See [SurfaceHub CSP](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx). | No | No | Yes | + + + +## Example: Manage Surface Hub settings with Micosoft Intune + +You can use Microsoft Intune to manage Surface Hub settings. + +**To create a configuration policy from a template** + +You'll use the **Windows 10 Team general configuration policy** as the template. + +1. On the [Intune management portal](https://manage.microsoft.com), sign in with your Intune administrator account. +2. On the left-hand navigation menu, click **Policy**. +3. In the Overview page, click **Add Policy**. +4. On **Select a template for the new policy**, expand **Windows**, select **General Configuration (Windows 10 Team and later)**, and then click **Create Policy**. +5. Configure your policy, then click **Save Policy** +6. When prompted, click **Yes** to deploy your new policy to a user or device group. For more information, see [Use groups to manage users and devices in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/use-groups-to-manage-users-and-devices-with-microsoft-intune). + +**To create a custom configuration policy** + +You’ll need to create a custom policy to manage settings that are not available in the template. + +1. On the [Intune management portal](https://manage.microsoft.com), sign in with your Intune administrator account. +2. On the left-hand navigation menu, click **Policy**. +3. In the Overview page, click **Add Policy**. +4. On **Select a template for the new policy**, expand **Windows**, select **Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**. +5. Type a name and optional description for the policy. +6. Under OMA-URI Settings, click **Add**. +7. Complete the form to create a new setting, and then click **OK**. +8. Repeat Steps 6 and 7 for each setting you want to configure with this policy. +9. Once you're done, click **Save Policy** and deploy it to a user or device group. + +## Example: Manage Surface Hub settings with System Center Configuration Manager +System Center Configuration Manager supports managing modern devices that do not require the Configuration Manager client to manage them, including Surface Hub. If you already use System Center Configuration Manager to manage other devices in your organization, you can continue to use the Configuration Manager console as your single location for managing Surface Hubs. + +> [!NOTE] +> These instructions are based on the current branch of System Center Configuration Manager. + +**To create a configuration item for Surface Hub settings** + +1. On the **Assets and Compliance** workspace of the Configuration Manager console, click **Overview** > **Compliance Settings** > **Configuration Items**. +2. On the **Home** tab, in the **Create** group, click **Create Configuration Item**. +3. On the **General** page of the Create Configuration Item Wizard, specify a name and optional description for the configuration item. +4. Under **Specify the type of configuration item that you want to create**, select **Windows 8.1 and Windows 10**. +5. Click **Categories** if you create and assign categories to help you search and filter configuration items in the Configuration Manager console. +6. On the **Supported Platforms** page, select **Windows 10** > **All Windows 10 Team and higher**. Unselect the other Windows platforms. +7. On the **Device Settings** page, under **Device settings groups**, select **Windows 10 Team**. +8. On the **Windows 10 Team** page, configure the settings you require. +9. You'll need to create custom settings to manage settings that are not available in the Windows 10 Team page. On the **Device Settings** page, select the check box **Configure additional settings that are not in the default setting groups**. +10. On the **Additional Settings** page, click **Add**. +11. On the **Browse Settings** dialog, click **Create Setting**. +12. On the **Create Setting** dialog, under the **General** tab, specify a name and optional description for the custom setting. +13. Under **Setting type**, select **OMA URI**. +14. Complete the form to create a new setting, and then click **OK**. +15. On the **Browse Settings** dialog, under **Available settings**, select the new setting you created, and then click **Select**. +16. On the **Create Rule** dialog, complete the form to specify a rule for the setting, and then click **OK**. +17. Repeat Steps 10 to 16 for each custom setting you want to add to the configuration item. +18. Once you're done, on the **Browse Settings** dialog, click **Close**. +19. Complete the wizard.
You can view the new configuration item in the **Configuration Items** node of the **Assets and Compliance** workspace. + +For more information, see [Create configuration items for Windows 8.1 and Windows 10 devices managed without the System Center Configuration Manager client](https://docs.microsoft.com/sccm/compliance/deploy-use/create-configuration-items-for-windows-8.1-and-windows-10-devices-managed-without-the-client). ## Related topics - [Manage Microsoft Surface Hub](manage-surface-hub.md) [Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md) diff --git a/devices/surface-hub/manage-surface-hub-settings.md b/devices/surface-hub/manage-surface-hub-settings.md new file mode 100644 index 0000000000..5413d28a30 --- /dev/null +++ b/devices/surface-hub/manage-surface-hub-settings.md @@ -0,0 +1,24 @@ +--- +title: Manage Surface Hub settings +description: This section lists topics for managing Surface Hub settings. +keywords: Surface Hub accessibility settings, device account, device reset, windows updates, wireless network management +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: surfacehub +author: TrudyHa +localizationpriority: medium +--- + +# Manage Surface Hub settings + +## In this section + +|Topic | Description| +| ------ | --------------- | +| [Local management for Surface Hub settings](local-management-surface-hub-settings.md) | Learn about Surface Hub settings. | +| [Accessibility](accessibility-surface-hub.md) | Accessibility settings for the Surface Hub can be changed by using the Settings app. You'll find them under Ease of Access. Your Surface Hub has the same accessibility options as Windows 10.| +| [Change the Surface Hub device account](change-surface-hub-device-account.md) | You can change the device account in Settings to either add an account if one was not already provisioned, or to change any properties of an account that was already provisioned.| +| [Device reset](device-reset-surface-hub.md) | You may need to reset your Surface Hub.| +| [Use fully qualified domain name with Surface Hub](use-fully-qualified-domain-name-surface-hub.md) | Options to configure domain name with Surface Hub. | +| [Wireless network management](wireless-network-management-for-surface-hub.md) | Surface Hub offers two options for network connectivity to your corporate network and Internet: wireless, and wired. While both provide network access, we recommend you use a wired connection. | diff --git a/devices/surface-hub/manage-surface-hub.md b/devices/surface-hub/manage-surface-hub.md index f1ea0e3ebc..b464c430f2 100644 --- a/devices/surface-hub/manage-surface-hub.md +++ b/devices/surface-hub/manage-surface-hub.md @@ -13,212 +13,25 @@ localizationpriority: medium # Manage Microsoft Surface Hub +After initial setup of Microsoft Surface Hub, the device’s settings and configuration can be modified or changed in a couple ways: -How to manage your Surface Hub after finishing the first-run program. +- **Local management** - Every Surface Hub can be configured locally using the **Settings** app on the device. To prevent unauthorized users from changing settings, the Settings app requires admin credentials to open the app. For more information, see [Local management for Surface Hub settings](local-management-surface-hub-settings.md). +- **Remote management** - Surface Hub allow IT admins to manage settings and policies using a mobile device management (MDM) provider, such as Microsoft Intune, System Center Configuration Manager, and other third-party providers. Additionally, admins can monitor Surface Hubs using Microsoft Operations Management Suite (OMS). For more information, see [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md), and [Monitor your Microsoft Surface Hub](monitor-surface-hub.md). -## Introduction - - -After initial setup of Microsoft Surface Hub, the device’s settings and configuration can be modified or changed in several ways: - -- Local management: using the Settings app on the device -- Remote management: using a mobile device management (MDM) solution, like Microsoft Intune, AirWatch, or System Center 2012 R2 Configuration Manager. - -For locally-managed devices, administrator credentials are required to use the Settings app. These can be login credentials for Active Directory, Azure Active Directory (Azure AD), or a local admin account. One of these will have been selected during first run (see [Set up admins for this device](first-run-program-surface-hub.md#setup-admins)). - -For remotely-managed devices, the device must be enrolled into an MDM solution, either during first run or in the Settings app. - -Be aware that the two management methods are not mutually exclusive—every device will have the capability to be locally managed, and devices can be remotely managed if you choose. - ->**Note** If a device is remotely managed, then any changes to local settings that are also remotely managed will only persist until the next time your Surface Hub syncs with your MDM solution. Once a sync occurs, the settings and policies defined on your MDM solution will be pushed to the device, overwriting the local changes. - - - -## Surface Hub-only settings - - -Surface Hubs have many settings that are common to other Windows devices, but also have settings which are only configurable on Surface Hubs. - -
| Setting | -Location | -Description | -
|---|---|---|
Change friendly name |
-System - About |
-Set the Surface Hub name that people will see when connecting wirelessly. |
-
Collect logs |
-System - About |
-Collect logs to give to Microsoft Support. |
-
Change meeting info shown on the welcome screen |
-System – Microsoft Surface Hub |
-Choose whether meeting organizer, time, and subject show up on the welcome screen. |
-
Session time out |
-System – Microsoft Surface Hub |
-Choose how long the device needs to be inactive before returning to the welcome screen. |
-
Turn on screen with motion sensors |
-System – Microsoft Surface Hub |
-Choose whether the screen turns on when motion is detected. |
-
Configure Microsoft Operational Management Suite (MOMS) |
-System – Microsoft Surface Hub |
-Add information to set up monitoring using MOMS. |
-
Change Skype for Business fully qualified domain name (FQDN) |
-System – Microsoft Surface Hub |
-Add the FQDN for a Skype for Business certificate. |
-
Save BitLocker key |
-System – Microsoft Surface Hub |
-Set the default destination for saving the BitLocker recovery key to a USB drive. |
-
Turn off wireless projection using Miracast |
-Devices - Connect |
-Choose whether presenters can wirelessly project to the Surface Hub using Miracast. |
-
Require a PIN for wireless projection |
-Devices - Connect |
-Choose whether people are required to enter a PIN before they use wireless projection. |
-
Wireless projection (Miracast) channel |
-Devices - Connect |
-Change the channel for Miracast projection. |
-
Change device account |
-Accounts - All accounts |
-Change the Surface Hub's device account. |
-
Check sync status |
-Accounts - All accounts |
-Check the sync status of the device account’s mail and calendar on the Surface Hub. |
-
Turn on password rotation |
-Accounts - All accounts |
-Choose whether the device account’s password will automatically change every day (Active Directory only). |
-
Edit admin account |
-Accounts - All accounts |
-Change the password for the local admin account. |
-
Change maintenance hours |
-Updates & security – Windows Update – Advanced settings |
-Set the hours when updates can be installed. |
-
Configure Windows Server Update Services (WSUS) server |
-Updates & security – Windows Update – Advanced settings |
-Change whether the device receives updates from the WSUS you choose. |
-
| Topic | -Description | -
|---|---|
[Accessibility](accessibility-surface-hub.md) |
-Accessibility settings for the Surface Hub can be changed by using the Settings app. You'll find them under Ease of Access. Your Surface Hub has the same accessibility options as Windows 10. |
-
[Change the Surface Hub device account](change-surface-hub-device-account.md) |
-You can change the device account in Settings to either add an account if one was not already provisioned, or to change any properties of an account that was already provisioned. |
-
[Device reset](device-reset-suface-hub.md) |
-You may wish to reset your Surface Hub. |
-
[Install apps on your Surface Hub](install-apps-on-surface-hub.md) |
-Admins can install apps can from either the Windows Store or the Windows Store for Business. |
-
[Manage settings with a local admin account](manage-settings-with-local-admin-account-surface-hub.md) |
-A local admin account will be set up on every Surface Hub as part of the first run program. The only way to change the local admin options that you chose at that time is to reset the device. |
-
[Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) |
-Surface Hub provides an enterprise management solution to help IT administrators manage policies and business applications on these devices using a mobile device management (MDM) solution. |
-
[Monitor your Surface Hub](monitor-surface-hub.md) |
-Monitoring for Surface Hub devices is enabled through Microsoft Operations Management Suite (OMS). |
-
[Save your BitLocker key](save-bitlocker-key-surface-hub.md) |
-Every Surface Hub is automatically set up with BitLocker drive encryption software. Microsoft strongly recommends that you make sure you back up your BitLocker recovery keys. |
-
[Using a room control system](use-room-control-system-with-surface-hub.md) |
-Room control systems can be used with your Surface Hub. |
-
[Windows updates](manage-windows-updates-for-surface-hub.md) |
-You can manage Windows updates on your Surface Hub by setting the maintenance window, deferring updates, or using WSUS. |
-
[Wireless network management](wireless-network-management-for-surface-hub.md) |
-Surface Hub offers two options for network connectivity to your corporate network and Internet: wireless, and wired. While both provide network access, we recommend you use a wired connection. |
-
Reboot manually, or using the [Reboot configuration service provider](https://msdn.microsoft.com/en-us/library/windows/hardware/mt720802(v=vs.85).aspx).
Suggest doing this between meetings to minimize impact to your people in your organization. | Trigger conditions:
- A critical process in the Surface Hub operating system, such as the shell, projection, or Skype, crashes or becomes non-responsive.
- The device hasn't reported a heartbeat in the past 24 hours. This may be due to network connectivity issue or network-related hardware failure, or an error with the telemetry reporting system. | +| Software | Error | **Check your Exchange service**.
Verify:
- The service is available.
- The device account password is up to date – see [Password management](password-management-for-surface-hub-device-accounts.md) for details.| Triggers when there's an error syncing the device calendar with Exchange. | +| Software | Error | **Check your Skype for Business service**.
Verify:
- The service is available.
- The device account password is up to date – see [Password management](password-management-for-surface-hub-device-accounts.md) for details.
- The domain name for Skype for Business is properly configured - see [Configure a domain name](use-fully-qualified-domain-name-surface-hub.md). | Triggers when Skype fails to sign in. | +| Software | Error | **Reset the device**.
This takes some time, so you should take the device offline.
For more information, see [Device reset](device-reset-surface-hub.md).| Triggers when there is an error cleaning up user and app data at the end of a session. When this operation repeatedly fails, the device is locked to protect user data. You must reset the device to continue. | +| Hardware | Warning | **None**. Indicates negligible impact to functionality.| Triggers when there is an error with any of the following hardware components:
- Virtual pen slots
- NFC driver
- USB hub driver
- Bluetooth driver
- Proximity sensor
- Graphical performance (video card driver)
- Mismatched hard drive
- No keyboard/mouse detected | +| Hardware | Error | **Contact Microsoft support**.
Indicates impact to core functionality (such as Skype, projection, touch, and internet connectivity).
**Note** Some events, including heartbeat, include the device’s serial number that you can use when contacting support.| Triggers when there is an error with any of the following hardware components.
**Components that affect Skype**:
- Speaker driver
- Microphone driver
- Camera driver
**Components that affect wired and wireless projection**:
- Wired touchback driver
- Wired ingest driver
- Wireless adapter driver
- Wi-Fi Direct error
**Other components**:
- Touch digitizer driver
- Network adapter error (not reported to OMS)| + +**To set up an alert** +1. From the Surface Hub solution, select one of the sample queries. +2. Modify the query as desired. See Log Analytics search reference to learn more. +3. Click **Alert** at the top of the page to open the **Add Alert Rule** screen. See [Alerts in Log Analytics](https://azure.microsoft.com/en-us/documentation/articles/log-analytics-alerts/) for details on the options to configure the alert. +4. Click **Save** to complete the alert rule. It will start running immediately. + +## Enroll your Surface Hub + +For Surface Hub to connect to and register with the OMS service, it must have access to the port number of your domains and the URLs. This table list the ports that OMS needs. For more information, see [Configure proxy and firewall settings in Log Analytics](https://azure.microsoft.com/documentation/articles/log-analytics-proxy-firewall/). + +| Agent resource | Ports | Bypass HTTPS inspection? | +| --------------------------- | ----- | ------------------------ | +| *.ods.opinsights.azure.com | 443 | Yes | +| *.oms.opinsights.azure.com | 443 | Yes | +| *.blob.core.windows.net | 443 | Yes | +| ods.systemcenteradvisor.com | 443 | No | + +The Microsoft Monitoring Agent, used to connect devices to OMS, is integrated with the Surface Hub operating system, so there is no need to install additional clients to connect Surface Hub to OMS. + +Once your OMS workspace is set up, there are several ways to enroll your Surface Hub devices: +- [Settings app](#enroll-using-the-settings-app) +- [Provisioning package](#enroll-using-a-provisioning-package) +- [MDM provider](#enroll-using-a-mdm-provider), such as Microsoft Intune and Configuration Manager + +You'll need the workspace ID and primary key of your OMS workspace. You can get these from the OMS portal. + +### Enroll using the Settings app + +**To Enroll using the settings app** + +1. From your Surface Hub, start **Settings**. +2. Enter the device admin credentials when prompted. +3. Select **This device**, and navigate to **Device management**. +4. Under **Monitoring**, select **Configure OMS settings**. +5. In the OMS settings dialog, select **Enable monitoring**. +6. Type the workspace ID and primary key of your OMS workspace. You can get these from the OMS portal. +7. Click **OK** to complete the configuration. + A confirmation dialog will appear telling you whether or not the OMS configuration was successfully applied to the device. If it was, the device will start sending data to OMS. -### Monitoring devices - -Monitoring your Surface Hubs using OMS is much like monitoring any other enrolled devices. - -1. Sign in to the OMS portal. -2. Navigate to the Surface Hub solution pack dashboard. -3. Your device's health will be displayed here. - -You can create OMS alerts based on existing or custom queries that use the data collected through OMS. +### Enroll using a provisioning package +You can use a provisioning package to enroll your Surface Hub. For more infomation, see [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md). + +### Enroll using a MDM provider +You can enroll Surface Hub into OMS using the SurfaceHub CSP. Intune and Configuration Manager provide built-in experiences to help create policy templates for Surface Hub. For more information, see [Manage Surface Hub settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md). ## Related topics - [Manage Microsoft Surface Hub](manage-surface-hub.md) [Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md) diff --git a/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md b/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md index a4eb84f063..73dd21ac2e 100644 --- a/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md +++ b/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md @@ -13,248 +13,209 @@ localizationpriority: medium # Create provisioning packages (Surface Hub) +This topic explains how to create a provisioning package using the Windows Imaging and Configuration Designer (ICD), and apply it to Surface Hub devices. For Surface Hub, you can use provisioning packages to add certificates, install Universal Windows Platform (UWP) apps, and customize policies and settings. -For Windows 10, settings that use the registry or a content services platform (CSP) can be configured using provisioning packages. You can also add certificates during first run using provisioning. +You can apply a provisioning package using a USB during first run, or through the **Settings** app. -In this topic, you'll find the following information: -- [Introduction to provisioning packages](#intro-prov-pkg) -- [What can provisioning packages configure for Microsoft Surface Hubs?](#what-can-prov-pkg) -- [How do I create and deploy a provisioning package?](#how-do-i-prov-pkg) -- [Requirements](#requirements-prov-pkg) -- [Install the Windows Imaging and Configuration Designer](#installing-wicd-prov-pkg) -- [Create a provisioning package for certificates](#creating-prov-pkg-certs) -- [Create a provisioning package for apps](#creating-prov-pkg-apps) -- [Deploy a provisioning package to a Surface Hub](#deploy-to-hub-prov-pkg) - - [Deploy a provisioning package using first run](#deploy-via-oobe-prov-pkg) - - [Deploy a provisioning package using Settings](#deploy-via-settings-prov-pkg) +## Advantages +- Quickly configure devices without using a MDM provider. -### Introduction to provisioning packages +- No network connectivity required. -Provisioning packages are created using Windows Imaging and Configuration Designer (WICD), which is a part of the Windows Assessment and Deployment Kit (ADK). For Surface Hub, the provisioning packages can be placed on a USB drive. +- Simple to apply. -### What can provisioning packages configure for Surface Hubs? +[Learn more about the benefits and uses of provisioning packages.](https://technet.microsoft.com/itpro/windows/whats-new/new-provisioning-packages) -Currently, you can use provisioning packages to install certificates and to install Universal Windows Platform (UWP) apps on your Surface Hub. These are the only two supported scenarios. -You may use provisioning packages to install certificates that will allow the device to authenticate to Microsoft Exchange or Skype for Business, or to sideload apps that don't come from the Windows Store (for example, your own in-house apps). +## Requirements ->**Note** Provisioning can only install certificates to the device (local machine) store, and not to the user store. If your organization requires that certificates must be installed to the user store, you must use Mobile Device Management (MDM) to deploy these certificates. See your MDM solution documentation for details. +To create and apply a provisioning package to a Surface Hub, you'll need the following: - - -### How do I create and deploy a provisioning package? - -Provisioning packages must be created using the Windows Imaging and Configuration Designer (ICD). - -### Requirements - -In order to create and deploy provisioning packages, all of the following are required: - -- Access to the Settings app on Surface Hub (using admin credentials which were configured at initial setup of the Surface Hub). -- Windows Imaging and Configuration Designer (ICD), which is installed as a part of the windows 10 Assessment and Deployment Kit (ADK). +- Windows Imaging and Configuration Designer (ICD), which is installed as a part of the [Windows 10 Assessment and Deployment Kit (ADK)](http://go.microsoft.com/fwlink/p/?LinkId=526740). - A PC running Windows 10. -- USB flash drive. +- A USB flash drive. +- If you apply the package using the **Settings** app, you'll need device admin credentials. -### Install the Windows Imaging and Configuration Designer +You'll create the provisioning package on a PC running Windows 10, save the package to a USB drive, and then deploy it to your Surface Hub. -1. The Windows Imaging and Configuration Designer (ICD) is installed as part of the Windows 10 ADK. The installer for the ADK can be downloaded from the [Microsoft Download Center](https://go.microsoft.com/fwlink/?LinkId=718147). - >**Note** The ADK must be installed on a separate PC, not on the Surface Hub. -2. Run the installer, and set your preferences for installation. When asked what features you want to install, you will see a checklist like the one in the following figure. Note that **Windows Performance Toolkit** and **Windows Assessment Toolkit** should be unchecked, as they are not needed to run the ICD. +## Supported items for Surface Hub provisioning packages - Before going to the next step, make sure you have the following checked: +Currently, you can add these items to provisioning packages for Surface Hub: +- **Certificates** - You can add certificates, if needed, to authenticate to Microsoft Exchange. +- **Universal Windows Platform (UWP) apps** - You can install UWP apps. This can be an offline-licensed app from the Windows Store for Business, or an app created by an in-house dev. +- **Policies** - Surface Hub supports a subset of the policies in the [Policy configuration service provider](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). Some of those policies can be configured with ICD. +- **Settings** - You can configure any setting in the [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx). - - **Deployment Tools** - - **Windows Preinstallation Environment** - - **Imaging and Configuration Designer** - - **User State Migration Tool** - All four of these features are required to run the ICD and create a package for the Surfact Hub. +## Create the provisioning package -  +Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. When you install the ADK, you can choose to install only the Imaging and Configuration Designer (ICD). [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) -3. Continue with the installer until the ADK is installed. This may take a while, because the installer downloads remote content. +1. Open Windows ICD (by default, `%windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe`). -### Create a provisioning package for certificates +2. Click **Advanced provisioning**. -This example will demonstrate how to create a provisioning package to install a certificate. +  + +3. Name your project and click **Next**. -1. On the PC that had the Windows 10 ADK installed, open ICD and choose the **New provisioning package** tile from the main menu. +4. Select **Common to Windows 10 Team edition**, click **Next**, and then click **Finish**. -  +  -2. When the **New project** dialog box opens, type whatever name you like in the **Name** box. The **Location** and **Description** boxes can also be filled at your discretion, though we recommend using the **Description** box to help you distinguish among multiple packages. Click **Next**. +5. In the project, under **Available customizations**, select **Common Team edition settings**. -  +  - Select the settings that are **Common to all Windows editions**, and click **Next**. -  +### Add a certificate to your package +You can use provisioning packages to install certificates that will allow the device to authenticate to Microsoft Exchange. - When asked to import a provisioning package, just click **Finish.** +> [!NOTE] +> Provisioning packages can only install certificates to the device (local machine) store, and not to the user store. If your organization requires that certificates must be installed to the user store, use Mobile Device Management (MDM) to deploy these certificates. See your MDM solution documentation for details. -  +1. In the **Available customizations** pane, go to **Runtime settings** > **Certificates** > **ClientCertificates**. -3. ICD's main screen will be displayed. This is where you create the provisioning package. In the **Available customizations** pane, expand **Runtime settings** and then expand **Certificates**. Click **Root certificates**. +2. Enter a **CertificateName** and then click **Add**. -  +2. Enter the **CertificatePassword**. - In the center pane, you’ll be asked to specify a **CertificateName** for the Root certificate. You can set this to whatever you want. For the example, we've used the same name as the project. Click **Add**, and an entry will be added in the left pane. +3. For **CertificatePath**, browse and select the certificate. -4. In the **Available customizations** pane on the left, a new category has appeared for **CertificatePath** underneath the **CertificateName** you provided. There’s also a red exclamation icon indicating that there is a required field that needs to be set. Click **CeritficatePath**. +4. Set **ExportCertificate** to **False**. -  +5. For **KeyLocation**, select **Software only**. -5. In the center pane, you’ll be asked to specify the path for the certificate. Enter the name of the .cer file that you want to deploy, either by typing or clicking **Browse**. It must be a root certificate. The provisioning package created will copy the .cer file into the package it creates. -  +### Add a Universal Windows Platform (UWP) app to your package +Before adding a UWP app to a provisioning package, you need the app package (either an .appx, or .appxbundle) and any dependency files. If you acquired the app from the Windows Store for Business, you will also need the *unencoded* app license. See [Distribute offline apps](https://technet.microsoft.com/itpro/windows/manage/distribute-offline-apps#download-an-offline-licensed-app) to learn how to download these items from the Windows Store for Business. -6. Verify that the path is set, then click **Export** in the top menu and choose **Provisioning package**. +1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall** > **DeviceContextApp**. -  +2. Enter a **PackageFamilyName** for the app and then click **Add**. For consistency, use the app's package family name. If you acquired the app from the Windows Store for Business, you can find the package family name in the app license. Open the license file using a text editor, and use the value between the \
+Optionally, you can click **Browse** to change the default output location. -6. Verify that the path is set, then click **Export** in the top menu and choose **Provisioning package**. +8. Click **Next**. -  +9. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.
+If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. -7. You'll see a series of dialog boxes next. In the first one, either accept the defaults, or enter new values as needed, and click **Next**. You'll most likely want to accept the defaults. +10. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
+If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
- 
+ - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
+
+ - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
- Click **Next** again in the security options dialog box, because this package doesn't need to be encrypted or signed.
+11. Select the **output location** link to go to the location of the package. Copy the .ppkg to an empty USB flash drive.
- 
- Choose where to save the provisioning package, and click **Next**.
+## Apply a provisioning package to Surface Hub
- 
+There are two options for deploying provisioning packages to a Surface Hub. You can apply a provisioning packing [during the first run wizard](#apply-a-provisioning-package-during-first-run), or using [Settings](#apply-a-package-using-settings).
- Review the information shown, and if it looks good, click **Build**.
- 
+### Apply a provisioning package during first run
- You will see a confirmation dialog box similar to the one following. Click the link under **Output location** to open the directory containing the provisioning package.
+> [!IMPORTANT]
+> Only use provisioning packages to install certificates during first run. Use the **Settings** app to install apps and apply other settings.
- 
+1. When you turn on the Surface Hub for the first time, the first-run program will display the [**Hi there page**](first-run-program-surface-hub.md#first-page). Make sure that the settings are properly configured before proceeding.
-8. Copy the .ppkg from the output directory into the root directory of a USB drive. If it’s not at the root, it won’t be recognized by the device. You’ve finished making the provisioning package—now you just need to deploy it to the Surface Hub.
+2. Insert the USB flash drive containing the .ppkg file into the Surface Hub. If the package is in the root directory of the drive, the first-run program will recognize it and ask if you want to set up the device. Select **Set up**.
-### Deploy a provisioning package to a Surface Hub
+ 
-The following two methods for deploying provisioning packages apply to any kind of provisioning package that is being deployed to a Surface Hub. There is no difference in the way cert provisioning packages and app provisioning packages are installed. You may see different description text in the UI depending on what the package is for, but the process is still the same.
+3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
-### Deploy a provisioning package using first run
+ 
+
+4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. Note that you can only install one package during first run.
-1. When you turn on the Surface Hub for the first time, the first run process will display the page titled **Hi there**. Make sure the settings on this page are correct before you proceed. (See [Hi there page](first-run-program-surface-hub.md#first-page) for details.) Once you've deployed your provisioning package, the first run process will not return here. It will continue to the next screen.
-2. Insert the USB drive into the Surface Hub.
-3. Press the Windows key on the separate keyboard five times. You’ll see a dialog box asking whether you want to set up your device. Click **Set Up**.
+ 
- IMage
+5. The first-run program will show you a summary of the changes that the provisioning package will apply. Select **Yes, add it**. The package will be applied, and you'll be taken to the next page in the first-run program.
-4. Click on **Removable Media** in the **Provision From** dropdown list, then click **Next**.
+ 
- 
-5. The available packages in the root directory of the USB drive will be listed. Note that you can only install one package during first run. Select the package you want to install and then click **Next**.
+### Apply a package using Settings
- 
-
-6. You’ll then see a dialog asking if it’s from a source you trust. Click **Yes, add it**. The certificate will be installed, and you’ll be taken to the next page of first run.
-
- 
-
-### Deploy a provisioning package using Settings
-
-1. Insert the USB drive into the Surface Hub you want to deploy to.
-2. On the Surface Hub, open **Settings** and enter in the admin credentials.
-3. Navigate to **System > Work Access**. Under the header **Related settings**, click on **Add or remove a management package**.
-4. Here, click the button for **Add a package**.
-
- 
-
-5. Click **Removable media** from the dropdown list. You will see a list of available provisioning packages on the **Settings** page.
-
- 
-
-6. Choose your package and click **Add**.
-
- 
-
-7. You may have to re-enter the admin credentials if User Access Control (UAC) asks for them.
-8. You’ll see a confirmation dialog box. Click **Yes, add it**. The certificate will be installed.
-
-
-
-
+1. Insert the USB flash drive containing the .ppkg file into the Surface Hub.
+2. From the Surface Hub, start **Settings** and enter the admin credentials when prompted.
+3. Navigate to **This device** > **Device management**. Under **Provisioning packages**, select **Add or remove a provisioning package**.
+4. Select **Add a package**.
+5. Choose your provisioning package and select **Add**. You may have to re-enter the admin credentials if prompted.
+6. You'll see a summary of the changes that the provisioning package will apply. Select **Yes, add it**.
diff --git a/devices/surface-hub/remote-surface-hub-management.md b/devices/surface-hub/remote-surface-hub-management.md
new file mode 100644
index 0000000000..41588251fe
--- /dev/null
+++ b/devices/surface-hub/remote-surface-hub-management.md
@@ -0,0 +1,21 @@
+---
+title: Remote Surface Hub management
+description: This section lists topics for managing Surface Hub.
+keywords: remote management, MDM, install apps, monitor Surface Hub, Operations Management Suite, OMS
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: surfacehub
+author: TrudyHa
+localizationpriority: medium
+---
+
+# Remote Surface Hub management
+
+## In this section
+
+|Topic | Description|
+| ------ | --------------- |
+| [Manage settings with an MDM provider]( https://technet.microsoft.com/itpro/surface-hub/manage-settings-with-mdm-for-surface-hub) | Surface Hub provides an enterprise management solution to help IT administrators manage policies and business applications on these devices using a mobile device management (MDM) solution.|
+| [Monitor your Surface Hub]( https://technet.microsoft.com/itpro/surface-hub/monitor-surface-hub) | Monitoring for Surface Hub devices is enabled through Microsoft Operations Management Suite.|
+| [Windows updates](https://technet.microsoft.com/itpro/surface-hub/manage-windows-updates-for-surface-hub) | You can manage Windows updates on your Surface Hub by setting the maintenance window, deferring updates, or using WSUS.|
diff --git a/devices/surface-hub/save-bitlocker-key-surface-hub.md b/devices/surface-hub/save-bitlocker-key-surface-hub.md
index 1658d8de1a..461864a1aa 100644
--- a/devices/surface-hub/save-bitlocker-key-surface-hub.md
+++ b/devices/surface-hub/save-bitlocker-key-surface-hub.md
@@ -24,11 +24,11 @@ There are several ways to manage your BitLocker key on the Surface Hub.
2. If you’ve joined the Surface Hub to Azure Active Directory (Azure AD), the BitLocker key will be stored under the account that was used to join the device.
-3. If you’re using a local admin account to manage the device, you can save the BitLocker key by going to Settings and navigating to **System** > **Microsoft Surface Hub**. Insert a USB drive and select the option to save the BitLocker key. The key will be saved to a text file on the USB drive.
+3. If you’re using a local admin account to manage the device, you can save the BitLocker key by going to the **Settings** app and navigating to **Update & security** > **Recovery**. Insert a USB drive and select the option to save the BitLocker key. The key will be saved to a text file on the USB drive.
+
## Related topics
-
[Manage Microsoft Surface Hub](manage-surface-hub.md)
[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)
diff --git a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
index e948577807..fbed027215 100644
--- a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
+++ b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
@@ -7,21 +7,19 @@ author: TrudyHa
localizationpriority: medium
---
-# When to use a fully qualified domain name with Surface Hub
+# Configure domain name for Skype for Business
-A fully qualified domain name (FQDN) is a domain name that explicitly states the location in the Domain Name System (DNS) hierarchy. All levels of a domain are specified. In the case of Skype for Business on the Surface Hub, there are a few scenarios where you need to use a FQDN.
+There are a few scenarios where you need to specify the domain name of your Skype for Business server:
- **Multiple DNS suffixes** - When your Skype for Business infrastructure has disjointed namespaces such that one or more servers have a DNS suffix that doesn't match the suffix of the sign-in address (SIP) for Skype for Business.
- **Skype for Business and Exchange suffixes are different** - When the suffix of the sign-in address for Skype for Business differs from the suffix of the Exchange address used for the device account.
-- **Working with certificates** - Large organizations with on-premise Skype for Business servers commonly use certificates with their own root certificate authority (CA). It is common for the CA domain to be different than the domain of the Skype for Business server which causes the certificate to not be trusted, and sign-in fails. The Skype app needs to know the FQDN of the certificate in order to set up a trust relationship. Enterprises typically use Group Policy to push this out to Skype desktop, but Group Policy is not supported on Surface Hub.
+- **Working with certificates** - Large organizations with on-premise Skype for Business servers commonly use certificates with their own root certificate authority (CA). It is common for the CA domain to be different than the domain of the Skype for Business server which causes the certificate to not be trusted, and sign-in fails. Skype needs to know the domain name of the certificate in order to set up a trust relationship. Enterprises typically use Group Policy to push this out to Skype desktop, but Group Policy is not supported on Surface Hub.
-## Add FQDN to Surface Hub
+**To configure the domain name for your Skype for Business server**
+1. On Surface Hub, open **Settings**.
+2. Click **This device**, and then click **Calling**.
+3. Under **Skype for Business configuration**, click **Configure domain name**.
+4. Type the domain name for your Skype for Business server, and then click **Ok**.
+> [!TIP]
+> You can type multiple domain names, separated by commas.
For example: lync.com, outlook.com, lync.glbdns.microsoft.com
-You use the Settings app on Surface Hub to add FQDN information. You can add multiple entries, if needed.
-
-**To add Skype for Business Server FQDN**
-1. On Surface Hub open the **Settings** app.
-2. Navigate to **System**, **Microsoft Surface Hub**.
-3. Under **Skype for Business**, click **Add FQDN**.
-4. Type the FQDN for the Skype for Business certificate. You can type multiple FQDNs separated by a comma. For example: lync.com, outlook.com, lync.glbdns.microsoft.com.
-
- 
\ No newline at end of file
+ 
\ No newline at end of file
diff --git a/devices/surface-hub/wireless-network-management-for-surface-hub.md b/devices/surface-hub/wireless-network-management-for-surface-hub.md
index 8593840926..0ccd6ad70d 100644
--- a/devices/surface-hub/wireless-network-management-for-surface-hub.md
+++ b/devices/surface-hub/wireless-network-management-for-surface-hub.md
@@ -36,10 +36,7 @@ If a wired network connection is not available, the Surface Hub can use a wirele
1. On the Surface Hub, open **Settings** and enter your admin credentials.
2. Click **System**, click **Network & Internet**, then **Wi-Fi**, and then click **Advanced options**.
-
- 
-
-3. The system will show you the properties for the wireless network connection.
+3. Surface Hub shows you the properties for the wireless network connection.
diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md
index 81002929b2..bcf28c02a2 100644
--- a/education/windows/chromebook-migration-guide.md
+++ b/education/windows/chromebook-migration-guide.md
@@ -35,8 +35,8 @@ App migration or replacement is an essential part of your Chromebook migration.
Before you can do any analysis or make decisions about which apps to migrate or replace, you need to identify which apps are currently in use on the Chromebook devices. You will create a list of apps that are currently in use (also called an app portfolio).
-**Note**
-The majority of Chromebook apps are web apps. For these apps you need to first perform Microsoft Edge compatibility testing and then publish the web app URL to the Windows users. For more information, see the [Perform app compatibility testing for web apps](#perform-testing-webapps) section.
+> [!NOTE]
+> The majority of Chromebook apps are web apps. For these apps you need to first perform Microsoft Edge compatibility testing and then publish the web app URL to the Windows users. For more information, see the [Perform app compatibility testing for web apps](#perform-testing-webapps) section.
diff --git a/education/windows/images/PCicon.png b/education/windows/images/PCicon.png
new file mode 100644
index 0000000000..c97c137b83
Binary files /dev/null and b/education/windows/images/PCicon.png differ
diff --git a/education/windows/images/clipboard.png b/education/windows/images/clipboard.png
new file mode 100644
index 0000000000..bbfa2c9e8d
Binary files /dev/null and b/education/windows/images/clipboard.png differ
diff --git a/education/windows/images/education.png b/education/windows/images/education.png
new file mode 100644
index 0000000000..cc4f7fabb2
Binary files /dev/null and b/education/windows/images/education.png differ
diff --git a/education/windows/images/lightbulb.png b/education/windows/images/lightbulb.png
new file mode 100644
index 0000000000..95bea10957
Binary files /dev/null and b/education/windows/images/lightbulb.png differ
diff --git a/education/windows/images/list.png b/education/windows/images/list.png
new file mode 100644
index 0000000000..089827c373
Binary files /dev/null and b/education/windows/images/list.png differ
diff --git a/education/windows/index.md b/education/windows/index.md
index f8d54749bf..794b6706ac 100644
--- a/education/windows/index.md
+++ b/education/windows/index.md
@@ -1,6 +1,7 @@
---
title: Windows 10 for Education (Windows 10)
-description: Learn about using Windows 10 in schools.
+description: Learn how to use Windows 10 in schools.
+keywords: Windows 10, education
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -9,24 +10,37 @@ author: jdeckerMS
---
# Windows 10 for Education
-[Windows 10 Education and Windows 10 Pro Education](https://www.microsoft.com/en-us/education/products/windows/default.aspx) empowers staff, administrators, teachers and students to do great things.
+
-[Find out how to get Windows 10 Education or Windows 10 Pro Education for your school](https://www.microsoft.com/en-us/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools)
+[Windows 10 Education and Windows 10 Pro Education](https://www.microsoft.com/en-us/education/products/windows/default.aspx) empowers staff, administrators, teachers, and students to do great things.
-[Learn more about what features and functionality are supported in each Windows edition](https://www.microsoft.com/en-us/WindowsForBusiness/Compare)
+##  Learn
-## In this section
+
+
+
+
+[Windows 10 editions for education customers](windows-editions-for-education-customers.md)
Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: Windows 10 Pro Education and Windows 10 Education. These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments.
[Compare each Windows edition](https://www.microsoft.com/en-us/WindowsForBusiness/Compare)
Find out more about the features and functionality we support in each edition of Windows.
+[Get Windows 10 Education or Windows 10 Pro Education](https://www.microsoft.com/en-us/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools)
When you've made your decision, find out how to buy Windows for your school.
+
+
+
+[Provisioning options for Windows 10](set-up-windows-10.md)
Depending on your school's device management needs, Windows offers a variety of options that you can use to set up Windows 10 on your devices.
+[Get Minecraft Education Edition](get-minecraft-for-education.md)
Minecraft Education Edition is built for learning. Learn how to get early access and add it to your Microsoft Store for Business for distribution.
[Take tests in Windows 10](take-tests-in-windows-10.md)
Take a Test is a new app that lets you create the right environment for taking tests. Learn how to use and get it set up.
[Chromebook migration guide](chromebook-migration-guide.md)
Find out how you can migrate a Chromebook-based learning environment to a Windows 10-based learning environment.
+
+
+
[Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
Learn how to customize the OS privacy settings, Skype, and Xbox for Windows-based devices used in schools so that you can choose what information is shared with Microsoft.
+ [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
Get step-by-step guidance to help you deploy Windows 10 in a school environment.
+ [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.
-
+
- Remove nonessential external hardware, such as docks and USB devices.
- Check all hard drives for errors and attempt repairs. To automatically repair hard drives, open an elevated command prompt, switch to the drive you wish to repair, and type the following command. You will be required to reboot the computer if the hard drive being repaired is also the system drive.
- chkdsk /F @@ -81,14 +84,12 @@ The following steps can resolve many Windows upgrade problems.
- Verify compatibility information and re-install antivirus applications after the upgrade.
- Uninstall all nonessential software. -
- Remove nonessential external hardware, such as docks and USB devices.
- Update firmware and drivers.
- Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process.
- Verify at least 16 GB of free space is available to upgrade a 32-bit OS, or 20 GB for a 64-bit OS.
For more info, see [Out-of-date ActiveX control blocking](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking).
+
+As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like Group Policy, Active Directory, and System Center Configuration Manager. It also delivers a “mobile-first, cloud-first” approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Rights Management Service, Office 365, and the Windows Store for Business.
+
+## Deployment and Provisioning
+
+With Windows 10, you can continue to use traditional OS deployment, but you can also “manage out of the box.” To transform new devices into fully-configured, fully-managed devices, you can:
+
+
+
+- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services like Microsoft Intune.
+
+- Create self-contained provisioning packages built with the Windows Imaging and Configuration Designer (ICD).
+
+- Use traditional imaging techniques such as deploying custom images using System Center Configuration Manager.
+
+You have multiple options for upgrading to Windows 10. For existing devices running Windows 7 or Windows 8.1, you can use the robust in-place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all the existing apps, data, and settings. This can mean significantly lower deployment costs, as well as improved productivity as end users can be immediately productive – everything is right where they left it. Of course, you can also use a traditional wipe-and-load approach if you prefer, using the same tools that you use today with Windows 7.
+
+## Identity and Authentication
+
+You can use Windows 10 and services like Azure Active Directory in new ways for cloud-based identity, authentication, and management. You can offer your users the ability to **“bring your own device” (BYOD)** or to **“choose your own device” (CYOD)** from a selection you make available. At the same time, you might be managing PCs and tablets that must be domain-joined because of specific applications or resources that are used on them.
+
+You can envision user and device management as falling into these two categories:
+
+- **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows 10, your employees can self-provision their devices:
+
+- For corporate devices, they can set up corporate access with Azure AD Join. When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://blogs.technet.microsoft.com/ad/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/), all from the cloud.
+ Azure AD Join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources.
+
+- Likewise, for personal devices, employees can use a new, simplified BYOD experience to add their work account to Windows, then access work resources on the device.
+
+- **Domain joined PCs and tablets used for traditional applications and access to important resources.** These may be traditional applications and resources that require authentication or accessing highly sensitive or classified resources on-premises.
+ With Windows 10, if you have an on-premises Active Directory domain that’s integrated with Azure AD, when employee devices are joined, they automatically register with Azure AD. This provides:
+
+ - Single sign-on to cloud and on-premises resources from everywhere
+
+ - Enterprise roaming of settings
+
+ - Conditional access to corporate resources based on the health or configuration of the device
+
+ - Windows Hello for Business
+
+ - Windows Hello
+
+ Domain joined PCs and tablets can continue to be managed with the System Center Configuration Manager client or Group Policy.
+
+For more information about how Windows 10 and Azure AD optimize access to work resources across a mix of devices and scenarios, see [Using Windows 10 devices in your workplace](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-windows10-devices/).
+
+As you review the roles in your organization, you can use the following generalized decision tree to begin to identify users or devices that require domain join. Consider switching the remaining users to Azure AD.
+
+
+
+## Settings and Configuration
+
+Your configuration requirements are defined by multiple factors, including the level of management needed, the devices and data managed, and your industry requirements. Meanwhile, employees are frequently concerned about IT applying strict policies to their personal devices, but they still want access to corporate email and documents. With Windows 10, you can create a consistent set of configurations across PCs, tablets, and phones through the common MDM layer.
+
+**MDM**: MDM gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, Group Policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. This makes MDM the best choice for devices that are constantly on the go.
+
+**Group Policy** and **System Center Configuration Manager**: Your organization might still need to manage domain joined computers at a granular level such as Internet Explorer’s 1,500 configurable Group Policy settings, or very specific Windows Firewall rules. If so, Group Policy and System Center Configuration Manager continue to be excellent management choices:
+
+- Group Policy is the best way to granularly configure domain joined Windows PCs and tablets connected to the corporate network using Windows-based tools. Microsoft continues to add Group Policy settings with each new version of Windows.
+
+- Configuration Manager remains the recommended solution for granular configuration with robust software deployment, Windows updates, and OS deployment.
+
+You can use the following generalized decision tree to review the management choices for devices in your organization:
+
+
+
+## Updating and Servicing
+
+With Windows as a Service, your IT department no longer needs to perform complex imaging (wipe-and-load) processes with each new Windows release. Whether on current branch (CB) or current branch for business (CBB), devices receive the latest feature and quality updates through simple – often automatic – patching processes.
+
+MDM with Intune provide tools for applying Windows updates to client computers in your organization. Configuration Manager allows rich management and tracking capabilities of these updates, including maintenance windows and automatic deployment rules.
+
+## Next steps
+
+There are a variety of steps you can take to begin the process of modernizing device management in your organization:
+
+- **Assess current management practices, and look for investments you might make today.** Which of your current practices need to stay the same, and which can you change? Specifically, what elements of traditional management do you need to retain and where can you modernize? Whether you take steps to minimize custom imaging, re-evaluate settings management, or reassesses authentication and compliance, the benefits can be immediate.
+
+- **Assess the different use cases and management needs in your environment.** Are there groups of devices that could benefit from lighter, simplified management? BYOD devices, for example, are natural candidates for cloud-based management. Users or devices handling more highly regulated data might require an on-premises Active Directory domain for authentication. Configuration Manager and EMS provide you the flexibility to stage implementation of modern management scenarios while targeting different devices the way that best suits your business needs.
+
+- **Review the decision trees in this article.** With the different options in Windows 10, plus Configuration Manager and Enterprise Mobility + Security, you have the flexibility to handle imaging, authentication, settings, and management tools for any scenario.
+
+- **Take incremental steps.** Moving towards modern device management doesn’t have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this “managed diversity,” users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability.
+
+- **Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. As additional capabilities become available in the cloud-identity/MDM model, Microsoft is committed to providing a clear path from traditional to modern management.
diff --git a/windows/manage/uev-upgrade-uev-from-previous-releases.md b/windows/manage/uev-upgrade-uev-from-previous-releases.md
index aa12c04977..2487df2e88 100644
--- a/windows/manage/uev-upgrade-uev-from-previous-releases.md
+++ b/windows/manage/uev-upgrade-uev-from-previous-releases.md
@@ -19,9 +19,11 @@ If you’re already using UE-V 2.x and you’re planning to upgrade user devices
2. Verify that UE-V settings were migrated correctly.
-3. Enable the UE-V service on user devices.
+3. Set the template storage path to your current template store.
-4. Install the UE-V template generator if you want to synchronize application settings for custom applications.
+4. Enable the UE-V service on user devices.
+
+5. Install the UE-V template generator if you want to synchronize application settings for custom applications.
> **Important** You can upgrade your existing UE-V installation to Windows 10, version 1607 from UE-V versions 2.1 or 2.0 only. If you are using a previous version of UE-V, you’ll need to upgrade from that version to UE-V 2.x before you upgrade to Windows 10, version 1607..
@@ -49,7 +51,11 @@ After upgrading a user device to Windows 10, version 1607, it’s important to v
2. Navigate to **HKEY_LOCAL_MACHINE\Software\Microsoft\UEV\Agent\Configuration.**
-3. Verify that the settings storage path and the settings template catalog path are pointing to the same locations as before you upgraded the device to Windows 10.
+3. Verify that the settings storage path and the settings template catalog path are pointing to the same locations as before you upgraded the device to Windows 10.
+
+## Set the template storage path to your current template store
+
+Template Settings Storage Path will not automatically migrate. Run Set-UEVConfiguration in PowerShell or use the settings storage path Group Policy to configure and point to your current settings storage folder.
## Enable the UE-V service on user devices
diff --git a/windows/manage/waas-branchcache.md b/windows/manage/waas-branchcache.md
index 9bbd3db6e4..d40091a5ce 100644
--- a/windows/manage/waas-branchcache.md
+++ b/windows/manage/waas-branchcache.md
@@ -64,3 +64,4 @@ In addition to these steps, there is one requirement for WSUS to be able to use
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
- [Manage Windows 10 updates using Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Manage device restarts after updates](waas-restart.md)
diff --git a/windows/manage/waas-configure-wufb.md b/windows/manage/waas-configure-wufb.md
index e6c1f6e142..b8b3caef74 100644
--- a/windows/manage/waas-configure-wufb.md
+++ b/windows/manage/waas-configure-wufb.md
@@ -215,4 +215,5 @@ Enabling allows user to set deferral periods for upgrades and updates. It also
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
\ No newline at end of file
+- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Manage device restarts after updates](waas-restart.md)
\ No newline at end of file
diff --git a/windows/manage/waas-delivery-optimization.md b/windows/manage/waas-delivery-optimization.md
index ec8c9efdd4..0a4d81406e 100644
--- a/windows/manage/waas-delivery-optimization.md
+++ b/windows/manage/waas-delivery-optimization.md
@@ -225,7 +225,7 @@ To specify which devices are preferred, you can set the **Max Cache Age** config
On devices that are not preferred, you can choose to set the following policy to prioritize data coming from local peers instead of the Internet:
-- Set **DOBackgroundQoS** with a low value, for example `65536` which is the equivalent of 64 KB/s.
+- Set **DOMinBackgroundQoS** with a low value, for example `65536` which is the equivalent of 64 KB/s.
## Learn more
@@ -249,3 +249,4 @@ On devices that are not preferred, you can choose to set the following policy to
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Manage device restarts after updates](waas-restart.md)
diff --git a/windows/manage/waas-deployment-rings-windows-10-updates.md b/windows/manage/waas-deployment-rings-windows-10-updates.md
index 87b46bd064..a29b84d76e 100644
--- a/windows/manage/waas-deployment-rings-windows-10-updates.md
+++ b/windows/manage/waas-deployment-rings-windows-10-updates.md
@@ -73,4 +73,5 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+- [Manage device restarts after updates](waas-restart.md)
diff --git a/windows/manage/waas-integrate-wufb.md b/windows/manage/waas-integrate-wufb.md
index 63914b38ff..425b974656 100644
--- a/windows/manage/waas-integrate-wufb.md
+++ b/windows/manage/waas-integrate-wufb.md
@@ -106,4 +106,5 @@ For Windows 10, version 1607, organizations already managing their systems with
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Manage device restarts after updates](waas-restart.md)
diff --git a/windows/manage/waas-manage-updates-configuration-manager.md b/windows/manage/waas-manage-updates-configuration-manager.md
index 6a560d09d0..af90f73616 100644
--- a/windows/manage/waas-manage-updates-configuration-manager.md
+++ b/windows/manage/waas-manage-updates-configuration-manager.md
@@ -404,3 +404,4 @@ or Manage Windows 10 updates using System Center Configuration Manager (this top
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+- [Manage device restarts after updates](waas-restart.md)
diff --git a/windows/manage/waas-manage-updates-wsus.md b/windows/manage/waas-manage-updates-wsus.md
index 43121c0f0d..2586e69e82 100644
--- a/windows/manage/waas-manage-updates-wsus.md
+++ b/windows/manage/waas-manage-updates-wsus.md
@@ -348,4 +348,5 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
-- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
\ No newline at end of file
+- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Manage device restarts after updates](waas-restart.md)
\ No newline at end of file
diff --git a/windows/manage/waas-manage-updates-wufb.md b/windows/manage/waas-manage-updates-wufb.md
index 8cf7dfc5f2..a729beb244 100644
--- a/windows/manage/waas-manage-updates-wufb.md
+++ b/windows/manage/waas-manage-updates-wufb.md
@@ -132,5 +132,6 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Manage device restarts after updates](waas-restart.md)
diff --git a/windows/manage/waas-mobile-updates.md b/windows/manage/waas-mobile-updates.md
index 615e3ec321..f87eb7c461 100644
--- a/windows/manage/waas-mobile-updates.md
+++ b/windows/manage/waas-mobile-updates.md
@@ -75,6 +75,7 @@ If a device running Windows 10 Mobile Enterprise, version 1511, has Windows Upda
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+- [Manage device restarts after updates](waas-restart.md)
diff --git a/windows/manage/waas-optimize-windows-10-updates.md b/windows/manage/waas-optimize-windows-10-updates.md
index e094d5389a..20c26545c4 100644
--- a/windows/manage/waas-optimize-windows-10-updates.md
+++ b/windows/manage/waas-optimize-windows-10-updates.md
@@ -70,5 +70,6 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+- [Manage device restarts after updates](waas-restart.md)
diff --git a/windows/manage/waas-overview.md b/windows/manage/waas-overview.md
index 03729bd0a4..1a27b6ce30 100644
--- a/windows/manage/waas-overview.md
+++ b/windows/manage/waas-overview.md
@@ -177,6 +177,7 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+- [Manage device restarts after updates](waas-restart.md)
diff --git a/windows/manage/waas-restart.md b/windows/manage/waas-restart.md
new file mode 100644
index 0000000000..adfad1657b
--- /dev/null
+++ b/windows/manage/waas-restart.md
@@ -0,0 +1,90 @@
+---
+title: Manage device restarts after updates (Windows 10)
+description: tbd
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Manage device restarts after updates
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+You can use Group Policy settings or mobile device management (MDM) to configure when devices will restart after a Windows 10 update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts will not occur, or you can do both.
+
+## Schedule update installation
+
+When you set the **Configure Automatic Updates** policy to **Auto download and schedule the install**, you also configure the day and time for installation or you specify that installation will occur during the automatic maintenance time (configured using **Computer Configuration\Administrative Templates\Windows Components\Maintenance Scheduler**).
+
+When **Configure Automatic Updates** is enabled, you can enable one of the following additional policies to manage device restart:
+
+- **Turn off auto-restart for updates during active hours** prevents automatic restart during active hours.
+- **Always automatically restart at the scheduled time** forces a restart after the specified installation time and lets you configure a timer to warn a signed-in user that a restart is going to occur.
+- **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device will restart at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**.
+
+## Configure active hours
+
+You can configure active hours for devices without setting the **Configure Automatic Updates** policy. *Active hours* identify the period of time when you expect the device to be in use. Automatic restarts after an update will occur outside of the active hours.
+
+By default, active hours are from 8 AM to 5 PM on PCs and from 5 AM to 11 PM on phones. Users can change the active hours manually. Additionally, administrators can use Group Policy or MDM to set active hours for managed devices.
+
+To configure active hours using Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and open the **Turn off auto-restart for updates during active hours** policy setting. When the policy is enabled, you can set the start and end times for active hours.
+
+
+
+MDM uses the [Update/ActiveHoursStart and Update/ActiveHoursEnd](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_ActiveHoursEnd) settings in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to configure active hours.
+
+To configure active hours manually on a single device, go to **Settings** > **Update & security** > **Windows Update** and select **Change active hours**.
+
+
+
+## Limit restart delays
+
+After an update is installed, Windows 10 attemtps automatic restart outside of active hours. If the restart does not succeed after 7 days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from 7 days to a number of days between 2 and 14.
+
+## Group Policy settings for restart
+
+In the Group Policy editor, you will see a number of policy settings that pertain to restart behavior in **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The following table shows which policies apply to Windows 10.
+
+| Policy | Applies to Windows 10 | Notes |
+| --- | --- | --- |
+| Turn off auto-restart for updates during active hours |  | Use this policy to configure active hours, during which the device will not be restarted. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled. |
+| Always automatically restart at the scheduled time |  | Use this policy to configure a restart timer (between 15 and 180 minutes) that will start immediately after Windows Update installs important updates. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** policy is enabled. |
+| Specify deadline before auto-restart for update installation |  | Use this policy to specify how many days (between 2 and 14) an automatic restart can be delayed. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled. |
+| No auto-restart with logged on users for scheduled automatic updates installations |  | Use this policy to prevent automatic restart when a user is logged on. This policy applies only when the **Configure Automatic Updates** policy is configured to perform scheduled installations of updates. There is no equivalent MDM policy setting for Windows 10 Mobile. | +| Re-prompt for restart with scheduled installations |  | | +| Delay Restart for scheduled installations |  | | +| Reschedule Automatic Updates scheduled installations |  | | + +>[!NOTE] +>If you set conflicting restart policies, the actual restart behavior may not be what you expected. + + + + + +## Related topics + +- [Update Windows 10 in the enterprise](waas-update-windows-10.md) +- [Overview of Windows as a service](waas-overview.md) +- [Manage updates for Windows 10 Mobile Enterprise](waas-mobile-updates.md) +- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) +- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) +- [Configure Windows Update for Business](waas-configure-wufb.md) +- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) +- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) +- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) + + + + + + + + diff --git a/windows/manage/waas-servicing-branches-windows-10-updates.md b/windows/manage/waas-servicing-branches-windows-10-updates.md index 56bade4088..951dbf5b2a 100644 --- a/windows/manage/waas-servicing-branches-windows-10-updates.md +++ b/windows/manage/waas-servicing-branches-windows-10-updates.md @@ -25,7 +25,8 @@ Current Branch is the default servicing branch for all Windows 10 devices except | --- | --- | --- | --- | --- | | Home |  |  |  |  | | Pro |  |  |  |  | -| Enterprise |  |  |  |  | +| Enterprise |  |  |  |  | +| Enterprise LTSB |  |  |  |  | | Pro Education |  |  |  |  | | Education |  |  |  |  | | Mobile |  |  |  |  | @@ -124,5 +125,6 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma - [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) - [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) +- [Manage device restarts after updates](waas-restart.md) diff --git a/windows/manage/waas-servicing-strategy-windows-10-updates.md b/windows/manage/waas-servicing-strategy-windows-10-updates.md index aa4a14694e..3d0c53d0b5 100644 --- a/windows/manage/waas-servicing-strategy-windows-10-updates.md +++ b/windows/manage/waas-servicing-strategy-windows-10-updates.md @@ -65,3 +65,4 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma - [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) - [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) +- [Manage device restarts after updates](waas-restart.md) diff --git a/windows/manage/waas-update-windows-10.md b/windows/manage/waas-update-windows-10.md index 210676c642..459edddd80 100644 --- a/windows/manage/waas-update-windows-10.md +++ b/windows/manage/waas-update-windows-10.md @@ -34,6 +34,7 @@ Windows as a service provides a new way to think about building, deploying, and | [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md) | Explains how to use Windows Update for Business to manage when devices receive updates directly from Windows Update. Includes walkthroughs for configuring Windows Update for Business using Group Policy and Microsoft Intune. | | [Manage Windows 10 updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md) | Explains how to use WSUS to manage Windows 10 updates. | | [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | Explains how to use Configuration Manager to manage Windows 10 updates. | +| [Manage device restarts after updates](waas-restart.md) | Explains how to use Group Policy to manage device restarts. | >[!TIP] >Windows servicing is changing, but for disaster recovery scenarios and bare-metal deployments of Windows 10, you still can use traditional imaging software such as System Center Configuration Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows 10 images is similar to deploying previous versions of Windows. @@ -52,3 +53,4 @@ Windows as a service provides a new way to think about building, deploying, and + diff --git a/windows/manage/waas-wufb-group-policy.md b/windows/manage/waas-wufb-group-policy.md index 9d5bf8c874..952e283c6a 100644 --- a/windows/manage/waas-wufb-group-policy.md +++ b/windows/manage/waas-wufb-group-policy.md @@ -345,4 +345,5 @@ The **Ring 3 Broad IT** deployment ring has now been configured. Finally, config - [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) - [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) - [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) \ No newline at end of file +- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) +- [Manage device restarts after updates](waas-restart.md) \ No newline at end of file diff --git a/windows/manage/waas-wufb-intune.md b/windows/manage/waas-wufb-intune.md index 8ce9bae60a..be4b721572 100644 --- a/windows/manage/waas-wufb-intune.md +++ b/windows/manage/waas-wufb-intune.md @@ -268,6 +268,7 @@ You have now configured the **Ring 3 Broad IT** deployment ring to receive CBB f - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) - [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) - [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) +- [Manage device restarts after updates](waas-restart.md)