Hubs:
2. Navigate to **Update & security** > **Windows Update** > **Advanced options**.
3. Under **Maintenance hours**, select **Change**.
To change the maintenance window using MDM, set the **MOMAgent** node in the [SurfaceHub configuration service provider](https://msdn.microsoft.com/en-us/library/windows/hardware/mt608323.aspx). See [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) for more details.
To change the maintenance window using MDM, set the **MOMAgent** node in the [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx). See [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) for more details.
## Related topics

3
devices/surface-hub/monitor-surface-hub.md
View File

@ -101,6 +101,9 @@ This table describes the sample queries in the Surface Hub solution:
For Surface Hub to connect to and register with the OMS service, it must have access to the port number of your domains and the URLs. This table list the ports that OMS needs. For more information, see [Configure proxy and firewall settings in Log Analytics](https://azure.microsoft.com/documentation/articles/log-analytics-proxy-firewall/).
>[!NOTE]
>Surface Hub does not currently support the use of a proxy server to communicate with the OMS service.
| Agent resource | Ports | Bypass HTTPS inspection? |
| --------------------------- | ----- | ------------------------ |
| *.ods.opinsights.azure.com | 443 | Yes |

6
devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
View File

@ -1,5 +1,5 @@
---
title: On-premises deployment (Surface Hub)
title: On-premises deployment single forest (Surface Hub)
description: This topic explains how you add a device account for your Microsoft Surface Hub when you have a single-forest, on-premises deployment.
ms.assetid: 80E12195-A65B-42D1-8B84-ECC3FCBAAFC6
keywords: single forest deployment, on prem deployment, device account, Surface Hub
@ -11,12 +11,12 @@ author: TrudyHa
localizationpriority: medium
---
# On-premises deployment (Surface Hub)
# On-premises deployment for Surface Hub in a single-forest environment
This topic explains how you add a device account for your Microsoft Surface Hub when you have a single-forest, on-premises deployment.
If you have a single-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premise-ps-scripts) to create device accounts. If youre using a multi-forest deployment, you can use equivalent cmdlets that will produce the same results. Those cmdlets are described in this section.
If you have a single-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premise-ps-scripts) to create device accounts. If youre using a multi-forest deployment, see [On-premises deployment for Surface Hub in a multi-forest environment](on-premises-deployment-surface-hub-multi-forest.md).
1. Start a remote PowerShell session from a PC and connect to Exchange.

105
devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md Normal file
View File

@ -0,0 +1,105 @@
---
title: On-premises deployment multi-forest (Surface Hub)
description: This topic explains how you add a device account for your Microsoft Surface Hub when you have a multi-forest, on-premises deployment.
ms.assetid: 80E12195-A65B-42D1-8B84-ECC3FCBAAFC6
keywords: multi forest deployment, on prem deployment, device account, Surface Hub
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: surfacehub
author: jdeckerMS
localizationpriority: medium
---
# On-premises deployment for Surface Hub in a multi-forest environment
This topic explains how you add a device account for your Microsoft Surface Hub when you have a multi-forest, on-premises deployment.
If you have a multi-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premise-ps-scripts) to create device accounts. If youre using a single-forest deployment, see [On-premises deployment for Surface Hub in a single-forest environment](on-premises-deployment-surface-hub-device-accounts.md).
1. Start a remote PowerShell session from a PC and connect to Exchange.
Be sure you have the right permissions set to run the associated cmdlets.
Note here that `$strExchangeServer` is the fully qualified domain name (FQDN) of your Exchange server, and `$strLyncFQDN` is the FQDN of your Skype for Business server.
```PowerShell
Set-ExecutionPolicy Unrestricted
$org='contoso.microsoft.com'
$cred=Get-Credential $admin@$org
$sessExchange = New-PSSession -ConfigurationName microsoft.exchange -Credential $cred -AllowRedirection -Authentication Kerberos -ConnectionUri "http://$strExchangeServer/powershell" -WarningAction SilentlyContinue
$sessLync = New-PSSession -Credential $cred -ConnectionURI "https://$strLyncFQDN/OcsPowershell" -AllowRedirection -WarningAction SilentlyContinue
Import-PSSession $sessExchange
Import-PSSession $sessLync
```
2. After establishing a session, create a new mailbox in the Resource Forest. This will allow the account to authenticate into the Surface Hub.
If you're changing an existing resource mailbox:
```PowerShell
New-Mailbox -UserPrincipalName HUB01@contoso.com -Alias HUB01 -Name "Hub-01"
```
3. After setting up the mailbox, you will need to either create a new Exchange ActiveSync policy, or use a compatible existing policy.
Surface Hubs are only compatible with device accounts that have an ActiveSync policy where the **PasswordEnabled** property is set to **False**. If this isnt set properly, then Exchange services on the Surface Hub (mail, calendar, and joining meetings), will not be enabled.
If you havent created a compatible policy yet, use the following cmdlet-—this one creates a policy called "Surface Hubs". Once its created, you can apply the same policy to other device accounts.
```PowerShell
$easPolicy = New-MobileDeviceMailboxPolicy -Name “SurfaceHubs” -PasswordEnabled $false
```
Once you have a compatible policy, then you will need to apply the policy to the device account.
```PowerShell
Set-CASMailbox $acctUpn -ActiveSyncMailboxPolicy $easPolicy -ActiveSyncEnabled $true
Set-Mailbox $acctUpn -Type Room
```
4. Various Exchange properties can be set on the device account to improve the meeting experience for people. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section.
```PowerShell
Set-CalendarProcessing -Identity $acctUpn -AutomateProcessing AutoAccept -AddOrganizerToSubject $false AllowConflicts $false DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false
Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!"
```
5. If you decide to have the password not expire, you can set that with PowerShell cmdlets too. See [Password management](password-management-for-surface-hub-device-accounts.md) for more information. This should be set in the User Forest.
```PowerShell
Set-AdUser $acctUpn -PasswordNeverExpires $true
```
6. Enable the account in Active Directory so it will authenticate to the Surface Hub. This should be set in the User Forest.
```PowerShell
Set-AdUser $acctUpn -Enabled $true
```
6. You now need to change the room mailbox to a linked mailbox:
```PowerShell
$cred=Get-Credential AuthForest\LinkedRoomTest1
Set-mailbox -Alias LinkedRoomTest1 -LinkedMasterAccount AuthForest\LinkedRoomTest1 -LinkedDomainController AuthForest-4939.AuthForest.extest.contoso.com -Name LinkedRoomTest1 -LinkedCredential $cred -Identity LinkedRoomTest1
```
7. Enable the device account with Skype for Business by enabling your Surface Hub AD account on a Skype for Business Server pool:
```PowerShell
Enable-CsMeetingRoom -SipAddress "sip:HUB01@contoso.com"
-DomainController DC-ND-001.contoso.com -RegistrarPool LYNCPool15.contoso.com
-Identity HUB01
```
You'll need to use the Session Initiation Protocol (SIP) address and domain controller for the Surface Hub, along with your own Skype for Business Server pool identifier and user identity.
 

6
devices/surface-hub/prepare-your-environment-for-surface-hub.md
View File

@ -24,10 +24,10 @@ Review these dependencies to make sure Surface Hub features will work in your IT
|-------------------------------------------------------|-------------------------------------------------------|
| Active Directory or Azure Active Directory (Azure AD) | <p>The Surface Hub's uses an Active Directory or Azure AD account (called a **device account**) to access Exchange and Skype for Business services. The Surface Hub must be able to connect to your Active Directory domain controller or to your Azure AD tenant in order to validate the device accounts credentials, as well as to access information like the device accounts display name, alias, Exchange server, and Session Initiation Protocol (SIP) address.</p>You can also domain join or Azure AD join your Surface Hub to allow a group of authorized users to configure settings on the Surface Hub. |
| Exchange (Exchange 2013 or later, or Exchange Online) and Exchange ActiveSync | <p>Exchange is used for enabling mail and calendar features, and also lets people who use the device send meeting requests to the Surface Hub, enabling one-touch meeting join.</p>ActiveSync is used to sync the device accounts calendar and mail to the Surface Hub. If the device cannot use ActiveSync, it will not show meetings on the welcome screen, and joining meetings and emailing whiteboards will not be enabled. |
| Skype for Business (Lync Server 2013 or later, or Skype for Business Online) | Skype for Business is used for various conferencing features, like video calls, instant messaging, and screen sharing. |
| Skype for Business (Lync Server 2013 or later, or Skype for Business Online) | Skype for Business is used for various conferencing features, like video calls, instant messaging, and screen sharing.</br></br>If screen sharing on a Surface Hub fails and the error message **An error occurred during the screen presentation** is displayed, see [Video Based Screen Sharing not working on Surface Hub](https://support.microsoft.com/help/3179272/video-based-screen-sharing-not-working-on-surface-hub) for help. |
| Mobile device management (MDM) solution (Microsoft Intune, System Center Configuration Manager, or supported third-party MDM provider) | If you want to apply settings and install apps remotely, and to multiple devices at a time, you must set up a MDM solution and enroll the device to that solution. See [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) for details. |
| Microsoft Operations Managmement Suite (OMS) | OMS is used to monitor the health of Surface Hub devices. See [Monitor your Surface Hub](monitor-surface-hub.md) for details. |
| Network and Internet access | <p>In order to function properly, the Surface Hub should have access to a wired or wireless network. Overall, a wired connection is preferred.</p><p>**Dynamic IP:** The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address.</p>**Proxy servers:** If your topology requires a connection to a proxy server to reach Internet services, then you can configure it during first run, or in Settings. |
| Microsoft Operations Managmement Suite (OMS) | OMS is used to monitor the health of Surface Hub devices. See [Monitor your Surface Hub](monitor-surface-hub.md) for details. |
| Network and Internet access | <p>In order to function properly, the Surface Hub should have access to a wired or wireless network. Overall, a wired connection is preferred.</p><p>**Dynamic IP:** The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address.</p>**Proxy servers:** If your topology requires a connection to a proxy server to reach Internet services, then you can configure it during first run, or in Settings. |
Additionally, note that Surface Hub requires the following open ports:
- HTTPS: 443

36
devices/surface-hub/surface-hub-downloads.md Normal file
View File

@ -0,0 +1,36 @@
---
title: Useful downloads for Microsoft Surface Hub
description: Downloads related to the Microsoft Surface Hub.
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: surfacehub
author: jdeckerMS
localizationpriority: medium
---
# Useful downloads for Microsoft Surface Hub
This topic provides links to useful Surface Hub documents, such as product datasheets, the site readiness guide, and user's guide.
| Link | Description |
| --- | --- |
| [Surface Hub Site Readiness Guide (PDF)](https://www.microsoft.com/surface/support/surface-hub/surface-hub-site-readiness-guide) | Make sure your site is ready for Surface Hub, including structural and power requirements, and get technical specs for Surface Hub. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/27/aa/27aa7dd7-7cb7-40ea-9bd6-c7de0795f68c.mov?n=04.07.16_installation_video_01_site_readiness.mov) |
| [Surface Hub Setup Guide (English, French, Spanish) (PDF)](https://www.microsoft.com/surface/support/surface-hub/surface-hub-setup-guide) | Get a quick overview of how to set up the environment for your new Surface Hub. |
| [Surface Hub Quick Reference Guide (PDF)](https://www.microsoft.com/surface/support/surface-hub/surface-hub-quick-reference-guide) | Use this quick reference guide to get information about key features and functions of the Surface Hub. |
| [Surface Hub User Guide (PDF)](http://download.microsoft.com/download/3/6/B/36B6331E-0C63-4E71-A05D-EE88D05081F8/surface-hub-user-guide-en-us.pdf) | Learn how to use Surface Hub in scheduled or ad-hoc meetings. Invite remote participants, use the built-in tools, save data from your meeting, and more. |
| [Surface Hub Replacement PC Drivers](https://www.microsoft.com/download/details.aspx?id=52210) | The Surface Hub Replacement PC driver set is available for those customers who have chosen to disable the Surface Hubs internal PC and use an external computer with their 84” or 55” Surface Hub. This download is meant to be used with the Surface Hub Admin Guide , which contains further details on configuring a Surface Hub Replacement PC. |
| [Surface Hub SSD Replacement Guide (PDF)](https://www.microsoft.com/surface/en-us/support/surfacehubssd) | Learn how to replace the solid state drive (SSD) for the 55- and 84-inch Surface Hub. |
| [Microsoft Surface Hub Rollout and Adoption Success Kit (ZIP)](http://download.microsoft.com/download/F/A/3/FA3ADEA4-4966-456B-8BDE-0A594FD52C6C/Surface%20Hub%20RASK.zip) | Best practices for generating awareness and implementing change management to maximize adoption, usage, and benefits of Microsoft Surface Hub. The Rollout and Adoption Success Kit zip file includes the Rollout and Adoption Success Kit detailed document, Surface Hub presentation, demo guidance, awareness graphics, and more. |
| [Unpacking Guide for 84-inch Surface Hub (PDF)](https://www.microsoft.com/surface/support/surface-hub/surface-hub-unpacking-guide-84) | Learn how to unpack your 84-inch Surface Hub efficiently and safely. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/75/2b/752b73dc-6e9d-4692-8ba1-0f9fc03bff6b.mov?n=04.07.16_installation_video_03_unpacking_84.mov) |
| [Unpacking Guide for 55-inch Surface Hub (PDF)](https://www.microsoft.com/surface/support/surface-hub/surface-hub-unpacking-guide-55) | Learn how to unpack your 55-inch Surface Hub efficiently and safely. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/a9/d6/a9d6b4d7-d33f-4e8b-be92-28f7fc2c06d7.mov?n=04.07.16_installation_video_02_unpacking_55.mov) |
| [Wall Mounting and Assembly Guide (PDF)](https://www.microsoft.com/surface/support/surface-hub/surface-hub-wall-mounting-assembly-guide) | Detailed instructions on how to safely and securely assemble the wall brackets, and how to mount your Surface Hub onto them. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/bf/4d/bf4d6f06-370c-45ee-88e6-c409873914e8.mov?n=04.07.16_installation_video_05_wall_mount.mov) |
| [Floor-Supported Mounting and Assembly Guide (PDF)](https://www.microsoft.com/surface/support/surface-hub/surface-hub-floor-supported-mounting-assembly-guide) | Detailed instructions on how to safely and securely assemble the floor-supported brackets, and how to mount your Surface Hub onto them. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/ed/de/edde468a-e1d4-4ce8-8b61-c4527dd25c81.mov?n=04.07.16_installation_video_06_floor_support_mount.mov) |
| [Rolling Stand Mounting and Assembly Guide (PDF)](https://www.microsoft.com/surface/support/surface-hub/surface-hub-rolling-stand-mounting-assembly-guide) | Detailed instructions on how to safely and securely assemble the rolling stand, and how to mount your Surface Hub onto it. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/1f/94/1f949613-3e4a-41e3-ad60-fe8aa7134115.mov?n=04.07.16_installation_video_04_rolling_stand_mount.mov) |
| [Mounts and Stands Datasheet (PDF)](https://www.microsoft.com/surface/support/surface-hub/surface-hub-mounts-and-stands-datasheet) | Specifications and prices for all Surface Hub add-on stands and mounts that turn your workspace into a Surface Hub workspace. |
| [Surface Hub Stand and Wall Mount Specifications (PDF)](https://www.microsoft.com/surface/support/surface-hub/surface-hub-stand-and-wall-mount-specs) | Illustrated specifications for the 55” and 84” Surface Hub rolling stands, wall mounts, and floor-supported wall mounts. |
| [Surface Hub Onsite Installation and Onsite Repair/Exchange Services FAQ (PDF)](https://www.microsoft.com/surface/en-us/support/surface-hub/onsite-installation-repair-faq) | Get answers to the most common questions about Surface Hub onsite service offerings and delivery. |

121
devices/surface-hub/surface-hub-wifi-direct.md Normal file
View File

@ -0,0 +1,121 @@
---
title: How Surface Hub addresses Wi-Fi Direct security issues
description: This topic provides guidance on Wi-Fi Direct security risks.
keywords: change history
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub
author: jdeckerMS
localizationpriority: medium
---
# How Surface Hub addresses Wi-Fi Direct security issues
Microsoft Surface Hub is an all-in-one productivity device that enables teams to better brainstorm, collaborate, and share ideas. Surface Hub relies on Miracast for wireless projection by using Wi-Fi Direct.
This topic provides guidance on Wi-Fi Direct security vulnerabilities, how Surface Hub has addressed those risks, and how Surface Hub administrators can configure the device for the highest level of security. This hardening information will help customers with high security requirements understand how best to protect their Surface Hub connected networks and data in transit.
The intended audiences for this topic include IT and network administrators interested in deploying Microsoft Surface Hub in their corporate environment with optimal security settings.
## Overview
Microsoft Surface Hub's security depends extensively on Wi-Fi Direct / Miracast and the associated 802.11, Wi-Fi Protected Access (WPA2), and Wireless Protected Setup (WPS) standards. Since the device only supports WPS (as opposed to WPA2 Pre-Shared Key (PSK) or WPA2 Enterprise), issues traditionally associated with 802.11 encryption are simplified by design.
It is important to note Surface Hub operates on par with the field of Miracast receivers, meaning that it is protected from, and vulnerable to, a similar set of exploits as all WPS-based wireless network devices. But Surface Hubs implementation of WPS has extra precautions built in, and its internal architecture helps prevent an attacker even after compromising the Wi-Fi Direct / Miracast layer to move past the network interface onto other attack surfaces and connected enterprise networks see [Wi-Fi Direct vulnerabilities and how Surface Hub addresses them](#vulnerabilities).
## Wi-Fi Direct background
Miracast is part of the Wi-Fi Display standard, which itself is supported by the Wi-Fi Direct protocol. These standards are supported in modern mobile devices for screen sharing and collaboration.
Wi-Fi Direct or Wi-Fi "Peer to Peer" (P2P) is a standard released by the Wi-Fi Alliance for "Ad-Hoc" networks. This allows supported devices to communicate directly and create groups of networks without requiring a traditional Wi-Fi Access Point or an Internet connection.
Security for Wi-Fi Direct is provided by WPA2 using the WPS standard. Authentication mechanism for devices can be a numerical pin (WPS-PIN), a physical or virtual Push Button (WPS-PBC), or an out-of-band message such as Near Field Communication (WPS-OOO). The Microsoft Surface Hub supports both Push Button (which is the default) and PIN methods.
In Wi-Fi Direct, groups are created as either "persistent," allowing for automatic reconnection using stored key material, or "temporary," where devices cannot re-authenticate without user intervention or action. Wi-Fi Direct groups will typically determine a Group Owner (GO) through a negotiation protocol, which mimics the "station" or "Access Point" functionality for the established Wi-Fi Direct Group. This Wi-Fi Direct GO provides authentication (via an “Internal Registrar”), and facilitate upstream network connections. For Surface Hub, this GO negotiation does not take place, as the network only operates in "autonomous" mode, where Surface Hub is always the Group Owner. Finally, Surface Hub does not and will not join other Wi-Fi Direct networks itself as a client.
<span id="vulnerabilities" />
## Wi-Fi Direct vulnerabilities and how Surface Hub addresses them
**Vulnerabilities and attacks in the Wi-Fi Direct invitation, broadcast, and discovery process**: Wi-Fi Direct / Miracast attacks may target weaknesses in the group establishment, peer discovery, device broadcast, or invitation processes.
|Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
| --- | --- |
| The discovery process may remain active for an extended period of time, which could allow Invitations and connections to be established without the intent of the device owner. | Surface Hub only operates as the Group Owner (GO), which does not perform the client Discovery or GO negotiation process. Broadcast can be turned off by fully disabling wireless projection. |
| Invitation and discovery using PBC allows an unauthenticated attacker to perform repeated connection attempts or unauthenticated connections are automatically accepted. | By requiring WPS PIN security, Administrators can reduce the potential for such unauthorized connections or "Invitation bombs" (where invitations are repeatedly sent until a user mistakenly accepts one). |
**Wi-Fi Protected Setup (WPS) Push Button Connect (PBC) vs PIN Entry**: Public weaknesses have been demonstrated in WPS-PIN method design and implementation, other vulnerabilities exist within WPS-PBC involving active attacks against a protocol designed for one time use.
| Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
| --- | --- |
| WPS-PBC is vulnerable to active attackers. As stated within the WPS specification: "The PBC method has zero bits of entropy and only protects against passive eavesdropping attacks. PBC protects against eavesdropping attacks and takes measures to prevent a device from joining a network that was not selected by the device owner. The absence of authentication, however, means that PBC does not protect against active attack". Attackers can use selective wireless jamming or other potential denial-of-service vulnerabilities in order to trigger an unintended Wi-Fi Direct GO or connection. Additionally, an active attacker, with only physical proximity, can repeatedly teardown any Wi-Fi Direct group and attempt the described attack until it is successful. |Enable WPS-PIN security within Surface Hubs configuration. As discussed within the Wi-Fi WPS specification: "The PBC method should only be used if no PIN-capable Registrar is available and the WLAN user is willing to accept the risks associated with PBC". |
| WPS-PIN implementations can be brute-forced using a Vulnerability within the WPS standard. Due to the design of split PIN verification, a number of implementation vulnerabilities occurred in the past several years across a wide range of Wi-Fi hardware manufacturers. In 2011 two researchers (Stefan Viehböck and Craig Heffner) released information on this vulnerability and tools such as "Reaver" as a proof of concept. | The Microsoft implementation of WPS within Surface Hub changes the pin every 30 seconds. In order to crack the pin, an attacker must work through the entire exploit in less than 30 seconds. Given the current state of tools and research in this area, a brute-force pin-cracking attack through WPS is unlikely. |
| WPS-PIN can be cracked using an offline attack due to weak initial key (E-S1,E S2) entropy. In 2014, Dominique Bongard discussed a "Pixie Dust" attack where poor initial randomness for the pseudo random number generator (PRNG) within the wireless device lead to the ability to perform an offline brute-force attack. | The Microsoft implementation of WPS within Surface Hub is not susceptible to this offline PIN brute-force attack. The WPS-PIN is randomized for each connection. |
**Unintended exposure of network services**: Network daemons intended for Ethernet or WLAN services may be accidentally exposed due to misconfiguration (such as binding to “all”/0.0.0.0 interfaces), a poorly configured device firewall, or missing firewall rules altogether.
| Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
| --- | --- |
| Misconfiguration binds a vulnerable or unauthenticated network service to "all" interfaces, which includes the Wi-Fi Direct interface. This potentially exposes services not intended to be accessible to Wi-Fi Direct clients, which may be weakly or automatically authenticated. | Within Surface Hub, the default firewall rules only permit the required TCP and UDP network ports and by default deny all inbound connections. Strong authentication can be configured by enabling the WPS-PIN mode. |
**Bridging Wi-Fi Direct and other wired or wireless networks**: While network bridging between WLAN or Ethernet networks is a violation of the Wi-Fi Direct specification, such a bridge or misconfiguration may effectively lower or remove wireless access controls for the internal corporate network.
| Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
| --- | --- |
| Wi-Fi Direct devices could allow unauthenticated or poorly authenticated access to bridged network connections. This may allow Wi-Fi Direct networks to route traffic to internal Ethernet LAN or other infrastructure or enterprise WLAN networks in violation of existing IT security protocols. | Surface Hub cannot be configured to bridge Wireless interfaces or allow routing between disparate networks. The default firewall rules add defense in depth to any such routing or bridge connections. |
**The use of Wi-Fi Direct “legacy” mode**: Exposure to unintended networks or devices when operating in “legacy” mode may present a risk. Device spoofing or unintended connections could occur if WPS-PIN is not enabled.
| Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
| --- | --- |
| By supporting both Wi-Fi Direct and 802.11 infrastructure clients, the system is operating in a "legacy" support mode. This may expose the connection setup phase indefinitely, allowing for groups to be joined or devices invited to connect well after their intended setup phase terminates. | Surface Hub does not support Wi-Fi Direct legacy clients. Only Wi-Fi Direct connections can be made to Surface Hub even when WPS-PIN mode is enabled. |
**Wi-Fi Direct GO negotiation during connection setup**: The Group Owner within Wi-Fi Direct is analogous to the “Access Point” in a traditional 802.11 wireless network. The negotiation can be gamed by a malicious device.
|Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
| --- | --- |
| If groups are dynamically established or if the Wi-Fi Direct device can be made to join new groups, the Group Owner (GO) negotiation can be won by a malicious device that always specifies the max Group Owner "intent" value of 15. (Unless such device is configured to always be a Group Owner, in which case the connection fails.) | Surface Hub takes advantage of Wi-Fi Direct "Autonomous mode", which skips the GO negotiation phase of the connection setup. Surface Hub is always the Group Owner. |
**Unintended or malicious Wi-Fi deauthentication**: Wi-Fi deauthentication is an age-old attack that can be used by a physically local attacker to expedite information leaks against the connection setup process, trigger new four-way handshakes, target Wi-Fi Direct WPS-PBC for active attack, or create denial-of-service attacks.
| Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
| --- | --- |
| Deauthentication packets can be sent by an unauthenticated attacker to cause the station to re-authenticate and sniff the resulting handshake. Cryptographic or brute-force attacks can be attempted on the resulting handshake. Mitigations for these attack include: enforcing length and complexity policies for pre-shared keys; configuring the Access Point (if applicable) to detect malicious levels of deauthentication packets; and using WPS to automatically generate strong keys. In PBC mode the user is interacting with a physical or virtual button to allow arbitrary device association. This process should happen only at setup within a small window, once the button is automatically "pushed", the device will accept any station associating via a canonical PIN value (all zeros). Deauthentication can force a repeated setup process. | The current Surface Hub design uses WPS in PIN or PBC mode. No PSK configuration is permitted, helping enforce the generation of strong keys. It is recommended to enable WPS-PIN. |
| Beyond denial-of-service attacks, deauthentication packets can also be used to trigger a reconnect which re-opens the window of opportunity for active attacks against WPS-PBC. | Enable WPS-PIN security within Surface Hubs configuration. |
**Basic wireless information disclosure**: Wireless networks, 802.11 or otherwise, are inherently sources of information disclosure. Although the information is largely connection or device metadata, it remains an accepted risk for any 802.11 administrator. Wi-Fi Direct with device authentication via WPS-PIN effectively reveals the same information as a PSK or Enterprise 802.11 network.
| Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
| --- | --- |
| During broadcast, connection setup, or even with already encrypted connections, basic information about the devices and packet sizes is wirelessly transmitted. At a basic level, a local attacker within wireless range can determine the names of wireless devices, the MAC addresses of communicating equipment, and possibly other details such as the version of the wireless stack, packet sizes, or the configured Access Point or Group Owner options by examining the relevant 802.11 Information Elements. | The Wi-Fi Direct network employed by Surface Hub cannot be further protected from metadata leaks, in the same way 802.11 Enterprise or PSK wireless networks also leak such metadata. Physical security and removing potential threats from the wireless proximity can be used to reduce any potential information leaks. |
**Wireless evil twin or spoofing attacks**: Spoofing the wireless name is a trivial and known exploit for a physically local attacker in order to lure unsuspecting or mistaken users to connect.
| Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
| --- | --- |
| By spoofing or cloning the wireless name or "SSID" of the target network, an attacker may trick the user into connecting to fake malicious network. By supporting unauthenticated, auto-join Miracast an attacker could capture the intended display materials or attempt to perform network attacks on the connecting device. | While no specific protections against joining a spoofed Surface Hub are in place, this attack is partially mitigated in two ways. First, any potential attack must be physically within Wi-Fi range. Second, this attack is only possible during the very first connection. Subsequent connections use a persistent Wi-Fi Direct group and Windows will remember and prioritize this prior connection during future Hub use. (Note: Spoofing the MAC address, Wi-Fi channel and SSID simultaneously was not considered for this report and may result in inconsistent Wi-Fi behavior.) Overall this weakness is a fundamental problem for any 802.11 wireless network not using Enterprise WPA2 protocols such as EAP-TLS or EAP-PWD, which are not supported in Wi-Fi Direct. |
## Surface Hub hardening guidelines
Surface Hub is designed to facilitate collaboration and allow users to start or join meetings quickly and efficiently. As such, the default Wi-Fi Direct settings for Surface Hub are optimized for this scenario.
For users who require additional security around the wireless interface, we recommend Surface Hub users enable the WPS-PIN security setting. This disables WPS-PBC mode and offers client authentication, and provides the strongest level of protection by preventing any unauthorized connections to Surface Hub.
If concerns remain around authentication and authorization of a Surface Hub, we recommend users connect the device to a separate network, either Wi-Fi (such as a "guest" Wi-Fi network) or using separate Ethernet network (preferably an entirely different physical network, but a VLAN can also provide some added security). Of course, this approach may preclude connections to internal network resources or services, and may require additional network configurations to regain access.
Also recommended:
- [Install regular system updates.](manage-windows-updates-for-surface-hub.md)
- Update the Miracast settings to disable auto-present mode.
## Learn more
- [Wi-Fi Direct specifications](http://www.wi-fi.org/discover-wi-fi/wi-fi-direct)
- [Wireless Protected Setup (WPS) specification](http://www.wi-fi.org/discover-wi-fi/wi-fi-protected-setup)

5
devices/surface-hub/use-room-control-system-with-surface-hub.md
View File

@ -267,6 +267,9 @@ The current volume level is a range from 0 to 100.
Changes to volume levels can be sent by a room control system, or other system.
>[!NOTE]
>The Volume command will only control the volume for embedded or Replacement PC mode, not from [Guest sources](connect-and-display-with-surface-hub.md).
<table>
<colgroup>
<col width="33%" />
@ -277,7 +280,7 @@ Changes to volume levels can be sent by a room control system, or other system.
<tr class="header">
<th align="left">Command</th>
<th align="left">State change</th>
<th align="left">Response</th>
<th align="left">Response</br>(On in [Replacement PC mode](connect-and-display-with-surface-hub.md#replacement-pc-mode))</th>
</tr>
</thead>
<tbody>

1
devices/surface/TOC.md
View File

@ -13,6 +13,7 @@
### [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)
### [Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)
### [Surface Dock Updater](surface-dock-updater.md)
### [Wake On LAN for Surface devices](wake-on-lan-for-surface-devices.md)
## [Considerations for Surface and System Center Configuration Manager](considerations-for-surface-and-system-center-configuration-manager.md)
## [Deploy Surface app with Windows Store for Business](deploy-surface-app-with-windows-store-for-business.md)
## [Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md)

7
devices/surface/change-history-for-surface.md
View File

@ -11,13 +11,18 @@ author: jdeckerMS
This topic lists new and updated topics in the Surface documentation library.
## January 2017
|New or changed topic | Description |
| --- | --- |
|[Wake On LAN for Surface devices](wake-on-lan-for-surface-devices.md) | New |
## December 2016
|New or changed topic | Description |
| --- | --- |
|[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) | Added driver info for Surface Studio; updated info for Surface Book and Surface Pro 4 (Windows 10 .zip cumulative update), Surface Pro 3 (Windows8.1-KB2969817-x64.msu), and Surface 3 (UEFI Asset Tag management tool)|
## November 2016
|New or changed topic | Description |

BIN
devices/surface/images/sda-fig5-erase.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 276 KiB

After

Width:  |  Height:  |  Size: 74 KiB

2
devices/surface/index.md
View File

@ -33,7 +33,9 @@ For more information on planning for, deploying, and managing Surface devices in
| [Change history for Surface documentation](change-history-for-surface.md) | This topic lists new and updated topics in the Surface documentation library. |
## Learn more
[Certifying Surface Pro 4 and Surface Book as standard devices at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/849/Certifying-Surface-Pro-4-and-Surface-Book-as-standard-devices-at-Microsoft)

42
devices/surface/microsoft-surface-data-eraser.md
View File

@ -16,7 +16,7 @@ author: miladCA
Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices.
[Microsoft Surface Data Eraser](https://www.microsoft.com/download/details.aspx?id=46703) is a tool that boots from a USB stick and allows you to perform a secure wipe of all data from a compatible Surface device. A Microsoft Surface Data Eraser USB stick requires only the ability to boot from USB. The USB tool is easy to create by using the provided wizard, the Microsoft Surface Data Eraser Wrapper, and is easy to use with a simple graphic interface, no command line needed. To learn more about the data wiping capabilities and practices Microsoft uses during the service process for Surface, see [Protecting your data if you send your Surface in for service](https://www.microsoft.com/surface/support/security-sign-in-and-accounts/data-wiping-policy).
[Microsoft Surface Data Eraser](https://www.microsoft.com/download/details.aspx?id=46703) is a tool that boots from a USB stick and allows you to perform a secure wipe of all data from a compatible Surface device. A Microsoft Surface Data Eraser USB stick requires only the ability to boot from USB. The USB stick is easy to create by using the provided wizard, the Microsoft Surface Data Eraser wrapper, and is easy to use with a simple graphic interface, no command line needed. To learn more about the data wiping capabilities and practices Microsoft uses during the service process for Surface, see [Protecting your data if you send your Surface in for service](https://www.microsoft.com/surface/support/security-sign-in-and-accounts/data-wiping-policy).
Compatible Surface devices include:
@ -100,43 +100,41 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo
1. Insert the bootable Microsoft Surface Data Eraser USB stick into the supported Surface device.
2. Ensure your system firmware is set to boot to USB. To enter the firmware settings:
2. Boot your Surface device from the Microsoft Surface Data Eraser USB stick. To boot your device from the USB stick follow these steps:
1. Turn off your Surface device.
a. Turn off your Surface device.
2. Press and hold the **Volume Up** button.
b. Press and hold the **Volume Down** button.
3. Press and release the **Power** button.
c. Press and release the **Power** button.
4. Release the **Volume Up** button.
d. Release the **Volume Down** button.
>[!NOTE]
>If your device does not boot to USB using these steps, you may need to turn on the **Enable Alternate Boot Sequence** option in Surface UEFI. You can read more about Surface UEFI boot configuration in [Manage Surface UEFI Settings](https://technet.microsoft.com/itpro/surface/manage-surface-uefi-settings).
3. When the Surface device boots, a **SoftwareLicenseTerms** text file is displayed.
3. When the Surface device boots, a **SoftwareLicenseTerms** text file is displayed, as shown in Figure 4.
![Booting the Microsoft Surface Data Eraser USB stick](images/data-eraser-3.png "Booting the Microsoft Surface Data Eraser USB stick")
*Figure 4. Booting the Microsoft Surface Data Eraser USB stick*
4. Read the software license terms, and then close the notepad file.
4. Read the software license terms, and then close the Notepad file.
5. Accept or Decline the Software License Terms by typing **Accept** or **Decline**.
5. Accept or decline the software license terms by typing **Accept** or **Decline**. You must accept the license terms to continue.
6. Select one of the following three options:
6. The Microsoft Surface Data Eraser script detects the storage devices that are present in your Surface device and displays the details of the native storage device. To continue, press **Y** (this action runs Microsoft Surface Data Eraser and removes all data from the storage device) or press **N** (this action shuts down the device without removing data).
- **Enter S to start Data Erase** Select this option to begin the data erase process. You will have a chance to confirm in the next step.
>[!NOTE]
>The Microsoft Surface Data Eraser tool will delete all data, including Windows operating system files required to boot the device, in a secure and unrecoverable way. To boot a Surface device that has been wiped with Microsoft Surface Data Eraser, you will first need to reinstall the Windows operating system. To remove data from a Surface device without removing the Windows operating system, you can use the **Reset your PC** function. However, this does not prevent your data from being recovered with forensic or data recovery capabilities. See [Recovery options in Windows 10](https://support.microsoft.com/help/12415/windows-10-recovery-options) for more information.
- **Enter D to perform Diskpart** Select this option to use diskpart.exe to manage partitions on your disk.
![Partition to be erased is displayed](images/sda-fig5-erase.png "Partition to be erased is displayed")
*Figure 5. Partition to be erased is displayed in Microsoft Surface Data Eraser*
- **Enter X to shut device down** Select this option to perform no action and shut down the device.
7. If you pressed **Y** in step 6, due to the destructive nature of the data erasure process, an additional dialog box is displayed to confirm your choice.
7. If you typed **S** to begin the data erase process, the partition that will be erased is displayed, as shown in Figure 5. If this is correct, press **Y** to continue, or **N** to shut down the device.
![Partition to be erased is displayed](images/sda-fig5-erase.png "Partition to be erased is displayed")
*Figure 5. Partition to be erased is displayed in Microsoft Surface Data Eraser*
8. If you pressed **Y** in step 7, due to the destructive nature of the data erasure process, an additional dialog box is displayed to confirm your choice.
9. Click the **Yes** button to continue erasing data on the Surface device.
8. Click the **Yes** button to continue erasing data on the Surface device.
 

1
devices/surface/update.md
View File

@ -16,6 +16,7 @@ Find out how to download and manage the latest firmware and driver updates for y
| Topic | Description |
| --- | --- |
|[Wake On LAN for Surface devices](wake-on-lan-for-surface-devices.md) | See how you can use Wake On LAN to remotely wake up devices to perform management or maintenance tasks, or to enable management solutions automatically. |
| [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)| Get a list of the available downloads for Surface devices and links to download the drivers and firmware for your device.|
| [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)| Explore the available options to manage firmware and driver updates for Surface devices.|
| [Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)| Read about the different methods you can use to manage the process of Surface Dock firmware updates.|

9
devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
View File

@ -413,3 +413,12 @@ When you deploy SEMM using this script application and with a configuration that
Alternatively, you can configure the application installation to reboot automatically and to install invisibly to the user in this scenario, a technician will be required to enter the thumbprint on each device as it reboots. Any technician with access to the certificate file can read the thumbprint by viewing the certificate with CertMgr. Instructions for viewing the thumbprint with CertMgr are in the [Create or modify the SEMM Configuration Manager scripts](#create-or-modify-the-semm-configuration-manager-scripts) section of this article.
Removal of SEMM from a device deployed with Configuration Manager using these scripts is as easy as uninstalling the application with Configuration Manager. This action starts the ResetSEMM.ps1 script and properly unenrolls the device with the same certificate file that was used during the deployment of SEMM.
>[!NOTE]
>Microsoft Surface recommends that you create reset packages only when you need to unenroll a device. These reset packages are typically valid for only one device, identified by its serial number. You can, however, create a universal reset package that would work for any device enrolled in SEMM with this certificate.
>We strongly recommend that you protect your universal reset package as carefully as the certificate you used to enroll devices in SEMM. Please remember that just like the certificate itself this universal reset package can be used to unenroll any of your organizations Surface devices from SEMM.
>When you install a reset package, the Lowest Supported Value (LSV) is reset to a value of 1. You can reenroll a device by using an existing configuration package the device will prompt for the certificate thumbprint before ownership is taken.
>For this reason, the reenrollment of a device in SEMM would require a new package to be created and installed on that device. Because this action is a new enrollment and not a change in configuration on a device already enrolled in SEMM, the device will prompt for the certificate thumbprint before ownership is taken.

56
devices/surface/wake-on-lan-for-surface-devices.md Normal file
View File

@ -0,0 +1,56 @@
---
title: Wake On LAN for Surface devices (Surface)
description: See how you can use Wake On LAN to remotely wake up devices to perform management or maintenance tasks, or to enable management solutions automatically even if the devices are powered down.
keywords: update, deploy, driver, wol, wake-on-lan
ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: surface, devices
ms.sitesec: library
author: jobotto
---
# Wake On LAN for Surface devices
Surface devices that run Windows 10, version 1607 (also known as Windows 10 Anniversary Update) or later and use a Surface Ethernet adapter to connect to a wired network, are capable of Wake On LAN (WOL) from Connected Standby. With WOL, you can remotely wake up devices to perform management or maintenance tasks or enable management solutions (such as System Center Configuration Manager) automatically even if the devices are powered down. For example, you can deploy applications to Surface devices left docked with a Surface Dock or Surface Pro 3 Docking Station by using System Center Configuration Manager during a window in the middle of the night, when the office is empty.
>[!NOTE]
>Surface devices must be connected to AC power to support WOL.
## Supported devices
The following devices are supported for WOL:
* Surface Book
* Surface Pro 4
* Surface Pro 3
* Surface 3
* Surface Ethernet adapter
* Surface Dock
* Surface Docking Station for Surface Pro 3
## WOL driver
To enable WOL support on Surface devices, a specific driver for the Surface Ethernet adapter is required. This driver is not included in the standard driver and firmware pack for Surface devices you must download and install it separately. You can download the Surface WOL driver (SurfaceWOL.msi) from the [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) page in the Microsoft Download Center.
You can run this Microsoft Windows Installer (.msi) file on a Surface device to install the Surface WOL driver, or you can distribute it to Surface devices with an application deployment solution, such as System Center Configuration Manager. To include the Surface WOL driver during deployment, you can install the .msi file as an application during the deployment process. You can also extract the Surface WOL driver files to include them in the deployment process. For example, you can include them in your Microsoft Deployment Toolkit (MDT) deployment share. You can read more about Surface deployment with MDT in [Deploy Windows 10 to Surface devices with Microsoft Deployment Toolkit](https://technet.microsoft.com/itpro/surface/deploy-windows-10-to-surface-devices-with-mdt).
>[!NOTE]
>During the installation of SurfaceWOL.msi, the following registry key is set to a value of 1, which allows easy identification of systems where the WOL driver has been installed. If you chose to extract and install these drivers separately during deployment, this registry key will not be configured and must be configured manually or with a script.
>**HKLM\SYSTEM\CurrentControlSet\Control\Power AllowSystemRequiredPowerRequests**
To extract the contents of SurfaceWOL.msi, use the MSIExec administrative installation option (**/a**), as shown in the following example, to extract the contents to the C:\WOL\ folder:
`msiexec /a surfacewol.msi targetdir=C:\WOL /qn`
## Using Surface WOL
The Surface WOL driver conforms to the WOL standard, whereby the device is woken by a special network communication known as a magic packet. The magic packet consists of 6 bytes of 255 (or FF in hexadecimal) followed by 16 repetitions of the target computers MAC address. You can read more about the magic packet and the WOL standard on [Wikipedia](https://wikipedia.org/wiki/Wake-on-LAN#Magic_packet).
>[!NOTE]
>To send a magic packet and wake up a device by using WOL, you must know the MAC address of the target device and Ethernet adapter. Because the magic packet does not use the IP network protocol, it is not possible to use the IP address or DNS name of the device.
Many management solutions, such as System Center Configuration Manager, provide built-in support for WOL. There are also many solutions, including Windows Store apps, PowerShell modules, third-party applications, and third-party management solutions that allow you to send a magic packet to wake up a device. For example, you can use the [Wake On LAN PowerShell module](https://gallery.technet.microsoft.com/scriptcenter/Wake-On-Lan-815424c4) from the TechNet Script Center.
>[!NOTE]
>After a device has been woken up with a magic packet, the device will return to sleep if an application is not actively preventing sleep on the system or if the AllowSystemRequiredPowerRequests registry key is not configured to 1, which allows applications to prevent sleep. See the [WOL driver](#wol-driver) section of this article for more information about this registry key.

18
education/windows/index.md
View File

@ -1,11 +1,12 @@
---
title: Windows 10 for Education (Windows 10)
description: Learn how to use Windows 10 in schools.
description: Learn how to use Windows 10 in schools.
keywords: Windows 10, education
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: edu
localizationpriority: high
author: CelesteDG
---
@ -29,8 +30,7 @@ author: CelesteDG
<li><a href="https://technet.microsoft.com/en-us/windows/mt723345" target="_blank">Automate common Windows 10 deployment and configuration tasks</a></li>
<li><a href="https://technet.microsoft.com/en-us/windows/mt723346" target="_blank">Deploy a custom Windows 10 Start menu</a></li>
<li><a href="https://technet.microsoft.com/en-us/windows/mt723347" target="_blank">Manage Windows 10 updates and upgrades</a></li>
<li><a href="https://technet.microsoft.com/en-us/windows/mt723344" target="_blank">Reprovision devices at the end of the school year</a></li>
<li><a href="https://technet.microsoft.com/en-us/windows/mt723343" target="_blank">Use MDT to deploy Windows 10</a></li>
<li><a href="https://technet.microsoft.com/en-us/windows/mt723344" target="_blank">Reprovision devices at the end of the school year</a></li> <li><a href="https://technet.microsoft.com/en-us/windows/mt723343" target="_blank">Use MDT to deploy Windows 10</a></li>
<li><a href="https://technet.microsoft.com/en-us/windows/mt723348" target="_blank">Use Windows Store for Business</a></li>
</ul>
</div>
@ -57,20 +57,16 @@ author: CelesteDG
<div class="side-by-side-content-right">
<p><b><a href="https://technet.microsoft.com/en-us/windows/mt574244" target="_blank">Try it out: Windows 10 deployment (for education)</a></b><br />Learn how to upgrade devices running the Windows 7 operating system to Windows 10 Anniversary Update, and how to manage devices, apps, and users in Windows 10 Anniversary Update.<br /><br />For the best experience, use this guide in tandem with the <a href="https://vlabs.holsystems.com/vlabs/technet?eng=VLabs&auth=none&src=vlabs&altadd=true&labid=20949&lod=true" target="_blank">TechNet Virtual Lab: IT Pro Try-It-Out</a>.</p>
</div>
</div></div>
</div></div>
### ![Upgrade to Windows 10 for education](images/windows.png) Upgrade
### ![Upgrade to Windows 10 for education](images/windows.png) Upgrade
<div class="side-by-side"> <div class="side-by-side-content">
<div class="side-by-side-content-left"><p><b>[Upgrade Windows 10 Pro to Pro Education from Windows Store for Business](windows-10-pro-to-pro-edu-upgrade.md)</b><br />If you have an education tenant and use Windows 10 Pro in your schools now, find out how you can opt-in to a free upgrade to Windows 10 Pro Education.</p></div>
<<<<<<< HEAD
<div class="side-by-side-content-right">
<p></p>
=======
<div class="side-by-side-content-right"><p></p>
>>>>>>> e04a8c5905ed4bcb1df7b6b60d48146df9095a12
</div>
</div>
</div></div>
## Windows 8.1
Follow these links to find step-by-step guidance on how to deploy Windows 8.1 in an academic environment.

2
windows/keep-secure/TOC.md
View File

@ -572,7 +572,7 @@
###### [Domain member: Maximum machine account password age](domain-member-maximum-machine-account-password-age.md)
###### [Domain member: Require strong (Windows 2000 or later) session key](domain-member-require-strong-windows-2000-or-later-session-key.md)
###### [Interactive logon: Display user information when the session is locked](interactive-logon-display-user-information-when-the-session-is-locked.md)
###### [Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md)
###### [Interactive logon: Don\'t display last signed-in](interactive-logon-do-not-display-last-user-name.md)
###### [Interactive logon: Do not require CTRL+ALT+DEL](interactive-logon-do-not-require-ctrl-alt-del.md)
###### [Interactive logon: Machine account lockout threshold](interactive-logon-machine-account-lockout-threshold.md)
###### [Interactive logon: Machine inactivity limit](interactive-logon-machine-inactivity-limit.md)

4
windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
View File

@ -45,9 +45,7 @@ You can use System Center Configuration Managers existing functionality to cr
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOnboardingScript.cmd*.
3. Onboard your devices using SCCM by following the steps in the [Onboard devices to Windows Defender ATP](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/windows-defender-advanced-threat-protection#onboard-devices-for-windows-defender-atp) topic.
4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682178.aspx) topic.
3. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682178.aspx) topic.
a. Choose a predefined device collection to deploy the package to.

2
windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
View File

@ -60,7 +60,7 @@ If you took corrective actions and the machine status is still misconfigured, [o
### No sensor data
A misconfigured machine with status No sensor data has communication with the service but can only report partial sensor data.
Follow theses actions to correct known issues related to a misconfigured machine with status Impaired communication:
Follow theses actions to correct known issues related to a misconfigured machine with status No sensor data:
- [Ensure the endpoint has Internet connection](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-endpoint-has-an-internet-connection)</br>
The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service.

BIN
windows/keep-secure/images/atp-machine-details-view.png.pdf Normal file
View File

Binary file not shown.

76
windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md
View File

@ -12,77 +12,77 @@ author: brianlic-msft
# Interactive logon: Display user information when the session is locked
**Applies to**
- Windows 10
- Windows 10
Describes the best practices, location, values, and security considerations for the **Interactive logon: Display user information when the session is locked** security policy setting.
## Reference
This setting controls whether details such as email address or domain\username appear with the username on the sign-in screen.
For clients that run Windows 10 version 1511 and 1507 (RTM), this setting works similarly to previous versions of Windows.
Due to a new **Privacy** setting in Windows 10 version 1607, this setting affects those clients differently.
This security setting controls whether details such as email address or domain\username appear with the username on the sign-in screen.
For clients that run Windows 10 version 1511 and 1507 (RTM), this setting works similarly to previous versions of Windows.
However, because of a new **Privacy** setting introduced in Windows 10 version 1607, this security setting affects those clients differently.
### Changes in Windows 10 version 1607
Beginning with Windows 10 version 1607, new functionality was added to Windows 10 to hide username details such as email address by default, with the ability to change the default to show the details.
This functionality is controlled by a new **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**.
The Privacy setting is off by default, which hides the details.
Beginning with Windows 10 version 1607, new functionality was added to Windows 10 to hide username details such as email address by default, with the ability to change the default to show the details.
This functionality is controlled by a new **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**.
The Privacy setting is off by default, which hides the details.
![Privacy setting](images\privacy-setting-in-sign-in-options.png)
The **Interactive logon: Display user information when the session is locked** Group Policy setting controls the same functionality.
The **Interactive logon: Display user information when the session is locked** Group Policy setting controls the same functionality.
This setting has these possible values:
- **User display name, domain and user names**
For a local logon, the user's full name is displayed.
If the user signed in using a Microsoft Account, the user's email address is displayed.
For a domain logon, the domain\username is displayed.
This has the same effect as turning on the **Privacy** setting.
For a local logon, the user's full name is displayed.
If the user signed in using a Microsoft account, the user's email address is displayed.
For a domain logon, the domain\username is displayed.
This has the same effect as turning on the **Privacy** setting.
- **User display name only**
The full name of the user who locked the session is displayed.
The full name of the user who locked the session is displayed.
This has the same effect as turning off the **Privacy** setting.
- **Do not display user information**
No names are displayed.
Beginning with Windows 10 version 1607, this option is not supported.
If this option is chosen, the full name of the user who locked the session is displayed instead.
This change makes this setting consistent with the functionality of the new **Privacy** setting.
To have no user information displayed, enable the Group Policy setting **Interactive logon: Don't display last signed-in**.
No names are displayed.
Beginning with Windows 10 version 1607, this option is not supported.
If this option is chosen, the full name of the user who locked the session is displayed instead.
This change makes this setting consistent with the functionality of the new **Privacy** setting.
To display no user information, enable the Group Policy setting **Interactive logon: Don't display last signed-in**.
- Blank.
Default setting.
This translates to “Not defined,” but it will display the users full name in the same manner as the option **User display name only**.
Default setting.
This translates to “Not defined,” but it will display the users full name in the same manner as the option **User display name only**.
When an option is set, you cannot reset this policy to blank, or not defined.
### Hotfix for Windows 10 version 1607
Clients that run Windows 10 version 1607 will not show details on the sign-in screen even if the **User display name, domain and user names** option is chosen because the **Privacy** setting is off.
If the **Privacy** setting is turned on, details will show.
Clients that run Windows 10 version 1607 will not show details on the sign-in screen even if the **User display name, domain and user names** option is chosen because the **Privacy** setting is off.
If the **Privacy** setting is turned on, details will show.
The **Privacy** setting cannot be changed for clients in bulk.
Instead, apply [KB 4013429](https://support.microsoft.com/help/4000825/windows-10-and-windows-server-2016-update-history) to clients that run Windows 10 version 1607 so they behave similarly to previous versions of Windows.
The **Privacy** setting cannot be changed for clients in bulk.
Instead, apply KB 4013429 to clients that run Windows 10 version 1607 so they behave similarly to previous versions of Windows.
There are related Group Policy settings:
- **Computer Configuration\Policies\Administrative Templates\System\Logon\Block user from showing account details on sign-in** prevents users from showing account details on the sign-in screen.
- **Computer Configuration\Policies\Administrative Templates\System\Logon\Block user from showing account details on sign-in** prevents users from showing account details on the sign-in screen.
- **Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Dont display last signed-in** prevents the username of the last user to sign in from being shown.
- **Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Dont display user name at sign in** prevents the username from being shown at Windows sign-in and immediately after credentials are entered and before the desktop appears.
- **Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Dont display username at sign-in** prevents the username from being shown at Windows sign-in and immediately after credentials are entered and before the desktop appears.
### Interaction with related Group Policy settings
For all versions of Windows 10, only the user display name is shown by default.
For all versions of Windows 10, only the user display name is shown by default.
If **Block user from showing account details on sign-in** is enabled, then only the user display name is shown regardless of any other Group Policy settings.
If **Block user from showing account details on sign-in** is enabled, then only the user display name is shown regardless of any other Group Policy settings.
Users will not be able to show details.
If **Block user from showing account details on sign-in** is not enabled, then you can set **Interactive logon: Display user information when the session is locked** to **User display name, domain and user names** to show additional details such as domain\username.
In this case, clients that run Windows 10 version 1607 need [KB 4013429](https://support.microsoft.com/help/4000825/windows-10-and-windows-server-2016-update-history) applied.
Users will not be able to hide additional details.
If **Block user from showing account details on sign-in** is not enabled, then you can set **Interactive logon: Display user information when the session is locked** to **User display name, domain and user names** to show additional details such as domain\username.
In this case, clients that run Windows 10 version 1607 need KB 4013429 applied.
Users will not be able to hide additional details.
If **Block user from showing account details on sign-in** is not enabled and **Dont display last signed-in** is enabled, the username will not be shown.
@ -100,13 +100,13 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
| Server type or Group Policy object (GPO) | Default value |
| - | - |
| Default domain policy| Not defined|
| Default domain controller policy | Not defined|
| Stand-alone server default settings | Not defined|
| Domain controller effective default settings | **User display name, domain and user names**|
| Member server effective default settings | **User display name, domain and user names**|
| Effective GPO default settings on client computers | **User display name, domain and user names**|
 
| Default domain policy| Not defined|
| Default domain controller policy | Not defined|
| Stand-alone server default settings | Not defined|
| Domain controller effective default settings | **User display name, domain and user names**|
| Member server effective default settings | **User display name, domain and user names**|
| Effective GPO default settings on client computers | **User display name, domain and user names**|
## Policy management
This section describes features and tools that are available to help you manage this policy.

20
windows/keep-secure/interactive-logon-do-not-display-last-user-name.md
View File

@ -1,5 +1,5 @@
---
title: Interactive logon Do not display last user name (Windows 10)
title: Interactive logon Don't display last signed-in (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Interactive logon Do not display last user name security policy setting.
ms.assetid: 98b24b03-95fe-4edc-8e97-cbdaa8e314fd
ms.prod: w10
@ -9,12 +9,12 @@ ms.pagetype: security
author: brianlic-msft
---
# Interactive logon: Do not display last user name
# Interactive logon: Don't display last signed-in
**Applies to**
- Windows 10
Describes the best practices, location, values, and security considerations for the **Interactive logon: Do not display last user name** security policy setting.
Describes the best practices, location, values, and security considerations for the **Interactive logon: Don't display last signed-in** security policy setting. Before Windows 10 version 1703, this policy setting was named **Interactive logon:Do not display last user name.**
## Reference
@ -40,14 +40,14 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
### Default values
| Server type or Group Policy object (GPO) | Default value|
| Server type or Group Policy object (GPO) | Default value|
| - | - |
| Default domain policy| Disabled|
| Default domain controller policy| Disabled|
| Stand-alone server default settings | Disabled|
| Domain controller effective default settings | Disabled|
| Member server effective default settings | Disabled|
| Effective GPO default settings on client computers | Disabled|
| Default domain policy| Disabled|
| Default domain controller policy| Disabled|
| Stand-alone server default settings | Disabled|
| Domain controller effective default settings | Disabled|
| Member server effective default settings | Disabled|
| Effective GPO default settings on client computers | Disabled|
 
## Policy management

5
windows/manage/TOC.md
View File

@ -3,11 +3,12 @@
## [Cortana integration in your business or enterprise](cortana-at-work-overview.md)
### [Testing scenarios using Cortana in your business or organization](cortana-at-work-testing-scenarios.md)
#### [Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook](cortana-at-work-scenario-1.md)
#### [Test scenario 2 - Test scenario 2 - Perform a quick search with Cortana at work](cortana-at-work-scenario-2.md)
#### [Test scenario 2 - Perform a quick search with Cortana at work](cortana-at-work-scenario-2.md)
#### [Test scenario 3 - Set a reminder for a specific location using Cortana at work](cortana-at-work-scenario-3.md)
#### [Test scenario 4 - Use Cortana at work to find your upcoming meetings](cortana-at-work-scenario-4.md)
#### [Test scenario 5 - Use Cortana to send email to a co-worker](cortana-at-work-scenario-5.md)
#### [Test scenario 6 - Use Cortana and Windows Information Protection (WIP) to help protect your organizations data on a device](cortana-at-work-scenario-6.md)
#### [Test scenario 6 - Review a reminder suggested by Cortana based on what youve promised in email](cortana-at-work-scenario-6.md)
#### [Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organizations data on a device](cortana-at-work-scenario-7.md)
### [Set up and test Cortana with Office 365 in your organization](cortana-at-work-o365.md)
### [Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization](cortana-at-work-crm.md)
### [Set up and test Cortana for Power BI in your organization](cortana-at-work-powerbi.md)

23
windows/manage/change-history-for-manage-and-update-windows-10.md
View File

@ -14,6 +14,12 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in
>If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history).
## March 2017
| New or changed topic | Description |
| --- | --- |
|[Test scenario 6 - Review a reminder suggested by Cortana based on what youve promised in email](cortana-at-work-scenario-6.md) |New |
## February 2017
| New or changed topic | Description |
@ -26,11 +32,12 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in
| [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | Added Express updates. |
| [Distribute offline apps](distribute-offline-apps.md) | General updates to topic. Added links to supporting content for System Center Configuration Manager and Microsoft Intune. |
## January 2017
| New or changed topic | Description |
| --- | --- |
| [Cortana integration in your business or enterprise](cortana-at-work-overview.md) | New |
| [Cortana integration in your business or enterprise and sub-topics](cortana-at-work-overview.md) |New |
| [Start layout XML for desktop editions of Windows 10](start-layout-xml-desktop.md) | New (previously published in Hardware Dev Center on MSDN) |
| [Start layout XML for mobile editions of Windows 10](start-layout-xml-mobile.md) | New (previously published in Hardware Dev Center on MSDN) |
| [Quick guide to Windows as a service](waas-quick-start.md) | Added video that explains how Windows as a service works. |
@ -58,7 +65,7 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in
| [Manage device restarts after updates](waas-restart.md) | New |
| [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | New |
| [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) |Added an important note about Cortana and Office 365 integration. |
| [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) | Fixed the explanation for Start behavior when the .xml file containing the layout is not available when the user signs in. |
| [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) | Fixed the explanation for Start behavior when the .xml file containing the layout is not available when the user signs in. |
| [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added link to the Windows Restricted Traffic Limited Functionality Baseline. Added Teredo Group Policy. |
| [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) | Added Current Branch for Business (CBB) support for Windows 10 IoT Mobile. |
@ -85,7 +92,7 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in
## RELEASE: Windows 10, version 1607
The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added:
The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added:
- [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md)
- [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
@ -117,7 +124,7 @@ The topics in this library have been updated for Windows 10, version 1607 (also
| [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) | New telemetry content |
| [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) |Removed info about sharing wi-fi network access with contacts, since it's been deprecated. |
| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Corrected script for setting a custom shell using Shell Launcher |
| [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md) | Removed Windows 10 Mobile from **Applies to** |
| [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md) | Removed Windows 10 Mobile from **Applies to** |
@ -142,12 +149,12 @@ The topics in this library have been updated for Windows 10, version 1607 (also
| New or changed topic | Description |
| ---|---|
| [Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md) | Added call history and email to the Settings &gt; Privacy section.<br />Added the Turn off Windows Mail application Group Policy to the Mail synchronization section. |
| [Customize and export Start layout](customize-and-export-start-layout.md) | Added a note to clarify that partial Start layout is only supported in Windows 10, version 1511 and later |
| [Customize and export Start layout](customize-and-export-start-layout.md) | Added a note to clarify that partial Start layout is only supported in Windows 10, version 1511 and later |
| [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) | Added instructions for replacing markup characters with escape characters in Start layout XML |
| [Introduction to configuration service providers (CSPs) for IT pros](how-it-pros-can-use-configuration-service-providers.md) | New |
| [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) | New |
| [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md) | Added information on servicing options for Windows 10 Mobile, Windows 10 Mobile Enterprise, and Windows 10 IoT Core (IoT Core). |
 
| [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md) | Added information on servicing options for Windows 10 Mobile, Windows 10 Mobile Enterprise, and Windows 10 IoT Core (IoT Core). |
## December 2015
@ -185,5 +192,3 @@ The topics in this library have been updated for Windows 10, version 1607 (also
[Change history for Deploy Windows 10](../deploy/change-history-for-deploy-windows-10.md)
[Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md)
 

17
windows/manage/configure-windows-telemetry-in-your-organization.md
View File

@ -98,17 +98,17 @@ Windows telemetry also helps Microsoft better understand how customers use (or d
### Insights into your own organization
Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. The first of these, called [Windows 10 Upgrade Analytics](../deploy/manage-windows-upgrades-with-upgrade-analytics.md).
Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. The first of these, called [Upgrade Readiness](../deploy/manage-windows-upgrades-with-upgrade-readiness.md).
#### Windows 10 Upgrade Analytics
#### Upgrade Readiness
Upgrading to new operating system versions has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points.
To better help customers through this difficult process, Microsoft developed Upgrade Analytics to give enterprises the tools to plan and manage the upgrade process end to end and allowing them to adopt new Windows releases more quickly and on an ongoing basis.
To better help customers through this difficult process, Microsoft developed Upgrade Readiness to give enterprises the tools to plan and manage the upgrade process end to end and allowing them to adopt new Windows releases more quickly and on an ongoing basis.
With Windows telemetry enabled, Microsoft collects computer, application, and driver compatibility-related information for analysis. We then identify compatibility issues that can block your upgrade and suggest fixes when they are known to Microsoft.
Use Upgrade Analytics to get:
Use Upgrade Readiness to get:
- A visual workflow that guides you from pilot to production
- Detailed computer, driver, and application inventory
@ -118,7 +118,7 @@ Use Upgrade Analytics to get:
- Application usage information, allowing targeted validation; workflow to track validation progress and decisions
- Data export to commonly used software deployment tools
The Upgrade Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
## How is telemetry data handled by Microsoft?
@ -179,7 +179,7 @@ The levels are cumulative and are illustrated in the following diagram. Also, th
### Security level
The Security level gathers only the telemetry info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windos IoT Core editions.
The Security level gathers only the telemetry info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windows IoT Core editions.
> [!NOTE]
> If your organization relies on Windows Update for updates, you shouldnt use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates.
@ -216,6 +216,8 @@ No user content, such as user files or communications, is gathered at the **Secu
The Basic level gathers a limited set of data thats critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a particular hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. The Connected User Experience and Telemetry component does not gather telemetry data about System Center, but it can transmit telemetry for other non-Windows applications if they have user consent.
The normal upload range for the Basic telemetry level is between 109 KB - 159 KB per day, per device.
The data gathered at this level includes:
- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 in the ecosystem. Examples include:
@ -256,12 +258,15 @@ The data gathered at this level includes:
- **Windows Store**. Provides information about how the Windows Store performs, including app downloads, installations, and updates. It also includes Windows Store launches, page views, suspend and resumes, and obtaining licenses.
### Enhanced level
The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experience with the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements.
This is the default level for Windows 10 Enterprise and Windows 10 Education editions, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues.
The normal upload range for the Enhanced telemetry level is between 239 KB - 348 KB per day, per device.
The data gathered at this level includes:
- **Operating system events**. Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components.

37
windows/manage/cortana-at-work-scenario-6.md
View File

@ -1,13 +1,14 @@
---
title: Test scenario 6 - Use Cortana and Windows Information Protection (WIP) to help protect your organizations data on a device (Windows 10)
description: An optional test scenario about how to use Cortana at work with Windows Information Protection (WIP).
title: Test scenario 6 - Review a reminder suggested by Cortana based on what youve promised in email (Windows 10)
description: A test scenario about how to use Cortana with the Suggested reminders feature.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
localizationpriority: high
---
# Test scenario 6 - Use Cortana and Windows Information Protection (WIP) to help protect your organizations data on a device
# Test scenario 6 - Review a reminder suggested by Cortana based on what youve promised in email
- Windows 10, Windows Insider Program
- Windows 10 Mobile, Windows Insider Program
@ -16,22 +17,32 @@ localizationpriority: high
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
>[!IMPORTANT]
>The data created as part of these scenarios will be uploaded to Microsofts Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
>The data created as part of these scenarios will be uploaded to Microsofts Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. For more info, see the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Microsoft Services Agreement](https://www.microsoft.com/en-us/servicesagreement).
This optional scenario helps you to protect your organizations data on a device, based on an inspection by Cortana.
Cortana automatically finds patterns in your email, suggesting reminders based things that you said you would do so you dont forget about them. For example, Cortana recognizes that if you include the text, _Ill get this to you by the end of the week_ in an email, you're making a commitment to provide something by a specific date. Cortana can now suggest that you be reminded about this event, letting you decide whether to keep it or to cancel it.
## Use Cortana and WIP to protect your organizations data
>[!NOTE]
>The Suggested reminders feature is currently only available in English (en-us).
1. Create and deploy an WIP policy to your organization. For info about how to do this, see [Protect your enterprise data using Windows Information Protection (WIP)](../keep-secure/protect-enterprise-data-using-wip.md).
**To use Cortana to create Suggested reminders for you**
2. Create a new email from a non-protected or personal mailbox, including the text _Ill send you that presentation tomorrow_.
1. Make sure that you've connected Cortana to Office 365. For the steps to connect, see [Set up and test Cortana with Office 365 in your organization](cortana-at-work-o365.md).
3. Wait up to 2 hours to make sure everything has updated, click the **Cortana** icon in the taskbar, and then click in the **Search** bar.
2. Click on the **Cortana** search box in the taskbar, click the **Notebook** icon, and then click **Permissions**.
Cortana automatically pulls your commitment to sending the presentation out of your email, showing it to you.
3. Make sure the **Contacts, email, calendar, and communication history** option is turned on.
4. Create a new email from a protected mailbox, including the same text as above, _Ill send you that presentation tomorrow_.
![Permissions options for Cortana at work](images/cortana-communication-history-permissions.png)
5. Wait until everything has updated again, click the **Cortana** icon in the taskbar, and then click in the **Search** bar.
4. Click the **Notebook** icon again, click the **Suggested reminders** option, click to turn on the **All reminder suggestions cards** option, click the **Notify me when something I mentioned doing is coming up** box, and then click **Save**.
![Suggested reminders options for Cortana at work](images/cortana-suggested-reminder-settings.png)
5. Create and send an email to yourself (so you can see the Suggested reminder), including the text, _Ill finish this project by end of day today_.
6. After you get the email, click on the Cortana **Home** icon, and scroll to todays events.
If the reminder has a specific date or time associated with it, like end of day, Cortana notifies you at the appropriate time and puts the reminder into the Action Center. Also from the Home screen, you can view the email where you made the promise, set aside time on your calendar, officially set the reminder, or mark the reminder as completed.
![Cortana Home screen with your suggested reminder showing](images/cortana-suggested-reminder.png)
Because it was in an WIP-protected email, the presentation info isnt pulled out and it isnt shown to you.

38
windows/manage/cortana-at-work-scenario-7.md Normal file
View File

@ -0,0 +1,38 @@
---
title: Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organizations data on a device (Windows 10)
description: An optional test scenario about how to use Cortana at work with Windows Information Protection (WIP).
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
localizationpriority: high
---
# Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organizations data on a device
- Windows 10, Windows Insider Program
- Windows 10 Mobile, Windows Insider Program
>[!IMPORTANT]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
>[!IMPORTANT]
>The data created as part of these scenarios will be uploaded to Microsofts Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
This optional scenario helps you to protect your organizations data on a device, based on an inspection by Cortana.
## Use Cortana and WIP to protect your organizations data
1. Create and deploy an WIP policy to your organization. For info about how to do this, see [Protect your enterprise data using Windows Information Protection (WIP)](../keep-secure/protect-enterprise-data-using-wip.md).
2. Create a new email from a non-protected or personal mailbox, including the text _Ill send you that presentation tomorrow_.
3. Wait up to 2 hours to make sure everything has updated, click the **Cortana** icon in the taskbar, and then click in the **Search** bar.
Cortana automatically pulls your commitment to sending the presentation out of your email, showing it to you.
4. Create a new email from a protected mailbox, including the same text as above, _Ill send you that presentation tomorrow_.
5. Wait until everything has updated again, click the **Cortana** icon in the taskbar, and then click in the **Search** bar.
Because it was in an WIP-protected email, the presentation info isnt pulled out and it isnt shown to you.

14
windows/manage/cortana-at-work-testing-scenarios.md
View File

@ -18,15 +18,19 @@ localizationpriority: high
We've come up with a list of suggested testing scenarios that you can use to test Cortana in your organization. After you complete all the scenarios, you should be able to:
- Sign-in to Cortana using Azure AD, manage entries in the notebook, and search for content across your device, Bing, and the cloud, using Cortana.
- [Sign-in to Cortana using Azure AD, manage entries in the notebook, and search for content across your device, Bing, and the cloud, using Cortana](cortana-at-work-scenario-1.md)
- Set a reminder and have it remind you when youve reached a specific location.
- [Perform a quick search with Cortana at work](cortana-at-work-scenario-2.md)
- Search for your upcoming meetings on your work calendar.
- [Set a reminder and have it remind you when youve reached a specific location](cortana-at-work-scenario-3.md)
- Send an email to a co-worker from your work email app.
- [Search for your upcoming meetings on your work calendar](cortana-at-work-scenario-4.md)
- Use WIP to secure content on a device and then try to manage your organizations entries in the notebook.
- [Send an email to a co-worker from your work email app](cortana-at-work-scenario-5.md)
- [Review a reminder suggested by Cortana based on what youve promised in email](cortana-at-work-scenario-6.md)
- [Use Windows Information Protection (WIP) to secure content on a device and then try to manage your organizations entries in the notebook](cortana-at-work-scenario-7.md)
>[!IMPORTANT]
>The data created as part of these scenarios will be uploaded to Microsofts Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.

BIN
windows/manage/images/cortana-communication-history-permissions.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 46 KiB

BIN
windows/manage/images/cortana-suggested-reminder-settings.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 55 KiB

BIN
windows/manage/images/cortana-suggested-reminder.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 21 KiB

2
windows/manage/start-layout-xml-desktop.md
View File

@ -224,7 +224,7 @@ The following example shows how to create a tile of the Web site's URL using the
Column="4"/>
```
The following table describes the other attributes that you can use with the **start:SecondaryTile** tag in addition to *8Size**, **Row**, and *8Column**.
The following table describes the other attributes that you can use with the **start:SecondaryTile** tag in addition to **Size**, **Row**, and **Column**.
| Attribute | Required/optional | Description |
| --- | --- | --- |

2
windows/manage/waas-delivery-optimization.md
View File

@ -99,6 +99,8 @@ Download mode dictates which download sources clients are allowed to use when do
By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and AD DS site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or AD DS site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to peer. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group.
>[!NOTE]
>To generate a GUID using Powershell, use [```[guid]::NewGuid()```](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/)
>
>This configuration is optional and not required for most implementations of Delivery Optimization.
### Max Cache Age

22
windows/manage/waas-optimize-windows-10-updates.md
View File

@ -13,24 +13,24 @@ localizationpriority: high
**Applies to**
- Windows 10
- Windows 10
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
When considering your content distribution strategy for Windows 10, think about enabling a form of peer-to-peer content sharing to reduce bandwidth issues during updates. Windows 10 offers two peer-to-peer options for update content distribution: Delivery Optimization and BranchCache. These technologies can be used with several of the servicing tools for Windows 10.
Two methods of peer-to-peer content distribution are available in Windows 10.
Two methods of peer-to-peer content distribution are available in Windows 10.
- [Delivery Optimization](waas-delivery-optimization.md) is a new peer-to-peer distribution method in Windows 10. Windows 10 clients can source content from other devices on their local network that have already downloaded the updates or from peers over the internet. Using the settings available for Delivery Optimization, clients can be configured into groups, allowing organizations to identify devices that are possibly the best candidates to fulfil peer-to-peer requests.
- [Delivery Optimization](waas-delivery-optimization.md) is a new peer-to-peer distribution method in Windows 10. Windows 10 clients can source content from other devices on their local network that have already downloaded the updates or from peers over the internet. Using the settings available for Delivery Optimization, clients can be configured into groups, allowing organizations to identify devices that are possibly the best candidates to fulfil peer-to-peer requests.
Windows Update, Windows Update for Business, and Windows Server Update Services (WSUS) can use Delivery Optimization. Delivery Optimization can significantly reduce the amount of network traffic to external Windows Update sources as well as the time it takes for clients to retrieve the updates.
Windows Update, Windows Update for Business, and Windows Server Update Services (WSUS) can use Delivery Optimization. Delivery Optimization can significantly reduce the amount of network traffic to external Windows Update sources as well as the time it takes for clients to retrieve the updates.
- [BranchCache](waas-branchcache.md) is a bandwidth optimization technology that is included in some editions of the Windows Server 2016 Technical Preview and Windows 10 operating systems, as well as in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7.
- [BranchCache](waas-branchcache.md) is a bandwidth optimization technology that is included in some editions of the Windows Server 2016 Technical Preview and Windows 10 operating systems, as well as in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7.
>[!NOTE]
>Full BranchCache functionality is supported in Windows 10 Enterprise and Education; Windows 10 Pro supports some BranchCache functionality, including BITS transfers used for servicing operations.
Windows Server Update Services (WSUS) and System Center Configuration Manager can use BranchCache to allow peers to source content from each other versus always having to contact a server. Using BranchCache, files are cached on each individual client, and other clients can retrieve them as needed. This approach distributes the cache rather than having a single point of retrieval, saving a significant amount of bandwidth while drastically reducing the time that it takes for clients to receive the requested content.
Windows Server Update Services (WSUS) and System Center Configuration Manager can use BranchCache to allow peers to source content from each other versus always having to contact a server. Using BranchCache, files are cached on each individual client, and other clients can retrieve them as needed. This approach distributes the cache rather than having a single point of retrieval, saving a significant amount of bandwidth while drastically reducing the time that it takes for clients to receive the requested content.
</br></br>
@ -50,7 +50,7 @@ Windows 10 update downloads can be large because every package contains all prev
### How Microsoft supports Express
- **Express on WSUS Standalone**
Express update delivery is available on [all support versions of WSUS](https://technet.microsoft.com/library/cc708456(v=ws.10).aspx).
- **Express on devices directly connected to Windows Update**
- **Enterprise devices managed using [Windows Update for Business](waas-manage-updates-wufb.md)** also get the benefit of Express update delivery support without any change in configuration.
@ -61,7 +61,7 @@ For OS updates that support Express, there are two versions of the file payload
1. **Full-file version** - essentially replacing the local versions of the update binaries.
2. **Express version** - containing the deltas needed to patch the existing binaries on the device.
Both the full-file version and the Express version are referenced in the udpate's metadata, which has been downloaded to the client as part of the scan phase.
Both the full-file version and the Express version are referenced in the update's metadata, which has been downloaded to the client as part of the scan phase.
**Express download works as follows:**
@ -96,7 +96,7 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma
## Related topics
- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
@ -104,5 +104,3 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
- [Manage device restarts after updates](waas-restart.md)

62
windows/manage/windows-store-for-business-overview.md
View File

@ -89,50 +89,12 @@ For more information, see [Sign up for the Store for Business](../manage/sign-up
After your admin signs up for the Store for Business, they can assign roles to other employees in your company. The admin needs Azure AD User Admin permissions to assign WSFB roles. These are the roles and their permissions.
<table>
<colgroup>
<col width="20%" />
<col width="20%" />
<col width="20%" />
<col width="20%" />
<col width="20%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Permission</th>
<th align="left">Account settings</th>
<th align="left">Acquire apps</th>
<th align="left">Distribute apps</th>
<th align="left">Device Guard signing</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Admin</p></td>
<td align="left"><p>X</p></td>
<td align="left"><p>X</p></td>
<td align="left"><p>X</p></td>
<td align="left"></td>
</tr>
<tr class="even">
<td align="left"><p>Purchaser</p></td>
<td align="left"></td>
<td align="left"><p>X</p></td>
<td align="left"><p>X</p></td>
<td align="left"></td>
</tr>
<tr class="odd">
<td align="left"><p>Device Guard signer</p></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"><p>X</p></td>
</tr>
</tbody>
</table>
| Permission | Account settings | Acquire apps | Distribute apps | Device Guard signing |
| ---------- | ---------------- | ------------ | --------------- | -------------------- |
| Admin | X | X | X | |
| Purchaser | | X | X | |
| Device Guard signer | | | | X |
In some cases, admins will need to add Azure Active Directory (AD) accounts for their employees. For more information, see [Manage user accounts and groups](../manage/manage-users-and-groups-windows-store-for-business.md).
Also, if your organization plans to use a management tool, youll need to configure your management tool to sync with the Store for Business.
@ -367,7 +329,19 @@ Store for Business is currently available in these markets.
</tr>
</table>
## Privacy notice
Microsoft Store for Business services get names and email addresses of people in your organization from Azure Active Directory. This information is needed for these admin functions:
- Granting and managing permissions
- Managing app licenses
- Distributing apps to people (names appear in a list that admins can select from)
Store for Business does not save names, or email addresses.
Your use of Store for Business is also governed by the Store for Business Terms of Use.
Information sent to Store for Business is subject to the [Store for Business Privacy Statement](https://privacy.microsoft.com/privacystatement/).
## <a href="" id="isv-wsfb"></a>ISVs and the Store for Business