deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 05:47:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' of https://cpubwin.visualstudio.com/_git/it-client into FromPrivateRepo

Browse Source
This commit is contained in:
Huaping Yu (Beyondsoft Consulting Inc) 2018-06-18 10:35:08 -07:00
commit 3d2ee75c11
13 changed files with 321 additions and 450 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

73
mdop/appv-v5/how-to-deploy-the-app-v-50-server-using-a-script.md
View File

@ -7,7 +7,7 @@ ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
ms.date: 06/16/2016
ms.date: 06/15/2018
---
@ -16,16 +16,15 @@ ms.date: 06/16/2016
In order to complete the **appv\_server\_setup.exe** Server setup successfully using the command line, you must specify and combine multiple parameters.
**To Install the App-V 5.0 server using a script**
Use the following tables for more information about installing the App-V 5.0 server using the command line.
- Use the following tables for more information about installing the App-V 5.0 server using the command line.
>[!NOTE]  
>The information in the following tables can also be accessed using the command line by typing the following command:
>```
> appv\_server\_setup.exe /?
>```
**Note**  
The information in the following tables can also be accessed using the command line by typing the following command: **appv\_server\_setup.exe /?**.
 
**Common parameters and Examples**
## Common parameters and Examples
<table>
<colgroup>
@ -67,9 +66,7 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
</tr>
</tbody>
</table>
 
<table>
<colgroup>
<col width="50%" />
@ -109,9 +106,7 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
<p>/EXISTING_MANAGEMENT_DB_NAME =”AppVManagement”</p></td>
</tr>
</tbody>
</table>
 
</table>  
<table>
<colgroup>
@ -153,9 +148,7 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
</tr>
</tbody>
</table>
 
<table>
<colgroup>
<col width="50%" />
@ -191,8 +184,6 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
</tbody>
</table>
 
<table>
<colgroup>
<col width="50%" />
@ -228,8 +219,6 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
</tbody>
</table>
 
<table>
<colgroup>
<col width="50%" />
@ -255,8 +244,6 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
</tbody>
</table>
 
<table>
<colgroup>
<col width="50%" />
@ -298,8 +285,6 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
</tbody>
</table>
 
<table>
<colgroup>
<col width="50%" />
@ -339,8 +324,6 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
</tbody>
</table>
 
<table>
<colgroup>
<col width="50%" />
@ -380,8 +363,6 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
</tbody>
</table>
 
<table>
<colgroup>
<col width="50%" />
@ -417,8 +398,6 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
</tbody>
</table>
 
<table>
<colgroup>
<col width="50%" />
@ -454,11 +433,9 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
</tbody>
</table>
 
## Parameter Definitions
**Parameter Definitions**
**General Parameters**
### General Parameters
<table>
<colgroup>
@ -503,9 +480,7 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
</tbody>
</table>
 
**Management Server Installation Parameters**
### Management Server Installation Parameters
<table>
<colgroup>
@ -538,9 +513,7 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
</tbody>
</table>
 
**Parameters for the Management Server Database**
### Parameters for the Management Server Database
<table>
<colgroup>
@ -585,9 +558,7 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
</tbody>
</table>
 
**Parameters for Installing Publishing Server**
### Parameters for Installing Publishing Server
<table>
<colgroup>
@ -620,9 +591,7 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
</tbody>
</table>
 
**Parameters for Reporting Server**
### Parameters for Reporting Server
<table>
<colgroup>
@ -653,7 +622,7 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
 
**Parameters for using an Existing Reporting Server Database**
### Parameters for using an Existing Reporting Server Database
<table>
<colgroup>
@ -690,9 +659,7 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
</tbody>
</table>
 
**Parameters for installing Reporting Server Database**
### Parameters for installing Reporting Server Database
<table>
<colgroup>
@ -733,9 +700,7 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
</tbody>
</table>
 
**Parameters for using an existing Management Server Database**
### Parameters for using an existing Management Server Database
<table>
<colgroup>
@ -773,12 +738,10 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
</tr>
</tbody>
</table>
 
## Related topics
[Deploying the App-V 5.0 Server](deploying-the-app-v-50-server.md)
 

171
mdop/mbam-v25/how-to-move-the-mbam-25-databases.md
View File

@ -7,7 +7,7 @@ ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
ms.prod: w10
ms.date: 05/23/2018
ms.date: 06/15/2018
---
# How to Move the MBAM 2.5 Databases
@ -64,8 +64,8 @@ The high-level steps for moving the Recovery Database are:
To automate this procedure, you can use Windows PowerShell to enter a command that is similar to the following:
```syntax
PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"
```powershell
Stop-Website "Microsoft BitLocker Administration and Monitoring"
```
@ -130,8 +130,8 @@ PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"
4. In Windows PowerShell, run the script that is stored in the file and similar to the following:
```syntax
PS C:\> Invoke-Sqlcmd -InputFile
```powershell
Invoke-Sqlcmd -InputFile
'Z:\BackupMBAMRecoveryandHardwarDatabaseScript.sql' -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$
```
5. Use the following value to replace the values in the code example with values that match your environment:
@ -144,24 +144,24 @@ Use Windows Explorer to move the **MBAM Compliance Status Database Data.bak** fi
To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following:
```syntax
PS C:\> Copy-Item “Z:\MBAM Recovery Database Data.bak”
```powershell
Copy-Item “Z:\MBAM Recovery Database Data.bak”
\\$SERVERNAME$\$DESTINATIONSHARE$
PS C:\> Copy-Item “Z:\SQLServerInstanceCertificateFile”
Copy-Item “Z:\SQLServerInstanceCertificateFile”
\\$SERVERNAME$\$DESTINATIONSHARE$
PS C:\> Copy-Item “Z:\SQLServerInstanceCertificateFilePrivateKey”
Copy-Item “Z:\SQLServerInstanceCertificateFilePrivateKey”
\\$SERVERNAME$\$DESTINATIONSHARE$
```
Use the information in the following table to replace the values in the code example with values that match your environment.
| **Parameter** | **Description** |
|----------------------|---------------------------------------------------------------|
|----------------------|------------------|
| $SERVERNAME$ | Name of the server to which the files will be copied. |
| $DESTINATIONSHARE$ | Name of the share and path to which the files will be copied. |
|---|---|
### Restore the Recovery Database on Server B
@ -173,7 +173,7 @@ Use the information in the following table to replace the values in the code exa
4. To automate this procedure, create a SQL file (.sql) that contains the following SQL script:
```syntax
```
-- Restore MBAM Recovery Database.
USE master
@ -219,8 +219,8 @@ Use the information in the following table to replace the values in the code exa
6. In Windows PowerShell, run the script that is stored in the file and similar to the following:
```syntax
PS C:\> Invoke-Sqlcmd -InputFile 'Z:\RestoreMBAMRecoveryandHardwarDatabaseScript.sql' -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$
```powershell
Invoke-Sqlcmd -InputFile 'Z:\RestoreMBAMRecoveryandHardwarDatabaseScript.sql' -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$
```
7. Use the following value to replace the values in the code example with values that match your environment.
@ -245,19 +245,19 @@ Use the information in the following table to replace the values in the code exa
6. To automate this process, you can use the Windows PowerShell command prompt to enter a command line on the Administration and Monitoring Server that is similar to the following:
```syntax
PS C:\> reg add "HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\MBAM Server\\Web" /v
```powershell
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\MBAM Server\\Web" /v
RecoveryDBConnectionString /t REG_SZ /d "Integrated Security=SSPI;Initial
Catalog=$DATABASE$;Data Source=$SERVERNAME$\$SQLINSTANCENAME$" /f
PS C:\> Set-WebConfigurationProperty
Set-WebConfigurationProperty
'connectionStrings/add[@name="KeyRecoveryConnectionString"]' -PSPath
"IIS:\sites\Microsoft Bitlocker Administration and
Monitoring\MBAMAdministrationService" -Name "connectionString" -Value “Data
Source=$SERVERNAME$\$SQLINSTANCENAME$;Initial Catalog=MBAM Recovery and
Hardware;Integrated Security=SSPI;”
PS C:\> Set-WebConfigurationProperty
Set-WebConfigurationProperty
'connectionStrings/add[\@name="Microsoft.Mbam.RecoveryAndHardwareDataStore.ConnectionString"]'
-PSPath "IIS:\sites\Microsoft Bitlocker Administration and
Monitoring\MBAMRecoveryAndHardwareService" -Name "connectionString" -Value
@ -271,52 +271,11 @@ Use the information in the following table to replace the values in the code exa
7. Use the following table to replace the values in the code example with values that match your environment.
```html
<table>
|Parameter|Description|
|---------|-----------|
|$SERVERNAME$/\$SQLINSTANCENAME$|Server name and instance of SQL Server where the Recovery Database is located.|
|$DATABASE$|Name of the Recovery database.|
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Parameter</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>$SERVERNAME$\$SQLINSTANCENAME$</p></td>
<td align="left"><p>Server name and instance of SQL Server where the Recovery Database is located.</p></td>
</tr>
<tr class="even">
<td align="left"><p>$DATABASE$</p></td>
<td align="left"><p>Name of the Recovery database.</p></td>
</tr>
</tbody>
</table>
```
### Install MBAM Server software and run the MBAM Server Configuration wizard on Server B
@ -334,8 +293,8 @@ On the server that is running the Administration and Monitoring Website, use the
To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following:
```syntax
PS C:\> Start-Website "Microsoft BitLocker Administration and Monitoring"
```powershell
Start-Website "Microsoft BitLocker Administration and Monitoring"
```
>[!NOTE]
@ -366,8 +325,8 @@ The high-level steps for moving the Compliance and Audit Database are:
To automate this procedure, you can use Windows PowerShell to enter a command that is similar to the following:
```syntax
PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"
```powershell
Stop-Website "Microsoft BitLocker Administration and Monitoring"
```
@ -380,8 +339,7 @@ PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"
2. To automate this procedure, create a SQL file (.sql) that contains the following SQL script:
```syntax
```
USE master;
GO
@ -414,8 +372,8 @@ PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"
3. Run the script that is stored in the .sql file by using a Windows PowerShell command that is similar to the following:
```syntax
PS C:\> Invoke-Sqlcmd -InputFile "Z:\BackupMBAMComplianceStatusDatabaseScript.sql" ServerInstance $SERVERNAME$\$SQLINSTANCENAME$
```powershell
Invoke-Sqlcmd -InputFile "Z:\BackupMBAMComplianceStatusDatabaseScript.sql" ServerInstance $SERVERNAME$\$SQLINSTANCENAME$
```
@ -429,10 +387,9 @@ PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"
2. To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following:
```syntax
PS C:\> Copy-Item "Z:\MBAM Compliance Status Database Data.bak"
```powershell
Copy-Item "Z:\MBAM Compliance Status Database Data.bak"
\\$SERVERNAME$\$DESTINATIONSHARE$
```
3. Using the following table, replace the values in the code example with values that match your environment.
@ -441,7 +398,7 @@ PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"
|----------------------|---------------------------------------------------------------|
| $SERVERNAME$ | Name of the server to which the files will be copied. |
| $DESTINATIONSHARE$ | Name of the share and path to which the files will be copied. |
|---|---|
### Restore the Compliance and Audit Database on Server B
@ -453,7 +410,7 @@ PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"
4. To automate this procedure, create a SQL file (.sql) that contains the following SQL script:
```syntax
```
-- Create MBAM Compliance Status Database Data logical backup devices.
Use master
@ -472,8 +429,8 @@ PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"
5. In Windows PowerShell, run the script that is stored in the file and similar to the following:
```syntax
PS C:\> Invoke-Sqlcmd -InputFile "Z:\RestoreMBAMComplianceStatusDatabaseScript.sql" -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$
```powershell
Invoke-Sqlcmd -InputFile "Z:\RestoreMBAMComplianceStatusDatabaseScript.sql" -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$
```
@ -500,8 +457,8 @@ PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"
6. To automate this process, you can use the Windows PowerShell command prompt to enter a command line on the Administration and Monitoring Server that is similar to the following:
```syntax
PS C:\> reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM Server\Web" /v
```powershell
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM Server\Web" /v
ComplianceDBConnectionString /t REG_SZ /d "Integrated Security=SSPI;Initial
Catalog=$DATABASE$;Data Source=$SERVERNAME$\$SQLINSTANCENAME$" /f
@ -512,52 +469,10 @@ PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"
7. Using the following table, replace the values in the code example with values that match your environment.
```html
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Parameter</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>$SERVERNAME$\$SQLINSTANCENAME$</p></td>
<td align="left"><p>Server name and instance of SQL Server where the Recovery Database is located.</p></td>
</tr>
<tr class="even">
<td align="left"><p>$DATABASE$</p></td>
<td align="left"><p>Name of the recovered database.</p></td>
</tr>
</tbody>
</table>
```
|Parameter | Description |
|---------|------------|
|$SERVERNAME$\$SQLINSTANCENAME$ | Server name and instance of SQL Server where the Recovery Database is located.|
|$DATABASE$|Name of the recovered database.|
### Install MBAM Server software and run the MBAM Server Configuration wizard on Server B
@ -575,8 +490,8 @@ On the server that is running the Administration and Monitoring Website, use the
To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following:
```syntax
PS C:\> Start-Website "Microsoft BitLocker Administration and Monitoring"
```powershell
Start-Website "Microsoft BitLocker Administration and Monitoring"
```

175
mdop/mbam-v25/illustrated-features-of-an-mbam-25-deployment.md
View File

@ -7,7 +7,7 @@ ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
ms.prod: w10
ms.date: 06/16/2016
ms.date: 06/15/2018
---
@ -34,178 +34,61 @@ The following image and table explain the features in an MBAM Stand-alone topolo
![mbab2\-5](images/mbam2-5-standalonecomponents.png)
Feature type
Feature
Description
Database
Recovery Database
This database stores recovery data that is collected from MBAM client computers.
This feature is configured on a server running Windows Server and a supported SQL Server instance.
Compliance and Audit Database
This database stores compliance data, which is used primarily for the Reports that SQL Server Reporting Services hosts.
This feature is configured on a server running Windows Server and a supported SQL Server instance.
Compliance and Audit Reports
Reporting Web Service
This web service enables communication between the Administration and Monitoring Website and the SQL Server instance where reporting data is stored.
This feature is installed on a server running Windows Server.
Reporting Website (Administration and Monitoring Website)
You view Reports from the Administration and Monitoring Website. The Reports provide recovery audit and compliance status data about the client computers in your enterprise.
This feature is configured on a server running Windows Server.
SQL Server Reporting Services (SSRS)
Reports are configured in an SSRS database instance. Reports can be viewed directly from SSRS or from the Administration and Monitoring Website.
This feature is configured on a server running Windows Server and a supported SQL Server instance that is running SSRS.
Self-Service Server
Self-Service Web Service
This web service is used by the MBAM Client and the Administration and Monitoring Website and Self-Service Portal to communicate to the Recovery Database.
This feature is installed on a computer running Windows Server.
|Feature type|Description|Database|
|-|-|-|
|Recovery Database|This database stores recovery data that is collected from MBAM client computers.|This feature is configured on a server running Windows Server and a supported SQL Server instance.|
|Compliance and Audit Database|This database stores compliance data, which is used primarily for the Reports that SQL Server Reporting Services hosts.|This feature is configured on a server running Windows Server and a supported SQL Server instance.|
|Compliance and Audit Reports|||
|Reporting Web Service|This web service enables communication between the Administration and Monitoring Website and the SQL Server instance where reporting data is stored.|This feature is installed on a server running Windows Server.|
|Reporting Website (Administration and Monitoring Website)|You view Reports from the Administration and Monitoring Website. The Reports provide recovery audit and compliance status data about the client computers in your enterprise.|This feature is configured on a server running Windows Server.|
|SQL Server Reporting Services (SSRS)|Reports are configured in an SSRS database instance. Reports can be viewed directly from SSRS or from the Administration and Monitoring Website.|This feature is configured on a server running Windows Server and a supported SQL Server instance that is running SSRS.|
|Self-Service Server|||
|Self-Service Web Service|This web service is used by the MBAM Client and the Administration and Monitoring Website and Self-Service Portal to communicate to the Recovery Database.|This feature is installed on a computer running Windows Server.|
|Self-Service Website (Self-Service Portal)|This website enables end users on client computers to independently sign in to a website to get a recovery key if they lose or forget their BitLocker password.|This feature is configured on a computer running Windows Server.|
|Administration and Monitoring Server|||
|Administration and Monitoring Web Service|The Monitoring Web Service is used by the MBAM Client and the websites to communicate to the databases.|This feature is installed on a computer running Windows Server.|
**Important**  
The Self-Service Web Service is no longer available in Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1, in which the MBAM Client, the Administration and Monitoring Website, and the Self-Service Portal communicate directly with the Recovery Database.
 
Self-Service Website (Self-Service Portal)
This website enables end users on client computers to independently sign in to a website to get a recovery key if they lose or forget their BitLocker password.
This feature is configured on a computer running Windows Server.
Administration and Monitoring Server
Administration and Monitoring Web Service
The Monitoring Web Service is used by the MBAM Client and the websites to communicate to the databases.
This feature is installed on a computer running Windows Server.
**Important**  
The Monitoring Web Service is no longer available in Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1 since the MBAM Client and the websites communicate directly with the Recovery Database.
 
Administration and Monitoring Website (also known as the Help Desk
This Website is used by Help Desk users (users with the MBAM Report Users rights) to help end users regain access to their computers when they forget their PIN or password.
This feature is configured on a computer running Windows Server.
 
## <a href="" id="bkmk-cmintegrated"></a>System Center Configuration Manager Integration topology
The following image and table explain the features in the System Center Configuration Manager Integration topology.
![mbam2\-5](images/mbam2-5-cmcomponents.png)
Feature type
Feature
Description
Self-Service Server
Self-Service Web Service
This web service is used by the MBAM Client and the Self-Service Portal to communicate to the Recovery Database.
This feature is installed on a computer running Windows Server.
**Important**  
The Self-Service Web Service is no longer available in Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1, in which the MBAM Client, the Administration and Monitoring Website, and the Self-Service Portal communicate directly with the Recovery Database.
 
Self-Service Website
This website enables end users on client computers to independently sign in to a website to get a recovery key if they lose or forget their BitLocker password.
This feature is configured on a computer running Windows Server.
Administration and Monitoring Server/Recovery Audit Report
Administration and Monitoring Web Service
This web service enables communication between the Administration and Monitoring Website and the SQL Server databases where reporting data is stored.
This feature is installed on a server running Windows Server.
**Warning**  
The Monitoring Web Service is no longer available in Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1 since the MBAM Client and the websites communicate directly with the Recovery Database.
 
Administration and Monitoring Website
The Recovery Audit report is viewed from the Administration and Monitoring Website. Use the Configuration Manager console to view all other reports, or view reports directly from SQL Server Reporting Services.
This feature is configured on a server running Windows Server.
Databases
Recovery Database
This database stores recovery data that is collected from MBAM client computers.
This feature is configured on a server running Windows Server and a supported SQL Server instance.
Audit Database
This database stores audit information about recovery attempts and activity.
This feature is configured on a server running Windows Server and a supported SQL Server instance.
Configuration Manager Features
Configuration Manager Management console
This console is built into Configuration Manager and is used to view reports.
For viewing reports only, this feature can be installed on any server or client computer.
Configuration Manager Reports
Reports show compliance and recovery audit data for client computers in your enterprise.
The Reports feature is installed on a server running Windows Server and SSRS, and Reports run on a supported SQL Server instance. A reporting services point must be defined in Configuration Manager on the server that is running SSRS.
SQL Server Reporting Services
SSRS enables the MBAM Reports. Reports can be viewed directly from SSRS or from the Configuration Manager console.
SSRS is installed on a server running Windows Server. A reporting services point must be defined in Configuration Manager on the server that is running SSRS.
 
|Feature type|Description|
|-|-|
|Self-Service Server|||
|Self-Service Web Service|This web service is used by the MBAM Client and the Self-Service Portal to communicate to the Recovery Database.|This feature is installed on a computer running Windows Server.|
|Self-Service Website|This website enables end users on client computers to independently sign in to a website to get a recovery key if they lose or forget their BitLocker password.|This feature is configured on a computer running Windows Server.|
|Administration and Monitoring Server/Recovery Audit Report|||
|Administration and Monitoring Web Service|This web service enables communication between the Administration and Monitoring Website and the SQL Server databases where reporting data is stored.|This feature is installed on a server running Windows Server.|
|Administration and Monitoring Website|The Recovery Audit report is viewed from the Administration and Monitoring Website. Use the Configuration Manager console to view all other reports, or view reports directly from SQL Server Reporting Services.|This feature is configured on a server running Windows Server.|
|Databases|||
|Recovery Database|This database stores recovery data that is collected from MBAM client computers.|This feature is configured on a server running Windows Server and a supported SQL Server instance.|
|Audit Database|This database stores audit information about recovery attempts and activity.|This feature is configured on a server running Windows Server and a supported SQL Server instance.|
|Configuration Manager Features|||
|Configuration Manager Management console|This console is built into Configuration Manager and is used to view reports.|For viewing reports only, this feature can be installed on any server or client computer.|
|Configuration Manager Reports|Reports show compliance and recovery audit data for client computers in your enterprise.|The Reports feature is installed on a server running Windows Server and SSRS, and Reports run on a supported SQL Server instance. A reporting services point must be defined in Configuration Manager on the server that is running SSRS.|
|SQL Server Reporting Services|SSRS enables the MBAM Reports. Reports can be viewed directly from SSRS or from the Configuration Manager console.|SSRS is installed on a server running Windows Server. A reporting services point must be defined in Configuration Manager on the server that is running SSRS.|
## Related topics
[High-Level Architecture for MBAM 2.5](high-level-architecture-for-mbam-25.md)
[Getting Started with MBAM 2.5](getting-started-with-mbam-25.md)
 
 
## Got a suggestion for MBAM?
- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring).
- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).

13
mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md
View File

@ -7,7 +7,7 @@ ms.pagetype: mdop
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w8
ms.date: 07/26/2017
ms.date: 06/15/2018
---
@ -18,7 +18,6 @@ You can manage the feature settings of certain Microsoft Desktop Optimization Pa
## MDOP Group Policy templates
**How to download and deploy the MDOP Group Policy templates**
1. Download the latest [MDOP Group Policy templates](https://www.microsoft.com/en-us/download/details.aspx?id=55531)
@ -28,15 +27,13 @@ You can manage the feature settings of certain Microsoft Desktop Optimization Pa
**Warning**  
Do not extract the templates directly to the Group Policy deployment directory. Multiple technologies and versions are bundled in this file.
 
3. In the extracted folder, locate the technology-version .admx file. Certain MDOP technologies have multiple sets of Group Policy Objects (GPOs). For example, MBAM includes MBAM Management settings and MBAM User settings.
4. Locate the appropriate .adml file by language-culture (that is, *en-us* for English-United States).
5. Copy the .admx and .adml files to a policy definition folder. Depending on where you store the templates, you can configure Group Policy settings from the local device or from any computer on the domain.
**Local files:** To configure Group Policy settings from the local device, copy template files to the following locations:
- **Local files:** To configure Group Policy settings from the local device, copy template files to the following locations:
<table>
<colgroup>
@ -61,9 +58,7 @@ You can manage the feature settings of certain Microsoft Desktop Optimization Pa
</tbody>
</table>
 
**Domain central store:** To enable Group Policy settings configuration by a Group Policy administrator from any computer on the domain, copy files to the following locations on the domain controller:
- **Domain central store:** To enable Group Policy settings configuration by a Group Policy administrator from any computer on the domain, copy files to the following locations on the domain controller:
<table>
<colgroup>
@ -89,8 +84,6 @@ You can manage the feature settings of certain Microsoft Desktop Optimization Pa
</tbody>
</table>
 
6. Edit the Group Policy settings using Group Policy Management Console (GPMC) or Advanced Group Policy Management (AGPM) to configure Group Policy settings for the MDOP technology.
### MDOP Group Policy by technology

8
windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
View File

@ -1,14 +1,14 @@
---
title: How to configure access to packages by using the Management console (Windows 10)
description: How to configure access to packages by using the App-V Management console.
title: How to configure access to packages by using the Management Console (Windows 10)
description: How to configure access to packages by using the App-V Management Console.
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
ms.date: 06/15/2018
ms.date: 06/18/2018
---
# How to configure access to packages by using the Management console
# How to configure access to packages by using the Management Console
>Applies to: Windows 10, version 1607

57
windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md
View File

@ -1,64 +1,65 @@
---
title: How to Make a Connection Group Ignore the Package Version (Windows 10)
description: How to Make a Connection Group Ignore the Package Version
title: How to make a connection group ignore the package version (Windows 10)
description: How to make a connection group ignore the package version.
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.date: 06/18/2018
---
# How to make a connection group ignore the package version
> Applies to: Windows 10, version 1607
# How to Make a Connection Group Ignore the Package Version
You can use Application Virtualization (App-V) to configure a connection group to use any version of a package, simplifying package upgrades and reducing the number of connection groups you need to create.
**Applies to**
- Windows 10, version 1607
You can also configure a connection group to accept any version of a package, so that you can upgrade the package without having to disable the connection group.
Application Virtualization (App-V) lets you configure a connection group to use any version of a package, which simplifies package upgrades and reduces the number of connection groups you need to create.
- If the connection group has access to multiple versions of a package, App-V will use the latest version.
You can configure a connection group to accept any version of a package, which enables you to upgrade the package without having to disable the connection group:
- If the connection group contains an optional package with an incorrect version, App-V ignores the package and wont block the connection groups virtual environment from being created.
- If the connection group has access to multiple versions of a package, the latest version is used.
- If the connection group contains a non-optional package that has an incorrect version, App-V won't be able to create the connection groups virtual environment.
- If the connection group contains an optional package that has an incorrect version, the package is ignored and wont block the connection groups virtual environment from being created.
## Make a connection group ignore the package version with the App-V Server Management Console
- If the connection group contains a non-optional package that has an incorrect version, the connection groups virtual environment cannot be created.
## To make a connection group ignore the package version by using the App-V Server Management Console
1. In the Management Console, select **CONNECTION GROUPS**.
1. In the Management Console, select **Connection Groups**.
2. Select the correct connection group from the Connection Groups library.
3. Click **EDIT** in the CONNECTED PACKAGES pane.
3. Select **Edit** in the Connected Packages pane.
4. Select **Use Any Version** check box next to the package name, and click **Apply**.
4. Select the **Use Any Version** check box next to the package name, then select **Apply**.
For more about adding or upgrading packages, see [How to Add or Upgrade Packages by Using the Management Console](appv-add-or-upgrade-packages-with-the-management-console.md).
For more about adding or upgrading packages, see [How to add or upgrade packages by using the Management Console](appv-add-or-upgrade-packages-with-the-management-console.md).
## To make a connection group ignore the package version from the App-V client on a stand-alone computer
## Make a connection group ignore the package version from the App-V client on a stand-alone computer
1. Create the connection group XML document.
2. For the package to be upgraded, set the **Package** tag attribute **VersionID** to an asterisk (<strong>*</strong>).
2. Set the **Package** tag attribute **VersionID** to an asterisk (<strong>*</strong>) to upgrade the package.
3. Use the following cmdlet to add the connection group, and include the path to the connection group XML document:
3. Enter the following cmdlet (including the path to the connection group XML document) to add the connection group:
`Add-AppvClientConnectionGroup`
```PowerShell
Add-AppvClientConnectionGroup
```
For more information about how to use the **Add-AppvClientConnectionGroup** cmdlet, see [**Add-AppvClientConnectionGroup**](https://docs.microsoft.com/en-us/powershell/module/appvclient/add-appvclientconnectiongroup?view=win10-ps).
4. When you upgrade a package, use the following cmdlets to remove the old package, add the upgraded package, and publish the upgraded package:
- RemoveAppvClientPackage
- Add-AppvClientPackage
- Publish-AppvClientPackage
- [**Remove-AppvClientPackage**](https://docs.microsoft.com/en-us/powershell/module/appvclient/remove-appvclientpackage?view=win10-ps)
- [**Add-AppvClientPackage**](https://docs.microsoft.com/en-us/powershell/module/appvclient/add-appvclientpackage?view=win10-ps)
- [**Publish-AppvClientPackage**](https://docs.microsoft.com/en-us/powershell/module/appvclient/publish-appvclientpackage?view=win10-ps)
For more information, see [How to Manage App-V Packages Running on a Stand-Alone Computer by Using Windows PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md).
For more information, see [How to manage App-V packages running on a stand-alone computer by using Windows PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md).
## Have a suggestion for App-V?
Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).<br>For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
## Related topics
[Managing Connection Groups](appv-managing-connection-groups.md)
- [Managing connection groups](appv-managing-connection-groups.md)

6
windows/deployment/upgrade/windows-10-downgrade-paths.md
View File

@ -7,7 +7,7 @@ ms.sitesec: library
ms.localizationpriority: high
ms.pagetype: mobile
author: greg-lindsay
ms.date: 06/07/2018
ms.date: 06/15/2018
---
# Windows 10 downgrade paths
@ -77,9 +77,9 @@ Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 by entering a
<tr>
<td>Pro for Workstations</td>
<td></td>
<td align="center"></td>
<td></td>
<td align="center"></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>

6
windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
View File

@ -64,7 +64,7 @@ A TPM virtual smart card simulates a physical smart card, and it uses the TPM to
- **Isolated cryptography**: TPMs provide the same properties of isolated cryptography that is offered by physical smart cards, and this is utilized by virtual smart cards. Unencrypted copies of private keys are loaded only within the TPM and never into memory that is accessible by the operating system. All cryptographic operations with these private keys occur inside the TPM.
- **Anti-hammering**: If a user enters a PIN incorrectly, the virtual smart card responds by using the anti-hammering logic of the TPM, which rejects further attempts for a period of time instead of blocking the card. This is also known as lockout.
For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md).
For more information, see [Blocked virtual smart card](#blocked-virtual-smart-card) and [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md).
There are several options for creating virtual smart cards, depending on the size of the deployment and budget of the organization. The lowest cost option is using Tpmvscmgr.exe to create cards individually on users computers. Alternatively, a virtual smart card management solution can be purchased to more easily accomplish virtual smart card creation on a larger scale and aid in further phases of deployment. Virtual smart cards can be created on computers that are to be provisioned for an employee or on those that are already in an employees possession. In either approach, there should be some central control over personalization and provisioning. If a computer is intended for use by multiple employees, multiple virtual smart cards can be created on a computer.
@ -261,7 +261,9 @@ The most common scenario in an organization is reissuing virtual smart cards, wh
#### Blocked virtual smart card
The anti-hammering behavior of a TPM virtual smart card is different from that of a physical smart card. A physical smart card blocks itself after the user enters the wrong PIN a few times. A TPM virtual smart card enters a timed delay after the user enters the wrong PIN a few times. If the TPM is in the timed-delay mode, when the user attempts to use the TPM virtual smart card, the user is notified that the card is blocked. Furthermore, if you enable the integrated unlock functionality, the user can see the user interface to unlock the virtual smart card. Unlocking the virtual smart card does not reset the TPM lockout. The user needs to perform an extra step to reset the TPM lockout or wait for the timed delay to expire.
The anti-hammering behavior of a TPM virtual smart card is different from that of a physical smart card. A physical smart card blocks itself after the user enters the wrong PIN a few times. A TPM virtual smart card enters a timed delay after the user enters the wrong PIN a few times. If the TPM is in the timed-delay mode, when the user attempts to use the TPM virtual smart card, the user is notified that the card is blocked. Furthermore, if you enable the integrated unlock functionality, the user can see the user interface to unlock the virtual smart card and change the PIN. Unlocking the virtual smart card does not reset the TPM lockout. The user needs to perform an extra step to reset the TPM lockout or wait for the timed delay to expire.
For more information about setting the Allow Integrated Unblock policy, see [Allow Integrated Unblock screen to be displayed at the time of logon](https://docs.microsoft.com/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings#allow-integrated-unblock-screen-to-be-displayed-at-the-time-of-logon).
## See also

80
windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
ms.date: 06/18/2018
---
# BitLocker: How to enable Network Unlock
@ -83,7 +83,7 @@ The server side configuration to enable Network Unlock also requires provisionin
The following steps allow an administrator to configure Network Unlock in a domain where the Domain Functional Level is at least Windows Server 2012.
### <a href="" id="bkmk-stepone"></a>Step One: Install the WDS Server role
### Install the WDS Server role
The BitLocker Network Unlock feature will install the WDS role if it is not already installed. If you want to install it separately before you install BitLocker Network Unlock you can use Server Manager or Windows PowerShell. To install the role using Server Manager, select the **Windows Deployment Services** role in Server Manager.
@ -95,7 +95,7 @@ Install-WindowsFeature WDS-Deployment
You must configure the WDS server so that it can communicate with DHCP (and optionally Active Directory Doman Services) and the client computer. You can do using the WDS management tool, wdsmgmt.msc, which starts the Windows Deployment Services Configuration Wizard.
### <a href="" id="bkmk-steptwo"></a>Step Two: Confirm the WDS Service is running
### Confirm the WDS Service is running
To confirm the WDS service is running, use the Services Management Console or Windows PowerShell. To confirm the service is running in Services Management Console, open the console using **services.msc** and check the status of the Windows Deployment Services service.
@ -104,7 +104,7 @@ To confirm the service is running using Windows PowerShell, use the following co
``` syntax
Get-Service WDSServer
```
### <a href="" id="bkmk-stepthree"></a>Step Three: Install the Network Unlock feature
### Install the Network Unlock feature
To install the Network Unlock feature, use Server Manager or Windows PowerShell. To install the feature using Server Manager, select the **BitLocker Network Unlock** feature in the Server Manager console.
@ -113,7 +113,37 @@ To install the feature using Windows PowerShell, use the following command:
``` syntax
Install-WindowsFeature BitLocker-NetworkUnlock
```
### <a href="" id="bkmk-stepfour"></a>Step Four: Create the Network Unlock certificate
### Create the certificate template for Network Unlock
A properly configured Active Directory Services Certification Authority can use this certificate template to create and issue Network Unlock certificates.
1. Open the Certificates Template snap-in (certtmpl.msc).
2. Locate the User template. Right-click the template name and select **Duplicate Template**.
3. On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to Windows Server 2012 and Windows 8 respectively. Ensure the **Show resulting changes** dialog box is selected.
4. Select the **General** tab of the template. The **Template display name** and **Template name** should clearly identify that the template will be used for Network Unlock. Clear the checkbox for the **Publish certificate in Active Directory** option.
5. Select the **Request Handling** tab. Select **Encryption** from the **Purpose** drop down menu. Ensure the **Allow private key to be exported** option is selected.
6. Select the **Cryptography** tab. Set the **Minimum key size** to 2048. (Any Microsoft cryptographic provider that supports RSA can be used for this template, but for simplicity and forward compatibility we recommend using the **Microsoft Software Key Storage Provider**.)
7. Select the **Requests must use one of the following providers** option and clear all options except for the cryptography provider you selected, such as the **Microsoft Software Key Storage Provider**.
8. Select the **Subject Name** tab. Select **Supply in the request**. Select **OK** if the certificate templates pop-up dialog appears.
9. Select the **Issuance Requirements** tab. Select both **CA certificate manager approval** and **Valid existing certificate** options.
10. Select the **Extensions** tab. Select **Application Policies** and choose **Edit…**.
11. In the **Edit Application Policies Extension** options dialog box, select **Client Authentication**, **Encrypting File System**, **and Secure Email** and choose **Remove**.
12. On the **Edit Application Policies Extension** dialog box, select **Add**.
13. On the **Add Application Policy** dialog box, select **New**. In the **New Application Policy** dialog box enter the following information in the space provided and then click **OK** to create the BitLocker Network Unlock application policy:
- **Name:** **BitLocker Network Unlock**
- **Object Identifier:** **1.3.6.1.4.1.311.67.1.1**
14. Select the newly created **BitLocker Network Unlock** application policy and select **OK**.
15. With the **Extensions** tab still open, select the **Edit Key Usage Extension** dialog, select the **Allow key exchange only with key encryption (key encipherment)** option. Select the **Make this extension critical** option.
16. Select the **Security** tab. Confirm that the **Domain Admins** group has been granted **Enroll** permission.
17. Select **OK** to complete configuration of the template.
To add the Network Unlock template to the Certification Authority, open the Certification Authority snap-in (certsrv.msc). Right-click the **Certificate Templates** item and choose **New, Certificate Template to issue**. Select the previously created BitLocker Network Unlock certificate.
After adding the Network Unlock template to the Certification Authority, this certificate can be used to configure BitLocker Network Unlock.
### Create the Network Unlock certificate
Network Unlock can use imported certificates from an existing PKI infrastructure, or you can use a self-signed certificate.
@ -184,7 +214,7 @@ Certreq example:
5. Launch Certificates - Local Machine by running **certlm.msc**.
6. Create a .pfx file by opening the **Certificates Local Computer\\Personal\\Certificates** path in the navigation pane, right-clicking the previously imported certificate, selecting **All Tasks**, then **Export**. Follow through the wizard to create the .pfx file.
### <a href="" id="bkmk-stepfive"></a>Step Five: Deploy the private key and certificate to the WDS server
### Deploy the private key and certificate to the WDS server
With the certificate and key created, deploy them to the infrastructure to properly unlock systems. To deploy the certificates, do the following:
@ -193,7 +223,7 @@ With the certificate and key created, deploy them to the infrastructure to prope
3. In the **File to Import** dialog, choose the .pfx file created previously.
4. Enter the password used to create the .pfx and complete the wizard.
### <a href="" id="bkmk-stepsix"></a>Step Six: Configure Group Policy settings for Network Unlock
### Configure Group Policy settings for Network Unlock
With certificate and key deployed to the WDS server for Network Unlock, the final step is to use Group Policy settings to deploy the public key certificate to computers that you want to be able to unlock using the Network Unlock key. Group Policy settings for BitLocker can be found under **\\Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption** using the Local Group Policy Editor or the Microsoft Management Console.
@ -218,7 +248,7 @@ The following steps describe how to deploy the required Group Policy setting:
>**Note:**  Only one network unlock certificate can be available at a time. If a new certificate is required, delete the current certificate before deploying a new one. The Network Unlock certificate is located in the **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** key on the client computer.
 
### <a href="" id="bkmk-stepseven"></a>Step Seven: Require TPM+PIN protectors at startup
### Require TPM+PIN protectors at startup
An additional step is for enterprises to use TPM+PIN protectors for an extra level of security. To require TPM+PIN protectors in an environment, do the following:
@ -226,36 +256,6 @@ An additional step is for enterprises to use TPM+PIN protectors for an extra lev
2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option.
3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers.
### <a href="" id="bkmk-createcerttmpl"></a>Create the certificate template for Network Unlock
The following steps detail how to create a certificate template for use with BitLocker Network Unlock. A properly configured Active Directory Services Certification Authority can use this certificate to create and issue Network Unlock certificates.
1. Open the Certificates Template snap-in (certtmpl.msc).
2. Locate the User template. Right-click the template name and select **Duplicate Template**.
3. On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to Windows Server 2012 and Windows 8 respectively. Ensure the **Show resulting changes** dialog box is selected.
4. Select the **General** tab of the template. The **Template display name** and **Template name** should clearly identify that the template will be used for Network Unlock. Clear the checkbox for the **Publish certificate in Active Directory** option.
5. Select the **Request Handling** tab. Select **Encryption** from the **Purpose** drop down menu. Ensure the **Allow private key to be exported** option is selected.
6. Select the **Cryptography** tab. Set the **Minimum key size** to 2048. (Any Microsoft cryptographic provider that supports RSA can be used for this template, but for simplicity and forward compatibility we recommend using the **Microsoft Software Key Storage Provider**.)
7. Select the **Requests must use one of the following providers** option and clear all options except for the cryptography provider you selected, such as the **Microsoft Software Key Storage Provider**.
8. Select the **Subject Name** tab. Select **Supply in the request**. Select **OK** if the certificate templates pop-up dialog appears.
9. Select the **Issuance Requirements** tab. Select both **CA certificate manager approval** and **Valid existing certificate** options.
10. Select the **Extensions** tab. Select **Application Policies** and choose **Edit…**.
11. In the **Edit Application Policies Extension** options dialog box, select **Client Authentication**, **Encrypting File System**, **and Secure Email** and choose **Remove**.
12. On the **Edit Application Policies Extension** dialog box, select **Add**.
13. On the **Add Application Policy** dialog box, select **New**. In the **New Application Policy** dialog box enter the following information in the space provided and then click **OK** to create the BitLocker Network Unlock application policy:
- **Name:** **BitLocker Network Unlock**
- **Object Identifier:** **1.3.6.1.4.1.311.67.1.1**
14. Select the newly created **BitLocker Network Unlock** application policy and select **OK**.
15. With the **Extensions** tab still open, select the **Edit Key Usage Extension** dialog, select the **Allow key exchange only with key encryption (key encipherment)** option. Select the **Make this extension critical** option.
16. Select the **Security** tab. Confirm that the **Domain Admins** group has been granted **Enroll** permission.
17. Select **OK** to complete configuration of the template.
To add the Network Unlock template to the Certification Authority, open the Certification Authority snap-in (certsrv.msc). Right-click the **Certificate Templates** item and choose **New, Certificate Template to issue**. Select the previously created BitLocker Network Unlock certificate.
After adding the Network Unlock template to the Certification Authority, this certificate can be used to configure BitLocker Network Unlock.
### Subnet policy configuration files on WDS Server (Optional)
By default, all clients with the correct Network Unlock Certificate and valid Network Unlock protectors that have wired access to a Network Unlock-enabled WDS server via DHCP are unlocked by the server. A subnet policy configuration file on the WDS server can be created to limit which subnet(s) Network Unlock clients can use to unlock.
@ -285,13 +285,13 @@ The subnet policy configuration file must use a “\[SUBNETS\]” section to ide
To disallow the use of a certificate altogether, its subnet list may contain the line “DISABLED".
### <a href="" id="bkmk-turnoffnetworkunlock"></a>Turning off Network Unlock
## Turning off Network Unlock
To turn off the unlock server, the PXE provider can be unregistered from the WDS server or uninstalled altogether. However, to stop clients from creating Network Unlock protectors the **Allow Network Unlock at startup** Group Policy setting should be disabled. When this policy setting is updated to disabled on client computers any Network Unlock key protectors on the computer will be deleted. Alternatively, the BitLocker Network Unlock certificate policy can be deleted on the domain controller to accomplish the same task for an entire domain.
>**Note:**  Removing the FVENKP certificate store that contains the Network Unlock certificate and key on the WDS server will also effectively disable the servers ability to respond to unlock requests for that certificate. However, this is seen as an error condition and is not a supported or recommended method for turning off the Network Unlock server.
 
### <a href="" id="bkmk-updatecerts"></a>Update Network Unlock certificates
## Update Network Unlock certificates
To update the certificates used by Network Unlock, administrators need to import or generate the new certificate for the server and then update the Network Unlock certificate Group Policy setting on the domain controller.

5
windows/security/information-protection/bitlocker/bitlocker-overview.md
View File

@ -18,12 +18,11 @@ ms.date: 10/16/2017
This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.
## <a href="" id="bkmk-over"></a>
## <a href="" id="bkmk-over"></a>BitLocker overview
BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.
BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been
tampered with while the system was offline.
BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline.
On computers that do not have a TPM version 1.2 or later, you can still use BitLocker to encrypt the Windows operating system drive. However, this implementation will require the user to insert a USB startup key to start the computer or resume from hibernation. Starting with Windows 8, you can use an operating system volume password to protect the operating system volume on a computer without TPM. Both options do not provide the pre-startup system integrity verification offered by BitLocker with a TPM.

1
windows/security/threat-protection/windows-defender-atp/TOC.md
View File

@ -7,6 +7,7 @@
### [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md)
### [Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md)
## [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md)
### [Onboard previous versions of Windows](onboard-downlevel-windows-defender-advanced-threat-protection.md)
### [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
#### [Onboard machines using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
#### [Onboard machines using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)

107
windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,107 @@
---
title: Onboard previous versions of Windows on Windows Defender ATP
description: Onboard supported previous versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor
keywords: onboard, windows, 7, 81, oms, sp1, enterprise, pro, down level
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 06/18/2018
---
# Onboard previous versions of Windows
**Applies to:**
- Windows 7 SP1 Enterprise
- Windows 7 SP1 Pro
- Windows 8.1 Pro
- Windows 8.1 Enterprise
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Windows Defender ATP extends support to include down-level operating systems, providing advanced attack detection and investigation capabilities on supported Windows versions.
To onboard down-level Windows client endpoints to Windows Defender ATP, you'll need to:
- Configure and update System Center Endpoint Protection clients.
- Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP as instructed below.
>[!TIP]
> After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
## Configure and update System Center Endpoint Protection clients
>[!IMPORTANT]
>This step is required only if your organization uses System Center Endpoint Protection (SCEP).
Windows Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware.
The following steps are required to enable this integration:
- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/en-us/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie)
- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting
## Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP
### Before you begin
Review the following details to verify minimum system requirements:
- Install the [February monthly update rollout](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
>[!NOTE]
>Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
- Install the [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
>[!NOTE]
>Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
- Meet the Azure Log Analytics agent minimum system requirements. For more information, see [Collect data from computers in you environment with Log Analytics](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-concept-hybrid#prerequisites)
1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603) or [Windows 32-bit agent](https://go.microsoft.com/fwlink/?LinkId=828604).
2. Obtain the workspace ID:
- In the Windows Defender ATP navigation pane, select **Settings > Machine management > Onboarding**
- Select **Windows 7 SP1 and 8.1** as the operating system
- Copy the workspace ID and workspace key
3. Using the Workspace ID and Workspace key choose any of the following installation methods to install the agent:
- Manually install the agent using setup<br>
On the **Agent Setup Options** page, select **Connect the agent to Azure Log Analytics (OMS)**
- [Install the agent using command line](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-agent-windows#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-agent-windows#add-a-workspace-using-a-script)
4. If you're using a proxy to connect to the Internet see the Configure proxy settings section.
Once completed, you should see onboarded endpoints in the portal within an hour.
### Configure proxy and Internet connectivity settings
- Each Windows endpoint must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-oms-gateway).
- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service:
Agent Resource | Ports
:---|:---
| *.oms.opinsights.azure.com | 443 |
| *.blob.core.windows.net | 443 |
| *.azure-automation.net | 443 |
| *.ods.opinsights.azure.com | 443 |
| winatp-gw-cus.microsoft.com | 443 |
| winatp-gw-eus.microsoft.com | 443 |
| winatp-gw-neu.microsoft.com | 443 |
| winatp-gw-weu.microsoft.com | 443 |
|winatp-gw-uks.microsoft.com | 443 |
|winatp-gw-ukw.microsoft.com | 443 |
## Offboard client endpoints
To offboard, you can uninstall the MMA agent from the endpoint or detach it from reporting to your Windows Defender ATP workspace. After offboarding the agent, the endpoint will no longer send sensor data to Windows Defender ATP.
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-downlevele-belowfoldlink)

9
windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
View File

@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 04/24/2018
ms.date: 06/18/2018
---
# Windows Defender ATP preview features
@ -42,6 +42,12 @@ Turn on the preview experience setting to be among the first to try upcoming fea
## Preview features
The following features are included in the preview release:
- [Onboard previous versions of Windows](onboard-downlevel-windows-defender-advanced-threat-protection.md)<br>
Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor
- Windows 7 SP1 Enterprise
- Windows 7 SP1 Pro
- Windows 8.1 Enterprise
- Windows 8.1 Pro
- [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md)<br>
Windows Defender ATP supports the onboarding of the following servers:
@ -49,6 +55,7 @@ Windows Defender ATP supports the onboarding of the following servers:
- Windows Server 2016
- Windows Server, version 1803
- [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)<br>
Windows Defender ATP supports the use of Power BI data connectors to enable you to connect and access Windows Defender ATP data using Microsoft Graph.