mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-13 22:07:22 +00:00
Merge remote-tracking branch 'refs/remotes/origin/master' into janb-surface-semm-articles
This commit is contained in:
Jan Backstrom
commit
545de46aaa
@ -2,3 +2,5 @@
|
||||
This repo hosts the WDG ITPro content that is published to TechNet.
|
||||
|
||||
This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). For more information, see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.
|
||||
|
||||
English Handoff Folder Structure Demo!
|
||||
|
||||
@ -29,7 +29,7 @@ If you prefer to use a graphical user interface, you can create a device account
|
||||
1. Sign in to Office 365 by visiting http://portal.office.com/admin/
|
||||
2. Provide the admin credentials for your Office 365 tenant. This will take you to your Office 365 Admin Center.
|
||||
|
||||
|
||||
|
||||
|
||||
3. Once you are at the Office 365 Admin Center, navigate to **Users** in the left panel, and then click **Active Users**.
|
||||
|
||||
@ -37,13 +37,13 @@ If you prefer to use a graphical user interface, you can create a device account
|
||||
|
||||
4. On the controls above the list of users, click **+** to create a new user. You'll need to enter a **Display name**, **User name**, **Password** and an email address for the recipient of the password. Optionally you can change the password manually, but we recommend that you use the auto-generated option. You also need to assign this account a license that gives the account access to Exchange and Skype for Business services.
|
||||
|
||||
|
||||
|
||||
|
||||
Click **Create**.
|
||||
|
||||
5. Once the account has been successfully created, click **Close** on the resulting dialog box, and you will see the admin center Active Users list again.
|
||||
|
||||
|
||||
|
||||
|
||||
6. Select the user you just created from the **Active Users** list. You need to disable the Skype for Business license, because you can’t create a Skype Meeting Room with this option.
|
||||
|
||||
@ -51,7 +51,7 @@ If you prefer to use a graphical user interface, you can create a device account
|
||||
|
||||
In the right panel you can see the account properties and several optional actions. The process so far has created a regular Skype account for this user, which you need to disable. Click **Edit** for the **Assigned license** section, then click the dropdown arrow next to the license to expand the details.
|
||||
|
||||
|
||||
|
||||
|
||||
From the list, uncheck **Skype for Business Online (plan 2)** (this license may vary depending on your organization), and click **SAVE**.
|
||||
|
||||
@ -59,39 +59,39 @@ If you prefer to use a graphical user interface, you can create a device account
|
||||
|
||||
1. In the Office 365 Admin Center’s left panel, click **ADMIN**, and then click **Exchange**.
|
||||
|
||||
|
||||
|
||||
|
||||
2. This will open another tab on your browser to take you to the Exchange Admin Center, where you can create and set the Mailbox Setting for Surface Hub.
|
||||
|
||||
|
||||
|
||||
|
||||
3. To create a Mobile Device Mailbox Policy, click **Mobile** from the left panel and then click **Mobile device mailbox policies**. Surface Hubs require an account with a mobile device mailbox policy that does not require a password, so if you already have an existing policy that matches this requirement, you can apply that policy to the account. Otherwise use the following steps to create a new one to be used only for Surface Hub device accounts.
|
||||
|
||||
|
||||
|
||||
|
||||
4. To create a New Surface Hub mobile device mailbox policy, click the **+** button from the controls above the list of policies to add a new policy. For the name, provide a name that will help you distinguish this policy from other device accounts (for example, *SurfaceHubDeviceMobilePolicy*). Make sure the policy does not require a password for the devices assigned to, so make sure **Require a Password** remains unchecked, then click **Save**.
|
||||
|
||||
|
||||
|
||||
|
||||
5. After you have created the new mobile device mailbox policy, go back to the **Exchange Admin Center** and you will see the new policy listed.
|
||||
|
||||
|
||||
|
||||
|
||||
6. Now, to apply the ActiveSync policy without using PowerShell, you can do the following: In the EAC, click **Recipients** > **Mailboxes** and then select a mailbox.
|
||||
|
||||
|
||||
|
||||
|
||||
7. In the Details pane, scroll to **Phone and Voice Features** and click **View details** to display the **Mobile Device Details** screen.
|
||||
|
||||
|
||||
|
||||
|
||||
8. The mobile device mailbox policy that’s currently assigned is displayed. To change the mobile device mailbox policy, click **Browse**.
|
||||
|
||||
|
||||
|
||||
|
||||
9. Choose the appropriate mobile device mailbox policy from the list, click **OK** and then click **Save**.
|
||||
|
||||
|
||||
|
||||
|
||||
### <a href="" id="create-device-acct-o365-complete-acct"></a>Use PowerShell to complete device account creation
|
||||
|
||||
@ -107,11 +107,11 @@ In order to run cmdlets used by these PowerShell scripts, the following must be
|
||||
|
||||
1. Run Windows PowerShell as Administrator.
|
||||
|
||||
|
||||
|
||||
|
||||
2. Create a Credentials object, then create a new session that connects to Skype for Business Online, and provide the global tenant administrator account, then click **OK**.
|
||||
|
||||
|
||||
|
||||
|
||||
3. To connect to Microsoft Online Services, run:
|
||||
|
||||
@ -119,7 +119,7 @@ In order to run cmdlets used by these PowerShell scripts, the following must be
|
||||
Connect-MsolService -Credential $Cred
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
4. Now to connect to Skype for Business Online Services, run:
|
||||
|
||||
@ -127,7 +127,7 @@ In order to run cmdlets used by these PowerShell scripts, the following must be
|
||||
$sfbsession = New-CsOnlineSession -Credential $cred
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
5. Finally, to connect to Exchange Online Services, run:
|
||||
|
||||
@ -136,7 +136,7 @@ In order to run cmdlets used by these PowerShell scripts, the following must be
|
||||
"https://outlook.office365.com/powershell-liveid/" -Credential $cred -Authentication "Basic" –AllowRedirection
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
6. Now you have to import the Skype for Business Online Session and the Exchange Online session you have just created, which will import the Exchange and Skype Commands so you can use them locally.
|
||||
|
||||
@ -147,7 +147,7 @@ In order to run cmdlets used by these PowerShell scripts, the following must be
|
||||
|
||||
Note that this could take a while to complete.
|
||||
|
||||
|
||||
|
||||
|
||||
7. Once you’re connected to the online services you need to run a few more cmdlets to configure this account as a Surface Hub device account.
|
||||
|
||||
@ -180,11 +180,11 @@ Now that you're connected to the online services, you can finish setting up the
|
||||
|
||||
You will see the correct email address.
|
||||
|
||||
|
||||
|
||||
|
||||
2. You need to convert the account into to a room mailbox, so run:
|
||||
|
||||
|
||||
|
||||
|
||||
``` syntax
|
||||
Set-Mailbox $strEmail -Type Room
|
||||
@ -196,7 +196,7 @@ Now that you're connected to the online services, you can finish setting up the
|
||||
Set-Mailbox $strEmail -RoomMailboxPassword (ConvertTo-SecureString -String "<your password>" -AsPlainText -Force) -EnableRoomMailboxAccount $true
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
4. Various Exchange properties can be set on the device account to improve the meeting experience. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section.
|
||||
|
||||
@ -205,7 +205,7 @@ Now that you're connected to the online services, you can finish setting up the
|
||||
Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a <tla rid="surface_hub"/> room!"
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
5. If you decide to have the password not expire, you can set that with PowerShell cmdlets too. See [Password management](password-management-for-surface-hub-device-accounts.md) for more information.
|
||||
|
||||
@ -260,11 +260,11 @@ You can use the Exchange Admin Center to create a device account:
|
||||
1. Sign in to your Exchange Admin Center using Exchange admin credentials.
|
||||
2. Once you are at the Exchange Admin Center (EAC), navigate to **Recipients** in the left panel.
|
||||
|
||||
|
||||
|
||||
|
||||
3. On the controls above the list of mailboxess, choose **+** to create a new one, and provide a **Display name**, **Name**, and **User logon name**, and then click **Save**.
|
||||
|
||||
|
||||
|
||||
|
||||
### <a href="" id="create-device-acct-exch-mbx-policy"></a>Create a mobile device mailbox policy from the Exchange Admin Center
|
||||
|
||||
@ -274,37 +274,37 @@ You can use the Exchange Admin Center to create a device account:
|
||||
|
||||
1. Go to the Exchange Admin Center.
|
||||
|
||||
|
||||
|
||||
|
||||
2. To create a mobile device mailbox policy, click **Mobile** from the left panel, then **Mobile device mailbox policies**. Surface Hubs require an account with a mobile device mailbox policy that does not require a password, so if you already have an existing policy that matches this requirement, you can apply that policy to the account. Otherwise use the following steps to create a new one to be used only for Surface Hub device accounts.
|
||||
|
||||
|
||||
|
||||
|
||||
3. To create a new mobile device account mailbox policy, click the **+** button from the controls above the list of policies to add a new policy. For the name provide a name that will help you distinguish this policy from other device accounts (for example, *SurfaceHubDeviceMobilePolicy*). The policy must not be password-protected, so make sure **Require a Password** remains unchecked, then click **Save**.
|
||||
|
||||
|
||||
|
||||
|
||||
4. After you have created the new mobile device mailbox policy, go back to the Exchange Admin Center and you will see the new policy listed.
|
||||
|
||||
|
||||
|
||||
|
||||
5. To apply the ActiveSync policy without using PowerShell, you can do the following:
|
||||
|
||||
- In the EAC, click **Recipients** > **Mailboxes** and select a mailbox.
|
||||
|
||||
|
||||
|
||||
|
||||
- In the **Details** pane, scroll to **Phone and Voice Features** and click **View details** to display the **Mobile Device Details** screen.
|
||||
|
||||
|
||||
|
||||
|
||||
- The mobile device mailbox policy that’s currently assigned is displayed. To change the mobile device mailbox policy, click **Browse**.
|
||||
|
||||
|
||||
|
||||
|
||||
- Choose the appropriate mobile device mailbox policy from the list, click **OK** and then click **Save**.
|
||||
|
||||
|
||||
|
||||
|
||||
### <a href="" id="create-device-acct-exch-powershell-conf"></a>Use PowerShell to configure the account
|
||||
|
||||
|
||||
@ -116,7 +116,7 @@ You can check online for updated versions at [Surface Hub device account scripts
|
||||
|
||||
Your infrastructure will likely fall into one of three configurations. Which configuration you have will affect how you prepare for device setup.
|
||||
|
||||
|
||||
|
||||
|
||||
- [Online deployment (Office 365)](online-deployment-surface-hub-device-accounts.md): Your organization’s environment is deployed entirely on Office 365.
|
||||
- [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md): Your organization has servers that it controls, where Active Directory, Exchange, and Skype for Business (or Lync) are hosted.
|
||||
|
||||
@ -46,7 +46,7 @@ This is the first screen you'll see when you power up the Surface Hub for the fi
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
### Details
|
||||
|
||||
@ -72,7 +72,7 @@ If no wired connection can be found, then the device will attempt to set up a wi
|
||||
|
||||
If your device does not detect a wired connection that it can use to connect to a network or the Internet, you will see this page. Here you can either connect to a wireless network, or skip making the network connection.
|
||||
|
||||
|
||||
|
||||
|
||||
### Details
|
||||
|
||||
@ -97,7 +97,7 @@ If you want to connect to a secured wireless network from this page, click on th
|
||||
|
||||
This page will be shown when you've selected a secured wireless network.
|
||||
|
||||
|
||||
|
||||
|
||||
### Details
|
||||
|
||||
@ -121,11 +121,11 @@ This page will be shown when the device detects a wired connection with limited
|
||||
|
||||
- You can select **Enter proxy settings** which will allow you to specify how to use the network proxy. You'll be taken to the next screen.
|
||||
|
||||
|
||||
|
||||
|
||||
This is the screen you'll see if you clicked **Enter proxy settings** on the previous screen.
|
||||
|
||||
|
||||
|
||||
|
||||
### Details
|
||||
|
||||
@ -149,7 +149,7 @@ You can skip connecting to a network by selecting **Skip this step**. You'll be
|
||||
|
||||
This screen is purely informational, and shows which recommended settings have been enabled by default.
|
||||
|
||||
|
||||
|
||||
|
||||
### Details
|
||||
|
||||
@ -170,7 +170,7 @@ On this page, the Surface Hub will ask for credentials for the device account th
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
### Details
|
||||
|
||||
@ -192,7 +192,7 @@ If you skip setting it up now, you can add a device account later by using the S
|
||||
|
||||
If you click **Skip setting up a device account**, the device will display a dialog box showing what will happen if the device doesn't have a device account. If you choose **Yes, skip this**, you will be sent to the [Name this device page](#name-this-device).
|
||||
|
||||
|
||||
|
||||
|
||||
### What happens?
|
||||
|
||||
@ -211,7 +211,7 @@ The device will use the UPN or DOMAIN\\User name and password for the device acc
|
||||
|
||||
This page will only be shown if there's a problem. Typically, it means that the device account that you provided was found in Active Directory (AD) or Azure Active Directory (Azure AD), but the Exchange server for the account was not discovered.
|
||||
|
||||
|
||||
|
||||
|
||||
### Details
|
||||
|
||||
@ -230,7 +230,7 @@ You can enable Exchange services for a device account later by using the Setting
|
||||
|
||||
If you click **Skip setting up Exchange services**, the device will display a dialog showing what will happen. If you choose **Yes, skip this**, then Exchange services will not be set up.
|
||||
|
||||
|
||||
|
||||
|
||||
### What happens?
|
||||
|
||||
@ -249,7 +249,7 @@ This page will be shown when:
|
||||
- Exchange supported protocols are not supported by the Surface Hub.
|
||||
- Exchange returns incorrect XML.
|
||||
|
||||
|
||||
|
||||
|
||||
### Details
|
||||
|
||||
@ -273,7 +273,7 @@ If you choose to skip this check, the Surface Hub will stop looking for the Exch
|
||||
|
||||
This page asks you to provide two names that will be used for identifying the Surface Hub.
|
||||
|
||||
|
||||
|
||||
|
||||
### Details
|
||||
|
||||
@ -307,7 +307,7 @@ Because every Surface Hub can be used by any number of authenticated employees,
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
### Details
|
||||
|
||||
@ -348,7 +348,7 @@ Joining Azure AD has two primary benefits:
|
||||
1. Some employees from your organization will be able to access the device as admins, and will be able to start the Settings app and configure the device. People that have admin permissions will be defined in your Azure AD subscription.
|
||||
2. If your Azure AD is connected to a mobile device management (MDM) solution, the device will enroll with that MDM solution so you can apply policies and configuration.
|
||||
|
||||
|
||||
|
||||
|
||||
### Details
|
||||
|
||||
@ -357,11 +357,11 @@ The following input is required:
|
||||
- **User's UPN:** The user principal name (UPN) of an account that can join Azure AD.
|
||||
- **Password:** The password of the account you’re using to join Azure AD.
|
||||
|
||||
|
||||
|
||||
|
||||
If you get to this point and don't have valid credentials for an Azure AD account, the device will allow you to continue by creating a local admin account. Click **Set up Windows with a local account instead**.
|
||||
|
||||
|
||||
|
||||
|
||||
### What happens?
|
||||
|
||||
@ -373,7 +373,7 @@ This page will ask for credentials to join a domain so that the Surface Hub can
|
||||
|
||||
Once the device has been domain joined, you must specify a security group from the domain you joined. This security group will be provisioned as administrators on the Surface Hub, and anyone from the security group can enter their domain credentials to access Settings.
|
||||
|
||||
|
||||
|
||||
|
||||
### Details
|
||||
|
||||
@ -385,7 +385,7 @@ The following input is required:
|
||||
|
||||
After the credentials are verified, you will be asked to type a security group name. This input is required.
|
||||
|
||||
|
||||
|
||||
|
||||
### What happens?
|
||||
|
||||
@ -401,7 +401,7 @@ If the join is successful, you'll see the **Enter a security group** page. When
|
||||
|
||||
If you decide not to use Azure Active Directory (Azure AD) or Active Directory (AD) to manage the Surface Hub, you'll need to create a local admin account.
|
||||
|
||||
|
||||
|
||||
|
||||
### Details
|
||||
|
||||
|
||||
@ -21,17 +21,17 @@ Use this procedure if you use Exchange on-prem.
|
||||
- In **Active Directory Users and Computers** AD tool, right-click on the folder or Organizational Unit that your Surface Hub accounts will be created in, click **New**, and **User**.
|
||||
- Type the display name from the previous cmdlet into the **Full name** box, and the alias into the **User logon name** box. Click **Next**.<p>
|
||||
|
||||
|
||||
|
||||
|
||||
- Type the password for this account. You'll need to retype it for verification. Make sure the **Password never expires** checkbox is the only option selected.
|
||||
|
||||
>**Important** Selecting **Password never expires** is a requirement for Skype for Business on the Surface Hub. Your domain rules may prohibit passwords that don't expire. If so, you'll need to create an exception for each Surface Hub device account.
|
||||
|
||||
|
||||
|
||||
|
||||
- Click **Finish** to create the account.
|
||||
|
||||
|
||||
|
||||
|
||||
2. After you've created the account, run a directory synchronization. When it's complete, go to the users page in your Office 365 admin center and verify that the account created in the previous steps has merged to online.
|
||||
|
||||
@ -223,17 +223,17 @@ Use this procedure if you use Exchange online.
|
||||
- In **Active Directory Users and Computers** AD tool, right-click on the folder or Organizational Unit that your Surface Hub accounts will be created in, click **New**, and **User**.
|
||||
- Type the display name from the previous cmdlet into the **Full name** box, and the alias into the **User logon name** box. Click **Next**.
|
||||
|
||||
|
||||
|
||||
|
||||
- Type the password for this account. You'll need to retype it for verification. Make sure the **Password never expires** checkbox is the only option selected.
|
||||
|
||||
>**Important** Selecting **Password never expires** is a requirement for Skype for Business on the Surface Hub. Your domain rules may prohibit passwords that don't expire. If so, you'll need to create an exception for each Surface Hub device account.
|
||||
|
||||
|
||||
|
||||
|
||||
- Click **Finish** to create the account.
|
||||
|
||||
|
||||
|
||||
|
||||
6. Directory synchronization.
|
||||
|
||||
|
||||
@ -30,7 +30,7 @@ If you joined your Surface Hub to an Azure Active Directory (Azure AD) subscript
|
||||
|
||||
Alternatively, the device can be enrolled like any other Windows device by going to **Settings** > **Accounts** > **Work access**.
|
||||
|
||||
|
||||
|
||||
|
||||
### Manage a device through MDM
|
||||
|
||||
|
||||
@ -58,9 +58,7 @@ In order to create and deploy provisioning packages, all of the following are re
|
||||
### <a href="" id="installing-wicd-prov-pkg"></a>Install the Windows Imaging and Configuration Designer
|
||||
|
||||
1. The Windows Imaging and Configuration Designer (ICD) is installed as part of the Windows 10 ADK. The installer for the ADK can be downloaded from the [Microsoft Download Center](http://go.microsoft.com/fwlink/?LinkId=718147).
|
||||
>**Note** The ADK must be installed on a separate PC, not on the Surface Hub.
|
||||
|
||||
|
||||
>**Note** The ADK must be installed on a separate PC, not on the Surface Hub.
|
||||
|
||||
2. Run the installer, and set your preferences for installation. When asked what features you want to install, you will see a checklist like the one in the following figure. Note that **Windows Performance Toolkit** and **Windows Assessment Toolkit** should be unchecked, as they are not needed to run the ICD.
|
||||
|
||||
@ -73,7 +71,7 @@ In order to create and deploy provisioning packages, all of the following are re
|
||||
|
||||
All four of these features are required to run the ICD and create a package for the Surfact Hub.
|
||||
|
||||
|
||||
|
||||
|
||||
3. Continue with the installer until the ADK is installed. This may take a while, because the installer downloads remote content.
|
||||
|
||||
@ -83,29 +81,29 @@ This example will demonstrate how to create a provisioning package to install a
|
||||
|
||||
1. On the PC that had the Windows 10 ADK installed, open ICD and choose the **New provisioning package** tile from the main menu.
|
||||
|
||||
|
||||
|
||||
|
||||
2. When the **New project** dialog box opens, type whatever name you like in the **Name** box. The **Location** and **Description** boxes can also be filled at your discretion, though we recommend using the **Description** box to help you distinguish among multiple packages. Click **Next**.
|
||||
|
||||
|
||||
|
||||
|
||||
Select the settings that are **Common to all Windows editions**, and click **Next**.
|
||||
|
||||
|
||||
|
||||
|
||||
When asked to import a provisioning package, just click **Finish.**
|
||||
|
||||
|
||||
|
||||
|
||||
3. ICD's main screen will be displayed. This is where you create the provisioning package. In the **Available customizations** pane, expand **Runtime settings** and then expand **Certificates**. Click **Root certificates**.
|
||||
|
||||
|
||||
|
||||
|
||||
In the center pane, you’ll be asked to specify a **CertificateName** for the Root certificate. You can set this to whatever you want. For the example, we've used the same name as the project. Click **Add**, and an entry will be added in the left pane.
|
||||
|
||||
4. In the **Available customizations** pane on the left, a new category has appeared for **CertificatePath** underneath the **CertificateName** you provided. There’s also a red exclamation icon indicating that there is a required field that needs to be set. Click **CeritficatePath**.
|
||||
|
||||
|
||||
|
||||
|
||||
5. In the center pane, you’ll be asked to specify the path for the certificate. Enter the name of the .cer file that you want to deploy, either by typing or clicking **Browse**. It must be a root certificate. The provisioning package created will copy the .cer file into the package it creates.
|
||||
|
||||
|
||||
@ -68,7 +68,7 @@ You can use a standard RJ-11 (6P6C) connector to connect the Surface Hub serial
|
||||
|
||||
This diagram shows the correct pinout used for an RJ-11 (6P6C) to DB9 cable.
|
||||
|
||||
|
||||
|
||||
|
||||
## Command sets
|
||||
|
||||
|
||||
@ -25,33 +25,33 @@ If a wired network connection is not available, the Surface Hub can use a wirele
|
||||
1. On the Surface Hub, open **Settings** and enter your admin credentials.
|
||||
2. Click **System**, and then click **Network & Internet**. Under **Wi-Fi**, choose an access point. If you want Surface Hub to automatically connect to this access point, click **Connect automatically**. Click **Connect**.
|
||||
|
||||
|
||||
|
||||
|
||||
3. If the network is secured, you'll be asked to enter the security key. Click **Next** to connect.
|
||||
|
||||
|
||||
|
||||
|
||||
### Review wireless settings
|
||||
|
||||
1. On the Surface Hub, open **Settings** and enter your admin credentials.
|
||||
2. Click **System**, click **Network & Internet**, then **Wi-Fi**, and then click **Advanced options**.
|
||||
|
||||
|
||||
|
||||
|
||||
3. The system will show you the properties for the wireless network connection.
|
||||
|
||||
|
||||
|
||||
|
||||
### Review wired settings
|
||||
|
||||
1. On the Surface Hub, open **Settings** and enter your admin credentials.
|
||||
2. Click **System**, click **Network & Internet**, then click on the network under Ethernet.
|
||||
|
||||
|
||||
|
||||
|
||||
3. The system will show you the properties for the wired network connection.
|
||||
|
||||
|
||||
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
@ -1,88 +0,0 @@
|
||||
---
|
||||
title: Deploy Windows 10 in a test lab (Windows 10)
|
||||
description: Concepts and procedures for deploying Windows 10 in a proof of concept lab environment.
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: deploy
|
||||
author: greg-lindsay
|
||||
---
|
||||
|
||||
# Deploy Windows 10 in a test lab
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
|
||||
## Setting up a proof of concept deployment lab
|
||||
|
||||
This following topics provide instructions for setting up a proof of concept (PoC) lab where you can deploy Windows 10 in a private environment using a minimum amount of resources. The lab utilizes the Microsoft Hyper-V platform to run virtual machines that provide all the services and tools required to deploy Windows 10 on a network.
|
||||
|
||||
<table border="1" cellpadding="2">
|
||||
<tr>
|
||||
<td BGCOLOR="#a0e4fa">Topic</td>
|
||||
<td BGCOLOR="#a0e4fa">Description</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>[Configure the PoC environment](#configure-the-poc-environment)</td>
|
||||
<td>Instructions are provided for installing and configuring Hyper-V and configuring VHDs in preparation for different deployment scenarios.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Topic 2</td>
|
||||
<td>Description 2</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Topic 3</td>
|
||||
<td>Description 3</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Topic 4</td>
|
||||
<td>Description 4</td>
|
||||
</tr>
|
||||
</table>
|
||||
|
||||
## Configure the PoC environment
|
||||
|
||||
### Requirements
|
||||
|
||||
To complete the procedures in this topic
|
||||
|
||||
### Install Hyper-V
|
||||
|
||||
Use one of the following procedures to install Hyper-V on the Hyper-V host computer:
|
||||
Install Hyper-V on a computer running Windows 8/8.1 or Windows 10
|
||||
|
||||
Starting with Windows 8, the host computer’s microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](http://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information.
|
||||
|
||||
If your processor supports SLAT Hyper-V Manager is already included in Windows under Programs and Features.
|
||||
|
||||
[hyper-v feature](images/hyper-v-feature.png)
|
||||
|
||||
Note If you installed a 32-bit version of Windows, you won’t be able to create and manage local virtual machines. To fully manage virtual machines by using the host computer, you must install the 64-bit version of Windows 8.1 or Windows 8.
|
||||
|
||||
The Hyper-V feature is not installed by default in Windows 8. To get it, you can use the following Windows PowerShell command:
|
||||
|
||||
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V –All
|
||||
|
||||
You can also install it via the Control Panel in Windows under Turn Windows features on or off, as shown here:
|
||||
|
||||
Important If you know that your processor supports SLAT, but you still get an error message that states Hyper-V cannot be installed, you might need to enable virtualization in the BIOS. The location of this setting will depend on the manufacturer and BIOS version. The following image shows an example of the required settings (under Security) in a Hewlett-Packard BIOS for an Intel processor:
|
||||
|
||||
[security BIOS settings](images/sec-bios.png)
|
||||
|
||||
### Configure Hyper-V
|
||||
|
||||
### Download VHDs
|
||||
|
||||
### Configure VHDs
|
||||
|
||||
## Related Topics
|
||||
|
||||
[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@ -68,7 +68,7 @@ In Active Directory, default local accounts are used by administrators to manage
|
||||
|
||||
Each default local account is automatically assigned to a security group that is preconfigured with the appropriate rights and permissions to perform specific tasks. Active Directory security groups collect user accounts, computer accounts, and other groups into manageable units. For more information, see [Active Directory Security Groups](active-directory-security-groups.md).
|
||||
|
||||
On an Active Directory domain controller, each default local account is referred to as a security principal. A security principal is a directory object that is used to secure and manage Active Directory services that provide access to domain controller resources. A security principal includes objects such as user accounts, computer accounts, security groups, or the threads or processes that run in the security context of a user or computer account. For more information, see [Security Principals Technical Overview](security-principals.md).
|
||||
On an Active Directory domain controller, each default local account is referred to as a security principal. A security principal is a directory object that is used to secure and manage Active Directory services that provide access to domain controller resources. A security principal includes objects such as user accounts, computer accounts, security groups, or the threads or processes that run in the security context of a user or computer account. For more information, see [Security Principals](security-principals.md).
|
||||
|
||||
A security principal is represented by a unique security identifier (SID).The SIDs that are related to each of the default local accounts in Active Directory are described in the sections below.
|
||||
|
||||
@ -350,7 +350,7 @@ Because it is impossible to predict the specific errors that will occur for any
|
||||
**Important**
|
||||
Rebooting a computer is the only reliable way to recover functionality as this will cause both the computer account and user accounts to log back in again. Logging in again will request new TGTs that are valid with the new KRBTGT, correcting any KRBTGT related operational issues on that computer.
|
||||
|
||||
<!-- For information how to resolve issues and potential issues from a compromised KRBTGT account, see "Reset the KRBTGT account password." -->
|
||||
For information about how to help mitigate the risks associated with a potentially compromised KRBTGT account, see [KRBTGT Account Password Reset Scripts now available for customers](http://blogs.microsoft.com/cybertrust/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/).
|
||||
|
||||
### Read-only domain controllers and the KRBTGT account
|
||||
|
||||
@ -474,7 +474,7 @@ Each default local account in Active Directory has a number of account settings
|
||||
<td><p>Provides support for the Data Encryption Standard (DES). DES supports multiple levels of encryption, including Microsoft Point-to-Point Encryption (MPPE) Standard (40-bit and 56-bit), MPPE standard (56-bit), MPPE Strong (128-bit), Internet Protocol security (IPSec) DES (40-bit), IPSec 56-bit DES, and IPSec Triple DES (3DES).</p>
|
||||
<div class="alert">
|
||||
<strong>Note</strong>
|
||||
<p>DES is not enabled by default in Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows 7, Windows 8, and Windows 8.1. For these operating systems, you must configure your computers to use the DES-CBC-MD5 or DES-CBC-CRC cipher suites. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment. For more information, see [Hunting down DES in order to securely deploy Kerberos](http://blogs.technet.com/b/askds/archive/2010/10/19/hunting-down-des-in-order-to-securely-deploy-kerberos.aspx).</p>
|
||||
<p>DES is not enabled by default in Windows Server operating systems starting with Windows Server 2008 R2, nor in Windows client operating systems starting with Windows 7. For these operating systems, computers will not use DES-CBC-MD5 or DES-CBC-CRC cipher suites by default. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment. For more information, see [Hunting down DES in order to securely deploy Kerberos](http://blogs.technet.com/b/askds/archive/2010/10/19/hunting-down-des-in-order-to-securely-deploy-kerberos.aspx).</p>
|
||||
</div>
|
||||
<div>
|
||||
|
||||
@ -571,7 +571,7 @@ If the administrators in your environment can sign in locally to managed servers
|
||||
|
||||
- **Better**. Do not grant administrators membership in the local Administrator group on the computer in order to restrict the administrator from bypassing these protections.
|
||||
|
||||
- **Ideal**. Restrict workstations from having any network connectivity, except for the domain controllers and servers that the administrator accounts are used to manage. Alternately, use AppLocker application control policies to restrict all applications from running, except for the operating system and approved administrative tools and applications. For more information about AppLocker, see [AppLocker Overview](http://technet.microsoft.com/library/hh831440.aspx).
|
||||
- **Ideal**. Restrict workstations from having any network connectivity, except for the domain controllers and servers that the administrator accounts are used to manage. Alternately, use AppLocker application control policies to restrict all applications from running, except for the operating system and approved administrative tools and applications. For more information about AppLocker, see [AppLocker](applocker-overview.md).
|
||||
|
||||
The following procedure describes how to block Internet access by creating a Group Policy Object (GPO) that configures an invalid proxy address on administrative workstations. These instructions apply only to computers running Internet Explorer and other Windows components that use these proxy settings.
|
||||
|
||||
@ -584,7 +584,7 @@ In this procedure, the workstations are dedicated to domain administrators. By s
|
||||
|
||||
2. Create computer accounts for the new workstations.
|
||||
|
||||
> **Note** You might have to delegate permissions to join the domain by using [KB 932455](http://support.microsoft.com/kb/932455) if the account that joins the workstations to the domain does not already have permissions to join computers to the domain.
|
||||
> **Note** You might have to delegate permissions to join computers to the domain if the account that joins the workstations to the domain does not already have them. For more information, see [Delegation of Administration in Active Directory](http://social.technet.microsoft.com/wiki/contents/articles/20292.delegation-of-administration-in-active-directory.aspx).
|
||||
|
||||
|
||||
|
||||
@ -846,14 +846,6 @@ In addition, installed applications and management agents on domain controllers
|
||||
|
||||
## See also
|
||||
|
||||
- [Security Principals](security-principals.md)
|
||||
|
||||
[Security Principals Technical Overview](security-principals.md)
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
- [Access Control Overview](access-control.md)
|
||||
|
||||
@ -986,7 +986,7 @@ This security group has not changed since Windows Server 2008.
|
||||
|
||||
Members of the Cloneable Domain Controllers group that are domain controllers may be cloned. In Windows Server 2012 R2 and Windows Server 2012, you can deploy domain controllers by copying an existing virtual domain controller. In a virtual environment, you no longer have to repeatedly deploy a server image that is prepared by using sysprep.exe, promote the server to a domain controller, and then complete additional configuration requirements for deploying each domain controller (including adding the virtual domain controller to this security group).
|
||||
|
||||
For more information, see [Introduction to Active Directory Domain Services (AD DS) Virtualization (Level 100)](https://technet.microsoft.com/en-us/library/hh831734.aspx).
|
||||
For more information, see [Introduction to Active Directory Domain Services (AD DS) Virtualization (Level 100)](https://technet.microsoft.com/library/hh831734.aspx).
|
||||
|
||||
This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions.
|
||||
|
||||
@ -1302,7 +1302,7 @@ This security group has not changed since Windows Server 2008.
|
||||
|
||||
Members of DNSAdmins group have access to network DNS information. The default permissions are as follows: Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions.
|
||||
|
||||
For information about other means to secure the DNS server service, see [Securing the DNS Server Service](http://technet.microsoft.com/library/cc731367.aspx).
|
||||
For more information about security and DNS, see [DNSSEC in Windows Server 2012](https://technet.microsoft.com/library/dn593694(v=ws.11).aspx).
|
||||
|
||||
This security group has not changed since Windows Server 2008.
|
||||
|
||||
@ -1742,7 +1742,7 @@ Members of this group are Read-Only Domain Controllers in the enterprise. Except
|
||||
|
||||
Read-only domain controllers address some of the issues that are commonly found in branch offices. These locations might not have a domain controller. Or, they might have a writable domain controller, but not the physical security, network bandwidth, or local expertise to support it.
|
||||
|
||||
For more information, see [AD DS: Read-Only Domain Controllers](http://technet.microsoft.com/library/cc732801.aspx).
|
||||
For more information, see [What Is an RODC?](https://technet.microsoft.com/library/cc771030.aspx).
|
||||
|
||||
The Enterprise Read-Only Domain Controllers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
|
||||
|
||||
@ -1866,7 +1866,7 @@ This security group has not changed since Windows Server 2008.
|
||||
|
||||
This group is authorized to create, edit, or delete Group Policy Objects in the domain. By default, the only member of the group is Administrator.
|
||||
|
||||
For information about other features you can use with this security group, see [Group Policy Planning and Deployment Guide](http://technet.microsoft.com/library/cc754948.aspx).
|
||||
For information about other features you can use with this security group, see [Group Policy Overview](https://technet.microsoft.com/library/hh831791.aspx).
|
||||
|
||||
The Group Policy Creators Owners group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
|
||||
|
||||
@ -2525,7 +2525,7 @@ This group has no default members. Because members of this group can load and un
|
||||
|
||||
The Print Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
|
||||
|
||||
This security group has not changed since Windows Server 2008. However, in Windows Server 2008 R2, functionality was added to manage print administration. For more information, see [Assigning Delegated Print Administrator and Printer Permission Settings in Windows Server 2008 R2](http://technet.microsoft.com/library/ee524015(WS.10).aspx).
|
||||
This security group has not changed since Windows Server 2008. However, in Windows Server 2008 R2, functionality was added to manage print administration. For more information, see [Assign Delegated Print Administrator and Printer Permission Settings in Windows Server 2012](https://technet.microsoft.com/library/jj190062(v=ws.11).aspx).
|
||||
|
||||
<table>
|
||||
<colgroup>
|
||||
@ -2602,7 +2602,7 @@ Depending on the account’s domain functional level, members of the Protected U
|
||||
|
||||
The Protected Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
|
||||
|
||||
This group was introduced in Windows Server 2012 R2. For more information about how this group works, see [Protected Users Security Group](https://technet.microsoft.com/en-us/library/dn466518.aspx).
|
||||
This group was introduced in Windows Server 2012 R2. For more information about how this group works, see [Protected Users Security Group](https://technet.microsoft.com/library/dn466518.aspx).
|
||||
|
||||
The following table specifies the properties of the Protected Users group.
|
||||
|
||||
@ -2724,7 +2724,7 @@ This security group has not changed since Windows Server 2008.
|
||||
|
||||
Servers that are members in the RDS Endpoint Servers group can run virtual machines and host sessions where user RemoteApp programs and personal virtual desktops run. This group needs to be populated on servers running RD Connection Broker. Session Host servers and RD Virtualization Host servers used in the deployment need to be in this group.
|
||||
|
||||
For information about Remote Desktop Services, see [Remote Desktop Services Design Guide](http://technet.microsoft.com/library/gg750997.aspx).
|
||||
For information about Remote Desktop Services, see [Host desktops and apps in Remote Desktop Services](https://technet.microsoft.com/library/mt718499.aspx).
|
||||
|
||||
This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions.
|
||||
|
||||
@ -2844,7 +2844,7 @@ This security group was introduced in Windows Server 2012, and it has not chang
|
||||
|
||||
Servers in the RDS Remote Access Servers group provide users with access to RemoteApp programs and personal virtual desktops. In Internet facing deployments, these servers are typically deployed in an edge network. This group needs to be populated on servers running RD Connection Broker. RD Gateway servers and RD Web Access servers that are used in the deployment need to be in this group.
|
||||
|
||||
For information about RemoteApp programs, see [Overview of RemoteApp](http://technet.microsoft.com/library/cc755055.aspx)
|
||||
For more information, see [Host desktops and apps in Remote Desktop Services](https://technet.microsoft.com/library/mt718499.aspx).
|
||||
|
||||
This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions.
|
||||
|
||||
@ -2978,7 +2978,7 @@ Because administration of a Read-only domain controller can be delegated to a do
|
||||
|
||||
- Read-only Domain Name System (DNS)
|
||||
|
||||
For information about deploying a Read-only domain controller, see [Read-Only Domain Controllers Step-by-Step Guide](http://technet.microsoft.com/library/cc772234.aspx).
|
||||
For information about deploying a Read-only domain controller, see [Understanding Planning and Deployment for Read-Only Domain Controllers](https://technet.microsoft.com/library/cc754719(v=ws.10).aspx).
|
||||
|
||||
This security group was introduced in Windows Server 2008, and it has not changed in subsequent versions.
|
||||
|
||||
@ -3041,7 +3041,7 @@ Members of the Remote Management Users group can access WMI resources over manag
|
||||
|
||||
The Remote Management Users group is generally used to allow users to manage servers through the Server Manager console, whereas the [WinRMRemoteWMIUsers\_](#bkmk-winrmremotewmiusers-) group is allows remotely running Windows PowerShell commands.
|
||||
|
||||
For more information, see [WS-Management Protocol (Windows)](http://msdn.microsoft.com/library/aa384470.aspx) and [About WMI (Windows)](http://msdn.microsoft.com/library/aa384642.aspx).
|
||||
For more information, see [What's New in MI?](https://msdn.microsoft.com/library/jj819828(v=vs.85).aspx) and [About WMI](http://msdn.microsoft.com/library/aa384642.aspx).
|
||||
|
||||
This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions.
|
||||
|
||||
@ -3105,9 +3105,10 @@ Computers that are members of the Replicator group support file replication in a
|
||||
**Important**
|
||||
In Windows Server 2008 R2, FRS cannot be used for replicating DFS folders or custom (non-SYSVOL) data. A Windows Server 2008 R2 domain controller can still use FRS to replicate the contents of a SYSVOL shared resource in a domain that uses FRS for replicating the SYSVOL shared resource between domain controllers.
|
||||
|
||||
However, Windows Server 2008 R2 servers cannot use FRS to replicate the contents of any replica set apart from the SYSVOL shared resource. The DFS Replication service is a replacement for FRS, and it can be used to replicate the contents of a SYSVOL shared resource, DFS folders, and other custom (non-SYSVOL) data. You should migrate all non-SYSVOL FRS replica sets to DFS Replication. For more information, see [File Replication Service (FRS) Is Deprecated in Windows Server 2008 R2 (Windows).](http://msdn.microsoft.com/library/windows/desktop/ff384840.aspx)
|
||||
However, Windows Server 2008 R2 servers cannot use FRS to replicate the contents of any replica set apart from the SYSVOL shared resource. The DFS Replication service is a replacement for FRS, and it can be used to replicate the contents of a SYSVOL shared resource, DFS folders, and other custom (non-SYSVOL) data. You should migrate all non-SYSVOL FRS replica sets to DFS Replication. For more information, see:
|
||||
|
||||
|
||||
- [File Replication Service (FRS) Is Deprecated in Windows Server 2008 R2 (Windows)](http://msdn.microsoft.com/library/windows/desktop/ff384840.aspx)
|
||||
- [DFS Namespaces and DFS Replication Overview](https://technet.microsoft.com/library/jj127250(v=ws.11).aspx)
|
||||
|
||||
This security group has not changed since Windows Server 2008.
|
||||
|
||||
@ -3581,21 +3582,10 @@ This security group was introduced in Windows Server 2012, and it has not chang
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
|
||||
## See also
|
||||
|
||||
- [Security Principals](security-principals.md)
|
||||
|
||||
[Security Principals Technical Overview](security-principals.md)
|
||||
|
||||
|
||||
[Special Identities](special-identities.md)
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
- [Special Identities](special-identities.md)
|
||||
|
||||
- [Access Control Overview](access-control.md)
|
||||
|
||||
@ -132,16 +132,8 @@ If clients do not recognize Dynamic Access Control, there must be a two-way trus
|
||||
|
||||
If claims are transformed when they leave a forest, all domain controllers in the user’s forest root must be set at the Windows Server 2012 or higher functional level.
|
||||
|
||||
A file server running Windows Server 2012 or Windows Server 2012 R2 must have a Group Policy setting that specifies whether it needs to get user claims for user tokens that do not carry claims. This setting is set by default to **Automatic**, which results in this Group Policy setting to be turned **On** if there is a central policy that contains user or device claims for that file server. If the file server contains discretionary ACLs that include user claims, you need to set this Group Policy to **On** so that the server knows to request claims on behalf of users that do not provide claims when they access the server.
|
||||
|
||||
## Additional resource
|
||||
|
||||
[Access control overview](access-control.md)
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
A file server running a server operating system that supports Dyamic Access Control must have a Group Policy setting that specifies whether it needs to get user claims for user tokens that do not carry claims. This setting is set by default to **Automatic**, which results in this Group Policy setting to be turned **On** if there is a central policy that contains user or device claims for that file server. If the file server contains discretionary ACLs that include user claims, you need to set this Group Policy to **On** so that the server knows to request claims on behalf of users that do not provide claims when they access the server.
|
||||
|
||||
## See also
|
||||
|
||||
- [Access control overview](access-control.md)
|
||||
|
||||
@ -48,7 +48,7 @@ This topic describes the following:
|
||||
|
||||
- [Create unique passwords for local accounts with administrative rights](#sec-create-unique-passwords)
|
||||
|
||||
For information about security principals, see [Security Principals Technical Overview](security-principals.md).
|
||||
For information about security principals, see [Security Principals](security-principals.md).
|
||||
|
||||
## <a href="" id="sec-default-accounts"></a>Default local user accounts
|
||||
|
||||
@ -99,7 +99,7 @@ As a security best practice, use your local (non-Administrator) account to sign
|
||||
|
||||
In comparison, on the Windows client operating system, a user with a local user account that has Administrator rights is considered the system administrator of the client computer. The first local user account that is created during installation is placed in the local Administrators group. However, when multiple users run as local administrators, the IT staff has no control over these users or their client computers.
|
||||
|
||||
In this case, Group Policy can be used to enable secure settings that can control the use of the local Administrators group automatically on every server or client computer. For more information about Group Policy, see [Group Policy Overview](http://technet.microsoft.com/library/hh831791.aspx) and [Group Policy](http://technet.microsoft.com/windowsserver/bb310732.aspx).
|
||||
In this case, Group Policy can be used to enable secure settings that can control the use of the local Administrators group automatically on every server or client computer. For more information about Group Policy, see [Group Policy Overview](http://technet.microsoft.com/library/hh831791.aspx).
|
||||
|
||||
**Note**
|
||||
Blank passwords are not allowed in the versions designated in the **Applies To** list at the beginning of this topic.
|
||||
@ -141,7 +141,7 @@ The security identifiers (SIDs) that pertain to the default HelpAssistant accoun
|
||||
|
||||
For the Windows Server operating system, Remote Assistance is an optional component that is not installed by default. You must install Remote Assistance before it can be used.
|
||||
|
||||
In comparison, for the Windows client operating system, the HelpAssistant account is enabled on installation by default. For more information about remote desktop connections for those client operating systems designated in the **Applies To** list at the beginning of this topic, see [Enable Remote Desktop](http://technet.microsoft.com/library/dd744299.aspx).
|
||||
In comparison, for the Windows client operating system, the HelpAssistant account is enabled on installation by default.
|
||||
|
||||
## <a href="" id="sec-localsystem"></a>Default local system accounts
|
||||
|
||||
@ -200,7 +200,7 @@ In addition, UAC can require administrators to specifically approve applications
|
||||
|
||||
For example, a default feature of UAC is shown when a local account signs in from a remote computer by using Network logon (for example, by using NET.EXE USE). In this instance, it is issued a standard user token with no administrative rights, but with the ability to request or receive elevation. Consequently, local accounts that sign in by using Network logon cannot access administrative shares such as C$, or ADMIN$, or perform any remote administration.
|
||||
|
||||
For summary information about UAC, see [User Account Control](http://technet.microsoft.com/library/cc731416.aspx). For detailed information about special conditions when you use UAC, see [User Account Control](http://technet.microsoft.com/library/cc772207.aspx).
|
||||
For more information about UAC, see [User Account Control](user-account-control-overview.md).
|
||||
|
||||
The following table shows the Group Policy and registry settings that are used to enforce local account restrictions for remote access.
|
||||
|
||||
@ -384,10 +384,7 @@ The following table shows the Group Policy settings that are used to deny networ
|
||||
<tr class="even">
|
||||
<td><p></p></td>
|
||||
<td><p>Policy name</p></td>
|
||||
<td><p>[Deny log on through Remote Desktop Services](deny-log-on-through-remote-desktop-services.md)</p>
|
||||
<p>(Windows Server 2008 R2 and later.)</p>
|
||||
<p>Deny logon through Terminal Services</p>
|
||||
<p>(Windows Server 2008)</p></td>
|
||||
<td><p>[Deny log on through Remote Desktop Services](deny-log-on-through-remote-desktop-services.md)</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td><p></p></td>
|
||||
@ -437,23 +434,16 @@ The following table shows the Group Policy settings that are used to deny networ
|
||||
|
||||
1. Navigate to Computer Configuration\\Policies\\Windows Settings and Local Policies, and then click **User Rights Assignment**.
|
||||
|
||||
**Note**
|
||||
Depending on the Windows operating system, you can choose the name of the Remote Interactive logon user right.
|
||||
2. Double-click **Deny log on through Remote Desktop Services**, and then select **Define these settings**.
|
||||
|
||||
|
||||
|
||||
2. On computers that run Windows Server 2008, double-click **Deny logon through Terminal Services**, and then select **Define these policy settings**.
|
||||
|
||||
3. On computers running Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2, double-click **Deny logon through Remote Desktop Services**, and then select **Define these settings**.
|
||||
|
||||
4. Click **Add User or Group**, type the user name of the default Administrator account, and > **OK**. (The default name is Administrator on US English installations, but it can be renamed either by policy or manually.
|
||||
3. Click **Add User or Group**, type the user name of the default Administrator account, and > **OK**. (The default name is Administrator on US English installations, but it can be renamed either by policy or manually.
|
||||
|
||||
**Important**
|
||||
In the **User and group names** box, type the user name of the account that you identified at the start of this process. Do not click **Browse** and do not type the domain name or the local computer name in this dialog box. For example, type only **Administrator**. If the text that you typed resolves to a name that is underlined or includes a domain name, it restricts the wrong account and causes this mitigation to work incorrectly. Also, be careful that you do not enter the group name Administrator because this also blocks domain accounts in that group.
|
||||
|
||||
|
||||
|
||||
5. For any additional local accounts in the Administrators group on all of the workstations that you are setting up, click **Add User or Group**, type the user names of these accounts in the dialog box in the same manner as the previous step, and > **OK**.
|
||||
4. For any additional local accounts in the Administrators group on all of the workstations that you are setting up, click **Add User or Group**, type the user names of these accounts in the dialog box in the same manner as the previous step, and > **OK**.
|
||||
|
||||
8. Link the GPO to the first **Workstations** OU as follows:
|
||||
|
||||
@ -498,16 +488,8 @@ Passwords can be randomized by:
|
||||
|
||||
The following resources provide additional information about technologies that are related to local accounts.
|
||||
|
||||
- [Security Principals Technical Overview](security-principals.md)
|
||||
- [Security Principals](security-principals.md)
|
||||
|
||||
- [Security Identifiers Technical Overview](security-identifiers.md)
|
||||
- [Security Identifiers](security-identifiers.md)
|
||||
|
||||
- [Access Control Overview](access-control.md)
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@ -155,14 +155,6 @@ Within your organization, you can set application control policies to regulate a
|
||||
|
||||
## See also
|
||||
|
||||
- [Managing Privacy: Using a Microsoft Account to Logon and Resulting Internet Communication](https://technet.microsoft.com/library/jj884082(v=ws.11).aspx)
|
||||
|
||||
[Managing Privacy: Using a Microsoft Account to Logon and Resulting Internet Communication](https://technet.microsoft.com/library/jj884082(v=ws.11).aspx)
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
- [Access Control Overview](access-control.md)
|
||||
|
||||
@ -41,7 +41,7 @@ SIDs always remain unique. Security authorities never issue the same SID twice,
|
||||
|
||||
## Security identifier architecture
|
||||
|
||||
A security identifier is a data structure in binary format that contains a variable number of values. The first values in the structure contain information about the SID structure. The remaining values are arranged in a hierarchy (similar to a telephone number), and they identify the SID-issuing authority (for example, the Windows Server 2012 operating system), the SID-issuing domain, and a particular security principal or group. The following image illustrates the structure of a SID.
|
||||
A security identifier is a data structure in binary format that contains a variable number of values. The first values in the structure contain information about the SID structure. The remaining values are arranged in a hierarchy (similar to a telephone number), and they identify the SID-issuing authority (for example, “NT Authority”), the SID-issuing domain, and a particular security principal or group. The following image illustrates the structure of a SID.
|
||||
|
||||
|
||||
|
||||
|
||||
@ -138,10 +138,6 @@ For descriptions and settings information about the domain security groups that
|
||||
|
||||
For descriptions and settings information about the Special Identities group, see [Special Identities](special-identities.md).
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
## See also
|
||||
|
||||
- [Access Control Overview](access-control.md)
|
||||
@ -106,4 +106,4 @@ The following table provides links to additional resources that are related to s
|
||||
|---------------|-------------|
|
||||
| **Product evaluation** | [What's New for Managed Service Accounts](https://technet.microsoft.com/library/hh831451(v=ws.11).aspx)<br>[Getting Started with Group Managed Service Accounts](https://technet.microsoft.com/library/jj128431(v=ws.11).aspx) |
|
||||
| **Deployment** | [Windows Server 2012: Group Managed Service Accounts - Ask Premier Field Engineering (PFE) Platforms - Site Home - TechNet Blogs](http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx) |
|
||||
| **Related technologies** | [Security Principals Technical Overview](security-principals.md)<br>[What's new in Active Directory Domain Services](https://technet.microsoft.com/library/mt163897.aspx) |
|
||||
| **Related technologies** | [Security Principals](security-principals.md)<br>[What's new in Active Directory Domain Services](https://technet.microsoft.com/library/mt163897.aspx) |
|
||||
@ -1002,21 +1002,10 @@ Any user accessing the system through Terminal Services has the Terminal Server
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
|
||||
## See also
|
||||
|
||||
- [Active Directory Security Groups](active-directory-security-groups.md)
|
||||
|
||||
[Active Directory Security Groups](active-directory-security-groups.md)
|
||||
|
||||
|
||||
[Security Principals Technical Overview](security-principals.md)
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
- [Security Principals](security-principals.md)
|
||||
|
||||
- [Access Control Overview](access-control.md)
|
||||
@ -23,7 +23,7 @@ The **Inventory** page in Windows Store for Business shows all apps in your inve
|
||||
|
||||
All of these apps are treated the same once they are in your inventory and you can perform app lifecycle tasks for them: distribute apps, add apps to private store, review license details, and reclaim app licenses.
|
||||
|
||||
|
||||
|
||||
|
||||
Store for Business shows this info for each app in your inventory:
|
||||
|
||||
@ -168,13 +168,13 @@ For each app in your inventory, you can view and manage license details. This gi
|
||||
|
||||
2. Click **Manage**, and then choose **Inventory**.
|
||||
|
||||
3. Click the ellipses for and app, and then choose **View license details**.
|
||||
3. Click the ellipses for an app, and then choose **View license details**.
|
||||
|
||||
|
||||
|
||||
|
||||
You'll see the names of people in your organization who have installed the app and are using one of the licenses.
|
||||
|
||||
|
||||
|
||||
|
||||
On **Assigned licenses**, you can do several things:
|
||||
|
||||
@ -190,9 +190,9 @@ For each app in your inventory, you can view and manage license details. This gi
|
||||
|
||||
**To assign an app to more people**
|
||||
|
||||
- Click Assign to people, type the email address for the employee that you're assigning the app to, and click **Assign**.
|
||||
- Click **Assign to people**, type the email address for the employee that you're assigning the app to, and click **Assign**.
|
||||
|
||||
|
||||
|
||||
|
||||
Store for Business updates the list of assigned licenses.
|
||||
|
||||
@ -200,7 +200,7 @@ For each app in your inventory, you can view and manage license details. This gi
|
||||
|
||||
- Choose the person you want to reclaim the license from, click **Reclaim licenses**, and then click **Reclaim licenses**.
|
||||
|
||||
|
||||
|
||||
|
||||
Store for Business updates the list of assigned licenses.
|
||||
|
||||
|
||||
@ -23,29 +23,29 @@ You can make an app available in your private store when you acquire the app, or
|
||||
|
||||
**To acquire an app and make it available in your private store**
|
||||
|
||||
1. Sign in to the Store for Business.
|
||||
1. Sign in to the [Store for Business](https://businessstore.microsoft.com).
|
||||
|
||||
2. Click an app and then click **Get the app** to acquire the app for your organization.
|
||||
|
||||
3. You'll have a few options for distributing the app -- choose **Add to your private store where all people in your organization can find and install it.**
|
||||
|
||||
|
||||
|
||||
|
||||
It will take approximately twelve hours before the app is available in the private store.
|
||||
|
||||
**To make an app in inventory available in your private store**
|
||||
|
||||
1. Sign in to the Store for Business.
|
||||
1. Sign in to the [Store for Business](https://businessstore.microsoft.com).
|
||||
|
||||
2. Click **Manage**, and then choose **Inventory**.
|
||||
|
||||
|
||||
|
||||
|
||||
3. Click **Refine**, and then choose **Online**. Store for Business will update the list of apps on the **Inventory** page.
|
||||
|
||||
4. From an app in **Inventory**, click the ellipses under **Action**, and then choose **Add to private store**.
|
||||
|
||||
|
||||
|
||||
|
||||
The value under **Private store** for the app will change to pending. It will take approximately twelve hours before the app is available in the private store.
|
||||
|
||||
|
||||
@ -48,14 +48,14 @@ If your vendor doesn’t support the ability to synchronize applications from th
|
||||
|
||||
This diagram shows how you can use a management tool to distribute offline-licensed app to employees in your organization. Once synchronized from Store for Business, management tools can use the Windows Management framework to distribute applications to devices.
|
||||
|
||||
|
||||
|
||||
|
||||
## Distribute online-licensed apps
|
||||
|
||||
|
||||
This diagram shows how you can use a management tool to distribute an online-licensed app to employees in your organization. Once synchronized from Store for Business, management tools use the Windows Management framework to distribute applications to devices. For Online licensed applications, the management tool calls back in to Store for Business management services to assign an application prior to issuing the policy to install the application.
|
||||
|
||||
|
||||
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
@ -23,7 +23,7 @@ Organizations might want control the set of apps that are available to their emp
|
||||
|
||||
The private store is a feature in Store for Business that organizations receive during the sign up process. When admins add apps to the private store, all employees in the organization can view and download the apps. Your private store is available as a tab in the Windows Store, and is usually named for your company or organization. Only apps with online licenses can be added to the private store. Your private store looks something like this:
|
||||
|
||||
|
||||
|
||||
|
||||
Organizations using an MDM to manage apps can use a policy to show only the private store. When your MDM supports the Store for Business, the MDM can use the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#group-policy-table). More specifically, the **ApplicationManagement/RequirePrivateStoreOnly** policy.
|
||||
|
||||
|
||||
@ -19,9 +19,9 @@ author: TrudyHa
|
||||
|
||||
The private store is a feature in the Windows Store for Business that organizations receive during the sign up process. When admins add apps to the private store, all employees in the organization can view and download the apps. Only online-licensed apps can be distributed from your private store.
|
||||
|
||||
The name of your private store is shown on a tab in the Windows Store.
|
||||
The name of your private store is shown on a tab in the Windows Store app.
|
||||
|
||||
|
||||
|
||||
|
||||
You can change the name of your private store in Store for Business.
|
||||
|
||||
@ -33,13 +33,13 @@ You can change the name of your private store in Store for Business.
|
||||
|
||||
You'll see your private store name.
|
||||
|
||||
|
||||
|
||||
|
||||
3. Click **Change**.
|
||||
|
||||
4. Type a new display name for your private store, and click **Save**.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@ -204,11 +204,11 @@ These permissions allow people to:
|
||||
|
||||
2. Click **Settings**, and then choose **Permissions**.
|
||||
|
||||
|
||||
|
||||
|
||||
3. Click **Add people**, type a name, choose the role you want to assign, and click **Save** .
|
||||
|
||||
|
||||
|
||||
|
||||
4.
|
||||
|
||||
|
||||
@ -34,7 +34,7 @@ Before signing up for the Store for Business, make sure you're the global admini
|
||||
|
||||
- If you already have an Azure AD directory, you'll [sign in to Store for Business](#sign-in), and then accept Store for Business terms.
|
||||
|
||||
|
||||
|
||||
|
||||
**To sign up for Azure AD accounts through Office 365 for Business**
|
||||
|
||||
@ -44,43 +44,43 @@ Before signing up for the Store for Business, make sure you're the global admini
|
||||
|
||||
Type the required info and click **Next.**
|
||||
|
||||
|
||||
|
||||
|
||||
- Step 2: Create an ID.
|
||||
|
||||
We'll use info you provided on the previous page to build your user ID. Check the info and click **Next**.
|
||||
|
||||
|
||||
|
||||
|
||||
- Step 3: You're in.
|
||||
|
||||
Let us know how you'd like to receive a verification code, and click either **Text me**, or **Call me**. We'll send you a verification code
|
||||
|
||||
|
||||
|
||||
|
||||
- Verification.
|
||||
|
||||
Type your verification code and click **Create my account**.
|
||||
|
||||
|
||||
|
||||
|
||||
- Save this info.
|
||||
|
||||
Be sure to save the portal sign-in page and your user ID info. Click **You're ready to go**.
|
||||
|
||||
|
||||
|
||||
|
||||
- At this point, you'll have an Azure AD directory created with one user account. That user account is the global administrator. You can use that account to sign in to Store for Business.
|
||||
|
||||
2. <a href="" id="sign-in"></a>Sign in with your Azure AD account.
|
||||
|
||||
|
||||
|
||||
|
||||
3. <a href="" id="accept-terms"></a>Read through and accept Store for Business terms.
|
||||
|
||||
4. Welcome to the Store for Business. Click **Next** to continue.
|
||||
|
||||
|
||||
|
||||
|
||||
### Next steps
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user