diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
new file mode 100644
index 0000000000..78c7959ac0
--- /dev/null
+++ b/.openpublishing.redirection.json
@@ -0,0 +1,1094 @@
+{
+"redirections": [
+{
+"source_path": "windows/manage/cortana-at-work-scenario-7.md",
+"redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-7",
+"redirect_document_id": true
+},
+{
+"source_path": "devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md",
+"redirect_url": "/itpro/surface-hub/finishing-your-surface-hub-meeting",
+"redirect_document_id": true
+},
+{
+"source_path": "devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md",
+"redirect_url": "/itpro/surface-hub/provisioning-packages-for-surface-hub",
+"redirect_document_id": true
+},
+{
+"source_path": "devices/surface-hub/manage-settings-with-local-admin-account-surface-hub.md",
+"redirect_url": "/itpro/surface-hub/admin-group-management-for-surface-hub",
+"redirect_document_id": true
+},
+{
+"source_path": "devices/surface-hub/surface-hub-administrators-guide.md",
+"redirect_url": "/itpro/surface-hub/index",
+"redirect_document_id": true
+},
+{
+"source_path": "devices/surface-hub/intro-to-surface-hub.md",
+"redirect_url": "/itpro/surface-hub/index",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/manage/waas-quick-start.md",
+"redirect_url": "/itpro/windows/update/waas-quick-start",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/waas-overview.md",
+"redirect_url": "/itpro/windows/update/waas-overview",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/waas-servicing-strategy-windows-10-updates.md",
+"redirect_url": "/itpro/windows/update/waas-servicing-strategy-windows-10-updates",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/waas-deployment-rings-windows-10-updates.md",
+"redirect_url": "/itpro/windows/update/waas-deployment-rings-windows-10-updates",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/waas-servicing-branches-windows-10-updates.md",
+"redirect_url": "/itpro/windows/update/waas-servicing-branches-windows-10-updates",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/update-compliance-monitor.md",
+"redirect_url": "/itpro/windows/update/update-compliance-monitor",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/update-compliance-get-started.md",
+"redirect_url": "/itpro/windows/update/update-compliance-get-started",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/update-compliance-using.md",
+"redirect_url": "/itpro/windows/update/update-compliance-using",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/waas-optimize-windows-10-updates.md",
+"redirect_url": "/itpro/windows/update/waas-optimize-windows-10-updates",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/waas-delivery-optimization.md",
+"redirect_url": "/itpro/windows/update/waas-delivery-optimization",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/waas-branchcache.md",
+"redirect_url": "/itpro/windows/update/waas-branchcache",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/waas-mobile-updates.md",
+"redirect_url": "/itpro/windows/update/waas-mobile-updates",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/waas-manage-updates-wufb.md",
+"redirect_url": "/itpro/windows/update/waas-manage-updates-wufb",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/waas-configure-wufb.md",
+"redirect_url": "/itpro/windows/update/waas-configure-wufb",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/waas-integrate-wufb.md",
+"redirect_url": "/itpro/windows/update/waas-integrate-wufb",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/waas-wufb-group-policy.md",
+"redirect_url": "/itpro/windows/update/waas-wufb-group-policy",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/waas-wufb-intune.md",
+"redirect_url": "/itpro/windows/update/waas-wufb-intune.md",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/waas-manage-updates-wsus.md",
+"redirect_url": "/itpro/windows/update/waas-manage-updates-wsus",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/waas-manage-updates-configuration-manager.md",
+"redirect_url": "/itpro/windows/update/waas-manage-updates-configuration-manager",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/waas-restart.md",
+"redirect_url": "/itpro/windows/update/waas-restart",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/waas-update-windows-10.md",
+"redirect_url": "/itpro/windows/update/index",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/manage/configure-windows-telemetry-in-your-organization.md",
+"redirect_url": "/itpro/windows/configure/configure-windows-telemetry-in-your-organization",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md",
+"redirect_url": "/itpro/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/manage/set-up-a-device-for-anyone-to-use.md",
+"redirect_url": "/itpro/windows/configure/set-up-a-device-for-anyone-to-use",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md",
+"redirect_url": "/itpro/windows/configure/set-up-a-kiosk-for-windows-10-for-desktop-editions",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/guidelines-for-assigned-access-app.md",
+"redirect_url": "/itpro/windows/configure/guidelines-for-assigned-access-app",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/lock-down-windows-10-to-specific-apps.md",
+"redirect_url": "/itpro/windows/configure/lock-down-windows-10-to-specific-apps",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md",
+"redirect_url": "/itpro/windows/configure/set-up-a-kiosk-for-windows-10-for-mobile-edition",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/lockdown-xml.md",
+"redirect_url": "/itpro/windows/configure/lockdown-xml",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/settings-that-can-be-locked-down.md",
+"redirect_url": "/itpro/windows/configure/settings-that-can-be-locked-down",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/product-ids-in-windows-10-mobile.md",
+"redirect_url": "/itpro/windows/configure/product-ids-in-windows-10-mobile",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/manage-tips-and-suggestions.md",
+"redirect_url": "/itpro/windows/configure/manage-tips-and-suggestions",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/windows-10-start-layout-options-and-policies.md",
+"redirect_url": "/itpro/windows/configure/windows-10-start-layout-options-and-policies",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/configure-windows-10-taskbar.md",
+"redirect_url": "/itpro/windows/configure/configure-windows-10-taskbar",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/customize-and-export-start-layout.md",
+"redirect_url": "/itpro/windows/configure/customize-and-export-start-layout",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/start-layout-xml-desktop.md",
+"redirect_url": "/itpro/windows/configure/start-layout-xml-desktop",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/start-layout-xml-mobile.md",
+"redirect_url": "/itpro/windows/configure/start-layout-xml-mobile",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/customize-windows-10-start-screens-by-using-group-policy.md",
+"redirect_url": "/itpro/windows/configure/customize-windows-10-start-screens-by-using-group-policy",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md",
+"redirect_url": "/itpro/windows/configure/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md",
+"redirect_url": "/itpro/windows/configure/customize-windows-10-start-screens-by-using-mobile-device-management",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/cortana-at-work-testing-scenarios.md",
+"redirect_url": "/itpro/windows/configure/cortana-at-work-testing-scenarios",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/cortana-at-work-scenario-1.md",
+"redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-1",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/cortana-at-work-scenario-2.md",
+"redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-2",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/cortana-at-work-scenario-3.md",
+"redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-3",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/cortana-at-work-scenario-4.md",
+"redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-4",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/cortana-at-work-scenario-5.md",
+"redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-5",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/cortana-at-work-scenario-6.md",
+"redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-6",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/cortana-at-work-o365.md",
+"redirect_url": "/itpro/windows/configure/cortana-at-work-o365",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/cortana-at-work-crm.md",
+"redirect_url": "/itpro/windows/configure/cortana-at-work-crm",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/cortana-at-work-powerbi.md",
+"redirect_url": "/itpro/windows/configure/cortana-at-work-powerbi",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/cortana-at-work-voice-commands.md",
+"redirect_url": "/itpro/windows/configure/cortana-at-work-voice-commands",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/cortana-at-work-policy-settings.md",
+"redirect_url": "/itpro/windows/configure/cortana-at-work-policy-settings",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/cortana-at-work-feedback.md",
+"redirect_url": "/itpro/windows/configure/cortana-at-work-feedback",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/stop-employees-from-using-the-windows-store.md",
+"redirect_url": "/itpro/windows/configure/stop-employees-from-using-the-windows-store",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/configure-devices-without-mdm.md",
+"redirect_url": "/itpro/windows/configure/configure-devices-without-mdm",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/changes-to-start-policies-in-windows-10.md",
+"redirect_url": "/itpro/windows/configure/changes-to-start-policies-in-windows-10",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/how-it-pros-can-use-configuration-service-providers.md",
+"redirect_url": "/itpro/windows/configure/how-it-pros-can-use-configuration-service-providers",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/lock-down-windows-10.md",
+"redirect_url": "/itpro/windows/configure/index",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/manage-wifi-sense-in-enterprise.md",
+"redirect_url": "/itpro/windows/configure/manage-wifi-sense-in-enterprise",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/deploy/provisioning-packages.md",
+"redirect_url": "/itpro/windows/configure/provisioning-packages",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/deploy/provisioning-how-it-works.md",
+"redirect_url": "/itpro/windows/configure/provisioning-how-it-works",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/deploy/provisioning-install-icd.md",
+"redirect_url": "/itpro/windows/configure/provisioning-install-icd",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/deploy/provisioning-create-package.md",
+"redirect_url": "/itpro/windows/configure/provisioning-create-package",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/deploy/provisioning-apply-package.md",
+"redirect_url": "/itpro/windows/configure/provisioning-apply-package",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/deploy/provisioning-uninstall-package.md",
+"redirect_url": "/itpro/windows/configure/provisioning-uninstall-package",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/deploy/provision-pcs-for-initial-deployment.md",
+"redirect_url": "/itpro/windows/configure/provision-pcs-for-initial-deployment",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/deploy/provision-pcs-with-apps-and-certificates.md",
+"redirect_url": "/itpro/windows/configure/provision-pcs-with-apps",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/deploy/provisioning-script-to-install-app.md",
+"redirect_url": "/itpro/windows/configure/provisioning-script-to-install-app",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/deploy/provisioning-nfc.md",
+"redirect_url": "/itpro/windows/configure/provisioning-nfc",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/deploy/provisioning-command-line.md",
+"redirect_url": "/itpro/windows/configure/provisioning-command-line",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/deploy/provisioning-multivariant.md",
+"redirect_url": "/itpro/windows/configure/provisioning-multivariant",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/keep-secure/create-edp-policy-using-intune.md",
+"redirect_url": "/itpro/windows/keep-secure/create-wip-policy-using-intune",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/keep-secure/create-edp-policy-using-sccm.md",
+"redirect_url": "/itpro/windows/keep-secure/create-wip-policy-using-sccm",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/keep-secure/create-vpn-and-edp-policy-using-intune.md",
+"redirect_url": "/itpro/windows/keep-secure/create-vpn-and-wip-policy-using-intune",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/keep-secure/hello-enable-phone-signin.md",
+"redirect_url": "/itpro/windows/keep-secure/hello-identity-verification",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/keep-secure/deploy-edp-policy-using-intune.md",
+"redirect_url": "/itpro/windows/keep-secure/deploy-wip-policy-using-intune",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/keep-secure/guidance-and-best-practices-edp.md",
+"redirect_url": "/itpro/windows/keep-secure/guidance-and-best-practices-wip",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/keep-secure/overview-create-edp-policy.md",
+"redirect_url": "/itpro/windows/keep-secure/overview-create-wip-policy",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/keep-secure/protect-enterprise-data-using-edp.md",
+"redirect_url": "/itpro/windows/keep-secure/protect-enterprise-data-using-wip",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/keep-secure/testing-scenarios-for-edp.md",
+"redirect_url": "/itpro/windows/keep-secure/testing-scenarios-for-wip",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/keep-secure/wip-enterprise-overview.md",
+"redirect_url": "/itpro/windows/keep-secure/protect-enterprise-data-using-wip",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/keep-secure/enlightened-microsoft-apps-and-edp.md",
+"redirect_url": "/itpro/windows/keep-secure/enlightened-microsoft-apps-and-wip",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/deploy/update-windows-10-images-with-provisioning-packages.md",
+"redirect_url": "/itpro/windows/configure/provisioning-packages",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/deploy/upgrade-analytics-prepare-your-environment.md",
+"redirect_url": "/itpro/windows/deploy/upgrade-analytics-identify-apps",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/deploy/upgrade-analytics-release-notes.md",
+"redirect_url": "/itpro/windows/deploy/upgrade-analytics-requirements",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/deploy/upgrade-analytics-review-site-discovery.md",
+"redirect_url": "/itpro/windows/deploy/upgrade-analytics-additional-insights",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/keep-secure/additional-configuration-windows-advanced-threat-protection.md",
+"redirect_url": "/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md",
+"redirect_url": "https://technet.microsoft.com/library/jj635854.aspx",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md",
+"redirect_url": "/itpro/windows/keep-secure/device-guard-deployment-guide",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/keep-secure/device-guard-certification-and-compliance.md",
+"redirect_url": "/itpro/windows/keep-secure/device-guard-deployment-guide",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md",
+"redirect_url": "/itpro/windows/keep-secure/hello-enable-phone-signin",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md",
+"redirect_url": "/itpro/windows/keep-secure/device-guard-deployment-guide",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/keep-secure/implement-microsoft-passport-in-your-organization.md",
+"redirect_url": "/itpro/windows/keep-secure/hello-manage-in-organization",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/keep-secure/manage-identity-verification-using-microsoft-passport.md",
+"redirect_url": "/itpro/windows/keep-secure/hello-identity-verification",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/keep-secure/microsoft-passport-and-password-changes.md",
+"redirect_url": "/itpro/windows/keep-secure/hello-and-password-changes",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/keep-secure/microsoft-passport-errors-during-pin-creation.md",
+"redirect_url": "/itpro/windows/keep-secure/hello-errors-during-pin-creation",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/keep-secure/microsoft-passport-guide.md",
+"redirect_url": "/itpro/windows/keep-secure/hello-identity-verification",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/keep-secure/monitor-onboarding-windows-advanced-threat-protection.md",
+"redirect_url": "/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/keep-secure/passport-event-300.md",
+"redirect_url": "/itpro/windows/keep-secure/hello-event-300",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/keep-secure/prepare-people-to-use-microsoft-passport.md",
+"redirect_url": "/itpro/windows/keep-secure/hello-prepare-people-to-use",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/keep-secure/why-a-pin-is-better-than-a-password.md",
+"redirect_url": "/itpro/windows/keep-secure/hello-why-pin-is-better-than-password",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/keep-secure/windows-hello-in-enterprise.md",
+"redirect_url": "/itpro/windows/keep-secure/hello-biometrics-in-enterprise",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/app-inventory-managemement-windows-store-for-business.md",
+"redirect_url": "/itpro/windows/manage/app-inventory-management-windows-store-for-business",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/application-development-for-windows-as-a-service.md",
+"redirect_url": "https://msdn.microsoft.com/windows/uwp/get-started/application-development-for-windows-as-a-service",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/appv-accessibility.md",
+"redirect_url": "/itpro/windows/manage/appv-getting-started",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/appv-accessing-the-client-management-console.md",
+"redirect_url": "/itpro/windows/manage/appv-using-the-client-management-console",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/appv-install-the-appv-client-for-shared-content-store-mode.md",
+"redirect_url": "/itpro/windows/manage/appv-deploying-the-appv-sequencer-and-client",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/appv-modify-client-configuration-with-the-admx-template-and-group-policy.md",
+"redirect_url": "/itpro/windows/manage/appv-deploying-the-appv-sequencer-and-client",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/manage/appv-planning-for-migrating-from-a-previous-version-of-appv.md",
+"redirect_url": "/itpro/windows/manage/appv-migrating-to-appv-from-a-previous-version",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md",
+"redirect_url": "/itpro/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/disconnect-your-organization-from-microsoft.md",
+"redirect_url": "/itpro/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/manage/introduction-to-windows-10-servicing.md",
+"redirect_url": "/itpro/windows/update/index",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/manage-cortana-in-enterprise.md",
+"redirect_url": "/itpro/windows/configure/cortana-at-work-overview",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/manage-inventory-windows-store-for-business.md",
+"redirect_url": "/itpro/windows/manage/app-inventory-managemement-windows-store-for-business",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/uev-accessibility.md",
+"redirect_url": "/itpro/windows/manage/uev-for-windows",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/manage/uev-privacy-statement.md",
+"redirect_url": "/itpro/windows/manage/uev-security-considerations",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/plan/act-community-ratings-and-process.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/plan/act-database-configuration.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/act-database-migration.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/act-deployment-options.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/act-glossary.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/activating-and-closing-windows-in-acm.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/act-lps-share-permissions.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/act-operatingsystem-application-report.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/act-operatingsystem-computer-report.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/act-operatingsystem-device-report.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/act-product-and-documentation-resources.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/act-settings-dialog-box-preferences-tab.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/act-settings-dialog-box-settings-tab.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/act-toolbar-icons-in-acm.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/act-tools-packages-and-services.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/act-user-interface-reference.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/adding-or-editing-an-issue.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/adding-or-editing-a-solution.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/analyzing-your-compatibility-data.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/application-dialog-box.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/categorizing-your-compatibility-data.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/chromebook-migration-guide.md",
+"redirect_url": "edu/windows/chromebook-migration-guide",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/plan/common-compatibility-issues.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/compatibility-monitor-users-guide.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/computer-dialog-box.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/configuring-act.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/creating-and-editing-issues-and-solutions.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/creating-an-enterprise-environment-for-compatibility-testing.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/creating-an-inventory-collector-package.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/creating-a-runtime-analysis-package.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/customizing-your-report-views.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/data-sent-through-the-microsoft-compatibility-exchange.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/deciding-whether-to-fix-an-application-or-deploy-a-workaround.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/deciding-which-applications-to-test.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/deleting-a-data-collection-package.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/deploying-an-inventory-collector-package.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/deploying-a-runtime-analysis-package.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/deploy-windows-10-in-a-school.md",
+"redirect_url": "/edu/windows/deploy-windows-10-in-a-school",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/plan/example-filter-queries.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/exporting-a-data-collection-package.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/filtering-your-compatibility-data.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/fixing-compatibility-issues.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/identifying-computers-for-inventory-collection.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/integration-with-management-solutions-.md",
+"redirect_url": "/itpro/windows/update/waas-manage-updates-wufb",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/internet-explorer-web-site-report.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/labeling-data-in-acm.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/log-file-locations-for-data-collection-packages.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/managing-your-data-collection-packages.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/organizational-tasks-for-each-report-type.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/organizing-your-compatibility-data.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/prioritizing-your-compatibility-data.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/ratings-icons-in-acm.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/resolving-an-issue.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/saving-opening-and-exporting-reports.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/selecting-the-send-and-receive-status-for-an-application.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/selecting-your-compatibility-rating.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/selecting-your-deployment-status.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/sending-and-receiving-compatibility-data.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/settings-for-acm.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/setup-and-deployment.md",
+"redirect_url": "/itpro/windows/update/waas-manage-updates-wufb",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/software-requirements-for-act.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/software-requirements-for-rap.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/taking-inventory-of-your-organization.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/testing-compatibility-on-the-target-platform.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/troubleshooting-act.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/troubleshooting-act-database-issues.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/troubleshooting-the-act-configuration-wizard.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/troubleshooting-the-act-log-processing-service.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/using-act.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/using-compatibility-monitor-to-send-feedback.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/viewing-your-compatibility-reports.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/websiteurl-dialog-box.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/welcome-to-act.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/whats-new-in-act-60.md",
+"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/windows-10-guidance-for-education-environments.md",
+"redirect_url": "/edu/windows/index",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/plan/windows-10-servicing-options.md",
+"redirect_url": "/itpro/windows/update/waas-overview",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/plan/windows-update-for-business.md",
+"redirect_url": "/itpro/windows/update/waas-manage-updates-wufb",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/whats-new/applocker.md",
+"redirect_url": "/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/whats-new/bitlocker.md",
+"redirect_url": "/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/whats-new/change-history-for-what-s-new-in-windows-10.md",
+"redirect_url": "/itpro/windows/whats-new/index",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/whats-new/credential-guard.md",
+"redirect_url": "/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/whats-new/device-guard-overview.md",
+"redirect_url": "/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/whats-new/device-management.md",
+"redirect_url": "/itpro/windows/manage/manage-corporate-devices",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/whats-new/edge-ie11-whats-new-overview.md",
+"redirect_url": "/itpro/microsoft-edge/enterprise-guidance-using-microsoft-edge-and-ie11",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/whats-new/edp-whats-new-overview.md",
+"redirect_url": "/itpro/windows/keep-secure/protect-enterprise-data-using-wip",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/whats-new/lockdown-features-windows-10.md",
+"redirect_url": "/itpro/windows/configure/lockdown-features-windows-10",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/whats-new/microsoft-passport.md",
+"redirect_url": "/itpro/windows/keep-secure/hello-identity-verification",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/whats-new/new-provisioning-packages.md",
+"redirect_url": "/itpro/windows/configure/provisioning-packages",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/whats-new/security-auditing.md",
+"redirect_url": "/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/whats-new/trusted-platform-module.md",
+"redirect_url": "/itpro/windows/keep-secure/trusted-platform-module-overview",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/whats-new/user-account-control.md",
+"redirect_url": "/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/whats-new/windows-spotlight.md",
+"redirect_url": "/itpro/windows/configure/windows-spotlight",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/whats-new/windows-store-for-business-overview.md",
+"redirect_url": "/itpro/windows/manage/windows-store-for-business-overview",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/whats-new/windows-update-for-business.md",
+"redirect_url": "/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/keep-secure/windows-10-security-guide.md",
+"redirect_url": "/itpro/windows/keep-secure/overview-of-threat-mitigations-in-windows-10",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/whats-new/security.md",
+"redirect_url": "/itpro/windows/keep-secure/overview-of-threat-mitigations-in-windows-10",
+"redirect_document_id": false
+},
+]
+}
\ No newline at end of file
diff --git a/1.ps1 b/1.ps1
deleted file mode 100644
index 61aa825eeb..0000000000
--- a/1.ps1
+++ /dev/null
@@ -1,3 +0,0 @@
-git add .
-git commit -m "changes"
-git push -u origin vso-10788146
\ No newline at end of file
diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md
index b22ded8a4f..207acd7b9a 100644
--- a/browsers/edge/available-policies.md
+++ b/browsers/edge/available-policies.md @@ -60,7 +60,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you disable or don't configure this policy setting (default), it can be turned on and configured by the employee in the Clear browsing data options area, under Settings. ### Allow Developer Tools -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Description:** This policy setting lets you decide whether F12 Developer Tools are available on Microsoft Edge. - If you enable or don’t configure this setting (default), the F12 Developer Tools are available in Microsoft Edge. @@ -68,7 +68,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you disable this setting, the F12 Developer Tools aren’t available in Microsoft Edge. ### Allow Extensions -- **Supported versions:** Windows 10, Version 1607 or later +- **Supported versions:** Windows 10, version 1607 or later - **Description:** This policy setting lets you decide whether employees can use Edge Extensions. @@ -77,7 +77,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you disable this setting, employees can’t use Edge Extensions. ### Allow InPrivate browsing -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Description:** This policy setting lets you decide whether employees can browse using InPrivate website browsing. 
@@ -86,7 +86,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you disable this setting, employees can’t use InPrivate website browsing. ### Allow Microsoft Compatibility List -- **Supported versions:** Windows 10, Version 1607 or later +- **Supported versions:** Windows 10, version 1607 or later - **Description:** This policy setting lets you decide whether to use the Microsoft Compatibility List (a Microsoft-provided list that helps sites with known compatibility issues to display properly) in Microsoft Edge. By default, the Microsoft Compatibility List is enabled and can be viewed by visiting about:compat. @@ -172,7 +172,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you don’t configure this setting (default), employees can choose whether to send Do Not Track requests to websites asking for tracking info. ### Configure Favorites -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Description:** This policy setting lets you configure the default list of Favorites that appear for your employees. Employees can change their Favorites by adding or removing items at any time. @@ -214,7 +214,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you don’t configure this setting (default), employees can choose whether search suggestions appear in the Address bar of Microsoft Edge. ### Configure Start pages -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Description:** This policy setting lets you configure one or more Start pages, for domain-joined devices. Your employees won't be able to change this after you set it. 
@@ -282,7 +282,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you disable or don't configure this setting (default), employees can’t sync their favorites between Internet Explorer and Microsoft Edge. ### Prevent access to the about:flags page -- **Supported versions:** Windows 10, Version 1607 or later +- **Supported versions:** Windows 10, version 1607 or later - **Description:** This policy setting lets you decide whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features. @@ -291,7 +291,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you disable or don’t configure this setting (default), employees can access the about:flags page. ### Prevent bypassing Windows Defender SmartScreen prompts for files -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Description:** This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about downloading unverified files. @@ -300,7 +300,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you disable or don’t configure this setting (default), employees can ignore Windows Defender SmartScreen warnings and continue the download process. ### Prevent bypassing Windows Defender SmartScreen prompts for sites -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Description:** This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about potentially malicious websites. 
@@ -327,7 +327,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you disable or don't configure this setting (default), employees will see the First Run page when opening Microsoft Edge for the first time. ### Prevent using Localhost IP address for WebRTC -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Description:** This policy setting lets you decide whether an employee’s Localhost IP address shows while making calls using the WebRTC protocol. By default, this setting is turned off. @@ -362,7 +362,7 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A - If you don't configure this setting (default), the default search engine is set to the one specified in App settings. ### Show message when opening sites in Internet Explorer -- **Supported versions:** Windows 10, Version 1607 and later +- **Supported versions:** Windows 10, version 1607 and later - **Description:** This policy setting lets you decide whether employees see an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11. @@ -452,7 +452,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **2.** Blocks all cookies from all sites. ### AllowDeveloperTools -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Supported devices:** Desktop @@ -486,7 +486,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **1.** Employees can send Do Not Track headers to websites requesting tracking info. ### AllowExtensions -- **Supported versions:** Windows 10, Version 1607 and later +- **Supported versions:** Windows 10, version 1607 and later - **Supported devices:** Desktop 
@@ -537,7 +537,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **1 (default).** An employee must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content. ### AllowInPrivate -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Supported devices:** Both @@ -730,7 +730,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U >If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.

If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one. ### Favorites -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Supported devices:** Both @@ -752,7 +752,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U URLs must be on separate lines and aren't shared between Microsoft Edge and Internet Explorer 11. ### FirstRunURL -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Supported devices:** Mobile @@ -771,7 +771,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U ### HomePages -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Supported devices:** Desktop @@ -790,7 +790,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U ### PreventAccessToAboutFlagsInMicrosoftEdge -- **Supported versions:** Windows 10, Version 1607 and later +- **Supported versions:** Windows 10, version 1607 and later - **Supported devices:** Desktop @@ -841,7 +841,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **1.** Microsoft servers will not be contacted if a site is pinned to Start from Microsoft Edge. ### PreventSmartScreenPromptOverride -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Supported devices:** Both 
@@ -858,7 +858,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **1.** Turns on Windows Defender SmartScreen. ### PreventSmartScreenPromptOverrideForFiles -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Supported devices:** Both @@ -875,7 +875,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **1.** Stops employees from ignoring the Windows Defender SmartScreen warnings about unverified files. ### PreventUsingLocalHostIPAddressForWebRTC -- **Supported versions:** Windows 10, Version 1511 or later +- **Supported versions:** Windows 10, version 1511 or later - **Supported devices:** Desktop @@ -926,7 +926,7 @@ All devices must be enrolled with Intune if you want to use the Windows Custom U - **1.** Allows you to configure the default search engine for your employees. ### ShowMessageWhenOpeningInteretExplorerSites -- **Supported versions:** Windows 10, Version 1607 and later +- **Supported versions:** Windows 10, version 1607 and later - **Supported devices:** Desktop diff --git a/devices/hololens/hololens-provisioning.md b/devices/hololens/hololens-provisioning.md index c341d5ffb2..c077292864 100644 --- a/devices/hololens/hololens-provisioning.md +++ b/devices/hololens/hololens-provisioning.md @@ -9,7 +9,7 @@ author: jdeckerMS localizationpriority: medium --- -# Configure HoloLens using a provisioning package +# Configure HoloLens using a provisioning package test Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. The Windows Assessment and Deployment Kit (ADK) for Windows 10 includes the Imaging and Configuration Designer (ICD), a tool for configuring images and runtime settings which are then built into provisioning packages. diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md index a9cde81f15..5d807a4e97 100644 --- a/devices/surface-hub/TOC.md 
+++ b/devices/surface-hub/TOC.md 
@@ -1,42 +1,41 @@ # [Microsoft Surface Hub](index.md) -## [Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md) -### [Intro to Microsoft Surface Hub](intro-to-surface-hub.md) -### [Prepare your environment for Microsoft Surface Hub](prepare-your-environment-for-surface-hub.md) -#### [Physically install Microsoft Surface Hub](physically-install-your-surface-hub-device.md) -#### [Create and test a device account](create-and-test-a-device-account-surface-hub.md) -##### [Online deployment](online-deployment-surface-hub-device-accounts.md) -##### [On-premises deployment (single forest)](on-premises-deployment-surface-hub-device-accounts.md) -##### [On-premises deployment (multiple forests)](on-premises-deployment-surface-hub-multi-forest.md) -##### [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md) -##### [Create a device account using UI](create-a-device-account-using-office-365.md) -##### [Microsoft Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) -##### [Applying ActiveSync policies to device accounts](apply-activesync-policies-for-surface-hub-device-accounts.md) -##### [Password management](password-management-for-surface-hub-device-accounts.md) -#### [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) -#### [Admin group management](admin-group-management-for-surface-hub.md) -### [Set up Microsoft Surface Hub](set-up-your-surface-hub.md) -#### [Setup worksheet](setup-worksheet-surface-hub.md) -#### [First-run program](first-run-program-surface-hub.md) -### [Manage Microsoft Surface Hub](manage-surface-hub.md) -#### [Remote Surface Hub management](remote-surface-hub-management.md) -##### [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) -##### [Monitor your Surface Hub](monitor-surface-hub.md) -##### [Windows updates](manage-windows-updates-for-surface-hub.md) -#### [Manage Surface Hub 
settings](manage-surface-hub-settings.md) -##### [Local management for Surface Hub settings](local-management-surface-hub-settings.md) -##### [Accessibility](accessibility-surface-hub.md) -##### [Change the Surface Hub device account](change-surface-hub-device-account.md) -##### [Device reset](device-reset-surface-hub.md) -##### [Use fully qualified domain name with Surface Hub](use-fully-qualified-domain-name-surface-hub.md) -##### [Wireless network management](wireless-network-management-for-surface-hub.md) -#### [Install apps on your Surface Hub](install-apps-on-surface-hub.md) -#### [End a Surface Hub meeting with I'm Done](i-am-done-finishing-your-surface-hub-meeting.md) -#### [Save your BitLocker key](save-bitlocker-key-surface-hub.md) -#### [Connect other devices and display with Surface Hub](connect-and-display-with-surface-hub.md) -#### [Using a room control system](use-room-control-system-with-surface-hub.md) -### [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md) -### [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md) -## [Useful downloads for Surface Hub administrators](surface-hub-downloads.md) +## [What's new in Windows 10, version 1703 for Surface Hub?](surfacehub-whats-new-1703.md) ## [Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md) +## [Prepare your environment for Microsoft Surface Hub](prepare-your-environment-for-surface-hub.md) +### [Physically install Microsoft Surface Hub](physically-install-your-surface-hub-device.md) +### [Create and test a device account](create-and-test-a-device-account-surface-hub.md) +#### [Online deployment](online-deployment-surface-hub-device-accounts.md) +#### [On-premises deployment (single forest)](on-premises-deployment-surface-hub-device-accounts.md) +#### [On-premises deployment (multiple forests)](on-premises-deployment-surface-hub-multi-forest.md) +#### [Hybrid 
deployment](hybrid-deployment-surface-hub-device-accounts.md) +#### [Create a device account using UI](create-a-device-account-using-office-365.md) +#### [Microsoft Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) +#### [Applying ActiveSync policies to device accounts](apply-activesync-policies-for-surface-hub-device-accounts.md) +#### [Password management](password-management-for-surface-hub-device-accounts.md) +### [Create provisioning packages](provisioning-packages-for-surface-hub.md) +### [Admin group management](admin-group-management-for-surface-hub.md) +## [Set up Microsoft Surface Hub](set-up-your-surface-hub.md) +### [Setup worksheet](setup-worksheet-surface-hub.md) +### [First-run program](first-run-program-surface-hub.md) +## [Manage Microsoft Surface Hub](manage-surface-hub.md) +### [Remote Surface Hub management](remote-surface-hub-management.md) +#### [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) +#### [Monitor your Surface Hub](monitor-surface-hub.md) +#### [Windows updates](manage-windows-updates-for-surface-hub.md) +### [Manage Surface Hub settings](manage-surface-hub-settings.md) +#### [Local management for Surface Hub settings](local-management-surface-hub-settings.md) +#### [Accessibility](accessibility-surface-hub.md) +#### [Change the Surface Hub device account](change-surface-hub-device-account.md) +#### [Device reset](device-reset-surface-hub.md) +#### [Use fully qualified domain name with Surface Hub](use-fully-qualified-domain-name-surface-hub.md) +#### [Wireless network management](wireless-network-management-for-surface-hub.md) +### [Install apps on your Surface Hub](install-apps-on-surface-hub.md) +### [End a Surface Hub meeting with End session](i-am-done-finishing-your-surface-hub-meeting.md) +### [Save your BitLocker key](save-bitlocker-key-surface-hub.md) +### [Connect other devices and display with Surface Hub](connect-and-display-with-surface-hub.md) +### [Using a 
room control system](use-room-control-system-with-surface-hub.md) +## [PowerShell for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) ## [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md) +## [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md) +## [Useful downloads for Surface Hub administrators](surface-hub-downloads.md) ## [Change history for Surface Hub](change-history-surface-hub.md) \ No newline at end of file diff --git a/devices/surface-hub/accessibility-surface-hub.md b/devices/surface-hub/accessibility-surface-hub.md index 46348c087d..7ea46504e4 100644 --- a/devices/surface-hub/accessibility-surface-hub.md +++ b/devices/surface-hub/accessibility-surface-hub.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.pagetype: surfacehub ms.sitesec: library -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- @@ -30,7 +30,7 @@ The full list of accessibility settings are available to IT admins in the **Sett | Mouse | Defaults selected for **Pointer size**, **Pointer color** and **Mouse keys**. | | Other options | Defaults selected for **Visual options** and **Touch feedback**. | -Additionally, these accessibility features and apps are returned to default settings when users press [I'm Done](i-am-done-finishing-your-surface-hub-meeting.md): +Additionally, these accessibility features and apps are returned to default settings when users press [End session](finishing-your-surface-hub-meeting.md): - Narrator - Magnifier - High contrast diff --git a/devices/surface-hub/admin-group-management-for-surface-hub.md b/devices/surface-hub/admin-group-management-for-surface-hub.md index 7607199209..2abc8df009 100644 --- a/devices/surface-hub/admin-group-management-for-surface-hub.md +++ b/devices/surface-hub/admin-group-management-for-surface-hub.md 
@@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub, security -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- diff --git a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md index 76275e3ec8..b04dd91222 100644 --- a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md +++ b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md @@ -1,5 +1,5 @@ --- -title: Appendix PowerShell (Surface Hub) +title: PowerShell for Surface Hub (Surface Hub) description: PowerShell scripts to help set up and manage your Microsoft Surface Hub . ms.assetid: 3EF48F63-8E4C-4D74-ACD5-461F1C653784 keywords: PowerShell, set up Surface Hub, manage Surface Hub @@ -7,14 +7,14 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- -# Appendix: PowerShell (Surface Hub) +# PowerShell for Surface Hub -PowerShell scripts to help set up and manage your Microsoft Surface Hub . +PowerShell scripts to help set up and manage your Microsoft Surface Hub. - [PowerShell scripts for Surface Hub admins](#scripts-for-admins) - [Create an on-premise account](#create-on-premise-ps-scripts) 
@@ -43,7 +43,8 @@ What do you need in order to run the scripts? - Remote PowerShell access to your organization's domain or tenant, Exchange servers, and Skype for Business servers. - Admin credentials for your organization's domain or tenant, Exchange servers, and Skype for Business servers. ->**Note**  Whether you’re creating a new account or modifying an already-existing account, the validation script will verify that your device account is configured correctly. You should always run the validation script before adding a device account to Surface Hub. +>[!NOTE] +>Whether you’re creating a new account or modifying an already-existing account, the validation script will verify that your device account is configured correctly. You should always run the validation script before adding a device account to Surface Hub.   diff --git a/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md b/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md index f6cad56654..e49731d001 100644 --- a/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md +++ b/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md index 74ee57c2f5..d8d69bb450 100644 --- a/devices/surface-hub/change-history-surface-hub.md +++ b/devices/surface-hub/change-history-surface-hub.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- 
@@ -14,6 +14,10 @@ localizationpriority: medium This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md). +## RELEASE: Windows 10, version 1703 + +The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). + ## February 2017 | New or changed topic | Description | diff --git a/devices/surface-hub/change-surface-hub-device-account.md b/devices/surface-hub/change-surface-hub-device-account.md index 6dc6bf7016..2ad7a30571 100644 --- a/devices/surface-hub/change-surface-hub-device-account.md +++ b/devices/surface-hub/change-surface-hub-device-account.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- diff --git a/devices/surface-hub/create-a-device-account-using-office-365.md b/devices/surface-hub/create-a-device-account-using-office-365.md index 914b6136e6..b6719175f5 100644 --- a/devices/surface-hub/create-a-device-account-using-office-365.md +++ b/devices/surface-hub/create-a-device-account-using-office-365.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- diff --git a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md index 9930a748e3..5c6ab373e5 100644 --- a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md +++ b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- diff --git a/devices/surface-hub/device-reset-surface-hub.md b/devices/surface-hub/device-reset-surface-hub.md index f2cb38c5f2..0d070c1ae5 100644 
--- a/devices/surface-hub/device-reset-surface-hub.md
+++ b/devices/surface-hub/device-reset-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
 
@@ -49,21 +49,49 @@ If you see a blank screen for long periods of time during the **Reset device** p ![Image showing Update & Security group in Settings app for Surface Hub.](images/sh-settings-update-security.png) -3. Click **Recovery**, and then click **Get started**. +3. Click **Recovery**, and then, under **Reset device**, click **Get started**. ![Image showing Reset device option in Settings app for Surface Hub.](images/sh-settings-reset-device.png) -## Reset a Surface Hub from Windows Recovery Environment + +## Recover a Surface Hub from the cloud -On rare occasions, a Surface Hub may encounter an error while cleaning up user and app data at the end of a session. When this happens, the device will automatically reboot and try again. But if this operation fails repeatedly, the device will be automatically locked to protect user data. To unlock it, you must reset the device from [Windows Recovery Environment](https://technet.microsoft.com/library/cc765966.aspx) (Windows RE). +In the Windows Recovery Environment (Windows RE), you can recover your device by downloading a factory build from the cloud and installing it on the Surface Hub. This allows devices in an unusable state to recover without requiring assistance from Microsoft Support. -**To reset a Surface Hub from Windows Recovery Environment** +### Recover a Surface Hub in a bad state + +If the device account gets into an unstable state or the Admin account is running into issues, you can use cloud recovery in **Settings**. You should only use cloud recovery when [reset](#reset-a-surface-hub-from-settings) doesn't fix the problem. + +1. On your Surface Hub, go to **Settings** > **Update & security** > **Recovery**. + +2. Under **Recover from the cloud**, click **Restart now**. + + ![recover from the cloud](images/recover-from-the-cloud.png) + +### Recover a locked Surface Hub + +On rare occasions, a Surface Hub may encounter an error while cleaning up user and app data at the end of a session. 
When this happens, the device will automatically reboot and try again. But if this operation fails repeatedly, the device will be automatically locked to protect user data. To unlock it, you must reset or recover the device from [Windows RE](https://technet.microsoft.com/library/cc765966.aspx). 1. From the welcome screen, toggle the Surface Hub's power switch 3 times. Wait a few seconds between each toggle. See the [Surface Hub Site Readiness Guide](https://www.microsoft.com/surface/support/surface-hub/surface-hub-site-readiness-guide) for help with locating the power switch. -2. The device should automatically boot into Windows RE. Select **Advanced Repair**. -3. Select **Reset**. -4. If prompted, enter your device's BitLocker key. +2. The device should automatically boot into Windows RE. +3. After the Surface Hub enters Windows RE, select **Recover from the cloud**. (Optionally, you can choose **Reset**, however **Recover from the cloud** is the recommended approach.) + >[!NOTE] + >When using **Recover from the cloud**, an ethernet connection is recommended. + + ![Recover from the cloud](images/recover-from-cloud.png) + +4. Enter the Bitlocker key (if prompted). +5. When prompted, select **Reinstall**. + ![Reinstall](images/reinstall.png) + +6. Select **Yes** to repartition the disk. + + ![Repartition](images/repartition.png) + +Reset will begin after the image is downloaded from the cloud. You will see progress indicators. + +![downloading 97&](images/recover-progress.png) ## Related topics diff --git a/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md index 73557c1f2c..e6d812ea78 100644 --- a/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md +++ b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md 
@@ -33,7 +33,7 @@ Surface Hub doesn't have a lock screen or a screen saver, but it has a similar f Surface Hub is designed to be used in communal spaces, such as meeting rooms. Unlike Windows PCs, anyone can walk up and use a Surface Hub without logging on. The system always runs as a local, auto logged-in, low-privilege user. It doesn't support logging in any additional users - including admin users. > [!NOTE] -> Surface Hub supports signing in to Microsoft Edge and other apps. However, these credentials are deleted when users press **I'm done**. +> Surface Hub supports signing in to Microsoft Edge and other apps. However, these credentials are deleted when users press **End session**. *Organization policies that this may affect:*
Generally, Surface Hub uses lockdown features rather than user access control to enforce security. Policies related to password requirements, interactive logon, user accounts, and access control don't apply for Surface Hub. @@ -46,7 +46,7 @@ Users have access to a limited set of directories on the Surface Hub: - Pictures - Downloads -Files saved locally in these directories are deleted when users press **I'm done**. To save content created during a meeting, users should save files to a USB drive or to OneDrive. +Files saved locally in these directories are deleted when users press **End session**. To save content created during a meeting, users should save files to a USB drive or to OneDrive. *Organization policies that this may affect:*
Policies related to access permissions and ownership of files and folders don't apply for Surface Hub. Users can't browse and save files to system directories and network folders. diff --git a/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md b/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md index 3e9df023a1..527eaf6198 100644 --- a/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md +++ b/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- diff --git a/devices/surface-hub/finishing-your-surface-hub-meeting.md b/devices/surface-hub/finishing-your-surface-hub-meeting.md new file mode 100644 index 0000000000..8733038060 --- /dev/null +++ b/devices/surface-hub/finishing-your-surface-hub-meeting.md 
@@ -0,0 +1,92 @@ +--- +title: End session - ending a Surface Hub meeting +description: To end a Surface Hub meeting, tap End session. Surface Hub cleans up the application state, operating system state, and the user interface so that Surface Hub is ready for the next meeting. +keywords: I am Done, end Surface Hub meeting, finish Surface Hub meeting, clean up Surface Hub meeting +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: surfacehub +author: jdeckerMS +localizationpriority: medium +--- + +# End a Surface Hub meeting with End session +Surface Hub is a collaboration device designed to be used in meeting spaces by different groups of people. At the end of a meeting, users can tap **End session** to clean up any sensitive data and prepare the device for the next meeting. Surface Hub will clean up, or reset, the following states: +- Applications +- Operating system +- User interface + +This topic explains what **End session** resets for each of these states. + +## Applications +When you start apps on Surface Hub, they are stored in memory and data is stored at the application level. Data is available to all users during that session (or meeting) until date is removed or overwritten. When **End session** is selected, Surface Hub application state is cleared out by closing applications, deleting browser history, resetting applications, and removing Skype logs. + +### Close applications +Surface Hub closes all visible windows, including Win32 and Universal Windows Platform (UWP) applications. The application close stage uses the multitasking view to query the visible windows. Win32 windows that do not close within a certain timeframe are closed using **TerminateProcess**. + +### Delete browser history +Surface Hub uses Delete Browser History (DBH) in Edge to clear Edge history and cached data. 
This is similar to how a user can clear out their browser history manually, but **End session** also ensures that application states are cleared and data is removed before the next session, or meeting, starts. + +### Reset applications +**End session** resets the state of each application that is installed on the Surface Hub. Resetting an application clears all background tasks, application data, notifications, and user consent dialogs. Applications are returned to their first-run state for the next people that use Surface Hub. + +### Remove Skype logs +Skype does not store personally-identifiable information on Surface Hub. Information is stored in the Skype service to meet existing Skype for Business guidance. Local Skype logging information is the only data removed when **End session** is selected. This includes Unified Communications Client Platform (UCCP) logs and media logs. + +## Operating System +The operating system hosts a variety of information about the state of the sessions that needs to be cleared after each Surface Hub meeting. + +### File System +Meeting attendees have access to a limited set of directories on the Surface Hub. When **End session** is selected, Surface Hub clears these directories:
+- Music +- Videos +- Documents +- Pictures +- Downloads + +Surface Hub also clears these directories, since many applications often write to them: +- Desktop +- Favorites +- Recent +- Public Documents +- Public Music +- Public Videos +- Public Downloads + +### Credentials +User credentials that are stored in **TokenBroker**, **PasswordVault**, or **Credential Manager** are cleared when you tap **End session**. + +## User interface +User interface (UI) settings are returned to their default values when **End session** is selected. + +### UI items +- Reset Quick Actions to default state +- Clear Toast notifications +- Reset volume levels +- Reset sidebar width +- Reset tablet mode layout +- Sign user out of Office 365 meetings and files + +### Accessibility +Accessibility features and apps are returned to default settings when **End session** is selected. +- Filter keys +- High contrast +- Sticky keys +- Toggle keys +- Mouse keys +- Magnifier +- Narrator + +### Clipboard +The clipboard is cleared to remove data that was copied to the clipboard during the session. + +## Frequently asked questions +**What happens if I forget to tap End session at the end of a meeting, and someone else uses the Surface Hub later?**
+Surface Hub only cleans up meeting content when users tap **End session**. If you leave the meeting without tapping **End session**, the device will return to the welcome screen after some time. From the welcome screen, users have the option to resume the previous session or start a new one. You can also disable the ability to resume a session if **End session** is not pressed. + +**Are documents recoverable?**
+Removing files from the hard drive when **End session** is selected is just like any other file deletion from a hard disk drive. Third-party software might be able to recover data from the hard disk drive, but file recovery is not a supported feature on Surface Hub. To prevent data loss, always save the data you need before leaving a meeting. + +**Do the clean-up actions from End session comply with the US Department of Defense clearing and sanitizing standard: DoD 5220.22-M?**
+No. Currently, the clean-up actions from **End session** do not comply with this standard. + diff --git a/devices/surface-hub/first-run-program-surface-hub.md b/devices/surface-hub/first-run-program-surface-hub.md index 6ee36023cc..4e6ceac8b8 100644 --- a/devices/surface-hub/first-run-program-surface-hub.md +++ b/devices/surface-hub/first-run-program-surface-hub.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerMS localizationpriority: medium --- @@ -43,9 +43,10 @@ Each of these sections also contains information about paths you might take when This is the first screen you'll see when you power up the Surface Hub for the first time. It's where you input localization information for your device. ->**Note**  This is also where you begin the optional process of deploying a provisioning package. See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) if that's what you're doing. +>[!NOTE] +>This is also where you begin the optional process of deploying a provisioning package. See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) if that's what you're doing. -  + Select a language and the initial setup options are displayed. ![Image showing ICD options checklist.](images/setuplocale.png) 
@@ -326,6 +327,9 @@ This is what happens when you choose an option. - **Use Microsoft Azure Active Directory** Clicking this option allows you to join the device to Azure AD. Once you click **Next**, the device will restart to apply some settings, and then you’ll be taken to the [Use Microsoft Azure Active Directory](#use-microsoft-azure) page and asked to enter credentials that can allow you to join Azure AD. After joining, admins from the joined organization will be able to use the Settings app. The specific people that will be allowed depends on your Azure AD subscription and how you’ve configured the settings for your Azure AD organization. + + >[!IMPORTANT] + >If you join Surface Hub to Azure AD during first-run setup, single sign-on (SSO) for Office apps will not work properly. Users will have to sign in to each Office app individually. - **Use Active Directory Domain Services** @@ -382,7 +386,7 @@ Once the device has been domain joined, you must specify a security group from t The following input is required: - **Domain:** This is the fully qualified domain name (FQDN) of the domain that you want to join. A security group from this domain can be used to manage the device. -- **User name:** The user name of an account that has sufficient permission to join the specified domain. +- **User name:** The user name of an account that has sufficient permission to join the specified domain. This account must be a computer object. - **Password:** The password for the account. After the credentials are verified, you will be asked to type a security group name. This input is required. diff --git a/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md b/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md deleted file mode 100644 index ccf99db112..0000000000 --- a/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md +++ /dev/null 
@@ -1,91 +0,0 @@ ---- -title: I am done - ending a Surface Hub meeting -description: To end a Surface Hub meeting, tap I am Done. Surface Hub cleans up the application state, operating system state, and the user interface so that Surface Hub is ready for the next meeting. -keywords: I am Done, end Surface Hub meeting, finish Surface Hub meeting, clean up Surface Hub meeting -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: surfacehub -author: TrudyHa -localizationpriority: medium ---- - -# End a Surface Hub meeting with I'm Done -Surface Hub is a collaboration device designed to be used in meeting spaces by different groups of people. At the end of a meeting, users can tap **I'm Done** to clean up any sensitive data and prepare the device for the next meeting. Surface Hub will clean up, or reset, the following states: -- Applications -- Operating system -- User interface - -This topic explains what **I'm Done** resets for each of these states. - -## Applications -When you start apps on Surface Hub, they are stored in memory and data is stored at the application level. Data is available to all users during that session (or meeting) until date is removed or overwritten. When **I'm done** is selected, Surface Hub application state is cleared out by closing applications, deleting browser history, resetting applications, and removing Skype logs. - -### Close applications -Surface Hub closes all visible windows, including Win32 and Universal Windows Platform (UWP) applications. The application close stage uses the multitasking view to query the visible windows. Win32 windows that do not close within a certain timeframe are closed using **TerminateProcess**. - -### Delete browser history -Surface Hub uses Delete Browser History (DBH) in Edge to clear Edge history and cached data. 
This is similar to how a user can clear out their browser history manually, but **I'm Done** also ensures that application states are cleared and data is removed before the next session, or meeting, starts. - -### Reset applications -**I'm Done** resets the state of each application that is installed on the Surface Hub. Resetting an application clears all background tasks, application data, notifications, and user consent dialogs. Applications are returned to their first-run state for the next people that use Surface Hub. - -### Remove Skype logs -Skype does not store personally-identifiable information on Surface Hub. Information is stored in the Skype service to meet existing Skype for Business guidance. Local Skype logging information is the only data removed when **I'm Done** is selected. This includes Unified Communications Client Platform (UCCP) logs and media logs. - -## Operating System -The operating system hosts a variety of information about the state of the sessions that needs to be cleared after each Surface Hub meeting. - -### File System -Meeting attendees have access to a limited set of directories on the Surface Hub. When **I'm Done** is selected, Surface Hub clears these directories:
-- Music -- Videos -- Documents -- Pictures -- Downloads - -Surface Hub also clears these directories, since many applications often write to them: -- Desktop -- Favorites -- Recent -- Public Documents -- Public Music -- Public Videos -- Public Downloads - -### Credentials -User credentials that are stored in **TokenBroker**, **PasswordVault**, or **Credential Manager** are cleared when you tap **I’m done**. - -## User interface -User interface (UI) settings are returned to their default values when **I'm Done** is selected. - -### UI items -- Reset Quick Actions to default state -- Clear Toast notifications -- Reset volume levels -- Reset sidebar width -- Reset tablet mode layout - -### Accessibility -Accessibility features and apps are returned to default settings when **I'm Done** is selected. -- Filter keys -- High contrast -- Sticky keys -- Toggle keys -- Mouse keys -- Magnifier -- Narrator - -### Clipboard -The clipboard is cleared to remove data that was copied to the clipboard during the session. - -## Frequently asked questions -**What happens if I forget to tap I'm Done at the end of a meeting, and someone else uses the Surface Hub later?**
-Surface Hub only cleans up meeting content when users tap **I'm Done**. If you leave the meeting without tapping **I'm Done**, the device will return to the welcome screen after some time. From the welcome screen, users have the option to resume the previous session or start a new one. - -**Are documents recoverable?**
-Removing files from the hard drive when **I'm Done** is selected is just like any other file deletion from a hard disk drive. Third-party software might be able to recover data from the hard disk drive, but file recovery is not a supported feature on Surface Hub. To prevent data loss, always save the data you need before leaving a meeting. - -**Do the clean-up actions from I'm Done comply with the US Department of Defense clearing and sanitizing standard: DoD 5220.22-M?**
-No. Currently, the clean-up actions from **I'm Done** do not comply with this standard. - diff --git a/devices/surface-hub/images/OOBE-2.jpg b/devices/surface-hub/images/OOBE-2.jpg new file mode 100644 index 0000000000..0c615a2ec4 Binary files /dev/null and b/devices/surface-hub/images/OOBE-2.jpg differ diff --git a/devices/surface-hub/images/account-management-details.PNG b/devices/surface-hub/images/account-management-details.PNG new file mode 100644 index 0000000000..66712394ec Binary files /dev/null and b/devices/surface-hub/images/account-management-details.PNG differ diff --git a/devices/surface-hub/images/account-management.PNG b/devices/surface-hub/images/account-management.PNG new file mode 100644 index 0000000000..34165dfcd6 Binary files /dev/null and b/devices/surface-hub/images/account-management.PNG differ diff --git a/devices/surface-hub/images/add-applications-details.PNG b/devices/surface-hub/images/add-applications-details.PNG new file mode 100644 index 0000000000..2efd3483ae Binary files /dev/null and b/devices/surface-hub/images/add-applications-details.PNG differ diff --git a/devices/surface-hub/images/add-applications.PNG b/devices/surface-hub/images/add-applications.PNG new file mode 100644 index 0000000000..2316deb2fd Binary files /dev/null and b/devices/surface-hub/images/add-applications.PNG differ diff --git a/devices/surface-hub/images/add-certificates-details.PNG b/devices/surface-hub/images/add-certificates-details.PNG new file mode 100644 index 0000000000..78cd783282 Binary files /dev/null and b/devices/surface-hub/images/add-certificates-details.PNG differ diff --git a/devices/surface-hub/images/add-certificates.PNG b/devices/surface-hub/images/add-certificates.PNG new file mode 100644 index 0000000000..24cb605d1c Binary files /dev/null and b/devices/surface-hub/images/add-certificates.PNG differ 
diff --git a/devices/surface-hub/images/add-config-file-details.PNG b/devices/surface-hub/images/add-config-file-details.PNG new file mode 100644 index 0000000000..c7b4db97e6 Binary files /dev/null and b/devices/surface-hub/images/add-config-file-details.PNG differ diff --git a/devices/surface-hub/images/add-config-file.PNG b/devices/surface-hub/images/add-config-file.PNG new file mode 100644 index 0000000000..5b779509d9 Binary files /dev/null and b/devices/surface-hub/images/add-config-file.PNG differ diff --git a/devices/surface-hub/images/apps.png b/devices/surface-hub/images/apps.png new file mode 100644 index 0000000000..5cb3b7ec8f Binary files /dev/null and b/devices/surface-hub/images/apps.png differ diff --git a/devices/surface-hub/images/developer-setup.PNG b/devices/surface-hub/images/developer-setup.PNG new file mode 100644 index 0000000000..8c93d5ed91 Binary files /dev/null and b/devices/surface-hub/images/developer-setup.PNG differ diff --git a/devices/surface-hub/images/enroll-mdm-details.PNG b/devices/surface-hub/images/enroll-mdm-details.PNG new file mode 100644 index 0000000000..f3a7fea8da Binary files /dev/null and b/devices/surface-hub/images/enroll-mdm-details.PNG differ diff --git a/devices/surface-hub/images/enroll-mdm.PNG b/devices/surface-hub/images/enroll-mdm.PNG new file mode 100644 index 0000000000..b7cfdbc767 Binary files /dev/null and b/devices/surface-hub/images/enroll-mdm.PNG differ diff --git a/devices/surface-hub/images/finish-details.png b/devices/surface-hub/images/finish-details.png new file mode 100644 index 0000000000..727efac696 Binary files /dev/null and b/devices/surface-hub/images/finish-details.png differ diff --git a/devices/surface-hub/images/finish.PNG b/devices/surface-hub/images/finish.PNG new file mode 100644 index 0000000000..7c65da1799 Binary files /dev/null and b/devices/surface-hub/images/finish.PNG differ 
diff --git a/devices/surface-hub/images/five.png b/devices/surface-hub/images/five.png new file mode 100644 index 0000000000..961f0e15b7 Binary files /dev/null and b/devices/surface-hub/images/five.png differ diff --git a/devices/surface-hub/images/four.png b/devices/surface-hub/images/four.png new file mode 100644 index 0000000000..0fef213b37 Binary files /dev/null and b/devices/surface-hub/images/four.png differ diff --git a/devices/surface-hub/images/icd-simple-edit.png b/devices/surface-hub/images/icd-simple-edit.png new file mode 100644 index 0000000000..aea2e24c8a Binary files /dev/null and b/devices/surface-hub/images/icd-simple-edit.png differ diff --git a/devices/surface-hub/images/one.png b/devices/surface-hub/images/one.png new file mode 100644 index 0000000000..42b4742c49 Binary files /dev/null and b/devices/surface-hub/images/one.png differ diff --git a/devices/surface-hub/images/ppkg-config.png b/devices/surface-hub/images/ppkg-config.png new file mode 100644 index 0000000000..10a2b7de58 Binary files /dev/null and b/devices/surface-hub/images/ppkg-config.png differ diff --git a/devices/surface-hub/images/ppkg-csv.png b/devices/surface-hub/images/ppkg-csv.png new file mode 100644 index 0000000000..0648f555e1 Binary files /dev/null and b/devices/surface-hub/images/ppkg-csv.png differ diff --git a/devices/surface-hub/images/proxy-details.PNG b/devices/surface-hub/images/proxy-details.PNG new file mode 100644 index 0000000000..fcc7b06a41 Binary files /dev/null and b/devices/surface-hub/images/proxy-details.PNG differ diff --git a/devices/surface-hub/images/proxy.PNG b/devices/surface-hub/images/proxy.PNG new file mode 100644 index 0000000000..cdfc02c454 Binary files /dev/null and b/devices/surface-hub/images/proxy.PNG differ 
diff --git a/devices/surface-hub/images/recover-from-cloud.png b/devices/surface-hub/images/recover-from-cloud.png new file mode 100644 index 0000000000..7d409edc5f Binary files /dev/null and b/devices/surface-hub/images/recover-from-cloud.png differ diff --git a/devices/surface-hub/images/recover-from-the-cloud.png b/devices/surface-hub/images/recover-from-the-cloud.png new file mode 100644 index 0000000000..07c1e22851 Binary files /dev/null and b/devices/surface-hub/images/recover-from-the-cloud.png differ diff --git a/devices/surface-hub/images/recover-progress.png b/devices/surface-hub/images/recover-progress.png new file mode 100644 index 0000000000..316d830a57 Binary files /dev/null and b/devices/surface-hub/images/recover-progress.png differ diff --git a/devices/surface-hub/images/reinstall.png b/devices/surface-hub/images/reinstall.png new file mode 100644 index 0000000000..2f307841aa Binary files /dev/null and b/devices/surface-hub/images/reinstall.png differ diff --git a/devices/surface-hub/images/repartition.png b/devices/surface-hub/images/repartition.png new file mode 100644 index 0000000000..26725a8c54 Binary files /dev/null and b/devices/surface-hub/images/repartition.png differ diff --git a/devices/surface-hub/images/set-up-device-admins-details.PNG b/devices/surface-hub/images/set-up-device-admins-details.PNG new file mode 100644 index 0000000000..42c04b4b3b Binary files /dev/null and b/devices/surface-hub/images/set-up-device-admins-details.PNG differ diff --git a/devices/surface-hub/images/set-up-device-admins.PNG b/devices/surface-hub/images/set-up-device-admins.PNG new file mode 100644 index 0000000000..e0e037903c Binary files /dev/null and b/devices/surface-hub/images/set-up-device-admins.PNG differ 
diff --git a/devices/surface-hub/images/set-up-device-details.PNG b/devices/surface-hub/images/set-up-device-details.PNG new file mode 100644 index 0000000000..be565ac8d9 Binary files /dev/null and b/devices/surface-hub/images/set-up-device-details.PNG differ diff --git a/devices/surface-hub/images/set-up-device.PNG b/devices/surface-hub/images/set-up-device.PNG new file mode 100644 index 0000000000..0c9eb0e3ff Binary files /dev/null and b/devices/surface-hub/images/set-up-device.PNG differ diff --git a/devices/surface-hub/images/set-up-network-details.PNG b/devices/surface-hub/images/set-up-network-details.PNG new file mode 100644 index 0000000000..7e1391326c Binary files /dev/null and b/devices/surface-hub/images/set-up-network-details.PNG differ diff --git a/devices/surface-hub/images/set-up-network.PNG b/devices/surface-hub/images/set-up-network.PNG new file mode 100644 index 0000000000..a0e856c103 Binary files /dev/null and b/devices/surface-hub/images/set-up-network.PNG differ diff --git a/devices/surface-hub/images/sh-quick-action.png b/devices/surface-hub/images/sh-quick-action.png index cb072a9793..3003e464b3 100644 Binary files a/devices/surface-hub/images/sh-quick-action.png and b/devices/surface-hub/images/sh-quick-action.png differ diff --git a/devices/surface-hub/images/sh-settings-reset-device.png b/devices/surface-hub/images/sh-settings-reset-device.png index b3e35bb385..f3a9a6dc5c 100644 Binary files a/devices/surface-hub/images/sh-settings-reset-device.png and b/devices/surface-hub/images/sh-settings-reset-device.png differ diff --git a/devices/surface-hub/images/sh-settings-update-security.png b/devices/surface-hub/images/sh-settings-update-security.png index a10d4ffb51..59212d1805 100644 Binary files a/devices/surface-hub/images/sh-settings-update-security.png and b/devices/surface-hub/images/sh-settings-update-security.png differ 
diff --git a/devices/surface-hub/images/sh-settings.png b/devices/surface-hub/images/sh-settings.png index 03125b3419..0134fda740 100644 Binary files a/devices/surface-hub/images/sh-settings.png and b/devices/surface-hub/images/sh-settings.png differ diff --git a/devices/surface-hub/images/six.png b/devices/surface-hub/images/six.png new file mode 100644 index 0000000000..2816328ec3 Binary files /dev/null and b/devices/surface-hub/images/six.png differ diff --git a/devices/surface-hub/images/surfacehub.png b/devices/surface-hub/images/surfacehub.png new file mode 100644 index 0000000000..1b9b484ab8 Binary files /dev/null and b/devices/surface-hub/images/surfacehub.png differ diff --git a/devices/surface-hub/images/three.png b/devices/surface-hub/images/three.png new file mode 100644 index 0000000000..887fa270d7 Binary files /dev/null and b/devices/surface-hub/images/three.png differ diff --git a/devices/surface-hub/images/two.png b/devices/surface-hub/images/two.png new file mode 100644 index 0000000000..b8c2d52eaf Binary files /dev/null and b/devices/surface-hub/images/two.png differ diff --git a/devices/surface-hub/index.md b/devices/surface-hub/index.md index 22e94d2746..dabf0f1f6e 100644 --- a/devices/surface-hub/index.md +++ b/devices/surface-hub/index.md @@ -12,19 +12,36 @@ localizationpriority: medium # Microsoft Surface Hub +>[Looking for the user's guide for Surface Hub?](http://download.microsoft.com/download/3/6/B/36B6331E-0C63-4E71-A05D-EE88D05081F8/surface-hub-user-guide-en-us.pdf) + +
Microsoft Surface Hub is an all-in-one productivity device that is intended for brainstorming, collaboration, and presentations. In order to get the maximum benefit from Surface Hub, your organization’s infrastructure and the Surface Hub itself must be properly set up and integrated. The documentation in this library describes what needs to be done both before and during setup in order to help you optimize your use of the device.![image of a Surface Hub](images/surfacehub.png)
+  + +## Surface Hub setup process + +In some ways, adding your new Surface Hub is just like adding any other Microsoft Windows-based device to your network. However, in order to get your Surface Hub up and running at its full capacity, there are some very specific requirements. Here are the next topics you'll need: + +1. [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md) +2. [Gather the information listed in the Setup worksheet](setup-worksheet-surface-hub.md) +2. [Physically install your Surface Hub device](physically-install-your-surface-hub-device.md) +3. [Run the Surface Hub first-run setup program (OOBE)](first-run-program-surface-hub.md) -Documents related to deploying and managing the Microsoft Surface Hub in your organization. ->[Looking for the user's guide for Surface Hub?](https://www.microsoft.com/surface/support/surface-hub) ## In this section | Topic | Description | | --- | --- | -| [Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md) | This guide covers the installation and administration of devices running Surface Hub, and is intended for use by anyone responsible for these tasks, including IT administrators and developers.| +| [What's new in Windows 10, version 1703 for Surface Hub?](surfacehub-whats-new-1703.md) | Discover the changes and improvements for Microsoft Surface Hub in the Windows 10, version 1703 release (also known as Creators Update). | | [Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md) | This topic explains the differences between the operating system on Surface Hub and Windows 10 Enterprise. | -| [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md) | This topic provides guidance on Wi-Fi Direct security risks, how the Surface Hub has addressed those risks, and how Surface Hub administrators can configure the device for the highest level of security. 
| +| [Prepare your environment for Microsoft Surface Hub](prepare-your-environment-for-surface-hub.md) | This section contains an overview of the steps required to prepare your environment so that you can use all of the features of Surface Hub. See [Intro to Surface Hub](intro-to-surface-hub.md) for a description of how the device and its features interact with your IT environment. | +| [Set up Microsoft Surface Hub](set-up-your-surface-hub.md) | Set up instructions for Surface Hub include a setup worksheet, and a walkthrough of the first-run program. | +| [Manage Microsoft Surface Hub](manage-surface-hub.md) | How to manage your Surface Hub after finishing the first-run program. | +| [PowerShell for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) | +| [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md) | This topic provides guidance on Wi-Fi Direct security risks, how the Surface Hub has addressed those risks, and how Surface Hub administrators can configure the device for the highest level of security. | PowerShell scripts to help set up and manage your Surface Hub. | +| [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md) | Troubleshoot common problems, including setup issues, Exchange ActiveSync errors. | | [Useful downloads for Surface Hub administrators](surface-hub-downloads.md) | This topic provides links to useful Surface Hub documents, such as product datasheets, the site readiness guide, and user's guide. | -| [Change history for Surface Hub](change-history-surface-hub.md) | This topic lists new and updated topics in the Surface Hub documentation. | +| [Change history for Surface Hub](change-history-surface-hub.md) | This topic lists new and updated topics in the Surface Hub documentation library. | + diff --git a/devices/surface-hub/install-apps-on-surface-hub.md b/devices/surface-hub/install-apps-on-surface-hub.md index d26712627a..dea976e29f 100644 
--- a/devices/surface-hub/install-apps-on-surface-hub.md
+++ b/devices/surface-hub/install-apps-on-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: surfacehub, store
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/intro-to-surface-hub.md b/devices/surface-hub/intro-to-surface-hub.md
deleted file mode 100644
index eb48a1fb78..0000000000
--- a/devices/surface-hub/intro-to-surface-hub.md
+++ /dev/null
@@ -1,28 +0,0 @@ ---- -title: Intro to Microsoft Surface Hub -description: Microsoft Surface Hub is an all-in-one productivity device that is intended for brainstorming, collaboration, and presentations. -ms.assetid: 5DAD4489-81CF-47ED-9567-A798B90C7E76 -keywords: Surface Hub, productivity, collaboration, presentations, setup -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: surfacehub -author: TrudyHa -localizationpriority: medium ---- - -# Intro to Microsoft Surface Hub - - -Microsoft Surface Hub is an all-in-one productivity device that is intended for brainstorming, collaboration, and presentations. In order to get the maximum benefit from Surface Hub, your organization’s infrastructure and the Surface Hub itself must be properly set up and integrated. This guide describes what needs to be done both before and during setup in order to help you optimize your use of the device. -  -You’ll need to understand how each of these services interacts with Surface Hub. See [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md) for details. - -## Surface Hub setup process - -In some ways, adding your new Surface Hub is just like adding any other Microsoft Windows-based device to your network. However, in order to get your Surface Hub up and running at its full capacity, there are some very specific requirements. Here are the next topics you'll need: - -1. [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md) -2. [Physically install your Surface Hub device](physically-install-your-surface-hub-device.md) -3. [Run the Surface Hub first-run setup program (OOBE)](first-run-program-surface-hub.md) - diff --git a/devices/surface-hub/local-management-surface-hub-settings.md b/devices/surface-hub/local-management-surface-hub-settings.md index dea2a514bd..7d17d33c38 100644 --- a/devices/surface-hub/local-management-surface-hub-settings.md 
+++ b/devices/surface-hub/local-management-surface-hub-settings.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
@@ -16,29 +16,38 @@ After initial setup of Microsoft Surface Hub, the device’s settings can be loc ## Surface Hub settings -Surface Hubs have many settings that are common to other Windows devices, but also have settings which are only configurable on Surface Hubs. This table lists settings only cofigurable on Surface Hubs. +Surface Hubs have many settings that are common to other Windows devices, but also have settings which are only configurable on Surface Hubs. This table lists settings only configurable on Surface Hubs. | Setting | Location | Description | | ------- | -------- | ----------- | -| Device account | This device > Accounts | Set or change the Surface Hub's device account. | -| Device account sync status | This device > Accounts | Check the sync status of the device account’s mail and calendar on the Surface Hub. | -| Password rotation | This device > Accounts | Choose whether to let the Surface Hub automatically rotate the device account's password. | -| Change admin account password | This device > Accounts | Change the password for the local admin account. This is only available if you configured the device to use a local admin during first run. | -| Configure Operations Management Suite (OMS) | This device > Device management | Set up monitoring for your Surface Hub using OMS. | -| Open the Windows Store app | This device > Apps & features | The Windows Store app is only available to admins through the Settings app. | -| Skype for Business domain name | This device > Calling | Configure a domain name for your Skype for Business server. | -| Default microphone and speaker settings | This device > Calling | Configure a default microphone and speaker for calls, and a default speaker for media playback. | -| Turn off wireless projection using Miracast | This device > Wireless projection | Choose whether presenters can wirelessly project to the Surface Hub using Miracast. 
| -| Require a PIN for wireless projection | This device > Wireless projection | Choose whether people are required to enter a PIN before they use wireless projection. | -| Wireless projection (Miracast) channel | This device > Wireless projection | Set the channel for Miracast projection. | -| Meeting info shown on the welcome screen | This device > Welcome screen | Choose whether meeting organizer, time, and subject show up on the welcome screen. | -| Welcome screen background | This device > Welcome screen | Choose a background image for the welcome screen. | -| Turn on screen with motion sensors | This device > Session & clean up | Choose whether the screen turns on when motion is detected. | -| Session time out | This device > Session & clean up | Choose how long the device needs to be inactive before returning to the welcome screen. | -| Sleep time out | This device > Session & clean up | Choose how long the device needs to be inactive before going to sleep mode. | -| Friendly name | This device > About | Set the Surface Hub name that people will see when connecting wirelessly. | +| Device account | Surface Hub > Accounts | Set or change the Surface Hub's device account. | +| Device account sync status | Surface Hub > Accounts | Check the sync status of the device account’s mail and calendar on the Surface Hub. | +| Password rotation | Surface Hub > Accounts | Choose whether to let the Surface Hub automatically rotate the device account's password. | +| Change admin account password | Surface Hub > Accounts | Change the password for the local admin account. This is only available if you configured the device to use a local admin during first run. | +| Device Management | Surface Hub > Device management | Manage policies and business applications using mobile device management (MDM). | +| Provisioning packages | Surface Hub > Device management | Set or change provisioning packages installed on the Surface Hub. 
| +| Configure Operations Management Suite (OMS) | Surface Hub > Device management | Set up monitoring for your Surface Hub using OMS. | +| Open the Windows Store app | Surface Hub > Apps & features | The Windows Store app is only available to admins through the Settings app. | +| Skype for Business domain name | Surface Hub > Calling & Audio | Configure a domain name for your Skype for Business server. | +| Default Speaker volume | Surface Hub > Calling & Audio | Configure the default speaker volume for the Surface Hub when it starts a session. | +| Default microphone and speaker settings | Surface Hub > Calling & Audio | Configure a default microphone and speaker for calls, and a default speaker for media playback. | +| Enable Dolby Audio X2 | Surface Hub > Calling & Audio | Configure the Dolby Audio X2 speaker enhancements. | +| Open Connect App automatically | Surface Hub > Projection | Choose whether projection will automatically open the Connect app or wait for user input before opening. | +| Turn off wireless projection using Miracast | Surface Hub > Projection | Choose whether presenters can wirelessly project to the Surface Hub using Miracast. | +| Require a PIN for wireless projection | Surface Hub > Projection | Choose whether people are required to enter a PIN before they use wireless projection. | +| Wireless projection (Miracast) channel | Surface Hub > Projection | Set the channel for Miracast projection. | +| Meeting info shown on the welcome screen | Surface Hub > Welcome screen | Choose whether meeting organizer, time, and subject show up on the welcome screen. | +| Welcome screen background | Surface Hub > Welcome screen | Choose a background image for the welcome screen. | +| Idle timeout to Welcome screen | Surface Hub > Session & Power | Choose how long until the Surface Hub returns to the welcome screen after no motion is detected. 
| +| Resume session | Surface Hub > Session & Power | Choose to allow users to resume a session after no motion is detected or to automatically clean up a session. | +| Access to Office 365 meetings and files | Surface Hub > Session & Power | Choose whether a user can sign in to Office 365 to get access to their meetings and files. | +| Turn on screen with motion sensors | Surface Hub > Session & clean up | Choose whether the screen turns on when motion is detected. | +| Session time out | Surface Hub > Session & clean up | Choose how long the device needs to be inactive before returning to the welcome screen. | +| Sleep time out | Surface Hub > Session & clean up | Choose how long the device needs to be inactive before going to sleep mode. | +| Friendly name | Surface Hub > About | Set the Surface Hub name that people will see when connecting wirelessly. | | Maintenance hours | Update & security > Windows Update > Advanced options | Configure when updates can be installed. | | Configure Windows Server Update Services (WSUS) server | Update & security > Windows Update > Advanced options | Change whether Surface Hub receives updates from a WSUS server instead of Windows Update. | +| Recover from the cloud | Update & security > Recovery | Reinstall the operating system on Surface Hub to a manufacturer build from the cloud. | | Save BitLocker key | Update & security > Recovery | Backup your Surface Hub's BitLocker key to a USB drive. | | Collect logs | Update & security > Recovery | Save logs to a USB drive to send to Microsoft later. | diff --git a/devices/surface-hub/manage-settings-with-local-admin-account-surface-hub.md b/devices/surface-hub/manage-settings-with-local-admin-account-surface-hub.md deleted file mode 100644 index db9230f9ad..0000000000 --- a/devices/surface-hub/manage-settings-with-local-admin-account-surface-hub.md +++ /dev/null 
@@ -1,13 +0,0 @@ ---- -title: Manage settings with a local admin account (Surface Hub) -description: A local admin account will be set up on every Microsoft Surface Hub as part of the first run program. The only way to change the local admin options that you chose at that time is to reset the device. -ms.assetid: B4B3668B-985D-427E-8495-E30ABEECA679 -redirect_url: https://technet.microsoft.com/itpro/surface-hub/admin-group-management-for-surface-hub -keywords: local admin account, Surface Hub, change local admin options -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: surfacehub -author: TrudyHa -localizationpriority: medium ---- diff --git a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md index 8cadcb7309..c1913c01cc 100644 --- a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md +++ b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md @@ -69,9 +69,19 @@ For more information, see [SurfaceHub configuration service provider](https://ms | Connect to your Operations Management Suite workspace | MOMAgent/WorkspaceID
MOMAgent/WorkspaceKey | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes | | Welcome screen background image | InBoxApps/Welcome/CurrentBackgroundPath | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes | | Meeting information displayed on the welcome screen | InBoxApps/Welcome/MeetingInfoOption | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Friendly name for wireless projection | Properties/FriendlyName | Yes.
[Use a custom policy.](#example-intune)) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Friendly name for wireless projection | Properties/FriendlyName | Yes
[Use a custom policy.](#example-intune)) | Yes.
[Use a custom setting.](#example-sccm) | Yes | | Device account, including password rotation | DeviceAccount/*``*
See [SurfaceHub CSP](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx). | No | No | Yes | -\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package. +| Specify Skype domain | InBoxApps/SkypeForBusiness/DomainName | Yes
[Use a custom policy.](#example-intune)) | Yes
[Use a custom setting.] Yes | +| Auto launch Connect App when projection is initiated | InBoxApps/Connect/AutoLaunch | Yes
[Use a custom policy.](#example-intune)) | Yes
[Use a custom setting.] Yes | +| Set default volume | Properties/DefaultVolume | Yes
[Use a custom policy.](#example-intune)) | Yes
[Use a custom setting.] Yes | +| Set screen timeout | Properties/ScreenTimeout | Yes
[Use a custom policy.](#example-intune)) | Yes
[Use a custom setting.] Yes | +| Set session timeout | Properties/SessionTimeout | Yes
[Use a custom policy.](#example-intune)) | Yes
[Use a custom setting.] Yes | +| Set sleep timeout | Properties/SleepTimeout | Yes
[Use a custom policy.](#example-intune)) | Yes
[Use a custom setting.] Yes | +| Allow session to resume after screen is idle | Properties/AllowSessionResume | Yes
[Use a custom policy.](#example-intune)) | Yes
[Use a custom setting.] Yes | +| Allow device account to be used for proxy authentication | Properties/AllowAutoProxyAuth | Yes
[Use a custom policy.](#example-intune)) | Yes
[Use a custom setting.] Yes | +| Disable auto-populating the sign-in dialog with invitees from scheduled meetings | Properties/DisableSignInSuggestions | Yes
[Use a custom policy.](#example-intune)) | Yes
[Use a custom setting.] Yes | +| Disable "My meetings and files" feature in Start menu | Properties/DoNotShowMyMeetingsAndFiles | Yes
[Use a custom policy.](#example-intune)) | Yes
[Use a custom setting.] Yes | +\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. ### Supported Windows 10 settings @@ -87,7 +97,7 @@ The following tables include info on Windows 10 settings that have been validate | Allow camera | Keep this enabled for Skype for Business. | [Camera/AllowCamera](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Camera_AllowCamera) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | | Allow location | Keep this enabled to support apps such as Maps. | [System/AllowLocation](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowLocation) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | | Allow telemetry | Keep this enabled to help Microsoft improve Surface Hub. | [System/AllowTelemetry](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowTelemetry) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package. +\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. #### Browser settings @@ -102,7 +112,7 @@ The following tables include info on Windows 10 settings that have been validate | Allow SmartScreen | Keep this enabled to turn on SmartScreen. | [Browser/AllowSmartScreen](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | | Prevent ignoring SmartScreen Filter warnings for websites | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from accessing potentially malicious websites. | [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | | Prevent ignoring SmartScreen Filter warnings for files | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package. +\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. #### Windows Update settings @@ -115,7 +125,7 @@ The following tables include info on Windows 10 settings that have been validate | Pause quality updates | See above. | [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes| | Configure device to use WSUS| Use to connect your Surface Hub to WSUS instead of Windows Update – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/UpdateServiceUrl](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | | Delivery optimization | Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Configure Delivery Optimization for Windows 10](https://technet.microsoft.com/itpro/windows/manage/waas-delivery-optimization) for details. | DeliveryOptimization/*``*
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package. +\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. #### Windows Defender settings @@ -123,7 +133,7 @@ The following tables include info on Windows 10 settings that have been validate | ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- | | Defender policies | Use to configure various Defender settings, including a scheduled scan time. | Defender/*``*
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | | Defender status | Use to initiate a Defender scan, force a signature update, query any threats detected. | [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/mt187856.aspx) | No. | No. | Yes | -\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package. +\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. #### Remote reboot @@ -132,7 +142,7 @@ The following tables include info on Windows 10 settings that have been validate | Reboot the device immediately | Use in conjunction with OMS to minimize support costs – see [Monitor your Microsoft Surface Hub](monitor-surface-hub.md). | ./Vendor/MSFT/Reboot/RebootNow
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | No | No | Yes | | Reboot the device at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/Single
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | | Reboot the device daily at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package. +\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. #### Install certificates @@ -142,7 +152,7 @@ The following tables include info on Windows 10 settings that have been validate -\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package. +\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. #### Collect logs @@ -151,7 +161,7 @@ The following tables include info on Windows 10 settings that have been validate | Collect ETW logs | Use to remotely collect ETW logs from Surface Hub. | [DiagnosticLog CSP](https://msdn.microsoft.com/library/windows/hardware/mt219118.aspx) | No | No | Yes | -\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package. +\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. ### Generate OMA URIs for settings You need to use a setting’s OMA URI to create a custom policy in Intune, or a custom setting in System Center Configuration Manager. @@ -252,7 +262,7 @@ For more information, see [Create configuration items for Windows 8.1 and Window [Manage Microsoft Surface Hub](manage-surface-hub.md) -[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md) +   diff --git a/devices/surface-hub/manage-surface-hub-settings.md b/devices/surface-hub/manage-surface-hub-settings.md index 5413d28a30..ecfbb7c584 100644 --- a/devices/surface-hub/manage-surface-hub-settings.md +++ b/devices/surface-hub/manage-surface-hub-settings.md 
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/manage-surface-hub.md b/devices/surface-hub/manage-surface-hub.md
index b464c430f2..95b3b394bd 100644
--- a/devices/surface-hub/manage-surface-hub.md
+++ b/devices/surface-hub/manage-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
@@ -30,7 +30,7 @@ Learn about managing and updating Surface Hub.
 | [Remote Surface Hub management](remote-surface-hub-management.md) |Topics related to managing your Surface Hub remotely. Include install apps, managing settings with MDM and monitoring with Operations Management Suite. |
 | [Manage Surface Hub settings](manage-surface-hub-settings.md) |Topics related to managing Surface Hub settings: accessibility, device account, device reset, fully qualified domain name, Windows Update settings, and wireless network |
 | [Install apps on your Surface Hub]( https://technet.microsoft.com/itpro/surface-hub/install-apps-on-surface-hub) | Admins can install apps can from either the Windows Store or the Windows Store for Business.|
-| [End a meeting with I’m done](https://technet.microsoft.com/itpro/surface-hub/i-am-done-finishing-your-surface-hub-meeting) | At the end of a meeting, users can tap I'm Done to clean up any sensitive data and prepare the device for the next meeting.|
+| [End a meeting with End session](https://technet.microsoft.com/itpro/surface-hub/i-am-done-finishing-your-surface-hub-meeting) | At the end of a meeting, users can tap **End session** to clean up any sensitive data and prepare the device for the next meeting.|
 | [Save your BitLocker key](https://technet.microsoft.com/itpro/surface-hub/save-bitlocker-key-surface-hub) | Every Surface Hub is automatically set up with BitLocker drive encryption software. Microsoft strongly recommends that you make sure you back up your BitLocker recovery keys.|
 | [Connect other devices and display with Surface Hub](https://technet.microsoft.com/itpro/surface-hub/connect-and-display-with-surface-hub) | You can connect other device to your Surface Hub to display content.|
 | [Using a room control system]( https://technet.microsoft.com/itpro/surface-hub/use-room-control-system-with-surface-hub) | Room control systems can be used with your Microsoft Surface Hub.|
diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md
index 659e2a6ae5..f54bd79038 100644
--- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md
+++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
 
diff --git a/devices/surface-hub/monitor-surface-hub.md b/devices/surface-hub/monitor-surface-hub.md
index 4b96956704..27f722e175 100644
--- a/devices/surface-hub/monitor-surface-hub.md
+++ b/devices/surface-hub/monitor-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
 
diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
index 8914899056..7a4a8ed551 100644
--- a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
 
diff --git a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
index 6510d41971..0c25519753 100644
--- a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
 
diff --git a/devices/surface-hub/password-management-for-surface-hub-device-accounts.md b/devices/surface-hub/password-management-for-surface-hub-device-accounts.md
index c6c3db5d36..851ae60a58 100644
--- a/devices/surface-hub/password-management-for-surface-hub-device-accounts.md
+++ b/devices/surface-hub/password-management-for-surface-hub-device-accounts.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub, security
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
 
diff --git a/devices/surface-hub/physically-install-your-surface-hub-device.md b/devices/surface-hub/physically-install-your-surface-hub-device.md
index 489e6a03a3..3ea7a56b63 100644
--- a/devices/surface-hub/physically-install-your-surface-hub-device.md
+++ b/devices/surface-hub/physically-install-your-surface-hub-device.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub, readiness
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
 
diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md
index f5c342d43d..e11e0e6e42 100644
--- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md
+++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: plan
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
 
@@ -27,11 +27,12 @@ Review these dependencies to make sure Surface Hub features will work in your IT
 | Skype for Business (Lync Server 2013 or later, or Skype for Business Online) | Skype for Business is used for various conferencing features, like video calls, instant messaging, and screen sharing.

If screen sharing on a Surface Hub fails and the error message **An error occurred during the screen presentation** is displayed, see [Video Based Screen Sharing not working on Surface Hub](https://support.microsoft.com/help/3179272/video-based-screen-sharing-not-working-on-surface-hub) for help. | | Mobile device management (MDM) solution (Microsoft Intune, System Center Configuration Manager, or supported third-party MDM provider) | If you want to apply settings and install apps remotely, and to multiple devices at a time, you must set up a MDM solution and enroll the device to that solution. See [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) for details. | | Microsoft Operations Managmement Suite (OMS) | OMS is used to monitor the health of Surface Hub devices. See [Monitor your Surface Hub](monitor-surface-hub.md) for details. | -| Network and Internet access |

In order to function properly, the Surface Hub should have access to a wired or wireless network. Overall, a wired connection is preferred.

**Dynamic IP:** The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address.

**Proxy servers:** If your topology requires a connection to a proxy server to reach Internet services, then you can configure it during first run, or in Settings. | +| Network and Internet access |

In order to function properly, the Surface Hub should have access to a wired or wireless network. Overall, a wired connection is preferred. 802.1x Authentication is supported for both wired and wireless connections.

**Dynamic IP:** The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address.

**Proxy servers:** If your topology requires a connection to a proxy server to reach Internet services, then you can configure it during first run, or in Settings. Proxy credentials are stored across Surface Hub sessions and only need to be set once. | Additionally, note that Surface Hub requires the following open ports: - HTTPS: 443 - HTTP: 80 +- NTP: 123 Depending on your environment, access to additional ports may be needed: - For online environments, see [Office 365 IP URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US). @@ -49,7 +50,7 @@ Surface Hub interacts with a few different products and services. Depending on t ## Create and verify device account -A device account is an Exchange resource account that Surface Hub uses to display its meeting calendar, join Skype for Business calls, and send email. See [Create and test a device account](create-and-test-a-device-account-surface-hub.md) for details. +A device account is an Exchange resource account that Surface Hub uses to display its meeting calendar, join Skype for Business calls, send email, and (optionally) to authenticate to Exchange. See [Create and test a device account](create-and-test-a-device-account-surface-hub.md) for details. After you've created your device account, there are a couple of ways to verify that it's setup correctly. - Run Surface Hub device account validation PowerShell scripts. For more information, see [Surface Hub device account scripts](https://gallery.technet.microsoft.com/scriptcenter/Surface-Hub-device-account-6db77696) in Script Center, or [PowerShell scripts for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) later in this guide. diff --git a/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md b/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md deleted file mode 100644 index 73dd21ac2e..0000000000 
--- a/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md
+++ /dev/null
@@ -1,221 +0,0 @@ ---- -title: Create provisioning packages (Surface Hub) -description: For Windows 10, settings that use the registry or a content services platform (CSP) can be configured using provisioning packages. You can also add certificates during first run using provisioning. -ms.assetid: 8AA25BD4-8A8F-4B95-9268-504A49BA5345 -keywords: add certificate, provisioning package -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: surfacehub -author: TrudyHa -localizationpriority: medium ---- - -# Create provisioning packages (Surface Hub) - -This topic explains how to create a provisioning package using the Windows Imaging and Configuration Designer (ICD), and apply it to Surface Hub devices. For Surface Hub, you can use provisioning packages to add certificates, install Universal Windows Platform (UWP) apps, and customize policies and settings. - -You can apply a provisioning package using a USB during first run, or through the **Settings** app. - - -## Advantages -- Quickly configure devices without using a MDM provider. - -- No network connectivity required. - -- Simple to apply. - -[Learn more about the benefits and uses of provisioning packages.](https://technet.microsoft.com/itpro/windows/whats-new/new-provisioning-packages) - - -## Requirements - -To create and apply a provisioning package to a Surface Hub, you'll need the following: - -- Windows Imaging and Configuration Designer (ICD), which is installed as a part of the [Windows 10 Assessment and Deployment Kit (ADK)](http://go.microsoft.com/fwlink/p/?LinkId=526740). -- A PC running Windows 10. -- A USB flash drive. -- If you apply the package using the **Settings** app, you'll need device admin credentials. - -You'll create the provisioning package on a PC running Windows 10, save the package to a USB drive, and then deploy it to your Surface Hub. 
- - -## Supported items for Surface Hub provisioning packages - -Currently, you can add these items to provisioning packages for Surface Hub: -- **Certificates** - You can add certificates, if needed, to authenticate to Microsoft Exchange. -- **Universal Windows Platform (UWP) apps** - You can install UWP apps. This can be an offline-licensed app from the Windows Store for Business, or an app created by an in-house dev. -- **Policies** - Surface Hub supports a subset of the policies in the [Policy configuration service provider](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). Some of those policies can be configured with ICD. -- **Settings** - You can configure any setting in the [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx). - - -## Create the provisioning package - -Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. When you install the ADK, you can choose to install only the Imaging and Configuration Designer (ICD). [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) - -1. Open Windows ICD (by default, `%windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe`). - -2. Click **Advanced provisioning**. - - ![ICD start options](images/ICDstart-option.PNG) - -3. Name your project and click **Next**. - -4. Select **Common to Windows 10 Team edition**, click **Next**, and then click **Finish**. - - ![ICD new project](images/icd-new-project.png) - -5. In the project, under **Available customizations**, select **Common Team edition settings**. - - ![ICD common settings](images/icd-common-settings.png) - - -### Add a certificate to your package -You can use provisioning packages to install certificates that will allow the device to authenticate to Microsoft Exchange. 
- -> [!NOTE] -> Provisioning packages can only install certificates to the device (local machine) store, and not to the user store. If your organization requires that certificates must be installed to the user store, use Mobile Device Management (MDM) to deploy these certificates. See your MDM solution documentation for details. - -1. In the **Available customizations** pane, go to **Runtime settings** > **Certificates** > **ClientCertificates**. - -2. Enter a **CertificateName** and then click **Add**. - -2. Enter the **CertificatePassword**. - -3. For **CertificatePath**, browse and select the certificate. - -4. Set **ExportCertificate** to **False**. - -5. For **KeyLocation**, select **Software only**. - - -### Add a Universal Windows Platform (UWP) app to your package -Before adding a UWP app to a provisioning package, you need the app package (either an .appx, or .appxbundle) and any dependency files. If you acquired the app from the Windows Store for Business, you will also need the *unencoded* app license. See [Distribute offline apps](https://technet.microsoft.com/itpro/windows/manage/distribute-offline-apps#download-an-offline-licensed-app) to learn how to download these items from the Windows Store for Business. - -1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall** > **DeviceContextApp**. - -2. Enter a **PackageFamilyName** for the app and then click **Add**. For consistency, use the app's package family name. If you acquired the app from the Windows Store for Business, you can find the package family name in the app license. Open the license file using a text editor, and use the value between the \...\ tags. - -3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle). - -4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. For Surface Hub, you will only need the x64 versions of these dependencies. 
- -If you acquired the app from the Windows Store for Business, you will also need to add the app license to your provisioning package. - -1. Make a copy of the app license, and rename it to use a **.ms-windows-store-license** extension. For example, "example.xml" becomes "example.ms-windows-store-license". - -2. In ICD, in the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall** > **DeviceContextAppLicense**. - -3. Enter a **LicenseProductId** and then click **Add**. For consistency, use the app's license ID from the app license. Open the license file using a text editor. Then, in the \ tag, use the value in the **LicenseID** attribute. - -4. Select the new **LicenseProductId** node. For **LicenseInstall**, click **Browse** to find and select the license file that you renamed in Step 1. - - -### Add a policy to your package -Surface Hub supports a subset of the policies in the [Policy configuration service provider](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). Some of those policies can be configured with ICD. - -1. In the **Available customizations** pane, go to **Runtime settings** > **Policies**. - -2. Select one of the available policy areas. - -3. Select and set the policy you want to add to your provisioning package. - - -### Add Surface Hub settings to your package - -You can add settings from the [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx) to your provisioning package. - -1. In the **Available customizations** pane, go to **Runtime settings** > **WindowsTeamSettings**. - -2. Select one of the available setting areas. - -3. Select and set the setting you want to add to your provisioning package. - - -## Build your package - -1. When you are done configuring the provisioning package, on the **File** menu, click **Save**. - -2. Read the warning that project files may contain sensitive information, and click **OK**. 
- - > [!IMPORTANT] - > When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. - -3. On the **Export** menu, click **Provisioning package**. - -4. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources. - -5. Set a value for **Package Version**, and then select **Next.** - - > [!TIP] - > You can make changes to existing packages and change the version number to update previously applied packages. - -6. Optional: You can choose to encrypt the package and enable package signing. - - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse...** and choosing the certificate you want to use to sign the package. - - > [!IMPORTANT] - > We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.  - -7. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.

-Optionally, you can click **Browse** to change the default output location. - -8. Click **Next**. - -9. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.

-If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. - -10. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.

-If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - - - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. - -11. Select the **output location** link to go to the location of the package. Copy the .ppkg to an empty USB flash drive. - - -## Apply a provisioning package to Surface Hub - -There are two options for deploying provisioning packages to a Surface Hub. You can apply a provisioning packing [during the first run wizard](#apply-a-provisioning-package-during-first-run), or using [Settings](#apply-a-package-using-settings). - - -### Apply a provisioning package during first run - -> [!IMPORTANT] -> Only use provisioning packages to install certificates during first run. Use the **Settings** app to install apps and apply other settings. - -1. When you turn on the Surface Hub for the first time, the first-run program will display the [**Hi there page**](first-run-program-surface-hub.md#first-page). Make sure that the settings are properly configured before proceeding. - -2. Insert the USB flash drive containing the .ppkg file into the Surface Hub. If the package is in the root directory of the drive, the first-run program will recognize it and ask if you want to set up the device. Select **Set up**. - - ![Set up device?](images/provisioningpackageoobe-01.png) - -3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. - - ![Provision this device](images/provisioningpackageoobe-02.png) - -4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. Note that you can only install one package during first run. 
- - ![Choose a package](images/provisioningpackageoobe-03.png) - -5. The first-run program will show you a summary of the changes that the provisioning package will apply. Select **Yes, add it**. The package will be applied, and you'll be taken to the next page in the first-run program. - - ![Do you trust this package?](images/provisioningpackageoobe-04.png) - - -### Apply a package using Settings - -1. Insert the USB flash drive containing the .ppkg file into the Surface Hub. - -2. From the Surface Hub, start **Settings** and enter the admin credentials when prompted. - -3. Navigate to **This device** > **Device management**. Under **Provisioning packages**, select **Add or remove a provisioning package**. - -4. Select **Add a package**. - -5. Choose your provisioning package and select **Add**. You may have to re-enter the admin credentials if prompted. - -6. You'll see a summary of the changes that the provisioning package will apply. Select **Yes, add it**. diff --git a/devices/surface-hub/provisioning-packages-for-surface-hub.md b/devices/surface-hub/provisioning-packages-for-surface-hub.md new file mode 100644 index 0000000000..0d3604f6ad --- /dev/null +++ b/devices/surface-hub/provisioning-packages-for-surface-hub.md 
@@ -0,0 +1,319 @@ +--- +title: Create provisioning packages (Surface Hub) +description: For Windows 10, settings that use the registry or a configuration service provider (CSP) can be configured using provisioning packages. +ms.assetid: 8AA25BD4-8A8F-4B95-9268-504A49BA5345 +keywords: add certificate, provisioning package +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: surfacehub +author: jdeckerMS +localizationpriority: medium +--- + +# Create provisioning packages (Surface Hub) + +This topic explains how to create a provisioning package using the Windows Configuration Designer, and apply it to Surface Hub devices. For Surface Hub, you can use provisioning packages to add certificates, install Universal Windows Platform (UWP) apps, and customize policies and settings. + +You can apply a provisioning package using a USB stick during first-run setup, or through the **Settings** app. + + +## Advantages +- Quickly configure devices without using a mobile device management (MDM) provider. + +- No network connectivity required. + +- Simple to apply. + +[Learn more about the benefits and uses of provisioning packages.](https://technet.microsoft.com/itpro/windows/configure/provisioning-packages) + + +## Requirements + +To create and apply a provisioning package to a Surface Hub, you'll need the following: + +- Windows Configuration Designer, which can be installed from Windows Store or from the Windows 10 Assessment and Deployment Kit (ADK). [Learn how to install Windows Configuration Designer.](https://technet.microsoft.com/itpro/windows/configure/provisioning-install-icd) +- A USB stick. +- If you apply the package using the **Settings** app, you'll need device admin credentials. + +You create the provisioning package on a PC running Windows 10, save the package to a USB drive, and then deploy it to your Surface Hub. 
+ + +## Supported items for Surface Hub provisioning packages + +Using the **Provision Surface Hub devices** wizard, you can: + +- Enroll in Active Directory, Azure Active Directory, or MDM +- Create an device administrator account +- Add applications and certificates +- Configure proxy settings +- Add a Surface Hub configuration file + +>[!WARNING] +>You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using the wizard. + +Using the advanced provisioning editor, you can add these items to provisioning packages for Surface Hub: + +- **Policies** - Surface Hub supports a subset of the policies in the [Policy configuration service provider](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#surfacehubpolicies). +- **Settings** - You can configure any setting in the [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx). + +>[!TIP] +> Use the wizard to create a package with the common settings, then switch to the advanced editor to add other settings. +> +>![open advanced editor](images/icd-simple-edit.png) + +## Use the Surface Hub provisioning wizard + +After you [install Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/configure/provisioning-install-icd), you can create a provisioning package. + +### Create the provisioning package + +1. Open Windows Configuration Designer: + - From either the Start screen or Start menu search, type 'Windows Configuration Designer' and click on the Windows Configuration Designer shortcut, + + or + + - If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**. + +2. 
Click **Provision Surface Hub devices**. + +3. Name your project and click **Next**. + +### Configure settings + + + + + + + + + +
![step one](images/one.png) ![add certificates](images/add-certificates.png)

To provision the device with a certificate, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.
![add a certificate](images/add-certificates-details.png)
![step two](images/two.png) ![configure proxy settings](images/proxy.png)

Toggle **Yes** or **No** for proxy settings. The default configuration for Surface Hub is to automatically detect proxy settings, so you can select **No** if that is the setting that you want. However, if your infrastructure previously required using a proxy server and has changed to not require a proxy server, you can use a provisioning package to revert your Surface Hub devices to the default settings by selecting **Yes** and **Automatically detect settings**.

If you toggle **Yes**, you can select to automatically detect proxy settings, or you can manually configure the settings by entering a URL to a setup script, or a static proxy server address. You can also identify whether to use the proxy server for local addresses, and enter exceptions (addresses that Surface Hub should connect to directly without using the proxy server).
![configure proxy settings](images/proxy-details.png)
![step three](images/three.png) ![device admins](images/set-up-device-admins.png)

You can enroll the device in Active Directory and specify a security group to use the Settings app, enroll in Azure Active Directory to allow global admins to use the Settings app, or create a local administrator account on the device.

To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain, and specify the security group to have admin credentials on Surface Hub. If a provisioning package that enrolls a device in Active Directory is going to be applied to a Surface Hub that was reset, the same domain account can only be used if the account listed is a domain administrator or is the same account that set up the Surface Hub initially. Otherwise, a different domain account must be used in the provisioning package.

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

To create a local administrator account, select that option and enter a user name and password.

**Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.
![join Active Directory, Azure AD, or create a local admin account](images/set-up-device-admins-details.png)
![step four](images/four.png) ![enroll in device management](images/enroll-mdm.png)

Toggle **Yes** or **No** for enrollment in MDM.

If you toggle **Yes**, you must provide a service account and password or certificate thumbprint that is authorized to enroll the device, and also specify the authentication type. If required by your MDM provider, also enter the URLs for the discovery service, enrollment service, and policy service. [Learn more about managing Surface Hub with MDM.](manage-settings-with-mdm-for-surface-hub.md)
![enroll in mobile device management](images/enroll-mdm-details.png)
![step five](images/five.png) ![add applications](images/add-applications.png)

You can install multiple Universal Windows Platform (UWP) apps in a provisioning package. For help with the settings, see [Provision PCs with apps](https://technet.microsoft.com/itpro/windows/configure/provision-pcs-with-apps).

**Important:** Although the wizard interface allows you to select a Classic Win32 app, only include UWP apps in a provisioning package that will be applied to Surface Hub. If you include a Classic Win32 app, provisioning will fail.
![add an application](images/add-applications-details.png)
![step six](images/six.png) ![Add configuration file](images/add-config-file.png)

You don't configure any settings in this step. It provides instructions for including a configuration file that contains a list of device accounts. The configuration file must not contain column headers. When you apply the provisioning package to Surface Hub, if a Surface Hub configuration file is included on the USB drive, you can select the account and friendly name for the device from the file. See [Sample configuration file](#sample-configuration-file) for an example.

**Important:** The configuration file can only be applied during the out-of-box setup experience (OOBE) and can only be used with provisioning packages created using the Windows Configuration Designer released with Windows 10, version 1703.
![Add a Surface Hub configuration file](images/add-config-file-details.png)
![finish](images/finish.png)

You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
![Protect your package](images/finish-details.png)
+
+After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page.
+
+## Sample configuration file
+
+A Surface Hub configuration file contains a list of device accounts that your device can use to connect to Exchange and Skype for Business. When you apply a provisioning package to Surface Hub, you can include a configuration file in the root directory of the USB flash drive, and then select the desired account to apply to that device. The configuration file can only be applied during the out-of-box setup experience (OOBE) and can only be used with provisioning packages created using the Windows Configuration Designer released with Windows 10, version 1703.
+
+Use Microsoft Excel or other CSV editor to create a CSV file named `SurfaceHubConfiguration.csv`. In the file, enter a list of device accounts and friendly names in this format:
+
+```
+,,
+```
+>[!IMPORTANT]
+>Because the configuration file stores the device account passwords in plaintext, we recommend that you update the passwords after you've applied the provisioning package to your devices. You can use the [DeviceAccount node](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/surfacehub-csp#deviceaccount) in the [Surface Hub configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/surfacehub-csp) to update the passwords via MDM.
+
+
+The following is an example of `SurfaceHubConfiguration.csv`.
+
+```
+Rainier@contoso.com,password,Rainier Surface Hub
+Adams@contoso.com,password,Adams Surface Hub
+Baker@contoso.com,password,Baker Surface Hub
+Glacier@constoso.com,password,Glacier Surface Hub
+Stuart@contoso.com,password,Stuart Surface Hub
+Fernow@contoso.com,password,Fernow Surface Hub
+Goode@contoso.com,password,Goode Surface Hub
+Shuksan@contoso.com,password,Shuksan Surface Hub
+Buckner@contoso.com,password,Buckner Surface Hub
+Logan@contoso.com,password,Logan Surface Hub
+Maude@consoto.com,password,Maude Surface hub
+Spickard@contoso.com,password,Spickard Surface Hub
+Redoubt@contoso.com,password,Redoubt Surface Hub
+Dome@contoso.com,password,Dome Surface Hub
+Eldorado@contoso.com,password,Eldorado Surface Hub
+Dragontail@contoso.com,password,Dragontail Surface Hub
+Forbidden@contoso.com,password,Forbidden Surface Hub
+Oval@contoso.com,password,Oval Surface Hub
+StHelens@contoso.com,password,St Helens Surface Hub
+Rushmore@contoso.com,password,Rushmore Surface Hub
+```
+
+## Use advanced provisioning
+
+After you [install Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/configure/provisioning-install-icd), you can create a provisioning package.
+
+### Create the provisioning package (advanced)
+
+1. Open Windows Configuration Designer:
+ - From either the Start screen or Start menu search, type 'Windows Configuration Designer' and click on the Windows Configuration Designer shortcut,
+
+ or
+
+ - If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**.
+
+2. Click **Advanced provisioning**.
+
+3. Name your project and click **Next**.
+
+4. 
Select **Common to Windows 10 Team edition**, click **Next**, and then click **Finish**.
+
+ ![ICD new project](images/icd-new-project.png)
+
+5. In the project, under **Available customizations**, select **Common Team edition settings**.
+
+ ![ICD common settings](images/icd-common-settings.png)
+
+
+### Add a certificate to your package
+You can use provisioning packages to install certificates that will allow the device to authenticate to Microsoft Exchange.
+
+> [!NOTE]
+> Provisioning packages can only install certificates to the device (local machine) store, and not to the user store. If your organization requires that certificates must be installed to the user store, use Mobile Device Management (MDM) to deploy these certificates. See your MDM solution documentation for details.
+
+1. In the **Available customizations** pane, go to **Runtime settings** > **Certificates** > **ClientCertificates**.
+
+2. Enter a **CertificateName** and then click **Add**.
+
+2. Enter the **CertificatePassword**.
+
+3. For **CertificatePath**, browse and select the certificate.
+
+4. Set **ExportCertificate** to **False**.
+
+5. For **KeyLocation**, select **Software only**.
+
+
+### Add a Universal Windows Platform (UWP) app to your package
+Before adding a UWP app to a provisioning package, you need the app package (either an .appx, or .appxbundle) and any dependency files. If you acquired the app from the Windows Store for Business, you will also need the *unencoded* app license. See [Distribute offline apps](https://technet.microsoft.com/itpro/windows/manage/distribute-offline-apps#download-an-offline-licensed-app) to learn how to download these items from the Windows Store for Business.
+
+1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall** > **DeviceContextApp**.
+
+2. Enter a **PackageFamilyName** for the app and then click **Add**. For consistency, use the app's package family name. 
If you acquired the app from the Windows Store for Business, you can find the package family name in the app license. Open the license file using a text editor, and use the value between the \...\ tags.
+
+3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle).
+
+4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. For Surface Hub, you will only need the x64 versions of these dependencies.
+
+If you acquired the app from the Windows Store for Business, you will also need to add the app license to your provisioning package.
+
+1. Make a copy of the app license, and rename it to use a **.ms-windows-store-license** extension. For example, "example.xml" becomes "example.ms-windows-store-license".
+
+2. In ICD, in the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall** > **DeviceContextAppLicense**.
+
+3. Enter a **LicenseProductId** and then click **Add**. For consistency, use the app's license ID from the app license. Open the license file using a text editor. Then, in the \ tag, use the value in the **LicenseID** attribute.
+
+4. Select the new **LicenseProductId** node. For **LicenseInstall**, click **Browse** to find and select the license file that you renamed in Step 1.
+
+
+### Add a policy to your package
+Surface Hub supports a subset of the policies in the [Policy configuration service provider](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). Some of those policies can be configured with ICD.
+
+1. In the **Available customizations** pane, go to **Runtime settings** > **Policies**.
+
+2. Select one of the available policy areas.
+
+3. Select and set the policy you want to add to your provisioning package.
+
+
+### Add Surface Hub settings to your package
+
+You can add settings from the [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx) to your provisioning package.
+
+1. In the **Available customizations** pane, go to **Runtime settings** > **WindowsTeamSettings**.
+
+2. Select one of the available setting areas.
+
+3. Select and set the setting you want to add to your provisioning package.
+
+
+## Build your package
+
+1. When you are done configuring the provisioning package, on the **File** menu, click **Save**.
+
+2. Read the warning that project files may contain sensitive information, and click **OK**.
+
+ > [!IMPORTANT]
+ > When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
+
+3. On the **Export** menu, click **Provisioning package**.
+
+4. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources.
+
+5. Set a value for **Package Version**, and then select **Next.**
+
+ > [!TIP]
+ > You can make changes to existing packages and change the version number to update previously applied packages.
+
+6. Optional: You can choose to encrypt the package and enable package signing.
+
+ - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
+
+ - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse...** and choosing the certificate you want to use to sign the package.
+ + > [!IMPORTANT] + > We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.  + +7. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.

+Optionally, you can click **Browse** to change the default output location.
+
+8. Click **Next**.
+
+9. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.

+If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
+
+10. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.

+If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
+
+ - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
+
+ - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
+
+11. Select the **output location** link to go to the location of the package. Copy the .ppkg to an empty USB flash drive.
+
+
+## Apply a provisioning package to Surface Hub
+
+There are two options for deploying provisioning packages to a Surface Hub. You can apply a provisioning packing [during the first run wizard](#apply-a-provisioning-package-during-first-run), or using [Settings](#apply-a-package-using-settings).
+
+
+### Apply a provisioning package during first run
+
+> [!IMPORTANT]
+> Only use provisioning packages to install certificates during first run. Use the **Settings** app to install apps and apply other settings.
+
+1. When you turn on the Surface Hub for the first time, the first-run program will display the [**Hi there page**](first-run-program-surface-hub.md#first-page). Make sure that the settings are properly configured before proceeding.
+
+2. Insert the USB flash drive containing the .ppkg file into the Surface Hub. If the package is in the root directory of the drive, the first-run program will recognize it and ask if you want to set up the device. Select **Set up**.
+
+ ![Set up device?](images/provisioningpackageoobe-01.png)
+
+3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
+
+ ![Provision this device](images/provisioningpackageoobe-02.png)
+
+4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. Note that you can only install one package during first run.
+
+ ![Choose a package](images/provisioningpackageoobe-03.png)
+
+5. The first-run program will show you a summary of the changes that the provisioning package will apply. Select **Yes, add it**.
+
+ ![Do you trust this package?](images/provisioningpackageoobe-04.png)
+
+6. If a configuration file is included in the root directory of the USB flash drive, you will see **Select a configuration**. The first device account in the configuration file will be shown with a summary of the account information that will be applied to the Surface Hub.
+
+ ![select a configuration](images/ppkg-config.png)
+
+7. In **Select a configuration**, select the device name to apply, and then click **Next**.
+
+ ![select a friendly device name](images/ppkg-csv.png)
+
+The settings from the provisioning package will be applied to the device and OOBE will be complete. After the device restarts, you can remove the USB flash drive.
+
+### Apply a package using Settings
+
+1. Insert the USB flash drive containing the .ppkg file into the Surface Hub.
+
+2. From the Surface Hub, start **Settings** and enter the admin credentials when prompted.
+
+3. Navigate to **Surface Hub** > **Device management**. Under **Provisioning packages**, select **Add or remove a provisioning package**.
+
+4. Select **Add a package**.
+
+5. Choose your provisioning package and select **Add**. You may have to re-enter the admin credentials if prompted.
+
+6. You'll see a summary of the changes that the provisioning package will apply. Select **Yes, add it**.
+
+
diff --git a/devices/surface-hub/remote-surface-hub-management.md b/devices/surface-hub/remote-surface-hub-management.md
index 41588251fe..57bd619f8b 100644
--- a/devices/surface-hub/remote-surface-hub-management.md
+++ b/devices/surface-hub/remote-surface-hub-management.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/save-bitlocker-key-surface-hub.md b/devices/surface-hub/save-bitlocker-key-surface-hub.md
index 2354de0f40..6e6b8b5317 100644
--- a/devices/surface-hub/save-bitlocker-key-surface-hub.md
+++ b/devices/surface-hub/save-bitlocker-key-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub, security
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/set-up-your-surface-hub.md b/devices/surface-hub/set-up-your-surface-hub.md
index 95b7c2c92f..96310f473c 100644
--- a/devices/surface-hub/set-up-your-surface-hub.md
+++ b/devices/surface-hub/set-up-your-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/setup-worksheet-surface-hub.md b/devices/surface-hub/setup-worksheet-surface-hub.md
index a77cf5850f..d8e7f921c0 100644
--- a/devices/surface-hub/setup-worksheet-surface-hub.md
+++ b/devices/surface-hub/setup-worksheet-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/surface-hub-administrators-guide.md b/devices/surface-hub/surface-hub-administrators-guide.md
deleted file mode 100644
index 4786082d45..0000000000
--- a/devices/surface-hub/surface-hub-administrators-guide.md
+++ /dev/null
@@ -1,76 +0,0 @@ ---- -title: Microsoft Surface Hub administrator's guide -description: This guide covers the installation and administration of devices running Surface Hub, and is intended for use by anyone responsible for these tasks, including IT administrators and developers. -ms.assetid: e618aab7-3a94-4159-954e-d455ef7b8839 -keywords: Surface Hub, installation, administration, administrator's guide -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: surfacehub -author: TrudyHa -localizationpriority: medium ---- - -# Microsoft Surface Hub administrator's guide - - -This guide covers the installation and administration of devices running Surface Hub, and is intended for use by anyone responsible for these tasks, including IT administrators and developers. - -Before you power on Microsoft Surface Hub for the first time, make sure you've [completed preparation items](prepare-your-environment-for-surface-hub.md), and that you have the information listed in the [Setup worksheet](setup-worksheet-surface-hub.md). When you do power it on, the device will walk you through a series of setup screens. If you haven't properly set up your environment, or don't have the required information, you'll have to do extra work afterward making sure the settings are correct. - -## In this section - - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TopicDescription

[Intro to Microsoft Surface Hub](intro-to-surface-hub.md)

Surface Hub is an all-in-one productivity device that is intended for brainstorming, collaboration, and presentations. In order to get the maximum benefit from Surface Hub, your organization’s infrastructure and the Surface Hub itself must be properly set up and integrated. This guide describes what needs to be done both before and during setup in order to help you optimize your use of the device.

[Physically install Microsoft Surface Hub](physically-install-your-surface-hub-device.md)

The Surface Hub Readiness Guide will help make sure that your site is ready for the installation. You can download the Guide from the [Microsoft Download Center](https://go.microsoft.com/fwlink/?LinkId=718144). It includes planning information for both the 55" and 84" devices, as well as info on moving the Surface Hub from receiving to the installation location, mounting options, and a list of what's in the box.

[Prepare your environment for Microsoft Surface Hub](prepare-your-environment-for-surface-hub.md)

This section contains an overview of the steps required to prepare your environment so that you can use all of the features of Surface Hub. See [Intro to Surface Hub](intro-to-surface-hub.md) for a description of how the device and its features interact with your IT environment.

[Set up Microsoft Surface Hub](set-up-your-surface-hub.md)

Set up instructions for Surface Hub include a setup worksheet, and a walkthrough of the first-run program.

[Manage Microsoft Surface Hub](manage-surface-hub.md)

How to manage your Surface Hub after finishing the first-run program.

[Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md)

Troubleshoot common problems, including setup issues, Exchange ActiveSync errors.

[Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md)

PowerShell scripts to help set up and manage your Surface Hub .

- -  - -  - -  - - - - - diff --git a/devices/surface-hub/surfacehub-whats-new-1703.md b/devices/surface-hub/surfacehub-whats-new-1703.md new file mode 100644 index 0000000000..537d6c55a9 --- /dev/null +++ b/devices/surface-hub/surfacehub-whats-new-1703.md @@ -0,0 +1,31 @@ +--- +title: What's new in Windows 10, version 1703 for Surface Hub +description: Windows 10, version 1703 (Creators Update) brings new features to Microsoft Surface Hub. +ms.prod: w10 +ms.mktglfcycl: manage +ms.pagetype: devices +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +--- + +# What's new in Windows 10, version 1703 for Microsoft Surface Hub? + +Windows 10, version 1703 (also called the Creators Update), introduces the following changes for Microsoft Surface Hub: + + +- Settings have been added to mobile device management (MDM) and configuration service providers (CSPs) to expand the Surface Hub management capabilities. [Learn more about the new settings.](manage-settings-with-mdm-for-surface-hub.md) + +- An easy-to-use wizard helps you quickly create provisioning packages that you can apply to multiple Surface Hub devices. [Learn how to create a provisioning package for Surface Hub.](provisioning-packages-for-certificates-surface-hub.md) + +- When you reset a Surface Hub device, you now have the ability to download and install a factory build of the operating system from the cloud. [Learn more about cloud recovery.](device-reset-surface-hub.md#cloud-recovery) + >[!NOTE] + >Cloud recovery doesn't work if you use proxy servers. + +- **I'm done** is now **End session**. [Learn how to use End session.](i-am-done-finishing-your-surface-hub-meeting.md) + + + + + + diff --git a/devices/surface-hub/troubleshoot-surface-hub.md b/devices/surface-hub/troubleshoot-surface-hub.md index cc3bd57b95..ff05c19f62 100644 --- a/devices/surface-hub/troubleshoot-surface-hub.md +++ b/devices/surface-hub/troubleshoot-surface-hub.md 
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: support
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
index fbed027215..512cf6b4bf 100644
--- a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
+++ b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
@@ -3,7 +3,7 @@ title: Use fully qualified doman name with Surface Hub
 description: Troubleshoot common problems, including setup issues, Exchange ActiveSync errors.
 ms.assetid: CF58F74D-8077-48C3-981E-FCFDCA34B34A
 keywords: ["Troubleshoot common problems", "setup issues", "Exchange ActiveSync errors"]
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
@@ -16,7 +16,7 @@ There are a few scenarios where you need to specify the domain name of your Skyp
 **To configure the domain name for your Skype for Business server**
1. On Surface Hub, open **Settings**.
-2. Click **This device**, and then click **Calling**.
+2. Click **Surface Hub**, and then click **Calling & Audio**.
 3. Under **Skype for Business configuration**, click **Configure domain name**.
 4. Type the domain name for your Skype for Business server, and then click **Ok**.
 > [!TIP]
diff --git a/devices/surface-hub/use-room-control-system-with-surface-hub.md b/devices/surface-hub/use-room-control-system-with-surface-hub.md
index 16fd8c71d1..4ff4665c6a 100644
--- a/devices/surface-hub/use-room-control-system-with-surface-hub.md
+++ b/devices/surface-hub/use-room-control-system-with-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/wireless-network-management-for-surface-hub.md b/devices/surface-hub/wireless-network-management-for-surface-hub.md
index 0ccd6ad70d..db080ce397 100644
--- a/devices/surface-hub/wireless-network-management-for-surface-hub.md
+++ b/devices/surface-hub/wireless-network-management-for-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub, networking
-author: TrudyHa
+author: jdeckerMS
 localizationpriority: medium
 ---
@@ -24,7 +24,7 @@ If a wired network connection is not available, the Surface Hub can use a wirele
 ### Choose a wireless access point
 1. On the Surface Hub, open **Settings** and enter your admin credentials.
-2. Click **System**, and then click **Network & Internet**. Under **Wi-Fi**, choose an access point. If you want Surface Hub to automatically connect to this access point, click **Connect automatically**. Click **Connect**.
+2. Click **Network & Internet**. Under **Wi-Fi**, choose an access point. If you want Surface Hub to automatically connect to this access point, click **Connect automatically**. Click **Connect**.
 ![Image showing Wi-Fi settings, Network & Internet page.](images/networkmgtwireless-01.png)
@@ -35,7 +35,7 @@ If a wired network connection is not available, the Surface Hub can use a wirele
 ### Review wireless settings
 1. On the Surface Hub, open **Settings** and enter your admin credentials.
-2. Click **System**, click **Network & Internet**, then **Wi-Fi**, and then click **Advanced options**.
+2. Click **Network & Internet**, then **Wi-Fi**, and then click **Advanced options**.
 3. Surface Hub shows you the properties for the wireless network connection.
 ![Image showing properties for connected Wi-Fi.](images/networkmgtwireless-04.png)
diff --git a/windows/TOC.md b/windows/TOC.md
index 67fcd1b517..7167858dab 100644
--- a/windows/TOC.md
+++ b/windows/TOC.md
@@ -2,5 +2,7 @@
 ## [What's new in Windows 10](whats-new/index.md)
 ## [Plan for Windows 10 deployment](plan/index.md)
 ## [Deploy Windows 10](deploy/index.md)
+## [Configure Windows 10](configure/index.md)
+## [Update Windows 10](update/index.md)
 ## [Keep Windows 10 secure](keep-secure/index.md)
-## [Manage and update Windows 10](manage/index.md)
\ No newline at end of file
+## [Manage Windows 10](manage/index.md)
\ No newline at end of file
diff --git a/windows/breadcrumb/toc.yml b/windows/breadcrumb/toc.yml
index fa80416cab..40ff5fde9b 100644
--- a/windows/breadcrumb/toc.yml
+++ b/windows/breadcrumb/toc.yml
@@ -11,6 +11,12 @@
 - name: Deploy
 tocHref: /itpro/windows/deploy/
 topicHref: /itpro/windows/deploy/index
+ - name: Configure
+ tocHref: /itpro/windows/configure/
+ topicHref: /itpro/windows/configure/index
+ - name: Update
+ tocHref: /itpro/windows/update/
+ topicHref: /itpro/windows/update/index
 - name: Keep secure
 tocHref: /itpro/windows/keep-secure/
 topicHref: /itpro/windows/keep-secure/index
diff --git a/windows/configure/TOC.md b/windows/configure/TOC.md
new file mode 100644
index 0000000000..7051cc29db
--- /dev/null
+++ b/windows/configure/TOC.md
@@ -0,0 +1,61 @@
+# [Configure Windows 10](index.md)
+## [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md)
+## [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
+## [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md)
+## [Configure kiosk and shared devices running Windows 10 desktop editions](kiosk-shared-pc.md)
+### [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)
+### [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)
+### [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md)
+### [Lock down Windows 10 to specific apps (AppLocker)](lock-down-windows-10-to-specific-apps.md)
+## [Configure Windows 10 Mobile devices](configure-mobile.md)
+### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
+### [Use Windows Configuration Designer to configure Windows 10 Mobile devices](provisioning-configure-mobile.md)
+#### [NFC-based device provisioning](provisioning-nfc.md)
+#### [Barcode provisioning and the package splitter tool](provisioning-package-splitter.md)
+### [Use the Lockdown Designer app to create a Lockdown XML file](mobile-lockdown-designer.md)
+### [Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md)
+### [Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md)
+### [Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md)
+### [Start layout XML for mobile editions of Windows 10 (reference)](start-layout-xml-mobile.md)
+## [Configure Start, taskbar, and lock screen](start-taskbar-lockscreen.md)
+### [Configure Windows Spotlight on the lock screen](windows-spotlight.md)
+### 
[Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md)
+### [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
+#### [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
+#### [Customize and export Start layout](customize-and-export-start-layout.md)
+#### [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md)
+#### [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
+#### [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
+#### [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
+#### [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
+## [Cortana integration in your business or enterprise](cortana-at-work-overview.md)
+### [Testing scenarios using Cortana in your business or organization](cortana-at-work-testing-scenarios.md)
+#### [Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook](cortana-at-work-scenario-1.md)
+#### [Test scenario 2 - Test scenario 2 - Perform a quick search with Cortana at work](cortana-at-work-scenario-2.md)
+#### [Test scenario 3 - Set a reminder for a specific location using Cortana at work](cortana-at-work-scenario-3.md)
+#### [Test scenario 4 - Use Cortana at work to find your upcoming meetings](cortana-at-work-scenario-4.md)
+#### [Test scenario 5 - Use Cortana to send email to a co-worker](cortana-at-work-scenario-5.md)
+#### [Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email}(cortana-at-work-scenario-6.md)
+#### [Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a 
device](cortana-at-work-scenario-7.md)
+### [Set up and test Cortana with Office 365 in your organization](cortana-at-work-o365.md)
+### [Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization](cortana-at-work-crm.md)
+### [Set up and test Cortana for Power BI in your organization](cortana-at-work-powerbi.md)
+### [Set up and test custom voice commands in Cortana for your organization](cortana-at-work-voice-commands.md)
+### [Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization](cortana-at-work-policy-settings.md)
+### [Send feedback about Cortana at work back to Microsoft](cortana-at-work-feedback.md)
+## [Configure access to Windows Store](stop-employees-from-using-the-windows-store.md)
+## [Provisioning packages for Windows 10](provisioning-packages.md)
+### [How provisioning works in Windows 10](provisioning-how-it-works.md)
+### [Introduction to configuration service providers (CSPs)](how-it-pros-can-use-configuration-service-providers.md)
+### [Install Windows Configuration Designer](provisioning-install-icd.md)
+### [Create a provisioning package](provisioning-create-package.md)
+### [Apply a provisioning package](provisioning-apply-package.md)
+### [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
+### [Provision PCs with common settings for initial deployment (desktop wizard)](provision-pcs-for-initial-deployment.md)
+### [Provision PCs with apps](provision-pcs-with-apps.md)
+### [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
+### [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md)
+### [Windows ICD command-line interface (reference)](provisioning-command-line.md)
+### [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
+## [Lockdown features from Windows Embedded 8.1 
Industry](lockdown-features-windows-10.md)
+## [Change history for Configure Windows 10](change-history-for-configure-windows-10.md)
diff --git a/windows/configure/change-history-for-configure-windows-10.md b/windows/configure/change-history-for-configure-windows-10.md
new file mode 100644
index 0000000000..4706cf6049
--- /dev/null
+++ b/windows/configure/change-history-for-configure-windows-10.md
@@ -0,0 +1,20 @@
+---
+title: Change history for Configure Windows 10 (Windows 10)
+description: This topic lists changes to documentation for configuring Windows 10.
+keywords:
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: jdeckerMS
+---
+
+# Change history for Configure Windows 10
+
+This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
+
+
+## RELEASE: Windows 10, version 1703
+
+The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update).
\ No newline at end of file
diff --git a/windows/manage/changes-to-start-policies-in-windows-10.md b/windows/configure/changes-to-start-policies-in-windows-10.md
similarity index 92%
rename from windows/manage/changes-to-start-policies-in-windows-10.md
rename to windows/configure/changes-to-start-policies-in-windows-10.md
index 6cba8aeed7..f15c016802 100644
--- a/windows/manage/changes-to-start-policies-in-windows-10.md
+++ b/windows/configure/changes-to-start-policies-in-windows-10.md
@@ -145,27 +145,6 @@ The Start policy settings listed below do not work on Windows 10. Most of them   -## Related topics - - -[Manage corporate devices](manage-corporate-devices.md) - -[New policies for Windows 10](new-policies-for-windows-10.md) - -[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) - -[Customize and export Start layout](customize-and-export-start-layout.md) - -[Customize Windows 10 Start screens with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) - -[Customize Windows 10 Start screens with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) - -[Customize Windows 10 Start screens with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) - -  - -  - diff --git a/windows/manage/configure-devices-without-mdm.md b/windows/configure/configure-devices-without-mdm.md similarity index 100% rename from windows/manage/configure-devices-without-mdm.md rename to windows/configure/configure-devices-without-mdm.md diff --git a/windows/configure/configure-mobile.md b/windows/configure/configure-mobile.md new file mode 100644 index 0000000000..db4bb93e0f --- /dev/null +++ b/windows/configure/configure-mobile.md 
@@ -0,0 +1,28 @@
+---
+title: Configure Windows 10 Mobile devices
+description:
+keywords: Windows 10, MDM, WSUS, Windows update
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: jdeckerMS
+---
+
+# Configure Windows 10 Mobile devices
+
+Windows 10 Mobile enables administrators to define what users can see and do on a device, which you might think of as "configuring" or "customizing" or "device lockdown". Your device configuration can provide a standard Start screen with pre-installed apps, or restrict various settings and features, or even limit the device to run only a single app (kiosk).
+
+## In this section
+
+| Topic | Description |
+| --- | --- |
+| [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md) | You can configure a device running Windows 10 Mobile or Windows 10 Mobile Enterprise as a kiosk device, so that users can only interact with a single application that you select. |
+| [Use Windows Configuration Designer to configure Windows 10 Mobile devices](provisioning-configure-mobile.md) | Use Windows Configuration Designer to create provisioning packages. Using provisioning packages, you can easily specify desired configuration and settings required to enroll the devices into management and then apply that configuration to target devices in a matter of minutes. |
+| [Use the Lockdown Designer app to configure Windows 10 Mobile devices](mobile-lockdown-designer.md) | The Lockdown Designer app provides a guided wizard-like process to generate a Lockdown XML file that you can apply to devices running Windows 10 Mobile. |
+| [Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md) | Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. 
|
+| [Start layout XML for mobile editions of Windows 10 (reference)](start-layout-xml-mobile.md) | On Windows 10 Mobile, you can use the XML-based layout to modify the Start screen and provide the most robust and complete Start customization experience. This reference topic describes the supported elements and attributes for the LayoutModification.xml file. |
+| [Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md) | This topic lists the settings and quick actions that can be locked down in Windows 10 Mobile. |
+| [Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md) | You can use the product ID and Application User Model (AUMID) in Lockdown.xml to specify apps that will be available to the user. |
+
diff --git a/windows/manage/configure-windows-10-taskbar.md b/windows/configure/configure-windows-10-taskbar.md
similarity index 100%
rename from windows/manage/configure-windows-10-taskbar.md
rename to windows/configure/configure-windows-10-taskbar.md
diff --git a/windows/manage/configure-windows-telemetry-in-your-organization.md b/windows/configure/configure-windows-telemetry-in-your-organization.md
similarity index 100%
rename from windows/manage/configure-windows-telemetry-in-your-organization.md
rename to windows/configure/configure-windows-telemetry-in-your-organization.md
diff --git a/windows/manage/cortana-at-work-crm.md b/windows/configure/cortana-at-work-crm.md
similarity index 98%
rename from windows/manage/cortana-at-work-crm.md
rename to windows/configure/cortana-at-work-crm.md
index 834bde8a92..914655aab2 100644
--- a/windows/manage/cortana-at-work-crm.md
+++ b/windows/configure/cortana-at-work-crm.md
@@ -4,6 +4,7 @@ description: How to set up Cortana to help your salespeople get proactive insigh
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
+author: eross-msft
 localizationpriority: high
 ---
diff --git a/windows/manage/cortana-at-work-feedback.md b/windows/configure/cortana-at-work-feedback.md
similarity index 98%
rename from windows/manage/cortana-at-work-feedback.md
rename to windows/configure/cortana-at-work-feedback.md
index ca24c22703..6dac028eb7 100644
--- a/windows/manage/cortana-at-work-feedback.md
+++ b/windows/configure/cortana-at-work-feedback.md
@@ -4,6 +4,7 @@ description: How to send feedback to Microsoft about Cortana at work.
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
+author: eross-msft
 localizationpriority: high
 ---
diff --git a/windows/manage/cortana-at-work-o365.md b/windows/configure/cortana-at-work-o365.md
similarity index 99%
rename from windows/manage/cortana-at-work-o365.md
rename to windows/configure/cortana-at-work-o365.md
index 764b5638e0..aee4f7337d 100644
--- a/windows/manage/cortana-at-work-o365.md
+++ b/windows/configure/cortana-at-work-o365.md
@@ -4,6 +4,7 @@ description: How to connect Cortana to Office 365 so your employees are notified
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
+author: eross-msft
 localizationpriority: high
 ---
diff --git a/windows/manage/cortana-at-work-overview.md b/windows/configure/cortana-at-work-overview.md
similarity index 99%
rename from windows/manage/cortana-at-work-overview.md
rename to windows/configure/cortana-at-work-overview.md
index 29a9ab3bba..fb138a6d24 100644
--- a/windows/manage/cortana-at-work-overview.md
+++ b/windows/configure/cortana-at-work-overview.md
@@ -4,6 +4,7 @@ description: The world’s first personal digital assistant helps users get thin
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
+author: eross-msft
 localizationpriority: high
 ---
diff --git a/windows/manage/cortana-at-work-policy-settings.md b/windows/configure/cortana-at-work-policy-settings.md
similarity index 99%
rename from windows/manage/cortana-at-work-policy-settings.md
rename to windows/configure/cortana-at-work-policy-settings.md
index 83f10f7d3e..5a347b3245 100644
--- a/windows/manage/cortana-at-work-policy-settings.md
+++ b/windows/configure/cortana-at-work-policy-settings.md
@@ -4,6 +4,7 @@ description: The list of Group Policy and mobile device management (MDM) policy
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
+author: eross-msft
 localizationpriority: high
 ---
diff --git a/windows/manage/cortana-at-work-powerbi.md b/windows/configure/cortana-at-work-powerbi.md
similarity index 99%
rename from windows/manage/cortana-at-work-powerbi.md
rename to windows/configure/cortana-at-work-powerbi.md
index 979cde3b57..b69282afa7 100644
--- a/windows/manage/cortana-at-work-powerbi.md
+++ b/windows/configure/cortana-at-work-powerbi.md
@@ -4,6 +4,7 @@ description: How to integrate Cortana with Power BI to help your employees get a
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
+author: eross-msft
 localizationpriority: high
 ---
diff --git a/windows/manage/cortana-at-work-scenario-1.md b/windows/configure/cortana-at-work-scenario-1.md
similarity index 98%
rename from windows/manage/cortana-at-work-scenario-1.md
rename to windows/configure/cortana-at-work-scenario-1.md
index 4a9714a455..f8c78aeb5c 100644
--- a/windows/manage/cortana-at-work-scenario-1.md
+++ b/windows/configure/cortana-at-work-scenario-1.md
@@ -4,6 +4,7 @@ description: A test scenario walking you through signing in and managing the not
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
+author: eross-msft
 localizationpriority: high
 ---
diff --git a/windows/manage/cortana-at-work-scenario-2.md b/windows/configure/cortana-at-work-scenario-2.md
similarity index 96%
rename from windows/manage/cortana-at-work-scenario-2.md
rename to windows/configure/cortana-at-work-scenario-2.md
index fb7b00d578..9afdab45ec 100644
--- a/windows/manage/cortana-at-work-scenario-2.md
+++ b/windows/configure/cortana-at-work-scenario-2.md
@@ -4,6 +4,7 @@ description: A test scenario about how to perform a quick search with Cortana at
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
+author: eross-msft
 localizationpriority: high
 ---
diff --git a/windows/manage/cortana-at-work-scenario-3.md b/windows/configure/cortana-at-work-scenario-3.md
similarity index 98%
rename from windows/manage/cortana-at-work-scenario-3.md
rename to windows/configure/cortana-at-work-scenario-3.md
index 89610c7093..2e187eb725 100644
--- a/windows/manage/cortana-at-work-scenario-3.md
+++ b/windows/configure/cortana-at-work-scenario-3.md
@@ -4,6 +4,7 @@ description: A test scenario about how to set a location-based reminder using Co
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
+author: eross-msft
 localizationpriority: high
 ---
diff --git a/windows/manage/cortana-at-work-scenario-4.md b/windows/configure/cortana-at-work-scenario-4.md
similarity index 99%
rename from windows/manage/cortana-at-work-scenario-4.md
rename to windows/configure/cortana-at-work-scenario-4.md
index 56f1f6af66..203093cb15 100644
--- a/windows/manage/cortana-at-work-scenario-4.md
+++ b/windows/configure/cortana-at-work-scenario-4.md
@@ -4,6 +4,7 @@ description: A test scenario about how to use Cortana at work to find your upcom
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
+author: eross-msft
 localizationpriority: high
 ---
diff --git a/windows/manage/cortana-at-work-scenario-5.md b/windows/configure/cortana-at-work-scenario-5.md
similarity index 97%
rename from windows/manage/cortana-at-work-scenario-5.md
rename to windows/configure/cortana-at-work-scenario-5.md
index 8373a4f4c2..820acedc37 100644
--- a/windows/manage/cortana-at-work-scenario-5.md
+++ b/windows/configure/cortana-at-work-scenario-5.md
@@ -4,6 +4,7 @@ description: A test scenario about how to use Cortana at work to send email to a
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
+author: eross-msft
 localizationpriority: high
 ---
diff --git a/windows/manage/cortana-at-work-scenario-6.md b/windows/configure/cortana-at-work-scenario-6.md
similarity index 100%
rename from windows/manage/cortana-at-work-scenario-6.md
rename to windows/configure/cortana-at-work-scenario-6.md
diff --git a/windows/manage/cortana-at-work-scenario-7.md b/windows/configure/cortana-at-work-scenario-7.md
similarity index 100%
rename from windows/manage/cortana-at-work-scenario-7.md
rename to windows/configure/cortana-at-work-scenario-7.md
diff --git a/windows/manage/cortana-at-work-testing-scenarios.md b/windows/configure/cortana-at-work-testing-scenarios.md
similarity index 98%
rename from windows/manage/cortana-at-work-testing-scenarios.md
rename to windows/configure/cortana-at-work-testing-scenarios.md
index 9f97783bca..d58e3e41e7 100644
--- a/windows/manage/cortana-at-work-testing-scenarios.md
+++ b/windows/configure/cortana-at-work-testing-scenarios.md
@@ -4,6 +4,7 @@ description: A list of suggested testing scenarios that you can use to test Cort
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
+author: eross-msft
 localizationpriority: high
 ---
diff --git a/windows/manage/cortana-at-work-voice-commands.md b/windows/configure/cortana-at-work-voice-commands.md
similarity index 99%
rename from windows/manage/cortana-at-work-voice-commands.md
rename to windows/configure/cortana-at-work-voice-commands.md
index 2e2743fa61..1f081e3222 100644
--- a/windows/manage/cortana-at-work-voice-commands.md
+++ b/windows/configure/cortana-at-work-voice-commands.md
@@ -4,6 +4,7 @@ description: How to create voice commands that use Cortana to perform voice-enab
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
+author: eross-msft
 localizationpriority: high
 ---
diff --git a/windows/manage/customize-and-export-start-layout.md b/windows/configure/customize-and-export-start-layout.md similarity index 95% rename from windows/manage/customize-and-export-start-layout.md rename to windows/configure/customize-and-export-start-layout.md index 102272ce54..cbff20b284 100644 --- a/windows/manage/customize-and-export-start-layout.md +++ b/windows/configure/customize-and-export-start-layout.md @@ -36,7 +36,7 @@ You can deploy the resulting .xml file to devices using one of the following met - [Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) -- [Windows Imaging and Configuration Designer provisioning package](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) +- [Windows Configuration Designer provisioning package](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) - [Mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) @@ -47,7 +47,7 @@ To prepare a Start layout for export, you simply customize the Start layout on a **To prepare a test computer** -1. Set up a test computer on which to customize the Start layout. Your test computer should have the operating system that is installed on the users’ computers (Windows 10 Enterprise or Windows 10 Education). Install all apps and services that the Start layout should display. +1. Set up a test computer on which to customize the Start layout. Your test computer should have the operating system that is installed on the users’ computers (Windows 10 Pro, Enterprise, or Education). Install all apps and services that the Start layout should display. 2. Create a new user account that you will use to customize the Start layout. 
@@ -70,7 +70,8 @@ To prepare a Start layout for export, you simply customize the Start layout on a - **Create your own app groups**. Drag the apps to an empty area. To name a group, click above the group of tiles and then type the name in the **Name group** field that appears above the group. -## Export the Start layout + +## Export the Start layout When you have the Start layout that you want your users to see, use the [Export-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=620879) cmdlet in Windows PowerShell to export the Start layout to an .xml file. diff --git a/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configure/customize-windows-10-start-screens-by-using-group-policy.md similarity index 91% rename from windows/manage/customize-windows-10-start-screens-by-using-group-policy.md rename to windows/configure/customize-windows-10-start-screens-by-using-group-policy.md index 47b68d045b..5a2c3940fa 100644 --- a/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md +++ b/windows/configure/customize-windows-10-start-screens-by-using-group-policy.md @@ -1,6 +1,6 @@ --- -title: Customize Windows 10 Start with Group Policy (Windows 10) -description: In Windows 10 Enterprise and Windows 10 Education, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain. +title: Customize Windows 10 Start and tasbkar with Group Policy (Windows 10) +description: In Windows 10, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain. ms.assetid: F4A47B36-F1EF-41CD-9CBA-04C83E960545 keywords: ["Start layout", "start menu", "layout", "group policy"] ms.prod: w10 
@@ -19,7 +19,7 @@ localizationpriority: high >**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) -In Windows 10 Enterprise and Windows 10 Education, you can use a Group Policy Object (GPO) to deploy a customized Start and taskbar layout to users in a domain. No reimaging is required, and the layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead. +In Windows 10 Pro, Enterprise, and Education, you can use a Group Policy Object (GPO) to deploy a customized Start and taskbar layout to users in a domain. No reimaging is required, and the layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead. This topic describes how to update Group Policy settings to display a customized Start and taskbar layout when the users sign in. By creating a domain-based GPO with these settings, you can deploy a customized Start and taskbar layout to users in a domain. 
@@ -33,7 +33,7 @@ This topic describes how to update Group Policy settings to display a customized ## Operating system requirements -Start and taskbar layout control using Group Policy is supported in Windows 10 Enterprise and Windows 10 Education, Version 1607. Start and taskbar layout control is not supported in Windows 10 Pro. +Start and taskbar layout control using Group Policy is supported in Windows 10 Enterprise and Windows 10 Education, version 1607. Start and taskbar layout control is supported in Windows 10 Pro in Windows 10, version 1703. The GPO can be configured from any computer on which the necessary ADMX and ADML files (StartMenu.admx and StartMenu.adml) for Windows 10 are installed. In Group Policy, ADMX files are used to define Registry-based policy settings in the Administrative Templates category. To find out how to create a central store for Administrative Templates files, see [article 929841, written for Windows Vista and still applicable](https://go.microsoft.com/fwlink/p/?LinkId=691687) in the Microsoft Knowledge Base. diff --git a/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configure/customize-windows-10-start-screens-by-using-mobile-device-management.md similarity index 81% rename from windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md rename to windows/configure/customize-windows-10-start-screens-by-using-mobile-device-management.md index 2ccace55f5..16f95659b2 100644 --- a/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md +++ b/windows/configure/customize-windows-10-start-screens-by-using-mobile-device-management.md 
@@ -1,6 +1,6 @@ --- -title: Customize Windows 10 Start with mobile device management (MDM) (Windows 10) -description: In Windows 10 Enterprise and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start layout to users. +title: Customize Windows 10 Start and taskbar with mobile device management (MDM) (Windows 10) +description: In Windows 10, you can use a mobile device management (MDM) policy to deploy a customized Start and tasbkar layout to users. ms.assetid: F487850D-8950-41FB-9B06-64240127C1E4 keywords: ["start screen", "start menu"] ms.prod: w10 @@ -10,7 +10,7 @@ author: jdeckerMS localizationpriority: medium --- -# Customize Windows 10 Start with mobile device management (MDM) +# Customize Windows 10 Start and taskbar with mobile device management (MDM) **Applies to** 
@@ -18,18 +18,17 @@ localizationpriority: medium - Windows 10 - Windows 10 Mobile -**Looking for consumer information?** +>**Looking for consumer information?** [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) -- [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) +In Windows 10 Mobile, Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. No reimaging is required, and the layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead. -In Windows 10 Mobile, Windows 10 Enterprise, and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start layout to users. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead. +>[!NOTE] +>Support for applying a customized taskbar using MDM is added in Windows 10, version 1703. -> **Note:** Customized taskbar configuration cannot be applied using MDM at this time. +**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions or [create a Start layout XML](mobile-lockdown-designer.md) for mobile. -**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions or [create a Start layout XML](start-layout-xml-mobile.md) for mobile. - -**Warning**   -When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. 
When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups. +>[!WARNING]  +>When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups.   @@ -40,8 +39,8 @@ Two features enable Start layout control: - The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. - **Note**   - To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet. + >[!NOTE]   + >To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet.   diff --git a/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/configure/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md similarity index 77% rename from windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md rename to windows/configure/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md index 7cc8395f8b..aded7204d4 100644 --- a/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md +++ b/windows/configure/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md 
@@ -1,5 +1,5 @@ --- -title: Customize Windows 10 Start with ICD and provisioning packages (Windows 10) +title: Customize Windows 10 Start and tasbkar with provisioning packages (Windows 10) description: In Windows 10, you can use a provisioning package to deploy a customized Start layout to users. ms.assetid: AC952899-86A0-42FC-9E3C-C25F45B1ACAC keywords: ["Start layout", "start menu"] @@ -10,7 +10,7 @@ author: jdeckerMS localizationpriority: medium --- -# Customize Windows 10 Start and taskbar with ICD and provisioning packages +# Customize Windows 10 Start and taskbar with provisioning packages **Applies to** 
@@ -18,16 +18,14 @@ localizationpriority: medium - Windows 10 - Windows 10 Mobile -**Looking for consumer information?** +>**Looking for consumer information?** [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) -- [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) - -In Windows 10 Mobile, Windows 10 Enterprise, and Windows 10 Education, version 1607, you can use a provisioning package that you create with Windows Imaging and Configuration Designer (ICD) tool to deploy a customized Start and taskbar layout to users. No reimaging is required, and the Start and taskbar layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead. +In Windows 10 Mobile, Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, version 1703, you can use a provisioning package that you create with Windows Configuration Designer to deploy a customized Start and taskbar layout to users. No reimaging is required, and the Start and taskbar layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead. >[!IMPORTANT] >If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration and allow users to make changes that will persist, apply your configuration by using Group Policy. 
-**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions or [create a Start layout XML](start-layout-xml-mobile.md) for mobile. +**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions or [create a Start layout XML](mobile-lockdown-designer.md) for mobile. ## How Start layout control works 
@@ -42,17 +40,18 @@ Three features enable Start and taskbar layout control: - [You can modify the Start .xml file](configure-windows-10-taskbar.md) to include `` or create an .xml file just for the taskbar configuration. -- In ICD, you use the **Start/StartLayout** setting to set the path to the .xml file that defines the Start and taskbar layout. +- In Windows Configuration Designer, you use the **Start/StartLayout** setting to set the path to the .xml file that defines the Start and taskbar layout. ## Create a provisioning package that contains a customized Start layout -Use the [Imaging and Configuration Designer (ICD) tool](https://go.microsoft.com/fwlink/p/?LinkID=525483) included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that applies a customized Start and taskbar layout. [Install the ADK.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) +Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](provisioning-install-icd.md) >[!IMPORTANT] >When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. -1. Open ICD (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). +1. Open Windows Configuration Designer (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). + 2. Choose **Advanced provisioning**. 3. Name your project, and click **Next**. 
diff --git a/windows/manage/guidelines-for-assigned-access-app.md b/windows/configure/guidelines-for-assigned-access-app.md similarity index 89% rename from windows/manage/guidelines-for-assigned-access-app.md rename to windows/configure/guidelines-for-assigned-access-app.md index 0552f8af1a..30dd845161 100644 --- a/windows/manage/guidelines-for-assigned-access-app.md +++ b/windows/configure/guidelines-for-assigned-access-app.md @@ -20,7 +20,7 @@ localizationpriority: high You can use assigned access to restrict customers at your business to using only one Windows app so your device acts like a kiosk. Administrators can use assigned access to restrict a selected user account to access a single Windows app. You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience. -The following guidelines may help you choose an appropriate Windows app for your assigned access experience in Windows 10, Version 1607. +The following guidelines may help you choose an appropriate Windows app for your assigned access experience. ## General guidelines @@ -82,19 +82,7 @@ The above guidelines may help you select or develop an appropriate Windows app f [Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508) -## Related topics -[Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) - -[Set up a device for anyone to use (kiosk mode)](set-up-a-device-for-anyone-to-use.md) - -[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) - -[Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md) - -[Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md) - -    
diff --git a/windows/manage/how-it-pros-can-use-configuration-service-providers.md b/windows/configure/how-it-pros-can-use-configuration-service-providers.md similarity index 94% rename from windows/manage/how-it-pros-can-use-configuration-service-providers.md rename to windows/configure/how-it-pros-can-use-configuration-service-providers.md index 26ab03140f..98152602d5 100644 --- a/windows/manage/how-it-pros-can-use-configuration-service-providers.md +++ b/windows/configure/how-it-pros-can-use-configuration-service-providers.md @@ -58,7 +58,7 @@ Generally, enterprises rely on Group Policy or MDM to configure and manage devic In addition, you may have unmanaged devices, or a large number of devices that you want to configure before enrolling them in management, or you want to apply custom settings that aren't available through your MDM service. The [CSP documentation](#bkmk-csp-doc) can help you understand the settings that can be configured or queried. -In addition, some of the topics in the [Windows 10 and Windows 10 Mobile](../index.md) library on Technet include links to applicable CSP reference topics, such as [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) which links to the [Policy CSP](https://go.microsoft.com/fwlink/p/?LinkID=623244). In the CSP topics, you can learn about all of the available configuration settings. +In addition, some of the topics in the [Windows 10 and Windows 10 Mobile](../index.md) library on Technet include links to applicable CSP reference topics, such as [Cortana integration in your business or enterprise](cortana-at-work-overview.md) which links to the [Policy CSP](https://go.microsoft.com/fwlink/p/?LinkID=623244). In the CSP topics, you can learn about all of the available configuration settings. ### CSPs in Windows Imaging and Configuration Designer (ICD) 
@@ -68,7 +68,7 @@ Many settings in Windows ICD will display documentation for that setting in the ![how help content appears in icd](images/cspinicd.png) -[Configure devices without MDM](configure-devices-without-mdm.md) explains how to use the Windows ICD tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package. +[Configure devices without MDM](../manage/configure-devices-without-mdm.md) explains how to use the Windows ICD tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package. ### CSPs in MDM @@ -214,19 +214,6 @@ Here is a list of CSPs supported on Windows 10 Enterprise, Windows 10 Mobile E - [WindowsLicensing CSP](https://go.microsoft.com/fwlink/p/?LinkId=723274) - [WindowsSecurityAuditing CSP](https://go.microsoft.com/fwlink/p/?LinkId=723415) -## Related topics - -[What's new in MDM enrollment and management in Windows 10, version 1607](https://msdn.microsoft.com/library/windows/hardware/mt299056.aspx#whatsnew_1607) - -[Lock down Windows 10](lock-down-windows-10.md) - -[Manage corporate devices](manage-corporate-devices.md) - -[New policies for Windows 10](new-policies-for-windows-10.md) - -[Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) - -[Changes to Group Policy settings for Start in Windows 10](changes-to-start-policies-in-windows-10.md)   diff --git a/windows/configure/images/ActionCenterXML.jpg b/windows/configure/images/ActionCenterXML.jpg new file mode 100644 index 0000000000..b9832b2708 Binary files /dev/null and b/windows/configure/images/ActionCenterXML.jpg differ diff --git a/windows/configure/images/AppsXML.jpg b/windows/configure/images/AppsXML.jpg new file mode 100644 index 0000000000..ecc1869bb5 Binary files /dev/null and b/windows/configure/images/AppsXML.jpg differ 
diff --git a/windows/configure/images/AppsXML.png b/windows/configure/images/AppsXML.png
new file mode 100644
index 0000000000..3981543264
Binary files /dev/null and b/windows/configure/images/AppsXML.png differ
diff --git a/windows/configure/images/ButtonsXML.jpg b/windows/configure/images/ButtonsXML.jpg
new file mode 100644
index 0000000000..238eca7e68
Binary files /dev/null and b/windows/configure/images/ButtonsXML.jpg differ
diff --git a/windows/configure/images/CSPRunnerXML.jpg b/windows/configure/images/CSPRunnerXML.jpg
new file mode 100644
index 0000000000..071b316a9e
Binary files /dev/null and b/windows/configure/images/CSPRunnerXML.jpg differ
diff --git a/windows/configure/images/ICD.png b/windows/configure/images/ICD.png
new file mode 100644
index 0000000000..9cfcb845df
Binary files /dev/null and b/windows/configure/images/ICD.png differ
diff --git a/windows/configure/images/ICDstart-option.PNG b/windows/configure/images/ICDstart-option.PNG
new file mode 100644
index 0000000000..1ba49bb261
Binary files /dev/null and b/windows/configure/images/ICDstart-option.PNG differ
diff --git a/windows/configure/images/ISE.PNG b/windows/configure/images/ISE.PNG
new file mode 100644
index 0000000000..edf53101f4
Binary files /dev/null and b/windows/configure/images/ISE.PNG differ
diff --git a/windows/configure/images/MenuItemsXML.png b/windows/configure/images/MenuItemsXML.png
new file mode 100644
index 0000000000..cc681250bb
Binary files /dev/null and b/windows/configure/images/MenuItemsXML.png differ
diff --git a/windows/configure/images/PoC-big.png b/windows/configure/images/PoC-big.png
new file mode 100644
index 0000000000..de73506071
Binary files /dev/null and b/windows/configure/images/PoC-big.png differ
diff --git a/windows/configure/images/PoC.png b/windows/configure/images/PoC.png
new file mode 100644
index 0000000000..6d7b7eb5af
Binary files /dev/null and b/windows/configure/images/PoC.png differ
diff --git a/windows/configure/images/SettingsXML.png b/windows/configure/images/SettingsXML.png
new file mode 100644
index 0000000000..98a324bdea
Binary files /dev/null and b/windows/configure/images/SettingsXML.png differ
diff --git a/windows/configure/images/StartGrid.jpg b/windows/configure/images/StartGrid.jpg
new file mode 100644
index 0000000000..36136f3201
Binary files /dev/null and b/windows/configure/images/StartGrid.jpg differ
diff --git a/windows/configure/images/StartGridPinnedApps.jpg b/windows/configure/images/StartGridPinnedApps.jpg
new file mode 100644
index 0000000000..fbade52f53
Binary files /dev/null and b/windows/configure/images/StartGridPinnedApps.jpg differ
diff --git a/windows/configure/images/TilesXML.png b/windows/configure/images/TilesXML.png
new file mode 100644
index 0000000000..cec52bbbf7
Binary files /dev/null and b/windows/configure/images/TilesXML.png differ
diff --git a/windows/configure/images/aadj1.jpg b/windows/configure/images/aadj1.jpg
new file mode 100644
index 0000000000..2348fc4c84
Binary files /dev/null and b/windows/configure/images/aadj1.jpg differ
diff --git a/windows/configure/images/aadj2.jpg b/windows/configure/images/aadj2.jpg
new file mode 100644
index 0000000000..39486bfc66
Binary files /dev/null and b/windows/configure/images/aadj2.jpg differ
diff --git a/windows/configure/images/aadj3.jpg b/windows/configure/images/aadj3.jpg
new file mode 100644
index 0000000000..80e1f5762f
Binary files /dev/null and b/windows/configure/images/aadj3.jpg differ
diff --git a/windows/configure/images/aadj4.jpg b/windows/configure/images/aadj4.jpg
new file mode 100644
index 0000000000..0db2910012
Binary files /dev/null and b/windows/configure/images/aadj4.jpg differ
diff --git a/windows/configure/images/aadjbrowser.jpg b/windows/configure/images/aadjbrowser.jpg
new file mode 100644
index 0000000000..c8d909688e
Binary files /dev/null and b/windows/configure/images/aadjbrowser.jpg differ
diff --git a/windows/configure/images/aadjcal.jpg b/windows/configure/images/aadjcal.jpg
new file mode 100644
index 0000000000..1858886f5f
Binary files /dev/null and b/windows/configure/images/aadjcal.jpg differ
diff --git a/windows/configure/images/aadjcalmail.jpg b/windows/configure/images/aadjcalmail.jpg
new file mode 100644
index 0000000000..5a5661259a
Binary files /dev/null and b/windows/configure/images/aadjcalmail.jpg differ
diff --git a/windows/configure/images/aadjmail1.jpg b/windows/configure/images/aadjmail1.jpg
new file mode 100644
index 0000000000..89b1fcc3b7
Binary files /dev/null and b/windows/configure/images/aadjmail1.jpg differ
diff --git a/windows/configure/images/aadjmail2.jpg b/windows/configure/images/aadjmail2.jpg
new file mode 100644
index 0000000000..0608010c6a
Binary files /dev/null and b/windows/configure/images/aadjmail2.jpg differ
diff --git a/windows/configure/images/aadjmail3.jpg b/windows/configure/images/aadjmail3.jpg
new file mode 100644
index 0000000000..d7154a7e0e
Binary files /dev/null and b/windows/configure/images/aadjmail3.jpg differ
diff --git a/windows/configure/images/aadjonedrive.jpg b/windows/configure/images/aadjonedrive.jpg
new file mode 100644
index 0000000000..6fb1196d5f
Binary files /dev/null and b/windows/configure/images/aadjonedrive.jpg differ
diff --git a/windows/configure/images/aadjonenote.jpg b/windows/configure/images/aadjonenote.jpg
new file mode 100644
index 0000000000..4ccd207f9f
Binary files /dev/null and b/windows/configure/images/aadjonenote.jpg differ
diff --git a/windows/configure/images/aadjonenote2.jpg b/windows/configure/images/aadjonenote2.jpg
new file mode 100644
index 0000000000..1b6941e638
Binary files /dev/null and b/windows/configure/images/aadjonenote2.jpg differ
diff --git a/windows/configure/images/aadjonenote3.jpg b/windows/configure/images/aadjonenote3.jpg
new file mode 100644
index 0000000000..3ac6911046
Binary files /dev/null and b/windows/configure/images/aadjonenote3.jpg differ
diff --git a/windows/configure/images/aadjpin.jpg b/windows/configure/images/aadjpin.jpg
new file mode 100644
index 0000000000..dac6cfec30
Binary files /dev/null and b/windows/configure/images/aadjpin.jpg differ
diff --git a/windows/configure/images/aadjppt.jpg b/windows/configure/images/aadjppt.jpg
new file mode 100644
index 0000000000..268d5fe662
Binary files /dev/null and b/windows/configure/images/aadjppt.jpg differ
diff --git a/windows/configure/images/aadjverify.jpg b/windows/configure/images/aadjverify.jpg
new file mode 100644
index 0000000000..7b30210f39
Binary files /dev/null and b/windows/configure/images/aadjverify.jpg differ
diff --git a/windows/configure/images/aadjword.jpg b/windows/configure/images/aadjword.jpg
new file mode 100644
index 0000000000..db2a58406e
Binary files /dev/null and b/windows/configure/images/aadjword.jpg differ
diff --git a/windows/configure/images/aadjwsfb.jpg b/windows/configure/images/aadjwsfb.jpg
new file mode 100644
index 0000000000..428f1a26d4
Binary files /dev/null and b/windows/configure/images/aadjwsfb.jpg differ
diff --git a/windows/configure/images/account-management-details.PNG b/windows/configure/images/account-management-details.PNG
new file mode 100644
index 0000000000..e4307d8f7b
Binary files /dev/null and b/windows/configure/images/account-management-details.PNG differ
diff --git a/windows/configure/images/account-management.PNG b/windows/configure/images/account-management.PNG
new file mode 100644
index 0000000000..34165dfcd6
Binary files /dev/null and b/windows/configure/images/account-management.PNG differ
diff --git a/windows/configure/images/add-applications-details.PNG b/windows/configure/images/add-applications-details.PNG
new file mode 100644
index 0000000000..2efd3483ae
Binary files /dev/null and b/windows/configure/images/add-applications-details.PNG differ
diff --git a/windows/configure/images/add-applications.PNG b/windows/configure/images/add-applications.PNG
new file mode 100644
index 0000000000..2316deb2fd
Binary files /dev/null and b/windows/configure/images/add-applications.PNG differ
diff --git a/windows/configure/images/add-certificates-details.PNG b/windows/configure/images/add-certificates-details.PNG
new file mode 100644
index 0000000000..78cd783282
Binary files /dev/null and b/windows/configure/images/add-certificates-details.PNG differ
diff --git a/windows/configure/images/add-certificates.PNG b/windows/configure/images/add-certificates.PNG
new file mode 100644
index 0000000000..24cb605d1c
Binary files /dev/null and b/windows/configure/images/add-certificates.PNG differ
diff --git a/windows/configure/images/adk-install.png b/windows/configure/images/adk-install.png
new file mode 100644
index 0000000000..c087d3bae5
Binary files /dev/null and b/windows/configure/images/adk-install.png differ
diff --git a/windows/configure/images/admin-tools-folder.png b/windows/configure/images/admin-tools-folder.png
new file mode 100644
index 0000000000..4831204f73
Binary files /dev/null and b/windows/configure/images/admin-tools-folder.png differ
diff --git a/windows/configure/images/admin-tools.png b/windows/configure/images/admin-tools.png
new file mode 100644
index 0000000000..1470cffdd5
Binary files /dev/null and b/windows/configure/images/admin-tools.png differ
diff --git a/windows/configure/images/allow-rdp.png b/windows/configure/images/allow-rdp.png
new file mode 100644
index 0000000000..55c13b53bc
Binary files /dev/null and b/windows/configure/images/allow-rdp.png differ
diff --git a/windows/configure/images/app-v-in-adk.png b/windows/configure/images/app-v-in-adk.png
new file mode 100644
index 0000000000..a36ef9f00f
Binary files /dev/null and b/windows/configure/images/app-v-in-adk.png differ
diff --git a/windows/configure/images/apprule.png b/windows/configure/images/apprule.png
new file mode 100644
index 0000000000..ec5417849a
Binary files /dev/null and b/windows/configure/images/apprule.png differ
diff --git a/windows/configure/images/apps.png b/windows/configure/images/apps.png
new file mode 100644
index 0000000000..5cb3b7ec8f
Binary files /dev/null and b/windows/configure/images/apps.png differ
diff --git a/windows/configure/images/appwarning.png b/windows/configure/images/appwarning.png
new file mode 100644
index 0000000000..877d8afebd
Binary files /dev/null and b/windows/configure/images/appwarning.png differ
diff --git a/windows/configure/images/azureadjoined.png b/windows/configure/images/azureadjoined.png
new file mode 100644
index 0000000000..e1babffb8d
Binary files /dev/null and b/windows/configure/images/azureadjoined.png differ
diff --git a/windows/configure/images/backicon.png b/windows/configure/images/backicon.png
new file mode 100644
index 0000000000..3007e448b1
Binary files /dev/null and b/windows/configure/images/backicon.png differ
diff --git a/windows/configure/images/bulk-enroll-mobile-details.PNG b/windows/configure/images/bulk-enroll-mobile-details.PNG
new file mode 100644
index 0000000000..8329d39cfc
Binary files /dev/null and b/windows/configure/images/bulk-enroll-mobile-details.PNG differ
diff --git a/windows/configure/images/bulk-enroll-mobile.PNG b/windows/configure/images/bulk-enroll-mobile.PNG
new file mode 100644
index 0000000000..812b57e8e0
Binary files /dev/null and b/windows/configure/images/bulk-enroll-mobile.PNG differ
diff --git a/windows/configure/images/check_blu.png b/windows/configure/images/check_blu.png
new file mode 100644
index 0000000000..d5c703760f
Binary files /dev/null and b/windows/configure/images/check_blu.png differ
diff --git a/windows/configure/images/check_grn.png b/windows/configure/images/check_grn.png
new file mode 100644
index 0000000000..f9f04cd6bd
Binary files /dev/null and b/windows/configure/images/check_grn.png differ
diff --git a/windows/configure/images/checklistbox.gif b/windows/configure/images/checklistbox.gif
new file mode 100644
index 0000000000..cbcf4a4f11
Binary files /dev/null and b/windows/configure/images/checklistbox.gif differ
diff --git a/windows/configure/images/checklistdone.png b/windows/configure/images/checklistdone.png
new file mode 100644
index 0000000000..7e53f74d0e
Binary files /dev/null and b/windows/configure/images/checklistdone.png differ
diff --git a/windows/configure/images/checkmark.png b/windows/configure/images/checkmark.png
new file mode 100644
index 0000000000..f9f04cd6bd
Binary files /dev/null and b/windows/configure/images/checkmark.png differ
diff --git a/windows/configure/images/choose-package.png b/windows/configure/images/choose-package.png
new file mode 100644
index 0000000000..2bf7a18648
Binary files /dev/null and b/windows/configure/images/choose-package.png differ
diff --git a/windows/configure/images/config-policy.png b/windows/configure/images/config-policy.png
new file mode 100644
index 0000000000..b9cba70af6
Binary files /dev/null and b/windows/configure/images/config-policy.png differ
diff --git a/windows/configure/images/config-source.png b/windows/configure/images/config-source.png
new file mode 100644
index 0000000000..58938bacf7
Binary files /dev/null and b/windows/configure/images/config-source.png differ
diff --git a/windows/configure/images/configconflict.png b/windows/configure/images/configconflict.png
new file mode 100644
index 0000000000..011a2d76e7
Binary files /dev/null and b/windows/configure/images/configconflict.png differ
diff --git a/windows/configure/images/connect-aad.png b/windows/configure/images/connect-aad.png
new file mode 100644
index 0000000000..8583866165
Binary files /dev/null and b/windows/configure/images/connect-aad.png differ
diff --git a/windows/configure/images/convert.png b/windows/configure/images/convert.png
new file mode 100644
index 0000000000..224e763bc0
Binary files /dev/null and b/windows/configure/images/convert.png differ
diff --git a/windows/configure/images/copy-to-change.png b/windows/configure/images/copy-to-change.png
new file mode 100644
index 0000000000..21aa250c0c
Binary files /dev/null and b/windows/configure/images/copy-to-change.png differ
diff --git a/windows/configure/images/copy-to-path.png b/windows/configure/images/copy-to-path.png
new file mode 100644
index 0000000000..1ef00fc86b
Binary files /dev/null and b/windows/configure/images/copy-to-path.png differ
diff --git a/windows/configure/images/copy-to.PNG b/windows/configure/images/copy-to.PNG
new file mode 100644
index 0000000000..dad84cedc8
Binary files /dev/null and b/windows/configure/images/copy-to.PNG differ
diff --git a/windows/configure/images/cortana-about-me.png b/windows/configure/images/cortana-about-me.png
new file mode 100644
index 0000000000..32c1ccefab
Binary files /dev/null and b/windows/configure/images/cortana-about-me.png differ
diff --git a/windows/configure/images/cortana-add-reminder.png b/windows/configure/images/cortana-add-reminder.png
new file mode 100644
index 0000000000..3f03528e11
Binary files /dev/null and b/windows/configure/images/cortana-add-reminder.png differ
diff --git a/windows/configure/images/cortana-chicago-weather.png b/windows/configure/images/cortana-chicago-weather.png
new file mode 100644
index 0000000000..9273bf201b
Binary files /dev/null and b/windows/configure/images/cortana-chicago-weather.png differ
diff --git a/windows/configure/images/cortana-communication-history-permissions.png b/windows/configure/images/cortana-communication-history-permissions.png
new file mode 100644
index 0000000000..db182be13c
Binary files /dev/null and b/windows/configure/images/cortana-communication-history-permissions.png differ
diff --git a/windows/configure/images/cortana-complete-send-email-coworker-mic.png b/windows/configure/images/cortana-complete-send-email-coworker-mic.png
new file mode 100644
index 0000000000..3238c8d31d
Binary files /dev/null and b/windows/configure/images/cortana-complete-send-email-coworker-mic.png differ
diff --git a/windows/configure/images/cortana-connect-crm.png b/windows/configure/images/cortana-connect-crm.png
new file mode 100644
index 0000000000..c70c42f75e
Binary files /dev/null and b/windows/configure/images/cortana-connect-crm.png differ
diff --git a/windows/configure/images/cortana-connect-o365.png b/windows/configure/images/cortana-connect-o365.png
new file mode 100644
index 0000000000..df1ffa449b
Binary files /dev/null and b/windows/configure/images/cortana-connect-o365.png differ
diff --git a/windows/configure/images/cortana-connect-uber.png b/windows/configure/images/cortana-connect-uber.png
new file mode 100644
index 0000000000..724fecb5b5
Binary files /dev/null and b/windows/configure/images/cortana-connect-uber.png differ
diff --git a/windows/configure/images/cortana-crm-screen.png b/windows/configure/images/cortana-crm-screen.png
new file mode 100644
index 0000000000..ded5d80a59
Binary files /dev/null and b/windows/configure/images/cortana-crm-screen.png differ
diff --git a/windows/configure/images/cortana-feedback.png b/windows/configure/images/cortana-feedback.png
new file mode 100644
index 0000000000..6e14018c98
Binary files /dev/null and b/windows/configure/images/cortana-feedback.png differ
diff --git a/windows/configure/images/cortana-final-reminder.png b/windows/configure/images/cortana-final-reminder.png
new file mode 100644
index 0000000000..f114e058e5
Binary files /dev/null and b/windows/configure/images/cortana-final-reminder.png differ
diff --git a/windows/configure/images/cortana-meeting-specific-time.png b/windows/configure/images/cortana-meeting-specific-time.png
new file mode 100644
index 0000000000..a108355133
Binary files /dev/null and b/windows/configure/images/cortana-meeting-specific-time.png differ
diff --git a/windows/configure/images/cortana-meeting-tomorrow.png b/windows/configure/images/cortana-meeting-tomorrow.png
new file mode 100644
index 0000000000..13273b6600
Binary files /dev/null and b/windows/configure/images/cortana-meeting-tomorrow.png differ
diff --git a/windows/configure/images/cortana-newyork-weather.png b/windows/configure/images/cortana-newyork-weather.png
new file mode 100644
index 0000000000..b3879737be
Binary files /dev/null and b/windows/configure/images/cortana-newyork-weather.png differ
diff --git a/windows/configure/images/cortana-o365-screen.png b/windows/configure/images/cortana-o365-screen.png
new file mode 100644
index 0000000000..ba06dd6de5
Binary files /dev/null and b/windows/configure/images/cortana-o365-screen.png differ
diff --git a/windows/configure/images/cortana-place-reminder.png b/windows/configure/images/cortana-place-reminder.png
new file mode 100644
index 0000000000..89ccdab3e3
Binary files /dev/null and b/windows/configure/images/cortana-place-reminder.png differ
diff --git a/windows/configure/images/cortana-powerbi-create-report.png b/windows/configure/images/cortana-powerbi-create-report.png
new file mode 100644
index 0000000000..a22789d72a
Binary files /dev/null and b/windows/configure/images/cortana-powerbi-create-report.png differ
diff --git a/windows/configure/images/cortana-powerbi-expand-nav.png b/windows/configure/images/cortana-powerbi-expand-nav.png
new file mode 100644
index 0000000000..c8b47943f9
Binary files /dev/null and b/windows/configure/images/cortana-powerbi-expand-nav.png differ
diff --git a/windows/configure/images/cortana-powerbi-field-selection.png b/windows/configure/images/cortana-powerbi-field-selection.png
new file mode 100644
index 0000000000..8aef58c23a
Binary files /dev/null and b/windows/configure/images/cortana-powerbi-field-selection.png differ
diff --git a/windows/configure/images/cortana-powerbi-getdata-samples.png b/windows/configure/images/cortana-powerbi-getdata-samples.png
new file mode 100644
index 0000000000..3bfa4792df
Binary files /dev/null and b/windows/configure/images/cortana-powerbi-getdata-samples.png differ
diff --git a/windows/configure/images/cortana-powerbi-getdata.png b/windows/configure/images/cortana-powerbi-getdata.png
new file mode 100644
index 0000000000..55b7b61589
Binary files /dev/null and b/windows/configure/images/cortana-powerbi-getdata.png differ
diff --git a/windows/configure/images/cortana-powerbi-myreport.png b/windows/configure/images/cortana-powerbi-myreport.png
new file mode 100644
index 0000000000..cc04d9c6f0
Binary files /dev/null and b/windows/configure/images/cortana-powerbi-myreport.png differ
diff --git a/windows/configure/images/cortana-powerbi-pagesize.png b/windows/configure/images/cortana-powerbi-pagesize.png
new file mode 100644
index 0000000000..fd1c1ef917
Binary files /dev/null and b/windows/configure/images/cortana-powerbi-pagesize.png differ
diff --git a/windows/configure/images/cortana-powerbi-report-qna.png b/windows/configure/images/cortana-powerbi-report-qna.png
new file mode 100644
index 0000000000..d17949aa8a
Binary files /dev/null and b/windows/configure/images/cortana-powerbi-report-qna.png differ
diff --git a/windows/configure/images/cortana-powerbi-retail-analysis-dashboard.png b/windows/configure/images/cortana-powerbi-retail-analysis-dashboard.png
new file mode 100644
index 0000000000..5b94a2e2fc
Binary files /dev/null and b/windows/configure/images/cortana-powerbi-retail-analysis-dashboard.png differ
diff --git a/windows/configure/images/cortana-powerbi-retail-analysis-dataset.png b/windows/configure/images/cortana-powerbi-retail-analysis-dataset.png
new file mode 100644
index 0000000000..b2ffec3b70
Binary files /dev/null and b/windows/configure/images/cortana-powerbi-retail-analysis-dataset.png differ
diff --git a/windows/configure/images/cortana-powerbi-retail-analysis-sample.png b/windows/configure/images/cortana-powerbi-retail-analysis-sample.png
new file mode 100644
index 0000000000..e3b61dcaa2
Binary files /dev/null and b/windows/configure/images/cortana-powerbi-retail-analysis-sample.png differ
diff --git a/windows/configure/images/cortana-powerbi-search.png b/windows/configure/images/cortana-powerbi-search.png
new file mode 100644
index 0000000000..88a8b40296
Binary files /dev/null and b/windows/configure/images/cortana-powerbi-search.png differ
diff --git a/windows/configure/images/cortana-powerbi-settings.png b/windows/configure/images/cortana-powerbi-settings.png
new file mode 100644
index 0000000000..0f51229895
Binary files /dev/null and b/windows/configure/images/cortana-powerbi-settings.png differ
diff --git a/windows/configure/images/cortana-redmond-weather.png b/windows/configure/images/cortana-redmond-weather.png
new file mode 100644
index 0000000000..7e8adc1929
Binary files /dev/null and b/windows/configure/images/cortana-redmond-weather.png differ
diff --git a/windows/configure/images/cortana-reminder-edit.png b/windows/configure/images/cortana-reminder-edit.png
new file mode 100644
index 0000000000..79cc280947
Binary files /dev/null and b/windows/configure/images/cortana-reminder-edit.png differ
diff --git a/windows/configure/images/cortana-reminder-list.png b/windows/configure/images/cortana-reminder-list.png
new file mode 100644
index 0000000000..1f57fc0f05
Binary files /dev/null and b/windows/configure/images/cortana-reminder-list.png differ
diff --git a/windows/configure/images/cortana-reminder-mic.png b/windows/configure/images/cortana-reminder-mic.png
new file mode 100644
index 0000000000..46a18e8e0b
Binary files /dev/null and b/windows/configure/images/cortana-reminder-mic.png differ
diff --git a/windows/configure/images/cortana-reminder-pending-mic.png b/windows/configure/images/cortana-reminder-pending-mic.png
new file mode 100644
index 0000000000..159d408e0a
Binary files /dev/null and b/windows/configure/images/cortana-reminder-pending-mic.png differ
diff --git a/windows/configure/images/cortana-reminder-pending.png b/windows/configure/images/cortana-reminder-pending.png
new file mode 100644
index 0000000000..a6b64b5621
Binary files /dev/null and b/windows/configure/images/cortana-reminder-pending.png differ
diff --git a/windows/configure/images/cortana-send-email-coworker-mic.png b/windows/configure/images/cortana-send-email-coworker-mic.png
new file mode 100644
index 0000000000..0cfa8fb731
Binary files /dev/null and b/windows/configure/images/cortana-send-email-coworker-mic.png differ
diff --git a/windows/configure/images/cortana-send-email-coworker.png b/windows/configure/images/cortana-send-email-coworker.png
new file mode 100644
index 0000000000..40ce18bdca
Binary files /dev/null and b/windows/configure/images/cortana-send-email-coworker.png differ
diff --git a/windows/configure/images/cortana-suggested-reminder-settings.png b/windows/configure/images/cortana-suggested-reminder-settings.png
new file mode 100644
index 0000000000..176dbff483
Binary files /dev/null and b/windows/configure/images/cortana-suggested-reminder-settings.png differ
diff --git a/windows/configure/images/cortana-suggested-reminder.png b/windows/configure/images/cortana-suggested-reminder.png
new file mode 100644
index 0000000000..4184bd1b6c
Binary files /dev/null and b/windows/configure/images/cortana-suggested-reminder.png differ
diff --git a/windows/configure/images/cortana-weather-multipanel.png b/windows/configure/images/cortana-weather-multipanel.png
new file mode 100644
index 0000000000..e8db031744
Binary files /dev/null and b/windows/configure/images/cortana-weather-multipanel.png differ
diff --git a/windows/configure/images/crossmark.png b/windows/configure/images/crossmark.png
new file mode 100644
index 0000000000..69432ff71c
Binary files /dev/null and b/windows/configure/images/crossmark.png differ
diff --git a/windows/configure/images/csp-placeholder.png b/windows/configure/images/csp-placeholder.png
new file mode 100644
index 0000000000..fe6bcf4720
Binary files /dev/null and b/windows/configure/images/csp-placeholder.png differ
diff --git a/windows/configure/images/cspinicd.png b/windows/configure/images/cspinicd.png
new file mode 100644
index 0000000000..a60ad9e2bf
Binary files /dev/null and b/windows/configure/images/cspinicd.png differ
diff --git a/windows/configure/images/csptable.png b/windows/configure/images/csptable.png
new file mode 100644
index 0000000000..ee210cad69
Binary files /dev/null and b/windows/configure/images/csptable.png differ
diff --git a/windows/configure/images/dep-win8-l-usmt-migrationcomparemigstores.gif b/windows/configure/images/dep-win8-l-usmt-migrationcomparemigstores.gif
new file mode 100644
index 0000000000..c23cf5f98c
Binary files /dev/null and b/windows/configure/images/dep-win8-l-usmt-migrationcomparemigstores.gif differ
diff --git a/windows/configure/images/dep-win8-l-usmt-pcrefresh.jpg b/windows/configure/images/dep-win8-l-usmt-pcrefresh.jpg
new file mode 100644
index 0000000000..79f874d895
Binary files /dev/null and b/windows/configure/images/dep-win8-l-usmt-pcrefresh.jpg differ
diff --git a/windows/configure/images/dep-win8-l-usmt-pcreplace.jpg b/windows/configure/images/dep-win8-l-usmt-pcreplace.jpg
new file mode 100644
index 0000000000..507f783aff
Binary files /dev/null and b/windows/configure/images/dep-win8-l-usmt-pcreplace.jpg differ
diff --git a/windows/configure/images/dep-win8-l-vamt-findingcomputerdialog.gif b/windows/configure/images/dep-win8-l-vamt-findingcomputerdialog.gif
new file mode 100644
index 0000000000..3d745d4a77
Binary files /dev/null and b/windows/configure/images/dep-win8-l-vamt-findingcomputerdialog.gif differ
diff --git a/windows/configure/images/dep-win8-l-vamt-firewallconfigurationformultiplesubnets.gif b/windows/configure/images/dep-win8-l-vamt-firewallconfigurationformultiplesubnets.gif
new file mode 100644
index 0000000000..21fc338e12
Binary files /dev/null and b/windows/configure/images/dep-win8-l-vamt-firewallconfigurationformultiplesubnets.gif differ
diff --git a/windows/configure/images/dep-win8-l-vamt-image001-enterprise.jpg b/windows/configure/images/dep-win8-l-vamt-image001-enterprise.jpg
new file mode 100644
index 0000000000..b7a1411562
Binary files /dev/null and b/windows/configure/images/dep-win8-l-vamt-image001-enterprise.jpg differ
diff --git a/windows/configure/images/dep-win8-l-vamt-makindependentactivationscenario.jpg b/windows/configure/images/dep-win8-l-vamt-makindependentactivationscenario.jpg
new file mode 100644
index 0000000000..52203b7593
Binary files /dev/null and b/windows/configure/images/dep-win8-l-vamt-makindependentactivationscenario.jpg differ
diff --git a/windows/configure/images/dep-win8-l-vamt-makproxyactivationscenario.jpg b/windows/configure/images/dep-win8-l-vamt-makproxyactivationscenario.jpg
new file mode 100644
index 0000000000..3a02a1f17e
Binary files /dev/null and b/windows/configure/images/dep-win8-l-vamt-makproxyactivationscenario.jpg differ
diff --git a/windows/configure/images/deploy-finish.PNG b/windows/configure/images/deploy-finish.PNG
new file mode 100644
index 0000000000..4f0d5cb859
Binary files /dev/null and b/windows/configure/images/deploy-finish.PNG differ
diff --git a/windows/configure/images/deploymentworkflow.png b/windows/configure/images/deploymentworkflow.png
new file mode 100644
index 0000000000..b665a0bfea
Binary files /dev/null and b/windows/configure/images/deploymentworkflow.png differ
diff --git a/windows/configure/images/developer-setup.PNG b/windows/configure/images/developer-setup.PNG
new file mode 100644
index 0000000000..8c93d5ed91
Binary files /dev/null and b/windows/configure/images/developer-setup.PNG differ
diff --git a/windows/configure/images/disk2vhd-convert.PNG b/windows/configure/images/disk2vhd-convert.PNG
new file mode 100644
index 0000000000..f0614a5ab1
Binary files /dev/null and b/windows/configure/images/disk2vhd-convert.PNG differ
diff --git a/windows/configure/images/disk2vhd-gen2.PNG b/windows/configure/images/disk2vhd-gen2.PNG
new file mode 100644
index 0000000000..7f8d920f9d
Binary files /dev/null and b/windows/configure/images/disk2vhd-gen2.PNG differ
diff --git a/windows/configure/images/disk2vhd.PNG b/windows/configure/images/disk2vhd.PNG
new file mode 100644
index 0000000000..7b9835f5f6
Binary files /dev/null and b/windows/configure/images/disk2vhd.PNG differ
diff --git a/windows/configure/images/disk2vhd4.PNG b/windows/configure/images/disk2vhd4.PNG
new file mode 100644
index 0000000000..97f9448441
Binary files /dev/null and b/windows/configure/images/disk2vhd4.PNG differ
diff --git a/windows/configure/images/doneicon.png b/windows/configure/images/doneicon.png
new file mode 100644
index 0000000000..d80389f35b
Binary files /dev/null and b/windows/configure/images/doneicon.png differ
diff --git a/windows/configure/images/download_vhd.png b/windows/configure/images/download_vhd.png
new file mode 100644
index 0000000000..248a512040
Binary files /dev/null and b/windows/configure/images/download_vhd.png differ
diff --git a/windows/configure/images/e3-activated.png b/windows/configure/images/e3-activated.png
new file mode 100644
index 0000000000..7cca73443e
Binary files /dev/null and b/windows/configure/images/e3-activated.png differ
diff --git a/windows/configure/images/enterprise-e3-ad-connect.png b/windows/configure/images/enterprise-e3-ad-connect.png
new file mode 100644
index 0000000000..195058f6f6
Binary files /dev/null and b/windows/configure/images/enterprise-e3-ad-connect.png differ
diff --git a/windows/configure/images/enterprise-e3-choose-how.png b/windows/configure/images/enterprise-e3-choose-how.png
new file mode 100644
index 0000000000..8e84535bfd
Binary files /dev/null and b/windows/configure/images/enterprise-e3-choose-how.png differ
diff --git a/windows/configure/images/enterprise-e3-connect-to-work-or-school.png b/windows/configure/images/enterprise-e3-connect-to-work-or-school.png
new file mode 100644
index 0000000000..90e1b1131f
Binary files /dev/null and b/windows/configure/images/enterprise-e3-connect-to-work-or-school.png differ
diff --git a/windows/configure/images/enterprise-e3-lets-get-2.png b/windows/configure/images/enterprise-e3-lets-get-2.png
new file mode 100644
index 0000000000..ef523d4af8
Binary files /dev/null and b/windows/configure/images/enterprise-e3-lets-get-2.png differ
diff --git a/windows/configure/images/enterprise-e3-lets-get.png b/windows/configure/images/enterprise-e3-lets-get.png
new file mode 100644
index 0000000000..582da1ab2d
Binary files /dev/null and b/windows/configure/images/enterprise-e3-lets-get.png differ
diff --git a/windows/configure/images/enterprise-e3-set-up-work-or-school.png b/windows/configure/images/enterprise-e3-set-up-work-or-school.png
new file mode 100644
index 0000000000..72844d7622
Binary files /dev/null and b/windows/configure/images/enterprise-e3-set-up-work-or-school.png differ
diff --git a/windows/configure/images/enterprise-e3-sign-in.png b/windows/configure/images/enterprise-e3-sign-in.png
new file mode 100644
index 0000000000..3029d3ef2b
Binary files /dev/null and b/windows/configure/images/enterprise-e3-sign-in.png differ
diff --git a/windows/configure/images/enterprise-e3-who-owns.png b/windows/configure/images/enterprise-e3-who-owns.png
new file mode 100644
index 0000000000..c3008869d2
Binary files /dev/null and b/windows/configure/images/enterprise-e3-who-owns.png differ
diff --git a/windows/configure/images/enterprise-e3-win-10-activated-enterprise-subscription-active.png b/windows/configure/images/enterprise-e3-win-10-activated-enterprise-subscription-active.png
new file mode 100644
index 0000000000..eb888b23b5
Binary files /dev/null and b/windows/configure/images/enterprise-e3-win-10-activated-enterprise-subscription-active.png differ
diff --git a/windows/configure/images/enterprise-e3-win-10-activated-enterprise-subscription-not-active.png b/windows/configure/images/enterprise-e3-win-10-activated-enterprise-subscription-not-active.png
new file mode 100644
index 0000000000..e4ac7398be
Binary files /dev/null and b/windows/configure/images/enterprise-e3-win-10-activated-enterprise-subscription-not-active.png differ
diff --git a/windows/configure/images/enterprise-e3-win-10-not-activated-enterprise-subscription-active.png b/windows/configure/images/enterprise-e3-win-10-not-activated-enterprise-subscription-active.png
new file mode 100644
index 0000000000..5fedfe5d06
Binary files /dev/null and b/windows/configure/images/enterprise-e3-win-10-not-activated-enterprise-subscription-active.png differ
diff --git a/windows/configure/images/enterprise-e3-win-10-not-activated-enterprise-subscription-not-active.png b/windows/configure/images/enterprise-e3-win-10-not-activated-enterprise-subscription-not-active.png
new file mode 100644
index 0000000000..84e39071db
Binary files /dev/null and b/windows/configure/images/enterprise-e3-win-10-not-activated-enterprise-subscription-not-active.png differ
diff --git a/windows/configure/images/export-mgt-desktop.png b/windows/configure/images/export-mgt-desktop.png
new file mode 100644
index 0000000000..13349c3b4e
Binary files /dev/null and b/windows/configure/images/export-mgt-desktop.png differ
diff --git a/windows/configure/images/export-mgt-mobile.png b/windows/configure/images/export-mgt-mobile.png
new file mode 100644
index 0000000000..6a74c23e59
Binary files /dev/null and b/windows/configure/images/export-mgt-mobile.png differ
diff --git a/windows/configure/images/express-settings.png b/windows/configure/images/express-settings.png
new file mode 100644
index 0000000000..99e9c4825a
Binary files /dev/null and b/windows/configure/images/express-settings.png differ
diff --git a/windows/configure/images/fig1-deferupgrades.png b/windows/configure/images/fig1-deferupgrades.png
new file mode 100644
index 0000000000..f8c52b943e
Binary files /dev/null and b/windows/configure/images/fig1-deferupgrades.png differ
diff --git a/windows/configure/images/fig10-contosoinstall.png b/windows/configure/images/fig10-contosoinstall.png
new file mode 100644
index 0000000000..ac4eaf2aa0
Binary files /dev/null and b/windows/configure/images/fig10-contosoinstall.png differ
diff --git a/windows/configure/images/fig10-unattend.png b/windows/configure/images/fig10-unattend.png
new file mode 100644
index 0000000000..a9d2bc16df
Binary files /dev/null and b/windows/configure/images/fig10-unattend.png differ
diff --git a/windows/configure/images/fig13-captureimage.png b/windows/configure/images/fig13-captureimage.png
new file mode 100644
index 0000000000..678a43ca73
Binary files /dev/null and b/windows/configure/images/fig13-captureimage.png differ
diff --git a/windows/configure/images/fig16-contentstatus.png b/windows/configure/images/fig16-contentstatus.png
new file mode 100644
index 0000000000..5ea8ba275a
Binary files /dev/null and b/windows/configure/images/fig16-contentstatus.png differ
diff --git a/windows/configure/images/fig17-win10image.png b/windows/configure/images/fig17-win10image.png
new file mode 100644
index 0000000000..d16eee554d
Binary files /dev/null and b/windows/configure/images/fig17-win10image.png differ
diff --git a/windows/configure/images/fig18-distwindows.png b/windows/configure/images/fig18-distwindows.png
new file mode 100644
index 0000000000..d8525ddd3e
Binary files /dev/null and b/windows/configure/images/fig18-distwindows.png differ
diff --git a/windows/configure/images/fig2-deploymenttimeline.png b/windows/configure/images/fig2-deploymenttimeline.png
new file mode 100644
index 0000000000..a8061d2f15
Binary files /dev/null and b/windows/configure/images/fig2-deploymenttimeline.png differ
diff --git a/windows/configure/images/fig2-gather.png b/windows/configure/images/fig2-gather.png
new file mode 100644
index 0000000000..01ffca2770
Binary files /dev/null and b/windows/configure/images/fig2-gather.png differ
diff --git a/windows/configure/images/fig2-importedos.png b/windows/configure/images/fig2-importedos.png
new file mode 100644
index 0000000000..ed72d2ef4d
Binary files /dev/null and b/windows/configure/images/fig2-importedos.png differ
diff --git a/windows/configure/images/fig2-taskseq.png b/windows/configure/images/fig2-taskseq.png
new file mode 100644
index 0000000000..1da70bd6e7
Binary files /dev/null and b/windows/configure/images/fig2-taskseq.png differ
diff --git a/windows/configure/images/fig21-add-drivers.png b/windows/configure/images/fig21-add-drivers.png
new file mode 100644
index 0000000000..f53fe672e2
Binary files /dev/null and b/windows/configure/images/fig21-add-drivers.png differ
diff --git a/windows/configure/images/fig22-createcategories.png b/windows/configure/images/fig22-createcategories.png
new file mode 100644
index 0000000000..8912ad974f
Binary files /dev/null and b/windows/configure/images/fig22-createcategories.png differ
diff --git a/windows/configure/images/fig27-driverpackage.png b/windows/configure/images/fig27-driverpackage.png
new file mode 100644
index 0000000000..c2f66669be
Binary files /dev/null and b/windows/configure/images/fig27-driverpackage.png differ
diff --git a/windows/configure/images/fig28-addapp.png b/windows/configure/images/fig28-addapp.png
new file mode 100644
index 0000000000..a7ba6b3709
Binary files /dev/null and b/windows/configure/images/fig28-addapp.png differ
diff --git a/windows/configure/images/fig3-overlaprelease.png b/windows/configure/images/fig3-overlaprelease.png
new file mode 100644
index 0000000000..58747a35cf
Binary files /dev/null and b/windows/configure/images/fig3-overlaprelease.png differ
diff --git a/windows/configure/images/fig30-settingspack.png b/windows/configure/images/fig30-settingspack.png
new file mode 100644
index 0000000000..3479184140
Binary files /dev/null and b/windows/configure/images/fig30-settingspack.png differ
diff --git a/windows/configure/images/fig32-deploywiz.png b/windows/configure/images/fig32-deploywiz.png
new file mode 100644
index 0000000000..a1387b19d8
Binary files /dev/null and b/windows/configure/images/fig32-deploywiz.png differ
diff --git a/windows/configure/images/fig4-oob-drivers.png b/windows/configure/images/fig4-oob-drivers.png
new file mode 100644
index 0000000000..b1f6924665
Binary files /dev/null and b/windows/configure/images/fig4-oob-drivers.png differ
diff --git a/windows/configure/images/fig5-selectprofile.png b/windows/configure/images/fig5-selectprofile.png
new file mode 100644
index 0000000000..452ab4f581
Binary files /dev/null and b/windows/configure/images/fig5-selectprofile.png differ
diff --git a/windows/configure/images/fig6-taskseq.png b/windows/configure/images/fig6-taskseq.png
new file mode 100644
index 0000000000..8696cc04c4
Binary files /dev/null and b/windows/configure/images/fig6-taskseq.png differ
diff --git a/windows/configure/images/fig8-cust-tasks.png b/windows/configure/images/fig8-cust-tasks.png
new file mode 100644
index 0000000000..378215ee2b
Binary files /dev/null and b/windows/configure/images/fig8-cust-tasks.png differ
diff --git a/windows/configure/images/fig8-suspend.png b/windows/configure/images/fig8-suspend.png
new file mode 100644
index 0000000000..8094f01274
Binary files /dev/null and b/windows/configure/images/fig8-suspend.png differ
diff --git a/windows/configure/images/fig9-resumetaskseq.png b/windows/configure/images/fig9-resumetaskseq.png
new file mode 100644
index 0000000000..0a83019f69
Binary files /dev/null and b/windows/configure/images/fig9-resumetaskseq.png differ
diff --git a/windows/configure/images/figure4-deployment-workbench.png b/windows/configure/images/figure4-deployment-workbench.png
new file mode 100644
index 0000000000..b5d0e7cc32
Binary files /dev/null and b/windows/configure/images/figure4-deployment-workbench.png differ
diff --git a/windows/configure/images/finish-details-mobile.PNG b/windows/configure/images/finish-details-mobile.PNG
new file mode 100644
index 0000000000..c25a6b4b2f
Binary files /dev/null and b/windows/configure/images/finish-details-mobile.PNG differ
diff --git a/windows/configure/images/finish-details.png b/windows/configure/images/finish-details.png
new file mode 100644
index 0000000000..727efac696
Binary files /dev/null and b/windows/configure/images/finish-details.png differ
diff --git a/windows/configure/images/finish-mobile.PNG b/windows/configure/images/finish-mobile.PNG
new file mode 100644
index 0000000000..336e24289e
Binary files /dev/null and b/windows/configure/images/finish-mobile.PNG differ
diff --git a/windows/configure/images/finish.PNG b/windows/configure/images/finish.PNG
new file mode 100644
index 0000000000..7c65da1799
Binary files /dev/null and b/windows/configure/images/finish.PNG differ
diff --git a/windows/configure/images/five.png b/windows/configure/images/five.png
new file mode 100644
index 0000000000..961f0e15b7
Binary files /dev/null and b/windows/configure/images/five.png differ
diff --git a/windows/configure/images/four.png b/windows/configure/images/four.png
new file mode 100644
index 0000000000..0fef213b37
Binary files /dev/null and b/windows/configure/images/four.png differ
diff --git a/windows/configure/images/funfacts.png b/windows/configure/images/funfacts.png
new file mode 100644
index 0000000000..71355ec370
Binary files /dev/null and b/windows/configure/images/funfacts.png differ
diff --git a/windows/configure/images/genrule.png b/windows/configure/images/genrule.png
new file mode 100644
index 0000000000..1d68f1ad0b
Binary files /dev/null and b/windows/configure/images/genrule.png differ
diff --git a/windows/configure/images/gp-branch.png b/windows/configure/images/gp-branch.png
new file mode 100644
index 0000000000..997bcc830a
Binary files /dev/null and b/windows/configure/images/gp-branch.png differ
diff --git a/windows/configure/images/gp-exclude-drivers.png b/windows/configure/images/gp-exclude-drivers.png
new file mode 100644
index 0000000000..0010749139
Binary files /dev/null and b/windows/configure/images/gp-exclude-drivers.png differ
diff --git a/windows/configure/images/gp-feature.png b/windows/configure/images/gp-feature.png
new file mode 100644
index 0000000000..b862d545d4
Binary files /dev/null and b/windows/configure/images/gp-feature.png differ
diff --git a/windows/configure/images/gp-quality.png b/windows/configure/images/gp-quality.png
new file mode 100644
index 0000000000..d7ff30172d
Binary files /dev/null and b/windows/configure/images/gp-quality.png differ
diff --git a/windows/configure/images/hyper-v-feature.png b/windows/configure/images/hyper-v-feature.png
new file mode 100644
index 0000000000..d7293d808e
Binary files /dev/null and b/windows/configure/images/hyper-v-feature.png differ
diff --git a/windows/configure/images/icd-adv-shared-pc.PNG b/windows/configure/images/icd-adv-shared-pc.PNG
new file mode 100644
index 0000000000..a8da5fa78a
Binary files /dev/null and b/windows/configure/images/icd-adv-shared-pc.PNG differ
diff --git a/windows/configure/images/icd-create-options-1703.PNG b/windows/configure/images/icd-create-options-1703.PNG
new file mode 100644
index 0000000000..007e740683
Binary files /dev/null and b/windows/configure/images/icd-create-options-1703.PNG differ
diff --git a/windows/configure/images/icd-create-options.PNG b/windows/configure/images/icd-create-options.PNG
new file mode 100644
index 0000000000..e61cdd8fc0
Binary files /dev/null and b/windows/configure/images/icd-create-options.PNG differ
diff --git a/windows/configure/images/icd-desktop-1703.PNG b/windows/configure/images/icd-desktop-1703.PNG
new file mode 100644
index 0000000000..7c060af4d0
Binary files /dev/null and b/windows/configure/images/icd-desktop-1703.PNG differ
diff --git a/windows/configure/images/icd-export-menu.png b/windows/configure/images/icd-export-menu.png
new file mode 100644
index 0000000000..20bd5258eb
Binary files /dev/null and b/windows/configure/images/icd-export-menu.png differ
diff --git a/windows/configure/images/icd-install.PNG b/windows/configure/images/icd-install.PNG
new file mode 100644
index 0000000000..a0c80683ff
Binary files /dev/null and b/windows/configure/images/icd-install.PNG differ
diff --git a/windows/configure/images/icd-multi-target-true.png b/windows/configure/images/icd-multi-target-true.png
new file mode 100644
index 0000000000..5fec405fd6
Binary files /dev/null and b/windows/configure/images/icd-multi-target-true.png differ
diff --git a/windows/configure/images/icd-multi-targetstate-true.png b/windows/configure/images/icd-multi-targetstate-true.png
new file mode 100644
index 0000000000..7733b9c400
Binary files /dev/null and b/windows/configure/images/icd-multi-targetstate-true.png differ
diff --git a/windows/configure/images/icd-runtime.PNG b/windows/configure/images/icd-runtime.PNG
new file mode 100644
index 0000000000..d63544e206
Binary files /dev/null and b/windows/configure/images/icd-runtime.PNG differ
diff --git a/windows/configure/images/icd-school.PNG b/windows/configure/images/icd-school.PNG
new file mode 100644
index 0000000000..e6a944a193
Binary files /dev/null and b/windows/configure/images/icd-school.PNG differ
diff --git a/windows/configure/images/icd-script1.png b/windows/configure/images/icd-script1.png
new file mode 100644
index 0000000000..6c17f70809
Binary files /dev/null and b/windows/configure/images/icd-script1.png differ
diff --git a/windows/configure/images/icd-script2.png b/windows/configure/images/icd-script2.png
new file mode 100644
index 0000000000..7da2ae7e59
Binary files /dev/null and b/windows/configure/images/icd-script2.png differ
diff --git a/windows/configure/images/icd-setting-help.PNG b/windows/configure/images/icd-setting-help.PNG
new file mode 100644
index 0000000000..3f6e5fefa5
Binary files /dev/null and b/windows/configure/images/icd-setting-help.PNG differ
diff --git a/windows/configure/images/icd-settings.PNG b/windows/configure/images/icd-settings.PNG
new file mode 100644
index 0000000000..8d3ebc3ff6
Binary files /dev/null and b/windows/configure/images/icd-settings.PNG differ
diff --git a/windows/configure/images/icd-simple-edit.png b/windows/configure/images/icd-simple-edit.png
new file mode 100644
index 0000000000..3608dc18f3
Binary files /dev/null and b/windows/configure/images/icd-simple-edit.png differ
diff --git a/windows/configure/images/icd-simple.PNG b/windows/configure/images/icd-simple.PNG
new file mode 100644
index 0000000000..7ae8a1728b
Binary files /dev/null and b/windows/configure/images/icd-simple.PNG differ
diff --git a/windows/configure/images/icd-step1.PNG b/windows/configure/images/icd-step1.PNG
new file mode 100644
index 0000000000..d2ad656d35
Binary files /dev/null and b/windows/configure/images/icd-step1.PNG differ
diff --git a/windows/configure/images/icd-step2.PNG b/windows/configure/images/icd-step2.PNG
new file mode 100644
index 0000000000..54e70d9193
Binary files /dev/null and b/windows/configure/images/icd-step2.PNG differ
diff --git a/windows/configure/images/icd-step3.PNG b/windows/configure/images/icd-step3.PNG
new file mode 100644
index 0000000000..ecac26f3d6
Binary files /dev/null and b/windows/configure/images/icd-step3.PNG differ
diff --git a/windows/configure/images/icd-step4.PNG b/windows/configure/images/icd-step4.PNG
new file mode 100644
index 0000000000..8fcfa2863b
Binary files /dev/null and b/windows/configure/images/icd-step4.PNG differ
diff --git a/windows/configure/images/icd-step5.PNG b/windows/configure/images/icd-step5.PNG
new file mode 100644
index 0000000000..9e96edd812
Binary files /dev/null and b/windows/configure/images/icd-step5.PNG differ
diff --git a/windows/configure/images/icd-switch.PNG b/windows/configure/images/icd-switch.PNG
new file mode 100644
index 0000000000..e46e48a648
Binary files /dev/null and b/windows/configure/images/icd-switch.PNG differ
diff --git a/windows/configure/images/icdbrowse.png b/windows/configure/images/icdbrowse.png
new file mode 100644
index 0000000000..53c91074c7
Binary files /dev/null and b/windows/configure/images/icdbrowse.png differ
diff --git a/windows/configure/images/identitychoices.png b/windows/configure/images/identitychoices.png
new file mode 100644
index 0000000000..9a69c04f20
Binary files /dev/null and b/windows/configure/images/identitychoices.png differ
diff --git a/windows/configure/images/image.PNG b/windows/configure/images/image.PNG
new file mode 100644
index 0000000000..0bbadcb68f
Binary files /dev/null and b/windows/configure/images/image.PNG differ
diff --git a/windows/configure/images/installing-drivers.png b/windows/configure/images/installing-drivers.png
new file mode 100644
index 0000000000..22d7808fad
Binary files /dev/null and b/windows/configure/images/installing-drivers.png differ
diff --git a/windows/configure/images/kiosk-account-details.PNG b/windows/configure/images/kiosk-account-details.PNG
new file mode 100644
index 0000000000..53c31880ea
Binary files /dev/null and b/windows/configure/images/kiosk-account-details.PNG differ
diff --git a/windows/configure/images/kiosk-account.PNG b/windows/configure/images/kiosk-account.PNG
new file mode 100644
index 0000000000..f78f9b9d56
Binary files /dev/null and b/windows/configure/images/kiosk-account.PNG differ
diff --git a/windows/configure/images/kiosk-common-details.PNG b/windows/configure/images/kiosk-common-details.PNG
new file mode 100644
index 0000000000..5eda9b293e
Binary files /dev/null and b/windows/configure/images/kiosk-common-details.PNG differ
diff --git a/windows/configure/images/kiosk-common.PNG b/windows/configure/images/kiosk-common.PNG
new file mode 100644
index 0000000000..f5873a53aa
Binary files /dev/null and b/windows/configure/images/kiosk-common.PNG differ
diff --git a/windows/configure/images/launchicon.png b/windows/configure/images/launchicon.png
new file mode 100644
index 0000000000..d469c68a2c
Binary files /dev/null and b/windows/configure/images/launchicon.png differ
diff --git a/windows/configure/images/ld-apps.PNG b/windows/configure/images/ld-apps.PNG
new file mode 100644
index 0000000000..ef65ff9a52
Binary files /dev/null and b/windows/configure/images/ld-apps.PNG differ
diff --git a/windows/configure/images/ld-buttons.PNG b/windows/configure/images/ld-buttons.PNG
new file mode 100644
index 0000000000..d89eff3b35
Binary files /dev/null and b/windows/configure/images/ld-buttons.PNG differ
diff --git a/windows/configure/images/ld-connect.PNG b/windows/configure/images/ld-connect.PNG
new file mode 100644
index 0000000000..15094b0e2b
Binary files /dev/null and b/windows/configure/images/ld-connect.PNG differ
diff --git a/windows/configure/images/ld-csp.PNG b/windows/configure/images/ld-csp.PNG
new file mode 100644
index 0000000000..6d7caa5163
Binary files /dev/null and b/windows/configure/images/ld-csp.PNG differ
diff --git a/windows/configure/images/ld-export.PNG b/windows/configure/images/ld-export.PNG
new file mode 100644
index 0000000000..970e5939bc
Binary files /dev/null and b/windows/configure/images/ld-export.PNG differ
diff --git a/windows/configure/images/ld-other.PNG b/windows/configure/images/ld-other.PNG
new file mode 100644
index 0000000000..c8b5f7518a
Binary files /dev/null and b/windows/configure/images/ld-other.PNG differ
diff --git a/windows/configure/images/ld-pair.PNG b/windows/configure/images/ld-pair.PNG
new file mode 100644
index 0000000000..0859810e73
Binary files /dev/null and b/windows/configure/images/ld-pair.PNG differ
diff --git a/windows/configure/images/ld-quick.PNG b/windows/configure/images/ld-quick.PNG
new file mode 100644
index 0000000000..63a6173103
Binary files /dev/null and b/windows/configure/images/ld-quick.PNG differ
diff --git a/windows/configure/images/ld-role.PNG b/windows/configure/images/ld-role.PNG
new file mode 100644
index 0000000000..b229af1a17
Binary files /dev/null and b/windows/configure/images/ld-role.PNG differ
diff --git a/windows/configure/images/ld-settings.PNG b/windows/configure/images/ld-settings.PNG
new file mode 100644
index 0000000000..eb6a37d925
Binary files /dev/null and b/windows/configure/images/ld-settings.PNG differ
diff --git a/windows/configure/images/ld-start.PNG b/windows/configure/images/ld-start.PNG
new file mode 100644
index 0000000000..4081f3e1e2
Binary files /dev/null and b/windows/configure/images/ld-start.PNG differ
diff --git a/windows/configure/images/ld-sync.PNG b/windows/configure/images/ld-sync.PNG
new file mode 100644
index 0000000000..3f54d910ac
Binary files /dev/null and b/windows/configure/images/ld-sync.PNG differ
diff --git a/windows/configure/images/ldstore.PNG b/windows/configure/images/ldstore.PNG
new file mode 100644
index 0000000000..63f0eedee7
Binary files /dev/null and b/windows/configure/images/ldstore.PNG differ
diff --git a/windows/configure/images/license-terms.png b/windows/configure/images/license-terms.png
new file mode 100644
index 0000000000..8dd34b0a18
Binary files /dev/null and b/windows/configure/images/license-terms.png differ
diff --git a/windows/configure/images/lily.jpg b/windows/configure/images/lily.jpg
new file mode 100644
index 0000000000..eb144d1f2b
Binary files /dev/null and b/windows/configure/images/lily.jpg differ
diff --git a/windows/configure/images/lockdownapps.png b/windows/configure/images/lockdownapps.png
new file mode 100644
index 0000000000..beb73e5370
Binary files /dev/null and b/windows/configure/images/lockdownapps.png differ
diff --git a/windows/configure/images/lockscreen.png b/windows/configure/images/lockscreen.png
new file mode 100644
index 0000000000..68c64e15ec
Binary files /dev/null and b/windows/configure/images/lockscreen.png differ
diff --git a/windows/configure/images/lockscreenpolicy.png b/windows/configure/images/lockscreenpolicy.png
new file mode 100644
index 0000000000..30b6a7ae9d
Binary files /dev/null and b/windows/configure/images/lockscreenpolicy.png differ
diff --git a/windows/configure/images/mdm-diag-report-powershell.PNG b/windows/configure/images/mdm-diag-report-powershell.PNG
new file mode 100644
index 0000000000..86f5b49211
Binary files /dev/null and b/windows/configure/images/mdm-diag-report-powershell.PNG differ
diff --git a/windows/configure/images/mdm.png b/windows/configure/images/mdm.png
new file mode 100644
index 0000000000..8ebcc00526
Binary files /dev/null and b/windows/configure/images/mdm.png differ
diff --git a/windows/configure/images/mdt-01-fig01.png b/windows/configure/images/mdt-01-fig01.png
new file mode 100644
index 0000000000..d7f8c4e452
Binary files /dev/null and b/windows/configure/images/mdt-01-fig01.png differ
diff --git a/windows/configure/images/mdt-01-fig02.jpg b/windows/configure/images/mdt-01-fig02.jpg
new file mode 100644
index 0000000000..1533bdd336
Binary files /dev/null and b/windows/configure/images/mdt-01-fig02.jpg differ
diff --git a/windows/configure/images/mdt-03-fig01.png b/windows/configure/images/mdt-03-fig01.png
new file mode 100644
index 0000000000..fc68fb0c25
Binary files /dev/null and b/windows/configure/images/mdt-03-fig01.png differ
diff --git a/windows/configure/images/mdt-03-fig02.png b/windows/configure/images/mdt-03-fig02.png
new file mode 100644
index 0000000000..d0fd979449
Binary files /dev/null and b/windows/configure/images/mdt-03-fig02.png differ
diff --git a/windows/configure/images/mdt-03-fig03.png b/windows/configure/images/mdt-03-fig03.png
new file mode 100644
index 0000000000..ba1de39aa0
Binary files /dev/null and b/windows/configure/images/mdt-03-fig03.png differ
diff --git a/windows/configure/images/mdt-03-fig04.png b/windows/configure/images/mdt-03-fig04.png
new file mode 100644
index 0000000000..26600a2036
Binary files /dev/null and b/windows/configure/images/mdt-03-fig04.png differ
diff --git a/windows/configure/images/mdt-03-fig05.png b/windows/configure/images/mdt-03-fig05.png
new file mode 100644
index 0000000000..9c44837022
Binary files /dev/null and b/windows/configure/images/mdt-03-fig05.png differ
diff --git a/windows/configure/images/mdt-04-fig01.png b/windows/configure/images/mdt-04-fig01.png
new file mode 100644
index 0000000000..8a90c1a934
Binary files /dev/null and b/windows/configure/images/mdt-04-fig01.png differ
diff --git a/windows/configure/images/mdt-05-fig01.png b/windows/configure/images/mdt-05-fig01.png
new file mode 100644
index 0000000000..490f1579d9
Binary files /dev/null and b/windows/configure/images/mdt-05-fig01.png differ
diff --git a/windows/configure/images/mdt-05-fig02.png b/windows/configure/images/mdt-05-fig02.png
new file mode 100644
index 0000000000..1223432581
Binary files /dev/null and b/windows/configure/images/mdt-05-fig02.png differ
diff --git a/windows/configure/images/mdt-05-fig03.png b/windows/configure/images/mdt-05-fig03.png
new file mode 100644
index 0000000000..a0ffbec429
Binary files /dev/null and b/windows/configure/images/mdt-05-fig03.png differ
diff --git a/windows/configure/images/mdt-05-fig04.png b/windows/configure/images/mdt-05-fig04.png
new file mode 100644
index 0000000000..778cbae1b7
Binary files /dev/null and b/windows/configure/images/mdt-05-fig04.png differ
diff --git a/windows/configure/images/mdt-05-fig05.png b/windows/configure/images/mdt-05-fig05.png
new file mode 100644
index 0000000000..e172a29754
Binary files /dev/null and b/windows/configure/images/mdt-05-fig05.png differ
diff --git a/windows/configure/images/mdt-05-fig07.png b/windows/configure/images/mdt-05-fig07.png
new file mode 100644
index 0000000000..135a2367c1
Binary files /dev/null and b/windows/configure/images/mdt-05-fig07.png differ
diff --git a/windows/configure/images/mdt-05-fig08.png b/windows/configure/images/mdt-05-fig08.png
new file mode 100644
index 0000000000..1f4534e89b
Binary files /dev/null and b/windows/configure/images/mdt-05-fig08.png differ
diff --git a/windows/configure/images/mdt-05-fig09.png b/windows/configure/images/mdt-05-fig09.png
new file mode 100644
index 0000000000..a3d0155096
Binary files /dev/null and b/windows/configure/images/mdt-05-fig09.png differ
diff --git a/windows/configure/images/mdt-05-fig10.png b/windows/configure/images/mdt-05-fig10.png
new file mode 100644
index 0000000000..576da23ea6
Binary files /dev/null and b/windows/configure/images/mdt-05-fig10.png differ
diff --git a/windows/configure/images/mdt-06-fig01.png b/windows/configure/images/mdt-06-fig01.png
new file mode 100644
index 0000000000..466cfda0f4
Binary files /dev/null and b/windows/configure/images/mdt-06-fig01.png differ
diff --git a/windows/configure/images/mdt-06-fig03.png b/windows/configure/images/mdt-06-fig03.png
new file mode 100644
index 0000000000..9d2786e46a
Binary files /dev/null and b/windows/configure/images/mdt-06-fig03.png differ
diff --git a/windows/configure/images/mdt-06-fig04.png b/windows/configure/images/mdt-06-fig04.png
new file mode 100644
index 0000000000..216e1f371b
Binary files /dev/null and b/windows/configure/images/mdt-06-fig04.png differ
diff --git a/windows/configure/images/mdt-06-fig05.png b/windows/configure/images/mdt-06-fig05.png
new file mode 100644
index 0000000000..3af74bb5ee
Binary files /dev/null and b/windows/configure/images/mdt-06-fig05.png differ
diff --git a/windows/configure/images/mdt-06-fig06.png b/windows/configure/images/mdt-06-fig06.png
new file mode 100644
index 0000000000..324c8960c1
Binary files /dev/null and b/windows/configure/images/mdt-06-fig06.png differ
diff --git a/windows/configure/images/mdt-06-fig07.png b/windows/configure/images/mdt-06-fig07.png
new file mode 100644
index 0000000000..399fac75f6
Binary files /dev/null and b/windows/configure/images/mdt-06-fig07.png differ
diff --git a/windows/configure/images/mdt-06-fig08.png b/windows/configure/images/mdt-06-fig08.png
new file mode 100644
index 0000000000..33cb90327a
Binary files /dev/null and b/windows/configure/images/mdt-06-fig08.png differ
diff --git a/windows/configure/images/mdt-06-fig10.png b/windows/configure/images/mdt-06-fig10.png
new file mode 100644
index 0000000000..1d92505b96
Binary files /dev/null and b/windows/configure/images/mdt-06-fig10.png differ
diff --git a/windows/configure/images/mdt-06-fig12.png b/windows/configure/images/mdt-06-fig12.png
new file mode 100644
index 0000000000..f33eca6174
Binary files /dev/null and b/windows/configure/images/mdt-06-fig12.png differ
diff --git a/windows/configure/images/mdt-06-fig13.png b/windows/configure/images/mdt-06-fig13.png
new file mode 100644
index 0000000000..ab578f69fe
Binary files /dev/null and b/windows/configure/images/mdt-06-fig13.png differ
diff --git a/windows/configure/images/mdt-06-fig14.png b/windows/configure/images/mdt-06-fig14.png
new file mode 100644
index 0000000000..13158231fd
Binary files /dev/null and b/windows/configure/images/mdt-06-fig14.png differ
diff --git a/windows/configure/images/mdt-06-fig15.png b/windows/configure/images/mdt-06-fig15.png
new file mode 100644
index 0000000000..2f1a0eba18
Binary files /dev/null and b/windows/configure/images/mdt-06-fig15.png differ
diff --git a/windows/configure/images/mdt-06-fig16.png b/windows/configure/images/mdt-06-fig16.png
new file mode 100644
index 0000000000..40cb46adbd
Binary files /dev/null and b/windows/configure/images/mdt-06-fig16.png differ
diff --git a/windows/configure/images/mdt-06-fig20.png b/windows/configure/images/mdt-06-fig20.png
new file mode 100644
index 0000000000..475fad7597
Binary files /dev/null and b/windows/configure/images/mdt-06-fig20.png differ
diff --git a/windows/configure/images/mdt-06-fig21.png b/windows/configure/images/mdt-06-fig21.png
new file mode 100644
index 0000000000..7cbd1d20bc
Binary files /dev/null and b/windows/configure/images/mdt-06-fig21.png differ
diff --git a/windows/configure/images/mdt-06-fig26.png b/windows/configure/images/mdt-06-fig26.png
new file mode 100644
index 0000000000..fc56839b14
Binary files /dev/null and b/windows/configure/images/mdt-06-fig26.png differ
diff --git a/windows/configure/images/mdt-06-fig31.png b/windows/configure/images/mdt-06-fig31.png
new file mode 100644
index 0000000000..5e98d623b1
Binary files /dev/null and b/windows/configure/images/mdt-06-fig31.png differ
diff --git a/windows/configure/images/mdt-06-fig33.png b/windows/configure/images/mdt-06-fig33.png
new file mode 100644
index 0000000000..18ae4c82dd
Binary files /dev/null and b/windows/configure/images/mdt-06-fig33.png differ
diff --git a/windows/configure/images/mdt-06-fig35.png b/windows/configure/images/mdt-06-fig35.png
new file mode 100644
index 0000000000..a68750925d
Binary files /dev/null and b/windows/configure/images/mdt-06-fig35.png differ
diff --git a/windows/configure/images/mdt-06-fig36.png b/windows/configure/images/mdt-06-fig36.png
new file mode 100644
index 0000000000..a8350244bd
Binary files /dev/null and b/windows/configure/images/mdt-06-fig36.png differ
diff --git a/windows/configure/images/mdt-06-fig37.png b/windows/configure/images/mdt-06-fig37.png
new file mode 100644
index 0000000000..5a89f2f431
Binary files /dev/null and b/windows/configure/images/mdt-06-fig37.png differ
diff --git a/windows/configure/images/mdt-06-fig39.png b/windows/configure/images/mdt-06-fig39.png
new file mode 100644
index 0000000000..650aec9a30
Binary files /dev/null and b/windows/configure/images/mdt-06-fig39.png differ
diff --git a/windows/configure/images/mdt-06-fig42.png b/windows/configure/images/mdt-06-fig42.png
new file mode 100644
index 0000000000..12b0e6817a
Binary files /dev/null and b/windows/configure/images/mdt-06-fig42.png differ
diff --git a/windows/configure/images/mdt-06-fig43.png b/windows/configure/images/mdt-06-fig43.png
new file mode 100644
index 0000000000..015edd21e3
Binary files /dev/null and b/windows/configure/images/mdt-06-fig43.png differ
diff --git a/windows/configure/images/mdt-07-fig01.png b/windows/configure/images/mdt-07-fig01.png
new file mode 100644
index 0000000000..b2ccfec334
Binary files /dev/null and b/windows/configure/images/mdt-07-fig01.png differ
diff --git a/windows/configure/images/mdt-07-fig03.png b/windows/configure/images/mdt-07-fig03.png
new file mode 100644
index 0000000000..c178d6a15d
Binary files /dev/null and b/windows/configure/images/mdt-07-fig03.png differ
diff --git a/windows/configure/images/mdt-07-fig08.png b/windows/configure/images/mdt-07-fig08.png
new file mode 100644
index 0000000000..66e2969916
Binary files /dev/null and b/windows/configure/images/mdt-07-fig08.png differ
diff --git a/windows/configure/images/mdt-07-fig09.png b/windows/configure/images/mdt-07-fig09.png
new file mode 100644
index 0000000000..ce320427ee
Binary files /dev/null and b/windows/configure/images/mdt-07-fig09.png differ
diff --git a/windows/configure/images/mdt-07-fig10.png b/windows/configure/images/mdt-07-fig10.png
new file mode 100644
index 0000000000..7aff3c2d76
Binary files /dev/null and b/windows/configure/images/mdt-07-fig10.png differ
diff --git a/windows/configure/images/mdt-07-fig11.png b/windows/configure/images/mdt-07-fig11.png
new file mode 100644
index 0000000000..905f8bd572
Binary files /dev/null and b/windows/configure/images/mdt-07-fig11.png differ
diff --git a/windows/configure/images/mdt-07-fig13.png b/windows/configure/images/mdt-07-fig13.png
new file mode 100644
index 0000000000..849949a2f2
Binary files /dev/null and b/windows/configure/images/mdt-07-fig13.png differ
diff --git a/windows/configure/images/mdt-07-fig14.png b/windows/configure/images/mdt-07-fig14.png
new file mode 100644
index 0000000000..cfe7843eeb
Binary files /dev/null and b/windows/configure/images/mdt-07-fig14.png differ
diff --git a/windows/configure/images/mdt-07-fig15.png b/windows/configure/images/mdt-07-fig15.png
new file mode 100644
index 0000000000..5271690c89
Binary files /dev/null and b/windows/configure/images/mdt-07-fig15.png differ
diff --git a/windows/configure/images/mdt-07-fig16.png b/windows/configure/images/mdt-07-fig16.png
new file mode 100644
index 0000000000..80e0925a40
Binary files /dev/null and b/windows/configure/images/mdt-07-fig16.png differ
diff --git a/windows/configure/images/mdt-08-fig01.png b/windows/configure/images/mdt-08-fig01.png
new file mode 100644
index 0000000000..7f795c42d4
Binary files /dev/null and b/windows/configure/images/mdt-08-fig01.png differ
diff --git a/windows/configure/images/mdt-08-fig02.png b/windows/configure/images/mdt-08-fig02.png
new file mode 100644
index 0000000000..50c97d8d0c
Binary files /dev/null and b/windows/configure/images/mdt-08-fig02.png differ
diff --git a/windows/configure/images/mdt-08-fig03.png b/windows/configure/images/mdt-08-fig03.png
new file mode 100644
index 0000000000..e80b242192
Binary files /dev/null and b/windows/configure/images/mdt-08-fig03.png differ
diff --git a/windows/configure/images/mdt-08-fig05.png b/windows/configure/images/mdt-08-fig05.png
new file mode 100644
index 0000000000..62ae133bb8
Binary files /dev/null and b/windows/configure/images/mdt-08-fig05.png differ
diff --git a/windows/configure/images/mdt-08-fig06.png b/windows/configure/images/mdt-08-fig06.png
new file mode 100644
index 0000000000..97d83a20fb
Binary files /dev/null and b/windows/configure/images/mdt-08-fig06.png differ
diff --git a/windows/configure/images/mdt-08-fig14.png b/windows/configure/images/mdt-08-fig14.png
new file mode 100644
index 0000000000..21b358d1f8
Binary files /dev/null and b/windows/configure/images/mdt-08-fig14.png differ
diff --git a/windows/configure/images/mdt-08-fig15.png b/windows/configure/images/mdt-08-fig15.png
new file mode 100644
index 0000000000..2a8bc4252e
Binary files /dev/null and b/windows/configure/images/mdt-08-fig15.png differ
diff --git a/windows/configure/images/mdt-09-fig01.png b/windows/configure/images/mdt-09-fig01.png
new file mode 100644
index 0000000000..0549174435
Binary files /dev/null and b/windows/configure/images/mdt-09-fig01.png differ
diff --git a/windows/configure/images/mdt-09-fig02.png b/windows/configure/images/mdt-09-fig02.png
new file mode 100644
index 0000000000..dd69922d80
Binary files /dev/null and b/windows/configure/images/mdt-09-fig02.png differ
diff --git a/windows/configure/images/mdt-09-fig03.png b/windows/configure/images/mdt-09-fig03.png
new file mode 100644
index 0000000000..56102b2031
Binary files /dev/null and b/windows/configure/images/mdt-09-fig03.png differ
diff --git a/windows/configure/images/mdt-09-fig04.png b/windows/configure/images/mdt-09-fig04.png
new file mode 100644
index 0000000000..f123d85af5
Binary files /dev/null and b/windows/configure/images/mdt-09-fig04.png differ
diff --git a/windows/configure/images/mdt-09-fig06.png b/windows/configure/images/mdt-09-fig06.png
new file mode 100644
index 0000000000..49042d95f3
Binary files /dev/null and b/windows/configure/images/mdt-09-fig06.png differ
diff --git a/windows/configure/images/mdt-09-fig07.png b/windows/configure/images/mdt-09-fig07.png
new file mode 100644
index 0000000000..431f212f80
Binary files /dev/null and b/windows/configure/images/mdt-09-fig07.png differ
diff --git a/windows/configure/images/mdt-09-fig08.png b/windows/configure/images/mdt-09-fig08.png
new file mode 100644
index 0000000000..c73ef398e4
Binary files /dev/null and b/windows/configure/images/mdt-09-fig08.png differ
diff --git a/windows/configure/images/mdt-09-fig09.png b/windows/configure/images/mdt-09-fig09.png
new file mode 100644
index 0000000000..14614aaa42
Binary files /dev/null and b/windows/configure/images/mdt-09-fig09.png differ
diff --git a/windows/configure/images/mdt-09-fig10.png b/windows/configure/images/mdt-09-fig10.png
new file mode 100644
index 0000000000..c8dbe11eac
Binary files /dev/null and b/windows/configure/images/mdt-09-fig10.png differ
diff --git a/windows/configure/images/mdt-09-fig11.png b/windows/configure/images/mdt-09-fig11.png
new file mode 100644
index 0000000000..dd38911dfc
Binary files /dev/null and b/windows/configure/images/mdt-09-fig11.png differ
diff --git a/windows/configure/images/mdt-09-fig12.png b/windows/configure/images/mdt-09-fig12.png
new file mode 100644
index 0000000000..ed363ae01a
Binary files /dev/null and b/windows/configure/images/mdt-09-fig12.png differ
diff --git a/windows/configure/images/mdt-09-fig13.png b/windows/configure/images/mdt-09-fig13.png
new file mode 100644
index 0000000000..5155b0ecf0
Binary files /dev/null and b/windows/configure/images/mdt-09-fig13.png differ
diff --git a/windows/configure/images/mdt-09-fig14.png b/windows/configure/images/mdt-09-fig14.png
new file mode 100644
index 0000000000..f294a8d69f
Binary files /dev/null and b/windows/configure/images/mdt-09-fig14.png differ
diff --git a/windows/configure/images/mdt-09-fig15.png b/windows/configure/images/mdt-09-fig15.png
new file mode 100644
index 0000000000..f8de66afbd
Binary files /dev/null and b/windows/configure/images/mdt-09-fig15.png differ
diff --git a/windows/configure/images/mdt-09-fig16.png b/windows/configure/images/mdt-09-fig16.png
new file mode 100644
index 0000000000..ad04b64077
Binary files /dev/null and b/windows/configure/images/mdt-09-fig16.png differ
diff --git a/windows/configure/images/mdt-09-fig17.png b/windows/configure/images/mdt-09-fig17.png
new file mode 100644
index 0000000000..fe4503b950
Binary files /dev/null and b/windows/configure/images/mdt-09-fig17.png differ
diff --git a/windows/configure/images/mdt-09-fig18.png b/windows/configure/images/mdt-09-fig18.png
new file mode 100644
index 0000000000..4f087172d9
Binary files /dev/null and b/windows/configure/images/mdt-09-fig18.png differ
diff --git a/windows/configure/images/mdt-09-fig19.png b/windows/configure/images/mdt-09-fig19.png
new file mode 100644
index 0000000000..917444c811
Binary files /dev/null and b/windows/configure/images/mdt-09-fig19.png differ
diff --git a/windows/configure/images/mdt-09-fig20.png b/windows/configure/images/mdt-09-fig20.png
new file mode 100644
index 0000000000..6c2d1c4dba
Binary files /dev/null and b/windows/configure/images/mdt-09-fig20.png differ
diff --git a/windows/configure/images/mdt-09-fig21.png b/windows/configure/images/mdt-09-fig21.png
new file mode 100644
index 0000000000..628ea98ad9
Binary files /dev/null and b/windows/configure/images/mdt-09-fig21.png differ
diff --git a/windows/configure/images/mdt-09-fig22.png b/windows/configure/images/mdt-09-fig22.png
new file mode 100644
index 0000000000..9d71f62796
Binary files /dev/null and b/windows/configure/images/mdt-09-fig22.png differ
diff --git a/windows/configure/images/mdt-09-fig23.png b/windows/configure/images/mdt-09-fig23.png
new file mode 100644
index 0000000000..4cd29dc389
Binary files /dev/null and b/windows/configure/images/mdt-09-fig23.png differ
diff --git a/windows/configure/images/mdt-09-fig24.png b/windows/configure/images/mdt-09-fig24.png
new file mode 100644
index 0000000000..89cb67a048
Binary files /dev/null and b/windows/configure/images/mdt-09-fig24.png differ
diff --git a/windows/configure/images/mdt-09-fig25.png b/windows/configure/images/mdt-09-fig25.png
new file mode 100644
index 0000000000..fb308c0be5
Binary files /dev/null and b/windows/configure/images/mdt-09-fig25.png differ
diff --git a/windows/configure/images/mdt-09-fig26.png b/windows/configure/images/mdt-09-fig26.png
new file mode 100644
index 0000000000..681c6516cd
Binary files /dev/null and b/windows/configure/images/mdt-09-fig26.png differ
diff --git a/windows/configure/images/mdt-09-fig27.png b/windows/configure/images/mdt-09-fig27.png
new file mode 100644
index 0000000000..396290346d
Binary files /dev/null and b/windows/configure/images/mdt-09-fig27.png differ
diff --git a/windows/configure/images/mdt-09-fig28.png b/windows/configure/images/mdt-09-fig28.png
new file mode 100644
index 0000000000..d36dda43fa
Binary files /dev/null and b/windows/configure/images/mdt-09-fig28.png differ
diff --git a/windows/configure/images/mdt-09-fig29.png b/windows/configure/images/mdt-09-fig29.png
new file mode 100644
index 0000000000..404842d49c
Binary files /dev/null and b/windows/configure/images/mdt-09-fig29.png differ
diff --git a/windows/configure/images/mdt-09-fig30.png b/windows/configure/images/mdt-09-fig30.png
new file mode 100644
index 0000000000..be962f40ec
Binary files /dev/null and b/windows/configure/images/mdt-09-fig30.png differ
diff --git a/windows/configure/images/mdt-09-fig31.png b/windows/configure/images/mdt-09-fig31.png
new file mode 100644
index 0000000000..a40aa9d3bb
Binary files /dev/null and b/windows/configure/images/mdt-09-fig31.png differ
diff --git a/windows/configure/images/mdt-09-fig32.png b/windows/configure/images/mdt-09-fig32.png
new file mode 100644
index 0000000000..446812a3e8
Binary files /dev/null and b/windows/configure/images/mdt-09-fig32.png differ
diff --git a/windows/configure/images/mdt-10-fig01.png b/windows/configure/images/mdt-10-fig01.png
new file mode 100644
index 0000000000..8a3ebd9711
Binary files /dev/null and b/windows/configure/images/mdt-10-fig01.png differ
diff --git a/windows/configure/images/mdt-10-fig02.png b/windows/configure/images/mdt-10-fig02.png
new file mode 100644
index 0000000000..d9e5930152
Binary files /dev/null and b/windows/configure/images/mdt-10-fig02.png differ
diff --git a/windows/configure/images/mdt-10-fig03.png b/windows/configure/images/mdt-10-fig03.png
new file mode 100644
index 0000000000..f652db736c
Binary files /dev/null and b/windows/configure/images/mdt-10-fig03.png differ
diff --git a/windows/configure/images/mdt-10-fig04.png b/windows/configure/images/mdt-10-fig04.png
new file mode 100644
index 0000000000..f98c0501df
Binary files /dev/null and b/windows/configure/images/mdt-10-fig04.png differ
diff --git a/windows/configure/images/mdt-10-fig05.png b/windows/configure/images/mdt-10-fig05.png
new file mode 100644
index 0000000000..64c0c4a6ee
Binary files /dev/null and b/windows/configure/images/mdt-10-fig05.png differ
diff --git a/windows/configure/images/mdt-10-fig06.png b/windows/configure/images/mdt-10-fig06.png
new file mode 100644
index 0000000000..91dc7c5c33
Binary files /dev/null and b/windows/configure/images/mdt-10-fig06.png differ
diff --git a/windows/configure/images/mdt-10-fig07.png b/windows/configure/images/mdt-10-fig07.png
new file mode 100644
index 0000000000..8613d905a4
Binary files /dev/null and b/windows/configure/images/mdt-10-fig07.png differ
diff --git a/windows/configure/images/mdt-10-fig08.png b/windows/configure/images/mdt-10-fig08.png
new file mode 100644
index 0000000000..ee00637019
Binary files /dev/null and b/windows/configure/images/mdt-10-fig08.png differ
diff --git a/windows/configure/images/mdt-10-fig09.png b/windows/configure/images/mdt-10-fig09.png
new file mode 100644
index 0000000000..ccdd05f34e
Binary files /dev/null and b/windows/configure/images/mdt-10-fig09.png differ
diff --git a/windows/configure/images/mdt-11-fig05.png b/windows/configure/images/mdt-11-fig05.png
new file mode 100644
index 0000000000..b03c414fb8
Binary files /dev/null and b/windows/configure/images/mdt-11-fig05.png differ
diff --git a/windows/configure/images/mdt-11-fig06.png b/windows/configure/images/mdt-11-fig06.png
new file mode 100644
index 0000000000..b5944d909e
Binary files /dev/null and b/windows/configure/images/mdt-11-fig06.png differ
diff --git a/windows/configure/images/mdt-11-fig07.png b/windows/configure/images/mdt-11-fig07.png
new file mode 100644
index 0000000000..b80f0908ab
Binary files /dev/null and b/windows/configure/images/mdt-11-fig07.png differ
diff --git a/windows/configure/images/mdt-11-fig08.png b/windows/configure/images/mdt-11-fig08.png
new file mode 100644
index 0000000000..9c258bdd3e
Binary files /dev/null and b/windows/configure/images/mdt-11-fig08.png differ
diff --git a/windows/configure/images/mdt-11-fig09.png b/windows/configure/images/mdt-11-fig09.png
new file mode 100644
index 0000000000..49b3d0b88f
Binary files /dev/null and b/windows/configure/images/mdt-11-fig09.png differ
diff --git a/windows/configure/images/mdt-11-fig10.png b/windows/configure/images/mdt-11-fig10.png
new file mode 100644
index 0000000000..e5c71225f7
Binary files /dev/null and b/windows/configure/images/mdt-11-fig10.png differ
diff --git a/windows/configure/images/mdt-11-fig11.png b/windows/configure/images/mdt-11-fig11.png
new file mode 100644
index 0000000000..e3e2c70516
Binary files /dev/null and b/windows/configure/images/mdt-11-fig11.png differ
diff --git a/windows/configure/images/mdt-11-fig12.png b/windows/configure/images/mdt-11-fig12.png
new file mode 100644
index 0000000000..1e1a7888d6
Binary files /dev/null and b/windows/configure/images/mdt-11-fig12.png differ
diff --git a/windows/configure/images/mdt-11-fig13.png b/windows/configure/images/mdt-11-fig13.png
new file mode 100644
index 0000000000..36554c72a6
Binary files /dev/null and b/windows/configure/images/mdt-11-fig13.png differ
diff --git a/windows/configure/images/mdt-11-fig14.png b/windows/configure/images/mdt-11-fig14.png
new file mode 100644
index 0000000000..075d331bc1
Binary files /dev/null and b/windows/configure/images/mdt-11-fig14.png differ
diff --git a/windows/configure/images/mdt-11-fig15.png b/windows/configure/images/mdt-11-fig15.png
new file mode 100644
index 0000000000..302847c2a6
Binary files /dev/null and b/windows/configure/images/mdt-11-fig15.png differ
diff --git a/windows/configure/images/mdt-11-fig16.png b/windows/configure/images/mdt-11-fig16.png
new file mode 100644
index 0000000000..608c161797
Binary files /dev/null and b/windows/configure/images/mdt-11-fig16.png differ
diff --git a/windows/configure/images/mobile-start-layout.png b/windows/configure/images/mobile-start-layout.png
new file mode 100644
index 0000000000..d1055d6c87
Binary files /dev/null and b/windows/configure/images/mobile-start-layout.png differ
diff --git a/windows/configure/images/multi-target.png b/windows/configure/images/multi-target.png
new file mode 100644
index 0000000000..fb6ddd7a2d
Binary files /dev/null and b/windows/configure/images/multi-target.png differ
diff --git a/windows/configure/images/nfc.png b/windows/configure/images/nfc.png
new file mode 100644
index 0000000000..bfee563205
Binary files /dev/null and b/windows/configure/images/nfc.png differ
diff --git a/windows/configure/images/oma-uri-shared-pc.png b/windows/configure/images/oma-uri-shared-pc.png
new file mode 100644
index 0000000000..68f9fa3b32
Binary files /dev/null and b/windows/configure/images/oma-uri-shared-pc.png differ
diff --git a/windows/configure/images/one.png b/windows/configure/images/one.png
new file mode 100644
index 0000000000..7766e7d470
Binary files /dev/null and b/windows/configure/images/one.png differ
diff --git a/windows/configure/images/oobe.jpg b/windows/configure/images/oobe.jpg
new file mode 100644
index 0000000000..53a5dab6bf
Binary files /dev/null and b/windows/configure/images/oobe.jpg differ
diff --git a/windows/configure/images/package-trust.png b/windows/configure/images/package-trust.png
new file mode 100644
index 0000000000..4a996f23d5
Binary files /dev/null and b/windows/configure/images/package-trust.png differ
diff --git a/windows/configure/images/package.png b/windows/configure/images/package.png
new file mode 100644
index 0000000000..f5e975e3e9
Binary files /dev/null and b/windows/configure/images/package.png differ
diff --git a/windows/configure/images/packageaddfileandregistrydata-global.png b/windows/configure/images/packageaddfileandregistrydata-global.png
new file mode 100644
index 0000000000..775e290a36
Binary files /dev/null and b/windows/configure/images/packageaddfileandregistrydata-global.png differ
diff --git a/windows/configure/images/packageaddfileandregistrydata-stream.png b/windows/configure/images/packageaddfileandregistrydata-stream.png
new file mode 100644
index 0000000000..0e1205c62b
Binary files /dev/null and b/windows/configure/images/packageaddfileandregistrydata-stream.png differ
diff --git a/windows/configure/images/packageaddfileandregistrydata.png b/windows/configure/images/packageaddfileandregistrydata.png
new file mode 100644
index 0000000000..603420e627
Binary files /dev/null and b/windows/configure/images/packageaddfileandregistrydata.png differ
diff --git a/windows/configure/images/packages-mobile.png b/windows/configure/images/packages-mobile.png
new file mode 100644
index 0000000000..4ce63dde78
Binary files /dev/null and b/windows/configure/images/packages-mobile.png differ
diff --git a/windows/configure/images/phoneprovision.png b/windows/configure/images/phoneprovision.png
new file mode 100644
index 0000000000..01ada29ac9
Binary files /dev/null and b/windows/configure/images/phoneprovision.png differ
diff --git a/windows/configure/images/policytocsp.png b/windows/configure/images/policytocsp.png
new file mode 100644
index 0000000000..80ca76cb62
Binary files /dev/null and b/windows/configure/images/policytocsp.png differ
diff --git a/windows/configure/images/powericon.png b/windows/configure/images/powericon.png
new file mode 100644
index 0000000000..b497ff859d
Binary files /dev/null and b/windows/configure/images/powericon.png differ
diff --git a/windows/configure/images/priv-telemetry-levels.png b/windows/configure/images/priv-telemetry-levels.png
new file mode 100644
index 0000000000..9581cee54d
Binary files /dev/null and b/windows/configure/images/priv-telemetry-levels.png differ
diff --git a/windows/configure/images/prov.jpg b/windows/configure/images/prov.jpg
new file mode 100644
index 0000000000..1593ccb36b
Binary files /dev/null and b/windows/configure/images/prov.jpg differ
diff --git a/windows/configure/images/provisioning-csp-assignedaccess.png b/windows/configure/images/provisioning-csp-assignedaccess.png
new file mode 100644
index 0000000000..14d49cdd89
Binary files /dev/null and b/windows/configure/images/provisioning-csp-assignedaccess.png differ
diff --git a/windows/configure/images/rdp.png b/windows/configure/images/rdp.png
new file mode 100644
index 0000000000..ac088d0b06
Binary files /dev/null and b/windows/configure/images/rdp.png differ
diff --git a/windows/configure/images/resetdevice.png b/windows/configure/images/resetdevice.png
new file mode 100644
index 0000000000..4e265c3f8d
Binary files /dev/null and b/windows/configure/images/resetdevice.png differ
diff --git a/windows/configure/images/scanos.PNG b/windows/configure/images/scanos.PNG
new file mode 100644
index 0000000000..d53a272018
Binary files /dev/null and b/windows/configure/images/scanos.PNG differ
diff --git a/windows/configure/images/sccm-asset.PNG b/windows/configure/images/sccm-asset.PNG
new file mode 100644
index 0000000000..4dacaeb565
Binary files /dev/null and b/windows/configure/images/sccm-asset.PNG differ
diff --git a/windows/configure/images/sccm-assets.PNG b/windows/configure/images/sccm-assets.PNG
new file mode 100644
index 0000000000..2cc50f5758
Binary files /dev/null and b/windows/configure/images/sccm-assets.PNG differ
diff --git a/windows/configure/images/sccm-client.PNG b/windows/configure/images/sccm-client.PNG
new file mode 100644
index 0000000000..45e0ad8883
Binary files /dev/null and b/windows/configure/images/sccm-client.PNG differ
diff --git a/windows/configure/images/sccm-collection.PNG b/windows/configure/images/sccm-collection.PNG
new file mode 100644
index 0000000000..01a1cca4a8
Binary files /dev/null and b/windows/configure/images/sccm-collection.PNG differ
diff --git a/windows/configure/images/sccm-install-os.PNG b/windows/configure/images/sccm-install-os.PNG
new file mode 100644
index 0000000000..53b314b132
Binary files /dev/null and b/windows/configure/images/sccm-install-os.PNG differ
diff --git a/windows/configure/images/sccm-post-refresh.PNG b/windows/configure/images/sccm-post-refresh.PNG
new file mode 100644
index 0000000000..e116e04312
Binary files /dev/null and b/windows/configure/images/sccm-post-refresh.PNG differ
diff --git a/windows/configure/images/sccm-pxe.PNG b/windows/configure/images/sccm-pxe.PNG
new file mode 100644
index 0000000000..39cb22c075
Binary files /dev/null and b/windows/configure/images/sccm-pxe.PNG differ
diff --git a/windows/configure/images/sccm-site.PNG b/windows/configure/images/sccm-site.PNG
new file mode 100644
index 0000000000..92319fdbf7
Binary files /dev/null and b/windows/configure/images/sccm-site.PNG differ
diff --git a/windows/configure/images/sccm-software-cntr.PNG b/windows/configure/images/sccm-software-cntr.PNG
new file mode 100644
index 0000000000..9c920c6d39
Binary files /dev/null and b/windows/configure/images/sccm-software-cntr.PNG differ
diff --git a/windows/configure/images/sec-bios.png b/windows/configure/images/sec-bios.png
new file mode 100644
index 0000000000..4498497d59
Binary files /dev/null and b/windows/configure/images/sec-bios.png differ
diff --git a/windows/configure/images/set-up-device-details-desktop.PNG b/windows/configure/images/set-up-device-details-desktop.PNG
new file mode 100644
index 0000000000..97c8a1b704
Binary files /dev/null and b/windows/configure/images/set-up-device-details-desktop.PNG differ
diff --git a/windows/configure/images/set-up-device-details-mobile.PNG b/windows/configure/images/set-up-device-details-mobile.PNG
new file mode 100644
index 0000000000..f41fe99a72
Binary files /dev/null and b/windows/configure/images/set-up-device-details-mobile.PNG differ
diff --git a/windows/configure/images/set-up-device-details.PNG b/windows/configure/images/set-up-device-details.PNG
new file mode 100644
index 0000000000..031dac6fe6
Binary files /dev/null and b/windows/configure/images/set-up-device-details.PNG differ
diff --git a/windows/configure/images/set-up-device-mobile.PNG b/windows/configure/images/set-up-device-mobile.PNG
new file mode 100644
index 0000000000..b8173385d4
Binary files /dev/null and b/windows/configure/images/set-up-device-mobile.PNG differ
diff --git a/windows/configure/images/set-up-device.PNG b/windows/configure/images/set-up-device.PNG
new file mode 100644
index 0000000000..0c9eb0e3ff
Binary files /dev/null and b/windows/configure/images/set-up-device.PNG differ
diff --git a/windows/configure/images/set-up-network-details-desktop.PNG b/windows/configure/images/set-up-network-details-desktop.PNG
new file mode 100644
index 0000000000..83911ccbd0
Binary files /dev/null and b/windows/configure/images/set-up-network-details-desktop.PNG differ
diff --git a/windows/configure/images/set-up-network-details-mobile.PNG b/windows/configure/images/set-up-network-details-mobile.PNG
new file mode 100644
index 0000000000..8f515ba1f6
Binary files /dev/null and b/windows/configure/images/set-up-network-details-mobile.PNG differ
diff --git a/windows/configure/images/set-up-network-details.PNG b/windows/configure/images/set-up-network-details.PNG
new file mode 100644
index 0000000000..778b8497c4
Binary files /dev/null and b/windows/configure/images/set-up-network-details.PNG differ
diff --git a/windows/configure/images/set-up-network-mobile.PNG b/windows/configure/images/set-up-network-mobile.PNG
new file mode 100644
index 0000000000..9442b33e90
Binary files /dev/null and b/windows/configure/images/set-up-network-mobile.PNG differ
diff --git a/windows/configure/images/set-up-network.PNG b/windows/configure/images/set-up-network.PNG
new file mode 100644
index 0000000000..a0e856c103
Binary files /dev/null and b/windows/configure/images/set-up-network.PNG differ
diff --git a/windows/configure/images/settings-table.png b/windows/configure/images/settings-table.png
new file mode 100644
index 0000000000..ada56513fc
Binary files /dev/null and b/windows/configure/images/settings-table.png differ
diff --git a/windows/configure/images/settingsicon.png b/windows/configure/images/settingsicon.png
new file mode 100644
index 0000000000..0ad27fc558
Binary files /dev/null and b/windows/configure/images/settingsicon.png differ
diff --git a/windows/configure/images/setupmsg.jpg b/windows/configure/images/setupmsg.jpg
new file mode 100644
index 0000000000..12935483c5
Binary files /dev/null and b/windows/configure/images/setupmsg.jpg differ
diff --git a/windows/configure/images/seven.png b/windows/configure/images/seven.png
new file mode 100644
index 0000000000..285a92df0b
Binary files /dev/null and b/windows/configure/images/seven.png differ
diff --git a/windows/configure/images/sign-in-prov.png b/windows/configure/images/sign-in-prov.png
new file mode 100644
index 0000000000..55c9276203
Binary files /dev/null and b/windows/configure/images/sign-in-prov.png differ
diff --git a/windows/configure/images/six.png b/windows/configure/images/six.png
new file mode 100644
index 0000000000..e8906332ec
Binary files /dev/null and b/windows/configure/images/six.png differ
diff --git a/windows/configure/images/spotlight.png b/windows/configure/images/spotlight.png
new file mode 100644
index 0000000000..515269740b
Binary files /dev/null and b/windows/configure/images/spotlight.png differ
diff --git a/windows/configure/images/spotlight2.png b/windows/configure/images/spotlight2.png
new file mode 100644
index 0000000000..27401c1a2b
Binary files /dev/null and b/windows/configure/images/spotlight2.png differ
diff --git a/windows/configure/images/start-pinned-app.png b/windows/configure/images/start-pinned-app.png
new file mode 100644
index 0000000000..e1e4a24a00
Binary files /dev/null and b/windows/configure/images/start-pinned-app.png differ
diff --git a/windows/configure/images/startannotated.png b/windows/configure/images/startannotated.png
new file mode 100644
index 0000000000..9261fd9078
Binary files /dev/null and b/windows/configure/images/startannotated.png differ
diff --git a/windows/configure/images/starticon.png b/windows/configure/images/starticon.png
new file mode 100644
index 0000000000..fa8cbdff10
Binary files /dev/null and b/windows/configure/images/starticon.png differ
diff --git a/windows/configure/images/startlayoutpolicy.jpg b/windows/configure/images/startlayoutpolicy.jpg
new file mode 100644
index 0000000000..d3c8d054fe
Binary files /dev/null and b/windows/configure/images/startlayoutpolicy.jpg differ
diff --git a/windows/configure/images/starttemplate.jpg b/windows/configure/images/starttemplate.jpg
new file mode 100644
index 0000000000..900eed08c5
Binary files /dev/null and b/windows/configure/images/starttemplate.jpg differ
diff --git a/windows/configure/images/svr_mgr2.png b/windows/configure/images/svr_mgr2.png
new file mode 100644
index 0000000000..dd2e6737c6
Binary files /dev/null and b/windows/configure/images/svr_mgr2.png differ
diff --git a/windows/configure/images/sysprep-error.png b/windows/configure/images/sysprep-error.png
new file mode 100644
index 0000000000..aa004efbb6
Binary files /dev/null and b/windows/configure/images/sysprep-error.png differ
diff --git a/windows/configure/images/taskbar-blank.png b/windows/configure/images/taskbar-blank.png
new file mode 100644
index 0000000000..185027f2fd
Binary files /dev/null and b/windows/configure/images/taskbar-blank.png differ
diff --git a/windows/configure/images/taskbar-default-plus.png b/windows/configure/images/taskbar-default-plus.png
new file mode 100644
index 0000000000..8afcebac09
Binary files /dev/null and b/windows/configure/images/taskbar-default-plus.png differ
diff --git a/windows/configure/images/taskbar-default-removed.png b/windows/configure/images/taskbar-default-removed.png
new file mode 100644
index 0000000000..b3ff924e9f
Binary files /dev/null and b/windows/configure/images/taskbar-default-removed.png differ
diff --git a/windows/configure/images/taskbar-default.png b/windows/configure/images/taskbar-default.png
new file mode 100644
index 0000000000..41c6c72258
Binary files /dev/null and b/windows/configure/images/taskbar-default.png differ
diff --git a/windows/configure/images/taskbar-generic.png b/windows/configure/images/taskbar-generic.png
new file mode 100644
index 0000000000..6d47a6795a
Binary files /dev/null and b/windows/configure/images/taskbar-generic.png differ
diff --git a/windows/configure/images/taskbar-region-defr.png b/windows/configure/images/taskbar-region-defr.png
new file mode 100644
index 0000000000..6d707b16f4
Binary files /dev/null and b/windows/configure/images/taskbar-region-defr.png differ
diff --git a/windows/configure/images/taskbar-region-other.png b/windows/configure/images/taskbar-region-other.png
new file mode 100644
index 0000000000..fab367ef7a
Binary files /dev/null and b/windows/configure/images/taskbar-region-other.png differ
diff --git a/windows/configure/images/taskbar-region-usuk.png b/windows/configure/images/taskbar-region-usuk.png
new file mode 100644
index 0000000000..6bba65ee81
Binary files /dev/null and b/windows/configure/images/taskbar-region-usuk.png differ
diff --git a/windows/configure/images/taskbarSTARTERBLANK.png b/windows/configure/images/taskbarSTARTERBLANK.png
new file mode 100644
index 0000000000..e206bdc196
Binary files /dev/null and b/windows/configure/images/taskbarSTARTERBLANK.png differ
diff --git a/windows/configure/images/three.png b/windows/configure/images/three.png
new file mode 100644
index 0000000000..887fa270d7
Binary files /dev/null and b/windows/configure/images/three.png differ
diff --git a/windows/configure/images/trust-package.png b/windows/configure/images/trust-package.png
new file mode 100644
index 0000000000..8a293ea4da
Binary files /dev/null and b/windows/configure/images/trust-package.png differ
diff --git a/windows/configure/images/twain.png b/windows/configure/images/twain.png
new file mode 100644
index 0000000000..53cd5eadc7
Binary files /dev/null and b/windows/configure/images/twain.png differ
diff --git a/windows/configure/images/two.png b/windows/configure/images/two.png
new file mode 100644
index 0000000000..b8c2d52eaf
Binary files /dev/null and b/windows/configure/images/two.png differ
diff --git a/windows/configure/images/ua-cg-01.png b/windows/configure/images/ua-cg-01.png
new file mode 100644
index 0000000000..4b41bd67ba
Binary files /dev/null and b/windows/configure/images/ua-cg-01.png differ
diff --git a/windows/configure/images/ua-cg-02.png b/windows/configure/images/ua-cg-02.png
new file mode 100644
index 0000000000..4cbfaf26d8
Binary files /dev/null and b/windows/configure/images/ua-cg-02.png differ
diff --git a/windows/configure/images/ua-cg-03.png b/windows/configure/images/ua-cg-03.png
new file mode 100644
index 0000000000..cfad7911bb
Binary files /dev/null and b/windows/configure/images/ua-cg-03.png differ
diff --git a/windows/configure/images/ua-cg-04.png b/windows/configure/images/ua-cg-04.png
new file mode 100644
index 0000000000..c818d15d02
Binary files /dev/null and b/windows/configure/images/ua-cg-04.png differ
diff --git a/windows/configure/images/ua-cg-05.png b/windows/configure/images/ua-cg-05.png
new file mode 100644
index 0000000000..a8788f0eb9
Binary files /dev/null and b/windows/configure/images/ua-cg-05.png differ
diff --git a/windows/configure/images/ua-cg-06.png b/windows/configure/images/ua-cg-06.png
new file mode 100644
index 0000000000..ed983c96c8
Binary files /dev/null and b/windows/configure/images/ua-cg-06.png differ
diff --git a/windows/configure/images/ua-cg-07.png b/windows/configure/images/ua-cg-07.png
new file mode 100644
index 0000000000..2aba43be53
Binary files /dev/null and b/windows/configure/images/ua-cg-07.png differ
diff --git a/windows/configure/images/ua-cg-08.png b/windows/configure/images/ua-cg-08.png
new file mode 100644
index 0000000000..4d7f924d76
Binary files /dev/null and b/windows/configure/images/ua-cg-08.png differ
diff --git a/windows/configure/images/ua-cg-09.png b/windows/configure/images/ua-cg-09.png
new file mode 100644
index 0000000000..b9aa1cea41
Binary files /dev/null and b/windows/configure/images/ua-cg-09.png differ
diff --git a/windows/configure/images/ua-cg-10.png b/windows/configure/images/ua-cg-10.png
new file mode 100644
index 0000000000..54e222338d
Binary files /dev/null and b/windows/configure/images/ua-cg-10.png differ
diff --git a/windows/configure/images/ua-cg-11.png b/windows/configure/images/ua-cg-11.png
new file mode 100644
index 0000000000..4e930a5905
Binary files /dev/null and b/windows/configure/images/ua-cg-11.png differ
diff --git a/windows/configure/images/ua-cg-12.png b/windows/configure/images/ua-cg-12.png
new file mode 100644
index 0000000000..2fbe11b814
Binary files /dev/null and b/windows/configure/images/ua-cg-12.png differ
diff --git a/windows/configure/images/ua-cg-13.png b/windows/configure/images/ua-cg-13.png
new file mode 100644
index 0000000000..f04252796e
Binary files /dev/null and b/windows/configure/images/ua-cg-13.png differ
diff --git a/windows/configure/images/ua-cg-14.png b/windows/configure/images/ua-cg-14.png
new file mode 100644
index 0000000000..6105fdf4d1
Binary files /dev/null and b/windows/configure/images/ua-cg-14.png differ
diff --git a/windows/configure/images/ua-cg-15.png b/windows/configure/images/ua-cg-15.png
new file mode 100644
index 0000000000..5362db66da
Binary files /dev/null and b/windows/configure/images/ua-cg-15.png differ
diff --git a/windows/configure/images/ua-cg-16.png b/windows/configure/images/ua-cg-16.png
new file mode 100644
index 0000000000..6d5b8a84b6
Binary files /dev/null and b/windows/configure/images/ua-cg-16.png differ
diff --git a/windows/configure/images/ua-cg-17.png b/windows/configure/images/ua-cg-17.png
new file mode 100644
index 0000000000..d66c41917b
Binary files /dev/null and b/windows/configure/images/ua-cg-17.png differ
diff --git a/windows/configure/images/uc-01.png b/windows/configure/images/uc-01.png
new file mode 100644
index 0000000000..7f4df9f6d7
Binary files /dev/null and b/windows/configure/images/uc-01.png differ
diff --git a/windows/configure/images/uc-02.png b/windows/configure/images/uc-02.png
new file mode 100644
index 0000000000..8317f051c3
Binary files /dev/null and b/windows/configure/images/uc-02.png differ
diff --git a/windows/configure/images/uc-02a.png b/windows/configure/images/uc-02a.png
new file mode 100644
index 0000000000..d12544e3a0
Binary files /dev/null and b/windows/configure/images/uc-02a.png differ
diff --git a/windows/configure/images/uc-03.png b/windows/configure/images/uc-03.png
new file mode 100644
index 0000000000..58494c4128
Binary files /dev/null and b/windows/configure/images/uc-03.png differ
diff --git a/windows/configure/images/uc-03a.png b/windows/configure/images/uc-03a.png
new file mode 100644
index 0000000000..39412fc8f3
Binary files /dev/null and b/windows/configure/images/uc-03a.png differ
diff --git a/windows/configure/images/uc-04.png b/windows/configure/images/uc-04.png
new file mode 100644
index 0000000000..ef9a37d379
Binary files /dev/null and b/windows/configure/images/uc-04.png differ
diff --git a/windows/configure/images/uc-04a.png b/windows/configure/images/uc-04a.png
new file mode 100644
index 0000000000..537d4bbe72
Binary files /dev/null and b/windows/configure/images/uc-04a.png differ
diff --git a/windows/configure/images/uc-05.png b/windows/configure/images/uc-05.png
new file mode 100644
index 0000000000..21c8e9f9e0
Binary files /dev/null and b/windows/configure/images/uc-05.png differ
diff --git a/windows/configure/images/uc-05a.png b/windows/configure/images/uc-05a.png
new file mode 100644
index 0000000000..2271181622
Binary files /dev/null and b/windows/configure/images/uc-05a.png differ
diff --git a/windows/configure/images/uc-06.png b/windows/configure/images/uc-06.png
new file mode 100644
index 0000000000..03a559800b
Binary files /dev/null and b/windows/configure/images/uc-06.png differ
diff --git a/windows/configure/images/uc-06a.png b/windows/configure/images/uc-06a.png
new file mode 100644
index 0000000000..15df1cfea0
Binary files /dev/null and b/windows/configure/images/uc-06a.png differ
diff --git a/windows/configure/images/uc-07.png b/windows/configure/images/uc-07.png
new file mode 100644
index 0000000000..de1ae35e82
Binary files /dev/null and b/windows/configure/images/uc-07.png differ
diff --git a/windows/configure/images/uc-07a.png b/windows/configure/images/uc-07a.png
new file mode 100644
index 0000000000..c0f2d9fd73
Binary files /dev/null and b/windows/configure/images/uc-07a.png differ
diff --git a/windows/configure/images/uc-08.png b/windows/configure/images/uc-08.png
new file mode 100644
index 0000000000..877fcd64c0
Binary files /dev/null and b/windows/configure/images/uc-08.png differ
diff --git a/windows/configure/images/uc-08a.png b/windows/configure/images/uc-08a.png
new file mode 100644
index 0000000000..89da287d3d
Binary files /dev/null and b/windows/configure/images/uc-08a.png differ
diff --git a/windows/configure/images/uc-09.png b/windows/configure/images/uc-09.png
new file mode 100644
index 0000000000..37d7114f19
Binary files /dev/null and b/windows/configure/images/uc-09.png differ
diff --git a/windows/configure/images/uc-09a.png b/windows/configure/images/uc-09a.png
new file mode 100644
index 0000000000..f6b6ec5b60
Binary files /dev/null and b/windows/configure/images/uc-09a.png differ
diff --git a/windows/configure/images/uc-10.png b/windows/configure/images/uc-10.png
new file mode 100644
index 0000000000..3ab72d10d2
Binary files /dev/null and b/windows/configure/images/uc-10.png differ
diff --git a/windows/configure/images/uc-10a.png b/windows/configure/images/uc-10a.png
new file mode 100644
index 0000000000..1c6b8b01dc
Binary files /dev/null and b/windows/configure/images/uc-10a.png differ
diff --git a/windows/configure/images/uc-11.png b/windows/configure/images/uc-11.png
new file mode 100644
index 0000000000..8b4fc568ea
Binary files /dev/null and b/windows/configure/images/uc-11.png differ
diff --git a/windows/configure/images/uc-12.png b/windows/configure/images/uc-12.png
new file mode 100644
index 0000000000..4198684c99
Binary files /dev/null and b/windows/configure/images/uc-12.png differ
diff --git a/windows/configure/images/uc-13.png b/windows/configure/images/uc-13.png
new file mode 100644
index 0000000000..117f9b9fd8
Binary files /dev/null and b/windows/configure/images/uc-13.png differ
diff --git a/windows/configure/images/uc-14.png b/windows/configure/images/uc-14.png
new file mode 100644
index 0000000000..66047984e7
Binary files /dev/null and b/windows/configure/images/uc-14.png differ
diff --git a/windows/configure/images/uc-15.png b/windows/configure/images/uc-15.png
new file mode 100644
index 0000000000..c241cd9117
Binary files /dev/null and b/windows/configure/images/uc-15.png differ
diff --git a/windows/configure/images/uc-16.png b/windows/configure/images/uc-16.png
new file mode 100644
index 0000000000..e7aff4d4ed
Binary files /dev/null and b/windows/configure/images/uc-16.png differ
diff --git a/windows/configure/images/uc-17.png b/windows/configure/images/uc-17.png
new file mode 100644
index 0000000000..cb8e42ca5e
Binary files /dev/null and b/windows/configure/images/uc-17.png differ
diff --git a/windows/configure/images/uc-18.png b/windows/configure/images/uc-18.png
new file mode 100644
index 0000000000..5eff59adc9
Binary files /dev/null and b/windows/configure/images/uc-18.png differ
diff --git a/windows/configure/images/uc-19.png b/windows/configure/images/uc-19.png
new file mode 100644
index 0000000000..791900eafc
Binary files /dev/null and b/windows/configure/images/uc-19.png differ
diff --git a/windows/configure/images/uc-20.png b/windows/configure/images/uc-20.png
new file mode 100644
index 0000000000..7dbb027b9f
Binary files /dev/null and b/windows/configure/images/uc-20.png differ
diff --git a/windows/configure/images/uc-21.png b/windows/configure/images/uc-21.png
new file mode 100644
index 0000000000..418db41fe4
Binary files /dev/null and b/windows/configure/images/uc-21.png differ
diff --git a/windows/configure/images/uc-22.png b/windows/configure/images/uc-22.png
new file mode 100644
index 0000000000..2ca5c47a61
Binary files /dev/null and b/windows/configure/images/uc-22.png differ
diff --git a/windows/configure/images/uc-23.png b/windows/configure/images/uc-23.png
new file mode 100644
index 0000000000..58b82db82d
Binary files /dev/null and b/windows/configure/images/uc-23.png differ
diff --git a/windows/configure/images/uc-24.png b/windows/configure/images/uc-24.png
new file mode 100644
index 0000000000..00bc61e3e1
Binary files /dev/null and b/windows/configure/images/uc-24.png differ
diff --git a/windows/configure/images/uc-25.png b/windows/configure/images/uc-25.png
new file mode 100644
index 0000000000..4e0f0bdb03
Binary files /dev/null and b/windows/configure/images/uc-25.png differ
diff --git a/windows/configure/images/uev-adk-select-uev-feature.png b/windows/configure/images/uev-adk-select-uev-feature.png
new file mode 100644
index 0000000000..1556f115c0
Binary files /dev/null and b/windows/configure/images/uev-adk-select-uev-feature.png differ
diff --git a/windows/configure/images/uev-archdiagram.png b/windows/configure/images/uev-archdiagram.png
new file mode 100644
index 0000000000..eae098e666
Binary files /dev/null and b/windows/configure/images/uev-archdiagram.png differ
diff --git a/windows/configure/images/uev-checklist-box.gif b/windows/configure/images/uev-checklist-box.gif
new file mode 100644
index 0000000000..8af13c51d1
Binary files /dev/null and b/windows/configure/images/uev-checklist-box.gif differ
diff --git a/windows/configure/images/uev-deployment-preparation.png b/windows/configure/images/uev-deployment-preparation.png
new file mode 100644
index 0000000000..b665a0bfea
Binary files /dev/null and b/windows/configure/images/uev-deployment-preparation.png differ
diff --git a/windows/configure/images/uev-generator-process.png b/windows/configure/images/uev-generator-process.png
new file mode 100644
index 0000000000..e16cedd0a7
Binary files /dev/null and b/windows/configure/images/uev-generator-process.png differ
diff --git a/windows/configure/images/upgrade-analytics-apps-known-issues.png b/windows/configure/images/upgrade-analytics-apps-known-issues.png
new file mode 100644
index 0000000000..ec99ac92cf
Binary files /dev/null and b/windows/configure/images/upgrade-analytics-apps-known-issues.png differ
diff --git a/windows/configure/images/upgrade-analytics-apps-no-known-issues.png b/windows/configure/images/upgrade-analytics-apps-no-known-issues.png
new file mode 100644
index 0000000000..9fb09ffd65
Binary files /dev/null and b/windows/configure/images/upgrade-analytics-apps-no-known-issues.png differ
diff --git a/windows/configure/images/upgrade-analytics-architecture.png b/windows/configure/images/upgrade-analytics-architecture.png
new file mode 100644
index 0000000000..93d3acba0b
Binary files /dev/null and b/windows/configure/images/upgrade-analytics-architecture.png differ
diff --git a/windows/configure/images/upgrade-analytics-create-iedataoptin.png b/windows/configure/images/upgrade-analytics-create-iedataoptin.png
new file mode 100644
index 0000000000..60f5ccbc90
Binary files /dev/null and b/windows/configure/images/upgrade-analytics-create-iedataoptin.png differ
diff --git a/windows/configure/images/upgrade-analytics-deploy-eligible.png b/windows/configure/images/upgrade-analytics-deploy-eligible.png
new file mode 100644
index 0000000000..8da91cebc4
Binary files /dev/null and b/windows/configure/images/upgrade-analytics-deploy-eligible.png differ
diff --git a/windows/configure/images/upgrade-analytics-drivers-known.png b/windows/configure/images/upgrade-analytics-drivers-known.png
new file mode 100644
index 0000000000..35d61f87c7
Binary files /dev/null and b/windows/configure/images/upgrade-analytics-drivers-known.png differ
diff --git a/windows/configure/images/upgrade-analytics-most-active-sites.png b/windows/configure/images/upgrade-analytics-most-active-sites.png
new file mode 100644
index 0000000000..180c5ddced
Binary files /dev/null and b/windows/configure/images/upgrade-analytics-most-active-sites.png differ
diff --git a/windows/configure/images/upgrade-analytics-namepub-rollup.PNG b/windows/configure/images/upgrade-analytics-namepub-rollup.PNG
new file mode 100644
index 0000000000..2041f14fd4
Binary files /dev/null and b/windows/configure/images/upgrade-analytics-namepub-rollup.PNG differ
diff --git a/windows/configure/images/upgrade-analytics-overview.png b/windows/configure/images/upgrade-analytics-overview.png
new file mode 100644
index 0000000000..ba02ee0a8c
Binary files /dev/null and b/windows/configure/images/upgrade-analytics-overview.png differ
diff --git a/windows/configure/images/upgrade-analytics-pilot.png b/windows/configure/images/upgrade-analytics-pilot.png
new file mode 100644
index 0000000000..1c1de328ea
Binary files /dev/null and b/windows/configure/images/upgrade-analytics-pilot.png differ
diff --git a/windows/configure/images/upgrade-analytics-prioritize.png b/windows/configure/images/upgrade-analytics-prioritize.png
new file mode 100644
index 0000000000..d6227694c1
Binary files /dev/null and b/windows/configure/images/upgrade-analytics-prioritize.png differ
diff --git a/windows/configure/images/upgrade-analytics-query-activex-name.png b/windows/configure/images/upgrade-analytics-query-activex-name.png
new file mode 100644
index 0000000000..5068e7d20e
Binary files /dev/null and b/windows/configure/images/upgrade-analytics-query-activex-name.png differ
diff --git a/windows/configure/images/upgrade-analytics-ready-for-windows-status-guidance-precedence.PNG b/windows/configure/images/upgrade-analytics-ready-for-windows-status-guidance-precedence.PNG
new file mode 100644
index 0000000000..4d22cc9353
Binary files /dev/null and b/windows/configure/images/upgrade-analytics-ready-for-windows-status-guidance-precedence.PNG differ
diff --git a/windows/configure/images/upgrade-analytics-ready-for-windows-status.PNG b/windows/configure/images/upgrade-analytics-ready-for-windows-status.PNG
new file mode 100644
index 0000000000..c233db2340
Binary files /dev/null and b/windows/configure/images/upgrade-analytics-ready-for-windows-status.PNG differ
diff --git a/windows/configure/images/upgrade-analytics-site-activity-by-doc-mode.png b/windows/configure/images/upgrade-analytics-site-activity-by-doc-mode.png
new file mode 100644
index 0000000000..d1a46f1791
Binary files /dev/null and b/windows/configure/images/upgrade-analytics-site-activity-by-doc-mode.png differ
diff --git a/windows/configure/images/upgrade-analytics-site-domain-detail.png b/windows/configure/images/upgrade-analytics-site-domain-detail.png
new file mode 100644
index 0000000000..15a7ee20c4
Binary files /dev/null and b/windows/configure/images/upgrade-analytics-site-domain-detail.png differ
diff --git a/windows/configure/images/upgrade-analytics-telemetry.png b/windows/configure/images/upgrade-analytics-telemetry.png
new file mode 100644
index 0000000000..bf60935616
Binary files /dev/null and b/windows/configure/images/upgrade-analytics-telemetry.png differ
diff --git a/windows/configure/images/upgrade-analytics-unsubscribe.png b/windows/configure/images/upgrade-analytics-unsubscribe.png
new file mode 100644
index 0000000000..402db94d6f
Binary files /dev/null and b/windows/configure/images/upgrade-analytics-unsubscribe.png differ
diff --git a/windows/configure/images/upgrade-process.png b/windows/configure/images/upgrade-process.png
new file mode 100644
index 0000000000..b2b77708fc
Binary files /dev/null and b/windows/configure/images/upgrade-process.png differ
diff --git a/windows/configure/images/upgradecfg-fig2-upgrading.png b/windows/configure/images/upgradecfg-fig2-upgrading.png
new file mode 100644
index 0000000000..c53de79c29
Binary files /dev/null and b/windows/configure/images/upgradecfg-fig2-upgrading.png differ
diff --git a/windows/configure/images/upgradecfg-fig3-upgrade.png b/windows/configure/images/upgradecfg-fig3-upgrade.png
new file mode 100644
index 0000000000..d0c1ceaaf9
Binary files /dev/null and b/windows/configure/images/upgradecfg-fig3-upgrade.png differ
diff --git a/windows/configure/images/upgrademdt-fig1-machines.png b/windows/configure/images/upgrademdt-fig1-machines.png
new file mode 100644
index 0000000000..38129332e6
Binary files /dev/null and b/windows/configure/images/upgrademdt-fig1-machines.png differ
diff --git a/windows/configure/images/upgrademdt-fig2-importedos.png b/windows/configure/images/upgrademdt-fig2-importedos.png
new file mode 100644
index 0000000000..93b92efd93
Binary files /dev/null and b/windows/configure/images/upgrademdt-fig2-importedos.png differ
diff --git a/windows/configure/images/upgrademdt-fig3-tasksequence.png b/windows/configure/images/upgrademdt-fig3-tasksequence.png
new file mode 100644
index 0000000000..1ad66c2098
Binary files /dev/null and b/windows/configure/images/upgrademdt-fig3-tasksequence.png differ
diff --git a/windows/configure/images/upgrademdt-fig4-selecttask.png b/windows/configure/images/upgrademdt-fig4-selecttask.png
new file mode 100644
index 0000000000..dcbc73871a
Binary files /dev/null and b/windows/configure/images/upgrademdt-fig4-selecttask.png differ
diff --git a/windows/configure/images/upgrademdt-fig5-winupgrade.png b/windows/configure/images/upgrademdt-fig5-winupgrade.png
new file mode 100644
index 0000000000..f3bc05508a
Binary files /dev/null and b/windows/configure/images/upgrademdt-fig5-winupgrade.png differ
diff --git a/windows/configure/images/uwp-dependencies.PNG b/windows/configure/images/uwp-dependencies.PNG
new file mode 100644
index 0000000000..4e2563169f
Binary files /dev/null and b/windows/configure/images/uwp-dependencies.PNG differ
diff --git a/windows/configure/images/uwp-family.PNG b/windows/configure/images/uwp-family.PNG
new file mode 100644
index 0000000000..bec731eec4
Binary files /dev/null and b/windows/configure/images/uwp-family.PNG differ
diff --git a/windows/configure/images/uwp-license.PNG b/windows/configure/images/uwp-license.PNG
new file mode 100644
index 0000000000..ccb5cf7cf4
Binary files /dev/null and b/windows/configure/images/uwp-license.PNG differ
diff --git a/windows/configure/images/vamtuserinterfaceupdated.jpg b/windows/configure/images/vamtuserinterfaceupdated.jpg
new file mode 100644
index 0000000000..32ce362c60
Binary files /dev/null and b/windows/configure/images/vamtuserinterfaceupdated.jpg differ
diff --git a/windows/configure/images/volumeactivationforwindows81-01.jpg b/windows/configure/images/volumeactivationforwindows81-01.jpg
new file mode 100644
index 0000000000..f6042a82a9
Binary files /dev/null and b/windows/configure/images/volumeactivationforwindows81-01.jpg differ
diff --git a/windows/configure/images/volumeactivationforwindows81-02.jpg b/windows/configure/images/volumeactivationforwindows81-02.jpg
new file mode 100644
index 0000000000..630d9a03e2
Binary files /dev/null and b/windows/configure/images/volumeactivationforwindows81-02.jpg differ
diff --git a/windows/configure/images/volumeactivationforwindows81-03.jpg b/windows/configure/images/volumeactivationforwindows81-03.jpg
new file mode 100644
index 0000000000..27962b207c
Binary files /dev/null and b/windows/configure/images/volumeactivationforwindows81-03.jpg differ
diff --git a/windows/configure/images/volumeactivationforwindows81-04.jpg b/windows/configure/images/volumeactivationforwindows81-04.jpg
new file mode 100644
index 0000000000..d5b572f1aa
Binary files /dev/null and b/windows/configure/images/volumeactivationforwindows81-04.jpg differ
diff --git a/windows/configure/images/volumeactivationforwindows81-05.jpg b/windows/configure/images/volumeactivationforwindows81-05.jpg
new file mode 100644
index 0000000000..a4bd9776ac
Binary files /dev/null and b/windows/configure/images/volumeactivationforwindows81-05.jpg differ
diff --git a/windows/configure/images/volumeactivationforwindows81-06.jpg b/windows/configure/images/volumeactivationforwindows81-06.jpg
new file mode 100644
index 0000000000..c29a628b05
Binary files /dev/null and b/windows/configure/images/volumeactivationforwindows81-06.jpg differ
diff --git a/windows/configure/images/volumeactivationforwindows81-07.jpg b/windows/configure/images/volumeactivationforwindows81-07.jpg
new file mode 100644
index 0000000000..346cbaa5c1
Binary files /dev/null and b/windows/configure/images/volumeactivationforwindows81-07.jpg differ
diff --git a/windows/configure/images/volumeactivationforwindows81-08.jpg b/windows/configure/images/volumeactivationforwindows81-08.jpg
new file mode 100644
index 0000000000..eff421d6bb
Binary files /dev/null and b/windows/configure/images/volumeactivationforwindows81-08.jpg differ
diff --git a/windows/configure/images/volumeactivationforwindows81-09.jpg b/windows/configure/images/volumeactivationforwindows81-09.jpg
new file mode 100644
index 0000000000..1e3cf9c0d8
Binary files /dev/null and b/windows/configure/images/volumeactivationforwindows81-09.jpg differ
diff --git a/windows/configure/images/volumeactivationforwindows81-10.jpg b/windows/configure/images/volumeactivationforwindows81-10.jpg
new file mode 100644
index 0000000000..d3cd196c34
Binary files /dev/null and b/windows/configure/images/volumeactivationforwindows81-10.jpg differ
diff --git a/windows/configure/images/volumeactivationforwindows81-11.jpg b/windows/configure/images/volumeactivationforwindows81-11.jpg
new file mode 100644
index 0000000000..72e4b613da
Binary files /dev/null and b/windows/configure/images/volumeactivationforwindows81-11.jpg differ
diff --git a/windows/configure/images/volumeactivationforwindows81-12.jpg b/windows/configure/images/volumeactivationforwindows81-12.jpg
new file mode 100644
index 0000000000..9e44ec24f0
Binary files /dev/null and b/windows/configure/images/volumeactivationforwindows81-12.jpg differ
diff --git a/windows/configure/images/volumeactivationforwindows81-13.jpg b/windows/configure/images/volumeactivationforwindows81-13.jpg
new file mode 100644
index 0000000000..e599fcd528
Binary files /dev/null and b/windows/configure/images/volumeactivationforwindows81-13.jpg differ
diff --git a/windows/configure/images/volumeactivationforwindows81-14.jpg b/windows/configure/images/volumeactivationforwindows81-14.jpg
new file mode 100644
index 0000000000..3b3cbc18cb
Binary files /dev/null and b/windows/configure/images/volumeactivationforwindows81-14.jpg differ
diff --git a/windows/configure/images/volumeactivationforwindows81-15.jpg b/windows/configure/images/volumeactivationforwindows81-15.jpg
new file mode 100644
index 0000000000..792b24b282
Binary files /dev/null and b/windows/configure/images/volumeactivationforwindows81-15.jpg differ
diff --git a/windows/configure/images/volumeactivationforwindows81-16.jpg b/windows/configure/images/volumeactivationforwindows81-16.jpg
new file mode 100644
index 0000000000..facdf1d084
Binary files /dev/null and b/windows/configure/images/volumeactivationforwindows81-16.jpg differ
diff --git a/windows/configure/images/volumeactivationforwindows81-17.jpg b/windows/configure/images/volumeactivationforwindows81-17.jpg
new file mode 100644
index 0000000000..0f4c683b7e
Binary files /dev/null and b/windows/configure/images/volumeactivationforwindows81-17.jpg differ
diff --git a/windows/configure/images/volumeactivationforwindows81-18.jpg b/windows/configure/images/volumeactivationforwindows81-18.jpg
new file mode 100644
index 0000000000..8728697ed8
Binary files /dev/null and b/windows/configure/images/volumeactivationforwindows81-18.jpg differ
diff --git a/windows/configure/images/volumeactivationforwindows81-19.jpg b/windows/configure/images/volumeactivationforwindows81-19.jpg
new file mode 100644
index 0000000000..db97a0ba0e
Binary files /dev/null and b/windows/configure/images/volumeactivationforwindows81-19.jpg differ
diff --git a/windows/configure/images/w10servicing-f1-branches.png b/windows/configure/images/w10servicing-f1-branches.png
new file mode 100644
index 0000000000..ac4a549aed
Binary files /dev/null and b/windows/configure/images/w10servicing-f1-branches.png differ
diff --git a/windows/configure/images/waas-active-hours-policy.PNG b/windows/configure/images/waas-active-hours-policy.PNG
new file mode 100644
index 0000000000..af80ef6652
Binary files /dev/null and b/windows/configure/images/waas-active-hours-policy.PNG differ
diff --git a/windows/configure/images/waas-active-hours.PNG b/windows/configure/images/waas-active-hours.PNG
new file mode 100644
index 0000000000..c262c302ed
Binary files /dev/null and b/windows/configure/images/waas-active-hours.PNG differ
diff --git a/windows/configure/images/waas-auto-update-policy.PNG b/windows/configure/images/waas-auto-update-policy.PNG
new file mode 100644
index 0000000000..52a1629cbf
Binary files /dev/null and b/windows/configure/images/waas-auto-update-policy.PNG differ
diff --git a/windows/configure/images/waas-do-fig1.png b/windows/configure/images/waas-do-fig1.png
new file mode 100644
index 0000000000..2a2b6872e9
Binary files /dev/null and b/windows/configure/images/waas-do-fig1.png differ
diff --git a/windows/configure/images/waas-do-fig2.png b/windows/configure/images/waas-do-fig2.png
new file mode 100644
index 0000000000..cc42b328eb
Binary files /dev/null and b/windows/configure/images/waas-do-fig2.png differ
diff --git a/windows/configure/images/waas-do-fig3.png b/windows/configure/images/waas-do-fig3.png
new file mode 100644
index 0000000000..d9182d3b20
Binary files /dev/null and b/windows/configure/images/waas-do-fig3.png differ
diff --git a/windows/configure/images/waas-do-fig4.png b/windows/configure/images/waas-do-fig4.png
new file mode 100644
index 0000000000..a66741ed90
Binary files /dev/null and b/windows/configure/images/waas-do-fig4.png differ
diff --git a/windows/configure/images/waas-overview-patch.png b/windows/configure/images/waas-overview-patch.png
new file mode 100644
index 0000000000..6ac0a03227
Binary files /dev/null and b/windows/configure/images/waas-overview-patch.png differ
diff --git a/windows/configure/images/waas-restart-policy.PNG b/windows/configure/images/waas-restart-policy.PNG
new file mode 100644
index 0000000000..936f9aeb08
Binary files /dev/null and b/windows/configure/images/waas-restart-policy.PNG differ
diff --git a/windows/configure/images/waas-rings.png b/windows/configure/images/waas-rings.png
new file mode 100644
index 0000000000..041a59ce87
Binary files /dev/null and b/windows/configure/images/waas-rings.png differ
diff --git a/windows/configure/images/waas-sccm-fig1.png b/windows/configure/images/waas-sccm-fig1.png
new file mode 100644
index 0000000000..6bf2b1c621
Binary files /dev/null and b/windows/configure/images/waas-sccm-fig1.png differ
diff --git a/windows/configure/images/waas-sccm-fig10.png b/windows/configure/images/waas-sccm-fig10.png
new file mode 100644
index 0000000000..ad3b5c922f
Binary files /dev/null and b/windows/configure/images/waas-sccm-fig10.png differ
diff --git a/windows/configure/images/waas-sccm-fig11.png b/windows/configure/images/waas-sccm-fig11.png
new file mode 100644
index 0000000000..6c4f905630
Binary files /dev/null and b/windows/configure/images/waas-sccm-fig11.png differ
diff --git a/windows/configure/images/waas-sccm-fig12.png b/windows/configure/images/waas-sccm-fig12.png
new file mode 100644
index 0000000000..87464dd5f1
Binary files /dev/null and b/windows/configure/images/waas-sccm-fig12.png differ
diff --git a/windows/configure/images/waas-sccm-fig2.png b/windows/configure/images/waas-sccm-fig2.png
new file mode 100644
index 0000000000..c83e7bc781
Binary files /dev/null and b/windows/configure/images/waas-sccm-fig2.png differ
diff --git a/windows/configure/images/waas-sccm-fig3.png b/windows/configure/images/waas-sccm-fig3.png
new file mode 100644
index 0000000000..dcbc83b8ff
Binary files /dev/null and b/windows/configure/images/waas-sccm-fig3.png differ
diff --git a/windows/configure/images/waas-sccm-fig4.png b/windows/configure/images/waas-sccm-fig4.png
new file mode 100644
index 0000000000..782c5ca6ef
Binary files /dev/null and b/windows/configure/images/waas-sccm-fig4.png differ
diff --git a/windows/configure/images/waas-sccm-fig5.png b/windows/configure/images/waas-sccm-fig5.png
new file mode 100644
index 0000000000..cb399a6c6f
Binary files /dev/null and b/windows/configure/images/waas-sccm-fig5.png differ
diff --git a/windows/configure/images/waas-sccm-fig6.png b/windows/configure/images/waas-sccm-fig6.png
new file mode 100644
index 0000000000..77dd02d61e
Binary files /dev/null and b/windows/configure/images/waas-sccm-fig6.png differ
diff --git a/windows/configure/images/waas-sccm-fig7.png b/windows/configure/images/waas-sccm-fig7.png
new file mode 100644
index 0000000000..a74c7c8133
Binary files /dev/null and b/windows/configure/images/waas-sccm-fig7.png differ
diff --git a/windows/configure/images/waas-sccm-fig8.png b/windows/configure/images/waas-sccm-fig8.png
new file mode 100644
index 0000000000..2dfaf75ddf
Binary files /dev/null and b/windows/configure/images/waas-sccm-fig8.png differ
diff --git a/windows/configure/images/waas-sccm-fig9.png b/windows/configure/images/waas-sccm-fig9.png
new file mode 100644
index 0000000000..311d79dc94
Binary files /dev/null and b/windows/configure/images/waas-sccm-fig9.png differ
diff --git a/windows/configure/images/waas-strategy-fig1a.png b/windows/configure/images/waas-strategy-fig1a.png
new file mode 100644
index 0000000000..7a924c43bc
Binary files /dev/null and b/windows/configure/images/waas-strategy-fig1a.png differ
diff --git a/windows/configure/images/waas-wsus-fig1.png b/windows/configure/images/waas-wsus-fig1.png
new file mode 100644
index 0000000000..14bf35958a
Binary files /dev/null and b/windows/configure/images/waas-wsus-fig1.png differ
diff --git a/windows/configure/images/waas-wsus-fig10.png b/windows/configure/images/waas-wsus-fig10.png
new file mode 100644
index 0000000000..3efa119693
Binary files /dev/null and b/windows/configure/images/waas-wsus-fig10.png differ
diff --git a/windows/configure/images/waas-wsus-fig11.png b/windows/configure/images/waas-wsus-fig11.png
new file mode 100644
index 0000000000..ae6d79221a
Binary files /dev/null and b/windows/configure/images/waas-wsus-fig11.png differ
diff --git a/windows/configure/images/waas-wsus-fig12.png b/windows/configure/images/waas-wsus-fig12.png
new file mode 100644
index 0000000000..47479ea1df
Binary files /dev/null and b/windows/configure/images/waas-wsus-fig12.png differ
diff --git a/windows/configure/images/waas-wsus-fig13.png b/windows/configure/images/waas-wsus-fig13.png
new file mode 100644
index 0000000000..f0b1578094
Binary files /dev/null and b/windows/configure/images/waas-wsus-fig13.png differ
diff --git a/windows/configure/images/waas-wsus-fig14.png b/windows/configure/images/waas-wsus-fig14.png
new file mode 100644
index 0000000000..b5b930ddad
Binary files /dev/null and b/windows/configure/images/waas-wsus-fig14.png differ
diff --git a/windows/configure/images/waas-wsus-fig15.png b/windows/configure/images/waas-wsus-fig15.png
new file mode 100644
index 0000000000..95e38c039e
Binary files /dev/null and b/windows/configure/images/waas-wsus-fig15.png differ
diff --git a/windows/configure/images/waas-wsus-fig16.png b/windows/configure/images/waas-wsus-fig16.png
new file mode 100644
index 0000000000..3848ac1772
Binary files /dev/null and b/windows/configure/images/waas-wsus-fig16.png differ
diff --git a/windows/configure/images/waas-wsus-fig17.png b/windows/configure/images/waas-wsus-fig17.png
new file mode 100644
index 0000000000..5511da3e5c
Binary files /dev/null and b/windows/configure/images/waas-wsus-fig17.png differ
diff --git a/windows/configure/images/waas-wsus-fig18.png b/windows/configure/images/waas-wsus-fig18.png
new file mode 100644
index 0000000000..f9ac774754
Binary files /dev/null and b/windows/configure/images/waas-wsus-fig18.png differ
diff --git a/windows/configure/images/waas-wsus-fig19.png b/windows/configure/images/waas-wsus-fig19.png
new file mode 100644
index 0000000000..f69d793afe
Binary files /dev/null and b/windows/configure/images/waas-wsus-fig19.png differ
diff --git a/windows/configure/images/waas-wsus-fig2.png b/windows/configure/images/waas-wsus-fig2.png
new file mode 100644
index 0000000000..167774a6c9
Binary files /dev/null and b/windows/configure/images/waas-wsus-fig2.png differ
diff --git a/windows/configure/images/waas-wsus-fig20.png b/windows/configure/images/waas-wsus-fig20.png
new file mode 100644
index 0000000000..ea6bbb350a
Binary files /dev/null and b/windows/configure/images/waas-wsus-fig20.png differ
diff --git a/windows/configure/images/waas-wsus-fig3.png b/windows/configure/images/waas-wsus-fig3.png
new file mode 100644
index 0000000000..272e8c05e9
Binary files /dev/null and b/windows/configure/images/waas-wsus-fig3.png differ
diff --git a/windows/configure/images/waas-wsus-fig4.png b/windows/configure/images/waas-wsus-fig4.png
new file mode 100644
index 0000000000..bb5f27e3da
Binary files /dev/null and b/windows/configure/images/waas-wsus-fig4.png differ
diff --git a/windows/configure/images/waas-wsus-fig5.png b/windows/configure/images/waas-wsus-fig5.png
new file mode 100644
index 0000000000..23faf303c6
Binary files /dev/null and b/windows/configure/images/waas-wsus-fig5.png differ
diff --git a/windows/configure/images/waas-wsus-fig6.png b/windows/configure/images/waas-wsus-fig6.png
new file mode 100644
index 0000000000..7857351d19
Binary files /dev/null and b/windows/configure/images/waas-wsus-fig6.png differ
diff --git a/windows/configure/images/waas-wsus-fig7.png b/windows/configure/images/waas-wsus-fig7.png
new file mode 100644
index 0000000000..e7f02649d2
Binary files /dev/null and b/windows/configure/images/waas-wsus-fig7.png differ
diff --git a/windows/configure/images/waas-wsus-fig8.png b/windows/configure/images/waas-wsus-fig8.png
new file mode 100644
index 0000000000..da5f620425
Binary files /dev/null and b/windows/configure/images/waas-wsus-fig8.png differ
diff --git a/windows/configure/images/waas-wsus-fig9.png b/windows/configure/images/waas-wsus-fig9.png
new file mode 100644
index 0000000000..f3d5a4eb6a
Binary files /dev/null and b/windows/configure/images/waas-wsus-fig9.png differ
diff --git a/windows/configure/images/waas-wufb-gp-broad.png b/windows/configure/images/waas-wufb-gp-broad.png
new file mode 100644
index 0000000000..92b71c8936
Binary files /dev/null and b/windows/configure/images/waas-wufb-gp-broad.png differ
diff --git a/windows/configure/images/waas-wufb-gp-cb2-settings.png b/windows/configure/images/waas-wufb-gp-cb2-settings.png
new file mode 100644
index 0000000000..ae6ed4d856
Binary files /dev/null and b/windows/configure/images/waas-wufb-gp-cb2-settings.png differ
diff --git a/windows/configure/images/waas-wufb-gp-cb2.png b/windows/configure/images/waas-wufb-gp-cb2.png
new file mode 100644
index 0000000000..006a8c02d3
Binary files /dev/null and b/windows/configure/images/waas-wufb-gp-cb2.png differ
diff --git a/windows/configure/images/waas-wufb-gp-cbb1-settings.png b/windows/configure/images/waas-wufb-gp-cbb1-settings.png
new file mode 100644
index 0000000000..c9e1029b8b
Binary files /dev/null and b/windows/configure/images/waas-wufb-gp-cbb1-settings.png differ
diff --git a/windows/configure/images/waas-wufb-gp-cbb2-settings.png b/windows/configure/images/waas-wufb-gp-cbb2-settings.png
new file mode 100644
index 0000000000..e5aff1cc89
Binary files /dev/null and b/windows/configure/images/waas-wufb-gp-cbb2-settings.png differ
diff --git a/windows/configure/images/waas-wufb-gp-cbb2q-settings.png b/windows/configure/images/waas-wufb-gp-cbb2q-settings.png
new file mode 100644
index 0000000000..33a02165c6
Binary files /dev/null and b/windows/configure/images/waas-wufb-gp-cbb2q-settings.png differ
diff --git a/windows/configure/images/waas-wufb-gp-create.png b/windows/configure/images/waas-wufb-gp-create.png
new file mode 100644
index 0000000000..d74eec4b2e
Binary files /dev/null and b/windows/configure/images/waas-wufb-gp-create.png differ
diff --git a/windows/configure/images/waas-wufb-gp-edit-defer.png b/windows/configure/images/waas-wufb-gp-edit-defer.png
new file mode 100644
index 0000000000..c697b42ffd
Binary files /dev/null and b/windows/configure/images/waas-wufb-gp-edit-defer.png differ
diff --git a/windows/configure/images/waas-wufb-gp-edit.png b/windows/configure/images/waas-wufb-gp-edit.png
new file mode 100644
index 0000000000..1b8d21a175
Binary files /dev/null and b/windows/configure/images/waas-wufb-gp-edit.png differ
diff --git a/windows/configure/images/waas-wufb-gp-scope-cb2.png b/windows/configure/images/waas-wufb-gp-scope-cb2.png
new file mode 100644
index 0000000000..fcacdbea57
Binary files /dev/null and b/windows/configure/images/waas-wufb-gp-scope-cb2.png differ
diff --git a/windows/configure/images/waas-wufb-gp-scope.png b/windows/configure/images/waas-wufb-gp-scope.png
new file mode 100644
index 0000000000..a04d8194df
Binary files /dev/null and b/windows/configure/images/waas-wufb-gp-scope.png differ
diff --git a/windows/configure/images/waas-wufb-intune-cb2a.png b/windows/configure/images/waas-wufb-intune-cb2a.png
new file mode 100644
index 0000000000..3e8c1ce19e
Binary files /dev/null and b/windows/configure/images/waas-wufb-intune-cb2a.png differ
diff --git a/windows/configure/images/waas-wufb-intune-cbb1a.png b/windows/configure/images/waas-wufb-intune-cbb1a.png
new file mode 100644
index 0000000000..bc394fe563
Binary files /dev/null and b/windows/configure/images/waas-wufb-intune-cbb1a.png differ
diff --git a/windows/configure/images/waas-wufb-intune-cbb2a.png b/windows/configure/images/waas-wufb-intune-cbb2a.png
new file mode 100644
index 0000000000..a980e0e43a
Binary files /dev/null and b/windows/configure/images/waas-wufb-intune-cbb2a.png differ
diff --git a/windows/configure/images/waas-wufb-intune-step11a.png b/windows/configure/images/waas-wufb-intune-step11a.png
new file mode 100644
index 0000000000..7291484c93
Binary files /dev/null and b/windows/configure/images/waas-wufb-intune-step11a.png differ
diff --git a/windows/configure/images/waas-wufb-intune-step19a.png b/windows/configure/images/waas-wufb-intune-step19a.png
new file mode 100644
index 0000000000..de132abd28
Binary files /dev/null and b/windows/configure/images/waas-wufb-intune-step19a.png differ
diff --git a/windows/configure/images/waas-wufb-intune-step2a.png b/windows/configure/images/waas-wufb-intune-step2a.png
new file mode 100644
index 0000000000..9a719b8fda
Binary files /dev/null and b/windows/configure/images/waas-wufb-intune-step2a.png differ
diff --git a/windows/configure/images/waas-wufb-intune-step7a.png b/windows/configure/images/waas-wufb-intune-step7a.png
new file mode 100644
index 0000000000..daa96ba18c
Binary files /dev/null and b/windows/configure/images/waas-wufb-intune-step7a.png differ
diff --git a/windows/configure/images/who-owns-pc.png b/windows/configure/images/who-owns-pc.png
new file mode 100644
index 0000000000..d3ce1def8d
Binary files /dev/null and b/windows/configure/images/who-owns-pc.png differ
diff --git a/windows/configure/images/wifisense-grouppolicy.png b/windows/configure/images/wifisense-grouppolicy.png
new file mode 100644
index 0000000000..1142d834bd
Binary files /dev/null and b/windows/configure/images/wifisense-grouppolicy.png differ
diff --git a/windows/configure/images/wifisense-registry.png b/windows/configure/images/wifisense-registry.png
new file mode 100644
index 0000000000..cbb1fa8347
Binary files /dev/null and b/windows/configure/images/wifisense-registry.png differ
diff --git a/windows/configure/images/wifisense-settingscreens.png b/windows/configure/images/wifisense-settingscreens.png
new file mode 100644
index 0000000000..cbb6903177
Binary files /dev/null and b/windows/configure/images/wifisense-settingscreens.png differ
diff --git a/windows/configure/images/win-10-adk-select.png b/windows/configure/images/win-10-adk-select.png
new file mode 100644
index 0000000000..1dfaa23175
Binary files /dev/null and b/windows/configure/images/win-10-adk-select.png differ
diff --git a/windows/configure/images/win10-mobile-mdm-fig1.png b/windows/configure/images/win10-mobile-mdm-fig1.png
new file mode 100644
index 0000000000..6ddac1df99
Binary files /dev/null and b/windows/configure/images/win10-mobile-mdm-fig1.png differ
diff --git a/windows/configure/images/win10-set-up-work-or-school.png b/windows/configure/images/win10-set-up-work-or-school.png
new file mode 100644
index 0000000000..0ca83fb0e1
Binary files /dev/null and b/windows/configure/images/win10-set-up-work-or-school.png differ
diff --git a/windows/configure/images/win10servicing-fig2-featureupgrade.png b/windows/configure/images/win10servicing-fig2-featureupgrade.png
new file mode 100644
index 0000000000..e4dc76b44f
Binary files /dev/null and b/windows/configure/images/win10servicing-fig2-featureupgrade.png differ
diff --git a/windows/configure/images/win10servicing-fig3.png b/windows/configure/images/win10servicing-fig3.png
new file mode 100644
index 0000000000..688f92b173
Binary files /dev/null and b/windows/configure/images/win10servicing-fig3.png differ
diff --git a/windows/configure/images/win10servicing-fig4-upgradereleases.png b/windows/configure/images/win10servicing-fig4-upgradereleases.png
new file mode 100644
index 0000000000..961c8bebe2
Binary files /dev/null and b/windows/configure/images/win10servicing-fig4-upgradereleases.png differ
diff --git a/windows/configure/images/win10servicing-fig5.png b/windows/configure/images/win10servicing-fig5.png
new file mode 100644
index 0000000000..dc4b2fc5b2
Binary files /dev/null and b/windows/configure/images/win10servicing-fig5.png differ
diff --git a/windows/configure/images/win10servicing-fig6.png b/windows/configure/images/win10servicing-fig6.png
new file mode 100644
index 0000000000..4cdc5f9c6f
Binary files /dev/null and b/windows/configure/images/win10servicing-fig6.png differ
diff --git a/windows/configure/images/win10servicing-fig7.png b/windows/configure/images/win10servicing-fig7.png
new file mode 100644
index 0000000000..0a9a851449
Binary files /dev/null and b/windows/configure/images/win10servicing-fig7.png differ
diff --git a/windows/configure/images/windows-10-management-cyod-byod-flow.png b/windows/configure/images/windows-10-management-cyod-byod-flow.png
new file mode 100644
index 0000000000..6121e93832
Binary files /dev/null and b/windows/configure/images/windows-10-management-cyod-byod-flow.png differ
diff --git a/windows/configure/images/windows-10-management-gp-intune-flow.png b/windows/configure/images/windows-10-management-gp-intune-flow.png
new file mode 100644
index 0000000000..c9e3f2ea31
Binary files /dev/null and b/windows/configure/images/windows-10-management-gp-intune-flow.png differ
diff --git a/windows/configure/images/windows-10-management-range-of-options.png b/windows/configure/images/windows-10-management-range-of-options.png
new file mode 100644
index 0000000000..e4de546709
Binary files /dev/null and b/windows/configure/images/windows-10-management-range-of-options.png differ
diff --git a/windows/configure/images/windows-icd.png b/windows/configure/images/windows-icd.png
new file mode 100644
index 0000000000..4bc8a18f4c
Binary files /dev/null and b/windows/configure/images/windows-icd.png differ
diff --git a/windows/configure/images/wsfb-distribute.png b/windows/configure/images/wsfb-distribute.png
new file mode 100644
index 0000000000..d0482f6ebe
Binary files /dev/null and b/windows/configure/images/wsfb-distribute.png differ
diff --git a/windows/configure/images/wsfb-firstrun.png b/windows/configure/images/wsfb-firstrun.png
new file mode 100644
index 0000000000..2673567a1e
Binary files /dev/null and b/windows/configure/images/wsfb-firstrun.png differ
diff --git a/windows/configure/images/wsfb-inventory-viewlicense.png b/windows/configure/images/wsfb-inventory-viewlicense.png
new file mode 100644
index 0000000000..9fafad1aff
Binary files /dev/null and b/windows/configure/images/wsfb-inventory-viewlicense.png differ
diff --git a/windows/configure/images/wsfb-inventory.png b/windows/configure/images/wsfb-inventory.png
new file mode 100644
index 0000000000..b060fb30e4
Binary files /dev/null and b/windows/configure/images/wsfb-inventory.png differ
diff --git a/windows/configure/images/wsfb-inventoryaddprivatestore.png b/windows/configure/images/wsfb-inventoryaddprivatestore.png
new file mode 100644
index 0000000000..bb1152e35b
Binary files /dev/null and b/windows/configure/images/wsfb-inventoryaddprivatestore.png differ
diff --git a/windows/configure/images/wsfb-landing.png b/windows/configure/images/wsfb-landing.png
new file mode 100644
index 0000000000..beae0b52af
Binary files /dev/null and b/windows/configure/images/wsfb-landing.png differ
diff --git a/windows/configure/images/wsfb-licenseassign.png b/windows/configure/images/wsfb-licenseassign.png
new file mode 100644
index 0000000000..5904abb3b9
Binary files /dev/null and b/windows/configure/images/wsfb-licenseassign.png differ
diff --git a/windows/configure/images/wsfb-licensedetails.png b/windows/configure/images/wsfb-licensedetails.png
new file mode 100644
index 0000000000..53e0f5c935
Binary files /dev/null and b/windows/configure/images/wsfb-licensedetails.png differ
diff --git a/windows/configure/images/wsfb-licensereclaim.png b/windows/configure/images/wsfb-licensereclaim.png
new file mode 100644
index 0000000000..9f94cd3600
Binary files /dev/null and b/windows/configure/images/wsfb-licensereclaim.png differ
diff --git a/windows/configure/images/wsfb-manageinventory.png b/windows/configure/images/wsfb-manageinventory.png
new file mode 100644
index 0000000000..9a544ddc21
Binary files /dev/null and b/windows/configure/images/wsfb-manageinventory.png differ
diff --git a/windows/configure/images/wsfb-offline-distribute-mdm.png b/windows/configure/images/wsfb-offline-distribute-mdm.png
new file mode 100644
index 0000000000..ec0e77a9a9
Binary files /dev/null and b/windows/configure/images/wsfb-offline-distribute-mdm.png differ
diff --git a/windows/configure/images/wsfb-onboard-1.png b/windows/configure/images/wsfb-onboard-1.png
new file mode 100644
index 0000000000..012e91a845
Binary files /dev/null and b/windows/configure/images/wsfb-onboard-1.png differ
diff --git a/windows/configure/images/wsfb-onboard-2.png b/windows/configure/images/wsfb-onboard-2.png
new file mode 100644
index 0000000000..2ff98fb1f7
Binary files /dev/null and b/windows/configure/images/wsfb-onboard-2.png differ
diff --git a/windows/configure/images/wsfb-onboard-3.png b/windows/configure/images/wsfb-onboard-3.png
new file mode 100644
index 0000000000..ed9a61d353
Binary files /dev/null and b/windows/configure/images/wsfb-onboard-3.png differ
diff --git a/windows/configure/images/wsfb-onboard-4.png b/windows/configure/images/wsfb-onboard-4.png
new file mode 100644
index 0000000000..d99185ddc6
Binary files /dev/null and b/windows/configure/images/wsfb-onboard-4.png differ
diff --git a/windows/configure/images/wsfb-onboard-5.png b/windows/configure/images/wsfb-onboard-5.png
new file mode 100644
index 0000000000..68049f4425
Binary files /dev/null and b/windows/configure/images/wsfb-onboard-5.png differ
diff --git a/windows/configure/images/wsfb-onboard-7.png b/windows/configure/images/wsfb-onboard-7.png
new file mode 100644
index 0000000000..38b7348b21
Binary files /dev/null and b/windows/configure/images/wsfb-onboard-7.png differ
diff --git a/windows/configure/images/wsfb-online-distribute-mdm.png b/windows/configure/images/wsfb-online-distribute-mdm.png
new file mode 100644
index 0000000000..4b0f7cbf3a
Binary files /dev/null and b/windows/configure/images/wsfb-online-distribute-mdm.png differ
diff --git a/windows/configure/images/wsfb-paid-app-temp.png b/windows/configure/images/wsfb-paid-app-temp.png
new file mode 100644
index 0000000000..89e3857d07
Binary files /dev/null and b/windows/configure/images/wsfb-paid-app-temp.png differ
diff --git a/windows/configure/images/wsfb-permissions-assignrole.png b/windows/configure/images/wsfb-permissions-assignrole.png
new file mode 100644
index 0000000000..de2e1785ba
Binary files /dev/null and b/windows/configure/images/wsfb-permissions-assignrole.png differ
diff --git a/windows/configure/images/wsfb-private-store-gpo.PNG b/windows/configure/images/wsfb-private-store-gpo.PNG
new file mode 100644
index 0000000000..5e7fe44ec2
Binary files /dev/null and b/windows/configure/images/wsfb-private-store-gpo.PNG differ
diff --git a/windows/configure/images/wsfb-privatestore.png b/windows/configure/images/wsfb-privatestore.png
new file mode 100644
index 0000000000..74c9f1690d
Binary files /dev/null and b/windows/configure/images/wsfb-privatestore.png differ
diff --git a/windows/configure/images/wsfb-privatestoreapps.png b/windows/configure/images/wsfb-privatestoreapps.png
new file mode 100644
index 0000000000..1ddb543796
Binary files /dev/null and b/windows/configure/images/wsfb-privatestoreapps.png differ
diff --git a/windows/configure/images/wsfb-renameprivatestore.png b/windows/configure/images/wsfb-renameprivatestore.png
new file mode 100644
index 0000000000..c6db282581
Binary files /dev/null and b/windows/configure/images/wsfb-renameprivatestore.png differ
diff --git a/windows/configure/images/wsfb-settings-mgmt.png b/windows/configure/images/wsfb-settings-mgmt.png
new file mode 100644
index 0000000000..2a7b590d19
Binary files /dev/null and b/windows/configure/images/wsfb-settings-mgmt.png differ
diff --git a/windows/configure/images/wsfb-settings-permissions.png b/windows/configure/images/wsfb-settings-permissions.png
new file mode 100644
index 0000000000..63d04d270b
Binary files /dev/null and b/windows/configure/images/wsfb-settings-permissions.png differ
diff --git a/windows/configure/images/wsfb-wsappaddacct.png b/windows/configure/images/wsfb-wsappaddacct.png
new file mode 100644
index 0000000000..5c0bd9a4ce
Binary files /dev/null and b/windows/configure/images/wsfb-wsappaddacct.png differ
diff --git a/windows/configure/images/wsfb-wsappprivatestore.png b/windows/configure/images/wsfb-wsappprivatestore.png
new file mode 100644
index 0000000000..9c29e7604c
Binary files /dev/null and b/windows/configure/images/wsfb-wsappprivatestore.png differ
diff --git a/windows/configure/images/wsfb-wsappsignin.png b/windows/configure/images/wsfb-wsappsignin.png
new file mode 100644
index 0000000000..c2c2631a94
Binary files /dev/null and b/windows/configure/images/wsfb-wsappsignin.png differ
diff --git a/windows/configure/images/wsfb-wsappworkacct.png b/windows/configure/images/wsfb-wsappworkacct.png
new file mode 100644
index 0000000000..5eb9035124
Binary files /dev/null and b/windows/configure/images/wsfb-wsappworkacct.png differ
diff --git a/windows/configure/images/wufb-config1a.png b/windows/configure/images/wufb-config1a.png
new file mode 100644
index 0000000000..1514b87528
Binary files /dev/null and b/windows/configure/images/wufb-config1a.png differ
diff --git a/windows/configure/images/wufb-config2.png b/windows/configure/images/wufb-config2.png
new file mode 100644
index 0000000000..f54eef9a50
Binary files /dev/null and b/windows/configure/images/wufb-config2.png differ
diff --git a/windows/configure/images/wufb-config3a.png b/windows/configure/images/wufb-config3a.png
new file mode 100644
index 0000000000..538028cfdc
Binary files /dev/null and b/windows/configure/images/wufb-config3a.png differ
diff --git a/windows/configure/images/wufb-do.png b/windows/configure/images/wufb-do.png
new file mode 100644
index 0000000000..8d6c9d0b8a
Binary files /dev/null and b/windows/configure/images/wufb-do.png differ
diff --git a/windows/configure/images/wufb-groups.png b/windows/configure/images/wufb-groups.png
new file mode 100644
index 0000000000..13cdea04b0
Binary files /dev/null and b/windows/configure/images/wufb-groups.png differ
diff --git a/windows/configure/images/wufb-pause-feature.png b/windows/configure/images/wufb-pause-feature.png
new file mode 100644
index 0000000000..afeac43e29
Binary files /dev/null and b/windows/configure/images/wufb-pause-feature.png differ
diff --git a/windows/configure/images/wufb-qual.png b/windows/configure/images/wufb-qual.png
new file mode 100644
index 0000000000..4a93408522
Binary files /dev/null and b/windows/configure/images/wufb-qual.png differ
diff --git a/windows/configure/images/wufb-sccm.png b/windows/configure/images/wufb-sccm.png
new file mode 100644
index 0000000000..1d568c1fe4
Binary files /dev/null and b/windows/configure/images/wufb-sccm.png differ
diff --git a/windows/configure/images/x_blk.png b/windows/configure/images/x_blk.png
new file mode 100644
index 0000000000..69432ff71c
Binary files /dev/null and b/windows/configure/images/x_blk.png differ
diff --git a/windows/configure/index.md b/windows/configure/index.md
new file mode 100644
index 0000000000..bbe9b61e15
--- /dev/null
+++ b/windows/configure/index.md
@@ -0,0 +1,35 @@
+---
+title: Configure Windows 10 (Windows 10)
+description: Learn about configuring Windows 10.
+keywords: Windows 10, MDM, WSUS, Windows update
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: jdeckerMS
+---
+
+# Configure Windows 10
+
+Enterprises often need to apply custom configurations to devices for their users. Windows 10 provides a number of features and methods to help you configure or lock down specific parts of Windows 10.
+
+## In this section
+
+| Topic | Description |
+| --- | --- |
+| [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) | Use this article to make informed decisions about how you can configure Windows telemetry in your organization. |
+| [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro. |
+| [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense. The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10. |
+| [Configure kiosk and shared devices running Windows 10 desktop editions](kiosk-shared-pc.md) | These topics help you configure Windows 10 devices to be shared by multiple users or to run as a kiosk device that runs a single app. |
+| [Configure Windows 10 Mobile devices](configure-mobile.md) | These topics help you configure the features and apps and Start screen for a device running Windows 10 Mobile, as well as how to configure a kiosk device that runs a single app. |
+| [Configure Start, taskbar, and lock screen](start-taskbar-lockscreen.md) | A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default. |
+| [Cortana integration in your business or enterprise](cortana-at-work-overview.md) | The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments. |
+| [Configure access to Windows Store](stop-employees-from-using-the-windows-store.md) | IT Pros can configure access to Windows Store for client computers in their organization. For some organizations, business policies require blocking access to Windows Store. |
+| [Provisioning packages for Windows 10](provisioning-packages.md) | Learn how to use the Windows Configuration Designer and provisioning packages to easily configure multiple devices. |
+| [Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md) | Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. |
+| [Change history for Configure Windows 10](change-history-for-configure-windows-10.md) | This topic lists new and updated topics in the Configure Windows 10 documentation for Windows 10 and Windows 10 Mobile. |
+
+
+
+
diff --git a/windows/configure/kiosk-shared-pc.md b/windows/configure/kiosk-shared-pc.md
new file mode 100644
index 0000000000..2afc67e022
--- /dev/null
+++ b/windows/configure/kiosk-shared-pc.md 
@@ -0,0 +1,23 @@ +--- +title: Configure kiosk and shared devices running Windows desktop editions (Windows 10) +description: +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: jdeckerMS +--- + +# Configure kiosk and shared devices running Windows desktop editions + +Some desktop devices in an enterprise serve a special purpose, such as a common PC in a touchdown space that any employee can sign in to, or a PC in the lobby that customers can use to view your product catalog. Windows 10 is easy to configure for shared use or for use as a kiosk (single app). + +## In this section + +| Topic | Description | +| --- | --- | +| [Set up a shared or guest PC with Windows 10](set-up-a-device-for-anyone-to-use.md) | Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. | +| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | You can configure a device running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education as a kiosk device, so that users can only interact with a single application that you select. | +| [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience. This topic provides guidelines to help you choose an approprate app for a kiosk device. | +| [Lock down Windows 10 to specific apps (AppLocker)](lock-down-windows-10-to-specific-apps.md) | Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to a kiosk device, but with multiple apps available. 
For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings. | \ No newline at end of file diff --git a/windows/manage/lock-down-windows-10-to-specific-apps.md b/windows/configure/lock-down-windows-10-to-specific-apps.md similarity index 97% rename from windows/manage/lock-down-windows-10-to-specific-apps.md rename to windows/configure/lock-down-windows-10-to-specific-apps.md index 8ab992a6f0..8ae79ef7f2 100644 --- a/windows/manage/lock-down-windows-10-to-specific-apps.md +++ b/windows/configure/lock-down-windows-10-to-specific-apps.md @@ -112,14 +112,11 @@ In addition to specifying the apps that users can run, you should also restrict To learn more about locking down features, see [Customizations for Windows 10 Enterprise](https://go.microsoft.com/fwlink/p/?LinkId=691442). -## Customize Start screen layout for the device +## Customize Start screen layout for the device (recommended) Configure the Start menu on the device to only show tiles for the permitted apps. You will make the changes manually, export the layout to an .xml file, and then apply that file to devices to prevent users from making changes. For instructions, see [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md). -## Related topics - -- [Provisioning packages for Windows 10](../deploy/provisioning-packages.md)   diff --git a/windows/configure/lock-down-windows-10.md b/windows/configure/lock-down-windows-10.md new file mode 100644 index 0000000000..d4ab1e35cb --- /dev/null +++ b/windows/configure/lock-down-windows-10.md 
@@ -0,0 +1,15 @@
+---
+title: Lock down Windows 10 (Windows 10)
+description: Windows 10 provides a number of features and methods to help you lock down specific parts of a Windows 10 device.
+ms.assetid: 955BCD92-0A1A-4C48-98A8-30D7FAF2067D
+keywords: lockdown
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security, mobile
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Lock down Windows 10
+
diff --git a/windows/manage/lockdown-features-windows-10.md b/windows/configure/lockdown-features-windows-10.md
similarity index 100%
rename from windows/manage/lockdown-features-windows-10.md
rename to windows/configure/lockdown-features-windows-10.md
diff --git a/windows/manage/lockdown-xml.md b/windows/configure/lockdown-xml.md
similarity index 88%
rename from windows/manage/lockdown-xml.md
rename to windows/configure/lockdown-xml.md
index 936ed8c310..7525f64aa6 100644
--- a/windows/manage/lockdown-xml.md
+++ b/windows/configure/lockdown-xml.md
@@ -19,9 +19,9 @@ localizationpriority: high Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. For example, the enterprise can lock down a device so that only applications and settings in an allow list are available. -This topic provides example XML that you can use in your own lockdown XML file that can be included in a provisioning package or when using a mobile device management (MDM) solution to push lockdown settings to enrolled devices. +This is accomplished using Lockdown XML, an XML file that contains settings for Windows 10 Mobile. When you deploy the lockdown XML file to a device, it is saved on the device as **wehlockdown.xml**. When the device boots, it looks for wehlockdown.xml and applies any settings configured in the file. -Lockdown XML is an XML file that contains settings for Windows 10 Mobile. When you deploy the lockdown XML file to a device, it is saved on the device as **wehlockdown.xml**. When the device boots, it looks for wehlockdown.xml and applies any settings configured in the file. In this topic, you'll learn how to create an XML file that contains all lockdown entries available in the AssignedAccessXml area of the [EnterpriseAssignedAccess configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkID=618601). +In this topic, you'll learn how to create an XML file that contains all lockdown entries available in the AssignedAccessXml area of the [EnterpriseAssignedAccess configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseassignedaccess-csp). This topic provides example XML that you can use in your own lockdown XML file that can be included in a provisioning package or when using a mobile device management (MDM) solution to push lockdown settings to enrolled devices. 
You can also use the [Lockdown Designer app](mobile-lockdown-designer.md) to configure and export your lockdown XML file. > [!NOTE] > On Windows 10 desktop editions, *assigned access* is a feature that lets you configure the device to run a single app above the lockscreen ([kiosk mode](set-up-a-device-for-anyone-to-use.md)). On a Windows 10 Mobile device, assigned access refers to the lockdown settings in AssignedAccessXml in the [EnterpriseAssignedAccess configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkID=618601). @@ -33,17 +33,17 @@ If you're not familiar with CSPs, read [Introduction to configuration service pr Let's start by looking at the basic structure of the lockdown XML file. You can start your file by pasting the following XML (or any other examples in this topic) into a text or XML editor, and saving the file as *filename*.xml. ```xml - - + + - - - - - - - - + + + + + + + + ``` @@ -52,7 +52,8 @@ Let's start by looking at the basic structure of the lockdown XML file. You can The settings for the Default role and other roles must be listed in your XML file in the order presented in this topic. All of the entries are optional. If you don't include a setting, that aspect of the device will operate as it would for an nonconfigured device. -> **Tip**  Keep your XML file easy to work with and to understand by using proper indentation and adding comments for each setting you configure. +>[!TIP] +>Keep your XML file easy to work with and to understand by using proper indentation and adding comments for each setting you configure. ## Action Center 
@@ -325,27 +326,28 @@ Use DisableMenuItems to prevent use of the context menu, which is displayed when ![XML for settings](images/SettingsXML.png) -The **Settings** section contains an `allow` list of pages in the Settings app. The following example allows all settings. +The **Settings** section contains an `allow` list of pages in the Settings app and quick actions. The following example allows all settings. ```xml ``` -In the following example, all system setting pages are enabled. +In earlier versions of Windows 10, you used the page name to define allowed settings. Starting in Windows 10, version 1703, you use the settings URI. + +In the following example for Windows 10, version 1703, all system setting pages that have a settings URI are enabled. ```xml - - - - - - - - - - + + + + + + + + + ``` 
@@ -372,58 +374,61 @@ For a list of the settings and quick actions that you can allow or block, see [S ## Start screen size Specify the size of the Start screen. In addition to 4/6 columns, you can also use 4/6/8 depending on screen resolutions. Valid values: - * Small sets the width to 4 columns on devices with short axis (less than 400epx) or 6 columns on devices with short axis (greater than or equal to 400epx). - * Large sets the width to 6 columns on devices with short axis (less than 400epx) or 8 columns on devices with short axis (greater than or equal to 400epx). - + - Small sets the width to 4 columns on devices with short axis (less than 400epx) or 6 columns on devices with short axis (greater than or equal to 400epx). + - Large sets the width to 6 columns on devices with short axis (less than 400epx) or 8 columns on devices with short axis (greater than or equal to 400epx). + If you have existing lockdown xml, you must update start screen size if your device has >=400epx on its short axis so that tiles on Start can fill all 8 columns if you want to use all 8 columns instead of 6, or use 6 columns instead of 4. [Learn about effective pixel width (epx) for different device size classes.](https://go.microsoft.com/fwlink/p/?LinkId=733340) - ## Configure additional roles +## Configure additional roles - You can add custom configurations by role. In addition to the role configuration, you must also install a login application on the device. The app displays a list of available roles on the device; the user taps a role, such as "Manager"; the configuration defined for the "Manager" role is applied. +You can add custom configurations by role. In addition to the role configuration, you must also install a login application on the device. The app displays a list of available roles on the device; the user taps a role, such as "Manager"; the configuration defined for the "Manager" role is applied. 
- [Learn how to create a login application that will work with your Lockdown XML file.](https://github.com/Microsoft/Windows-universal-samples/tree/master/Samples/DeviceLockdownAzureLogin) For reference, see the [Windows.Embedded.DeviceLockdown API](https://msdn.microsoft.com/library/windows/apps/windows.embedded.devicelockdown). +[Learn how to create a login application that will work with your Lockdown XML file.](https://github.com/Microsoft/Windows-universal-samples/tree/master/Samples/DeviceLockdownAzureLogin) For reference, see the [Windows.Embedded.DeviceLockdown API](https://msdn.microsoft.com/library/windows/apps/windows.embedded.devicelockdown). - In the XML file, you define each role with a GUID and name, as shown in the following example: +In the XML file, you define each role with a GUID and name, as shown in the following example: - ```xml - - ``` +```xml + +``` + +You can create a GUID using a GUID generator -- free tools are available online. The GUID needs to be unique within this XML file. - You can create a GUID using a GUID generator -- free tools are available online. The GUID needs to be unique within this XML file. +You can configure the same settings for each role as you did for the default role, except Start screen size which can only be configured for the default role. If you use CSPRunner with roles, be aware that the last CSP setting applied will be retained across roles unless explicitly changed in each role configuration. CSP settings applied by CSPRunner may conflict with settings applied by MDM. - You can configure the same settings for each role as you did for the default role, except Start screen size which can only be configured for the default role. If you use CSPRunner with roles, be aware that the last CSP setting applied will be retained across roles unless explicitly changed in each role configuration. CSP settings applied by CSPRunner may conflict with settings applied by MDM. 
- - ```xml +```xml - - - - - - - - + + + + + + + + - - - - - - - + + + + + + + - ``` + +## Validate your XML + +You can validate your lockdown XML file against the [EnterpriseAssignedAccess XSD](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseassignedaccess-xsd). ## Add lockdown XML to a provisioning package @@ -605,13 +610,12 @@ To push lockdown settings to enrolled devices, use the AssignedAccessXML setting - - - - + + + - - + + @@ -706,17 +710,16 @@ To push lockdown settings to enrolled devices, use the AssignedAccessXML setting - - - - - + + + + - - + + - - + + @@ -858,13 +861,4 @@ To push lockdown settings to enrolled devices, use the AssignedAccessXML setting [Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md) -[Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md) - -  - -  - - - - - +[Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md) \ No newline at end of file diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md similarity index 99% rename from windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md rename to windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 83ba743e69..e0cfbed2c9 100644 --- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -1259,7 +1259,7 @@ If you're not running Windows 10, version 1607 or later, you can use the other o - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences**. -For more info, see [Windows Spotlight on the lock screen](../manage/windows-spotlight.md). +For more info, see [Windows Spotlight on the lock screen](../configure/windows-spotlight.md). ### 24. Windows Store diff --git a/windows/manage/manage-tips-and-suggestions.md b/windows/configure/manage-tips-and-suggestions.md similarity index 97% rename from windows/manage/manage-tips-and-suggestions.md rename to windows/configure/manage-tips-and-suggestions.md index 547f77a1aa..c3394002a8 100644 --- a/windows/manage/manage-tips-and-suggestions.md +++ b/windows/configure/manage-tips-and-suggestions.md @@ -49,7 +49,7 @@ Windows 10, version 1607 (also known as the Anniversary Update), provides organi ## Related topics - [Manage Windows 10 Start layout](windows-10-start-layout-options-and-policies.md) -- [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) +- [Cortana integration in your business or enterprise](cortana-at-work-overview.md) - [Windows spotlight on the lock screen](../whats-new/windows-spotlight.md) - [Windows 10 editions for education customers](https://technet.microsoft.com/en-us/edu/windows/windows-editions-for-education-customers) diff --git a/windows/manage/manage-wifi-sense-in-enterprise.md b/windows/configure/manage-wifi-sense-in-enterprise.md similarity index 100% rename from windows/manage/manage-wifi-sense-in-enterprise.md rename to windows/configure/manage-wifi-sense-in-enterprise.md diff --git a/windows/configure/mobile-lockdown-designer.md b/windows/configure/mobile-lockdown-designer.md new file mode 100644 index 0000000000..ee7d0aa8b6 --- /dev/null +++ b/windows/configure/mobile-lockdown-designer.md 
@@ -0,0 +1,165 @@
+---
+title: Use the Lockdown Designer app to create a Lockdown XML file (Windows 10)
+description:
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: jdeckerMS
+---
+
+# Use the Lockdown Designer app to create a Lockdown XML file
+
+![Lockdown Designer in the Store](images/ldstore.png)
+
+Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. For example, the enterprise can lock down a device so that only applications and settings in an allow list are available. This is accomplished using Lockdown XML, an XML file that contains settings for Windows 10 Mobile.
+
+When you deploy the lockdown XML file to a device, it is saved on the device as **wehlockdown.xml**. When the device boots, it looks for wehlockdown.xml and applies any settings configured in the file.
+
+The Lockdown Designer app helps you configure and create a lockdown XML file that you can apply to devices running Windows 10 Mobile, version 1703, and includes a remote simulation to help you determine the layout for tiles on the Start screen. Lockdown Designer also validates the XML. Using Lockdown Designer is easier than [manually creating a lockdown XML file](lockdown-xml.md).
+
+
+
+## Overview
+
+Lockdown Designer can be installed on a PC running Windows 10, version 1607 or later. After you install the app, you connect a mobile device running Windows 10 Mobile, version 1703, to the PC.
+
+>[!NOTE]
+>Lockdown Designer will not make any changes to the connected device, but we recommend that you use a test device.
+
+Lockdown Designer will populate the available settings and apps to configure from the connected device. Using the different pages in the app, you select the settings, apps, and layout to be included in the lockdown XML.
+
+When you're done, you export the configuration to a lockdown XML file. This configuration can be applied to any device running Windows 10 Mobile, version 1703.
+
+>[!NOTE]
+>You can also import an existing WEHLockdown.xml file to Lockdown Designer and modify it in the app.
+
+## Prepare the test mobile device
+
+Perform these steps on the device running Windows 10 Mobile that you will use to supply the settings, apps, and layout to Lockdown Designer.
+
+1. Install all apps on the device that you want to include in the configuration, including line-of-business apps.
+
+2. On the mobile device, go to **Settings** > **Update & security** > **For developers**, enable **Developer mode**.
+
+3. Read the disclaimer, then click **Yes** to accept the change.
+
+4. Enable **Device discovery**, and then turn on **Device Portal**.
+
+## Prepare the PC
+
+[Install Lockdown Designer](https://www.microsoft.com/store/r/9nblggh40753) on the PC.
+
+If the PC and the test mobile device are on the same Wi-Fi network, you can connect the devices using Wi-Fi.
+
+If you want to connect the PC and the test mobile device using a USB cable, perform the following steps on the PC:
+
+1. [Install the Windows 10 Software Development Kit (SDK)](https://developer.microsoft.com/windows/downloads/windows-10-sdk). This enables the **Windows Phone IP over USB Transport (IpOverUsbSvc)** service.
+
+2. Open a command prompt as an administrator and run `checknetisolation LoopbackExempt -a -n=microsoft.lockdowndesigner_8wekyb3d8bbwe`
+
+ >[!NOTE]
+ >Loopback is permitted only for development purposes. To remove the loopback exemption when you're done using Lockdown Designer, run `checknetisolation LoopbackExempt -d -n=microsoft.lockdowndesigner_8wekyb3d8bbwe`
+
+
+
+
+## Connect the mobile device to Lockdown Designer
+
+**Using Wi-Fi**
+
+1. Open Lockdown Designer.
+
+2. Click **Create new project**.
+
+3. On the test mobile device, go to **Settings** > **Update & security** > **For developers** > **Connect using:** and get the IP address listed for **Wi-Fi**.
+
+2. On the **Project setting** > **General settings** page, in **Remote device IP address**, enter the IP address for the test mobile device, using `https://`.
+
+3. Click **Pair**.
+
+ ![Pair](images/ld-pair.png)
+
+ **Connect to remote device** appears.
+
+4. On the mobile device, under **Device discovery**, tap **Pair**. A case-sensitive code is displayed.
+
+5. On the PC, in **Connect to remote device**, enter the code from the mobile device.
+
+6. Next, click **Sync** to pull information from the device in to Lockdown Designer.
+
+ ![Sync](images/ld-sync.png)
+
+7. Click the **Save** icon and enter a name for your project.
+
+**Using a USB cable**
+
+1. Open Lockdown Designer.
+
+2. Click **Create new project**.
+
+2. Connect a Windows 10 Mobile device to the PC by USB and unlock the device.
+
+3. On the **Project setting** > **General settings** page, click **Pair**.
+
+ ![Pair](images/ld-pair.png)
+
+ **Connect to remote device** appears.
+
+4. On the mobile device, under **Device discovery**, tap **Pair**. A case-sensitive code is displayed.
+
+5. On the PC, in **Connect to remote device**, enter the code from the mobile device.
+
+6. Next, click **Sync** to pull information from the device in to Lockdown Designer.
+
+ ![Sync](images/ld-sync.png)
+
+7. Click the **Save** icon and enter a name for your project.
+
+
+## Configure your lockdown XML settings
+
+The apps and settings available in the pages of Lockdown Designer should now be populated from the test mobile device. The following table describes what you can configure on each page.
+
+| Page | Description |
+| --- | --- |
+| ![Applications](images/ld-apps.png) | Each app from the test mobile device is listed. Select the apps that you want visible to users.

You can select an app to run automatically when a user signs in to the device. The **Select Auto-Run** menu is populated by the apps that you select to allow on the device. | +| ![CSP Runner](images/ld-csp.png) | CSPRunner enables you to include settings and policies that are not defined in other sections of the app. To make use of CSPRunner, you must create the SyncML block that contains the settings, and then import the SyncML in Lockdown Designer. [Learn how to use CSPRunner and author SyncML.](lockdown-xml.md#csprunner) | +| ![Settings](images/ld-settings.png) | On this page, you select the settings that you want visible to users. See the [ms settings: URI scheme reference](https://docs.microsoft.com/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to see which Settings page maps to a URI. | +| ![Quick actions](images/ld-quick.png) | On this page, you select the settings that you want visible to users. | +| ![Buttons](images/ld-buttons.png) | Each hardware button on a mobile device has different actions that can be disabled. In addition, the behavior for **Search** button can be changed to open an app other than **Search**.

Some devices may have additional hardware buttons provided by the OEM. These are listed as Custom1, Custom2, and Custom3. If your device has custom hardware buttons, contact your equipment provider to identify how their custom buttons are defined. | +| ![Other settings](images/ld-other.png) | This page contains several settings that you can configure:

- The context menu is displayed when a user presses and holds an application in the All Apps list. You can enable or disable the context menu.

- Tile manipulation allows users to pin, unpin, move, and resize tiles on the Start screen. You can enable or disable tile manipulation.

- The Action Center setting controls whether the user can open the Action Center on the device. When the Action Center is disabled, notifications on the lockscreen and toasts are also disabled. You can use optional attributes with the Action Center element to change that behavior for either notifications, toasts, or both. | +| ![Start screen](images/ld-start.png) | On this page, you can start a remote simulation session with the test mobile device. Click **Start remote simulation**. You will see a **Start screen remote simulation in progress** message on the PC. (If the **Start remote simulation** button is not active, [pair the mobile device with the PC again](#pair).)

On the test mobile device, tiles for the apps that you allowed on the **Applications** page are displayed on the screen. You can move, resize, or unpin these tiles to achieve the desired layout.

When you are done changing the layout on the test mobile device, click **Accept** on the PC. | + + +## Validate and export + +On the **Validate and export** page, click **Validate** to make sure your lockdown XML is valid. + +>[!WARNING] +>Lockdown Designer cannot validate SyncML that you imported to CSPRunner. + +Click **Export** to generate the XML file for your project. You can select the location to save the file. + +## Create and configure multiple roles + +You can create additional roles for the device and have unique configurations for each role. For example, you could have one configuration for a **Manager** role and a different configuration for a **Salesperson** role. + +>[!NOTE] +>Using multiple roles on a device requires a login application that displays the list of roles and allows users to sign in to Azure Active Directory. [Learn how to create a login application that will work with your Lockdown XML file.](https://github.com/Microsoft/Windows-universal-samples/tree/master/Samples/DeviceLockdownAzureLogin) + +**For each role:** + +1. On the **Project setting** page, click **Role management**. + +2. Click **Add a role**. + +3. Enter a name for the role, and then click **Save**. + +4. Configure the settings for the role as above, but make sure on each page that you select the correct role. + + ![Current role selection box](images/ld-role.png) + + + diff --git a/windows/manage/product-ids-in-windows-10-mobile.md b/windows/configure/product-ids-in-windows-10-mobile.md similarity index 100% rename from windows/manage/product-ids-in-windows-10-mobile.md rename to windows/configure/product-ids-in-windows-10-mobile.md diff --git a/windows/configure/provision-pcs-for-initial-deployment.md b/windows/configure/provision-pcs-for-initial-deployment.md new file mode 100644 index 0000000000..c23f3d854c --- /dev/null +++ b/windows/configure/provision-pcs-for-initial-deployment.md 
@@ -0,0 +1,117 @@
+---
+title: Provision PCs with common settings (Windows 10)
+description: Create a provisioning package to apply common settings to a PC running Windows 10.
+ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E
+keywords: ["runtime provisioning", "provisioning package"]
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Provision PCs with common settings for initial deployment (desktop wizard)
+
+
+**Applies to**
+
+- Windows 10
+
+This topic explains how to create and apply a provisioning package that contains common enterprise settings to a device running all desktop editions of Windows 10 except Windows 10 Home.
+
+You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices.
+
+## Advantages
+- You can configure new devices without reimaging.
+
+- Works on both mobile and desktop devices.
+
+- No network connectivity required.
+
+- Simple to apply.
+
+[Learn more about the benefits and uses of provisioning packages.](provisioning-packages.md)
+
+## What does the desktop wizard do?
+
+The desktop wizard helps you configure the following settings in a provisioning package:
+
+- Set device name
+- Upgrade product edition
+- Configure the device for shared use
+- Remove pre-installed software
+- Configure Wi-Fi network
+- Enroll device in Active Directory or Azure Active Directory
+- Create local administrator account
+- Add applications and certificates
+
+>[!WARNING]
+>You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.
+
+Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more.
+ +> [!TIP] +> Use the desktop wizard to create a package with the common settings, then switch to the advanced editor to add other settings, apps, policies, etc. +> +>![open advanced editor](images/icd-simple-edit.png) + +## Create the provisioning package + +Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](provisioning-install-icd.md) + +1. Open Windows Configuration Designer (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe). + +2. Click **Provision desktop devices**. + + ![ICD start options](images/icd-create-options-1703.png) + +3. Name your project and click **Finish**. The pages for desktop provisioning will walk you through the following steps. + + ![ICD desktop provisioning](images/icd-desktop-1703.png) + +> [!IMPORTANT] +> When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. + +## Configure settings + + + + + + + + + +
![step one](images/one.png)![set up device](images/set-up-device.png)

Enter a name for the device.

(Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)

Toggle **Yes** or **No** to **Configure devices for shared use**. This setting optimizes Windows 10 for shared use scenarios. [Learn more about shared PC configuration.](set-up-shared-or-guest-pc.md)

You can also select to remove pre-installed software from the device.
![device name, upgrade to enterprise, shared use, remove pre-installed software](images/set-up-device-details-desktop.png)
![step two](images/two.png) ![set up network](images/set-up-network.png)

Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.
![Enter network SSID and type](images/set-up-network-details-desktop.png)
![step three](images/three.png) ![account management](images/account-management.png)

Enable account management if you want to configure settings on this page.

You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

To create a local administrator account, select that option and enter a user name and password.

**Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.
![join Active Directory, Azure AD, or create a local admin account](images/account-management-details.png)
![step four](images/four.png) ![add applications](images/add-applications.png)

You can install multiple applications, both Classic Windows (Win32) apps and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provision-pcs-with-apps.md).
![add an application](images/add-applications-details.png)
![step five](images/five.png) ![add certificates](images/add-certificates.png)

To provision the device with a certificate, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.
![add a certificate](images/add-certificates-details.png)
![finish](images/finish.png)

You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
![Protect your package](images/finish-details.png)
+ +After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page. + + **Next step**: [How to apply a provisioning package](provisioning-apply-package.md) + + +## Learn more + +- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) + +- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) + +  +## Related topics + +- [Provisioning packages for Windows 10](provisioning-packages.md) +- [How provisioning works in Windows 10](provisioning-how-it-works.md) +- [Install Windows Configuration Designer](provisioning-install-icd.md) +- [Create a provisioning package](provisioning-create-package.md) +- [Apply a provisioning package](provisioning-apply-package.md) +- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) +- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) +- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [NFC-based device provisioning](provisioning-nfc.md) +- [Use the package splitter tool](provisioning-package-splitter.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) +- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) + + + + + diff --git a/windows/deploy/provision-pcs-with-apps-and-certificates.md b/windows/configure/provision-pcs-with-apps-and-certificates.md similarity index 97% rename from windows/deploy/provision-pcs-with-apps-and-certificates.md rename to windows/configure/provision-pcs-with-apps-and-certificates.md index 6e4614a977..b5e03dbb14 100644 --- a/windows/deploy/provision-pcs-with-apps-and-certificates.md 
+++ b/windows/configure/provision-pcs-with-apps-and-certificates.md @@ -17,6 +17,7 @@ localizationpriority: high - Windows 10 +DEPRECATED - See [Provision PCs with apps](provision-pcs-with-apps.md) This topic explains how to create and apply a provisioning package that contains apps and certificates to a device running all desktop editions of Windows 10 except Windows 10 Home. Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. @@ -183,14 +184,15 @@ If your build is successful, the name of the provisioning package, output direct - [Provisioning packages for Windows 10](provisioning-packages.md) - [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) +- [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) - [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) +- [Use the package splitter tool](provisioning-package-splitter.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) diff --git a/windows/configure/provision-pcs-with-apps.md b/windows/configure/provision-pcs-with-apps.md new file mode 100644 index 0000000000..2314c30c16 --- /dev/null 
+++ b/windows/configure/provision-pcs-with-apps.md 
@@ -0,0 +1,207 @@
+---
+title: Provision PCs with apps (Windows 10)
+description: Add apps to a Windows 10 provisioning package.
+ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E
+keywords: ["runtime provisioning", "provisioning package"]
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Provision PCs with apps
+
+
+**Applies to**
+
+- Windows 10
+
+
+In Windows 10, version 1703, you can install multiple Universal Windows Platform (UWP) apps and Classic Windows (Win32) applications in a provisioning package. This topic explains the various settings in [Windows Configuration Designer](provisioning-install-icd.md) for app install.
+
+When you add an app in a Windows Configuration Designer wizard, the appropriate settings are displayed based on the app that you select. For instructions on adding an app using the advanced editor in Windows Configuration Designer, see [Add an app using advanced editor](#adv).
+
+## Settings for UWP apps
+
+- **License Path**: Specify the license file if it is an app from the Windows Store. This is optional if you have a certificate for the app.
+
+- **Package family name**: Specify the package family name if you don’t specify a license. This field will be auto-populated after you specify a license.
+
+- **Required appx dependencies**: Specify the appx dependency packages that are required for the installation of the app
+
+## Settings for Classic Windows apps
+
+### MSI installer
+
+- **Command line arguments**: Optionally, append additional command arguments. The silent flag is appended for you. 
Example: PROPERTY=VALUE
+
+- **Continue installations after failure**: Optionally, specify if you want to continue installing additional apps if this app fails to install
+
+- **Restart required**: Optionally, specify if you want to initiate a reboot after a successful install of this app
+
+- **Required win32 app dependencies**: Optionally, specify additional files that are required for the installation of the app.
+
+### Exe or other installer
+
+- **Command line arguments**: Append the command line arguments with a silent flag (required). Optionally, append additional flags
+
+- **Return Codes**: Specify the return codes for success and success with restart (0 and 3010 by default respectively) Any return code that is not listed will be interpreted as failure. The text boxes are space delimited.
+
+- **Continue installations after failure**: Optionally, specify if you want to continue installing additional apps if this app fails to install
+
+- **Restart required**: Optionally, specify if you want to initiate a reboot after a successful install of this app
+
+- **Required win32 app dependencies**: Optionally, specify additional files that are required for the installation of the app.
+
+
+
+## Add an app using advanced editor in Windows Configuration Designer
+
+
+1. In the **Available customizations** pane, go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandFiles**.
+
+2. Add all the files required for the app install, including the data files and the installer.
+
+3. Go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandLine** and specify the command line that needs to be executed to install the app. This is a single command line (such as a script, executable, or msi) that triggers a silent install of your CommandFiles. Note that the install must execute silently (without displaying any UI). For MSI installers use, the `msiexec /quiet` option. 
+
+> [!NOTE]
+> If you are installing more than one app, then use `CommandLine` to invoke the script or batch file that orchestrates installation of the files. For more information, see [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md).
+
+
+### Add a universal app to your package
+
+Universal apps that you can distribute in the provisioning package can be line-of-business (LOB) apps developed by your organization, Windows Store for Business apps that you acquire with [offline licensing](../manage/acquire-apps-windows-store-for-business.md), or third-party apps. This procedure will assume you are distributing apps from the Windows Store for Business. For other apps, obtain the necessary information (such as the package family name) from the app developer.
+
+1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall**.
+
+2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Windows Store for Business, the package family name is listed in the **Package details** section of the download page.
+
+ ![details for offline app package](images/uwp-family.png)
+
+3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle).
+
+4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Windows Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page.
+
+ ![required frameworks for offline app package](images/uwp-dependencies.png)
+
+5. For **DeviceContextAppLicense**, enter the **LicenseProductID**.
+
+ - In Windows Store for Business, generate the unencoded license for the app on the app's download page, and change the extension of the license file from **.xml** to **.ms-windows-store-license**. 
+
+ ![generate license for offline app](images/uwp-license.png)
+
+ - Open the license file and search for **LicenseID=** to get the GUID, enter the GUID in the **LicenseProductID** field and click **Add**.
+
+6. In the **Available customizations** pane, click the **LicenseProductId** that you just added.
+
+7. For **LicenseInstall**, click **Browse**, navigate to the license file that you renamed **.**ms-windows-store-license**, and select the license file.
+
+[Learn more about distributing offline apps from the Windows Store for Business.](../manage/distribute-offline-apps.md)
+
+> [!NOTE]
+> Removing a provisioning package will not remove any apps installed by device context in that provisioning package.
+
+
+
+### Add a certificate to your package
+
+1. In the **Available customizations** pane, go to **Runtime settings** > **Certificates** > **ClientCertificates**.
+
+2. Enter a **CertificateName** and then click **Add**.
+
+2. Enter the **CertificatePassword**.
+
+3. For **CertificatePath**, browse and select the certificate to be used.
+
+4. Set **ExportCertificate** to **False**.
+
+5. For **KeyLocation**, select **Software only**.
+
+
+### Add other settings to your package
+
+For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( https://go.microsoft.com/fwlink/p/?LinkId=619012).
+
+### Build your package
+
+1. When you are done configuring the provisioning package, on the **File** menu, click **Save**.
+
+2. Read the warning that project files may contain sensitive information, and click **OK**.
+> **Important** When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
+
+3. 
On the **Export** menu, click **Provisioning package**.
+
+1. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
+
+10. Set a value for **Package Version**.
+
+ > [!TIP]  
+ > You can make changes to existing packages and change the version number to update previously applied packages.
+
+11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
+
+ - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
+
+ - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package.
+
+ **Important**  
+ We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently. 
+
+12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.

+Optionally, you can click **Browse** to change the default output location.
+
+13. Click **Next**.
+
+14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.

+If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
+
+15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.

+If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
+
+ - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
+
+ - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
+
+16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods:
+
+ - Shared network folder
+
+ - SharePoint site
+
+ - Removable media (USB/SD)
+
+ - Email
+
+ - USB tether (mobile only)
+
+ - NFC (mobile only)
+
+
+
+**Next step**: [How to apply a provisioning package](provisioning-apply-package.md)
+
+## Learn more
+
+- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921)
+
+- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)
+ 
+
+## Related topics
+
+- [Provisioning packages for Windows 10](provisioning-packages.md)
+- [How provisioning works in Windows 10](provisioning-how-it-works.md)
+- [Install Windows Configuration Designer](provisioning-install-icd.md)
+- [Create a provisioning package](provisioning-create-package.md)
+- [Apply a provisioning package](provisioning-apply-package.md)
+- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
+- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
+- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
+- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md)
+- [NFC-based device provisioning](provisioning-nfc.md)
+- [Use the package 
splitter tool](provisioning-package-splitter.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) +- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) + + diff --git a/windows/deploy/provisioning-apply-package.md b/windows/configure/provisioning-apply-package.md similarity index 70% rename from windows/deploy/provisioning-apply-package.md rename to windows/configure/provisioning-apply-package.md index 1125dd6985..2fa9efb09a 100644 --- a/windows/deploy/provisioning-apply-package.md +++ b/windows/configure/provisioning-apply-package.md @@ -42,25 +42,7 @@ Provisioning packages can be applied to a device during the first-run experience ![Do you trust this package?](images/trust-package.png) -6. Read and accept the Microsoft Software License Terms. - ![Sign in](images/license-terms.png) - -7. Select **Use Express settings**. - - ![Get going fast](images/express-settings.png) - -8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**. - - ![Who owns this PC?](images/who-owns-pc.png) - -9. On the **Choose how you'll connect** screen, select **Join Azure AD** or **Join a domain** and tap **Next**. - - ![Connect to Azure AD](images/connect-aad.png) - -10. Sign in with your domain, Azure AD, or Office 365 account and password. When you see the progress ring, you can remove the USB drive. - - ![Sign in](images/sign-in-prov.png) ### After setup, from a USB drive, network folder, or SharePoint site 
@@ -97,23 +79,17 @@ On a desktop computer, navigate to **Settings** > **Accounts** > **Access work o -## Learn more - -- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) - -- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) ## Related topics - [Provisioning packages for Windows 10](provisioning-packages.md) - [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) +- [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) +- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) \ No newline at end of file diff --git a/windows/deploy/provisioning-command-line.md b/windows/configure/provisioning-command-line.md similarity index 55% rename from windows/deploy/provisioning-command-line.md rename to windows/configure/provisioning-command-line.md index d5c52aabac..a2e16343b0 100644 --- a/windows/deploy/provisioning-command-line.md 
+++ b/windows/configure/provisioning-command-line.md @@ -1,5 +1,5 @@ --- -title: Windows ICD command-line interface (Windows 10) +title: Windows Configuration Designer command-line interface (Windows 10) description: ms.prod: w10 ms.mktglfcycl: deploy @@ -8,7 +8,7 @@ author: jdeckerMS localizationpriority: high --- -# Windows ICD command-line interface (reference) +# Windows Configuration Designer command-line interface (reference) **Applies to** 
@@ -16,11 +16,11 @@ localizationpriority: high - Windows 10 - Windows 10 Mobile -You can use the Windows Imaging and Configuration Designer (ICD) command-line interface (CLI) to automate the building of provisioning packages and Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) and Windows 10 Mobile or Windows 10 IoT Core (IoT Core) images. +You can use the Windows Configuration Designer command-line interface (CLI) to automate the building of provisioning packages and Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) and Windows 10 Mobile or Windows 10 IoT Core (IoT Core) images. -- IT pros can use the Windows ICD CLI to require less re-tooling of existing processes. You must run the Windows ICD CLI from a command window with administrator privileges. +- IT pros can use the Windows Configuration Designer CLI to require less re-tooling of existing processes. You must run the Windows Configuration Designer CLI from a command window with administrator privileges. -- You must use the Windows ICD CLI and edit the customizations.xml sources to create an image and/or provisioning package with multivariant support. You need the customizations.xml file as one of the inputs to the Windows ICD CLI to build a provisioning package. For more information, see [Create a provisioning package with multivariant settings](provisioning-multivariant.md). +- You must use the Windows Configuration Designer CLI and edit the customizations.xml sources to create an image and/or provisioning package with multivariant support. You need the customizations.xml file as one of the inputs to the Windows Configuration Designer CLI to build a provisioning package. For more information, see [Create a provisioning package with multivariant settings](provisioning-multivariant.md). 
@@ -38,9 +38,9 @@ icd.exe /Build-ProvisioningPackage /CustomizationXML: /PackagePath: | --- | --- | --- | | /CustomizationXML | No | Specifies the path to a Windows provisioning XML file that contains the customization assets and settings. For more information, see Windows provisioning answer file. | | /PackagePath | Yes | Specifies the path and the package name where the built provisioning package will be saved. | -| /StoreFile | No


See Important note. | For partners using a settings store other than the default store(s) used by Windows ICD, use this parameter to specify the path to one or more comma-separated Windows settings store file. By default, if you don't specify a settings store file, the settings store that's common to all Windows editions will be loaded by Windows ICD.


**Important** If you use this parameter, you must not use /MSPackageRoot or /OEMInputXML. | +| /StoreFile | No


See Important note. | For partners using a settings store other than the default store(s) used by Windows Configuration Designer, use this parameter to specify the path to one or more comma-separated Windows settings store file. By default, if you don't specify a settings store file, the settings store that's common to all Windows editions will be loaded by Windows Configuration Designer.


**Important** If you use this parameter, you must not use /MSPackageRoot or /OEMInputXML. | | /Variables | No | Specifies a semicolon separated and macro pair. The format for the argument must be =. | -| Encrypted | No | Denotes whether the provisioning package should be built with encryption. Windows ICD auto-generates the decryption password and includes this information in the output.


Precede with + for encryption or - for no encryption. The default is no encryption. | +| Encrypted | No | Denotes whether the provisioning package should be built with encryption. Windows Configuration Designer auto-generates the decryption password and includes this information in the output.


Precede with + for encryption or - for no encryption. The default is no encryption. | | Overwrite | No | Denotes whether to overwrite an existing provisioning package.


Precede with + to overwrite an existing package or - if you don't want to overwrite an existing package. The default is false (don't overwrite). | | /? | No | Lists the switches and their descriptions for the command-line tool or for certain commands. | @@ -51,14 +51,13 @@ icd.exe /Build-ProvisioningPackage /CustomizationXML: /PackagePath: - [Provisioning packages for Windows 10](provisioning-packages.md) - [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) +- [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) +- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md)   diff --git a/windows/configure/provisioning-configure-mobile.md b/windows/configure/provisioning-configure-mobile.md new file mode 100644 index 0000000000..5c1a5048cf --- /dev/null +++ b/windows/configure/provisioning-configure-mobile.md 
@@ -0,0 +1,86 @@
+---
+title: Use Windows Configuration Designer to configure Windows 10 Mobile devices (Windows 10)
+description:
+keywords: phone, handheld, lockdown, customize
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: jdeckerMS
+---
+
+# Use Windows Configuration Designer to configure Windows 10 Mobile devices
+
+Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using provisioning packages, ayou can easily specify desired configuration, settings, and information required to enroll the devices into management, and then apply that configuration to target devices in a matter of minutes.
+
+A provisioning package (.ppkg) is a container for a collection of configuration settings. Using Windows Configuration Designer, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
+
+Windows Configuration Designer can be installed from the [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). Windows Configuration Designer is also available as an app in the Windows Store. [Learn more about installing Windows Configuration Designer.](provisioning-install-icd.md)
+
+## Create a provisioning package using the wizard
+
+The **Provision Windows mobile devices** wizard lets you configure common settings for devices running Windows 10 Mobile in a simple, graphical workflow.
+
+### Start a new project
+
+1. 
Open Windows Configuration Designer:
+ - From either the Start screen or Start menu search, type 'Windows Configuration Designer' and click the Windows Configuration Designer shortcut,
+
+ or
+
+ - If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**.
+
+2. On the **Start** page, choose **Provision Windows mobile devices**.
+
+3. Enter a name for your project, and then click **Next**.
+
+
+### Configure settings in the wizard
+
+
+
+
+
+
+
![step one](images/one.png)![set up device](images/set-up-device-mobile.png)

Enter a device name.

Optionally, you can enter a product key to upgrade the device from Windows 10 Mobile to Windows 10 Mobile Enterprise.
![device name, upgrade license](images/set-up-device-details-mobile.png)
![step two](images/two.png) ![set up network](images/set-up-network-mobile.png)

Toggle **On** or **Off** for wireless network connectivity.

If you select **On**, enter the SSID, network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.
![Enter network SSID and type](images/set-up-network-details-mobile.png)
![step three](images/three.png) ![bulk enrollment in Azure Active Directory](images/bulk-enroll-mobile.png)

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used.

Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

**Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.
![Enter expiration and get bulk token](images/bulk-enroll-mobile-details.png)
![step four](images/four.png) ![finish](images/finish-mobile.png)

You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
![Protect your package](images/finish-details-mobile.png)
+
+After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page.
+
+### Apply provisioning package
+
+You can apply a provisioning package to a device running Windows 10 Mobile by using:
+
+- removable media
+- copying the provisioning package to the device
+- [NFC tags](provisioning-nfc.md)
+- [barcodes](provisioning-package-splitter.md)
+
+### Using removable media
+
+1. Insert an SD card containing the provisioning package into the device.
+2. Navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install.
+
+ ![add a package option](images/packages-mobile.png)
+
+3. Click **Add**.
+
+4. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**.
+
+ ![Is this package from a source you trust](images/package-trust.png)
+
+### Copying the provisioning package to the device
+
+1. Connect the device to your PC through USB.
+
+2. On the PC, select the provisioning package that you want to use to provision the device and then drag and drop the file to your device.
+
+3. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**.
+
+ ![Is this package from a source you trust](images/package-trust.png)
+
+
+## Related topics
+
+- [NFC-based device provisioning](provisioning-nfc.md)
+- [Use the package splitter tool](provisioning-package-splitter.md)
\ No newline at end of file
diff --git a/windows/deploy/provisioning-create-package.md b/windows/configure/provisioning-create-package.md
similarity index 66%
rename from windows/deploy/provisioning-create-package.md
rename to windows/configure/provisioning-create-package.md
index f543e6d10f..a73b54f4f8 100644
--- a/windows/deploy/provisioning-create-package.md 
+++ b/windows/configure/provisioning-create-package.md 
@@ -16,30 +16,40 @@ localizationpriority: high - Windows 10 - Windows 10 Mobile -You use Windows Imaging and Configuration Designer (ICD) to create a provisioning package (.ppkg) that contains customization settings. You can apply the provisioning package to a device running Windows 10. +You use Windows Configuration Designer to create a provisioning package (.ppkg) that contains customization settings. You can apply the provisioning package to a device running Windows 10 or Windows 10 Mobile. ->[Learn how to install Windows ICD.](provisioning-install-icd.md) +>[Learn how to install Windows Configuration Designer.](provisioning-install-icd.md) + +>[!TIP] +>We recommend creating a local admin account when developing and testing your provisioning package. We also recommend using a “least privileged” domain user account to join devices to the Active Directory domain. ## Start a new project -1. Open Windows ICD: - - From either the Start screen or Start menu search, type 'Imaging and Configuration Designer' and click on the Windows ICD shortcut, +1. Open Windows Configuration Designer: + - From either the Start screen or Start menu search, type 'Windows Configuration Designer' and click on the Windows Configuration Designer shortcut, or - - Navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**. + - If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**. -2. 
Select your desired option on the **Start** page, which offers three options for creating a provisioning package, as shown in the following image: +2. Select your desired option on the **Start** page, which offers multiple options for creating a provisioning package, as shown in the following image: - ![Simple provisioning or provision school devices or advanced provisioning](images/icd-create-options.png) + ![Configuration Designer wizards](images/icd-create-options-1703.png) - - The **Simple provisioning** and **Provision school devices** options provide wizard-style walkthroughs for creating a provisioning package based on a set of common settings. - - The **Advanced provisioning** option opens a new project with all **Runtime settings** available. + - The wizard options provide a simple interface for configuring common settings for desktop, mobile, and kiosk devices. Wizards are also available for creating provisioning packages for Microsoft Surface Hub and Microsoft HoloLens devices. For a summary of the settings available in the desktop, mobile, and kiosk devices, see [What you can configure using Configuration Designer wizardS](provisioning-packages.md#configuration-designer-wizards). - >[!TIP] - >You can start a project in the simple editor and then switch the project to the advanced editor. - > - >![Switch to advanced editor](images/icd-switch.png) + - [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md) + - [Instructions for the mobile wizard](provisioning-configure-mobile.md) + - [Instructions for the kiosk wizard](set-up-a-kiosk-for-windows-10-for-desktop-editions.md#wizard) + - [Instructions for HoloLens wizard](https://technet.microsoft.com/itpro/hololens/hololens-provisioning) + - [Instructions for Surface Hub wizard](https://technet.microsoft.com/itpro/surface-hub/provisioning-packages-for-certificates-surface-hub) + + - The **Advanced provisioning** option opens a new project with all **Runtime settings** available. 
*The rest of this procedure uses advanced provisioning.* + + >[!TIP] + > You can start a project in the simple wizard editor and then switch the project to the advanced editor. + > + > ![Switch to advanced editor](images/icd-switch.png) 3. Enter a name for your project, and then click **Next**. 
@@ -59,19 +69,18 @@ You use Windows Imaging and Configuration Designer (ICD) to create a provisionin >[!TIP] >**Import a provisioning package** can make it easier to create different provisioning packages that all have certain settings in common. For example, you could create a provisioning package that contains the settings for your organization's network, and then import it into other packages you create so you don't have to reconfigure those common settings repeatedly. -After you click **Finish**, Windows ICD will open the appropriate walkthrough page if you selected **Simple provisioning** or **Provision school devices**, or the **Available customizations** pane if you selected **Advanced provisioning**. The remainder of this topic will explain the **Advanced provisioning scenario**. +After you click **Finish**, Windows Configuration Designer will open the **Available customizations** pane and you can then configure settings for the package. + -- For instructions on **Simple provisioning**, see [Provision PCs with common settings](provision-pcs-for-initial-deployment.md). -- For instructions on **Provision school devices**, see [Set up student PCs to join domain](https://technet.microsoft.com/edu/windows/set-up-students-pcs-to-join-domain). ## Configure settings -For an advanced provisioning project, Windows ICD opens the **Available customizations** pane. The example in the following image is based on **All Windows desktop editions** settings. +For an advanced provisioning project, Windows Configuration Designer opens the **Available customizations** pane. The example in the following image is based on **All Windows desktop editions** settings. ![What the ICD interface looks like](images/icd-runtime.png) -The settings in Windows ICD are based on Windows 10 configuration service providers (CSPs). 
To learn more about CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers). +The settings in Windows Configuration Designer are based on Windows 10 configuration service providers (CSPs). To learn more about CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers). The process for configuring settings is similar for all settings. The following table shows an example. @@ -83,9 +92,9 @@ The process for configuring settings is similar for all settings. The following ![step five](images/five.png)
When the setting is configured, it is displayed in the **Selected customizations** pane.![Selected customizations pane](images/icd-step5.png) -For details on each specific setting, see [Windows Provisioning settings reference](https://msdn.microsoft.com/library/windows/hardware/dn965990.aspx). The reference topic for a setting is also displayed in Windows ICD when you select the setting, as shown in the following image. +For details on each specific setting, see [Windows Provisioning settings reference](https://msdn.microsoft.com/library/windows/hardware/dn965990.aspx). The reference topic for a setting is also displayed in Windows Configuration Designer when you select the setting, as shown in the following image. -![Windows ICD opens the reference topic when you select a setting](images/icd-setting-help.png) +![Windows Configuration Designer opens the reference topic when you select a setting](images/icd-setting-help.png) ## Build package 
@@ -110,7 +119,7 @@ For details on each specific setting, see [Windows Provisioning settings referen > >If a provisioning package is signed by a trusted provisioner, it can be installed on a device without a prompt for user consent. In order to enable trusted provider certificates, you must set the **TrustedProvisioners** setting prior to installing the trusted provisioning package. This is the only way to install a package without user consent. To provide additional security, you can also set **RequireProvisioningPackageSignature**, which prevents users from installing provisioning packages that are not signed by a trusted provisioner. -4. In the **Select where to save the provisioning package** window, specify the output location where you want the provisioning package to go once it's built, and then click **Next**. By default, Windows ICD uses the project folder as the output location. +4. In the **Select where to save the provisioning package** window, specify the output location where you want the provisioning package to go once it's built, and then click **Next**. By default, Windows Configuration Designer uses the project folder as the output location. 5. In the **Build the provisioning package** window, click **Build**. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. 
@@ -128,22 +137,21 @@ For details on each specific setting, see [Windows Provisioning settings referen ## Learn more -- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) - -- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) +- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) +- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) +- [How to bulk-enroll devices with On-premises Mobile Device Management in System Center Configuration Manager](https://docs.microsoft.com/sccm/mdm/deploy-use/bulk-enroll-devices-on-premises-mdm) ## Related topics - [Provisioning packages for Windows 10](provisioning-packages.md) - [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) +- [Install Windows Configuration Designer](provisioning-install-icd.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) +- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - 
[Create a provisioning package with multivariant settings](provisioning-multivariant.md) \ No newline at end of file diff --git a/windows/deploy/provisioning-how-it-works.md b/windows/configure/provisioning-how-it-works.md similarity index 78% rename from windows/deploy/provisioning-how-it-works.md rename to windows/configure/provisioning-how-it-works.md index 1f9b72eb6c..349dfd08c2 100644 --- a/windows/deploy/provisioning-how-it-works.md +++ b/windows/configure/provisioning-how-it-works.md @@ -16,7 +16,7 @@ localizationpriority: high - Windows 10 - Windows 10 Mobile -Provisioning packages in Windows 10 provide IT administrators with a simplified way to apply configuration settings to Windows 10 devices. Windows Imaging and Configuration Designer (Windows ICD) is a tool that makes it easy to create a provisioning package. Windows ICD is contained in the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). +Provisioning packages in Windows 10 provide IT administrators with a simplified way to apply configuration settings to Windows 10 devices. Windows Configuration Designer is a tool that makes it easy to create a provisioning package. Windows Configuration Designer can be installed from the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) or through the Windows Store. ## Provisioning packages 
@@ -58,9 +58,9 @@ When setting conflicts are encountered, the final values provisioned on the devi Windows provisioning XML is the framework that allows Microsoft and OEM components to declare end-user configurable settings and the on-device infrastructure for applying the settings with minimal work by the component owner. -Settings for each component can be declared within that component's package manifest file. These declarations are turned into settings schema that are used by Windows ICD to expose the potential settings to users to create customizations in the image or in provisioning packages. Windows ICD translates the user configuration, which is declared through Windows provisioning answer file(s), into the on-device provisioning format. +Settings for each component can be declared within that component's package manifest file. These declarations are turned into settings schema that are used by Windows Configuration Designer to expose the potential settings to users to create customizations in the image or in provisioning packages. Windows Configuration Designer translates the user configuration, which is declared through Windows provisioning answer file(s), into the on-device provisioning format. -When the provisioning engine selects a configuration, the Windows provisioning XML is contained within the selected provisioning data and is passed through the configuration manager and then to the Windows provisioning CSP. The Windows provisioning CSP then takes and applies the provisioning to the proper location for the actual component to use. +When the provisioning engine selects a configuration, the Windows provisioning XML is contained within the selected provisioning data and is passed through the configuration manager and then to the [Windows provisioning CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/provisioning-csp). 
The Windows provisioning CSP then takes and applies the provisioning to the proper location for the actual component to use. ## Provisioning engine @@ -77,7 +77,7 @@ The provisioning engine provides the following functionality: ## Configuration manager -The configuration manager provides the unified way of managing Windows 10 devices. Configuration is mainly done through the Open Mobile Alliance (OMA) Device Management (DM) and Client Provisioning (CP) protocols. The configuration manager handles and parses these protocol requests from different channels and passes them down to Configuration Service Providers (CSPs) to perform the specific management requests and settings. +The configuration manager provides the unified way of managing Windows 10 devices. Configuration is mainly done through the Open Mobile Alliance (OMA) Device Management (DM) and Client Provisioning (CP) protocols. The configuration manager handles and parses these protocol requests from different channels and passes them down to [Configuration Service Providers (CSPs)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/configuration-service-provider-reference) to perform the specific management requests and settings. The provisioning engine relies on configuration manager for all of the actual processing and application of a chosen configuration. The provisioning engine determines the stage of provisioning and, based on a set of keys, determines the set of configuration to send to the configuration manager. The configuration manager in turn parses and calls into the CSPs for the setting to be applied. 
@@ -115,9 +115,9 @@ When a trigger occurs, provisioning is initiated for a particular provisioning s ## Device provisioning during OOBE -The provisioning engine always applies provisioning packages persisted in the C:\Recovery\Customizations folder on the OS partition. When the provisioning engine applies provisioning packages in the %ProgramData%\Microsoft\Provisioning folder, certain runtime setting applications, such as the setting to install and configure Windows apps, may be extended past the OOBE pass and continually be processed in the background when the device gets to the desktop. Settings for configuring policies and certain crucial system configurations are always be completed before the first point at which they must take effect. +The provisioning engine always applies provisioning packages persisted in the `C:\Recovery\Customizations` folder on the OS partition. When the provisioning engine applies provisioning packages in the `%ProgramData%\Microsoft\Provisioning` folder, certain runtime setting applications, such as the setting to install and configure Windows apps, may be extended past the OOBE pass and continually be processed in the background when the device gets to the desktop. Settings for configuring policies and certain crucial system configurations are always be completed before the first point at which they must take effect. -Device users can apply a provisioning package from a remote source when the device first boots to OOBE. The device provisioning during OOBE is only triggered after the language, locale, time zone, and other settings on the first OOBE UI page are configured. On all Windows devices, device provisioning during OOBE can be triggered by 5 fast taps on the Windows hardware key. When device provisioning is triggered, the provisioning UI is displayed in the OOBE page. The provisioning UI allows users to select a provisioning package acquired from a remote source, such as through NFC or a removable media. 
+Device users can apply a provisioning package from a remote source when the device first boots to OOBE. The device provisioning during OOBE is only triggered after the language, locale, time zone, and other settings on the first OOBE UI page are configured. When device provisioning is triggered, the provisioning UI is displayed in the OOBE page. The provisioning UI allows users to select a provisioning package acquired from a remote source, such as through NFC or a removable media. The following table shows how device provisioning can be initiated when a user first boots to OOBE. @@ -125,17 +125,15 @@ The following table shows how device provisioning can be initiated when a user f | Package delivery | Initiation method | Supported device | | --- | --- | --- | | Removable media - USB drive or SD card
(Packages must be placed at media root) | 5 fast taps on the Windows key to launch the provisioning UI |All Windows devices | -| From an administrator device through machine to machine NFC or NFC tag
(The administrator device must run an app that can transfer the package over NFC) | 5 fast taps on the Windows key to launch the provisioning UI | Windows 10 Mobile devices and IoT Core devices | +| From an administrator device through machine-to-machine NFC or NFC tag
(The administrator device must run an app that can transfer the package over NFC) | 5 fast taps on the Windows key to launch the provisioning UI | Windows 10 Mobile devices and IoT Core devices | -The provisioning engine always copies the acquired provisioning packages to the %ProgramData%\Microsoft\Provisioning folder before processing them during OOBE. The provisioning engine always applies provisioning packages embedded in the installed Windows image during Windows Setup OOBE pass regardless of whether the package is signed and trusted. When the provisioning engine applies an encrypted provisioning package on an end-user device during OOBE, users must first provide a valid password to decrypt the package. The provisioning engine also checks whether a provisioning package is signed and trusted; if it's not, the user must provide consent before the package is applied to the device. +The provisioning engine always copies the acquired provisioning packages to the `%ProgramData%\Microsoft\Provisioning` folder before processing them during OOBE. The provisioning engine always applies provisioning packages embedded in the installed Windows image during Windows Setup OOBE pass regardless of whether the package is signed and trusted. When the provisioning engine applies an encrypted provisioning package on an end-user device during OOBE, users must first provide a valid password to decrypt the package. The provisioning engine also checks whether a provisioning package is signed and trusted; if it's not, the user must provide consent before the package is applied to the device. When the provisioning engine applies provisioning packages during OOBE, it applies only the runtime settings from the package to the device. 
Runtime settings can be system-wide configuration settings, including security policy, Windows app install/uninstall, network configuration, bootstrapping MDM enrollment, provisioning of file assets, account and domain configuration, Windows edition upgrade, and more. The provisioning engine also checks for the configuration settings on the device, such as region/locale or SIM card, and applies the multivariant settings with matching condition(s). ## Device provisioning at runtime -At device runtime, standalone provisioning packages can be applied by user initiation. Only runtime configuration settings including multivariant settings contained in a provisioning package can be applied at device runtime. - -The following table shows when provisioning at device runtime can be initiated. +At device runtime, stand-alone provisioning packages can be applied by user initiation. The following table shows when provisioning at device runtime can be initiated. | Package delivery | Initiation method | Supported device | | --- | --- | --- | 
@@ -147,7 +145,7 @@ When applying provisioning packages from a removable media attached to the devic When applying multiple provisioning packages to a device, the provisioning engine resolves settings with conflicting configuration values from different packages by evaluating the package ranking using the combination of package owner type and package rank level defined in the package metadata. A configuration setting applied from a provisioning package with the highest package ranking will be the final value applied to the device. -After a standalone provisioning package is applied to the device, the package is persisted in the %ProgramData%\Microsoft\Provisioning folder on the device. Provisioning packages can be removed by an administrator by using the **Add or remove a provisioning package** available under **Settings** > **Accounts** > **Access work or school**. However, Windows 10 doesn't provide an uninstall option to revert runtime settings when removing a provisioning package from the device. +After a stand-alone provisioning package is applied to the device, the package is persisted in the `%ProgramData%\Microsoft\Provisioning` folder on the device. Provisioning packages can be removed by an administrator by using the **Add or remove a provisioning package** available under **Settings** > **Accounts** > **Access work or school**. ## Learn more 
@@ -160,15 +158,14 @@ After a standalone provisioning package is applied to the device, the package is ## Related topics - [Provisioning packages for Windows 10](provisioning-packages.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) +- [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) +- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) diff --git a/windows/configure/provisioning-install-icd.md b/windows/configure/provisioning-install-icd.md new file mode 100644 index 0000000000..16ae7f94d5 --- /dev/null +++ b/windows/configure/provisioning-install-icd.md 
@@ -0,0 +1,115 @@
+---
+title: Install Windows Configuration Designer (Windows 10)
+description: Learn how to install and run Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Install Windows Configuration Designer
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+Use the Windows Configuration Designer tool to create provisioning packages to easily configure devices running Windows 10. Windows Configuration Designer is primarily designed for use by IT departments for business and educational institutions who need to provision bring-your-own-device (BYOD) and business-supplied devices.
+
+## Supported platforms
+
+Windows Configuration Designer can create provisioning packages for Windows 10 desktop and mobile editions, including Windows 10 IoT Core, as well as Microsoft Surface Hub and Microsoft HoloLens. You can run Windows Configuration Designer on the following operating systems:
+
+- Windows 10 - x86 and amd64
+- Windows 8.1 Update - x86 and amd64
+- Windows 8.1 - x86 and amd64
+- Windows 8 - x86 and amd64
+- Windows 7 - x86 and amd64
+- Windows Server 2016
+- Windows Server 2012 R2 Update
+- Windows Server 2012 R2
+- Windows Server 2012
+- Windows Server 2008 R2
+
+>[!WARNING]
+>You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.
+
+## Install Windows Configuration Designer
+
+On devices running Windows 10, you can install [the Windows Configuration Designer app from the Windows Store](https://www.microsoft.com/store/apps/9nblggh4tx22). To run Windows Configuration Designer on other operating systems or in languages other than English, install it from the [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit).
+
+>[!NOTE]
+>If you install Windows Configuration Designer from both the ADK and Windows Store, the Store app will not open.
+>
+>The Windows Configuration Designer App from Windows Store currently supports only English. For a localized version of the Windows Configuration Designer, install it from the Windows ADK.
+
+1. Go to [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) and select **Get Windows ADK** for the version of Windows 10 that you want to create provisioning packages for (version 1511, 1607, or 1703).
+
+ >[!NOTE]
+ >The rest of this procedure uses Windows ADK for Windows 10, version 1703 as an example.
+
+2. Save **adksetup.exe** and then run it.
+
+3. On the **Specify Location** page, select an installation path and then click **Next**.
+ >[!NOTE]
+ >The estimated disk space listed on this page applies to the full Windows ADK. If you only install Windows Configuration Designer, the space requirement is approximately 32 MB.
+4. Make a selection on the **Windows Kits Privacy** page, and then click **Next**.
+
+5. Accept the **License Agreement**, and then click **Next**.
+
+6. On the **Select the features you want to install** page, clear all selections except **Configuration Designer**, and then click **Install**.
+
+ ![Only Configuration Designer selected for installation](images/icd-install.png)
+
+## Current Windows Configuration Designer limitations
+
+
+- You can only run one instance of Windows Configuration Designer on your computer at a time.
+
+- Be aware that when adding apps and drivers, all files stored in the same folder will be imported and may cause errors during the build process.
+
+- The Windows Configuration Designer UI does not support multivariant configurations. Instead, you must use the Windows Configuration Designer command-line interface to configure multivariant settings.
For more information, see [Create a provisioning package with multivariant settings](provisioning-multivariant.md).
+
+- While you can open multiple projects at the same time within Windows Configuration Designer, you can only build one project at a time.
+
+- In order to enable the simplified authoring jscripts to work on a server SKU running Windows Configuration Designer, you need to explicitly enable **Allow websites to prompt for information using scripted windows**. Do this by opening Internet Explorer and then navigating to **Settings** > **Internet Options** > **Security** -> **Custom level** > **Allow websites to prompt for information using scripted windows**, and then choose **Enable**.
+
+- If you copy a Windows Configuration Designer project from one PC to another PC, make sure that all the associated files for the deployment assets, such as apps and drivers, are copied along with the project to the same path as it was on the original PC.
+
+ For example, when you add a driver to a provisioned package, you must copy the .INF file to a local directory on the PC that is running Windows Configuration Designer. If you don't do this, and attempt to use a copied version of this project on a different PC, Windows Configuration Designer might attempt to resolve the path to the files that point to the original PC.
+
+- **Recommended**: Before starting, copy all source files to the PC running Windows Configuration Designer, rather than using external sources like network shares or removable drives. This reduces the risk of interrupting the build process from a temporary network issue or from disconnecting the USB device.
+ +**Next step**: [How to create a provisioning package](provisioning-create-package.md) + +## Learn more + +- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) + +- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) + +## Related topics + +- [Provisioning packages for Windows 10](provisioning-packages.md) +- [How provisioning works in Windows 10](provisioning-how-it-works.md) +- [Create a provisioning package](provisioning-create-package.md) +- [Apply a provisioning package](provisioning-apply-package.md) +- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) +- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) +- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) +- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) +- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) + + + +  + +  + + + + + diff --git a/windows/deploy/provisioning-multivariant.md b/windows/configure/provisioning-multivariant.md similarity index 97% rename from windows/deploy/provisioning-multivariant.md rename to windows/configure/provisioning-multivariant.md index d33f1206b5..d28ac354ee 100644 --- a/windows/deploy/provisioning-multivariant.md +++ b/windows/configure/provisioning-multivariant.md 
@@ -302,15 +302,14 @@ The following events trigger provisioning on Windows 10 devices: - [Provisioning packages for Windows 10](provisioning-packages.md) - [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) +- [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) +- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)   diff --git a/windows/deploy/provisioning-nfc.md b/windows/configure/provisioning-nfc.md similarity index 88% rename from windows/deploy/provisioning-nfc.md rename to windows/configure/provisioning-nfc.md index 114e6d5545..fad3428d0c 100644 --- a/windows/deploy/provisioning-nfc.md +++ b/windows/configure/provisioning-nfc.md 
@@ -17,7 +17,7 @@ localizationpriority: high Near field communication (NFC) enables Windows 10 Mobile Enterprise and Windows 10 Mobile devices to communicate with an NFC tag or another NFC-enabled transmitting device. Enterprises that do bulk provisioning can use NFC-based device provisioning to provide a provisioning package to the device that's being provisioned. NFC provisioning is simple and convenient and it can easily store an entire provisioning package. -The NFC provisioning option enables the administrator to provide a provisioning package during initial device setup or the out-of-box experience (OOBE) phase. Administrators can use the NFC provisioning option to transfer provisioning information to persistent storage by tapping an unprovisioned mobile device to an NFC tag or NFC-enabled device. To use NFC for pre-provisioning a device, you must either prepare your own NFC tags by storing your provisioning package to a tag as described in this section, or build the infrastructure needed to transmit a provisioning package between an NFC-enabled device and a mobile device during OOBE. +The NFC provisioning option enables the administrator to provide a provisioning package during initial device setup (the out-of-box experience or OOBE phase). Administrators can use the NFC provisioning option to transfer provisioning information to persistent storage by tapping an unprovisioned mobile device to an NFC tag or NFC-enabled device. To use NFC for pre-provisioning a device, you must either prepare your own NFC tags by storing your provisioning package to a tag as described in this section, or build the infrastructure needed to transmit a provisioning package between an NFC-enabled device and a mobile device during OOBE. ## Provisioning OOBE UI 
@@ -131,18 +131,9 @@ For detailed information and code samples on how to implement an NFC-enabled dev ## Related topics -- [Provisioning packages for Windows 10](provisioning-packages.md) -- [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) -- [Create a provisioning package](provisioning-create-package.md) -- [Apply a provisioning package](provisioning-apply-package.md) -- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) -- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) -- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) -- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) +- [Use Windows Configuration Designer to configure Windows 10 Mobile devices](provisioning-configure-mobile.md) +- [Barcode provisioning and the package splitter tool](provisioning-package-splitter.md)     diff --git a/windows/configure/provisioning-package-splitter.md b/windows/configure/provisioning-package-splitter.md new file mode 100644 index 0000000000..00a62a1ae4 --- /dev/null +++ b/windows/configure/provisioning-package-splitter.md 
@@ -0,0 +1,88 @@ +--- +title: Barcode provisioning and the package splitter tool (Windows 10) +description: +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: high +--- + +# Barcode provisioning and the package splitter tool + + +**Applies to** + +- Windows 10 Mobile + +Enterprises that do bulk provisioning can use barcode-based device provisioning to provide a provisioning package to the device that's being provisioned. + +The barcode provisioning option enables the administrator to provide a provisioning package during initial device setup (the out-of-box experience or OOBE phase). To use barcodes to provision a device, your devices must have an integrated barcode scanner. You can get the barcode format that the scanner supports from your OEM or device provider, and use your existing tools and processes to convert a provisioning package into barcodes. + +Enterprise IT professionals who want to use a barcode to provision mobile devices during OOBE can use the package splitter tool, **ppkgtobase64.exe**, which is a command-line tool to split the provisioning package into smaller files. + +The smallest provisioning package is typically 5-6 KB, which cannot fit into one single barcode. The package splitter tool allows partners to split the original provisioning package into multiple smaller sized chunks that are encoded with Base64 so that enterprises can leverage their existing tools to convert these files into barcodes. + +When you [install Windows Configuration Designer](provisioning-install-icd.md) from the Windows Assessment and Deployment Kit (ADK), **ppkgtobase64.exe** is installed to the same folder. + +## Prerequisites + +Before you can use the tool, you must have a built provisioning package. The package file is the input to the package splitter tool. 
+ +- To build a provisioning package using the Windows Configuration Designer UI, see [Use Windows Configuration Designer to configure Windows 10 Mobile devices](provisioning-configure-mobile.md). +- To build a provisioning package using the Windows Configuration Designer CLI, see [Windows Configuration Designer command-line interface](provisioning-command-line.md). + +## To use the package splitter tool (ppkgtobase64.exe) + +1. Open a command-line window with administrator privileges. + + +2. From the command-line, navigate to the Windows Configuration Designer install directory. + + On an x64 computer, type: + ``` + cd C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86 + ``` + + - or - + + On an x86 computer, type: + + ``` + cd C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86 + ``` + +3. Run `ppkgtobase64.exe`. The [syntax](#syntax) and [switches and arguments](#switches-and-arguments) sections provide details for the command. + + +### Syntax + +``` +ppkgtobase64.exe -i -o -s [-c] [/?] +``` + +### Switches and arguments + +| Switch | Required? | Arguments | +| --- | --- | --- | +| -i | Yes | Use to specify the path and file name of the provisioning package that you want to divide into smaller files.

The tool allows you to specify the absolute path of the provisioning package file. However, if you don't specify the path, the tool will search the current folder for a package that matches the file name you specified. | +| -o | Yes | Use to specify the directory where the output files will be saved. | +| -s | Yes | Use to specify the size of the block that will be encoded in Base64. | +| -c | No | Use to delete any files in the output directory if the directory already exists. This parameter is optional. | +| /? | No | Lists the switches and their descriptions for the command-line tool or for certain commands. | + + + + + +## Related topics + + +  + +  + + + + + diff --git a/windows/configure/provisioning-packages.md b/windows/configure/provisioning-packages.md new file mode 100644 index 0000000000..8732d8c5a3 --- /dev/null +++ b/windows/configure/provisioning-packages.md 
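Review bot: The new provisioning-package-splitter.md page explains that the package is split into Base64-encoded chunks for conversion to barcodes, but it never says that Base64 is only an encoding, so the chunk files and any printed barcodes expose whatever the package contains. I would add a sentence after the Base64 paragraph such as `The Base64 files and the barcodes generated from them contain the full contents of the provisioning package; store and dispose of them with the same care as the .ppkg file.` The `-c` row should state more prominently that existing files in the output directory are deleted, for example `Point -o at a dedicated folder, because -c deletes any files already in it.` The front-matter `description:` field is also left empty.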
@@ -0,0 +1,169 @@ +--- +title: Provisioning packages (Windows 10) +description: With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. +ms.assetid: 287706E5-063F-4AB5-902C-A0DF6D0730BC +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: high +--- + +# Provisioning packages for Windows 10 + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using Windows provisioning, an IT administrator can easily specify desired configuration and settings required to enroll the devices into management and then apply that configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers. + +A provisioning package (.ppkg) is a container for a collection of configuration settings. With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. + +Provisioning packages are simple enough that with a short set of written instructions, a student or non-technical employee can use them to configure their device. This can result in a significant reduction in the time required to configure multiple devices in your organization. + +The [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) includes the Windows Configuration Designer, a tool for configuring provisioning packages. Windows Configuration Designer is also available as an [app in the Windows Store](https://www.microsoft.com/store/apps/9nblggh4tx22). 
+ + + + +## New in Windows 10, version 1703 + +- The tool for creating provisioning packages is renamed Windows Configuration Designer, replacing the Windows Imaging and Configuration Designer (ICD) tool. The components for creating images have been removed from Windows Configuration Designer, which now provides access to runtime settings only. +- Windows Configuration Designer can still be installed from the Windows ADK. You can also install it from the Windows Store. +- Windows Configuration Designer adds more wizards to make it easier to create provisioning packages for specific scenarios. See [What you can configure](#configuration-designer-wizards) for wizard descriptions. +- The wizard **Provision desktop devices** (previously called **Simple provisioning**) now enables joining Azure Active Directory (Azure AD) domains and also allows you to remove non-Microsoft software from Windows desktop devices during provisioning. +- When provisioning packages are applied to a device, a status screen indicates successful or failed provisioning. +- Windows 10 includes PowerShell cmdlets that simplify scripted provisioning. Using these cmdlets, you can add provisioning packages, remove provisioning packages and generate log files to investigate provisioning errors. +- The **Provision school devices** wizard is removed from Windows Configuration Designer. Instead, use the [Setup School PCs app](https://www.microsoft.com/store/p/set-up-school-pcs/9nblggh4ls40) from the Windows Store. + + + +## Benefits of provisioning packages + + +Provisioning packages let you: + +- Quickly configure a new device without going through the process of installing a new image. + +- Save time by configuring multiple devices using one provisioning package. + +- Quickly configure employee-owned devices in an organization without a mobile device management (MDM) infrastructure. + +- Set up a device without the device having network connectivity. 
+ +Provisioning packages can be: + +- Installed using removable media such as an SD card or USB flash drive. + +- Attached to an email. + +- Downloaded from a network share. + +- Deployed in NFC tags or barcodes. + +## What you can configure + +### Configuration Designer wizards + +The following table describes settings that you can configure using the wizards in Windows Configuration Designer to create provisioning packages. + + + + + + + + + +
**Step****Description****Desktop
wizard**
**Mobile
wizard**
**Kiosk
wizard**
Set up deviceAssign device name,
enter product key to upgrade Windows,
configure shared used,
remove pre-installed software
![yes](images/checkmark.png)![yes](images/checkmark.png)
(Only device name and upgrade key)
![yes](images/checkmark.png)
Set up networkConnect to a Wi-Fit network![yes](images/checkmark.png)![yes](images/checkmark.png)![yes](images/checkmark.png)
Account managementEnroll device in Active Directory,
enroll device in Azure Active Directory,
or create a local administrator account
![yes](images/checkmark.png)![no](images/crossmark.png)![yes](images/checkmark.png)
Bulk Enrollment in Azure ADEnroll device in Azure Active Directory

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup).
![no](images/crossmark.png)![yes](images/checkmark.png)![no](images/crossmark.png)
Add applicationsInstall applications using the provisioning package.![yes](images/checkmark.png)![no](images/crossmark.png)![yes](images/checkmark.png)
Add certificatesInclude a certificate file in the provisioning package.![yes](images/checkmark.png)![no](images/crossmark.png)![yes](images/checkmark.png)
Configure kiosk account and appCreate local account to run the kiosk mode app,
specify the app to run in kiosk mode
![no](images/crossmark.png)![no](images/crossmark.png)![yes](images/checkmark.png)
Configure kiosk common settingsSet tablet mode,
configure welcome and shutdown screens,
turn off timeout settings
![no](images/crossmark.png)![no](images/crossmark.png)![yes](images/checkmark.png)
+ +- [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md) +- [Instructions for the mobile wizard](provisioning-configure-mobile.md) +- [Instructions for the kiosk wizard](set-up-a-kiosk-for-windows-10-for-desktop-editions.md#wizard) + + + +>[!NOTE] +>After you start a project using a Windows Configuration Designer wizard, you can switch to the advanced editor to configure additional settings in the provisioning package. + +### Configuration Designer advanced editor + +The following table provides some examples of settings that you can configure using the Windows Configuration Designer advanced editor to create provisioning packages. + +| Customization options | Examples | +|--------------------------|-----------------------------------------------------------------------------------------------| +| Bulk Active Directory join and device name | Join devices to Active Directory domain and assign device names using hardware-specific serial numbers or random characters | +| Applications | Windows apps, line-of-business applications | +| Bulk enrollment into MDM | Automatic enrollment into a third-party MDM service\* | +| Certificates | Root certification authority (CA), client certificates | +| Connectivity profiles | Wi-Fi, proxy settings, Email | +| Enterprise policies | Security restrictions (password, device lock, camera, and so on), encryption, update settings | +| Data assets | Documents, music, videos, pictures | +| Start menu customization | Start menu layout, application pinning | +| Other | Home and lock screen wallpaper, computer name, domain join, DNS settings, and so on | +\* Using a provisioning package for auto-enrollment to System Center Configuration Manager or Configuration Manager/Intune hybrid is not supported. Use the Configuration Manager console to enroll devices. 
+  + +For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( https://go.microsoft.com/fwlink/p/?LinkId=619012). + +## Changes to provisioning in Windows 10, version 1607 + +>[!NOTE] +>This section is retained for customers using Windows 10, version 1607, on the Current Branch for Business. Some of this information is not applicable in Windows 10, version 1703. + +Windows ICD for Windows 10, version 1607, simplified common provisioning scenarios. + +![Configuration Designer options](images/icd.png) + +Windows ICD in Windows 10, version 1607, supported the following scenarios for IT administrators: + +* **Simple provisioning** – Enables IT administrators to define a desired configuration in Windows ICD and then apply that configuration on target devices. The simple provisioning wizard makes the entire process quick and easy by guiding an IT administrator through common configuration settings in a step-by-step manner. + + > [Learn how to use simple provisioning to configure Windows 10 computers.](provision-pcs-for-initial-deployment.md) + +* **Advanced provisioning (deployment of classic (Win32) and Universal Windows Platform (UWP) apps, and certificates)** – Allows an IT administrator to use Windows ICD to open provisioning packages in the advanced settings editor and include apps for deployment on end-user devices. + +* **Mobile device enrollment into management** - Enables IT administrators to purchase off-the-shelf retail Windows 10 Mobile devices and enroll them into mobile device management (MDM) before handing them to end-users in the organization. IT administrators can use Windows ICD to specify the management end-point and apply the configuration on target devices by connecting them to a Windows PC (tethered deployment) or through an SD card. 
Supported management end-points include: + + * System Center Configuration Manager and Microsoft Intune hybrid (certificate-based enrollment) + * AirWatch (password-string based enrollment) + * Mobile Iron (password-string based enrollment) + * Other MDMs (cert-based enrollment) + +> [!NOTE] +> Windows ICD in Windows 10, version 1607, also provided a wizard to create provisioning packages for school PCs. To learn more, see [Set up students' PCs to join domain](https://technet.microsoft.com/edu/windows/index). + +## Learn more + +- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) + +- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) + +## Related topics + +- [How provisioning works in Windows 10](provisioning-how-it-works.md) +- [Install Windows Configuration Designer](provisioning-install-icd.md) +- [Create a provisioning package](provisioning-create-package.md) +- [Apply a provisioning package](provisioning-apply-package.md) +- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) +- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) +- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) +- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) +- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) +- [Use Windows Configuration Designer to configure Windows 10 Mobile devices](provisioning-configure-mobile.md) + + + + + +  + +  + + + + + diff --git a/windows/configure/provisioning-powershell.md b/windows/configure/provisioning-powershell.md new file mode 100644 index 0000000000..508bada17f 
--- /dev/null +++ b/windows/configure/provisioning-powershell.md @@ -0,0 +1,72 @@ +--- +title: PowerShell cmdlets for provisioning Windows 10 (Windows 10) +description: +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: high +--- + +# PowerShell cmdlets for provisioning Windows 10 (reference) + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +Windows 10, version 1703, ships with Windows Provisioning PowerShell cmdlets. These cmdlets make it easy to script the following functions. + + + + + + + + + + + +
CmdletUse this cmdlet toSyntax
Add-ProvisioningPackage Apply a provisioning package```Add-ProvisioningPackage [-Path] [-ForceInstall] [-LogsFolder ] [-WprpFile ] []```
Remove-ProvisioningPackageRemove a provisioning package ```Remove-ProvisioningPackage -PackageId [-LogsFolder ] [-WprpFile ] []```
```Remove-ProvisioningPackage -Path [-LogsFolder ] [-WprpFile ] []```
```Remove-ProvisioningPackage -AllInstalledPackages [-LogsFolder ] [-WprpFile ] []```
Get-ProvisioningPackage Get information about an installed provisioning package ```Get-ProvisioningPackage -PackageId [-LogsFolder ] [-WprpFile ] []```
```Get-ProvisioningPackage -Path [-LogsFolder ] [-WprpFile ] []```
```Get-ProvisioningPackage -AllInstalledPackages [-LogsFolder ] [-WprpFile ] []```
Export-ProvisioningPackage Extract the contents of a provisioning package ```Export-ProvisioningPackage -PackageId -OutputFolder [-Overwrite] [-AnswerFileOnly] [-LogsFolder ] [-WprpFile ] []```
```Export-ProvisioningPackage -Path -OutputFolder [-Overwrite] [-AnswerFileOnly] [-LogsFolder ] [-WprpFile ] []```
Install-TrustedProvisioningCertificate Adds a certificate to the Trusted Certificate store ```Install-TrustedProvisioningCertificate ```
Get-TrustedProvisioningCertificate List all installed trusted provisioning certificates; use this cmdlet to get the certificate thumbprint to use with the **Uninstall-TrustedProvisioningCertificate** cmdlet```Get-TrustedProvisioningCertificate```
Uninstall-TrustedProvisioningCertificate Remove a previously installed provisioning certificate```Uninstall-TrustedProvisioningCertificate ```
+ +>[!NOTE] +> You can use Get-Help to get usage help on any command. For example: `Get-Help Add-ProvisioningPackage` + +Trace logs are captured when using cmdlets. The following logs are available in the logs folder after the cmdlet completes: + +- ProvTrace.<timestamp>.ETL - ETL trace file, unfiltered +- ProvTrace.<timestamp>.XML - ETL trace file converted into raw trace events, unfiltered +- ProvTrace.<timestamp>.TXT - TEXT file containing trace output formatted for easy reading, filtered to only show events logged by providers in the WPRP file +- ProvLogReport.<timestamp>.XLS - Excel file containing trace output, filtered to only show events logged by providers in WPRP file + + + +>[!NOTE] +>When applying provisioning packages using Powershell cmdlets, the default behavior is to suppress the prompt that appears when applying an unsigned provisioning package. This is by design so that provisioning packages can be applied as part of existing scripts. + + +## Related topics + +- [How provisioning works in Windows 10](provisioning-how-it-works.md) +- [Install Windows Configuration Designer](provisioning-install-icd.md) +- [Create a provisioning package](provisioning-create-package.md) +- [Apply a provisioning package](provisioning-apply-package.md) +- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) +- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) +- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) +- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) + + + + + +  + +  + + + + + 
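Review bot: The closing note in provisioning-powershell.md states that the cmdlets suppress the unsigned-package prompt by default, but the page gives a script author no guidance on establishing trust in a package before it is applied. I would extend that note with something like `Because no prompt is shown, scripts should apply only packages that come from a location you control, and you should verify the package source before calling Add-ProvisioningPackage.` The page lists `Install-TrustedProvisioningCertificate` in the same table, presumably for trusting signed packages, so a short cross-reference from the note to that cmdlet would help, if that is indeed its purpose. The front-matter `description:` field is left empty here as well.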
diff --git a/windows/deploy/provisioning-script-to-install-app.md b/windows/configure/provisioning-script-to-install-app.md
similarity index 91%
rename from windows/deploy/provisioning-script-to-install-app.md
rename to windows/configure/provisioning-script-to-install-app.md
index 8754c66299..20ada61de8 100644
--- a/windows/deploy/provisioning-script-to-install-app.md
+++ b/windows/configure/provisioning-script-to-install-app.md
@@ -168,21 +168,21 @@ Here’s a table describing this relationship, using the PowerShell example from ### Add script to provisioning package -When you have the batch file written and the referenced assets ready to include, you can add them to a provisioning package in the Window Imaging and Configuration Designer (Windows ICD). +When you have the batch file written and the referenced assets ready to include, you can add them to a provisioning package in the Window Configuration Designer. -Using ICD, specify the full details of how the script should be run in the CommandLine setting in the provisioning package. This includes flags or any other parameters that you would normally type on the command line. So for example if the package contained an app installer called install.exe and a script used to automate the install called InstallMyApp.bat, the `ProvisioningCommands/DeviceContext/CommandLine` setting should be configured to: +Using Windows Configuration Designer, specify the full details of how the script should be run in the CommandLine setting in the provisioning package. This includes flags or any other parameters that you would normally type on the command line. So for example if the package contained an app installer called install.exe and a script used to automate the install called InstallMyApp.bat, the `ProvisioningCommands/DeviceContext/CommandLine` setting should be configured to: ``` cmd /c InstallMyApp.bat ``` -In ICD, this looks like: +In Windows Configuration Designer, this looks like: ![Command line in Selected customizations](images/icd-script1.png) You also need to add the relevant assets for that command line including the orchestrator script and any other assets it references such as installers or .cab files. -In ICD, that is done by adding files under the `ProvisioningCommands/DeviceContext/CommandFiles` setting. +In Windows Configuration Designer, that is done by adding files under the `ProvisioningCommands/DeviceContext/CommandFiles` setting. 
![Command files in Selected customizations](images/icd-script2.png) @@ -211,12 +211,11 @@ When you are done, [build the package](provisioning-create-package.md#build-pack - [Provisioning packages for Windows 10](provisioning-packages.md) - [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) +- [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) +- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) \ No newline at end of file diff --git a/windows/deploy/provisioning-uninstall-package.md b/windows/configure/provisioning-uninstall-package.md similarity index 91% rename from windows/deploy/provisioning-uninstall-package.md rename to windows/configure/provisioning-uninstall-package.md index b3836ede88..e4ee9c442e 100644 --- a/windows/deploy/provisioning-uninstall-package.md +++ b/windows/configure/provisioning-uninstall-package.md 
@@ -27,7 +27,7 @@ Only settings in the following lists are revertible. ## Registry-based settings -The registry-based settings that are revertible when a provisioning package is uninstalled all fall under these categories, which you can find in the Graphical User Interface of the Windows Imaging and Configuration Designer (Windows ICD). +The registry-based settings that are revertible when a provisioning package is uninstalled all fall under these categories, which you can find in the Windows Configuration Designer. - [Wi-Fi Sense](https://msdn.microsoft.com/library/windows/hardware/mt219706.aspx) @@ -78,14 +78,13 @@ Here is the list of revertible settings based on configuration service providers - [Provisioning packages for Windows 10](provisioning-packages.md) - [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) +- [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) +- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md)   
diff --git a/windows/manage/set-up-a-device-for-anyone-to-use.md b/windows/configure/set-up-a-device-for-anyone-to-use.md similarity index 96% rename from windows/manage/set-up-a-device-for-anyone-to-use.md rename to windows/configure/set-up-a-device-for-anyone-to-use.md index f274498ed1..7a58deaa8f 100644 --- a/windows/manage/set-up-a-device-for-anyone-to-use.md +++ b/windows/configure/set-up-a-device-for-anyone-to-use.md @@ -1,5 +1,5 @@ --- -title: Set up a device for anyone to use (kiosk mode) (Windows 10) +title: Set up a device for anyone to use in kiosk mode (Windows 10) description: You can configure Windows 10 as a kiosk device, so that users can only interact with a single app. ms.assetid: F1F4FF19-188C-4CDC-AABA-977639C53CA8 keywords: ["kiosk", "lockdown", "assigned access"] @@ -8,6 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS localizationpriority: high +redirect_url: https://technet.microsoft.com/itpro/windows/configure/kiosk-shared-pc --- # Set up a device for anyone to use (kiosk mode) diff --git a/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/configure/set-up-a-kiosk-for-windows-10-for-desktop-editions.md similarity index 55% rename from windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md rename to windows/configure/set-up-a-kiosk-for-windows-10-for-desktop-editions.md index 211f47f9c2..e9f19dfa8f 100644 --- a/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md +++ b/windows/configure/set-up-a-kiosk-for-windows-10-for-desktop-editions.md 
@@ -19,52 +19,65 @@ localizationpriority: high > **Looking for Windows Embedded 8.1 Industry information?** See [Assigned Access]( https://go.microsoft.com/fwlink/p/?LinkId=613653) -A single-use or *kiosk* device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). For a kiosk device to run a Universal Windows app, use the **assigned access** feature. For a kiosk device (Windows 10 Enterprise or Education) to run a Classic Windows application, use **Shell Launcher** to set a custom user interface as the shell. To return the device to the regular shell, see [Sign out of assigned access](#sign-out-of-assigned-access). +A single-use or *kiosk* device is easy to set up in Windows 10 for desktop editions. -**Note**   -A Universal Windows app is built on the Universal Windows Platform (UWP), which was first introduced in Windows 8 as the Windows Runtime. A Classic Windows application uses the Classic Windows Platform (CWP) (e.g., COM, Win32, WPF, WinForms, etc.) and is typically launched using an .EXE or .DLL file. +- Use the [Provision kiosk devices wizard](#wizard) in Windows Configuration Designer to create a provisioning package that configures a kiosk device running either a Universal Windows app or a Classic Windows application (Windows 10 Enterprise or Education only). + + or + +- For a kiosk device to run a Universal Windows app, use the [assigned access](#assigned-access) feature (Windows 10 Pro, Enterprise, or Education). + + or + +- For a kiosk device to run a Classic Windows application, use [Shell Launcher](#shell-launcher) to set a custom user interface as the shell (Windows 10 Enterprise or Education only). + +To return the device to the regular shell, see [Sign out of assigned access](#sign-out-of-assigned-access). + +>[!NOTE] +>A Universal Windows app is built on the Universal Windows Platform (UWP), which was first introduced in Windows 8 as the Windows Runtime. 
A Classic Windows application uses the Classic Windows Platform (CWP) (e.g., COM, Win32, WPF, WinForms, etc.) and is typically launched using an .EXE or .DLL file.   -## Other settings to lock down -For a more secure kiosk experience, we recommend that you make the following configuration changes to the device: + +## Set up a kiosk using Windows Configuration Designer -- Put device in **Tablet mode**. +When you use the **Provision kiosk devices** wizard in Windows Configuration Designer, you can configure the kiosk to run either a Universal Windows app or a Classic Windows application. - If you want users to be able to use the touch (on screen) keyboard, go to **Settings** > **System** > **Tablet mode** and choose **On.** +>[!IMPORTANT] +>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. -- Hide **Ease of access** feature on the logon screen. - Go to **Control Panel** > **Ease of Access** > **Ease of Access Center**, and turn off all accessibility tools. +[Install Windows Configuration Designer](provisioning-install-icd.md), then open Windows Configuration Designer and select **Provision kiosk devices**. After you name your project, and click **Next**, configure the settings as shown in the following table. -- Disable the hardware power button. - Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**. -- Remove the power button from the sign-in screen. + + + + + + + + + +
![step one](images/one.png)![set up device](images/set-up-device.png)

Enable device setup if you want to configure settings on this page.

**If enabled:**

Enter a name for the device.

(Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)

Toggle **Configure devices for shared use** off. This setting optimizes Windows 10 for shared use scenarios and isn't necessary for a kiosk scenario.

You can also select to remove pre-installed software from the device.
![device name, upgrade to enterprise, shared use, remove pre-installed software](images/set-up-device-details.png)
![step two](images/two.png) ![set up network](images/set-up-network.png)

Enable network setup if you want to configure settings on this page.

**If enabled:**

Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.
![Enter network SSID and type](images/set-up-network-details.png)
![step three](images/three.png) ![account management](images/account-management.png)

Enable account management if you want to configure settings on this page.

**If enabled:**

You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

**Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.

To create a local administrator account, select that option and enter a user name and password.

**Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.
![join Active Directory, Azure AD, or create a local admin account](images/account-management-details.png)
![step four](images/four.png) ![add applications](images/add-applications.png)

You can provision the kiosk app in the **Add applications** step. You can install multiple applications, both Classic Windows (Win32) apps and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provision-pcs-with-apps.md)

**Warning:** If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you click the plus button in error, select any executable file in **Installer Path**, and then a **Cancel** button becomes available, allowing you to complete the provisioning package without an application.
![add an application](images/add-applications-details.png)
![step five](images/five.png) ![add certificates](images/add-certificates.png)

To provision the device with a certificate for the kiosk app, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.
![add a certificate](images/add-certificates-details.png)
![step six](images/six.png) ![Configure kiosk account and app](images/kiosk-account.png)

**Important:** You must use the Windows Configuration Designer app from Windows Store to select a Classic Windows application as the kiosk app in a provisioning package.

You can create a local standard user account that will be used to run the kiosk app. If you toggle **No**, make sure that you have an existing user account to run the kiosk app.

If you want to create an account, enter the user name and password, and then toggle **Yes** or **No** to automatically sign in the account when the device starts.

In **Configure the kiosk mode app**, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Classic Windows app) or the AUMID (for a Universal Windows app). For a Classic Windows app, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.
![Configure kiosk account and app](images/kiosk-account-details.png)
![step seven](images/seven.png) ![configure kiosk common settings](images/kiosk-common.png)

On this step, select your options for tablet mode, the user experience on the Welcome and shutdown screens, and the timeout settings.
![set tablet mode and configure welcome and shutdown and turn off timeout settings](images/kiosk-common-details.png)
![finish](images/finish.png)

You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
![Protect your package](images/finish-details.png)
- Go to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** >**Security Options** > **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.** -- Disable the camera. +>[!NOTE] +>If you want to use the advanced editor in Windows Configuration Designer, specify the user account and app (by AUMID) in **Runtime settings** > **AssignedAccess** > **AssignedAccessSettings** - Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**. -- Turn off app notifications on the lock screen. - Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**. -- Disable removable media. - Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation. +[Learn how to apply a provisioning package.](provisioning-apply-package.md) - **Note**   - To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**.   - -## Assigned access method for Universal Windows apps + +## Assigned access method for Universal Windows apps Using assigned access, Windows 10 runs the designated Universal Windows app above the lockscreen, so that the assigned access account has no access to any other functionality on the device. You have these choices for setting up assigned access: 
@@ -73,7 +86,7 @@ Using assigned access, Windows 10 runs the designated Universal Windows app abo | --- | --- | --- | | [Use Settings on the PC](#set-up-assigned-access-in-pc-settings) | Local standard | Pro, Enterprise, Education | | [Apply a mobile device management (MDM) policy](#set-up-assigned-access-in-mdm) | All (domain, local standard, local administrator, etc) | Enterprise, Education | -| [Create a provisioning package using Windows Imaging and Configuration Designer (ICD)](#icd) | All (domain, local standard, local administrator, etc) | Enterprise, Education | +| [Create a provisioning package using Windows Configuration Designer](#wizard) | All (domain, local standard, local administrator, etc) | Enterprise, Education | | [Run a PowerShell script](#set-up-assigned-access-using-windows-powershell) | Local standard | Pro, Enterprise, Education | @@ -88,8 +101,8 @@ Using assigned access, Windows 10 runs the designated Universal Windows app abo The Universal Windows app must be able to handle multiple views and cannot launch other apps or dialogs. -**Note**   -Assigned access does not work on a device that is connected to more than one monitor. +>[!NOTE]   +>Assigned access does not work on a device that is connected to more than one monitor.   @@ -105,7 +118,7 @@ Assigned access does not work on a device that is connected to more than one mon 5. Close **Settings** – your choices are saved automatically, and will be applied the next time that user account logs on. -To remove assigned access, in step 3, choose **Don't use assigned access**. +To remove assigned access, choose **Turn off assigned access and sign out of the selected account**. ### Set up assigned access in MDM 
@@ -115,69 +128,9 @@ Assigned Access has one setting, KioskModeApp. In the KioskModeApp setting, you [See the technical reference for the Assigned Access configuration service provider.](https://go.microsoft.com/fwlink/p/?LinkId=626608) -### Set up assigned access using Windows Imaging and Configuration Designer (ICD) + -Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that configures a device as a kiosk. [Install the ADK.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) -> **Important** -When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. - -**Create a provisioning package for a kiosk device** - -1. Open Windows ICD (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). - -2. Choose **Advanced provisioning**. - -3. Name your project, and click **Next**. - -4. Choose **All Windows desktop editions** and click **Next**. - -5. On **New project**, click **Finish**. The workspace for your package opens. - -6. Expand **Runtime settings** > **AssignedAccess**, and click **AssignedAccessSettings**. - -7. Enter a string to specify the user account and app (by AUMID). For example: - - "Account":"contoso\\\\kiosk","AUMID":"8f82d991-f842-44c3-9a95-521b58fc2084" - -8. On the **File** menu, select **Save.** - -9. On the **Export** menu, select **Provisioning package**. - -10. 
Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** - -11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. - - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package. - -12. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows ICD uses the project folder as the output location. - - Optionally, you can click **Browse** to change the default output location. - -13. Click **Next**. - -14. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. - - If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. - -15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. - - If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. 
- - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. - -**Apply the provisioning package** - -1. Select the provisioning package that you want to apply, double-click the file, and then allow admin privileges. - -2. Consent to allow the package to be installed. - - After you allow the package to be installed, the settings will be applied to the device - -[Learn how to apply a provisioning package in audit mode or OOBE.](https://go.microsoft.com/fwlink/p/?LinkID=692012) ### Set up assigned access using Windows PowerShell @@ -201,7 +154,9 @@ Set-AssignedAccess -AppName -UserName Set-AssignedAccess -AppName -UserSID ``` -> **Note:** To set up assigned access using `-AppName`, the user account that you specify for assigned access must have logged on at least once. +> [!NOTE] +> To set up assigned access using `-AppName`, the user account that you specify for assigned access must have logged on at least once. + [Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867). [Learn how to get the AppName](https://msdn.microsoft.com/library/windows/hardware/mt620046%28v=vs.85%29.aspx) (see **Parameters**). @@ -223,8 +178,8 @@ Edit the registry to have an account automatically logged on. 1. Open Registry Editor (regedit.exe). - **Note**   - If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002). + >[!NOTE]   + >If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002).   2. Go to 
@@ -239,7 +194,8 @@ Edit the registry to have an account automatically logged on. - *DefaultPassword*: set value as the password for the account. - > **Note**  If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**. + > [!NOTE] + > If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**. - *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, do not add this key. @@ -255,11 +211,15 @@ If you press **Ctrl + Alt + Del** and do not sign in to another account, after a To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal. -## Shell Launcher for Classic Windows applications + +## Shell Launcher for Classic Windows applications Using Shell Launcher, you can configure a kiosk device that runs a Classic Windows application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. +>[!NOTE] +>You can also configure a kiosk device that runs a Classic Windows application by using the [Provision kiosk devices wizard](#wizard). + ### Requirements - A domain or local user account. 
@@ -274,10 +234,13 @@ To set a Classic Windows application as the shell, you first turn on the Shell L **To turn on Shell Launcher in Windows features** -1. Go to Control Panel > **Programs and Features** > **Turn Windows features on or off**. -2. Select **Embedded Shell Launcher** and **OK**. +1. Go to Control Panel > **Programs and features** > **Turn Windows features on or off**. -Alternatively, you can turn on Shell Launcher using the Deployment Image Servicing and Management (DISM.exe) tool. +2. Expand **Device Lockdown**. + +2. Select **Shell Launcher** and **OK**. + +Alternatively, you can turn on Shell Launcher using Windows Configuration Designer in a provisioning package, using `SMISettings > ShellLauncher`, or the Deployment Image Servicing and Management (DISM.exe) tool. **To turn on Shell Launcher using DISM** 
@@ -425,19 +388,46 @@ $IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() "`nEnabled is set to " + $IsShellLauncherEnabled.Enabled ``` +## Other settings to lock down + + +For a more secure kiosk experience, we recommend that you make the following configuration changes to the device: + +- Put device in **Tablet mode**. + + If you want users to be able to use the touch (on screen) keyboard, go to **Settings** > **System** > **Tablet mode** and choose **On.** + +- Hide **Ease of access** feature on the logon screen. + + Go to **Control Panel** > **Ease of Access** > **Ease of Access Center**, and turn off all accessibility tools. + +- Disable the hardware power button. + + Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**. + +- Remove the power button from the sign-in screen. + + Go to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** >**Security Options** > **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.** + +- Disable the camera. + + Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**. + +- Turn off app notifications on the lock screen. + + Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**. + +- Disable removable media. + + Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation. + + >[!NOTE]   + >To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**. 
+ +  ## Related topics - -[Set up a device for anyone to use](set-up-a-device-for-anyone-to-use.md) - -[Set up a kiosk for Windows 10 for mobile edition](set-up-a-kiosk-for-windows-10-for-mobile-edition.md) - -[Manage and update Windows 10](index.md) - -  - -  - +- [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md) diff --git a/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md b/windows/configure/set-up-a-kiosk-for-windows-10-for-mobile-edition.md similarity index 58% rename from windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md rename to windows/configure/set-up-a-kiosk-for-windows-10-for-mobile-edition.md index 1a11ff9c20..3ef7f7e374 100644 --- a/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md +++ b/windows/configure/set-up-a-kiosk-for-windows-10-for-mobile-edition.md 
@@ -18,51 +18,18 @@ localizationpriority: high - Windows 10 Mobile -A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings. You configure a device running Windows 10 Mobile or Windows 10 Mobile Enterprise for kiosk mode by using the Apps Corner feature. You can also use the Enterprise Assigned Access configuration service provider (CSP) to configure a kiosk experience. -**Note**   -The specified app must be an above lock screen app. For details on building an above lock screen app, see [Kiosk apps for assigned access: Best practices](https://go.microsoft.com/fwlink/p/?LinkId=708386). - -  - -## Apps Corner +A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings. You use the [Enterprise Assigned Access](#enterprise-assigned-access) configuration service provider (CSP) to configure a kiosk experience. You can also configure a device running Windows 10 Mobile or Windows 10 Mobile Enterprise, version 1607 or earlier, for kiosk mode by using the [Apps Corner](#apps-corner) feature. (Apps Corner is removed in version 1703.) -Apps Corner lets you set up a custom Start screen on your Windows 10 Mobile or Windows 10 Mobile Enterprise device, where you can share only the apps you choose with the people you let use your device. You configure a device for kiosk mode by selecting a single app to use in Apps Corner. - -**To set up Apps Corner** - -1. On Start ![start](images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](images/settingsicon.png) > **Accounts** > **Apps Corner**. - -2. Tap **Apps**, tap to select the app that you want people to use in the kiosk mode, and then tap done ![](images/doneicon.png) - -3. If your phone doesn't already have a lock screen password, you can set one now to ensure that people can't get to your Start screen from Apps Corner. 
Tap **Protect my phone with a password**, click **Add**, type a PIN in the **New PIN** box, type it again in the **Confirm PIN** box, and then tap **OK**. Press **Back** ![back](images/backicon.png) to the Apps Corner settings. - -4. Turn **Action center** on or off, depending on whether you want people to be able to use these features when using the device in kiosk mode. - -5. Tap **advanced**, and then turn features on or off, depending on whether you want people to be able to use them. - -6. Press **Back** ![back](images/backicon.png) when you're done. - -**To use Apps Corner** - -1. On Start ![start](images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](images/settingsicon.png) > **Accounts** > **Apps Corner** > launch ![launch](images/launchicon.png). - - **Tip**   - Want to get to Apps Corner with one tap? In **Settings**, tap **Apps Corner** > **pin** to pin the Apps Corner tile to your Start screen. - -   - -2. Give the device to someone else, so they can use the device and only the one app you chose. - -3. When they're done and you get the device back, press and hold Power ![power](images/powericon.png), and then swipe right to exit Apps Corner. ## Enterprise Assigned Access -Enterprise Assigned Access allows you to lock down your Windows 10 Mobile or Windows 10 Mobile Enterprise device in kiosk mode by creating a user role that has only a single app, set to run automatically, in the Allow list. +Enterprise Assigned Access allows you to put your Windows 10 Mobile or Windows 10 Mobile Enterprise device in kiosk mode by creating a user role that has only a single app, set to run automatically, in the Allow list. -**Note**  The app can be a Universal Windows app, Universal Windows Phone 8 app, or a legacy Silverlight app. +>[!NOTE] +>The app can be a Universal Windows app, Universal Windows Phone 8 app, or a legacy Silverlight app.   
@@ -72,21 +39,24 @@ In AssignedAccessXml, for Application, you enter the product ID for the app to r [See the technical reference for the Enterprise Assigned Access configuration service provider (CSP).](https://go.microsoft.com/fwlink/p/?LinkID=618601) -### Set up assigned access using Windows Imaging and Configuration Designer (ICD) +### Set up assigned access using Windows Configuration Designer -> **Important** -When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. +>[!IMPORTANT] +>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. -**To create and apply a provisioning package for a kiosk device** +#### Create the *AssignedAccess*.xml file 1. Create an *AssignedAccess*.xml file that specifies the app the device will run. (You can name use any file name.) For instructions on AssignedAccessXml, see [EnterpriseAssignedAccess CSP](https://go.microsoft.com/fwlink/p/?LinkID=618601). - **Note**   - Do not escape the xml in *AssignedAccess*.xml file as Windows Imaging and Configuration Designer (ICD) will do that when building the package. Providing escaped xml in Windows ICD will cause building the package fail. + >[!NOTE] + >Do not escape the xml in *AssignedAccess*.xml file as Windows Configuration Designer will do that when building the package. Providing escaped xml in Windows ICD will cause building the package fail. + +#### Create the provisioning package -   +1. 
[Install Windows Configuration Designer.](provisioning-install-icd.md) + +2. Open Windows Configuration Designer (if you installed it from the Windows ADK, `%windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe`). -2. Open Windows ICD (by default, `%windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe`). 3. Choose **Advanced provisioning**. 
@@ -130,55 +100,91 @@ When you build a provisioning package, you may include sensitive information in - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. -17. Select the **output location** link to go to the location of the package. You can distribute that .ppkg to mobile devices using any of the following methods: +17. Select the **output location** link to go to the location of the package. - - Removable media (USB/SD) +#### Distribute the provisioning package - **To apply a provisioning package from removable media** +You can distribute that .ppkg to mobile devices using any of the following methods: - 1. Copy the provisioning package file to the root directory on a micro SD card. +- Removable media (USB/SD) - 2. On the device, insert the micro SD card containing the provisioning package. + **To apply a provisioning package from removable media** - 3. Go to **Settings** > **Accounts** > **Provisioning.** + 1. Copy the provisioning package file to the root directory on a micro SD card. - 4. Tap **Add a package**. + 2. On the device, insert the micro SD card containing the provisioning package. - 5. On the **Choose a method** screen, in the **Add from** dropdown menu, select **Removable Media**. + 3. Go to **Settings** > **Accounts** > **Provisioning.** - 6. Select a package will list all available provisioning packages on the micro SD card. Tap the desired package, and then tap **Add**. + 4. Tap **Add a package**. - 7. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**. + 5. On the **Choose a method** screen, in the **Add from** dropdown menu, select **Removable Media**. - 8. 
Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device. + 6. Select a package will list all available provisioning packages on the micro SD card. Tap the desired package, and then tap **Add**. - - Email + 7. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**. - **To apply a provisioning package sent in email** + 8. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device. - 1. Send the provisioning package in email to an account on the device. +- Email - 2. Open the email on the device, and then double-tap the attached file. + **To apply a provisioning package sent in email** - 3. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**. + 1. Send the provisioning package in email to an account on the device. - 4. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device. + 2. Open the email on the device, and then double-tap the attached file. - - USB tether (mobile only) + 3. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**. - **To apply a provisioning package using USB tether** + 4. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device. - 1. Connect the device to your PC by USB. +- USB tether - 2. Select the provisioning package that you want to use to provision the device, and then drag and drop the file to your device. + **To apply a provisioning package using USB tether** - 3. The provisioning package installation dialog will appear on the phone. + 1. 
Connect the device to your PC by USB. - 4. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**. + 2. Select the provisioning package that you want to use to provision the device, and then drag and drop the file to your device. - 5. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device. + 3. The provisioning package installation dialog will appear on the phone. - [Learn how to apply a provisioning package in audit mode or OOBE.](https://go.microsoft.com/fwlink/p/?LinkID=692012) + 4. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**. + + 5. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device. + + + +## Apps Corner + +>[!NOTE] +>For Windows 10, versions 1507, 1511, and 1607 only. + +Apps Corner lets you set up a custom Start screen on your Windows 10 Mobile or Windows 10 Mobile Enterprise device, where you can share only the apps you choose with the people you let use your device. You configure a device for kiosk mode by selecting a single app to use in Apps Corner. + +**To set up Apps Corner** + +1. On Start ![start](images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](images/settingsicon.png) > **Accounts** > **Apps Corner**. + +2. Tap **Apps**, tap to select the app that you want people to use in the kiosk mode, and then tap done ![](images/doneicon.png) + +3. If your phone doesn't already have a lock screen password, you can set one now to ensure that people can't get to your Start screen from Apps Corner. Tap **Protect my phone with a password**, click **Add**, type a PIN in the **New PIN** box, type it again in the **Confirm PIN** box, and then tap **OK**. 
Press **Back** ![back](images/backicon.png) to the Apps Corner settings. + +4. Turn **Action center** on or off, depending on whether you want people to be able to use these features when using the device in kiosk mode. + +5. Tap **advanced**, and then turn features on or off, depending on whether you want people to be able to use them. + +6. Press **Back** ![back](images/backicon.png) when you're done. + +**To use Apps Corner** + +1. On Start ![start](images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](images/settingsicon.png) > **Accounts** > **Apps Corner** > launch ![launch](images/launchicon.png). + + >[!TIP]   + >Want to get to Apps Corner with one tap? In **Settings**, tap **Apps Corner** > **pin** to pin the Apps Corner tile to your Start screen. +   +2. Give the device to someone else, so they can use the device and only the one app you chose. + +3. When they're done and you get the device back, press and hold Power ![power](images/powericon.png), and then swipe right to exit Apps Corner. ## Related topics @@ -191,9 +197,5 @@ When you build a provisioning package, you may include sensitive information in   -  - - - diff --git a/windows/manage/set-up-shared-or-guest-pc.md b/windows/configure/set-up-shared-or-guest-pc.md similarity index 95% rename from windows/manage/set-up-shared-or-guest-pc.md rename to windows/configure/set-up-shared-or-guest-pc.md index f641f80569..d0998d18c6 100644 --- a/windows/manage/set-up-shared-or-guest-pc.md +++ b/windows/configure/set-up-shared-or-guest-pc.md 
@@ -16,7 +16,7 @@ localizationpriority: high - Windows 10 -Windows 10, version 1607, introduces *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Pro Education, Education, and Enterprise. +Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Pro Education, Education, and Enterprise. > [!NOTE] > If you're interested in using Windows 10 for shared PCs in a school, see [Use Set up School PCs app](https://technet.microsoft.com/edu/windows/use-set-up-school-pcs-app) which provides a simple way to configure PCs with shared PC mode plus additional settings specific for education. 
@@ -69,16 +69,16 @@ You can configure Windows to be in shared PC mode in a couple different ways: ![custom OMA-URI policy in Intune](images/oma-uri-shared-pc.png) -- A provisioning package created with the Windows Imaging and Configuration Designer (ICD): You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Imaging and Configuration Designer (ICD). Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/mt723294.aspx), exposed in ICD as SharedPC. +- A provisioning package created with the Windows Configuration Designer: You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Configuration Designer. Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/mt723294.aspx), exposed in Windows Configuration Designer as **SharedPC**. ![Shared PC settings in ICD](images/icd-adv-shared-pc.png) ### Create a provisioning package for shared use -Use the Windows ICD tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that configures a device for shared PC mode. [Install the ADK and select **Configuration Designer**.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) +1. [install Windows Configuration Designer](provisioning-install-icd.md) -1. Open Windows ICD (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). +1. Open Windows Configuration Designer. 2. 
On the **Start page**, select **Advanced provisioning**. @@ -287,15 +287,10 @@ Shared PC mode sets local group policies to configure the device. Some of these -## Related topics - -[Set up a device for anyone to use (kiosk)](set-up-a-device-for-anyone-to-use.md)   -  - diff --git a/windows/manage/settings-that-can-be-locked-down.md b/windows/configure/settings-that-can-be-locked-down.md similarity index 85% rename from windows/manage/settings-that-can-be-locked-down.md rename to windows/configure/settings-that-can-be-locked-down.md index c0348677ba..6e0e342400 100644 --- a/windows/manage/settings-that-can-be-locked-down.md +++ b/windows/configure/settings-that-can-be-locked-down.md @@ -20,7 +20,15 @@ localizationpriority: high This topic lists the settings and quick actions that can be locked down in Windows 10 Mobile. -## Settings lockdown +## Settings lockdown in Windows 10, version 1703 + +In earlier versions of Windows 10, you used the page name to define allowed settings. Starting in Windows 10, version 1703, you use the settings URI. + +For example, in place of **SettingsPageDisplay**, you would use **ms-settings:display**. + +See the [ms-settings: URI scheme reference](https://docs.microsoft.com/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to find the URI for each Settings page. + +## Settings lockdown in Windows 10, version 1607 and earlier You can use Lockdown.xml to configure lockdown settings. 
@@ -451,52 +459,26 @@ You can specify the quick actions as follows: ``` syntax - - - - - - - - - - - - - - + + + + + + + + + + + + + + ``` -Some quick actions are dependent on related settings pages/page groups. When a dependent page/group is not available, then the corresponding quick action will also be hidden. -**Note**   -Dependent settings group/pages will be automatically enabled when a quick action is specified in the lockdown xml file. For example, if the Rotation quick setting is specified, the following group and page will automatically be added to the allow list: “SettingsPageSystemDisplay” and “SettingsPageDisplay”. - -  - -The following table lists the dependencies between quick actions and Settings groups/pages. - -| Quick action | Settings group | Settings page | -|-----|-------|-------| -| SystemSettings\_System\_Display\_QuickAction\_Brightness | SettingsPageSystemDisplay| SettingsPageDisplay | -| SystemSettings\_System\_Display\_Internal\_Rotation | SettingsPageSystemDisplay | SettingsPageDisplay | -| SystemSettings\_QuickAction\_WiFi | SettingsPageNetworkWiFi | SettingsPageNetworkWiFi | -| SystemSettings\_QuickAction\_InternetSharing | SettingsPageNetworkInternetSharing | SettingsPageNetworkInternetSharing | -| SystemSettings\_QuickAction\_CellularData | SettingsGroupCellular | SettingsPageNetworkCellular | -| SystemSettings\_QuickAction\_AirplaneMode | SettingsPageNetworkAirplaneMode | SettingsPageNetworkAirplaneMode | -| SystemSettings\_Privacy\_LocationEnabledUserPhone | SettingsGroupPrivacyLocationGlobals | SettingsPagePrivacyLocation | -| SystemSettings\_Network\_VPN\_QuickAction | SettingsPageNetworkVPN | SettingsPageNetworkVPN | -| SystemSettings\_Launcher\_QuickNote | N/A | N/A | -| SystemSettings\_Flashlight\_Toggle | N/A | N/A | -| SystemSettings\_Device\_BluetoothQuickAction | SettingsPagePCSystemBluetooth | SettingsPagePCSystemBluetooth | -| SystemSettings\_BatterySaver\_LandingPage\_OverrideControl | 
BatterySaver\_LandingPage\_SettingsConfiguration | SettingsPageBatterySaver | -| QuickActions\_Launcher\_DeviceDiscovery | N/A | N/A | -| QuickActions\_Launcher\_AllSettings | N/A | N/A | -| SystemSettings\_QuickAction\_QuietHours | N/A | N/A | -| SystemSettings\_QuickAction\_Camera | N/A | N/A |   diff --git a/windows/manage/start-layout-xml-desktop.md b/windows/configure/start-layout-xml-desktop.md similarity index 96% rename from windows/manage/start-layout-xml-desktop.md rename to windows/configure/start-layout-xml-desktop.md index db4bf8dd66..2a8a20dfd2 100644 --- a/windows/manage/start-layout-xml-desktop.md +++ b/windows/configure/start-layout-xml-desktop.md @@ -30,6 +30,9 @@ On Windows 10 for desktop editions, the customized Start works by: >[!NOTE] >Using the layout modification XML to configure Start is not supported with roaming user profiles. For more information, see [Deploy Roaming User Profiles](https://technet.microsoft.com/en-US/library/jj649079.aspx). +>[!NOTE] +>Using the layout modification XML to configure Start is not supported with roaming user profiles. For more information, see [Deploy Roaming User Profiles](https://technet.microsoft.com/library/jj649079.aspx). + ## LayoutModification XML IT admins can provision the Start layout using a LayoutModification.xml file. This file supports several mechanisms to modify or replace the default Start layout and its tiles. The easiest method for creating a LayoutModification.xml file is by using the Export-StartLayout cmdlet; see [Customize and export Start layout](customize-and-export-start-layout.md) for instructions. 
@@ -473,17 +476,13 @@ Once you have created the LayoutModification.xml file and it is present in the d ## Related topics -[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) - -[Configure Windows 10 taskbar](configure-windows-10-taskbar.md) - -[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) - -[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) - -[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) - -[Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md) +- [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) +- [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) +- [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) +- [Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) +- [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) +- [Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md) +- [Start layout XML for mobile editions of Windows 10 (reference)](start-layout-xml-mobile.md)   diff --git a/windows/manage/start-layout-xml-mobile.md b/windows/configure/start-layout-xml-mobile.md similarity index 95% rename from windows/manage/start-layout-xml-mobile.md rename to windows/configure/start-layout-xml-mobile.md index 9d10466302..f25c2d2413 100644 --- a/windows/manage/start-layout-xml-mobile.md +++ b/windows/configure/start-layout-xml-mobile.md 
@@ -370,17 +370,13 @@ This should set the value of **StartLayout**. The setting appears in the **Selec ## Related topics -[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) - -[Configure Windows 10 taskbar](configure-windows-10-taskbar.md) - -[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) - -[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) - -[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) - -[Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md) +- [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) +- [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) +- [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) +- [Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) +- [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) +- [Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md) +- [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md)   diff --git a/windows/configure/start-taskbar-lockscreen.md b/windows/configure/start-taskbar-lockscreen.md new file mode 100644 index 0000000000..966ef97fca --- /dev/null +++ b/windows/configure/start-taskbar-lockscreen.md 
@@ -0,0 +1,27 @@
+---
+title: Configure Start layout, taskbar, and lock screen for Windows 10 PCs (Windows 10)
+description:
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: jdeckerMS
+---
+
+# Configure Start layout, taskbar, and lock screen for Windows 10 PCs
+
+
+
+## In this section
+
+| Topic | Description |
+| --- | --- |
+| [Windows Spotlight on the lock screen](windows-spotlight.md) | Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen.

**Note:** You can also use the [Personalization CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/personalization-csp) settings to set lock screen and desktop background images. | +| [Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md) | Options to manage the tips, tricks, and suggestions offered by Windows and Windows Store. | +| [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) | Organizations might want to deploy a customized Start screen and menu to devices running Windows 10 Pro, Enterprise, or Education. A standard Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. | + + +## Related topics + +- [Configure Windows 10 Mobile devices](configure-mobile.md) \ No newline at end of file diff --git a/windows/manage/stop-employees-from-using-the-windows-store.md b/windows/configure/stop-employees-from-using-the-windows-store.md similarity index 95% rename from windows/manage/stop-employees-from-using-the-windows-store.md rename to windows/configure/stop-employees-from-using-the-windows-store.md index d09e5ae2be..04c5aa20d2 100644 --- a/windows/manage/stop-employees-from-using-the-windows-store.md +++ b/windows/configure/stop-employees-from-using-the-windows-store.md @@ -89,7 +89,7 @@ When your MDM tool supports Windows Store for Business, the MDM can use these CS - [EnterpriseAssignedAccess](https://msdn.microsoft.com/library/windows/hardware/mt157024.aspx) (Windows 10 Mobile, only) -For more information, see [Configure an MDM provider](configure-mdm-provider-windows-store-for-business.md). +For more information, see [Configure an MDM provider](../manage/configure-mdm-provider-windows-store-for-business.md). ## Show private store only using Group Policy Applies to Windows 10 Enterprise, version 1607, Windows 10 Education 
@@ -110,9 +110,9 @@ If you're using Windows Store for Business and you want employees to only see ap ## Related topics -[Distribute apps using your private store](distribute-apps-from-your-private-store.md) +[Distribute apps using your private store](../manage/distribute-apps-from-your-private-store.md) -[Manage access to private store](manage-access-to-private-store.md) +[Manage access to private store](../manage/manage-access-to-private-store.md)   diff --git a/windows/configure/windows-10-start-layout-options-and-policies.md b/windows/configure/windows-10-start-layout-options-and-policies.md new file mode 100644 index 0000000000..4829818f49 --- /dev/null +++ b/windows/configure/windows-10-start-layout-options-and-policies.md 
@@ -0,0 +1,121 @@
+---
+title: Manage Windows 10 Start and taskbar layout (Windows 10)
+description: Organizations might want to deploy a customized Start and taskbar layout to devices.
+ms.assetid: 2E94743B-6A49-463C-9448-B7DD19D9CD6A
+keywords: ["start screen", "start menu"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Manage Windows 10 Start and taskbar layout
+
+
+**Applies to**
+
+- Windows 10
+
+> **Looking for consumer information?** See [Customize the Start menu](http://windows.microsoft.com/windows-10/getstarted-see-whats-on-the-menu)
+
+Organizations might want to deploy a customized Start and taskbar configuration to devices running Windows 10 Pro, Enterprise, or Education. A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default.
+
+>[!NOTE]
+>Taskbar configuration is available starting in Windows 10, version 1607.
+>
+>Start and taskbar configuration can be applied to devices running Windows 10 Pro, version 1703.
+>
+>Using the layout modification XML to configure Start is not supported with roaming user profiles. For more information, see [Deploy Roaming User Profiles](https://technet.microsoft.com/library/jj649079.aspx).
+
+
+
+## Start options
+
+![start layout sections](images/startannotated.png)
+
+Some areas of Start can be managed using Group Policy. The layout of Start tiles can be managed using either Group Policy or Mobile Device Management (MDM) policy.
+
+The following table lists the different parts of Start and any applicable policy settings or Settings options. Group Policy settings are in the **User Configuration**\\**Administrative Templates**\\**Start Menu and Taskbar** path except where a different path is listed in the table.
+ +| Start | Policy | Local setting | +| --- | --- | --- | +| User tile | MDM: **Start/HideUserTile**
**Start/HideSwitchAccount**
**Start/HideSignOut**
**Start/HideLock**
**Start/HideChangeAccountSettings**

Group Policy: **Remove Logoff on the Start menu** | none | +| Most used | MDM: **Start/HideFrequentlyUsedApps**

Group Policy: **Remove frequent programs from the Start menu** | **Settings** > **Personalization** > **Start** > **Show most used apps** | +| Suggestions
-and-
Dynamically inserted app tile | MDM: **Allow Windows Consumer Features**

Group Policy: **Computer Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off Microsoft consumer experiences**

**Note:** This policy also enables or disables notifications for a user's Microsoft account and app tiles from Microsoft dynamically inserted in the default Start menu. | **Settings** > **Personalization** > **Start** > **Occasionally show suggestions in Start** | +| Recently added | MDM: **Start/HideRecentlyAddedApps** | **Settings** > **Personalization** > **Start** > **Show recently added apps** | +| Pinned folders | MDM: **AllowPinnedFolder** | **Settings** > **Personalization** > **Start** > **Choose which folders appear on Start** | +| Power | MDM: **Start/HidePowerButton**
**Start/HideHibernate**
**Start/HideRestart**
**Start/HideShutDown**
**Start/HideSleep**

Group Policy: **Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands** | none | +| Start layout | MDM: **Start layout**
**ImportEdgeAssets**

Group Policy: **Prevent users from customizing their Start screen**

**Note:** When a full Start screen layout is imported with Group Policy or MDM, the users cannot pin, unpin, or uninstall apps from the Start screen. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to the Start screen. When a partial Start screen layout is imported, users cannot change the tile groups applied by the partial layout, but can modify other tile groups and create their own.

**Start layout** policy can be used to pin apps to the taskbar based on an XML File that you provide. Users will be able to change the order of pinned apps, unpin apps, and pin additional apps to the taskbar. | none | +| Jump lists | MDM: **Start/HideRecentJumplists**

Group Policy: **Do not keep history of recently opened documents** | **Settings** > **Personalization** > **Start** > **Show recently opened items in Jump Lists on Start or the taskbar** | +| Start size | MDM: **Force Start size**

Group Policy: **Force Start to be either full screen size or menu size** | **Settings** > **Personalization** > **Start** > **Use Start full screen** | +| App list | MDM: **Start/HideAppList** | **Settings** > **Personalization** > **Start** > **Show app list in Start menu** | +| All Settings | Group Policy: **Prevent changes to Taskbar and Start Menu Settings** | none | +| Taskbar | MDM: **Start/NoPinningToTaskbar** | none | + + + ## Taskbar options + +Starting in Windows 10, version 1607, you can pin additional apps to the taskbar and remove default pinned apps from the taskbar. You can specify different taskbar configurations based on device locale or region. + +There are three categories of apps that might be pinned to a taskbar: +* Apps pinned by the user +* Default Windows apps, pinned during operating system installation (Microsoft Edge, File Explorer, Store) +* Apps pinned by the enterprise, such as in an unattended Windows setup + + >[!NOTE] + >The earlier method of using [TaskbarLinks](https://go.microsoft.com/fwlink/p/?LinkId=761230) in an unattended Windows setup file is deprecated in Windows 10, version 1607. + +The following example shows how apps will be pinned - Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using XML to the right (green square). + +![Windows left, user center, enterprise to the right](images/taskbar-generic.png) + +>[!NOTE] +>In operating systems configured to use a right-to-left language, the taskbar order will be reversed. + + + +Whether you apply the taskbar configuration to a clean install or an update, users will still be able to: +* Pin additional apps +* Change the order of pinned apps +* Unpin any app + +### Taskbar configuration applied to clean install of Windows 10 + +In a clean install, if you apply a taskbar layout, only the apps that you specify and default apps that you do not remove will be pinned to the taskbar. 
Users can pin additional apps to the taskbar after the layout is applied. + +### Taskbar configuration applied to Windows 10 upgrades + +When a device is upgraded to Windows 10, apps will be pinned to the taskbar already. Some apps may have been pinned to the taskbar by a user, and others may have been pinned to the taskbar through a customized base image or by using Windows Unattend setup. + +The new taskbar layout for upgrades to Windows 10, version 1607 or later, will apply the following behavior: +* If the user pinned the app to the taskbar, those pinned apps remain and new apps will be added to the right. +* If the user didn't pin the app (it was pinned during installation or by policy) and the app is not in updated layout file, the app will be unpinned. +* If the user didn't pin the app and the app is in the updated layout file, the app will be pinned to the right. +* New apps specified in updated layout file are pinned to right of user's pinned apps. + + + +## Related topics + + +[Customize and export Start layout](customize-and-export-start-layout.md) + +[Configure Windows 10 taskbar](configure-windows-10-taskbar.md) + +[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) + +[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) + +[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) + +[Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md) + +  + +  + + + + + diff --git a/windows/configure/windows-spotlight.md b/windows/configure/windows-spotlight.md new file mode 100644 index 0000000000..c3a078d793 --- /dev/null +++ b/windows/configure/windows-spotlight.md 
@@ -0,0 +1,91 @@
+---
+title: Configure Windows Spotlight on the lock screen (Windows 10)
+description: Windows Spotlight is an option for the lock screen background that displays different background images on the lock screen.
+ms.assetid: 1AEA51FA-A647-4665-AD78-2F3FB27AD46A
+keywords: ["lockscreen"]
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Configure Windows Spotlight on the lock screen
+
+
+**Applies to**
+
+- Windows 10
+
+
+Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. Windows Spotlight is available in all desktop editions of Windows 10.
+
+For managed devices running Windows 10 Enterprise and Windows 10 Education, enterprise administrators can configure a mobile device management (MDM) or Group Policy setting to prevent users from using the Windows Spotlight background. For managed devices running Windows 10 Pro, version 1607, administrators can disable suggestions for third party apps.
+
+
+>[!NOTE]
+>In Windows 10, version 1607, the lock screen background does not display if you disable the **Animate windows when minimizing and mazimizing** setting in **This PC** > **Properties** > **Advanced system settings** > **Performance settings** > **Visual Effects**, or if you enable the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Desktop Windows Manager** > **Do not allow windows animations**.
+>
+>In Windows 10, version 1703, you can use the [Personalization CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/personalization-csp) settings to set lock screen and desktop background images.
+
+## What does Windows Spotlight include?
+
+
+- **Background image**
+
+ The Windows Spotlight displays a new image on the lock screen each day.
The initial background image is included during installation. Additional images are downloaded on ongoing basis. + + ![lock screen image](images/lockscreen.png) + +- **Feature suggestions, fun facts, tips** + + The lock screen background will occasionally suggest Windows 10 features that the user hasn't tried yet, such as **Snap assist**. + + ![fun facts](images/funfacts.png) + +## How do you turn off Windows Spotlight locally? + + +To turn off Windows Spotlight locally, go to **Settings** > **Personalization** > **Lock screen** > **Background** > **Windows spotlight** > select a different lock screen background + +![personalization background](images/spotlight.png) + +## How do you disable Windows Spotlight for managed devices? + + +Windows Spotlight is enabled by default. Windows 10 provides Group Policy and mobile device management (MDM) settings to help you manage Windows Spotlight on enterprise computers. + +| Group Policy | MDM | Description | Applies to | +| --- | --- | --- | --- | +| **User Configuration\Administrative Templates\Windows Components\Cloud Content\Do not suggest third-party content in Windows spotlight** | **Experience/Allow ThirdParty Suggestions In Windows Spotlight** | Enables enterprises to restrict suggestions to Microsoft apps and services | Windows 10 Pro, Enterprise, and Education, version 1607 and later | +| **User Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off all Windows Spotlight features** | **Experience/Allow Windows Spotlight** | Enables enterprises to completely disable all Windows Spotlight features in a single setting | Windows 10 Enterprise and Education, version 1607 and later | +| **User Configuration\Administrative Templates\Windows Components\Cloud Content\Configure Spotlight on lock screen** | **Experience/Configure Windows Spotlight On Lock Screen** | Specifically controls the use of the dynamic Windows Spotlight image on the lock screen, and can be enabled or disabled | Windows 10 
Enterprise and Education, version 1607 and later | +| **Administrative Templates \ Windows Components \ Cloud Content \ Turn off the Windows Spotlight on Action Center** | **Experience/Allow Windows Spotlight On Action Center** | Turn off Suggestions from Microsoft that show after each clean install, upgrade, or on an on-going basis to introduce users to what is new or changed | Windows 10 Enterprise and Education, version 1703 | +| **User Configuration \ Administrative Templates \ Windows Components \ Cloud Content \ Do not use diagnostic data for tailored experiences** | **Experience/Allow Tailored Experiences With Diagnostic Data** | Prevent Windows from using diagnostic data to provide tailored experiences to the user | Windows 10 Pro, Enterprise, and Education, version 1703 | +| **User Configuration \ Administrative Templates \ Windows Components \ Cloud Content \ Turn off the Windows Welcome Experience** | **Experience/Allow Windows Spotlight Windows Welcome Experience** | Turn off the Windows Spotlight Windows Welcome experience which helps introduce users to Windows, such as launching Microsoft Edge with a web page highlighting new features | Windows 10 Enterprise and Education, version 1703 | + + + In addition to the specific policy settings for Windows Spotlight, administrators can replace Windows Spotlight with a selected image using the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**. + +>[!WARNING] +> In Windows 10, version 1607, the **Force a specific default lock screen image** policy setting will prevent users from changing the lock screen image. This behavior will be corrected in a future release. + +![lockscreen policy details](images/lockscreenpolicy.png) + +Pay attention to the checkbox in **Options**. 
In addition to providing the path to the lock screen image, administrators can choose to allow or **Turn off fun facts, tips, tricks, and more on lock screen**. If the checkbox is not selected, users will see the lock screen image that is defined in the policy setting, and will also see occasional messages. + + + +## Related topics + + +[Manage Windows 10 Start layout options](../manage/windows-10-start-layout-options-and-policies.md) + +  + +  + + + + + diff --git a/windows/deploy/TOC.md b/windows/deploy/TOC.md index b5049f3c39..d31baa9297 100644 --- a/windows/deploy/TOC.md +++ b/windows/deploy/TOC.md 
@@ -55,18 +55,6 @@
 ## [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md)
 ## [Windows 10 upgrade paths](windows-10-upgrade-paths.md)
 ## [Windows 10 edition upgrade](windows-10-edition-upgrades.md)
-## [Provisioning packages for Windows 10](provisioning-packages.md)
-### [How provisioning works in Windows 10](provisioning-how-it-works.md)
-### [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md)
-### [Create a provisioning package](provisioning-create-package.md)
-### [Apply a provisioning package](provisioning-apply-package.md)
-### [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
-### [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
-### [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md)
-### [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
-### [NFC-based device provisioning](provisioning-nfc.md)
-### [Windows ICD command-line interface (reference)](provisioning-command-line.md)
-### [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
 ## [Deploy Windows To Go in your organization](deploy-windows-to-go.md)
 ## [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade-windows-phone-8-1-to-10.md)
 ## [Sideload apps in Windows 10](sideload-apps-in-windows-10.md)
diff --git a/windows/deploy/change-history-for-deploy-windows-10.md b/windows/deploy/change-history-for-deploy-windows-10.md
index d2629f839f..a3c2c4364e 100644
--- a/windows/deploy/change-history-for-deploy-windows-10.md
+++ b/windows/deploy/change-history-for-deploy-windows-10.md
@@ -11,6 +11,9 @@ author: greg-lindsay # Change history for Deploy Windows 10 This topic lists new and updated topics in the [Deploy Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). +## RELEASE: Windows 10, version 1703 +The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The provisioning topics have been moved to [Configure Windows 10](../configure/index.md). + ## March 2017 | New or changed topic | Description | |----------------------|-------------| diff --git a/windows/deploy/images/icd-create-options-1703.PNG b/windows/deploy/images/icd-create-options-1703.PNG new file mode 100644 index 0000000000..007e740683 Binary files /dev/null and b/windows/deploy/images/icd-create-options-1703.PNG differ diff --git a/windows/deploy/index.md b/windows/deploy/index.md index 0bf5f91e98..8b1846f60e 100644 --- a/windows/deploy/index.md +++ b/windows/deploy/index.md 
@@ -27,7 +27,6 @@ Learn about deploying Windows 10 for IT professionals.
 |[Convert MBR partition to GPT](mbr-to-gpt.md) |This topic provides detailed instructions for using the MBR2GPT partition conversion tool. |
 |[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. |
 |[Windows 10 edition upgrade](windows-10-edition-upgrades.md) |With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. |
-| [Provisioning packages for Windows 10](provisioning-packages.md) | Learn how to use the Windows Imaging and Configuration Designer (ICD) and provisioning packages to easily configure multiple devices. |
 |[Windows 10 upgrade paths](windows-10-upgrade-paths.md) |You can upgrade directly to Windows 10 from a previous operating system. |
 |[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](../plan/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](../plan/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. |
 |[Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade-windows-phone-8-1-to-10.md) |This topic describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile. |
diff --git a/windows/deploy/provision-pcs-for-initial-deployment.md b/windows/deploy/provision-pcs-for-initial-deployment.md
deleted file mode 100644
index 86c8e234ff..0000000000
--- a/windows/deploy/provision-pcs-for-initial-deployment.md
+++ /dev/null
@@ -1,123 +0,0 @@ ---- -title: Provision PCs with common settings (Windows 10) -description: Create a provisioning package to apply common settings to a PC running Windows 10. -ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E -keywords: ["runtime provisioning", "provisioning package"] -ms.prod: W10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: jdeckerMS -localizationpriority: high ---- - -# Provision PCs with common settings for initial deployment (simple provisioning) - - -**Applies to** - -- Windows 10 - -This topic explains how to create and apply a simple provisioning package that contains common enterprise settings to a device running all desktop editions of Windows 10 except Windows 10 Home. - -You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices. - -## Advantages -- You can configure new devices without reimaging. - -- Works on both mobile and desktop devices. - -- No network connectivity required. - -- Simple to apply. - -[Learn more about the benefits and uses of provisioning packages.](provisioning-packages.md) - -## What does simple provisioning do? - -In a simple provisioning package, you can configure: - -- Device name -- Upgraded product edition -- Wi-Fi network -- Active Directory enrollment -- Local administrator account - -Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. To learn about provisioning packages that include more than the settings in a simple provisioning package, see [Provision PCs with apps and certificates](provision-pcs-with-apps-and-certificates.md). - -> [!TIP] -> Use simple provisioning to create a package with the common settings, then switch to the advanced editor to add other settings, apps, policies, etc. 
- -![open advanced editor](images/icd-simple-edit.png) - -## Create the provisioning package - -Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK and select **Configuration Designer**.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) - -1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe). - -2. Click **Simple provisioning**. - - ![ICD start options](images/icdstart-option.png) - -3. Name your project and click **Finish**. The screens for simple provisioning will walk you through the following steps. - - ![ICD simple provisioning](images/icd-simple.png) - -4. In the **Set up device** step, enter a unique 15-character name for the device. For help generating a unique name, you can use %SERIAL%, which includes a hardware-specific serial number, or you can use %RAND:x%, which generates random characters of x length. - -5. (*Optional*) You can upgrade the following editions of Windows 10 by providing a product key for the edition to upgrade to. - - Pro to Education - - Pro to Enterprise - - Enterprise to Education - -6. Click **Set up network**. - -7. Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, type, and (if required) password for the wireless network. - -8. Click **Enroll into Active Directory**. - -9. Toggle **Yes** or **No** for Active Directory enrollment. If you select **Yes**, enter the credentials for an account with permissions to enroll the device. (*Optional*) Enter a user name and password to create a local administrator account. - - > **Warning**: If you don't create a local administrator account and the device fails to enroll in Active Directory for any reason, you will have to reimage the device and start over. 
As a best practice, we recommend: - - Use a least-privileged domain account to join the device to the domain. - - Create a temporary administrator account to use for debugging or reprovisioning if the device fails to enroll successfully. - - [Use Group Policy to delete the temporary administrator account](https://blogs.technet.microsoft.com/canitpro/2014/12/10/group-policy-creating-a-standard-local-admin-account/) after the device is enrolled in Active Directory. - -10. Click **Finish**. - -11. Review your settings in the summary. You can return to previous pages to change your selections. Then, under **Protect your package**, toggle **Yes** or **No** to encrypt the provisioning package. If you select **Yes**, enter a password. This password must be entered to apply the encrypted provisioning package. - -12. Click **Create**. - -> [!IMPORTANT] -> When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. 
- - - **Next step**: [How to apply a provisioning package](provisioning-apply-package.md) - - -## Learn more - -- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) - -- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) - -  -## Related topics - -- [Provisioning packages for Windows 10](provisioning-packages.md) -- [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) -- [Create a provisioning package](provisioning-create-package.md) -- [Apply a provisioning package](provisioning-apply-package.md) -- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) -- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) -- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) - - - - - diff --git a/windows/deploy/provisioning-install-icd.md b/windows/deploy/provisioning-install-icd.md deleted file mode 100644 index 9727bc089d..0000000000 --- a/windows/deploy/provisioning-install-icd.md +++ /dev/null 
@@ -1,106 +0,0 @@ ---- -title: Install Windows Imaging and Configuration Designer (Windows 10) -description: Learn how to install and run Windows ICD. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: jdeckerMS -localizationpriority: high ---- - -# Install Windows Imaging and Configuration Designer (ICD) - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -Use the Windows Imaging and Configuration Designer (ICD) tool in the Windows Assessment and Deployment Kit (ADK) to create provisioning packages to easily configure devices running Windows 10. Windows ICD is primarily designed for use by IT departments for business and educational institutions who need to provision bring-your-own-device (BYOD) and business-supplied devices. - -## Supported platforms - -Windows ICD can create provisioning packages for Windows 10 desktop and mobile editions, including Windows 10 IoT Core. You can run Windows ICD on the following operating systems: - -- Windows 10 - x86 and amd64 -- Windows 8.1 Update - x86 and amd64 -- Windows 8.1 - x86 and amd64 -- Windows 8 - x86 and amd64 -- Windows 7 - x86 and amd64 -- Windows Server 2016 -- Windows Server 2012 R2 Update -- Windows Server 2012 R2 -- Windows Server 2012 -- Windows Server 2008 R2 - -## Install Windows ICD - -1. Go to [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) and select **Get Windows ADK** for the version of Windows 10 that you want to create provisioning packages for (version 1511 or version 1607). - - >[!NOTE] - >The rest of this procedure uses Windows ADK for Windows 10, version 1607 as an example. - -2. Save **adksetup.exe** and then run it. - -3. On the **Specify Location** page, select an installation path and then click **Next**. - >[!NOTE] - >The estimated disk space listed on this page applies to the full Windows ADK. If you only install Windows ICD, the space requirement is approximately 32 MB. -4. 
Make a selection on the **Windows Kits Privacy** page, and then click **Next**. - -5. Accept the **License Agreement**, and then click **Next**. - -6. On the **Select the features you want to install** page, clear all selections except **Configuration Designer**, and then click **Install**. - - ![Only Configuration Designer selected for installation](images/icd-install.png) - -## Current Windows ICD limitations - - -- You can only run one instance of Windows ICD on your computer at a time. - -- Be aware that when adding apps and drivers, all files stored in the same folder will be imported and may cause errors during the build process. - -- The Windows ICD UI does not support multivariant configurations. Instead, you must use the Windows ICD command-line interface to configure multivariant settings. For more information, see [Create a provisioning package with multivariant settings](provisioning-multivariant.md). - -- While you can open multiple projects at the same time within Windows ICD, you can only build one project at a time. - -- In order to enable the simplified authoring jscripts to work on a server SKU running Windows ICD, you need to explicitly enable **Allow websites to prompt for information using scripted windows**. Do this by opening Internet Explorer and then navigating to **Settings** > **Internet Options** > **Security** -> **Custom level** > **Allow websites to prompt for information using scripted windows**, and then choose **Enable**. - -- If you copy a Windows ICD project from one PC to another PC, make sure that all the associated files for the deployment assets, such as apps and drivers, are copied along with the project to the same path as it was on the original PC. - - For example, when you add a driver to a provisioned package, you must copy the .INF file to a local directory on the PC that is running Windows ICD. 
If you don't do this, and attempt to use a copied version of this project on a different PC, Windows ICD might attempt to resolve the path to the files that point to the original PC. - -- **Recommended**: Before starting, copy all source files to the PC running Windows ICD, rather than using external sources like network shares or removable drives. This reduces the risk of interrupting the build process from a temporary network issue or from disconnecting the USB device. - -**Next step**: [How to create a provisioning package](provisioning-create-package.md) - -## Learn more - -- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) - -- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) - -## Related topics - -- [Provisioning packages for Windows 10](provisioning-packages.md) -- [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Create a provisioning package](provisioning-create-package.md) -- [Apply a provisioning package](provisioning-apply-package.md) -- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) -- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) -- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) -- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) - - - -  - -  - - - - - 
diff --git a/windows/deploy/provisioning-packages.md b/windows/deploy/provisioning-packages.md deleted file mode 100644 index 557bf3e595..0000000000 --- a/windows/deploy/provisioning-packages.md +++ /dev/null 
@@ -1,127 +0,0 @@ ---- -title: Provisioning packages (Windows 10) -description: With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. -ms.assetid: 287706E5-063F-4AB5-902C-A0DF6D0730BC -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: jdeckerMS -localizationpriority: high ---- - -# Provisioning packages for Windows 10 - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using Windows provisioning, an IT administrator can easily specify desired configuration and settings required to enroll the devices into management and then apply that configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers. - -A provisioning package (.ppkg) is a container for a collection of configuration settings. With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. - -Provisioning packages are simple enough that with a short set of written instructions, a student or non-technical employee can use them to configure their device. This can result in a significant reduction in the time required to configure multiple devices in your organization. - -The [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) includes the Imaging and Configuration Designer (ICD), a tool for configuring provisioning packages. - -## New in Windows 10, version 1607 - -Windows ICD for Windows 10, version 1607, simplifies common provisioning scenarios. 
- -![Configuration Designer options](images/icd.png) - -Windows ICD in Windows 10, version 1607, supports the following scenarios for IT administrators: - -* **Simple provisioning** – Enables IT administrators to define a desired configuration in Windows ICD and then apply that configuration on target devices. The simple provisioning wizard makes the entire process quick and easy by guiding an IT administrator through common configuration settings in a step-by-step manner. - - > [Learn how to use simple provisioning to configure Windows 10 computers.](provision-pcs-for-initial-deployment.md) - -* **Advanced provisioning (deployment of classic (Win32) and Universal Windows Platform (UWP) apps, and certificates)** – Allows an IT administrator to use Windows ICD to open provisioning packages in the advanced settings editor and include apps for deployment on end-user devices. - - > [Learn how to use advanced provisioning to configure Windows 10 computers with apps and certificates.](provision-pcs-with-apps-and-certificates.md) - -* **Mobile device enrollment into management** - Enables IT administrators to purchase off-the-shelf retail Windows 10 Mobile devices and enroll them into mobile device management (MDM) before handing them to end-users in the organization. IT administrators can use Windows ICD to specify the management end-point and apply the configuration on target devices by connecting them to a Windows PC (tethered deployment) or through an SD card. Supported management end-points include: - - * System Center Configuration Manager and Microsoft Intune hybrid (certificate-based enrollment) - * AirWatch (password-string based enrollment) - * Mobile Iron (password-string based enrollment) - * Other MDMs (cert-based enrollment) - -> [!NOTE] -> Windows ICD in Windows 10, version 1607, also provides a wizard to create provisioning packages for school PCs. To learn more, see [Set up students' PCs to join domain](https://technet.microsoft.com/edu/windows/index). 
- -## Benefits of provisioning packages - - -Provisioning packages let you: - -- Quickly configure a new device without going through the process of installing a new image. - -- Save time by configuring multiple devices using one provisioning package. - -- Quickly configure employee-owned devices in an organization without a mobile device management (MDM) infrastructure. - -- Set up a device without the device having network connectivity. - -Provisioning packages can be: - -- Installed using removable media such as an SD card or USB flash drive. - -- Attached to an email. - -- Downloaded from a network share. - -## What you can configure - - -The following table provides some examples of what you can configure using provisioning packages. - -| Customization options | Examples | -|--------------------------|-----------------------------------------------------------------------------------------------| -| Bulk Active Directory join and device name | Join devices to Active Directory domain and assign device names using hardware-specific serial numbers or random characters | -| Applications | Windows apps, line-of-business applications | -| Bulk enrollment into MDM | Automatic enrollment into a third-party MDM service\* | -| Certificates | Root certification authority (CA), client certificates | -| Connectivity profiles | Wi-Fi, proxy settings, Email | -| Enterprise policies | Security restrictions (password, device lock, camera, and so on), encryption, update settings | -| Data assets | Documents, music, videos, pictures | -| Start menu customization | Start menu layout, application pinning | -| Other | Home and lock screen wallpaper, computer name, domain join, DNS settings, and so on | -\* Using a provisioning package for auto-enrollment to System Center Configuration Manager or Configuration Manager/Intune hybrid is not supported. Use the Configuration Manager console to enroll devices. 
-  - -For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( https://go.microsoft.com/fwlink/p/?LinkId=619012). - -## Learn more - -- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) - -- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) - -## Related topics - -- [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) -- [Create a provisioning package](provisioning-create-package.md) -- [Apply a provisioning package](provisioning-apply-package.md) -- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) -- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) -- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) -- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) - - - - - -  - -  - - - - - diff --git a/windows/deploy/update-windows-10-images-with-provisioning-packages.md b/windows/deploy/update-windows-10-images-with-provisioning-packages.md deleted file mode 100644 index 27b3025c15..0000000000 --- a/windows/deploy/update-windows-10-images-with-provisioning-packages.md +++ /dev/null 
@@ -1,125 +0,0 @@ ---- -title: Update Windows 10 images with provisioning packages (Windows 10) -description: Use a provisioning package to apply settings, profiles, and file assets to a Windows 10 image. -ms.assetid: 3CA345D2-B60A-4860-A3BF-174713C3D3A6 -keywords: provisioning, bulk deployment, image -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: mobile -author: jdeckerMS -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/provisioning-packages ---- - -# Update Windows 10 images with provisioning packages -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -Use a provisioning package to apply settings, profiles, and file assets to a Windows 10 image. - -In Windows 10, you can apply a provisioning package at any time. A provisioning package can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. - -You can include provisioning packages when you build a Windows image. This way, you can create a single provisioning package that you can add to different hardware-specific images. - -You can also put a provisioning package on a USB drive or SD card to apply to off-the-shelf devices. You can even send the provisioning package to someone in email. - -Rather than wiping a device and applying a new system image when you need to change configuration, you can reset the device to its original state and then apply a new provisioning package. - -For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( https://go.microsoft.com/fwlink/p/?LinkId=619012). - -## Advantages -- You can configure new devices without reimaging. - -- Works on both mobile and desktop devices. - -- No network connectivity required. - -- Simple for people to apply. - -- Ensure compliance and security before a device is enrolled in MDM. 
- -## Create package -Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package. [Install the ADK.](https://go.microsoft.com/fwlink/p/?LinkId=526740) - -1. Open Windows ICD (by default, `%windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe`). - -2. Choose **New provisioning package**. - -3. Name your project, and click **Next**. - -4. Choose **Common to all Windows editions** and click **Next**. - -5. On **New project**, click **Finish**. The workspace for your package opens. - -6. Configure settings. [Learn more about specific settings in provisioning packages.]( https://go.microsoft.com/fwlink/p/?LinkId=615916) - -7. On the **File** menu, select **Save.** - -8. On the **Export** menu, select **Provisioning package**. - -9. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** - -10. Set a value for **Package Version**. - - **Tip**   - You can make changes to existing packages and change the version number to update previously applied packages. - -11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. - - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package. - - **Important**   - We recommend that you include a trusted provisioning certificate in your provisioning package. 
When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.  - -12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.

-Optionally, you can click **Browse** to change the default output location. - -13. Click **Next**. - -14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.

-If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. - -15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.

-If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - - - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. - -16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods: - - - Shared network folder - - - SharePoint site - - - Removable media (USB/SD) - - - Email - - - USB tether (mobile only) - - - NFC (mobile only) - -## Add package to image -**To add a provisioning package to Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)** - -- Follow the steps in the "To build an image for Windows 10 for desktop editions" section in [Use the Windows ICD command-line interface]( https://go.microsoft.com/fwlink/p/?LinkId=617371). - -**To add a provisioning package to a Windows 10 Mobile image** - -- Follow the steps in the "To build an image for Windows 10 Mobile or Windows 10 IoT Core (IoT Core)" section in [Use the Windows ICD command-line interface]( https://go.microsoft.com/fwlink/p/?LinkId=617371).

-The provisioning package is placed in the FFU image and is flashed or sector written to the device. During device setup time, the provisioning engine starts and consumes the packages. - -## Learn more -- [Build and apply a provisioning package]( https://go.microsoft.com/fwlink/p/?LinkId=629651) - -- [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) - -- [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) - -## Related topics -- [Configure devices without MDM](../manage/configure-devices-without-mdm.md) \ No newline at end of file diff --git a/windows/deploy/upgrade-analytics-prepare-your-environment.md b/windows/deploy/upgrade-analytics-prepare-your-environment.md deleted file mode 100644 index 796b1298d8..0000000000 --- a/windows/deploy/upgrade-analytics-prepare-your-environment.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -title: Upgrade Analytics - Identify important apps (Windows 10) -redirect_url: upgrade-readiness-identify-apps ---- \ No newline at end of file diff --git a/windows/deploy/upgrade-analytics-release-notes.md b/windows/deploy/upgrade-analytics-release-notes.md deleted file mode 100644 index 694618d4d7..0000000000 --- a/windows/deploy/upgrade-analytics-release-notes.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -title: Upgrade Analytics release notes (Windows 10) -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-requirements#important-information-about-this-release ---- \ No newline at end of file diff --git a/windows/deploy/upgrade-analytics-review-site-discovery.md b/windows/deploy/upgrade-analytics-review-site-discovery.md deleted file mode 100644 index 00fd0a4784..0000000000 --- a/windows/deploy/upgrade-analytics-review-site-discovery.md +++ /dev/null @@ -1,7 +0,0 @@ ---- -title: Review site discovery -redirect_url: upgrade-readiness-additional-insights ---- - - - 
diff --git a/windows/index.md b/windows/index.md index 31050c6bd6..08a4bee465 100644 --- a/windows/index.md +++ b/windows/index.md @@ -21,9 +21,13 @@ This library provides the core content that IT pros need to evaluate, plan, depl [Deploy Windows 10](deploy/index.md) +[Configure Windows 10](configure/index.md) + +[Update Windows 10](update/index.md) + [Keep Windows 10 secure](keep-secure/index.md) -[Manage and update Windows 10](manage/index.md) +[Manage Windows 10](manage/index.md) ## Related topics diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index fe68a6ecc9..239f81ce31 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -3,7 +3,6 @@ ## [Windows Hello for Business](hello-identity-verification.md) ### [How Windows Hello for Business works](hello-how-it-works.md) ### [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -### [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) ### [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) ### [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) ### [Windows Hello and password changes](hello-and-password-changes.md) @@ -22,6 +21,7 @@ #### [Deploy code integrity policies: steps](deploy-code-integrity-policies-steps.md) #### [Deploy catalog files to support code integrity policies](deploy-catalog-files-to-support-code-integrity-policies.md) ### [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md) +## [Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md) ## [Protect derived domain credentials with Credential Guard](credential-guard.md) ## [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md) ## [Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) 
@@ -41,6 +41,9 @@
 #### [Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md)
 #### [Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](recommended-network-definitions-for-wip.md)
 #### [Using Outlook Web Access with Windows Information Protection (WIP)](using-owa-with-wip.md)
+## [Windows Defender SmartScreen](windows-defender-smartscreen-overview.md)
+### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen-available-settings.md)
+### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen-set-individual-device.md)
 ## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)
 ## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md)
 ## [VPN technical guide](vpn-guide.md)
@@ -152,6 +155,7 @@
 ###### [Using Event Viewer with AppLocker](using-event-viewer-with-applocker.md)
 ##### [AppLocker Settings](applocker-settings.md)
 ### [BitLocker](bitlocker-overview.md)
+#### [Overview of BitLocker and device encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md)
 #### [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md)
 #### [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
 #### [BitLocker basic deployment](bitlocker-basic-deployment.md)
@@ -918,7 +922,6 @@
 ## [Enterprise security guides](windows-10-enterprise-security-guides.md)
 ### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
 ### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md)
-### [Windows 10 security overview](windows-10-security-guide.md)
 ### [Windows 10 credential theft mitigation guide abstract](windows-credential-theft-mitigation-guide-abstract.md)
 ### [How to use single sign-on (SSO) over VPN and Wi-Fi connections](how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md)
 ## [Change history for Keep Windows 10 secure](change-history-for-keep-windows-10-secure.md)
diff --git a/windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md b/windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md
deleted file mode 100644
index 0efd393b76..0000000000
--- a/windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: AD DS schema extensions to support TPM backup
-redirect_url: https://technet.microsoft.com/library/jj635854.aspx
----
-
diff --git a/windows/keep-secure/additional-configuration-windows-advanced-threat-protection.md b/windows/keep-secure/additional-configuration-windows-advanced-threat-protection.md
deleted file mode 100644
index 1f2d6310fd..0000000000
--- a/windows/keep-secure/additional-configuration-windows-advanced-threat-protection.md
+++ /dev/null
@@ -1,7 +0,0 @@
- ---
- redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection
- ---
-
-# Additional Windows Defender ATP configuration settings
-
-This page has been redirected to [Configure endpoints](https://technet.microsoft.com/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection)
\ No newline at end of file
diff --git a/windows/keep-secure/app-behavior-with-wip.md b/windows/keep-secure/app-behavior-with-wip.md
index 1f83aad42f..edf4af5b1b 100644
--- a/windows/keep-secure/app-behavior-with-wip.md
+++ b/windows/keep-secure/app-behavior-with-wip.md
@@ -6,6 +6,7 @@
 ms.prod: w10
 ms.mktglfcycl: explore
 ms.pagetype: security
 ms.sitesec: library
+author: eross-msft
 localizationpriority: high
 ---
diff --git a/windows/keep-secure/bitlocker-device-encryption-overview-windows-10.md b/windows/keep-secure/bitlocker-device-encryption-overview-windows-10.md
new file mode 100644
index 0000000000..5a323847e9
--- /dev/null
+++ b/windows/keep-secure/bitlocker-device-encryption-overview-windows-10.md
@@ -0,0 +1,134 @@ +--- +title: Overview of BitLocker and device encryption in Windows 10 +description: This topic provides an overview of how BitLocker and device encryption can help protect data on devices running Windows 10. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: Justinha +--- + +# Overview of BitLocker and device encryption in Windows 10 + +**Applies to** +- Windows 10 + +This topic provides an overview of the ways that BitLocker and device encryption can help protect data on devices running Windows 10. For a general overview and list of topics about BitLocker, see [BitLocker](bitlocker-overview.md). + +When users travel, their organization’s confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives; in Windows 10, BitLocker will even protect individual files, with data loss prevention capabilities. Windows consistently improves data protection by improving existing options and by providing new strategies. + +Table 2 lists specific data-protection concerns and how they are addressed in Windows 10 and Windows 7. + +**Table 2. Data Protection in Windows 10 and Windows 7** + +| Windows 7 | Windows 10 | +|---|---| +| When BitLocker is used with a PIN to protect startup, PCs such as kiosks cannot be restarted remotely. | Modern Windows devices are increasingly protected with device encryption out of the box and support SSO to seamlessly protect the BitLocker encryption keys from cold boot attacks.

Network Unlock allows PCs to start automatically when connected to the internal network. | +| Users must contact the IT department to change their BitLocker PIN or password. | Modern Windows devices no longer require a PIN in the pre-boot environment to protect BitLocker encryption keys from cold boot attacks.

Users who have standard privileges can change their BitLocker PIN or password on legacy devices that require a PIN. | +| When BitLocker is enabled, the provisioning process can take several hours. | BitLocker pre-provisioning, encrypting hard drives, and Used Space Only encryption allow administrators to enable BitLocker quickly on new computers. | +| There is no support for using BitLocker with self-encrypting drives (SEDs). | BitLocker supports offloading encryption to encrypted hard drives. | +| Administrators have to use separate tools to manage encrypted hard drives. | BitLocker supports encrypted hard drives with onboard encryption hardware built in, which allows administrators to use the familiar BitLocker administrative tools to manage them. | +| Encrypting a new flash drive can take more than 20 minutes. | Used Space Only encryption in BitLocker To Go allows users to encrypt drives in seconds. | +| BitLocker could require users to enter a recovery key when system configuration changes occur. | BitLocker requires the user to enter a recovery key only when disk corruption occurs or when he or she loses the PIN or password. | +| Users need to enter a PIN to start the PC, and then their password to sign in to Windows. | Modern Windows devices are increasingly protected with device encryption out of the box and support SSO to help protect the BitLocker encryption keys from cold boot attacks. | + +The sections that follow describe these improvements in more detail. Also see: + +- Additional description of improvements in BitLocker: see the [BitLocker](https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511#bitlocker) section in "What's new in Windows 10, versions 1507 and 1511." +- Introduction and requirements for BitLocker: see [BitLocker](bitlocker-overview.md). + +## Prepare for drive and file encryption + +The best type of security measures are transparent to the user during implementation and use. 
Every time there is a possible delay or difficulty because of a security feature, there is strong likelihood that users will try to bypass security. This situation is especially true for data protection, and that’s a scenario that organizations need to avoid. +Whether you’re planning to encrypt entire volumes, removable devices, or individual files, Windows 10 meets your needs by providing streamlined, usable solutions. In fact, you can take several steps in advance to prepare for data encryption and make the deployment quick and smooth. + +### TPM pre-provisioning + +In Windows 7, preparing the TPM for use offered a couple of challenges: + +* You can turn on the TPM in the BIOS, which requires someone to either go into the BIOS settings to turn it on or to install a driver to turn it on from within Windows. +* When you enable the TPM, it may require one or more restarts. + +Basically, it was a big hassle. If IT staff were provisioning new PCs, they could handle all of this, but if you wanted to add BitLocker to devices that were already in users’ hands, those users would have struggled with the technical challenges and would either call IT for support or simply leave BitLocker disabled. + +Microsoft includes instrumentation in Windows 10 that enables the operating system to fully manage the TPM. There is no need to go into the BIOS, and all scenarios that required a restart have been eliminated. + +## Deploy hard drive encryption + +BitLocker is capable of encrypting entire hard drives, including both system and data drives. BitLocker pre-provisioning can drastically reduce the time required to provision new PCs with BitLocker enabled. With Windows 10, administrators can turn on BitLocker and the TPM from within the Windows Preinstallation Environment before they install Windows or as part of an automated deployment task sequence without any user interaction. 
Combined with Used Disk Space Only encryption and a mostly empty drive (because Windows is not yet installed), it takes only a few seconds to enable BitLocker. +With earlier versions of Windows, administrators had to enable BitLocker after Windows had been installed. Although this process could be automated, BitLocker would need to encrypt the entire drive, a process that could take anywhere from several hours to more than a day depending on drive size and performance, which significantly delayed deployment. Microsoft has improved this process through multiple features in Windows 10. + +## Device encryption + +Beginning in Windows 8.1, Windows automatically enables BitLocker device encryption on devices that support InstantGo. With Windows 10, Microsoft offers device encryption support on a much broader range of devices, including those that are InstantGo. Microsoft expects that most devices in the future will pass the testing requirements, which makes device encryption pervasive across modern Windows devices. Device encryption further protects the system by transparently implementing device-wide data encryption. + +Unlike a standard BitLocker implementation, device encryption is enabled automatically so that the device is always protected. The following list outlines how this happens: + +* When a clean installation of Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, device encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key (this is the equivalent of standard BitLocker suspended state). +* If the device is not domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. 
Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using his or her Microsoft account credentials. +* If the user uses a domain account to sign in, the clear key is not removed until the user joins the device to a domain and the recovery key is successfully backed up to Active Directory Domain Services (AD DS). You must enable the **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** Group Policy setting, and select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** option. With this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed. +* Similar to signing in with a domain account, the clear key is removed when the user logs on to an Azure AD account on the device. As described in the bullet point above, the recovery password is created automatically when the user authenticates to Azure AD. Then, the recovery key is backed up to Azure AD, the TPM protector is created, and the clear key is removed. + +Microsoft recommends that device encryption be enabled on any systems that support it, but the automatic device encryption process can be prevented by changing the following registry setting: +- **Subkey**: HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\BitLocker +- **Value**: PreventDeviceEncryption equal to True (1) +- **Type**: REG\_DWORD + +Administrators can manage domain-joined devices that have device encryption enabled through Microsoft BitLocker Administration and Monitoring (MBAM). In this case, device encryption automatically makes additional BitLocker options available. 
No conversion or encryption is required, and MBAM can manage the full BitLocker policy set if any configuration changes are required. + +## Used Disk Space Only encryption + +BitLocker in earlier Windows versions could take a long time to encrypt a drive, because it encrypted every byte on the volume (including parts that did not have data). That is still the most secure way to encrypt a drive, especially if a drive has previously contained confidential data that has since been moved or deleted, in which case traces of the confidential data could remain on portions of the drive marked as unused. +But why encrypt a new drive when you can simply encrypt the data as it is being written? To reduce encryption time, BitLocker in Windows 10 lets users choose to encrypt just their data. Depending on the amount of data on the drive, this option can reduce encryption time by more than 99 percent. +Exercise caution when encrypting only used space on an existing volume on which confidential data may have already been stored in an unencrypted state, however, because those sectors can be recovered through disk-recovery tools until they are overwritten by new encrypted data. In contrast, encrypting only used space on a brand-new volume can significantly decrease deployment time without the security risk because all new data will be encrypted as it is written to the disk. + +## Encrypted hard drive support + +SEDs have been available for years, but Microsoft couldn’t support their use with some earlier versions of Windows because the drives lacked important key management features. Microsoft worked with storage vendors to improve the hardware capabilities, and now BitLocker supports the next generation of SEDs, which are called encrypted hard drives. 
+Encrypted hard drives provide onboard cryptographic capabilities to encrypt data on drives, which improves both drive and system performance by offloading cryptographic calculations from the PC’s processor to the drive itself and rapidly encrypting the drive by using dedicated, purpose-built hardware. If you plan to use whole-drive encryption with Windows 10, Microsoft recommends that you investigate hard drive manufacturers and models to determine whether any of their encrypted hard drives meet your security and budget requirements. +For more information about encrypted hard drives, see [Encrypted Hard Drive](encrypted-hard-drive.md). + +## Preboot information protection + +An effective implementation of information protection, like most security controls, considers usability as well as security. Users typically prefer a simple security experience. In fact, the more transparent a security solution becomes, the more likely users are to conform to it. +It is crucial that organizations protect information on their PCs regardless of the state of the computer or the intent of users. This protection should not be cumbersome to users. One undesirable and previously commonplace situation is when the user is prompted for input during preboot, and then again during Windows logon. Challenging users for input more than once should be avoided. +Windows 10 can enable a true SSO experience from the preboot environment on modern devices and in some cases even on older devices when robust information protection configurations are in place. The TPM in isolation is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. 
Although other countermeasures like PIN-based unlock are available, they are not as user-friendly; depending on the devices’ configuration they may not offer additional security when it comes to key protection. For more information, see [BitLocker Countermeasures](bitlocker-countermeasures.md) and [Choose the right BitLocker countermeasure](choose-the-right-bitlocker-countermeasure.md). + +## Manage passwords and PINs + +When BitLocker is enabled on a system drive and the PC has a TPM, you can choose to require that users type a PIN before BitLocker will unlock the drive. Such a PIN requirement can prevent an attacker who has physical access to a PC from even getting to the Windows logon, which makes it virtually impossible for the attacker to access or modify user data and system files. + +Requiring a PIN at startup is a useful security feature because it acts as a second authentication factor (a second “something you know”). This configuration comes with some costs, however. One of the most significant is the need to change the PIN regularly. In enterprises that used BitLocker with Windows 7 and the Windows Vista operating system, users had to contact systems administrators to update their BitLocker PIN or password. This requirement not only increased management costs but made users less willing to change their BitLocker PIN or password on a regular basis. +Windows 10 users can update their BitLocker PINs and passwords themselves, without administrator credentials. Not only will this feature reduce support costs, but it could improve security, too, because it encourages users to change their PINs and passwords more often. In addition, InstantGo devices do not require a PIN for startup: They are designed to start infrequently and have other mitigations in place that further reduce the attack surface of the system. 
+For more information about how startup security works and the countermeasures that Windows 10 provides, see [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md). + +## Configure Network Unlock + +Some organizations have location-specific data security requirements. This is most common in environments where high-value data is stored on PCs. The network environment may provide crucial data protection and enforce mandatory authentication; therefore, policy states that those PCs should not leave the building or be disconnected from the corporate network. Safeguards like physical security locks and geofencing may help enforce this policy as reactive controls. Beyond these, a proactive security control that grants data access only when the PC is connected to the corporate network is necessary. + +Network Unlock enables BitLocker-protected PCs to start automatically when connected to a wired corporate network on which Windows Deployment Services runs. Anytime the PC is not connected to the corporate network, a user must type a PIN to unlock the drive (if PIN-based unlock is enabled). +Network Unlock requires the following infrastructure: + +* Client PCs that have Unified Extensible Firmware Interface (UEFI) firmware version 2.3.1 or later, which supports Dynamic Host Configuration Protocol (DHCP) +* A server running at least Windows Server 2012 with the Windows Deployment Services role +* A server with the DHCP server role installed + +For more information about how to configure Network Unlock, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). + +## Microsoft BitLocker Administration and Monitoring + +Part of the Microsoft Desktop Optimization Pack, MBAM makes it easier to manage and support BitLocker and BitLocker To Go. 
MBAM 2.5 with Service Pack 1, the latest version, has the following key features: + +* Enables administrators to automate the process of encrypting volumes on client computers across the enterprise. +* Enables security officers to quickly determine the compliance state of individual computers or even of the enterprise itself. +* Provides centralized reporting and hardware management with Microsoft System Center Configuration Manager. +* Reduces the workload on the help desk to assist end users with BitLocker recovery requests. +* Enables end users to recover encrypted devices independently by using the Self-Service Portal. +* Enables security officers to easily audit access to recovery key information. +* Empowers Windows Enterprise users to continue working anywhere with the assurance that their corporate data is protected. +* Enforces the BitLocker encryption policy options that you set for your enterprise. +* Integrates with existing management tools, such as System Center Configuration Manager. +* Offers an IT-customizable recovery user experience. +* Supports Windows 10. + +For more information about MBAM, including how to obtain it, see [Microsoft BitLocker Administration and Monitoring](https://technet.microsoft.com/windows/hh826072.aspx) on the MDOP TechCenter. diff --git a/windows/keep-secure/bitlocker-overview.md b/windows/keep-secure/bitlocker-overview.md index e3d23d3102..d92c5e1cce 100644 --- a/windows/keep-secure/bitlocker-overview.md +++ b/windows/keep-secure/bitlocker-overview.md 
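Review bot: In "Manage passwords and PINs" the startup PIN is described as "a second authentication factor (a second “something you know”)", but two knowledge items are still a single factor type; what makes TPM+PIN a two-factor unlock is the TPM (possession) combined with the PIN (knowledge). I would reword it as `Requiring a PIN at startup is a useful security feature because it adds a knowledge factor (the PIN) to the possession factor that the TPM provides.` The same section says a PIN makes access "virtually impossible", while "Preboot information protection" says PIN-based unlock "may not offer additional security" depending on device configuration; pointing this paragraph at the countermeasure topics already linked from that section would reconcile the two statements for a reader deciding whether to require a PIN.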
@@ -67,6 +67,7 @@ When installing the BitLocker optional component on a server you will also need | Topic | Description | | - | - | +| [Overview of BitLocker and device encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md) | This topic for the IT professional provides an overview of the ways that BitLocker and device encryption can help protect data on devices running Windows 10. | | [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) | This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.| | [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)| This topic for the IT professional explains how can you plan your BitLocker deployment. | | [BitLocker basic deployment](bitlocker-basic-deployment.md) | This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption. | diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 858577af50..6cd59dffcb 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md 
@@ -18,6 +18,17 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |---------------------|------------| |[Protect derived domain credentials with Credential Guard](credential-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.| |[Requirements and deployment planning guidelines for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.| +|[Windows Defender SmartScreen overview](windows-defender-smartscreen-overview.md)|New | +|[Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen-available-settings.md)|New | +|[Use Windows Defender Security Center to set Windows Defender SmartScreen for individual devices](windows-defender-smartscreen-set-individual-device.md)|New | + + +## February 2017 + +|New or changed topic |Description | +|---------------------|------------| +|[Overview of threat mitigations in Windows 10](overview-of-threat-mitigations-in-windows-10.md) | Reorganized from existing content, to provide a better overview of threat mitigations. Added information that maps the Enhanced Mitigation Experience Toolkit (EMET) to Windows 10 features. | + ## January 2017 @@ -129,7 +140,6 @@ The topics in this library have been updated for Windows 10, version 1607 (also |New or changed topic | Description | |----------------------|-------------| |[Protect derived domain credentials with Credential Guard](credential-guard.md) |Clarified Credential Guard protections | -|[Windows 10 security overview](windows-10-security-guide.md) |Added SMB hardening improvements for SYSVOL and NETLOGON connections | ## March 2016 
diff --git a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md index 49287b61de..5e69d804c4 100644 --- a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md @@ -45,16 +45,16 @@ Configure a registry-based static proxy to allow only Windows Defender ATP senso The static proxy is configurable through Group Policy (GP). The group policy can be found under: **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**. -The registry key that this policy sets can be found at: -```HKLM\Software\Policies\Microsoft\Windows\DataCollection TelemetryProxyServer``` +The policy sets two registry values `TelemetryProxyServer` as REG_SZ and `DisableEnterpriseAuthProxy` as REG_DWORD under the registry key `HKLM\Software\Policies\Microsoft\Windows\DisableEnterpriseAuthProxy`. + +The registry value `TelemetryProxyServer` takes the following string format: -The policy and the registry key takes the following string format: ```text : ``` For example: 10.0.0.6:8080 -If the static proxy settings are configured after onboarding, then you must restart the PC to apply the proxy settings. +The registry value `DisableEnterpriseAuthProxy` should be set to 1. ## Configure the proxy server manually using netsh command diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md index 4bd92ff06f..079086758f 100644 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md 
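Review bot: The registry key in the added sentence, `HKLM\Software\Policies\Microsoft\Windows\DisableEnterpriseAuthProxy`, repeats a value name as its last path component, whereas the line this hunk removes gave the key as `HKLM\Software\Policies\Microsoft\Windows\DataCollection`. An administrator who sets the values by hand from the new text would presumably write them under a key the policy does not read, leaving the sensor without its static proxy; the sentence should end `under the registry key HKLM\Software\Policies\Microsoft\Windows\DataCollection`. The hunk also drops the statement that a restart is required when the proxy is configured after onboarding; if that still applies it should stay. The new line `The registry value DisableEnterpriseAuthProxy should be set to 1` would be clearer with one sentence on what that value changes.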
@@ -6,6 +6,7 @@
 ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
+author: eross-msft
 localizationpriority: high
 ---
diff --git a/windows/keep-secure/create-edp-policy-using-intune.md b/windows/keep-secure/create-edp-policy-using-intune.md
deleted file mode 100644
index 77a7c0ee85..0000000000
--- a/windows/keep-secure/create-edp-policy-using-intune.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Create an enterprise data protection (EDP) policy using Microsoft Intune (Windows 10)
-description: Microsoft Intune helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
-redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/create-wip-policy-using-intune
----
\ No newline at end of file
diff --git a/windows/keep-secure/create-edp-policy-using-sccm.md b/windows/keep-secure/create-edp-policy-using-sccm.md
deleted file mode 100644
index 354503af96..0000000000
--- a/windows/keep-secure/create-edp-policy-using-sccm.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager (Windows 10)
-description: Configuration Manager (version 1606 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
-redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/create-wip-policy-using-sccm
----
\ No newline at end of file
diff --git a/windows/keep-secure/create-vpn-and-edp-policy-using-intune.md b/windows/keep-secure/create-vpn-and-edp-policy-using-intune.md
deleted file mode 100644
index edd007a4f0..0000000000
--- a/windows/keep-secure/create-vpn-and-edp-policy-using-intune.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune (Windows 10)
-description: After you've created and deployed your enterprise data protection (EDP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your EDP policy.
-redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/create-vpn-and-wip-policy-using-intune
----
\ No newline at end of file
diff --git a/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md b/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md
deleted file mode 100644
index 6d70cbad2b..0000000000
--- a/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Create a Device Guard code integrity policy based on a reference device (Windows 10)
-redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide
----
-
diff --git a/windows/keep-secure/deploy-code-integrity-policies-steps.md b/windows/keep-secure/deploy-code-integrity-policies-steps.md
index 19608b040d..d13224f45d 100644
--- a/windows/keep-secure/deploy-code-integrity-policies-steps.md
+++ b/windows/keep-secure/deploy-code-integrity-policies-steps.md
@@ -136,11 +136,37 @@ You can now use this file to update the existing code integrity policy that you > **Note**  You may have noticed that you did not generate a binary version of this policy as you did in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). This is because code integrity policies created from an audit log are not intended to run as stand-alone policies but rather to update existing code integrity policies. +## Use a code integrity policy to control specific plug-ins, add-ins, and modules + +As of Windows 10, version 1703, you can use code integrity policies not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps (such as a line-of-business application or a browser): + +| Approach (as of Windows 10, version 1703) | Guideline | +|---|---| +| You can work from a list of plug-ins, add-ins, or modules that you want only a specific application to be able to run. Other applications would be blocked from running them. | Use `New-CIPolicyRule` with the `-AppID` option. | +| In addition, you can work from a list of plug-ins, add-ins, or modules that you want to block in a specific application. Other applications would be allowed to run them. | Use `New-CIPolicyRule` with the `-AppID` and `-Deny` options. | + +To work with these options, the typical method is to create a policy that only affects plug-ins, add-ins, and modules, then merge it into your ‘master’ policy (merging is described in the next section). + +For example, to create a code integrity policy that allows **addin1.dll** and **addin2.dll** to run in **ERP1.exe**, your organization’s enterprise resource planning (ERP) application, but blocks those add-ins in other applications, run the following commands. 
Note that in the second command, **+=** is used to add a second rule to the **$rule** variable: + +``` +$rule = New-CIPolicyRule -DriverFilePath '.\temp\addin1.dll' -Level FileName -AppID '.\ERP1.exe' +$rule += New-CIPolicyRule -DriverFilePath '.\temp\addin2.dll' -Level FileName -AppID '.\ERP1.exe' +New-CIPolicy -Rules $rule -FilePath ".\AllowERPAddins.xml" -UserPEs +``` + +As another example, to create a code integrity policy that blocks **addin3.dll** from running in Microsoft Word, run the following command. You must include the `-Deny` option to block the specified add-ins in the specifed application: + +``` +$rule = New-CIPolicyRule -DriverFilePath '.\temp\addin3.dll' -Level FileName -Deny -AppID '.\winword.exe' +New-CIPolicy -Rules $rule -FilePath ".\BlockAddins.xml" -UserPEs +``` + ## Merge code integrity policies When you develop code integrity policies, you will occasionally need to merge two policies. A common example is when a code integrity policy is initially created and audited. Another example is when you create a single master policy by using multiple code integrity policies previously created from golden computers. Because each computer running Windows 10 can have only one code integrity policy, it is important to properly maintain these policies. In this example, audit events have been saved into a secondary code integrity policy that you then merge with the initial code integrity policy. -> **Note**  The following example uses the code integrity policy .xml files that you created in earlier sections in this topic. You can follow this process, however, with any two code integrity policies you would like to combine. +> **Note**  The following example uses several of the code integrity policy .xml files that you created in earlier sections in this topic. You can follow this process, however, with any two code integrity policies you would like to combine. 
To merge two code integrity policies, complete the following steps in an elevated Windows PowerShell session: diff --git a/windows/keep-secure/deploy-edp-policy-using-intune.md b/windows/keep-secure/deploy-edp-policy-using-intune.md deleted file mode 100644 index c9528077e0..0000000000 --- a/windows/keep-secure/deploy-edp-policy-using-intune.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Deploy your enterprise data protection (EDP) policy using Microsoft Intune (Windows 10) -description: After you’ve created your enterprise data protection (EDP) policy, you'll need to deploy it to your organization's enrolled devices. -redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/deploy-wip-policy-using-intune ---- \ No newline at end of file diff --git a/windows/keep-secure/device-guard-certification-and-compliance.md b/windows/keep-secure/device-guard-certification-and-compliance.md deleted file mode 100644 index 566a6df4da..0000000000 --- a/windows/keep-secure/device-guard-certification-and-compliance.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -title: Device Guard certification and compliance (Windows 10) -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide ---- diff --git a/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md b/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md deleted file mode 100644 index b3077d445a..0000000000 --- a/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md +++ /dev/null 
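Review bot: The two examples in the added "Use a code integrity policy to control specific plug-ins, add-ins, and modules" section build their rules with `-Level FileName`, but the text never says that a file-name rule identifies an add-in less specifically than a hash- or publisher-level rule, which matters most for the allow case (**addin1.dll** and **addin2.dll** in **ERP1.exe**). I would add after the first example: `File-name rules are less specific than hash or publisher rules; where the add-in is signed, consider a stricter -Level.` The sentence introducing the second example misspells "specified" as `specifed application`. The link added in introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md targets `deploy-code-integrity-policies-steps.md#plug-ins`, and no `plug-ins` anchor is visible on this heading, so that link may not resolve; an explicit anchor on the heading, or a link to the generated heading id, would fix it.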
@@ -1,19 +0,0 @@ ---- -title: Enable phone sign-in to PC or VPN (Windows 10) -description: You can set policies to allow your users to sign in to a PC or VPN using their Windows 10 phone. -keywords: ["identity", "PIN", "biometric", "Hello"] -ms.prod: W10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: jdeckerMS -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-enable-phone-signin ---- - -# Enable phone sign-in to PC or VPN - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - diff --git a/windows/keep-secure/enlightened-microsoft-apps-and-edp.md b/windows/keep-secure/enlightened-microsoft-apps-and-edp.md deleted file mode 100644 index c152dca1e5..0000000000 --- a/windows/keep-secure/enlightened-microsoft-apps-and-edp.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: List of enlightened Microsoft apps for use with enterprise data protection (EDP) (Windows 10) -description: Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your Protected Apps list. -redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/enlightened-microsoft-apps-and-wip ---- \ No newline at end of file diff --git a/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md b/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md deleted file mode 100644 index 88a3f076b6..0000000000 --- a/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -title: Get apps to run on Device Guard-protected devices (Windows 10) -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide ---- diff --git a/windows/keep-secure/guidance-and-best-practices-edp.md b/windows/keep-secure/guidance-and-best-practices-edp.md deleted file mode 100644 index cfd70be3cc..0000000000 
--- a/windows/keep-secure/guidance-and-best-practices-edp.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: General guidance and best practices for enterprise data protection (EDP) (Windows 10) -description: This section includes info about the enlightened Microsoft apps, including how to add them to your Protected Apps list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with enterprise data protection (EDP). -redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/guidance-and-best-practices-wip ---- \ No newline at end of file diff --git a/windows/keep-secure/hello-and-password-changes.md b/windows/keep-secure/hello-and-password-changes.md index dc6bb1e021..336c82005d 100644 --- a/windows/keep-secure/hello-and-password-changes.md +++ b/windows/keep-secure/hello-and-password-changes.md @@ -41,7 +41,6 @@ Suppose instead that you sign in on **Device B** and change your password for yo - [Windows Hello for Business](hello-identity-verification.md) - [How Windows Hello for Business works](hello-how-it-works.md) - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) diff --git a/windows/keep-secure/hello-biometrics-in-enterprise.md b/windows/keep-secure/hello-biometrics-in-enterprise.md index caf9da8a9b..c57043af82 100644 --- a/windows/keep-secure/hello-biometrics-in-enterprise.md +++ b/windows/keep-secure/hello-biometrics-in-enterprise.md 
@@ -79,7 +79,6 @@ To allow facial recognition, you must have devices with integrated special infra - [Windows Hello for Business](hello-identity-verification.md) - [How Windows Hello for Business works](hello-how-it-works.md) - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md) diff --git a/windows/keep-secure/hello-enable-phone-signin.md b/windows/keep-secure/hello-enable-phone-signin.md deleted file mode 100644 index b325dd3b58..0000000000 --- a/windows/keep-secure/hello-enable-phone-signin.md +++ /dev/null 
@@ -1,84 +0,0 @@ ---- -title: Enable phone sign-in to PC or VPN (Windows 10) -description: You can set policies to allow your users to sign in to a PC or VPN using their Windows 10 phone. -keywords: ["identity", "PIN", "biometric", "Hello"] -ms.prod: W10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: DaniHalfin -localizationpriority: high ---- - -# Enable phone sign-in to PC or VPN - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -In Windows 10, version 1607, your network users can use Windows Phone with Windows Hello to sign in to a PC, connect to VPN, and sign in to Office 365 in a browser. Phone sign-in uses Bluetooth, which means no need to wait for a phone call -- just unlock the phone and tap the app. - -![Sign in to a device](images/phone-signin-menu.png) - -> [!NOTE] -> Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants. - -You can create a Group Policy or mobile device management (MDM) policy that will allow users to sign in to a work PC or their company's VPN using the credentials stored on their Windows 10 phone. - - ## Prerequisites - - - Both phone and PC must be running Windows 10, version 1607. - - The PC must be running Windows 10 Pro, Enterprise, or Education - - Both phone and PC must have Bluetooth. - - The **Microsoft Authenticator** app must be installed on the phone. - - The PC must be joined to an Active Directory domain that is connected to an Azure Active Directory (Azure AD) domain, or the PC must be joined to Azure AD. - - The phone must be joined to Azure AD or have a work account added. - - The VPN configuration profile must use certificate-based authentication. - -## Set policies - -To enable phone sign-in, you must enable the following policies using Group Policy or MDM. 
- -- Group Policy: **Computer Configuration** or **User Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** - - Enable **Use Windows Hello for Business** - - Enable **Phone Sign-in** -- MDM: - - Set **UsePassportForWork** to **True** - - Set **Remote\UseRemotePassport** to **True** - -## Configure VPN - -To enable phone sign-in to VPN, you must enable the [policy](#set-policies) for phone sign-in and ensure that VPN is configured as follows: - -- For inbox VPN, set up the VPN profile with Extensible Authentication Protocol (EAP) with the **Smart card or other certificate (TLS)** EAP type, also known as EAP-Transport Level Security (EAP-TLS). To exclusively access the VPN certificates on the phone, in the EAP filtering XML, add either **EKU** or **Issuer** (or both) filtering to make sure it picks only the Remote NGC certificate. -- For a Universal Windows Platform (UWP) VPN plug-in, add filtering criteria based on the 3rd party mechanism for the Remote NGC Certificate. - -## Get the app - -If you want to distribute the **Microsoft Authenticator** app, your organization must have set up Windows Store for Business, with Microsoft added as a [Line of Business (LOB) publisher](../manage/working-with-line-of-business-apps.md). 
- -[Tell people how to sign in using their phone.](hello-prepare-people-to-use.md#bmk-remote) - - -## Related topics - -- [Windows Hello for Business](hello-identity-verification.md) -- [How Windows Hello for Business works](hello-how-it-works.md) -- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) -- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) -- [Windows Hello and password changes](hello-and-password-changes.md) -- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) -- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) - - -  - -  - - - - - diff --git a/windows/keep-secure/hello-errors-during-pin-creation.md b/windows/keep-secure/hello-errors-during-pin-creation.md index 98dce6bbda..b9f0619b20 100644 --- a/windows/keep-secure/hello-errors-during-pin-creation.md +++ b/windows/keep-secure/hello-errors-during-pin-creation.md @@ -225,7 +225,6 @@ For errors listed in this table, contact Microsoft Support for assistance. - [Windows Hello for Business](hello-identity-verification.md) - [How Windows Hello for Business works](hello-how-it-works.md) - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md) diff --git a/windows/keep-secure/hello-event-300.md b/windows/keep-secure/hello-event-300.md index a59c57e6be..1eecd8dd53 100644 --- a/windows/keep-secure/hello-event-300.md +++ b/windows/keep-secure/hello-event-300.md 
@@ -37,7 +37,6 @@ This is a normal condition. No further action is required. - [Windows Hello for Business](hello-identity-verification.md) - [How Windows Hello for Business works](hello-how-it-works.md) - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md) diff --git a/windows/keep-secure/hello-how-it-works.md b/windows/keep-secure/hello-how-it-works.md index af480096c6..379783c65a 100644 --- a/windows/keep-secure/hello-how-it-works.md +++ b/windows/keep-secure/hello-how-it-works.md @@ -112,7 +112,6 @@ Windows Hello depends on having compatible IDPs available to it. As of this writ - [Windows Hello for Business](hello-identity-verification.md) - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md) diff --git a/windows/keep-secure/hello-identity-verification.md b/windows/keep-secure/hello-identity-verification.md index c13f490b56..063ed2cfe2 100644 --- a/windows/keep-secure/hello-identity-verification.md +++ b/windows/keep-secure/hello-identity-verification.md 
@@ -72,10 +72,6 @@ Imagine that someone is looking over your shoulder as you get money from an ATM Windows Hello helps protect user identities and user credentials. Because the user doesn't enter a password (except during provisioning), it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Windows Hello credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are protected by TPMs. -For customers using a hybrid Active Directory and Azure Active Directory environment, Windows Hello also enables Windows 10 Mobile devices to be used as [a remote credential](hello-prepare-people-to-use.md#bmk-remote) when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Windows Hello on the user’s Windows 10 Mobile device. Because users carry their phone with them, Windows Hello makes implementing two-factor authentication across the enterprise less costly and complex than other solutions. - -> [!NOTE] ->  Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.   ## How Windows Hello for Business works: key points @@ -119,7 +115,6 @@ Windows Hello for Business can use either keys (hardware or software) or certifi - [How Windows Hello for Business works](hello-how-it-works.md) - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md) diff --git a/windows/keep-secure/hello-manage-in-organization.md b/windows/keep-secure/hello-manage-in-organization.md index beca5f89e3..44cef02636 100644 --- a/windows/keep-secure/hello-manage-in-organization.md 
+++ b/windows/keep-secure/hello-manage-in-organization.md @@ -131,16 +131,12 @@ The following table lists the Group Policy settings that you can configure for W -Phone Sign-in +>Phone Sign-in

Use Phone Sign-in

-
Note  Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
-
 
-

Not configured: Phone sign-in is disabled.

-

Enabled: Users can use a portable, registered device as a companion device for desktop authentication.

-

Disabled: Phone sign-in is disabled.

+

Not currently supported.

@@ -283,14 +279,11 @@ The following table lists the MDM policy settings that you can configure for Win Remote

UseRemotePassport

-
Note  Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
-
 
Device or user False -

True: Phone sign-in is enabled.

-

False: Phone sign-in is disabled.

+

Not currently supported.

@@ -381,7 +374,6 @@ If you want to use Windows Hello for Business with certificates, you’ll need a - [Windows Hello for Business](hello-identity-verification.md) - [How Windows Hello for Business works](hello-how-it-works.md) -- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md) diff --git a/windows/keep-secure/hello-prepare-people-to-use.md b/windows/keep-secure/hello-prepare-people-to-use.md index 41c323ada1..8426ced11d 100644 --- a/windows/keep-secure/hello-prepare-people-to-use.md +++ b/windows/keep-secure/hello-prepare-people-to-use.md 
@@ -51,56 +51,13 @@ If your policy allows it, people can use biometrics (fingerprint, iris, and faci ![sign in to windows, apps, and services using fingerprint or face](images/hellosettings.png) -## Use a phone to sign in to a PC or VPN -If your enterprise enables phone sign-in, users can pair a phone running Windows 10 Mobile to a PC running Windows 10 and then use an app on the phone to sign in to the PC using their Windows Hello credentials. - -> [!NOTE] -> Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants. - -  -**Prerequisites:** - -- Both phone and PC must be running Windows 10, version 1607. -- The PC must be running Windows 10 Pro, Enterprise, or Education -- Both phone and PC must have Bluetooth. -- The **Microsoft Authenticator** app must be installed on the phone. -- The PC must be joined to an Active Directory domain that is connected to an Azure Active Directory (Azure AD) domain, or the PC must be joined to Azure AD. -- The phone must be joined to Azure AD or have a work account added. -- The VPN configuration profile must use certificate-based authentication. - -**Pair the PC and phone** - -1. On the PC, go to **Settings** > **Devices** > **Bluetooth**. Tap the name of the phone and then tap **Pair** to begin pairing. - - ![bluetooth pairing](images/btpair.png) - -2. On the phone, go to **Settings** > **Devices** > **Bluetooth**, and verify that the passcode for **Pairing accessory** on the phone matches the passcode displayed on the PC, and then tap **ok**. - - ![bluetooth pairing passcode](images/bt-passcode.png) - -3. On the PC, tap **Yes**. - -**Sign in to PC using the phone** - - -1. Open the **Microsoft Authenticator** app, choose your account, and tap the name of the PC to sign in to. - > **Note: **  The first time that you run the **Microsoft Authenticator** app, you must add an account. - - ![select a device](images/phone-signin-device-select.png) -   -2. 
Enter the work PIN that you set up when you joined the phone to the cloud domain or added a work account. - -**Connect to VPN** - -You simply connect to VPN as you normally would. If the phone's certificates are being used, a notification will be pushed to the phone asking if you approve. If you click **allow** in the notification, you will be prompted for your PIN. After you enter your PIN, the VPN session will connect. ## Related topics - [Windows Hello for Business](hello-identity-verification.md) - [How Windows Hello for Business works](hello-how-it-works.md) - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) - [Windows Hello and password changes](hello-and-password-changes.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) diff --git a/windows/keep-secure/hello-why-pin-is-better-than-password.md b/windows/keep-secure/hello-why-pin-is-better-than-password.md index e79b6e5348..9c24738397 100644 --- a/windows/keep-secure/hello-why-pin-is-better-than-password.md +++ b/windows/keep-secure/hello-why-pin-is-better-than-password.md @@ -75,7 +75,6 @@ If you only had a biometric sign-in configured and, for any reason, were unable - [Windows Hello for Business](hello-identity-verification.md) - [How Windows Hello for Business works](hello-how-it-works.md) - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) 
diff --git a/windows/keep-secure/images/threat-mitigations-pre-breach-post-breach-conceptual.png b/windows/keep-secure/images/threat-mitigations-pre-breach-post-breach-conceptual.png new file mode 100644 index 0000000000..f23868fdde Binary files /dev/null and b/windows/keep-secure/images/threat-mitigations-pre-breach-post-breach-conceptual.png differ diff --git a/windows/keep-secure/images/windows-defender-security-center.png b/windows/keep-secure/images/windows-defender-security-center.png new file mode 100644 index 0000000000..a3286fb528 Binary files /dev/null and b/windows/keep-secure/images/windows-defender-security-center.png differ diff --git a/windows/keep-secure/images/windows-defender-smartscreen-control.png b/windows/keep-secure/images/windows-defender-smartscreen-control.png new file mode 100644 index 0000000000..b2700addba Binary files /dev/null and b/windows/keep-secure/images/windows-defender-smartscreen-control.png differ diff --git a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md deleted file mode 100644 index 20c4be5a7e..0000000000 --- a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md +++ /dev/null @@ -1,19 +0,0 @@ ---- -title: Implement Windows Hello in your organization (Windows 10) -description: You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello for Business on devices running Windows 10. -ms.assetid: 47B55221-24BE-482D-BD31-C78B22AC06D8 -keywords: identity, PIN, biometric, Hello -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -author: jdeckerMS -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-manage-in-organization ---- - -# Implement Windows Hello for Business in your organization - -**Applies to** -- Windows 10 -- Windows 10 Mobile - 
diff --git a/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md b/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md index 3712b6aed0..73592f2841 100644 --- a/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md +++ b/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md @@ -36,6 +36,10 @@ The following table lists security threats and describes the corresponding Devic In this guide, you learn about the individual features found within Device Guard as well as how to plan for, configure, and deploy them. Device Guard with configurable code integrity is intended for deployment alongside additional threat-mitigating Windows features such as [Credential Guard](credential-guard.md) and [AppLocker](applocker-overview.md). +## New and changed functionality + +As of Windows 10, version 1703, you can use code integrity policies not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps (such as a line-of-business application or a browser). For more information, see [Use a code integrity policy to control specific plug-ins, add-ins, and modules](deploy-code-integrity-policies-steps.md#plug-ins). + ## Tools for managing Device Guard features You can easily manage Device Guard features by using familiar enterprise and client-management tools that IT pros use every day: diff --git a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md deleted file mode 100644 index 81cef9cc41..0000000000 --- a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md +++ /dev/null 
@@ -1,18 +0,0 @@ ---- -title: Manage identity verification using Windows Hello for Business (Windows 10) -description: In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. -ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E -keywords: identity, PIN, biometric, Hello, passport -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -author: jdeckerMS -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-identity-verification ---- -# Manage identity verification using Windows Hello for Business - -**Applies to** -- Windows 10 -- Windows 10 Mobile - diff --git a/windows/keep-secure/mandatory-settings-for-wip.md b/windows/keep-secure/mandatory-settings-for-wip.md index 1c7ea0a9ff..f92c5cee6a 100644 --- a/windows/keep-secure/mandatory-settings-for-wip.md +++ b/windows/keep-secure/mandatory-settings-for-wip.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security +author: eross-msft localizationpriority: high --- diff --git a/windows/keep-secure/microsoft-passport-and-password-changes.md b/windows/keep-secure/microsoft-passport-and-password-changes.md deleted file mode 100644 index fffa48b90f..0000000000 --- a/windows/keep-secure/microsoft-passport-and-password-changes.md +++ /dev/null @@ -1,13 +0,0 @@ ---- -title: Windows Hello and password changes (Windows 10) -description: When you change your password on a device, you may need to sign in with a password on other devices to reset Hello. -ms.assetid: 83005FE4-8899-47A6-BEA9-C17CCA0B6B55 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -author: jdeckerMS -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-and-password-changes ---- -# Windows Hello and password changes - 
diff --git a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md
deleted file mode 100644
index aa890d3cd9..0000000000
--- a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Windows Hello errors during PIN creation (Windows 10)
-description: When you set up Windows Hello in Windows 10, you may get an error during the Create a work PIN step.
-ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502
-keywords: PIN, error, create a work PIN
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: jdeckerMS
-redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-errors-during-pin-creation
----
-
-# Windows Hello errors during PIN creation
-
diff --git a/windows/keep-secure/microsoft-passport-guide.md b/windows/keep-secure/microsoft-passport-guide.md
deleted file mode 100644
index faa85f4206..0000000000
--- a/windows/keep-secure/microsoft-passport-guide.md
+++ /dev/null
@@ -1,18 +0,0 @@
----
-title: Microsoft Passport guide (Windows 10)
-description: This guide describes the new Windows Hello and Microsoft Passport technologies that are part of the Windows 10 operating system.
-ms.assetid: 11EA7826-DA6B-4E5C-99FB-142CC6BD9E84
-keywords: security, credential, password, authentication
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.sitesec: library
-ms.pagetype: security
-author: challum
-redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-identity-verification
----
-
-# Microsoft Passport guide
-
-**Applies to**
-- Windows 10
-
diff --git a/windows/keep-secure/monitor-onboarding-windows-advanced-threat-protection.md b/windows/keep-secure/monitor-onboarding-windows-advanced-threat-protection.md
deleted file mode 100644
index 2f8775683c..0000000000
--- a/windows/keep-secure/monitor-onboarding-windows-advanced-threat-protection.md
+++ /dev/null
@@ -1,7 +0,0 @@ - --- - redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection - --- - -# Monitor the Windows Defender Advanced Threat Protection onboarding - -This page has been redirected to [Configure endpoints](https://technet.microsoft.com/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection) \ No newline at end of file diff --git a/windows/keep-secure/override-mitigation-options-for-app-related-security-policies.md b/windows/keep-secure/override-mitigation-options-for-app-related-security-policies.md index b686486083..1412786961 100644 --- a/windows/keep-secure/override-mitigation-options-for-app-related-security-policies.md +++ b/windows/keep-secure/override-mitigation-options-for-app-related-security-policies.md 
@@ -24,11 +24,11 @@ Windows 10 includes Group Policy-configurable “Process Mitigation Options” t The Group Policy settings in this topic are related to three types of process mitigations. In Windows 10, all three types are on by default for 64-bit applications, but by using the Group Policy settings described in this topic, you can configure additional protections. The types of process mitigations are: -- **Data Execution Prevention (DEP)** is a system-level memory protection feature that enables the operating system to mark one or more pages of memory as non-executable, preventing code from being run from that region of memory, to help prevent exploitation of buffer overruns. DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. For more information, see [Data Execution Prevention](windows-10-security-guide.md#data-execution-prevention). +- **Data Execution Prevention (DEP)** is a system-level memory protection feature that enables the operating system to mark one or more pages of memory as non-executable, preventing code from being run from that region of memory, to help prevent exploitation of buffer overruns. DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. For more information, see [Data Execution Prevention](overview-of-threat-mitigations-in-windows-10.md#data-execution-prevention). -- **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they have been compiled with the latest improvements. +- **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. 
Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they have been compiled with the latest improvements. For more information, see [Structured Exception Handling Overwrite Protection](overview-of-threat-mitigations-in-windows-10.md#structured-exception-handling-overwrite-protection). -- **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time to mitigate against malware that’s designed to attack specific memory locations, where specific DLLs are expected to be loaded. For more information, see [Address Space Layout Randomization](windows-10-security-guide.md#address-space-layout-randomization). +- **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time to mitigate against malware that’s designed to attack specific memory locations, where specific DLLs are expected to be loaded. For more information, see [Address Space Layout Randomization](overview-of-threat-mitigations-in-windows-10.md#address-space-layout-randomization). To find additional ASLR protections in the table below, look for `IMAGES` or `ASLR`. diff --git a/windows/keep-secure/overview-create-edp-policy.md b/windows/keep-secure/overview-create-edp-policy.md deleted file mode 100644 index 74ca414ed7..0000000000 --- a/windows/keep-secure/overview-create-edp-policy.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Create an enterprise data protection (EDP) policy (Windows 10) -description: Microsoft Intune and System Center Configuration Manager Technical Preview version 1605 or later helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. -redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/overview-create-wip-policy ---- \ No newline at end of file 
diff --git a/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md b/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md
new file mode 100644
index 0000000000..2e7af88cf4
--- /dev/null
+++ b/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md
@@ -0,0 +1,395 @@ +--- +title: Mitigate threats by using Windows 10 security features (Windows 10) +description: This topic provides an overview of software and firmware threats faced in the current security landscape, and the mitigations that Windows 10 offers in response to these threats. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +author: justinha +--- + +# Mitigate threats by using Windows 10 security features + +**Applies to:** +- Windows 10 + +This topic provides an overview of software and firmware threats faced in the current security landscape, and the mitigations that Windows 10 offers in response to these threats. For information about related types of protection offered by Windows and Office, see [Related topics](#related-topics). + +| **Section** | **Contents** | +|--------------|-------------------------| +| [The security threat landscape](#threat-landscape) | Describes the current nature of the security threat landscape, and outlines the basic ways that Windows 10 is designed to mitigate software exploits and similar threats. | +| [Windows 10 mitigations that you can configure](#windows-10-mitigations-that-you-can-configure) | Provides tables of configurable threat mitigations with links to more information. Product features such as Device Guard appear in [Table 1](#windows-10-mitigations-that-you-can-configure), and memory protection options such as Data Execution Prevention appear in [Table 2](#table-2). | +| [Windows 10 mitigations that need no configuration](#windows-10-mitigations-that-need-no-configuration) | Provides descriptions of Windows 10 mitigations that require no configuration—they are built into the operating system. For example, heap protections and kernel pool protections are built into Windows 10. 
| +| [Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit](#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) | For IT professionals who are familiar with the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/en-us/kb/2458544), describes how the mitigations in EMET correspond to features built into Windows 10. It also describes how to convert an XML settings file created in EMET into mitigation policies for Windows 10. | + +This topic focuses on pre-breach mitigations aimed at device protection and threat resistance. These protections work with other security defenses in Windows 10, as shown in the following illustration: + +Types of defenses in Windows 10 + +**Figure 1.  Device protection and threat resistance as part of the Windows 10 security defenses** + +## The security threat landscape + +Today’s security threat landscape is one of aggressive and tenacious threats. In previous years, malicious attackers mostly focused on gaining community recognition through their attacks and the personal enjoyment of temporarily taking a system offline. Since then, attacker’s motives have shifted toward monetizing their attacks, which includes holding machines and data hostage until the owners pay the demanded ransom, and exploiting the valuable information the attackers discover for monetary gain. Unlike these examples, modern attacks increasingly focus on large-scale intellectual property theft; targeted system degradation that results in financial loss; and now even cyberterrorism that threatens the security of individuals, businesses, and national interests all over the world. These attackers are typically highly trained individuals and security experts, some of whom are in the employ of nation states that have large budgets, seemingly unlimited human resources, and unknown motives. Threats like these require a different approach and mitigations that can meet the challenge. 
+ +In recognition of this landscape, Windows 10, version 1703 includes multiple security features that were created to make it difficult (and costly) to find and exploit software vulnerabilities. These features are designed to: + +- Eliminate entire classes of vulnerabilities + +- Break exploitation techniques + +- Contain damage and prevent persistence + +- Limit the window of opportunity to exploit + +The following sections provide more detail about security mitigations in Windows 10, version 1703. + +## Windows 10 mitigations that you can configure + +Windows 10 mitigations that you can configure are listed in the following two tables. The first table focuses on features such as Device Guard, and the second table describes memory protection options such as Data Execution Prevention. Memory protection options provide specific mitigations against malware that attempts to manipulate memory to gain control of a system. + +**Table 1  Windows 10 mitigations that you can configure** + +| Mitigation and corresponding threat | Description and links | +|---|---| +| **Windows Defender SmartScreen**,
which helps prevent
malicious applications
from being downloaded | Windows Defender SmartScreen can check the reputation of a downloaded application by using a service that Microsoft maintains. The first time a user runs an app that originates from the Internet (even if the user copied it from another PC), SmartScreen checks to see if the app lacks a reputation or is known to be malicious, and responds accordingly.

**More information**: [Windows Defender SmartScreen](#windows-defender-smartscreen), later in this topic | +| **Credential Guard**,
which helps keep attackers
from gaining access through
Pass-the-Hash or
Pass-the-Ticket attacks | Credential Guard uses virtualization-based security to isolate secrets, such as NTLM password hashes and Kerberos Ticket Granting Tickets, so that only privileged system software can access them.
Credential Guard is included in Windows 10 Enterprise and Windows Server 2016.

**More information**: [Protect derived domain credentials with Credential Guard](credential-guard.md) | +| **Enterprise certificate pinning**,
which helps keep users
from being deceived by
man-in-the-middle attacks
that leverage PKI | Enterprise certificate pinning enables you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates. With enterprise certificate pinning, you can “pin” (associate) an X.509 certificate and its public key to its legitimate Certification Authority, either root or leaf.

**More information**: [Enterprise Certificate Pinning](enterprise-certificate-pinning.md) | +| **Device Guard**,
which helps keep a device
from running malware or
other untrusted apps | Device Guard includes Code Integrity policies, a whitelist you create of trusted apps—the only apps allowed to run in your organization. Device Guard also includes a powerful system mitigation called hypervisor-protected code integrity (HVCI), which leverages virtualization-based security (VBS) to protect Windows’ kernel-mode code integrity validation process. HVCI has specific hardware requirements, and works with Code Integrity policies to help stop attacks even if they gain entrance to the kernel.
Device Guard is included in Windows 10 Enterprise and Windows Server 2016.

**More information**: [Introduction to Device Guard](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) | +| **Windows Defender Antivirus**,
which helps keep devices
free of viruses and other
known software threats | Windows 10 includes Windows Defender Antivirus, a robust inbox antimalware solution. Windows Defender Antivirus has been significantly improved since it was introduced in Windows 8.

**More information**: [Windows Defender Antivirus](#windows-defender-antivirus), later in this topic | +| **Blocking of untrusted fonts**,
which helps prevent fonts
from being used in
elevation-of-privilege attacks | The Block Untrusted Fonts setting allows you to prevent users from loading untrusted fonts onto your network, which can mitigate elevation-of-privilege attacks associated with the parsing of font files. However, as of Windows 10, version 1703, this mitigation is less important, because font parsing is isolated in an [AppContainer sandbox](https://msdn.microsoft.com/library/windows/desktop/mt595898(v=vs.85).aspx) (for a list describing this and other kernel pool protections, see [Kernel pool protections](#kernel-pool-protections), later in this topic).

**More information**: [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) | +| **Memory protections** listed in [Table 2](#table-2),
which help prevent malware
from using memory manipulation
techniques such as buffer
overruns | This set of mitigations helps to protect against memory-based attacks, where malware or other code manipulates memory to gain control of a system. For example, malware might use buffer overruns to inject malicious executable code into memory.
A minority of trusted apps will not be able to run if some of these mitigations are set to their most restrictive settings. Testing can help you maximize protection while still allowing needed apps to run correctly.

**More information**: [Table 2](#table-2), later in this topic | +| **UEFI Secure Boot**,
which helps protect
the platform from
bootkits and rootkits | Unified Extensible Firmware Interface (UEFI) Secure Boot helps to protect the boot process and firmware from tampering, such as from a physically present attacker or from forms of malware that run early in the boot process or in kernel after startup.

**More information**: [UEFI and Secure Boot](bitlocker-countermeasures.md#uefi-and-secure-boot) | +| **Early Launch Antimalware (ELAM)**,
which helps protect
the platform from
rootkits disguised as drivers | Early Launch Antimalware (ELAM) is designed to enable the antimalware solution to start before all non-Microsoft drivers and apps. If malware modifies a boot-related driver, ELAM will detect the change, and Windows will prevent the driver from starting, thus blocking driver-based rootkits.

**More information**: [Early Launch Antimalware](bitlocker-countermeasures.md#protection-during-startup) | +| **Device Health Attestation**,
which helps prevent
compromised devices from
accessing an organization’s
assets | Device Health Attestation (DHA) provides a way to confirm that devices attempting to connect to an organization's network are in a healthy state, not compromised with malware. When DHA has been configured, a device’s actual boot data measurements can be checked against the expected "healthy" boot data. If the check indicates a device is unhealthy, the device can be prevented from accessing the network.

**More information**: [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) and [Device Health Attestation](https://technet.microsoft.com/windows-server-docs/security/device-health-attestation) | + +Configurable Windows 10 mitigations oriented specifically toward memory manipulation are listed in the following table. Detailed understanding of these threats and mitigations requires knowledge of how the operating system and applications handle memory—knowledge used by developers but not necessarily by IT professionals. However, from an IT professional’s perspective, the basic process for maximizing these types of mitigations is to work in a test lab to discover whether a given setting interferes with any needed applications. Then you can deploy settings that maximize protection while still allowing needed apps to run correctly. + +Also, as an IT professional, you can ask application developers and software vendors to deliver applications compiled with an additional protection called Control Flow Guard (CFG). No configuration is needed in the operating system—the protection is compiled into applications, as described in [Control Flow Guard](#control-flow-guard), later in this topic. + +### Table 2  Configurable Windows 10 mitigations designed to protect against memory exploits + +| Mitigation and corresponding threat | Description | +|---|---| +| **Data Execution Prevention (DEP),**
which helps prevent
exploitation of buffer overruns | **Data Execution Prevention (DEP)** is a system-level memory protection feature that has been available in Windows operating systems for over a decade. DEP enables the operating system to mark one or more pages of memory as non-executable, which prevents code from being run from that region of memory, to help prevent exploitation of buffer overruns.
DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. Although some applications have compatibility problems with DEP, the vast majority of applications do not.
For more information, see [Data Execution Prevention](#data-execution-prevention), later in this topic.

**Group Policy settings**: DEP is on by default for 64-bit applications, but you can configure additional DEP protections by using the Group Policy settings described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). | +| **SEHOP**,
which helps prevent
overwrites of the
Structured Exception Handler | **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they have been compiled with the latest improvements. Although some applications have compatibility problems with SEHOP, the vast majority of applications do not.
For more information, see [Structured Exception Handling Overwrite Protection](#structured-exception-handling-overwrite-protection), later in this topic.

**Group Policy setting**: SEHOP is on by default for 64-bit applications, but you can configure additional SEHOP protections by using the Group Policy setting described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). | +| **ASLR**,
which mitigates malware
attacks based on
expected memory locations | **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time. This mitigates malware that's designed to attack specific memory locations, where specific DLLs are expected to be loaded.
For more information, see [Address Space Layout Randomization](#address-space-layout-randomization), later in this topic.

**Group Policy settings**: ASLR is on by default for 64-bit applications, but you can configure additional ASLR protections by using the Group Policy settings described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). | + +### Windows Defender SmartScreen + +Windows Defender SmartScreen notifies users if they click on reported phishing and malware websites, and helps protect them against unsafe downloads or make informed decisions about downloads. + +Starting with Windows Internet Explorer 8, the SmartScreen Filter has helped protect users from both malicious applications and nefarious websites by using the SmartScreen Filter’s application and URL reputation services. The SmartScreen Filter in Internet Explorer would check URLs and newly downloaded apps against an online reputation service that Microsoft maintained. If the app or URL were not known to be safe, SmartScreen Filter would warn the user or even prevent the app or URL from loading, depending on how systems administrators had configured Group Policy settings. + +For Windows 10, Microsoft further developed SmartScreen, now called Windows Defender SmartScreen, by integrating its app reputation abilities into the operating system itself, which allows SmartScreen to check the reputation of files downloaded from the Internet and warn users when they’re about to run a high-risk downloaded file. The first time a user runs an app that originates from the Internet, SmartScreen checks the reputation of the application by using digital signatures and other factors against a service that Microsoft maintains. If the app lacks a reputation or is known to be malicious, SmartScreen warns the user or blocks execution entirely, depending on how the administrator has configured Microsoft Intune or Group Policy settings. 
+ +For more information, see [Windows Defender SmartScreen overview](windows-defender-smartscreen-overview.md). + +### Windows Defender Antivirus + +Windows included Windows Defender Antivirus, a robust inbox antimalware solution, starting with Windows 8, when it was called Windows Defender. With Windows 10, Microsoft significantly improved Windows Defender Antivirus. Windows Defender Antivirus in Windows 10 uses a multi-pronged approach to improve antimalware: + +- **Cloud-delivered protection** helps detect and block new malware within seconds, even if the malware has never been seen before. The service, available as of Windows 10, version 1703, uses distributed resources and machine learning to deliver protection to endpoints at a rate that is far faster than traditional signature updates. + +- **Rich local context** improves how malware is identified. Windows 10 informs Windows Defender Antivirus not only about content like files and processes but also where the content came from, where it has been stored, and more. The information about source and history enables Windows Defender Antivirus to apply different levels of scrutiny to different content. + +- **Extensive global sensors** help keep Windows Defender Antivirus current and aware of even the newest malware. This is accomplished in two ways: by collecting the rich local context data from end points and by centrally analyzing that data. + +- **Tamper proofing** helps guard Windows Defender Antivirus itself against malware attacks. For example, Windows Defender Antivirus uses Protected Processes, which prevents untrusted processes from attempting to tamper with Windows Defender Antivirus components, its registry keys, and so on. ([Protected Processes](#protected-processes) is described later in this topic.) + +- **Enterprise-level features** give IT pros the tools and configuration options necessary to make Windows Defender Antivirus an enterprise-class antimalware solution. 
+ + + +For more information, see [Windows Defender in Windows 10](windows-defender-in-windows-10.md) and [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server). + +For information about Windows Defender Advanced Threat Protection, a service that helps enterprises to detect, investigate, and respond to advanced and targeted attacks on their networks, see [Windows Defender Advanced Threat Protection (ATP)](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp) (resources) and [Windows Defender Advanced Threat Protection (ATP)](https://technet.microsoft.com/itpro/windows/keep-secure/windows-defender-advanced-threat-protection) (documentation). + +### Data Execution Prevention + +Malware depends on its ability to put a malicious payload into memory with the hope that it will be executed later. Wouldn’t it be great if you could prevent malware from running if it wrote to an area that has been allocated solely for the storage of information? + +Data Execution Prevention (DEP) does exactly that, by substantially reducing the range of memory that malicious code can use for its benefit. DEP uses the No eXecute bit on modern CPUs to mark blocks of memory as read-only so that those blocks can’t be used to execute malicious code that may be inserted within through a vulnerability exploit. + +Because of the importance of DEP, users cannot install Windows 10 on a computer that does not have DEP capability. Fortunately, most processors released since the mid-2000s support DEP. + +**To use Task Manager to see which apps use DEP** + +1. Open Task Manager: Press Ctrl+Alt+Del and select **Task Manager**, or search the Start screen. + +2. Click **More Details** (if necessary), and then click the **Details** tab. + +3. Right-click any column heading, and then click **Select Columns**. + +4. 
In the **Select Columns** dialog box, select the last **Data Execution Prevention** check box. + +5. Click **OK**. + +You can now see which processes have DEP enabled. Figure 2 shows the processes running on a Windows 10 PC with a single process that does not support DEP. + + + +![Processes with DEP enabled in Windows 10](images/security-fig5-dep.png) + +**Figure 2.  Processes on which DEP has been enabled in Windows 10** + +You can use Control Panel to view or change DEP settings. + +#### To use Control Panel to view or change DEP settings on an individual PC + +1. Open Control Panel, System: click Start, type **Control Panel System**, and press ENTER. + +2. Click **Advanced system settings**, and then click the **Advanced** tab. + +3. In the **Performance** box, click **Settings**. + +4. In **Performance Options**, click the **Data Execution Prevention** tab. + +5. Select an option: + + - **Turn on DEP for essential Windows programs and services only** + + - **Turn on DEP for all programs and services except those I select**. If you choose this option, use the **Add** and **Remove** buttons to create the list of exceptions for which DEP will not be turned on. + +#### To use Group Policy to control DEP settings + +You can use the Group Policy setting called **Process Mitigation Options** to control DEP settings. Although some applications have compatibility problems with DEP, the vast majority of applications do not. To use the Group Policy setting, see [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). 
+ +### Structured Exception Handling Overwrite Protection + +Structured Exception Handling Overwrite Protection (SEHOP) helps prevent attackers from being able to use malicious code to exploit the [Structured Exception Handler](https://msdn.microsoft.com/library/windows/desktop/ms680657(v=vs.85).aspx) (SEH), which is integral to the system and allows (non-malicious) apps to handle exceptions appropriately. Because this protection mechanism is provided at run-time, it helps to protect applications regardless of whether they have been compiled with the latest improvements. + +You can use the Group Policy setting called **Process Mitigation Options** to control the SEHOP setting. Although some applications have compatibility problems with SEHOP, the vast majority of applications do not. To use the Group Policy setting, see [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). + +### Address Space Layout Randomization + +One of the most common techniques used to gain access to a system is to find a vulnerability in a privileged process that is already running, guess or find a location in memory where important system code and data have been placed, and then overwrite that information with a malicious payload. In the early days of operating systems, any malware that could write directly to the system memory could do such a thing; the malware would simply overwrite system memory in well-known and predictable locations. + +Address Space Layout Randomization (ASLR) makes that type of attack much more difficult because it randomizes how and where important data is stored in memory. With ASLR, it is more difficult for malware to find the specific location it needs to attack. Figure 3 illustrates how ASLR works by showing how the locations of different critical Windows components can change in memory between restarts. 
+ +![ASLR at work](images/security-fig4-aslr.png) + +**Figure 3.  ASLR at work** + +Although the ASLR implementation in Windows 7 was effective, it wasn’t applied holistically across the operating system, and the level of entropy (cryptographic randomization) wasn’t always at the highest possible level. To decrease the likelihood that sophisticated attacks such as heap spraying could succeed, starting with Windows 8, Microsoft applied ASLR holistically across the system and increased the level of entropy many times. + +The ASLR implementation in Windows 10 is greatly improved over Windows 7, especially with 64-bit system and application processes that can take advantage of a vastly increased memory space, which makes it even more difficult for malware to predict where Windows 10 stores vital data. When used on systems that have TPMs, ASLR memory randomization will be increasingly unique across devices, which makes it even more difficult for a successful exploit that works on one system to work reliably on another. + +You can use the Group Policy setting called **Process Mitigation Options** to control ASLR settings (“Force ASLR” and “Bottom-up ASLR”), as described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). + +## Windows 10 mitigations that need no configuration + +Windows 10 provides many threat mitigations that are built into the operating system and need no configuration within the operating system. The table that follows describes some of these mitigations. + +One of the mitigations, Control Flow Guard (CFG), needs no configuration within the operating system, but does require that the application developer configure the mitigation into the application when it’s compiled. CFG is built into Microsoft Edge, IE11, and other features in Windows 10, and can be built into many other applications when they are compiled. 
+ +### Table 3   Windows 10 mitigations to protect against memory exploits – no configuration needed + +| Mitigation and corresponding threat | Description | +|---|---| +| **SMB hardening for SYSVOL and NETLOGON shares**,
which mitigates
man-in-the-middle attacks | Client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require SMB signing and mutual authentication (such as Kerberos).

**More information**: [SMB hardening improvements for SYSVOL and NETLOGON shares](#smb-hardening-improvements-for-sysvol-and-netlogon-shares), later in this topic. | +| **Protected Processes**,
which help prevent one process
from tampering with another
process | With the Protected Processes feature, Windows 10 prevents untrusted processes from interacting or tampering with those that have been specially signed.

**More information**: [Protected Processes](#protected-processes), later in this topic. | +| **Universal Windows apps protections**,
which screen downloadable
apps and run them in
an AppContainer sandbox | Universal Windows apps are carefully screened before being made available, and they run in an AppContainer sandbox with limited privileges and capabilities.

**More information**: [Universal Windows apps protections](#universal-windows-apps-protections), later in this topic. | +| **Heap protections**,
which help prevent
exploitation of the heap | Windows 10 includes protections for the heap, such as the use of internal data structures which help protect against corruption of memory used by the heap.

**More information**: [Windows heap protections](#windows-heap-protections), later in this topic. | +| **Kernel pool protections**,
which help prevent
exploitation of pool memory
used by the kernel | Windows 10 includes protections for the pool of memory used by the kernel. For example, safe unlinking protects against pool overruns that are combined with unlinking operations to create an attack.

**More information**: [Kernel pool protections](#kernel-pool-protections), later in this topic. | +| **Control Flow Guard**,
which mitigates exploits
that are based on
flow between code locations
in memory | Control Flow Guard (CFG) is a mitigation that requires no configuration within the operating system, but instead can be built into software when it’s compiled. It is built into Microsoft Edge, IE11, and other features in Windows 10. CFG can be built into applications written in C or C++, or applications compiled using Visual Studio 2015.
For such an application, CFG can detect an attacker’s attempt to change the intended flow of code. If this occurs, CFG terminates the application. Administrators can request software vendors to deliver Windows applications compiled with CFG enabled.

**More information**: [Control Flow Guard](#control-flow-guard), later in this topic. | +| **Protections built into Microsoft Edge** (the browser),
which mitigate multiple
threats | Windows 10 includes an entirely new browser, Microsoft Edge, designed with multiple security improvements.

**More information**: [Microsoft Edge and Internet Explorer 11](#microsoft-edge-and-internet-explorer-11), later in this topic. | + +### SMB hardening improvements for SYSVOL and NETLOGON shares + +In Windows 10 and Windows Server 2016, client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers require Server Message Block (SMB) signing and mutual authentication (such as Kerberos). This reduces the likelihood of man-in-the-middle attacks. If SMB signing and mutual authentication are unavailable, a computer running Windows 10 or Windows Server 2016 won’t process domain-based Group Policy and scripts. + +> [!NOTE] +> The registry values for these settings aren’t present by default, but the hardening rules still apply until overridden by Group Policy or other registry values. For more information on these security improvements, (also referred to as UNC hardening), see [Microsoft Knowledge Base article 3000483](https://support.microsoft.com/en-us/help/3000483/ms15-011-vulnerability-in-group-policy-could-allow-remote-code-execution-february-10,-2015) and [MS15-011 & MS15-014: Hardening Group Policy](https://blogs.technet.microsoft.com/srd/2015/02/10/ms15-011-ms15-014-hardening-group-policy/). + +### Protected Processes + +Most security controls are designed to prevent the initial infection point. However, despite all the best preventative controls, malware might eventually find a way to infect the system. So, some protections are built to place limits on any malware that might be running. Protected Processes creates limits of this type. + +With Protected Processes, Windows 10 prevents untrusted processes from interacting or tampering with those that have been specially signed. Protected Processes defines levels of trust for processes. Less trusted processes are prevented from interacting with and therefore attacking more trusted processes. 
Windows 10 uses Protected Processes more broadly across the operating system, and as in Windows 8.1, implements them in a way that can be used by 3rd party anti-malware vendors, as described in [Protecting Anti-Malware Services](https://msdn.microsoft.com/library/windows/desktop/dn313124(v=vs.85).aspx). This helps make the system and antimalware solutions less susceptible to tampering by malware that does manage to get on the system. + +### Universal Windows apps protections + +When users download Universal Windows apps or even Windows Classic applications (Win32) from the Windows Store, it’s unlikely that they will encounter malware because all apps go through a careful screening process before being made available in the store. Apps that organizations build and distribute through sideloading processes will need to be reviewed internally to ensure that they meet organizational security requirements. + +Regardless of how users acquire Universal Windows apps, they can use them with increased confidence. Unlike Windows Classic applications, which can run with elevated privileges and have potentially sweeping access to the system and data, Universal Windows apps run in an AppContainer sandbox with limited privileges and capabilities. For example, Universal Windows apps have no system-level access, have tightly controlled interactions with other apps, and have no access to data unless the user explicitly grants the application permission. + +In addition, all Universal Windows apps follow the security principle of least privilege. Apps receive only the minimum privileges they need to perform their legitimate tasks, so even if an attacker exploits an app, the damage the exploit can do is severely limited and should be contained within the sandbox. The Windows Store displays the exact capabilities the app requires (for example, access to the camera), along with the app’s age rating and publisher. 
+ +### Windows heap protections + +The *heap* is a location in memory that Windows uses to store dynamic application data. Windows 10 continues to improve on earlier Windows heap designs by further mitigating the risk of heap exploits that could be used as part of an attack. + +Windows 10 has several important improvements to the security of the heap over Windows 7: + +- **Heap metadata hardening** for internal data structures that the heap uses, to improve protections against memory corruption. + +- **Heap allocation randomization**, that is, the use of randomized locations and sizes for heap memory allocations, which makes it more difficult for an attacker to predict the location of critical memory to overwrite. Specifically, Windows 10 adds a random offset to the address of a newly allocated heap, which makes the allocation much less predictable. + +- **Heap guard pages** before and after blocks of memory, which work as tripwires. If an attacker attempts to write past a block of memory (a common technique known as a buffer overflow), the attacker will have to overwrite a guard page. Any attempt to modify a guard page is considered a memory corruption, and Windows 10 responds by instantly terminating the app. + +### Kernel pool protections + +The operating system kernel in Windows sets aside two pools of memory, one that remains in physical memory (“nonpaged pool”) and one that can be paged in and out of physical memory (“paged pool”). There are many types of attacks that have been attempted against these pools, such as process quota pointer encoding; lookaside, delay free, and pool page cookies; and PoolIndex bounds checks. Windows 10 has multiple “pool hardening” protections, such as integrity checks, that help protect the kernel pool against such attacks. 
+ +In addition to pool hardening, Windows 10 includes other kernel hardening features: + +- **Kernel DEP** and **Kernel ASLR**: Follow the same principles as [Data Execution Prevention](#data-execution-prevention) and [Address Space Layout Randomization](#address-space-layout-randomization), described earlier in this topic. + +- **Font parsing in AppContainer:** Isolates font parsing in an [AppContainer sandbox](https://msdn.microsoft.com/library/windows/desktop/mt595898(v=vs.85).aspx). + +- **Disabling of NT Virtual DOS Machine (NTVDM)**: The old NTVDM kernel module (for running 16-bit applications) is disabled by default, which neutralizes the associated vulnerabilities. (Enabling NTVDM decreases protection against Null dereference and other exploits.) + +- **Supervisor Mode Execution Prevention (SMEP)**: Prevents the kernel (the “supervisor”) from executing code in user pages, a common technique used by attackers for local kernel elevation of privilege (EOP). This requires processor support found in Intel Ivy Bridge or later processors, or ARM with PXN support. + +- **Safe unlinking:** Protects against pool overruns that are combined with unlinking operations to create an attack. Windows 10 includes global safe unlinking, which extends heap and kernel pool safe unlinking to all usage of LIST\_ENTRY and includes the “FastFail” mechanism to enable rapid and safe process termination. + +- **Memory reservations**: The lowest 64 KB of process memory is reserved for the system. Apps are not allowed to allocate that portion of the memory. This makes it more difficult for malware to use techniques such as “NULL dereference” to overwrite critical system data structures in memory. + +### Control Flow Guard + +When applications are loaded into memory, they are allocated space based on the size of the code, requested memory, and other factors. When an application begins to execute code, it calls additional code located in other memory addresses. 
The relationships between the code locations are well known—they are written in the code itself—but previous to Windows 10, the flow between these locations was not enforced, which gave attackers the opportunity to change the flow to meet their needs. + +This kind of threat is mitigated in Windows 10 through the Control Flow Guard (CFG) feature. When a trusted application that was compiled to use CFG calls code, CFG verifies that the code location called is trusted for execution. If the location is not trusted, the application is immediately terminated as a potential security risk. + +An administrator cannot configure CFG; rather, an application developer can take advantage of CFG by configuring it when the application is compiled. Administrators should consider asking application developers and software vendors to deliver trustworthy Windows applications compiled with CFG enabled. For example, it can be enabled for applications written in C or C++, or applications compiled using Visual Studio 2015. For information about enabling CFG for a Visual Studio 2015 project, see [Control Flow Guard](https://msdn.microsoft.com/library/windows/desktop/mt637065(v=vs.85).aspx). + +Of course, browsers are a key entry point for attacks, so Microsoft Edge, IE, and other Windows features take full advantage of CFG. + +### Microsoft Edge and Internet Explorer 11 + +Browser security is a critical component of any security strategy, and for good reason: the browser is the user’s interface to the Internet, an environment with many malicious sites and content waiting to attack. Most users cannot perform at least part of their job without a browser, and many users are completely reliant on one. This reality has made the browser the number one pathway from which malicious hackers initiate their attacks. + +All browsers enable some amount of extensibility to do things beyond the original scope of the browser. 
Two common examples of this are Flash and Java extensions that enable their respective applications to run inside a browser. Keeping Windows 10 secure for web browsing and applications, especially for these two content types, is a priority. + +Windows 10 includes an entirely new browser, Microsoft Edge. Microsoft Edge is more secure in multiple ways, especially: + +- **Smaller attack surface; no support for non-Microsoft binary extensions**. Multiple browser components with vulnerable attack surfaces have been removed from Microsoft Edge. Components that have been removed include legacy document modes and script engines, Browser Helper Objects (BHOs), ActiveX controls, and Java. However, Microsoft Edge supports Flash content and PDF viewing by default through built-in extensions. + +- **Runs 64-bit processes.** A 64-bit PC running an older version of Windows often runs in 32-bit compatibility mode to support older and less secure extensions. When Microsoft Edge runs on a 64-bit PC, it runs only 64-bit processes, which are much more secure against exploits. + +- **Includes Memory Garbage Collection (MemGC)**. This helps protect against use-after-free (UAF) issues. + +- **Designed as a Universal Windows app.** Microsoft Edge is inherently compartmentalized and runs in an AppContainer that sandboxes the browser from the system, data, and other apps. IE11 on Windows 10 can also take advantage of the same AppContainer technology through Enhanced Protect Mode. However, because IE11 can run ActiveX and BHOs, the browser and sandbox are susceptible to a much broader range of attacks than Microsoft Edge. + +- **Simplifies security configuration tasks.** Because Microsoft Edge uses a simplified application structure and a single sandbox configuration, there are fewer required security settings. In addition, Microsoft Edge default settings align with security best practices, which makes it more secure by default. 
+ +In addition to Microsoft Edge, Microsoft includes IE11 in Windows 10, primarily for backwards-compatibility with websites and with binary extensions that do not work with Microsoft Edge. It should not be configured as the primary browser but rather as an optional or automatic switchover. We recommend using Microsoft Edge as the primary web browser because it provides compatibility with the modern web and the best possible security. + +For sites that require IE11 compatibility, including those that require binary extensions and plug ins, enable Enterprise mode and use the Enterprise Mode Site List to define which sites have the dependency. With this configuration, when users use Microsoft Edge and it identifies a site that requires IE11, they will automatically be switched to IE11. + +### Functions that software vendors can use to build mitigations into apps + +Some of the protections available in Windows 10 are provided through functions that can be called from apps or other software. Such software is less likely to provide openings for exploits. If you are working with a software vendor, you can request that they include these security-oriented functions in the application. The following table lists some types of mitigations and the corresponding security-oriented functions that can be used in apps. + +> [!NOTE] +> Control Flow Guard (CFG) is also an important mitigation that a developer can include in software when it is compiled. For more information, see [Control Flow Guard](#control-flow-guard), earlier in this topic. + +### Table 4   Functions available to developers for building mitigations into apps + +| Mitigation | Function | +|-------------|-----------| +| LoadLib image loading restrictions | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686880(v=vs.85).aspx)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_IMAGE\_LOAD\_NO\_REMOTE\_ALWAYS\_ON\] | +| MemProt dynamic code restriction | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686880(v=vs.85).aspx)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_PROHIBIT\_DYNAMIC\_CODE\_ALWAYS\_ON\] | +| Child Process Restriction to restrict the ability to create child processes | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686880(v=vs.85).aspx)
\[PROC\_THREAD\_ATTRIBUTE\_CHILD\_PROCESS\_POLICY\] | +| Code Integrity Restriction to restrict image loading | [SetProcessMitigationPolicy function](https://msdn.microsoft.com/en-us/library/windows/desktop/hh769088(v=vs.85).aspx)
\[ProcessSignaturePolicy\] | +| Win32k System Call Disable Restriction to restrict ability to use NTUser and GDI | [SetProcessMitigationPolicy function](https://msdn.microsoft.com/en-us/library/windows/desktop/hh769088(v=vs.85).aspx)
\[ProcessSystemCallDisablePolicy\] | +| High Entropy ASLR for up to 1TB of variance in memory allocations | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686880(v=vs.85).aspx)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_HIGH\_ENTROPY\_ASLR\_ALWAYS\_ON\] | +| Strict handle checks to raise immediate exception upon bad handle reference | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686880(v=vs.85).aspx)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_STRICT\_HANDLE\_CHECKS\_ALWAYS\_ON\] | +| Extension point disable to block the use of certain third-party extension points | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686880(v=vs.85).aspx)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_EXTENSION\_POINT\_DISABLE\_ALWAYS\_ON\] | +| Heap terminate on corruption to protect the system against a corrupted heap | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686880(v=vs.85).aspx)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_HEAP\_TERMINATE\_ALWAYS\_ON\] | + +## Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit + +You might already be familiar with the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/kb/2458544), which has since 2009 offered a variety of exploit mitigations, and an interface for configuring those mitigations. If you are familiar with EMET, you can use this section to understand how those mitigations map to Windows 10. Many of EMET’s mitigations have been built into Windows 10, some with additional improvements. However, some EMET mitigations carry high performance cost, are not considered durable, or appear to be relatively ineffective against modern threats, and therefore have not been brought into Windows 10. + +EMET has benefited many enterprise IT admins and other security enthusiasts and early adopters, yet has also fallen behind the pace of security innovation in Windows. For this reason and because many of EMET’s mitigations and security mechanisms already exist in Windows 10 and have been improved, particularly those assessed to have high effectiveness at mitigating known bypasses, version 5.5*x* has been announced as the final major version release for EMET (see [Enhanced Mitigation Experience Toolkit](https://technet.microsoft.com/security/jj653751)). + +The following table lists EMET features in relation to Windows 10 features. + +### Table 5   EMET features in relation to Windows 10 features + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Specific EMET featuresHow these EMET features map
+to Windows 10 features
    +
  • DEP

  • +
  • SEHOP

  • +
  • ASLR (Force ASLR, Bottom-up ASLR)

  • +

Included in Windows 10 as configurable features. See Table 2, earlier in this topic.

+

Also see the section that follows for steps you can take to convert your EMET settings for these features into policies that you can apply to Windows 10.

    +
  • Load Library Check (LoadLib)

  • +
  • Memory Protection Check (MemProt)

  • +
Supported in Windows 10, for all applications that are written to use these functions. See Table 4, earlier in this topic.
    +
  • Null Page

  • +
No action needed; mitigations for this threat are built into Windows 10, as described in the “Memory reservations” item in Kernel pool protections, earlier in this topic.
    +
  • Heap Spray

  • +
  • EAF

  • +
  • EAF+

  • +
Windows 10 does not include mitigations that map specifically to these EMET features, because they are seen as low impact in the current threat landscape, and do not significantly increase the difficulty of exploiting vulnerabilities. Microsoft remains committed to monitoring the security environment as new exploits appear and taking steps to harden the operating system against them.
    +
  • Caller Check

  • +
  • Simulate Execution Flow

  • +
  • Stack Pivot

  • +
  • Deep Hooks (an ROP “Advanced Mitigation”)

  • +
  • Anti Detours (an ROP “Advanced Mitigation”)

  • +
  • Banned Functions (an ROP “Advanced Mitigation”)

  • +
Mitigated in Windows 10 with applications compiled with Control Flow Guard, as described in Control Flow Guard, earlier in this topic.
+ +### Converting an EMET XML settings file into Windows 10 mitigation policies + +One of EMET’s strengths is that it allows you to import and export configuration settings for EMET mitigations as an XML settings file, thus enabling a straightforward deployment workflow. To aid with security configuration and deployment of Windows 10 devices, you can download a set of EMET Policy Converter cmdlets. With these cmdlets, you can use an EMET XML settings file to generate mitigation policies for Windows 10. + +The Converter feature is currently available as a Windows PowerShell cmdlet, **Set-ProcessMitigations -c** (instead of **-c**, you can also type **-Convert**). This cmdlet, and the Process Mitigation Management Tool collection of cmdlets, provides the following capabilities: + +- **Converting EMET settings to Windows 10 settings**: You can run **Set-ProcessMitigations -Convert** and provide an EMET XML settings file as input, which will generate an output file of Windows 10 mitigation settings. + +- **Auditing and modifying the converted settings (the output file)**: After you create the output file, you can apply and manually audit the mitigation settings by running cmdlets, through which you can Apply, Enumerate, Enable, Disable, and Save settings (see the Process Mitigation Management Tool documentation). + +- **Converting Attack Surface Reduction (ASR) settings to a Code Integrity policy file**: If the input file contains any settings for EMET’s Attack Surface Reduction (ASR) mitigation, the converter will also create a Code Integrity policy file. In this case, you can complete the merging, auditing, and deployment process for the Code Integrity policy, as described in [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md). This will enable protections on Windows 10 equivalent to EMET’s ASR protections. 
+ +- **Converting Certificate Trust settings to enterprise certificate pinning rules**: If you have an EMET “Certificate Trust” XML file (pinning rules file), you can also use **Set-ProcessMitigations -Convert** to convert the pinning rules file into an enterprise certificate pinning rules file. Then you can finish enabling that file as described in [Enterprise Certificate Pinning](enterprise-certificate-pinning.md). + +#### EMET-related products + +Microsoft Consulting Services (MCS) and Microsoft Support/Premier Field Engineering (PFE) offer enterprise deliveries for EMET, support for EMET, and EMET-related reporting and auditing products such as the EMET Enterprise Reporting Service (ERS). For any enterprise customers who use such products today or who are interested in similar capabilities, we recommend evaluating [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) (ATP). + +## Related topics + +- [Keep Windows 10 secure](index.md) +- [Security technologies in Windows 10](security-technologies.md) +- [Security and Assurance in Windows Server 2016](https://technet.microsoft.com/windows-server-docs/security/security-and-assurance) +- [Windows Defender Advanced Threat Protection (ATP) - resources](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp) +- [Windows Defender Advanced Threat Protection (ATP) - documentation](windows-defender-advanced-threat-protection.md) +- [Exchange Online Advanced Threat Protection Service Description](https://technet.microsoft.com/library/exchange-online-advanced-threat-protection-service-description.aspx) +- [Office 365 Advanced Threat Protection](https://products.office.com/en-us/exchange/online-email-threat-protection) +- [Microsoft Malware Protection Center](https://www.microsoft.com/en-us/security/portal/mmpc/default.aspx) + + 
diff --git a/windows/keep-secure/passport-event-300.md b/windows/keep-secure/passport-event-300.md
deleted file mode 100644
index f516f124d0..0000000000
--- a/windows/keep-secure/passport-event-300.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Event ID 300 - Windows Hello successfully created (Windows 10)
-description: This event is created when a Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD).
-ms.assetid: 0DD59E75-1C5F-4CC6-BB0E-71C83884FF04
-keywords: ngc
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: jdeckerMS
-redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-event-300
----
-
-# Event ID 300 - Windows Hello successfully created
-
diff --git a/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md b/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md
index 2846134874..3e922b1c6b 100644
--- a/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md
+++ b/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md
@@ -25,8 +25,8 @@ This topic provides a roadmap for planning and getting started on the Device Gua 3. **Review how much variety in software and hardware is needed by roles or departments**. When several departments all use the same hardware and software, you might need to deploy only one code integrity policy for them. More variety across departments might mean you need to create and manage more code integrity policies. The following questions can help you clarify how many code integrity policies to create: - How standardized is the hardware?
This can be relevant because of drivers. You could create a code integrity policy on hardware that uses a particular set of drivers, and if other drivers in your environment use the same signature, they would also be allowed to run. However, you might need to create several code integrity policies on different "reference" hardware, then merge the policies together, to ensure that the resulting policy recognizes all the drivers in your environment. - - Is there already a list of accepted applications?
A list of accepted applications can be used to help create a baseline code integrity policy. - + - Is there already a list of accepted applications?
A list of accepted applications can be used to help create a baseline code integrity policy.
As of Windows 10, version 1703, it might also be useful to have a list of plug-ins, add-ins, or modules that you want to allow only in a specific app (such as a line-of-business app). Similarly, it might be useful to have a list of plug-ins, add-ins, or modules that you want to block in a specific app (such as a browser). + - What software does each department or role need? Should they be able to install and run other departments’ software?
If multiple departments are allowed to run the same list of software, you might be able to merge several code integrity policies to simplify management. - Are there departments or roles where unique, restricted software is used?
If one department needs to run an application that no other department is allowed, it might require a separate code integrity policy. Similarly, if only one department must run an old version of an application (while other departments allow only the newer version), it might require a separate code integrity policy.
diff --git a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md
deleted file mode 100644
index 9594deccca..0000000000
--- a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md
+++ /dev/null
@@ -1,17 +0,0 @@
----
-title: Prepare people to use Windows Hello (Windows 10)
-description: When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization.
-ms.assetid: 5270B416-CE31-4DD9-862D-6C22A2AE508B
-keywords: identity, PIN, biometric, Hello
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: jdeckerMS
-redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-prepare-people-to-use
----
-
-# Prepare people to use Windows Hello
-
-
-
diff --git a/windows/keep-secure/protect-enterprise-data-using-edp.md b/windows/keep-secure/protect-enterprise-data-using-edp.md
deleted file mode 100644
index 3f8df3ef51..0000000000
--- a/windows/keep-secure/protect-enterprise-data-using-edp.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Protect your enterprise data using enterprise data protection (EDP) (Windows 10)
-description: With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control.
-redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip
----
\ No newline at end of file
diff --git a/windows/keep-secure/recommended-network-definitions-for-wip.md b/windows/keep-secure/recommended-network-definitions-for-wip.md
index bf9a7ac22a..b7b8ab7a18 100644
--- a/windows/keep-secure/recommended-network-definitions-for-wip.md
+++ b/windows/keep-secure/recommended-network-definitions-for-wip.md
@@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security +author: eross-msft localizationpriority: high ---
diff --git a/windows/keep-secure/testing-scenarios-for-edp.md b/windows/keep-secure/testing-scenarios-for-edp.md
deleted file mode 100644
index 3d16ef00df..0000000000
--- a/windows/keep-secure/testing-scenarios-for-edp.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Testing scenarios for enterprise data protection (EDP) (Windows 10)
-description: We've come up with a list of suggested testing scenarios that you can use to test enterprise data protection (EDP) in your company.
-redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/testing-scenarios-for-wip
----
\ No newline at end of file
diff --git a/windows/keep-secure/using-owa-with-wip.md b/windows/keep-secure/using-owa-with-wip.md
index f99f10fb6f..9ebb14e657 100644
--- a/windows/keep-secure/using-owa-with-wip.md
+++ b/windows/keep-secure/using-owa-with-wip.md
@@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security +author: eross-msft localizationpriority: high ---
diff --git a/windows/keep-secure/why-a-pin-is-better-than-a-password.md b/windows/keep-secure/why-a-pin-is-better-than-a-password.md
deleted file mode 100644
index 1640262ffd..0000000000
--- a/windows/keep-secure/why-a-pin-is-better-than-a-password.md
+++ /dev/null
@@ -1,15 +0,0 @@ ---- -title: Why a PIN is better than a password (Windows 10) -description: Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password . -ms.assetid: A6FC0520-01E6-4E90-B53D-6C4C4E780212 -keywords: pin, security, password, hello -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -author: jdeckerMS -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-why-pin-is-better-than-password ---- - -# Why a PIN is better than a password - diff --git a/windows/keep-secure/windows-10-enterprise-security-guides.md b/windows/keep-secure/windows-10-enterprise-security-guides.md index 0ed2aa1d28..496bb6addb 100644 --- a/windows/keep-secure/windows-10-enterprise-security-guides.md +++ b/windows/keep-secure/windows-10-enterprise-security-guides.md @@ -14,7 +14,7 @@ author: challum ## Purpose -Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides. +This section offers overviews to help you understand selected enterprise-level security technologies, such as technologies to control the health of Windows 10-based devices. ## In this section @@ -39,8 +39,12 @@ Get proven guidance to help you better secure and protect your enterprise by usi

This guide provides a detailed description of the most important security features in the Windows 10 Mobile operating system—identity access and control, data protection, malware resistance, and app platform security.

-

[Windows 10 security overview](windows-10-security-guide.md)

-

This guide provides a detailed description of the most important security improvements in the Windows 10 operating system, with links to more detailed articles about many of its security features. Wherever possible, specific recommendations are provided to help you implement and configure Windows 10 security features.

+

[Windows 10 Credential Theft Mitigation Guide Abstract](windows-credential-theft-mitigation-guide-abstract.md)

+

This topic provides a summary of the Windows 10 credential theft mitigation guide, which can be downloaded from the Microsoft Download Center.

+ + +

[How to use single sign on (SSO) over VPN and Wi-Fi connections](how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md)

+

This topic explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections.

diff --git a/windows/keep-secure/windows-10-security-guide.md b/windows/keep-secure/windows-10-security-guide.md deleted file mode 100644 index 6333401752..0000000000 --- a/windows/keep-secure/windows-10-security-guide.md +++ /dev/null 
@@ -1,806 +0,0 @@ ---- -title: Windows 10 security overview (Windows 10) -description: This guide provides a detailed description of the most important security improvements in the Windows 10 operating system, with links to more detailed articles about many of its security features. -ms.assetid: 4561D80B-A914-403C-A17C-3BE6FC95B59B -keywords: configure, feature, file encryption -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -localizationpriority: high -author: challum ---- - -# Windows 10 security overview - -**Applies to** -- Windows 10 - -This guide provides a detailed description of the most important security improvements in the Windows 10 operating system, with links to more detailed articles about many of its security features. Wherever possible, specific recommendations are provided to help you implement and configure Windows 10 security features. - -#### Introduction - -Windows 10 is designed to protect against known and emerging security threats across the spectrum of attack vectors. Three broad categories of security work went into Windows 10: -- [**Identity and access control**](#identity-and-access-control) features have been greatly expanded to both simplify and enhance the security of user authentication. These features include Windows Hello for Business, which better protects user identities through easy-to-deploy and easy-to-use multifactor authentication (MFA). Another new feature is Credential Guard, which uses virtualization-based security (VBS) to help protect the Windows authentication subsystems and users’ credentials. -- [**Information protection**](#information) that guards information at rest, in use, and in transit. 
In addition to BitLocker and BitLocker To Go for protection of data at rest, Windows 10 includes file-level encryption with Enterprise Data Protection that performs data separation and containment and, when combined with Rights Management services, can keep data encrypted when it leaves the corporate network. Windows 10 can also help keep data secure by using virtual private networks (VPNs) and Internet Protocol Security. -- [**Malware resistance**](#malware) includes architectural changes that can isolate critical system and security components from threats. Several new features in Windows 10 help reduce the threat of malware, including VBS, Device Guard, Microsoft Edge, and an entirely new version of Windows Defender. In addition, the many antimalware features from the Windows 8.1 operating system— including AppContainers for application sandboxing and numerous boot-protection features, such as Trusted Boot—have been carried forward and improved in Windows 10. - -## Identity and access control - -Traditionally, access control is a process that has three components: -- **Identification** - when a user asserts a unique identity to the computer system for the purpose of gaining access to a resource, such as a file or a printer. In some definitions, the user is called the subject and the resource is the object. -- **Authentication** - the process of proving the asserted identity and verification that the subject is indeed *the* subject. -- **Authorization** - performed by the system to compare the authenticated subject’s access rights against the object’s permissions and either allow or deny the requested access. - -The way these components are implemented makes the difference in stopping attackers from accessing secret data. Only a user who proves his or her identity – and is authorized to access that data – will access it. But in security, there are varying degrees of identity proof and many different requirements for authorization limits. 
The access control flexibility needed in most corporate environments presents a challenge for any operating system. Table 1 lists typical Windows access control challenges and the Windows 10 solutions. - -Table 1. Windows 10 solutions to typical access control challenges - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Access control challengeWindows 10 solutions

Organizations frequently use passwords because the alternative methods are too complex and costly to deploy.

-

Organizations that choose password alternatives such as smart cards must purchase and manage smart card readers, smart cards, and management software. These solutions delay productivity when the MFA component is lost or damaged. Consequently, MFA solutions like smart cards tend to be used only for VPN and select assets.

Windows Hello for Business enables simpler MFA.

Tablet users must type their password on a touchscreen, which is error prone and less efficient than a keyboard.

Windows Hello enables secure facial recognition–based authentication.

IT must purchase and manage non-Microsoft tools to meet regulatory requirements for access control and auditing.

Combined with the Windows Server 2012 operating system, Dynamic Access Control provides flexible access control and auditing designed to meet many government security and regulatory requirements.

Users dislike typing their passwords.

Single sign-on (SSO) allows users to sign in once with Windows Hello and get access to all corporate resources without the need to re-authenticate.

-

Windows Hello enables secure fingerprint- and facial recognition–based authentication and can be used to revalidate user presence when sensitive resources are accessed.

Windows adds increasing delays between logon attempts and can lock out a user account when it detects brute-force attacks.

When BitLocker is enabled on the system drive and brute-force protection is enabled, Windows can restart the PC after a specified number of incorrect password entries, lock access to the hard drive, and require the user to type the 48-character BitLocker recovery key to start the device and access the disk.

-  -The sections that follow describe these challenges and solutions in more detail. - -### Windows Hello - -Windows Hello provides strong two-factor authentication (2FA), fully integrated into Windows, and replaces passwords with the combination of an enrolled device and either a PIN or biometric gesture. Windows Hello is conceptually similar to smart cards but more flexible. Authentication is performed by using an asymmetric key pair instead of a string comparison (for example, password), and the user’s key material can be secured by using hardware. -Unlike smart cards, Windows Hello does not require the extra infrastructure components required for smart card deployment. In particular, you do not need public key infrastructure (PKI). If you already use PKI – for example, in secure email or VPN authentication – you can use the existing infrastructure with Windows Hello. Windows Hello combines the major advantages of smart card technology – deployment flexibility for virtual smart cards and robust security for physical smart cards – without any of their drawbacks. - ->[!NOTE] ->When Windows 10 first shipped, it included **Microsoft Passport** and **Windows Hello**, which worked together to provide multifactor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the **Windows Hello** name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. - -Windows Hello offers three significant advantages over the current state of Windows authentication: It’s more flexible, it’s based on industry standards, and it effectively mitigates risks. The sections that follow look at each of these advantages in more detail. - -#### It’s flexible - -Windows Hello offers unprecedented flexibility. 
Although the format and use of passwords and smart cards is fixed, Windows Hello gives both administrators and users options to manage authentication. First and foremost, Windows Hello works with biometric sensors and PINs. Next, you can use your PC or even your phone as one of the factors to authenticate on your PC. Finally, your user credentials can come from your PKI infrastructure, or Windows can create the credential itself. - -MWindows Hello gives you options beyond long, complex passwords. Instead of requiring users to memorize and retype frequently-changed passwords, Windows Hello enables PIN- and biometrics-based authentication to securely identify users. - -With Windows Hello for Business, you gain flexibility in the data center, too. To deploy it, you must add Windows Server 2016 domain controllers to your Active Directory environment, but you do not have to replace or remove your existing Active Directory servers: Windows Hello for Business builds on and adds to your existing infrastructure. You can either add on premises servers or use Microsoft Azure Active Directory to deploy Windows Hello for Business to your network. The choice of which users to enable for Windows Hello for Business use is completely up to you – you choose which items to protect and which authentication factors you want to support. This flexibility makes it easy to use Windows Hello for Business to supplement existing smart card or token deployments by adding 2FA to users who do not currently have it, or to deploy Windows Hello for Business in scenarios that call for extra protection for sensitive resources or systems. - -#### It’s standardized - -Both software vendors and enterprise customers have come to realize that proprietary identity and authentication systems are a dead end: The future lies with open, interoperable systems that allow secure authentication across a variety of devices, line of business (LOB) apps, and external applications and websites. 
To this end, a group of industry players formed FIDO, the Fast IDentity Online Alliance. The FIDO Alliance is a nonprofit organization intended to address the lack of interoperability among strong authentication devices, as well as the problems users face when they need to create and remember multiple user names and passwords. The FIDO Alliance plans to change the nature of authentication by developing specifications that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services. This new standard for security devices and browser plug ins will allow any website or cloud application to interface with a broad variety of existing and future FIDO-enabled devices that the user has for online security. - -In 2014, Microsoft joined the board of the [FIDO Alliance](https://go.microsoft.com/fwlink/p/?LinkId=626934). FIDO standards enable a universal framework that a global ecosystem delivers for a consistent and greatly improved user experience of strong password-less authentication. The FIDO 1.0 specifications, published in December 2014, provide for two types of authentications: password-less (known as UAF) and second factor (U2F). The FIDO Alliance is working on a set of 2.0 proposals that incorporate the best ideas from its U2F and UAF FIDO 1.0 standards, and of course, on new ideas. Microsoft has contributed Windows Hello technology to the FIDO 2.0 specification workgroup for review and feedback and continues to work with the FIDO Alliance as the FIDO 2.0 specification moves forward. Interoperability of FIDO products is a hallmark of FIDO authentication. Microsoft believes that bringing a FIDO solution to market will help solve a critical need for enterprises and consumers alike. - -#### It’s effective - -Windows Hello effectively mitigates two major security risks. 
First, it eliminates the use of passwords for sign-in and so reduces the risk that a nefarious attacker will steal and reuse the user’s credentials. User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Second, because Windows Hello uses asymmetrical key pairs, users credentials can’t be stolen in cases where the identity provider or websites the user accesses have been compromised. - -To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the user’s biometrics or guess his or her PIN—and all of this must be done before TPM anti-hammer capabilities lock the device. This sets the bar magnitudes of order higher than password phishing attacks. - -### Biometric sign-in - -Because biometric authentication is built directly into the operating system, Windows Hello allows users to unlock their devices by using their face or fingerprint. From here, authentication to the devices and resources is enabled through a combination of the user’s unique biometric identifier and the device itself. - -The user’s biometric data that is used for Windows Hello is considered a local gesture and consequently doesn’t roam among a user’s devices and is not centrally stored. The biometric image of the user the sensor takes is converted into an algorithmic form that cannot be converted back into the original image that the sensor took. Devices that have TPM 2.0 encrypt the biometric data in a form that makes it unreadable if the data is ever removed from the device. If multiple users share a device, each user will be able to enroll and use Windows Hello for his or her Windows profile. 
- -Windows Hello supports two biometric sensor options that are suitable for enterprise scenarios: - -- **Facial recognition** uses special infrared cameras to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major manufacturers are already shipping integrated devices with facial-recognition technology. -- **Fingerprint recognition** uses a fingerprint sensor to scan the user’s fingerprint. Although fingerprint readers have been available for computers running Windows for years, the detection, antispoofing, and recognition algorithms in Windows 10 are more advanced than previous Windows versions. Most existing fingerprint readers (whether external or integrated into laptops or USB keyboards) can be used with Windows Hello. - -Windows Hello offers several major benefits. First, it addresses the problems of credential theft and sharing, because an attacker must obtain the device and impersonate the user’s biometric identity, which is more difficult than stealing a password or PIN. Second, the use of biometrics gives users an authenticator that’s always with them – there’s nothing to forget, lose, or leave behind. Instead of worrying about memorizing long, complex passwords, users can take advantage of a convenient, secure method for logging in to all their Windows devices. Finally, there’s nothing additional to deploy or manage. Because Windows Hello support is built directly into the operating system, -there are no additional drivers to deploy. - -### Brute-force attack resistance - -A brute-force attack is the process used to break into a device simply by guessing a user’s password, PIN, or even his or her biometric identity over and over until the attacker gets it right. Over the last several versions of Windows, Microsoft has added features that dramatically reduce the chances that such an attack would succeed. 
- -The Windows 7 operating system and previous versions defended against brute-force attacks in a straightforward way: they slowed or prevented additional guesses after multiple mistakes. When users use a full password to log on, Windows forces users to wait several seconds between attempts if they type their password incorrectly multiple times. You can even choose to have Windows lock out an account for a period of time when it detects a brute-force attack. -Windows 8.1 and Windows 10 support an even more powerful – but optional – form of brute-force protection when the credentials are tied to TPM. If the operating system detects a brute-force attack against the Windows sign-in and BitLocker protects the system drive, Windows can automatically restart the device and put it in BitLocker recovery mode until someone enters a recovery key password. This password is a virtually unguessable 48-character recovery code that must be used before Windows will be able to start normally. - -If you’re interested in learning how to configure brute-force protection, use a test Windows 10 PC on which BitLocker protection is enabled for the system drive, and then print the BitLocker recovery key to ensure that you have it available. Then, open the Local Group Policy Editor by running **gpedit.msc**, and go to Computer Configuration\\Windows Settings\\Security Settings\\Security Options. Open the policy **Interactive Login: Machine Account Lockout Threshold**, and set the value to **5**, as shown in Figure 1. - -![Machine lockout threshold](images/security-fig1-invalidaccess.png "Machine lockout threshold") - -Figure 1. Set the number of invalid access attempts prior to lockout - -Now, your PC is configured with brute-force protection. Restart your PC. When prompted to log on, mistype your password until the PC restarts. Now, try to guess the 48-character recovery key. You will be glad you printed it out beforehand. 
- -## Information protection - -When users travel, their organization’s confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives; in Windows 10, BitLocker will even protect individual files, with data loss prevention capabilities. Windows consistently improves data protection by improving existing options and by providing new strategies. - -Table 2 lists specific data-protection concerns and how they are addressed in Windows 10 and Windows 7. - -Table 2. Data Protection in Windows 10 and Windows 7 - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows 7Windows 10

When BitLocker is used with a PIN to protect startup, PCs such as kiosks cannot be restarted remotely.

Modern Windows devices are increasingly protected with device encryption out of the box and support SSO to seamlessly protect the BitLocker encryption keys from cold boot attacks.

-

Network Unlock allows PCs to start automatically when connected to the internal network.

Users must contact the IT department to change their BitLocker PIN or password.

Modern Windows devices no longer require a PIN in the pre-boot environment to protect BitLocker encryption keys from cold boot attacks.

-

Users who have standard privileges can change their BitLocker PIN or password on legacy devices that require a PIN.

When BitLocker is enabled, the provisioning process can take several hours.

BitLocker pre-provisioning, encrypting hard drives, and Used Space Only encryption allow administrators to enable BitLocker quickly on new computers.

There is no support for using BitLocker with self-encrypting drives (SEDs).

BitLocker supports offloading encryption to encrypted hard drives.

Administrators have to use separate tools to manage encrypted hard drives.

BitLocker supports encrypted hard drives with onboard encryption hardware built in, which allows administrators to use the familiar BitLocker administrative tools to manage them.

Encrypting a new flash drive can take more than 20 minutes.

Used Space Only encryption in BitLocker To Go allows users to encrypt drives in seconds.

BitLocker could require users to enter a recovery key when system configuration changes occur.

BitLocker requires the user to enter a recovery key only when disk corruption occurs or when he or she loses the PIN or password.

Users need to enter a PIN to start the PC, and then their password to sign in to Windows.

Modern Windows devices are increasingly protected with device encryption out of the box and support SSO to help protect the BitLocker encryption keys from cold boot attacks.

- -The sections that follow describe these improvements in more detail. - -### Prepare for drive and file encryption - -The best type of security measures are transparent to the user during implementation and use. Every time there is a possible delay or difficulty because of a security feature, there is strong likelihood that users will try to bypass security. This situation is especially true for data protection, and that’s a scenario that organizations need to avoid. -Whether you’re planning to encrypt entire volumes, removable devices, or individual files, Windows 10 meets your needs by providing streamlined, usable solutions. In fact, you can take several steps in advance to prepare for data encryption and make the deployment quick and smooth. - -#### TPM pre-provisioning - -In Windows 7, preparing the TPM for use offered a couple of challenges: - -* You can turn on the TPM in the BIOS, which requires someone to either go into the BIOS settings to turn it on or to install a driver to turn it on from within Windows. -* When you enable the TPM, it may require one or more restarts. - -Basically, it was a big hassle. If IT staff were provisioning new PCs, they could handle all of this, but if you wanted to add BitLocker to devices that were already in users’ hands, those users would have struggled with the technical challenges and would either call IT for support or simply leave BitLocker disabled. - -Microsoft includes instrumentation in Windows 10 that enables the operating system to fully manage the TPM. There is no need to go into the BIOS, and all scenarios that required a restart have been eliminated. - -### Deploy hard drive encryption - -BitLocker is capable of encrypting entire hard drives, including both system and data drives. BitLocker pre-provisioning can drastically reduce the time required to provision new PCs with BitLocker enabled. 
With Windows 10, administrators can turn on BitLocker and the TPM from within the Windows Preinstallation Environment before they install Windows or as part of an automated deployment task sequence without any user interaction. Combined with Used Disk Space Only encryption and a mostly empty drive (because Windows is not yet installed), it takes only a few seconds to enable BitLocker. -With earlier versions of Windows, administrators had to enable BitLocker after Windows had been installed. Although this process could be automated, BitLocker would need to encrypt the entire drive, a process that could take anywhere from several hours to more than a day depending on drive size and performance, which significantly delayed deployment. Microsoft has improved this process through multiple features in Windows 10. - -#### Device encryption - -Beginning in Windows 8.1, Windows automatically enables BitLocker device encryption on devices that support InstantGo. With Windows 10, Microsoft offers device encryption support on a much broader range of devices, including those that are InstantGo. Microsoft expects that most devices in the future will pass the testing requirements, which makes device encryption pervasive across modern Windows devices. Device encryption further protects the system by transparently implementing device-wide data encryption. - -Unlike a standard BitLocker implementation, device encryption is enabled automatically so that the device is always protected. The following list outlines how this happens: - -* When a clean installation of Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, device encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key (this is the equivalent of standard BitLocker suspended state). 
-* If the device is not domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using his or her Microsoft account credentials. -* If the user uses a domain account to sign in, the clear key is not removed until the user joins the device to a domain and the recovery key is successfully backed up to Active Directory Domain Services (AD DS). You must enable the **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** Group Policy setting, and select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** option. With this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed. -* Similar to signing in with a domain account, the clear key is removed when the user logs on to an Azure AD account on the device. As described in the bullet point above, the recovery password is created automatically when the user authenticates to Azure AD. Then, the recovery key is backed up to Azure AD, the TPM protector is created, and the clear key is removed. 
- -Microsoft recommends that device encryption be enabled on any systems that support it, but the automatic device encryption process can be prevented by changing the following registry setting: -- **Subkey**: HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\BitLocker -- **Value**: PreventDeviceEncryption equal to True (1) -- **Type**: REG\_DWORD - -Administrators can manage domain-joined devices that have device encryption enabled through Microsoft BitLocker Administration and Monitoring (MBAM). In this case, device encryption automatically makes additional BitLocker options available. No conversion or encryption is required, and MBAM can manage the full BitLocker policy set if any configuration changes are required. - -#### Used Disk Space Only encryption - -BitLocker in earlier Windows versions could take a long time to encrypt a drive, because it encrypted every byte on the volume (including parts that did not have data). That is still the most secure way to encrypt a drive, especially if a drive has previously contained confidential data that has since been moved or deleted, in which case traces of the confidential data could remain on portions of the drive marked as unused. -But why encrypt a new drive when you can simply encrypt the data as it is being written? To reduce encryption time, BitLocker in Windows 10 lets users choose to encrypt just their data. Depending on the amount of data on the drive, this option can reduce encryption time by more than 99 percent. -Exercise caution when encrypting only used space on an existing volume on which confidential data may have already been stored in an unencrypted state, however, because those sectors can be recovered through disk-recovery tools until they are overwritten by new encrypted data. In contrast, encrypting only used space on a brand-new volume can significantly decrease deployment time without the security risk because all new data will be encrypted as it is written to the disk. 
- -#### Encrypted hard drive support - -SEDs have been available for years, but Microsoft couldn’t support their use with some earlier versions of Windows because the drives lacked important key management features. Microsoft worked with storage vendors to improve the hardware capabilities, and now BitLocker supports the next generation of SEDs, which are called encrypted hard drives. -Encrypted hard drives provide onboard cryptographic capabilities to encrypt data on drives, which improves both drive and system performance by offloading cryptographic calculations from the PC’s processor to the drive itself and rapidly encrypting the drive by using dedicated, purpose-built hardware. If you plan to use whole-drive encryption with Windows 10, Microsoft recommends that you investigate hard drive manufacturers and models to determine whether any of their encrypted hard drives meet your security and budget requirements. -For more information about encrypted hard drives, see [Encrypted Hard Drive](https://go.microsoft.com/fwlink/p/?LinkId=733880). - -### Preboot information protection - -An effective information protection implementation, like most security controls, considers usability as well as security. Users typically prefer a simple security experience. In fact, the more transparent a security solution becomes, the more likely users are to conform to it. -It is crucial that organizations protect information on their PCs regardless of the state of the computer or the intent of users. This protection should not be cumbersome to users. One undesirable and previously commonplace situation is when the user is prompted for input during preboot, and then again during Windows logon. Challenging users for input more than once should be avoided. -Windows 10 can enable a true SSO experience from the preboot environment on modern devices and in some cases even on older devices when robust information protection configurations are in place. 
The TPM in isolation is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. Although other countermeasures like PIN-based unlock are available, they are not as user-friendly; depending on the devices’ configuration they may not offer additional security when it comes to key protection. For more information about how to configure BitLocker for SSO, see [BitLocker Countermeasures](bitlocker-countermeasures.md).
-
-### Manage passwords and PINs
-
-When BitLocker is enabled on a system drive and the PC has a TPM, you can choose to require that users type a PIN before BitLocker will unlock the drive. Such a PIN requirement can prevent an attacker who has physical access to a PC from even getting to the Windows logon, which makes it virtually impossible for the attacker to access or modify user data and system files.
-
-Requiring a PIN at startup is a useful security feature because it acts as a second authentication factor (a second “something you know”). This configuration comes with some costs, however. One of the most significant is the need to change the PIN regularly. In enterprises that used BitLocker with Windows 7 and the Windows Vista operating system, users had to contact systems administrators to update their BitLocker PIN or password. This requirement not only increased management costs but made users less willing to change their BitLocker PIN or password on a regular basis.
-Windows 10 users can update their BitLocker PINs and passwords themselves, without administrator credentials. Not only will this feature reduce support costs, but it could improve security, too, because it encourages users to change their PINs and passwords more often.
In addition, InstantGo devices do not require a PIN for startup: They are designed to start infrequently and have other mitigations in place that further reduce the attack surface of the system.
-For more information about how startup security works and the countermeasures that Windows 10 provides, see [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md).
-
-### Configure Network Unlock
-
-Some organizations have location-specific data security requirements. This is most common in environments where high-value data is stored on PCs. The network environment may provide crucial data protection and enforce mandatory authentication; therefore, policy states that those PCs should not leave the building or be disconnected from the corporate network. Safeguards like physical security locks and geofencing may help enforce this policy as reactive controls. Beyond these, a proactive security control that grants data access only when the PC is connected to the corporate network is necessary.
-
-Network Unlock enables BitLocker-protected PCs to start automatically when connected to a wired corporate network on which Windows Deployment Services runs. Anytime the PC is not connected to the corporate network, a user must type a PIN to unlock the drive (if PIN-based unlock is enabled).
-Network Unlock requires the following infrastructure:
-
-* Client PCs that have Unified Extensible Firmware Interface (UEFI) firmware version 2.3.1 or later, which supports Dynamic Host Configuration Protocol (DHCP)
-* A server running Windows Server 2012 with the Windows Deployment Services role
-* A server with the DHCP server role installed
-
-For more information about how to configure Network Unlock, see [BitLocker: How to enable Network Unlock](https://go.microsoft.com/fwlink/p/?LinkId=733905).
-
-### Microsoft BitLocker Administration and Monitoring
-
-Part of the Microsoft Desktop Optimization Pack, MBAM makes it easier to manage and support BitLocker and BitLocker To Go. MBAM 2.5 with Service Pack 1, the latest version, has the following key features:
-
-* Enables administrators to automate the process of encrypting volumes on client computers across the enterprise.
-* Enables security officers to quickly determine the compliance state of individual computers or even of the enterprise itself.
-* Provides centralized reporting and hardware management with Microsoft System Center Configuration Manager.
-* Reduces the workload on the help desk to assist end users with BitLocker recovery requests.
-* Enables end users to recover encrypted devices independently by using the Self-Service Portal.
-* Enables security officers to easily audit access to recovery key information.
-* Empowers Windows Enterprise users to continue working anywhere with the assurance that their corporate data is protected.
-* Enforces the BitLocker encryption policy options that you set for your enterprise.
-* Integrates with existing management tools, such as System Center Configuration Manager.
-* Offers an IT-customizable recovery user experience.
-* Supports Windows 10.
-
-For more information about MBAM, including how to obtain it, see [Microsoft BitLocker Administration and Monitoring](https://go.microsoft.com/fwlink/p/?LinkId=626935) on the MDOP TechCenter.
-
-## Malware resistance
-
-In movies, security threats always seem to be initiated by a nefarious hacker sitting in front of a monitor with green text scrolling across it. In the real world, the vast majority of security threats occur without any human interaction at all. Just as software has automated so much of our lives, malware has automated attacks on our PCs. Those attacks are relentless. Malware is constantly changing, and when it infects a PC, it can in some cases be extremely difficult to detect and remove.
- -Prevention is the best bet, and Windows 10 provides strong malware resistance because it takes advantage of secure hardware, which secures the startup process, the core operating system architecture, and the desktop. - -Table 3 lists specific malware threats and the mitigation that Windows 10 provides. - -Table 3. Threats and Windows 10 mitigations - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ThreatWindows 10 mitigation

"Man in the middle" attacks, when an attacker reroutes communications between two users through the attacker's computer without the knowledge of the two communicating users

Client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require SMB signing and mutual authentication (such as Kerberos).

Firmware bootkits replace the firmware with malware.

All certified PCs include a UEFI with Secure Boot, which requires signed firmware for updates to UEFI and Option ROMs.

Bootkits start malware before Windows starts.

UEFI Secure Boot verifies Windows bootloader integrity to ensure that no malicious operating system can start before Windows.

System or driver rootkits start kernel-level malware while Windows is starting, before Windows Defender and antimalware solutions can start.

Windows Trusted Boot verifies Windows boot components; Microsoft drivers; and the Early Launch Antimalware (ELAM) antimalware driver, which verifies non-Microsoft drivers.

-

Measured Boot runs in parallel with Trusted Boot and can provide information to a remote server that verifies the boot state of the device to help ensure Trusted Boot and other boot components successfully checked the system.

User-level malware exploits a vulnerability in the system or an application and owns the device.

Improvements to address space layout randomization (ASLR), Data Execution Prevention (DEP), the heap architecture, and memory-management algorithms reduce the likelihood that vulnerabilities can enable successful exploits.

-

Protected Processes isolates nontrusted processes from each other and from sensitive operating system components.

-

VBS, built on top of Microsoft Hyper-V, protects sensitive Windows processes from the Windows operating system by isolating them from user mode processes and the Windows kernel.

-

Configurable code integrity enforces administrative policies to select exactly which applications are allowed to run in user mode. No other applications are permitted to run.

Users download dangerous software (for example, a seemingly legitimate application with an embedded Trojan horse) and run it without knowledge of the risk.

The SmartScreen Application Reputation feature is part of the core operating system; Microsoft Edge and Internet Explorer can use this feature either to warn users or to block users from downloading or running potentially malicious software.

Malware exploits a vulnerability in a browser add-on.

Microsoft Edge is a Universal App that does not run older binary extensions, including Microsoft Active X and Browser Helper Objects (BHO) frequently used for toolbars, thus eliminating these risks.

A website that includes malicious code exploits a vulnerability in Microsoft Edge and IE to run malware on the client PC.

Both Microsoft Edge and IE include Enhanced Protected Mode, which uses AppContainer-based sandboxing to protect the system from vulnerabilities that may be discovered in the extensions running in the browser (for example, Adobe Flash, Java) or the browser itself.

-  -The sections that follow describe these improvements in more detail. - -**SMB hardening improvements for SYSVOL and NETLOGON connections** - -In Windows 10 and Windows Server 2016, client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require Server Message Block (SMB) signing and mutual authentication (such as Kerberos). -- **What value does this change add?** -This change reduces the likelihood of man-in-the-middle attacks. -- **What works differently?** -If SMB signing and mutual authentication are unavailable, a Windows 10 or Windows Server 2016 computer won’t process domain-based Group Policy and scripts. ->[!NOTE] ->The registry values for these settings aren’t present by default, but the hardening rules still apply until overridden by Group Policy or other registry values. - -For more information on these security improvements, (also referred to as UNC hardening), see [Microsoft Knowledge Base article 3000483](https://go.microsoft.com/fwlink/p/?LinkId=789216) and [MS15-011 & MS15-014: Hardening Group Policy](https://go.microsoft.com/fwlink/p/?LinkId=789215). - -#### Secure hardware - -Although Windows 10 is designed to run on almost any hardware capable of running Windows 8, Windows 7, or Windows Vista, taking full advantage of Windows 10 security requires advancements in hardware-based security, including UEFI with Secure Boot, CPU virtualization features (for example, Intel VT-x), CPU memory-protection features (for example, Intel VT-d), TPM, and biometric sensors. - -#### UEFI with Secure Boot - -When a PC starts, it begins the process of loading the operating system by locating the bootloader on the PC’s hard drive. Without safeguards in place, the PC may simply hand control over to the bootloader without even determining whether it is a trusted operating system or malware. - -UEFI is a standards-based solution that offers a modern-day replacement for the BIOS. 
In fact, it provides the same functionality as BIOS while adding security features and other advanced capabilities. Like BIOS, UEFI initializes devices, but UEFI components with the Secure Boot feature (version 2.3.1 or later) also ensure that only trusted firmware in Option ROMs, UEFI apps, and operating system bootloaders can start on the device.
-
-UEFI can run internal integrity checks that verify the firmware’s digital signature before running it. Because only the PC’s hardware manufacturer has access to the digital certificate required to create a valid firmware signature, UEFI has protection from firmware bootkits. Thus, UEFI is the first link in the chain of trust.
-
-UEFI with Secure Boot became a hardware requirement starting with Windows 8 devices. If a PC supports UEFI, it must be enabled by default. It is possible to disable the Secure Boot feature on many devices, but Microsoft strongly discourages doing so because it dramatically reduces the security of the startup process.
-
-When a PC with UEFI and Secure Boot starts, the UEFI firmware verifies the bootloader’s digital signature to verify that it has not been modified after it was digitally signed. The firmware also verifies that a trusted authority issued the bootloader’s digital signature. This check helps to ensure that the system starts only after checking that the bootloader is both trusted and unmodified since signing.
-
-All Windows 8 certified PCs must meet several requirements related to Secure Boot:
-
-* They must have Secure Boot enabled by default.
-* They must trust Microsoft’s certification authority (CA) and thus any bootloader Microsoft has signed.
-* They must allow the user to add signatures and hashes to the UEFI database.
-* They must allow the user to completely disable Secure Boot (although administrators can restrict this).
-
-This behavior doesn’t limit the choice of operating system.
In fact, users typically have three options for running non-Microsoft operating systems: - -- **Use an operating system with a Microsoft-signed bootloader.** Microsoft offers a service to sign non-Microsoft bootloaders so that they can be used on the device. In this case, a signature from the Microsoft third-party UEFI -CA is used to sign the non-Microsoft bootloader, and the signature itself is added to the UEFI database. Several non-Microsoft operating systems, including several varieties of Linux, have had their bootloaders signed by Microsoft so that they can take advantage of the Secure Boot capability. For more information about the Microsoft third-party UEFI signing policy, read [Microsoft UEFI CA Signing policy updates](https://go.microsoft.com/fwlink/p/?LinkId=626936) and [Pre-submission testing for UEFI submissions](https://go.microsoft.com/fwlink/p/?LinkId=626937). - - >[!NOTE]  - >PCs configured to use Device Guard boot only a secured version of Windows and do not permit a third-party bootloader. For more information, see the [Device Guard](#device-guard) section of this document. -   -- **Configure UEFI to trust a non–Microsoft-signed bootloader or hashes.** Some Certified For Windows 8 or later PCs allow users to add noncertified bootloaders through a signature or hashes sent to the UEFI database, which allows them to run any operating system without Microsoft signing it. -- **Turn off Secure Boot.**Windows 8 certified PCs allow users to turn off Secure Boot so they can run unsigned operating systems. In this mode, the behavior is identical to PCs that have BIOS: The PC simply runs the bootloader without any verification. Microsoft strongly recommends that Secure Boot remain enabled whenever the device starts so that it can help prevent bootkit infections. 
- ->[!NOTE]   ->With Windows 10, original equipment manufacturers (OEMs) have the ability to ship built-to-order PCs that lock down UEFI Secure Boot so that it cannot be disabled and allows only the operating system of the customer’s choice to start on the device. -   -Windows, apps, and even malware cannot change the UEFI configuration. Instead, users must be physically present to manually boot a PC into a UEFI shell, and then change UEFI firmware settings. For more information about UEFI Secure Boot, read [Protecting the pre-OS environment with UEFI](https://go.microsoft.com/fwlink/p/?LinkId=626938). - -#### Virtualization-based security - -One of the most powerful changes to Windows 10 is virtual-based security. Virtual-based security (VBS) takes advantage of advances in PC virtualization to change the game when it comes to protecting system components from compromise. VBS is able to isolate some of the most sensitive security components of Windows 10. These security components aren’t just isolated through application programming interface (API) restrictions or a middle-layer: They actually run in a different virtual environment and are isolated from the Windows 10 operating system itself. - -VBS and the isolation it provides is accomplished through the novel use of the Hyper V hypervisor. In this case, instead of running other operating systems on top of the hypervisor as virtual guests, the hypervisor supports running the VBS environment in parallel with Windows and enforces a tightly limited set of interactions and access between the environments. - -Think of the VBS environment as a miniature operating system: It has its own kernel and processes. Unlike Windows, however, the VBS environment runs a micro-kernel and only two processes called trustlets: - -- **Local Security Authority (LSA)** enforces Windows authentication and authorization policies. LSA is a well-known security component that has been part of Windows since 1993. 
Sensitive portions of LSA are isolated within the VBS environment and are protected by a new feature called Credential Guard.
-- **Hypervisor-enforced code integrity** verifies the integrity of kernel-mode code prior to execution. This is a part of the [Device Guard](#device-guard) feature described later in this document.
-VBS provides two major improvements in Windows 10 security: a new trust boundary between key Windows system components and a secure execution environment within which they run. A trust boundary between key Windows system components is enabled though the VBS environment’s use of platform virtualization to isolate the VBS environment from the Windows operating system. Running the VBS environment and Windows operating system as guests on top of Hyper-V and the processor’s virtualization extensions inherently prevents the guests from interacting with each other outside the limited and highly structured communication channels between the trustlets within the VBS environment and Windows operating system.
-
-VBS acts as a secure execution environment because the architecture inherently prevents processes that run within the Windows environment – even those that have full system privileges – from accessing the kernel, trustlets, or any allocated memory within the VBS environment. In addition, the VBS environment uses TPM 2.0 to protect any data that is persisted to disk. Similarly, a user who has access to the physical disk is unable to access the data in an unencrypted form.
-
-The VBS architecture is illustrated in Figure 2.
-
-![Example of VBS architecture](images/security-fig2-vbsarchitecture-redo.png "Example of VBS architecture")
-
-Figure 2.
The VBS architecture
-
-Note that VBS requires a system that includes:
-
-* Windows 10 Enterprise Edition
-* A 64-bit processor
-* UEFI with Secure Boot
-* Second-Level Address Translation (SLAT) technologies (for example, Intel Extended Page Tables \[EPT\], AMD Rapid Virtualization Indexing \[RVI\])
-* Virtualization extensions (for example, Intel VT-x, AMD RVI)
-* I/O memory management unit (IOMMU) chipset virtualization (Intel VT-d or AMD-Vi)
-* TPM 2.0
-
-#### Trusted Platform Module
-
-A TPM is a tamper-resistant cryptographic module designed to enhance the security and privacy of computing platforms. The TPM is incorporated as a component in a trusted computing platform like a personal computer, tablet, or phone. The computing platform is specially designed to work with the TPM to support privacy and security scenarios that cannot be achieved through software alone. A proper implementation of a TPM as part of a trusted computing platform provides a hardware root of trust, meaning that the hardware behaves in a trusted way. For example, a key created in a TPM with the property that it can never be exported from the TPM really means the key cannot leave the TPM. The close integration of a TPM with a platform increases the transparency of the boot process and supports device health scenarios by enabling reliable report of the software used to start a platform.
-The functionality a TPM provides includes:
-
-- **Cryptographic key management.** Create, store, and permit the use of keys in defined ways.
-- **Safeguarding and reporting integrity measurements.** Software used to boot the platform can be recorded in the TPM and used to establish trust in the software running on the platform.
-- **Prove a TPM is really a TPM.** The TPM’s capabilities are so central to protecting privacy and security that a TPM needs to be able to differentiate itself from malware that masquerades as a TPM.
-
-Microsoft combined this small list of TPM benefits with Windows 10 and other hardware security technologies to provide practical security and privacy benefits.
-
-Among other functions, Windows 10 uses the TPM to protect the encryption keys for BitLocker volumes, virtual smart cards, certificates, and the many other keys that the TPM is used to generate. Windows 10 also uses the TPM to securely record and protect integrity-related measurements of select hardware and Windows boot components for the [Measured Boot](#measured-boot) feature described later in this document. In this scenario, Measured Boot measures each component, from firmware up through the drivers, and then stores those measurements in the PC’s TPM. From there, you can test the measurement log remotely so that a separate system verifies the boot state of the Windows 10 PC.
-
-Windows 10 supports TPM implementations that comply with either the 1.2 or 2.0 standards. Several improvements have been made in the TPM 2.0 standard, the most notable of which is cryptographic agility. TPM 1.2 is restricted to a fixed set of encryption and hash algorithms. At the time the TPM 1.2 standard was created in the early 2000s, these algorithms were considered cryptographically strong. Since that time, advances in cryptographic algorithms and cryptanalysis attacks have increased expectations for stronger cryptography. TPM 2.0 supports additional algorithms that offer stronger cryptographic protection as well as the ability to plug in algorithms that may be preferred in certain geographies or industries. It also opens the possibility for inclusion of future algorithms without changing the TPM component itself.
-
-TPM is usually assumed to be implanted in hardware on a motherboard as a discrete module, but TPM can also be effective when implemented in firmware. Windows 10 supports both discrete and firmware TPM that complies with the 2.0 standard (1.2 can only be discrete).
Windows does not differentiate between discrete and firmware-based solutions because they must meet the same requirements; therefore, any Windows feature that can take advantage of TPM can use either implementation. - ->[!NOTE]  ->Microsoft will not initially require new Windows 10 PCs to include TPM support. Microsoft will require systems to include a TPM 2.0 beginning one year from the launch of Windows 10, however, to give manufacturers enough time to incorporate this critical functionality and to give IT pros enough time to determine which benefits they will leverage. -  -Several Windows 10 security features require TPM: -* Virtual smart cards -* Measured Boot -* Health attestation (requires TPM 2.0 or later) -* InstantGo (requires TPM 2.0 or later) - -Other Windows 10 security features like BitLocker may take advantage of TPM if it is available but do not require it to work. An example of this is Windows Hello for Business. - -All of these features are covered in this document. - -#### Biometrics - -You read in the [Windows Hello](#windows-hello) section of this document that Windows 10 has built-in support for biometric hardware. Windows has included some amount of built-in biometric support since the Windows XP operating system, so what’s different about this in Windows 10? - -Windows 10 makes biometrics a core security feature. Biometrics is fully integrated into the Windows 10 security components, not just tacked on as an extra part of a larger scheme. This is a big change. Earlier biometric implementations were largely front-end methods to simplify authentication. Under the hood, biometrics was used to access a password, which was then used for authentication behind the scenes. Biometrics may have provided convenience but not necessarily enterprise-grade authentication. - -Microsoft has evangelized the importance of enterprise-grade biometric sensors to the OEMs that create Windows PCs and peripherals. 
Many OEMs already ship systems that have integrated fingerprint sensors and are transitioning from swipe-based to touch-based sensors. Facial-recognition sensors were already available when Windows 10 launched and are becoming more commonplace as integrated system components.
-
-In the future, Microsoft expects OEMs to produce even more enterprise-grade biometric sensors and to continue to integrate them into systems as well as provide separate peripherals. As a result, biometrics will become a commonplace authentication method as part of an MFA system.
-
-#### Secure Windows startup
-
-UEFI Secure Boot uses hardware technologies to help protect users from bootkits. Secure Boot can validate the integrity of the devices, firmware, and bootloader. After the bootloader launches, users must rely on the operating system to protect the integrity of the remainder of the system.
-
-#### Trusted Boot
-
-When UEFI Secure Boot verifies that the bootloader is trusted and starts Windows, the Windows Trusted Boot feature protects the rest of the startup process by verifying that all Windows startup components are trustworthy (for example, signed by a trusted source) and have integrity. The bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM component.
-
-If a file has been modified (for example, if malware has tampered with it or it has been corrupted), Trusted Boot will detect the problem and automatically repair the corrupted component. When repaired, Windows will start normally after only a brief delay.
-
-#### Early Launch Antimalware
-
-Malware that targeted previous versions of Windows often attempted to start before the antimalware solution. To do this, some types of malware would update or replace a non-Microsoft–related driver that starts during the Windows startup process.
The malicious driver would then use its system access privileges to modify critical parts of the system and disguise its presence so it could not be detected when the antimalware solution later started.
-
-Early Launch Antimalware (ELAM) is part of the Trusted Boot feature set and is designed to enable the antimalware solution to start before all non-Microsoft drivers and apps. ELAM checks the integrity of non-Microsoft drivers to determine whether the drivers are trustworthy. Because Windows needs to start as fast as possible, ELAM cannot be a complicated process of checking the driver files against known malware signatures; doing so would delay startup too much. Instead, ELAM has the simple task of examining every boot driver and determining whether it is on the list of trusted drivers. If malware modifies a boot-related driver, ELAM will detect the change, and Windows will prevent the driver from starting, thus blocking driver-based rootkits. ELAM also allows the registered antimalware provider to scan drivers that are loaded after the boot process is complete.
-
-The design is simple but effective. ELAM is a component of a full-featured antimalware solution, and it helps prevent malicious drivers and apps from starting before the rest of the antimalware solution starts later during the boot process. Indeed, ELAM runs only for a few seconds each time a PC starts. Windows Defender in Windows 10 supports ELAM, as does Microsoft System Center 2012 Endpoint Protection and several non-Microsoft antimalware apps.
-
-If you want to learn how to configure ELAM, you can use Group Policy settings to configure how ELAM responds to potentially malicious boot drivers. In the Group Policy Management Editor, go to Computer Configuration\\Administrative Templates\\System\\Early Launch Antimalware, and enable the **Boot-Start Driver Initialization Policy** setting. Now, you can select which driver classifications ELAM loads.
When you select the **Good Only** setting, it provides the highest level of security, but test it thoroughly to ensure that it does not prevent users with healthy PCs from starting.
-
-#### Measured Boot
-
-The biggest challenge with rootkits and bootkits in earlier versions of Windows is that they can frequently be undetectable to the client. Because they often start before Windows defenses and the antimalware solution and they have system-level privileges, rootkits and bootkits can completely disguise themselves while continuing to access system resources. Although UEFI Secure Boot and Trusted Boot can prevent most rootkits and bootkits, intruders could still potentially exploit a few attack vectors (for example, if UEFI with Secure Boot is disabled or if the signature used to sign a boot component, such as a non-Microsoft driver, has been compromised and is used to sign a malicious one).
-
-Windows 10 implements the Measured Boot feature, which uses the TPM hardware component built into newer PCs to record a series of measurements for critical startup-related components, including firmware, Windows boot components, drivers, and even the ELAM driver. Because Measured Boot leverages the hardware-based security capabilities of TPM, which isolates and protects the measurement data from malware attacks, the log data is well protected against even sophisticated attacks.
-
-Measured Boot focuses on acquiring the measurement data and protecting it from tampering. It must be coupled with a service that can analyze the data to determine device health and provide a more complete security service. The next section introduces just such a service.
-
-#### Verify device compliance for conditional access to corporate resources
-
-Measured Boot itself does not prevent malware from loading during the startup process – that is the job of Secure Boot, Device Guard, and ELAM.
Instead, Measured Boot provides a TPM-protected audit log that allows a trusted remote health attestation service to evaluate the PC’s startup components, state, and overall configuration. If the health attestation service detects that the PC loaded an untrustworthy component and is therefore out of compliance, the service can block the PC’s access to specific network resources or the entire network. You can even couple a health attestation service with a management system to facilitate conditional access capabilities that can initiate the quarantine and remediation processes to fix an infected PC and return it to a compliant state.
-
-![Health Attestation in Windows 10](images/security-fig3-healthattestation.png "Health Attestation in Windows 10")
-
-Figure 3. Health Attestation in Windows 10
-
-Figure 3 illustrates the following process for device compliance verification and conditional access implementation:
-
-1. The PC uses the TPM to record measurements of the bootloader, boot drivers, and ELAM driver. The TPM prevents anyone from tampering with these measurements, so even if malware is successfully loaded, it will not be able to modify the measurements. These measurements are signed with an Attestation Identity Key (AIK) that is stored in the TPM. Because the TPM hardware has signed the measurements, malware cannot modify them without being detected.
-
-2. Health Attestation is not enabled by default and requires an enrollment with a mobile device management (MDM) server in order to enable it. If it is enabled, the health attestation client will contact a remote server, called a health attestation server. Microsoft provides a cloud-based Windows Health Attestation service that can help evaluate the health of a device. The health attestation client sends the signed measurements, the device’s TPM boot log, and an AIK certificate (if present), which lets the health attestation server verify that the key used to sign the measurements was issued to a trusted TPM.
-
-3. The health attestation server analyzes the measurements and boot log and creates a statement of device health. This statement is encrypted to help ensure the confidentiality of the data.
-
-4. A management system, such as an MDM server, can request that an enrolled device present a statement of device health. Windows 10 supports both Microsoft and non-Microsoft MDM server requests for device health. To prevent theft of device health statements and reuse from other devices, an MDM server sends the enrolled device a “number used only once” (nonce) request along with this request for the device health statement.
-
-5. The enrolled device digitally signs the nonce with its AIK (which is stored in the TPM) and sends the MDM server the encrypted statement of device health, the digitally signed nonce, and a signed boot counter, which asserts that the device has not been restarted since it obtained the statement of health.
-
-6. The MDM server can send the same data to the health attestation server. The server decrypts the statement of health, asserts that the boot counter in the statement matches the boot counter that was sent to the MDM server, and compiles a list of health attributes.
-
-7. The health attestation server sends this list of health attributes back to the MDM server. The MDM server now enforces access and compliance policies if configured to do so.
-
-
-For a list of data points that the health attestation server verifies, along with a description of the data, see the [HealthAttestation CSP article on MSDN](http://go.microsoft.com/fwlink/p/?LinkId=626940).
-
-The management system’s implementation determines which attributes within the statement of device health are evaluated when assessing a device’s health. Broadly speaking, the management server receives information about how the device booted, what kind of policy is enforced on the device, and how data on the device is secured.
Depending on the implementation, the management server may add checks that go beyond what the statement of device health provides—for example, Windows patch level and other device attributes.
-
-Based on these data points, the management server can determine whether the client is healthy and grant it access to either a limited quarantine network or to the full network. Individual network resources, such as servers, can also grant or deny access based on whether the remote attestation client were able to retrieve a valid health certification from the remote attestation server.
-
-Because this solution can detect and prevent low-level malware that may be extremely difficult to detect any other way, Microsoft recommends that you consider the implementation of a management system, like Microsoft Intune, or any management solutions that take advantage of the Windows 10 cloud-based Health Attestation Server feature to detect and block devices that have been infected with advanced malware from network resources.
-
-### Secure the Windows core
-
-Applications built for Windows are designed to be secure and free of defects, but the reality is that as long as human beings are writing code, vulnerabilities will continue to crop up. When identified, malicious users and software may attempt to exploit vulnerabilities by manipulating data in memory in the hope that they can bootstrap a successful exploit.
-
-To mitigate these risks, Windows 10 includes core improvements to make it more difficult for malware to perform buffer overflow, heap spraying, and other low-level attacks and even which code is allowed to run on the PC. In addition, these improvements dramatically reduce the likelihood that newly discovered vulnerabilities result in a successful exploit. It takes detailed knowledge of operating system architecture and malware exploit techniques to fully appreciate the impact of these improvements, but the sections that follow explain them at a high level.
-
-#### Device Guard
-
-Today’s security threat landscape is more aggressive than ever before. Modern malicious attacks are focused on revenue generation, intellectual property theft, and targeted system degradation resulting in financial loss. Many of these nefarious attackers are sponsored by nation states that have ulterior motives and large cyber-terrorism budgets. These threats can enter a company through something as simple as an email and can permanently damage the organization’s reputation for securing employee and customer data and intellectual property, not to mention having a significant financial impact. The Windows 10 operating system introduces several new security features that help mitigate a large percentage of today’s known threats.
-
-It is estimated that more than 300,000 new malware variants are discovered daily. Unfortunately, companies currently use an ancient method to discover this infectious software and prevent its use. In fact, current PCs trust everything that runs until antimalware signatures determine whether a threat exists; then, the antimalware software attempts to clean the PC, often after the malicious software’s effect has already occurred. This signature-based system focuses on reacting to an infection and then ensuring that that particular infection does not happen again. In this model, the system that drives malware detection relies on the discovery of malicious software; only then can a signature be provided to the client to remediate it, which implies that a computer has often already been infected. The time between detection of the malware and a client being issued a signature could mean the difference between losing data and staying safe.
-
-In addition to antimalware solutions, “app control” or “whitelisting” technologies are available, including AppLocker. These perform single-instance or blanket allow or deny rules for running applications.
In Windows 10, these types of solutions are most effective when deployed alongside the Windows 10 Device Guard feature.
-
-Device Guard breaks the current model of detection first-block later and allows only trusted applications to run, period. This methodology is consistent with the successful prevention strategy for mobile phone security. With Device Guard, Microsoft has changed how the Windows operating system handles untrusted applications, which makes its defenses difficult for malware to penetrate. This new prevention versus detection model will provide Windows clients with the necessary security for modern threats and, when implemented, mitigates many of today’s threats from day one.
-
-#### Device Guard overview
-
-Device Guard is a feature set that consists of both hardware and software system integrity hardening features. These features revolutionize the Windows operating system’s security by taking advantage of new VBS options to protect the system core and the processes and drivers running in kernel mode—the trust-nothing model you see in mobile device operating systems. A key feature used with Device Guard is *configurable code integrity*, which allows your organization to choose exactly which software from trusted software publishers is allowed to run code on your client machines—exactly what has made mobile phone security on some platforms, such as Windows Mobile, so successful. Trusted applications are those signed directly (in other words, binaries) or indirectly by using a signed file that lists the hash values for application binaries that are considered trustworthy. In addition, Device Guard offers organizations a way to sign existing LOB applications so that they can trust their own code without the requirement that the application be rebuilt or packaged. Also, this same method of signing can provide organizations a way to trust non-Microsoft applications, including those that may not have been signed directly.
Device Guard with configurable code integrity, Credential Guard, and AppLocker present the most complete security defense that any Microsoft product has ever been able to offer a Windows client. - -Advanced hardware features such as CPU virtualization extensions, IOMMUs, and SLAT drive these new client security offerings. By integrating these hardware features further into the core operating system, Windows 10 can leverage them in new ways. For example, the same type 1 hypervisor technology that is used to run virtual machines in Hyper V isolates core Windows services into a virtualization-based, protected container. This is just one example of how -Windows 10 integrates advanced hardware features deeper into the operating system to offer comprehensive modern security to its users. - -To deliver this additional security, Device Guard has the following hardware and software requirements: -- UEFI Secure Boot (optionally with a non-Microsoft UEFI CA removed from the UEFI database) -- Virtualization support enabled by default in the system firmware (BIOS): - - Virtualization extensions (for example, Intel VT-x, AMD RVI) - - SLAT (for example, Intel EPT, AMD RVI) - - IOMMU (for example, Intel VT-d, AMD-Vi) -- UEFI BIOS configured to prevent an unauthorized user from disabling Device Guard–dependent hardware security features (for example, Secure Boot) -- Kernel mode drivers signed and compatible with hypervisor-enforced code integrity -- Windows 10 Enterprise only -- X64 version of Windows - -Along with these new features, some components of Device Guard are existing tools or technologies that have been included in this strategic security offering to provide customers with the most secure Windows operating system possible. Device Guard is intended as a set of client security features to be used in conjunction with the other threat-resistance features available in the Windows operating system, some of which are mentioned in this guide. 
-
-#### Configurable code integrity
-
-The Windows operating system consists of two operating modes: user mode and kernel mode. The base of the operating system runs within the kernel mode, which is where the Windows operating system directly interfaces with hardware resources. User mode is primarily responsible for running applications and brokering information to and from the kernel mode for hardware resource requests. For example, when an application running in user mode needs additional memory, the user mode process must request the resources from the kernel, not directly from RAM.
-
-Code integrity is the component of the Windows operating system that verifies that the code Windows is running came from a trusted source and is tamper free. Like the operating system, Windows code integrity contains two primary components: kernel mode code integrity (KMCI) and user mode code integrity (UMCI). KMCI has been used in recent versions of the Windows operating system to protect the kernel mode from executing unsigned drivers. Although effective, drivers are not the only route that malware can take to penetrate the kernel mode space of the operating system. In Windows 10, however, Microsoft has raised the requirements for kernel mode code out of the box as well as provided enterprises with a way to set their own UMCI and KMCI policies. Starting with the Code Integrity service itself and continuing through the policies a Windows client uses to verify that an application should be allowed to run, Microsoft has made Windows 10 more secure than any previous Windows release. Historically, UMCI has been available only in Windows RT and on Windows Mobile devices, which has made it difficult to infect these devices with viruses and malware. These same successful UMCI policies are available in Windows 10Windows 10.
-
-Historically, most malware has been unsigned.
Simply by deploying code integrity policies, organizations will immediately protect themselves against unsigned malware, which is estimated to be responsible for the vast majority of current attacks. By using code integrity policies, an enterprise can also select exactly which binaries are allowed to run in both user mode and kernel mode based on the signer, binary hash, or both. When completely enforced, it makes user mode in Windows function like some mobile platforms, trusting and running only specific applications or specific signatures. This feature alone fundamentally changes security in an enterprise. This additional security is *not* limited to Windows apps and does *not* require an application rewrite to be compatible with your existing and possibly unsigned applications. You can run configurable code integrity independent of Device Guard, thus making it available to devices that don’t meet Device Guard hardware requirements.
-
-#### Hardware security features and VBS
-
-The core functionality and protection of Device Guard starts at the hardware level. Devices that have processors equipped with SLAT technologies and virtualization extensions, such as Intel VT x and AMD V, will be able to take advantage of a VBS environment that dramatically enhances Windows security by isolating critical Windows services from the operating system itself. This isolation is necessary, because you must assume that the operating system kernel will be compromised, and you need assurance that some processes will remain secure.
-
-Device Guard leverages VBS to isolate its Hypervisor Code Integrity (HVCI) service, which enables Device Guard to help protect kernel mode processes and drivers from vulnerability exploits and zero days. HVCI uses the processor’s IOMMU functionality to force all software running in kernel mode to safely allocate memory. This means that after memory has been allocated, its state must be changed from writable to read only or execute only.
By forcing memory into these states, it helps ensure that attacks are unable to inject malicious code into kernel mode processes and drivers through techniques such as buffer overruns or heap spraying. In the end, the VBS environment protects the Device Guard HVCI service from tampering even if the operating system’s kernel has been fully compromised, and HVCI protects kernel mode processes and drivers so that a compromise of this magnitude can't happen in the first place.
-
-Another Windows 10 feature that employs VBS is Credential Guard. Credential Guard protects credentials by running the Windows authentication service known as LSA, and then storing the user’s derived credentials (for example, NTLM hashes; Kerberos tickets) within the same VBS environment that Device Guard uses to protect its HVCI service. By isolating the LSA service and the user’s derived credentials from both user mode and kernel mode, an attacker that has compromised the operating system core will still be unable to tamper with authentication or access derived credential data. Credential Guard prevents pass-the-hash and ticket types of attacks, which are central to the success of nearly every major network breach you’ve read about, which makes Credential Guard one of the most impactful and important features to deploy within your environment. For more information about how Credential Guard complements Device Guard, see the [Device Guard with Credential Guard](#device-guard-with-credential-guard) section.
-
-#### Device Guard with AppLocker
-
-Although AppLocker is not considered a new Device Guard feature, you can use it to complement configurable code integrity functionality when enforced code integrity cannot be fully implemented or its functionality does not cover every desired scenario. There are many scenarios in which you could use code integrity policies alongside AppLocker rules.
As a best practice, enforce code integrity policies at the most restrictive level possible for your organization, and then use AppLocker to fine-tune the restrictions to an even lower level. - ->[!NOTE]   ->One example in which Device Guard functionality needs AppLocker supplementation is when your organization would like to limit which universal applications from the Windows Store users can install on a device. Microsoft has already validated universal applications from the Windows Store as trustworthy to run, but an organization may not want to allow specific universal applications to run in its environment. You could use an AppLocker rule to enforce such a stance. - -In another example, you could enable a configurable code integrity policy to allow users to run all the apps from a specific publisher. To do so, you would add the publisher’s signature to the policy. If your organization decides that only specific apps from that publisher should be allowed to run, you would add the signature for the publisher to the configurable code integrity policy, and then use AppLocker to determine which specific apps can run. -  -AppLocker and Device Guard can run side-by-side in your organization, which offers the best of both security features at the same time and provides the most comprehensive security to as many devices as possible. In addition to these features, Microsoft recommends that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio. - -#### Device Guard with Credential Guard - -Although Credential Guard isn’t a feature within Device Guard, many organizations will likely deploy Credential Guard alongside Device Guard for additional protection against derived credential theft. Similar to virtualization-based protection of kernel mode through the Device Guard HVCI service, Credential Guard leverages hypervisor technology to protect the Windows authentication service (the LSA) and users’ derived credentials. 
This mitigation is targeted at preventing the use of pass-the-hash and pass-the-ticket techniques.
-
-Because Credential Guard uses VBS, it is decisive in its ability to prevent pass-the-hash and pass-the-ticket attacks from occurring on Windows 10 devices. Microsoft recognizes, however, that most organizations will have a blend of Windows versions running in their environments. Mitigations for devices not capable of running Credential Guard on both the client side and the server side are available to help with this scenario. Microsoft will be releasing details to TechNet regarding these additional mitigations in the near future.
-
-#### Unified manageability through Device Guard
-
-You can easily manage Device Guard features through the familiar enterprise and client-management tools that IT pros use every day. Use the following management tools to enable and manage Device Guard:
-- **Group Policy.**Windows 10 provides an administrative template that you can use to configure and deploy the configurable code integrity policies for your organization. This template also allows you to specify which hardware-based security features you would like to enable and deploy. You can manage these settings with your existing Group Policy objects, which makes it simple to implement Device Guard features. In addition to the code integrity and hardware-based security features, Group Policy can help you manage your catalog files.
-- **System Center Configuration Manager.** Use System Center Configuration Manager to simplify deployment and management of catalog files, code integrity policies, and hardware-based security features as well as to provide version control.
-- **MDM systems.** Organizations will be able to use Microsoft Intune and non-Microsoft MDM systems for deployment and management of code integrity policies and catalog files.
-- **Windows PowerShell.** You use Windows PowerShell primarily to create and service code integrity policies.
These policies represent the most impactful component of Device Guard.
-These options provide the same experience you’re used to for management of your existing enterprise management solutions.
-
-#### Address Space Layout Randomization
-
-One of the most common techniques used to gain access to a system is to find a vulnerability in a privileged process that is already running, guess or find a location in memory where important system code and data have been placed, and then overwrite that information with a malicious payload. In the early days of operating systems, any malware that could write directly to the system memory could do such a thing; the malware would simply overwrite system memory in well-known and predictable locations.
-Address Space Layout Randomization (ASLR) makes that type of attack much more difficult because it randomizes how and where important data is stored in memory. With ASLR, it is more difficult for malware to find the specific location it needs to attack. Figure 4 illustrates how ASLR works by showing how the locations of different critical Windows components can change in memory between restarts.
-
-![ASLR at work](images/security-fig4-aslr.png "ASLR at work")
-
-Figure 4. ASLR at work
-
-Although the ASLR implementation in Windows 7 was effective, it wasn’t applied holistically across the operating system, and the level of entropy (cryptographic randomization) wasn’t always at the highest possible level. To decrease the likelihood that sophisticated attacks such as heap spraying could succeed in the Windows 8 operating system, Microsoft applied ASLR holistically across the system and increased the level of entropy many times.
-The ASLR implementation in Windows 8 and Windows 10 is greatly improved over Windows 7, especially with 64-bit system and application processes that can take advantage of a vastly increased memory space, which makes it even more difficult for malware to predict where Windows 10 stores vital data.
When used on systems that have TPMs, ASLR memory randomization will be increasingly unique across devices, which makes it even more difficult for a successful exploit that works on one system to work reliably on another.
-
-#### Data Execution Prevention
-
-Malware depends on its ability to put a malicious payload into memory with the hope that it will be executed later, and ASLR will make that much more difficult. Wouldn’t it be great if you could prevent malware from running if it wrote to an area that has been allocated solely for the storage of information?
-
-Data Execution Prevention (DEP) does exactly that, by substantially reducing the range of memory that malicious code can use for its benefit. DEP uses the No eXecute bit on modern CPUs to mark blocks of memory as read-only so that those blocks can’t be used to execute malicious code that may be inserted within through a vulnerability exploit.
-
-Because of the importance of DEP, users cannot install Windows 10 on a computer that does not have DEP capability. Fortunately, most processors released since the mid-2000s support DEP.
-
-If you want to see which apps use DEP, complete these steps:
-1. Open Task Manager: Press Ctrl+Alt+Esc or by searching the Start screen.
-2. Click **More Details** (if necessary), and then click the **Details** tab.
-3. Right-click any column heading, and then click **Select Columns**.
-4. In the **Select Columns** dialog box, select the last **Data Execution Prevention** check box.
-5. Click **OK**.
-
-You can now see which processes have DEP enabled. Figure 5 shows the processes running on a Windows 10 PC with a single process that does not support DEP.
-
-![Processes with DEP enabled in Windows 10](images/security-fig5-dep.png "Processes with DEP enabled in Windows 10")
-
-Figure 5. Processes on which DEP has been enabled in Windows 10
-
-#### Windows Heap
-
-The *heap* is a location in memory that Windows uses to store dynamic application data.
Windows 10 continues to improve on earlier Windows heap designs by further mitigating the risk of heap exploits that could be used as part of an attack.
-
-Windows 10 has several important improvements to the security of the heap over Windows 7:
-- Internal data structures that the heap uses are now better protected against memory corruption.
-- Heap memory allocations now have randomized locations and sizes, which makes it more difficult for an attacker to predict the location of critical memory to overwrite. Specifically, Windows 10 adds a random offset to the address of a newly allocated heap, which makes the allocation much less predictable.
-- Windows 10 uses “guard pages” before and after blocks of memory as tripwires. If an attacker attempts to write past a block of memory (a common technique known as a buffer overflow), the attacker will have to overwrite a guard page. Any attempt to modify a guard page is considered a memory corruption, and Windows 10 responds by instantly terminating the app.
-
-Windows 10 resolves known heap attacks that could be used to compromise a PC running previous versions of Windows.
-
-#### Memory reservations
-
-The lowest 64 KB of process memory is reserved for the system. Apps are no longer allowed to allocate that portion of the memory, which makes it more difficult for malware to overwrite critical system data structures in memory.
-
-#### Control Flow Guard
-
-When applications are loaded into memory, they are allocated space based on the size of the code, requested memory, and other factors. When an application begins to execute code, it calls additional code located in other memory addresses. The relationships between the code locations are well known—they are written in the code itself—but previous to Windows 10, the flow between these locations was not enforced, which gives attackers the opportunity to change the flow to meet their needs.
In other words, an application exploit takes advantage of this behavior by running code that the application may not typically run.
-
-This kind of threat is mitigated in Windows 10 through the Control Flow Guard (CFG) feature. When a trusted application that was compiled to use CFG calls code, CFG verifies that the code location called is trusted for execution. If the location is not trusted, the application is immediately terminated as a potential security risk.
-
-An administrator cannot configure CFG; rather, an application developer can take advantage of CFG by configuring it when the application is compiled. Administrators should consider asking application developers and software vendors to deliver trustworthy Windows applications compiled with CFG enabled. Of course, browsers are a key entry point for attacks; thus Microsoft Edge, IE, and other Windows features take full advantage of CFG.
-
-#### Protected Processes
-
-Benjamin Franklin once said that "an ounce of prevention is worth a pound of cure." His wisdom directly applies to PC security. Most security controls are designed to prevent the initial infection point. The reasoning is that if malware cannot infect the system, the system is immune to malware.
-
-No computer is immune to malware, however. Despite all the best preventative controls, malware can eventually find a way to infect any operating system or hardware platform. So, although prevention with a defense-in-depth strategy is important, it cannot be the only type of malware control.
-
-The key security scenario is to assume that malware is running on a system but limit what it can do. Windows 10 has security controls and design features in place to reduce compromise from existing malware infections. Protected Processes is one such feature.
-
-With Protected Processes, Windows 10 prevents untrusted processes from interacting or tampering with those that have been specially signed. Protected Processes defines levels of trust for processes.
Less trusted processes are prevented from interacting with and therefore attacking more trusted processes. Windows 10 uses Protected Processes more broadly across the operating system, and for the first time, you can put antimalware solutions into the protected process space, which helps make the system and antimalware solutions less susceptible to tampering by malware that does manage to get on the system.
-
-### Secure the Windows desktop
-
-Windows 10 includes critical improvements to the Windows core and the desktop environment, where attacks and malware most frequently enter. The desktop environment is now more resistant to malware thanks to significant improvements to Windows Defender and SmartScreen Filters. Internet browsing is a safer experience because of Microsoft Edge, a completely new browser. The Windows Store reduces the likelihood that malware will infect devices by ensuring that all applications that enter the Windows Store ecosystem have been thoroughly reviewed before being made available. Universal Windows apps are inherently more secure than typical applications because they are sandboxed. Sandboxing restricts the application’s risk of being compromised or tampered with in a way that would put the system, data, and other applications at risk.
-The sections that follow describe Windows 10 improvements to application security in more detail.
-
-### Microsoft Edge and Internet Explorer 11
-
-Browser security is a critical component of any security strategy, and for good reason: The browser is the user’s interface to the Internet, an environment that is quite literally overwhelmed with malicious sites and content waiting to attack. Most users cannot perform at least part of their job without a browser, and many users are completely reliant on one. This reality has made the browser the number one pathway from which malicious hackers initiate their attacks.
-
-All browsers enable some amount of extensibility to do things beyond the original scope of the browser. Two common examples of this are Flash and Java extensions that enable their respective applications to run inside a browser.
-Keeping Windows 10 secure for web browsing and applications, especially for these two content types, is a priority.
-
-Microsoft includes an entirely new browser, Microsoft Edge, in Windows 10. Microsoft Edge is more secure in several ways, especially:
-- **Microsoft Edge does not support non-Microsoft binary extensions.** Microsoft Edge supports Flash content and PDF viewing by default through built-in extensions but no other binary extensions, including ActiveX controls and Java.
-- **Microsoft Edge runs 64-bit processes.** A 64-bit PC running an older version of Windows often runs in 32-bit compatibility mode to support older and less secure extensions. When Microsoft Edge runs on a 64-bit PC, it runs only 64-bit processes, which are much more secure when vulnerabilities are discovered and attempts are made to exploit them.
-- **Microsoft Edge is designed as a Universal Windows app.** It is inherently compartmentalized and runs in an AppContainer that sandboxes the browser from the system, data, and other apps. IE11 on Windows 10 can also take advantage of the same AppContainer technology through Enhanced Protect Mode. However, because it can run ActiveX and BHOs, the browser and sandbox are susceptible to a much broader range of attacks than Microsoft Edge.
-- **Microsoft Edge simplifies security configuration tasks.** Because Microsoft Edge uses a simplified application structure and a single sandbox configuration, there are fewer required security settings. In addition, Microsoft created Microsoft Edge default settings that align with security best practices, which makes it secure by default.
-
-In addition to Microsoft Edge, Microsoft includes IE11 in Windows 10 primarily for backwards-compatibility with websites and binary extensions that do not work with Microsoft Edge. It should not be configured as the primary browser but rather as an optional or automatic switchover, as shown in Figure 6.
-
-![Configure Windows 10 for backwards-compatibility with IE11](images/security-fig6-edge2.png "Configure Windows 10 for backwards-compatibility with IE11")
-
-Figure 6. Configure Windows 10 to switch from Microsoft Edge to IE11 for backwards-compatibility.
-
-Microsoft’s recommendation is to use Microsoft Edge as the primary web browser because it provides compatibility with the modern web and the best possible security. For sites that require IE11 compatibility, including those that require binary extensions and plug ins, enable Enterprise mode and use the Enterprise Mode Site List to define which sites have the dependency. When configured, when users use Microsoft Edge and it identifies a site that requires IE11, they will automatically be switched to IE11.
-
-### The SmartScreen Filter
-
-Recent versions of Windows have many effective techniques to prevent malware from installing itself without the user’s knowledge. To work around those restrictions, malware attacks often use social engineering techniques to trick users into running software. For example, malware known as a Trojan horse pretends to be something useful, such as a utility, but carries an additional, malicious payload.
-
-Starting with Windows Internet Explorer 8, the SmartScreen Filter has helped protect users from both malicious applications and nefarious websites by using the SmartScreen Filter’s application and URL reputation services. The SmartScreen Filter in Internet Explorer would check URLs and newly downloaded apps against an online reputation service that Microsoft maintained.
If the app or URL were not known to be safe, SmartScreen Filter would warn the user or even prevent the app or URL from loading, depending on how systems administrators had configured Group Policy settings. - -For Windows 10, Microsoft further developed the SmartScreen Filter by integrating its app reputation abilities into the operating system itself, which allows the filter to protect users regardless of the web browser they are using or the path that the app uses to arrive on the device (for example, email, USB flash drive). The first time a user runs an app that originates from the Internet, even if the user copied it from another PC, the SmartScreen Filter checks the reputation of the application by using digital signatures and other factors against a service that Microsoft maintains. If the app lacks a reputation or is known to be malicious, the SmartScreen Filter warns the user or blocks execution entirely, depending on how the administrator has configured Group Policy (see Figure 7). - -![SmartScreen Filter at work in Windows 10](images/security-fig7-smartscreenfilter.png "SmartScreen Filter at work in Windows 10") - -Figure 7. The SmartScreen Filter at work in Windows 10 - -By default, users have the option to bypass SmartScreen Filter protection so that it will not prevent a user from running a legitimate app. You can use Control Panel or Group Policy settings to disable the SmartScreen Filter or to completely prevent users from running apps that the SmartScreen Filter does not recognize. The Control Panel settings are shown in Figure 8. - -![SmartScreen configuration options](images/security-fig8-smartscreenconfig.png "SmartScreen configuration options") - -Figure 8. The Windows SmartScreen configuration options in Control Panel - -If you want to try the SmartScreen Filter, use Windows 7 to download this simulated (but not dangerous) malware file:[freevideo.exe](https://go.microsoft.com/fwlink/p/?LinkId=626943). 
Save it to your computer, and then run it from Windows Explorer. As shown in Figure 9, Windows runs the app without much warning. In Windows 7, you might receive a warning message about the app not having a certificate, but you can easily bypass it. - -![Windows 7 allows the app to run](images/security-fig9-windows7allow.png "Windows 7 allows the app to run") - -Figure 9. Windows 7 allows the app to run - -Now, repeat the test on a computer running Windows 10 by copying the file to a Windows 10 PC or by downloading the file again and saving it to your local computer. Run the file directly from File Explorer, and the SmartScreen Filter will warn you before it allows it to run. Microsoft’s data shows that for a vast majority of users, that extra warning is enough to save them from a malware infection. - -### Universal Windows apps - -The good news is that the download and use of Universal Windows apps or even Windows Classic applications (Win32) from the Windows Store will dramatically reduce the likelihood that you encounter malware on your PC because all apps go through a careful screening process before being made available in the store. Apps that organizations build and distribute through sideloading processes will need to be reviewed internally to ensure that they meet organizational security requirements. - -Regardless of how users acquire Universal Windows apps, they can use them with increased confidence. Unlike Windows Classic applications, which can run with elevated privileges and have potentially sweeping access to the system and data, Universal Windows apps run in an AppContainer sandbox with limited privileges and capabilities. For example, Universal Windows apps have no system-level access, have tightly controlled interactions with other apps, and have no access to data unless the user explicitly grants the application permission. - -In addition, all Universal Windows apps follow the security principle of least privilege. 
Apps receive only the minimum privileges they need to perform their legitimate tasks, so even if an attacker exploits an app, the damage the exploit can do is severely limited and should be contained within the sandbox. The Windows Store displays the exact capabilities the app requires (for example, access to the camera), along with the app’s age rating and publisher. - -In the end, the Windows Store app distribution process and the app sandboxing capabilities of Windows 10 will dramatically reduce the likelihood that users encounter malicious apps on the system. - -### Windows Defender - -Antimalware software, also generically called virus scanners, antivirus, and a host of other names, has been around for a long time. Microsoft shipped its first program in this category, Microsoft Anti-Virus, in 1993 for MS DOS 6.0. At the time, the approach of running a standalone MS DOS program to locate and remove viruses was sufficient. - -Times change and technology progresses, and antimalware software has also evolved. It is crucial to have multilayered defense with interoperability when you manage modern threats. Windows Defender uses the operating system extensively to achieve interoperability across the varying layers of defense. It is important to have an effective antimalware solution in place as an important obstacle between malware and enterprise assets, and it complements features like Device Guard. For example, an antimalware solution could help detect malicious behavior in memory or even within trusted applications, an area that Device Guard is not designed to address. -Windows Defender has evolved to meet the growing complexity of IT and the challenges that come with this complexity. Windows included Windows Defender, a robust inbox antimalware solution, starting with Windows 8. Now, with Windows 10, Microsoft has significantly improved Windows Defender. 
- -Windows Defender in Windows 10 uses a four-pronged approach to improve antimalware: rich local context, extensive global sensors, tamper proofing, and the empowerment of IT security professionals. This section explains each prong. - -**Rich, local context** improves how malware is identified. Windows 10 informs Windows Defender not only about content like files and processes but also where the content came from, where it has been stored, and more. The information about source and history enables Windows Defender to apply different levels of scrutiny to different content. - -For example, an application downloaded from the Internet would be more heavily scrutinized than an application installed from a trusted server. Windows 10 persists the history of the Internet-sourced application at the operating system level so that the app cannot erase its own tracks. The history is tracked and stored by the Persisted Store, a new feature in Windows 10 that securely manages the rich local context and prevents unauthorized modification or deletion. The rich local context improvements also help prevent malware from using tactics such as obfuscation as a means to evade detection. - -Local context also extends to how antimalware software exposes interfaces. Windows Defender implements the Antimalware Scan Interface (AMSI), a generic public interface standard that allows applications and services to request Windows Defender to scan and analyze obfuscated code before execution. AMSI is available for any application and antimalware solution to implement. In Windows 10, AMSI is accessible through Windows PowerShell, the Windows Script Host, JavaScript, and Microsoft JScript. - -In Windows 10, Microsoft implemented a new technology that allows Windows Defender to work closely with User Account Control (UAC) requests. When the UAC system is triggered, it requests a scan from Windows Defender before it prompts for elevation. 
Windows Defender scans the file or process and determines whether it's malicious. If it’s malicious, the user will see a message that explains that Windows Defender blocked the file or process from executing; if it's not malicious, then UAC will run and display the usual elevation request prompt. - -**Extensive global sensors** help keep Windows Defender current and aware of even the newest malware. This is accomplished in two ways: by collecting the rich local context data from end points and by centrally analyzing that data. The goal is to identify new, emerging malware and block it in the first critical hours of its lifetime to limit exposure to the broader PC ecosystem. - -With Windows Defender in Windows 8, Microsoft first introduced Windows Defender Cloud Protection, which helps to better react in the quickly evolving malware landscape. The goal is to block malware the "first time it’s seen" in the first critical hours of a malware attack. - -To help preserve the privacy of customers, Microsoft allows customers to opt in or out of the system. To participate, you simply opt into the program. To opt in for Windows 10, click **Settings**, click **Update & Security**, and then click **Windows Defender**. The opt-in choices are shown in Figure 10. - -![figure 10](images/security-fig10-optinsettings.png) - -Figure 10. Windows Defender opt-in settings in Windows 10 - -Of course, system administrators have centralized control of all Windows Defender settings through Group Policy. The Windows Defender configuration settings are shown under Computer Configuration/Windows Components/Windows Defender, as shown in Figure 11. - -![Windows Defender settings in Group Policy](images/security-fig11-defendersettings.png "Windows Defender settings in Group Policy") - -Figure 11. Windows Defender settings in Group Policy – the sample submission options are listed under MAPS - -**Tamper proofing** is the safeguarding of Windows Defender itself against malware attacks. 
Malware creators assume that antimalware software is implemented on most PCs. Many malware creators choose to overcome that obstacle by designing malware that modifies the antimalware software in some way, such as disabling real-time scanning or by hiding specific processes. Some malware goes as far as completely disabling the antimalware software while making it appear fully functional to the user. - -Windows Defender is designed to resist tampering; it uses several security technologies available in Windows 10, the primary of which is Protected Processes, which prevents untrusted processes from attempting to tamper with Windows Defender components, its registry keys, and so on. Tamper proofing in Windows Defender is also the indirect result of system-wide security components, including UEFI with Secure Boot and ELAM. These components help provide a more secure environment in which Windows Defender can launch in before it begins to defend itself. - -**Empowerment of IT security professionals** means that Windows Defender gives IT pros the tools and configuration options necessary to make it an enterprise-class antimalware solution. It has numerous enterprise-level features -that put it on par with the top products in this category: - -* Integration with centralized management software, including Microsoft Intune, System Center Configuration Manager, and Microsoft System Center Operations Manager. Unlike Windows 8.1, no additional client is necessary, because Windows Defender is now integrated into Windows and only a management layer needs to be added. -* Windows Defender supports the Open Mobile Alliance Device Management standard for centralized management by many non-Microsoft device management solutions. -* It includes integrated classic command-line and Windows PowerShell cmdlet support. -* Support for Windows Management Instrumentation reporting and application management is built in. 
-* Full integration with Group Policy offers complete IT configuration management. - -In addition, Windows Defender now integrates the Windows Defender Offline Tool, which formerly required the creation of a bootable, standalone version of Windows Defender into the Windows Recovery Environment. This simplifies the process of remediating low-level malware infections, which may prove difficult to detect and remove with the antimalware solution running on the Windows desktop. You can update signatures for this environment automatically from within the Windows Defender Offline experience. - -Beyond Windows Defender, Windows 10 provides deep operating system access for antimalware products. Non-Microsoft antimalware vendors can take advantage of Microsoft’s new APIs and interfaces to gain unprecedented access to Windows 10 resources for malware detection and removal. Non-Microsoft antimalware solutions can implement ELAM drivers, which scan Windows 10 while it’s in its initial startup process. The broad set of new low-level interfaces lets non-Microsoft antimalware solutions perform advanced malware detection in a way that enables them to retain application compatibility even when Microsoft makes significant changes to Windows internals, such as are often made between major operating system versions. - -This access presents a security challenge, however: How does Windows 10 grant antimalware software generous access while ensuring that malware doesn’t take advantage of the very same access? Microsoft has been hard at work with several non-Microsoft software vendors to meet this challenge. If a third party wants this level of access, it must meet certain criteria and vetting requirements, and then Microsoft must digitally sign its software. This allows Microsoft to verify the authenticity of the software vendors and prevent nefarious individuals from creating their own self-signed fake malware scanners. 
- -To be clear, Microsoft is not restricting the antimalware vendors or their innovations. Nor is Microsoft changing software distribution channels. When Microsoft has signed the antimalware application, you can deploy and install it through any means. Microsoft is basically ensuring that these software developers are authentic, industry-recognized entities before signing their antimalware software and, in doing so, granting extended privileges to it. -Another security threat that customers face particularly in consumer and bring your own device (BYOD) scenarios is a disabled or outdated antimalware product. A BYOD computer that has an installed but ineffective antimalware product can be more dangerous than no product at all, because it gives the illusion of security. Windows Defender in Windows 10 mitigates this threat by helping ensure that either Windows Defender or the customer’s preferred non-Microsoft solution is running and in a healthy state. - -Whenever non-Microsoft real-time protection is in an inoperable state (for example, disabled, expired) for 24 hours, Windows Defender automatically turns on to ensure that the device is protected. Windows attempts to help the user remediate the issue with the non-Microsoft antimalware solution by notifying him or her as early as 5 days before the software expires. If the solution expires, Windows enables Windows Defender and continues to remind the user to renew the non-Microsoft solution. When the user updates or reactivates the solution, Windows Defender is automatically disabled. In the end, the goal is to make sure that an operable antimalware solution is running at all times. - -#### Conclusion - -Windows 10 is the culmination of many years of effort from Microsoft, and its impact from a security perspective will be significant. Many of us still remember the years of Windows XP, when the attacks on the Windows operating system, applications, and data increased in volume and matured into serious threats. 
With the existing platforms and security solutions that you’ve likely deployed, you’re better defended than ever. But as attackers have become more advanced, there is no doubt that they have exceeded your ability to defend your organization and users. Evidence of this fact can be found in the news virtually every day as yet another major organization falls victim. Microsoft specifically designed Windows 10 to address these modern threats and tactics from the most advanced adversaries. It can truly change the game for your organization, and it can restore your advantage against those would like to make you their next victim.
-
-## Related topics
-
-[Windows 10 Specifications](https://go.microsoft.com/fwlink/p/?LinkId=625077 )
-
-[HealthAttestation CSP](https://go.microsoft.com/fwlink/p/?LinkId=626940 )
-
-[Making Windows 10 More Personal and More Secure with Windows Hello](https://go.microsoft.com/fwlink/p/?LinkId=626945)
-
-[Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md)
diff --git a/windows/keep-secure/windows-defender-smartscreen-available-settings.md b/windows/keep-secure/windows-defender-smartscreen-available-settings.md
new file mode 100644
index 0000000000..936751e349
--- /dev/null
+++ b/windows/keep-secure/windows-defender-smartscreen-available-settings.md
@@ -0,0 +1,215 @@ +--- +title: Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings (Windows 10) +description: A list of all available setttings for Windows Defender SmartScreen using Group Policy and mobile device management (MDM) settings. +keywords: SmartScreen Filter, Windows SmartScreen +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +author: eross-msft +localizationpriority: high +--- + +# Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings +**Applies to:** + +- Windows 10 +- Windows 10 Mobile + +Windows Defender SmartScreen works with Group Policy and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Windows Defender SmartScreen, you can show employees a warning page and let them continue to the site, or you can block the site entirely. + +## Group Policy settings +SmartScreen uses registry-based Administrative Template policy settings. For more info about Group Policy, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514). This site provides links to the latest technical documentation, videos, and downloads for Group Policy. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SettingSupported onDescription
Windows 10, version 1703:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen

Windows 10, Version 1607 and earlier:
Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreen

At least Windows Server 2012, Windows 8 or Windows RTThis policy setting turns on Windows Defender SmartScreen.

If you enable this setting, it turns on Windows Defender SmartScreen and your employees are unable to turn it off. Additionally, when enabling this feature, you must also pick whether SmartScreen should Warn your employees or Warn and prevent bypassing the message (effectively blocking the employee from the site).

If you disable this setting, it turns off Windows Defender SmartScreen and your employees are unable to turn it on.

If you don't configure this setting, your employees can decide whether to use Windows Defender SmartScreen.

Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install ControlWindows 10, version 1703This setting helps protect PCs by allowing users to install apps only from the Windows Store. SmartScreen must be enabled for this feature to work properly.

If you enable this setting, your employees can only install apps from the Windows Store.

If you disable this setting, your employees can install apps from anywhere, including as a download from the Internet.

If you don't configure this setting, your employees can choose whether they can install from anywhere or only from Windows Store.

Windows 10, version 1703:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen

Windows 10, Version 1607 and earlier:
Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen

Microsoft Edge on Windows 10 or laterThis policy setting turns on Windows Defender SmartScreen.

If you enable this setting, it turns on Windows Defender SmartScreen and your employees are unable to turn it off.

If you disable this setting, it turns off Windows Defender SmartScreen and your employees are unable to turn it on.

If you don't configure this setting, your employees can decide whether to use Windows Defender SmartScreen.

Windows 10, version 1703:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files

Windows 10, Version 1511 and 1607:
Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for files

Microsoft Edge on Windows 10, version 1511 or laterThis policy setting stops employees from bypassing the Windows Defender SmartScreen warnings about potentially malicious files.

If you enable this setting, it stops employees from bypassing the warning, stopping the file download.

If you disable or don't configure this setting, your employees can bypass the warnings and continue to download potentially malicious files.

Windows 10, version 1703:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites

Windows 10, Version 1511 and 1607:
Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sites

Microsoft Edge on Windows 10, version 1511 or laterThis policy setting stops employees from bypassing the Windows Defender SmartScreen warnings about potentially malicious sites.

If you enable this setting, it stops employees from bypassing the warning, stopping them from going to the site.

If you disable or don't configure this setting, your employees can bypass the warnings and continue to visit a potentially malicious site.

Administrative Templates\Windows Components\Internet Explorer\Prevent managing SmartScreen FilterInternet Explorer 9 or laterThis policy setting prevents the employee from managing SmartScreen Filter.

If you enable this policy setting, the employee isn't prompted to turn on SmartScreen Filter. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the employee.

If you disable or don't configure this policy setting, the employee is prompted to decide whether to turn on SmartScreen Filter during the first-run experience.

Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warningsInternet Explorer 8 or laterThis policy setting determines whether an employee can bypass warnings from SmartScreen Filter.

If you enable this policy setting, SmartScreen Filter warnings block the employee.

If you disable or don't configure this policy setting, the employee can bypass SmartScreen Filter warnings.

Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the InternetInternet Explorer 9 or laterThis policy setting determines whether the employee can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the employee about executable files that Internet Explorer users do not commonly download from the Internet.

If you enable this policy setting, SmartScreen Filter warnings block the employee.

If you disable or don't configure this policy setting, the employee can bypass SmartScreen Filter warnings.

+ +## MDM settings +If you manage your policies using Microsoft Intune, you'll want to use these MDM policy settings. All settings support both desktop computers (running Windows 10 Pro or Windows 10 Enterprise, enrolled with Microsoft Intune) and Windows 10 Mobile devices. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SettingSupported versionsDetails
AllowSmartScreenWindows 10 +
    +
  • URI full path. ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen
  • +
  • Data type. Integer
  • +
  • Allowed values:
      +
    • 0 . Turns off Windows Defender SmartScreen.
    • +
    • 1. Turns on Windows Defender SmartScreen.
+
EnableAppInstallControlWindows 10, version 1703 +
    +
  • URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/EnableAppInstallControl
  • +
  • Data type. Integer
  • +
  • Allowed values:
      +
    • 0 . Turns off Application Installation Control, allowing users to download and install files from anywhere on the web.
    • +
    • 1. Turns on Application Installation Control, allowing users to install apps from the Windows Store only.
+
EnableSmartScreenInShellWindows 10, version 1703 +
    +
  • URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/EnableSmartScreenInShell
  • +
  • Data type. Integer
  • +
  • Allowed values:
      +
    • 0 . Turns off SmartScreen in Windows.
    • +
    • 1. Turns on SmartScreen in Windows.
+
PreventOverrideForFilesInShellWindows 10, version 1703 +
    +
  • URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/PreventOverrideForFilesInShell
  • +
  • Data type. Integer
  • +
  • Allowed values:
      +
    • 0 . Employees can ignore SmartScreen warnings and run malicious files.
    • +
    • 1. Employees can't ignore SmartScreen warnings and run malicious files.
+
PreventSmartScreenPromptOverrideWindows 10, Version 1511 and later +
    +
  • URI full path. ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride
  • +
  • Data type. Integer
  • +
  • Allowed values:
      +
    • 0 . Employees can ignore SmartScreen warnings.
    • +
    • 1. Employees can't ignore SmartScreen warnings.
+
PreventSmartScreenPromptOverrideForFilesWindows 10, Version 1511 and later +
    +
  • URI full path. ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles
  • +
  • Data type. Integer
  • +
  • Allowed values:
      +
    • 0 . Employees can ignore SmartScreen warnings for files.
    • +
    • 1. Employees can't ignore SmartScreen warnings for files.
+
+ +## Recommended Group Policy and MDM settings for your organization +By default, Windows Defender SmartScreen lets employees bypass warnings. Unfortunately, this can let employees continue to an unsafe site or to continue to download an unsafe file, even after being warned. Because of this possibility, we strongly recommend that you set up Windows Defender SmartScreen to block high-risk interactions instead of providing just a warning. + +To better help you protect your organization, we recommend turning on and using these specific Windows Defender SmartScreen Group Policy and MDM settings. + + + + + + + + + + + + + + + + + + + + + +
Group Policy settingRecommendation
Administrative Templates\Windows Components\Microsoft Edge\Configure Windows Defender SmartScreenEnable. Turns on Windows Defender SmartScreen.
Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sitesEnable. Stops employees from ignoring warning messages and continuing to a potentially malicious website.
Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for filesEnable. Stops employees from ingnoring warning messages and continuing to download potentially malicious files.
Administrative Templates\Windows Components\File Explorer\Configure Windows Defender SmartScreenEnable with the Warn and prevent bypass option. Stops employees from ignoring warning messages about malicious files downloaded from the Internet.
+

+ + + + + + + + + + + + + + + + + + + + + + + + + +
MDM settingRecommendation
Browser/AllowSmartScreen1. Turns on Windows Defender SmartScreen.
Browser/PreventSmartScreenPromptOverride1. Stops employees from ignoring warning messages and continuing to a potentially malicious website.
Browser/PreventSmartScreenPromptOverrideForFiles1. Stops employees from ingnoring warning messages and continuing to download potentially malicious files.
SmartScreen/EnableSmartScreenInShell1. Turns on Windows Defender SmartScreen in Windows.

Requires at least Windows 10, version 1703.

SmartScreen/PreventOverrideForFilesInShell1. Stops employees from ignoring warning messages about malicious files downloaded from the Internet.

Requires at least Windows 10, version 1703.

+
+## Related topics
+- [Keep Windows 10 secure](https://technet.microsoft.com/itpro/windows/keep-secure/index)
+
+- [Security technologies in Windows 10](https://technet.microsoft.com/itpro/windows/keep-secure/security-technologies)
+
+- [Available Group Policy and Mobile Data Management (MDM) settings for Microsoft Edge](https://technet.microsoft.com/itpro/microsoft-edge/available-policies)
+
+>[!NOTE]
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
diff --git a/windows/keep-secure/windows-defender-smartscreen-overview.md b/windows/keep-secure/windows-defender-smartscreen-overview.md
new file mode 100644
index 0000000000..4df34ae566
--- /dev/null
+++ b/windows/keep-secure/windows-defender-smartscreen-overview.md
@@ -0,0 +1,66 @@
+---
+title: Windows Defender SmartScreen overview (Windows 10)
+description: Conceptual info about Windows Defender SmartScreen.
+keywords: SmartScreen Filter, Windows SmartScreen
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+localizationpriority: high
+---
+
+# Windows Defender SmartScreen
+**Applies to:**
+
+- Windows 10
+- Windows 10 Mobile
+
+Windows Defender SmartScreen helps to protect your employees if they try to visit sites previously reported as phishing or malware websites, or if an employee tries to download potentially malicious files.
+
+>[!NOTE]
+>SmartScreen completely blocks apps from the Internet from running on Windows 10 Mobile.
+
+**SmartScreen determines whether a site is potentially malicious by:**
+
+- Analyzing visited webpages looking for indications of suspicious behavior. If it finds suspicious pages, SmartScreen shows a warning page, advising caution.
+
+- Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, SmartScreen shows a warning to let the user know that the site might be malicious.
+
+**SmartScreen determines whether a downloaded app or app installer is potentially malicious by:**
+
+- Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen shows a warning to let the user know that the site might be malicious.
+
+- Checking downloaded files against a list of files that are well known and downloaded by many Windows users. If the file isn't on that list, SmartScreen shows a warning, advising caution.
+
+ >[!NOTE]
+ >Before Windows 10, version 1703 this feature was called the SmartScreen Filter when used within the browser and Windows SmartScreen when used outside of the browser.
+
+## Benefits of Windows Defender SmartScreen
+Windows Defender SmartScreen helps to provide an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially-engineered attack. The primary benefits are:
+
+- **Anti-phishing and anti-malware support.** SmartScreen helps to protect your employees from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly-used software. Because drive-by attacks can happen even if the user does not click or download anything on the page, the danger often goes unnoticed. For more info about drive-by attacks, see [Evolving Microsoft SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/#3B7Bb8bzeAPq8hXE.97)
+
+- **Reputation-based URL and app protection.** SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, your employees won't see any warnings. If however there's no reputation, the item is marked as a higher risk and presents a warning to the employee.
+
+- **Operating system integration.** SmartScreen is integrated into the Windows 10 operating system, meaning that it checks any files an app (including 3rd-party browsers and email clients) attempts to download and run.
+
+- **Improved heuristics and telemetry.** SmartScreen is constantly learning and endeavoring to stay up-to-date, so it can help to protect you against potentially malicious sites and files.
+
+- **Management through Group Policy and Microsoft Intune.** SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen-available-settings.md).
+
+## Viewing Windows Defender SmartScreen anti-phishing events
+When Windows Defender SmartScreen warns or blocks an employee from a website, it's logged as [Event 1035 - Anti-Phishing](https://technet.microsoft.com/en-us/scriptcenter/dd565657(v=msdn.10).aspx).
+
+## Related topics
+- [SmartScreen Frequently Asked Questions (FAQ)](https://support.microsoft.com/en-us/products/windows?os=windows-10)
+
+- [How to recognize phishing email messages, links, or phone calls](https://www.microsoft.com/en-us/safety/online-privacy/phishing-symptoms.aspx)
+
+- [Keep Windows 10 secure](https://technet.microsoft.com/itpro/windows/keep-secure/index)
+
+- [Security technologies in Windows 10](https://technet.microsoft.com/itpro/windows/keep-secure/security-technologies)
+
+
+>[!NOTE]
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
diff --git a/windows/keep-secure/windows-defender-smartscreen-set-individual-device.md b/windows/keep-secure/windows-defender-smartscreen-set-individual-device.md
new file mode 100644
index 0000000000..482d88a367
--- /dev/null
+++ b/windows/keep-secure/windows-defender-smartscreen-set-individual-device.md
@@ -0,0 +1,80 @@ +--- +title: Set up and use Windows Defender SmartScreen on individual devices (Windows 10) +description: Steps about what happens when an employee tries to run an app, how employees can report websites as safe or unsafe, and how employees can use the Windows Defender Security Center to set Windows Defender SmartScreen for individual devices. +keywords: SmartScreen Filter, Windows SmartScreen +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +author: eross-msft +localizationpriority: high +--- + +# Set up and use Windows Defender SmartScreen on individual devices + +**Applies to:** +- Windows 10, version 1703 +- Windows 10 Mobile + +Windows Defender SmartScreen helps to protect your employees if they try to visit sites previously reported as phishing or malware websites, or if an employee tries to download potentially malicious files. + +## How employees can use Windows Defender Security Center to set up Windows Defender SmartScreen +Starting with Windows 10, version 1703 your employees can use Windows Defender Security Center to set up Windows Defender SmartScreen for an individual device; unless you've used Group Policy or Microsoft Intune to prevent it. + +>[!NOTE] +>If any of the following settings are managed through Group Policy or mobile device management (MDM) settings, it appears as unavailable to the employee. + +**To use Windows Defender Security Center to set up Windows Defender SmartScreen on a device** +1. Open the Windows Defender Security Center app, and then click **App & browser control**. + + ![Windows Defender Security Center](images/windows-defender-security-center.png) + +2. In the **App & browser control** screen, choose from the following options: + + - In the **Check apps and files** area: + + - **Block.** Stops employees from downloading and running unrecognized apps and files from the web. 
+ + - **Warn.** Warns employees that the apps and files being downloaded from the web are potentially dangerous, but allows the action to continue. + + - **Off.** Turns off SmartScreen, so an employee isn't alerted or stopped from downloading potentially malicious apps and files. + + - In the **SmartScreen for Microsoft Edge** area: + + - **Block.** Stops employees from downloading and running unrecognized apps and files from the web, while using Microsoft Edge. + + - **Warn.** Warns employees that sites and downloads are potentially dangerous, but allows the action to continue while running in Microsoft Edge. + + - **Off.** Turns off SmartScreen, so an employee isn't alerted or stopped from downloading potentially malicious apps and files. + + - In the **SmartScreen from Windows Store apps** area: + + - **Block** or **Warn.** Warns employees that the sites and downloads used by Windows Store apps are potentially dangerous, but allows the action to continue. + + - **Off.** Turns off SmartScreen, so an employee isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files. + + ![Windows Defender Security Center, SmartScreen controls](images/windows-defender-smartscreen-control.png) + +## How SmartScreen works when an employee tries to run an app +Windows Defender SmartScreen checks the reputation of any web-based app the first time it's run from the Internet, checking digital signatures and other factors against a Microsoft-maintained service. If an app has no reputation or is known to be malicious, SmartScreen can warn the employee or block the app from running entirely, depending on how you've configured the feature to run in your organization. + +By default, your employees can bypass SmartScreen protection, letting them run legitimate apps after accepting a warning message prompt. 
You can also use Group Policy or Microsoft Intune to block employees from using unrecognized apps, or to entirely turn off Windows Defender SmartScreen (not recommended). + +## How employees can report websites as safe or unsafe +You can configure Windows Defender SmartScreen to warn employees from going to a potentially dangerous site. Employees can then choose to report a website as safe from the warning message or as unsafe from within Microsoft Edge and Internet Explorer 11. + +**To report a website as safe from the warning message** +- On the warning screen for the site, click **More Information**, and then click **Report that this site does not contain threats**. The site info is sent to the Microsoft feedback site, which provides further instructions. + +**To report a website as unsafe from Microsoft Edge** +- If a site seems potentially dangerous, employees can report it to Microsoft by clicking **More (...)**, clicking **Send feedback**, and then clicking **Report unsafe site**. + +**To report a website as unsafe from Internet Explorer 11** +- If a site seems potentially dangerous, employees can report it to Microsoft by clicking on the **Tools** menu, clicking **Windows Defender SmartScreen**, and then clicking **Report unsafe website**. + +## Related topics +- [Keep Windows 10 secure](https://technet.microsoft.com/itpro/windows/keep-secure/index) +- [Security technologies in Windows 10](https://technet.microsoft.com/itpro/windows/keep-secure/security-technologies) + +>[!NOTE] +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file diff --git a/windows/keep-secure/windows-hello-in-enterprise.md b/windows/keep-secure/windows-hello-in-enterprise.md deleted file mode 100644 index 379a453284..0000000000 
--- a/windows/keep-secure/windows-hello-in-enterprise.md +++ /dev/null @@ -1,14 +0,0 @@ ---- -title: Windows Hello biometrics in the enterprise (Windows 10) -description: Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition. -ms.assetid: d3f27d94-2226-4547-86c0-65c84d6df8Bc -keywords: Windows Hello, enterprise biometrics -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -author: jdeckerMS -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-biometrics-in-enterprise ---- - -# Windows Hello biometrics in the enterprise diff --git a/windows/keep-secure/wip-app-enterprise-context.md b/windows/keep-secure/wip-app-enterprise-context.md index b4ebd4ced4..98ee046b77 100644 --- a/windows/keep-secure/wip-app-enterprise-context.md +++ b/windows/keep-secure/wip-app-enterprise-context.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security +author: eross-msft localizationpriority: high --- diff --git a/windows/keep-secure/wip-enterprise-overview.md b/windows/keep-secure/wip-enterprise-overview.md deleted file mode 100644 index 2b0b45fd93..0000000000 --- a/windows/keep-secure/wip-enterprise-overview.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Windows Information Protection overview (Windows 10) -description: Conceptual info about Windows Information Protection (WIP), formerly known as Windows Information Protection (WIP). -redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip ---- diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md index 4a3b4ff900..148d75201f 100644 --- a/windows/manage/TOC.md +++ b/windows/manage/TOC.md 
@@ -1,78 +1,42 @@ -# [Manage and update Windows 10](index.md) +# [Manage Windows 10](index.md) +## [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) +## [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) ## [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md) -## [Cortana integration in your business or enterprise](cortana-at-work-overview.md) -### [Testing scenarios using Cortana in your business or organization](cortana-at-work-testing-scenarios.md) -#### [Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook](cortana-at-work-scenario-1.md) -#### [Test scenario 2 - Perform a quick search with Cortana at work](cortana-at-work-scenario-2.md) -#### [Test scenario 3 - Set a reminder for a specific location using Cortana at work](cortana-at-work-scenario-3.md) -#### [Test scenario 4 - Use Cortana at work to find your upcoming meetings](cortana-at-work-scenario-4.md) -#### [Test scenario 5 - Use Cortana to send email to a co-worker](cortana-at-work-scenario-5.md) -#### [Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email](cortana-at-work-scenario-6.md) -#### [Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device](cortana-at-work-scenario-7.md) -### [Set up and test Cortana with Office 365 in your organization](cortana-at-work-o365.md) -### [Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization](cortana-at-work-crm.md) -### [Set up and test Cortana for Power BI in your organization](cortana-at-work-powerbi.md) -### [Set up and test custom voice commands in Cortana for your organization](cortana-at-work-voice-commands.md) -### [Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization](cortana-at-work-policy-settings.md) -### [Send 
feedback about Cortana at work back to Microsoft](cortana-at-work-feedback.md) -## [Update Windows 10 in the enterprise](waas-update-windows-10.md) -### [Quick guide to Windows as a service](waas-quick-start.md) -### [Overview of Windows as a service](waas-overview.md) -### [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) -### [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -### [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) -### [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md) -#### [Get started with Update Compliance](update-compliance-get-started.md) -#### [Use Update Compliance](update-compliance-using.md) -### [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) -#### [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -#### [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -### [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) -### [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md) -#### [Configure Windows Update for Business](waas-configure-wufb.md) -#### [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -#### [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -#### [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) -### [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -### [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) -### [Manage device restarts after updates](waas-restart.md) -## [Manage corporate devices](manage-corporate-devices.md) -### [Manage Windows 10 in your 
organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) -### [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) -### [Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md) -### [New policies for Windows 10](new-policies-for-windows-10.md) -### [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md) -### [Changes to Group Policy settings for Windows 10 Start menu](changes-to-start-policies-in-windows-10.md) -### [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) -### [Introduction to configuration service providers (CSPs)](how-it-pros-can-use-configuration-service-providers.md) -## [Windows Spotlight on the lock screen](windows-spotlight.md) -## [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) -### [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) -### [Customize and export Start layout](customize-and-export-start-layout.md) -### [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md) -### [Start layout XML for mobile editions of Windows 10 (reference)](start-layout-xml-mobile.md) -### [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) -### [Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) -### [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) +## [Windows Store for Business](windows-store-for-business.md) +### [Sign up and get started](sign-up-windows-store-for-business-overview.md) +####[Windows Store for Business overview](windows-store-for-business-overview.md) +#### [Prerequisites for 
Windows Store for Business](prerequisites-windows-store-for-business.md) +#### [Sign up for Windows Store for Business](sign-up-windows-store-for-business.md) +#### [Roles and permissions in the Windows Store for Business](roles-and-permissions-windows-store-for-business.md) +#### [Settings reference: Windows Store for Business](settings-reference-windows-store-for-business.md) +### [Find and acquire apps](find-and-acquire-apps-overview.md) +#### [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md) +#### [Acquire apps in the Windows Store for Business](acquire-apps-windows-store-for-business.md) +#### [Working with line-of-business apps](working-with-line-of-business-apps.md) +### [Distribute apps to your employees from the Windows Store for Business](distribute-apps-to-your-employees-windows-store-for-business.md) +#### [Distribute apps using your private store](distribute-apps-from-your-private-store.md) +#### [Assign apps to employees](assign-apps-to-employees.md) +#### [Distribute apps with a management tool](distribute-apps-with-management-tool.md) +#### [Distribute offline apps](distribute-offline-apps.md) +### [Manage apps](manage-apps-windows-store-for-business-overview.md) +#### [App inventory managemement for Windows Store for Business](app-inventory-management-windows-store-for-business.md) +#### [Manage app orders in Windows Store for Business](manage-orders-windows-store-for-business.md) +#### [Manage access to private store](manage-access-to-private-store.md) +#### [Manage private store settings](manage-private-store-settings.md) +#### [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md) +### [Device Guard signing portal](device-guard-signing-portal.md) +#### [Add unsigned app to code integrity policy](add-unsigned-app-to-code-integrity-policy.md) +#### [Sign code integrity policy with Device Guard signing](sign-code-integrity-policy-with-device-guard-signing.md) +### [Manage settings in the Windows 
Store for Business](manage-settings-windows-store-for-business.md) +#### [Update Windows Store for Business account settings](update-windows-store-for-business-account-settings.md) +#### [Manage user accounts in Windows Store for Business](manage-users-and-groups-windows-store-for-business.md) +### [Troubleshoot Windows Store for Business](troubleshoot-windows-store-for-business.md) ## [Create mandatory user profiles](mandatory-user-profile.md) -## [Lock down Windows 10](lock-down-windows-10.md) -### [Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md) -### [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) -### [Set up a device for anyone to use (kiosk mode)](set-up-a-device-for-anyone-to-use.md) -#### [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) -#### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md) -#### [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) -### [Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md) -### [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) -### [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) -### [Configure access to Windows Store](stop-employees-from-using-the-windows-store.md) -### [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) -### [Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md) -#### [Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md) -#### [Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md) -### [Reset a Windows 10 Mobile 
device](reset-a-windows-10-mobile-device.md) +## [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) ## [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md) -## [Configure devices without MDM](configure-devices-without-mdm.md) +## [New policies for Windows 10](new-policies-for-windows-10.md) +## [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md) +## [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md) ## [Application Virtualization (App-V) for Windows](appv-for-windows.md) ### [Getting Started with App-V](appv-getting-started.md) #### [What's new in App-V for Windows 10, version 1703 and earlier](appv-about-appv.md) 
@@ -199,34 +163,4 @@ #### [Synchronizing Microsoft Office with UE-V](uev-synchronizing-microsoft-office-with-uev.md) #### [Application Template Schema Reference for UE-V](uev-application-template-schema-reference.md) #### [Security Considerations for UE-V](uev-security-considerations.md) -## [Windows Store for Business](windows-store-for-business.md) -### [Sign up and get started](sign-up-windows-store-for-business-overview.md) -####[Windows Store for Business overview](windows-store-for-business-overview.md) -#### [Prerequisites for Windows Store for Business](prerequisites-windows-store-for-business.md) -#### [Sign up for Windows Store for Business](sign-up-windows-store-for-business.md) -#### [Roles and permissions in the Windows Store for Business](roles-and-permissions-windows-store-for-business.md) -#### [Settings reference: Windows Store for Business](settings-reference-windows-store-for-business.md) -### [Find and acquire apps](find-and-acquire-apps-overview.md) -#### [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md) -#### [Acquire apps in the Windows Store for Business](acquire-apps-windows-store-for-business.md) -#### [Working with line-of-business apps](working-with-line-of-business-apps.md) -### [Distribute apps to your employees from the Windows Store for Business](distribute-apps-to-your-employees-windows-store-for-business.md) -#### [Distribute apps using your private store](distribute-apps-from-your-private-store.md) -#### [Assign apps to employees](assign-apps-to-employees.md) -#### [Distribute apps with a management tool](distribute-apps-with-management-tool.md) -#### [Distribute offline apps](distribute-offline-apps.md) -### [Manage apps](manage-apps-windows-store-for-business-overview.md) -#### [App inventory managemement for Windows Store for Business](app-inventory-management-windows-store-for-business.md) -#### [Manage app orders in Windows Store for Business](manage-orders-windows-store-for-business.md) -#### 
[Manage access to private store](manage-access-to-private-store.md) -#### [Manage private store settings](manage-private-store-settings.md) -#### [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md) -### [Device Guard signing portal](device-guard-signing-portal.md) -#### [Add unsigned app to code integrity policy](add-unsigned-app-to-code-integrity-policy.md) -#### [Sign code integrity policy with Device Guard signing](sign-code-integrity-policy-with-device-guard-signing.md) -### [Manage settings in the Windows Store for Business](manage-settings-windows-store-for-business.md) -#### [Update Windows Store for Business account settings](update-windows-store-for-business-account-settings.md) -#### [Manage user accounts in Windows Store for Business](manage-users-and-groups-windows-store-for-business.md) -### [Troubleshoot Windows Store for Business](troubleshoot-windows-store-for-business.md) -## [Windows Libraries](windows-libraries.md) -## [Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md) +## [Change history for Manage Windows 10](change-history-for-manage-and-update-windows-10.md) diff --git a/windows/manage/app-inventory-managemement-windows-store-for-business.md b/windows/manage/app-inventory-managemement-windows-store-for-business.md deleted file mode 100644 index 1dedc043ff..0000000000 --- a/windows/manage/app-inventory-managemement-windows-store-for-business.md +++ /dev/null @@ -1,12 +0,0 @@ ---- -title: App inventory management for Windows Store for Business (Windows 10) -description: You can manage all apps that you've acquired on your Inventory page. -ms.assetid: 44211937-801B-4B85-8810-9CA055CDB1B2 -redirect_url: https://technet.microsoft.com/itpro/windows/manage/app-inventory-management-windows-store-for-business -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: store -author: TrudyHa ---- - 
diff --git a/windows/manage/application-development-for-windows-as-a-service.md b/windows/manage/application-development-for-windows-as-a-service.md
deleted file mode 100644
index 080fccc711..0000000000
--- a/windows/manage/application-development-for-windows-as-a-service.md
+++ /dev/null
@@ -1,165 +0,0 @@ ---- -title: Application development for Windows as a service (Windows 10) -description: Microsoft recommends that our ISV partners decouple their app release and support from specific Windows builds. -ms.assetid: 28E0D103-B0EE-4B14-8680-6F30BD373ACF -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security, servicing -author: jdeckerMS -redirect_url: https://msdn.microsoft.com/windows/uwp/get-started/application-development-for-windows-as-a-service ---- - -# Application development for Windows as a service - -**Applies to** -- Windows 10 -- Windows 10 Mobile -- Windows 10 IoT Core - -In today’s environment, where user expectations frequently are set by device-centric experiences, complete product cycles need to be measured in months, not years. Additionally, new releases must be made available on a continual basis, and must be deployable with minimal impact on users. Microsoft designed Windows 10 to meet these requirements by implementing a new approach to innovation, development, and delivery called [Windows as a service (WaaS)](introduction-to-windows-10-servicing.md). The key to enabling significantly shorter product cycles while maintaining high quality levels is an innovative community-centric approach to testing that Microsoft has implemented for Windows 10. The community, known as Windows Insiders, is comprised of millions of users around the world. When Windows Insiders opt in to the community, they test many builds over the course of a product cycle and provide feedback to Microsoft through an iterative methodology called flighting. - -Builds distributed as flights provide the Windows engineering team with significant data regarding how well builds are performing in actual use. Flighting with Windows Insiders also enables Microsoft to test builds in much more diverse hardware, application, and networking environments than in the past, and to identify issues far more quickly. 
As a result, Microsoft believes that community-focused flighting will enable both a faster pace of innovation delivery and better public release quality than ever. - -## Windows 10 release types and cadences - -Although Microsoft releases flight builds to Windows Insiders, Microsoft will publish two types of Windows 10 releases broadly to the public on an ongoing basis: - -**Feature updates** install the latest new features, experiences, and capabilities on devices that are already running Windows 10. Because feature updates contain an entire copy of Windows, they are also what customers use to install Windows 10 on existing devices running Windows 7 or Windows 8.1, and on new devices where no operating system is installed. Microsoft expects to publish an average of one to two new feature updates per year. - -**Quality updates** deliver security issue resolutions and other important bug fixes. Quality updates will be provided to improve each feature currently in support, on a cadence of one or more times per month. Microsoft will continue publishing quality updates on Update Tuesday (sometimes referred to as Patch Tuesday). Additionally, Microsoft may publish additional quality updates for Windows 10 outside the Update Tuesday process when required to address customer needs. - -During Windows 10 development, Microsoft streamlined the Windows product engineering and release cycle so that we can deliver the features, experiences, and functionality customers want, more quickly than ever. We also created new ways to deliver and install feature updates and quality updates that simplify deployments and on-going management, broaden the base of employees who can be kept current with the latest Windows capabilities and experiences, and lower total cost of ownership. 
Hence we have implemented new servicing options – referred to as Current Branch (CB), Current Branch for Business (CBB), and Long-Term Servicing Branch (LTSB) – that provide pragmatic solutions to keep more devices more current in enterprise environments than was previously possible. - -The following table shows describes the various servicing branches and their key attributes. - -| Servicing option | Availability of new feature upgrades for installation | Minimum length of servicing lifetime | Key benefits | Supported editions | -|-----------------------------------|-----------------------------------------------------------|--------------------------------------|-------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------| -| Current Branch (CB) | Immediately after first published by Microsoft | Approximately 4 months | Makes new features available to users as soon as possible | Home, Pro, Education, Enterprise, Mobile, IoT Core, Windows 10 IoT Core Pro (IoT Core Pro) | -| Current Branch for Business (CBB) | Approximately 4 months after first published by Microsoft | Approximately 8 months | Provides additional time to test new feature upgrades before deployment | Pro, Education, Enterprise, Mobile Enterprise, IoT Core Pro | -| Long-Term Servicing Branch (LTSB) | Immediately after published by Microsoft | 10 Years | Enables long-term deployment of selected Windows 10 releases in low-change configurations | Enterprise LTSB | -  -For more information, see [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md). - -## Supporting apps in Windows as a service - -The traditional approach for supporting apps has been to release a new app version in response to a Windows release. This assumes that there are breaking changes in the underlying OS that could potentially cause a regression with the application. 
This model involves a dedicated development and validation cycle that requires our ISV partners to align with the Windows release cadence. - -In the Windows as a service model, Microsoft is making a commitment to maintaining the compatibility of the underlying OS. This means Microsoft will make a concerted effort to ensure that there are no breaking changes that impact the app ecosystem negatively. In this scenario, when there is a release of a Windows build, most apps (those with no kernel dependencies) will continue to work. - -In view of this change, Microsoft recommends that our ISV partners decouple their app release and support from specific Windows builds. Our mutual customers are better served by an application lifecycle approach. This means when an application version is released it will be supported for a certain period of time irrespective of however many Windows builds are released in the interim. The ISV makes a commitment to provide support for that specific version of the app as long as it is supported in the lifecycle. Microsoft follows a similar lifecycle approach for Windows that can be referenced [here](https://go.microsoft.com/fwlink/?LinkID=780549). - -This approach will reduce the burden of maintaining an app schedule that aligns with Windows releases. ISV partners should be free to release features or updates at their own cadence. We feel that our partners can keep their customer base updated with the latest app updates independent of a Windows release. In addition, our customers do not have to seek an explicit support statement whenever a Windows build is released. 
Here is an example of a support statement that covers how an app may be supported across different versions of the OS: - -| Example of an application lifecycle support statement | -|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Contoso is a software development company and is the owner of the popular Mojave app which has a major share in the enterprise space. Contoso releases its next major release Mojave 14.0 and declares mainstream support for a period of three years from the release date. During mainstream support all updates and support are complimentary for the licensed product. Contoso also declares an additional two years of extended support where customers can purchase updates and support for a grace period. Beyond the extended support end date this product version is no longer supported. During the period of mainstream support Contoso will support Mojave 14.0 on all released builds of Windows. Contoso will also release updates to Mojave as necessary and independent of the Windows product releases. | -  -In the following sections, you will find additional information about the steps Microsoft takes to maintain the compatibility of the underlying OS. 
You will also find guidance on steps you can take to help maintain the compatibility of the combined OS and app ecosystem. There is a section on how to leverage Windows flighting builds to detect app regressions before a Windows build is released. Lastly, we describe how we use an instrumentation and telemetry-driven approach to increase the quality of Windows builds. We recommend ISVs adopt a similar approach with their app portfolio. - -## Key changes since Windows 7 to ensure app compatibility - -We understand that compatibility matters to developers. ISVs and developers want to ensure their apps will run as expected on all supported versions of the Windows OS. Consumers and businesses have a key investment here—they want to ensure that the apps they have paid for will continue to work. We know that compatibility is the primary criteria for purchase decisions. Apps that are well written based on best practices will lead to much less code churn when -a new Windows version is released and will reduce fragmentation—these apps have a reduced engineering investment to maintain, and a faster time to market. - -In the Windows 7 timeframe, compatibility was very much a reactive approach. In Windows 8, we started looking at this differently, working within Windows to ensure that compatibility was by design rather than an afterthought. -Windows 10 is the most compatible-by-design version of the OS to date. Here are some key ways we accomplished this: -- **App telemetry**: This helps us understand app popularity in the Windows ecosystem to inform compatibility testing. -- **ISV partnerships**: Work directly with external partners to provide them with data and help fix issues that our users experience. -- **Design reviews, upstream detection**: Partner with feature teams to reduce the number of breaking changes in Windows. Compatibility review is a gate that our feature teams must pass. -- **Communication**: Tighter control over API changes and improved communication. 
-- **Flighting and feedback loop**: Windows insiders receive flighted builds that help improve our ability to find compatibility issues before a final build is released to customers. This feedback process not only exposes bugs, but ensures we are shipping features our users want. - -## Best practices for app compatibility - -Microsoft uses diagnostic and usage data to identify and troubleshoot problems, improve our products and services, and provide our users with personalized experiences. The usage data we collect also extends to the apps that PCs in the Windows ecosystem are running. Based on what our customers use, we build our list to test these apps, devices, and drivers against new versions of the Windows OS. Windows 10 has been the most compatible version of Windows to-date, with over 90% compatibility against thousands of popular apps. The Windows Compatibility team commonly reaches out to our ISV partners to provide feedback if issues are discovered, so that we can partner together on solutions. Ideally, we’d like our common customers to be able to update Windows seamlessly and without losing functionality in either their OS or the apps they depend on for their productivity or entertainment. - -The following sections contain some best practices Microsoft recommends so you can ensure your apps are compatible with Windows 10. - -### Windows version check - -The OS version has been incremented with Windows 10. This means that the internal version number has been changed to 10.0. As in the past, we go to great lengths to maintain application and device compatibility after an OS version change. For most app categories (without any kernel dependencies), the change will not negatively impact app functionality, and existing apps will continue to work fine on Windows 10. - -The manifestation of this change is app-specific. 
This means any app that specifically checks for the OS version will get a higher version number, which can lead to one or more of the following situations: -- App installers might not be able to install the app, and apps might not be able to start. -- Apps might become unstable or crash. -- Apps might generate error messages, but continue to function properly. - -Some apps perform a version check and simply pass a warning to users. However, there are apps that are bound very tightly to a version check (in the drivers, or in kernel mode to avoid detection). In these cases, the app will fail if an incorrect version is found. Rather than a version check, we recommend one of the following approaches: -- If the app is dependent on specific API functionality, ensure you target the correct API version. -- Ensure you detect the change via APISet or another public API, and do not use the version as a proxy for some feature or fix. If there are breaking changes and a proper check is not exposed, then that is a bug. -- Ensure the app does NOT check for version in odd ways, such as via the registry, file versions, offsets, kernel mode, drivers, or other means. If the app absolutely needs to check the version, use the GetVersion APIs, which should return the major, minor, and build number. -- If you are using the [GetVersion](https://go.microsoft.com/fwlink/?LinkID=780555) API, remember that the behavior of this API has changed since Windows 8.1. - -If you own apps such as antimalware or firewall apps, you should work through your usual feedback channels and via the Windows Insider program. - -### Undocumented APIs - -Your apps should not call undocumented Windows APIs, or take dependency on specific Windows file exports or registry keys. This can lead to broken functionality, data loss, and potential security issues. 
If there is functionality your app requires that is not available, this is an opportunity to provide feedback through your usual feedback channels and via the Windows Insider program. - -### Develop Universal Windows Platform (UWP) and Centennial apps - -We encourage all Win32 app ISVs to develop [Universal Windows Platform (UWP)](https://go.microsoft.com/fwlink/?LinkID=780560) and, specifically, [Centennial](https://go.microsoft.com/fwlink/?LinkID=780562) apps moving forward. There are great benefits to developing these app packages rather than using traditional Win32 installers. UWP apps are also supported in the [Windows Store](https://go.microsoft.com/fwlink/?LinkID=780563), so it’s easier for you to update your users to a consistent version automatically, lowering your support costs. - -If your Win32 app types do not work with the Centennial model, we highly recommend that you use the right installer and ensure this is fully tested. An installer is your user or customer’s first experience with your app, so ensure that this works well. All too often, this doesn’t work well or it hasn’t been fully tested for all scenarios. The [Windows App Certification Kit](https://go.microsoft.com/fwlink/?LinkID=780565) can help you test the install and uninstall of your Win32 app and help you identify use of undocumented APIs, as well as other basic performance-related best-practice issues, before your users do. - -**Best practices:** -- Use installers that work for both 32-bit and 64-bit versions of Windows. -- Design your installers to run on multiple scenarios (user or machine level). -- Keep all Windows redistributables in the original packaging – if you repackage these, it’s possible that this will break the installer. -- Schedule development time for your installers—these are often overlooked as a deliverable during the software development lifecycle. 
- -## Optimized test strategies and flighting - -Windows OS flighting refers to the interim builds available to Windows Insiders before a final build is released to the general population. The more Insiders that flight these interim builds, the more feedback we receive on the build quality, compatibility, etc., and this helps improve quality of the final builds. You can participate in this flighting program to ensure that your apps work as expected on iterative builds of the OS. We also encourage you to provide feedback on how these flighted builds are working for you, issues you run into, and so on. - -If your app is in the Store, you can flight your app via the Store, which means that your app will be available for our Windows Insider population to install. Users can install your app and you can receive preliminary feedback on your app before you release it to the general population. The follow sections outline the steps for testing your apps against Windows flighted builds. - -### Step 1: Become a Windows Insider and participate in flighting -As a [Windows Insider,](https://go.microsoft.com/fwlink/p/?LinkId=521639) you can help shape the future of Windows—your feedback will help us improve features and functionality in the platform. This is a vibrant community where you can connect with other enthusiasts, join forums, trade advice, and learn about upcoming Insider-only events. - -Since you’ll have access to preview builds of Windows 10, Windows 10 Mobile, and the latest Windows SDK and Emulator, you’ll have all the tools at your disposal to develop great apps and explore what's new in the Universal Windows Platform and the Windows Store. - -This is also a great opportunity to build great hardware, with preview builds of the hardware development kits so you can develop universal drivers for Windows. The IoT Core Insider Preview is also available on supported IoT development boards, so you can build amazing connected solutions using the Universal Windows Platform. 
- -Before you become a Windows Insider, please note that participation is intended for users who: -- Want to try out software that’s still in development. -- Want to share feedback about the software and the platform. -- Don’t mind lots of updates or a UI design that might change significantly over time. -- Really know their way around a PC and feel comfortable troubleshooting problems, backing up data, formatting a hard drive, installing an operating system from scratch, or restoring an old one if necessary. -- Know what an ISO file is and how to use it. -- Aren't installing it on their everyday computer or device. - -### Step 2: Test your scenarios - -Once you have updated to a flighted build, the following are some sample test cases to help you get started on testing and gathering feedback. For most of these tests, ensure you cover both x86 and AMD64 systems. -**Clean install test:** On a clean install of Windows 10, ensure your app is fully functional. If your app fails this test and the upgrade test, then it’s likely that the issue is caused by underlying OS changes or bugs in the app. -If after investigation, the former is the case, be sure to use the Windows Insider program to provide feedback and partner on solutions. - -**Upgrade Test:** Check that your app works after upgrading from a down-level version of Windows (i.e. Windows 7 or Windows 8.1) to Windows 10. Your app shouldn’t cause roll backs during upgrade, and should continue to work as expected after upgrade—this is crucial to achieve a seamless upgrade experience. - -**Reinstall Test:** Ensure that app functionality can be restored by reinstalling your app after you upgrade the PC to Windows 10 from a down-level OS. If your app didn’t pass the upgrade test and you have not been able to narrow down the cause of these issues, it’s possible that a reinstall can restore lost functionality. A passing reinstall test indicates that parts of the app may not have been migrated to Windows 10. 
- -**OS\\Device Features Test:** Ensure that your app works as expected if your app relies on specific functionality in the OS. Common areas for testing include the following, often against a selection of the commonly used PC models to ensure coverage: -- Audio -- USB device functionality (keyboard, mouse, memory stick, external hard disk, and so on) -- Bluetooth -- Graphics\\display (multi-monitor, projection, screen rotation, and so on) -- Touch screen (orientation, on-screen keyboard, pen, gestures, and so on) -- Touchpad (left\\right buttons, tap, scroll, and so on) -- Pen (single\\double tap, press, hold, eraser, and so on) -- Print\\Scan -- Sensors (accelerometer, fusion, and so on) -- Camera - -### Step 3: Provide feedback - -Let us know how your app is performing against flighted builds. As you discover issues with your app during testing, please log bugs via the partner portal if you have access, or through your Microsoft representative. We encourage this information so that we can build a quality experience for our users together. - -### Step 4: Register on Windows 10 -The [Ready for Windows 10](https://go.microsoft.com/fwlink/?LinkID=780580) website is a directory of software that supports Windows 10. It’s intended for IT administrators at companies and organizations worldwide that are considering Windows 10 for their deployments. IT administrators can check the site to see whether software deployed in their enterprise is supported in Windows 10. - -## Related topics -[Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md) -  -  diff --git a/windows/manage/appv-accessibility.md b/windows/manage/appv-accessibility.md deleted file mode 100644 index 34a3ab0a09..0000000000 --- a/windows/manage/appv-accessibility.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -title: Accessibility for App-V (Windows 10) -redirect_url: https://technet.microsoft.com/itpro/windows/manage/appv-getting-started ---- 
diff --git a/windows/manage/appv-accessing-the-client-management-console.md b/windows/manage/appv-accessing-the-client-management-console.md
deleted file mode 100644
index d6ad0b2b1a..0000000000
--- a/windows/manage/appv-accessing-the-client-management-console.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-title: How to access the client management console (Windows 10)
-redirect_url: https://technet.microsoft.com/itpro/windows/manage/appv-using-the-client-management-console
----
diff --git a/windows/manage/appv-install-the-appv-client-for-shared-content-store-mode.md b/windows/manage/appv-install-the-appv-client-for-shared-content-store-mode.md
deleted file mode 100644
index 77ee61220b..0000000000
--- a/windows/manage/appv-install-the-appv-client-for-shared-content-store-mode.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-title: How to Install the App-V Client for Shared Content Store Mode (Windows 10)
-redirect_url: https://technet.microsoft.com/itpro/windows/manage/appv-deploying-the-appv-sequencer-and-client
----
diff --git a/windows/manage/appv-modify-client-configuration-with-the-admx-template-and-group-policy.md b/windows/manage/appv-modify-client-configuration-with-the-admx-template-and-group-policy.md
deleted file mode 100644
index 5d1058e257..0000000000
--- a/windows/manage/appv-modify-client-configuration-with-the-admx-template-and-group-policy.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-title: How to Modify App-V Client Configuration Using the ADMX Template and Group Policy (Windows 10)
-redirect_url: https://technet.microsoft.com/itpro/windows/manage/appv-deploying-the-appv-sequencer-and-client
----
diff --git a/windows/manage/appv-planning-for-migrating-from-a-previous-version-of-appv.md b/windows/manage/appv-planning-for-migrating-from-a-previous-version-of-appv.md
deleted file mode 100644
index 5b98eac02b..0000000000
--- a/windows/manage/appv-planning-for-migrating-from-a-previous-version-of-appv.md
+++ /dev/null
@@ -1,4 +0,0 @@ ---- -title: Planning for Migrating from a Previous Version of App-V (Windows 10) -redirect_url: https://technet.microsoft.com/itpro/windows/manage/appv-migrating-to-appv-from-a-previous-version ---- diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md index 151fefd372..d6a3868254 100644 --- a/windows/manage/change-history-for-manage-and-update-windows-10.md +++ b/windows/manage/change-history-for-manage-and-update-windows-10.md @@ -1,6 +1,6 @@ --- -title: Change history for Manage and update Windows 10 (Windows 10) -description: This topic lists new and updated topics in the Manage and update Windows 10 documentation for Windows 10 and Windows 10 Mobile. +title: Change history for Manage Windows 10 (Windows 10) +description: This topic lists new and updated topics in the Manage Windows 10 documentation for Windows 10 and Windows 10 Mobile. ms.assetid: 29144AFA-1DA9-4532-B07D-1EBE34B7E1E0 ms.prod: w10 ms.mktglfcycl: manage 
@@ -8,12 +8,16 @@ ms.sitesec: library author: jdeckerMS --- -# Change history for Manage and update Windows 10 +# Change history for Manage Windows 10 -This topic lists new and updated topics in the [Manage and update Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). +This topic lists new and updated topics in the [Manage Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). >If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history). +## RELEASE: Windows 10, version 1703 + +The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). Some topics have been moved to [Update Windows 10](../update/index.md) or to [Configure Windows 10](../configure/index.md). + ## March 2017 | New or changed topic | Description | | --- | --- | @@ -26,7 +30,6 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in |[Automatically cleanup unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md) |New | |[Available Mobile Data Management (MDM) settings for App-V](appv-available-mdm-settings.md) |New | - ## February 2017 | New or changed topic | Description | | --- | --- | 
@@ -43,7 +46,7 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in | New or changed topic | Description | | --- | --- | -| [Cortana integration in your business or enterprise and sub-topics](cortana-at-work-overview.md) |New | +| [Cortana at work topics](../configure/cortana-at-work-overview.md)]|New | | [Start layout XML for desktop editions of Windows 10](start-layout-xml-desktop.md) | New (previously published in Hardware Dev Center on MSDN) | | [Start layout XML for mobile editions of Windows 10](start-layout-xml-mobile.md) | New (previously published in Hardware Dev Center on MSDN) | | [Quick guide to Windows as a service](waas-quick-start.md) | Added video that explains how Windows as a service works. | 
@@ -70,8 +73,8 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in | --- | --- | | [Manage device restarts after updates](waas-restart.md) | New | | [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | New | -| [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) |Added an important note about Cortana and Office 365 integration. | -| [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) | Fixed the explanation for Start behavior when the .xml file containing the layout is not available when the user signs in. | +| [Cortana integration in your business or enterprise](../configure/cortana-at-work-overview.md) |Added an important note about Cortana and Office 365 integration. | +| [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) | Fixed the explanation for Start behavior when the .xml file containing the layout is not available when the user signs in. | | [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added link to the Windows Restricted Traffic Limited Functionality Baseline. Added Teredo Group Policy. | | [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) | Added Current Branch for Business (CBB) support for Windows 10 IoT Mobile. | 
@@ -81,7 +84,7 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in | New or changed topic | Description | | --- | --- | | [Update Windows 10 in the enterprise](waas-update-windows-10.md), replaces **Windows 10 servicing options** | New | -| [Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md) | Added Group Policy setting to replace Gesture Filter | +| [Lockdown features from Windows Embedded 8.1 Industry](../configure/lockdown-features-windows-10.md) | Added Group Policy setting to replace Gesture Filter | | [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added content for Windows Server 2016 | | [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Updated the script for setting a custom shell using Shell Launcher. | @@ -102,7 +105,7 @@ The topics in this library have been updated for Windows 10, version 1607 (also - [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) - [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) -- [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) +- [Set up a shared or guest PC with Windows 10](../configure/set-up-shared-or-guest-pc.md) - [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) - [Application Virtualization (App-V) for Windows 10](appv-for-windows.md) - [User Experience Virtualization (UE-V) for Windows 10](uev-for-windows.md) 
@@ -148,7 +151,7 @@ The topics in this library have been updated for Windows 10, version 1607 (also | ---|---| | [Application development for Windows as a service](application-development-for-windows-as-a-service.md) | New | | [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md) | New | -| [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) | Updated to include the new Preview feature, Cortana and Microsoft Dynamics CRM integration. | +| [Cortana integration in your business or enterprise](../configure/cortana-at-work-overview.md) | Updated to include the new Preview feature, Cortana and Microsoft Dynamics CRM integration. | ## February 2016 @@ -166,7 +169,7 @@ The topics in this library have been updated for Windows 10, version 1607 (also | New or changed topic | Description | | ---|---| -| [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) | New | +| [Cortana integration in your business or enterprise](../configure/cortana-at-work-overview.md) | New | | [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | New | | [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) | New | diff --git a/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md b/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md deleted file mode 100644 index 8a9777af29..0000000000 --- a/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -title: Configure Windows 10 devices to stop data flow to Microsoft (Windows 10) -redirect_url: https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services ---- \ No newline at end of file 
diff --git a/windows/manage/disconnect-your-organization-from-microsoft.md b/windows/manage/disconnect-your-organization-from-microsoft.md
deleted file mode 100644
index 8a9777af29..0000000000
--- a/windows/manage/disconnect-your-organization-from-microsoft.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-title: Configure Windows 10 devices to stop data flow to Microsoft (Windows 10)
-redirect_url: https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services
----
\ No newline at end of file
diff --git a/windows/manage/group-policies-for-enterprise-and-education-editions.md b/windows/manage/group-policies-for-enterprise-and-education-editions.md
index 0eb86b635e..74dced9953 100644
--- a/windows/manage/group-policies-for-enterprise-and-education-editions.md
+++ b/windows/manage/group-policies-for-enterprise-and-education-editions.md
@@ -18,17 +18,17 @@ In Windows 10, version 1607, the following Group Policy settings apply only to W | Policy name | Policy path | Comments | | --- | --- | --- | -| **Configure Spotlight on lock screen** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md). Note that an additional **Cloud Content** policy, **Do not suggest third-party content in Windows spotlight**, does apply to Windows 10 Pro. | -| **Turn off all Windows Spotlight features** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md) | -| **Turn off Microsoft consumer features** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md) | -| **Do not display the lock screen** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md) | +| **Configure Spotlight on lock screen** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](../configure/windows-spotlight.md). Note that an additional **Cloud Content** policy, **Do not suggest third-party content in Windows spotlight**, does apply to Windows 10 Pro. 
| +| **Turn off all Windows Spotlight features** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](../configure/windows-spotlight.md) | +| **Turn off Microsoft consumer features** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](../configure/windows-spotlight.md) | +| **Do not display the lock screen** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](../configure/windows-spotlight.md) | | **Do not require CTRL+ALT+DEL**
combined with
**Turn off app notifications on the lock screen** | Computer Configuration > Administrative Templates > System > Logon
and
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Interactive logon | When both of these policy settings are enabled, the combination will also disable lock screen apps ([assigned access](set-up-a-device-for-anyone-to-use.md)) on Windows 10 Enterprise and Windows 10 Education only. These policy settings can be applied to Windows 10 Pro, but lock screen apps will not be disabled on Windows 10 Pro.

**Important:** The description for **Interactive logon: Do not require CTRL+ALT+DEL** in the Group Policy Editor incorrectly states that it only applies to Windows 10 Enterprise and Education. The description will be corrected in a future release.| -| **Do not show Windows Tips** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md | -| **Force a specific default lock screen image** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md) | +| **Do not show Windows Tips** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](../configure/windows-spotlight.md | +| **Force a specific default lock screen image** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](../configure/windows-spotlight.md) | | **Start layout** | User Configuration\Administrative Templates\Start Menu and Taskbar | For more info, see [Manage Windows 10 Start layout options and policies](windows-10-start-layout-options-and-policies.md) | | **Turn off the Store application** | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application

User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application | For more info, see [Knowledge Base article# 3135657](https://support.microsoft.com/kb/3135657). | | **Only display the private store within the Windows Store app** | Computer Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Windows Store app

User Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Windows Store app | For more info, see [Manage access to private store](manage-access-to-private-store.md) | -| **Don't search the web or display web results** | Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results | For more info, see [Cortana integration in your enterprise](cortana-at-work-overview.md) | +| **Don't search the web or display web results** | Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results | For more info, see [Cortana integration in your enterprise](../configure/cortana-at-work-overview.md) | diff --git a/windows/manage/index.md b/windows/manage/index.md index bdb730b559..3446fc1a1b 100644 --- a/windows/manage/index.md +++ b/windows/manage/index.md @@ -1,5 +1,5 @@ --- -title: Manage and update Windows 10 (Windows 10) +title: Manage Windows 10 (Windows 10) description: Learn about managing and updating Windows 10. ms.assetid: E5716355-02AB-4B75-A962-14B1A7F7BDA0 keywords: Windows 10, MDM, WSUS, Windows update @@ -11,77 +11,37 @@ localizationpriority: high author: jdeckerMS --- -# Manage and update Windows 10 +# Manage Windows 10 -Learn about managing and updating Windows 10. +Learn about managing Windows 10. >[!NOTE] >Information for Windows 10 Enterprise also applies to Windows 10 IoT Enterprise, and information for Windows 10 Mobile Enterprise also applies to Windows 10 IoT Mobile. For information about managing devices running Windows 10 IoT Core, see [Windows 10 IoT Core Commercialization](https://www.windowsforiotdevices.com/). ## In this section - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TopicDescription

[Administrative Tools in Windows 10](administrative-tools-in-windows-10.md)

Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users.

[Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md)

The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments.

[Update Windows 10 in the enterprise](waas-update-windows-10.md) Learn how to manage updates to Windows 10 in your organization, including Update Compliance, and Windows Update for Business.

[Manage corporate devices](manage-corporate-devices.md)

You can use the same management tools to manage all device types running Windows 10: desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, Orchestrator runbooks, System Center tools, and so on, will continue to work for Windows 10 on desktop editions.

[Windows Spotlight on the lock screen](windows-spotlight.md)

Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen.

[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)

Organizations might want to deploy a customized Start screen and menu to devices running Windows 10 Enterprise or Windows 10 Education. A standard Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes.

[Create mandatory user profiles](mandatory-user-profile.md)

Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings.

[Lock down Windows 10](lock-down-windows-10.md)

Enterprises often need to manage how people use corporate devices. Windows 10 provides a number of features and methods to help you lock down specific parts of a Windows 10 device.

[Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md)

Devices running Windows 10 Mobile can join Azure Active Directory (Azure AD) when the device is configured during the out-of-box experience (OOBE).

[Configure devices without MDM](configure-devices-without-mdm.md)

Create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise.

[Application Virtualization for Windows (App-V)](appv-for-windows.md)

When you deploy Application Virtualization (App-V) in your orgnazation, you can deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Windows Store, and interact with them as if they were installed locally.

[User Experience Virtualization for Windows (UE-V)](uev-for-windows.md)

When you deploy User Experience Virtualization (UE-V) in your organization, you can synchronize users' personalized application and operating system settings across all the devices they work from. UE-V allows you to capture user-customized application and Windows settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to.

[Windows Store for Business](windows-store-for-business.md)

Welcome to the Windows Store for Business! You can use the Store for Business, to find, acquire, distribute, and manage apps for your organization.

[Windows Libraries](windows-libraries.md)

Libraries are virtual containers for users’ content. A library can contain files and folders stored on the local computer or in a remote storage location. Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music).

[Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md)

This topic lists new and updated topics in the Manage and update Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md).

+ + +| Topic | Description | +| --- | --- | +| [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | Strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment. | +| [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) | How to plan for and deploy Windows 10 Mobile devices. | +| [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md) | Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users. | +| [Windows Store for Business](windows-store-for-business.md) | Welcome to the Windows Store for Business! You can use the Store for Business, to find, acquire, distribute, and manage apps for your organization. | +| [Create mandatory user profiles](mandatory-user-profile.md) | Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. | +| [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) | How to use Remote Desktop Connection to connect to an Azure AD-joined PC. | +| [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md) | Devices running Windows 10 Mobile can join Azure Active Directory (Azure AD) when the device is configured during the out-of-box experience (OOBE). | +| [New policies for Windows 10](new-policies-for-windows-10.md) | New Group Policy settings added in Windows 10. | +| [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md) | Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education. | +| [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md) | There are two methods for resetting a Windows 10 Mobile device: factory reset and "wipe and persist" reset. 
| +| [Application Virtualization (App-V) for Windows](appv-for-windows.md) | When you deploy Application Virtualization (App-V) in your orgnazation, you can deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Windows Store, and interact with them as if they were installed locally. | +| [User Experience Virtualization for Windows (UE-V)](uev-for-windows.md) | When you deploy User Experience Virtualization (UE-V) in your organization, you can synchronize users' personalized application and operating system settings across all the devices they work from. UE-V allows you to capture user-customized application and Windows settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to. | +| [Change history for Manage Windows 10](change-history-for-manage-and-update-windows-10.md) | This topic lists new and updated topics in the Manage and update Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md). | + + + + +   ## Related topics [Windows 10 and Windows 10 Mobile](../index.md) diff --git a/windows/manage/introduction-to-windows-10-servicing.md b/windows/manage/introduction-to-windows-10-servicing.md deleted file mode 100644 index f57d4145be..0000000000 --- a/windows/manage/introduction-to-windows-10-servicing.md +++ /dev/null 
@@ -1,493 +0,0 @@ ---- -title: Windows 10 servicing options for updates and upgrades (Windows 10) -description: This article describes the new servicing options available in Windows 10. -ms.assetid: D1DEB7C0-283F-4D7F-9A11-EE16CB242B42 -keywords: update, LTSB, lifecycle, Windows update, upgrade -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security, servicing -author: jdeckerMS -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/waas-update-windows-10 ---- - -# Windows 10 servicing options - -**Applies to** -- Windows 10 -- Windows 10 IoT Core (IoT Core) - -This article provides detailed information about new servicing options available in Windows 10 and IoT Core. It also provides information on how enterprises can make better use of Windows Update, and what the new servicing options mean for support lifecycles. Before reading this article, you should understand the new Windows 10 servicing model. For an overview of this servicing model, see: [Windows 10 servicing overview](../plan/windows-10-servicing-options.md). - -For Windows 10 current version numbers by servicing option see: [Windows 10 release information](https://technet.microsoft.com/en-us/windows/mt679505.aspx). -  -## Key terminology - -The following terms are used When discussing the new Windows 10 servicing model: - - - - - - - - - - - - - - - - - - - - - - -
**Term****Description**
UpgradeA new Windows 10 release that contains additional features and capabilities, released two to three times per year.
UpdatePackages of security fixes, reliability fixes, and other bug fixes that are released periodically, typically once a month on Update Tuesday (sometimes referred to as Patch Tuesday). With Windows 10, these are cumulative in nature.
BranchThe windows servicing branch is one of four choices: Windows Insider, Current Branch, Current Branch for Business, or Long-Term Servicing Branch. Branches are determined by the frequency with which the computer is configured to receive feature updates.
RingA ring is a groups of PCs that are all on the same branch and have the same update settings. Rings can be used internally by organizations to better control the upgrade rollout process.
- -## Windows 10 servicing - -The following table provides an overview of the planning implications of the three Windows 10 servicing options so that IT administrators can be well-grounded conceptually before they start a Windows 10 deployment project. - -Table 1. Windows 10 servicing options - -| Servicing option | Availability of new feature upgrades for installation | Minimum length of servicing lifetime | Key benefits | Supported editions | -|-----------------------------------|-----------------------------------------------------------|--------------------------------------|-------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------| -| Current Branch (CB) | Immediately after first published by Microsoft | Approximately 4 months | Makes new features available to users as soon as possible | Home, Pro, Education, Enterprise, IoT Core, Windows 10 IoT Core Pro (IoT Core Pro) | -| Current Branch for Business (CBB) | Approximately 4 months after first published by Microsoft | Approximately 8 months | Provides additional time to test new feature upgrades before deployment | Pro, Education, Enterprise, IoT Core Pro | -| Long-Term Servicing Branch (LTSB) | Immediately after published by Microsoft | 10 Years | Enables long-term deployment of selected Windows 10 releases in low-change configurations | Enterprise LTSB | -  -## Streamlined product development and release cycles - -**Product cycles and builds** - -The Windows engineering team adds new features and functionality to Windows through *product cycles* comprised of development, testing, and release phases. Each day during a product cycle, the team compiles the source code for Windows and assembles the output into a *build* that users can install on their devices. The first recipients of builds are Microsoft employees who begin what Microsoft calls *selfhost* testing. 
- -**Testing and release prior to Windows 10** - -Prior to Windows 10, Microsoft issued and extensively tested many builds internally before selecting one for testing outside Microsoft. After repeating the external test cycle several times against builds of progressively better quality, the engineering team selected a build to enter the release phase. At the end of this phase, the team published the build as a new version of Windows – an event referred to as the *Release to Manufacturing* (RTM) milestone. In total, product cycles took between one and three years to complete, with testing and release processes taking up as much as half of the total investment in time. - -**A different approach for Windows 10** - -In today’s environment, where user expectations frequently are set by device-centric experiences, complete product cycles need to be measured in months, not years. Additionally, new releases must be made available on a continual basis, and must be deployable with minimal impact on users. Microsoft designed Windows 10 to meet these requirements by implementing a new approach to innovation development and delivery called *Windows as a Service* (WaaS). -The key to enabling significantly shorter product cycles while maintaining high quality levels is an innovative community-centric approach to testing that Microsoft has implemented for Windows 10. The community, known as Windows Insiders, is comprised of millions of users around the world. When Windows Insiders opt in to the community, they test many builds over the course of a product cycle, and provide feedback to Microsoft through an iterative methodology called *flighting*. -Builds distributed as *flights* provide the Windows engineering team with significant data regarding how well builds are performing in actual use. 
Flighting with Windows Insiders also enables Microsoft to test builds in much more diverse hardware, application, and networking environments than in the past, and to identify issues far more quickly. As a result, Microsoft believes that community-focused flighting will enable both a faster pace of innovation delivery, and better public release quality than ever. - -**Windows 10 release types and cadences** - -Although Microsoft releases flight builds to Windows Insiders, Microsoft will publish two types of Windows 10 releases broadly to the public on an ongoing basis: -- **Feature upgrades** that install the latest new features, experiences, and capabilities on devices that are already running Windows 10. Because feature upgrades contain an entire copy of Windows, they are also what customers use to install Windows 10 on existing devices running Windows 7 or Windows 8.1, and on new devices where no operating system is installed. -- **Servicing updates** that focus on the installation of security fixes and other important updates. -Microsoft expects to publish an average of two to three new feature upgrades per year, and to publish servicing updates as needed for any feature upgrades that are still in support. Microsoft will continue publishing servicing updates on Update Tuesday (sometimes referred to as Patch Tuesday). Additionally, Microsoft may publish additional servicing updates for Windows 10 outside the Update Tuesday process when required to address customer needs. - -**The cumulative nature of all Windows 10 releases** -It is important to note that, in order to improve release quality and simplify deployments, all new releases that Microsoft publishes for Windows 10 will be *cumulative*. This means new feature upgrades and servicing updates will contain the *payloads* of all previous releases (in an optimized form to reduce storage and networking requirements), and installing the release on a device will bring it completely up to date. 
Also, unlike earlier versions of Windows, you cannot install a subset of the contents of a Windows 10 servicing update. For example, if a servicing update contains fixes for three security vulnerabilities and one reliability issue, deploying the update will result in the installation of all four fixes.   - -## New Windows 10 delivery and installation alternatives - -As with earlier releases of Windows, Windows 10 includes support for the deployment of new releases using Windows Update, Windows Server Update Services, System Center Configuration Manager, and third-party configuration management tools. Because of the importance of the Windows as a Service (WaaS) approach to delivering innovations to businesses, and the proven ability of Windows Update to deploy releases quickly and seamlessly to consumers and small businesses, several of the largest investments in Windows 10 focus on enabling broader use of Windows Update within enterprises. - -**Windows Update use by consumers and small businesses** - -Since Microsoft introduced the first generation of Windows Update with Windows 95, Windows Update has evolved to become the standard way for consumers and small businesses to help keep devices running Windows secure and running reliably. Almost one billion Windows devices communicate with the Windows Update service on a regular basis. The process of downloading and installing updates has evolved to be less and less obtrusive to users. More recently, Microsoft also has used Windows Update to deliver larger, feature-centric updates, such as the upgrade from Windows 8 to Windows 8.1, and is using Windows Update to upgrade devices running Windows 7 and Windows 8.1 to Windows 10. - -**Windows Update use within enterprises** - -Although Windows Update greatly simplifies and accelerates update deployment, enterprises are not using Windows Update as broadly as consumers and small businesses. 
This is largely because Windows Update maintains control over which updates are installed and the timing of installation. This makes it difficult for IT administrators to test updates before deployment in their specific environment. - -**The role of Windows Server Update Services** - -To help address the concerns of IT administrators, Microsoft released Windows Server Update Services in 2005. Windows Server Update Services enables IT administrators to obtain the updates that Windows Update determines are applicable to the devices in their enterprise, perform additional testing and evaluation on the updates, and select the updates they want to install. Windows Server Update Services also provides IT administrators with an all or nothing way to specify when they want an approved update to be installed. Because IT administrators ultimately select and install most updates identified by Windows Update, the role of Windows Server Update Services in many enterprises is to provide IT administrators with the additional time they need to gain confidence in the quality of updates prior to deployment. - -**New Windows Update capabilities in Windows 10** - -To enable enterprises to manage more of their devices using Windows Update directly, Windows 10 provides IT administrators with a way to configure devices so that Windows Update will defer new feature upgrade installations until approximately four months after Microsoft first publishes them. The additional time can be used to perform testing or enable releases to gain additional time in market prior to deployment. -At the end of each approximately four month period, Microsoft executes a set of processes that require no action from enterprise IT administrators. First, Microsoft creates new installation media for the feature upgrade by combining the original installation media with all the servicing updates published by Microsoft since the original media’s release. 
This reduces the time it can take to install a feature upgrade on a device. Second, Microsoft *republishes* the new media to Windows Update with *targeting* instructions that state (in effect) “install this media on devices that are configured for deferred installation of new feature upgrades.” At this point, devices configured to defer installation will begin receiving and installing the feature upgrade automatically. - -**The role of Windows Update for Business** - -Although Windows 10 will enable IT administrators to defer installation of new feature upgrades using Windows Update, enterprises may also want additional control over how and when Windows Update installs releases. With this need in mind, Microsoft [announced Windows Update for Business](https://go.microsoft.com/fwlink/p/?LinkId=624798) in May of 2015. Microsoft designed Windows Update for Business to provide IT administrators with additional Windows Update-centric management capabilities, such as the ability to deploy updates to groups of devices and to define maintenance windows for installing releases. This article will be updated with additional information about the role of Windows Update for Business in servicing Windows 10 devices as it becomes available. - -## Windows 10 servicing branches - -Historically, because of the length of time between releases of new Windows versions, and the relatively low number of enterprise devices that were upgraded to newer versions of Windows during their deployment lifetimes, most IT administrators defined servicing as installing the updates that Microsoft published every month. Looking forward, because Microsoft will be publishing new feature upgrades on a continual basis, *servicing* will also include (on some portion of an enterprise's devices) installing new feature upgrades as they become available. 
-In fact, when planning to deploy Windows 10 on a device, one of the most important questions for IT administrators to ask is, “What should happen to this device when Microsoft publishes a new feature upgrade?” This is because Microsoft designed Windows 10 to provide businesses with multiple servicing options, centered on enabling different rates of feature upgrade adoption. In particular, IT administrators can configure Windows 10 devices to: -- Receive feature upgrades immediately after Microsoft makes them available publicly, so that users gain access to new features, experiences, and functionality as soon as possible. For more information, see [Immediate feature upgrade installation with Current Branch (CB) servicing](#immediate-upgrade-cb). -- Defer receiving feature upgrades for a period of approximately four months after Microsoft makes them available publicly, to provide IT administrators with time to perform pre-deployment testing and provide feature upgrades releases with additional time-in-market to mature. For more information, see [Deferred feature upgrade installation with Current Branch for Business (CBB) servicing](#deferred-upgrade-cbb). -- Receive only servicing updates for the duration of their Windows 10 deployment in order to reduce the number of non-essential changes made to the device. For more information, see [Install servicing updates only by using Long-Term Servicing Branch (LTSB) servicing](#install-updates-ltsb). -The breakout of a company’s devices by the categories above is likely to vary significantly by industry and other factors. What is most important is that companies can decide what works best for them and can choose different options for different devices. 
-
-## Current Branch versus Current Branch for Business
-
-When the development of a new Windows 10 feature upgrade is complete, it is initially offered to Current Branch computers; those computers configured for Current Branch for Business will receive the feature upgrade (with additional fixes) at a later date, generally at least four months later. An additional deferral of at least eight months is available to organizations that use tools to control the update process. During this time, monthly security updates will continue to be made available to machines not yet upgraded.
-
-The process to configure a PC for Current Branch for Business is simple. The **Defer upgrades** setting needs to be configured, either manually (through the Settings app), by using Group Policy, or by using mobile device management (MDM).
-
-![figure 1](images/fig1-deferupgrades.png)
-
-Figure 1. Configure the **Defer upgrades** setting
-
-Most organizations today leverage Windows Server Update Services (WSUS) or System Center Configuration Manager to update their PCs. With Windows 10, this does not need to change; all updates are controlled through approvals or automatic deployment rules configured in those products, so new upgrades will not be deployed until the organization chooses. The **Defer upgrades** setting can function as an additional validation check, so that Current Branch for Business machines that are targeted with a new upgrade prior to the end of the initial four-month deferral period will decline to install it; they can install the upgrade any time within the eight-month window after that initial four-month deferral period.
-
-For computers configured to receive updates from Windows Update directly, the **Defer upgrades** setting directly controls when the PC will be upgraded.
Computers that are not configured to defer upgrades will be upgraded at the time of the initial Current Branch release; computers that are configured to defer upgrades will be upgraded four months later.
-
-With Windows 10 it is now possible to manage updates for PCs and tablets that have a higher degree of mobility and are not joined to a domain. For these PCs, you can leverage mobile device management (MDM) services or Windows Update for Business to provide the same type of control provided today with WSUS or Configuration Manager.
-
-For PCs enrolled in a mobile device management (MDM) service, Windows 10 provides new update approval mechanisms that could be leveraged to delay the installation of a new feature upgrade or any other update. Windows Update for Business will eventually provide these and other capabilities to manage upgrades and updates; more details on these capabilities will be provided when they are available later in 2015.
-
-With the release of each Current Branch feature update, new ISO images will be made available. You can use these images to upgrade existing machines or to create new custom images. These feature upgrades will also be published with WSUS to enable simple deployment to devices already running Windows 10.
-
-Unlike previous versions of Windows, the servicing lifetime of Current Branch or Current Branch for Business is finite. You must install new feature upgrades on machines running these branches in order to continue receiving monthly security updates. This requires new ways of thinking about software deployment. It is best to align your deployment schedule with the Current Branch release schedule:
-
-- Begin your evaluation process with the Windows Insider Program releases.
-- Perform initial pilot deployments by using the Current Branch.
-- Expand to broad deployment after the Current Branch for Business is available.
-- Complete deployments by using that release in advance of the availability of the next Current Branch.
-
-![figure 2](images/fig2-deploymenttimeline.png)
-
-Figure 2. Deployment timeline
-
-Some organizations may require more than 12 months to deploy Windows 10 to all of their existing PCs. To address this, it may be necessary to deploy multiple Windows 10 releases, switching to these new releases during the deployment project. Notice how the timelines can overlap, with the evaluation of one release happening during the pilot and deployment of the previous release:
-
-![figure 3](images/fig3-overlaprelease.png)
-
-Figure 3. Overlapping releases
-
-As a result of these overlapping timelines, organizations can choose which release to deploy. Note though that by continuing for longer with one release, that gives you less time to deploy the subsequent release (to both existing Windows 10 PCs as well as newly-migrated ones), so staying with one release for the full lifetime of that release can be detrimental overall.
-
-## Long-Term Servicing Branch
-
-For specialized devices, Windows 10 Enterprise Long Term Servicing Branch (LTSB) ISO images will be made available. These are expected to be on a variable schedule, less often than CB and CBB releases. Once released, these will be supported with security and reliability fixes for an extended period; no new features will be added over its servicing lifetime. Note that LTSB images will not contain most in-box Universal Windows Apps (for example, Microsoft Edge, Cortana, the Windows Store, the Mail and Calendar apps) because the apps or the services that they use will be frequently updated with new functionality and therefore cannot be supported on PCs running the LTSB OS.
-
-These LTSB images can be used to upgrade existing machines or to create new custom images.
-
-Note that Windows 10 Enterprise LTSB installations fully support the Universal Windows Platform, with the ability to run line-of-business apps created using the Windows SDK, Visual Studio, and related tools capable of creating Universal Windows apps.
For apps from other ISVs (including those published in the Windows Store), contact the ISV to confirm if they will provide long-term support for their specific apps. - -As mentioned previously, there are few, if any, scenarios where an organization would use the Long-Term Servicing Branch for every PC – or even for a majority of them. - -## Windows Insider Program - -During the development of a new Windows 10 feature update, preview releases will be made available to Windows Insider Program participants. This enables those participants to try out new features, check application compatibility, and provide feedback during the development process. - -To obtain Windows Insider Program builds, the Windows Insider Program participants must opt in through the Settings app, and specify their Microsoft account. - -Occasionally (typically as features are made available to those in the Windows Insider Program “slow” ring), new ISO images will be released to enable deployment validation, testing, and image creation. - -## Switching between branches - -During the life of a particular PC, it may be necessary or desirable to switch between the available branches. Depending on the branch you are using, the exact mechanism for doing this can be different; some will be simple, others more involved. - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
For a PC that uses…Changing to…You need to:
Windows Insider ProgramCurrent BranchWait for the final Current Branch release.
Current Branch for BusinessNot directly possible, because Windows Insider Program machines are automatically upgraded to the Current Branch release at the end of the development cycle.
Long-Term Servicing BranchNot directly possible (requires wipe-and-load).
Current BranchInsiderUse the Settings app to enroll the device in the Windows Insider Program.
Current Branch for BusinessSelect the Defer upgrade setting, or move the PC to a target group or flight that will not receive the next upgrade until it is business ready. Note that this change will not have any immediate impact; it only prevents the installation of the next Current Branch release.
Long-Term Servicing BranchNot directly possible (requires wipe-and-load).
Current Branch for BusinessInsiderUse the Settings app to enroll the device in the Windows Insider Program.
Current BranchDisable the Defer upgrade setting, or move the PC to a target group or flight that will receive the latest Current Branch release.
Long-Term Servicing BranchNot directly possible (requires wipe-and-load).
Long-Term Servicing BranchInsiderUse media to upgrade to the latest Windows Insider Program build.
Current BranchUse media to upgrade to a later Current Branch build. (Note that the Current Branch build must be a later build.)
Current Branch for BusinessUse media to upgrade to a later Current Branch for Business build (Current Branch build plus fixes). Note that it must be a later build.
- -## Plan for Windows 10 deployment - -The remainder of this article focuses on the description of the three options outlined above, and their planning implications, in more detail. In practice, IT administrators have to focus on two areas when planning a Windows 10 device deployment: -- **When should new feature upgrades be deployed?** Should the device install new feature upgrades when they are published by Microsoft? If so, should installation occur immediately or on a deferred basis? -- **How will releases be installed on devices?** Will Windows Update or Windows Server Update Services be used to install new releases, or will installation be performed using a configuration management system such as -Configuration Manager? - -The content that follows will provide IT administrators with the context needed to understand why these areas are pivotal, and the choices available to them. - -**How Microsoft releases Windows 10 feature upgrades** - ->Some figures in this article show multiple feature upgrades of Windows being released by Microsoft over time. Be aware that these figures were created with dates that were chosen for illustrative clarity, not for release roadmap accuracy, and should not be used for planning purposes. - -When it is time to release a build as a new feature upgrade for Windows 10, Microsoft performs several processes in sequence. The first process involves creating either one or two servicing branches in a source code management system. These branches (shown in Figure 4) are required to produce feature upgrade installation media and servicing update packages that can be deployed on different Windows 10 editions, running in different configurations. - -![figure 4](images/w10servicing-f1-branches.png) - -Figure 4. 
Feature upgrades and servicing branches
-
-In all cases, Microsoft creates a servicing branch (referred to in Figure 4 as Servicing Branch \#1) that is used to produce releases for approximately one year (although the lifetime of the branch will ultimately depend on when Microsoft publishes subsequent feature upgrade releases). If Microsoft has selected the feature upgrade to receive long-term servicing-only support, Microsoft also creates a second servicing branch (referred to in Figure 4 as Servicing Branch \#2) that is used to produce servicing update releases for up to 10 years.
-
-As shown in Figure 5, when Microsoft publishes a new feature upgrade, Servicing Branch \#1 is used to produce the various forms of media needed by OEMs, businesses, and consumers to install Windows 10 Home, Pro, Education, and Enterprise editions. Microsoft also produces the files needed by Windows Update to distribute and install the feature upgrade, along with *targeting* information that instructs Windows Update to only install the files on devices configured for *immediate* installation of feature upgrades.
-
-![figure 5](images/win10servicing-fig2-featureupgrade.png)
-
-Figure 5. Producing feature upgrades from servicing branches
-
-Approximately four months after publishing the feature upgrade, Microsoft uses Servicing Branch \#1 again to *republish* updated installation media for Windows 10 Pro, Education, and Enterprise editions. The updated media contains the exact same feature upgrade as contained in the original media except Microsoft also includes all the servicing updates that were published since the feature upgrade was first made available. This enables the feature upgrade to be installed on a device more quickly, and in a way that is potentially less obtrusive to users.
-
-Concurrently, Microsoft also changes the way the feature upgrade is published in the Windows Update service.
In particular, the files used by Windows Update to distribute and install the feature upgrade are refreshed with the updated versions, and the targeting instructions are changed so that the updated feature upgrade will now be installed on devices configured for *deferred* installation of feature upgrades.
-
-**How Microsoft publishes the Windows 10 Enterprise LTSB Edition**
-
-If Microsoft has selected the feature upgrade to receive long-term servicing support, Servicing Branch \#2 is used to publish the media needed to install the Windows 10 Enterprise LTSB edition. The time between releases of feature upgrades with long-term servicing support will vary between one and three years, and is strongly influenced by input from customers regarding the readiness of the release for long-term enterprise deployment. Figure 5 shows the Windows 10 Enterprise LTSB edition being published at the same time as the other Windows 10 editions, which mirrors the way editions were actually published for Windows 10 in July of 2015. It is important to note that this media is never published to Windows Update for deployment. Installations of the Enterprise LTSB edition on devices must be performed another way.
-
-**How Microsoft releases Windows 10 servicing updates**
-
-As shown in Figure 6, servicing branches are also used by Microsoft to produce servicing updates containing fixes for security vulnerabilities and other important issues. Servicing updates are published in a way that determines the Windows 10 editions on which they can be installed. For example, servicing updates produced from a given servicing branch can only be installed on devices running a Windows 10 edition produced from the same servicing branch. In addition, because Windows 10 Home does not support deferred installation of feature upgrades, servicing updates produced from Servicing Branch \#1 are targeted at devices running Windows 10 Home only until Microsoft publishes feature upgrades for deferred installation.
-
-![figure 6](images/win10servicing-fig3.png)
-
-Figure 6. Producing servicing updates from servicing branches
-
-**Release installation alternatives**
-
-When IT administrators select Windows Update and/or Windows Server Update Services to deploy feature upgrades and servicing updates, Windows 10 and Windows Update will determine and deploy the correct releases for each of the three servicing options at the appropriate times. If there are multiple feature upgrades receiving long-term servicing support at the same time, Windows Update will select updates for each device that are appropriate for the feature upgrades they are running.
-
-When IT administrators manage deployments of feature upgrades and servicing updates directly with configuration management products such as Configuration Manager, they are responsible for the timing of installation of both feature upgrades and servicing updates. It is important to note that until IT administrators install a new servicing update, devices may remain exposed to security vulnerabilities. Therefore, when managing deployments directly, IT administrators should deploy new servicing updates as soon as possible.
-
-## Servicing options and servicing branch designations
-
-Servicing options have several different attributes that affect deployment planning decisions. For example, each servicing option:
-- Is supported on a selected set of Windows 10 editions (and no Windows 10 edition supports all three servicing options).
-- Has a policy that determines the periods of time during which Microsoft will produce servicing updates for a given feature upgrade.
-- Has a policy that determines when devices being managed by Windows Update or Windows Server Update Services will install new feature upgrades when they become available from Microsoft.
-
-Because the servicing lifetime of a feature upgrade typically ends when the servicing lifetime of the subsequent feature upgrade begins, the length of servicing lifetimes will also vary.
To simplify referring to these ranges, -Microsoft created *servicing branch designations* for each of the three time range/servicing branch combinations. The designations are Current Branch (CB), Current Branch for Business (CBB), and Long-Term Servicing Branch (LTSB). -Because there is a one-to-one mapping between servicing options and servicing branch designations, Microsoft occasionally refers to servicing options using servicing branch-centric terminology. The following sections describe servicing options and servicing branch designations, including terminology, servicing lifetime policies, upgrade behavior, and edition support, in more detail. - -**Service lifetime and feature upgrade installation paths** - -Although Microsoft is currently planning to release approximately two to three feature upgrades per year, the actual frequency and timing of releases will vary. Because the servicing lifetimes of feature upgrades typically end when the servicing lifetimes of other, subsequent feature upgrades begin, the lengths of servicing lifetimes will also vary. - -![figure 7](images/win10servicing-fig4-upgradereleases.png) - -Figure 7. Example release cadence across multiple feature upgrades - -To show the variability of servicing lifetimes, and show the paths that feature upgrade installations will take when Windows Update and Windows Server Update Services are used for deployments, Figure 4 contains three feature upgrade releases (labeled *X*, *Y*, and *Z*) and their associated servicing branches. The time period between publishing X and Y is four months, and the time period between publishing Y and Z is six months. X and Z have long-term servicing support, and Y has shorter-term servicing support only. - -The same underlying figure will be used in subsequent figures to show all three servicing options in detail. 
It is important to note that Figure 7 is provided for illustration of servicing concepts only and should not be used for actual Windows 10 release planning.
-
-To simplify the servicing lifetime and feature upgrade behavior explanations that follow, this document refers to branch designations for a specific feature upgrade as the +0 versions, the designations for the feature upgrade after the +0 version as the +1 (or successor) versions, and the designation for the feature upgrade after the +1 version as the +2 (or second successor) versions.
-
-###
-
-**Immediate feature upgrade installation with Current Branch (CB) servicing**
-As shown in Figure 8, the Current Branch (CB) designation refers to Servicing Branch \#1 during the period that starts when Microsoft publishes a feature upgrade targeted for devices configured for *immediate* installation and ends when Microsoft publishes the *successor* feature upgrade targeted for devices configured for *immediate* installation.
-
-![figure 8](images/win10servicing-fig5.png)
-
-Figure 8. Immediate installation with Current Branch Servicing
-
-The role of Servicing Branch \#1 during the CB period is to produce feature upgrades and servicing updates for Windows 10 devices configured for *immediate* installation of new feature upgrades. Microsoft refers to devices configured this way as being *serviced from CBs*. The Windows 10 editions that support servicing from CBs are Home, Pro, Education, and Enterprise. The Current Branch designation is intended to reflect the fact that devices serviced using this approach will be kept as current as possible with respect to the latest Windows 10 feature upgrade release.
-Windows 10 Home supports Windows Update for release deployment.
Windows 10 editions (Pro, Education, and Enterprise) support Windows Update, Windows Server Update Services, Configuration Manager, and other configuration management systems:
-- When IT administrators use Windows Update to manage deployments, devices will receive new feature upgrades and servicing updates as soon as they are published by Microsoft in the Windows Update service, targeted to devices configured for *immediate* feature upgrade installation.
-- When devices are being managed by using Windows Server Update Services, the same workflows are executed as with Windows Update except IT administrators must approve releases before installations begin.
-- When using configuration management systems such as Configuration Manager to manage deployments, IT administrators can obtain installation media from Microsoft and deploy new feature upgrades immediately by using standard change control processes. IT administrators who use configuration management systems should also make sure to obtain and deploy all servicing updates published by Microsoft as soon as possible.
-It is important to note that devices serviced from CBs must install two to three feature upgrades per year to remain current and continue to receive servicing updates.
-
-###
-
-**Deferred feature upgrade installation with Current Branch for Business (CBB) servicing**
-As shown in Figure 9, the Current Branch for Business (CBB) designation refers to Servicing Branch \#1 during the period that starts when Microsoft republishes a feature upgrade targeted for devices configured for *deferred* installation and ends when Microsoft republishes the *second successor* feature upgrade targeted for devices configured for *deferred* installation.
-
-![figure 9](images/win10servicing-fig6.png)
-
-Figure 9.
Deferred installation with Current Branch for Business Servicing
-
-The role of Servicing Branch \#1 during the CBB period is to produce feature upgrades and servicing updates for Windows 10 devices configured for *deferred* installation of new feature upgrades. Microsoft refers to devices configured this way as being *serviced from CBBs*. The Windows 10 editions that support servicing from CBBs are Pro, Education, and Enterprise. The Current Branch for Business designation is intended to reflect the fact that many businesses require IT administrators to test feature upgrades prior to deployment, and servicing devices from CBBs is a pragmatic solution for businesses with testing constraints to remain as current as possible.
-Windows 10 (Pro, Education, and Enterprise editions) support release deployment by using Windows Update, Windows Server Update Services, Configuration Manager, and other configuration management systems:
-- When IT administrators use Windows Update to manage deployments, devices will receive new feature upgrades and servicing updates as soon as they are published by Microsoft in the Windows Update service, targeted to devices configured for *deferred* feature upgrade installation. It is important to note that, even when devices are configured to defer installations, all servicing updates that are applicable to the feature upgrade that is running on a device will be installed immediately after being published by Microsoft in the Windows Update service.
-- When devices are being managed through Windows Server Update Services, the same workflows are executed as with Windows Update except IT administrators must approve releases before installations begin.
-- When using configuration management systems such as Configuration Manager to manage deployments, IT administrators can obtain media published for deferred installation from Microsoft and deploy new feature upgrades by using standard change control processes.
When deferring feature upgrade installations, IT administrators should still deploy all applicable servicing updates as soon as they become available from Microsoft.
-Microsoft designed Windows 10 servicing lifetime policies so that CBBs will receive servicing updates for approximately twice as many months as CBs. This enables two CBBs to receive servicing support at the same time, which provides businesses with more flexibility when deploying new feature upgrades. That said, it is important to note that Microsoft will not produce servicing updates for a feature upgrade after its corresponding CBB reaches the end of its servicing lifetime. This means that feature upgrade deployments cannot be extended indefinitely and IT administrators should ensure that they deploy newer feature upgrades onto devices before CBBs end.
-
-###
-
-**Install servicing updates only by using Long-Term Servicing Branch (LTSB) servicing**
-
-As shown in Figure 10, the Long-Term Servicing Branch (LTSB) designation refers to Servicing Branch \#2 from beginning to end. LTSBs begin when a feature upgrade with long-term support is published by Microsoft and end after 10 years. It is important to note that only the Windows 10 Enterprise LTSB edition supports long-term servicing, and there are important differences between this edition and other Windows 10 editions regarding upgradability and feature set (described below in the [Considerations when configuring devices for servicing updates only](#servicing-only) section).
-
-![figure 10](images/win10servicing-fig7.png)
-
-Figure 10. Servicing updates only using LTSB Servicing
-
-The role of LTSBs is to produce servicing updates for devices running Windows 10 configured to install servicing updates only. Devices configured this way are referred to as being *serviced from LTSBs*.
The Long-Term Servicing Branch designation is intended to reflect the fact that this servicing option is intended for scenarios where changes to software running on devices must be limited to essential updates (such as those for security vulnerabilities and other important issues) for the duration of deployments. -Windows 10 Enterprise LTSB supports release deployment by using Windows Update, Windows Server Update Services, Configuration Manager, and other configuration management systems: -- When IT administrators use Windows Update to manage deployments, Windows Update will install only servicing updates, and do so as soon as they are published by Microsoft in the Windows Update service. Windows Update does not install feature upgrades on devices configured for long-term servicing. -- When devices are being managed using Windows Server Update Services, the same workflows are executed as with Windows Update except IT administrators must approve releases before installations begin. -- When using configuration management systems such as System Center Configuration Manager to manage deployments, IT administrators should make sure to obtain and deploy all servicing updates published by Microsoft as soon as possible. - -**Note**   -It is important to note again that not all feature upgrades will have an LTSB. The initial release of Windows 10, published in July 2015, has an LTSB and Microsoft expects to designate one additional feature upgrade in the next 12 months for long-term support. After that, Microsoft expects to publish feature upgrades with long-term servicing support approximately every two to three years. Microsoft will provide additional information in advance of publishing new feature upgrades so that IT administrators can make informed deployment planning decisions. 
-  -### - -**Considerations when configuring devices for servicing updates only** -Before deciding to configure a device for LTSB-based servicing, IT administrators should carefully consider the implications of changing to a different servicing option later, and the effect of using Windows 10 Enterprise LTSB on the availability of *in-box* applications. - -Regarding edition changes, it is possible to reconfigure a device running Windows 10 Enterprise LTSB to run Windows 10 Enterprise while preserving the data and applications already on the device. Reconfiguring a device running Windows 10 Enterprise LTSB to run other editions of Windows 10 may require IT administrators to restore data and/or reinstall applications on the device after the other edition has been installed. -Regarding in-box applications, Windows 10 Enterprise LTSB does not include all the universal apps that are included with other Windows 10 editions. This is because the universal apps included with Windows 10 will be continually upgraded by Microsoft, and new releases of in-box universal apps are unlikely to remain compatible with a feature upgrade of Windows 10 Enterprise LTSB for the duration of its servicing lifetime. Examples of apps that Windows 10 Enterprise LTSB does not include are Microsoft Edge, Windows Store Client, Cortana (limited search capabilities remain available), Outlook Mail, Outlook Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. - -Windows 10 Enterprise LTSB does include Internet Explorer 11, and is compatible with Windows 32 versions of Microsoft Office. IT administrators can also install universal apps on devices when apps are compatible with the feature upgrades running on the device. They should do so with care, however, as servicing updates targeted for devices running Windows 10 Enterprise LTSB will not include security or non-security fixes for universal apps. 
Additionally, Microsoft will not provide servicing updates for specific releases of apps on any Windows 10 edition after the feature upgrade of Windows 10 with which the apps were included reaches the end of its servicing lifetime. - -**Servicing option summary** - -Table 2. Servicing option summary - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ComparisonWindows 10 servicing options
Current Branch (CB)Current Branch for Business (CBB)Long-Term Servicing Branch (LTSB)
Availability of new feature upgrades for installationImmediateDeferred by ~4 monthsNot applicable
Supported editionsWindows 10 Home, Windows 10 Pro, Windows 10 Education, Windows 10 Enterprise, -IoT Core, IoT Core ProWindows 10 Pro, -Windows 10 Education, -Windows 10 Enterprise, -IoT Core ProWindows 10 Enterprise LTSB
Minimum length of servicing lifetimeApproximately 4 MonthsApproximately 8 months10 years
Ongoing installation of new feature upgrades required to receive servicing updatesYesYesNo
Supports Windows Update for release deploymentYesYesYes
Supports Windows Server Update Services for release deploymentYes -(excludes Home) -YesYes
Supports Configuration Manager/configuration management systems for release deploymentYes -(excludes Home) -YesYes
First party browsers includedMicrosoft Edge, -Internet Explorer 11Microsoft Edge, -IE11IE11
Notable Windows -system apps removed -NoneNoneMicrosoft Edge, Windows Store Client, Cortana (limited search available)
Notable Windows -universal apps removed -NoneNoneOutlook Mail/Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, Clock
-  -## Related topics - -[Plan for Windows 10 deployment](../plan/index.md) - -[Deploy Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=624776) - -[Manage and update Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=624796) -  -  diff --git a/windows/manage/lock-down-windows-10.md b/windows/manage/lock-down-windows-10.md deleted file mode 100644 index a3374f6d0f..0000000000 --- a/windows/manage/lock-down-windows-10.md +++ /dev/null @@ -1,77 +0,0 @@ ---- -title: Lock down Windows 10 (Windows 10) -description: Windows 10 provides a number of features and methods to help you lock down specific parts of a Windows 10 device. -ms.assetid: 955BCD92-0A1A-4C48-98A8-30D7FAF2067D -keywords: lockdown -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security, mobile -author: jdeckerMS -localizationpriority: high ---- - -# Lock down Windows 10 - -Enterprises often need to manage how people use corporate devices. Windows 10 provides a number of features and methods to help you lock down specific parts of a Windows 10 device. - -## In this section - - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TopicDescription

[Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md)

Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10.

[Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)

Windows 10, Version 1607, introduces *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail.

[Set up a device for anyone to use (kiosk mode)](set-up-a-device-for-anyone-to-use.md)

You can configure a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise as a kiosk device, so that users can only interact with a single application that you select.

[Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md)

Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to [a kiosk device](set-up-a-device-for-anyone-to-use.md), but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings.

[Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md)

Use this article to make informed decisions about how you can configure Windows telemetry in your organization.

[Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)

Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro.

[Configure access to Windows Store](stop-employees-from-using-the-windows-store.md)

IT Pros can configure access to Windows Store for client computers in their organization. For some organizations, business policies require blocking access to Windows Store.

[Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md)

Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense.

-

The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10.

[Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md)

Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device.

[Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)

There are two methods for resetting a Windows 10 Mobile device: factory reset and "wipe and persist" reset.

- -## Learn more - -[Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508) - -## Related topics - -[Lockdown features from Windows Embedded Industry 8.1](../whats-new/lockdown-features-windows-10.md) diff --git a/windows/manage/manage-cortana-in-enterprise.md b/windows/manage/manage-cortana-in-enterprise.md deleted file mode 100644 index 33b7160191..0000000000 --- a/windows/manage/manage-cortana-in-enterprise.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Cortana integration in your business or enterprise (Windows 10) -description: The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments. -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/cortana-at-work-overview ---- \ No newline at end of file diff --git a/windows/manage/manage-inventory-windows-store-for-business.md b/windows/manage/manage-inventory-windows-store-for-business.md deleted file mode 100644 index f8db99379b..0000000000 --- a/windows/manage/manage-inventory-windows-store-for-business.md +++ /dev/null @@ -1,10 +0,0 @@ ---- -title: Manage inventory in Windows Store for Business (Windows 10) -description: When you acquire apps from the Windows Store for Business, we add them to the Inventory for your organization. Once an app is part of your inventory, you can distribute the app, and manage licenses. -redirect_url: https://technet.microsoft.com/itpro/windows/manage/app-inventory-managemement-windows-store-for-business -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library ---- - - diff --git a/windows/manage/manage-windows-10-in-your-organization-modern-management.md b/windows/manage/manage-windows-10-in-your-organization-modern-management.md index f149335e36..ed2c748110 100644 --- a/windows/manage/manage-windows-10-in-your-organization-modern-management.md 
+++ b/windows/manage/manage-windows-10-in-your-organization-modern-management.md @@ -44,11 +44,10 @@ As indicated in the diagram, Microsoft continues to provide support for deep man With Windows 10, you can continue to use traditional OS deployment, but you can also “manage out of the box.” To transform new devices into fully-configured, fully-managed devices, you can: - - Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services like [Microsoft Intune](https://docs.microsoft.com/intune/understand-explore/introduction-to-microsoft-intune). -- Create self-contained provisioning packages built with the [Windows Imaging and Configuration Designer (ICD)](https://msdn.microsoft.com/library/windows/hardware/dn916113(v=vs.85).aspx). +- Create self-contained provisioning packages built with the [Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/deploy/provisioning-packages). - Use traditional imaging techniques such as deploying custom images using [System Center Configuration Manager](https://docs.microsoft.com/sccm/core/understand/introduction). diff --git a/windows/manage/mandatory-user-profile.md b/windows/manage/mandatory-user-profile.md index 6664e2d2aa..3ced9aa8fd 100644 --- a/windows/manage/mandatory-user-profile.md +++ b/windows/manage/mandatory-user-profile.md @@ -164,7 +164,7 @@ When a user is configured with a mandatory profile, Windows 10 starts as though - [Manage Windows 10 Start layout and taskbar options](windows-10-start-layout-options-and-policies.md) - [Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md) -- [Windows Spotlight on the lock screen](windows-spotlight.md) +- [Windows Spotlight on the lock screen](../configure/windows-spotlight.md) - [Configure devices without MDM](configure-devices-without-mdm.md) diff --git a/windows/manage/uev-accessibility.md b/windows/manage/uev-accessibility.md deleted file mode 100644 index 08416f8349..0000000000 
--- a/windows/manage/uev-accessibility.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-title: Accessibility for UE-V
-redirect_url: https://technet.microsoft.com/itpro/windows/manage/uev-for-windows
----
\ No newline at end of file
diff --git a/windows/manage/uev-privacy-statement.md b/windows/manage/uev-privacy-statement.md
deleted file mode 100644
index eb9e64f8a1..0000000000
--- a/windows/manage/uev-privacy-statement.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-title: User Experience Virtualization Privacy Statement
-redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/uev-security-considerations
----
\ No newline at end of file
diff --git a/windows/manage/windows-10-start-layout-options-and-policies.md b/windows/manage/windows-10-start-layout-options-and-policies.md
deleted file mode 100644
index b588216cb5..0000000000
--- a/windows/manage/windows-10-start-layout-options-and-policies.md
+++ /dev/null
@@ -1,180 +0,0 @@ ---- -title: Manage Windows 10 Start and taskbar layout (Windows 10) -description: Organizations might want to deploy a customized Start and taskbar layout to devices running Windows 10 Enterprise or Windows 10 Education. -ms.assetid: 2E94743B-6A49-463C-9448-B7DD19D9CD6A -keywords: ["start screen", "start menu"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: jdeckerMS -localizationpriority: high ---- - -# Manage Windows 10 Start and taskbar layout - - -**Applies to** - -- Windows 10 - -> **Looking for consumer information?** See [Customize the Start menu](http://windows.microsoft.com/windows-10/getstarted-see-whats-on-the-menu) - -Organizations might want to deploy a customized Start and taskbar configuration to devices running Windows 10 Enterprise or Windows 10 Education. A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default. - ->[!NOTE] ->Taskbar configuration is available starting in Windows 10, version 1607. -> ->Using the layout modification XML to configure Start is not supported with roaming user profiles. For more information, see [Deploy Roaming User Profiles](https://technet.microsoft.com/en-US/library/jj649079.aspx). - -## Start options - -![start layout sections](images/startannotated.png) - -Some areas of Start can be managed using Group Policy. The layout of Start tiles can be managed using either Group Policy or Mobile Device Management (MDM) policy. - -The following table lists the different parts of Start and any applicable policy settings or Settings options. Group Policy settings are in the **User Configuration**\\**Administrative Templates**\\**Start Menu and Taskbar** path except where a different path is listed in the table. 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
StartPolicySetting
User tileGroup Policy: Remove Logoff on the Start menu
Most usedGroup Policy: Remove frequent programs from the Start menuSettings > Personalization > Start > Show most used apps

Suggestions

-

-and-

-

Dynamically inserted app tile

MDM: Allow Windows Consumer Features

-

Group Policy: Computer Configuration\\Administrative Templates\\Windows Components\\Cloud Content\\Turn off Microsoft consumer experiences

-
-Note   -

This policy also enables or disables notifications for a user's Microsoft account and app tiles from Microsoft dynamically inserted in the default Start menu.

-
-
-  -
Settings > Personalization > Start > Occasionally show suggestions in Start
Recently addednot applicableSettings > Personalization > Start > Show recently added apps
Pinned foldersnot applicableSettings > Personalization > Start > Choose which folders appear on Start
PowerGroup Policy: Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commandsNone
Start layout

MDM: Start layout

-

Group Policy: Start layout

-

Group Policy: Prevent users from customizing their Start Screen

-
-Note   -

When a full Start screen layout is imported with Group Policy or MDM, the users cannot pin, unpin, or uninstall apps from the Start screen. Users can view and open all apps in the All Apps view, but they cannot pin any apps to the Start screen. When a partial Start screen layout is imported, users cannot change the tile groups applied by the partial layout, but can modify other tile groups and create their own.

Start layout policy can be used to pin apps to the taskbar based on an XML File that you provide. Users will be able to change the order of pinned apps, unpin apps, and pin additional apps to the taskbar. -

-
-  -
None
Jump listsGroup Policy: Do not keep history of recently opened documentsSettings > Personalization > Start > Show recently opened items in Jump Lists on Start or the taskbar
Start size

MDM: Force Start size

-

Group Policy: Force Start to be either full screen size or menu size

Settings > Personalization > Start > Use Start full screen
All SettingsGroup Policy: Prevent changes to Taskbar and Start Menu SettingsNone
- - ## Taskbar options - -Starting in Windows 10, version 1607, you can pin additional apps to the taskbar and remove default pinned apps from the taskbar. You can specify different taskbar configurations based on device locale or region. - -There are three categories of apps that might be pinned to a taskbar: -* Apps pinned by the user -* Default Windows apps, pinned during operating system installation (Microsoft Edge, File Explorer, Store) -* Apps pinned by the enterprise, such as in an unattended Windows setup - - **Note**   - The earlier method of using [TaskbarLinks](https://go.microsoft.com/fwlink/p/?LinkId=761230) in an unattended Windows setup file is deprecated in Windows 10, version 1607. - -The following example shows how apps will be pinned - Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using XML to the right (green square). - -> **Note**  In operating systems configured to use a right-to-left language, the taskbar order will be reversed. - -![Windows left, user center, enterprise to the right](images/taskbar-generic.png) - -Whether you apply the taskbar configuration to a clean install or an update, users will still be able to: -* Pin additional apps -* Change the order of pinned apps -* Unpin any app - -### Taskbar configuration applied to clean install of Windows 10 - -In a clean install, if you apply a taskbar layout, only the apps that you specify and default apps that you do not remove will be pinned to the taskbar. Users can pin additional apps to the taskbar after the layout is applied. - -### Taskbar configuration applied to Windows 10 upgrades - -When a device is upgraded to Windows 10, apps will be pinned to the taskbar already. Some apps may have been pinned to the taskbar by a user, and others may have been pinned to the taskbar through a customized base image or by using Windows Unattend setup. 
- -The new taskbar layout for upgrades to Windows 10, version 1607 or later, will apply the following behavior: -* If the user pinned the app to the taskbar, those pinned apps remain and new apps will be added to the right. -* If the user didn't pin the app (it was pinned during installation or by policy) and the app is not in updated layout file, the app will be unpinned. -* If the user didn't pin the app and the app is in the updated layout file, the app will be pinned to the right. -* New apps specified in updated layout file are pinned to right of user's pinned apps. - - - -## Related topics - - -[Customize and export Start layout](customize-and-export-start-layout.md) - -[Configure Windows 10 taskbar](configure-windows-10-taskbar.md) - -[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) - -[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) - -[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) - -[Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md) - -  - -  - - - - - diff --git a/windows/manage/windows-spotlight.md b/windows/manage/windows-spotlight.md deleted file mode 100644 index eb3af0eb51..0000000000 --- a/windows/manage/windows-spotlight.md +++ /dev/null 
@@ -1,85 +0,0 @@ ---- -title: Windows Spotlight on the lock screen (Windows 10) -description: Windows Spotlight is an option for the lock screen background that displays different background images on the lock screen. -ms.assetid: 1AEA51FA-A647-4665-AD78-2F3FB27AD46A -keywords: ["lockscreen"] -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -author: jdeckerMS -localizationpriority: high ---- - -# Windows Spotlight on the lock screen - - -**Applies to** - -- Windows 10 - -Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. Windows Spotlight is available in all desktop editions of Windows 10. - -For managed devices running Windows 10 Enterprise and Windows 10 Education, enterprise administrators can configure a mobile device management (MDM) or Group Policy setting to prevent users from using the Windows Spotlight background. For managed devices running Windows 10 Pro, version 1607, administrators can disable suggestions for third party apps. - - ->[!NOTE] ->In Windows 10, version 1607, the lock screen background does not display if you disable the **Animate windows when minimizing and mazimizing** setting in **This PC** > **Properties** > **Advanced system settings** > **Performance settings** > **Visual Effects**, or if you enable the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Desktop Windows Manager** > **Do not allow windows animations**. - -## What does Windows Spotlight include? - - -- **Background image** - - The Windows Spotlight displays a new image on the lock screen each day. The initial background image is included during installation. Additional images are downloaded on ongoing basis. 
- - ![lock screen image](images/lockscreen.png) - -- **Feature suggestions, fun facts, tips** - - The lock screen background will occasionally suggest Windows 10 features that the user hasn't tried yet, such as **Snap assist**. - -## How do you turn off Windows Spotlight locally? - - -To turn off Windows Spotlight locally, go to **Settings** > **Personalization** > **Lock screen** > **Background** > **Windows spotlight** > select a different lock screen background - -![personalization background](images/spotlight.png) - -## How do you disable Windows Spotlight for managed devices? - - -Windows 10, version 1607, provides three new Group Policy settings to help you manage Windows Spotlight on enterprise computers. - -**Windows 10 Pro, Enterprise, and Education** - -- **User Configuration\Administrative Templates\Windows Components\Cloud Content\Do not suggest third-party content in Windows spotlight** enables enterprises to restrict suggestions to Microsoft apps and services. - -**Windows 10 Enterprise and Education** - -* **User Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off all Windows Spotlight features** enables enterprises to completely disable all Windows Spotlight features in a single setting. -* **User Configuration\Administrative Templates\Windows Components\Cloud Content\Configure Spotlight on lock screen** specifically controls the use of the dynamic Windows Spotlight image on the lock screen, and can be enabled or disabled. (The Group Policy setting **Enterprise Spotlight** does not work in Windows 10, version 1607.) - -Windows Spotlight is enabled by default. Administrators can replace Windows Spotlight with a selected image using the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**. 
- ->[!WARNING] -> In Windows 10, version 1607, the **Force a specific default lock screen image** policy setting will prevent users from changing the lock screen image. This behavior will be corrected in a future release. - -![lockscreen policy details](images/lockscreenpolicy.png) - -Pay attention to the checkbox in **Options**. In addition to providing the path to the lock screen image, administrators can choose to allow or **Turn off fun facts, tips, tricks, and more on lock screen**. If the checkbox is not selected, users will see the lock screen image that is defined in the policy setting, and will also see occasional messages, such as the example in the following image. - -![fun facts](images/funfacts.png) - -## Related topics - - -[Manage Windows 10 Start layout options](../manage/windows-10-start-layout-options-and-policies.md) - -  - -  - - - - - diff --git a/windows/plan/TOC.md b/windows/plan/TOC.md index 9bee9778e7..08c2baded5 100644 --- a/windows/plan/TOC.md +++ b/windows/plan/TOC.md @@ -1,4 +1,5 @@ # [Plan for Windows 10 deployment](index.md) +## [Windows 10 Enterprise FAQ for IT Pros](windows-10-enterprise-faq-itpro.md) ## [Windows 10 deployment considerations](windows-10-deployment-considerations.md) ## [Windows 10 compatibility](windows-10-compatibility.md) ## [Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) diff --git a/windows/plan/act-community-ratings-and-process.md b/windows/plan/act-community-ratings-and-process.md deleted file mode 100644 index e9c34a2026..0000000000 --- a/windows/plan/act-community-ratings-and-process.md +++ /dev/null 
@@ -1,5 +0,0 @@
----
-title: ACT Community Ratings and Process (Windows 10)
-description: The Application Compatibility Toolkit (ACT) Community uses the Microsoft® Compatibility Exchange to share compatibility ratings between all registered ACT Community members.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/act-database-configuration.md b/windows/plan/act-database-configuration.md
deleted file mode 100644
index 7c07865d8a..0000000000
--- a/windows/plan/act-database-configuration.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: ACT Database Configuration (Windows 10)
-description: The Application Compatibility Toolkit (ACT) uses a Microsoft® SQL Server® database for storing and sharing compatibility issue data.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/act-database-migration.md b/windows/plan/act-database-migration.md
deleted file mode 100644
index e8b5e9b74f..0000000000
--- a/windows/plan/act-database-migration.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: ACT Database Migration (Windows 10)
-description: The schema for an ACT database can change when ACT is updated or when a new version of ACT is released.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/act-deployment-options.md b/windows/plan/act-deployment-options.md
deleted file mode 100644
index a550b72152..0000000000
--- a/windows/plan/act-deployment-options.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: ACT Deployment Options (Windows 10)
-description: While planning your deployment of the Application Compatibility Toolkit (ACT), consider which computers you want running the various tools, packages, and services for ACT.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/act-glossary.md b/windows/plan/act-glossary.md
deleted file mode 100644
index 17f66a70be..0000000000
--- a/windows/plan/act-glossary.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: ACT Glossary (Windows 10)
-description: The following table lists terms and definitions used by the Application Compatibility Toolkit (ACT).
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/act-lps-share-permissions.md b/windows/plan/act-lps-share-permissions.md
deleted file mode 100644
index 37a6534881..0000000000
--- a/windows/plan/act-lps-share-permissions.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: ACT LPS Share Permissions (Windows 10)
-description: To upload log files to the ACT Log Processing Service (LPS) share, certain permissions must be set at the share level and folder level.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/act-operatingsystem-application-report.md b/windows/plan/act-operatingsystem-application-report.md
deleted file mode 100644
index 62da93a40d..0000000000
--- a/windows/plan/act-operatingsystem-application-report.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: OperatingSystem - Application Report (Windows 10)
-description: This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/act-operatingsystem-computer-report.md b/windows/plan/act-operatingsystem-computer-report.md
deleted file mode 100644
index bf508ee97a..0000000000
--- a/windows/plan/act-operatingsystem-computer-report.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: OperatingSystem - Computer Report (Windows 10)
-description: This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/act-operatingsystem-device-report.md b/windows/plan/act-operatingsystem-device-report.md
deleted file mode 100644
index 6668aa3041..0000000000
--- a/windows/plan/act-operatingsystem-device-report.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: OperatingSystem - Device Report (Windows 10)
-description: This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/act-product-and-documentation-resources.md b/windows/plan/act-product-and-documentation-resources.md
deleted file mode 100644
index 2c3290db5b..0000000000
--- a/windows/plan/act-product-and-documentation-resources.md
+++ /dev/null
@@ -1,13 +0,0 @@ ---- -title: ACT Product and Documentation Resources (Windows 10) -description: The following sections provide links to resources and reference material for the Application Compatibility Toolkit (ACT). -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- -  - -  - - - - - diff --git a/windows/plan/act-settings-dialog-box-preferences-tab.md b/windows/plan/act-settings-dialog-box-preferences-tab.md deleted file mode 100644 index eaa5fec362..0000000000 --- a/windows/plan/act-settings-dialog-box-preferences-tab.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Settings Dialog Box - Preferences Tab (Windows 10) -description: To display the Settings dialog box, in Application Compatibility Manager (ACM), on the Tools menu, click Settings. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/act-settings-dialog-box-settings-tab.md b/windows/plan/act-settings-dialog-box-settings-tab.md deleted file mode 100644 index 30e7000dd2..0000000000 --- a/windows/plan/act-settings-dialog-box-settings-tab.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Settings Dialog Box - Settings Tab (Windows 10) -description: To display the Settings dialog box, in Application Compatibility Manager (ACM), on the Tools menu, click Settings. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/act-toolbar-icons-in-acm.md b/windows/plan/act-toolbar-icons-in-acm.md deleted file mode 100644 index bd6b97dcde..0000000000 --- a/windows/plan/act-toolbar-icons-in-acm.md +++ /dev/null 
@@ -1,5 +0,0 @@
----
-title: Toolbar Icons in ACM (Windows 10)
-description: The following table shows icons that appear on toolbars and navigational elements in Application Compatibility Manager (ACM).
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/act-tools-packages-and-services.md b/windows/plan/act-tools-packages-and-services.md
deleted file mode 100644
index 7e20751a4a..0000000000
--- a/windows/plan/act-tools-packages-and-services.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: ACT Tools, Packages, and Services (Windows 10)
-description: The Application Compatibility Toolkit is included with the Windows ADK. Download the Windows ADK.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/act-user-interface-reference.md b/windows/plan/act-user-interface-reference.md
deleted file mode 100644
index affbef996f..0000000000
--- a/windows/plan/act-user-interface-reference.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: ACT User Interface Reference (Windows 10)
-description: This section contains information about the user interface for Application Compatibility Manager (ACM), which is a tool in the Application Compatibility Toolkit (ACT).
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/activating-and-closing-windows-in-acm.md b/windows/plan/activating-and-closing-windows-in-acm.md
deleted file mode 100644
index 4640049e22..0000000000
--- a/windows/plan/activating-and-closing-windows-in-acm.md
+++ /dev/null
@@ -1,13 +0,0 @@ ---- -title: Activating and Closing Windows in ACM (Windows 10) -description: The Windows dialog box shows the windows that are open in Application Compatibility Manager (ACM). -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- -  - -  - - - - - diff --git a/windows/plan/adding-or-editing-a-solution.md b/windows/plan/adding-or-editing-a-solution.md deleted file mode 100644 index b5a52a45c2..0000000000 --- a/windows/plan/adding-or-editing-a-solution.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Adding or Editing a Solution (Windows 10) -description: If you find your own solutions to compatibility issues, you can enter the solutions in Application Compatibility Manager (ACM). You can use the Microsoft Compatibility Exchange to upload solutions to Microsoft Corporation. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/adding-or-editing-an-issue.md b/windows/plan/adding-or-editing-an-issue.md deleted file mode 100644 index 08d2098675..0000000000 --- a/windows/plan/adding-or-editing-an-issue.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Adding or Editing an Issue (Windows 10) -description: In Application Compatibility Manager (ACM), you can enter information about the compatibility issues that you discover. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/analyzing-your-compatibility-data.md b/windows/plan/analyzing-your-compatibility-data.md deleted file mode 100644 index 2d69b55931..0000000000 --- a/windows/plan/analyzing-your-compatibility-data.md +++ /dev/null 
@@ -1,5 +0,0 @@
----
-title: Analyzing Your Compatibility Data (Windows 10)
-description: This section provides information about viewing and working with your compatibility data in Application Compatibility Manager (ACM).
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/application-dialog-box.md b/windows/plan/application-dialog-box.md
deleted file mode 100644
index 7615d0949e..0000000000
--- a/windows/plan/application-dialog-box.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Application Dialog Box (Windows 10)
-description: In Application Compatibility Manager (ACM), the Application dialog box shows information about the selected application.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/categorizing-your-compatibility-data.md b/windows/plan/categorizing-your-compatibility-data.md
deleted file mode 100644
index e77b9ca34e..0000000000
--- a/windows/plan/categorizing-your-compatibility-data.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Categorizing Your Compatibility Data (Windows 10)
-description: Steps to customize and filter your compatibility reports through categories and subcategories.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/chromebook-migration-guide.md b/windows/plan/chromebook-migration-guide.md
deleted file mode 100644
index 8db7b3b57c..0000000000
--- a/windows/plan/chromebook-migration-guide.md
+++ /dev/null
@@ -1,854 +0,0 @@ ---- -title: Chromebook migration guide (Windows 10) -description: In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. -redirect_url: https://technet.microsoft.com/edu/windows/chromebook-migration-guide -ms.assetid: 7A1FA48A-C44A-4F59-B895-86D4D77F8BEA -keywords: migrate, automate, device -ms.prod: w10 -ms.mktglfcycl: plan -ms.sitesec: library -ms.pagetype: edu; devices -author: craigash - ---- -# Chromebook migration guide - -**Applies to** -- Windows 10 - -In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. You will learn how to perform the necessary planning steps, including Windows device deployment, migration of user and device settings, app migration or replacement, and cloud storage migration. You will then learn the best method to perform the migration by using automated deployment and migration tools. - -## Plan Chromebook migration - -Before you begin to migrate Chromebook devices, plan your migration. As with most projects, there can be an urge to immediately start doing before planning. When you plan your Chromebook migration before you perform the migration, you can save countless hours of frustration and mistakes during the migration process. - -In the planning portion of this guide, you will identify all the decisions that you need to make and how to make each decision. At the end of the planning section, you will have a list of information you need to collect and what you need to do with the information. You will be ready to perform your Chromebook migration. - -## Plan for app migration or replacement - -App migration or replacement is an essential part of your Chromebook migration. In this section you will plan how you will migrate or replace Chromebook (Chrome OS) apps that are currently in use with the same or equivalent Windows apps. 
At the end of this section, you will have a list of the active Chrome OS apps and the Windows app counterparts. - -**Identify the apps currently in use on Chromebook devices** - -Before you can do any analysis or make decisions about which apps to migrate or replace, you need to identify which apps are currently in use on the Chromebook devices. You will create a list of apps that are currently in use (also called an app portfolio). - -> **Note**  The majority of Chromebook apps are web apps. For these apps you need to first perform Microsoft Edge compatibility testing and then publish the web app URL to the Windows users. For more information, see the [Perform app compatibility testing for web apps](#perform-testing-webapps) section. - -You can divide the apps into the following categories: - -- **Apps installed and managed by the institution.** These apps are typically managed in the Apps section in the Google Admin Console. You can record the list of these apps in your app portfolio. -- **Apps installed by faculty or students.** Faculty or students might have installed these apps as a part of a classroom curriculum. Obtain the list of these apps from faculty or students. Ensure you only record apps that are legitimately used as a part of classroom curriculum (and not for personal entertainment or use). - -Record the following information about each app in your app portfolio: - -- App name -- App type (such as offline app, online app, web app, and so on) -- App publisher or developer -- App version currently in use -- App priority (how necessary is the app to the day-to-day process of the institution or a classroom? Rank as high, medium, or low) - -Throughout the entire app migration or replacement process, focus on the higher priority apps. Focus on lower priority apps only after you have determined what you will do with the higher priority apps. 
- -### - -**Select Google Apps replacements** - -Table 1 lists the Windows device app replacements for the common Google Apps on Chromebook devices. If your users rely on any of these Google Apps, use the corresponding app on the Windows device. Use the information in Table 1 to select the Google App replacement on a Windows device. - -Table 1. Google App replacements - -| If you use this Google app on a Chromebook | Use this app on a Windows device | -|--------------------------------------------|--------------------------------------| -| Google Docs | Word 2016 or Word Online | -| Google Sheets | Excel 2016 or Excel Online | -| Google Slides | PowerPoint 2016 or PowerPoint Online | -| Google Apps Gmail | Outlook 2016 or Outlook Web App | -| Google Hangouts | Microsoft Skype for Business | -| Chrome | Microsoft Edge | -| Google Drive | Microsoft OneDrive for Business | -  -It may be that you will decide to replace Google Apps after you deploy Windows devices. For more information on making this decision, see the [Select cloud services migration strategy](#select-cs-migrationstrat) section of this guide. - -**Find the same or similar apps in the Windows Store** - -In many instances, software vendors will create a version of their app for multiple platforms. You can search the Windows Store to find the same or similar apps to any apps not identified in the [Select Google Apps replacements](#select-googleapps) section. - -In other instances, the offline app does not have a version written for the Windows Store or is not a web app. In these cases, look for an app that provides similar functions. For example, you might have a graphing calculator offline Android app published on the Chrome OS, but the software publisher does not have a version for Windows devices. Search the Windows Store for a graphing calculator app that provides similar features and functionality. 
Use that Windows Store app as a replacement for the graphing calculator offline Android app published on the Chrome OS. - -Record the Windows app that replaces the Chromebook app in your app portfolio. - -### - -**Perform app compatibility testing for web apps** - -The majority of Chromebook apps are web apps. Because you cannot run native offline Chromebook apps on a Windows device, there is no reason to perform app compatibility testing for offline Chromebook apps. However, you may have a number of web apps that will run on both platforms. - -Ensure that you test these web apps in Microsoft Edge. Record the level of compatibility for each web app in Microsoft Edge in your app portfolio. - -## Plan for migration of user and device settings - -Some institutions have configured the Chromebook devices to make the devices easier to use by using the Google Chrome Admin Console. You have also probably configured the Chromebook devices to help ensure the user data access and ensure that the devices themselves are secure by using the Google Chrome Admin Console. - -However, in addition to your centralized configuration in the Google Admin Console, Chromebook users have probably customized their device. In some instances, users may have changed the web content that is displayed when the Chrome browser starts. Or they may have bookmarked websites for future reference. Or users may have installed apps for use in the classroom. - -In this section, you will identify the user and device configuration settings for your Chromebook users and devices. Then you will prioritize these settings to focus on the configuration settings that are essential to your educational institution. -At the end of this section, you should have a list of Chromebook user and device settings that you want to migrate to Windows, as well as a level of priority for each setting. You may discover at the end of this section that you have few or no higher priority settings to be migrated. 
If this is the -case, you can skip the [Perform migration of user and device settings](#migrate-user-device-settings) section of this guide. - -**Identify Google Admin Console settings to migrate** - -You use the Google Admin Console (as shown in Figure 1) to manage user and device settings. These settings are applied to all the Chromebook devices in your institution that are enrolled in the Google Admin Console. Review the user and device settings in the Google Admin Console and determine which settings are appropriate for your Windows devices. - -![figure 1](images/chromebook-fig1-googleadmin.png) - -Figure 1. Google Admin Console - -Table 2 lists the settings in the Device Management node in the Google Admin Console. Review the settings and determine which settings you will migrate to Windows. - -Table 2. Settings in the Device Management node in the Google Admin Console - - ---- - - - - - - - - - - - - - - - - - - - - -
SectionSettings
Network

These settings configure the network connections for Chromebook devices and include the following settings categories:

-
    -
  • Wi-Fi. Configures the Wi-Fi connections that are available. The Windows devices will need these configuration settings to connect to the same Wi-Fi networks.

  • -
  • Ethernet. Configures authentication for secured, wired Ethernet connections (802.1x). The Windows devices will need these configuration settings to connect to the network.

  • -
  • VPN. Specifies the VPN network connections used by devices when not directly connected to your intranet. The Windows devices will need the same VPN network connections for users to remotely connect to your intranet.

  • -
  • Certificates. Contains the certificates used for network authentication. The Windows devices will need these certificates to connect to the network.

  • -
Mobile

These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:

-
    -
  • Device management settings. Configures settings for mobile (companion) devices, such as device synchronization, password settings, auditing, enable remote wipe, and other settings. Record these settings so that you can ensure the same settings are applied when the devices are being managed by Microsoft Intune or another mobile device management (MDM) provider.

  • -
  • Device activation. Contains a list of mobile (companion) devices that need to be approved for management by using the Google Admin Console. Approve or block any devices in this list so that the list of managed devices accurately reflects active managed devices.

  • -
  • Managed devices. Performs management tasks on mobile (companion) devices that are managed by the Google Admin Console. Record the list of companion devices on this page so that you can ensure the same devices are managed by Intune or another MDM provider.

  • -
  • Set Up Apple Push Certificate. Configures the certificate that is essentially the digital signature that lets the Google Admin Console manage iOS devices. You will need this certificate if you plan to manage iOS devices by using Intune or another MDM provider.

  • -
  • Set Up Android for Work. Authorizes the Google Admin Console to be the MDM provider for Android devices by providing an Enterprise Mobility Management (EMM) token. You will need this token if you plan to manage Android devices by using another MDM provider.

  • -
Chrome management

These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:

-
    -
  • User settings. Configures user-based settings for the Chrome browser and Chromebook devices. Most of these Chromebook user-based settings can be mapped to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.

  • -
  • Public session settings. Configures Public Sessions for Chrome devices that are used as kiosks, loaner devices, shared computers, or for any other work or school-related purpose for which users don't need to sign in with their credentials. You can configure Windows devices similarly by using Assigned Access. Record the settings and apps that are available in Public Sessions so that you can provide similar configuration in Assigned Access.

  • -
  • Device settings. Configures device-based settings for the Chrome browser and Chromebook devices. You can map most of these Chromebook device-based settings to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.

  • -
  • Devices. Manages Chrome device management licenses. The number of licenses recorded here should correspond to the number of licenses you will need for your new management system, such as Intune. Record the number of licenses and use those to determine how many licenses you will need to manage your Windows devices.

  • -
  • App Management. Provides configuration settings for Chrome apps. Record the settings for any apps that you have identified that will run on Windows devices.

  • -
-  -Table 3 lists the settings in the Security node in the Google Admin Console. Review the settings and determine which settings you will migrate to Windows. - -Table 3. Settings in the Security node in the Google Admin Console - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
SectionSettings

Basic settings

These settings configure password management and whether or not two-factor authentication (2FA) is configured. You can set the minimum password length, the maximum password length, if non-admin users can recover their own passwords, and enable 2FA.

-

Record these settings and use them to help configure your on-premises Active Directory or Azure Active Directory (Azure AD) to mirror the current behavior of your Chromebook environment.

Password monitoring

This section is used to monitor the strength of user passwords. You don’t need to migrate any settings in this section.

API reference

This section is used to enable access to various Google Apps Administrative APIs. You don’t need to migrate any settings in this section.

Set up single sign-on (SSO)

This section is used to configure SSO for Google web-based apps (such as Google Apps Gmail or Google Apps Calendar). While you don’t need to migrate any settings in this section, you probably will want to configure Azure Active Directory synchronization to replace Google-based SSO.

Advanced settings

This section is used to configure administrative access to user data and to configure the Google Secure Data Connector (which allows Google Apps to access data on your local network). You don’t need to migrate any settings in this section.

-  -**Identify locally-configured settings to migrate** - -In addition to the settings configured in the Google Admin Console, users may have locally configured their devices based on their own personal preferences (as shown in Figure 2). Table 4 lists the Chromebook user and device settings that you can locally configure. Review the settings and determine which settings you will migrate to Windows. Some of the settings listed in Table 4 can only be seen when you click the **Show advanced settings** link (as shown in Figure 2). - -![figure 2](images/fig2-locallyconfig.png) - -Figure 2. Locally-configured settings on Chromebook - -Table 4. Locally-configured settings - -| Section | Settings | -| - | - | -| Internet connections | These settings configure the Internet connection for the devices, such as Wi-Fi and VPN connections. Record the network connection currently in use and configure the Windows device to use the same network connection settings. | -| Appearances | These settings affect the appearance of the desktop. Record the wallpaper image file that is used. Migrate the image file to the Windows device and configure as the user’s wallpaper to maintain similar user experience. | -| Search | These settings configure which search engine is used to search for content. Record this setting so that you can use as the search engine on the Windows device. | -| Advanced sync settings | These settings configure which user settings are synchronized with the Google cloud, such as Apps, Extensions, History, Passwords, Settings, and so on. Record these settings and configure the Windows device with the same settings if you decide to continue to use Google Apps and other cloud services after you migrate to Windows devices. | -| Date and time | These settings configure the time zone and if 24-hour clock time should be used. Record these settings and configure the Windows device to use these settings. 
| -| Privacy | These settings configure Google Chrome web browser privacy settings (such as prediction service, phishing and malware protection, spelling errors, resource pre-fetch, and so on). Record these settings and configure Microsoft Edge, Internet Explorer, or the web browser of your choice with these settings. | -| Bluetooth | This setting configures whether or not Bluetooth is enabled on the device. Record this setting and configure the Windows device similarly. | -| Passwords and forms | These settings configure Google Chrome web browser to enable autofill of web forms and to save web passwords. Record these settings and configure Microsoft Edge, Internet Explorer, or the web browser of your choice with these settings. | -| Smart lock | These settings configure the Chromebook when the user’s Android phone is nearby and unlocked, which eliminates the need to type a password. You don’t need to migrate settings in this section. | -| Web content | These settings configure how the Chrome web browser displays content (such as font size and page zoom). Record these settings and configure Microsoft Edge, Internet Explorer, or the web browser of your choice with these settings. | -| Languages | These settings configure the language in use for the Chromebook. Record these settings and configure the Windows device to support the same language. | -| Downloads | These settings configure the default folder for file download, if the user should be prompted where to save files, and if the Google Drive account should be disconnected. Record these settings and configure the Windows device with similar settings. | -| HTTPS/SSL | These settings configure client-side certificates that are used to authenticate the device. Depending on the services or apps that use these certificates, you may need to export and then migrate these certificates to the Windows device. 
Contact the service or app provider to determine if you can use the existing certificate or if a new certificate needs to be issued. Record these settings and migrate the certificate to the Windows device or enroll for a new certificate as required by the service or app. | -| Google Cloud Print | These settings configure the printers that are available to the user. Record the list of printers available to the user and configure the Windows device to have the same printers available. Ensure that the user-friendly printer names in Windows are the same as for the Chromebook device. For example, if the Chromebook device has a printer named “Laser Printer in Registrar’s Office”, use that same name in Windows. | -| On startup | These settings configure which web pages are opened when the Chrome web browser starts. Record these settings and configure Microsoft Edge, Internet Explorer, or the web browser of your choice with these settings. | -| Accessibility | These settings configure the Chromebook ease of use (such as display of large mouse cursor, use of high contrast mode, enablement of the screen magnifier, and so on). Record these settings and configure the Windows device with similar settings. | -| Powerwash | This action removes all user accounts and resets the Chromebook device back to factory settings. You don’t have to migrate any settings in this section. | -| Reset settings | This action retains all user accounts, but restores all settings back to their default values. You don’t have to migrate any settings in this section. | -  -Determine how many users have similar settings and then consider managing those settings centrally. For example, a large number of users may have many of the same Chrome web browser settings. You can centrally manage these settings in Windows after migration. -Also, as a part of this planning process, consider settings that may not be currently managed centrally, but should be managed centrally. 
Record the settings that are currently being locally managed, but you want to manage centrally after the migration. - -**Prioritize settings to migrate** - -After you have collected all the Chromebook user, app, and device settings that you want to migrate, you need to prioritize each setting. Evaluate each setting and assign a priority to the setting based on the levels of high, medium, and low. -Assign the setting-migration priority based on how critical the setting is to the faculty performing their day-to-day tasks and how the setting affects the curriculum in the classrooms. Focus on the migration of higher priority settings and put less effort into the migration of lower priority settings. There may be some settings that are not necessary at all and can be dropped from your list of settings entirely. Record the setting priority in the list of settings you plan to migrate. - -## Plan for email migration - -Many of your users may be using Google Apps Gmail to manage their email, calendars, and contacts. You need to create the list of users you will migrate and the best time to perform the migration. -Office 365 supports automated migration from Google Apps Gmail to Office 365. For more information, see [Migrate Google Apps mailboxes to Office 365](https://go.microsoft.com/fwlink/p/?LinkId=690252). - -**Identify the list of user mailboxes to migrate** - -In regards to creating the list of users you will migrate, it might seem that the answer “all the users” might be the best one. However, depending on the time you select for migration, only a subset of the users may need to be migrated. For example, you may not persist student email accounts between semesters or between academic years. In this case you would only need to migrate faculty and staff. - -Also, when you perform a migration it is a great time to verify that all user mailboxes are active. 
In many environments there are a significant number of mailboxes that were provisioned for users that are no longer a part of the institution (such as interns or student assistants). You can eliminate these users from your list of user mailboxes to migrate. - -Create your list of user mailboxes to migrate in Excel 2016 based on the format described in step 7 in [Create a list of Gmail mailboxes to migrate](https://go.microsoft.com/fwlink/p/?LinkId=690253). If you follow this format, you can use the Microsoft Excel spreadsheet to perform the actual migration later in the process. - -**Identify companion devices that access Google Apps Gmail** - -In addition to Chromebook devices, users may have companion devices (smartphones, tablets, desktops, laptops, and so on) that also access the Google Apps Gmail mailbox. You will need to identify those companion devices and identify the proper configuration for those devices to access Office 365 mailboxes. - -After you have identified each companion device, verify the settings for the device that are used to access Office 365. You only need to test one type of each companion device. For example, if users use Android phones to access Google Apps Gmail mailboxes, configure the device to access Office 365 and then record those settings. You can publish those settings on a website or to your helpdesk staff so that users will know how to access their Office 365 mailbox. - -In most instances, users will only need to provide in their Office 365 email account and password. However, you should verify this on each type of companion device. For more information about how to configure a companion device to work with Office 365, see [Compare how different mobile devices work with Office 365](https://go.microsoft.com/fwlink/p/?LinkId=690254). -**Identify the optimal timing for the migration** - -Typically, the best time to perform the migration is between academic years or during semester breaks. 
Select the time of least activity for your institution. And during that time, the optimal time to perform the migration might be during an evening or over a weekend. - -Ensure that you communicate the time the migration will occur to your users well in advance. Also, ensure that users know how to access their Office 365 email after the migration is complete. Finally, ensure that your users know how to perform the common tasks they performed in Google Apps Gmail in Office 365 and/or Outlook 2016. - -## Plan for cloud storage migration - -Chromebook devices have limited local storage. So, most of your users will store data in cloud storage, such as Google Drive. You will need to plan how to migrate your cloud storage as a part of the Chromebook migration process. - -In this section, you will create a list of the existing cloud services, select the Microsoft cloud services that best meet your needs, and then optimize your cloud storage services migration plan. - -**Identify cloud storage services currently in use** - -Typically, most Chromebook users use Google Drive for cloud storage services because your educational institution purchased other Google cloud services and Google Drive is a part of those services. However, some users may use cloud storage services from other vendors. For each member of your faculty and staff and for each student, create a list of cloud storage services that includes the following: -- Name of the cloud storage service -- Cloud storage service vendor -- Associated licensing costs or fees -- Approximate storage currently in use per user - -Use this information as the requirements for your cloud storage services after you migrate to Windows devices. If at the end of this discovery you determine there is no essential data being stored in cloud storage services that requires migration, then you can skip to the [Plan for cloud services migration](#plan-cloud-services) section. 
- -**Optimize cloud storage services migration plan** - -Now that you know the current cloud storage services configuration, you need to optimize your cloud storage services migration plan for Microsoft OneDrive for Business. Optimization helps ensure that your use only the cloud storage services resources that are necessary for your requirements. - -Consider the following to help optimize your cloud storage services migration plan: - -- **Eliminate inactive user storage.** Before you perform the cloud storage services migration, identify cloud storage that is currently allocated to inactive users. Remove this storage from your list of cloud storage to migrate. -- **Eliminate or archive inactive files.** Review cloud storage to identify files that are inactive (have not been accessed for some period of time). Eliminate or archive these files so that they do not consume cloud storage. -- **Consolidate cloud storage services.** If multiple cloud storage services are in use, reduce the number of cloud storage services and standardize on one cloud storage service. This will help reduce management complexity, support time, and typically will reduce cloud storage costs. - -Record your optimization changes in your cloud storage services migration plan. - -## Plan for cloud services migration - -Many of your users may use cloud services on their Chromebook device, such as Google Apps, Google Drive, or Google Apps Gmail. You have planned for these individual cloud services in the [Plan for app migration or replacement](#plan-app-migrate-replace), [Plan for Google Apps Gmail to Office 365 migration](#plan-email-migrate), and [Plan for cloud storage migration](#plan-cloud-storage-migration) sections. - -In this section, you will create a combined list of these cloud services and then select the appropriate strategy to migrate these cloud services. 
- -### - -**Identify cloud services currently in use** - -You have already identified the individual cloud services that are currently in use in your educational institution in the [Plan for app migration or replacement](#plan-app-migrate-replace), [Plan for Google Apps Gmail to Office 365 migration](#plan-email-migrate), and [Plan for cloud storage migration](#plan-cloud-storage-migration) sections. Create a unified list of these cloud services and record the following about each service: -- Cloud service name -- Cloud service provider -- Number of users that use the cloud service - -**Select cloud services to migrate** - -One of the first questions you should ask after you identify the cloud services currently in use is, “Why do we need to migrate from these cloud services?” The answer to this question largely comes down to finances and features. - -Here is a list of reasons that describe why you might want to migrate from an existing cloud service to Microsoft cloud services: -- **Better integration with Office 365.** If your long-term strategy is to migrate to Office 365 apps (such as Word 2016 or Excel 2016) then a migration to Microsoft cloud services will provide better integration with these apps. The use of existing cloud services may not be as intuitive for users. For example, Office 365 apps will integrate better with OneDrive for Business compared to Google Drive. -- **Online apps offer better document compatibility.** Microsoft Office online apps (such as Word Online and Excel Online) provide the highest level of compatibility with Microsoft Office documents. The Office online apps allow you to open and edit documents directly from SharePoint or OneDrive for Business. Users can access the Office online app from any device with Internet connectivity. -- **Reduce licensing costs.** If you pay for Office 365 licenses, then Office 365 apps and cloud storage are included in those licenses. 
Although you could keep existing cloud services, you probably would pay more to keep those services. -- **Improve storage capacity and cross-platform features.** Microsoft cloud services provide competitive storage capacity and provide more Windows-centric features than other cloud services providers. While the Microsoft cloud services user experience is highly optimized for Windows devices, Microsoft cloud services are also highly optimized for companion devices (such as iOS or Android devices). -Review the list of existing cloud services that you created in the [Identify cloud services currently in use](#identify-cloud-services-inuse) section and identify the cloud services that you want to migrate to Microsoft cloud services. If you determine at the end of this task that there are no cloud services to be migrated, then skip to the [Plan for Windows device deployment](#plan-windevice-deploy) section. Also, skip the [Perform cloud services migration](#perform-cloud-services-migration) section later in this guide. - -**Prioritize cloud services** - -After you have created your aggregated list of cloud services currently in use by Chromebook users, prioritize each cloud service. Evaluate each cloud service and assign a priority based on the levels of high, medium, and low. -Assign the priority based on how critical the cloud service is to the faculty and staff performing their day-to-day tasks and how the cloud service affects the curriculum in the classrooms. Also, make cloud services that are causing pain for the users a higher priority. For example, if users experience outages with a specific cloud service, then make migration of that cloud service a higher priority. - -Focus on the migration of higher priority cloud services first and put less effort into the migration of lower priority cloud services. There may be some cloud services that are unnecessary and you can remove them from your list of cloud services to migrate entirely. 
Record the cloud service migration priority in the list of cloud services you plan to migrate. - -### - -**Select cloud services migration strategy** - -When you deploy the Windows devices, should you migrate the faculty, staff, and students to the new cloud services? Perhaps. But, in most instances you will want to select a migration strategy that introduces a number of small changes over a period of time. - -Consider the following when you create your cloud services migration strategy: - -- **Introduce small changes.** The move from Chrome OS to Windows will be simple for most users as most will have exposure to Windows from home, friends, or family. However, users may not be as familiar with the apps or cloud services. Consider the move to Windows first, and then make other changes as time progresses. -- **Start off by using existing apps and cloud services.** Immediately after the migration to Windows devices, you may want to consider running the existing apps and cloud services (such Google Apps, Google Apps Gmail, and Google Drive). This gives users a familiar method to perform their day-to-day tasks. -- **Resolve pain points.** If some existing apps or cloud services cause problems, you may want to migrate them sooner rather than later. In most instances, users will be happy to go through the learning curve of a new app or cloud service if it is more reliable or intuitive for them to use. -- **Migrate classrooms or users with common curriculum.** Migrate to Windows devices for an entire classroom or for multiple classrooms that share common curriculum. You must ensure that the necessary apps and cloud services are available for the curriculum prior to the migration of one or more classrooms. -- **Migrate when the fewest number of active users are affected.** Migrate your cloud services at the end of an academic year or end of a semester. This will ensure you have minimal impact on faculty, staff, and students. 
Also, a migration during this time will minimize the learning curve for users as they are probably dealing with new curriculum for the next semester. Also, you may not need to migrate student apps and data because many educational institutions do not preserve data between semesters or academic years. -- **Overlap existing and new cloud services.** For faculty and staff, consider overlapping the existing and new cloud services (having both services available) for one business cycle (end of semester or academic year) after migration. This allows you to easily recover any data that might not have migrated successfully from the existing cloud services. At a minimum, overlap the user of existing and new cloud services until the user can verify the migration. Of course, the tradeoff for using this strategy is the cost of the existing cloud services. However, depending on when license renewal occurs, the cost may be minimal. - -## Plan for Windows device deployment - -You need to plan for Windows device deployment to help ensure that the devices are successfully installed and configured to replace the Chromebook devices. Even if the vendor that provides the devices pre-loads Windows 10 on them, you still will need to perform other tasks. - -In this section you will select a Windows device deployment strategy; plan for Active Directory Domain Services (AD DS) and Azure AD services; plan for device, user, and app management; and plan for any necessary network infrastructure remediation. - -### - -**Select a Windows device deployment strategy** - -What decisions need to be made about Windows device deployment? You just put the device on a desk, hook up power, connect to Wi-Fi, and then let the users operate the device, right? That is essentially correct, but depending on the extent of your deployment and other factors, you need to consider different deployment strategies. 
- -For each classroom that has Chromebook devices, select a combination of the following device deployment strategies: - -- **Deploy one classroom at a time.** In most cases you will want to perform your deployment in batches of devices and a classroom is an excellent way to batch devices. You can treat each classroom as a unit and check each classroom off your list after you have deployed the devices. -- **Deploy based on curriculum.** Deploy the Windows devices after you have confirmed that the curriculum is ready for the Windows devices. If you deploy Windows devices without the curriculum installed and tested, you could significantly reduce the ability for students and teachers to perform effectively in the classroom. Also, deployment based on curriculum has the advantage of letting you move from classroom to classroom quickly if multiple classrooms use the same curriculum. -- **Deploy side-by-side.** In some instances you may need to have both the Chromebook and Windows devices in one or more classrooms. You can use this strategy if some of the curriculum only works on Chromebook and other parts of the curriculum works on Windows devices. This is a good method to help prevent delays in Windows device deployment, while ensuring that students and teachers can make optimal use of technology in their curriculum. -- **Deploy after apps and cloud services migration.** If you deploy a Windows device without the necessary apps and cloud services to support the curriculum, this provides only a portion of your complete solution. Ensure that the apps and cloud services are tested, provisioned, and ready for use prior to the deployment of Windows devices. -- **Deploy after the migration of user and device settings.** Ensure that you have identified the user and device settings that you plan to migrate and that those settings are ready to be applied to the new Windows devices. 
For example, you would want to create Group Policy Objects (GPOs) to apply the user and device settings to Windows devices. - - If you ensure that Windows devices closely mirror the Chromebook device configuration, you will ease user learning curve and create a sense of familiarity. Also, when you have the settings ready to be applied to the devices, it helps ensure you will deploy your new Windows devices in a secure configuration. - -Record the combination of Windows device deployment strategies that you selected. - -### - -**Plan for AD DS and Azure AD services** - -The next decision you will need to make concerns AD DS and Azure AD services. You can run AD DS on-premises, in the cloud by using Azure AD, or a combination of both (hybrid). The decision about which of these options is best is closely tied to how you will manage your users, apps, and devices and if you will use Office 365 and other Azure-based cloud services. - -In the hybrid configuration, your on-premises AD DS user and group objects are synchronized with Azure AD (including passwords). The synchronization happens both directions so that changes are made in both your on-premises AD DS and Azure AD. -Table 5 is a decision matrix that helps you decide if you can use only on-premises AD DS, only Azure AD, or a combination of both (hybrid). If the requirements you select from the table require on-premises AD DS and Azure AD, then you should select hybrid. For example, if you plan to use Office 365 and use Group Policy for management, then you would select hybrid. However, if you plan to use Office 365 and use Intune for management, then you would select only Azure AD. - -Table 5. Select on-premises AD DS, Azure AD, or hybrid - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you plan to...On-premises AD DSAzure ADHybrid
Use Office 365XX
Use Intune for managementXX
Use System Center 2012 R2 Configuration Manager for managementXX
Use Group Policy for managementXX
Have devices that are domain-joinedXX
Allow faculty and students to Bring Your Own Device (BYOD) which are not domain-joinedXX
-  -### - -**Plan device, user, and app management** - -You may ask the question, “Why plan for device, user, and app management before you deploy the device?” The answer is that you will only deploy the device once, but you will manage the device throughout the remainder of the device's lifecycle. -Also, planning management before deployment is essential to being ready to support the devices as you deploy them. You want to have your management processes and technology in place when the first teachers, facility, or students start using their new Windows device. -Table 6 is a decision matrix that lists the device, user, and app management products and technologies and the features supported by each product or technology. The primary device, user, and app management products and technologies include Group Policy, System Center Configuration Manager, Intune, and the Microsoft Deployment Toolkit (MDT). Use this decision matrix to help you select the right combination of products and technologies for your plan. - -Table 6. Device, user, and app management products and technologies - - --------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Desired featureWindows provisioning packagesGroup PolicyConfiguration ManagerIntuneMDTWindows Software Update Services
Deploy operating system imagesXXX
Deploy apps during operating system deploymentXXX
Deploy apps after operating system deploymentXXX
Deploy software updates during operating system deploymentXX
Deploy software updates after operating system deploymentXXXXX
Support devices that are domain-joinedXXXXX
Support devices that are not domain-joinedXXX
Use on-premises resourcesXXXX
Use cloud-based servicesX
-  -You can use Configuration Manager and Intune in conjunction with each other to provide features from both products and technologies. In some instances you may need only one of these products or technologies. In other instances, you may need two or more to meet the device, user, and app management needs for your institution. - -Record the device, user, and app management products and technologies that you selected. - -### - -**Plan network infrastructure remediation** - -In addition to AD DS, Azure AD, and management components, there are other network infrastructure services that Windows devices need. In most instances, Windows devices have the same network infrastructure requirements as the existing Chromebook devices. - -Examine each of the following network infrastructure technologies and services and determine if any remediation is necessary: - -- **Domain Name System (DNS)** provides translation between a device name and its associated IP address. For Chromebook devices, public facing, Internet DNS services are the most important. For Windows devices that only access the Internet, they have the same requirements. - - However, if you intend to communicate between Windows devices (peer-to-peer or client/server) then you will need local DNS services. Windows devices will register their name and IP address with the local DNS services so that Windows devices can locate each other. - -- **Dynamic Host Configuration Protocol (DHCP)** provides automatic IP configuration for devices. Your existing Chromebook devices probably use DHCP for configuration. If you plan to immediately replace the Chromebook devices with Windows devices, then you only need to release all the DHCP reservations for the Chromebook devices prior to the deployment of Windows devices. - - If you plan to run Chromebook and Windows devices side-by-side, then you need to ensure that your DHCP service has adequate IP addresses available for both sets of devices. 
- -- **Wi-Fi.** Chromebook devices are designed to connect to Wi-Fi networks. Windows devices are the same. Your existing Wi-Fi network for the Chromebook devices should be adequate for the same number of Windows devices. - - If you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side-by-side, then you need to ensure that Wi-Fi network can support the number of devices. - -- **Internet bandwidth.** Chromebook devices consume more Internet bandwidth (up to 700 times more) than Windows devices. This means that if your existing Internet bandwidth is adequate for the Chromebook devices, then the bandwidth will be more than adequate for Windows devices. - - However, if you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side-by-side, then you need to ensure that your Internet connection can support the number of devices. - - For more information that compares Internet bandwidth consumption for Chromebook and Windows devices, see the following resources: - - - [Chromebook vs. Windows Notebook Network Traffic Analysis](https://go.microsoft.com/fwlink/p/?LinkId=690255) - - [Hidden Cost of Chromebook Deployments](https://go.microsoft.com/fwlink/p/?LinkId=690256) - - [Microsoft Windows 8.1 Notebook vs. Chromebooks for Education](https://go.microsoft.com/fwlink/p/?LinkId=690257) - -- **Power.** Although not specifically a network infrastructure, you need to ensure your classrooms have adequate power. Chromebook and Windows devices should consume similar amounts of power. This means that your existing power outlets should support the same number of Windows devices. - - If you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side-by-side, you need to ensure that the power outlets, power strips, and other power management components can support the number of devices. 
- -At the end of this process, you may determine that no network infrastructure remediation is necessary. If so, you can skip the [Perform network infrastructure remediation](#network-infra-remediation) section of this guide. - -## Perform Chromebook migration - -Thus far, planning has been the primary focus. Believe it or not most of the work is now done. The rest of the Chromebook migration is just the implementation of the plan you have created. - -In this section you will perform the necessary steps for the Chromebook device migration. You will perform the migration based on the planning decision that you made in the [Plan Chromebook migration](#plan-migration) section earlier in this guide. - -You must perform some of the steps in this section in a specific sequence. Each section has guidance about when to perform a step. You can perform other steps before, during, or after the migration. Again, each section will tell you if the sequence is important. - -## Perform network infrastructure remediation - -The first migration task is to perform any network infrastructure remediation. In the [Plan network infrastructure remediation](#plan-network-infra-remediation) section, you determined the network infrastructure remediation (if any) that you needed to perform. - -It is important that you perform any network infrastructure remediation first because the remaining migration steps are dependent on the network infrastructure. Table 7 lists the Microsoft network infrastructure products and technologies and deployment resources for each. - -Table 7. Network infrastructure products and technologies and deployment resources - - ---- - - - - - - - - - - - - - - - - -
Product or technologyResources
DHCP
    -
  • [Core Network Guide](https://go.microsoft.com/fwlink/p/?LinkId=733920)

  • -
  • [DHCP Deployment Guide](https://go.microsoft.com/fwlink/p/?LinkId=734021)

  • -
DNS
    -
  • [Core Network Guide](https://go.microsoft.com/fwlink/p/?LinkId=733920)

  • -
  • [Deploying Domain Name System (DNS)](https://go.microsoft.com/fwlink/p/?LinkId=734022)

  • -
-  -If you use network infrastructure products and technologies from other vendors, refer to the vendor documentation on how to perform the necessary remediation. If you determined that no remediation is necessary, you can skip this section. - -## Perform AD DS and Azure AD services deployment or remediation - -It is important that you perform AD DS and Azure AD services deployment or remediation right after you finish network infrastructure remediation. Many of the remaining migration steps are dependent on you having your identity system (AD DS or Azure AD) in place and up to necessary expectations. -In the [Plan for Active Directory services](#plan-adservices) section, you determined the AD DS and/or Azure AD deployment or remediation (if any) that needed to be performed. Table 8 list AD DS, Azure AD, and the deployment resources for both. Use the resources in this table to deploy or remediate on-premises AD DS, Azure AD, or both. - -Table 8. AD DS, Azure AD and deployment resources - - ---- - - - - - - - - - - - - - - - - -
Product or technologyResources
AD DS
    -
  • [Core Network Guide](https://go.microsoft.com/fwlink/p/?LinkId=733920)

  • -
  • [Active Directory Domain Services Overview](https://go.microsoft.com/fwlink/p/?LinkId=733909)

  • -
Azure AD
    -
  • [Azure Active Directory documentation](https://go.microsoft.com/fwlink/p/?LinkId=690258)

  • -
  • [Manage and support Azure Active Directory Premium](https://go.microsoft.com/fwlink/p/?LinkId=690259)

  • -
  • [Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines](https://go.microsoft.com/fwlink/p/?LinkId=690260)

  • -
-  -If you decided not to migrate to AD DS or Azure AD as a part of the migration, or if you determined that no remediation is necessary, you can skip this section. If you use identity products and technologies from another vendor, refer to the vendor documentation on how to perform the necessary steps. -## Prepare device, user, and app management systems - -In the [Plan device, user, and app management](#plan-userdevapp-manage) section of this guide, you selected the products and technologies that you will use to manage devices, users, and apps on Windows devices. You need to prepare your management systems prior to Windows 10 device deployment. You will use these management systems to manage the user and device settings that you selected to migrate in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section. You need to prepare these systems prior to the migration of user and device settings. - -Table 9 lists the Microsoft management systems and the deployment resources for each. Use the resources in this table to prepare (deploy or remediate) these management systems. - -Table 9. Management systems and deployment resources - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Management systemResources
Windows provisioning packages
    -
  • [Build and apply a provisioning package](https://go.microsoft.com/fwlink/p/?LinkId=733918)

  • -
  • [Windows Imaging and Configuration Designer](https://go.microsoft.com/fwlink/p/?LinkId=733911)

  • -
  • [Step-By-Step: Building Windows 10 Provisioning Packages](https://go.microsoft.com/fwlink/p/?LinkId=690261)

  • -
Group Policy
    -
  • [Core Network Companion Guide: Group Policy Deployment](https://go.microsoft.com/fwlink/p/?LinkId=733915)

  • -
  • [Deploying Group Policy](https://go.microsoft.com/fwlink/p/?LinkId=734024)

  • -
Configuration Manager
    -
  • [Site Administration for System Center 2012 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=733914)

  • -
  • [Deploying Clients for System Center 2012 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=733919)

  • -
Intune
    -
  • [Set up and manage devices with Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=690262)

  • -
  • [Smoother Management Of Office 365 Deployments with Windows Intune](https://go.microsoft.com/fwlink/p/?LinkId=690263)

  • -
  • [System Center 2012 R2 Configuration Manager & Windows Intune](https://go.microsoft.com/fwlink/p/?LinkId=690264)

  • -
MDT
    -
  • [MDT documentation in the Microsoft Deployment Toolkit (MDT) 2013](https://go.microsoft.com/fwlink/p/?LinkId=690324)

  • -
  • [Step-By-Step: Installing Windows 8.1 From A USB Key](https://go.microsoft.com/fwlink/p/?LinkId=690265)

  • -
-  -If you determined that no new management system or no remediation of existing systems is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps. - -## Perform app migration or replacement - -In the [Plan for app migration or replacement](#plan-app-migrate-replace) section, you identified the apps currently in use on Chromebook devices and selected the Windows apps that will replace the Chromebook apps. You also performed app compatibility testing for web apps to ensure that web apps on the Chromebook devices would run on Microsoft Edge and Internet Explorer. - -In this step, you need to configure your management system to deploy the apps to the appropriate Windows users and devices. Table 10 lists the Microsoft management systems and the app deployment resources for each. Use the resources in this table to configure these management systems to deploy the apps that you selected in the [Plan for app migration or replacement](#plan-app-migrate-replace) section of this guide. - -Table 10. Management systems and app deployment resources - - ---- - - - - - - - - - - - - - - - - - - - - -
Management systemResources
Group Policy
    -
  • [Editing an AppLocker Policy](https://go.microsoft.com/fwlink/p/?LinkId=734025)

  • -
  • [Group Policy Software Deployment Background](https://go.microsoft.com/fwlink/p/?LinkId=734026)

  • -
  • [Assigning and Publishing Software](https://go.microsoft.com/fwlink/p/?LinkId=734027)

  • -
Configuration Manager
    -
  • [How to Deploy Applications in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=733917)

  • -
  • [Application Management in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=733907)

  • -
Intune
    -
  • [Deploy apps to mobile devices in Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=733913)

  • -
  • [Manage apps with Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=733910)

  • -
-  -If you determined that no deployment of apps is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps. - -## Perform migration of user and device settings - -In the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, you determined the user and device settings that you want to migrate. You selected settings that are configured in the Google Admin Console and locally on the Chromebook device. - -Perform the user and device setting migration by using the following steps: - -1. From the list of institution-wide settings that you created in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, configure as many as possible in your management system (such as Group Policy, Configuration Manager, or Intune). -2. From the list of device-specific settings that you created in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, configure device-specific setting for higher priority settings. -3. From the list of user-specific settings that you created in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, configure user-specific setting for higher priority settings. -4. Verify that all higher-priority user and device settings have been configured in your management system. - -If you do no want to migrate any user or device settings from the Chromebook devices to the Windows devices, you can skip this section. - -## Perform email migration - -In the [Plan for email migration](#plan-email-migrate) section, you identified the user mailboxes to migrate, identified the companion devices that access Google Apps Gmail, and identified the optimal timing for migration. You can perform this migration before or after you deploy the Windows devices. 
- -Office 365 supports automated migration from Google Apps Gmail to Office 365. For more information on how to automate the migration from Google Apps Gmail to Office 365, see [Migrate Google Apps mailboxes to Office 365](https://go.microsoft.com/fwlink/p/?LinkId=690252). - -Alternatively, if you want to migrate to Office 365 from: -- **On-premises Microsoft Exchange Server.** Use the following resources to migrate to Office 365 from an on-premises Microsoft Exchange Server: - - [Cutover Exchange Migration and Single Sign-On](https://go.microsoft.com/fwlink/p/?LinkId=690266) - - [Step-By-Step: Migration of Exchange 2003 Server to Office 365](https://go.microsoft.com/fwlink/p/?LinkId=690267) - - [Step-By-Step: Migrating from Exchange 2007 to Office 365](https://go.microsoft.com/fwlink/p/?LinkId=690268) -- **Another on-premises or cloud-based email service.** Follow the guidance from that vendor. - -## Perform cloud storage migration - -In the [Plan for cloud storage migration](#plan-cloud-storage-migration) section, you identified the cloud storage services currently in use, selected the Microsoft cloud storage services that you will use, and optimized your cloud storage services migration plan. You can perform the cloud storage migration before or after you deploy the Windows devices. - -Manually migrate the cloud storage migration by using the following steps: - -1. Install both Google Drive app and OneDrive for Business or OneDrive app on a device. -2. Sign in as the user in the Google Drive app. -3. Sign in as the user in the OneDrive for Business or OneDrive app. -4. Copy the data from the Google Drive storage to the OneDrive for Business or OneDrive storage. -5. Optionally uninstall the Google Drive app. - -There are also a number of software vendors who provide software that helps automate the migration from Google Drive to OneDrive for Business, Office 365 SharePoint, or OneDrive. 
For more information about these automated migration tools, contact the vendors. - -## Perform cloud services migration - -In the [Plan for cloud services migration](#plan-cloud-services)section, you identified the cloud services currently in use, selected the cloud services that you want to migrate, prioritized the cloud services to migrate, and then selected the cloud services migration strategy. You can perform the cloud services migration before or after you deploy the Windows devices. - -Migrate the cloud services that you currently use to the Microsoft cloud services that you selected. For example, you could migrate from a collaboration website to Office 365 SharePoint. Perform the cloud services migration based on the existing cloud services and the Microsoft cloud services that you selected. - -There are also a number of software vendors who provide software that helps automate the migration from other cloud services to Microsoft cloud services. For more information about these automated migration tools, contact the vendors. - -## Perform Windows device deployment - -In the [Select a Windows device deployment strategy](#select-windows-device-deploy) section, you selected how you wanted to deploy Windows 10 devices. The other migration task that you designed in the [Plan for Windows device deployment](#plan-windevice-deploy) section have already been performed. Now it's time to deploy the actual devices. - -For example, if you selected to deploy Windows devices by each classroom, start with the first classroom and then proceed through all of the classrooms until you’ve deployed all Windows devices. - -In some instances, you may receive the devices with Windows 10 already deployed, and want to use provisioning packages. In other cases, you may have a custom Windows 10 image that you want to deploy to the devices by using Configuration Manager and/or MDT. 
For information on how to deploy -Windows 10 images to the devices, see the following resources: - -- [Windows Imaging and Configuration Designer](https://go.microsoft.com/fwlink/p/?LinkId=733911) -- [Build and apply a provisioning package](https://go.microsoft.com/fwlink/p/?LinkId=733918) -- [MDT documentation in the Microsoft Deployment Toolkit (MDT) 2013](https://go.microsoft.com/fwlink/p/?LinkId=690324) -- [Step-By-Step: Installing Windows 8.1 From A USB Key](https://go.microsoft.com/fwlink/p/?LinkId=690265) -- [Operating System Deployment in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=733916) - -In addition to the Windows 10 image deployment, you may need to perform the following tasks as a part of device deployment: - -- Enroll the device with your management system. -- Ensure that Windows Defender is enabled and configured to receive updates. -- Ensure that Windows Update is enabled and configured to receive updates. -- Deploy any apps that you want the user to immediately be able to access when they start the device (such as Word 2016 or Excel 2016). - -After you complete these steps, your management system should take over the day-to-day maintenance tasks for the Windows 10 devices. Verify that the user and device settings migrated correctly as you deploy each batch of Windows 10 devices. Continue this process until you deploy all Windows 10 devices. - -## Related topics -- [Try it out: Windows 10 deployment (for education)](https://go.microsoft.com/fwlink/p/?LinkId=623254) -- [Try it out: Windows 10 in the classroom](https://go.microsoft.com/fwlink/p/?LinkId=623255) -  -  diff --git a/windows/plan/common-compatibility-issues.md b/windows/plan/common-compatibility-issues.md deleted file mode 100644 index 0883298316..0000000000 --- a/windows/plan/common-compatibility-issues.md +++ /dev/null 
@@ -1,6 +0,0 @@
----
-title: Common Compatibility Issues (Windows 10)
-ms.assetid: f5ad621d-bda2-45b5-ae85-bc92970f602f
-description: List of common compatibility issues, based on the type of technology.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/compatibility-monitor-users-guide.md b/windows/plan/compatibility-monitor-users-guide.md
deleted file mode 100644
index a183923ba1..0000000000
--- a/windows/plan/compatibility-monitor-users-guide.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Compatibility Monitor User's Guide (Windows 10)
-description: Compatibility Monitor is a tool in the runtime analysis package that you can use to monitor applications for compatibility issues. You can also use the Compatibility Monitor tool to submit compatibility feedback.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/computer-dialog-box.md b/windows/plan/computer-dialog-box.md
deleted file mode 100644
index 89054bac9a..0000000000
--- a/windows/plan/computer-dialog-box.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Computer Dialog Box (Windows 10)
-description: In Application Compatibility Manager (ACM), the Computer dialog box shows information about the selected computer.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/configuring-act.md b/windows/plan/configuring-act.md
deleted file mode 100644
index 372e1dcaf1..0000000000
--- a/windows/plan/configuring-act.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Configuring ACT (Windows 10)
-description: This section provides information about setting up the Application Compatibility Toolkit (ACT) in your organization.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/creating-a-runtime-analysis-package.md b/windows/plan/creating-a-runtime-analysis-package.md
deleted file mode 100644
index e6b56c752b..0000000000
--- a/windows/plan/creating-a-runtime-analysis-package.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-title: Creating a Runtime-Analysis Package (Windows 10)
-description: In Application Compatibility Manager (ACM), you can create runtime-analysis packages, which you can then deploy to computers for compatibility testing in your test environment.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
- 
-
-
-
-
-
diff --git a/windows/plan/creating-an-enterprise-environment-for-compatibility-testing.md b/windows/plan/creating-an-enterprise-environment-for-compatibility-testing.md
deleted file mode 100644
index 2953ad9c9f..0000000000
--- a/windows/plan/creating-an-enterprise-environment-for-compatibility-testing.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Creating an Enterprise Environment for Compatibility Testing (Windows 10)
-description: The goal of the test environment is to model the operating system that you want to deploy and assess compatibility before deploying the operating system to your production environment.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/creating-an-inventory-collector-package.md b/windows/plan/creating-an-inventory-collector-package.md
deleted file mode 100644
index c52e8f3965..0000000000
--- a/windows/plan/creating-an-inventory-collector-package.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Creating an Inventory-Collector Package (Windows 10)
-description: You can use Application Compatibility Manager (ACM) to create an inventory-collector package.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/creating-and-editing-issues-and-solutions.md b/windows/plan/creating-and-editing-issues-and-solutions.md
deleted file mode 100644
index e1897a0122..0000000000
--- a/windows/plan/creating-and-editing-issues-and-solutions.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Creating and Editing Issues and Solutions (Windows 10)
-description: This section provides step-by-step instructions for adding and editing application compatibility issues and solutions. Your issue and solution data can be uploaded to Microsoft through the Microsoft® Compatibility Exchange.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/customizing-your-report-views.md b/windows/plan/customizing-your-report-views.md
deleted file mode 100644
index 1c69e77305..0000000000
--- a/windows/plan/customizing-your-report-views.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Customizing Your Report Views (Windows 10)
-description: You can customize how you view your report data in Application Compatibility Manager (ACM).
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/data-sent-through-the-microsoft-compatibility-exchange.md b/windows/plan/data-sent-through-the-microsoft-compatibility-exchange.md
deleted file mode 100644
index 97e2f14378..0000000000
--- a/windows/plan/data-sent-through-the-microsoft-compatibility-exchange.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Data Sent Through the Microsoft Compatibility Exchange (Windows 10)
-description: The Microsoft Compatibility Exchange propagates data of various types between Microsoft Corporation, independent software vendors (ISVs) and the Application Compatibility Toolkit (ACT) Community.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/deciding-whether-to-fix-an-application-or-deploy-a-workaround.md b/windows/plan/deciding-whether-to-fix-an-application-or-deploy-a-workaround.md
deleted file mode 100644
index d4d3319cbc..0000000000
--- a/windows/plan/deciding-whether-to-fix-an-application-or-deploy-a-workaround.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Deciding Whether to Fix an Application or Deploy a Workaround (Windows 10)
-description: You can fix a compatibility issue by changing the code for the application or by deploying a workaround.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/deciding-which-applications-to-test.md b/windows/plan/deciding-which-applications-to-test.md
deleted file mode 100644
index 4b548c65f6..0000000000
--- a/windows/plan/deciding-which-applications-to-test.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Deciding Which Applications to Test (Windows 10)
-description: Before starting your compatibility testing on the version of Windows that you want to deploy, you can use the Application Compatibility Toolkit (ACT) to identify which applications should be the focus of your testing.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/deleting-a-data-collection-package.md b/windows/plan/deleting-a-data-collection-package.md
deleted file mode 100644
index c5401542c9..0000000000
--- a/windows/plan/deleting-a-data-collection-package.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Deleting a Data-Collection Package (Windows 10)
-description: In Application Compatibility Manager (ACM), you can delete any of your existing data-collection packages from the database.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/deploy-windows-10-in-a-school.md b/windows/plan/deploy-windows-10-in-a-school.md
deleted file mode 100644
index b451e7b8aa..0000000000
--- a/windows/plan/deploy-windows-10-in-a-school.md
+++ /dev/null
@@ -1,1263 +0,0 @@ ---- -title: Deploy Windows 10 in a school (Windows 10) -description: Learn how to integrate your school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD). Deploy Windows 10 and apps to new devices or upgrade existing devices to Windows 10. Manage faculty, students, and devices by using Microsoft Intune and Group Policy. -redirect_url: https://technet.microsoft.com/edu/windows/deploy-windows-10-in-a-school -keywords: configure, tools, device, school -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: edu -ms.sitesec: library -author: craigash ---- - -# Deploy Windows 10 in a school - - -**Applies to** - -- Windows 10 - -This guide shows you how to deploy the Windows 10 operating system in a school environment. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Intune and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you will perform after initial deployment as well as the automated tools and built-in features of the operating system. - -## Prepare for school deployment - -Proper preparation is essential for a successful school deployment. To avoid common mistakes, your first step is to plan a typical school configuration. Just as with building a house, you need a blueprint for what your school should look like when it’s finished. The second step in preparation is to learn how you will configure your school. Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your school. 
- -### Plan a typical school configuration - -As part of preparing for your school deployment, you need to plan your configuration—the focus of this guide. Figure 1 illustrates a typical finished school configuration that you can use as a model (the blueprint in our builder analogy) for the finished state. - -![fig 1](images/deploy-win-10-school-figure1.png) - -*Figure 1. Typical school configuration for this guide* - -Figure 2 shows the classroom configuration this guide uses. - -![fig 2](images/deploy-win-10-school-figure2.png) - -*Figure 2. Typical classroom configuration in a school* - -This school configuration has the following characteristics: -- It contains one or more admin devices. -- It contains two or more classrooms. -- Each classroom contains one teacher device. -- The classrooms connect to each other through multiple subnets. -- All devices in each classroom connect to a single subnet. -- All devices have high-speed, persistent connections to each other and to the Internet. -- All teachers and students have access to Windows Store or Windows Store for Business. -- All devices receive software updates from Intune (or another device management system). -- You install a 64-bit version of Windows 10 on the admin device. -- You install the Windows Assessment and Deployment Kit (Windows ADK) on the admin device. -- You install the Windows Assessment and Deployment Kit (Windows ADK) on the admin device. -- You install the 64-bit version of the Microsoft Deployment Toolkit (MDT) 2013 Update 2 on the admin device. ->**Note:**  In this guide, all references to MDT refer to the 64-bit version of MDT 2013 Update 2. -- The devices use Azure AD in Office 365 Education for identity management. -- If you have on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](http://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/). 
-- Use [Intune](http://technet.microsoft.com/library/jj676587.aspx), [compliance settings in Office 365](https://support.office.com/en-us/article/Manage-mobile-devices-in-Office-365-dd892318-bc44-4eb1-af00-9db5430be3cd?ui=en-US&rs=en-US&ad=US), or [Group Policy](http://technet.microsoft.com/en-us/library/cc725828%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396) in AD DS to manage devices. -- Each device supports a one-student-per-device or multiple-students-per-device scenario. -- The devices can be a mixture of different make, model, and processor architecture (32 bit or 64 bit) or be identical. -- To initiate Windows 10 deployment, use a USB flash drive, DVD-ROM or CD-ROM, or Pre-Boot Execution Environment Boot (PXE Boot). -- The devices can be a mixture of different Windows 10 editions, such as Windows 10 Home, Windows 10 Pro, and Windows 10 Education. - -Office 365 Education allows: - -- Students and faculty to use Microsoft Office Online to create and edit Microsoft Word, OneNote, PowerPoint, and Excel documents in a browser. -- Teachers to use the [OneNote Class Notebook app](https://www.onenote.com/classnotebook) to share content and collaborate with students. -- Faculty to use the [OneNote Staff Notebooks app](https://www.onenote.com/staffnotebookedu) to collaborate with other teachers, administration, and faculty. -- Teachers to employ Sway to create interactive educational digital storytelling. -- Students and faculty to use email and calendars, with mailboxes up to 50 GB per user. -- Faculty to use advanced email features like email archiving and legal hold capabilities. -- Faculty to help prevent unauthorized users from accessing documents and email by using Azure Rights Management. -- Faculty to use advanced compliance tools on the unified eDiscovery pages in the Office 365 Compliance Center. -- Faculty to host online classes, parent–teacher conferences, and other collaboration in Skype for Business or Skype. 
-- Students and faculty to access up to 1 TB of personal cloud storage that users inside and outside the educational institution can share through OneDrive for Business. -- Teachers to provide collaboration in the classroom through Microsoft SharePoint Online team sites. -- Students and faculty to use Office 365 Video to manage videos. -- Students and faculty to use Yammer to collaborate through private social networking. -- Students and faculty to access classroom resources from anywhere on any device (including Windows 10 Mobile, iOS, and Android devices). - -For more information about Office 365 Education features and a FAQ, go to [Office 365 Education](https://products.office.com/en-us/academic). - -## How to configure a school - -Now that you have the plan (blueprint) for your classroom, you’re ready to learn about the tools you will use to deploy it. There are many tools you could use to accomplish the task, but this guide focuses on using those tools that require the least infrastructure and technical knowledge. - -The primary tool you will use to deploy Windows 10 in your school is MDT, which uses Windows ADK components to make deployment easier. You could just use the Windows ADK to perform your deployment, but MDT simplifies the process by providing an intuitive, wizard-driven user interface (UI). - -You can use MDT as a stand-alone tool or integrate it with Microsoft System Center Configuration Manager. As a stand-alone tool, MDT performs Lite Touch Installation (LTI) deployments—deployments that require minimal infrastructure and allow you to control the level of automation. When integrated with System Center Configuration Manager, MDT performs Zero Touch Installation (ZTI) deployments, which require more infrastructure (such as System Center Configuration Manager) but result in fully automated deployments. - -MDT includes the Deployment Workbench—a console from which you can manage the deployment of Windows 10 and your apps. 
You configure the deployment process in the Deployment Workbench, including the management of operating systems, device drivers, apps and migration of user settings on existing devices. - -LTI performs deployment from a *deployment share*—a network-shared folder on the device where you installed MDT. You can perform over-the-network deployments from the deployment share or perform deployments from a local copy of the deployment share on a USB drive or DVD. You will learn more about MDT in the [Prepare the admin device](#prepare-the-admin-device) section. - -The focus of MDT is deployment, so you also need tools that help you manage your Windows 10 devices and apps. You can manage Windows 10 devices and apps with Intune, the Compliance Management feature in Office 365, or Group Policy in AD DS. You can use any combination of these tools based on your school requirements. - -The configuration process requires the following devices: - -- **Admin device.** This is the device you use for your day-to-day job functions. It’s also the one you use to create and manage the Windows 10 and app deployment process. You install the Windows ADK and MDT on this device. -- **Faculty devices.** These are the devices that the teachers and other faculty use for their day-to-day job functions. You use the admin device to deploy (or upgrade) Windows 10 and apps to these devices. -- **Student devices.** The students will use these devices. You will use the admin device deploy (or upgrade) Windows 10 and apps to them. - -The high-level process for deploying and configuring devices within individual classrooms and the school as a whole is as follows and illustrated in Figure 3: - -1. Prepare the admin device for use, which includes installing the Windows ADK and MDT. -2. On the admin device, create and configure the Office 365 Education subscription that you will use for each classroom in the school. -3. 
On the admin device, configure integration between on-premises AD DS and Azure AD (if you have an on premises AD DS configuration). -4. On the admin device, create and configure a Windows Store for Business portal. -5. On the admin device, prepare for management of the Windows 10 devices after deployment. -6. On the student and faculty devices, deploy Windows 10 to new or existing devices, or upgrade eligible devices to Windows 10. -7. On the admin device, manage the Windows 10 devices and apps, the Office 365 subscription, and the AD DS and Azure AD integration. - -![fig 3](images/deploy-win-10-school-figure3.png) - -*Figure 3. How school configuration works* - -Each of the steps illustrated in Figure 3 directly correspond to the remaining high-level sections in this guide. - -### Summary - -In this section, you looked at the final configuration of your individual classrooms and the school as a whole upon completion of this guide. You also learned the high-level steps you need to perform to deploy the faculty and student devices in your school. - -## Prepare the admin device - -Now, you’re ready to prepare the admin device for use in the school. This process includes installing the Windows ADK, installing the MDT, and creating the MDT deployment share. - -### Install the Windows ADK - -The first step in preparing the admin device is to install the Windows ADK. The Windows ADK contains the deployment tools that MDT uses, including the Windows Preinstallation Environment (Windows PE), the Windows User State Migration Tool (USMT), and Deployment Image Servicing and Management. 
- -When you install the Windows ADK on the admin device, select the following features: - -- Deployment tools -- Windows Preinstallation Environment (Windows PE) -- User State Migration Tool (USMT) - -For more information about installing the Windows ADK, see [Step 2-2: Install the Windows ADK](http://technet.microsoft.com/en-us/library/dn781086.aspx?f=255&MSPPError=-2147217396#InstallWindowsADK). - -### Install MDT - -Next, install MDT. MDT uses the Windows ADK to help you manage and perform Windows 10 and app deployment and is a free tool available directly from Microsoft. - -You can use MDT to deploy 32-bit or 64-bit versions of Windows 10. Install the 64-bit version of MDT to support deployment of 32-bit and 64-bit operating systems. - ->**Note:**  If you install the 32-bit version of MDT, you can install only 32-bit versions of Windows 10. Ensure that you download and install the 64-bit version of MDT so that you can install 64-bit and 32 bit versions of the operating system. - -For more information about installing MDT on the admin device, see [Installing a New Instance of MDT](https://technet.microsoft.com//library/dn759415.aspx#InstallingaNewInstanceofMDT). - -Now, you’re ready to create the MDT deployment share and populate it with the operating system, apps, and device drivers you want to deploy to your devices. - -### Create a deployment share - -MDT includes the Deployment Workbench, a graphical user interface that you can use to manage MDT deployment shares. A deployment share is a shared folder that contains all the MDT deployment content. The LTI Deployment Wizard accesses the deployment content over the network or from a local copy of the deployment share (known as MDT deployment media). - -For more information about how to create a deployment share, see [Step 3-1: Create an MDT Deployment Share](http://technet.microsoft.com/en-us/library/dn781086.aspx?f=255&MSPPError=-2147217396#CreateMDTDeployShare). 
- -### Summary - -In this section, you installed the Windows ADK and MDT on the admin device. You also created the MDT deployment share that you will configure and use later in the LTI deployment process. - -## Create and configure Office 365 - -Office 365 is one of the core components of your classroom environment. You create and manage student identities in Office 365, and students and teachers use the suite as their email, contacts, and calendar system. Teachers and students use Office 365 collaboration features such as SharePoint, OneNote, and OneDrive for Business. - -As a first step in deploying your classroom, create an Office 365 Education subscription, and then configure Office 365 for the classroom. For more information about Office 365 Education deployment, see [School deployment of Office 365 Education](http://www.microsoft.com/en-us/education/products/office-365-deployment-resources/default.aspx). - -### Select the appropriate Office 365 Education license plan - -Complete the following steps to select the appropriate Office 365 Education license plan for your school: - -

    -
  1. Determine the number of faculty members and students who will use the classroom.
    Office 365 Education licensing plans are available specifically for faculty and students. You must assign faculty and students the correct licensing plan. -
  2. -
  3. Determine the faculty members and students who need to install Office applications on devices (if any). Faculty and students can use Office applications online (standard plans) or run them locally (Office 365 ProPlus plans). Table 1 lists the advantages and disadvantages of standard and Office 365 ProPlus plans.
  4. -
    -*Table 1. Comparison of standard and Microsoft Office 365 ProPlus plans* -
    - ----- - - - - - - - - - - - - -
    PlanAdvantagesDisadvantages
    Standard
    • Less expensive than Office 365 ProPlus
    • Can be run from any device
    • No installation necessary
    • Must have an Internet connection to use it
    • Does not support all the features found in Office 365 ProPlus
    Office ProPlus
    • Only requires an Internet connection every 30 days (for activation)
    • Supports full set of Office features
    • Requires installation
    • Can be installed on only five devices per user (there is no limit to the number of devices on which you can run Office apps online)
    -
    -The best user experience is to run Office 365 ProPlus or use native Office apps on mobile devices. If neither of these options is available, use Office applications online. In addition, all Office 365 plans provide a better user experience by storing documents in OneDrive for Business, which is included in all Office 365 plans. OneDrive for Business keeps content in sync among devices and helps ensure that users always have access to their documents on any device. -
    -
  5. Determine whether students or faculty need Azure Rights Management.
    You can use Azure Rights Management to protect classroom information against unauthorized access. Azure Rights Management protects your information inside or outside the classroom through encryption, identity, and authorization policies, securing your files and email. You can retain control of the information, even when it’s shared with people outside the classroom or your educational institution. Azure Rights Management is free to use with all Office 365 Education license plans. For more information, see [Azure Rights Management](https://technet.microsoft.com/library/jj585024.aspx).
  6. -
  7. Record the Office 365 Education license plans needed for the classroom in Table 2.

    - -*Table 2. Office 365 Education license plans needed for the classroom* -
    - ---- - - - - - - - - - - - - -
    QuantityPlan
    Office 365 Education for students
    Office 365 Education for faculty
    Azure Rights Management for students
    Azure Rights Management for faculty
    -
    -You will use the Office 365 Education license plan information you record in Table 2 in the [Create user accounts in Office 365](#create-user-accounts-in-office-365) section of this guide.
- -### Create a new Office 365 Education subscription - -To create a new Office 365 Education subscription for use in the classroom, use your educational institution’s email account. There are no costs to you or to students for signing up for Office 365 Education subscriptions. - ->**Note:**  If you already have an Office 365 Education subscription, you can use that subscription and continue to the next section, [Add domains and subdomains](#add-domains-and-subdomains). - -#### To create a new Office 365 subscription - -1. In Microsoft Edge or Internet Explorer, type `https://portal.office.com/start?sku=faculty` in the address bar. - - >**Note**  If you have already used your current sign-in account to create a new Office 365 subscription, you will be prompted to sign in. If you want to create a new Office 365 subscription, start an In-Private Window in one of the following:
- - Microsoft Edge by opening the Microsoft Edge app, either pressing Ctrl+Shift+P or clicking or tapping **More actions**, and then clicking or tapping **New InPrivate window**. - - Internet Explorer 11 by opening Internet Explorer 11, either pressing Ctrl+Shift+P or clicking or tapping **Settings**, clicking or tapping **Safety**, and then clicking or tapping **InPrivate Browsing**. - -2. On the **Get started** page, type your school email address in the **Enter your school email address** box, and then click **Sign up**. You will receive an email in your school email account. -3. Click the hyperlink in the email in your school email account. -4. On the **One last thing** page, complete your user information, and then click **Start**. The wizard creates your new Office 365 Education subscription, and you are automatically signed in as the administrative user you specified when you created the subscription. - -### Add domains and subdomains - -Now that you have created your new Office 365 Education subscription, add the domains and subdomains that your institution uses. For example, if your institution has contoso.edu as the primary domain name but you have subdomains for students or faculty (such as students.contoso.edu and faculty.contoso.edu), then you need to add the subdomains. - -#### To add additional domains and subdomains - -1. In the Office 365 admin center, in the list view, click **DOMAINS**. -2. In the details pane, above the list of domains, on the menu bar, click **Add domain**. -3. In the Add a New Domain in Office 365 Wizard, on the **Verify domain wizard** page, click **Let’s get started**. -4. On the **Verify domain** wizard page, in the **Enter a domain you already own** box, type your domain name, and then click **Next**. -5. Sign in to your domain name management provider (for example, Network Solutions or GoDaddy), and then complete the steps for your provider. -6. 
Repeat these steps for each domain and subdomain you want faculty and students to use for your institution. - -### Configure automatic tenant join - -To make it easier for faculty and students to join your Office 365 Education subscription (or *tenant*), allow them to automatically sign up to your tenant (*automatic tenant join*). In automatic tenant join, when a faculty member or student signs up for Office 365, Office 365 automatically adds (joins) the user to your Office 365 tenant. - ->**Note:**  By default, automatic tenant join is enabled in Office 365 Education, with the exception of certain areas in Europe, the Middle East, and Africa. These countries require opt-in steps to add new users to existing Office 365 tenants. Check your country requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled. - -Office 365 uses the domain portion of the user’s email address to know which Office 365 tenant to join. For example, if a faculty member or student provides an email address of user@contoso.edu, then Office 365 automatically performs one of the following tasks: - -- If an Office 365 tenant with that domain name (contoso.edu) exists, Office 365 automatically adds the user to that tenant. -- If an Office 365 tenant with that domain name (contoso.edu) does not exists, Office 365 automatically creates a new Office 365 tenant with that domain name and adds the user to it. - -You will always want faculty and students to join the Office 365 tenant that you created. Ensure that you perform the steps in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) and [Add domains and subdomains](#add-domains-and-subdomains) sections before allowing other faculty and students to join Office 365. 
- ->**Note:**  You cannot merge multiple tenants, so any faculty or students who create their own tenant will need to abandon their existing tenant and join yours. - -All new Office 365 Education subscriptions have automatic tenant join enabled by default, but you can enable or disable automatic tenant join by using the Windows PowerShell commands in Table 3. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins). - -*Table 3. Windows PowerShell commands to enable or disable Automatic Tenant Join* - - -| Action | Windows PowerShell command | -|------- |----------------------------| -| Enable |`Set-MsolCompanySettings -AllowEmailVerifiedUsers $true`| -| Disable |`Set-MsolCompanySettings -AllowEmailVerifiedUsers $false`| -

->**Note:**  If your institution has AD DS, then disable automatic tenant join. Instead, use Azure AD integration with AD DS to add users to your Office 365 tenant. - -### Disable automatic licensing - -To reduce your administrative effort, automatically assign Office 365 Education or Office 365 Education Plus licenses to faculty and students when they sign up (automatic licensing). Automatic licensing also enables Office 365 Education or Office 365 Education Plus features that do not require administrative approval. - ->**Note:**  By default, automatic licensing is enabled in Office 365 Education. If you want to use automatic licensing, then skip this section and go to the next section. - -Although all new Office 365 Education subscriptions have automatic licensing enabled by default, you can enable or disable it for your Office 365 tenant by using the Windows PowerShell commands in Table 4. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins). - -*Table 4. Windows PowerShell commands to enable or disable automatic licensing* - -| Action | Windows PowerShell command| -| -------| --------------------------| -| Enable |`Set-MsolCompanySettings -AllowAdHocSubscriptions $true`| -|Disable | `Set-MsolCompanySettings -AllowAdHocSubscriptions $false`| -

-### Enable Azure AD Premium - -When you create your Office 365 subscription, you create an Office 365 tenant that includes an Azure AD directory. Azure AD is the centralized repository for all your student and faculty accounts in Office 365, Intune, and other Azure AD–integrated apps. Azure AD is available in Free, Basic, and Premium editions. Azure AD Free, which is included in Office 365 Education, has fewer features than Azure AD Basic, which in turn has fewer features than Azure AD Premium. - -Educational institutions can obtain Azure AD Basic edition licenses at no cost. After you obtain your licenses, activate your Azure AD access by completing the steps in [Step 3: Activate your Azure Active Directory access](https://azure.microsoft.com/en-us/documentation/articles/active-directory-get-started-premium/#step-3-activate-your-azure-active-directory-access). - -The Azure AD Premium features that are not in Azure AD Basic include: - -- Allow designated users to manage group membership -- Dynamic group membership based on user metadata -- Multifactor authentication (MFA) -- Identify cloud apps that your users run -- Automatic enrollment in a mobile device management (MDM) system (such as Intune) -- Self-service recovery of BitLocker -- Add local administrator accounts to Windows 10 devices -- Azure AD Connect health monitoring -- Extended reporting capabilities - -You can assign Azure AD Premium licenses to the users who need these features. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Azure AD Premium to only those users. - -You can sign up for Azure AD Premium, and then assign licenses to users. In this section, you sign up for Azure AD Premium. You will assign Azure AD Premium licenses to users later in the deployment process. 
- -For more information about: - -- Azure AD editions and the features in each, see [Azure Active Directory editions](https://azure.microsoft.com/en-us/documentation/articles/active-directory-editions/). -- How to enable Azure AD premium, see [Associate an Azure AD directory with a new Azure subscription](https://msdn.microsoft.com/en-us/library/azure/jj573650.aspx#create_tenant3). - -### Summary -You provision and initially configure Office 365 Education as part of the initial configuration. With the subscription in place, automatic tenant join configured, automatic licensing established, and Azure AD Premium enabled (if required), you’re ready to select the method you will use to create user accounts in Office 365. - -## Select an Office 365 user account–creation method - - -Now that you have an Office 365 subscription, you need to determine how you will create your Office 365 user accounts. Use the following methods to create Office 365 user accounts: - -- **Method 1:** Automatically synchronize your on-premises AD DS domain with Azure AD. Select this method if you have an on-premises AD DS domain. -- **Method 2:** Bulk-import the user accounts from a .csv file (based on information from other sources) into Azure AD. Select this method if you don’t have an on-premises AD DS domain. - -### Method 1: Automatic synchronization between AD DS and Azure AD - -In this method, you have an on-premises AD DS domain. As shown in Figure 4, the Azure AD Connector tool automatically synchronizes AD DS with Azure AD. When you add or change any user accounts in AD DS, the Azure AD Connector tool automatically updates Azure AD. - ->**Note:**  Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](https://technet.microsoft.com//library/dn510997.aspx?f=255&MSPPError=-2147217396). 
- -![fig 4](images/deploy-win-10-school-figure4.png) - -*Figure 4. Automatic synchronization between AD DS and Azure AD* - -For more information about how to perform this step, see the [Integrate on-premises AD DS with Azure AD](#integrate-on-premises-ad-ds-with-azure-ad) section in this guide. - -### Method 2: Bulk import into Azure AD from a .csv file - -In this method, you have no on-premises AD DS domain. As shown in Figure 5, you manually prepare a .csv file with the student information from your source, and then manually import the information directly into Azure AD. The .csv file must be in the format that Office 365 specifies. - -![fig 5](images/deploy-win-10-school-figure5.png) - -*Figure 5. Bulk import into Azure AD from other sources* - -To implement this method, perform the following steps: - -1. Export the student information from the source. Ultimately, you want to format the student information in the format the bulk-import feature requires. -2. Bulk-import the student information into Azure AD. For more information about how to perform this step, see the [Bulk-import user accounts into Office 365](#bulk-import-user-accounts-into-office-365) section. - -### Summary - -In this section, you selected the method for creating user accounts in your Office 365 subscription. Ultimately, these user accounts are in Azure AD (which is the identity management system for Office 365). Now, you’re ready to create your Office 365 accounts. - -## Integrate on-premises AD DS with Azure AD - -You can integrate your on-premises AD DS domain with Azure AD to provide identity management for your Office 365 tenant. With this integration, you can synchronize the users, security groups, and distribution lists in your AD DS domain with Azure AD with the Azure AD Connect tool. Users will be able to sign in to Office 365 automatically by using their email account and the same password they use to sign in to AD DS. 
- ->**Note:**  If your institution does not have an on-premises AD DS domain, you can skip this section. - -### Select synchronization model - -Before you deploy AD DS and Azure AD synchronization, you need to determine where you want to deploy the server that runs Azure AD Connect. - -You can deploy the Azure AD Connect tool by using one of the following methods: - -- **On premises.** As shown in Figure 6, Azure AD Connect runs on premises, which has the advantage of not requiring a virtual private network (VPN) connection to Azure. It does, however, require a virtual machine (VM) or physical server. - - ![fig 6](images/deploy-win-10-school-figure6.png) - - *Figure 6. Azure AD Connect on premises* - -- **In Azure**. As shown in Figure 7, Azure AD Connect runs on a VM in Azure AD, which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises. - - ![fig 7](images/deploy-win-10-school-figure7.png) - - *Figure 7. Azure AD Connect in Azure* - -This guide describes how to run Azure AD Connect on premises. For information about running Azure AD Connect in Azure, see [Deploy Office 365 Directory Synchronization (DirSync) in Microsoft Azure](https://technet.microsoft.com//library/dn635310.aspx). - -### Deploy Azure AD Connect on premises - -In this synchronization model (illustrated in Figure 6), you run Azure AD Connect on premises on a physical device or VM. Azure AD Connect synchronizes AD DS user and group accounts with Azure AD. Azure AD Connect includes a wizard that helps you configure Azure AD Connect for your AD DS domain and Office 365 subscription. First, you install Azure AD Connect; then, you run the wizard to configure it for your institution. - -#### To deploy AD DS and Azure AD synchronization - -1. 
Configure your environment to meet the prerequisites for installing Azure AD Connect by performing the steps in [Prerequisites for Azure AD Connect](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-prerequisites/). -2. On the VM or physical device that will run Azure AD Connect, sign in with a domain administrator account. -3. Install Azure AD Connect by performing the steps in [Install Azure AD Connect](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/#install-azure-ad-connect). -4. Configure Azure AD Connect features based on your institution’s requirements by performing the steps in [Configure features](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/#configure-sync-features). - -Now that you have used on premises Azure AD Connect to deploy AD DS and Azure AD synchronization, you’re ready to verify that Azure AD Connect is synchronizing AD DS user and group accounts with Azure AD. - -### Verify synchronization - -Azure AD Connect should start synchronization immediately. Depending on the number of users in your AD DS domain, the synchronization process can take some time. To monitor the process, view the number of AD DS users and groups the tool has synchronized with Azure AD in the Office 365 admin console. - -#### To verify AD DS and Azure AD synchronization - -1. Open https://portal.office.com in your web browser. -2. Using the administrative account that you created in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) section, sign in to Office 365. -3. In the list view, expand **USERS**, and then click **Active Users**. -4. In the details pane, view the list of users. The list of users should mirror the users in AD DS. -5. In the list view, click **GROUPS**. -6. In the details pane, view the list of security groups. The list of users should mirror the security groups in AD DS. -7. 
In the details pane, double-click one of the security groups. -8. The list of security group members should mirror the group membership for the corresponding security group in AD DS. -9. Close the browser. - -Now that you have verified Azure AD Connect synchronization, you’re ready to assign user licenses for Azure AD Premium. - -### Summary - -In this section, you selected your synchronization model, deployed Azure AD Connect, and verified that Azure AD is synchronizing properly. - -## Bulk-import user and group accounts into AD DS - -You can bulk-import user and group accounts into your on-premises AD DS domain. Bulk-importing accounts helps reduce the time and effort needed to create users compared to creating the accounts manually in the Office 365 Admin portal. First, you select the appropriate method for bulk-importing user accounts into AD DS. Next, you create the .csv file that contains the user accounts. Finally, you use the selected method to import the .csv file into AD DS. - ->**Note:**  If your institution doesn’t have an on-premises AD DS domain, you can skip this section. - -### Select the bulk import method - -Several methods are available to bulk-import user accounts into AD DS domains. Table 5 lists the methods that the Windows Server operating system supports natively. In addition, you can use partner solutions to bulk-import user and group accounts into AD DS. - -*Table 5. AD DS bulk-import account methods* - -|Method | Description and reason to select this method | -|-------| ---------------------------------------------| -|Ldifde.exe |This command-line tool allows you to import and export objects (such as user accounts) from AD DS. Select this method if you aren’t comfortable with Microsoft Visual Basic Scripting Edition (VBScript), Windows PowerShell, or other scripting languages. 
For more information about using Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com//library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).| -|VBScript | This scripting language uses the Active Directory Services Interfaces (ADSI) Component Object Model interface to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with VBScript. For more information about using VBScript and ADSI, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com//library/bb727091.aspx) and [ADSI Scriptomatic](https://technet.microsoft.com//scriptcenter/dd939958.aspx).| -|Windows PowerShell| This scripting language natively supports cmdlets to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with Window PowerShell scripting. For more information about using Windows PowerShell, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](http://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).| -

-### Create a source file that contains the user and group accounts - -After you have selected your user and group account bulk import method, you’re ready to create the source file that contains the user and group account. You’ll use the source file as the input to the import process. The source file format depends on the method you selected. Table 6 lists the source file format for the bulk import methods. - -*Table 6. Source file format for each bulk import method* - -| Method | Source file format | -|--------| -------------------| -|Ldifde.exe|Ldifde.exe requires a specific format for the source file. Use Ldifde.exe to export existing user and group accounts so that you can see the format. For examples of the format that Ldifde.exe requires, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com//library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).| -|VBScript | VBScript can use any .csv file format to create a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in comma-separated values (CSV) format, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com//library/bb727091.aspx).| -| Windows PowerShell| Windows PowerShell can use any .csv file format you want to create as a source file for the bulk-import process. To create the .csv file, use software such as Excel. 
For examples of how to format your source file in CSV format, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](http://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).| -

-### Import the user accounts into AD DS
-
-With the bulk-import source file finished, you’re ready to import the user and group accounts into AD DS. The steps for importing the file are slightly different for each method.
-
->**Note:**  Bulk-import your group accounts first, and then import your user accounts. Importing in this order allows you to specify group membership when you import your user accounts.
-
-For more information about how to import user accounts into AD DS by using:
-
-- Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com//library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).
-- VBScript, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com//library/bb727091.aspx).
-- Windows PowerShell, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](http://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).
-
-### Summary
-
-In this section, you selected the bulk-import method, created the source file that contains the user and group accounts, and imported the user and group accounts in to AD DS. If you have Azure AD Connect, it automatically synchronizes the new AD DS user and group accounts to Azure AD. Now, you’re ready to assign user licenses for Azure AD Premium in the [Assign user licenses for Azure AD Premium](#assign-user-licenses-for-azure-ad-premium) section later in this guide.
- -## Bulk-import user accounts into Office 365 - -You can bulk-import user and group accounts directly into Office 365, reducing the time and effort required to create users. First, you bulk-import the user accounts into Office 365. Then, you create the security groups for your institution. Finally, you create the email distribution groups your institution requires. - -### Create user accounts in Office 365 - -Now that you have created your new Office 365 Education subscription, you need to create user accounts. You can add user accounts for the teachers, other faculty, and students who will use the classroom. - -You can use the Office 365 admin center to add individual Office 365 accounts manually—a reasonable process when you’re adding only a few users. If you have many users, however, you can automate the process by creating a list of those users, and then use that list to create user accounts (that is, bulk-add users). - -The bulk-add process assigns the same Office 365 Education license plan to all users on the list. Therefore, you must create a separate list for each license plan you recorded in Table 2. Depending on the number of faculty members who need to use the classroom, you may want to add the faculty Office 365 accounts manually; however, use the bulk-add process to add student accounts. - -For more information about how to bulk-add users to Office 365, see [Add several users at the same time to Office 365](https://support.office.com/en-us/article/Add-several-users-at-the-same-time-to-Office-365-Admin-Help-1f5767ed-e717-4f24-969c-6ea9d412ca88?ui=en-US&rs=en-US&ad=US). - ->**Note:**  If you encountered errors during bulk add, resolve them before you continue the bulk-add process. You can view the log file to see which users caused the errors, and then modify the .csv file to correct the problems. Click **Back** to retry the verification process. - -The email accounts are assigned temporary passwords upon creation. 
You must communicate these temporary passwords to your users before they can sign in to Office 365. - -### Create Office 365 security groups - -Assign SharePoint Online resource permissions to Office 365 security groups, not individual user accounts. For example, create one security group for faculty members and another for students. Then, you can assign unique SharePoint Online resource permissions to faculty members and a different set of permissions to students. Add or remove users from the security groups to grant or revoke access to SharePoint Online resources. - ->**Note:**  If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant. - -For information about creating security groups, see [Create and manage Office 365 groups in Admin Center Preview](https://support.office.com/en-us/article/Create-and-manage-Office-365-groups-in-Admin-Center-Preview-93df5bd4-74c4-45e8-9625-56db92865a6e?ui=en-US&rs=en-US&ad=US). - -You can add and remove users from security groups at any time. - ->**Note:**  Office 365 evaluates group membership when users sign in. If you change group membership for a user, that user may need to sign out, and then sign in again for the change to take effect. - -### Create email distribution groups - -Microsoft Exchange Online uses an email distribution group as a single email recipient for multiple users. For example, you could create an email distribution group that contains all students. Then, you could send a message to the email distribution group instead of individually addressing the message to each student. - -You can create email distribution groups based on job role (such as teachers, administration, or students) or specific interests (such as robotics, drama club, or soccer team). You can create any number of distribution groups, and users can be members of more than one group. 
- ->**Note:**  Office 365 can take some time to complete the Exchange Online creation process. You will have to wait until Office 365 completes the Exchange Online creation process before you can perform the following steps. - -For information about how to create security groups, see [Create and manage Office 365 groups in Admin Center Preview](https://support.office.com/en-us/article/Create-and-manage-Office-365-groups-in-Admin-Center-Preview-93df5bd4-74c4-45e8-9625-56db92865a6e?ui=en-US&rs=en-US&ad=US). - -### Summary - -Now, you have bulk-imported the user accounts into Office 365. First, you selected the bulk-import method. Next, you created the Office 365 security groups in Office 365. Finally, you created the Office 365 email distribution groups. Now, you’re ready to assign user licenses for Azure AD Premium. - -## Assign user licenses for Azure AD Premium - -Azure AD is available in Free, Basic, and Premium editions. Azure AD Free, which is included in Office 365 Education, has fewer features than Azure AD Basic, which in turn has fewer features than Azure AD Premium. Educational institutions can obtain Azure AD Basic licenses at no cost and Azure AD Premium licenses at a reduced cost. - -You can assign Azure AD Premium licenses to the users who need the features this edition offers. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Azure AD Premium only to those users. - -For more information about: - -- Azure AD editions, see [Azure Active Directory editions](https://azure.microsoft.com/en-us/documentation/articles/active-directory-editions/). -- How to assign user licenses for Azure AD Premium, see [How to assign EMS/Azure AD Premium licenses to user accounts](https://channel9.msdn.com/Series/Azure-Active-Directory-Videos-Demos/How-to-assign-Azure-AD-Premium-Licenses-to-user-accounts). 
- -## Create and configure a Windows Store for Business portal - -Windows Store for Business allows you to create your own private portal to manage Windows Store apps in your institution. With Windows Store for Business, you can do the following: - -- Find and acquire Windows Store apps. -- Manage apps, app licenses, and updates. -- Distribute apps to your users. - -For more information about Windows Store for Business, see [Windows Store for Business overview](https://technet.microsoft.com/itpro/windows/whats-new/windows-store-for-business-overview). - -The following section shows you how to create a Windows Store for Business portal and configure it for your school. - -### Create and configure your Windows Store for Business portal - -To create and configure your Windows Store for Business portal, simply use the administrative account for your Office 365 subscription to sign in to Windows Store for Business. Windows Store for Business automatically creates a portal for your institution and uses your account as its administrator. - -#### To create and configure a Windows Store for Business portal - -1. In Microsoft Edge or Internet Explorer, type `http://microsoft.com/business-store` in the address bar. -2. On the **Windows Store for Business** page, click **Sign in with an organizational account**. ->**Note:**  If your institution has AD DS, then don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant. -3. On the Windows Store for Business sign-in page, use the administrative account for the Office 365 subscription you created in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) section to sign in. -4. 
On the **Windows Store for Business Services Agreement** page, review the agreement, select the **I accept this agreement and certify that I have the authority to bind my organization to its terms** check box, and then click **Accept** -5. In the **Welcome to the Windows Store for Business** dialog box, click **OK**. - -After you create the Windows Store for Business portal, configure it by using the commands in the settings menu listed in Table 7. Depending on your institution, you may (or may not) need to change these settings to further customize your portal. - -*Table 7. Menu selections to configure Windows Store for Business settings* - -| Menu selection | What you can do in this menu | -|---------------| -------------------| -|Account information|Displays information about your Windows Store for Business account (no settings can be changed). You make changes to this information in Office 365 or the Azure Portal. For more information, see [Update Windows Store for Business account settings](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings).| -|Device Guard signing|Allows you to upload and sign Device Guard catalog and policy files. For more information about Device Guard, see [Device Guard deployment guide](https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide).| -|LOB publishers| Allows you to add line-of-business (LOB) publishers that can then publish apps to your private store. LOB publishers are usually internal developers or software vendors that are working with your institution. For more information, see [Working with line-of-business apps](https://technet.microsoft.com/itpro/windows/manage/working-with-line-of-business-apps).| -|Management tools| Allows you to add tools that you can use to distribute (deploy) apps in your private store. 
For more information, see [Distribute apps with a management tool](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-with-management-tool).| -|Offline licensing|Allows you to show (or not show) offline licensed apps to people shopping in your private store. For more information, see [Licensing model: online and offline licenses](https://technet.microsoft.com/itpro/windows/manage/apps-in-windows-store-for-business#licensing-model).| -|Permissions|Allows you to grant other users in your organization the ability to buy, manage, and administer your Windows Store for Business portal. You can also remove permissions you have previously granted. For more information, see [Roles and permissions in Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/roles-and-permissions-windows-store-for-business).| -|Private store|Allows you to change the organization name used in your Windows Store for Business portal. When you create your portal, the private store uses the organization name that you used to create your Office 365 subscription. For more information, see [Distribute apps using your private store](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-from-your-private-store).| -

-### Find, acquire, and distribute apps in the portal - -Now that you have created your Windows Store for Business portal, you’re ready to find, acquire, and distribute apps that you will add to your portal. You do this by using the Inventory page in Windows Store for Business. - ->**Note:**  Your educational institution can now use a credit card or purchase order to pay for apps in Windows Store for Business. - -You can deploy apps to individual users or make apps available to users through your private store. Deploying apps to individual users restricts the app to those specified users. Making apps available through your private store allows all your users. - -For more information about how to find, acquire, and distribute apps in the portal, see [App inventory management for Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/app-inventory-managemement-windows-store-for-business). - -### Summary - -At the end of this section, you should have a properly configured Windows Store for Business portal. You have also found and acquired your apps from Windows Store. Finally, you should have deployed all your Windows Store apps to your users. Now, you’re ready to deploy Windows Store apps to your users. - -## Plan for deployment - -You will use the LTI deployment process in MDT to deploy Windows 10 to devices or to upgrade devices to Windows 10. Prior to preparing for deployment, you must make some deployment planning decisions, including selecting the operating systems you will use, the approach you will use to create your Windows 10 images, and the method you will use to initiate the LTI deployment process. - -### Select the operating systems - -Later in the process, you will import the versions of Windows 10 you want to deploy. You can deploy the operating system to new devices, refresh existing devices, or upgrade existing devices. 
In the case of: - -- New devices or refreshing existing devices, you will complete replace the existing operating system on a device with Windows 10. -- Upgrading existing devices, you will upgrade the existing operating system (the Windows 8.1 or Windows 7 operating system) to Windows 10. - -Depending on your school’s requirements, you may need any combination of the following Windows 10 editions: - -- **Windows 10 Home**. Use this operating system to upgrade existing eligible institution-owned and personal devices that are running Windows 8.1 Home or Windows 7 Home to Windows 10 Home. -- **Windows 10 Pro**. Use this operating system to: - - Upgrade existing eligible institution-owned and personal devices running Windows 8.1 Pro or Windows 7 Professional to Windows 10 Pro. - - Deploy new instances of Windows 10 Pro to devices so that new devices have a known configuration. -- **Windows 10 Education**. Use this operating system to: - - Upgrade institution-owned devices to Windows 10 Education. - - Deploy new instances of Windows 10 Education so that new devices have a known configuration. - ->**Note:**  Although you can use Windows 10 Home on institution-owned devices, Microsoft recommends that you use Windows 10 Pro or Windows 10 Education, instead. Windows 10 Pro and Windows 10 Education provide support for MDM, policy-based management, and Windows Store for Business. These features are not available in Windows 10 Home. - -One other consideration is the mix of processor architectures you will support. If you can, support only 64-bit versions of Windows 10. If you have devices that can run only 32 bit versions of Windows 10, you will need to import both 64-bit and 32-bit versions of the Windows 10 editions listed above. - ->**Note:**  On devices that have minimal system resources (such as devices with only 2 GB of memory or 32 GB of storage), use 32-bit versions of Windows 10 because 64-bit versions of Windows 10 place more stress on device system resources. 
- -Finally, as a best practice, minimize the number of operating systems that you deploy and manage. If possible, standardize institution-owned devices on one Windows 10 edition (such as a 64-bit version of Windows 10 Education or Windows 10 Pro). Of course, you cannot standardize personal devices on a specific operating system version or processor architecture. - -### Select an image approach - -A key operating system image decision is whether to use a “thin” or “thick” image. *Thin images* contain only the operating system, and MDT installs the necessary device drivers and apps after the operating system has been installed. *Thick images* contain the operating system, “core” apps (such as Office), and device drivers. With thick images, MDT installs any device drivers and apps not included in the thick image after the operating system has been installed. - -The advantage to a thin image is that the final deployment configuration is dynamic, and you can easily change the configuration without having to capture another image. The disadvantage of a thin image is that it takes longer to complete the deployment. - -The advantage of a thick image is that the deployment takes less time than it would for a thin image. The disadvantage of a thick image is that you need to capture a new image each time you want to make a change to the operating system, apps, or other software in the image. - -### Select a method to initiate deployment - -The MDT deployment process is highly automated, requiring minimal information to deploy or upgrade Windows 10, but you must manually initiate the MDT deployment process. To do so, use the method listed in Table 8 that best meets the needs of your institution. - -*Table 8. Methods to initiate MDT deployment* - - ---- - - - - - - - - - - - - - - - - - - - - - - - -
MethodDescription and reason to select this method
Windows Deployment ServicesThis method:

-
    -
  • Uses diskless booting to initiate MDT deployment.
  • -
  • Works only with devices that support PXE boot.
  • -
  • Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
  • -
  • Deploys images more slowly than when using local media.
  • -
  • Requires that you deploy a Windows Deployment Services server.
  • -
- -Select this method when you want to deploy Windows over-the-network and perform diskless booting. The advantage of this method is that the diskless media are generic and typically don’t require updates after you create them (the Deployment Wizard accesses the centrally located deployment share over the network). The disadvantage of this method is that over-the-network deployments are slower than deployments from local media, and you must deploy a Windows Deployment Services server.
Bootable mediaThis method:

-
    -
  • Initiates MDT deployment by booting from local media, including from USB drives, DVD-ROM, or CD-ROM.
  • -
  • Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
  • -
  • Deploys images more slowly than when using local media.
  • -
  • Requires no additional infrastructure.
  • -
- -Select this method when you want to deploy Windows over-the-network and are willing to boot the target device from local media. The advantage of this method is that the media are generic and typically don’t require updates after you create them (the Deployment Wizard accesses the centrally located deployment share over the network). The disadvantage of this method is that over-the-network deployments are slower than deployment from local media.
MDT deployment mediaThis method:

-
    -
  • Initiates MDT deployment by booting from a local USB hard disk.
  • -
  • Deploys Windows 10 from local media, which consumes less network bandwidth than over-the-network methods.
  • -
  • Deploys images more quickly than network-based methods do.
  • -
  • Requires a USB hard disk because of the deployment share’s storage requirements (up to 100 GB).
  • -
- -Select this method when you want to perform local deployments and are willing to boot the target device from a local USB hard disk. The advantage of this method is that local deployments are faster than over-the-network deployments. The disadvantage of this method is that each time you change the deployment share, you must regenerate the MDT deployment media and update the USB hard disk.
- -### Summary - -At the end of this section, you should know the Windows 10 editions and processor architecture that you want to deploy (and will import later in the process). You also determined whether you want to use thin or thick images. Finally, you selected the method for initiating your LTI deployment. Now, you can prepare for Windows 10 deployment. - -## Prepare for deployment - -To deploy Windows 10 to devices, using the LTI deployment method in MDT. In this section, you prepare your MDT environment and Windows Deployment Services for Windows 10 deployment. - -### Configure the MDT deployment share - -The first step in preparation for Windows 10 deployment is to configure—that is, *populate*—the MDT deployment share. Table 9 lists the MDT deployment share configuration tasks that you must perform. Perform the tasks in the order represented in Table 9. - -*Table 9. Tasks to configure the MDT deployment share* - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TaskDescription
1. Import operating systemsImport the operating systems that you selected in the [Select operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import an Operating System into the Deployment Workbench](https://technet.microsoft.com//library/dn759415.aspx#ImportanOperatingSystemintotheDeploymentWorkbench).
2. Import device drivesDevice drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat.

- -Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](https://technet.microsoft.com//library/dn759415.aspx#ImportDeviceDriversintotheDeploymentWorkbench). - -
3. Create MDT applications for Windows Store appsCreate an MDT application for each Windows Store app you want to deploy. You can deploy Windows Store apps by using *sideloading*, which allows you to use the **Add-AppxPackage** Windows PowerShell cmdlet to deploy the .appx files associated with the app (called *provisioned apps*). Use this method to deploy up to 24 apps to Windows 10.

- -Prior to sideloading the .appx files, obtain the Windows Store .appx files that you will use to deploy (sideload) the apps in your provisioning package. For apps in Windows Store, you will need to obtain the .appx files from the app software vendor directly. If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Windows Store or Windows Store for Business.

- -If you have Intune, you can deploy Windows Store apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Windows Store apps, and you can use it for ongoing management of Windows Store apps. This is the preferred method of deploying and managing Windows Store apps.

- -In addition, you must prepare your environment for sideloading (deploying) Windows Store apps. For more information about how to:

-
    -
  • Prepare your environment for sideloading, see [Sideload LOB apps in Windows 10](https://technet.microsoft.com/itpro/windows/deploy/sideload-apps-in-windows-10).
  • -
  • Create an MDT application, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com//library/dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench).
  • -
- - -
4. Create MDT applications for Windows desktop apps -You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.

- -To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in [Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](https://technet.microsoft.com//library/jj219423.aspx?f=255&MSPPError=-2147217396).

- -If you have Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This is the preferred method for deploying and managing Windows desktop apps.

**Note:**  You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section.

- -For more information about how to create an MDT application for Window desktop apps, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com//library/dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench). - -
5. Create task sequences. -You must create a separate task sequences for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in Step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education; (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education; or (3) if you want to run deployments and upgrades for both 32 bit and 64 bit versions of Windows 10. To do so, you must create task sequences that will: -

-
  • Deploy Windows 10 Education 64-bit to devices.
  • -
  • Deploy Windows 10 Education 32-bit to devices.
  • -
  • Upgrade existing devices to Windows 10 Education 64-bit.
  • -
  • Upgrade existing devices to Windows 10 Education 32-bit.
  • -
- -Again, you will create the task sequences based on the operating systems that you imported in Step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](https://technet.microsoft.com//library/dn759415.aspx#CreateaNewTaskSequenceintheDeploymentWorkbench). - -
6. Update the deployment share. -Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32 bit and 64 bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services.

- -For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](https://technet.microsoft.com//library/dn759415.aspx#UpdateaDeploymentShareintheDeploymentWorkbench).
- -### Configure Window Deployment Services for MDT - -You can use Windows Deployment Services in conjunction with MDT to automatically initiate boot images on target computers. These boot images can be Windows PE images (which you generated in Step 6 in Table 9) or custom images that can deploy operating systems directly to the target computers. - -#### To configure Windows Deployment Services for MDT - -1. Set up and configure Windows Deployment Services.

Windows Deployment Services is a server role available in all Windows Server editions. You can enable the Windows Deployment Services server role on a new server or on any server running Windows Server in your institution. For more information about how to perform this step, see the following resources: - - - [Windows Deployment Services overview](https://technet.microsoft.com/library/hh831764.aspx) - - The Windows Deployment Services Help file, included in Windows Deployment Services - - [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com//library/jj648426.aspx) - -2. Add LTI boot images (Windows PE images) to Windows Deployment Services.

The LTI boot images (.wim files) that you will add to Windows Deployment Services are in the MDT deployment share. Locate the .wim files in the Boot subfolder in the deployment share. For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](https://technet.microsoft.com//library/dn759415.aspx#AddLTIBootImagestoWindowsDeploymentServices). - -### Summary - -Now, Windows Deployment Services is ready to initiate the LTI deployment process in MDT. You have set up and configured Windows Deployment Services and added the LTI boot images, which you generated in the previous section, to Windows Deployment Services. Now, you’re ready to prepare to manage the devices in your institution. - -## Prepare for device management - -Before you deploy Windows 10 in your institution, you must prepare for device management. You will deploy Windows 10 in a configuration that complies with your requirements, but you want to help ensure that your deployments remain compliant. - -### Select the management method - -If you have only one device to configure, manually configuring that one device is tedious but possible. When you have multiple classrooms of devices to configure, however, manually configuring each device becomes overwhelming. In addition, manually keeping an identical configuration on each device is virtually impossible as the number of devices in the school increases. - -For a school, there are many ways to manage devices. Table 10 lists the methods that this guide describes and recommends. Use the information in Table 10 to determine which combination of management methods is right for your institution. - -*Table 10. School management methods* - - ---- - - - - - - - - - - - - - - - - - - - -
MethodDescription
Group Policy -Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows. Select this method when you: -
    -
  • Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).
  • -
  • Want more granular control of device and user settings.
  • -
  • Have an existing AD DS infrastructure.
  • -
  • Typically manage on-premises devices.
  • -
  • Can manage a required setting only by using Group Policy.
  • -
- -The advantages of this method include: -
    -
  • No cost beyond the AD DS infrastructure.
  • -
  • A larger number of settings (compared to Intune).
  • -
-The disadvantages of this method are: -
    -
  • Can only manage domain-joined (institution-owned devices).
  • -
  • Requires an AD DS infrastructure (if the institution does not have AD DS already).
  • -
  • Typically manages on-premises devices (unless devices connect by using a VPN or DirectAccess).
  • -
-
IntuneIntune is a cloud-based management system that allows you to specify configuration settings for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD. -Select this method when you: -
    -
  • Want to manage institution-owned and personal devices (does not require that the device be domain joined).
  • -
  • Don’t require the level of granular control over device and user settings (compared to Group Policy).
  • -
  • Don’t have an existing AD DS infrastructure.
  • -
  • Need to manage devices regardless of where they are (on or off premises).
  • -
  • Can manage a required setting only by using Intune.
  • -
- -The advantages of this method are: -
    -
  • You can manage institution-owned and personal devices.
  • -
  • It doesn’t require that devices be domain joined.
  • -
  • It doesn’t require any on-premises infrastructure.
  • -
  • It can manage devices regardless of their location (on or off premises).
  • - -
-The disadvantages of this method are: -
    -
  • Carries an additional cost for subscription.
  • -
  • Doesn’t have a granular level control over device and user settings (compared to Group Policy).
  • -
- -

- -### Select Microsoft-recommended settings - -Microsoft has several recommended settings for educational institutions. Table 11 lists them, provides a brief description of why you need to configure them, and recommends methods for configuring the settings. Review the settings in Table 11 and evaluate their relevancy to your institution. Use the information to help you determine whether you need to configure the setting and which method you will use to do so. At the end, you will have a list of settings that you want to apply to the Windows 10 devices and know which management method you will use to configure the settings. - -*Table 11. Recommended settings for educational institutions* - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
RecommendationDescription
Use of Microsoft accountsYou want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.

-**Note:**  Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.

-**Group Policy.** Configure the [Accounts: Block Microsoft accounts](https://technet.microsoft.com//library/jj966262.aspx?f=255&MSPPError=-2147217396) Group Policy setting to use the Users can’t add Microsoft accounts setting option.

-**Intune.** Enable or disable the camera by using the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy. -
Restrict local administrator accounts on the devicesEnsure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.

-**Group Policy**. Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the **Delete all member users** and **Delete all member groups** check boxes to remove any existing members. For more information about how to configure Local Group preferences, see [Configure a Local Group Item](https://technet.microsoft.com//library/cc732525.aspx).

-**Intune**. Not available. -
Restrict the local administrator accounts on the devicesEnsure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.

-**Group Policy**. Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the **Delete all member users** and **Delete all member groups** check boxes to remove any existing members. For more information about how to configure Local Group preferences, see [Configure a Local Group Item](https://technet.microsoft.com//library/cc732525.aspx).

-**Intune**. Not available. -
Manage the built-in administrator account created during device deploymentWhen you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and optionally disable it.

-**Group Policy**. Rename the built-in Administrator account by using the **Accounts: Rename administrator account** Group Policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](https://technet.microsoft.com//library/cc747484.aspx). You will specify the new name for the Administrator account. You can disable the built-in Administrator account by using the **Accounts: Administrator account status** Group Policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](https://technet.microsoft.com//library/jj852165.aspx).

-**Intune**. Not available. -
Control Windows Store accessYou can control access to Windows Store and whether existing Windows Store apps receive updates. You can only disable the Windows Store app in Windows 10 Education and Windows 10 Enterprise.

-**Group Policy**. You can disable the Windows Store app by using the **Turn off the Store Application** Group Policy setting. You can prevent Windows Store apps from receiving updates by using the **Turn off Automatic Download and Install of updates** Group Policy setting. For more information about configuring these settings, see [Can I use Group Policy to control the Windows Store in my enterprise environment?](https://technet.microsoft.com//library/hh832040.aspx#BKMK_UseGP).

-**Intune**. You can enable or disable the camera by using the **Allow application store** policy setting in the **Apps** section of a **Windows 10 General Configuration** policy. -
Use of Remote Desktop connections to devicesRemote Desktop connections could allow unauthorized access to the device. Depending on your institution’s policies, you may want to disable Remote Desktop connections on your devices.

-**Group Policy**. You can enable or disable Remote Desktop connections to devices by using the **Allow Users to connect remotely using Remote Desktop setting** in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections.

-**Intune**. Not available. -
Use of cameraA device’s camera can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the camera on your devices.

-**Group Policy**. Not available.

-**Intune**. You can enable or disable the camera by using the **Allow camera** policy setting in the **Hardware** section of a **Windows 10 General Configuration** policy. -
Use of audio recordingAudio recording (by using the Sound Recorder app) can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the Sound Recorder app on your devices.

-**Group Policy**. You can disable the Sound Recorder app by using the **Do not allow Sound Recorder to run** Group Policy setting. You can disable other audio recording apps by using AppLocker policies. Create AppLocker policies by using the information in [Editing an AppLocker Policy](https://technet.microsoft.com//library/ee791894(v=ws.10).aspx) and [Create Your AppLocker Policies](https://technet.microsoft.com//library/ee791899.aspx).

-**Intune**. You can enable or disable the camera by using the **Allow voice recording** policy setting in the **Features** section of a **Windows 10 General Configuration** policy. -
Use of screen captureScreen captures can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the ability to perform screen captures on your devices.

-**Group Policy**. Not available.

-**Intune**. You can enable or disable the camera by using the **Allow screen capture** policy setting in the **System** section of a **Windows 10 General Configuration** policy. -
Use of location servicesProviding a device’s location can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the location service on your devices.

-**Group Policy**. You can enable or disable location services by using the **Turn off location** Group Policy setting in User Configuration\Windows Components\Location and Sensors.

-**Intune**. You can enable or disable the camera by using the **Allow geolocation** policy setting in the **Hardware** section of a **Windows 10 General Configuration** policy. -
Changing wallpaperDisplaying a custom wallpaper can be a source of disclosure or privacy issues in an education environment (if the wallpaper displays information about the user or the device). Depending on your institution’s policies, you may want to prevent users from changing the wallpaper on your devices.

-**Group Policy**. You can configure the wallpaper by using the **Desktop WallPaper** setting in User Configuration\Administrative Templates\Desktop\Desktop.

-**Intune**. Not available. -

- -### Configure settings by using Group Policy - -Now, you’re ready to configure settings by using Group Policy. The steps in this section assume that you have an AD DS infrastructure. You will configure the Group Policy settings you select in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. - -For more information about Group Policy, see [Group Policy Planning and Deployment Guide](https://technet.microsoft.com//library/cc754948.aspx). - -#### To configure Group Policy settings - -1. Create a Group Policy object (GPO) that will contain the Group Policy settings by completing the steps in [Create a new Group Policy object](https://technet.microsoft.com//library/cc738830.aspx). -2. Configure the settings in the GPO by completing the steps in [Edit a Group Policy object](https://technet.microsoft.com//library/cc739902.aspx). -3. Link the GPO to the appropriate AD DS site, domain, or organizational unit by completing the steps in [Link a Group Policy object to a site, domain, or organizational unit](https://technet.microsoft.com//library/cc738954(v=ws.10).aspx). - -### Configure settings by using Intune - -Now, you’re ready to configure settings by using Intune. The steps in this section assume that you have an Office 365 subscription. You will configure the Intune settings that you selected in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. - -For more information about Intune, see [Documentation for Microsoft Intune](https://docs.microsoft.com/en-us/intune/). - -#### To configure Intune settings - -1. Add Intune to your Office 365 subscription by completing the steps in [Get started with a paid subscription to Microsoft Intune](https://docs.microsoft.com/en-us/intune/get-started/start-with-a-paid-subscription-to-microsoft-intune). -2. 
Enroll devices with Intune by completing the steps in [Get ready to enroll devices in Microsoft Intune](https://technet.microsoft.com//library/dn646962.aspx). -3. Configure the settings in Intune Windows 10 policies by completing the steps in [Manage settings and features on your devices with Microsoft Intune policies](https://technet.microsoft.com//library/dn646984.aspx). -4. Manage Windows 10 devices by completing the steps in [Manage Windows PCs with Microsoft Intune](https://technet.microsoft.com//library/dn646959.aspx). - -### Deploy apps by using Intune - -You can use Intune to deploy Windows Store and Windows desktop apps. Intune provides improved control over which users receive specific apps. In addition, Intune allows you deploy apps to companion devices (such as Windows 10 Mobile, iOS, or Android devices) Finally, Intune helps you manage app security and features, such as mobile application management policies that let you manage apps on devices that are not enrolled in Intune or are managed by another solution. - -For more information about how to configure Intune to manage your apps, see [Deploy and configure apps with Microsoft Intune](https://docs.microsoft.com/en-us/intune/). - -### Summary - -In this section, you prepared your institution for device management. You determined whether you want to use Group Policy or Intune to manage your devices. You identified the configuration settings that you want to use to manage your users and devices. Finally, you configured the Group Policy and Intune settings in Group Policy and Intune, respectively. - -## Deploy Windows 10 to devices - -You’re ready to deploy Windows 10 to faculty and student devices. You must complete the steps in this section for each student device in the classrooms as well as for any new student devices you add in the future. You can also perform these actions for any device that’s eligible for a Windows 10 upgrade. 
This section discusses deploying Windows 10 to new devices, refreshing Windows 10 on existing devices, and upgrading existing devices that are running eligible versions of Windows 8.1 or Windows to Windows 10. - -### Prepare for deployment - -Prior to deployment of Windows 10, ensure that you complete the tasks listed in Table 12. Most of these tasks are already complete, but use this step to make sure. - -*Table 12. Deployment preparation checklist* - -|Task | | -| ---| --- | -| |The target devices have sufficient system resources to run Windows 10. | -| | Identify the necessary devices drivers, and import them to the MDT deployment share.| -| | Create an MDT application for each Windows Store and Windows desktop app.| -| | Notify the students and faculty about the deployment.| -

-### Perform the deployment
-
-Use the Deployment Wizard to deploy Windows 10. The LTI deployment process is almost fully automated: You provide only minimal information to the Deployment Wizard at the beginning of the process. After the wizard collects the necessary information, the remainder of the process is fully automated.
-
->**Note:**  To fully automate the LTI deployment process, complete the steps in the “Fully Automated LTI Deployment Scenario” section in the [Microsoft Deployment Toolkit Samples Guide](https://technet.microsoft.com//library/dn781089.aspx).
-
-In most instances, deployments occur without incident. Only in rare occasions do deployments experience problems.
-
-#### To deploy Windows 10
-
-1. **Initiate the LTI deployment process**. Initiate the LTI deployment process booting over the network (PXE boot) or from local media. You selected the method for initiating the LTI deployment process in the [Select a method to initiate deployment](#select-a-method-to-initiate-deployment) section earlier in this guide.
-2. **Complete the Deployment Wizard**. For more information about how to complete the Deployment Wizard, see the “Running the Deployment Wizard” topic in [Using the Microsoft Deployment Toolkit](https://technet.microsoft.com//library/dn759415.aspx#Running%20the%20Deployment%20Wizard).
-
-### Set up printers
-
-After you have deployed Windows 10, the devices are almost ready for use. First, you must set up the printers that each classroom will use. Typically, you connect the printers to the same network as the devices in the same classroom. If you don’t have printers in your classrooms, skip this section and proceed to the [Verify deployment](#verify-deployment) section.
-
->**Note:**  If you’re performing an upgrade instead of a new deployment, the printers remain configured as they were in the previous version of Windows. As a result, you can skip this section and proceed to the [Verify deployment](#verify-deployment) section.
-
-#### To set up printers
-
-1. Review the printer manufacturer’s instructions for installing the printer drivers.
-2. On the admin device, download the printer drivers.
-3. Copy the printer drivers to a USB drive.
-4. On a device, use the same account you used to set up Windows 10 in the [Perform the deployment](#perform-the-deployment) section to sign in to the device.
-5. Insert the USB drive in the device.
-6. Follow the printer manufacturer’s instructions to install the printer drivers from the USB drive.
-7. Verify that the printer drivers were installed correctly by printing a test page.
-8. Complete steps 1–8 for each printer.
-
-### Verify deployment
-
-As a final quality control step, verify the device configuration to ensure that all apps run. Microsoft recommends that you perform all the tasks that the user would perform. Specifically, verify the following:
-
-- The device can connect to the Internet and view the appropriate web content in Microsoft Edge.
-- Windows Update is active and current with software updates.
-- Windows Defender is active and current with malware signatures.
-- The SmartScreen Filter is active.
-- All Windows Store apps are properly installed and updated.
-- All Windows desktop apps are properly installed and updated.
-- Printers are properly configured.
-
-When you have verified that the first device is properly configured, you can move to the next device and perform the same steps.
-
-### Summary
-
-You prepared the devices for deployment by verifying that they have adequate system resources and that the resources in the devices have corresponding Windows 10 device drivers. You performed device deployment over the network or by using local MDT media. Next, you configured the appropriate printers on the devices. Finally, you verified that the devices are properly configured and ready for use.
- -## Maintain Windows devices and Office 365 - -After the initial deployment, you will need to perform certain tasks to maintain the Windows 10 devices and your Office 365 Education subscription. You should perform these tasks on the following schedule: - -- **Monthly.** These tasks help ensure that the devices are current with software updates and properly protected against viruses and malware. -- **New semester or academic year.** Perform these tasks prior to the start of a new curriculum—for example, at the start of a new academic year or semester. These tasks help ensure that the classroom environments are ready for the next group of students. -- **As required (ad hoc).** Perform these tasks as necessary in a classroom. For example, a new version of an app may be available, or a student may inadvertently corrupt a device so that you must restore it to the default configuration. - -Table 13 lists the school and individual classroom maintenance tasks, the resources for performing the tasks, and the schedule (or frequency) on which you should perform the tasks. - -*Table 13. School and individual classroom maintenance tasks, with resources and the schedule for performing them* - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Task and resourcesMonthlyNew semester or academic yearAs required
Verify that Windows Update is active and current with operating system and software updates.

-For more information about completing this task when you have: -
    -
  • Intune, see [Keep Windows PCs up to date with software updates in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/keep-windows-pcs-up-to-date-with-software-updates-in-microsoft-intune).
  • -
  • Group Policy, see [Windows Update for Business](https://technet.microsoft.com/itpro/windows/plan/windows-update-for-business).
  • -
  • Windows Server Update Services (WSUS), see [Windows Server Update Services](https://msdn.microsoft.com/en-us/library/bb332157.aspx?f=255&MSPPError=-2147217396).
  • -
  • Neither Intune, Group Policy, or WSUS, see [Update Windows 10](http://windows.microsoft.com/en-id/windows-10/update-windows-10)
  • -
-
XXX
Verify that Windows Defender is active and current with malware signatures.

-For more information about completing this task, see [Turn Windows Defender on or off](http://windows.microsoft.com/en-us/windows-10/how-to-protect-your-windows-10-pc#v1h=tab01) and [Updating Windows Defender](http://windows.microsoft.com/en-us/windows-10/how-to-protect-your-windows-10-pc#v1h=tab03).
XXX
Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found.

-For more information about completing this task, see [How do I find and remove a virus?](http://windows.microsoft.com/en-US/windows-8/how-find-remove-virus) -
XXX
Verify that you are using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).

-For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options for updates and upgrades](https://technet.microsoft.com/itpro/windows/manage/introduction-to-windows-10-servicing).
XX
Refresh the operating system and apps on devices.

-For more information about completing this task, see the [Deploy Windows 10 to devices](#deploy-windows-10-to-devices) section. - -
XX
Install any new Windows desktop apps or update any Windows desktop apps that are used in the curriculum.

-For more information, see the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. - -
XX
Install new or update existing Windows Store apps that are used in the curriculum.

-Windows Store apps are automatically updated from Windows Store. The menu bar in the Windows Store app shows whether any Windows Store app updates are available for download.

-You can also deploy Windows Store apps directly to devices by using Intune. For more information, see the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. - -
XX
Remove unnecessary user accounts (and corresponding licenses) from Office 365.

-For more information about how to: -
    -
  • Remove unnecessary user accounts, see [Delete or restore users](https://support.office.com/en-us/article/Delete-or-restore-users-d5155593-3bac-4d8d-9d8b-f4513a81479e?ui=en-US&rs=en-US&ad=US).
  • -
  • Unassign licenses, see [Assign or unassign licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-unassign-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US).
  • -
- -
XX
Add new accounts (and corresponding licenses) to Office 365.

-For more information about how to: -
    -
  • Add user accounts, see [Add users to Office 365 for business](https://support.office.com/en-us/article/Add-users-to-Office-365-for-business-435ccec3-09dd-4587-9ebd-2f3cad6bc2bc) and [Add users individually or in bulk to Office 365](https://www.youtube.com/watch?v=zDs3VltTJps).
  • -
  • Assign licenses, see [Assign or unassign licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-unassign-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US).
  • -
-
XX
Create or modify security groups and manage group membership in Office 365.

-For more information about how to: -
    -
  • Create or modify security groups, see [View, create, and delete Groups in the Office 365 admin center](https://support.office.com/en-us/article/View-create-and-delete-groups-in-the-Office-365-admin-center-a6360120-2fc4-46af-b105-6a04dc5461c7).
  • -
  • Manage group membership, see [Manage Group membership in the Office 365 admin center](https://support.office.com/en-us/article/Manage-Group-membership-in-the-Office-365-admin-center-e186d224-a324-4afa-8300-0e4fc0c3000a).
  • -
- -
XX
Create or modify Exchange Online or Microsoft Exchange Server distribution lists in Office 365.

-For more information about how to create or modify Exchange Online or Exchange Server distribution lists in Office 365, see [Manage Distribution Groups](https://technet.microsoft.com/library/bb124513.aspx) and [Groups in Exchange Online and SharePoint Online](https://support.office.com/en-us/article/Create-edit-or-delete-a-security-group-55C96B32-E086-4C9E-948B-A018B44510CB#__groups_in_exchange). - -
XX
Install new student devices

-Follow the same steps described in the [Deploy Windows 10 to devices](#deploy-windows-10-to-devices) section. - -
X
-

-### Summary - -Now, you have identified the tasks you need to perform monthly, at the end of an academic year or semester, and as required. Your school configuration should match the typical school configuration that you saw in the [Plan a typical school configuration](#plan-a-typical-school-configuration) section. By performing these maintenance tasks you help ensure that your school stays secure and is configured as you specified. - -##Related resources -

-
diff --git a/windows/plan/deploying-a-runtime-analysis-package.md b/windows/plan/deploying-a-runtime-analysis-package.md
deleted file mode 100644
index 38f478a9b9..0000000000
--- a/windows/plan/deploying-a-runtime-analysis-package.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Deploying a Runtime-Analysis Package (Windows 10)
-description: When you deploy a runtime-analysis package, you are deploying it to your test environment for compatibility testing.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/deploying-an-inventory-collector-package.md b/windows/plan/deploying-an-inventory-collector-package.md
deleted file mode 100644
index 784ecd61b4..0000000000
--- a/windows/plan/deploying-an-inventory-collector-package.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Deploying an Inventory-Collector Package (Windows 10)
-description: How to deploy an inventory-collector package to your destination computers.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/example-filter-queries.md b/windows/plan/example-filter-queries.md
deleted file mode 100644
index 8494d2a4b1..0000000000
--- a/windows/plan/example-filter-queries.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Example Filter Queries (Windows 10)
-description: You can filter your compatibility-issue data or reports by selecting specific restriction criteria.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/exporting-a-data-collection-package.md b/windows/plan/exporting-a-data-collection-package.md
deleted file mode 100644
index e3b5a9ce64..0000000000
--- a/windows/plan/exporting-a-data-collection-package.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Exporting a Data-Collection Package (Windows 10)
-description: In Application Compatibility Manager (ACM), you can export a data-collection package as a Windows installer (.msi) file. You can then use the .msi file to install the data-collection package on the computers from which you want to gather data.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/filtering-your-compatibility-data.md b/windows/plan/filtering-your-compatibility-data.md
deleted file mode 100644
index 83040f196c..0000000000
--- a/windows/plan/filtering-your-compatibility-data.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Filtering Your Compatibility Data (Windows 10)
-description: You can use Query Builder to filter your compatibility-issue data or reports by selecting specific restriction criteria.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/fixing-compatibility-issues.md b/windows/plan/fixing-compatibility-issues.md
deleted file mode 100644
index 50f8032d64..0000000000
--- a/windows/plan/fixing-compatibility-issues.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fixing Compatibility Issues (Windows 10)
-description: This section provides step-by-step instructions and describes development tools that you can use to help fix your compatibility issues.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/identifying-computers-for-inventory-collection.md b/windows/plan/identifying-computers-for-inventory-collection.md
deleted file mode 100644
index 524304a7cf..0000000000
--- a/windows/plan/identifying-computers-for-inventory-collection.md
+++ /dev/null
@@ -1,5 +0,0 @@ ---- -title: Identifying Computers for Inventory Collection (Windows 10) -description: To generate a complete inventory and obtain a comprehensive view of your organization, inventory all computers. However, remember that deploying inventory-collector packages to all computers in your organization will require the additional work of analyzing and reducing a larger list of applications. If you do not have the resources to deploy to all computers or you cannot process a larger list of applications, consider deploying inventory-collector packages to representative subsets of computers instead. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/index.md b/windows/plan/index.md index dfa19e4252..125db28968 100644 --- a/windows/plan/index.md +++ b/windows/plan/index.md @@ -16,6 +16,7 @@ Windows 10 provides new deployment capabilities, scenarios, and tools by buildi ## In this section |Topic |Description | |------|------------| +|[Windows 10 Enterprise: FAQ for IT professionals](windows-10-enterprise-faq-itpro.md) | Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise. | |[Windows 10 deployment considerations](windows-10-deployment-considerations.md) |There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications. | |[Windows 10 compatibility](windows-10-compatibility.md) |Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10. | |[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) |There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. | 
diff --git a/windows/plan/integration-with-management-solutions-.md b/windows/plan/integration-with-management-solutions-.md
deleted file mode 100644
index 7246b22a3a..0000000000
--- a/windows/plan/integration-with-management-solutions-.md
+++ /dev/null
@@ -1,53 +0,0 @@ ---- -title: Integration with management solutions (Windows 10) -description: You can integrate Windows Update for Business deployments with existing management tools such as Windows Server Update Services (WSUS), System Center Configuration Manager, and Microsoft Intune. -ms.assetid: E0CB0CD3-4FE1-46BF-BA6F-5A5A8BD14CC9 -keywords: update, upgrade, deployment, manage, tools -ms.prod: w10 -ms.mktglfcycl: plan -ms.sitesec: library -ms.pagetype: servicing, devices -author: jdeckerMS -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/waas-manage-updates-wufb ---- - -# Integration with management solutions - -**Applies to** -- Windows 10 - -You can integrate Windows Update for Business deployments with existing management tools such as Windows Server Update Services (WSUS), System Center Configuration Manager, and Microsoft Intune. - -## System Center Configuration Manager - -For Windows 10, version 1511, organizations that already manage their systems with Configuration Manager can also have their devices configured for Windows Update for Business (in other words, set deferral policies on those machines). For Windows 10, version 1511, such devices will be visible in the Configuration Manager console, however they will appear with a detection state of “Unknown”. - -![figure 1](images/wuforbusiness-fig10-sccmconsole.png) - -## WSUS standalone - -For Windows 10, version 1511, you cannot configure devices for both Windows Update for Business *and* to receive updates from WSUS. If both group policies are set (for both deferrals as well as WSUS scanning), Windows Update for Business settings will NOT be respected and devices will continue to scan against WSUS. - -## Enterprise Mobility Suite: Intune - -You can configure Windows Update for Business by using MDM policy. To configure Windows Update for Business with Intune: -1. Create a new Windows 10 custom policy. 
(Add a policy, and choose **Custom Configuration for Windows 10 Desktop and phone…**). - - ![figure 2](images/wuforbusiness-fig11-intune.png) - -2. Configure the device to Consumer Branch for Business by selecting to defer upgrades (as described in [Setup and deployment](setup-and-deployment.md). - - **Note**   - As noted, because WSUS and Windows Update for Business are mutually exclusive policies, do not set **UpdateServiceUrl** if you want to configure to defer upgrades. -   -3. Establish deferral windows for updates and upgrades. - - ![figure 3](images/wuforbusiness-fig12a-updates.png) - - ![figure 4](images/wuforbusiness-fig13a-upgrades.png) - -## Related topics - -[Windows Update for Business](windows-update-for-business.md) - -[Setup and deployment](setup-and-deployment.md) diff --git a/windows/plan/internet-explorer-web-site-report.md b/windows/plan/internet-explorer-web-site-report.md deleted file mode 100644 index f30fc92bd6..0000000000 --- a/windows/plan/internet-explorer-web-site-report.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Internet Explorer - Web Site Report (Windows 10) -description: The Internet Explorer - Web Site Report screen shows the URL, your organization's compatibility rating, issue count, and resolved issue count, for each of the websites visited in your organization. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/labeling-data-in-acm.md b/windows/plan/labeling-data-in-acm.md deleted file mode 100644 index 92f7448f84..0000000000 --- a/windows/plan/labeling-data-in-acm.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Labeling Data in ACM (Windows 10) -description: Application data and its associated compatibility issues can vary within an organization. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file 
diff --git a/windows/plan/log-file-locations-for-data-collection-packages.md b/windows/plan/log-file-locations-for-data-collection-packages.md
deleted file mode 100644
index 5fa3b6c466..0000000000
--- a/windows/plan/log-file-locations-for-data-collection-packages.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Log File Locations for Data-Collection Packages (Windows 10)
-description: Selecting the output for your data-collection package log files.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/managing-your-data-collection-packages.md b/windows/plan/managing-your-data-collection-packages.md
deleted file mode 100644
index 03cbe4849d..0000000000
--- a/windows/plan/managing-your-data-collection-packages.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Managing Your Data-Collection Packages (Windows 10)
-description: This section provides information about using Application Compatibility Manager (ACM) to manage your data-collection packages.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/organizational-tasks-for-each-report-type.md b/windows/plan/organizational-tasks-for-each-report-type.md
deleted file mode 100644
index 61498e165d..0000000000
--- a/windows/plan/organizational-tasks-for-each-report-type.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Organizational Tasks for Each Report Type (Windows 10)
-description: The following table shows which tasks can be performed for each report type.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/organizing-your-compatibility-data.md b/windows/plan/organizing-your-compatibility-data.md
deleted file mode 100644
index 30d2918977..0000000000
--- a/windows/plan/organizing-your-compatibility-data.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Organizing Your Compatibility Data (Windows 10)
-description: This section provides step-by-step instructions for organizing your compatibility data in Application Compatibility Manager (ACM).
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/prioritizing-your-compatibility-data.md b/windows/plan/prioritizing-your-compatibility-data.md
deleted file mode 100644
index 7304d6dbb9..0000000000
--- a/windows/plan/prioritizing-your-compatibility-data.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prioritizing Your Compatibility Data (Windows 10)
-description: Prioritizing your apps, websites, computers, and devices to help customize and filter your compatibilty reports.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/ratings-icons-in-acm.md b/windows/plan/ratings-icons-in-acm.md
deleted file mode 100644
index c1f0184338..0000000000
--- a/windows/plan/ratings-icons-in-acm.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Ratings Icons in ACM (Windows 10)
-description: Compatibility ratings can originate from Microsoft, the application vendor, your organization, and from the Application Compatibility Toolkit (ACT) community.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/resolving-an-issue.md b/windows/plan/resolving-an-issue.md
deleted file mode 100644
index e6a5b97651..0000000000
--- a/windows/plan/resolving-an-issue.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Resolving an Issue (Windows 10)
-description: You can use Application Compatibility Manager (ACM) to flag issues as resolved. Resolving an issue changes the status of the issue from a red x to a green check mark on your report and report detail screens.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/saving-opening-and-exporting-reports.md b/windows/plan/saving-opening-and-exporting-reports.md
deleted file mode 100644
index 65bfc93fba..0000000000
--- a/windows/plan/saving-opening-and-exporting-reports.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Saving, Opening, and Exporting Reports (Windows 10)
-description: You can perform several common reporting tasks from the Analyze screen, including saving a compatibility report, opening a saved compatibility report (.adq) file, and exporting your report data to a spreadsheet (.xls) file.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/selecting-the-send-and-receive-status-for-an-application.md b/windows/plan/selecting-the-send-and-receive-status-for-an-application.md
deleted file mode 100644
index 3674f73b68..0000000000
--- a/windows/plan/selecting-the-send-and-receive-status-for-an-application.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Selecting the Send and Receive Status for an Application (Windows 10)
-description: For each application listed in Application Compatibility Manager (ACM), you can select whether to send and receive specific application data through the Microsoft Compatibility Exchange.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/selecting-your-compatibility-rating.md b/windows/plan/selecting-your-compatibility-rating.md
deleted file mode 100644
index e0b0defc6d..0000000000
--- a/windows/plan/selecting-your-compatibility-rating.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Selecting Your Compatibility Rating (Windows 10)
-description: You can rate the compatibility of your applications, installation packages, or websites, based on whether they run successfully on a 32-bit or 64-bit operating system.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/selecting-your-deployment-status.md b/windows/plan/selecting-your-deployment-status.md
deleted file mode 100644
index 61fdf90369..0000000000
--- a/windows/plan/selecting-your-deployment-status.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Selecting Your Deployment Status (Windows 10)
-description: In Application Compatibility Manager (ACM), you can track the deployment status of your applications and websites.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/sending-and-receiving-compatibility-data.md b/windows/plan/sending-and-receiving-compatibility-data.md
deleted file mode 100644
index fe2e0356a0..0000000000
--- a/windows/plan/sending-and-receiving-compatibility-data.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Sending and Receiving Compatibility Data (Windows 10)
-description: The Microsoft® Compatibility Exchange is a web service that propagates application compatibility issues between various data sources, for example Microsoft Corporation, independent software vendors (ISVs) and the ACT Community.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/settings-for-acm.md b/windows/plan/settings-for-acm.md
deleted file mode 100644
index fe209d179d..0000000000
--- a/windows/plan/settings-for-acm.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Settings for ACM (Windows 10)
-description: This section provides information about settings that you can configure in Application Compatibility Manager (ACM).
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/setup-and-deployment.md b/windows/plan/setup-and-deployment.md
deleted file mode 100644
index 2b2e1e2a43..0000000000
--- a/windows/plan/setup-and-deployment.md
+++ /dev/null
@@ -1,184 +0,0 @@ ---- -title: Setup and deployment (Windows 10) -description: This article describes the basic features of a Windows Update for Business deployment. -ms.assetid: E176BB36-3B1B-4707-9665-968D80050DD1 -keywords: update, upgrade, deployment -ms.prod: w10 -ms.mktglfcycl: plan -ms.sitesec: library -ms.pagetype: servicing, devices -author: jdeckerMS -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/waas-manage-updates-wufb ---- - -# Setup and deployment - -**Applies to** -- Windows 10 - -This article describes the basic features of a Windows Update for Business deployment. Use this information to familiarize yourself with a simple deployment with a single group of machines connected to Windows Update, in addition to more complex scenarios such as the creation of Windows Update for Business validation groups that receive updates from Windows Update at different time intervals, as well as Windows Update for Business deployments integrated with existing management tools such as Windows Server Update Services (WSUS), System Center Configuration Manager, or Microsoft Intune. - -## Configure your systems to receive updates on CBB - -To use Windows Update for Business, Windows 10-based devices must first be configured for the Current Branch for Business (CBB). You can configure devices manually, by using Group Policy, or by using mobile device management (MDM). - -![figure 1](images/wuforbus-fig1-manuallyset.png) - -![figure 2](images/wuforbusiness-fig2-gp.png) - -![figure 3](images/wuforbusiness-fig3-mdm.png) - -## Defer OS upgrade and update deployments - -Windows Update for Business allows administrators to control when upgrades and updates are deployed to their Windows 10 clients by specifying deferral windows from when they are initially made available on the Windows Update service. As mentioned, there are restrictions as to how long you can delay upgrades and updates. 
The following table details these restrictions, per deployment category type: - - - - - - - - - - - - - - - - -
-

Group Policy keys

-
-

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\DeferUpgradePeriod

-
    -
  • -

    Values: 0-8 where each unit for upgrade is a month -

    -
  • -
-
-

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\DeferUpdatePeriod

-
    -
  • -

    Values: 0-4 where each unit for update is a week -

    -
  • -
-
-

MDM

-

./Vendor/MSFT/Update/DeferUpgrade

-
-

Software\Microsoft\PolicyManager\current\Update\RequireDeferUpgrade -

-
    -
  • -

    Values: 0-8 where each unit for upgrade is a month - -

    -
  • -
-
-

Software\Microsoft\PolicyManager\current\Update\RequireDeferUpdate

-
    -
  • -

    Values: 0-4 where each unit for update is a week -

    -
  • -
-
-  -Administrators can control deferral periods with Group Policy Objects by using the [Local Group Policy Editor (GPEdit)](https://go.microsoft.com/fwlink/p/?LinkId=734030) or, for domain joined systems, [Group Policy Management Console (GPMC)](https://go.microsoft.com/fwlink/p/?LinkId=699325). For additional details on Group Policy management see [Group Policy management for IT pros](https://go.microsoft.com/fwlink/p/?LinkId=699282). -**Set different deferrals based on update classification in GPedit.msc** -![figure 4](images/wuforbusiness-fig4-localpoleditor.png) -![figure 5](images/wuforbusiness-fig5-deferupgrade.png) -## Pause upgrades and updates -Although administrators can use deferral periods to stagger the rate at which deployments go out to their organization (which provides time to verify quality and address any issues), there may be cases where additional time is needed before an update is set to deploy to a machine, or group of machines. Windows Update for Business provides a means for administrators to *pause* updates and upgrades on a per-machine basis. This pause functionality ensures that no updates or upgrades will be made available for the specified machine; the machine will remain in this state until the machine is specifically “unpaused”, or when a period of five weeks (35 days) has passed, at which point updates are auto-resumed. -**Note**   -The five-week period ensures that pause functionality overlaps a possible subsequent Update Tuesday release. -  -**Note**   -Group Policy does not allow you to set a future "unpause” — administrators must actively select to unpause a deployment if they wish to do so before the time expiration. -  - ---- - - - - - - - - - - -

Group Policy keys

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\Pause

MDM

-

./Vendor/MSFT/Update/DeferUpgrade

Software\Microsoft\PolicyManager\current\Update\Pause

-
    -
  • Values (bool): 0, 1

  • -
-  -![figure 6](images/wuforbusiness-fig6-pause.png) - -## Create validation groups for deployments - -By grouping machines into similar deferral periods, administrators are able to cluster devices into deployment or validation groups which can be used as a quality control measure as updates are deployed in Windows 10. With deferral windows and the ability to pause, administrators can effectively control and measure update deployments by rolling out to a small pool of devices first to verify quality, prior to a broader roll-out to their organization. - -Administrators can establish validation groups to maintain a level of control over update/driver deployments which allows them to: -- Control the date, time, and frequency updates will be applied and devices rebooted -- Deploy a small set of machines to verify quality prior to broad roll-out -- Stage broad roll-out in waves to continue quality verification and minimize disruptions -- Manage membership of waves based on criteria defined by IT -- Halt and roll-back deployment of updates/drivers that may be causing trouble - -![figure 7](images/wuforbusiness-fig7-validationgroup.png) - -## Peer-to-peer networking for deployments - -Windows Update Delivery Optimization enables Windows Update for Business enrolled devices to download Windows updates and Windows Store apps from sources other than Microsoft. With multiple devices, Delivery Optimization can reduce the amount of Internet bandwidth that is required to keep all of your Windows Update for Business enrolled systems up to date. It can also help ensure that devices get updates and apps more quickly if they have a limited or unreliable Internet connection. - -In addition to downloading updates and apps from Microsoft, Windows will get updates and apps from other PCs that already have them. You can choose which PCs you get these updates from. 
- -### How Delivery Optimization works - -- **PCs on your local network.** When Windows downloads an update or app, it will look for other PCs on your local network that have already downloaded the update or app using Delivery Optimization. Windows then downloads parts of the file from those PCs and parts of the file from Microsoft. Windows doesn’t download the entire file from one place. Instead, the download is broken down into smaller parts. Windows uses the fastest, most reliable download source for each part of the file. -- **PCs on your local network and PCs on the Internet.** Windows uses the same process as when getting updates and apps from PCs on your local network, and also looks for PCs on the Internet that can be used as a source to download parts of updates and apps. - -### Delivery Optimization settings - -Delivery Optimization is turned on by default for the Enterprise and Education editions of Windows 10, where the default option is that updates will only be pulled and shared from PCs on your LAN and not the Internet. -Delivery Optimization configuration settings can be viewed by going to: Settings > Update and Security > Advanced Options > Choose how your updates are delivered - -![figure 8](images/wuforbusiness-fig8a-chooseupdates.png) - -## Use Group Policy to configure Windows Update Delivery Optimization - -You can use Group Policy to configure Windows Update Delivery Optimization. To do this, use the following steps: - -1. Download the [Administrative Templates (.admx) file for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=699283) from the Microsoft Download Center. -2. Copy the following files to the SYSVOL central store: - - DeliveryOptimization.admx from C:\\Program Files (x86)\\Microsoft Group Policy\\Windows 10\\PolicyDefinitions - - DeliveryOptimization.adml from C:\\Program Files (x86)\\Microsoft Group Policy\\Windows 10\\PolicyDefinitions\\en-US -3. Start the Gpeditor tool. -4. 
Browse to the following location: - - Computer Configuration\\Administrative Templates\\Windows Components\\Delivery Optimization -5. Make the following Windows Update Delivery Optimization settings, as appropriate. - - ![figure 9](images/wuforbusiness-fig9-dosettings.jpg) - -**Virus-scan claim** - -Microsoft scanned this file for viruses, using the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to it. - -For more information about Windows Update Delivery Optimization in Windows 10, see the [Windows Update Delivery Optimization FAQ](https://go.microsoft.com/fwlink/p/?LinkId=699284). - -For additional resources, see [How to use Group Policy to configure Windows Update Delivery Optimization in Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=699288). - -## Related topics - -[Windows Update for Business](windows-update-for-business.md) - -[Integration with management solutions](integration-with-management-solutions-.md) diff --git a/windows/plan/software-requirements-for-act.md b/windows/plan/software-requirements-for-act.md deleted file mode 100644 index d631eef7aa..0000000000 --- a/windows/plan/software-requirements-for-act.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Software Requirements for ACT (Windows 10) -description: The Application Compatibility Toolkit (ACT) has the following software requirements. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/software-requirements-for-rap.md b/windows/plan/software-requirements-for-rap.md deleted file mode 100644 index b9914238fc..0000000000 --- a/windows/plan/software-requirements-for-rap.md +++ /dev/null 
@@ -1,5 +0,0 @@
----
-title: Software Requirements for RAP (Windows 10)
-description: The runtime-analysis package (RAP) has the following software requirements.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/taking-inventory-of-your-organization.md b/windows/plan/taking-inventory-of-your-organization.md
deleted file mode 100644
index d199af1ab6..0000000000
--- a/windows/plan/taking-inventory-of-your-organization.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Taking Inventory of Your Organization (Windows 10)
-description: This section provides information about how to use the Application Compatibility Toolkit (ACT) to identify applications and devices that are installed in your organization.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/testing-compatibility-on-the-target-platform.md b/windows/plan/testing-compatibility-on-the-target-platform.md
deleted file mode 100644
index 9ba06e8cb3..0000000000
--- a/windows/plan/testing-compatibility-on-the-target-platform.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Testing Compatibility on the Target Platform (Windows 10)
-description: This section provides information about setting up a test environment for compatibility testing, and about creating and deploying runtime-analysis packages to the test environment.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/troubleshooting-act-database-issues.md b/windows/plan/troubleshooting-act-database-issues.md
deleted file mode 100644
index e0fb05fd2a..0000000000
--- a/windows/plan/troubleshooting-act-database-issues.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Troubleshooting ACT Database Issues (Windows 10)
-description: The following solutions may help you resolve issues that are related to your Microsoft® SQL Server® database for the Application Compatibility Toolkit (ACT).
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/troubleshooting-act.md b/windows/plan/troubleshooting-act.md
deleted file mode 100644
index 1366988ae6..0000000000
--- a/windows/plan/troubleshooting-act.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Troubleshooting ACT (Windows 10)
-description: This section provides troubleshooting information for the Application Compatibility Toolkit (ACT).
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/troubleshooting-the-act-configuration-wizard.md b/windows/plan/troubleshooting-the-act-configuration-wizard.md
deleted file mode 100644
index 08200ff49f..0000000000
--- a/windows/plan/troubleshooting-the-act-configuration-wizard.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Troubleshooting the ACT Configuration Wizard (Windows 10)
-description: When you start Application Compatibility Manager (ACM) for the first time, the Application Compatibility Toolkit (ACT) Configuration Wizard appears.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/troubleshooting-the-act-log-processing-service.md b/windows/plan/troubleshooting-the-act-log-processing-service.md
deleted file mode 100644
index 5f338b3141..0000000000
--- a/windows/plan/troubleshooting-the-act-log-processing-service.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Troubleshooting the ACT Log Processing Service (Windows 10)
-description: The following solutions may help you resolve issues that are related to the Application Compatibility Toolkit (ACT) Log Processing Service.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/using-act.md b/windows/plan/using-act.md
deleted file mode 100644
index 3e3ffff7d2..0000000000
--- a/windows/plan/using-act.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Using ACT (Windows 10)
-description: This section describes how to use the Application Compatibility Toolkit (ACT) in your organization.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/using-compatibility-monitor-to-send-feedback.md b/windows/plan/using-compatibility-monitor-to-send-feedback.md
deleted file mode 100644
index c5e20c52ba..0000000000
--- a/windows/plan/using-compatibility-monitor-to-send-feedback.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Using Compatibility Monitor to Send Feedback (Windows 10)
-description: The Microsoft Compatibility Monitor tool is installed as part of the runtime-analysis package.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/viewing-your-compatibility-reports.md b/windows/plan/viewing-your-compatibility-reports.md
deleted file mode 100644
index 57ba7d07a9..0000000000
--- a/windows/plan/viewing-your-compatibility-reports.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Viewing Your Compatibility Reports (Windows 10)
-description: This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/websiteurl-dialog-box.md b/windows/plan/websiteurl-dialog-box.md
deleted file mode 100644
index e07214a067..0000000000
--- a/windows/plan/websiteurl-dialog-box.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: WebsiteURL Dialog Box (Windows 10)
-description: In Application Compatibility Manager (ACM), the websiteURL dialog box shows information about the selected website.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/welcome-to-act.md b/windows/plan/welcome-to-act.md
deleted file mode 100644
index b4ef6d3088..0000000000
--- a/windows/plan/welcome-to-act.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Welcome to ACT (Windows 10)
-description: The Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/whats-new-in-act-60.md b/windows/plan/whats-new-in-act-60.md
deleted file mode 100644
index 89d6afdf1c..0000000000
--- a/windows/plan/whats-new-in-act-60.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: What's New in ACT 6.1 (Windows 10)
-description: Two major updates have been released since ACT 6.1.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/windows-10-enterprise-faq-itpro.md b/windows/plan/windows-10-enterprise-faq-itpro.md
new file mode 100644
index 0000000000..192d0910c6
--- /dev/null
+++ b/windows/plan/windows-10-enterprise-faq-itpro.md
@@ -0,0 +1,138 @@
+---
+title: Windows 10 Enterprise FAQ for IT pros (Windows 10)
+description: Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise.
+keywords: Windows 10 Enterprise, download, system requirements, drivers, appcompat, manage udpates, Windows as a service, servicing branches, deployment tools
+ms.prod: w10
+ms.mktglfcycl: plan
+localizationpriority: high
+ms.sitesec: library
+author:
+---
+
+# Windows 10 Enterprise: FAQ for IT professionals
+
+Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise.
+
+## Download and requirements
+
+### Where can I download Windows 10 Enterprise?
+
+If you have Windows volume licenses with Software Assurance, or if you have purchased licenses for Windows 10 Enterprise volume licenses, you can download 32-bit and 64-bit versions of Windows 10 Enterprise from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). If you do not have current Software Assurance for Windows and would like to purchase volume licenses for Windows 10 Enterprise, contact your preferred Microsoft Reseller or see [How to purchase through Volume Licensing](https://www.microsoft.com/en-us/Licensing/how-to-buy/how-to-buy.aspx).
+
+### What are the system requirements?
+
+For details, see [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752).
+
+### What are the hardware requirements for Windows 10?
+
+Most computers that are compatible with Windows 8.1 will be compatible with Windows 10. You may need to install updated drivers in Windows 10 for your devices to properly function. See [Windows 10 specifications](https://www.microsoft.com/windows/windows-10-specifications) for more information.
+
+### Can I evaluate Windows 10 Enterprise?
+ +Yes, a 90-day evaluation of Windows 10 Enterprise is available through the [TechNet Evaluation Center](https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise). The evaluation is available in Chinese (Simplified), Chinese (Traditional), French, German, Italian, Japanese, Korean, Portuguese (Brazil), and Spanish (Spain, International Sort). We highly recommend that organizations make use of the Windows 10 Enterprise 90-day Evaluation to try out deployment and management scenarios, test compatibility with hardware and applications, and to get hands on experience with Windows 10 Enterprise features. + +## Drivers and compatibility + +### Where can I find drivers for my devices for Windows 10 Enterprise? + +For many devices, drivers will be automatically installed in Windows 10 and there will be no need for additional action. +- For some devices, Windows 10 may be unable to install drivers that are required for operation. If your device drivers are not automatically installed, visit the manufacturer’s support website for your device to download and manually install the drivers. If Windows 10 drivers are not available, the most up-to-date drivers for Windows 8.1 will often work in Windows 10. +- For some devices, the manufacturer may provide more up-to-date drivers or drivers that enable additional functionality than the drivers installed by Windows 10. Always follow the recommendations of the device manufacturer for optimal performance and stability. +- Some computer manufacturers provide packs of drivers for easy implementation in management and deployment solutions like the Microsoft Deployment Toolkit (MDT) or Microsoft System Center Configuration Manager. These driver packs contain all of the drivers needed for each device and can greatly simplify the process of deploying Windows to a new make or model of computer. 
Driver packs for some common manufacturers include: + - [HP driver pack](http://www8.hp.com/us/en/ads/clientmanagement/drivers-pack.html) + - [Dell driver packs for enterprise client OS deployment](http://en.community.dell.com/techcenter/enterprise-client/w/wiki/2065.dell-command-deploy-driver-packs-for-enterprise-client-os-deployment) + - [Lenovo Configuration Manager and MDT package index](https://support.lenovo.com/us/en/documents/ht074984) + +### Where can I find out if an application or device is compatible with Windows 10? + +Many existing Win32 and Win64 applications already run reliably on Windows 10 without any changes. You can also expect strong compatibility and support for Web apps and devices. The [Ready for Windows](https://www.readyforwindows.com/) website lists software solutions that are supported and in use for Windows 10. You can find additional guidance to help with application compatibility at [Windows 10 application compatibility](https://technet.microsoft.com/windows/mt703793) on the Windows IT Center. + +### Is there an easy way to assess if my organization’s devices are ready to upgrade to Windows 10? + +[Windows Upgrade Readiness](https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics) (formerly known as Upgrade Analytics) provides powerful insights and recommendations about the computers, applications, and drivers in your organization, at no extra cost and without additional infrastructure requirements. This new service guides you through your upgrade and feature update projects using a workflow based on Microsoft recommended practices. Up-to-date inventory data allows you to balance cost and risk in your upgrade projects. + +## Administration and deployment + +### Which deployment tools support Windows 10? + +Updated versions of Microsoft deployment tools, including MDT, Configuration Manager, and the Windows Assessment and Deployment Kit (Windows ADK) have been released to support Windows 10. 
+- [MDT](http://www.microsoft.com/mdt) is Microsoft’s recommended collection of tools, processes, and guidance for automating desktop and server deployment. +- Configuration Manager simplifies the deployment and management of Windows 10. If you are not currently using Configuration Manager, you can download a free 180-day trial of [System Center Configuration Manager and Endpoint Protection (current branch)](https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) from the TechNet Evaluation Center. +- The [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit#winADK) has tools that allow you to customize Windows images for large-scale deployment, and test system quality and performance. You can download the latest version of the Windows ADK for Windows 10 from the Hardware Dev Center. + +### Can I upgrade computers from Windows 7 or Windows 8.1 without deploying a new image? + +Computers running Windows 7 or Windows 8.1 can be upgraded directly to Windows 10 through the in-place upgrade process without a need to reimage the device using MDT and/or Configuration Manager. For more information, see [Upgrade to Windows 10 with System Center Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager) or [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit). + +### Are there any deployment tools available to support Windows 10? + +Updated versions of Microsoft deployment tools, including Configuration Manager, MDT, and the Windows Assessment and Deployment Kit (Windows ADK) have been released adding support for Windows 10. For most organizations currently using MDT or Configuration Manager to deploy Windows, deployment of Windows 10 will change very little. 
+ +For more information on deployment methods for Windows 10, see [Windows 10 deployment tools](https://technet.microsoft.com/library/mt297512.aspx) and [Windows 10 deployment scenarios](https://technet.microsoft.com/library/mt282208.aspx). + +### Can I upgrade from Windows 7 Enterprise or Windows 8.1 Enterprise to Windows 10 Enterprise for free? + +If you have Windows 7 Enterprise or Windows 8.1 Enterprise and current Software Assurance, you are entitled to the upgrade to Windows 10 Enterprise through the rights of Software Assurance. You can find your product keys and installation media at the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). + +For devices that are licensed under a volume license agreement for Windows that does not include Software Assurance, new licenses will be required to upgrade these devices to Windows 10. + +## Managing updates + +### What is Windows as a service? + +The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time. For more information, see [Overview of Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview). + +### How is servicing different with Windows as a service? + +Traditional Windows servicing has included several release types: major revisions (e.g., the Windows 8.1, Windows 8, and Windows 7 operating systems), service packs, and monthly updates. 
With Windows 10, there are two release types: feature updates that add new functionality two to three times per year, and quality updates that provide security and reliability fixes at least once a month. + +### What are the servicing branches? + +To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing branches to allow customers to designate how aggressively their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers three servicing branches for Windows 10: Current Branch (CB), Current Branch for Business (CBB), and Long-Term Servicing Branch (LTSB). For details about the versions in each servicing branch, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). For more information on each branch, see [servicing branches](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview#servicing-branches). + +### What tools can I use to manage Windows as a service updates? + +There are many tools are available. You can choose from these: +- Windows Update +- Windows Update for Business +- Windows Server Update Services +- System Center Configuration Manager + +For more information on pros and cons for these tools, see [Servicing Tools](https://technet.microsoft.com/itpro/windows/manage/waas-overview#servicing-branches). + +## User experience + +### Where can I find information about new features and changes in Windows 10 Enterprise? 
+ +For an overview of the new enterprise features in Windows 10 Enterprise, see [What's new in Windows 10](https://technet.microsoft.com/itpro/windows/whats-new/index) and [What's new in Windows 10, version 1703](https://tnstage.redmond.corp.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1703?branch=rs2) in the TechNet library. You can find information You'll find info on features like these: +- Modern deployment - Zero-touch deployment, bulk AD enrollment with provisioning, UEFI conversion tooland +- Windows Analytics - Upgrade Readiness, and Update Compliance +- Windows as a service enhancements - Differential feature update support, express update support for System Center Configuration Manager and third-party management software +- Mobile application management (MAM) and enhanced MDM +- Advanced security with Windows Defender - App Guard, Credential Guard, App Control, ATP) and Windows Hello + +Another place to track the latest information about new features of interest to IT professionals is the [Windows for IT Pros blog](https://blogs.technet.microsoft.com/windowsitpro/). Here you’ll find announcements of new features, information on updates to the Windows servicing model, and details about the latest resources to help you more easily deploy and manage Windows 10. + +To find out which version of Windows 10 is right for your organization, you can also [compare Windows editions](https://www.microsoft.com/WindowsForBusiness/Compare). + +### How will people in my organization adjust to using Windows 10 Enterprise after upgrading from Windows 7 or Windows 8.1? + +Windows 10 combines the best aspects of the user experience from Windows 8.1 and Windows 7 to make using Windows simple and straightforward. Users of Windows 7 will find the Start menu in the same location as they always have. 
In the same place, users of Windows 8.1 will find the live tiles from their Start screen, accessible by the Start button in the same way as they were accessed in Windows 8.1. To help you make the transition a seamless one, download the [Windows 10 for Business Onboarding Kit](https://blogs.technet.microsoft.com/windowsitpro/2016/06/28/windows-10-for-business-onboarding-kit/) and see our [end user readiness](https://technet.microsoft.com/windows/dn621092) resources. + +### How does Windows 10 help people work with applications and data across a variety of devices? + +The desktop experience in Windows 10 has been improved to provide a better experience for people that use a traditional mouse and keyboard. Key changes include: +- Start menu is a launching point for access to apps. +- Universal apps now open in windows instead of full screen. +- [Multitasking is improved with adjustable Snap](http://blogs.windows.com/bloggingwindows/2015/06/04/arrange-your-windows-in-a-snap/), which allows you to have more than two windows side-by-side on the same screen and to customize how those windows are arranged. +- Tablet Mode to simplify using Windows with a finger or pen by using touch input. + +## Help and support + +### Where can I ask a question about Windows 10? + +Use the following resources for additional information about Windows 10. +- If you are an IT professional or if you have a question about administering, managing, or deploying Windows 10 in your organization or business, visit the [Windows 10 IT Professional forums](https://social.technet.microsoft.com/forums/home?category=windows10itpro) on TechNet. +- If you are an end user or if you have a question about using Windows 10, visit the [Windows 10 forums on Microsoft Community](http://answers.microsoft.com/windows/forum/windows_10). 
+- If you are a developer or if you have a question about making apps for Windows 10, visit the [Windows Desktop Development forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsdesktopdev) or [Windows and Windows phone apps forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsapps) on MSDN. +- If you have a question about Internet Explorer, visit the [Internet Explorer forums](https://social.technet.microsoft.com/forums/ie/en-us/home) on TechNet. \ No newline at end of file diff --git a/windows/plan/windows-10-guidance-for-education-environments.md b/windows/plan/windows-10-guidance-for-education-environments.md deleted file mode 100644 index f4ce0e1a32..0000000000 --- a/windows/plan/windows-10-guidance-for-education-environments.md +++ /dev/null @@ -1,39 +0,0 @@ ---- -title: Guidance for education environments (Windows 10) -description: Find resources to help you plan your deployment of Windows 10 to desktops, laptops, tablets, and other devices in educational institutions. -redirect_url: https://technet.microsoft.com/edu/windows/index -ms.assetid: 225C9D6F-9329-4DDF-B447-6CE7804E314E -ms.prod: w10 -ms.mktglfcycl: plan -ms.sitesec: library -ms.pagetype: edu, security -author: craigash ---- - -# Guidance for education environments - -Find resources to help you plan your deployment of Windows 10 to desktops, laptops, tablets, and other devices in educational institutions. - -## In this section - - ---- - - - - - - - - - - - - -
TopicDescription

[Chromebook migration guide](chromebook-migration-guide.md)

In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. You will learn how to perform the necessary planning steps, including Windows device deployment, migration of user and device settings, app migration or replacement, and cloud storage migration. You will then learn the best method to perform the migration by using automated deployment and migration tools.

-  -  -  diff --git a/windows/plan/windows-10-servicing-options.md b/windows/plan/windows-10-servicing-options.md deleted file mode 100644 index 8ad9c29c5a..0000000000 --- a/windows/plan/windows-10-servicing-options.md +++ /dev/null 
@@ -1,79 +0,0 @@ ---- -title: Windows 10 servicing overview (Windows 10) -description: Windows 10 provides a new model for organizations to deploy and upgrade Windows by providing updates to features and capabilities through a continual process. -ms.assetid: 6EF0792C-B587-497D-8489-4A7F5848D92A -keywords: deploy, upgrade, update, servicing -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: servicing -ms.sitesec: library -author: jdeckerMS -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview ---- - -# Windows 10 servicing overview - -**Applies to** -- Windows 10 -- Windows 10 Mobile - -This topic provides an overview of the new servicing model for Windows 10. For more detailed information about this model, refer to [Windows 10 servicing options](../manage/introduction-to-windows-10-servicing.md). - -## The Windows servicing model - -Traditionally, new versions of Windows have been released every few years. The deployment of those new versions within an organization would then become a project, either by leveraging a "wipe and load" process to deploy the new operating system version to existing computers, or by migrating to the new operating system version as part of the hardware replacement cycle. Either way, a significant amount of time and effort was required to complete these tasks. - -With Windows 10, a new model is being adopted. This new model, referred to as "Windows as a service," requires organizations to rethink how they deploy and upgrade Windows. It is no longer a project that happens every few years, it is a continual process. - -## Windows as a service - -Instead of new features being added only in new releases that happen every few years, the goal of Windows as a service is to continually provide new capabilities. New features are provided or updated two to three times per year, while maintaining a high level of hardware and application compatibility. 
- -This new model uses simpler deployment methods, reducing the overall amount of effort required for Windows servicing. By combining these simpler methods (such as in-place upgrade) with new techniques to deploy upgrades in phases to existing devices, the effort that used to be performed as part of a traditional deployment project is spread across a broad period of time. - -## Windows 10 servicing branches - -The concept of branching goes back many years, and represents how Windows has traditionally been written and serviced. Each release of Windows was from a particular branch of the Windows code, and updates would be made to that release for the lifecycle of that release. This concept still applies now with Windows 10, but is much more visible because it is incorporated directly into the servicing model. - -Microsoft has implemented the following new servicing options in Windows 10: - -**Windows Insider Program**: To see new features before they are released, to provide feedback on those new features, and to initially validate compatibility with existing applications and hardware, a small number of PCs can leverage the Windows Insider Program branch. These are typically dedicated lab machines used for IT testing, secondary PCs used by IT administrators, and other non-critical devices.
-**Current Branch (CB)**: For early adopters, IT teams, and other broader piloting groups, the Current Branch (CB) can be used to further validate application compatibility and newly-released features.
-**Current Branch for Business (CBB)**. For the majority of people in an organization, the Current Branch for Business (CBB) allows for a staged deployment of new features over a longer period of time.
-**Long-Term Servicing Branch (LTSB)**: For critical or specialized devices (for example, operation of factory floor machinery, point-of-sale systems, automated teller machines), the Long-Term Servicing Branch (LTSB) provides a version of Windows 10 Enterprise that receives no new features, while continuing to be supported with security and other updates for a long time. (Note that the Long-Term Servicing Branch is a separate Windows 10 Enterprise image, with many in-box apps, including Microsoft Edge, Cortana, and Windows Store, removed.)
-![branches](images/branch.png) - -These servicing options provide pragmatic solutions to keep more devices more current in enterprise environments than was previously possible. Most organizations will leverage all of these choices, with the mix determined by how individual PCs are used. Some examples are shown in the table below: - -| Industry | Windows Insider Program | Current Branch | Current Branch for Business | Long-Term Servicing Branch | -|--------------------|-------------------------|----------------|-----------------------------|----------------------------| -| Retail | <1% | 10% | 60% | 30% | -| Manufacturing | <1% | 10% | 55% | 45% | -| Pharmaceuticals | <1% | 10% | 50% | 40% | -| Consulting | 10% | 50% | 35% | 5% | -| Software developer | 30% | 60% | 5% | 5% | -
-Because every organization is different, the exact breakdown will vary even within a specific industry. The examples shown above should not be taken as specific recommendations. To determine the appropriate mix for a specific organization, profile how individual PCs are used within the organization, and target them with the appropriate branch. - -- Retailers often have critical devices (for example, point-of-sale systems) in stores which results in higher percentages of PCs on the Long-Term Servicing Branch. But those used by information workers in support of the retail operations would leverage Current Branch for Business to receive new features. - -- Manufacturers typically have critical devices (for example, control systems) in factories; these are also good candidates for the Long-Term Servicing Branch. But as with retailers, information workers that support those factories are better suited to the Current Branch for Business. - -- Pharmaceutical firms often have regulatory requirements for PCs used for the development of their products, which are best satisfied by using Long-Term Servicing Branch. But not all PCs are subject to these regulatory requirements; those that are not can use the Current Branch for Business. - -- Consulting firms want their employees to have the latest functionality so they can be as productive as possible. They also want to develop expertise with new capabilities as soon as possible, hence more emphasis on Current Branch. But they also have information workers that provide services to the consultants; these workers can leverage Current Branch for Business. - -- Software developers typically work on software that will release in conjunction with a new Windows upgrade. To enable that, a significant percentage of developers may use the Windows Insider Program preview branch for initial efforts, which shifts to Current Branch as development progresses. 
- -Note that there are few, if any, scenarios where an entire organization would use the Long-Term Servicing Branch for all PCs – or even for a majority of them. - -With these new servicing options, Microsoft streamlined the Windows product engineering and release cycle so that Microsoft can deliver new features, experiences, and functionality more quickly than ever. Microsoft also created new ways to deliver and install feature upgrades and servicing updates that simplify deployments and on-going management, broaden the base of employees who can be kept current with the latest Windows capabilities and experiences, and lower total cost of ownership. - -Windows 10 enables organizations to fulfill the desire to provide users with the latest features while balancing the need for manageability and cost control. To keep pace with technology, there are good business reasons to keep a significant portion of your enterprise's devices *current* with the latest release of Windows. - -## Related topics - -[Windows 10 release information](https://technet.microsoft.com/windows/release-info)
-[Windows 10 deployment considerations](windows-10-deployment-considerations.md)
-[Windows 10 compatibility](windows-10-compatibility.md)
-[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) \ No newline at end of file diff --git a/windows/plan/windows-update-for-business.md b/windows/plan/windows-update-for-business.md deleted file mode 100644 index 87315ba806..0000000000 --- a/windows/plan/windows-update-for-business.md +++ /dev/null 
@@ -1,97 +0,0 @@ ---- -title: Windows Update for Business (Windows 10) -description: Get an overview of how you can implement and deploy a Windows Update for Business solution and how to maintain enrolled systems. -ms.assetid: DF61F8C9-A8A6-4E83-973C-8ABE090DB8C6 -keywords: update, upgrade, deployment, WSUS -ms.prod: w10 -ms.mktglfcycl: plan -ms.sitesec: library -ms.pagetype: servicing; devices -author: jdeckerMS -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/waas-manage-updates-wufb ---- - -# Windows Update for Business - -**Applies to** -- Windows 10 - -Get an overview of how you can implement and deploy a Windows Update for Business solution and how to maintain enrolled systems. - -## Introduction - -Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service. By using [Group Policy Objects](https://go.microsoft.com/fwlink/p/?LinkId=699279), Windows Update for Business is an easily established and implemented system which enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing: -- **Deployment and validation groups**; where administrators can specify which devices go first in an update wave, and which devices will come later (to ensure any quality bars are met). -- **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth very efficient. -- **Use with existing tools** such as System Center Configuration Manager and the [Enterprise Mobility Suite](https://go.microsoft.com/fwlink/p/?LinkId=699281). 
- -Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](https://go.microsoft.com/fwlink/p/?LinkId=734043) and [System Center Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=734044). - -## Deploy Windows Update for Business in your organization - -For Windows 10, version 1511, Windows Update for Business is enabled using a set of client-side configurations, allowing you to manage how and when Windows-based devices receive updates and upgrades. These capabilities use the Windows Update service like any other Windows 10 clients, but provides controls to help businesses validate update quality as well as time their update deployments to machines through the use of Group Policy Objects. Windows Update for Business also incorporates smart peer-to-peer networking for distribution of Windows updates, which will help maintain bandwidth efficiency in the absence of a WSUS solution. - -## Eligible devices - -All devices running Windows 10 Pro, Enterprise, and Education on the Current Branch for Business (CBB) are Windows Update for Business eligible. - -## OS upgrades and updates - -In Windows 10, Windows Update for Business recognizes three deployment categories that clients receive from Windows Update: -- **Upgrades** - - Examples: Windows 10 (Build 10240) to Windows 10, version 1511; CBB 1 to CBB 2 - **Note**   - In the Windows 10 servicing model, new CBBs will be declared 2-3 times per year. -   -- **Updates** - - General OS updates, typically released the second Tuesday of each month. 
These include Security, Critical, and Driver updates. -- **Other/non-deferrable** - - Definition updates (these cannot be deferred) -Both upgrades and updates can be deferred from deployment to client machines by a Windows Update for Business administrator within a bounded rage of time from when those updates are first made available on the Windows Update service. This deferral capability allows administrators to validate deployments as they are pushed to all their Windows Update for Business enrolled clients. The following table defines maximum deferral periods allowed by deployment type: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
CategoryMaximum deferralDeferral incrementsClassification typeClassification GUID
OS upgrades8 months1 monthUpgrade3689BDC8-B205-4AF4-8D4A-A63924C5E9D5
OS updates4 weeks1 weekSecurity updates0FA1201D-4330-4FA8-8AE9-B877473B6441
DriversEBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0
UpdatesCD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83
Other/non-deferrableNo deferralNo deferralDefinition updatesE0789628-CE08-4437-BE74-2495B842F43B
- -## Related topics - -[Setup and deployment](setup-and-deployment.md) - -[Integration with management solutions](integration-with-management-solutions-.md) - -[Windows 10 servicing options for updates and upgrades](../manage/introduction-to-windows-10-servicing.md) diff --git a/windows/update/TOC.md b/windows/update/TOC.md new file mode 100644 index 0000000000..cb2e9787f8 --- /dev/null +++ b/windows/update/TOC.md 
@@ -0,0 +1,23 @@
+# [Update Windows 10](index.md)
+## [Quick guide to Windows as a service](waas-quick-start.md)
+## [Overview of Windows as a service](waas-overview.md)
+## [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+## [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+## [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+## [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md)
+### [Get started with Update Compliance](update-compliance-get-started.md)
+### [Use Update Compliance](update-compliance-using.md)
+## [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+### [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+### [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+## [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+## [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+### [Configure Windows Update for Business](waas-configure-wufb.md)
+### [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+### [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+### [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+## [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+## [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+## [Manage device restarts after updates](waas-restart.md)
+## [Change history for Update Windows 10](change-history-for-update-windows-10.md)
+
diff --git a/windows/update/change-history-for-update-windows-10.md b/windows/update/change-history-for-update-windows-10.md
new file mode 100644
index 0000000000..d1a178004f
--- /dev/null
+++ b/windows/update/change-history-for-update-windows-10.md
@@ -0,0 +1,19 @@
+---
+title: Change history for Update Windows 10 (Windows 10)
+description: This topic lists new and updated topics in the Update Windows 10 documentation for Windows 10 and Windows 10 Mobile.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: DaniHalfin
+---
+
+# Change history for Update Windows 10
+
+This topic lists new and updated topics in the [Update Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
+
+>If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history).
+
+## RELEASE: Windows 10, version 1703
+
+The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update).
+
diff --git a/windows/update/images/ActionCenterXML.jpg b/windows/update/images/ActionCenterXML.jpg
new file mode 100644
index 0000000000..b9832b2708
Binary files /dev/null and b/windows/update/images/ActionCenterXML.jpg differ
diff --git a/windows/update/images/AppsXML.jpg b/windows/update/images/AppsXML.jpg
new file mode 100644
index 0000000000..ecc1869bb5
Binary files /dev/null and b/windows/update/images/AppsXML.jpg differ
diff --git a/windows/update/images/AppsXML.png b/windows/update/images/AppsXML.png
new file mode 100644
index 0000000000..3981543264
Binary files /dev/null and b/windows/update/images/AppsXML.png differ
diff --git a/windows/update/images/ButtonsXML.jpg b/windows/update/images/ButtonsXML.jpg
new file mode 100644
index 0000000000..238eca7e68
Binary files /dev/null and b/windows/update/images/ButtonsXML.jpg differ
diff --git a/windows/update/images/CSPRunnerXML.jpg b/windows/update/images/CSPRunnerXML.jpg new file mode 100644 index 0000000000..071b316a9e Binary files /dev/null and b/windows/update/images/CSPRunnerXML.jpg differ diff --git a/windows/update/images/ICDstart-option.PNG b/windows/update/images/ICDstart-option.PNG new file mode 100644 index 0000000000..1ba49bb261 Binary files /dev/null and b/windows/update/images/ICDstart-option.PNG differ diff --git a/windows/update/images/MenuItemsXML.png b/windows/update/images/MenuItemsXML.png new file mode 100644 index 0000000000..cc681250bb Binary files /dev/null and b/windows/update/images/MenuItemsXML.png differ diff --git a/windows/update/images/SettingsXML.png b/windows/update/images/SettingsXML.png new file mode 100644 index 0000000000..98a324bdea Binary files /dev/null and b/windows/update/images/SettingsXML.png differ diff --git a/windows/update/images/StartGrid.jpg b/windows/update/images/StartGrid.jpg new file mode 100644 index 0000000000..36136f3201 Binary files /dev/null and b/windows/update/images/StartGrid.jpg differ diff --git a/windows/update/images/StartGridPinnedApps.jpg b/windows/update/images/StartGridPinnedApps.jpg new file mode 100644 index 0000000000..fbade52f53 Binary files /dev/null and b/windows/update/images/StartGridPinnedApps.jpg differ diff --git a/windows/update/images/TilesXML.png b/windows/update/images/TilesXML.png new file mode 100644 index 0000000000..cec52bbbf7 Binary files /dev/null and b/windows/update/images/TilesXML.png differ diff --git a/windows/update/images/aadj1.jpg b/windows/update/images/aadj1.jpg new file mode 100644 index 0000000000..2348fc4c84 Binary files /dev/null and b/windows/update/images/aadj1.jpg differ diff --git a/windows/update/images/aadj2.jpg b/windows/update/images/aadj2.jpg new file mode 100644 index 0000000000..39486bfc66 Binary files /dev/null and b/windows/update/images/aadj2.jpg differ 
diff --git a/windows/update/images/aadj3.jpg b/windows/update/images/aadj3.jpg new file mode 100644 index 0000000000..80e1f5762f Binary files /dev/null and b/windows/update/images/aadj3.jpg differ diff --git a/windows/update/images/aadj4.jpg b/windows/update/images/aadj4.jpg new file mode 100644 index 0000000000..0db2910012 Binary files /dev/null and b/windows/update/images/aadj4.jpg differ diff --git a/windows/update/images/aadjbrowser.jpg b/windows/update/images/aadjbrowser.jpg new file mode 100644 index 0000000000..c8d909688e Binary files /dev/null and b/windows/update/images/aadjbrowser.jpg differ diff --git a/windows/update/images/aadjcal.jpg b/windows/update/images/aadjcal.jpg new file mode 100644 index 0000000000..1858886f5f Binary files /dev/null and b/windows/update/images/aadjcal.jpg differ diff --git a/windows/update/images/aadjcalmail.jpg b/windows/update/images/aadjcalmail.jpg new file mode 100644 index 0000000000..5a5661259a Binary files /dev/null and b/windows/update/images/aadjcalmail.jpg differ diff --git a/windows/update/images/aadjmail1.jpg b/windows/update/images/aadjmail1.jpg new file mode 100644 index 0000000000..89b1fcc3b7 Binary files /dev/null and b/windows/update/images/aadjmail1.jpg differ diff --git a/windows/update/images/aadjmail2.jpg b/windows/update/images/aadjmail2.jpg new file mode 100644 index 0000000000..0608010c6a Binary files /dev/null and b/windows/update/images/aadjmail2.jpg differ diff --git a/windows/update/images/aadjmail3.jpg b/windows/update/images/aadjmail3.jpg new file mode 100644 index 0000000000..d7154a7e0e Binary files /dev/null and b/windows/update/images/aadjmail3.jpg differ diff --git a/windows/update/images/aadjonedrive.jpg b/windows/update/images/aadjonedrive.jpg new file mode 100644 index 0000000000..6fb1196d5f Binary files /dev/null and b/windows/update/images/aadjonedrive.jpg differ 
diff --git a/windows/update/images/aadjonenote.jpg b/windows/update/images/aadjonenote.jpg new file mode 100644 index 0000000000..4ccd207f9f Binary files /dev/null and b/windows/update/images/aadjonenote.jpg differ diff --git a/windows/update/images/aadjonenote2.jpg b/windows/update/images/aadjonenote2.jpg new file mode 100644 index 0000000000..1b6941e638 Binary files /dev/null and b/windows/update/images/aadjonenote2.jpg differ diff --git a/windows/update/images/aadjonenote3.jpg b/windows/update/images/aadjonenote3.jpg new file mode 100644 index 0000000000..3ac6911046 Binary files /dev/null and b/windows/update/images/aadjonenote3.jpg differ diff --git a/windows/update/images/aadjpin.jpg b/windows/update/images/aadjpin.jpg new file mode 100644 index 0000000000..dac6cfec30 Binary files /dev/null and b/windows/update/images/aadjpin.jpg differ diff --git a/windows/update/images/aadjppt.jpg b/windows/update/images/aadjppt.jpg new file mode 100644 index 0000000000..268d5fe662 Binary files /dev/null and b/windows/update/images/aadjppt.jpg differ diff --git a/windows/update/images/aadjverify.jpg b/windows/update/images/aadjverify.jpg new file mode 100644 index 0000000000..7b30210f39 Binary files /dev/null and b/windows/update/images/aadjverify.jpg differ diff --git a/windows/update/images/aadjword.jpg b/windows/update/images/aadjword.jpg new file mode 100644 index 0000000000..db2a58406e Binary files /dev/null and b/windows/update/images/aadjword.jpg differ diff --git a/windows/update/images/aadjwsfb.jpg b/windows/update/images/aadjwsfb.jpg new file mode 100644 index 0000000000..428f1a26d4 Binary files /dev/null and b/windows/update/images/aadjwsfb.jpg differ diff --git a/windows/update/images/admin-tools-folder.png b/windows/update/images/admin-tools-folder.png new file mode 100644 index 0000000000..4831204f73 Binary files /dev/null and b/windows/update/images/admin-tools-folder.png differ 
diff --git a/windows/update/images/admin-tools.png b/windows/update/images/admin-tools.png new file mode 100644 index 0000000000..1470cffdd5 Binary files /dev/null and b/windows/update/images/admin-tools.png differ diff --git a/windows/update/images/allow-rdp.png b/windows/update/images/allow-rdp.png new file mode 100644 index 0000000000..55c13b53bc Binary files /dev/null and b/windows/update/images/allow-rdp.png differ diff --git a/windows/update/images/app-v-in-adk.png b/windows/update/images/app-v-in-adk.png new file mode 100644 index 0000000000..a36ef9f00f Binary files /dev/null and b/windows/update/images/app-v-in-adk.png differ diff --git a/windows/update/images/apprule.png b/windows/update/images/apprule.png new file mode 100644 index 0000000000..ec5417849a Binary files /dev/null and b/windows/update/images/apprule.png differ diff --git a/windows/update/images/appwarning.png b/windows/update/images/appwarning.png new file mode 100644 index 0000000000..877d8afebd Binary files /dev/null and b/windows/update/images/appwarning.png differ diff --git a/windows/update/images/backicon.png b/windows/update/images/backicon.png new file mode 100644 index 0000000000..3007e448b1 Binary files /dev/null and b/windows/update/images/backicon.png differ diff --git a/windows/update/images/checklistbox.gif b/windows/update/images/checklistbox.gif new file mode 100644 index 0000000000..cbcf4a4f11 Binary files /dev/null and b/windows/update/images/checklistbox.gif differ diff --git a/windows/update/images/checklistdone.png b/windows/update/images/checklistdone.png new file mode 100644 index 0000000000..7e53f74d0e Binary files /dev/null and b/windows/update/images/checklistdone.png differ diff --git a/windows/update/images/checkmark.png b/windows/update/images/checkmark.png new file mode 100644 index 0000000000..f9f04cd6bd Binary files /dev/null and b/windows/update/images/checkmark.png differ 
diff --git a/windows/update/images/choose-package.png b/windows/update/images/choose-package.png new file mode 100644 index 0000000000..2bf7a18648 Binary files /dev/null and b/windows/update/images/choose-package.png differ diff --git a/windows/update/images/config-policy.png b/windows/update/images/config-policy.png new file mode 100644 index 0000000000..b9cba70af6 Binary files /dev/null and b/windows/update/images/config-policy.png differ diff --git a/windows/update/images/config-source.png b/windows/update/images/config-source.png new file mode 100644 index 0000000000..58938bacf7 Binary files /dev/null and b/windows/update/images/config-source.png differ diff --git a/windows/update/images/configconflict.png b/windows/update/images/configconflict.png new file mode 100644 index 0000000000..011a2d76e7 Binary files /dev/null and b/windows/update/images/configconflict.png differ diff --git a/windows/update/images/connect-aad.png b/windows/update/images/connect-aad.png new file mode 100644 index 0000000000..8583866165 Binary files /dev/null and b/windows/update/images/connect-aad.png differ diff --git a/windows/update/images/copy-to-change.png b/windows/update/images/copy-to-change.png new file mode 100644 index 0000000000..21aa250c0c Binary files /dev/null and b/windows/update/images/copy-to-change.png differ diff --git a/windows/update/images/copy-to-path.png b/windows/update/images/copy-to-path.png new file mode 100644 index 0000000000..1ef00fc86b Binary files /dev/null and b/windows/update/images/copy-to-path.png differ diff --git a/windows/update/images/copy-to.PNG b/windows/update/images/copy-to.PNG new file mode 100644 index 0000000000..dad84cedc8 Binary files /dev/null and b/windows/update/images/copy-to.PNG differ diff --git a/windows/update/images/cortana-about-me.png b/windows/update/images/cortana-about-me.png new file mode 100644 index 0000000000..32c1ccefab Binary files /dev/null and b/windows/update/images/cortana-about-me.png differ 
diff --git a/windows/update/images/cortana-add-reminder.png b/windows/update/images/cortana-add-reminder.png new file mode 100644 index 0000000000..3f03528e11 Binary files /dev/null and b/windows/update/images/cortana-add-reminder.png differ diff --git a/windows/update/images/cortana-chicago-weather.png b/windows/update/images/cortana-chicago-weather.png new file mode 100644 index 0000000000..9273bf201b Binary files /dev/null and b/windows/update/images/cortana-chicago-weather.png differ diff --git a/windows/update/images/cortana-complete-send-email-coworker-mic.png b/windows/update/images/cortana-complete-send-email-coworker-mic.png new file mode 100644 index 0000000000..3238c8d31d Binary files /dev/null and b/windows/update/images/cortana-complete-send-email-coworker-mic.png differ diff --git a/windows/update/images/cortana-connect-crm.png b/windows/update/images/cortana-connect-crm.png new file mode 100644 index 0000000000..c70c42f75e Binary files /dev/null and b/windows/update/images/cortana-connect-crm.png differ diff --git a/windows/update/images/cortana-connect-o365.png b/windows/update/images/cortana-connect-o365.png new file mode 100644 index 0000000000..df1ffa449b Binary files /dev/null and b/windows/update/images/cortana-connect-o365.png differ diff --git a/windows/update/images/cortana-connect-uber.png b/windows/update/images/cortana-connect-uber.png new file mode 100644 index 0000000000..724fecb5b5 Binary files /dev/null and b/windows/update/images/cortana-connect-uber.png differ diff --git a/windows/update/images/cortana-crm-screen.png b/windows/update/images/cortana-crm-screen.png new file mode 100644 index 0000000000..ded5d80a59 Binary files /dev/null and b/windows/update/images/cortana-crm-screen.png differ diff --git a/windows/update/images/cortana-feedback.png b/windows/update/images/cortana-feedback.png new file mode 100644 index 0000000000..6e14018c98 Binary files /dev/null and b/windows/update/images/cortana-feedback.png differ 
diff --git a/windows/update/images/cortana-final-reminder.png b/windows/update/images/cortana-final-reminder.png new file mode 100644 index 0000000000..f114e058e5 Binary files /dev/null and b/windows/update/images/cortana-final-reminder.png differ diff --git a/windows/update/images/cortana-meeting-specific-time.png b/windows/update/images/cortana-meeting-specific-time.png new file mode 100644 index 0000000000..a108355133 Binary files /dev/null and b/windows/update/images/cortana-meeting-specific-time.png differ diff --git a/windows/update/images/cortana-meeting-tomorrow.png b/windows/update/images/cortana-meeting-tomorrow.png new file mode 100644 index 0000000000..13273b6600 Binary files /dev/null and b/windows/update/images/cortana-meeting-tomorrow.png differ diff --git a/windows/update/images/cortana-newyork-weather.png b/windows/update/images/cortana-newyork-weather.png new file mode 100644 index 0000000000..b3879737be Binary files /dev/null and b/windows/update/images/cortana-newyork-weather.png differ diff --git a/windows/update/images/cortana-o365-screen.png b/windows/update/images/cortana-o365-screen.png new file mode 100644 index 0000000000..ba06dd6de5 Binary files /dev/null and b/windows/update/images/cortana-o365-screen.png differ diff --git a/windows/update/images/cortana-place-reminder.png b/windows/update/images/cortana-place-reminder.png new file mode 100644 index 0000000000..89ccdab3e3 Binary files /dev/null and b/windows/update/images/cortana-place-reminder.png differ diff --git a/windows/update/images/cortana-powerbi-create-report.png b/windows/update/images/cortana-powerbi-create-report.png new file mode 100644 index 0000000000..a22789d72a Binary files /dev/null and b/windows/update/images/cortana-powerbi-create-report.png differ 
diff --git a/windows/update/images/cortana-powerbi-expand-nav.png b/windows/update/images/cortana-powerbi-expand-nav.png new file mode 100644 index 0000000000..c8b47943f9 Binary files /dev/null and b/windows/update/images/cortana-powerbi-expand-nav.png differ diff --git a/windows/update/images/cortana-powerbi-field-selection.png b/windows/update/images/cortana-powerbi-field-selection.png new file mode 100644 index 0000000000..8aef58c23a Binary files /dev/null and b/windows/update/images/cortana-powerbi-field-selection.png differ diff --git a/windows/update/images/cortana-powerbi-getdata-samples.png b/windows/update/images/cortana-powerbi-getdata-samples.png new file mode 100644 index 0000000000..3bfa4792df Binary files /dev/null and b/windows/update/images/cortana-powerbi-getdata-samples.png differ diff --git a/windows/update/images/cortana-powerbi-getdata.png b/windows/update/images/cortana-powerbi-getdata.png new file mode 100644 index 0000000000..55b7b61589 Binary files /dev/null and b/windows/update/images/cortana-powerbi-getdata.png differ diff --git a/windows/update/images/cortana-powerbi-myreport.png b/windows/update/images/cortana-powerbi-myreport.png new file mode 100644 index 0000000000..cc04d9c6f0 Binary files /dev/null and b/windows/update/images/cortana-powerbi-myreport.png differ diff --git a/windows/update/images/cortana-powerbi-pagesize.png b/windows/update/images/cortana-powerbi-pagesize.png new file mode 100644 index 0000000000..fd1c1ef917 Binary files /dev/null and b/windows/update/images/cortana-powerbi-pagesize.png differ diff --git a/windows/update/images/cortana-powerbi-report-qna.png b/windows/update/images/cortana-powerbi-report-qna.png new file mode 100644 index 0000000000..d17949aa8a Binary files /dev/null and b/windows/update/images/cortana-powerbi-report-qna.png differ 
diff --git a/windows/update/images/cortana-powerbi-retail-analysis-dashboard.png b/windows/update/images/cortana-powerbi-retail-analysis-dashboard.png new file mode 100644 index 0000000000..5b94a2e2fc Binary files /dev/null and b/windows/update/images/cortana-powerbi-retail-analysis-dashboard.png differ diff --git a/windows/update/images/cortana-powerbi-retail-analysis-dataset.png b/windows/update/images/cortana-powerbi-retail-analysis-dataset.png new file mode 100644 index 0000000000..b2ffec3b70 Binary files /dev/null and b/windows/update/images/cortana-powerbi-retail-analysis-dataset.png differ diff --git a/windows/update/images/cortana-powerbi-retail-analysis-sample.png b/windows/update/images/cortana-powerbi-retail-analysis-sample.png new file mode 100644 index 0000000000..e3b61dcaa2 Binary files /dev/null and b/windows/update/images/cortana-powerbi-retail-analysis-sample.png differ diff --git a/windows/update/images/cortana-powerbi-search.png b/windows/update/images/cortana-powerbi-search.png new file mode 100644 index 0000000000..88a8b40296 Binary files /dev/null and b/windows/update/images/cortana-powerbi-search.png differ diff --git a/windows/update/images/cortana-powerbi-settings.png b/windows/update/images/cortana-powerbi-settings.png new file mode 100644 index 0000000000..0f51229895 Binary files /dev/null and b/windows/update/images/cortana-powerbi-settings.png differ diff --git a/windows/update/images/cortana-redmond-weather.png b/windows/update/images/cortana-redmond-weather.png new file mode 100644 index 0000000000..7e8adc1929 Binary files /dev/null and b/windows/update/images/cortana-redmond-weather.png differ diff --git a/windows/update/images/cortana-reminder-edit.png b/windows/update/images/cortana-reminder-edit.png new file mode 100644 index 0000000000..79cc280947 Binary files /dev/null and b/windows/update/images/cortana-reminder-edit.png differ 
diff --git a/windows/update/images/cortana-reminder-list.png b/windows/update/images/cortana-reminder-list.png new file mode 100644 index 0000000000..1f57fc0f05 Binary files /dev/null and b/windows/update/images/cortana-reminder-list.png differ diff --git a/windows/update/images/cortana-reminder-mic.png b/windows/update/images/cortana-reminder-mic.png new file mode 100644 index 0000000000..46a18e8e0b Binary files /dev/null and b/windows/update/images/cortana-reminder-mic.png differ diff --git a/windows/update/images/cortana-reminder-pending-mic.png b/windows/update/images/cortana-reminder-pending-mic.png new file mode 100644 index 0000000000..159d408e0a Binary files /dev/null and b/windows/update/images/cortana-reminder-pending-mic.png differ diff --git a/windows/update/images/cortana-reminder-pending.png b/windows/update/images/cortana-reminder-pending.png new file mode 100644 index 0000000000..a6b64b5621 Binary files /dev/null and b/windows/update/images/cortana-reminder-pending.png differ diff --git a/windows/update/images/cortana-send-email-coworker-mic.png b/windows/update/images/cortana-send-email-coworker-mic.png new file mode 100644 index 0000000000..0cfa8fb731 Binary files /dev/null and b/windows/update/images/cortana-send-email-coworker-mic.png differ diff --git a/windows/update/images/cortana-send-email-coworker.png b/windows/update/images/cortana-send-email-coworker.png new file mode 100644 index 0000000000..40ce18bdca Binary files /dev/null and b/windows/update/images/cortana-send-email-coworker.png differ diff --git a/windows/update/images/cortana-weather-multipanel.png b/windows/update/images/cortana-weather-multipanel.png new file mode 100644 index 0000000000..e8db031744 Binary files /dev/null and b/windows/update/images/cortana-weather-multipanel.png differ 
diff --git a/windows/update/images/crossmark.png b/windows/update/images/crossmark.png new file mode 100644 index 0000000000..69432ff71c Binary files /dev/null and b/windows/update/images/crossmark.png differ diff --git a/windows/update/images/csp-placeholder.png b/windows/update/images/csp-placeholder.png new file mode 100644 index 0000000000..fe6bcf4720 Binary files /dev/null and b/windows/update/images/csp-placeholder.png differ diff --git a/windows/update/images/cspinicd.png b/windows/update/images/cspinicd.png new file mode 100644 index 0000000000..a60ad9e2bf Binary files /dev/null and b/windows/update/images/cspinicd.png differ diff --git a/windows/update/images/csptable.png b/windows/update/images/csptable.png new file mode 100644 index 0000000000..ee210cad69 Binary files /dev/null and b/windows/update/images/csptable.png differ diff --git a/windows/update/images/deploymentworkflow.png b/windows/update/images/deploymentworkflow.png new file mode 100644 index 0000000000..b665a0bfea Binary files /dev/null and b/windows/update/images/deploymentworkflow.png differ diff --git a/windows/update/images/doneicon.png b/windows/update/images/doneicon.png new file mode 100644 index 0000000000..d80389f35b Binary files /dev/null and b/windows/update/images/doneicon.png differ diff --git a/windows/update/images/export-mgt-desktop.png b/windows/update/images/export-mgt-desktop.png new file mode 100644 index 0000000000..13349c3b4e Binary files /dev/null and b/windows/update/images/export-mgt-desktop.png differ diff --git a/windows/update/images/export-mgt-mobile.png b/windows/update/images/export-mgt-mobile.png new file mode 100644 index 0000000000..6a74c23e59 Binary files /dev/null and b/windows/update/images/export-mgt-mobile.png differ diff --git a/windows/update/images/express-settings.png b/windows/update/images/express-settings.png new file mode 100644 index 0000000000..99e9c4825a Binary files /dev/null and b/windows/update/images/express-settings.png differ 
diff --git a/windows/update/images/fig1-deferupgrades.png b/windows/update/images/fig1-deferupgrades.png new file mode 100644 index 0000000000..f8c52b943e Binary files /dev/null and b/windows/update/images/fig1-deferupgrades.png differ diff --git a/windows/update/images/fig2-deploymenttimeline.png b/windows/update/images/fig2-deploymenttimeline.png new file mode 100644 index 0000000000..a8061d2f15 Binary files /dev/null and b/windows/update/images/fig2-deploymenttimeline.png differ diff --git a/windows/update/images/fig3-overlaprelease.png b/windows/update/images/fig3-overlaprelease.png new file mode 100644 index 0000000000..58747a35cf Binary files /dev/null and b/windows/update/images/fig3-overlaprelease.png differ diff --git a/windows/update/images/funfacts.png b/windows/update/images/funfacts.png new file mode 100644 index 0000000000..71355ec370 Binary files /dev/null and b/windows/update/images/funfacts.png differ diff --git a/windows/update/images/genrule.png b/windows/update/images/genrule.png new file mode 100644 index 0000000000..1d68f1ad0b Binary files /dev/null and b/windows/update/images/genrule.png differ diff --git a/windows/update/images/gp-branch.png b/windows/update/images/gp-branch.png new file mode 100644 index 0000000000..997bcc830a Binary files /dev/null and b/windows/update/images/gp-branch.png differ diff --git a/windows/update/images/gp-exclude-drivers.png b/windows/update/images/gp-exclude-drivers.png new file mode 100644 index 0000000000..0010749139 Binary files /dev/null and b/windows/update/images/gp-exclude-drivers.png differ diff --git a/windows/update/images/gp-feature.png b/windows/update/images/gp-feature.png new file mode 100644 index 0000000000..b862d545d4 Binary files /dev/null and b/windows/update/images/gp-feature.png differ 
diff --git a/windows/update/images/gp-quality.png b/windows/update/images/gp-quality.png new file mode 100644 index 0000000000..d7ff30172d Binary files /dev/null and b/windows/update/images/gp-quality.png differ diff --git a/windows/update/images/icd-adv-shared-pc.PNG b/windows/update/images/icd-adv-shared-pc.PNG new file mode 100644 index 0000000000..a8da5fa78a Binary files /dev/null and b/windows/update/images/icd-adv-shared-pc.PNG differ diff --git a/windows/update/images/icd-school.PNG b/windows/update/images/icd-school.PNG new file mode 100644 index 0000000000..e6a944a193 Binary files /dev/null and b/windows/update/images/icd-school.PNG differ diff --git a/windows/update/images/icd-simple.PNG b/windows/update/images/icd-simple.PNG new file mode 100644 index 0000000000..7ae8a1728b Binary files /dev/null and b/windows/update/images/icd-simple.PNG differ diff --git a/windows/update/images/icdbrowse.png b/windows/update/images/icdbrowse.png new file mode 100644 index 0000000000..53c91074c7 Binary files /dev/null and b/windows/update/images/icdbrowse.png differ diff --git a/windows/update/images/identitychoices.png b/windows/update/images/identitychoices.png new file mode 100644 index 0000000000..9a69c04f20 Binary files /dev/null and b/windows/update/images/identitychoices.png differ diff --git a/windows/update/images/launchicon.png b/windows/update/images/launchicon.png new file mode 100644 index 0000000000..d469c68a2c Binary files /dev/null and b/windows/update/images/launchicon.png differ diff --git a/windows/update/images/license-terms.png b/windows/update/images/license-terms.png new file mode 100644 index 0000000000..8dd34b0a18 Binary files /dev/null and b/windows/update/images/license-terms.png differ diff --git a/windows/update/images/lockdownapps.png b/windows/update/images/lockdownapps.png new file mode 100644 index 0000000000..ad928d87bc Binary files /dev/null and b/windows/update/images/lockdownapps.png differ 
diff --git a/windows/update/images/lockscreen.png b/windows/update/images/lockscreen.png
new file mode 100644
index 0000000000..68c64e15ec
Binary files /dev/null and b/windows/update/images/lockscreen.png differ
diff --git a/windows/update/images/lockscreenpolicy.png b/windows/update/images/lockscreenpolicy.png
new file mode 100644
index 0000000000..30b6a7ae9d
Binary files /dev/null and b/windows/update/images/lockscreenpolicy.png differ
diff --git a/windows/update/images/mdm-diag-report-powershell.PNG b/windows/update/images/mdm-diag-report-powershell.PNG
new file mode 100644
index 0000000000..86f5b49211
Binary files /dev/null and b/windows/update/images/mdm-diag-report-powershell.PNG differ
diff --git a/windows/update/images/mdm.png b/windows/update/images/mdm.png
new file mode 100644
index 0000000000..8ebcc00526
Binary files /dev/null and b/windows/update/images/mdm.png differ
diff --git a/windows/update/images/mobile-start-layout.png b/windows/update/images/mobile-start-layout.png
new file mode 100644
index 0000000000..d1055d6c87
Binary files /dev/null and b/windows/update/images/mobile-start-layout.png differ
diff --git a/windows/update/images/oma-uri-shared-pc.png b/windows/update/images/oma-uri-shared-pc.png
new file mode 100644
index 0000000000..68f9fa3b32
Binary files /dev/null and b/windows/update/images/oma-uri-shared-pc.png differ
diff --git a/windows/update/images/oobe.jpg b/windows/update/images/oobe.jpg
new file mode 100644
index 0000000000..53a5dab6bf
Binary files /dev/null and b/windows/update/images/oobe.jpg differ
diff --git a/windows/update/images/package.png b/windows/update/images/package.png
new file mode 100644
index 0000000000..f5e975e3e9
Binary files /dev/null and b/windows/update/images/package.png differ
diff --git a/windows/update/images/packageaddfileandregistrydata-global.png b/windows/update/images/packageaddfileandregistrydata-global.png
new file mode 100644
index 0000000000..775e290a36
Binary files /dev/null and b/windows/update/images/packageaddfileandregistrydata-global.png differ
diff --git a/windows/update/images/packageaddfileandregistrydata-stream.png b/windows/update/images/packageaddfileandregistrydata-stream.png
new file mode 100644
index 0000000000..0e1205c62b
Binary files /dev/null and b/windows/update/images/packageaddfileandregistrydata-stream.png differ
diff --git a/windows/update/images/packageaddfileandregistrydata.png b/windows/update/images/packageaddfileandregistrydata.png
new file mode 100644
index 0000000000..603420e627
Binary files /dev/null and b/windows/update/images/packageaddfileandregistrydata.png differ
diff --git a/windows/update/images/phoneprovision.png b/windows/update/images/phoneprovision.png
new file mode 100644
index 0000000000..01ada29ac9
Binary files /dev/null and b/windows/update/images/phoneprovision.png differ
diff --git a/windows/update/images/policytocsp.png b/windows/update/images/policytocsp.png
new file mode 100644
index 0000000000..80ca76cb62
Binary files /dev/null and b/windows/update/images/policytocsp.png differ
diff --git a/windows/update/images/powericon.png b/windows/update/images/powericon.png
new file mode 100644
index 0000000000..b497ff859d
Binary files /dev/null and b/windows/update/images/powericon.png differ
diff --git a/windows/update/images/priv-telemetry-levels.png b/windows/update/images/priv-telemetry-levels.png
new file mode 100644
index 0000000000..9581cee54d
Binary files /dev/null and b/windows/update/images/priv-telemetry-levels.png differ
diff --git a/windows/update/images/prov.jpg b/windows/update/images/prov.jpg
new file mode 100644
index 0000000000..1593ccb36b
Binary files /dev/null and b/windows/update/images/prov.jpg differ
diff --git a/windows/update/images/provisioning-csp-assignedaccess.png b/windows/update/images/provisioning-csp-assignedaccess.png
new file mode 100644
index 0000000000..14d49cdd89
Binary files /dev/null and b/windows/update/images/provisioning-csp-assignedaccess.png differ
diff --git a/windows/update/images/rdp.png b/windows/update/images/rdp.png
new file mode 100644
index 0000000000..ac088d0b06
Binary files /dev/null and b/windows/update/images/rdp.png differ
diff --git a/windows/update/images/resetdevice.png b/windows/update/images/resetdevice.png
new file mode 100644
index 0000000000..4e265c3f8d
Binary files /dev/null and b/windows/update/images/resetdevice.png differ
diff --git a/windows/update/images/settings-table.png b/windows/update/images/settings-table.png
new file mode 100644
index 0000000000..ada56513fc
Binary files /dev/null and b/windows/update/images/settings-table.png differ
diff --git a/windows/update/images/settingsicon.png b/windows/update/images/settingsicon.png
new file mode 100644
index 0000000000..0ad27fc558
Binary files /dev/null and b/windows/update/images/settingsicon.png differ
diff --git a/windows/update/images/setupmsg.jpg b/windows/update/images/setupmsg.jpg
new file mode 100644
index 0000000000..12935483c5
Binary files /dev/null and b/windows/update/images/setupmsg.jpg differ
diff --git a/windows/update/images/sign-in-prov.png b/windows/update/images/sign-in-prov.png
new file mode 100644
index 0000000000..55c9276203
Binary files /dev/null and b/windows/update/images/sign-in-prov.png differ
diff --git a/windows/update/images/spotlight.png b/windows/update/images/spotlight.png
new file mode 100644
index 0000000000..515269740b
Binary files /dev/null and b/windows/update/images/spotlight.png differ
diff --git a/windows/update/images/spotlight2.png b/windows/update/images/spotlight2.png
new file mode 100644
index 0000000000..27401c1a2b
Binary files /dev/null and b/windows/update/images/spotlight2.png differ
diff --git a/windows/update/images/start-pinned-app.png b/windows/update/images/start-pinned-app.png
new file mode 100644
index 0000000000..e1e4a24a00
Binary files /dev/null and b/windows/update/images/start-pinned-app.png differ
diff --git a/windows/update/images/startannotated.png b/windows/update/images/startannotated.png
new file mode 100644
index 0000000000..d46f3a70c2
Binary files /dev/null and b/windows/update/images/startannotated.png differ
diff --git a/windows/update/images/starticon.png b/windows/update/images/starticon.png
new file mode 100644
index 0000000000..fa8cbdff10
Binary files /dev/null and b/windows/update/images/starticon.png differ
diff --git a/windows/update/images/startlayoutpolicy.jpg b/windows/update/images/startlayoutpolicy.jpg
new file mode 100644
index 0000000000..d3c8d054fe
Binary files /dev/null and b/windows/update/images/startlayoutpolicy.jpg differ
diff --git a/windows/update/images/starttemplate.jpg b/windows/update/images/starttemplate.jpg
new file mode 100644
index 0000000000..900eed08c5
Binary files /dev/null and b/windows/update/images/starttemplate.jpg differ
diff --git a/windows/update/images/sysprep-error.png b/windows/update/images/sysprep-error.png
new file mode 100644
index 0000000000..aa004efbb6
Binary files /dev/null and b/windows/update/images/sysprep-error.png differ
diff --git a/windows/update/images/taskbar-blank.png b/windows/update/images/taskbar-blank.png
new file mode 100644
index 0000000000..185027f2fd
Binary files /dev/null and b/windows/update/images/taskbar-blank.png differ
diff --git a/windows/update/images/taskbar-default-plus.png b/windows/update/images/taskbar-default-plus.png
new file mode 100644
index 0000000000..8afcebac09
Binary files /dev/null and b/windows/update/images/taskbar-default-plus.png differ
diff --git a/windows/update/images/taskbar-default-removed.png b/windows/update/images/taskbar-default-removed.png
new file mode 100644
index 0000000000..b3ff924e9f
Binary files /dev/null and b/windows/update/images/taskbar-default-removed.png differ
diff --git a/windows/update/images/taskbar-default.png b/windows/update/images/taskbar-default.png
new file mode 100644
index 0000000000..41c6c72258
Binary files /dev/null and b/windows/update/images/taskbar-default.png differ
diff --git a/windows/update/images/taskbar-generic.png b/windows/update/images/taskbar-generic.png
new file mode 100644
index 0000000000..6d47a6795a
Binary files /dev/null and b/windows/update/images/taskbar-generic.png differ
diff --git a/windows/update/images/taskbar-region-defr.png b/windows/update/images/taskbar-region-defr.png
new file mode 100644
index 0000000000..6d707b16f4
Binary files /dev/null and b/windows/update/images/taskbar-region-defr.png differ
diff --git a/windows/update/images/taskbar-region-other.png b/windows/update/images/taskbar-region-other.png
new file mode 100644
index 0000000000..fab367ef7a
Binary files /dev/null and b/windows/update/images/taskbar-region-other.png differ
diff --git a/windows/update/images/taskbar-region-usuk.png b/windows/update/images/taskbar-region-usuk.png
new file mode 100644
index 0000000000..6bba65ee81
Binary files /dev/null and b/windows/update/images/taskbar-region-usuk.png differ
diff --git a/windows/update/images/taskbarSTARTERBLANK.png b/windows/update/images/taskbarSTARTERBLANK.png
new file mode 100644
index 0000000000..e206bdc196
Binary files /dev/null and b/windows/update/images/taskbarSTARTERBLANK.png differ
diff --git a/windows/update/images/trust-package.png b/windows/update/images/trust-package.png
new file mode 100644
index 0000000000..8a293ea4da
Binary files /dev/null and b/windows/update/images/trust-package.png differ
diff --git a/windows/update/images/twain.png b/windows/update/images/twain.png
new file mode 100644
index 0000000000..53cd5eadc7
Binary files /dev/null and b/windows/update/images/twain.png differ
diff --git a/windows/update/images/uc-01.png b/windows/update/images/uc-01.png
new file mode 100644
index 0000000000..7f4df9f6d7
Binary files /dev/null and b/windows/update/images/uc-01.png differ
diff --git a/windows/update/images/uc-02.png b/windows/update/images/uc-02.png
new file mode 100644
index 0000000000..8317f051c3
Binary files /dev/null and b/windows/update/images/uc-02.png differ
diff --git a/windows/update/images/uc-02a.png b/windows/update/images/uc-02a.png
new file mode 100644
index 0000000000..d12544e3a0
Binary files /dev/null and b/windows/update/images/uc-02a.png differ
diff --git a/windows/update/images/uc-03.png b/windows/update/images/uc-03.png
new file mode 100644
index 0000000000..58494c4128
Binary files /dev/null and b/windows/update/images/uc-03.png differ
diff --git a/windows/update/images/uc-03a.png b/windows/update/images/uc-03a.png
new file mode 100644
index 0000000000..39412fc8f3
Binary files /dev/null and b/windows/update/images/uc-03a.png differ
diff --git a/windows/update/images/uc-04.png b/windows/update/images/uc-04.png
new file mode 100644
index 0000000000..ef9a37d379
Binary files /dev/null and b/windows/update/images/uc-04.png differ
diff --git a/windows/update/images/uc-04a.png b/windows/update/images/uc-04a.png
new file mode 100644
index 0000000000..537d4bbe72
Binary files /dev/null and b/windows/update/images/uc-04a.png differ
diff --git a/windows/update/images/uc-05.png b/windows/update/images/uc-05.png
new file mode 100644
index 0000000000..21c8e9f9e0
Binary files /dev/null and b/windows/update/images/uc-05.png differ
diff --git a/windows/update/images/uc-05a.png b/windows/update/images/uc-05a.png
new file mode 100644
index 0000000000..2271181622
Binary files /dev/null and b/windows/update/images/uc-05a.png differ
diff --git a/windows/update/images/uc-06.png b/windows/update/images/uc-06.png
new file mode 100644
index 0000000000..03a559800b
Binary files /dev/null and b/windows/update/images/uc-06.png differ
diff --git a/windows/update/images/uc-06a.png b/windows/update/images/uc-06a.png
new file mode 100644
index 0000000000..15df1cfea0
Binary files /dev/null and b/windows/update/images/uc-06a.png differ
diff --git a/windows/update/images/uc-07.png b/windows/update/images/uc-07.png
new file mode 100644
index 0000000000..de1ae35e82
Binary files /dev/null and b/windows/update/images/uc-07.png differ
diff --git a/windows/update/images/uc-07a.png b/windows/update/images/uc-07a.png
new file mode 100644
index 0000000000..c0f2d9fd73
Binary files /dev/null and b/windows/update/images/uc-07a.png differ
diff --git a/windows/update/images/uc-08.png b/windows/update/images/uc-08.png
new file mode 100644
index 0000000000..877fcd64c0
Binary files /dev/null and b/windows/update/images/uc-08.png differ
diff --git a/windows/update/images/uc-08a.png b/windows/update/images/uc-08a.png
new file mode 100644
index 0000000000..89da287d3d
Binary files /dev/null and b/windows/update/images/uc-08a.png differ
diff --git a/windows/update/images/uc-09.png b/windows/update/images/uc-09.png
new file mode 100644
index 0000000000..37d7114f19
Binary files /dev/null and b/windows/update/images/uc-09.png differ
diff --git a/windows/update/images/uc-09a.png b/windows/update/images/uc-09a.png
new file mode 100644
index 0000000000..f6b6ec5b60
Binary files /dev/null and b/windows/update/images/uc-09a.png differ
diff --git a/windows/update/images/uc-10.png b/windows/update/images/uc-10.png
new file mode 100644
index 0000000000..3ab72d10d2
Binary files /dev/null and b/windows/update/images/uc-10.png differ
diff --git a/windows/update/images/uc-10a.png b/windows/update/images/uc-10a.png
new file mode 100644
index 0000000000..1c6b8b01dc
Binary files /dev/null and b/windows/update/images/uc-10a.png differ
diff --git a/windows/update/images/uc-11.png b/windows/update/images/uc-11.png
new file mode 100644
index 0000000000..8b4fc568ea
Binary files /dev/null and b/windows/update/images/uc-11.png differ
diff --git a/windows/update/images/uc-12.png b/windows/update/images/uc-12.png
new file mode 100644
index 0000000000..4198684c99
Binary files /dev/null and b/windows/update/images/uc-12.png differ
diff --git a/windows/update/images/uc-13.png b/windows/update/images/uc-13.png
new file mode 100644
index 0000000000..117f9b9fd8
Binary files /dev/null and b/windows/update/images/uc-13.png differ
diff --git a/windows/update/images/uc-14.png b/windows/update/images/uc-14.png
new file mode 100644
index 0000000000..66047984e7
Binary files /dev/null and b/windows/update/images/uc-14.png differ
diff --git a/windows/update/images/uc-15.png b/windows/update/images/uc-15.png
new file mode 100644
index 0000000000..c241cd9117
Binary files /dev/null and b/windows/update/images/uc-15.png differ
diff --git a/windows/update/images/uc-16.png b/windows/update/images/uc-16.png
new file mode 100644
index 0000000000..e7aff4d4ed
Binary files /dev/null and b/windows/update/images/uc-16.png differ
diff --git a/windows/update/images/uc-17.png b/windows/update/images/uc-17.png
new file mode 100644
index 0000000000..cb8e42ca5e
Binary files /dev/null and b/windows/update/images/uc-17.png differ
diff --git a/windows/update/images/uc-18.png b/windows/update/images/uc-18.png
new file mode 100644
index 0000000000..5eff59adc9
Binary files /dev/null and b/windows/update/images/uc-18.png differ
diff --git a/windows/update/images/uc-19.png b/windows/update/images/uc-19.png
new file mode 100644
index 0000000000..791900eafc
Binary files /dev/null and b/windows/update/images/uc-19.png differ
diff --git a/windows/update/images/uc-20.png b/windows/update/images/uc-20.png
new file mode 100644
index 0000000000..7dbb027b9f
Binary files /dev/null and b/windows/update/images/uc-20.png differ
diff --git a/windows/update/images/uc-21.png b/windows/update/images/uc-21.png
new file mode 100644
index 0000000000..418db41fe4
Binary files /dev/null and b/windows/update/images/uc-21.png differ
diff --git a/windows/update/images/uc-22.png b/windows/update/images/uc-22.png
new file mode 100644
index 0000000000..2ca5c47a61
Binary files /dev/null and b/windows/update/images/uc-22.png differ
diff --git a/windows/update/images/uc-23.png b/windows/update/images/uc-23.png
new file mode 100644
index 0000000000..58b82db82d
Binary files /dev/null and b/windows/update/images/uc-23.png differ
diff --git a/windows/update/images/uc-24.png b/windows/update/images/uc-24.png
new file mode 100644
index 0000000000..00bc61e3e1
Binary files /dev/null and b/windows/update/images/uc-24.png differ
diff --git a/windows/update/images/uc-25.png b/windows/update/images/uc-25.png
new file mode 100644
index 0000000000..4e0f0bdb03
Binary files /dev/null and b/windows/update/images/uc-25.png differ
diff --git a/windows/update/images/uev-adk-select-uev-feature.png b/windows/update/images/uev-adk-select-uev-feature.png
new file mode 100644
index 0000000000..1556f115c0
Binary files /dev/null and b/windows/update/images/uev-adk-select-uev-feature.png differ
diff --git a/windows/update/images/uev-archdiagram.png b/windows/update/images/uev-archdiagram.png
new file mode 100644
index 0000000000..eae098e666
Binary files /dev/null and b/windows/update/images/uev-archdiagram.png differ
diff --git a/windows/update/images/uev-checklist-box.gif b/windows/update/images/uev-checklist-box.gif
new file mode 100644
index 0000000000..8af13c51d1
Binary files /dev/null and b/windows/update/images/uev-checklist-box.gif differ
diff --git a/windows/update/images/uev-deployment-preparation.png b/windows/update/images/uev-deployment-preparation.png
new file mode 100644
index 0000000000..b665a0bfea
Binary files /dev/null and b/windows/update/images/uev-deployment-preparation.png differ
diff --git a/windows/update/images/uev-generator-process.png b/windows/update/images/uev-generator-process.png
new file mode 100644
index 0000000000..e16cedd0a7
Binary files /dev/null and b/windows/update/images/uev-generator-process.png differ
diff --git a/windows/update/images/w10servicing-f1-branches.png b/windows/update/images/w10servicing-f1-branches.png
new file mode 100644
index 0000000000..ac4a549aed
Binary files /dev/null and b/windows/update/images/w10servicing-f1-branches.png differ
diff --git a/windows/update/images/waas-active-hours-policy.PNG b/windows/update/images/waas-active-hours-policy.PNG
new file mode 100644
index 0000000000..af80ef6652
Binary files /dev/null and b/windows/update/images/waas-active-hours-policy.PNG differ
diff --git a/windows/update/images/waas-active-hours.PNG b/windows/update/images/waas-active-hours.PNG
new file mode 100644
index 0000000000..c262c302ed
Binary files /dev/null and b/windows/update/images/waas-active-hours.PNG differ
diff --git a/windows/update/images/waas-auto-update-policy.PNG b/windows/update/images/waas-auto-update-policy.PNG
new file mode 100644
index 0000000000..52a1629cbf
Binary files /dev/null and b/windows/update/images/waas-auto-update-policy.PNG differ
diff --git a/windows/update/images/waas-do-fig1.png b/windows/update/images/waas-do-fig1.png
new file mode 100644
index 0000000000..2a2b6872e9
Binary files /dev/null and b/windows/update/images/waas-do-fig1.png differ
diff --git a/windows/update/images/waas-do-fig2.png b/windows/update/images/waas-do-fig2.png
new file mode 100644
index 0000000000..cc42b328eb
Binary files /dev/null and b/windows/update/images/waas-do-fig2.png differ
diff --git a/windows/update/images/waas-do-fig3.png b/windows/update/images/waas-do-fig3.png
new file mode 100644
index 0000000000..d9182d3b20
Binary files /dev/null and b/windows/update/images/waas-do-fig3.png differ
diff --git a/windows/update/images/waas-do-fig4.png b/windows/update/images/waas-do-fig4.png
new file mode 100644
index 0000000000..a66741ed90
Binary files /dev/null and b/windows/update/images/waas-do-fig4.png differ
diff --git a/windows/update/images/waas-overview-patch.png b/windows/update/images/waas-overview-patch.png
new file mode 100644
index 0000000000..6ac0a03227
Binary files /dev/null and b/windows/update/images/waas-overview-patch.png differ
diff --git a/windows/update/images/waas-restart-policy.PNG b/windows/update/images/waas-restart-policy.PNG
new file mode 100644
index 0000000000..936f9aeb08
Binary files /dev/null and b/windows/update/images/waas-restart-policy.PNG differ
diff --git a/windows/update/images/waas-rings.png b/windows/update/images/waas-rings.png
new file mode 100644
index 0000000000..041a59ce87
Binary files /dev/null and b/windows/update/images/waas-rings.png differ
diff --git a/windows/update/images/waas-sccm-fig1.png b/windows/update/images/waas-sccm-fig1.png
new file mode 100644
index 0000000000..6bf2b1c621
Binary files /dev/null and b/windows/update/images/waas-sccm-fig1.png differ
diff --git a/windows/update/images/waas-sccm-fig10.png b/windows/update/images/waas-sccm-fig10.png
new file mode 100644
index 0000000000..ad3b5c922f
Binary files /dev/null and b/windows/update/images/waas-sccm-fig10.png differ
diff --git a/windows/update/images/waas-sccm-fig11.png b/windows/update/images/waas-sccm-fig11.png
new file mode 100644
index 0000000000..6c4f905630
Binary files /dev/null and b/windows/update/images/waas-sccm-fig11.png differ
diff --git a/windows/update/images/waas-sccm-fig12.png b/windows/update/images/waas-sccm-fig12.png
new file mode 100644
index 0000000000..87464dd5f1
Binary files /dev/null and b/windows/update/images/waas-sccm-fig12.png differ
diff --git a/windows/update/images/waas-sccm-fig2.png b/windows/update/images/waas-sccm-fig2.png
new file mode 100644
index 0000000000..c83e7bc781
Binary files /dev/null and b/windows/update/images/waas-sccm-fig2.png differ
diff --git a/windows/update/images/waas-sccm-fig3.png b/windows/update/images/waas-sccm-fig3.png
new file mode 100644
index 0000000000..dcbc83b8ff
Binary files /dev/null and b/windows/update/images/waas-sccm-fig3.png differ
diff --git a/windows/update/images/waas-sccm-fig4.png b/windows/update/images/waas-sccm-fig4.png
new file mode 100644
index 0000000000..782c5ca6ef
Binary files /dev/null and b/windows/update/images/waas-sccm-fig4.png differ
diff --git a/windows/update/images/waas-sccm-fig5.png b/windows/update/images/waas-sccm-fig5.png
new file mode 100644
index 0000000000..cb399a6c6f
Binary files /dev/null and b/windows/update/images/waas-sccm-fig5.png differ
diff --git a/windows/update/images/waas-sccm-fig6.png b/windows/update/images/waas-sccm-fig6.png
new file mode 100644
index 0000000000..77dd02d61e
Binary files /dev/null and b/windows/update/images/waas-sccm-fig6.png differ
diff --git a/windows/update/images/waas-sccm-fig7.png b/windows/update/images/waas-sccm-fig7.png
new file mode 100644
index 0000000000..a74c7c8133
Binary files /dev/null and b/windows/update/images/waas-sccm-fig7.png differ
diff --git a/windows/update/images/waas-sccm-fig8.png b/windows/update/images/waas-sccm-fig8.png
new file mode 100644
index 0000000000..2dfaf75ddf
Binary files /dev/null and b/windows/update/images/waas-sccm-fig8.png differ
diff --git a/windows/update/images/waas-sccm-fig9.png b/windows/update/images/waas-sccm-fig9.png
new file mode 100644
index 0000000000..311d79dc94
Binary files /dev/null and b/windows/update/images/waas-sccm-fig9.png differ
diff --git a/windows/update/images/waas-strategy-fig1a.png b/windows/update/images/waas-strategy-fig1a.png
new file mode 100644
index 0000000000..7a924c43bc
Binary files /dev/null and b/windows/update/images/waas-strategy-fig1a.png differ
diff --git a/windows/update/images/waas-wsus-fig1.png b/windows/update/images/waas-wsus-fig1.png
new file mode 100644
index 0000000000..14bf35958a
Binary files /dev/null and b/windows/update/images/waas-wsus-fig1.png differ
diff --git a/windows/update/images/waas-wsus-fig10.png b/windows/update/images/waas-wsus-fig10.png
new file mode 100644
index 0000000000..3efa119693
Binary files /dev/null and b/windows/update/images/waas-wsus-fig10.png differ
diff --git a/windows/update/images/waas-wsus-fig11.png b/windows/update/images/waas-wsus-fig11.png
new file mode 100644
index 0000000000..ae6d79221a
Binary files /dev/null and b/windows/update/images/waas-wsus-fig11.png differ
diff --git a/windows/update/images/waas-wsus-fig12.png b/windows/update/images/waas-wsus-fig12.png
new file mode 100644
index 0000000000..47479ea1df
Binary files /dev/null and b/windows/update/images/waas-wsus-fig12.png differ
diff --git a/windows/update/images/waas-wsus-fig13.png b/windows/update/images/waas-wsus-fig13.png
new file mode 100644
index 0000000000..f0b1578094
Binary files /dev/null and b/windows/update/images/waas-wsus-fig13.png differ
diff --git a/windows/update/images/waas-wsus-fig14.png b/windows/update/images/waas-wsus-fig14.png
new file mode 100644
index 0000000000..b5b930ddad
Binary files /dev/null and b/windows/update/images/waas-wsus-fig14.png differ
diff --git a/windows/update/images/waas-wsus-fig15.png b/windows/update/images/waas-wsus-fig15.png
new file mode 100644
index 0000000000..95e38c039e
Binary files /dev/null and b/windows/update/images/waas-wsus-fig15.png differ
diff --git a/windows/update/images/waas-wsus-fig16.png b/windows/update/images/waas-wsus-fig16.png
new file mode 100644
index 0000000000..3848ac1772
Binary files /dev/null and b/windows/update/images/waas-wsus-fig16.png differ
diff --git a/windows/update/images/waas-wsus-fig17.png b/windows/update/images/waas-wsus-fig17.png
new file mode 100644
index 0000000000..5511da3e5c
Binary files /dev/null and b/windows/update/images/waas-wsus-fig17.png differ
diff --git a/windows/update/images/waas-wsus-fig18.png b/windows/update/images/waas-wsus-fig18.png
new file mode 100644
index 0000000000..f9ac774754
Binary files /dev/null and b/windows/update/images/waas-wsus-fig18.png differ
diff --git a/windows/update/images/waas-wsus-fig19.png b/windows/update/images/waas-wsus-fig19.png
new file mode 100644
index 0000000000..f69d793afe
Binary files /dev/null and b/windows/update/images/waas-wsus-fig19.png differ
diff --git a/windows/update/images/waas-wsus-fig2.png b/windows/update/images/waas-wsus-fig2.png
new file mode 100644
index 0000000000..167774a6c9
Binary files /dev/null and b/windows/update/images/waas-wsus-fig2.png differ
diff --git a/windows/update/images/waas-wsus-fig20.png b/windows/update/images/waas-wsus-fig20.png
new file mode 100644
index 0000000000..ea6bbb350a
Binary files /dev/null and b/windows/update/images/waas-wsus-fig20.png differ
diff --git a/windows/update/images/waas-wsus-fig3.png b/windows/update/images/waas-wsus-fig3.png
new file mode 100644
index 0000000000..272e8c05e9
Binary files /dev/null and b/windows/update/images/waas-wsus-fig3.png differ
diff --git a/windows/update/images/waas-wsus-fig4.png b/windows/update/images/waas-wsus-fig4.png
new file mode 100644
index 0000000000..bb5f27e3da
Binary files /dev/null and b/windows/update/images/waas-wsus-fig4.png differ
diff --git a/windows/update/images/waas-wsus-fig5.png b/windows/update/images/waas-wsus-fig5.png
new file mode 100644
index 0000000000..23faf303c6
Binary files /dev/null and b/windows/update/images/waas-wsus-fig5.png differ
diff --git a/windows/update/images/waas-wsus-fig6.png b/windows/update/images/waas-wsus-fig6.png
new file mode 100644
index 0000000000..7857351d19
Binary files /dev/null and b/windows/update/images/waas-wsus-fig6.png differ
diff --git a/windows/update/images/waas-wsus-fig7.png b/windows/update/images/waas-wsus-fig7.png
new file mode 100644
index 0000000000..e7f02649d2
Binary files /dev/null and b/windows/update/images/waas-wsus-fig7.png differ
diff --git a/windows/update/images/waas-wsus-fig8.png b/windows/update/images/waas-wsus-fig8.png
new file mode 100644
index 0000000000..da5f620425
Binary files /dev/null and b/windows/update/images/waas-wsus-fig8.png differ
diff --git a/windows/update/images/waas-wsus-fig9.png b/windows/update/images/waas-wsus-fig9.png
new file mode 100644
index 0000000000..f3d5a4eb6a
Binary files /dev/null and b/windows/update/images/waas-wsus-fig9.png differ
diff --git a/windows/update/images/waas-wufb-gp-broad.png b/windows/update/images/waas-wufb-gp-broad.png
new file mode 100644
index 0000000000..92b71c8936
Binary files /dev/null and b/windows/update/images/waas-wufb-gp-broad.png differ
diff --git a/windows/update/images/waas-wufb-gp-cb2-settings.png b/windows/update/images/waas-wufb-gp-cb2-settings.png
new file mode 100644
index 0000000000..ae6ed4d856
Binary files /dev/null and b/windows/update/images/waas-wufb-gp-cb2-settings.png differ
diff --git a/windows/update/images/waas-wufb-gp-cb2.png b/windows/update/images/waas-wufb-gp-cb2.png
new file mode 100644
index 0000000000..006a8c02d3
Binary files /dev/null and b/windows/update/images/waas-wufb-gp-cb2.png differ
diff --git a/windows/update/images/waas-wufb-gp-cbb1-settings.png b/windows/update/images/waas-wufb-gp-cbb1-settings.png
new file mode 100644
index 0000000000..c9e1029b8b
Binary files /dev/null and b/windows/update/images/waas-wufb-gp-cbb1-settings.png differ
diff --git a/windows/update/images/waas-wufb-gp-cbb2-settings.png b/windows/update/images/waas-wufb-gp-cbb2-settings.png
new file mode 100644
index 0000000000..e5aff1cc89
Binary files /dev/null and b/windows/update/images/waas-wufb-gp-cbb2-settings.png differ
diff --git a/windows/update/images/waas-wufb-gp-cbb2q-settings.png b/windows/update/images/waas-wufb-gp-cbb2q-settings.png
new file mode 100644
index 0000000000..33a02165c6
Binary files /dev/null and b/windows/update/images/waas-wufb-gp-cbb2q-settings.png differ
diff --git a/windows/update/images/waas-wufb-gp-create.png b/windows/update/images/waas-wufb-gp-create.png
new file mode 100644
index 0000000000..d74eec4b2e
Binary files /dev/null and b/windows/update/images/waas-wufb-gp-create.png differ
diff --git a/windows/update/images/waas-wufb-gp-edit-defer.png b/windows/update/images/waas-wufb-gp-edit-defer.png
new file mode 100644
index 0000000000..c697b42ffd
Binary files /dev/null and b/windows/update/images/waas-wufb-gp-edit-defer.png differ
diff --git a/windows/update/images/waas-wufb-gp-edit.png b/windows/update/images/waas-wufb-gp-edit.png
new file mode 100644
index 0000000000..1b8d21a175
Binary files /dev/null and b/windows/update/images/waas-wufb-gp-edit.png differ
diff --git a/windows/update/images/waas-wufb-gp-scope-cb2.png b/windows/update/images/waas-wufb-gp-scope-cb2.png
new file mode 100644
index 0000000000..fcacdbea57
Binary files /dev/null and b/windows/update/images/waas-wufb-gp-scope-cb2.png differ
diff --git a/windows/update/images/waas-wufb-gp-scope.png b/windows/update/images/waas-wufb-gp-scope.png
new file mode 100644
index 0000000000..a04d8194df
Binary files /dev/null and b/windows/update/images/waas-wufb-gp-scope.png differ
diff --git a/windows/update/images/waas-wufb-intune-cb2a.png b/windows/update/images/waas-wufb-intune-cb2a.png
new file mode 100644
index 0000000000..3e8c1ce19e
Binary files /dev/null and b/windows/update/images/waas-wufb-intune-cb2a.png differ
diff --git a/windows/update/images/waas-wufb-intune-cbb1a.png b/windows/update/images/waas-wufb-intune-cbb1a.png
new file mode 100644
index 0000000000..bc394fe563
Binary files /dev/null and b/windows/update/images/waas-wufb-intune-cbb1a.png differ
diff --git a/windows/update/images/waas-wufb-intune-cbb2a.png b/windows/update/images/waas-wufb-intune-cbb2a.png
new file mode 100644
index 0000000000..a980e0e43a
Binary files /dev/null and b/windows/update/images/waas-wufb-intune-cbb2a.png differ
diff --git a/windows/update/images/waas-wufb-intune-step11a.png b/windows/update/images/waas-wufb-intune-step11a.png
new file mode 100644
index 0000000000..7291484c93
Binary files /dev/null and b/windows/update/images/waas-wufb-intune-step11a.png differ
diff --git a/windows/update/images/waas-wufb-intune-step19a.png b/windows/update/images/waas-wufb-intune-step19a.png
new file mode 100644
index 0000000000..de132abd28
Binary files /dev/null and b/windows/update/images/waas-wufb-intune-step19a.png differ
diff --git a/windows/update/images/waas-wufb-intune-step2a.png b/windows/update/images/waas-wufb-intune-step2a.png
new file mode 100644
index 0000000000..9a719b8fda
Binary files /dev/null and b/windows/update/images/waas-wufb-intune-step2a.png differ
diff --git a/windows/update/images/waas-wufb-intune-step7a.png b/windows/update/images/waas-wufb-intune-step7a.png
new file mode 100644
index 0000000000..daa96ba18c
Binary files /dev/null and b/windows/update/images/waas-wufb-intune-step7a.png differ
diff --git a/windows/update/images/waas-wufb-settings-branch.jpg b/windows/update/images/waas-wufb-settings-branch.jpg
new file mode 100644
index 0000000000..7dfb770d4a
Binary files /dev/null and b/windows/update/images/waas-wufb-settings-branch.jpg differ
diff --git a/windows/update/images/waas-wufb-settings-defer.jpg b/windows/update/images/waas-wufb-settings-defer.jpg
new file mode 100644
index 0000000000..5e6c58a101
Binary files /dev/null and b/windows/update/images/waas-wufb-settings-defer.jpg differ
diff --git a/windows/update/images/who-owns-pc.png b/windows/update/images/who-owns-pc.png
new file mode 100644
index 0000000000..d3ce1def8d
Binary files /dev/null and b/windows/update/images/who-owns-pc.png differ
diff --git a/windows/update/images/wifisense-grouppolicy.png b/windows/update/images/wifisense-grouppolicy.png
new file mode 100644
index 0000000000..1142d834bd
Binary files /dev/null and b/windows/update/images/wifisense-grouppolicy.png differ
diff --git a/windows/update/images/wifisense-registry.png b/windows/update/images/wifisense-registry.png
new file mode 100644
index 0000000000..cbb1fa8347
Binary files /dev/null and b/windows/update/images/wifisense-registry.png differ
diff --git a/windows/update/images/wifisense-settingscreens.png b/windows/update/images/wifisense-settingscreens.png
new file mode 100644
index 0000000000..cbb6903177
Binary files /dev/null and b/windows/update/images/wifisense-settingscreens.png differ
diff --git a/windows/update/images/win10-mobile-mdm-fig1.png b/windows/update/images/win10-mobile-mdm-fig1.png
new file mode 100644
index 0000000000..6ddac1df99
Binary files /dev/null and b/windows/update/images/win10-mobile-mdm-fig1.png differ
diff --git a/windows/update/images/win10servicing-fig2-featureupgrade.png b/windows/update/images/win10servicing-fig2-featureupgrade.png
new file mode 100644
index 0000000000..e4dc76b44f
Binary files /dev/null and b/windows/update/images/win10servicing-fig2-featureupgrade.png differ
diff --git a/windows/update/images/win10servicing-fig3.png b/windows/update/images/win10servicing-fig3.png
new file mode 100644
index 0000000000..688f92b173
Binary files /dev/null and b/windows/update/images/win10servicing-fig3.png differ
diff --git a/windows/update/images/win10servicing-fig4-upgradereleases.png b/windows/update/images/win10servicing-fig4-upgradereleases.png
new file mode 100644
index 0000000000..961c8bebe2
Binary files /dev/null and b/windows/update/images/win10servicing-fig4-upgradereleases.png differ
diff --git a/windows/update/images/win10servicing-fig5.png b/windows/update/images/win10servicing-fig5.png
new file mode 100644
index 0000000000..dc4b2fc5b2
Binary files /dev/null and b/windows/update/images/win10servicing-fig5.png differ
diff --git a/windows/update/images/win10servicing-fig6.png b/windows/update/images/win10servicing-fig6.png
new file mode 100644
index 0000000000..4cdc5f9c6f
Binary files /dev/null and b/windows/update/images/win10servicing-fig6.png differ
diff --git a/windows/update/images/win10servicing-fig7.png b/windows/update/images/win10servicing-fig7.png
new file mode 100644
index 0000000000..0a9a851449
Binary files /dev/null and b/windows/update/images/win10servicing-fig7.png differ
diff --git a/windows/update/images/windows-10-management-cyod-byod-flow.png b/windows/update/images/windows-10-management-cyod-byod-flow.png
new file mode 100644
index 0000000000..6121e93832
Binary files /dev/null and b/windows/update/images/windows-10-management-cyod-byod-flow.png differ
diff --git a/windows/update/images/windows-10-management-gp-intune-flow.png b/windows/update/images/windows-10-management-gp-intune-flow.png
new file mode 100644
index 0000000000..c9e3f2ea31
Binary files /dev/null and b/windows/update/images/windows-10-management-gp-intune-flow.png differ
diff --git a/windows/update/images/windows-10-management-range-of-options.png b/windows/update/images/windows-10-management-range-of-options.png
new file mode 100644
index 0000000000..e4de546709
Binary files /dev/null and b/windows/update/images/windows-10-management-range-of-options.png differ
diff --git a/windows/update/images/wsfb-distribute.png b/windows/update/images/wsfb-distribute.png
new file mode 100644
index 0000000000..d0482f6ebe
Binary files /dev/null and b/windows/update/images/wsfb-distribute.png differ
diff --git a/windows/update/images/wsfb-firstrun.png b/windows/update/images/wsfb-firstrun.png
new file mode 100644
index 0000000000..2673567a1e
Binary files /dev/null and b/windows/update/images/wsfb-firstrun.png differ
diff --git a/windows/update/images/wsfb-inventory-viewlicense.png b/windows/update/images/wsfb-inventory-viewlicense.png
new file mode 100644
index 0000000000..9fafad1aff
Binary files /dev/null and b/windows/update/images/wsfb-inventory-viewlicense.png differ
diff --git a/windows/update/images/wsfb-inventory.png b/windows/update/images/wsfb-inventory.png
new file mode 100644
index 0000000000..b060fb30e4
Binary files /dev/null and b/windows/update/images/wsfb-inventory.png differ
diff --git a/windows/update/images/wsfb-inventoryaddprivatestore.png b/windows/update/images/wsfb-inventoryaddprivatestore.png
new file mode 100644
index 0000000000..bb1152e35b
Binary files /dev/null and b/windows/update/images/wsfb-inventoryaddprivatestore.png differ
diff --git a/windows/update/images/wsfb-landing.png b/windows/update/images/wsfb-landing.png
new file mode 100644
index 0000000000..beae0b52af
Binary files /dev/null and b/windows/update/images/wsfb-landing.png differ
diff --git a/windows/update/images/wsfb-licenseassign.png b/windows/update/images/wsfb-licenseassign.png
new file mode 100644
index 0000000000..5904abb3b9
Binary files /dev/null and b/windows/update/images/wsfb-licenseassign.png differ
diff --git a/windows/update/images/wsfb-licensedetails.png b/windows/update/images/wsfb-licensedetails.png
new file mode 100644
index 0000000000..53e0f5c935
Binary files /dev/null and b/windows/update/images/wsfb-licensedetails.png differ
diff --git a/windows/update/images/wsfb-licensereclaim.png b/windows/update/images/wsfb-licensereclaim.png
new file mode 100644
index 0000000000..9f94cd3600
Binary files /dev/null and b/windows/update/images/wsfb-licensereclaim.png differ
diff --git a/windows/update/images/wsfb-manageinventory.png b/windows/update/images/wsfb-manageinventory.png
new file mode 100644
index 0000000000..9a544ddc21
Binary files /dev/null and b/windows/update/images/wsfb-manageinventory.png differ
diff --git a/windows/update/images/wsfb-offline-distribute-mdm.png b/windows/update/images/wsfb-offline-distribute-mdm.png
new file mode 100644
index 0000000000..ec0e77a9a9
Binary files /dev/null and b/windows/update/images/wsfb-offline-distribute-mdm.png differ
diff --git a/windows/update/images/wsfb-onboard-1.png b/windows/update/images/wsfb-onboard-1.png
new file mode 100644
index 0000000000..012e91a845
Binary files /dev/null and b/windows/update/images/wsfb-onboard-1.png differ
diff --git a/windows/update/images/wsfb-onboard-2.png b/windows/update/images/wsfb-onboard-2.png
new file mode 100644
index 0000000000..2ff98fb1f7
Binary files /dev/null and b/windows/update/images/wsfb-onboard-2.png differ
diff --git a/windows/update/images/wsfb-onboard-3.png b/windows/update/images/wsfb-onboard-3.png
new file mode 100644
index 0000000000..ed9a61d353
Binary files /dev/null and b/windows/update/images/wsfb-onboard-3.png differ
diff --git a/windows/update/images/wsfb-onboard-4.png b/windows/update/images/wsfb-onboard-4.png
new file mode 100644
index 0000000000..d99185ddc6
Binary files /dev/null and b/windows/update/images/wsfb-onboard-4.png differ
diff --git a/windows/update/images/wsfb-onboard-5.png b/windows/update/images/wsfb-onboard-5.png
new file mode 100644
index 0000000000..68049f4425
Binary files /dev/null and b/windows/update/images/wsfb-onboard-5.png differ
diff --git a/windows/update/images/wsfb-onboard-7.png b/windows/update/images/wsfb-onboard-7.png
new file mode 100644
index 0000000000..38b7348b21
Binary files /dev/null and b/windows/update/images/wsfb-onboard-7.png differ
diff --git a/windows/update/images/wsfb-online-distribute-mdm.png b/windows/update/images/wsfb-online-distribute-mdm.png
new file mode 100644
index 0000000000..4b0f7cbf3a
Binary files /dev/null and b/windows/update/images/wsfb-online-distribute-mdm.png differ
diff --git a/windows/update/images/wsfb-paid-app-temp.png b/windows/update/images/wsfb-paid-app-temp.png
new file mode 100644
index 0000000000..89e3857d07
Binary files /dev/null and b/windows/update/images/wsfb-paid-app-temp.png differ
diff --git a/windows/update/images/wsfb-permissions-assignrole.png b/windows/update/images/wsfb-permissions-assignrole.png
new file mode 100644
index 0000000000..de2e1785ba
Binary files /dev/null and b/windows/update/images/wsfb-permissions-assignrole.png differ
diff --git a/windows/update/images/wsfb-private-store-gpo.PNG b/windows/update/images/wsfb-private-store-gpo.PNG
new file mode 100644
index 0000000000..5e7fe44ec2
Binary files /dev/null and b/windows/update/images/wsfb-private-store-gpo.PNG differ
diff --git a/windows/update/images/wsfb-privatestore.png b/windows/update/images/wsfb-privatestore.png
new file mode 100644
index 0000000000..74c9f1690d
Binary files /dev/null and b/windows/update/images/wsfb-privatestore.png differ
diff --git a/windows/update/images/wsfb-privatestoreapps.png b/windows/update/images/wsfb-privatestoreapps.png
new file mode 100644
index 0000000000..1ddb543796
Binary files /dev/null and b/windows/update/images/wsfb-privatestoreapps.png differ
diff --git a/windows/update/images/wsfb-renameprivatestore.png b/windows/update/images/wsfb-renameprivatestore.png
new file mode 100644
index 0000000000..c6db282581
Binary files /dev/null and b/windows/update/images/wsfb-renameprivatestore.png differ
diff --git a/windows/update/images/wsfb-settings-mgmt.png b/windows/update/images/wsfb-settings-mgmt.png
new file mode 100644
index 0000000000..2a7b590d19
Binary files /dev/null and b/windows/update/images/wsfb-settings-mgmt.png differ
diff --git a/windows/update/images/wsfb-settings-permissions.png b/windows/update/images/wsfb-settings-permissions.png
new file mode 100644
index 0000000000..63d04d270b
Binary files /dev/null and b/windows/update/images/wsfb-settings-permissions.png differ
diff --git a/windows/update/images/wsfb-wsappaddacct.png b/windows/update/images/wsfb-wsappaddacct.png
new file mode 100644
index 0000000000..5c0bd9a4ce
Binary files /dev/null and b/windows/update/images/wsfb-wsappaddacct.png differ
diff --git a/windows/update/images/wsfb-wsappprivatestore.png b/windows/update/images/wsfb-wsappprivatestore.png
new file mode 100644
index 0000000000..9c29e7604c
Binary files /dev/null and b/windows/update/images/wsfb-wsappprivatestore.png differ
diff --git a/windows/update/images/wsfb-wsappsignin.png b/windows/update/images/wsfb-wsappsignin.png
new file mode 100644
index 0000000000..c2c2631a94
Binary files /dev/null and b/windows/update/images/wsfb-wsappsignin.png differ
diff --git a/windows/update/images/wsfb-wsappworkacct.png b/windows/update/images/wsfb-wsappworkacct.png
new file mode 100644
index 0000000000..5eb9035124
Binary files /dev/null and b/windows/update/images/wsfb-wsappworkacct.png differ
diff --git a/windows/update/images/wufb-config1a.png b/windows/update/images/wufb-config1a.png
new file mode 100644
index 0000000000..1514b87528
Binary files /dev/null and b/windows/update/images/wufb-config1a.png differ
diff --git a/windows/update/images/wufb-config2.png b/windows/update/images/wufb-config2.png
new file mode 100644
index 0000000000..f54eef9a50
Binary files /dev/null and b/windows/update/images/wufb-config2.png differ
diff --git a/windows/update/images/wufb-config3a.png b/windows/update/images/wufb-config3a.png
new file mode 100644
index 0000000000..538028cfdc
Binary files /dev/null and b/windows/update/images/wufb-config3a.png differ
diff --git a/windows/update/images/wufb-do.png b/windows/update/images/wufb-do.png
new file mode 100644
index 0000000000..8d6c9d0b8a
Binary files /dev/null and b/windows/update/images/wufb-do.png differ
diff --git a/windows/update/images/wufb-groups.png b/windows/update/images/wufb-groups.png
new file mode 100644
index 0000000000..13cdea04b0
Binary files /dev/null and b/windows/update/images/wufb-groups.png differ
diff --git a/windows/update/images/wufb-pause-feature.png b/windows/update/images/wufb-pause-feature.png
new file mode 100644
index 0000000000..afeac43e29
Binary files /dev/null and b/windows/update/images/wufb-pause-feature.png differ
diff --git a/windows/update/images/wufb-qual.png b/windows/update/images/wufb-qual.png
new file mode 100644
index 0000000000..4a93408522
Binary files /dev/null and b/windows/update/images/wufb-qual.png differ
diff --git a/windows/update/images/wufb-sccm.png b/windows/update/images/wufb-sccm.png
new file mode 100644
index 0000000000..1d568c1fe4
Binary files /dev/null and b/windows/update/images/wufb-sccm.png differ
diff --git a/windows/manage/waas-update-windows-10.md b/windows/update/index.md
similarity index 90%
rename from windows/manage/waas-update-windows-10.md
rename to windows/update/index.md
index 353a7bf43d..4346995b12 100644
--- a/windows/manage/waas-update-windows-10.md
+++ b/windows/update/index.md
@@ -44,19 +44,4 @@ Windows as a service provides a new way to think about building, deploying, and >[!TIP] >Windows servicing is changing, but for disaster recovery scenarios and bare-metal deployments of Windows 10, you still can use traditional imaging software such as System Center Configuration Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows 10 images is similar to deploying previous versions of Windows. ->With each release of a new feature update for CB, Microsoft makes available new .iso files for use in updating your custom images. Each Windows 10 build has a finite servicing lifetime, so it’s important that images stay up to date with the latest build. For detailed information about how to deploy Windows 10 to bare-metal machines or to upgrade to Windows 10 from previous builds of Windows, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager). - - -## Related topics - - -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) - - - - +>With each release of a new feature update for CB, Microsoft makes available new .iso files for use in updating your custom images. Each Windows 10 build has a finite servicing lifetime, so it’s important that images stay up to date with the latest build. 
For detailed information about how to deploy Windows 10 to bare-metal machines or to upgrade to Windows 10 from previous builds of Windows, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager).--- diff --git a/windows/manage/update-compliance-get-started.md b/windows/update/update-compliance-get-started.md similarity index 87% rename from windows/manage/update-compliance-get-started.md rename to windows/update/update-compliance-get-started.md index 9d2d540b82..ad42d0a9ca 100644 --- a/windows/manage/update-compliance-get-started.md +++ b/windows/update/update-compliance-get-started.md 
@@ -21,7 +21,7 @@ Steps are provided in sections that follow the recommended setup process: Update Compliance has the following requirements: 1. Update Compliance is currently only compatible with Windows 10 devices. The solution is intended to be used with desktop devices (Windows 10 workstations and laptops). -2. The solution requires that Windows 10 telemetry is enabled on all devices that are intended to be displayed in the solution. These devices must have at least the [basic level of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#basic-level) enabled. To learn more about Windows telemetry, see [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md). +2. The solution requires that Windows 10 telemetry is enabled on all devices that are intended to be displayed in the solution. These devices must have at least the [basic level of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#basic-level) enabled. To learn more about Windows telemetry, see [Configure Windows telemetry in your organization](../configure/configure-windows-telemetry-in-your-organization.md). 3. The telemetry of your organization’s Windows devices must be successfully transmitted to Microsoft. Microsoft has specified [endpoints for different aspects of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#endpoints), which must be whitelisted by your organization so the data can be transmitted. The following table is taken from the article on telemetry endpoints and summarizes the use of each endpoint: @@ -109,20 +109,7 @@ In order for your devices to show up in Windows Analytics: Update Compliance, th 3. In the **Options** box, under **Commercial Id**, type the Commercial ID GUID, and then click **OK**.

- Using Microsoft Mobile Device Management (MDM)

- Microsoft’s Mobile Device Management can be used to deploy your Commercial ID to your organization’s devices. The Commercial ID is listed under **Provider/ProviderID/CommercialID**. More information on deployment using MDM can be found [here](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dmclient-csp). - - For information on how to use MDM configuration CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/en-us/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers). - - When using the Intune console, you can use the OMA-URI settings of a [custom policy](https://go.microsoft.com/fwlink/p/?LinkID=616316) to configure the commercial ID. The OMA-URI (case sensitive) path for configuring the commerical ID is:

./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID
- - For example, you can use the following values in **Add or edit OMA-URI Setting**: - - **Setting Name**: Windows Analytics Commercial ID
- **Setting Description**: Configuring commercial id for Windows Analytics solutions
- **Data Type**: String
- **OMA-URI (case sensitive)**: ./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID
- **Value**: \
- + Microsoft’s Mobile Device Management can be used to deploy your Commercial ID to your organization’s devices. The Commercial ID is listed under **Provider/ProviderID/CommercialID**. More information on deployment using MDM can be found [here](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dmclient-csp).   ## Related topics diff --git a/windows/manage/update-compliance-monitor.md b/windows/update/update-compliance-monitor.md similarity index 100% rename from windows/manage/update-compliance-monitor.md rename to windows/update/update-compliance-monitor.md diff --git a/windows/manage/update-compliance-using.md b/windows/update/update-compliance-using.md similarity index 100% rename from windows/manage/update-compliance-using.md rename to windows/update/update-compliance-using.md diff --git a/windows/manage/waas-branchcache.md b/windows/update/waas-branchcache.md similarity index 98% rename from windows/manage/waas-branchcache.md rename to windows/update/waas-branchcache.md index 6e44cbaaa1..605234e7e2 100644 --- a/windows/manage/waas-branchcache.md +++ b/windows/update/waas-branchcache.md @@ -48,7 +48,7 @@ In addition to these steps, there is one requirement for WSUS to be able to use ## Related topics -- [Update Windows 10 in the enterprise](waas-update-windows-10.md) +- [Update Windows 10 in the enterprise](index.md) - [Overview of Windows as a service](waas-overview.md) - [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) - [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) diff --git a/windows/manage/waas-configure-wufb.md b/windows/update/waas-configure-wufb.md similarity index 63% rename from windows/manage/waas-configure-wufb.md rename to windows/update/waas-configure-wufb.md index fcb36d20f6..f6029dff92 100644 --- a/windows/manage/waas-configure-wufb.md +++ b/windows/update/waas-configure-wufb.md 
@@ -18,7 +18,7 @@ localizationpriority: high > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for both Windows 10, version 1511, and Windows 10, version 1607. The MDM policies use the OMA-URI setting from the [Policy CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx). +You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and above. The MDM policies use the OMA-URI setting from the [Policy CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx). >[!IMPORTANT] >For Windows Update for Business policies to be honored, the Telemetry level of the device must be set to **1 (Basic)** or higher. If it is set to **0 (Security)**, Windows Update for Business policies will have no effect. For instructions, see [Configure the operating system telemetry level](https://technet.microsoft.com/en-us/itpro/windows/manage/configure-windows-telemetry-in-your-organization#configure-the-operating-system-telemetry-level). 
@@ -32,27 +32,35 @@ By grouping devices with similar deferral periods, administrators are able to cl >[!TIP] >In addition to setting up multiple rings for your update deployments, also incorporate devices enrolled in the Windows Insider Program as part of your deployment strategy. This will provide you the chance to not only evaluate new features before they are broadly available to the public, but it also increases the lead time to provide feedback and influence Microsoft’s design on functional aspects of the product. For more information on Windows Insider program, see [https://insider.windows.com/](https://insider.windows.com/). - + ## Configure devices for Current Branch (CB) or Current Branch for Business (CBB) -With Windows Update for Business, you can set a device to be on either the Current Branch (CB) or the Current Branch for Business (CBB) servicing branch. For more information on this servicing model, see [Windows 10 servicing options](https://technet.microsoft.com/en-us/itpro/windows/manage/introduction-to-windows-10-servicing). +With Windows Update for Business, you can set a device to be on either the Current Branch (CB) or the Current Branch for Business (CBB) servicing branch. For more information on this servicing model, see [Windows 10 servicing options](waas-overview.md#servicing-branches). **Release branch policies** | Policy | Sets registry key under **HKLM\Software** | | --- | --- | -| GPO for version 1607:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel | +| GPO for version 1607 and above:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel | | GPO for version 1511:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgrade | -| MDM for version 1607:
../Vendor/MSFT/Policy/Config/Update/
**BranchReadinessLevel** | \Microsoft\PolicyManager\default\Update\BranchReadinessLevel | +| MDM for version 1607 and above:
../Vendor/MSFT/Policy/Config/Update/
**BranchReadinessLevel** | \Microsoft\PolicyManager\default\Update\BranchReadinessLevel | | MDM for version 1511:
../Vendor/MSFT/Policy/Config/Update/
**RequireDeferredUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade | +Starting with version 1703, users are able to configure their device's branch readiness level, by going to **Settings > Update & security > Windows Update > Advanced options**. + +![Branch readiness level setting](images/waas-wufb-settings-branch.jpg) + +>[!NOTE] +>Users will not be able to change this setting if it was configured by policy. ## Configure when devices receive Feature Updates -After you configure the servicing branch (CB or CBB), you can then define if, and for how long, you would like to defer receiving Feature Updates following their availability from Microsoft on Windows Update. You can defer receiving these Feature Updates for a period of 180 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value. +After you configure the servicing branch (CB or CBB), you can then define if, and for how long, you would like to defer receiving Feature Updates following their availability from Microsoft on Windows Update. You can defer receiving these Feature Updates for a period of up to 365 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value. >[!IMPORTANT] >This policy does not apply to Windows 10 Mobile Enterprise. +> +>You can only defer up to 180 days prior to version 1703. **Examples** @@ -66,16 +74,28 @@ After you configure the servicing branch (CB or CBB), you can then define if, an | Policy | Sets registry key under **HKLM\Software** | | --- | --- | -| GPO for version 1607:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdates
\Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdatesPeriodInDays | +| GPO for version 1607 and above:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdates
\Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdatesPeriodInDays | | GPO for version 1511:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgradePeriod | -| MDM for version 1607:
../Vendor/MSFT/Policy/Config/Update/
**DeferFeatureUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays | +| MDM for version 1607 and above:
../Vendor/MSFT/Policy/Config/Update/
**DeferFeatureUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays | | MDM for version 1511:
../Vendor/MSFT/Policy/Config/Update/
**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade | +>[!NOTE] +>If not configured by policy, users can defer feature updates, by going to **Settings > Update & security > Windows Update > Advanced options**. ## Pause Feature Updates You can also pause a device from receiving Feature Updates by a period of up to 60 days from when the value is set. After 60 days has passed, pause functionality will automatically expire and the device will scan Windows Update for applicable Feature Updates. Following this scan, Feature Updates for the device can then be paused again. +Starting with version 1703, when configuring pause through policy, a start date has to be set from which the pause begins. The pause period will be calculated by adding 60 days to the start date. + +In cases where the pause policy is first applied after the configured start date has passed, administrators will be able to extend the pause period up to a total of 60 days by configuring a later start date. + +With version 1703, pause will provide a more consistent experience: +- Any active restart notification are cleared or closed +- Any pending restarts are canceled +- Any pending update installations are canceled +- Any update installation running when pause is activated will attempt to rollback + >[!IMPORTANT] >This policy does not apply to Windows 10 Mobile Enterprise. @@ -83,12 +103,11 @@ You can also pause a device from receiving Feature Updates by a period of up to | Policy | Sets registry key under **HKLM\Software** | | --- | --- | -| GPO for version 1607:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates | +| GPO for version 1607 and above:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | **1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates
**1703:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdatesStartDate | | GPO for version 1511:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause | -| MDM for version 1607:
../Vendor/MSFT/Policy/Config/Update/
**PauseFeatureUpdates** | \Microsoft\PolicyManager\default\Update\PauseFeatureUpdates | +| MDM for version 1607 and above:
../Vendor/MSFT/Policy/Config/Update/
**PauseFeatureUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdates
**1703:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdatesStartDate | | MDM for version 1511:
../Vendor/MSFT/Policy/Config/Update/
**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause | - You can check the date Feature Updates were paused at by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. The local group policy editor (GPEdit.msc) will not reflect if your Feature Update Pause period has expired. Although the device will resume Feature Updates after 60 days automatically, the pause checkbox will remain checked in the policy editor. To see if a device has auto-resumed taking Feature Updates, you can check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. @@ -99,6 +118,8 @@ The local group policy editor (GPEdit.msc) will not reflect if your Feature Upda | 1 | Feature Updates paused | | 2 | Feature Updates have auto-resumed after being paused | +>[!NOTE] +>If not configured by policy, users can pause feature updates, by going to **Settings > Update & security > Windows Update > Advanced options**. ## Configure when devices receive Quality Updates @@ -113,16 +134,28 @@ You can set your system to receive updates for other Microsoft products—known | Policy | Sets registry key under **HKLM\Software** | | --- | --- | -| GPO for version 1607:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdates
\Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdatesPeriodInDays | +| GPO for version 1607 and above:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdates
\Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdatesPeriodInDays | | GPO for version 1511:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpdatePeriod | -| MDM for version 1607:
../Vendor/MSFT/Policy/Config/Update/
**DeferQualityUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferQualityUpdatesPeriodInDays | +| MDM for version 1607 and above:
../Vendor/MSFT/Policy/Config/Update/
**DeferQualityUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferQualityUpdatesPeriodInDays | | MDM for version 1511:
../Vendor/MSFT/Policy/Config/Update/
**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpdate | +>[!NOTE] +>If not configured by policy, users can defer quality updates, by going to **Settings > Update & security > Windows Update > Advanced options**. ## Pause Quality Updates You can also pause a system from receiving Quality Updates for a period of up to 35 days from when the value is set. After 35 days has passed, pause functionality will automatically expire and the system will scan Windows Updates for applicable Quality Updates. Following this scan, Quality Updates for the device can then be paused again. +Starting with version 1703, when configuring pause through policy, a start date has to be set from which the pause begins. The pause period will be calculated by adding 35 days to the start date. + +In cases where the pause policy is first applied after the configured start date has passed, administrators will be able to extend the pause period up to a total of 35 days by configuring a later start date. + +With version 1703, pause will provide a more consistent experience: +- Any active restart notification are cleared or closed +- Any pending restarts are canceled +- Any pending update installations are canceled +- Any update installation running when pause is activated will attempt to rollback + >[!IMPORTANT] >This policy pauses both Feature and Quality Updates on Windows 10 Mobile Enterprise. @@ -130,12 +163,11 @@ You can also pause a system from receiving Quality Updates for a period of up to | Policy | Sets registry key under **HKLM\Software** | | --- | --- | -| GPO for version 1607:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** |\Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdates | +| GPO for version 1607 and above:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** |**1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdates
**1703:** \Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdatesStartTime | | GPO for version 1511:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause | -| MDM for version 1607:
../Vendor/MSFT/Policy/Config/Update/
**PauseQualityUpdates** | \Microsoft\PolicyManager\default\Update\PauseQualityUpdates | +| MDM for version 1607 and above:
../Vendor/MSFT/Policy/Config/Update/
**PauseQualityUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdates
**1703:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdatesStartTime | | MDM for version 1511:
../Vendor/MSFT/Policy/Config/Update/
**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause | - You can check the date that Quality Updates were paused at by checking the registry key **PausedQualityDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. The local group policy editor (GPEdit.msc) will not reflect if your Quality Update Pause period has expired. Although the device will resume Quality Updates after 35 days automatically, the pause checkbox will remain checked in the policy editor. To see if a device has auto-resumed taking Quality Updates, you can check the status registry key **PausedQualityStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. @@ -146,22 +178,23 @@ The local group policy editor (GPEdit.msc) will not reflect if your Quality Upda | 1 | Quality Updates paused | | 2 | Quality Updates have auto-resumed after being paused | +>[!NOTE] +>If not configured by policy, users can pause quality updates, by going to **Settings > Update & security > Windows Update > Advanced options**. + ## Exclude drivers from Quality Updates -In Windows 10, version 1607, you can selectively option out of receiving driver update packages as part of your normal quality update cycle. This policy will not pertain to updates to inbox drivers (which will be packaged within a security or critical update) or to Feature Updates, where drivers may be dynamically installed to ensure the Feature Update process can complete. +In Windows 10, starting with version 1607, you can selectively option out of receiving driver update packages as part of your normal quality update cycle. This policy will not pertain to updates to inbox drivers (which will be packaged within a security or critical update) or to Feature Updates, where drivers may be dynamically installed to ensure the Feature Update process can complete. **Exclude driver policies** | Policy | Sets registry key under **HKLM\Software** | | --- | --- | -| GPO for version 1607:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Do not include drivers with Windows Updates** | \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate | -| MDM for version 1607:
../Vendor/MSFT/Policy/Config/Update/
**ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate | +| GPO for version 1607 and above:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Do not include drivers with Windows Updates** | \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate | +| MDM for version 1607 and above:
../Vendor/MSFT/Policy/Config/Update/
**ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate | +## Summary: MDM and Group Policy for version 1703 - -## Summary: MDM and Group Policy for version 1607 - -Below are quick-reference tables of the supported Windows Update for Business policy values for Windows 10, version 1607. +Below are quick-reference tables of the supported Windows Update for Business policy values for Windows 10, version 1607 and above. **GPO: HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate** @@ -169,11 +202,11 @@ Below are quick-reference tables of the supported Windows Update for Business po | --- | --- | --- | | BranchReadinessLevel | REG_DWORD | 16: systems take Feature Updates for the Current Branch (CB)
32: systems take Feature Updates for the Current Branch for Business (CBB)
Note: Other value or absent: receive all applicable updates (CB) | | DeferQualityUpdates | REG_DWORD | 1: defer quality updates
Other value or absent: don’t defer quality updates | -| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-30: defer quality updates by given days | -| PauseQualityUpdates | REG_DWORD | 1: pause quality updates
Other value or absent: don’t pause quality updates | +| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: defer quality updates by given days | +| PauseQualityUpdatesStartDate | REG_DWORD | 1: pause quality updates
Other value or absent: don’t pause quality updates | |DeferFeatureUpdates | REG_DWORD | 1: defer feature updates
Other value or absent: don’t defer feature updates | -| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-180: defer feature updates by given days | -| PauseFeatureUpdates | REG_DWORD |1: pause feature updates
Other value or absent: don’t pause feature updates | +| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: defer feature updates by given days | +| PauseFeatureUpdatesStartDate | REG_DWORD |1: pause feature updates
Other value or absent: don’t pause feature updates | | ExcludeWUDriversInQualityUpdate | REG_DWORD | 1: exclude Windows Update drivers
Other value or absent: offer Windows Update drivers | @@ -182,19 +215,19 @@ Below are quick-reference tables of the supported Windows Update for Business po | MDM Key | Key type | Value | | --- | --- | --- | | BranchReadinessLevel | REG_DWORD | 16: systems take Feature Updates for the Current Branch (CB)
32: systems take Feature Updates for the Current Branch for Business (CBB)
Note: Other value or absent: receive all applicable updates (CB) | -| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-30: defer quality updates by given days | -| PauseQualityUpdates | REG_DWORD | 1: pause quality updates
Other value or absent: don’t pause quality updates | -| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-180: defer feature updates by given days | -| PauseFeatureUpdates | REG_DWORD | 1: pause feature updates
Other value or absent: don’t pause feature updates | +| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: defer quality updates by given days | +| PauseQualityUpdatesStartDate | REG_DWORD | 1: pause quality updates
Other value or absent: don’t pause quality updates | +| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: defer feature updates by given days | +| PauseFeatureUpdatesStartDate | REG_DWORD | 1: pause feature updates
Other value or absent: don’t pause feature updates | | ExcludeWUDriversinQualityUpdate | REG_DWORD | 1: exclude Windows Update drivers
Other value or absent: offer Windows Update drivers | -## Update devices from Windows 10, version 1511 to version 1607 +## Update devices to newer versions -Due to the changes in the Windows Update for Business feature set, Windows 10, version 1607, uses different GPO and MDM keys than those available in version 1511. However,Windows Update for Business clients running version 1511 will still see their policies honored after they update to version 1607; the old policy keys will continue to exist with their values ported forward during the update. Following the update to version 1607, it should be noted that only the version 1511 keys will be populated and not the new version 1607 keys, until the newer keys are explicitly defined on the device by the administrator. +Due to the changes in the Windows Update for Business feature set, Windows 10, version 1607, uses different GPO and MDM keys than those available in version 1511. Windows 10, version 1703, is also using a few new GPO and MDM keys than those available in version 1607. However,Windows Update for Business clients running version older versions will still see their policies honored after they update to a newer version; the old policy keys will continue to exist with their values ported forward during the update. Following the update to a newer version, it should be noted that only the old keys will be populated and not the new version keys, until the newer keys are explicitly defined on the device by the administrator. -### How version 1511 policies are respected on version 1607 +### How older version policies are respected on newer versions -When a client running version 1607 sees an update available on Windows Update, the client will first evaluate and execute against the Windows Updates for Business policy keys for version 1607. If these are not present, it will then check to see if any of the version 1511 keys are set and defer accordingly. 
Update keys for version 1607 will always supersede the version 1511 equivalent. +When a client running a newer version sees an update available on Windows Update, the client will first evaluate and execute against the Windows Updates for Business policy keys for it's version. If these are not present, it will then check to see if any of the older version keys are set and defer accordingly. Update keys for newer versions will always supersede the older equivalent. ### Comparing the version 1511 keys to the version 1607 keys @@ -209,13 +242,16 @@ Enabling allows user to set deferral periods for upgrades and updates. It also
**RequireDeferUpgade**: *bool*
   Puts the device on CBB (no ability to defer updates while on the CB branch).

**DeferUpgradePeriod**: *0 - 8 months*

**DeferUpdatePeriod**: *1 – 4 weeks*

**PauseDeferrals**: *bool*
   Enabling will pause both upgrades and updates for a max of 35 days
**BranchReadinessLevel**
   Set system on CB or CBB

**DeferFeatureUpdatesPeriodinDays**: *1 - 180 days*

**PauseFeatureUpdates**: *enable/disable*
   Enabling will pause Feature updates for a max of 60 days

**DeferQualityUpdatesPeriodinDays**: *0 - 30 days*

**PauseQualityUpdates**: *enable/disable*
    Enabling will pause Quality updates for a max of 35 days

**ExcludeWUDriversInQualityUpdate**: *enable/disable<*/td>
+### Comparing the version 1607 keys to the version 1703 keys - - +| Version 1607 key | Version 1703 key | +| --- | --- | +| PauseFeatureUpdates | PauseFeatureUpdatesStartTime | +| PauseQualityUpdates | PauseQualityUpdatesStartTime | ## Related topics -- [Update Windows 10 in the enterprise](waas-update-windows-10.md) +- [Update Windows 10 in the enterprise](index.md) - [Overview of Windows as a service](waas-overview.md) - [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) - [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) diff --git a/windows/manage/waas-delivery-optimization.md b/windows/update/waas-delivery-optimization.md similarity index 77% rename from windows/manage/waas-delivery-optimization.md rename to windows/update/waas-delivery-optimization.md index 120818bbe1..7a3e27122c 100644 --- a/windows/manage/waas-delivery-optimization.md +++ b/windows/update/waas-delivery-optimization.md 
@@ -41,15 +41,20 @@ Several Delivery Optimization features are configurable:
 | --- | --- |
 | [Download mode](#download-mode) | DODownloadMode |
 | [Group ID](#group-id) | DOGroupID |
+| [Minimum RAM (inclusive) allowed to use Peer Caching](#minimum-ram-allowed-to-use-peer-caching) | DOMinRAMAllowedToPeer |
+| [Minimum disk size allowed to use Peer Caching](#minimum-disk-size-allowed-to-use-peer-caching) | DOMinDiskSizeAllowedToPeer |
 | [Max Cache Age](#max-cache-age) | DOMaxCacheAge |
 | [Max Cache Size](#max-cache-size) | DOMaxCacheSize |
 | [Absolute Max Cache Size](#absolute-max-cache-size) | DOAbsoluteMaxCacheSize |
 | [Modify Cache Drive](#modify-cache-drive) | DOModifyCacheDrive |
+| [Minimum Peer Caching Content File Size](#minimum-peer-caching-content-file-size) | DOMinFileSizeToCache |
 | [Maximum Download Bandwidth](#maximum-download-bandwidth) | DOMaxDownloadBandwidth |
 | [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) | DOPercentageMaxDownloadBandwidth |
 | [Max Upload Bandwidth](#max-upload-bandwidth) | DOMaxUploadBandwidth |
 | [Monthly Upload Data Cap](#monthly-upload-data-cap) | DOMonthlyUploadDataCap |
 | [Minimum Background QoS](#minimum-background-qos) | DOMinBackgroundQoS |
+| [Enable Peer Caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) | DOAllowVPNPeerCaching |
+| [Allow uploads while the device is on battery while under set Battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) | DOMinBatteryPercentageAllowedToUpload |
 When configuring Delivery Optimization on Windows 10 devices, the first and most important thing to configure, would be [Download mode](#download-mode). Download mode dictates how Delivery Optimization downloads Windows updates.
@@ -65,12 +70,20 @@ Delivery Optimization uses locally cached updates. In cases where devices have a
 >[!NOTE]
 >It is possible to configure preferred cache devices. For more information, see [Set “preferred” cache devices for Delivery Optimization](#set-preferred-cache-devices).
+All cached files have to be above a set minimum size. This size is automatically set by the Delivery Optimization cloud services. Administrators may choose to change it, which will result in increased performance, when local storage is sufficient and the network isn't strained or congested. [Minimum Peer Caching Content File Size](#minimum-peer-caching-content-file-size) determines the minimum size of files to be cached.
+
 There are additional options available to robustly control the impact Delivery Optimization has on your network:
 - [Maximum Download Bandwidth](#maximum-download-bandwidth) and [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) controls the download bandwidth used by Delivery Optimization.
 - [Max Upload Bandwidth](#max-upload-bandwidth) controls the Delivery Optimization upload bandwidth usage.
 - [Monthly Upload Data Cap](#monthly-upload-data-cap) controls the amount of data a client can upload to peers per month.
 - [Minimum Background QoS](#minimum-background-qos) lets administrators guarantee a minimum download speed for Windows updates. This is achieved by adjusting the amount of data downloaded directly from Windows Update or WSUS servers, rather than other peers in the network.
+Various controls allow administrators to further customize scenarios where Delivery Optimization will be used:
+- [Minimum RAM (inclusive) allowed to use Peer Caching](#minimum-ram-allowed-to-use-peer-caching) sets the minimum RAM required for peer caching to be enabled.
+- [Minimum disk size allowed to use Peer Caching](#minimum-disk-size-allowed-to-use-peer-caching) sets the minimum disk size required for peer caching to be enabled.
+- [Enable Peer Caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) allows clients connected through VPN to use peer caching.
+- [Allow uploads while the device is on battery while under set Battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) controls the minimum battery level required for uploads to occur.
+
 ### How Microsoft uses Delivery Optimization
 In Microsoft, to help ensure that ongoing deployments weren’t affecting our network and taking away bandwidth for other services, Microsoft IT used a couple of different bandwidth management strategies. Delivery Optimization, peer-to-peer caching enabled through Group Policy, was piloted and then deployed to all managed devices using Group Policy. Based on recommendations from the Delivery Optimization team, we used the "group" configuration to limit sharing of content to only the devices that are members of the same Active Directory domain. The content is cached for 24 hours. More than 76 percent of content came from peer devices versus the Internet.
@@ -102,7 +115,20 @@ By default, peer sharing on clients using the group download mode is limited to
 >To generate a GUID using Powershell, use [```[guid]::NewGuid()```](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/)
 >
 >This configuration is optional and not required for most implementations of Delivery Optimization.
-
+
+
+### Minimum RAM (inclusive) allowed to use Peer Caching
+
+This setting specifies the minimum RAM size in GB required to use Peer Caching. The value 0 means not limited, which means the cloud service set default value will be used. For example if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. The recommended values are 1 to 4 GB.
+
+### Minimum disk size allowed to use Peer Caching
+
+This setting specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The value 0 means not limited, which means the cloud service set default value will be used. The recommended values are 64 to 256 GB.
+
+>[!NOTE]
+>If the [Modify Cache Drive](#modify-cache-drive) policy is set, the disk size check will apply to the new working directory specified by this policy.
+
+
 ### Max Cache Age
 In environments configured for Delivery Optimization, you may want to set an expiration on cached updates and Windows application installation files. If so, this setting defines the maximum number of seconds each file can be held in the Delivery Optimization cache on each Windows 10 client computer. The default Max Cache Age value is 259,200 seconds (3 days). Alternatively, organizations may choose to set this value to “0” which means “unlimited” to avoid peers re-downloading content. When “Unlimited” value is set, Delivery Optimization will hold the files in the cache longer and will clean up the cache as needed (for example when the cache size exceeded the maximum space allowed).
@@ -113,7 +139,11 @@ This setting limits the maximum amount of space the Delivery Optimization cache
 ### Absolute Max Cache Size
-This setting specifies the maximum number of gigabytes the Delivery Optimization cache can use. This is different from the **DOMaxCacheSize** setting, which is a percentage of available disk space. Also, if you configure this policy, it will override the **DOMaxCacheSize** setting. The default value for this setting is 10 GB.
+This setting specifies the maximum number of gigabytes the Delivery Optimization cache can use. This is different from the [**Max Cache Size**](#max-cache-size) setting, which is a percentage of available disk space. Also, if you configure this policy, it will override the [**Max Cache Size**](#max-cache-size) setting. The default value for this setting is 10 GB.
+
+### Minimum Peer Caching Content File Size
+
+This setting specifies the minimum content file size in MB enabled to use Peer Caching. The value 0 means "unlimited" which means the cloud service set default value will be used. The recommended values are from 1 to 100000 MB.
 ### Maximum Download Bandwidth
@@ -138,7 +168,17 @@ This setting allows for an alternate Delivery Optimization cache location on the
 ### Monthly Upload Data Cap
 This setting specifies the total amount of data in gigabytes that a Delivery Optimization client can upload to Internet peers per month. A value of 0 means that an unlimited amount of data can be uploaded. The default value for this setting is 20 GB.
-
+
+### Enable Peer Caching while the device connects via VPN
+
+This setting determines whether a device will be allowed to participate in Peer Caching while connected to VPN. Specify "true" to allow the device to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
+
+### Allow uploads while the device is on battery while under set Battery level
+
+This setting specifies battery levels at which a device will be allowed to upload data. Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on DC power (Battery). Uploads will automatically pause when the battery level drops below the set minimum battery level. The recommended value to set if you allow uploads on battery is 40 (for 40%).
+The device can download from peers while on battery regardless of this policy.
+The value 0 means not limited, which means the cloud service set default value will be used.
+
 ## Set “preferred” cache devices for Delivery Optimization
@@ -157,7 +197,7 @@ On devices that are not preferred, you can choose to set the following policy to
 ## Related topics
-- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Update Windows 10 in the enterprise](index.md)
 - [Overview of Windows as a service](waas-overview.md)
 - [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
 - [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
diff --git a/windows/manage/waas-deployment-rings-windows-10-updates.md b/windows/update/waas-deployment-rings-windows-10-updates.md
similarity index 98%
rename from windows/manage/waas-deployment-rings-windows-10-updates.md
rename to windows/update/waas-deployment-rings-windows-10-updates.md
index 1277f71080..697b85bf4b 100644
--- a/windows/manage/waas-deployment-rings-windows-10-updates.md
+++ b/windows/update/waas-deployment-rings-windows-10-updates.md
@@ -67,7 +67,7 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma
 ## Related topics
-- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Update Windows 10 in the enterprise](index.md)
 - [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
 - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
 - [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
diff --git a/windows/manage/waas-integrate-wufb.md b/windows/update/waas-integrate-wufb.md
similarity index 99%
rename from windows/manage/waas-integrate-wufb.md
rename to windows/update/waas-integrate-wufb.md
index 26e1d2bb42..f6058440b0 100644
--- a/windows/manage/waas-integrate-wufb.md
+++ b/windows/update/waas-integrate-wufb.md
@@ -92,7 +92,7 @@ For Windows 10, version 1607, organizations already managing their systems with
 ## Related topics
-- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Update Windows 10 in the enterprise](index.md)
 - [Overview of Windows as a service](waas-overview.md)
 - [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
 - [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
diff --git a/windows/manage/waas-manage-updates-configuration-manager.md b/windows/update/waas-manage-updates-configuration-manager.md
similarity index 99%
rename from windows/manage/waas-manage-updates-configuration-manager.md
rename to windows/update/waas-manage-updates-configuration-manager.md
index 10a6565a03..9bdb0238e0 100644
--- a/windows/manage/waas-manage-updates-configuration-manager.md
+++ b/windows/update/waas-manage-updates-configuration-manager.md
@@ -392,7 +392,7 @@ or Manage Windows 10 updates using System Center Configuration Manager (this top
 ## Related topics
-- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Update Windows 10 in the enterprise](index.md)
 - [Overview of Windows as a service](waas-overview.md)
 - [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
 - [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
diff --git a/windows/manage/waas-manage-updates-wsus.md b/windows/update/waas-manage-updates-wsus.md
similarity index 99%
rename from windows/manage/waas-manage-updates-wsus.md
rename to windows/update/waas-manage-updates-wsus.md
index 6fee51df69..d491319549 100644
--- a/windows/manage/waas-manage-updates-wsus.md
+++ b/windows/update/waas-manage-updates-wsus.md
@@ -335,7 +335,7 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma
 ## Related topics
-- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Update Windows 10 in the enterprise](index.md)
 - [Overview of Windows as a service](waas-overview.md)
 - [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
 - [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
diff --git a/windows/manage/waas-manage-updates-wufb.md b/windows/update/waas-manage-updates-wufb.md
similarity index 98%
rename from windows/manage/waas-manage-updates-wufb.md
rename to windows/update/waas-manage-updates-wufb.md
index 790cb61972..f15a5388f4 100644
--- a/windows/manage/waas-manage-updates-wufb.md
+++ b/windows/update/waas-manage-updates-wufb.md
@@ -89,7 +89,7 @@ Both Feature and Quality Updates can be deferred from deploying to client device
 Windows Update for Business was first made available in Windows 10, version 1511. In Windows 10, version 1607 (also known as the Anniversary Update), there are several new or changed capabilities provided as well as updated behavior.
 >[!NOTE]
->For more information on Current Branch and Current Branch for Business, see [Windows 10 servicing options](introduction-to-windows-10-servicing.md).
+>For more information on Current Branch and Current Branch for Business, see [Windows 10 servicing options](waas-overview.md#servicing-branches).
@@ -122,7 +122,7 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma
 ## Related topics
-- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Update Windows 10 in the enterprise](index.md)
 - [Overview of Windows as a service](waas-overview.md)
 - [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
 - [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
diff --git a/windows/manage/waas-mobile-updates.md b/windows/update/waas-mobile-updates.md
similarity index 98%
rename from windows/manage/waas-mobile-updates.md
rename to windows/update/waas-mobile-updates.md
index 1352624cc9..ce0c446a7a 100644
--- a/windows/manage/waas-mobile-updates.md
+++ b/windows/update/waas-mobile-updates.md
@@ -63,7 +63,7 @@ If a device running Windows 10 Mobile Enterprise or Windows 10 IoT Mobile, versi
 ## Related topics
-- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Update Windows 10 in the enterprise](index.md)
 - [Overview of Windows as a service](waas-overview.md)
 - [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
 - [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
diff --git a/windows/manage/waas-optimize-windows-10-updates.md b/windows/update/waas-optimize-windows-10-updates.md
similarity index 97%
rename from windows/manage/waas-optimize-windows-10-updates.md
rename to windows/update/waas-optimize-windows-10-updates.md
index 681a39ca98..dba3ee72bb 100644
--- a/windows/manage/waas-optimize-windows-10-updates.md
+++ b/windows/update/waas-optimize-windows-10-updates.md
@@ -49,6 +49,7 @@ Two methods of peer-to-peer content distribution are available in Windows 10.
 Windows 10 update downloads can be large because every package contains all previously released fixes to ensure consistency and simplicity. Windows has been able to reduce the size of Windows Update downloads with a feature called Express.
 ### How Microsoft supports Express
+- **Express on System Center Configuration Manager** starting with version 1702 of Configuration Manager.
 - **Express on WSUS Standalone**
 Express update delivery is available on [all support versions of WSUS](https://technet.microsoft.com/library/cc708456(v=ws.10).aspx).
@@ -95,8 +96,9 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma
 ## Related topics
-- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
-- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+
+- [Update Windows 10 in the enterprise](index.md)
+- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
 - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
 - [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
 - [Configure Windows Update for Business](waas-configure-wufb.md)
diff --git a/windows/manage/waas-overview.md b/windows/update/waas-overview.md
similarity index 99%
rename from windows/manage/waas-overview.md
rename to windows/update/waas-overview.md
index d597a74145..0df38fb0e2 100644
--- a/windows/manage/waas-overview.md
+++ b/windows/update/waas-overview.md
@@ -173,7 +173,7 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma
 ## Related topics
-- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Update Windows 10 in the enterprise](index.md)
 - [Quick guide to Windows as a service](waas-quick-start.md)
 - [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
 - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
diff --git a/windows/manage/waas-quick-start.md b/windows/update/waas-quick-start.md
similarity index 95%
rename from windows/manage/waas-quick-start.md
rename to windows/update/waas-quick-start.md
index eef6aed2a3..28b2e3d36a 100644
--- a/windows/manage/waas-quick-start.md
+++ b/windows/update/waas-quick-start.md
@@ -17,7 +17,7 @@ localizationpriority: high
 - Windows 10 Mobile
 - Windows 10 IoT Mobile
-Windows as a service is a new concept, introduced with the release of Windows 10. While [an extensive set of documentation](waas-update-windows-10.md) is available explaining all the specifics and nuances, here is a quick guide to the most important concepts.
+Windows as a service is a new concept, introduced with the release of Windows 10. While [an extensive set of documentation](index.md) is available explaining all the specifics and nuances, here is a quick guide to the most important concepts.
 ## Definitions
@@ -63,7 +63,7 @@ See [Build deployment rings for Windows 10 updates](waas-deployment-rings-window
 ## Related topics
-- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Update Windows 10 in the enterprise](index.md)
 - [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
 - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
 - [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
diff --git a/windows/manage/waas-restart.md b/windows/update/waas-restart.md
similarity index 99%
rename from windows/manage/waas-restart.md
rename to windows/update/waas-restart.md
index ffb43434aa..0577ff709a 100644
--- a/windows/manage/waas-restart.md
+++ b/windows/update/waas-restart.md
@@ -132,7 +132,7 @@ There are 3 different registry combinations for controlling restart behavior:
 ## Related topics
-- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Update Windows 10 in the enterprise](index.md)
 - [Overview of Windows as a service](waas-overview.md)
 - [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
 - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
diff --git a/windows/manage/waas-servicing-branches-windows-10-updates.md b/windows/update/waas-servicing-branches-windows-10-updates.md
similarity index 99%
rename from windows/manage/waas-servicing-branches-windows-10-updates.md
rename to windows/update/waas-servicing-branches-windows-10-updates.md
index 322b7c07b2..dec5263d65 100644
--- a/windows/manage/waas-servicing-branches-windows-10-updates.md
+++ b/windows/update/waas-servicing-branches-windows-10-updates.md
@@ -207,7 +207,7 @@ By enabling the Group Policy setting under **Computer Configuration\Administrati
 ## Related topics
-- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Update Windows 10 in the enterprise](index.md)
 - [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
 - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
 - [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
diff --git a/windows/manage/waas-servicing-strategy-windows-10-updates.md b/windows/update/waas-servicing-strategy-windows-10-updates.md
similarity index 99%
rename from windows/manage/waas-servicing-strategy-windows-10-updates.md
rename to windows/update/waas-servicing-strategy-windows-10-updates.md
index 52c156bbeb..6996fe3d0f 100644
--- a/windows/manage/waas-servicing-strategy-windows-10-updates.md
+++ b/windows/update/waas-servicing-strategy-windows-10-updates.md
@@ -59,7 +59,7 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma
 ## Related topics
-- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Update Windows 10 in the enterprise](index.md)
 - [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
 - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
 - [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
diff --git a/windows/manage/waas-wufb-group-policy.md b/windows/update/waas-wufb-group-policy.md
similarity index 99%
rename from windows/manage/waas-wufb-group-policy.md
rename to windows/update/waas-wufb-group-policy.md
index 87d3b8ba3f..9346bd5711 100644
--- a/windows/manage/waas-wufb-group-policy.md
+++ b/windows/update/waas-wufb-group-policy.md
@@ -334,7 +334,7 @@ The **Ring 4 Broad business users** deployment ring has now been configured. Fin
 ## Related topics
-- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Update Windows 10 in the enterprise](index.md)
 - [Overview of Windows as a service](waas-overview.md)
 - [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
 - [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
diff --git a/windows/manage/waas-wufb-intune.md b/windows/update/waas-wufb-intune.md
similarity index 99%
rename from windows/manage/waas-wufb-intune.md
rename to windows/update/waas-wufb-intune.md
index c730a5edfd..5b610b1336 100644
--- a/windows/manage/waas-wufb-intune.md
+++ b/windows/update/waas-wufb-intune.md
@@ -257,7 +257,7 @@ You have now configured the **Ring 4 Broad business users** deployment ring to r
 ## Related topics
-- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Update Windows 10 in the enterprise](index.md)
 - [Overview of Windows as a service](waas-overview.md)
 - [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
 - [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
diff --git a/windows/whats-new/TOC.md b/windows/whats-new/TOC.md
index c672a255a8..4944339989 100644
--- a/windows/whats-new/TOC.md
+++ b/windows/whats-new/TOC.md
@@ -1,4 +1,5 @@
 # [What's new in Windows 10](index.md)
+## [What's new in Windows 10, version 1703](whats-new-windows-10-version-1703.md)
 ## [What's new in Windows 10, version 1607](whats-new-windows-10-version-1607.md)
 ## [What's new in Windows 10, versions 1507 and 1511](whats-new-windows-10-version-1507-and-1511.md)
diff --git a/windows/whats-new/applocker.md b/windows/whats-new/applocker.md
deleted file mode 100644
index 2e082cd98c..0000000000
--- a/windows/whats-new/applocker.md
+++ /dev/null
@@ -1,30 +0,0 @@ ---- -title: What's new in AppLocker (Windows 10) -description: AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. -ms.assetid: 6F836FF6-7794-4E7B-89AA-1EABA1BF183F -ms.pagetype: security, mobile -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -author: brianlic-msft -redirect_url: https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511 ---- - -# What's new in AppLocker? - -**Applies to** -- Windows 10 -- Windows 10 Mobile - -AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. -In Windows 10, AppLocker has added some improvements. - -## New features in Windows 10 - -- A new parameter was added to the [New-AppLockerPolicy](http://technet.microsoft.com/library/hh847211.aspx) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this, set the **ServiceEnforcement** to **Enabled**. -- A new [AppLocker](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) configuration service provider was add to allow you to enable AppLocker rules by using an MDM server. -- You can manage Windows 10 Mobile devices by using the new [AppLocker CSP](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx). - -[Learn how to manage AppLocker within your organization](../keep-secure/applocker-overview.md). -  -  diff --git a/windows/whats-new/bitlocker.md b/windows/whats-new/bitlocker.md deleted file mode 100644 index 9f0df242bf..0000000000 --- a/windows/whats-new/bitlocker.md +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -title: What's new in BitLocker (Windows 10) -description: BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. -ms.assetid: 3F2DE365-68A1-4CDB-AB5F-C65574684C7B -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security, mobile -author: brianlic-msft -redirect_url: https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511 ---- - -# What's new in BitLocker? - -**Applies to** -- Windows 10 -- Windows 10 Mobile - -BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. - -## New features in Windows 10, version 1511 - -- **XTS-AES encryption algorithm**. BitLocker now supports the XTS-AES encryption algorithm. XTS-AES provides additional protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys. - It provides the following benefits: - - The algorithm is FIPS-compliant. - - Easy to administer. You can use the BitLocker Wizard, manage-bde, Group Policy, MDM policy, Windows PowerShell, or WMI to manage it on devices in your organization. - **Note**   - Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms. -   -## New features in Windows 10 - -- **Encrypt and recover your device with Azure Active Directory**. 
In addition to using a Microsoft Account, automatic [Device Encryption](http://technet.microsoft.com/library/dn306081.aspx#bkmk-encryption) can now encrypt your devices that are joined to an Azure Active Directory domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Azure Active Directory. This will make it easier to recover your BitLocker key online. -- **DMA port protection**. You can use the [DataProtection/AllowDirectMemoryAccess](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on. -- **New Group Policy for configuring pre-boot recovery**. You can now configure the pre-boot recovery message and recover URL that is shown on the pre-boot recovery screen. For more info, see the "Configure pre-boot recovery message and URL" section in [BitLocker Group Policy settings](../keep-secure/bitlocker-group-policy-settings.md). - -[Learn how to deploy and manage BitLocker within your organization](../keep-secure/bitlocker-overview.md). - -## Related topics - -[Trusted Platform Module](../keep-secure/trusted-platform-module-overview.md) -  \ No newline at end of file diff --git a/windows/whats-new/change-history-for-what-s-new-in-windows-10.md b/windows/whats-new/change-history-for-what-s-new-in-windows-10.md deleted file mode 100644 index a38cbf4702..0000000000 --- a/windows/whats-new/change-history-for-what-s-new-in-windows-10.md +++ /dev/null 
@@ -1,68 +0,0 @@ ---- -title: Change history for What's new in Windows 10 (Windows 10) -description: This topic lists new and updated topics in the What's new in Windows 10 documentation for Windows 10 and Windows 10 Mobile. -ms.assetid: 75F285B0-09BE-4821-9B42-37B9BE54CEC6 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: TrudyHa -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/whats-new/index ---- - -# Change history for What's new in Windows 10 -This topic lists new and updated topics in the [What's new in Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). - - -## April 2016 - -|New or changed topic |Description | -|---------------------|------------| -|[Enterprise data protection (EDP) overview](edp-whats-new-overview.md) |Updated to remove content that's duplicated in the EDP content and added pointer. | - -## February 2016 - -|New or changed topic |Description | -|---------------------|------------| -|[Lockdown features from Windows Embedded Industry 8.1](lockdown-features-windows-10.md) |Updated to include policy setting names for USB filter and Toast notification filter| - -## January 2016 - -|New or changed topic |Description | -|---------------------|------------| -|[Browser: Microsoft Edge and Internet Explorer 11](edge-ie11-whats-new-overview.md) |Updated to include the **Applies to** section | - -## December 2015 - -|New or changed topic |Description | -|---------------------|------------| -|[Security](security.md) |New | -|[Windows Update for Business](windows-update-for-business.md) |New | - -## November 2015 - -|New or changed topic |Description | -|---------------------|------------| -|[AppLocker](applocker.md) |New | -|[BitLocker](bitlocker.md) |New | -|[Credential Guard](credential-guard.md) |New | -|[Device Guard](device-guard-overview.md) |New | -|[Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md) |New | -|[Security 
auditing](security-auditing.md) |New | -|[Trusted Platform Module](trusted-platform-module.md) |New | -|[Windows spotlight on the lock screen](windows-spotlight.md) |New | -|[Windows Store for Business overview](windows-store-for-business-overview.md) |New | - -## Related topics -- [Change history for Plan for Windows 10 deployment](../plan/change-history-for-plan-for-windows-10-deployment.md) -- [Change history for Deploy Windows 10](../deploy/change-history-for-deploy-windows-10.md) -- [Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md) -- [Change history for Manage and update Windows 10](../manage/change-history-for-manage-and-update-windows-10.md) - -  - -  - - - - - diff --git a/windows/whats-new/credential-guard.md b/windows/whats-new/credential-guard.md deleted file mode 100644 index 3edfe53458..0000000000 --- a/windows/whats-new/credential-guard.md +++ /dev/null 
@@ -1,32 +0,0 @@ ---- -title: What's new in Credential Guard (Windows 10) -description: Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. -ms.assetid: 59C206F7-2832-4555-97B4-3070D93CC3C5 -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -author: brianlic-msft -redirect_url: https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511 ---- - -# What's new in Credential Guard? - -**Applies to** -- Windows 10 -- Windows Server 2016 - -Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. - -## New features in Windows 10, version 1511 - -- **Credential Manager support**. Credentials that are stored with Credential Manager, including domain credentials, are protected with Credential Guard with the following considerations: - - Credentials that are saved by the Remote Desktop Protocol cannot be used. Employees in your organization can manually store credentials in Credential Manager as generic credentials. - - Applications that extract derived domain credentials using undocumented APIs from Credential Manager will no longer be able to use those saved derived credentials. - - You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials. -- **Enable Credential Guard without UEFI lock**. You can enable Credential Guard by using the registry. This allows you to disable Credential Guard remotely. However, we recommend that Credential Guard is enabled with UEFI lock. You can configure this by using Group Policy. -- **CredSSP/TsPkg credential delegation**. 
CredSSP/TsPkg cannot delegate default credentials when Credential Guard is enabled. - -[Learn how to deploy and manage Credential Guard within your organization](../keep-secure/credential-guard.md). -  -  diff --git a/windows/whats-new/device-guard-overview.md b/windows/whats-new/device-guard-overview.md deleted file mode 100644 index e42271af40..0000000000 --- a/windows/whats-new/device-guard-overview.md +++ /dev/null 
@@ -1,34 +0,0 @@ ---- -title: Device Guard overview (Windows 10) -description: Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. -ms.assetid: FFE244EE-5804-4CE8-A2A9-48F49DC3AEF2 -ms.pagetype: mobile, security -keywords: Device Guard -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -author: brianlic-msft -redirect_url: https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511 ---- - -# Device Guard overview - -**Applies to** -- Windows 10 -- Windows 10 Mobile -- Windows Server 2016 - -Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isn’t trusted it can’t run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when. - -Device Guard uses the new virtualization-based security in Windows 10 Enterprise to isolate the Code Integrity service from the Microsoft Windows kernel itself, letting the service use signatures defined by your enterprise-controlled policy to help determine what is trustworthy. In effect, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container. - -For details on how to implement Device Guard, see [Device Guard deployment guide](../keep-secure/device-guard-deployment-guide.md). - -## Why use Device Guard -With thousands of new malicious files created every day, using traditional methods like signature-based detection to fight against malware provides an inadequate defense against new attacks. 
Device Guard on Windows 10 Enterprise changes from a mode where apps are trusted unless blocked by an antivirus or other security solutions, to a mode where the operating system trusts only apps authorized by your enterprise. -Device Guard also helps protect against [zero day attacks](https://go.microsoft.com/fwlink/p/?linkid=534209) and works to combat the challenges of [polymorphic viruses](https://go.microsoft.com/fwlink/p/?LinkId=534210). -## Virtualization-based security using Windows 10 Enterprise Hypervisor - -Windows 10 Enterprise Hypervisor introduces new capabilities around virtual trust levels, which helps Windows 10 Enterprise services to run in a protected environment, in isolation from the running operating system. Windows 10 Enterprise virtualization-based security helps protect kernel code integrity and helps to provide credential isolation for the local security authority (LSA). Letting the Kernel Code Integrity service run as a hypervisor-hosted service increases the level of protection around the root operating system, adding additional protections against any malware that compromises the kernel layer. - ->**Important**  Device Guard devices that run Kernel Code Integrity with virtualization-based security (VBS) must have compatible drivers (legacy drivers can be updated) and meet requirements for the hardware and firmware that support virtualization-based security. For more information, see [Hardware, firmware, and software requirements for Device Guard](../keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard) diff --git a/windows/whats-new/device-management.md b/windows/whats-new/device-management.md deleted file mode 100644 index 79260f0f69..0000000000 --- a/windows/whats-new/device-management.md +++ /dev/null 
@@ -1,17 +0,0 @@
----
-title: Enterprise management for Windows 10 devices (Windows 10)
-description: Windows 10 provides mobile device management (MDM) capabilities that enable enterprise-level management of devices.
-ms.assetid: 36DA67A1-25F1-45AD-A36B-AEEAC30C9BC4
-ms.prod: w10
-ms.pagetype: devices, mobile
-ms.mktglfcycl: explore
-ms.sitesec: library
-author: jdeckerMS
-redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/manage-corporate-devices
----
-
-# Enterprise management for Windows 10 devices
-
-This page has been redirected to **What's new in Windows 10, versions 1507 and 1511**.
-
-
diff --git a/windows/whats-new/edge-ie11-whats-new-overview.md b/windows/whats-new/edge-ie11-whats-new-overview.md
deleted file mode 100644
index 8c053fd990..0000000000
--- a/windows/whats-new/edge-ie11-whats-new-overview.md
+++ /dev/null
@@ -1,6 +0,0 @@
----
-title: Browser Microsoft Edge and Internet Explorer 11 (Windows 10)
-description: Resources to help you explore the Windows 10 browsing options for your enterprise.
-redirect_url: https://technet.microsoft.com/itpro/microsoft-edge/enterprise-guidance-using-microsoft-edge-and-ie11
----
-
diff --git a/windows/whats-new/edp-whats-new-overview.md b/windows/whats-new/edp-whats-new-overview.md
deleted file mode 100644
index a6816c161f..0000000000
--- a/windows/whats-new/edp-whats-new-overview.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Enterprise data protection (EDP) overview (Windows 10)
-description: With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data disclosure through apps and services that are outside of the enterprise’s control like email, social media, and the public cloud.
-redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip
----
\ No newline at end of file
diff --git a/windows/whats-new/images/bulk-token.PNG b/windows/whats-new/images/bulk-token.PNG
new file mode 100644
index 0000000000..b0d2221824
Binary files /dev/null and b/windows/whats-new/images/bulk-token.PNG differ
diff --git a/windows/whats-new/images/ldstore.PNG b/windows/whats-new/images/ldstore.PNG
new file mode 100644
index 0000000000..63f0eedee7
Binary files /dev/null and b/windows/whats-new/images/ldstore.PNG differ
diff --git a/windows/whats-new/images/wcd-options.png b/windows/whats-new/images/wcd-options.png
new file mode 100644
index 0000000000..b3d998ba1b
Binary files /dev/null and b/windows/whats-new/images/wcd-options.png differ
diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md
index ff170bce3b..b64a85a590 100644
--- a/windows/whats-new/index.md
+++ b/windows/whats-new/index.md
@@ -1,6 +1,6 @@
 ---
 title: What's new in Windows 10 (Windows 10)
-description: Learn about new features in Windows 10 for IT professionals, such as Enterprise Data Protection, Microsoft Passport, Device Guard, and more.
+description: Learn about new features in Windows 10 for IT professionals, such as Enterprise Data Protection, Windows Hello, Device Guard, and more.
 ms.assetid: F1867017-76A1-4761-A200-7450B96AEF44
 keywords: ["What's new in Windows 10", "Windows 10", "anniversary update", "contribute", "edit topic"]
 ms.prod: w10
@@ -15,6 +15,7 @@ Windows 10 provides IT professionals with advanced protection against modern sec
 ## In this section
+- [What's new in Windows 10, version 1703](whats-new-windows-10-version-1703.md)
 - [What's new in Windows 10, version 1607](whats-new-windows-10-version-1607.md)
 - [What's new in Windows 10, versions 1507 and 1511](whats-new-windows-10-version-1507-and-1511.md)
diff --git a/windows/whats-new/lockdown-features-windows-10.md b/windows/whats-new/lockdown-features-windows-10.md
deleted file mode 100644
index 67a759be13..0000000000
--- a/windows/whats-new/lockdown-features-windows-10.md
+++ /dev/null
@@ -1,16 +0,0 @@
----
-title: Lockdown features from Windows Embedded 8.1 Industry (Windows 10)
-description: Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10.
-ms.assetid: 3C006B00-535C-4BA4-9421-B8F952D47A14
-keywords: lockdown, embedded
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: jdeckerMS
-redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/lockdown-features-windows-10
----
-
-# Lockdown features from Windows Embedded 8.1 Industry
-
-This topic has been redirected.
\ No newline at end of file
diff --git a/windows/whats-new/microsoft-passport.md b/windows/whats-new/microsoft-passport.md
deleted file mode 100644
index e8b4935152..0000000000
--- a/windows/whats-new/microsoft-passport.md
+++ /dev/null
@@ -1,16 +0,0 @@
----
-title: Windows Hello overview (Windows 10)
-description: In Windows 10, Windows Hello replaces passwords with strong two-factor authentication.
-ms.assetid: 292F3BE9-3651-4B20-B83F-85560631EF5B
-keywords: password, hello, fingerprint, iris, biometric, passport
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: mobile, security
-author: jdeckerMS
-redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/manage-identity-verification-using-microsoft-passport
----
-
-# Windows Hello overview
-
-This topic has been redirected.
\ No newline at end of file
diff --git a/windows/whats-new/new-provisioning-packages.md b/windows/whats-new/new-provisioning-packages.md
deleted file mode 100644
index 18725fae2a..0000000000
--- a/windows/whats-new/new-provisioning-packages.md
+++ /dev/null
@@ -1,16 +0,0 @@
----
-title: Provisioning packages (Windows 10)
-description: With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
-ms.assetid: 287706E5-063F-4AB5-902C-A0DF6D0730BC
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: mobile
-author: jdeckerMS
-redirect_url: https://technet.microsoft.com/en-us/itpro/windows/deploy/provisioning-packages
----
-
-# Provisioning packages
-
-
-This topic has been redirected.
\ No newline at end of file
diff --git a/windows/whats-new/security-auditing.md b/windows/whats-new/security-auditing.md
deleted file mode 100644
index 8683fc520d..0000000000
--- a/windows/whats-new/security-auditing.md
+++ /dev/null
@@ -1,125 +0,0 @@ ---- -title: What's new in security auditing (Windows 10) -description: Security auditing is one of the most powerful tools that you can use to maintain the integrity of your system. -ms.assetid: CB35A02E-5C66-449D-8C90-7B73C636F67B -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -author: brianlic-msft -ms.pagetype: security, mobile -redirect_url: https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511 ---- - -# What's new in security auditing? - -**Applies to** -- Windows 10 -- Windows 10 Mobile -- Windows Server 2016 - -Security auditing is one of the most powerful tools that you can use to maintain the integrity of your system. As part of your overall security strategy, you should determine the level of auditing that is appropriate for your environment. Auditing should identify attacks (successful or not) that pose a threat to your network, and attacks against resources that you have determined to be valuable in your risk assessment. - -## New features in Windows 10, version 1511 - -- The [WindowsSecurityAuditing](https://go.microsoft.com/fwlink/p/?LinkId=690517) and [Reporting](https://go.microsoft.com/fwlink/p/?LinkId=690525) configuration service providers allow you to add security audit policies to mobile devices. - -## New features in Windows 10 - -In Windows 10, security auditing has added some improvements: -- [New audit subcategories](#bkmk-auditsubcat) -- [More info added to existing audit events](#bkmk-moreinfo) - -### New audit subcategories - -In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events: -- [Audit Group Membership](../keep-secure/audit-group-membership.md) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. 
Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the logon session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource. - When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. Multiple events are generated if the group membership information cannot fit in a single security audit event. -- [Audit PNP Activity](../keep-secure/audit-pnp-activity.md) Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when plug and play detects an external device. - Only Success audits are recorded for this category. If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play. - A PnP audit event can be used to track down changes in system hardware and will be logged on the PC where the change took place. A list of hardware vendor IDs are included in the event. - -### More info added to existing audit events - -With Windows 10, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. 
Improvements were made to the following audit events: -- [Changed the kernel default audit policy](#bkmk-kdal) -- [Added a default process SACL to LSASS.exe](#bkmk-lsass) -- [Added new fields in the logon event](#bkmk-logon) -- [Added new fields in the process creation event](#bkmk-logon) -- [Added new Security Account Manager events](#bkmk-sam) -- [Added new BCD events](#bkmk-bcd) -- [Added new PNP events](#bkmk-pnp) - -### Changed the kernel default audit policy - -In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This results in better auditing of services that may start before LSA starts. - -### Added a default process SACL to LSASS.exe - -In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L"S:(AU;SAFA;0x0010;;;WD)". You can enable this under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**. -This can help identify attacks that steal credentials from the memory of a process. - -### New fields in the logon event - -The logon event ID 4624 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4624: -1. **MachineLogon** String: yes or no - If the account that logged into the PC is a computer account, this field will be yes. Otherwise, the field is no. -2. **ElevatedToken** String: yes or no - If the account that logged into the PC is an administrative logon, this field will be yes. Otherwise, the field is no. Additionally, if this is part of a split token, the linked login ID (LSAP\_LOGON\_SESSION) will also be shown. -3. 
**TargetOutboundUserName** String - **TargetOutboundUserDomain** String - The username and domain of the identity that was created by the LogonUser method for outbound traffic. -4. **VirtualAccount** String: yes or no - If the account that logged into the PC is a virtual account, this field will be yes. Otherwise, the field is no. -5. **GroupMembership** String - A list of all of the groups in the user's token. -6. **RestrictedAdminMode** String: yes or no - If the user logs into the PC in restricted admin mode with Remote Desktop, this field will be yes. - For more info on restricted admin mode, see [Restricted Admin mode for RDP](http://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx). - -### New fields in the process creation event - -The logon event ID 4688 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4688: -1. **TargetUserSid** String - The SID of the target principal. -2. **TargetUserName** String - The account name of the target user. -3. **TargetDomainName** String - The domain of the target user.. -4. **TargetLogonId** String - The logon ID of the target user. -5. **ParentProcessName** String - The name of the creator process. -6. **ParentProcessId** String - A pointer to the actual parent process if it's different from the creator process. - -### New Security Account Manager events - -In Windows 10, new SAM events were added to cover SAM APIs that perform read/query operations. In previous versions of Windows, only write operations were audited. The new events are event ID 4798 and event ID 4799. 
The following APIs are now audited: -- SamrEnumerateGroupsInDomain -- SamrEnumerateUsersInDomain -- SamrEnumerateAliasesInDomain -- SamrGetAliasMembership -- SamrLookupNamesInDomain -- SamrLookupIdsInDomain -- SamrQueryInformationUser -- SamrQueryInformationGroup -- SamrQueryInformationUserAlias -- SamrGetMembersInGroup -- SamrGetMembersInAlias -- SamrGetUserDomainPasswordInformation - -### New BCD events - -Event ID 4826 has been added to track the following changes to the Boot Configuration Database (BCD): -- DEP/NEX settings -- Test signing -- PCAT SB simulation -- Debug -- Boot debug -- Integrity Services -- Disable Winload debugging menu - -### New PNP events - -Event ID 6416 has been added to track when an external device is detected through Plug and Play. One important scenario is if an external device that contains malware is inserted into a high-value machine that doesn’t expect this type of action, such as a domain controller. -[Learn how to manage your security audit policies within your organization](../keep-secure/security-auditing-overview.md). diff --git a/windows/whats-new/security.md b/windows/whats-new/security.md deleted file mode 100644 index 5cf158fc99..0000000000 --- a/windows/whats-new/security.md +++ /dev/null 
@@ -1,204 +0,0 @@
----
-title: What's new in Windows 10 security (Windows 10)
-description: There are several key client security improvements Microsoft has made in Windows 10.
-ms.assetid: 6B8A5F7A-ABD3-416C-87B0-85F68B214C81
-keywords: secure, data loss prevention, multifactor authentication
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
-author: TrudyHa
----
-
-# What's new in Windows 10 security
-
-There are several key client security improvements Microsoft has made in Windows 10. These improvements focus on three key areas — threat resistance, information protection, and identity protection and access control. In addition to an overview of the features themselves, this article discusses the hardware requirements for each new feature and offers configuration recommendations and links to more detailed resources.
-
-Microsoft designed the Windows 10 operating system to be the most secure version of the Windows operating system to date. To achieve this goal, Windows 10 employs advanced and now widely available hardware features to help protect users and devices against modern cyber threats. With thousands of new malware variants discovered daily and malicious hacking techniques evolving rapidly, never before has Windows client security been more important. In Windows 10, organizations can deploy new threat-resistant security features that harden the operating system in ways that can benefit Bring Your Own Device (BYOD) and corporate-owned device scenarios, as well as devices for special use cases, such as kiosks, ATMs, and point-of-sale (PoS) systems. These new threat-resistant features are modular—that is, they’re designed to be deployed together, although you can also implement them individually. With all these new features enabled together, organizations can protect themselves immediately against a majority of today’s most sophisticated threats and malware.
-
-In addition to new, impactful threat mitigations, Windows 10 includes several improvements in built-in information protection, including a new data loss-prevention (DLP) component. These improvements allow organizations to separate business and personal data easily, define which apps have access to business data, and determine how data can be shared (for example, copy and paste). Unlike other DLP solutions, Microsoft integrated this functionality deeply into the Windows platform, offering the same type of security capabilities that container-based solutions offer but without altering such user experiences as requiring mode changes or switching applications.
-
-Finally, new identity-protection and access control features make it easier to implement two-factor authentication (2FA) across the entire enterprise, which empowers organizations to transition away from passwords. Windows 10 introduces Microsoft Passport, a new 2FA user credential built directly into the operating system that users can access with either a PIN or a new biometrics-driven capability called Windows Hello. Together, these technologies provide a simple logon experience for users, with the robust security of multifactor authentication (MFA). Unlike third-party multifactor solutions, Microsoft Passport is designed specifically to integrate with Microsoft Azure Active Directory (Azure AD) and hybrid Active Directory environments and requires minimal administrative configuration and maintenance.
-
-## Threat resistance
-
-Today’s security threat landscape is one of aggressive and tenacious threats. In previous years, malicious attackers mostly focused on gaining community recognition through their attacks and the personal enjoyment of temporarily taking a system offline.
Since then, attacker’s motives have shifted toward monetizing their attacks, which includes holding machines and data hostage until the owners pay the demanded ransom and exploiting the valuable information the attackers discover for monetary gain. Unlike these examples, modern attacks increasingly focus on large-scale intellectual property theft; targeted system degradation that results in financial loss; and now even cyberterrorism that threatens the security of individuals, businesses, and national interests all over the world. These attackers are typically highly trained individuals and security experts, some of whom are in the employ of nation states that have large budgets, seemingly unlimited human resources, and unknown motives. Threats like these require a different approach and mitigations that can meet the challenge.
-
-Windows 10 introduces several new security features that help mitigate modern threats and protect organizations against cyber attackers, regardless of their motive. Microsoft has made significant investments in Windows 10 to make it the most malware-resistant Windows operating system to date. Rather than simply adding defenses to the operating system, as was the case in previous Windows releases, Microsoft introduces architectural changes in Windows 10 that address entire classes of threats. By fundamentally changing the way the operating system works, Microsoft seeks to make Windows 10 much more difficult for modern attackers to exploit. New features in Windows 10 include Device Guard, configurable code integrity, virtualization-based security (VBS), and improvements to Windows Defender, to name just a few. By enabling all these new features together, organizations can immediately protect themselves against the types of malware responsible for approximately 95 percent of modern attacks.
-
-### Virtualization-based security
-
-In the server world, virtualization technologies like Microsoft Hyper-V have proven extremely effective in isolating and protecting virtual machines (VMs) in the data center. Now, with those virtualization capabilities becoming more pervasive in modern client devices, there is an incredible opportunity for new Windows client security scenarios. Windows 10 can use virtualization technology to isolate core operating system services in a segregated, virtualized environment, similar to a VM. This additional level of protection, called virtualization-based security, ensures that no one can manipulate those services, even if the kernel mode of the host operating system is compromised.
-
-Just like with client Hyper-V, Windows itself can now take advantage of processors equipped with second-level address translation (SLAT) technology and virtualization extensions, such as Intel Virtualization Technology (VT) x and AMD V, to create a secure execution environment for sensitive Windows functions and data. This VBS environment protects the following services:
-
-- **Hypervisor Code Integrity (HVCI).** The HVCI service in Windows 10 determines whether code executing in kernel mode is securely designed and trustworthy. It offers Zero Day and vulnerability exploit protection capabilities by ensuring that all software running in kernel mode, including drivers, securely allocate memory and operate as they are intended. In Windows 10, kernel mode code integrity is configurable, which allows organizations to scope preboot code execution to their desired configuration. For more information about configurable code integrity in Windows 10, see the [Configurable code integrity](#configurable-code-integrity) section.
-- **Local Security Authority (LSA).** The LSA service in Windows manages authentication operations, including NT LAN Manager (NTLM) and Kerberos mechanisms.
In Windows 10, the Credential Guard feature isolates a portion of this service and helps mitigate the pass-the-hash and pass-the-ticket techniques by protecting domain credentials. In addition to logon credentials, this protection is extended to credentials stored within Credential Manager. For more information about Credential Guard, see the [Credential Guard](#credential-guard) section.
-
-**Note**
-To determine whether virtualization is supported for a client machine model, simply run **systeminfo** from a command prompt window.
- 
-VBS provides the core framework for some of the most impactful mitigations Windows 10 offers. Having client machines within your organization that can employ this functionality is crucial to modern threat resistance. For more information about the specific hardware features that each Windows 10 feature requires, including VBS, see the [Windows 10 hardware considerations](#hardware) section.
-
-### Device Guard
-
-Microsoft Device Guard is a feature set that combines system integrity–hardening features that revolutionize Windows security by taking advantage of new VBS options to protect the system core and a trust-nothing model often seen in mobile operating systems. This feature set takes advantage of the best preexisting Windows hardening features (for example, Unified Extensible Firmware Interface \[UEFI\] Secure Boot, Windows Trusted Boot), and then combines them with powerful new app control features like the VBS-powered HVCI service and configurable code integrity, which together help prevent vulnerability exploits and unauthorized apps from running on the device in both user and kernel modes. For more information about VBS in Windows 10 and the additional features that use it, see the [Virtualization-based security](#virtualization-based-security) section. For more information about configurable code integrity, see the [Configurable code integrity](#configurable-code-integrity) section.
-
-Although Microsoft intends the Device Guard feature set to run alongside new Windows security features such as Credential Guard, it can run independently. Depending on your organization’s client resources, you can selectively choose which features make sense for your environment and device compatibility.
For information about the hardware requirements for Device Guard and other Windows 10 security features, see the [Windows 10 hardware considerations](#hardware) section. For more information about Credential Guard, see the [Credential Guard](#credential-guard) section.
-
-For most organizations, implementing specific Device Guard functionality will depend on the role of the device and its primary user, employing more features on single-workload devices, such as kiosks, and fewer features on administrative machines over which users are allowed full control. By using this model, IT organizations can categorize users into groups that align with Device Guard security policies relating to device security and code integrity restrictions. For more information about configurable code integrity, see the [Configurable code integrity](#configurable-code-integrity) section.
-
-New desktops and laptops will be available to expedite your Device Guard implementation efforts. Device Guard-ready devices will require the least amount of physical interaction with the actual device before it’s ready for use.
-
-Going forward, all devices will fall into one of the following three categories:
-- **Device Guard capable**. These devices will meet all the hardware requirements for Device Guard. You will still need to properly prepare devices with components that require enablement or configuration for Device Guard deployment. Device drivers on the device must be compatible with HVCI and may require updates from the original equipment manufacturer (OEM).
-- **Device Guard ready**. Device Guard-ready devices will come directly from the OEM with all necessary hardware components and drivers to run Device Guard. In addition, all of these components will be pre-configured and enabled, which minimizes the effort needed to deploy Device Guard.
No interaction with the BIOS is necessary to deploy these devices, and you can use Group Policy, System Center Configuration Manager, or Microsoft Intune to manage them.
-- **Not supported for Device Guard**. Many current devices cannot take advantage of all Device Guard features because they don’t have the required hardware components or HVCI-compatible drivers. However, most of these devices can enable some Device Guard features, such as configurable code integrity.
-
-For more information about how to prepare for, manage, and deploy Device Guard, see the [Device Guard deployment guide](../keep-secure/device-guard-deployment-guide.md).
-
-### Configurable code integrity
-
-*Code integrity* is the Windows component that verifies that the code Windows is running is trusted and safe. Like the operating modes found in Windows itself, Windows code integrity contains two primary components: kernel mode code integrity (KMCI) and user mode code integrity (UMCI). Microsoft has used KMCI in recent versions of Windows to prevent the Windows kernel from executing unsigned drivers. Although this approach is effective, drivers aren’t the only route malware can take to penetrate the operating system’s kernel mode space. So, for Windows 10, Microsoft has raised the standard for kernel mode code out of the box by requiring the use of security best practices regarding memory management and has provided enterprises with a way to set their own UMCI and KMCI standards.
-
-Historically, UMCI has been available only for Windows RT and Windows Phone devices, which made it difficult for attackers to infect such devices with viruses and malware. This reduced infection rate results from the way the operating system determines which code to execute. Natively, binaries follow a process to prove to the operating system that they are trustworthy before the operating system allows them to execute.
This process is intended to restrict the execution of arbitrary code and thereby decrease the risk of malware infection. This successful trust-nothing operating system model is now available in Windows 10 through a feature called *configurable code integrity*.
-Configurable code integrity allows IT organizations to create and deploy code integrity policies that stipulate exactly which binaries can run in their environment. Administrators can manage this trust at a certification authority or publisher level down to the individual hash values for each executed binary. This level of customization allows organizations to create policies that are as restrictive as they desire. In addition, organizations can choose to provide different levels of restriction for certain types of machines. For example, fixed-workload devices such as kiosks and PoS systems would likely receive a strict policy, because their purpose is to provide the same service day after day. Administrators can manage devices that have more variable workloads, such as users’ PCs, at a higher level, providing certain software publishers’ applications for installation or aligning those devices with the organization’s software catalog.
-
-**Note**
-Configurable code integrity is not intended to replace technologies that allow or block programs such as AppLocker or an organization’s antivirus software. Rather, it complements such technologies by establishing a baseline of security, and then using those additional technologies to fine-tune client security.
- 
-Configurable code integrity is not limited to Windows Store applications. In fact, it is not even limited to existing signed applications. Windows 10 gives you a way to sign line-of-business or third-party applications without having to repackage them: you can monitor the application’s installation and initial execution to create a list of binaries called a catalog file. When created, you sign these catalog files and add the signing certificate to the code integrity policy so that those binaries contained within the catalog files are allowed to execute. Then, you can use Group Policy, Configuration Manager, or any other familiar management tool to distribute these catalog files to your client machines. Historically, most malware has been unsigned; simply by deploying code integrity policies, your organization can immediately protect itself against unsigned malware, which is responsible for most modern attacks.
-
-**Note**
-For detailed deployment and planning information about configurable code integrity, see the [Device Guard deployment guide](../keep-secure/device-guard-deployment-guide.md).
- 
-The process to create, test, and deploy a code integrity policy is as follows:
-1. **Create a code integrity policy.** Use the Windows PowerShell cmdlet **New-CIPolicy**, available in Windows 10, to create a new code integrity policy. This cmdlet scans a PC for all listings of a specific policy level. For example, if you set the rule level to **Hash**, the cmdlet would add hash values for all discovered binaries to the policy that resulted from the scan. When you enforce and deploy the policy, this list of hash values determines exactly which binaries are allowed to run on the machines that receive the policy. Code integrity policies can contain both a kernel mode and user mode execution policy, restricting what can run in either or both modes. Finally, when created, this policy is converted to binary format so that the managed client can consume it when the policy is copied to the client’s code integrity folder.
-2. **Audit the code integrity policy for exceptions.** When you first create a code integrity policy, audit mode is enabled by default so that you can simulate the effect of a code integrity policy without actually blocking the execution of any binaries. Instead, policy exceptions are logged in the CodeIntegrity event log so that you can add the exceptions to the policy later. Be sure to audit any policy to discover potential issues before you deploy it.
-3. **Merge the audit results with the existing policy.** After you have audited a policy, you can use the audit events to create an additional code integrity policy. Because each machine processes just one code integrity policy, you must merge the file rules within this new code integrity policy with the original policy. To do so, run the **Merge-CIPolicy** cmdlet, which is available in Windows 10 Enterprise.
-4. 
**Enforce and sign the policy.** After you create, audit, and merge the resulting code integrity policies, it’s time to enforce your policy. To do so, run the **Set-RuleOption** cmdlet to remove the **Unsigned Policy** rule. When enforced, no binaries that are exceptions to the policy will be allowed to run. In addition to enforcing a policy, signed policies offer an additional level of protection. Signed code integrity policies inherently protect themselves against manipulation and deletion, even by administrators.
-5. **Deploy the code integrity policy.** When you have enforced and optionally signed your code integrity policy, it’s ready for deployment. To deploy your code integrity policies, you can use Microsoft client management technologies, mobile device management solutions, or Group Policy, or you can simply copy the file to the correct location on your client computers. For Group Policy deployment, a new administrative template is available in Windows 10 and the Windows Server 2016 operating system to simplify the deployment process.
-
-**Note**
-Configurable code integrity is available in Windows 10 Enterprise and Windows 10 Education.
- 
-You can enable configurable code integrity as part of a Device Guard deployment or as a stand-alone component. In addition, you can run configurable code integrity on hardware that is compatible with the Windows 7 operating system, even if such hardware is not Device Guard ready. Code integrity policies can align with an existing application catalog, existing corporate imaging strategy, or with any other method that provides the organization’s desired levels of restriction. For more information about configurable code integrity with Device Guard, see the [Device Guard deployment guide](../keep-secure/device-guard-deployment-guide.md).
-
-### Measured Boot and remote attestation
-
-Although software-based antimalware and antivirus solutions are effective, they have no way to detect pre–operating system resource modification or infection such as by bootkits and rootkits—malicious software that can manipulate a client before the operating system and antimalware solutions load. Bootkits and rootkits and similar software are nearly impossible to detect using software-based solutions alone, so Windows 10 uses the client’s Trusted Platform Module (TPM) and the Windows Measured Boot feature to analyze the overall boot integrity. When requested, Windows 10 reports integrity information to the Windows cloud-based device health attestation service, which can then be used in coordination with management solutions such as Intune to analyze the data and provide conditional access to resources based on the device’s health state.
-
-Measured Boot uses one of TPM’s key functionalities and provides unique benefits to secure organizations. The feature can accurately and securely report the state of a machine’s trusted computing base (TCB).
By measuring a system’s TCB, which consists of crucial startup-related security components such as firmware, the Operating System Loader, and drivers and software, the TPM can store the current device state in platform configuration registers (PCRs). When this measurement process is complete, the TPM cryptographically signs this PCR data so that Measured Boot information can be sent to either the Windows cloud-based device health attestation service or a non-Microsoft equivalent for signing or review. For example, if a company only wants to validate a computer’s BIOS information before allowing network access, PCR\[0\], which is the PCR that contains BIOS information, would be added to the policy for the attestation server to validate. This way, when the attestation server receives the manifest from the TPM, the server knows which values that PCR should contain.
-
-Measured Boot by itself does not prevent malware from loading during the startup process, but it does provide a TPM-protected audit log that allows a trusted remote attestation server to evaluate the PC’s startup components and determine its trustworthiness. If the remote attestation server indicates that the PC loaded an untrusted component and is therefore out of compliance, a management system can use the information for conditional access scenarios to block the PC’s access to network resources or perform other quarantine actions.
-
-### Improvements in Windows Defender
-
-For Windows 10, Microsoft has revamped Windows Defender and combined it with Microsoft System Center Endpoint Protection. Unlike with Microsoft System Center 2012 R2, there will be no System Center Endpoint Protection client to deploy to Windows 10 machines because Windows Defender is built into the operating system and enabled by default.
-
-In addition to simplified deployment, Windows Defender contains several improvements.
The most important improvements to Windows Defender are:
-
-- **Early Launch Antimalware (ELAM) compatible.** After Secure Boot has verified that the loading operating system is trusted, ELAM can start a registered and signed antimalware application before any other operating system components. Windows Defender is compatible with ELAM.
-- **Local context for detections and centralized sensory data.** Unlike most antimalware software and previous versions of Windows Defender, Windows Defender in Windows 10 reports additional information about the context of discovered threats. This information includes the source of the content that contains the threat as well as the historical movement of the malware throughout the system. When collection is complete, Windows Defender reports this information (when users elect to enable cloud-based protection) and uses it to mitigate threats more quickly.
-- **User Account Control (UAC) integration.** Windows Defender is now closely integrated with the UAC mechanism in Windows 10. Whenever a UAC request is made, Windows Defender automatically scans the threat before prompting the user, which helps prevent users from providing elevated privileges to malware.
-- **Simplified management.** In Windows 10, you can manage Windows Defender much more easily than ever before. Manage settings through Group Policy, Intune, or Configuration Manager.
-
-## Information protection
-
-Protecting the integrity of company data as well as preventing the inappropriate disclosure and sharing of that data are a top priority for IT organizations. Trends like BYOD and mobility make the task of information protection more challenging than ever before. Windows 10 includes several improvements to built-in information protection, including a new Windows Information Protection (WIP) feature that offers DLP capability.
This feature allows an organizations’ users to classify data themselves and gives you the ability to automatically classify data as it ingresses from business resources. It can also help prevent users from copying business content to unauthorized locations such as personal documents or websites.
-
-Unlike some current DLP solutions, WIP does not require users to switch modes or apps or work within containers to protect data, and the protection happens behind the scenes without altering the user experience that your users have grown accustomed to in Windows. For more information about WIP in Windows 10, see the [Windows Information Protection](#windows-information-protection) section.
-
-In addition to WIP, Microsoft has made substantial improvements to BitLocker, including simplified manageability through Microsoft BitLocker Administration and Monitoring (MBAM), used-space-only encryption, and single sign-on (SSO) capability. For more information about BitLocker improvements in Windows 10, see the [Improvements in BitLocker](#bitlocker) section.
-
-### Windows Information Protection
-
-DLP systems are intended to protect sensitive corporate data through encryption and managed use while the data is in use, in motion, or at rest. Traditional DLP software is typically invasive and frustrating for users and can be complicated for administrators to configure and deploy. Windows 10 now includes a Windows Information Protection (WIP) feature that offers DLP capabilities and is built in and simple to use. This solution gives you the flexibility to define policies that will help determine what kind of data to protect as business data and what should be considered personal. Based on these policies, you can also choose what to do, either automatically or manually, whenever you suspect that data is about to be or has been compromised.
For example, if an employee has a personal but managed device that contains business data, an IT organization could block that user from copying and pasting business data to nonbusiness documents and locations or could even selectively wipe the business data from the device at any time without affecting the personal data on the device.
-
-You can configure WIP policies to encrypt and protect files automatically based on the network source from which the content was acquired, such as an email server, file share, or a Microsoft SharePoint site. The policies can work with on-premises resources as well as those that originate from the Internet. When specified, any data retrieved from internal network resources will always be protected as business data; even if that data is copied to portable storage, such as a flash drive or CD, the protection remains. In an effort to allow easy corrections of misclassified data, users who feel that WIP has incorrectly protected their personal data can modify the data’s classification. When such a modification occurs, you have access to audit data on the client machine. You can also use a policy to prevent users from reclassifying data. The WIP feature in Windows 10 also includes policy controls that allow you to define which apps have access to business data and even which have access to the corporate virtual private network (VPN).
-
-To manage WIP, you use the same system management tools you probably already use to manage your Windows client computers, such as Configuration Manager and Intune. For more information about WIP, see [Protect your enterprise data using Windows Information Protection](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip).
-
-### Improvements in BitLocker
-
-With so many laptops stolen annually, protecting data at rest should be a top priority for any IT organization. Microsoft has provided an encryption solution called BitLocker directly in Windows since 2004.
If your last encounter with BitLocker was in Windows 7, you’ll find that the manageability and SSO capabilities that were previously lacking are now included in Windows 10. These and other improvements make BitLocker one of the best choices on the marketplace for protecting data on Windows devices. Windows 10 builds on the BitLocker improvements made in the Windows 8.1 and Windows 8 operating systems to make BitLocker more manageable and to simplify its deployment even further.
-
-Microsoft has made the following key improvements to BitLocker:
-- **Automatic drive encryption through Device Encryption.** By default, BitLocker is automatically enabled on clean installations of Windows 10 if the device has passed the Device Encryption Requirements test from the Windows Hardware Certification Kit. Many Windows 10–compatible PCs will meet this requirement. This version of BitLocker is called Device Encryption. Whenever devices on which Drive Encryption is enabled join your domain, the encryption keys can be escrowed in either Active Directory or MBAM.
-- **MBAM improvements.** MBAM provides a simplified management console for BitLocker administration. It also simplifies recovery requests by providing a self-service portal in which users can recover their drives without calling the help desk.
-- **SSO.** BitLocker for Windows 7 often required the use of a pre-boot PIN to access the protected drive’s encryption key and allow Windows to start. In Windows 10, user input-based preboot authentication (in other words, a PIN) is not required because the TPM maintains the keys. In addition, modern hardware often mitigates the cold boot attacks (for example, port-based direct memory access attacks) that have previously necessitated PIN protection. For more information to determine which cases and device types require the use of PIN protection, refer to [BitLocker Countermeasures](../keep-secure/bitlocker-countermeasures.md).
-- **Used-space-only encryption.** Rather than encrypting an entire hard drive, you can configure BitLocker to encrypt only the used space on a drive. This option drastically reduces the overall encryption time required.
-
-## Identity protection and access control
-
-User credentials are vital to the overall security of an organization’s domain. Until Windows 10, user name-password combinations were the primary way for a person to prove his or her identity to a machine or system. Unfortunately, passwords are easily stolen, and attackers can use them remotely to spoof a user’s identity. Some organizations deploy public key infrastructure (PKI)-based solutions, like smart cards, to address the weaknesses of passwords. Because of the complexity and costs associated with these solutions, however, they’re rarely deployed and, even when they are used, frequently used only to protect top-priority assets such as the corporate VPN. Windows 10 introduces new identity-protection and access control features that address the weaknesses of today’s solutions and can effectively remove the need for user passwords in an organization.
-
-Windows 10 also includes a feature called Microsoft Passport, a new 2FA mechanism built directly into the operating system. The two factors of authentication include a combination of something you know (for example, a PIN), something you have (for example, your PC, your phone), or something about the user (for example, biometrics). With Microsoft Passport enabled, when you log on to a computer, Microsoft Passport is responsible for brokering user authentication around the network, providing the same SSO experience with which you’re familiar. For more information about Microsoft Passport, see the [Microsoft Passport](#passport) section.
-
-The biometrics factor available for Microsoft Passport is driven by another new feature in Windows 10 called Windows Hello.
Windows Hello uses a variety of biometric sensors to accept different points of biometric measurement, such as the face, iris, and fingerprints, which allows organizations to choose from various options when they consider what makes the most sense for their users and devices. By combining Windows Hello with Microsoft Passport, users no longer need to remember a password to access corporate resources. For more information about Windows Hello, see the [Windows Hello](#hello) section. - -Finally, Windows 10 uses VBS to isolate the Windows service responsible for maintaining and brokering a user’s derived credentials (for example, Kerberos ticket, NTLM hash) through a feature called Credential Guard. In addition to service isolation, the TPM protects credential data while the machine is running and while it’s off. Credential Guard provides a comprehensive strategy to protect user-derived credentials at runtime as well as at rest, thus preventing them from being accessed and used in pass-the-hash–type attacks. For more information about Credential Guard, see the [Credential Guard](#credential-guard) section. - -### Microsoft Passport - -Historically, companies have mitigated the risk of credential theft by implementing 2FA. In this method, a combination of something you know (for example, a PIN), something you have (traditionally a smart card or token), or possibly something about the user (for example, biometrics) strengthens the logon process. The additional factor beyond something you know requires that a credential thief acquire a physical device or, in the case of biometrics, the actual user. - -Microsoft Passport introduces a strong 2FA mechanism integrated directly into Windows. Many organizations use 2FA today but don’t integrate its functionality into their organization because of the expense and time required to do so. 
Therefore, most organizations use MFA only to secure VPN connections and the highest-value resources on their network, and then use traditional passwords for logon to devices and to navigate the rest of the network. Microsoft Passport is unlike these other forms of 2FA in that Microsoft designed it specifically to address the complexity, cost, and user experience challenges of traditional 2FA solutions, making it simple to deploy throughout the enterprise through existing infrastructure and devices. - -Microsoft Passport can use the biometric information from Windows Hello or a unique PIN with cryptographic signing keys stored in the device’s TPM. For organizations that don’t have an existing PKI, the TPM—or Windows, when no TPM is present—can generate and protect these keys. If your organization has an on-premises PKI or wants to deploy one, you can use certificates from the PKI to generate the keys, and then store them in the TPM. When the user has registered the device and uses Windows Hello or a PIN to log in to the device, the Microsoft Passports private key fulfills any subsequent authentication requests. Microsoft Passport combines the deployment flexibility of virtual smart cards with the robust security of physical smart cards without requiring the extra infrastructure components needed for traditional smart card deployments and hardware such as cards and readers. - -In Windows 10, the physical factor of authentication is the user’s device—either his or her PC or mobile phone. By using the new phone sign-in capability which will available to Windows Insiders as a preview in early 2016, users can unlock their PC without ever touching it. Users simply enroll their phone with Microsoft Passport by pairing it with the PC via Wi-Fi or Bluetooth and install a simple-to-use application on their phone that allows them to select which PC to unlock. When selected, users can enter a PIN or their biometric login from their phone to unlock their PC. 
- -### Windows Hello -Passwords represent a losing identity and access control mechanism. When an organization relies on password-driven Windows authentication, attackers only have to determine a single string of text to access anything on a corporate network that those credentials protect. Unfortunately, attackers can use several methods to retrieve a user’s password, making credential theft relatively easy for determined attackers. By moving to an MFA mechanism to verify user identities, organizations can remove the threats that single-factor options like passwords represent. - -Windows Hello is the enterprise-grade biometric integration feature in Windows 10. This feature allows users to use their face, iris, or fingerprint rather than a password to authenticate. Although biometric logon capabilities have been around since the Windows XPoperating system, they have never been as easy, seamless, and secure as they are in Windows 10. In previous uses of biometrics in Windows, the operating system used the biometric information only to unlock the device; then, behind the scenes the user’s traditional password was used to access resources on the organization’s network. Also, the IT organization had to run additional software to configure the biometric devices to log in to Windows or applications. Windows Hello is integrated directly into the operating system and so doesn’t require additional software to function. However, as with any other biometrics-based login, Windows Hello requires specific hardware to function: -- **Facial recognition.** To establish facial recognition, Windows Hello uses special infrared (IR) cameras and anti-spoofing technology to reliably tell the difference between a photograph and a living person. This requirement ensures that no one can take a person’s PC and spoof his or her identity simply by obtaining a high-definition picture. 
Many manufacturers already offer PC models that include such cameras and are therefore compatible with Windows Hello. For those machines that don’t currently include these special cameras, several external cameras are available. -- **Fingerprint recognition.** Fingerprint sensors already exist in a large percentage of consumer and business PCs. Most of them (whether external or integrated into laptops or USB keyboards) work with Windows Hello. The detection and anti-spoofing technology available in Windows 10 is much more advanced than in previous versions of Windows, making it more difficult for attackers to deceive the operating system. -- **Iris recognition.** Like facial recognition, iris-based recognition uses special IR cameras and anti-spoofing technology to reliably tell the difference between the user’s iris and an impostor. Iris recognition will be available in mobile devices by the end of 2016 but is also available for independent hardware vendors and OEMs to incorporate into PCs. -With Windows Hello in conjunction with Microsoft Passport, users have the same SSO experience they would if they logged on with domain credentials: they simply use biometrics, instead. In addition, because no passwords are involved, users won’t be calling the help desk saying that they have forgotten their password. For an attacker to spoof a user’s identity, he or she would have to have physical possession of both the user and the device on which the user is set up for Windows Hello. From a privacy perspective, organizations can rest assured that the biometric data Windows Hello uses is not centrally stored; can’t be converted to images of the user’s fingerprint, face, or iris; and is designed never to leave the device. In the end, Windows Hello and Microsoft Passport can completely remove the necessity for passwords for Azure AD and hybrid Azure AD/Active Directory environments and the apps and web services that depend on them for identity services. 
For more information about Microsoft Passport, see the [Microsoft Passport](#passport) section. - -### Credential Guard - -Pass the hash is the most commonly used derived credential attack today. This attack begins with an attacker extracting a user account’s derived credentials (hash value) from memory. Then, by using a product such as Mimikatz, the attacker reuses (passes) those credentials to other machines and resources on the network to gain additional access. Microsoft designed Credential Guard specifically to eliminate derived credential theft and abuse in pass-the-hash–type attacks. - -Credential Guard is another new feature in Windows 10 Enterprise that employs VBS to protect domain credentials against theft, even when the host operating system is compromised. To achieve such protection, Credential Guard isolates a portion of the LSA service, which is responsible for managing authentication, inside a virtualized container. This container is similar to a VM running on a hypervisor but is extremely lightweight and contains only those files and components required to operate the LSA and other isolated services. By isolating a portion of the LSA service within this virtualized environment, credentials are protected even if the system kernel is compromised, removing the attack vector for pass the hash. - -For more information about the hardware requirements for Credential Guard, see the [Windows 10 hardware considerations](#hardware) section. For more information about VBS in Windows 10, see the [Virtualization-based security](#virtualization-based-security) section. - -> [!NOTE] -> Starting in Windows 10, version 1607, you can configure Credential Guard on a VM. - -  -The Credential Guard feature is targeted at resisting the use of pass-the-hash and pass-the-ticket techniques. By employing a MFA option such as Microsoft Passport with Credential Guard, you can gain additional protection against such threats. 
For more in-depth information about how Credential Guard works and the specific mitigations it provides, see [Protect derived domain credentials with Credential Guard](../keep-secure/credential-guard.md). - -## Windows 10 hardware considerations - -Most of the features this article describes rely on specific hardware to maximize their capabilities. By purchasing hardware that includes these features during your next purchase cycle, you will be able to take advantage of the most comprehensive client security package Windows 10 has to offer. Careful consideration about which hardware vendor and specific models to purchase is vital to the success of your organization’s client security portfolio. Table 1 contains a list of each new Windows 10 security feature and its hardware requirements. - -Table 1. Windows 10 hardware requirements - -| Windows 10 feature | TPM | Input/output memory management unit | Virtualization extensions | SLAT | UEFI 2.3.1 | x64 architecture only | -|-------------------------------------------------|-----|-------------------------------------|---------------------------|------|------------|-----------------------| -| Credential Guard | R | N | Y | Y | Y | Y | -| Device Guard | N | Y | Y | Y | Y | Y | -| BitLocker | R | N | N | N | N | N | -| Configurable code integrity | N | N | N | N | R | R | -| Microsoft Passport | R | N | N | N | N | N | -| Windows Hello | R | N | N | N | N | N | -| VBS | N | Y | Y | Y | N | Y | -| UEFI Secure Boot | R | N | N | N | Y | N | -| Device health attestation through Measured Boot | Y | N | N | N | Y | Y | -  - -**Note**
-In this table, **R** stands for *recommended*, **Y** means that the hardware component is *required* for that Windows 10 feature, and **N** means that the hardware component is *not used* with that Windows 10 feature.
- 
-## Related topics
-
-- [Windows 10 Specifications](https://go.microsoft.com/fwlink/p/?LinkId=717550)
-- [Making Windows 10 More Personal and More Secure with Windows Hello](https://go.microsoft.com/fwlink/p/?LinkId=717551)
-- [Protect BitLocker from pre-boot attacks](../keep-secure/protect-bitlocker-from-pre-boot-attacks.md)
-- [BitLocker Countermeasures](../keep-secure/bitlocker-countermeasures.md)
-- [Device Guard deployment guide](../keep-secure/device-guard-deployment-guide.md)
-- [Protect derived domain credentials with Credential Guard](../keep-secure/credential-guard.md)
diff --git a/windows/whats-new/trusted-platform-module.md b/windows/whats-new/trusted-platform-module.md
deleted file mode 100644
index e4a2614653..0000000000
--- a/windows/whats-new/trusted-platform-module.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-title: What's new in Trusted Platform Module (Windows 10)
-description: This topic for the IT professional describes new features for the Trusted Platform Module (TPM) in Windows 10.
-ms.assetid: CE8BBC2A-EE2D-4DFA-958E-2A178F2E6C44
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security, mobile
-author: brianlic-msft
-redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/trusted-platform-module-overview
----
-
-# What's new in Trusted Platform Module?
-
-**Applies to**
-- Windows 10
-- Windows 10 Mobile
-- Windows Server 2016
-
-This topic for the IT professional describes new features for the Trusted Platform Module (TPM) in Windows 10.
-
-## New features in Windows 10, version 1511
-
-- Key Storage Providers (KSPs) and srvcrypt support elliptical curve cryptography (ECC).
-
-## New features in Windows 10
-
-The following sections describe the new and changed functionality in the TPM for Windows 10:
-- [Device health attestation](#bkmk-dha)
-- [Microsoft Passport](microsoft-passport.md) support
-- [Device Guard](device-guard-overview.md) support
-- [Credential Guard](credential-guard.md) support
-
-## Device health attestation
-
-Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device heath attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource.
-Some things that you can check on the device are:
-- Is Data Execution Prevention supported and enabled?
-- Is BitLocker Drive Encryption supported and enabled?
-- Is SecureBoot supported and enabled?
-
-> **Note**  The device must be running Windows 10 and it must support at least TPM 2.0.
- 
-[Learn how to deploy and manage TPM within your organization](../keep-secure/trusted-platform-module-overview.md).
- 
- 
diff --git a/windows/whats-new/user-account-control.md b/windows/whats-new/user-account-control.md
deleted file mode 100644
index 4a670324d3..0000000000
--- a/windows/whats-new/user-account-control.md
+++ /dev/null
@@ -1,32 +0,0 @@
----
-title: What's new in User Account Control (Windows 10)
-description: User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop environment.
-ms.assetid: 9281870C-0819-4694-B4F1-260255BB8D07
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
-author: brianlic-msft
-redirect_url: https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511
----
-
-# What's new in User Account Control?
-
-**Applies to**
-- Windows 10
-
-User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop environment.
-
-You should not turn off UAC because this is not a supported scenario for devices running Windows 10. If you do turn off UAC, all Univeral Windows Platform apps stop working. You must always set the **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA** registry value to 1. If you need to provide auto elevation for programmatic access or installation, you could set the **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin** registry value to 0, which is the same as setting the UAC slider Never Notify. This is not recommended for devices running Windows 10.
-
-For more info about how manage UAC, see [UAC Group Policy Settings and Registry Key Settings](../keep-secure/user-account-control-group-policy-and-registry-key-settings.md).
-
-In Windows 10, User Account Control has added some improvements.
-
-## New features in Windows 10
-
-- **Integration with the Antimalware Scan Interface (AMSI)**. The [AMSI](http://msdn.microsoft.com/library/windows/desktop/dn889587.aspx) scans all UAC elevation requests for malware. If malware is detected, the admin privilege is blocked.
- -[Learn how to manage User Account Control within your organization](../keep-secure/user-account-control-overview.md). -  -  diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md index 92c077d28e..f23a6b2556 100644 --- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md +++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md @@ -13,7 +13,9 @@ localizationpriority: high Below is a list of some of the new and updated features included in the initial release of Windows 10 (version 1507) and the Windows 10 update to version 1511. -> **Note:** For release dates and servicing options for each version, see [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info). +>[!NOTE] +>For release dates and servicing options for each version, see [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info). +  ## Deployment @@ -249,7 +251,6 @@ Windows 10 provides mobile device management (MDM) capabilities for PCs, laptop ### MDM support - MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Windows Store, VPN configuration, and more. MDM support in Windows 10 is based on [Open Mobile Alliance (OMA)](https://go.microsoft.com/fwlink/p/?LinkId=533885) Device Management (DM) protocol 1.2.1 specification. 
@@ -299,7 +300,7 @@ Lockdown settings can also be configured for device look and feel, such as a the A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Starting in Windows 10, version 1511, administrators can configure a *partial* Start layout, which applies specified tile groups while allowing users to create and customize their own tile groups. Learn how to [customize and export Start layout](../manage/customize-and-export-start-layout.md). -Administrators can also use mobile device management (MDM) or Group Policy to disable the use of [Windows Spotlight on the lock screen](../manage/windows-spotlight.md). +Administrators can also use mobile device management (MDM) or Group Policy to disable the use of [Windows Spotlight on the lock screen](../configure/windows-spotlight.md). ### Windows Store for Business **New in Windows 10, version 1511** diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md index 2a85e07f4d..265b3b3910 100644 --- a/windows/whats-new/whats-new-windows-10-version-1607.md +++ b/windows/whats-new/whats-new-windows-10-version-1607.md @@ -14,7 +14,9 @@ localizationpriority: high Below is a list of some of the new and updated features in Windows 10, version 1607 (also known as the Anniversary Update). -> **Note:** For release dates and servicing options for each version, see [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info). +>[!NOTE] +>For release dates and servicing options for each version, see [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info). +    ## Deployment 
@@ -128,7 +130,7 @@ Numerous settings have been added to the Windows 10 CSPs to expand MDM capabilit ### Shared PC mode -Windows 10, Version 1607, introduces shared PC mode, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Education, and Enterprise. [Learn how to set up a shared or guest PC.](../manage/set-up-shared-or-guest-pc.md) +Windows 10, Version 1607, introduces shared PC mode, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Education, and Enterprise. [Learn how to set up a shared or guest PC.](../configure/set-up-shared-or-guest-pc.md) ### Application Virtualization (App-V) for Windows 10 diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md new file mode 100644 index 0000000000..38aa45cd92 --- /dev/null +++ b/windows/whats-new/whats-new-windows-10-version-1703.md 
@@ -0,0 +1,184 @@ +--- +title: What's new in Windows 10, version 1703 (Windows 10) +description: This topic lists new and updated topics in the What's new in Windows 10 documentation for Windows 10 and Windows 10 Mobile. +keywords: ["What's new in Windows 10", "Windows 10", "creators update"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: TrudyHa +localizationpriority: high +ms.assetid: dca7c655-c4f6-45f8-aa02-64187b202617 +--- + +# What's new in Windows 10, version 1703 + +Below is a list of some of the new and updated features in Windows 10, version 1703 (also known as the Creators Update). + +>[!NOTE] +>For release dates and servicing options for each version, see [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info). +  +## Configuration + +### Windows Configuration Designer + +Previously known as *Windows Imaging and Configuration Designer (ICD)*, the tool for creating provisioning packages is renamed **Windows Configuration Designer**. The new Windows Configuration Designer is available in [Windows Store as an app](https://www.microsoft.com/store/apps/9nblggh4tx22). To run Windows Configuration Designer on earlier versions of Windows, you can still install Windows Configuration Designer from the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). + +Windows Configuration Designer in Windows 10, version 1703, includes several new wizards to make it easier to create provisioning packages. + +![wizards for desktop, mobile, kiosk, HoloLens, Surface Hub](images/wcd-options.png) + +[Learn more about Windows Configuration Designer.](../configure/provisioning-packages.md) + + +### Bulk enrollment in Azure Active Directory + +Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](../configure/provisioning-packages.md#configuration-designer-wizards). 
Bulk enrollment in Azure AD is available in the desktop, mobile, kiosk, and Surface Hub wizards. + +![get bulk token action in wizard](images/bulk-token.png) + + +### Windows Spotlight + +The following new Group Policy and mobile device management (MDM) settings are added to help you configure Windows Spotlight user experiences: + +- **Turn off the Windows Spotlight on Action Center** +- **Do not use diagnostic data for tailored experiences** +- **Turn off the Windows Welcome Experience** + +[Learn more about Windows Spotlight.](../configure/windows-spotlight.md) + + +### Start and taskbar layout + +Enterprises can apply a customized Start and taskbar layout to devices running Windows 10 Pro, version 1703. + +Additional MDM policy settings are available for Start and taskbar layout. For details, see [Manage Windows 10 Start and taskbar layout](../configure/windows-10-start-layout-options-and-policies.md). + +Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. Windows 10, version 1703, adds support for customized taskbars to [MDM](../configure/customize-windows-10-start-screens-by-using-mobile-device-management.md). + +### Lockdown Designer for Windows 10 Mobile lockdown files + +The Lockdown Designer app helps you configure and create a lockdown XML file to apply to devices running Windows 10 Mobile, and includes a remote simulation to help you determine the layout for tiles on the Start screen. Using Lockdown Designer is easier than [manually creating a lockdown XML file](../configure/lockdown-xml.md). + +![Lockdown Designer app in Store](images/ldstore.png) + +[Learn more about the Lockdown Designer app.](../configure/mobile-lockdown-designer.md) + + + + +## Deployment + +### MBR2GPT.EXE + +MBR2GPT.EXE is a new command-line tool available in Windows 10 version 1703 and later versions. 
MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS). + +The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability, supports additional partition types, and enables faster boot and shutdown speeds. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk. + +Additional security features of Windows 10 that are enabled when you boot in UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock. + +For details, see [MBR2GPT.EXE](../deploy/mbr-to-gpt.md). + +### Cortana at work + +Cortana is Microsoft’s personal digital assistant, who helps busy people get things done, even while at work. Cortana has powerful configuration options, specifically optimized for your business. By signing in with an Azure Active Directory (Azure AD) account, your employees can give Cortana access to their enterprise/work identity, while getting all the functionality Cortana provides to them outside of work. + +Using Azure AD also means that you can remove an employee’s profile (for example, when an employee leaves your organization) while respecting Windows Information Protection (WIP) policies and ignoring enterprise content, such as emails, calendar items, and people lists that are marked as enterprise data. + +## Security + +### Windows Defender Advanced Threat Protection + +New features in Windows Defender Advanced Threat Protection (ATP) for Windows 10, version 1703 include: +- **Detection**
+ Enhancements to the detection capabilities include: + - [Use the threat intelligence API to create custom alerts](../keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization. + - Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks + - Upgraded detections of ransomware and other advanced attacks + - Historical detection capability ensures new detection rules apply to up to six months of stored data to detect attacks that previously went unnoticed + +- **Investigation**
+ Enterprise customers can now take advantage of the entire Windows security stack with Windows Defender Antivirus detections and Device Guard blocks being surfaced in the Windows Defender ATP portal. Other capabilities have been added to help you gain a holistic view on investigations. + + Other investigation enhancements include: + - [Investigate a user account](../keep-secure/investigate-user-windows-defender-advanced-threat-protection.md) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials. + - [Alert process tree](../keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md#alert-process-tree) - Aggregates multiple detections and related events into a single view to reduce case resolution time. + - [Pull alerts using REST API](../keep-secure/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) - Use REST API to pull alerts from Windows Defender ATP. + +- **Response**
+ When detecting an attack, security response teams can now take immediate action to contain a breach: + - [Take response actions on a machine](../keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md) - Quickly respond to detected attacks by isolating machines or collecting an investigation package. + - [Take response actions on a file](../keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file. + + +- **Other features** + - [Check sensor health state](../keep-secure/check-sensor-status-windows-defender-advanced-threat-protection.md) - Check an endpoint's ability to provide sensor data and communicate with the Windows Defender ATP service and fix known issues. + + + +### Windows Defender Antivirus +New features for Windows Defender Antivirus (AV) in Windows 10, version 1703 include: + +- [Updates to how the Block at First Sight feature can be configured](../keep-secure/configure-block-at-first-sight-windows-defender-antivirus.md) +- [The ability to specify the level of cloud-protection](../keep-secure/specify-cloud-protection-level-windows-defender-antivirus.md) +- [Windows Defender Antivirus protection in the Windows Defender Security Center app](../keep-secure/windows-defender-security-center-antivirus.md) + +Windows Defender is now called Windows Defender Antivirus, and we've [increased the breadth of the documentation library for enterprise security admins](../keep-secure/windows-defender-antivirus-in-windows-10.md). 
+ +The new library includes information on: +- [Deploying and enabling AV protection](../keep-secure/deploy-windows-defender-antivirus.md) +- [Managing updates](../keep-secure/manage-updates-baselines-windows-defender-antivirus.md) +- [Reporting](../keep-secure/report-monitor-windows-defender-antivirus.md) +- [Configuring features](../keep-secure/configure-windows-defender-antivirus-features.md) +- [Troubleshooting](../keep-secure/troubleshoot-windows-defender-antivirus.md) + +Some of the highlights of the new library include: +- [Evaluation guide for Windows Defender AV](../keep-secure/evaluate-windows-defender-antivirus.md) +- [Deployment guide for Windows Defender AV in a virtual desktop infrastructure environment](../keep-secure/deployment-vdi-windows-defender-antivirus.md) + + +### Device Guard and Credential Guard + +Additional security qualifications for Device Guard and Credential Guard help protect vulnerabilities in UEFI runtime. +For more information, see [Device Guard Requirements](../keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md#device-guard-requirements-for-improved-security) and [Credential Guard Security Considerations](../keep-secure/credential-guard.md#security-considerations). + +### Group Policy Security Options + +The security setting [**Interactive logon: Display user information when the session is locked**](../keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md) has been updated to work in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. + +## Update + +### Windows Update for Business + +The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. 
You can find more information on pause in [Pause Feature Updates](../update/waas-configure-wufb.md#pause-feature-updates) and [Pause Quality Updates](../update/waas-configure-wufb.md#pause-quality-updates). + +You are now able to defer feature update installation by up to 365 days. In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](../update/waas-configure-wufb.md#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-quality-updates) for details. + +### Optimize update delivery + +[Express updates](../update/waas-optimize-windows-10-updates.md#express-update-delivery) are now supported on System Center Configuration Manager, starting with version 1702 of Configuration Manager, in addition to current Express support on Windows Update, Windows Update for Business and WSUS. + +Delivery Optimization policies now enable you to configure additional restrictions to have more control in various scenarios. 
+
+Added policies include:
+- [Allow uploads while the device is on battery while under set Battery level](../update/waas-delivery-optimization.md#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level)
+- [Enable Peer Caching while the device connects via VPN](../update/waas-delivery-optimization.md#enable-peer-caching-while-the-device-connects-via-vpn)
+- [Minimum RAM (inclusive) allowed to use Peer Caching](../update/waas-delivery-optimization.md#minimum-ram-allowed-to-use-peer-caching)
+- [Minimum disk size allowed to use Peer Caching](../update/waas-delivery-optimization.md#minimum-disk-size-allowed-to-use-peer-caching)
+- [Minimum Peer Caching Content File Size](../update/waas-delivery-optimization.md#minimum-peer-caching-content-file-size)
+
+To check out all the details, see [Configure Delivery Optimization for Windows 10 updates](../update/waas-delivery-optimization.md)
+
+## Manage
+
+### Application Virtualization for Windows (App-V)
+Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10, version 1703 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Addtionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart.
+
+To see info about these updates, see [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](https://technet.microsoft.com/en-us/itpro/windows/manage/appv-auto-provision-a-vm), [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](https://technet.microsoft.com/en-us/itpro/windows/manage/appv-auto-batch-sequencing), [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](https://technet.microsoft.com/en-us/itpro/windows/manage/appv-auto-batch-updating), and [Automatically cleanup unpublished packages on the App-V client](https://technet.microsoft.com/en-us/itpro/windows/manage/appv-auto-clean-unpublished-packages)
+
+## Related topics
+
+- [Features that are removed or deprecated in Windows 10 Creators Update](https://support.microsoft.com/help/4014193/features-that-are-removed-or-deprecated-in-windows-10-creators-update)
+- [Windows 10 release information](https://technet.microsoft.com/windows/release-info)
+- [What's new in MDM in Windows 10, version 1703](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/new-in-windows-mdm-enrollment-management#whatsnew10)
+- [Manage Windows upgrades with Upgrade Readiness](../deploy/manage-windows-upgrades-with-upgrade-readiness.md)
diff --git a/windows/whats-new/windows-spotlight.md b/windows/whats-new/windows-spotlight.md
deleted file mode 100644
index 15caeeb2a9..0000000000
--- a/windows/whats-new/windows-spotlight.md
+++ /dev/null
@@ -1,16 +0,0 @@
----
-title: Windows Spotlight on the lock screen (Windows 10)
-description: Windows Spotlight is an option for the lock screen background that displays different background images on the lock screen.
-ms.assetid: 1AEA51FA-A647-4665-AD78-2F3FB27AD46A
-keywords: ["lockscreen"]
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-author: jdeckerMS
-redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/windows-spotlight
----
-
-# Windows Spotlight on the lock screen
-
-
-This topic has been redirected.
\ No newline at end of file
diff --git a/windows/whats-new/windows-store-for-business-overview.md b/windows/whats-new/windows-store-for-business-overview.md
deleted file mode 100644
index abb7c7f8f3..0000000000
--- a/windows/whats-new/windows-store-for-business-overview.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-title: Windows Store for Business overview (Windows 10)
-description: With the new Windows Store for Business, organizations can make volume purchases of Windows apps.
-ms.assetid: 9DA71F6B-654D-4121-9A40-D473CC654A1C
-ms.prod: w10
-ms.pagetype: store, mobile
-ms.mktglfcycl: manage
-ms.sitesec: library
-redirect_url: https://technet.microsoft.com/itpro/windows/manage/windows-store-for-business-overview
-author: TrudyHa
----
diff --git a/windows/whats-new/windows-update-for-business.md b/windows/whats-new/windows-update-for-business.md
deleted file mode 100644
index 4b69cf6ecd..0000000000
--- a/windows/whats-new/windows-update-for-business.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-title: What's new in Windows Update for Business (Windows 10)
-description: Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service.
-ms.assetid: 9271FC9A-6AF1-4BBD-A272-909BF54363F4
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-author: TrudyHa
-redirect_url: https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511
----
-
-# What's new in Windows Update for Business?
-
-
-**Applies to**
-
-- Windows 10
-
-Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service.
-
-## Benefits of Windows Update for Business
-
-
-By using [Group Policy Objects](https://go.microsoft.com/fwlink/p/?LinkId=699279), Windows Update for Business is an easily established and implemented system which enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing:
-
-- **Deployment and validation groups**; where administrators can specify which devices go first in an update wave, and which devices will come later (to ensure any quality bars are met).
-
-- **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth very efficient.
-
-- **Use with existing tools** such as System Center Configuration Manager and the [Enterprise Mobility Suite](https://go.microsoft.com/fwlink/p/?LinkId=699281).
-
-Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](http://technet.microsoft.com/library/hh852345.aspx) and [System Center Configuration Manager](http://technet.microsoft.com/library/gg682129.aspx).
-
-## Learn more
-
-
-[Windows Update for Business](../plan/windows-update-for-business.md)
-
-[Setup and deployment](../plan/setup-and-deployment.md)
-
-[Integration with management solutions](../plan/integration-with-management-solutions-.md)
-
- 
-
- 
-
-
-
-
-