From dc50b105393e4d49ac683f724c22494e6983ccf3 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Wed, 27 Apr 2016 10:02:53 -0700 Subject: [PATCH 01/38] adding author tag --- windows/manage/settings-reference-windows-store-for-business.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/manage/settings-reference-windows-store-for-business.md b/windows/manage/settings-reference-windows-store-for-business.md index 48f59c5857..b3b1cf9083 100644 --- a/windows/manage/settings-reference-windows-store-for-business.md +++ b/windows/manage/settings-reference-windows-store-for-business.md @@ -5,6 +5,7 @@ ms.assetid: 34F7FA2B-B848-454B-AC00-ECA49D87B678 ms.prod: W10 ms.mktglfcycl: manage ms.sitesec: library +author: TrudyHa --- # Settings reference: Windows Store for Business From 34d5c84ea3cc9ac3935bb0be2219f10884cf889b Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 27 Apr 2016 11:39:23 -0700 Subject: [PATCH 02/38] finishing intro sentence --- windows/keep-secure/audit-removable-storage.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/audit-removable-storage.md b/windows/keep-secure/audit-removable-storage.md index 6046b1b29c..5c9276822b 100644 --- a/windows/keep-secure/audit-removable-storage.md +++ b/windows/keep-secure/audit-removable-storage.md @@ -1,6 +1,6 @@ --- title: Audit Removable Storage (Windows 10) -description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Removable Storage, which determines . +description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Removable Storage, which determines when there is a read or a write to a removable drive. ms.assetid: 1746F7B3-8B41-4661-87D8-12F734AFFB26 ms.prod: W10 ms.mktglfcycl: deploy 
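Review bot: The clause completed in the `description:` line of audit-removable-storage.md, "which determines when there is a read or a write to a removable drive", says the setting decides when drive access happens, whereas an audit policy setting can only control whether that access is recorded. Suggest wording such as "which determines whether audit events are generated when there is a read or a write to a removable drive", and use the same wording for the identical sentence changed in the body hunk so the front matter and the topic text stay in sync.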
@@ -15,9 +15,9 @@ author: brianlic-msft - Windows 10 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Removable Storage**, which determines . +This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Removable Storage**, which determines when there is a read or a write to a removable drive. -Event volume: +Event volume: Low Default: Not configured From 38d00dd402f9218de2f9497c0726050fa18ed012 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Wed, 27 Apr 2016 15:30:32 -0700 Subject: [PATCH 03/38] updates for paid apps --- .../windows-store-for-business-overview.md | 142 ++++++------------ 1 file changed, 50 insertions(+), 92 deletions(-) diff --git a/windows/whats-new/windows-store-for-business-overview.md b/windows/whats-new/windows-store-for-business-overview.md index 9bf1212d06..f2eea69ec7 100644 --- a/windows/whats-new/windows-store-for-business-overview.md +++ b/windows/whats-new/windows-store-for-business-overview.md @@ -85,7 +85,7 @@ For more information, see [Sign up for the Store for Business](../manage/sign-up ### Set up -After your admin signs up for the Store for Business, they can assign roles to other employees in your company. These are the roles and their permissions. +After your admin signs up for the Store for Business, they can assign roles to other employees in your company. The admin needs Azure AD User Admin permissions to assign WSFB roles. These are the roles and their permissions. 
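Review bot: "WSFB" in the added sentence "The admin needs Azure AD User Admin permissions to assign WSFB roles." is not expanded anywhere in the visible text, which otherwise says "Store for Business"; spell it out or introduce the abbreviation on first use. Because this sentence states a privilege requirement, it would also help to give the Azure AD role name exactly as the directory shows it, so a reader can check the assignment before delegating Store roles.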
@@ -137,7 +137,7 @@ Also, if your organization plans to use a management tool, you’ll need to conf ### Get apps and content -Once signed in to the Store for Business, you can browse and search for all products in the Store for Business catalog. For now, apps in the Store for Business are free. Over time, when paid apps are available, you’ll have more options for paying for apps. +Once signed in to the Store for Business, you can browse and search for all products in the Store for Business catalog. Some apps are free, and some apps charge a price. We're continuing to add more paid apps to the Store for Business. Check back if you don't see the app that you're looking for. Currently, you can pay for apps with a credit card. We'll be adding more payment options over time. **App types** -- These app types are supported in the Store for Business: 
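Review bot: The text added under "Get apps and content" leans on time-relative wording ("We're continuing to add", "Check back", "Currently", "over time") that will go stale without anyone noticing, the same problem the removed "For now, apps in the Store for Business are free" sentence had. Suggest stating the current facts plainly (free and paid apps exist, credit card is the supported payment method) and dropping the promises; "some apps charge a price" would also read better as "some are paid".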
@@ -212,96 +212,54 @@ For more information, see [Manage settings in the Store for Business](../manage/ Store for Business is currently available in these markets. -- Argentina - -- Australia - -- Austria - -- Belgium (Dutch, French) - -- Brazil - -- Canada (English, French) - -- Chile - -- Columbia - -- Croatia - -- Czech Republic - -- Denmark - -- Finland - -- France - -- Germany - -- Greece - -- Hong Kong SAR - -- Hungary - -- India - -- Indonesia - -- Ireland - -- Italy - -- Japan - -- Malaysia - -- Mexico - -- Netherlands - -- New Zealand - -- Norway - -- Philippines - -- Poland - -- Portugal - -- Romania - -- Russia - -- Singapore - -- Slovakia - -- South Africa - -- Spain - -- Sweden - -- Switzerland (French, German) - -- Taiwan - -- Thailand - -- Turkey - -- Ukraine - -- United Kingdom - -- United States - -- Vietnam - +|Country or locale|Paid apps|Free apps| +|-----------------|---------|---------| +|Argentina|X|X| +|Australia|X|X| +|Austria|X|X| +|Belgium (Dutch, French)|X|X| +|Brazil| |X| +|Canada (English, French)|X|X| +|Chile|X|X| +|Columbia|X|X| +|Croatia|X|X| +|Czech Republic|X|X| +|Denmark|X|X| +|Finland|X|X| +|France|X|X| +|Germany|X|X| +|Greece|X|X| +|Hong Kong SAR|X|X| +|Hungary|X|X| +|India| |X| +|Indonesia|X|X| +|Ireland|X|X| +|Italy|X|X| +|Japan|X|X| +|Malaysia|X|X| +|Mexico|X|X| +|Netherlands|X|X| +|New Zealand|X|X| +|Norway|X|X| +|Philippines|X|X| +|Poland|X|X| +|Portugal|X|X| +|Romania|X|X| +|Russia| |X| +|Singapore|X|X| +|Slovakia|X|X| +|South Africa|X|X| +|Spain|X|X| +|Sweden|X|X| +|Switzerland (French, German)|X|X| +|Taiwan| |X| +|Thailand|X|X| +|Turkey|X|X| +|Ukraine| |X| +|United Kingdom|X|X| +|United States|X|X| +|Vietnam|X|X| + ## ISVs and the Store for Business From 7371e7c1305b498d874dcee17acf1beec34519de Mon Sep 17 00:00:00 2001 
From: Brian Lich Date: Wed, 27 Apr 2016 16:54:13 -0700 Subject: [PATCH 04/38] fixing table --- .../about-client-configuration-settings51.md | 478 ++---------------- 1 file changed, 40 insertions(+), 438 deletions(-) diff --git a/mdop/appv-v5/about-client-configuration-settings51.md b/mdop/appv-v5/about-client-configuration-settings51.md index e8512afd4f..f77a20a083 100644 --- a/mdop/appv-v5/about-client-configuration-settings51.md +++ b/mdop/appv-v5/about-client-configuration-settings51.md @@ -15,444 +15,46 @@ The Microsoft Application Virtualization (App-V) 5.1 client stores its configura The following table displays information about the App-V 5.1 client configuration settings: -
-------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Setting NameSetup FlagDescriptionSetting OptionsRegistry Key ValueDisabled Policy State Keys and Values

PackageInstallationRoot

PACKAGEINSTALLATIONROOT

Specifies directory where all new applications and updates will be installed.

String

Streaming\PackageInstallationRoot

Policy value not written (same as Not Configured)

PackageSourceRoot

PACKAGESOURCEROOT

Overrides source location for downloading package content.

String

Streaming\PackageSourceRoot

Policy value not written (same as Not Configured)

AllowHighCostLaunch

Not available.

This setting controls whether virtualized applications are launched on Windows 10 machines connected via a metered network connection (For example, 4G).

True (enabled); False (Disabled state)

Streaming\AllowHighCostLaunch

0

ReestablishmentRetries

Not available.

Specifies the number of times to retry a dropped session.

Integer (0-99)

Streaming\ReestablishmentRetries

Policy value not written (same as Not Configured)

ReestablishmentInterval

Not available.

Specifies the number of seconds between attempts to reestablish a dropped session.

Integer (0-3600)

Streaming\ReestablishmentInterval

Policy value not written (same as Not Configured)

AutoLoad

AUTOLOAD

Specifies how new packages should be loaded automatically by App-V on a specific computer.

(0x0) None; (0x1) Previously used; (0x2) All

Streaming\AutoLoad

Policy value not written (same as Not Configured)

LocationProvider

Not available.

Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface.

String

Streaming\LocationProvider

Policy value not written (same as Not Configured)

CertFilterForClientSsl

Not available.

Specifies the path to a valid certificate in the certificate store.

String

Streaming\CertFilterForClientSsl

Policy value not written (same as Not Configured)

VerifyCertificateRevocationList

Not available.

Verifies Server certificate revocation status before steaming using HTTPS.

True(enabled); False(Disabled state)

Streaming\VerifyCertificateRevocationList

0

SharedContentStoreMode

SHAREDCONTENTSTOREMODE

Specifies that streamed package contents will be not be saved to the local hard disk.

True(enabled); False(Disabled state)

Streaming\SharedContentStoreMode

0

Name

-
-Note   -

This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet.

-
-
-  -

PUBLISHINGSERVERNAME

Displays the name of publishing server.

String

Publishing\Servers\{serverId}\FriendlyName

Policy value not written (same as Not Configured)

URL

-
-Note   -

This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet.

-
-
-  -

PUBLISHINGSERVERURL

Displays the URL of publishing server.

String

Publishing\Servers\{serverId}\URL

Policy value not written (same as Not Configured)

GlobalRefreshEnabled

-
-Note   -

This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet.

-
-
-  -

GLOBALREFRESHENABLED

Enables global publishing refresh (Boolean)

True(enabled); False(Disabled state)

Publishing\Servers\{serverId}\GlobalEnabled

False

GlobalRefreshOnLogon

-
-Note   -

This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet.

-
-
-  -

GLOBALREFRESHONLOGON

Triggers a global publishing refresh on logon. ( Boolean)

True(enabled); False(Disabled state)

Publishing\Servers\{serverId}\GlobalLogonRefresh

False

GlobalRefreshInterval

-
-Note   -

This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet.

-
-
-  -

GLOBALREFRESHINTERVAL  

Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0.

Integer (0-744

Publishing\Servers\{serverId}\GlobalPeriodicRefreshInterval

0

GlobalRefreshIntervalUnit

-
-Note   -

This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet.

-
-
-  -

GLOBALREFRESHINTERVALUNI

Specifies the interval unit (Hour 0-23, Day 0-31). 

0 for hour, 1 for day

Publishing\Servers\{serverId}\GlobalPeriodicRefreshIntervalUnit

1

UserRefreshEnabled

-
-Note   -

This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet.

-
-
-  -

USERREFRESHENABLED 

Enables user publishing refresh (Boolean)

True(enabled); False(Disabled state)

Publishing\Servers\{serverId}\UserEnabled

False

UserRefreshOnLogon

-
-Note   -

This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet.

-
-
-  -

USERREFRESHONLOGON

Triggers a user publishing refresh onlogon. ( Boolean)

-

Word count (with spaces): 60

True(enabled); False(Disabled state)

Publishing\Servers\{serverId}\UserLogonRefresh

False

UserRefreshInterval

-
-Note   -

This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet.

-
-
-  -

USERREFRESHINTERVAL     

Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0.

-

Word count (with spaces): 85

Integer (0-744 Hours)

Publishing\Servers\{serverId}\UserPeriodicRefreshInterval

0

UserRefreshIntervalUnit

-
-Note   -

This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet.

-
-
-  -

USERREFRESHINTERVALUNIT  

Specifies the interval unit (Hour 0-23, Day 0-31). 

0 for hour, 1 for day

Publishing\Servers\{serverId}\UserPeriodicRefreshIntervalUnit

1

MigrationMode

MIGRATIONMODE

Migration mode allows the App-V client to modify shortcuts and FTA’s for packages created using a previous version of App-V.

True(enabled state); False (disabled state)

Coexistence\MigrationMode

CEIPOPTIN

CEIPOPTIN

Allows the computer running the App-V 5.1 Client to collect and return certain usage information to help allow us to further improve the application.

0 for disabled; 1 for enabled

SOFTWARE/Microsoft/AppV/CEIP/CEIPEnable

0

EnablePackageScripts

ENABLEPACKAGESCRIPTS

Enables scripts defined in the package manifest of configuration files that should run.

True(enabled); False(Disabled state)

\Scripting\EnablePackageScripts

RoamingFileExclusions

ROAMINGFILEEXCLUSIONS

Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage:  /ROAMINGFILEEXCLUSIONS='desktop;my pictures'

RoamingRegistryExclusions

ROAMINGREGISTRYEXCLUSIONS

Specifies the registry paths that do not roam with a user profile. Example usage: /ROAMINGREGISTRYEXCLUSIONS=software\\classes;software\\clients

String

Integration\RoamingReglstryExclusions

Policy value not written (same as Not Configured)

IntegrationRootUser

Not available.

Specifies the location to create symbolic links associated with the current version of a per-user published package. all virtual application extensions, for example shortcuts and file type associations, will point to this path. If you do not specify a path, symbolic links will not be used when you publish the package. For example: %localappdata%\Microsoft\AppV\Client\Integration.

String

Integration\IntegrationRootUser

Policy value not written (same as Not Configured)

IntegrationRootGlobal

Not available.

Specifies the location to create symbolic links associated with the current version of a globally published package. all virtual application extensions, for example shortcuts and file type associations, will point to this path. If you do not specify a path, symbolic links will not be used when you publish the package. For example: %allusersprofile%\Microsoft\AppV\Client\Integration

String

Integration\IntegrationRootGlobal

Policy value not written (same as Not Configured)

VirtualizableExtensions

Not available.

A comma -delineated list of file name extensions that can be used to determine if a locally installed application can be run in the virtual environment.

-

When shortcuts, FTAs, and other extension points are created during publishing, App-V will compare the file name extension to the list if the application that is associated with the extension point is locally installed. If the extension is located, the RunVirtual command line parameter will be added, and the application will run virtually.

-

For more information about the RunVirtual parameter, see [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](running-a-locally-installed-application-inside-a-virtual-environment-with-virtualized-applications51.md).

String

Integration\VirtualizableExtensions

Policy value not written

ReportingEnabled

Not available.

Enables the client to return information to a reporting server.

True (enabled); False (Disabled state)

Reporting\EnableReporting

False

ReportingServerURL

Not available.

Specifies the location on the reporting server where client information is saved.

String

Reporting\ReportingServer

Policy value not written (same as Not Configured)

ReportingDataCacheLimit

Not available.

Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over. Set between 0 and 1024.

Integer [0-1024]

Reporting\DataCacheLimit

Policy value not written (same as Not Configured)

ReportingDataBlockSize

Not available.

Specifies the maximum size in bytes to transmit to the server for reporting upload requests. This can help avoid permanent transmission failures when the log has reached a significant size. Set between 1024 and unlimited.

Integer [1024 - Unlimited]

Reporting\DataBlockSize

Policy value not written (same as Not Configured)

ReportingStartTime

Not available.

Specifies the time to initiate the client to send data to the reporting server. You must specify a valid integer between 0-23 corresponding to the hour of the day. By default the ReportingStartTime will start on the current day at 10 P.M.or 22.

-
-Note   -

You should configure this setting to a time when computers running the App-V 5.1 client are least likely to be offline.

-
-
-  -

Integer (0 – 23)

Reporting\ StartTime

Policy value not written (same as Not Configured)

ReportingInterval

Not available.

Specifies the retry interval that the client will use to resend data to the reporting server.

Integer

Reporting\RetryInterval

Policy value not written (same as Not Configured)

ReportingRandomDelay

Not available.

Specifies the maximum delay (in minutes) for data to be sent to the reporting server. When the scheduled task is started, the client generates a random delay between 0 and ReportingRandomDelay and will wait the specified duration before sending data. This can help to prevent collisions on the server.

Integer [0 - ReportingRandomDelay]

Reporting\RandomDelay

Policy value not written (same as Not Configured)

EnableDynamicVirtualization

-
-Important   -

This setting is available only with App-V 5.0 SP2 or later.

-
-
-  -

Not available.

Enables supported Shell Extensions, Browser Helper Objects, and Active X controls to be virtualized and run with virtual applications.

1 (Enabled), 0 (Disabled)

HKEY_LOCAL_MACHINE\Software\Microsoft\AppV\Client\Virtualization

EnablePublishingRefreshUI

-
-Important   -

This setting is available only with App-V 5.0 SP2.

-
-
-  -

Not available.

Enables the publishing refresh progress bar for the computer running the App-V 5.1 Client.

1 (Enabled), 0 (Disabled)

HKEY_LOCAL_MACHINE\Software\Microsoft\AppV\Client\Publishing

HideUI

-
-Important   -

This setting is available only with App-V 5.0 SP2.

-
-
-  -

Not available.

Hides the publishing refresh progress bar.

1 (Enabled), 0 (Disabled)

ProcessesUsingVirtualComponents

Not available.

Specifies a list of process paths (that may contain wildcards), which are candidates for using dynamic virtualization (supported shell extensions, browser helper objects, and ActiveX controls). Only processes whose full path matches one of these items can use dynamic virtualization.

String

Virtualization\ProcessesUsingVirtualComponents

Empty string.

- -  +|Setting name | Setup Flag | Description | Setting Options | Registry Key Value | Disabled Policy State Keys and Values | +|-------------|------------|-------------|-----------------|--------------------|--------------------------------------| +| PackageInstallationRoot | PACKAGEINSTALLATIONROOT | Specifies directory where all new applications and updates will be installed. | String | Streaming\PackageInstallationRoot | Policy value not written (same as Not Configured) | +| PackageSourceRoot | PACKAGESOURCEROOT | Overrides source location for downloading package content. | String | Streaming\PackageSourceRoot | Policy value not written (same as Not Configured) | +| AllowHighCostLaunch | Not available. |This setting controls whether virtualized applications are launched on Windows 10 machines connected via a metered network connection (For example, 4G). | True (enabled); False (Disabled state) | Streaming\AllowHighCostLaunch | 0 | +| ReestablishmentRetries | Not available. | Specifies the number of times to retry a dropped session. | Integer (0-99) | Streaming\ReestablishmentRetries | Policy value not written (same as Not Configured) | +| ReestablishmentInterval | Not available. | Specifies the number of seconds between attempts to reestablish a dropped session. | Integer (0-3600) | Streaming\ReestablishmentInterval | Policy value not written (same as Not Configured) | +| LocationProvider | Not available. | Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface. | String | Streaming\LocationProvider | Policy value not written (same as Not Configured) | +| CertFilterForClientSsl | Not available. | Specifies the path to a valid certificate in the certificate store. | String | Streaming\CertFilterForClientSsl | Policy value not written (same as Not Configured) | +| VerifyCertificateRevocationList | Not available. | Verifies Server certificate revocation status before steaming using HTTPS. 
| True(enabled); False(Disabled state) | Streaming\VerifyCertificateRevocationList | 0 | +| SharedContentStoreMode | SHAREDCONTENTSTOREMODE | Specifies that streamed package contents will be not be saved to the local hard disk. | True(enabled); False(Disabled state) | Streaming\SharedContentStoreMode | 0 | +| Name
**Note** This setting cannot be modified using the **set-AppvclientConfiguration** cmdLet. You must use the **Set-AppvPublishingServer** cmdlet. | PUBLISHINGSERVERNAME | Displays the name of publishing server. | String | Publishing\Servers\{serverId}\FriendlyName | Policy value not written (same as Not Configured) | +| URL
**Note** This setting cannot be modified using the **set-AppvclientConfiguration** cmdLet. You must use the **Set-AppvPublishingServer** cmdlet. | PUBLISHINGSERVERURL | Displays the URL of publishing server. | String | Publishing\Servers\{serverId}\URL | Policy value not written (same as Not Configured) | +| GlobalRefreshEnabled
**Note** This setting cannot be modified using the **set-AppvclientConfiguration** cmdLet. You must use the **Set-AppvPublishingServer** cmdlet. | GLOBALREFRESHENABLED | Enables global publishing refresh (Boolean) | True(enabled); False(Disabled state) | Publishing\Servers\{serverId}\GlobalEnabled | False | +| GlobalRefreshOnLogon
**Note** This setting cannot be modified using the **set-AppvclientConfiguration** cmdLet. You must use the **Set-AppvPublishingServer** cmdlet. | GLOBALREFRESHONLOGON | Triggers a global publishing refresh on logon. ( Boolean) | True(enabled); False(Disabled state) | Publishing\Servers\{serverId}\GlobalLogonRefresh | False | +| GlobalRefreshInterval
**Note** This setting cannot be modified using the **set-AppvclientConfiguration** cmdLet. You must use the **Set-AppvPublishingServer** cmdlet. | GLOBALREFRESHINTERVAL | Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. | Integer (0-744) | Publishing\Servers\{serverId}\GlobalPeriodicRefreshInterval | 0 | +| GlobalRefreshIntervalUnit
**Note** This setting cannot be modified using the **set-AppvclientConfiguration** cmdLet. You must use the **Set-AppvPublishingServer** cmdlet. | GLOBALREFRESHINTERVALUNI | Specifies the interval unit (Hour 0-23, Day 0-31). | 0 for hour, 1 for day | Publishing\Servers\{serverId}\GlobalPeriodicRefreshIntervalUnit | 1 | +| UserRefreshEnabled
**Note** This setting cannot be modified using the **set-AppvclientConfiguration** cmdLet. You must use the **Set-AppvPublishingServer** cmdlet. | USERREFRESHENABLED | Enables user publishing refresh (Boolean) | True(enabled); False(Disabled state) | Publishing\Servers\{serverId}\UserEnabled | False | +| UserRefreshOnLogon
**Note** This setting cannot be modified using the **set-AppvclientConfiguration** cmdLet. You must use the **Set-AppvPublishingServer** cmdlet. | USERREFRESHONLOGON | Triggers a user publishing refresh onlogon. ( Boolean)
Word count (with spaces): 60 | True(enabled); False(Disabled state) | Publishing\Servers\{serverId}\UserLogonRefresh | False | +| UserRefreshInterval
**Note** This setting cannot be modified using the **set-AppvclientConfiguration** cmdLet. You must use the **Set-AppvPublishingServer** cmdlet. | USERREFRESHINTERVAL | Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. | Word count (with spaces): 85
Integer (0-744 Hours) | Publishing\Servers\{serverId}\UserPeriodicRefreshInterval | 0 | +| UserRefreshIntervalUnit
**Note** This setting cannot be modified using the **set-AppvclientConfiguration** cmdLet. You must use the **Set-AppvPublishingServer** cmdlet. | USERREFRESHINTERVALUNIT | Specifies the interval unit (Hour 0-23, Day 0-31). | 0 for hour, 1 for day | Publishing\Servers\{serverId}\UserPeriodicRefreshIntervalUnit | 1 | +| MigrationMode | MIGRATIONMODE | Migration mode allows the App-V client to modify shortcuts and FTA’s for packages created using a previous version of App-V. | True(enabled state); False (disabled state) | Coexistence\MigrationMode | | +| CEIPOPTIN | CEIPOPTIN | Allows the computer running the App-V 5.1 Client to collect and return certain usage information to help allow us to further improve the application. | 0 for disabled; 1 for enabled | SOFTWARE/Microsoft/AppV/CEIP/CEIPEnable | 0 | +| EnablePackageScripts | ENABLEPACKAGESCRIPTS | Enables scripts defined in the package manifest of configuration files that should run. | True(enabled); False(Disabled state) | \Scripting\EnablePackageScripts | | +| RoamingFileExclusions | ROAMINGFILEEXCLUSIONS | Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage:  /ROAMINGFILEEXCLUSIONS='desktop;my pictures' | | | | +| RoamingRegistryExclusions | ROAMINGREGISTRYEXCLUSIONS | Specifies the registry paths that do not roam with a user profile. Example usage: /ROAMINGREGISTRYEXCLUSIONS=software\\classes;software\\clients | String | Integration\RoamingReglstryExclusions | Policy value not written (same as Not Configured) | +| IntegrationRootUser | Not available. | Specifies the location to create symbolic links associated with the current version of a per-user published package. all virtual application extensions, for example shortcuts and file type associations, will point to this path. If you do not specify a path, symbolic links will not be used when you publish the package. 
For example: %localappdata%\Microsoft\AppV\Client\Integration.| String | Integration\IntegrationRootUser | Policy value not written (same as Not Configured) | +|IntegrationRootGlobal | Not available.| Specifies the location to create symbolic links associated with the current version of a globally published package. all virtual application extensions, for example shortcuts and file type associations, will point to this path. If you do not specify a path, symbolic links will not be used when you publish the package. For example: %allusersprofile%\Microsoft\AppV\Client\Integration | String | Integration\IntegrationRootGlobal | Policy value not written (same as Not Configured) | +| VirtualizableExtensions | Not available. | A comma -delineated list of file name extensions that can be used to determine if a locally installed application can be run in the virtual environment.
When shortcuts, FTAs, and other extension points are created during publishing, App-V will compare the file name extension to the list if the application that is associated with the extension point is locally installed. If the extension is located, the **RunVirtual** command line parameter will be added, and the application will run virtually.
For more information about the **RunVirtual** parameter, see [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](running-a-locally-installed-application-inside-a-virtual-environment-with-virtualized-applications51.md). | String | Integration\VirtualizableExtensions | Policy value not written | +| ReportingEnabled | Not available. | Enables the client to return information to a reporting server. | True (enabled); False (Disabled state) | Reporting\EnableReporting | False | +| ReportingServerURL | Not available. | Specifies the location on the reporting server where client information is saved. | String | Reporting\ReportingServer | Policy value not written (same as Not Configured) | +| ReportingDataCacheLimit | Not available. | Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over. Set between 0 and 1024. | Integer [0-1024] | Reporting\DataCacheLimit | Policy value not written (same as Not Configured) | +| ReportingDataBlockSize| Not available. | Specifies the maximum size in bytes to transmit to the server for reporting upload requests. This can help avoid permanent transmission failures when the log has reached a significant size. Set between 1024 and unlimited. | Integer [1024 - Unlimited] | Reporting\DataBlockSize | Policy value not written (same as Not Configured) | +| ReportingStartTime | Not available. | Specifies the time to initiate the client to send data to the reporting server. You must specify a valid integer between 0-23 corresponding to the hour of the day. By default the **ReportingStartTime** will start on the current day at 10 P.M.or 22.
**Note** You should configure this setting to a time when computers running the App-V 5.1 client are least likely to be offline. | Integer (0 – 23) | Reporting\ StartTime | Policy value not written (same as Not Configured) | +| ReportingInterval | Not available. | Specifies the retry interval that the client will use to resend data to the reporting server. | Integer | Reporting\RetryInterval | Policy value not written (same as Not Configured) | +| ReportingRandomDelay | Not available. | Specifies the maximum delay (in minutes) for data to be sent to the reporting server. When the scheduled task is started, the client generates a random delay between 0 and **ReportingRandomDelay** and will wait the specified duration before sending data. This can help to prevent collisions on the server. | Integer [0 - ReportingRandomDelay] | Reporting\RandomDelay | Policy value not written (same as Not Configured) | +| EnableDynamicVirtualization
**Important** This setting is available only with App-V 5.0 SP2 or later. | Not available. | Enables supported Shell Extensions, Browser Helper Objects, and Active X controls to be virtualized and run with virtual applications. | 1 (Enabled), 0 (Disabled) | HKEY_LOCAL_MACHINE\Software\Microsoft\AppV\Client\Virtualization | | +| EnablePublishingRefreshUI
**Important** This setting is available only with App-V 5.0 SP2. | Not available. | Enables the publishing refresh progress bar for the computer running the App-V 5.1 Client. | 1 (Enabled), 0 (Disabled) | HKEY_LOCAL_MACHINE\Software\Microsoft\AppV\Client\Publishing | | +| HideUI
**Important**  This setting is available only with App-V 5.0 SP2.| Not available. | Hides the publishing refresh progress bar. | 1 (Enabled), 0 (Disabled) | | | +| ProcessesUsingVirtualComponents | Not available. | Specifies a list of process paths (that may contain wildcards), which are candidates for using dynamic virtualization (supported shell extensions, browser helper objects, and ActiveX controls). Only processes whose full path matches one of these items can use dynamic virtualization. | String | Virtualization\ProcessesUsingVirtualComponents | Empty string. | ## Got a suggestion for App-V? From 83248415131e37e6f4cef1d5c042f54dfd0451d6 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 28 Apr 2016 07:59:48 -0700 Subject: [PATCH 05/38] Updated to fix VS #7371643 --- windows/keep-secure/index.md | 2 +- windows/keep-secure/protect-enterprise-data-using-edp.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/index.md b/windows/keep-secure/index.md index 80a12f1d0e..f2a2ac4b8c 100644 --- a/windows/keep-secure/index.md +++ b/windows/keep-secure/index.md @@ -62,7 +62,7 @@ Learn about keeping Windows 10 and Windows 10 Mobile secure.

[Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md)

-

With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures to their personal email account, copies and pastes product info to a public Yammer group or tweet, or saves an in-progress sales report to their public cloud storage.

+

With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.

[Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)
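Review bot: on the `+` line, changing "to their personal email account" to "from their personal email account" alters the scenario being described. The leak this paragraph illustrates is enterprise data moving out to a personal account; "from" reads as if the pictures are already in the personal mailbox. Consider keeping "to" and only dropping the Yammer reference. Separately, "For example, when an employee sends ..., copies and pastes ..., or saves ..." has no main clause; it needs a lead such as "For example, this can happen when an employee ...". The same wording is applied in protect-enterprise-data-using-edp.md, so any fix should go in both files.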

diff --git a/windows/keep-secure/protect-enterprise-data-using-edp.md b/windows/keep-secure/protect-enterprise-data-using-edp.md index 6c688aa008..132514c566 100644 --- a/windows/keep-secure/protect-enterprise-data-using-edp.md +++ b/windows/keep-secure/protect-enterprise-data-using-edp.md 
@@ -17,7 +17,7 @@ author: eross-msft [Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] -With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures to their personal email account, copies and pastes product info to a public Yammer group or tweet, or saves an in-progress sales report to their public cloud storage. +With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. Enterprise data protection (EDP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. EDP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. Finally, another data protection technology, Azure Rights Management also works alongside EDP to extend data protection for data that leaves the device, such as when email attachments are sent from an enterprise aware version of a rights management mail client. From 7fe006e16e35452b3be17ed50f182b916c3137ef Mon Sep 17 00:00:00 2001 
From: Brian Lich Date: Thu, 28 Apr 2016 08:53:39 -0700 Subject: [PATCH 06/38] fixing table --- ...aging-app-v-51-virtualized-applications.md | 182 ++++++------------ 1 file changed, 62 insertions(+), 120 deletions(-) diff --git a/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md b/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md index bc1485ab15..cf8080c563 100644 --- a/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md +++ b/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md @@ -11,7 +11,7 @@ author: jamiejdt After you have properly deployed the Microsoft Application Virtualization (App-V) 5.1 sequencer, you can use it to monitor and record the installation and setup process for an application to be run as a virtualized application. **Note**   -For more information about configuring the App-V 5.1 sequencer, sequencing best practices, and an example of creating and updating a virtual application, see the [Microsoft Application Virtualization 5.0 Sequencing Guide](http://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V 5.0 Sequencing Guide.docx) (http://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V 5.0 Sequencing Guide.docx). +For more information about configuring the App-V 5.1 sequencer, sequencing best practices, and an example of creating and updating a virtual application, see the [Microsoft Application Virtualization 5.0 Sequencing Guide](http://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V 5.0 Sequencing Guide.docx).   
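Review bot: the link destination on the `+` line still contains literal spaces (`.../App-V 5.0 Sequencing Guide.docx`), which many Markdown renderers do not accept inside an inline link, so the link may stay broken even after the duplicated bare URL is removed. Encode the spaces as `%20`. The destination is also a `.docx` download over plain `http://`; if the host serves the file over `https://`, point the link there so readers are not sent to fetch an Office document over an unauthenticated channel.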
@@ -146,125 +146,67 @@ Copy on write (CoW) file extensions allow App-V 5.1 to dynamically write to spec The following table displays the file types that can exist in a virtual package under the VFS directory, but cannot be updated on the computer running the App-V 5.1 client. All other files and directories can be modified. -.acm - -.asa - -.asp - -.aspx - -.ax - -.bat - -.cer - -.chm - -.clb - -.cmd - -.cnt - -.cnv - -.com - -.cpl - -.cpx - -.crt - -.dll - -.drv - -.exe - -.fon - -.grp - -.hlp - -.hta - -.ime - -.inf - -.ins - -.isp - -.its - -.js - -.jse - -.lnk - -.msc - -.msi - -.msp - -.mst - -.mui - -.nls - -.ocx - -.pal - -.pcd - -.pif - -.reg - -.scf - -.scr - -.sct - -.shb - -.shs - -.sys - -.tlb - -.tsp - -.url - -.vb - -.vbe - -.vbs - -.vsmacros - -.ws - -.esc - -.wsf - -.wsh - -  +| File type | +| --------- | +| .acm | +| .asa | +| .asp | +| .aspx | +| .ax | +| .bat | +| .cer | +| .chm | +| .clb | +| .cmd | +| .cnt | +| .cnv | +| .com | +| .cpl | +| .cpx | +| .crt | +| .dll | +| .drv | +| .exe | +| .fon | +| .grp | +| .hlp | +| .hta | +| .ime | +| .inf | +| .ins | +| .isp | +| .its | +| .js | +| .jse | +| .lnk | +| .msc | +| .msi | +| .msp | +| .mst | +| .mui | +| .nls | +| .ocx | +| .pal | +| .pcd | +| .pif | +| .reg | +| .scf | +| .scr | +| .sct | +| .shb | +| .shs | +| .sys | +| .tlb | +| .tsp | +| .url | +| .vb | +| .vbe | +| .vbs | +| .vsmacros | +| .ws | +| .esc | +| .wsf | +| .wsh | ## Modifying an existing virtual application package From ca489520c534cec6962f8369b7635473eb8f607c Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Thu, 28 Apr 2016 09:12:53 -0700 Subject: [PATCH 07/38] paid apps updates --- windows/manage/apps-in-windows-store-for-business.md | 4 ++++ windows/manage/assign-apps-to-employees.md | 2 +- windows/manage/manage-inventory-windows-store-for-business.md | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) 
diff --git a/windows/manage/apps-in-windows-store-for-business.md b/windows/manage/apps-in-windows-store-for-business.md index 5e896b7a2f..1376953e1a 100644 --- a/windows/manage/apps-in-windows-store-for-business.md +++ b/windows/manage/apps-in-windows-store-for-business.md @@ -47,6 +47,10 @@ Apps in your inventory will have at least one of these supported platforms liste Apps that you acquire from the Store for Business only work on Windows 10-based devices. Even though an app might list Windows 8 as its supported platform, that tells you what platform the app was originally written for. Apps developed for Windows 8, or Windows phone 8 will work on Windows 10. +Some apps are free, and some apps charge a price. We're continuing to add more paid apps to the Store for Business. Check back if you don't see the app that you're looking for. Currently, you can pay for apps with a credit card. We'll be adding more payment options over time. + +Some apps which are available to consumers in Windows Store might not be available in Windows Store for Business. This can happen for a couple of reasons. The app developer might set the app availability so that it is only available to people using Windows Store. Also, business-to-business transaction regulatory requirements might prevent the app being available in Store for Business. + Line-of-business (LOB) apps are also supported using the Store for Business. Admins can invite IT devs and ISVs to be LOB publishers. Apps developed by your LOB publishers that are submitted to the Store are only available to your organization. Once an administrator accepts an app submitted by one of their LOB publishers, the app can be distributed just like any other app from Store for Business. For more information, see Working with Line-of-Business apps. ## In-app purchases diff --git a/windows/manage/assign-apps-to-employees.md b/windows/manage/assign-apps-to-employees.md index 0864ee8dac..c6e8393f30 100644 
--- a/windows/manage/assign-apps-to-employees.md +++ b/windows/manage/assign-apps-to-employees.md @@ -28,7 +28,7 @@ Administrators can assign online-licensed apps to employees in their organizatio 4. Type the email address for the employee that you're assigning the app to, and click **Confirm**. -Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**. +Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**. Also, in the Windows Store app, they can find the app under **My Library**.   diff --git a/windows/manage/manage-inventory-windows-store-for-business.md b/windows/manage/manage-inventory-windows-store-for-business.md index b506ec3b10..f2675df317 100644 --- a/windows/manage/manage-inventory-windows-store-for-business.md +++ b/windows/manage/manage-inventory-windows-store-for-business.md 
@@ -38,7 +38,7 @@ Another way to distribute apps is by assigning them to people in your organizati 3. Find an app, click the ellipses under **Action**, and then choose **Assign to people**. 4. Type the email address for the employee that you're assigning the app to, and click **Confirm**. -Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**. Also, in the Windows Store app, they can find the app under **MyLibrary**. +Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**. Also, in the Windows Store app, they can find the app under **My Library**. ## Manage licenses For apps in inventory, when you assign an app to an employee, a license for the app is assigned to them. You can manage these licenses, either by assigning them, or reclaiming them so you can assign them to another employee. You can also remove an app from the private store. From ba47a67dc2145fe019869c9a6a0367ff16455ac6 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 28 Apr 2016 09:40:22 -0700 Subject: [PATCH 08/38] fixed code blocks --- ...ate-or-edit-the-sms-defmof-file-mbam-25.md | 36 +++++++++---------- .../edit-the-configurationmof-file-mbam-25.md | 36 +++++++++---------- 2 files changed, 36 insertions(+), 36 deletions(-) diff --git a/mdop/mbam-v25/create-or-edit-the-sms-defmof-file-mbam-25.md b/mdop/mbam-v25/create-or-edit-the-sms-defmof-file-mbam-25.md index 89d24f23b8..104e174531 100644 --- a/mdop/mbam-v25/create-or-edit-the-sms-defmof-file-mbam-25.md +++ b/mdop/mbam-v25/create-or-edit-the-sms-defmof-file-mbam-25.md 
@@ -27,8 +27,8 @@ In the following sections, complete the instructions that correspond to the vers // Microsoft BitLocker Administration and Monitoring //=================================================== -#pragma namespace ("\\\\.\\root\\cimv2\\SMS") -#pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2\\SMS") + #pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL) [ SMS_Report (TRUE), SMS_Group_Name ("BitLocker Encryption Details"), SMS_Class_ID ("MICROSOFT|BITLOCKER_DETAILS|1.0")] @@ -66,8 +66,8 @@ In the following sections, complete the instructions that correspond to the vers String EnforcePolicyDate; }; -#pragma namespace ("\\\\.\\root\\cimv2\\SMS") -#pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2\\SMS") + #pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL) [ SMS_Report(TRUE), SMS_Group_Name("BitLocker Policy"), SMS_Class_ID("MICROSOFT|MBAM_POLICY|1.0")] @@ -110,8 +110,8 @@ In the following sections, complete the instructions that correspond to the vers }; //Read Win32_OperatingSystem.SKU WMI property in a new class - because SKU is not available before Vista. -#pragma namespace ("\\\\.\\root\\cimv2\\SMS") -#pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2\\SMS") + #pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL) [ SMS_Report (TRUE), SMS_Group_Name ("Operating System Ex"), SMS_Class_ID ("MICROSOFT|OPERATING_SYSTEM_EXT|1.0") ] 
@@ -124,8 +124,8 @@ In the following sections, complete the instructions that correspond to the vers }; //Read Win32_ComputerSystem.PCSystemType WMI property in a new class - because PCSystemType is not available before Vista. -#pragma namespace ("\\\\.\\root\\cimv2\\SMS") -#pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2\\SMS") + #pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL) [ SMS_Report (TRUE), SMS_Group_Name ("Computer System Ex"), SMS_Class_ID ("MICROSOFT|COMPUTER_SYSTEM_EXT|1.0") ] @@ -193,8 +193,8 @@ In the following sections, complete the instructions that correspond to the vers // Microsoft BitLocker Administration and Monitoring //=================================================== -#pragma namespace ("\\\\.\\root\\cimv2\\SMS") -#pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2\\SMS") + #pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL) [ SMS_Report (TRUE), SMS_Group_Name ("BitLocker Encryption Details"), SMS_Class_ID ("MICROSOFT|BITLOCKER_DETAILS|1.0")] @@ -232,8 +232,8 @@ In the following sections, complete the instructions that correspond to the vers String EnforcePolicyDate; }; -#pragma namespace ("\\\\.\\root\\cimv2\\SMS") -#pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2\\SMS") + #pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL) [ SMS_Report(TRUE), SMS_Group_Name("BitLocker Policy"), SMS_Class_ID("MICROSOFT|MBAM_POLICY|1.0"), @@ -278,8 +278,8 @@ In the following sections, complete the instructions that correspond to the vers string EncodedComputerName; }; -#pragma namespace ("\\\\.\\root\\cimv2\\SMS") -#pragma deleteclass("Win32Reg_MBAMPolicy_64", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2\\SMS") + #pragma deleteclass("Win32Reg_MBAMPolicy_64", NOFAIL) [ SMS_Report(TRUE), SMS_Group_Name("BitLocker Policy"), SMS_Class_ID("MICROSOFT|MBAM_POLICY|1.0"), 
@@ -325,8 +325,8 @@ In the following sections, complete the instructions that correspond to the vers }; //Read Win32_OperatingSystem.SKU WMI property in a new class - because SKU is not available before Vista. -#pragma namespace ("\\\\.\\root\\cimv2\\SMS") -#pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2\\SMS") + #pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL) [ SMS_Report (TRUE), SMS_Group_Name ("Operating System Ex"), SMS_Class_ID ("MICROSOFT|OPERATING_SYSTEM_EXT|1.0") ] @@ -339,8 +339,8 @@ In the following sections, complete the instructions that correspond to the vers }; //Read Win32_ComputerSystem.PCSystemType WMI property in a new class - because PCSystemType is not available before Vista. -#pragma namespace ("\\\\.\\root\\cimv2\\SMS") -#pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2\\SMS") + #pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL) [ SMS_Report (TRUE), SMS_Group_Name ("Computer System Ex"), SMS_Class_ID ("MICROSOFT|COMPUTER_SYSTEM_EXT|1.0") ] diff --git a/mdop/mbam-v25/edit-the-configurationmof-file-mbam-25.md b/mdop/mbam-v25/edit-the-configurationmof-file-mbam-25.md index f19930748f..b920db9b8e 100644 --- a/mdop/mbam-v25/edit-the-configurationmof-file-mbam-25.md +++ b/mdop/mbam-v25/edit-the-configurationmof-file-mbam-25.md 
@@ -25,8 +25,8 @@ To enable the client computers to report BitLocker compliance details through th // Microsoft BitLocker Administration and Monitoring //=================================================== -#pragma namespace ("\\\\.\\root\\cimv2") -#pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2") + #pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL) [Union, ViewSources{"select DeviceId, BitlockerPersistentVolumeId, BitLockerManagementPersistentVolumeId, BitLockerManagementVolumeType, DriveLetter, Compliant, ReasonsForNonCompliance, KeyProtectorTypes, EncryptionMethod, ConversionStatus, ProtectionStatus, IsAutoUnlockEnabled, NoncomplianceDetectedDate, EnforcePolicyDate from Mbam_Volume"}, ViewSpaces{"\\\\.\\root\\microsoft\\mbam"}, dynamic, Provider("MS_VIEW_INSTANCE_PROVIDER")] class Win32_BitLockerEncryptionDetails { @@ -62,8 +62,8 @@ To enable the client computers to report BitLocker compliance details through th String EnforcePolicyDate; }; -#pragma namespace ("\\\\.\\root\\cimv2") -#pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2") + #pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL) [DYNPROPS] Class Win32Reg_MBAMPolicy { @@ -124,8 +124,8 @@ To enable the client computers to report BitLocker compliance details through th EncodedComputerName; }; -#pragma namespace ("\\\\.\\root\\cimv2") -#pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2") + #pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL) [Union, ViewSources{"select Name,OperatingSystemSKU from Win32_OperatingSystem"}, ViewSpaces{"\\\\.\\root\\cimv2"}, dynamic,Provider("MS_VIEW_INSTANCE_PROVIDER")] class CCM_OperatingSystemExtended 
@@ -136,8 +136,8 @@ To enable the client computers to report BitLocker compliance details through th uint32 SKU; }; -#pragma namespace ("\\\\.\\root\\cimv2") -#pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2") + #pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL) [Union, ViewSources{"select Name,PCSystemType from Win32_ComputerSystem"}, ViewSpaces{"\\\\.\\root\\cimv2"}, dynamic,Provider("MS_VIEW_INSTANCE_PROVIDER")] class CCM_ComputerSystemExtended @@ -168,8 +168,8 @@ To enable the client computers to report BitLocker compliance details through th // Microsoft BitLocker Administration and Monitoring //=================================================== -#pragma namespace ("\\\\.\\root\\cimv2") -#pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2") + #pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL) [Union, ViewSources{"select DeviceId, BitlockerPersistentVolumeId, BitLockerManagementPersistentVolumeId, BitLockerManagementVolumeType, DriveLetter, Compliant, ReasonsForNonCompliance, KeyProtectorTypes, EncryptionMethod, ConversionStatus, ProtectionStatus, IsAutoUnlockEnabled, NoncomplianceDetectedDate, EnforcePolicyDate from Mbam_Volume"}, ViewSpaces{"\\\\.\\root\\microsoft\\mbam"}, dynamic, Provider("MS_VIEW_INSTANCE_PROVIDER")] class Win32_BitLockerEncryptionDetails { @@ -205,8 +205,8 @@ To enable the client computers to report BitLocker compliance details through th String EnforcePolicyDate; }; -#pragma namespace ("\\\\.\\root\\cimv2") -#pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2") + #pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL) [DYNPROPS] Class Win32Reg_MBAMPolicy { 
@@ -267,8 +267,8 @@ To enable the client computers to report BitLocker compliance details through th EncodedComputerName; }; -#pragma namespace ("\\\\.\\root\\cimv2") -#pragma deleteclass("Win32Reg_MBAMPolicy_64", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2") + #pragma deleteclass("Win32Reg_MBAMPolicy_64", NOFAIL) [DYNPROPS] Class Win32Reg_MBAMPolicy_64 { @@ -329,8 +329,8 @@ To enable the client computers to report BitLocker compliance details through th EncodedComputerName; }; -#pragma namespace ("\\\\.\\root\\cimv2") -#pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2") + #pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL) [Union, ViewSources{"select Name,OperatingSystemSKU from Win32_OperatingSystem"}, ViewSpaces{"\\\\.\\root\\cimv2"}, dynamic,Provider("MS_VIEW_INSTANCE_PROVIDER")] class CCM_OperatingSystemExtended @@ -341,8 +341,8 @@ To enable the client computers to report BitLocker compliance details through th uint32 SKU; }; -#pragma namespace ("\\\\.\\root\\cimv2") -#pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL) + #pragma namespace ("\\\\.\\root\\cimv2") + #pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL) [Union, ViewSources{"select Name,PCSystemType from Win32_ComputerSystem"}, ViewSpaces{"\\\\.\\root\\cimv2"}, dynamic,Provider("MS_VIEW_INSTANCE_PROVIDER")] class CCM_ComputerSystemExtended From 7eeb7b083f0a95e2bd8b355c6af71f29415084d1 Mon Sep 17 00:00:00 2001 From: "J. Decker" Date: Thu, 28 Apr 2016 09:48:22 -0700 Subject: [PATCH 09/38] fix formatting --- windows/manage/windows-10-start-layout-options-and-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/manage/windows-10-start-layout-options-and-policies.md b/windows/manage/windows-10-start-layout-options-and-policies.md index 142e4e88a6..5a0c3eadfe 100644 --- a/windows/manage/windows-10-start-layout-options-and-policies.md +++ b/windows/manage/windows-10-start-layout-options-and-policies.md 
@@ -57,7 +57,7 @@ The following table lists the different parts of Start and any applicable policy

-and-

Dynamically inserted app tile

MDM: Allow Windows Consumer Features

-

Group Policy: Computer Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off Microsoft consumer experiences

+

Group Policy: Computer Configuration\\Administrative Templates\\Windows Components\\Cloud Content\\Turn off Microsoft consumer experiences

Note  

This policy also enables or disables notifications for a user's Microsoft account and app tiles from Microsoft dynamically inserted in the default Start menu.
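Review bot: the `+` line doubles every separator in the Group Policy path (`Computer Configuration\\Administrative Templates\\...`), which is only correct if this table cell goes through Markdown escape processing. Check the rendered page: if the escapes are not processed, readers will see and copy the doubled backslashes and will not find the policy at that path. Putting the path in inline code formatting with single backslashes would remove the dependency on escape handling.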

From 56915118b2cc7fa9caa9012cee45bc878a3adeb4 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 28 Apr 2016 10:10:08 -0700 Subject: [PATCH 10/38] Updated for task #7360131 --- ...ct-data-using-enterprise-site-discovery.md | 87 +++++++++++-------- 1 file changed, 49 insertions(+), 38 deletions(-) diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md index 3c72362e33..4d6f071016 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md +++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md @@ -16,9 +16,9 @@ title: Collect data using Enterprise Site Discovery - Windows 8.1 Update - Windows 7 with Service Pack 1 (SP1) -Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7. This inventory information helps you build a list of websites used by your company so you can make more informed decisions about your IE deployments, including figuring out which sites might be at risk or require overhauls during future upgrades. +Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7. This inventory information helps you build a list of websites used by your company so you can make more informed decisions about your IE deployments, including figuring out which sites might be at risk or require overhauls during future upgrades. -## Requirements +## Before you begin Before you start, you need to make sure you have the following: - Latest cumulative security update (for all supported versions of Internet Explorer): 
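Review bot: the renamed heading `## Before you begin` is now followed directly by the unchanged sentence "Before you start, you need to make sure you have the following:", so the section opens by saying the same thing twice. Shorten the sentence to something like "Make sure you have the following:". Also, the `-`/`+` pair on the intro paragraph ("Use Internet Explorer to collect data ...") shows no visible text difference; if it is a whitespace-only change, consider dropping it from the patch to keep the diff focused.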
@@ -43,7 +43,7 @@ Before you start, you need to make sure you have the following: You must use System Center 2012 R2 Configuration Manager or later for these samples to work. -Both the PowerShell script and .mof file need to be copied to the same location on the client computer, before you run the scripts. +Both the PowerShell script and the Managed Object Format (.MOF) file need to be copied to the same location on the client device, before you run the scripts. ## What data is collected? Data is collected on the configuration characteristics of IE and the sites it browses, as shown here. @@ -67,7 +67,7 @@ Data is collected on the configuration characteristics of IE and the sites it br The data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements. ## Where is the data stored and how do I collect it? -The data is stored locally, in an industry-standard WMI class, Managed Object Format (.MOF) file or in an XML file, depending on your configuration. This file remains on the client computer until it’s collected. To collect the files, we recommend: +The data is stored locally, in an industry-standard WMI class, .MOF file or in an XML file, depending on your configuration. This file remains on the client computer until it’s collected. To collect the files, we recommend: - **WMI file**. Use Microsoft Configuration Manager or any agent that can read the contents of a WMI class on your computer. @@ -80,48 +80,55 @@ On average, a website generates about 250bytes of data for each visit, causing o

**Important**
The data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements. ## Getting ready to use Enterprise Site Discovery +Before you can start to collect your data, you must run the provided PowerShell script (IETelemetrySetUp.ps1) on your client devices to start generating the site discovery data and to set up a place to store this data locally. Then, you must start collecting the site discovery data from the client devices, using one of these three options: + +- Collect your hardware inventory using the MOF Editor, while connecting to a client device.

+-OR- +- Collect your hardware inventory using the MOF Editor with a .MOF import file.

+-OR- +- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) + +### WMI only: Running the PowerShell script to compile the .MOF file and to update security privileges You need to set up your computers for data collection by running the provided PowerShell script (IETelemetrySetUp.ps1) to compile the .mof file and to update security privileges for the new WMI classes.

**Important**
You must run this script if you’re using WMI as your data output. It's not necessary if you're using XML as your data output. - ![](images/wedge.gif) **To set up Enterprise Site Discovery** +![](images/wedge.gif) **To set up Enterprise Site Discovery** -- Start PowerShell in elevated mode (using admin privileges) and run IETElemetrySetUp.ps1 by by-passing the PowerShell execution policy, using this command: `powershell -ExecutionPolicy Bypass .\IETElemetrySetUp.ps1`. For more info, see [about Execution Policies](http://go.microsoft.com/fwlink/p/?linkid=517460). - -### Optional: Set up your firewall for WMI data +- Start PowerShell in elevated mode (using admin privileges) and run IETElemetrySetUp.ps1 by by-passing the PowerShell execution policy, using this command: `powershell -ExecutionPolicy Bypass .\IETElemetrySetUp.ps1`. For more info, see [about Execution Policies](http://go.microsoft.com/fwlink/p/?linkid=517460). +### WMI only: Set up your firewall for WMI data If you choose to use WMI as your data output, you need to make sure that your WMI data can travel through your firewall for the domain. If you’re sure, you can skip this section; otherwise, follow these steps: - ![](images/wedge.gif) **To set up your firewall** +![](images/wedge.gif) **To set up your firewall** -1. In **Control Panel**, click **System and Security**, and then click **Windows Firewall**. +1. In **Control Panel**, click **System and Security**, and then click **Windows Firewall**. -2. In the left pane, click **Allow an app or feature through Windows Firewall** and scroll down to check the box for **Windows Management Instrumentation (WMI)**. +2. In the left pane, click **Allow an app or feature through Windows Firewall** and scroll down to check the box for **Windows Management Instrumentation (WMI)**. -3. Restart your computer to start collecting your WMI data. +3. Restart your computer to start collecting your WMI data. 
-## Setting up Enterprise Site Discovery using PowerShell -After you finish the initial setup for Site Discovery using PowerShell, you have the option to continue with PowerShell or to switch to Group Policy. +## Use PowerShell to finish setting up Enterprise Site Discovery +You can determine which zones or domains are used for data collection, using PowerShell. If you don’t want to use PowerShell, you can do this using Group Policy. For more info, see [Use Group Policy to finish setting up Enterprise Site Discovery](#use-group-policy-to-finish-setting-up-enterprise-site-discovery).

**Important**
The .ps1 file updates turn on Enterprise Site Discovery and WMI collection for all users on a device. -### Setting up zones or domains for data collection -You can determine which zones or domains are used for data collection, using PowerShell. +- **Domain allow list.** If you have a domain allow list, a comma-separated list of domains that should have this feature turned on, you should use this process. -- **Domain allow list.** If you have a domain allow list, a comma-separated list of domains that should have this feature turned on, you should use this process. - -- **Zone allow list.** If you have a zone allow list, a comma-separated list of zones that should have this feature turned on, you should use this process. +- **Zone allow list.** If you have a zone allow list, a comma-separated list of zones that should have this feature turned on, you should use this process. ![](images/wedge.gif) **To set up data collection using a domain allow list** - -- Start PowerShell in elevated mode (using admin privileges) and run IETElemetrySetUp.ps1, using this command: `.\IETElemetrySetUp.ps1 [other args] -SiteAllowList sharepoint.com,outlook.com,onedrive.com`. -

**Important**
Wildcards, like \*.microsoft.com, aren’t supported. + + - Start PowerShell in elevated mode (using admin privileges) and run IETElemetrySetUp.ps1, using this command: `.\IETElemetrySetUp.ps1 [other args] -SiteAllowList sharepoint.com,outlook.com,onedrive.com`. + + **Important**
Wildcards, like \*.microsoft.com, aren’t supported. ![](images/wedge.gif) **To set up data collection using a zone allow list** + + - Start PowerShell in elevated mode (using admin privileges) and run IETElemetrySetUp.ps1, using this command: `.\IETElemetrySetUp.ps1 [other args] -ZoneAllowList Computer,Intranet,TrustedSites,Internet,RestrictedSites`. + + **Important**
Only Computer, Intranet, TrustedSites, Internet, and RestrictedSites are supported. -- Start PowerShell in elevated mode (using admin privileges) and run IETElemetrySetUp.ps1, using this command: `.\IETElemetrySetUp.ps1 [other args] -ZoneAllowList Computer,Intranet,TrustedSites,Internet,RestrictedSites`. -

**Important**
Only Computer, Intranet, TrustedSites, Internet, and RestrictedSites are supported. - -## Setting up Enterprise Site Discovery using Group Policy -If you don’t want to continue using PowerShell, you can switch to Group Policy after the initial Site Discovery setup. +## Use Group Policy to finish setting up Enterprise Site Discovery +You can use Group Policy to finish setting up Enterprise Site Discovery. If you don’t want to use Group Policy, you can do this using PowerShell. For more info, see [Use Powershell to finish setting up Enterprise Site Discovery](#use-powershell-to-finish-setting-up-enterprise-site-discovery).

**Note**
 All of the Group Policy settings can be used individually or as a group. ![](images/wedge.gif) **To set up Enterprise Site Discovery using Group Policy** @@ -136,7 +143,6 @@ If you don’t want to continue using PowerShell, you can switch to Group Policy |Administrative Templates\Windows Components\Internet Explorer\Limit Site Discovery output by domain |Manages which domains can collect data |To specify which domains can collect data, you must include your selected domains, one domain per line, in the provided box. It should look like:

microsoft.sharepoint.com
outlook.com
onedrive.com
timecard.contoso.com
LOBApp.contoso.com | ### Combining WMI and XML Group Policy settings - You can use both the WMI and XML settings individually or together, based on: ![](images/wedge.gif) **To turn off Enterprise Site Discovery** @@ -163,12 +169,17 @@ You can use both the WMI and XML settings individually or together, based on:

  • Turn on Site Discovery XML output: XML file path
  • - ## Use Configuration Manager to collect your data -After you’ve collected your data, you’ll need to get the local files off of your employee’s computers. To do this, use the hardware inventory process in Configuration Manager, in one of the following ways. +After you’ve collected your data, you’ll need to get the local files off of your employee’s computers. To do this, use the hardware inventory process in Configuration Manager, using one of these options: -### Collect your hardware inventory using the MOF Editor while connecting to a computer -You can collect your hardware inventory using the MOF Editor, while you’re connected to your client computers. +- Collect your hardware inventory using the MOF Editor, while connecting to a client device.

    +-OR- +- Collect your hardware inventory using the MOF Editor with a .MOF import file.

    +-OR- +- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) + +### Collect your hardware inventory using the MOF Editor while connected to a client device +You can collect your hardware inventory using the MOF Editor, while you’re connected to your client devices. ![](images/wedge.gif) **To collect your inventory** @@ -193,8 +204,8 @@ You can collect your hardware inventory using the MOF Editor, while you’re con 5. Click **OK** to close the default windows.
    Your environment is now ready to collect your hardware inventory and review the sample reports. -### Collect your hardware inventory using the MOF Editor with a MOF import file -You can collect your hardware inventory using the MOF Editor and a MOF import file. +### Collect your hardware inventory using the MOF Editor with a .MOF import file +You can collect your hardware inventory using the MOF Editor and a .MOF import file. ![](images/wedge.gif) **To collect your inventory** @@ -207,8 +218,8 @@ You can collect your hardware inventory using the MOF Editor and a MOF import fi 4. Click **OK** to close the default windows.
    Your environment is now ready to collect your hardware inventory and review the sample reports. -### Collect your hardware inventory using the SMS\DEF.MOF file -You can collect your hardware inventory using the using the Systems Management Server (SMS\DEF.MOF) file. +### Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) +You can collect your hardware inventory using the using the Systems Management Server (SMS\DEF.MOF) file. Editing this file lets you collect your data for System Center Configuration Manager 2007. If you aren’t using this version of Configuration Manager, you won’t want to use this option. ![](images/wedge.gif) **To collect your inventory** @@ -281,7 +292,7 @@ You can collect your hardware inventory using the using the Systems Management S 3. Save the file and close it to the same location.
    Your environment is now ready to collect your hardware inventory and review the sample reports. -### Viewing the sample reports +## View the sample reports with your collected data The sample reports, **SCCM Report Sample – ActiveX.rdl** and **SCCM Report Sample – Site Discovery.rdl**, work with System Center 2012, so you can review your collected data. ### SCCM Report Sample – ActiveX.rdl @@ -336,7 +347,7 @@ Each site is validated and if successful, added to the global site list when you 3. Click **OK** to close the **Bulk add sites to the list** menu. -## Turn off data collection on your client computers +## Turn off data collection on your client devices After you’ve collected your data, you’ll need to turn Enterprise Site Discovery off. ![](images/wedge.gif) **To stop collecting data, using PowerShell** From 29fa4a92dd260f6b55bf2389fca6b7ab05e45ae4 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Thu, 28 Apr 2016 11:01:00 -0700 Subject: [PATCH 11/38] wsfb paid app updates --- windows/manage/TOC.md | 4 +- ...managemement-windows-store-for-business.md | 45 ++++++++++++++----- .../apps-in-windows-store-for-business.md | 2 +- ...ge-inventory-windows-store-for-business.md | 1 + 4 files changed, 40 insertions(+), 12 deletions(-) diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md index 2398446f4f..3324e10449 100644 --- a/windows/manage/TOC.md +++ b/windows/manage/TOC.md 
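Review bot: In the Enterprise Site Discovery hunk at @@ -207,8 +218,8 @@, the rewritten sentence under the SMS\DEF.MOF heading still carries the doubled words "using the using the" from the line it replaces; since the line is being rewritten anyway, drop one pair. The same patch renames "client computers" to "client devices" in the headings, yet the rewritten Configuration Manager intro keeps "your employee's computers", so settle on one term throughout.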
@@ -36,6 +36,7 @@ #### [Settings reference: Windows Store for Business](settings-reference-windows-store-for-business.md) ### [Find and acquire apps](find-and-acquire-apps-overview.md) #### [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md) +#### [Acquire apps in the Windows Store for Business](acquire-apps-windows-store-for-business.md) #### [Working with line-of-business apps](working-with-line-of-business-apps.md) ### [Distribute apps to your employees from the Windows Store for Business](distribute-apps-to-your-employees-windows-store-for-business.md) #### [Distribute apps using your private store](distribute-apps-from-your-private-store.md) @@ -43,8 +44,9 @@ #### [Distribute apps with a management tool](distribute-apps-with-management-tool.md) #### [Distribute offline apps](distribute-offline-apps.md) ### [Manage apps](manage-apps-windows-store-for-business-overview.md) -#### [Manage access to private store](manage-access-to-private-store.md) #### [App inventory managemement for Windows Store for Business](app-inventory-managemement-windows-store-for-business.md) +#### [Manage app orders in Windows Store for Business](manage-orders-windows-store-for-business.md) +#### [Manage access to private store](manage-access-to-private-store.md) #### [Manage private store settings](manage-private-store-settings.md) #### [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md) ### [Device Guard signing portal](device-guard-signing-portal.md) diff --git a/windows/manage/app-inventory-managemement-windows-store-for-business.md b/windows/manage/app-inventory-managemement-windows-store-for-business.md index 77c0e6e634..245d15cac1 100644 --- a/windows/manage/app-inventory-managemement-windows-store-for-business.md +++ b/windows/manage/app-inventory-managemement-windows-store-for-business.md 
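Review bot: The two entries added to windows/manage/TOC.md point at acquire-apps-windows-store-for-business.md and manage-orders-windows-store-for-business.md, and neither file is among the four in this commit's diffstat, so unless both already exist on the branch these TOC links will be broken when published. Add the topics in the same commit or hold the entries until the files land.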
@@ -105,11 +105,6 @@ Each app in the Store for Business has an online, or an offline license. For mor   -**Note**   -Removing apps from inventory is not currently supported. - -  - The actions in the table are how you distribute apps, and manage app licenses. We'll cover those in the next sections. Working with offline-licensed apps has different steps. For more information on distributing offline-licensed apps, see [Distribute offline apps](distribute-offline-apps.md). ### Distribute apps 
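Review bot: Deleting the note "Removing apps from inventory is not currently supported." leaves the topic with no statement either way, and nothing else in this commit documents removing an app from inventory (the added steps only cover removing it from the private store). If removal is now supported, add the procedure here; if it is not, keep the note.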
@@ -122,15 +117,45 @@ For online-licensed apps, there are a couple of ways to distribute apps from you If you use a management tool that supports Store for Business, you can distribute apps with your management tool. Once it is configured to work with Store for Business, your managment tool will have access to all apps in your inventory. For more information, see [Distribute apps with a management tool](distribute-apps-with-management-tool.md). -### Assign apps +Once an app is in your private store, people in your org can install the app on their devices. For more information, see [Distribute apps using your private store](distribute-apps-from-your-private-store.md). -You can assign apps directly to people in your organization. You can assign apps to individuals, a few people, or to a group. For more information, see [Assign apps to employees](assign-apps-to-employees.md). +**To make an app in inventory available in your private store** -### Private store +1. Sign in to the [Store for Business](http://businessstore.microsoft.com). +2. Click **Manage**, and then choose **Inventory**. +3. Click **Refine**, and then choose **Online**. Store for Business will update the list of apps on the **Inventory** page. +4. From an app in **Inventory**, click the ellipses under **Action**, and then choose **Add to private store**. -The private store is a feature in the Store for Business. Once an online-licensed app is in your inventory, you can make it available in your private store. When you add apps to the private store, all employees in your organization can view and download the app. Employees access the private store as a page in Windows Store app. +The value under Private store for the app will change to pending. It will take approximately twelve hours before the app is available in the private store. -For more information, see [Distribute apps using your private store](distribute-apps-from-your-private-store.md). 
+Employees can claim apps that admins added to the private store by doing the following. + +**To claim an app from the private store** + +1. Sign in to your computer with your Azure Active Directory (AD) credentials, and start the Windows Store app. +2. Click the private store tab. +3. Click the app you want to install, and then click **Install**. + +Another way to distribute apps is by assigning them to people in your organization. + +If you decide that you don't want an app available for employees to install on their own, you can remove it from your private store. + +**To remove an app from the private store** + +1. Sign in to the [Store for Business](http://businessstore.microsoft.com). +2. Click **Manage**, and then choose **Inventory**. +3. Find an app, click the ellipses under **Action**, and then choose **Remove from private store**, and then click **Remove**. + +The app will still be in your inventory, but your employees will not have access to the app from your private store. + +**To assign an app to an employee** + +1. Sign in to the [Store for Business](http://businessstore.microsoft.com). +2. Click **Manage**, and then choose **Inventory**. +3. Find an app, click the ellipses under **Action**, and then choose **Assign to people**. +4. Type the email address for the employee that you're assigning the app to, and click **Confirm**. + +Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**. Also, in the Windows Store app, they can find the app under **My Library**. ### Manage app licenses diff --git a/windows/manage/apps-in-windows-store-for-business.md b/windows/manage/apps-in-windows-store-for-business.md index 1376953e1a..f1a9e6aaf5 100644 --- a/windows/manage/apps-in-windows-store-for-business.md +++ b/windows/manage/apps-in-windows-store-for-business.md 
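Review bot: All three added sign-in steps link to http://businessstore.microsoft.com; a page where admins enter credentials should be linked over https. Separately, the added sentence "Another way to distribute apps is by assigning them to people in your organization." sits above the remove-from-private-store steps, while the procedure it introduces comes after them; move it down so it directly precedes **To assign an app to an employee**.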
@@ -49,7 +49,7 @@ Apps that you acquire from the Store for Business only work on Windows 10-based Some apps are free, and some apps charge a price. We're continuing to add more paid apps to the Store for Business. Check back if you don't see the app that you're looking for. Currently, you can pay for apps with a credit card. We'll be adding more payment options over time. -Some apps which are available to consumers in Windows Store might not be available in Windows Store for Business. This can happen for a couple of reasons. The app developer might set the app availability so that it is only available to people using Windows Store. Also, business-to-business transaction regulatory requirements might prevent the app being available in Store for Business. +Some apps which are available to consumers in Windows Store might not be available in Windows Store for Business. This can happen for a couple of reasons. The app developer might set the app availability so that it is only available to people using Windows Store. Also, tax requirements for business-to-business transactions might prevent the app being available in Store for Business. Line-of-business (LOB) apps are also supported using the Store for Business. Admins can invite IT devs and ISVs to be LOB publishers. Apps developed by your LOB publishers that are submitted to the Store are only available to your organization. Once an administrator accepts an app submitted by one of their LOB publishers, the app can be distributed just like any other app from Store for Business. For more information, see Working with Line-of-Business apps. diff --git a/windows/manage/manage-inventory-windows-store-for-business.md b/windows/manage/manage-inventory-windows-store-for-business.md index f2675df317..0a364336aa 100644 --- a/windows/manage/manage-inventory-windows-store-for-business.md +++ b/windows/manage/manage-inventory-windows-store-for-business.md 
@@ -1,6 +1,7 @@ --- title: Manage inventory in Windows Store for Business (Windows 10) description: When you acquire apps from the Windows Store for Business, we add them to the Inventory for your organization. Once an app is part of your inventory, you can distribute the app, and manage licenses. +redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/app-inventory-management-windows-store-for-business ms.prod: W10 ms.mktglfcycl: manage ms.sitesec: library From 552ffb838184fe7a559e109607e2eadc5d95b413 Mon Sep 17 00:00:00 2001 From: "J. Decker" Date: Thu, 28 Apr 2016 11:09:11 -0700 Subject: [PATCH 12/38] smb hardening --- .../keep-secure/windows-10-security-guide.md | 21 ++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/windows/keep-secure/windows-10-security-guide.md b/windows/keep-secure/windows-10-security-guide.md index fbcf34aefe..b5f748c2f1 100644 --- a/windows/keep-secure/windows-10-security-guide.md +++ b/windows/keep-secure/windows-10-security-guide.md @@ -355,7 +355,10 @@ Table 3. Threats and Windows 10 mitigations Windows 10 mitigation - + +

    "Man in the middle" attacks, when an attacker reroutes communications between two users through the attacker's computer without the knowledge of the two communicating users

    +

    Client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require SMB signing and mutual authentication (such as Kerberos).

    +

    Firmware bootkits replace the firmware with malware.

    All certified PCs include a UEFI with Secure Boot, which requires signed firmware for updates to UEFI and Option ROMs.

    @@ -395,6 +398,22 @@ Table 3. Threats and Windows 10 mitigations The sections that follow describe these improvements in more detail. +**SMB hardening improvements for SYSVOL and NETLOGON connections** + +In Windows 10 and Windows Server 2016 Technical Preview, client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require SMB signing and mutual authentication (such as Kerberos). + +- **What value does this change add?** +This change reduces the likelihood of man-in-the-middle attacks. + +- **What works differently?** +If SMB signing and mutual authentication are unavailable, a Windows 10 or Windows Server 2016 computer won’t process domain-based Group Policy and scripts. + + +> **Note:** The registry values for these settings aren’t present by default, but the hardening rules still apply until overridden by Group Policy or other registry values. + +For more information on these security improvements, (also referred to as UNC hardening), see [Microsoft Knowledge Base article 3000483](http://go.microsoft.com/fwlink/p/?LinkId=789216) and [MS15-011 & MS15-014: Hardening Group Policy](http://go.microsoft.com/fwlink/p/?LinkId=789215). + + **Secure hardware** Although Windows 10 is designed to run on almost any hardware capable of running Windows 8, Windows 7, or Windows Vista, taking full advantage of Windows 10 security requires advancements in hardware-based security, including UEFI with Secure Boot, CPU virtualization features (for example, Intel VT-x), CPU memory-protection features (for example, Intel VT-d), TPM, and biometric sensors. From 98e240371f24c63ce292bd3a6493f6477afea795 Mon Sep 17 00:00:00 2001 From: "J. Decker" Date: Thu, 28 Apr 2016 11:47:45 -0700 Subject: [PATCH 13/38] removed colgroup --- windows/keep-secure/windows-10-security-guide.md | 4 ---- 1 file changed, 4 deletions(-) 
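Review bot: In the section added to windows-10-security-guide.md for SYSVOL and NETLOGON connections, the note refers to "the registry values for these settings" without naming the settings, the Group Policy that overrides them, or where the values live, so an admin whose clients stop processing domain-based Group Policy has nothing to search for. Name the policy setting in the note rather than leaving it to the two linked articles, and drop the stray comma in "security improvements, (also referred to as UNC hardening)".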
diff --git a/windows/keep-secure/windows-10-security-guide.md b/windows/keep-secure/windows-10-security-guide.md index b5f748c2f1..91964d3da0 100644 --- a/windows/keep-secure/windows-10-security-guide.md +++ b/windows/keep-secure/windows-10-security-guide.md @@ -345,10 +345,6 @@ Table 3 lists specific malware threats and the mitigation that Windows 10 provi Table 3. Threats and Windows 10 mitigations ---- From 3171b1c0e75a55367db573448a42fa8ac372e5bc Mon Sep 17 00:00:00 2001 From: "J. Decker" Date: Thu, 28 Apr 2016 11:48:45 -0700 Subject: [PATCH 14/38] spell out smb --- windows/keep-secure/windows-10-security-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/windows-10-security-guide.md b/windows/keep-secure/windows-10-security-guide.md index 91964d3da0..586d509b57 100644 --- a/windows/keep-secure/windows-10-security-guide.md +++ b/windows/keep-secure/windows-10-security-guide.md @@ -396,7 +396,7 @@ The sections that follow describe these improvements in more detail. **SMB hardening improvements for SYSVOL and NETLOGON connections** -In Windows 10 and Windows Server 2016 Technical Preview, client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require SMB signing and mutual authentication (such as Kerberos). +In Windows 10 and Windows Server 2016 Technical Preview, client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require Server Message Block (SMB) signing and mutual authentication (such as Kerberos). - **What value does this change add?** This change reduces the likelihood of man-in-the-middle attacks. From eb60deb49dc6bae0a2bc9bc633dd1846819e9760 Mon Sep 17 00:00:00 2001 From: "J. Decker" Date: Thu, 28 Apr 2016 12:03:03 -0700 Subject: [PATCH 15/38] added SM to changelist --- windows/keep-secure/change-history-for-keep-windows-10-secure.md | 1 + 1 file changed, 1 insertion(+) 
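Review bot: The expansion to "Server Message Block (SMB)" is applied to the body paragraph at @@ -396,7 +396,7 @@, but that is not where the acronym first appears: the Table 3 row added by the SMB hardening commit near line 355 ("now require SMB signing and mutual authentication") comes earlier in the topic, as does the bold heading directly above this paragraph. Spell the term out in the table row, where a reader meets it first.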
diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 3752693094..3940db84d1 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -16,6 +16,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |New or changed topic | Description | |----------------------|-------------| |[Protect derived domain credentials with Credential Guard](credential-guard.md) |Clarified Credential Guard protections | +|[Windows 10 security overview](windows-10-security-guide.md) |Added SMB hardening improvements for SYSVOL and NETLOGON connections | ## March 2016 From 93bf847fc6f8eead8ac4d055d901789e119c054d Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Thu, 28 Apr 2016 14:55:11 -0700 Subject: [PATCH 16/38] fixing link --- windows/manage/distribute-offline-apps.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/manage/distribute-offline-apps.md b/windows/manage/distribute-offline-apps.md index f4f70c7983..8cb184da6b 100644 --- a/windows/manage/distribute-offline-apps.md +++ b/windows/manage/distribute-offline-apps.md 
@@ -34,7 +34,7 @@ Offline-licensed apps offer an alternative to online apps, and provide additiona You can't distribute offline-licensed apps directly from the Store for Business. Once you download the items for the offline-licensed app, you have three options for distributing the apps: -- **Deployment Image Servicing and Management**. DISM is a command-line tool that is used to mount and service Microsoft WindowsWindows images before deployment. You can also use DISM to install, uninstall, configure, and update Windows features, packages, drivers, and international settings in a .wim file or VHD using the DISM servicing commands. DISM commands are used on offline images. For more information, see [Deployment Image Servicing and Management](https://msdn.microsoft.com/library/windows/hardware/dn898558.aspx). +- **Deployment Image Servicing and Management**. DISM is a command-line tool that is used to mount and service Microsoft WindowsWindows images before deployment. You can also use DISM to install, uninstall, configure, and update Windows features, packages, drivers, and international settings in a .wim file or VHD using the DISM servicing commands. DISM commands are used on offline images. For more information, see [Deployment Image Servicing and Management](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows). - **Windows ICD**. ICD is GUI tool that you can use to create Windows provisioning answer files, and add third-party drivers, apps, or other assets to an answer file. For more information, see [Windows Imaging and Configuration Designer](https://msdn.microsoft.com/library/windows/hardware/dn916113.aspx). From 6a9302f2f07bad219c2ee7ac4f42d099d2c6aa3e Mon Sep 17 00:00:00 2001 
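Review bot: The DISM bullet edited at @@ -34,7 +34,7 @@ in distribute-offline-apps.md still reads "Microsoft WindowsWindows images" on both the removed and the added side; since the line is already being touched for the link, fix the doubled word. The Windows ICD bullet in the trailing context also reads "ICD is GUI tool", which is missing "a".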
From: Trudy Hakala Date: Fri, 29 Apr 2016 11:11:21 -0700 Subject: [PATCH 17/38] changing wording on app availability --- windows/manage/apps-in-windows-store-for-business.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/windows/manage/apps-in-windows-store-for-business.md b/windows/manage/apps-in-windows-store-for-business.md index f1a9e6aaf5..30d0677d94 100644 --- a/windows/manage/apps-in-windows-store-for-business.md +++ b/windows/manage/apps-in-windows-store-for-business.md 
@@ -47,9 +47,12 @@ Apps in your inventory will have at least one of these supported platforms liste Apps that you acquire from the Store for Business only work on Windows 10-based devices. Even though an app might list Windows 8 as its supported platform, that tells you what platform the app was originally written for. Apps developed for Windows 8, or Windows phone 8 will work on Windows 10. -Some apps are free, and some apps charge a price. We're continuing to add more paid apps to the Store for Business. Check back if you don't see the app that you're looking for. Currently, you can pay for apps with a credit card. We'll be adding more payment options over time. +Some apps are free, and some apps charge a price. Currently, you can pay for apps with a credit card. We'll be adding more payment options over time. -Some apps which are available to consumers in Windows Store might not be available in Windows Store for Business. This can happen for a couple of reasons. The app developer might set the app availability so that it is only available to people using Windows Store. Also, tax requirements for business-to-business transactions might prevent the app being available in Store for Business. +Some apps which are available to consumers in the Windows Store might not be available to organizations in the Windows Store for Business. App developers can opt-out their apps, and they also need to meet eligibility requirements for Windows Store for Business. For more information, read this info on [Organizational licensing options](https://msdn.microsoft.com/en-us/windows/uwp/publish/organizational-licensing). + +**Note**
    +We are still setting up the catalog of apps for Windows Store for Business. If you are searching for an app and it isn’t available, please check again in a couple of days. Line-of-business (LOB) apps are also supported using the Store for Business. Admins can invite IT devs and ISVs to be LOB publishers. Apps developed by your LOB publishers that are submitted to the Store are only available to your organization. Once an administrator accepts an app submitted by one of their LOB publishers, the app can be distributed just like any other app from Store for Business. For more information, see Working with Line-of-Business apps. From ca7b9c413b55d65328a8a5327fa89d4382444f91 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Fri, 29 Apr 2016 13:17:32 -0700 Subject: [PATCH 18/38] fixing broken link --- .../update-windows-store-for-business-account-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/manage/update-windows-store-for-business-account-settings.md b/windows/manage/update-windows-store-for-business-account-settings.md index 1357a11b43..0150a4f7e4 100644 --- a/windows/manage/update-windows-store-for-business-account-settings.md +++ b/windows/manage/update-windows-store-for-business-account-settings.md @@ -133,6 +133,6 @@ Offline licensing is a new licensing option for Windows 10. With offline license You have the following distribution options for offline-licensed apps: - Include the app in a provisioning package, and then use it as part of imaging a device. - Distribute the app through a management tool. -For more information, see Distribute apps to your employees from the Store for Business. +For more information, see [Distribute apps to your employees from the Store for Business](distribute-apps-with-management-tool.md). From 08b99a852785e67c976ab235ec60c6283782f2ef Mon Sep 17 00:00:00 2001 
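Review bot: In the availability paragraph rewritten at @@ -47,9 +47,12 @@ of apps-in-windows-store-for-business.md, "App developers can opt-out their apps, and they also need to meet eligibility requirements" leaves "they" ambiguous between the developers and the apps, and hyphenates "opt-out" as a verb. If the requirement applies to the apps, something like "App developers can opt their apps out, and apps must also meet the eligibility requirements for Windows Store for Business" removes the ambiguity.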
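Review bot: In update-windows-store-for-business-account-settings.md at @@ -133,6 +133,6 @@, the link text "Distribute apps to your employees from the Store for Business" now targets distribute-apps-with-management-tool.md, but windows/manage/TOC.md gives nearly that same title to distribute-apps-to-your-employees-windows-store-for-business.md and lists distribute-apps-with-management-tool.md as "Distribute apps with a management tool". Point the link at the overview topic, or change the link text to match the target.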
From: Maggie Evans Date: Fri, 29 Apr 2016 15:05:05 -0700 Subject: [PATCH 19/38] Created multi-column table to replace single-column one The table holding the supported file extension types migrated as a single long list of items. I created a multi-column table so the info would take up less space. --- ...aging-app-v-51-virtualized-applications.md | 76 ++++--------------- 1 file changed, 15 insertions(+), 61 deletions(-) diff --git a/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md b/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md index cf8080c563..bbdaf2448d 100644 --- a/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md +++ b/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md 
@@ -146,67 +146,21 @@ Copy on write (CoW) file extensions allow App-V 5.1 to dynamically write to spec The following table displays the file types that can exist in a virtual package under the VFS directory, but cannot be updated on the computer running the App-V 5.1 client. All other files and directories can be modified. -| File type | -| --------- | -| .acm | -| .asa | -| .asp | -| .aspx | -| .ax | -| .bat | -| .cer | -| .chm | -| .clb | -| .cmd | -| .cnt | -| .cnv | -| .com | -| .cpl | -| .cpx | -| .crt | -| .dll | -| .drv | -| .exe | -| .fon | -| .grp | -| .hlp | -| .hta | -| .ime | -| .inf | -| .ins | -| .isp | -| .its | -| .js | -| .jse | -| .lnk | -| .msc | -| .msi | -| .msp | -| .mst | -| .mui | -| .nls | -| .ocx | -| .pal | -| .pcd | -| .pif | -| .reg | -| .scf | -| .scr | -| .sct | -| .shb | -| .shs | -| .sys | -| .tlb | -| .tsp | -| .url | -| .vb | -| .vbe | -| .vbs | -| .vsmacros | -| .ws | -| .esc | -| .wsf | -| .wsh | +**File type** + +| .acm | .cnv | .hta | .msp | .sct | .ws | +| .asa | .com | .ime | .mst | .shb | .esc | +| .asp | .cpl | .inf | .mui | .shs | .wsf | +| .aspx| .cpx | .ins | .nls | .sys | .wsh | +| .ax | .crt | .isp | .ocx | .tlb | +| .bat | .dll | .its | .pal | .tsp | +| .cer | .drv | .js | .pcd | .url | +| .chm | .exe | .jse | .pif | .vb | +| .clb | .fon | .lnk | .reg | .vbe | +| .cmd | .grp | .msc | .scf | .vbs | +| .cnt | .hlp | .msi | .scr |. vsmacros | + + ## Modifying an existing virtual application package From d0caccbcc374fdd4204ef62a01a9cd42c10661f5 Mon Sep 17 00:00:00 2001 From: Maggie Evans Date: Fri, 29 Apr 2016 15:47:43 -0700 Subject: [PATCH 20/38] Trying to fix multi-column table. Looks like a table must have a header row in MDL. --- .../creating-and-managing-app-v-51-virtualized-applications.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
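Review bot: The last added row of the file-type table ends with "|. vsmacros |", which breaks the .vsmacros extension into a dot and a separate word; it should read "| .vsmacros |". Since this list defines which file types cannot be updated under the VFS directory, the entries need to be exact. The rows are also ragged (the first four have six cells, the remaining seven have five) and there is no header or delimiter row, so pad the short rows with an empty cell and add both rows.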
diff --git a/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md b/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md index bbdaf2448d..e694467f90 100644 --- a/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md +++ b/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md @@ -146,8 +146,9 @@ Copy on write (CoW) file extensions allow App-V 5.1 to dynamically write to spec The following table displays the file types that can exist in a virtual package under the VFS directory, but cannot be updated on the computer running the App-V 5.1 client. All other files and directories can be modified. -**File type** +File type +--------- | .acm | .cnv | .hta | .msp | .sct | .ws | | .asa | .com | .ime | .mst | .shb | .esc | | .asp | .cpl | .inf | .mui | .shs | .wsf | From fb97df54a0b0b2c538f8d3751c73beefab55729c Mon Sep 17 00:00:00 2001 From: jamiejdt Date: Fri, 29 Apr 2016 17:56:04 -0700 Subject: [PATCH 21/38] Bug 6613390: Fix Documentation for App-V 5.0 SP3 -> 5.1 Server upgrade Corrected several files to provide better flow and to highlight required registry key fixes --- mdop/appv-v5/TOC.md | 1 + mdop/appv-v5/about-app-v-50-sp3.md | 2 +- mdop/appv-v5/about-app-v-51.md | 38 ++- mdop/appv-v5/check-reg-key-svr.md | 238 ++++++++++++++++ .../how-to-deploy-the-app-v-51-server.1.md | 269 ++++++++++++++++++ ...ing-to-app-v-51-from-a-previous-version.md | 5 +- 6 files changed, 545 insertions(+), 8 deletions(-) create mode 100644 mdop/appv-v5/check-reg-key-svr.md create mode 100644 mdop/appv-v5/how-to-deploy-the-app-v-51-server.1.md diff --git a/mdop/appv-v5/TOC.md b/mdop/appv-v5/TOC.md index 2e81d5ad03..1a7c936696 100644 --- a/mdop/appv-v5/TOC.md +++ b/mdop/appv-v5/TOC.md 
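Review bot: The replacement for "**File type**" at @@ -146,8 +146,9 @@ is a bare "File type" line over "---------", which Markdown reads as a setext heading rather than a table header, so the rows below it still have no header row. A pipe table needs the header and the delimiter written with pipes and one cell per column, six here: "| File type | | | | | |" followed by "|---|---|---|---|---|---|".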
@@ -79,6 +79,7 @@ ##### [How to Access the Client Management Console 5.1](how-to-access-the-client-management-console51.md) ##### [How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server 5.1](how-to-configure-the-client-to-receive-package-and-connection-groups-updates-from-the-publishing-server-51.md) #### [Migrating to App-V 5.1 from a Previous Version](migrating-to-app-v-51-from-a-previous-version.md) +##### [Check Registry Keys before installing App-V 5.x Server](check-reg-key-svr.md) ##### [How to Convert a Package Created in a Previous Version of App-V 5.1](how-to-convert-a-package-created-in-a-previous-version-of-app-v51.md) ##### [How to Migrate Extension Points From an App-V 4.6 SP2 Package to a Converted App-V 5.1 Package for All Users on a Specific Computer](how-to-migrate-extension-points-from-an-app-v-46-sp2-package-to-a-converted-app-v-51-package-for-all-users-on-a-specific-computer.md) ##### [How to Migrate Extension Points From an App-V 4.6 SP2 Package to App-V 5.1 for a Specific User](how-to-migrate-extension-points-from-an-app-v-46-sp2-package-to-app-v-51-for-a-specific-user.md) diff --git a/mdop/appv-v5/about-app-v-50-sp3.md b/mdop/appv-v5/about-app-v-50-sp3.md index a4418a6430..84f1b27782 100644 --- a/mdop/appv-v5/about-app-v-50-sp3.md +++ b/mdop/appv-v5/about-app-v-50-sp3.md @@ -197,7 +197,7 @@ Complete the following steps to upgrade each component of the App-V infrastructu
    Threat

     

    -
  • If you are upgrading the App-V Server from App-V SP1 Hotfix Package 3 or later, complete the steps in section [Check registry keys after installing the App-V 5.0 SP3 Server](#bkmk-check-reg-key-svr).

  • +
  • If you are upgrading the App-V Server from App-V 5.0 SP1 Hotfix Package 3 or later, complete the steps in section [Check registry keys after installing the App-V 5.0 SP3 Server](#bkmk-check-reg-key-svr).

  • Follow the steps in [How to Deploy the App-V 5.0 Server](how-to-deploy-the-app-v-50-server-50sp3.md).

  • diff --git a/mdop/appv-v5/about-app-v-51.md b/mdop/appv-v5/about-app-v-51.md index 162630bae1..47d75bfb12 100644 --- a/mdop/appv-v5/about-app-v-51.md +++ b/mdop/appv-v5/about-app-v-51.md @@ -63,7 +63,7 @@ See the following links for the App-V 5.1 software prerequisites and supported c ## Migrating to App-V 5.1 -Use the following information to upgrade to App-V 5.1 from earlier versions. See [Migrating from a Previous Version](migrating-from-a-previous-version-app-v-50.md) for more information. +Use the following information to upgrade to App-V 5.1 from earlier versions. See [Migrating to App-V 5.1 from a Previous Version](migrating-to-app-v-51-from-a-previous-version.md) for more information. ### Before you start the upgrade @@ -90,7 +90,7 @@ Review the following information before you start the upgrade:
    Note   -

    To use the App-V client user interface, download the existing version from [Application Virtualization 5.0 Client UI Application](http://www.microsoft.com/download/details.aspx?id=41186).

    +

    Prior to App-V 5.0 SP2, the Client Management User Interface (UI) was provided with the App-V Client installation. For App-V 5.0 SP2 installations (or later), you can use the Client Management UI by downloading from [Application Virtualization 5.0 Client UI Application](http://www.microsoft.com/download/details.aspx?id=41186).

      @@ -98,7 +98,7 @@ Review the following information before you start the upgrade:

    Upgrading from App-V 4.x

    -

    For more information, see:

    +

    You must first upgrade to App-V 5.0. You cannot upgrade directly from App-V 4.x to App-V 5.1. For more information, see:

    • “Differences between App-V 4.6 and App-V 5.0” in [About App-V 5.0](about-app-v-50.md)

    • [Planning for Migrating from a Previous Version of App-V](planning-for-migrating-from-a-previous-version-of-app-v.md)

    • @@ -147,7 +147,35 @@ Complete the following steps to upgrade each component of the App-V infrastructu
       
      -

      See [How to Deploy the App-V 5.0 Server](how-to-deploy-the-app-v-50-server-50sp3.md)

      +

      Follow these steps:

      +
        +
      1. Do one of the following, depending on the method you are using to upgrade the Management database and/or Reporting database:

        + ++++ + + + + + + + + + + + + + + + + +
        Database upgrade methodStep

        Windows Installer

        Skip this step and go to step 2, “If you are upgrading the App-V Server...”

        SQL scripts

        Follow the steps in [How to Deploy the App-V Databases by Using SQL Scripts](how-to-deploy-the-app-v-databases-by-using-sql-scripts.md).

        +
      2. If you are upgrading the App-V Server from App-V 5.0 SP1 Hotfix Package 3 or later, complete the steps in section [Check registry keys after installing the App-V 5.0 SP3 Server](#bkmk-check-reg-key-svr).

      3. +
      4. Follow the steps in [How to Deploy the App-V 5.1 Server](how-to-deploy-the-app-v-51-server.md)

      5. +

         

        +

      Step 2: Upgrade the App-V Sequencer.
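
Review bot: step 2 of the new list in about-app-v-51.md still links to the in-page anchor `#bkmk-check-reg-key-svr` with the text "Check registry keys after installing the App-V 5.0 SP3 Server", while this same commit adds check-reg-key-svr.md, whose title and body say the values must be restored before installing the App-V 5.x Server. Point step 2 at `check-reg-key-svr.md` and reuse its title, so that a 5.1 upgrade is not told to run the check after the install, and confirm the anchor exists in this file if it stays. Two other targets in the hunk need checking. The SQL scripts row links `how-to-deploy-the-app-v-databases-by-using-sql-scripts.md`, whereas the 5.1 deployment topic added in this commit links `how-to-deploy-the-app-v-databases-by-using-sql-scripts51.md`. Step 3 links `how-to-deploy-the-app-v-51-server.md`, whereas the file added here is `how-to-deploy-the-app-v-51-server.1.md`.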

      @@ -174,7 +202,7 @@ App-V 5.1 packages are exactly the same as App-V 5.0 packages. There has been no ## What’s New in App-V 5.1 -These sections are for users who are already familiar with App-V and want to know what has changed in App-V 5.1. If you are not already familiar with App-V, you should start by reading [Planning for App-V 5.0](planning-for-app-v-50-rc.md). +These sections are for users who are already familiar with App-V and want to know what has changed in App-V 5.1. If you are not already familiar with App-V, you should start by reading [Planning for App-V 5.1](planning-for-app-v-51.md). ### App-V support for Windows 10 diff --git a/mdop/appv-v5/check-reg-key-svr.md b/mdop/appv-v5/check-reg-key-svr.md new file mode 100644 index 0000000000..40deca6793 --- /dev/null +++ b/mdop/appv-v5/check-reg-key-svr.md @@ -0,0 +1,238 @@ +--- +title: Check Registry Keys before installing App-V 5.x Server +description: Check Registry Keys before installing App-V 5.x Server +ms.assetid: +author: jamiejdt +--- + +# Check Registry Keys before installing App-V 5.x Server + +If you are upgrading the App-V Server from App-V 5.0 SP1 Hotfix Package 3 or later, complete the steps in this section before installing the App-V 5.x Server + + ++++ + + + + + + + + + + + + + + + + + + +

      When this step is required

      You are upgrading from App-V 5.0 SP1 with any subsequent Hotfix Packages that you installed by using an .msp file.

      Which components require that you do this step

      Only the App-V Server components that you are upgrading.

      When you need to do this step

      Before you upgrade the App-V Server to App-V 5.x

      What you need to do

      Using the information in the following tables, update each registry key value under HKLM\Software\Microsoft\AppV\Server with the value that you provided in your original server installation. Completing this step restores registry values that may have been removed when App-V 5.0 SP1 Hotfix Packages were installed.

      + +  + +**ManagementDatabase key** + +If you are installing the Management database, set these registry keys under `HKLM\Software\Microsoft\AppV\Server\ManagementDatabase`. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Key nameDescription

      IS_MANAGEMENT_DB_PUBLIC_ACCESS_ACCOUNT_REQUIRED

      Describes whether a public access account is required to access non-local management databases. Value is set to “1” if it is required.

      MANAGEMENT_DB_NAME

      Name of the Management database.

      MANAGEMENT_DB_PUBLIC_ACCESS_ACCOUNT

      Account used for read (public) access to the Management database.

      +

      Used when IS_MANAGEMENT_DB_PUBLIC_ACCESS_ACCOUNT_REQUIRED is set to 1.

      MANAGEMENT_DB_PUBLIC_ACCESS_ACCOUNT_SID

      Secure identifier (SID) of the account used for read (public) access to the Management database.

      +

      Used when IS_MANAGEMENT_DB_PUBLIC_ACCESS_ACCOUNT_REQUIRED is set to 1.

      MANAGEMENT_DB_SQL_INSTANCE

      SQL Server instance for the Management database.

      +

      If the value is blank, the default database instance is used.

      MANAGEMENT_DB_WRITE_ACCESS_ACCOUNT

      Account used for write (administrator) access to the Management database.

      MANAGEMENT_DB_WRITE_ACCESS_ACCOUNT_SID

      Secure identifier (SID) of the account used for write (administrator) access to the Management database.

      MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT

      Management server remote computer account (domain\account).

      MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT

      Installation administrator login for the Management server (domain\account).

      MANAGEMENT_SERVER_MACHINE_USE_LOCAL

      Valid values are:

      +
        +
      • 1 – the Management service is on the local computer, that is, MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT is blank.

      • +
      • 0 - the Management service is on a different computer from the local computer.

      • +
      + +  + +**ManagementService key** + +If you are installing the Management server, set these registry keys under `HKLM\Software\Microsoft\AppV\Server\ManagementService`. + + ++++ + + + + + + + + + + + + + + + + + + + + +
      Key nameDescription

      MANAGEMENT_ADMINACCOUNT

      Active Directory Domain Services (AD DS) group or account that is authorized to manage App-V (domain\account).

      MANAGEMENT_DB_SQL_INSTANCE

      SQL server instance that contains the Management database.

      +

      If the value is blank, the default database instance is used.

      MANAGEMENT_DB_SQL_SERVER_NAME

      Name of the remote SQL server with the Management database.

      +

      If the value is blank, the local computer is used.

      + +  + +**ReportingDatabase key** + +If you are installing the Reporting database, set these registry keys under `HKLM\Software\Microsoft\AppV\Server\ReportingDatabase`. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Key nameDescription

      IS_REPORTING_DB_PUBLIC_ACCESS_ACCOUNT_REQUIRED

      Describes whether a public access account is required to access non-local reporting databases. Value is set to “1” if it is required.

      REPORTING_DB_NAME

      Name of the Reporting database.

      REPORTING_DB_PUBLIC_ACCESS_ACCOUNT

      Account used for read (public) access to the Reporting database.

      +

      Used when IS_REPORTING_DB_PUBLIC_ACCESS_ACCOUNT_REQUIRED is set to 1.

      REPORTING_DB_PUBLIC_ACCESS_ACCOUNT_SID

      Secure identifier (SID) of the account used for read (public) access to the Reporting database.

      +

      Used when IS_REPORTING_DB_PUBLIC_ACCESS_ACCOUNT_REQUIRED is set to 1.

      REPORTING_DB_SQL_INSTANCE

      SQL Server instance for the Reporting database.

      +

      If the value is blank, the default database instance is used.

      REPORTING_DB_WRITE_ACCESS_ACCOUNT

      REPORTING_DB_WRITE_ACCESS_ACCOUNT_SID

      REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT

      Reporting server remote computer account (domain\account).

      REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT

      Installation administrator login for the Reporting server (domain\account).

      REPORTING_SERVER_MACHINE_USE_LOCAL

      Valid values are:

      +
        +
      • 1 – the Reporting service is on the local computer, that is, REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT is blank.

      • +
      • 0 - the Reporting service is on a different computer from the local computer.

      • +
      + +  + +**ReportingService key** + +If you are installing the Reporting server, set these registry keys under `HKLM\Software\Microsoft\AppV\Server\ReportingService`. + + ++++ + + + + + + + + + + + + + + + + +
      Key nameDescription

      REPORTING_DB_SQL_INSTANCE

      SQL Server instance for the Reporting database.

      +

      If the value is blank, the default database instance is used.

      REPORTING_DB_SQL_SERVER_NAME

      Name of the remote SQL server with the Reporting database.

      +

      If the value is blank, the local computer is used.
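
Review bot: in the ReportingDatabase table of the new check-reg-key-svr.md, `REPORTING_DB_WRITE_ACCESS_ACCOUNT` and `REPORTING_DB_WRITE_ACCESS_ACCOUNT_SID` have no description, although the matching `MANAGEMENT_DB_WRITE_ACCESS_ACCOUNT` rows do. Fill them in: an administrator restores these values by hand, and they name the account that gets write access to the database. Smaller points in the same file: the front matter has an empty `ms.assetid:`, "Secure identifier (SID)" should read "Security identifier (SID)", and the intro sentence has no closing period. The intro also scopes the step to "App-V 5.0 SP1 Hotfix Package 3 or later", while the first table row says "any subsequent Hotfix Packages that you installed by using an .msp file"; state one condition in both places.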

      + diff --git a/mdop/appv-v5/how-to-deploy-the-app-v-51-server.1.md b/mdop/appv-v5/how-to-deploy-the-app-v-51-server.1.md new file mode 100644 index 0000000000..e524980035 --- /dev/null +++ b/mdop/appv-v5/how-to-deploy-the-app-v-51-server.1.md @@ -0,0 +1,269 @@ +--- +title: How to Deploy the App-V 5.1 Server +description: How to Deploy the App-V 5.1 Server +ms.assetid: 4729beda-b98f-481b-ae74-ad71c59b1d69 +author: jamiejdt +--- + +# How to Deploy the App-V 5.1 Server + + +Use the following procedure to install the Microsoft Application Virtualization (App-V) 5.1 server. For information about deploying the App-V 5.1 Server, see [About App-V 5.1](about-app-v-51.md#bkmk-migrate-to-51). + +**Before you start:** + +- Ensure that you’ve installed prerequisite software. See [App-V 5.1 Prerequisites](app-v-51-prerequisites.md). + +- Review the server section of [App-V 5.1 Security Considerations](app-v-51-security-considerations.md). + +- Specify a port where each component will be hosted. + +- Add firewall rules to allow incoming requests to access the specified ports. + +- If you use SQL scripts, instead of the Windows Installer, to set up the Management database or Reporting database, you must run the SQL scripts before installing the Management Server or Reporting Server. See [How to Deploy the App-V Databases by Using SQL Scripts](how-to-deploy-the-app-v-databases-by-using-sql-scripts51.md). + +**To install the App-V 5.1 server** + +1. Copy the App-V 5.1 server installation files to the computer on which you want to install it. + +2. Start the App-V 5.1 server installation by right-clicking and running **appv\_server\_setup.exe** as an administrator, and then click **Install**. + +3. Review and accept the license terms, and choose whether to enable Microsoft updates. + +4. On the **Feature Selection** page, select all of the following components. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      ComponentDescription

      Management server

      Provides overall management functionality for the App-V infrastructure.

      Management database

      Facilitates database predeployments for App-V management.

      Publishing server

      Provides hosting and streaming functionality for virtual applications.

      Reporting server

      Provides App-V 5.1 reporting services.

      Reporting database

      Facilitates database predeployments for App-V reporting.

      + +   + +5. On the **Installation Location** page, accept the default location where the selected components will be installed, or change the location by typing a new path on the **Installation Location** line. + +6. On the initial **Create New Management Database** page, configure the **Microsoft SQL Server instance** and **Management Server database** by selecting the appropriate option below. + + + + + + + + + + + + + + + + + + + + + + +
      MethodWhat you need to do

      You are using a custom Microsoft SQL Server instance.

      Select Use the custom instance, and type the name of the instance.

      +

      Use the format INSTANCENAME. The assumed installation location is the local computer.

      +

      Not supported: A server name using the format ServerName\INSTANCE.

      You are using a custom database name.

      Select Custom configuration and type the database name.

      +

      The database name must be unique, or the installation will fail.

      + +   + +7. On the **Configure** page, accept the default value **Use this local computer**. + + **Note**   + If you are installing the Management server and Management database side by side, some options on this page are not available. In this case, the appropriate options are selected by default and cannot be changed. + +   + +8. On the initial **Create New Reporting Database** page, configure the **Microsoft SQL Server instance** and **Reporting Server database** by selecting the appropriate option below. + + + + + + + + + + + + + + + + + + + + + + +
      MethodWhat you need to do

      You are using a custom Microsoft SQL Server instance.

      Select Use the custom instance, and type the name of the instance.

      +

      Use the format INSTANCENAME. The assumed installation location is the local computer.

      +

      Not supported: A server name using the format ServerName\INSTANCE.

      You are using a custom database name.

      Select Custom configuration and type the database name.

      +

      The database name must be unique, or the installation will fail.

      + +   + +9. On the **Configure** page, accept the default value: **Use this local computer**. + + **Note**   + If you are installing the Management server and Management database side by side, some options on this page are not available. In this case, the appropriate options are selected by default and cannot be changed. + +   + +10. On the **Configure** (Management Server Configuration) page, specify the following: + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Item to configureDescription and examples

      Type the AD group with sufficient permissions to manage the App-V environment.

      Example: MyDomain\MyUser

      +

      After installation, you can add additional users or groups by using the Management console. However, global security groups and Active Directory Domain Services (AD DS) distribution groups are not supported. You must use Domain local or Universal groups are required to perform this action.

      Website name: Specify the custom name that will be used to run the publishing service.

      If you do not have a custom name, do not make any changes.

      Port binding: Specify a unique port number that will be used by App-V.

      Example: 12345

      +

      Ensure that the port specified is not being used by another website.

      + +   + +11. On the **Configure** **Publishing Server Configuration** page, specify the following: + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Item to configureDescription and examples

      Specify the URL for the management service.

      Example: http://localhost:12345

      Website name: Specify the custom name that will be used to run the publishing service.

      If you do not have a custom name, do not make any changes.

      Port binding: Specify a unique port number that will be used by App-V.

      Example: 54321

      +

      Ensure that the port specified is not being used by another website.

      + +   + +12. On the **Reporting Server** page, specify the following: + + + + + + + + + + + + + + + + + + + + + + +
      Item to configureDescription and examples

      Website name: Specify the custom name that will be used to run the Reporting Service.

      If you do not have a custom name, do not make any changes.

      Port binding: Specify a unique port number that will be used by App-V.

      Example: 55555

      +

      Ensure that the port specified is not being used by another website.

      + +   + +13. To start the installation, click **Install** on the **Ready** page, and then click **Close** on the **Finished** page. + +14. To verify that the setup completed successfully, open a web browser, and type the following URL: + + **http://<Management server machine name>:<Management service port number>/Console.html**. + + Example: **http://localhost:12345/console.html**. If the installation succeeded, the App-V Management console is displayed with no errors. + + **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + +## Related topics + + +[Deploying App-V 5.1](deploying-app-v-51.md) + +[How to Install the Management and Reporting Databases on Separate Computers from the Management and Reporting Services](how-to-install-the-management-and-reporting-databases-on-separate-computers-from-the-management-and-reporting-services51.md) + +[How to Install the Publishing Server on a Remote Computer](how-to-install-the-publishing-server-on-a-remote-computer51.md) + +[How to Deploy the App-V 5.1 Server Using a Script](how-to-deploy-the-app-v-51-server-using-a-script.md) + +  + +  + + + + + diff --git a/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md b/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md index 5e1395c0f0..64565f8e9c 100644 --- a/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md +++ b/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md 
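
Review bot: in how-to-deploy-the-app-v-51-server.1.md, the step 10 sentence "You must use Domain local or Universal groups are required to perform this action." is two sentences merged and needs rewording. The example given for the AD group field in that step is `MyDomain\MyUser`, a user rather than a group. The note under step 9, which follows the Reporting database page, repeats the step 7 text about "the Management server and Management database"; check whether it should name the Reporting server and Reporting database. The file name ends in `.1.md`, the TOC.md hunk in this commit does not add it, and about-app-v-51.md links `how-to-deploy-the-app-v-51-server.md`, so confirm this was meant as a new topic and not a stray copy of that one.
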
@@ -8,10 +8,11 @@ author: jamiejdt # Migrating to App-V 5.1 from a Previous Version -With Microsoft Application Virtualization (App-V) 5.1 you can migrate your existing App-V 4.6 infrastructure to the more flexible, integrated, and easier to manage App-V 5.1 infrastructure. +With Microsoft Application Virtualization (App-V) 5.1, you can migrate your existing App-V 4.6 or App-V 5.0 infrastructure to the more flexible, integrated, and easier to manage App-V 5.1 infrastructure. +However, you cannot migrate directly from App-V 4.x to App-V 5.1, you must migrate to App-V 5.0 first. For more information on migrating from App-V 4.x to App-V 5.0, see [Migrating from a Previous Version](migrating-from-a-previous-version-aap-v-50.md) **Note**   -App-V 5.1 packages are exactly the same as App-V 5.0 packages. There has been no change in the package format between the versions and so there is no need to convert App-V 5.0 packages to App-V 5.1 packages. +App-V 5.1 packages are exactly the same as App-V 5.0 packages. There has been no change in the package format between the versions and therefore, there is no need to convert App-V 5.0 packages to App-V 5.1 packages. For more information about the differences between App-V 4.6 and App-V 5.1, see the **Differences between App-4.6 and App-V 5.0 section** of [About App-V 5.0](about-app-v-50.md). From 88e61dee112546a85e5c2f3c26d9868c62c83308 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Sun, 1 May 2016 12:46:30 -0700 Subject: [PATCH 22/38] fixing link --- mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md b/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md index 64565f8e9c..0eb3ce6d09 100644 --- a/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md +++ b/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md 
@@ -9,7 +9,7 @@ author: jamiejdt With Microsoft Application Virtualization (App-V) 5.1, you can migrate your existing App-V 4.6 or App-V 5.0 infrastructure to the more flexible, integrated, and easier to manage App-V 5.1 infrastructure. -However, you cannot migrate directly from App-V 4.x to App-V 5.1, you must migrate to App-V 5.0 first. For more information on migrating from App-V 4.x to App-V 5.0, see [Migrating from a Previous Version](migrating-from-a-previous-version-aap-v-50.md) +However, you cannot migrate directly from App-V 4.x to App-V 5.1, you must migrate to App-V 5.0 first. For more information on migrating from App-V 4.x to App-V 5.0, see [Migrating from a Previous Version](migrating-from-a-previous-version-app-v-50.md) **Note**   App-V 5.1 packages are exactly the same as App-V 5.0 packages. There has been no change in the package format between the versions and therefore, there is no need to convert App-V 5.0 packages to App-V 5.1 packages. From 1a33b2e854ef71a98586519f2f6c3a240ead62c8 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Mon, 2 May 2016 09:26:19 -0700 Subject: [PATCH 23/38] testing broken link --- windows/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/index.md b/windows/index.md index 08ec4adaa7..33c6dfbb9f 100644 --- a/windows/index.md +++ b/windows/index.md @@ -14,7 +14,7 @@ This library provides the core content that IT pros need to evaluate, plan, depl ## In this library -[What's new in Windows 10](whats-new/index.md) +[What's new in Windows 10](whats-new/) [Plan for Windows 10 deployment](plan/index.md) From 9b7990442e9f7881a37393324430a15303514f69 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Mon, 2 May 2016 09:34:08 -0700 Subject: [PATCH 24/38] fixing other links --- windows/index.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/index.md b/windows/index.md index 33c6dfbb9f..51b64fe509 100644 --- a/windows/index.md +++ b/windows/index.md 
@@ -16,13 +16,13 @@ This library provides the core content that IT pros need to evaluate, plan, depl [What's new in Windows 10](whats-new/) -[Plan for Windows 10 deployment](plan/index.md) +[Plan for Windows 10 deployment](plan/) -[Deploy Windows 10](deploy/index.md) +[Deploy Windows 10](deploy/) -[Keep Windows 10 secure](keep-secure/index.md) +[Keep Windows 10 secure](keep-secure/) -[Manage and update Windows 10](manage/index.md) +[Manage and update Windows 10](manage/) ## Related topics From abe195ca4a01c1db48c794b6c2e74604fc94289c Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Mon, 2 May 2016 09:36:42 -0700 Subject: [PATCH 25/38] fixing links again --- windows/index.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/index.md b/windows/index.md index 51b64fe509..08ec4adaa7 100644 --- a/windows/index.md +++ b/windows/index.md @@ -14,15 +14,15 @@ This library provides the core content that IT pros need to evaluate, plan, depl ## In this library -[What's new in Windows 10](whats-new/) +[What's new in Windows 10](whats-new/index.md) -[Plan for Windows 10 deployment](plan/) +[Plan for Windows 10 deployment](plan/index.md) -[Deploy Windows 10](deploy/) +[Deploy Windows 10](deploy/index.md) -[Keep Windows 10 secure](keep-secure/) +[Keep Windows 10 secure](keep-secure/index.md) -[Manage and update Windows 10](manage/) +[Manage and update Windows 10](manage/index.md) ## Related topics From 86395d42ce7e14bf155d14a2f53b4fece06b07f0 Mon Sep 17 00:00:00 2001 From: Maggie Evans Date: Mon, 2 May 2016 10:59:59 -0700 Subject: [PATCH 26/38] Fixed spacing and other minor issues Fixed spacing and other minor issues --- ...aging-app-v-51-virtualized-applications.md | 91 +++++++++++++------ 1 file changed, 64 insertions(+), 27 deletions(-) diff --git a/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md b/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md index e694467f90..f69e1ea016 100644 
--- a/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md +++ b/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md @@ -14,7 +14,6 @@ After you have properly deployed the Microsoft Application Virtualization (App-V For more information about configuring the App-V 5.1 sequencer, sequencing best practices, and an example of creating and updating a virtual application, see the [Microsoft Application Virtualization 5.0 Sequencing Guide](http://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V 5.0 Sequencing Guide.docx).   - ## Sequencing an application @@ -28,9 +27,7 @@ You can use the App-V 5.1 Sequencer to perform the following tasks: **Note**   You must create shortcuts and save them to an available network location to allow roaming. If a shortcut is created and saved in a private location, the package must be published locally to the computer running the App-V 5.1 client. - -   - +  - Convert existing virtual packages. The sequencer uses the **%TMP% \\ Scratch** or **%TEMP% \\ Scratch** directory and the **Temp** directory to store temporary files during sequencing. On the computer that runs the sequencer, you should configure these directories with free disk space equivalent to the estimated application installation requirements. Configuring the temp directories and the Temp directory on different hard drive partitions can help improve performance during sequencing. 
@@ -48,18 +45,14 @@ When you use the sequencer to create a new virtual application, the following li - User configuration file. The user configuration file determines how the virtual application will run on target computers. **Important**   -You must configure the %TMP% and %TEMP% folders that the package converter uses to be a secure location and directory. A secure location is only accessible by an administrator. Additionally, when you sequence the package you should save the package to a location that is secure, or make sure that no other user is allowed to be logged in during the conversion and monitoring process. - -  +You must configure the %TMP% and %TEMP% folders that the package converter uses to be a secure location and directory. A secure location is only accessible by an administrator. Additionally, when you sequence the package you should save the package to a location that is secure, or make sure that no other user is allowed to be logged in during the conversion and monitoring process.  The **Options** dialog box in the sequencer console contains the following tabs: - **General**. Use this tab to enable Microsoft Updates to run during sequencing. Select **Append Package Version to Filename** to configure the sequence to add a version number to the virtualized package that is being sequenced. Select **Always trust the source of Package Accelerators** to create virtualized packages using a package accelerator without being prompted for authorization. **Important**   - Package Accelerators created using App-V 4.6 are not supported by App-V 5.1. - -   + Package Accelerators created using App-V 4.6 are not supported by App-V 5.1.   - **Parse Items**. This tab displays the associated file path locations that will be parsed or tokenized into in the virtual environment. Tokens are useful for adding files using the **Package Files** tab in **Advanced Editing**. 
@@ -136,7 +129,6 @@ The following table lists the supported shell extensions: -   ## Copy on Write (CoW) file extension support @@ -146,22 +138,67 @@ Copy on write (CoW) file extensions allow App-V 5.1 to dynamically write to spec The following table displays the file types that can exist in a virtual package under the VFS directory, but cannot be updated on the computer running the App-V 5.1 client. All other files and directories can be modified. - -File type ---------- -| .acm | .cnv | .hta | .msp | .sct | .ws | -| .asa | .com | .ime | .mst | .shb | .esc | -| .asp | .cpl | .inf | .mui | .shs | .wsf | -| .aspx| .cpx | .ins | .nls | .sys | .wsh | -| .ax | .crt | .isp | .ocx | .tlb | -| .bat | .dll | .its | .pal | .tsp | -| .cer | .drv | .js | .pcd | .url | -| .chm | .exe | .jse | .pif | .vb | -| .clb | .fon | .lnk | .reg | .vbe | -| .cmd | .grp | .msc | .scf | .vbs | -| .cnt | .hlp | .msi | .scr |. vsmacros | - - +| File type | +| --------- | +| .acm | +| .asa | +| .asp | +| .aspx | +| .ax | +| .bat | +| .cer | +| .chm | +| .clb | +| .cmd | +| .cnt | +| .cnv | +| .com | +| .cpl | +| .cpx | +| .crt | +| .dll | +| .drv | +| .exe | +| .fon | +| .grp | +| .hlp | +| .hta | +| .ime | +| .inf | +| .ins | +| .isp | +| .its | +| .js | +| .jse | +| .lnk | +| .msc | +| .msi | +| .msp | +| .mst | +| .mui | +| .nls | +| .ocx | +| .pal | +| .pcd | +| .pif | +| .reg | +| .scf | +| .scr | +| .sct | +| .shb | +| .shs | +| .sys | +| .tlb | +| .tsp | +| .url | +| .vb | +| .vbe | +| .vbs | +| .vsmacros | +| .ws | +| .esc | +| .wsf | +| .wsh | ## Modifying an existing virtual application package From a5556602650e56fb46a83a059a26eba7fa7d58eb Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Mon, 2 May 2016 11:06:55 -0700 Subject: [PATCH 27/38] Revert "fixing link" This reverts commit 88e61dee112546a85e5c2f3c26d9868c62c83308. --- mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md b/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md index 0eb3ce6d09..64565f8e9c 100644 --- a/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md +++ b/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md @@ -9,7 +9,7 @@ author: jamiejdt With Microsoft Application Virtualization (App-V) 5.1, you can migrate your existing App-V 4.6 or App-V 5.0 infrastructure to the more flexible, integrated, and easier to manage App-V 5.1 infrastructure. -However, you cannot migrate directly from App-V 4.x to App-V 5.1, you must migrate to App-V 5.0 first. For more information on migrating from App-V 4.x to App-V 5.0, see [Migrating from a Previous Version](migrating-from-a-previous-version-app-v-50.md) +However, you cannot migrate directly from App-V 4.x to App-V 5.1, you must migrate to App-V 5.0 first. For more information on migrating from App-V 4.x to App-V 5.0, see [Migrating from a Previous Version](migrating-from-a-previous-version-aap-v-50.md) **Note**   App-V 5.1 packages are exactly the same as App-V 5.0 packages. There has been no change in the package format between the versions and therefore, there is no need to convert App-V 5.0 packages to App-V 5.1 packages. From ac479adc79f356acc47a0a12885f1b6a8392b42e Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Mon, 2 May 2016 11:21:00 -0700 Subject: [PATCH 28/38] Revert "Migration fix" --- mdop/appv-v5/TOC.md | 1 - mdop/appv-v5/about-app-v-50-sp3.md | 2 +- mdop/appv-v5/about-app-v-51.md | 38 +-- mdop/appv-v5/check-reg-key-svr.md | 238 ---------------- .../how-to-deploy-the-app-v-51-server.1.md | 269 ------------------ ...ing-to-app-v-51-from-a-previous-version.md | 5 +- 6 files changed, 8 insertions(+), 545 deletions(-) delete mode 100644 mdop/appv-v5/check-reg-key-svr.md delete mode 100644 mdop/appv-v5/how-to-deploy-the-app-v-51-server.1.md 
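
Review bot: the link target restored on the `+` line of revert a5556602, `migrating-from-a-previous-version-aap-v-50.md`, looks misspelled. Commit 88e61dee had changed it to the `app-v-50` spelling, and about-app-v-51.md earlier in this series links the same topic as `migrating-from-a-previous-version-app-v-50.md`. The commit message gives no reason beyond "This reverts commit"; if the `aap` file name is intentional, say so there, otherwise keep the corrected target. The restored sentence also keeps a comma splice ("to App-V 5.1, you must migrate") and has no period after the link.
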
diff --git a/mdop/appv-v5/TOC.md b/mdop/appv-v5/TOC.md index 1a7c936696..2e81d5ad03 100644 --- a/mdop/appv-v5/TOC.md +++ b/mdop/appv-v5/TOC.md @@ -79,7 +79,6 @@ ##### [How to Access the Client Management Console 5.1](how-to-access-the-client-management-console51.md) ##### [How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server 5.1](how-to-configure-the-client-to-receive-package-and-connection-groups-updates-from-the-publishing-server-51.md) #### [Migrating to App-V 5.1 from a Previous Version](migrating-to-app-v-51-from-a-previous-version.md) -##### [Check Registry Keys before installing App-V 5.x Server](check-reg-key-svr.md) ##### [How to Convert a Package Created in a Previous Version of App-V 5.1](how-to-convert-a-package-created-in-a-previous-version-of-app-v51.md) ##### [How to Migrate Extension Points From an App-V 4.6 SP2 Package to a Converted App-V 5.1 Package for All Users on a Specific Computer](how-to-migrate-extension-points-from-an-app-v-46-sp2-package-to-a-converted-app-v-51-package-for-all-users-on-a-specific-computer.md) ##### [How to Migrate Extension Points From an App-V 4.6 SP2 Package to App-V 5.1 for a Specific User](how-to-migrate-extension-points-from-an-app-v-46-sp2-package-to-app-v-51-for-a-specific-user.md) diff --git a/mdop/appv-v5/about-app-v-50-sp3.md b/mdop/appv-v5/about-app-v-50-sp3.md index 84f1b27782..a4418a6430 100644 --- a/mdop/appv-v5/about-app-v-50-sp3.md +++ b/mdop/appv-v5/about-app-v-50-sp3.md @@ -197,7 +197,7 @@ Complete the following steps to upgrade each component of the App-V infrastructu

       

      -
    • If you are upgrading the App-V Server from App-V 5.0 SP1 Hotfix Package 3 or later, complete the steps in section [Check registry keys after installing the App-V 5.0 SP3 Server](#bkmk-check-reg-key-svr).

    • +
    • If you are upgrading the App-V Server from App-V SP1 Hotfix Package 3 or later, complete the steps in section [Check registry keys after installing the App-V 5.0 SP3 Server](#bkmk-check-reg-key-svr).

    • Follow the steps in [How to Deploy the App-V 5.0 Server](how-to-deploy-the-app-v-50-server-50sp3.md).
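Review bot: the added bullet in this about-app-v-50-sp3.md hunk (@@ -197,7 +197,7) drops the version number, reading "from App-V SP1 Hotfix Package 3 or later" where the removed line read "from App-V 5.0 SP1 Hotfix Package 3 or later". Without "5.0" the product version the hotfix applies to is ambiguous, and the linked section title on the same line still says "App-V 5.0 SP3 Server". Keep "App-V 5.0 SP1" on the added line unless the omission is deliberate.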

    • diff --git a/mdop/appv-v5/about-app-v-51.md b/mdop/appv-v5/about-app-v-51.md index 47d75bfb12..162630bae1 100644 --- a/mdop/appv-v5/about-app-v-51.md +++ b/mdop/appv-v5/about-app-v-51.md @@ -63,7 +63,7 @@ See the following links for the App-V 5.1 software prerequisites and supported c ## Migrating to App-V 5.1 -Use the following information to upgrade to App-V 5.1 from earlier versions. See [Migrating to App-V 5.1 from a Previous Version](migrating-to-app-v-51-from-a-previous-version.md) for more information. +Use the following information to upgrade to App-V 5.1 from earlier versions. See [Migrating from a Previous Version](migrating-from-a-previous-version-app-v-50.md) for more information. ### Before you start the upgrade @@ -90,7 +90,7 @@ Review the following information before you start the upgrade:
      Note   -

      Prior to App-V 5.0 SP2, the Client Management User Interface (UI) was provided with the App-V Client installation. For App-V 5.0 SP2 installations (or later), you can use the Client Management UI by downloading from [Application Virtualization 5.0 Client UI Application](http://www.microsoft.com/download/details.aspx?id=41186).

      +

      To use the App-V client user interface, download the existing version from [Application Virtualization 5.0 Client UI Application](http://www.microsoft.com/download/details.aspx?id=41186).

        @@ -98,7 +98,7 @@ Review the following information before you start the upgrade:

      Upgrading from App-V 4.x

      -

      You must first upgrade to App-V 5.0. You cannot upgrade directly from App-V 4.x to App-V 5.1. For more information, see:

      +

      For more information, see:

      • “Differences between App-V 4.6 and App-V 5.0” in [About App-V 5.0](about-app-v-50.md)

      • [Planning for Migrating from a Previous Version of App-V](planning-for-migrating-from-a-previous-version-of-app-v.md)
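Review bot: after this about-app-v-51.md hunk (@@ -98,7 +98,7) the "Upgrading from App-V 4.x" row contains only "For more information, see:" and two links, because the sentence "You must first upgrade to App-V 5.0. You cannot upgrade directly from App-V 4.x to App-V 5.1." is removed. The same patch also removes the equivalent sentence from migrating-to-app-v-51-from-a-previous-version.md, so none of the touched pages states the upgrade order any more. If the restriction still applies, keep the sentence in this row. If it does not, say so in the commit message, which currently gives no reason for the revert.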

      • @@ -147,35 +147,7 @@ Complete the following steps to upgrade each component of the App-V infrastructu
         
        -

        Follow these steps:

        -
          -
        1. Do one of the following, depending on the method you are using to upgrade the Management database and/or Reporting database:

          - ---- - - - - - - - - - - - - - - - - -
          Database upgrade methodStep

          Windows Installer

          Skip this step and go to step 2, “If you are upgrading the App-V Server...”

          SQL scripts

          Follow the steps in [How to Deploy the App-V Databases by Using SQL Scripts](how-to-deploy-the-app-v-databases-by-using-sql-scripts.md).

          -
        2. If you are upgrading the App-V Server from App-V 5.0 SP1 Hotfix Package 3 or later, complete the steps in section [Check registry keys after installing the App-V 5.0 SP3 Server](#bkmk-check-reg-key-svr).

        3. -
        4. Follow the steps in [How to Deploy the App-V 5.1 Server](how-to-deploy-the-app-v-51-server.md)

        5. -

           

          -
        +

        See [How to Deploy the App-V 5.0 Server](how-to-deploy-the-app-v-50-server-50sp3.md)

        Step 2: Upgrade the App-V Sequencer.
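Review bot: the single added line in this about-app-v-51.md hunk (@@ -147,35 +147,7) sends readers of the App-V 5.1 upgrade procedure to the 5.0 topic, `[How to Deploy the App-V 5.0 Server](how-to-deploy-the-app-v-50-server-50sp3.md)`, and it replaces the whole Step 1 procedure: the choice between Windows Installer and SQL scripts for the database upgrade, the registry key check for servers upgraded from App-V 5.0 SP1 Hotfix Package 3 or later, and the link to the 5.1 server deployment topic. The registry key topic check-reg-key-svr.md is deleted in the same patch, so that guidance is no longer reachable from this page. Please confirm the 5.0 link is intended for a 5.1 page, and add a period at the end of the added sentence.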

        @@ -202,7 +174,7 @@ App-V 5.1 packages are exactly the same as App-V 5.0 packages. There has been no ## What’s New in App-V 5.1 -These sections are for users who are already familiar with App-V and want to know what has changed in App-V 5.1. If you are not already familiar with App-V, you should start by reading [Planning for App-V 5.1](planning-for-app-v-51.md). +These sections are for users who are already familiar with App-V and want to know what has changed in App-V 5.1. If you are not already familiar with App-V, you should start by reading [Planning for App-V 5.0](planning-for-app-v-50-rc.md). ### App-V support for Windows 10 diff --git a/mdop/appv-v5/check-reg-key-svr.md b/mdop/appv-v5/check-reg-key-svr.md deleted file mode 100644 index 40deca6793..0000000000 --- a/mdop/appv-v5/check-reg-key-svr.md +++ /dev/null @@ -1,238 +0,0 @@ ---- -title: Check Registry Keys before installing App-V 5.x Server -description: Check Registry Keys before installing App-V 5.x Server -ms.assetid: -author: jamiejdt ---- - -# Check Registry Keys before installing App-V 5.x Server - -If you are upgrading the App-V Server from App-V 5.0 SP1 Hotfix Package 3 or later, complete the steps in this section before installing the App-V 5.x Server - - ---- - - - - - - - - - - - - - - - - - - -

        When this step is required

        You are upgrading from App-V 5.0 SP1 with any subsequent Hotfix Packages that you installed by using an .msp file.

        Which components require that you do this step

        Only the App-V Server components that you are upgrading.

        When you need to do this step

        Before you upgrade the App-V Server to App-V 5.x

        What you need to do

        Using the information in the following tables, update each registry key value under HKLM\Software\Microsoft\AppV\Server with the value that you provided in your original server installation. Completing this step restores registry values that may have been removed when App-V 5.0 SP1 Hotfix Packages were installed.

        - -  - -**ManagementDatabase key** - -If you are installing the Management database, set these registry keys under `HKLM\Software\Microsoft\AppV\Server\ManagementDatabase`. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        Key nameDescription

        IS_MANAGEMENT_DB_PUBLIC_ACCESS_ACCOUNT_REQUIRED

        Describes whether a public access account is required to access non-local management databases. Value is set to “1” if it is required.

        MANAGEMENT_DB_NAME

        Name of the Management database.

        MANAGEMENT_DB_PUBLIC_ACCESS_ACCOUNT

        Account used for read (public) access to the Management database.

        -

        Used when IS_MANAGEMENT_DB_PUBLIC_ACCESS_ACCOUNT_REQUIRED is set to 1.

        MANAGEMENT_DB_PUBLIC_ACCESS_ACCOUNT_SID

        Secure identifier (SID) of the account used for read (public) access to the Management database.

        -

        Used when IS_MANAGEMENT_DB_PUBLIC_ACCESS_ACCOUNT_REQUIRED is set to 1.

        MANAGEMENT_DB_SQL_INSTANCE

        SQL Server instance for the Management database.

        -

        If the value is blank, the default database instance is used.

        MANAGEMENT_DB_WRITE_ACCESS_ACCOUNT

        Account used for write (administrator) access to the Management database.

        MANAGEMENT_DB_WRITE_ACCESS_ACCOUNT_SID

        Secure identifier (SID) of the account used for write (administrator) access to the Management database.

        MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT

        Management server remote computer account (domain\account).

        MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT

        Installation administrator login for the Management server (domain\account).

        MANAGEMENT_SERVER_MACHINE_USE_LOCAL

        Valid values are:

        -
          -
        • 1 – the Management service is on the local computer, that is, MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT is blank.

        • -
        • 0 - the Management service is on a different computer from the local computer.

        • -
        - -  - -**ManagementService key** - -If you are installing the Management server, set these registry keys under `HKLM\Software\Microsoft\AppV\Server\ManagementService`. - - ---- - - - - - - - - - - - - - - - - - - - - -
        Key nameDescription

        MANAGEMENT_ADMINACCOUNT

        Active Directory Domain Services (AD DS) group or account that is authorized to manage App-V (domain\account).

        MANAGEMENT_DB_SQL_INSTANCE

        SQL server instance that contains the Management database.

        -

        If the value is blank, the default database instance is used.

        MANAGEMENT_DB_SQL_SERVER_NAME

        Name of the remote SQL server with the Management database.

        -

        If the value is blank, the local computer is used.

        - -  - -**ReportingDatabase key** - -If you are installing the Reporting database, set these registry keys under `HKLM\Software\Microsoft\AppV\Server\ReportingDatabase`. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        Key nameDescription

        IS_REPORTING_DB_PUBLIC_ACCESS_ACCOUNT_REQUIRED

        Describes whether a public access account is required to access non-local reporting databases. Value is set to “1” if it is required.

        REPORTING_DB_NAME

        Name of the Reporting database.

        REPORTING_DB_PUBLIC_ACCESS_ACCOUNT

        Account used for read (public) access to the Reporting database.

        -

        Used when IS_REPORTING_DB_PUBLIC_ACCESS_ACCOUNT_REQUIRED is set to 1.

        REPORTING_DB_PUBLIC_ACCESS_ACCOUNT_SID

        Secure identifier (SID) of the account used for read (public) access to the Reporting database.

        -

        Used when IS_REPORTING_DB_PUBLIC_ACCESS_ACCOUNT_REQUIRED is set to 1.

        REPORTING_DB_SQL_INSTANCE

        SQL Server instance for the Reporting database.

        -

        If the value is blank, the default database instance is used.

        REPORTING_DB_WRITE_ACCESS_ACCOUNT

        REPORTING_DB_WRITE_ACCESS_ACCOUNT_SID

        REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT

        Reporting server remote computer account (domain\account).

        REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT

        Installation administrator login for the Reporting server (domain\account).

        REPORTING_SERVER_MACHINE_USE_LOCAL

        Valid values are:

        -
          -
        • 1 – the Reporting service is on the local computer, that is, REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT is blank.

        • -
        • 0 - the Reporting service is on a different computer from the local computer.

        • -
        - -  - -**ReportingService key** - -If you are installing the Reporting server, set these registry keys under `HKLM\Software\Microsoft\AppV\Server\ReportingService`. - - ---- - - - - - - - - - - - - - - - - -
        Key nameDescription

        REPORTING_DB_SQL_INSTANCE

        SQL Server instance for the Reporting database.

        -

        If the value is blank, the default database instance is used.

        REPORTING_DB_SQL_SERVER_NAME

        Name of the remote SQL server with the Reporting database.

        -

        If the value is blank, the local computer is used.

        - diff --git a/mdop/appv-v5/how-to-deploy-the-app-v-51-server.1.md b/mdop/appv-v5/how-to-deploy-the-app-v-51-server.1.md deleted file mode 100644 index e524980035..0000000000 --- a/mdop/appv-v5/how-to-deploy-the-app-v-51-server.1.md +++ /dev/null @@ -1,269 +0,0 @@ ---- -title: How to Deploy the App-V 5.1 Server -description: How to Deploy the App-V 5.1 Server -ms.assetid: 4729beda-b98f-481b-ae74-ad71c59b1d69 -author: jamiejdt ---- - -# How to Deploy the App-V 5.1 Server - - -Use the following procedure to install the Microsoft Application Virtualization (App-V) 5.1 server. For information about deploying the App-V 5.1 Server, see [About App-V 5.1](about-app-v-51.md#bkmk-migrate-to-51). - -**Before you start:** - -- Ensure that you’ve installed prerequisite software. See [App-V 5.1 Prerequisites](app-v-51-prerequisites.md). - -- Review the server section of [App-V 5.1 Security Considerations](app-v-51-security-considerations.md). - -- Specify a port where each component will be hosted. - -- Add firewall rules to allow incoming requests to access the specified ports. - -- If you use SQL scripts, instead of the Windows Installer, to set up the Management database or Reporting database, you must run the SQL scripts before installing the Management Server or Reporting Server. See [How to Deploy the App-V Databases by Using SQL Scripts](how-to-deploy-the-app-v-databases-by-using-sql-scripts51.md). - -**To install the App-V 5.1 server** - -1. Copy the App-V 5.1 server installation files to the computer on which you want to install it. - -2. Start the App-V 5.1 server installation by right-clicking and running **appv\_server\_setup.exe** as an administrator, and then click **Install**. - -3. Review and accept the license terms, and choose whether to enable Microsoft updates. - -4. On the **Feature Selection** page, select all of the following components. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        ComponentDescription

        Management server

        Provides overall management functionality for the App-V infrastructure.

        Management database

        Facilitates database predeployments for App-V management.

        Publishing server

        Provides hosting and streaming functionality for virtual applications.

        Reporting server

        Provides App-V 5.1 reporting services.

        Reporting database

        Facilitates database predeployments for App-V reporting.

        - -   - -5. On the **Installation Location** page, accept the default location where the selected components will be installed, or change the location by typing a new path on the **Installation Location** line. - -6. On the initial **Create New Management Database** page, configure the **Microsoft SQL Server instance** and **Management Server database** by selecting the appropriate option below. - - - - - - - - - - - - - - - - - - - - - - -
        MethodWhat you need to do

        You are using a custom Microsoft SQL Server instance.

        Select Use the custom instance, and type the name of the instance.

        -

        Use the format INSTANCENAME. The assumed installation location is the local computer.

        -

        Not supported: A server name using the format ServerName\INSTANCE.

        You are using a custom database name.

        Select Custom configuration and type the database name.

        -

        The database name must be unique, or the installation will fail.

        - -   - -7. On the **Configure** page, accept the default value **Use this local computer**. - - **Note**   - If you are installing the Management server and Management database side by side, some options on this page are not available. In this case, the appropriate options are selected by default and cannot be changed. - -   - -8. On the initial **Create New Reporting Database** page, configure the **Microsoft SQL Server instance** and **Reporting Server database** by selecting the appropriate option below. - - - - - - - - - - - - - - - - - - - - - - -
        MethodWhat you need to do

        You are using a custom Microsoft SQL Server instance.

        Select Use the custom instance, and type the name of the instance.

        -

        Use the format INSTANCENAME. The assumed installation location is the local computer.

        -

        Not supported: A server name using the format ServerName\INSTANCE.

        You are using a custom database name.

        Select Custom configuration and type the database name.

        -

        The database name must be unique, or the installation will fail.

        - -   - -9. On the **Configure** page, accept the default value: **Use this local computer**. - - **Note**   - If you are installing the Management server and Management database side by side, some options on this page are not available. In this case, the appropriate options are selected by default and cannot be changed. - -   - -10. On the **Configure** (Management Server Configuration) page, specify the following: - - - - - - - - - - - - - - - - - - - - - - - - - - -
        Item to configureDescription and examples

        Type the AD group with sufficient permissions to manage the App-V environment.

        Example: MyDomain\MyUser

        -

        After installation, you can add additional users or groups by using the Management console. However, global security groups and Active Directory Domain Services (AD DS) distribution groups are not supported. You must use Domain local or Universal groups are required to perform this action.

        Website name: Specify the custom name that will be used to run the publishing service.

        If you do not have a custom name, do not make any changes.

        Port binding: Specify a unique port number that will be used by App-V.

        Example: 12345

        -

        Ensure that the port specified is not being used by another website.

        - -   - -11. On the **Configure** **Publishing Server Configuration** page, specify the following: - - - - - - - - - - - - - - - - - - - - - - - - - - -
        Item to configureDescription and examples

        Specify the URL for the management service.

        Example: http://localhost:12345

        Website name: Specify the custom name that will be used to run the publishing service.

        If you do not have a custom name, do not make any changes.

        Port binding: Specify a unique port number that will be used by App-V.

        Example: 54321

        -

        Ensure that the port specified is not being used by another website.

        - -   - -12. On the **Reporting Server** page, specify the following: - - - - - - - - - - - - - - - - - - - - - - -
        Item to configureDescription and examples

        Website name: Specify the custom name that will be used to run the Reporting Service.

        If you do not have a custom name, do not make any changes.

        Port binding: Specify a unique port number that will be used by App-V.

        Example: 55555

        -

        Ensure that the port specified is not being used by another website.

        - -   - -13. To start the installation, click **Install** on the **Ready** page, and then click **Close** on the **Finished** page. - -14. To verify that the setup completed successfully, open a web browser, and type the following URL: - - **http://<Management server machine name>:<Management service port number>/Console.html**. - - Example: **http://localhost:12345/console.html**. If the installation succeeded, the App-V Management console is displayed with no errors. - - **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). - -## Related topics - - -[Deploying App-V 5.1](deploying-app-v-51.md) - -[How to Install the Management and Reporting Databases on Separate Computers from the Management and Reporting Services](how-to-install-the-management-and-reporting-databases-on-separate-computers-from-the-management-and-reporting-services51.md) - -[How to Install the Publishing Server on a Remote Computer](how-to-install-the-publishing-server-on-a-remote-computer51.md) - -[How to Deploy the App-V 5.1 Server Using a Script](how-to-deploy-the-app-v-51-server-using-a-script.md) - -  - -  - - - - - diff --git a/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md b/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md index 64565f8e9c..5e1395c0f0 100644 --- a/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md +++ b/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md 
@@ -8,11 +8,10 @@ author: jamiejdt # Migrating to App-V 5.1 from a Previous Version -With Microsoft Application Virtualization (App-V) 5.1, you can migrate your existing App-V 4.6 or App-V 5.0 infrastructure to the more flexible, integrated, and easier to manage App-V 5.1 infrastructure. -However, you cannot migrate directly from App-V 4.x to App-V 5.1, you must migrate to App-V 5.0 first. For more information on migrating from App-V 4.x to App-V 5.0, see [Migrating from a Previous Version](migrating-from-a-previous-version-aap-v-50.md) +With Microsoft Application Virtualization (App-V) 5.1 you can migrate your existing App-V 4.6 infrastructure to the more flexible, integrated, and easier to manage App-V 5.1 infrastructure. **Note**   -App-V 5.1 packages are exactly the same as App-V 5.0 packages. There has been no change in the package format between the versions and therefore, there is no need to convert App-V 5.0 packages to App-V 5.1 packages. +App-V 5.1 packages are exactly the same as App-V 5.0 packages. There has been no change in the package format between the versions and so there is no need to convert App-V 5.0 packages to App-V 5.1 packages. For more information about the differences between App-V 4.6 and App-V 5.1, see the **Differences between App-4.6 and App-V 5.0 section** of [About App-V 5.0](about-app-v-50.md). From 59ec2be28637828cd589ee5fda5633cf4a5b9695 Mon Sep 17 00:00:00 2001 From: Maggie Evans Date: Mon, 2 May 2016 15:25:11 -0700 Subject: [PATCH 29/38] Fixed spacing, added multi-column table Fixed spacing, added multi-column table --- ...aging-app-v-51-virtualized-applications.md | 86 +++---------------- 1 file changed, 13 insertions(+), 73 deletions(-) diff --git a/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md b/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md index f69e1ea016..e48e9dd024 100644 --- a/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md 
+++ b/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md @@ -138,67 +138,19 @@ Copy on write (CoW) file extensions allow App-V 5.1 to dynamically write to spec The following table displays the file types that can exist in a virtual package under the VFS directory, but cannot be updated on the computer running the App-V 5.1 client. All other files and directories can be modified. -| File type | -| --------- | -| .acm | -| .asa | -| .asp | -| .aspx | -| .ax | -| .bat | -| .cer | -| .chm | -| .clb | -| .cmd | -| .cnt | -| .cnv | -| .com | -| .cpl | -| .cpx | -| .crt | -| .dll | -| .drv | -| .exe | -| .fon | -| .grp | -| .hlp | -| .hta | -| .ime | -| .inf | -| .ins | -| .isp | -| .its | -| .js | -| .jse | -| .lnk | -| .msc | -| .msi | -| .msp | -| .mst | -| .mui | -| .nls | -| .ocx | -| .pal | -| .pcd | -| .pif | -| .reg | -| .scf | -| .scr | -| .sct | -| .shb | -| .shs | -| .sys | -| .tlb | -| .tsp | -| .url | -| .vb | -| .vbe | -| .vbs | -| .vsmacros | -| .ws | -| .esc | -| .wsf | -| .wsh | +| File Type | | | | | | +|------------ |------------- |------------- |------------ |------------ |------------ | +| .acm | .asa | .asp | .aspx | .ax | .bat | +| .cer | .chm | .clb | .cmd | .cnt | .cnv | +| .com | .cpl | .cpx | .crt | .dll | .drv | +| .esc | .exe | .fon | .grp | .hlp | .hta | +| .ime | .inf | .ins | .isp | .its | .js | +| .jse | .lnk | .msc | .msi | .msp | .mst | +| .mui | .nls | .ocx | .pal | .pcd | .pif | +| .reg | .scf | .scr | .sct | .shb | .shs | +| .sys | .tlb | .tsp | .url | .vb | .vbe | +| .vbs | .vsmacros | .ws | .wsf | .wsh | | + ## Modifying an existing virtual application package 
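Review bot: the header row of the new table in this hunk (@@ -138,67 +138,19) labels only the first column, `| File Type | | | | | |`, leaving five empty header cells, so the table renders as six columns of which one is named and a reader or screen reader has no cue that it is a flat list wrapped row by row. Either keep a single "File type" column or state in the sentence above the table that the extensions are listed left to right. The capitalization also changes from "File type" to "File Type" without need. The content itself checks out: all 59 extensions from the removed single-column table are present, and `.esc` now sits in alphabetical position.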
@@ -249,21 +201,9 @@ The App-V 5.1 Sequencer can detect common sequencing issues during sequencing. T You can also find additional information about sequencing errors using the Windows Event Viewer. -## Got a suggestion for App-V? - - -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). ## Other resources for the App-V 5.1 sequencer - [Operations for App-V 5.1](operations-for-app-v-51.md) -  - -  - - - - - From 5b9cd8739a708413204795535d39bd480fda4f9d Mon Sep 17 00:00:00 2001 From: Maggie Evans Date: Mon, 2 May 2016 15:33:03 -0700 Subject: [PATCH 30/38] Update creating-and-managing-app-v-51-virtualized-applications.md --- .../creating-and-managing-app-v-51-virtualized-applications.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md b/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md index e48e9dd024..9dcd40a111 100644 --- a/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md +++ b/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md @@ -13,7 +13,6 @@ After you have properly deployed the Microsoft Application Virtualization (App-V **Note**   For more information about configuring the App-V 5.1 sequencer, sequencing best practices, and an example of creating and updating a virtual application, see the [Microsoft Application Virtualization 5.0 Sequencing Guide](http://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V 5.0 Sequencing Guide.docx). -  ## Sequencing an application 
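Review bot: the context line kept by this hunk (@@ -13,7 +13,6) links to the Sequencing Guide with a URL that contains unencoded spaces, `.../App-V 5.0 Sequencing Guide.docx`, which many Markdown renderers will not parse as a link destination. Since this patch is a formatting cleanup of that same Note, encode the spaces as `%20` here. The commit subject, "Update creating-and-managing-app-v-51-virtualized-applications.md", also does not say what changed; something like "remove stray non-breaking space lines" would make the history searchable.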
@@ -182,8 +181,6 @@ A template can specify and store multiple settings as follows: **Note**   Package accelerators created using a previous version of App-V must be recreated using App-V 5.1. -  - You can use App-V 5.1 package accelerators to automatically generate a new virtual application packages. After you have successfully created a package accelerator, you can reuse and share the package accelerator. In some situations, to create the package accelerator, you might have to install the application locally on the computer that runs the sequencer. In such cases, you should first try to create the package accelerator with the installation media. If multiple missing files are required, you should install the application locally to the computer that runs the sequencer, and then create the package accelerator. From df223dccfa6a5c1be8a7774149f6ca0249787353 Mon Sep 17 00:00:00 2001 From: Maggie Evans Date: Mon, 2 May 2016 15:35:07 -0700 Subject: [PATCH 31/38] Update creating-and-managing-app-v-51-virtualized-applications.md --- .../creating-and-managing-app-v-51-virtualized-applications.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md b/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md index 9dcd40a111..9d9109d788 100644 --- a/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md +++ b/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md @@ -128,11 +128,9 @@ The following table lists the supported shell extensions: -  ## Copy on Write (CoW) file extension support - Copy on write (CoW) file extensions allow App-V 5.1 to dynamically write to specific locations contained in the virtual package while it is being used. The following table displays the file types that can exist in a virtual package under the VFS directory, but cannot be updated on the computer running the App-V 5.1 client. All other files and directories can be modified. 
From 79300189127f7f2dd49db3a1139c1f69b18ebb7f Mon Sep 17 00:00:00 2001 From: coolriggs Date: Tue, 3 May 2016 14:58:13 -0700 Subject: [PATCH 32/38] update TPM page This includes the initial v1 of RS1 updates --- windows/keep-secure/tpm-recommendations.md | 32 ++++++++++++---------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/windows/keep-secure/tpm-recommendations.md b/windows/keep-secure/tpm-recommendations.md index 82168aa9c3..e157d7c38b 100644 --- a/windows/keep-secure/tpm-recommendations.md +++ b/windows/keep-secure/tpm-recommendations.md 
@@ -31,7 +31,15 @@ Trusted Platform Module (TPM) technology is designed to provide hardware-based, The most common TPM functions are used for system integrity measurements and for key creation and use. During the boot process of a system, the boot code that is loaded (including firmware and the operating system components) can be measured and recorded in the TPM. The integrity measurements can be used as evidence for how a system started and to make sure that a TPM-based key was used only when the correct software was used to boot the system. -Different versions of the TPM are defined in specifications by the Trusted Computing Group (TCG). +Traditionally, TPMs have been discrete chips soldered to a computer’s motherboard. Such implementations allow the computer’s original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Although discrete TPM implementations are still common, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips. + +TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform’s owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, however, a TPM must be provisioned. Windows 10 automatically provisions a TPM, but if the user reinstalls the operating system, he or she may need to tell the operating system to explicitly provision the TPM again before it can use all the TPM’s features. 
+ +The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards that support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). + +OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone cannot achieve. For example, software alone cannot reliably report whether malware is present during the system startup process. The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust—that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key truly cannot leave the TPM. + +The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs whereas others do not. 
**Note**   Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -65,7 +73,6 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in ## Discrete or firmware TPM? - Windows uses discrete and firmware TPM in the same way. Windows gains no functional advantage or disadvantage from either option. From a security standpoint, discrete and firmware share the same characteristics; 
@@ -77,20 +84,15 @@ From a security standpoint, discrete and firmware share the same characteristics For more info, see [fTPM: A Firmware-based TPM 2.0 Implementation](http://research.microsoft.com/apps/pubs/?id=258236). -## TPM 2.0 Compliance for Windows 10 in the future - - -All shipping devices for Windows 10 across all SKU types must be using TPM 2.0 discrete or firmware from **July 28, 2016**. This requirement will be enforced through our Windows Hardware Certification program. +## TPM 2.0 Compliance for Windows 10 ### Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) -- With Windows 10 as with Windows 8, all connected standby systems are required to include TPM 2.0 support. -- For Windows 10 and later, if a SoC is chosen that includes an integrated fTPM2.0, the device must ship with the fTPM FW support or a discrete TPM 1.2 or 2.0. -- Starting **July 28th, 2016** all devices shipping with Windows 10 desktop must implement TPM 2.0 and ship with the TPM enabled. +- As of July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7, https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx) ### Windows 10 Mobile -- All devices shipping with Windows 10 Mobile must implement TPM 2.0 and ship with the TPM enabled. +- All devices shipping with Windows 10 Mobile must implement TPM 2.0 and ship with the TPM 2.0 enabled. ### IoT Core @@ -102,7 +104,6 @@ All shipping devices for Windows 10 across all SKU types must be using TPM 2.0 d ## TPM and Windows Features - The following table defines which Windows features require TPM support. Some features are not applicable to Windows 7/8/8.1 and are noted accordingly. @@ -124,7 +125,7 @@ The following table defines which Windows features require TPM support. Some fea - + 
@@ -147,7 +148,7 @@ The following table defines which Windows features require TPM support. Some fea - + @@ -175,7 +176,7 @@ The following table defines which Windows features require TPM support. Some fea - + @@ -240,6 +241,7 @@ There are a variety of TPM manufacturers for both discrete and firmware. @@ -301,7 +303,7 @@ There are a variety of TPM manufacturers for both discrete and firmware. ### Certified TPM parts -Government customers and enterprise customers in regulated industries may have acquisition standards that require use of common certified TPM parts. As a result, OEMs, who provide the devices, may be required to use only certified TPM components on their commercial class systems. Discrete TPM 2.0 vendors have targeted completion of certification by the end of 2015. +Government customers and enterprise customers in regulated industries may have acquisition standards that require use of common certified TPM parts. As a result, OEMs, who provide the devices, may be required to use only certified TPM components on their commercial class systems. Discrete TPM 2.0 vendors have completion certification. ### Windows 7 32-bit support From ffddbb2d2c98d2533a222363aa5cb4bc52452681 Mon Sep 17 00:00:00 2001 From: coolriggs Date: Tue, 3 May 2016 15:20:52 -0700 Subject: [PATCH 33/38] minor tweaks throughout changes for RS1 --- windows/keep-secure/tpm-recommendations.md | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/windows/keep-secure/tpm-recommendations.md b/windows/keep-secure/tpm-recommendations.md index e157d7c38b..651ed1468f 100644 --- a/windows/keep-secure/tpm-recommendations.md +++ b/windows/keep-secure/tpm-recommendations.md 
@@ -49,11 +49,10 @@ Some information relates to pre-released product which may be substantially modi ## TPM 1.2 vs. 2.0 comparison -From an industry standard, Microsoft has been an industry leader in moving and standardizing on TPM 2.0. As indicated in the table below, TPM 2.0 has many key realized benefits across algorithms, crypto, hierarchy, root keys, authorization and NV RAM. +From an industry standard, Microsoft has been an industry leader in moving and standardizing on TPM 2.0, which has many key realized benefits across algorithms, crypto, hierarchy, root keys, authorization and NV RAM. ## Why TPM 2.0? - TPM 2.0 products and systems have important security advantages over TPM 1.2, including: - The TPM 1.2 spec only allows for the use of RSA and the SHA-1 hashing algorithm. 
@@ -84,11 +83,18 @@ From a security standpoint, discrete and firmware share the same characteristics For more info, see [fTPM: A Firmware-based TPM 2.0 Implementation](http://research.microsoft.com/apps/pubs/?id=258236). +## Is there any importance for TPM for consumer? +For end consumers, TPM is behind the scenes but still very relevant for Hello, Passport and in the future, many other key features in Windows 10. It offers the best Passport experience, helps encrypt passwords, secures streaming high quality 4K content and builds on our overall Windows 10 experience story for security as a critical pillar. Using Windows on a system with a TPM enables a deeper and broader level of security coverage. + ## TPM 2.0 Compliance for Windows 10 ### Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) - As of July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7, https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx) + +## Two implementation options: +• Discrete TPM chip as a separate discrete component +• Firmware TPM solution using Intel PTT (platform trust technology) or AMD ### Windows 10 Mobile @@ -276,11 +282,12 @@ There are a variety of TPM manufacturers for both discrete and firmware. From 7e2dcd3d1b626bf323b6f9c45c9040172ae9afe8 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Wed, 4 May 2016 08:01:21 -0700 Subject: [PATCH 34/38] 7431425 --- .../change-history-for-manage-and-update-windows-10.md | 5 +++++ .../set-up-a-kiosk-for-windows-10-for-desktop-editions.md | 4 +++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md index 18be77205f..8767cf30ff 100644 
--- a/windows/manage/change-history-for-manage-and-update-windows-10.md +++ b/windows/manage/change-history-for-manage-and-update-windows-10.md @@ -13,6 +13,11 @@ author: jdeckerMS This topic lists new and updated topics in the [Manage and update Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). +## May 2016 + +New or changed topic | Description | +---|---| +[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Corrected script for setting a custom shell using Shell Launcher | ## April 2016 diff --git a/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md index b88902b04f..55945ea84b 100644 --- a/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md +++ b/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md @@ -350,7 +350,9 @@ Modify the following PowerShell script as appropriate. The comments in the sampl $ShellLauncherClass.SetEnabled($TRUE) - “`nEnabled is set to “ + $DefaultShellObject.IsEnabled() + $IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() + + “`nEnabled is set to “ + $IsShellLauncherEnabled.Enabled # Remove the new custom shells. From 59634eee2127458a7a2c8a66d999b91447f27424 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 4 May 2016 09:21:39 -0700 Subject: [PATCH 35/38] cleaning up content --- ...-as-part-of-a-windows-deploymentmbam-25.md | 373 ++++-------------- 1 file changed, 73 insertions(+), 300 deletions(-) diff --git a/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md b/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md index 1924b4d39c..b2a620df28 100644 --- a/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md 
+++ b/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md @@ -50,275 +50,70 @@ This topic explains how to enable BitLocker on an end user's computer by using M - Robust error handling - You can download the `Invoke-MbamClientDeployment.ps1` script from [Microsoft.com Download Center](https://www.microsoft.com/download/details.aspx?id=48698). This is the main script that your deployment system will call to configure BitLocker drive encryption and record recovery keys with the MBAM Server. + You can download the `Invoke-MbamClientDeployment.ps1` script from [Microsoft.com Download Center](https://www.microsoft.com/download/details.aspx?id=48698). This is the main script that your deployment system will call to configure BitLocker drive encryption and record recovery keys with the MBAM Server. - **WMI deployment methods for MBAM:** The following WMI methods have been added in MBAM 2.5 SP1 to support enabling BitLocker by using the `Invoke-MbamClientDeployment.ps1` PowerShell script. + **WMI deployment methods for MBAM:** The following WMI methods have been added in MBAM 2.5 SP1 to support enabling BitLocker by using the `Invoke-MbamClientDeployment.ps1` PowerShell script. - **MBAM\_Machine WMI Class** - **PrepareTpmAndEscrowOwnerAuth:** Reads the TPM OwnerAuth and sends it to the MBAM recovery database by using the MBAM recovery service. If the TPM is not owned and auto-provisioning is not on, it generates a TPM OwnerAuth and takes ownership. If it fails, an error code is returned for troubleshooting. + **MBAM\_Machine WMI Class** + **PrepareTpmAndEscrowOwnerAuth:** Reads the TPM OwnerAuth and sends it to the MBAM recovery database by using the MBAM recovery service. If the TPM is not owned and auto-provisioning is not on, it generates a TPM OwnerAuth and takes ownership. If it fails, an error code is returned for troubleshooting. -
        Measure BootMeasured Boot Required Required Required
        Passport: MSA or Local Account n/aNot RequiredRequired Required TPM 2.0 is required with HMAC and EK certificate for key attestation support.
        Device Health Attestation n/aNot RequiredRequired Required
        • Infineon
        • Nuvoton
        • +
        • Atmel
        • NationZ
        • ST Micro
        Intel
          -
        • Clovertrail
        • -
        • Haswell
        • -
        • Broadwell
        • -
        • Skylake
        • +
        • Atom (CloverTrail)
        • Baytrail
        • +
        • 4th generation(Haswell)
        • +
        • 5th generation(Broadwell)
        • +
        • Braswell
        • +
        • Skylake
        - - - - - - - - - - - - - - - - -
        ParameterDescription

        RecoveryServiceEndPoint

        A string specifying the MBAM recovery service endpoint.

        +| Parameter | Description | +| -------- | ----------- | +| RecoveryServiceEndPoint | A string specifying the MBAM recovery service endpoint. | -   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        Common return valuesError message

        S_OK

        -

        0 (0x0)

        The method was successful

        MBAM_E_TPM_NOT_PRESENT

        -

        2147746304 (0x80040200)

        TPM is not present in the computer or is disabled in the BIOS configuration.

        MBAM_E_TPM_INCORRECT_STATE

        -

        2147746305 (0x80040201)

        TPM is not in the correct state (enabled, activated and owner installation allowed).

        MBAM_E_TPM_AUTO_PROVISIONING_PENDING

        -

        2147746306 (0x80040202)

        MBAM cannot take ownership of TPM because auto-provisioning is pending. Try again after auto-provisioning is completed.

        MBAM_E_TPM_OWNERAUTH_READFAIL

        -

        2147746307 (0x80040203)

        MBAM cannot read the TPM owner authorization value. The value might have been removed after a successful escrow. On Windows 7, MBAM cannot read the value if the TPM is owned by others.

        MBAM_E_REBOOT_REQUIRED

        -

        2147746308 (0x80040204)

        The computer must be restarted to set TPM to the correct state. You might need to manually reboot the computer.

        MBAM_E_SHUTDOWN_REQUIRED

        -

        2147746309 (0x80040205)

        The computer must be shut down and turned back on to set TPM to the correct state. You might need to manually reboot the computer.

        WS_E_ENDPOINT_ACCESS_DENIED

        -

        2151481349 (0x803D0005)

        Access was denied by the remote endpoint.

        WS_E_ENDPOINT_NOT_FOUND

        -

        2151481357 (0x803D000D)

        The remote endpoint does not exist or could not be located.

        WS_E_ENDPOINT_FAILURE

        -

        2151481357 (0x803D000F)

        The remote endpoint could not process the request.

        WS_E_ENDPOINT_UNREACHABLE

        -

        2151481360 (0x803D0010)

        The remote endpoint was not reachable.

        WS_E_ENDPOINT_FAULT_RECEIVED

        -

        2151481363 (0x803D0013)

        A message containing a fault was received from the remote endpoint. Make sure you are connecting to the correct service endpoint.

        WS_E_INVALID_ENDPOINT_URL

        -

        2151481376 (0x803D0020)

        The endpoint address URL is not valid. The URL must start with “http” or “https”.

        +| Common return values | Error message | +| -------------------- | ------------- | +| **S_OK**
        0 (0x0) | The method was successful. | +| **MBAM_E_TPM_NOT_PRESENT**
        2147746304 (0x80040200) | TPM is not present in the computer or is disabled in the BIOS configuration. | +| **MBAM_E_TPM_INCORRECT_STATE**
        2147746305 (0x80040201) | TPM is not in the correct state (enabled, activated and owner installation allowed). | +| **MBAM_E_TPM_AUTO_PROVISIONING_PENDING**
        2147746306 (0x80040202) | MBAM cannot take ownership of TPM because auto-provisioning is pending. Try again after auto-provisioning is completed. | +| **MBAM_E_TPM_OWNERAUTH_READFAIL**
        2147746307 (0x80040203) | MBAM cannot read the TPM owner authorization value. The value might have been removed after a successful escrow. On Windows 7, MBAM cannot read the value if the TPM is owned by others. | +| **MBAM_E_REBOOT_REQUIRED**
        2147746308 (0x80040204) | The computer must be restarted to set TPM to the correct state. You might need to manually reboot the computer. | +| **MBAM_E_SHUTDOWN_REQUIRED**
        2147746309 (0x80040205) | The computer must be shut down and turned back on to set TPM to the correct state. You might need to manually reboot the computer. | +| **WS_E_ENDPOINT_ACCESS_DENIED**
        2151481349 (0x803D0005) | Access was denied by the remote endpoint. | +| **WS_E_ENDPOINT_NOT_FOUND**
        2151481357 (0x803D000D) | The remote endpoint does not exist or could not be located. | +| **WS_E_ENDPOINT_FAILURE
        2151481357 (0x803D000F) | The remote endpoint could not process the request. | +| **WS_E_ENDPOINT_UNREACHABLE**
        2151481360 (0x803D0010) | The remote endpoint was not reachable. | +| **WS_E_ENDPOINT_FAULT_RECEIVED**
        2151481363 (0x803D0013) | A message containing a fault was received from the remote endpoint. Make sure you are connecting to the correct service endpoint. | +| **WS_E_INVALID_ENDPOINT_URL** 2151481376 (0x803D0020) | The endpoint address URL is not valid. The URL must start with “http” or “https”. | -   - - **ReportStatus:** Reads the compliance status of the volume and sends it to the MBAM compliance status database by using the MBAM status reporting service. The status includes cipher strength, protector type, protector state and encryption state. If it fails, an error code is returned for troubleshooting. - - - - - - - - - - - - - - - - - - -
        ParameterDescription

        ReportingServiceEndPoint

        A string specifying the MBAM status reporting service endpoint.

        - -   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        Common return valuesError message

        S_OK

        -

        0 (0x0)

        The method was successful

        WS_E_ENDPOINT_ACCESS_DENIED

        -

        2151481349 (0x803D0005)

        Access was denied by the remote endpoint.

        WS_E_ENDPOINT_NOT_FOUND

        -

        2151481357 (0x803D000D)

        The remote endpoint does not exist or could not be located.

        WS_E_ENDPOINT_FAILURE

        -

        2151481357 (0x803D000F)

        The remote endpoint could not process the request.

        WS_E_ENDPOINT_UNREACHABLE

        -

        2151481360 (0x803D0010)

        The remote endpoint was not reachable.

        WS_E_ENDPOINT_FAULT_RECEIVED

        -

        2151481363 (0x803D0013)

        A message containing a fault was received from the remote endpoint. Make sure you are connecting to the correct service endpoint.

        WS_E_INVALID_ENDPOINT_URL

        -

        2151481376 (0x803D0020)

        The endpoint address URL is not valid. The URL must start with “http” or “https”.

        - -   - - **MBAM\_Volume WMI Class** - **EscrowRecoveryKey:** Reads the recovery numerical password and key package of the volume and sends them to the MBAM recovery database by using the MBAM recovery service. If it fails, an error code is returned for troubleshooting. - - - - - - - - - - - - - - - - - - -
        ParameterDescription

        RecoveryServiceEndPoint

        A string specifying the MBAM recovery service endpoint.

        - -   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        Common return valuesError message

        S_OK

        -

        0 (0x0)

        The method was successful

        FVE_E_LOCKED_VOLUME

        -

        2150694912 (0x80310000)

        The volume is locked.

        FVE_E_PROTECTOR_NOT_FOUND

        -

        2150694963 (0x80310033)

        A Numerical Password protector was not found for the volume.

        WS_E_ENDPOINT_ACCESS_DENIED

        -

        2151481349 (0x803D0005)

        Access was denied by the remote endpoint.

        WS_E_ENDPOINT_NOT_FOUND

        -

        2151481357 (0x803D000D)

        The remote endpoint does not exist or could not be located.

        WS_E_ENDPOINT_FAILURE

        -

        2151481357 (0x803D000F)

        The remote endpoint could not process the request.

        WS_E_ENDPOINT_UNREACHABLE

        -

        2151481360 (0x803D0010)

        The remote endpoint was not reachable.

        WS_E_ENDPOINT_FAULT_RECEIVED

        -

        2151481363 (0x803D0013)

        A message containing a fault was received from the remote endpoint. Make sure you are connecting to the correct service endpoint.

        WS_E_INVALID_ENDPOINT_URL

        -

        2151481376 (0x803D0020)

        The endpoint address URL is not valid. The URL must start with “http” or “https”.

        + **ReportStatus:** Reads the compliance status of the volume and sends it to the MBAM compliance status database by using the MBAM status reporting service. The status includes cipher strength, protector type, protector state and encryption state. If it fails, an error code is returned for troubleshooting. + + | Parameter | Description | + | --------- | ----------- | + | ReportingServiceEndPoint | A string specifying the MBAM status reporting service endpoint. | + + + | Common return values | Error message | + | -------------------- | ------------- | + | **S_OK**
        0 (0x0) | The method was successful | + | **WS_E_ENDPOINT_ACCESS_DENIED**
        2151481349 (0x803D0005) | Access was denied by the remote endpoint.| + | **WS_E_ENDPOINT_NOT_FOUND**
        2151481357 (0x803D000D) | The remote endpoint does not exist or could not be located. | + | **WS_E_ENDPOINT_FAILURE**
        2151481357 (0x803D000F) | The remote endpoint could not process the request. | + | **WS_E_ENDPOINT_UNREACHABLE**
        2151481360 (0x803D0010) | The remote endpoint was not reachable. | + | **WS_E_ENDPOINT_FAULT_RECEIVED**
        2151481363 (0x803D0013) | A message containing a fault was received from the remote endpoint. Make sure you are connecting to the correct service endpoint. | + | **WS_E_INVALID_ENDPOINT_URL**
        2151481376 (0x803D0020) | The endpoint address URL is not valid. The URL must start with “http” or “https”. | + **MBAM\_Volume WMI Class** + **EscrowRecoveryKey:** Reads the recovery numerical password and key package of the volume and sends them to the MBAM recovery database by using the MBAM recovery service. If it fails, an error code is returned for troubleshooting. + + | Parameter | Description | + | --------- | ----------- | + | RecoveryServiceEndPoint | A string specifying the MBAM recovery service endpoint. | + + + | Common return values | Error message | + | -------------------- | ------------- | + | **S_OK**
        0 (0x0) | The method was successful | + | **FVE_E_LOCKED_VOLUME**
        2150694912 (0x80310000) | The volume is locked. | + | **FVE_E_PROTECTOR_NOT_FOUND**
        2150694963 (0x80310033) | A Numerical Password protector was not found for the volume. | + | **WS_E_ENDPOINT_ACCESS_DENIED**
        2151481349 (0x803D0005) | Access was denied by the remote endpoint. | + | **WS_E_ENDPOINT_NOT_FOUND**
        2151481357 (0x803D000D) | The remote endpoint does not exist or could not be located. | + | **WS_E_ENDPOINT_FAILURE**
        2151481357 (0x803D000F) | The remote endpoint could not process the request. | + | **WS_E_ENDPOINT_UNREACHABLE**
        2151481360 (0x803D0010) | The remote endpoint was not reachable. | + | **WS_E_ENDPOINT_FAULT_RECEIVED**
        2151481363 (0x803D0013) | A message containing a fault was received from the remote endpoint. Make sure you are connecting to the correct service endpoint. | + | **WS_E_INVALID_ENDPOINT_URL**
        2151481376 (0x803D0020) | The endpoint address URL is not valid. The URL must start with “http” or “https”. |   2. **Deploy MBAM by using Microsoft Deployment Toolkit (MDT) and PowerShell** @@ -328,13 +123,9 @@ This topic explains how to enable BitLocker on an end user's computer by using M **Note**   The `Invoke-MbamClientDeployment.ps1` PowerShell script can be used with any imaging process or tool. This section shows how to integrate it by using MDT, but the steps are similar to integrating it with any other process or tool. -   - **Caution**   If you are using BitLocker pre-provisioning (WinPE) and want to maintain the TPM owner authorization value, you must add the `SaveWinPETpmOwnerAuth.wsf` script in WinPE immediately before the installation reboots into the full operating system. **If you do not use this script, you will lose the TPM owner authorization value on reboot.** - -   - + 2. Copy `Invoke-MbamClientDeployment.ps1` to **<DeploymentShare>\\Scripts**. If you are using pre-provisioning, copy the `SaveWinPETpmOwnerAuth.wsf` file into **<DeploymentShare>\\Scripts**. 3. Add the MBAM 2.5 SP1 client application to the Applications node in the deployment share. 
@@ -467,46 +258,40 @@ This topic explains how to enable BitLocker on an end user's computer by using M **Caution**   This step describes how to modify the Windows registry. Using Registry Editor incorrectly can cause serious issues that can require you to reinstall Windows. We cannot guarantee that issues resulting from the incorrect use of Registry Editor can be resolved. Use Registry Editor at your own risk. -   - 1. Set the TPM for **Operating system only encryption**, run Regedit.exe, and then import the registry key template from C:\\Program Files\\Microsoft\\MDOP MBAM\\MBAMDeploymentKeyTemplate.reg. 2. In Regedit.exe, go to HKLM\\SOFTWARE\\Microsoft\\MBAM, and configure the settings that are listed in the following table. **Note**   You can set Group Policy settings or registry values related to MBAM here. These settings will override previously set values. + + Registry entry + Configuration settings -   + DeploymentTime - Registry entry + 0 = Off - Configuration settings + 1 = Use deployment time policy settings (default) – use this setting to enable encryption at the time Windows is deployed to the client computer. - DeploymentTime + UseKeyRecoveryService - 0 = Off + 0 = Do not use key escrow (the next two registry entries are not required in this case) - 1 = Use deployment time policy settings (default) – use this setting to enable encryption at the time Windows is deployed to the client computer. + 1 = Use key escrow in Key Recovery system (default) - UseKeyRecoveryService + This is the recommended setting, which enables MBAM to store the recovery keys. The computer must be able to communicate with the MBAM Key Recovery service. Verify that the computer can communicate with the service before you proceed. 
- 0 = Do not use key escrow (the next two registry entries are not required in this case) + KeyRecoveryOptions - 1 = Use key escrow in Key Recovery system (default) + 0 = Uploads Recovery Key only - This is the recommended setting, which enables MBAM to store the recovery keys. The computer must be able to communicate with the MBAM Key Recovery service. Verify that the computer can communicate with the service before you proceed. + 1 = Uploads Recovery Key and Key Recovery Package (default) - KeyRecoveryOptions + KeyRecoveryServiceEndPoint - 0 = Uploads Recovery Key only + Set this value to the URL for the server running the Key Recovery service, for example, http://<computer name>/MBAMRecoveryAndHardwareService/CoreService.svc. - 1 = Uploads Recovery Key and Key Recovery Package (default) - - KeyRecoveryServiceEndPoint - - Set this value to the URL for the server running the Key Recovery service, for example, http://<computer name>/MBAMRecoveryAndHardwareService/CoreService.svc. - -   6. The MBAM Client will restart the system during the MBAM Client deployment. When you are ready for this restart, run the following command at a command prompt as an administrator: @@ -522,20 +307,8 @@ This topic explains how to enable BitLocker on an end user's computer by using M 9. To delete the bypass registry values, run Regedit.exe, and go to the HKLM\\SOFTWARE\\Microsoft registry entry. Right-click the **MBAM** node, and then click **Delete**. - **Got a suggestion for MBAM**? Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). **Got a MBAM issue**? Use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopmbam). - ## Related topics - [Deploying the MBAM 2.5 Client](deploying-the-mbam-25-client.md) [Planning for MBAM 2.5 Client Deployment](planning-for-mbam-25-client-deployment.md) - -  - -  - - - - - 
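Review bot: in PATCH 32/38, hunk @@ -84,20 +84,15 @@ of tpm-recommendations.md, the new desktop-editions bullet says "a existing model" (should be "an existing model") and ends in a bare msdn.microsoft.com URL that contains "(v=vs.85)". Turn it into a named Markdown link so the parentheses cannot break rendering, and end the sentence with a period. The same hunk deletes the connected-standby and SoC fTPM bullets without saying whether those requirements still hold; either keep them or state that the July 28, 2016 rule supersedes them.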
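Review bot: in PATCH 32/38, hunk @@ -301,7 +303,7 @@ (Certified TPM parts), "Discrete TPM 2.0 vendors have completion certification" is not a grammatical sentence. It replaces "have targeted completion of certification by the end of 2015", so the intended wording is presumably "have completed certification". If that is the claim, name the certification or link to where certified parts are listed, because the paragraph is addressed to customers whose acquisition standards depend on it.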
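Review bot: in PATCH 33/38, hunk @@ -84,11 +83,18 @@, "## Two implementation options:" is added as a level-2 heading inside the "### Windows 10 for desktop editions" subsection, so the following "### Windows 10 Mobile" and "### IoT Core" headings end up nested under it in the outline. Make it plain text or a lower-level heading without the trailing colon, and use "-" list markers like the rest of the file instead of "•", which Markdown does not treat as a list. The second option ends at "or AMD" with no technology named, while the Intel half names PTT; complete it or drop the vendor names. The new heading "Is there any importance for TPM for consumer?" also needs rewording.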
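Review bot: in PATCH 34/38, the hunk in set-up-a-kiosk-for-windows-10-for-desktop-editions.md carries typographic quotation marks into the corrected script line: “`nEnabled is set to “ + $IsShellLauncherEnabled.Enabled uses the same left curly quote to open and to close the string. Since this commit exists to correct the sample, replace both with straight ASCII double quotes so the line survives copy and paste into any editor or encoding. The change-history entry could also say what was corrected (reading Enabled from the result of IsEnabled()) so readers who copied the old script know what to change.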
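Review bot: in PATCH 35/38, hunk @@ -50,275 +50,70 @@, the converted return-value tables keep a wrong decimal for WS_E_ENDPOINT_FAILURE: all three tables show 2151481357 (0x803D000F), which is the decimal already used one row up for WS_E_ENDPOINT_NOT_FOUND (0x803D000D). 0x803D000F is 2151481359. In the first table the same row opens bold with "**WS_E_ENDPOINT_FAILURE" and never closes it, and the last row puts "**WS_E_INVALID_ENDPOINT_URL** 2151481376 (0x803D0020)" on one line where every other row breaks after the name. The first pair of tables is also added at column 0 ("+| Parameter") while the later ones are indented under the list item ("+ | Parameter"), so the first pair will render outside step 1; indent them to match.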
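Review bot: in PATCH 35/38, hunk @@ -467,46 +258,40 @@, the KeyRecoveryServiceEndPoint example is still an http:// URL (http://<computer name>/MBAMRecoveryAndHardwareService/CoreService.svc), although this endpoint receives the recovery key and key package that the topic describes escrowing. The return-value tables in the same file already say the URL may start with "http" or "https", so show the https form in the example, or add a sentence on when plain http is acceptable. The registry entries and their values are also re-added as loose lines; check that the rendered page still pairs each entry (DeploymentTime, UseKeyRecoveryService, KeyRecoveryOptions, KeyRecoveryServiceEndPoint) with its settings.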
From 3b619cfb18fda8b83a32a4d366d6a08f4c28ffe7 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 4 May 2016 09:52:28 -0700 Subject: [PATCH 36/38] cleaning up content --- ...ker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md b/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md index b2a620df28..b9d94fab8e 100644 --- a/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md +++ b/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md @@ -61,6 +61,7 @@ This topic explains how to enable BitLocker on an end user's computer by using M | -------- | ----------- | | RecoveryServiceEndPoint | A string specifying the MBAM recovery service endpoint. | +Here are a list of common error messages: | Common return values | Error message | | -------------------- | ------------- | @@ -84,6 +85,7 @@ This topic explains how to enable BitLocker on an end user's computer by using M | --------- | ----------- | | ReportingServiceEndPoint | A string specifying the MBAM status reporting service endpoint. | + Here are a list of common error messages: | Common return values | Error message | | -------------------- | ------------- | @@ -102,6 +104,7 @@ This topic explains how to enable BitLocker on an end user's computer by using M | --------- | ----------- | | RecoveryServiceEndPoint | A string specifying the MBAM recovery service endpoint. | + Here are a list of common error messages: | Common return values | Error message | | -------------------- | ------------- | From c749eb36a5d49a6700db25c4dda4001b288ecd1e Mon Sep 17 00:00:00 2001 
From: Brian Lich Date: Wed, 4 May 2016 10:57:19 -0700 Subject: [PATCH 37/38] updating INF to remove SHA1 support --- .../keep-secure/bitlocker-how-to-enable-network-unlock.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md b/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md index 0ee061cb84..1c26ced248 100644 --- a/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md +++ b/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md @@ -196,7 +196,12 @@ To create a self-signed certificate, do the following: Exportable=true RequestType=Cert KeyUsage="CERT_KEY_ENCIPHERMENT_KEY_USAGE" + KeyUsageProperty="NCRYPT_ALLOW_DECRYPT_FLAG" KeyLength=2048 + Keyspec="AT_KEYEXCHANGE" + SMIME=FALSE + HashAlgorithm=sha512 + [Extensions] 1.3.6.1.4.1.311.21.10 = "{text}" From 37da37dc47360e34a77222d2d1fe7a8d71209108 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 4 May 2016 11:23:12 -0700 Subject: [PATCH 38/38] updating INF to remove SHA1 support --- .../bitlocker-how-to-enable-network-unlock.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md b/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md index 1c26ced248..20a2231f7e 100644 --- a/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md +++ b/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md @@ -196,12 +196,11 @@ To create a self-signed certificate, do the following: Exportable=true RequestType=Cert KeyUsage="CERT_KEY_ENCIPHERMENT_KEY_USAGE" - KeyUsageProperty="NCRYPT_ALLOW_DECRYPT_FLAG" + KeyUsageProperty="NCRYPT_ALLOW_DECRYPT_FLAG" KeyLength=2048 - Keyspec="AT_KEYEXCHANGE" - SMIME=FALSE - HashAlgorithm=sha512 - + Keyspec="AT_KEYEXCHANGE" + SMIME=FALSE + HashAlgorithm=sha512 [Extensions] 1.3.6.1.4.1.311.21.10 = "{text}"
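Review bot: in PATCH 36/38, all three hunks add "Here are a list of common error messages:", which should read "Here is a list". The tables it introduces are headed "Common return values" and start with S_OK, so "common return values and their messages" would describe them more accurately than "error messages". The first occurrence is added at column 0 while the other two are indented ("+Here are" versus "+ Here are"); use the same indentation as the table each sentence introduces so it stays inside the list item.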
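Review bot: in PATCH 37/38, the hunk at @@ -196,7 +196,12 @@ only adds lines, so the subject "updating INF to remove SHA1 support" does not describe it; what it does is set HashAlgorithm=sha512 explicitly, and the other three additions (KeyUsageProperty, Keyspec, SMIME) are unrelated to hashing and unexplained. Add a sentence to the surrounding procedure saying why each key is needed for the Network Unlock certificate. The added keys are also cased inconsistently with the existing ones: "Keyspec" next to "KeyUsage" and "KeyLength", and "SMIME=FALSE" next to "Exportable=true". Use "KeySpec" and one casing for the boolean values.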
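Review bot: in PATCH 38/38, the hunk at @@ -196,12 +196,11 @@ removes and re-adds KeyUsageProperty, Keyspec, SMIME and HashAlgorithm with identical text and drops the blank line before [Extensions], so it is a whitespace-only follow-up to PATCH 37/38 under the same subject line. Squash it into 37/38, or give it a subject that says it fixes indentation inside the INF code block, so the history shows one change to the certificate request template.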