From 1e7c9a3ddc01731249a17f1079f3e8b13a613e7a Mon Sep 17 00:00:00 2001 From: LizRoss Date: Mon, 18 Jul 2016 07:06:31 -0700 Subject: [PATCH 01/23] Added text back in --- ...ate-and-verify-an-efs-dra-certificate.1.md | 90 +++++++++++++++++++ 1 file changed, 90 insertions(+) create mode 100644 windows/keep-secure/create-and-verify-an-efs-dra-certificate.1.md diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.1.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.1.md new file mode 100644 index 0000000000..03d72f1d40 --- /dev/null +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.1.md @@ -0,0 +1,90 @@ + +--- +title: Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate (Windows 10) +description: Follow these steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +--- + +# Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate +**Applies to:** + +- Windows 10 Insider Preview +- Windows 10 Mobile Preview + +[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] + +If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use EDP in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. + +The recovery process included in this topic only works for desktop devices. EDP deletes the data on Windows 10 Mobile devices. + +>**Important**
+If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. + +**To manually create an EFS DRA certificate** + +1. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate. + +2. Run this command: + + `cipher /r:` + + Where *<EFSRA>* is the name of the .cer and .pfx files that you want to create. + +3. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file. + + The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1. + + >**Important**
+ Because these files can be used to decrypt any EDP file, you must protect them accordingly. We highly recommend storing them as a public key (PKI) on a smart card with strong protection, stored in a secured physical location. + +4. Add your EFS DRA certificate to your EDP policy by using either Microsoft Intune or System Center Configuration Manager. + + >**Note**
+ To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) topic. + +**To verify your data recovery certificate is correctly set up on an EDP client computer** + +1. Open an app on your protected app list, and then create and save a file so that it’s encrypted by EDP. + +2. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: + + `cipher /c ` + + Where *<filename>* is the name of the file you created in Step 1. + +3. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list. + +**To recover your data using the EFS DRA certificate in a test environment** + +1. Copy your EDP-encrypted file to a location where you have admin access. + +2. Install the EFSDRA.pfx file, using your password. + +3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command: + + `cipher /d ` + + Where *<encryptedfile.extension>* is the name of your encrypted file. For example, corporatedata.docx. + +**To recover your EDP-protected desktop data after unenrollment** + +1. Have your employee sign in to the unenrolled device, open a command prompt, and type: + + `Robocopy “%localappdata%\Microsoft\EDP\Recovery” <“new_location”> /EFSRAW` + + Where *<”new_location”>* is a different location from where you store your recovery data. This location can be on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share that you can reach while logged in as a data recovery agent. + +2. 
Sign in to a different device with administrator credentials that have access to your organization's Data Recovery Agent (DRA) certificate, and perform the file decryption and recovery by typing: + + `cipher.exe /D <“new_location”>` + +3. Sign in to the unenrolled device as the employee, and type: + + `Robocopy <”new_location”> “%localappdata%\Microsoft\EDP\Recovery\Input”` + +4. Ask the employee to log back in to the device or to lock and unlock the device. + + The Windows Credential service automatically recovers the protected data from the `Recovery\Input` location. From 472827a8dd58583098ee0355bbe611e3daefc57c Mon Sep 17 00:00:00 2001 From: LizRoss Date: Mon, 18 Jul 2016 07:10:34 -0700 Subject: [PATCH 02/23] Fixing topic issue --- ...ate-and-verify-an-efs-dra-certificate.1.md | 90 ------------------- 1 file changed, 90 deletions(-) delete mode 100644 windows/keep-secure/create-and-verify-an-efs-dra-certificate.1.md diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.1.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.1.md deleted file mode 100644 index 03d72f1d40..0000000000 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.1.md +++ /dev/null 
@@ -1,90 +0,0 @@ - ---- -title: Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate (Windows 10) -description: Follow these steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ---- - -# Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate -**Applies to:** - -- Windows 10 Insider Preview -- Windows 10 Mobile Preview - -[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - -If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use EDP in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. - -The recovery process included in this topic only works for desktop devices. EDP deletes the data on Windows 10 Mobile devices. - ->**Important**
-If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. - -**To manually create an EFS DRA certificate** - -1. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate. - -2. Run this command: - - `cipher /r:` - - Where *<EFSRA>* is the name of the .cer and .pfx files that you want to create. - -3. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file. - - The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1. - - >**Important**
- Because these files can be used to decrypt any EDP file, you must protect them accordingly. We highly recommend storing them as a public key (PKI) on a smart card with strong protection, stored in a secured physical location. - -4. Add your EFS DRA certificate to your EDP policy by using either Microsoft Intune or System Center Configuration Manager. - - >**Note**
- To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) topic. - -**To verify your data recovery certificate is correctly set up on an EDP client computer** - -1. Open an app on your protected app list, and then create and save a file so that it’s encrypted by EDP. - -2. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: - - `cipher /c ` - - Where *<filename>* is the name of the file you created in Step 1. - -3. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list. - -**To recover your data using the EFS DRA certificate in a test environment** - -1. Copy your EDP-encrypted file to a location where you have admin access. - -2. Install the EFSDRA.pfx file, using your password. - -3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command: - - `cipher /d ` - - Where *<encryptedfile.extension>* is the name of your encrypted file. For example, corporatedata.docx. - -**To recover your EDP-protected desktop data after unenrollment** - -1. Have your employee sign in to the unenrolled device, open a command prompt, and type: - - `Robocopy “%localappdata%\Microsoft\EDP\Recovery” <“new_location”> /EFSRAW` - - Where *<”new_location”>* is a different location from where you store your recovery data. This location can be on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share that you can reach while logged in as a data recovery agent. - -2. 
Sign in to a different device with administrator credentials that have access to your organization's Data Recovery Agent (DRA) certificate, and perform the file decryption and recovery by typing: - - `cipher.exe /D <“new_location”>` - -3. Sign in to the unenrolled device as the employee, and type: - - `Robocopy <”new_location”> “%localappdata%\Microsoft\EDP\Recovery\Input”` - -4. Ask the employee to log back in to the device or to lock and unlock the device. - - The Windows Credential service automatically recovers the protected data from the `Recovery\Input` location. From 1c25b6c8ab4bce0b9a4222d0722be7d35e82a3e4 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Mon, 18 Jul 2016 07:13:08 -0700 Subject: [PATCH 03/23] Fixing broken topics --- ...ange-history-for-keep-windows-10-secure.md | 1 + ...reate-and-verify-an-efs-dra-certificate.md | 89 +++++++++++++++++++ 2 files changed, 90 insertions(+) create mode 100644 windows/keep-secure/create-and-verify-an-efs-dra-certificate.md diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 4b25f1edc5..1fe970c712 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -16,6 +16,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |New or changed topic | Description | |----------------------|-------------| +|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)] |[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |New | |[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |New | |[Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |New | 
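Review bot: The table row added to change-history-for-keep-windows-10-secure.md is malformed: the link is followed by a stray `]`, and the row has no Description cell or closing `|`, unlike the neighbouring rows that end in `|New |`. Suggest `|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |New |` so the table renders and the topic is marked the same way as the other new entries.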
diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md new file mode 100644 index 0000000000..84de2b4519 --- /dev/null +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -0,0 +1,89 @@ +--- +title: Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate (Windows 10) +description: Follow these steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +--- + +# Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate +**Applies to:** + +- Windows 10 Insider Preview +- Windows 10 Mobile Preview + +[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] + +If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use EDP in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. + +The recovery process included in this topic only works for desktop devices. EDP deletes the data on Windows 10 Mobile devices. + +>**Important**
+If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. + +**To manually create an EFS DRA certificate** + +1. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate. + +2. Run this command: + + `cipher /r:` + + Where *<EFSRA>* is the name of the .cer and .pfx files that you want to create. + +3. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file. + + The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1. + + >**Important**
+ Because these files can be used to decrypt any EDP file, you must protect them accordingly. We highly recommend storing them as a public key (PKI) on a smart card with strong protection, stored in a secured physical location. + +4. Add your EFS DRA certificate to your EDP policy by using either Microsoft Intune or System Center Configuration Manager. + + >**Note**
+ To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) topic. + +**To verify your data recovery certificate is correctly set up on an EDP client computer** + +1. Open an app on your protected app list, and then create and save a file so that it’s encrypted by EDP. + +2. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: + + `cipher /c ` + + Where *<filename>* is the name of the file you created in Step 1. + +3. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list. + +**To recover your data using the EFS DRA certificate in a test environment** + +1. Copy your EDP-encrypted file to a location where you have admin access. + +2. Install the EFSDRA.pfx file, using your password. + +3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command: + + `cipher /d ` + + Where *<encryptedfile.extension>* is the name of your encrypted file. For example, corporatedata.docx. + +**To recover your EDP-protected desktop data after unenrollment** + +1. Have your employee sign in to the unenrolled device, open a command prompt, and type: + + `Robocopy “%localappdata%\Microsoft\EDP\Recovery” <“new_location”> /EFSRAW` + + Where *<”new_location”>* is a different location from where you store your recovery data. This location can be on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share that you can reach while logged in as a data recovery agent. + +2. 
Sign in to a different device with administrator credentials that have access to your organization's Data Recovery Agent (DRA) certificate, and perform the file decryption and recovery by typing: + + `cipher.exe /D <“new_location”>` + +3. Sign in to the unenrolled device as the employee, and type: + + `Robocopy <”new_location”> “%localappdata%\Microsoft\EDP\Recovery\Input”` + +4. Ask the employee to log back in to the device or to lock and unlock the device. + + The Windows Credential service automatically recovers the protected data from the `Recovery\Input` location. From 7df7f72ddd510af164c35612f20beb5d8e8eb400 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Mon, 18 Jul 2016 07:22:50 -0700 Subject: [PATCH 04/23] Added DRA topic to TOC --- windows/keep-secure/TOC.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index e2590ac099..027a9f1fa0 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -30,6 +30,7 @@ ##### [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md) #### [Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) ### [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md) +#### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)] #### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md) #### [Enlightened apps for use with enterprise data protection (EDP)](enlightened-microsoft-apps-and-edp.md) #### [Testing scenarios for enterprise data protection (EDP)](testing-scenarios-for-edp.md) From 401cb6a038cd9ef26bd009665be9ebe35d38657c Mon Sep 17 00:00:00 2001 
From: LizRoss Date: Mon, 18 Jul 2016 07:32:56 -0700 Subject: [PATCH 05/23] Moved topic in TOC --- windows/keep-secure/TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 027a9f1fa0..59d9b683d8 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -29,8 +29,8 @@ ##### [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) ##### [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md) #### [Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) -### [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md) #### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)] +### [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md) #### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md) #### [Enlightened apps for use with enterprise data protection (EDP)](enlightened-microsoft-apps-and-edp.md) #### [Testing scenarios for enterprise data protection (EDP)](testing-scenarios-for-edp.md) From 4fe90bda85afbb122143c490c251614cb2f8568e Mon Sep 17 00:00:00 2001 From: LizRoss Date: Mon, 18 Jul 2016 07:36:20 -0700 Subject: [PATCH 06/23] Updated to include DRA topic --- windows/keep-secure/overview-create-edp-policy.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/keep-secure/overview-create-edp-policy.md b/windows/keep-secure/overview-create-edp-policy.md index 02e9e28ec7..abd098560f 100644 --- a/windows/keep-secure/overview-create-edp-policy.md +++ b/windows/keep-secure/overview-create-edp-policy.md 
@@ -24,6 +24,7 @@ Microsoft Intune and System Center Configuration Manager Technical Preview versi |------|------------| |[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |Intune helps you create and deploy your EDP policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. | |[Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |System Center Configuration Manager Technical Preview version 1605 or later helps you create and deploy your EDP policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. | +|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)] |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |     From 6bc10261524a6452cd066afe5b69d4915154665a Mon Sep 17 00:00:00 2001 From: LizRoss Date: Mon, 18 Jul 2016 08:13:40 -0700 Subject: [PATCH 07/23] changed description slightly --- windows/keep-secure/create-and-verify-an-efs-dra-certificate.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md index 84de2b4519..1d26215059 100644 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md 
@@ -1,6 +1,6 @@ --- title: Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate (Windows 10) -description: Follow these steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. +description: Follow these steps to create, verify, and perform a quick recovery by using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library From ad50f83f256d3203941d982b8f933aa90e8ab19b Mon Sep 17 00:00:00 2001 From: jamiejdt Date: Tue, 19 Jul 2016 16:30:30 -0700 Subject: [PATCH 08/23] Commit --- .../uev-v2/deploy-ue-v-2x-for-custom-applications-new-uevv2.md | 1 + ...om-ue-v-2x-templates-and-the-ue-v-2x-generator-new-uevv2.md | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/mdop/uev-v2/deploy-ue-v-2x-for-custom-applications-new-uevv2.md b/mdop/uev-v2/deploy-ue-v-2x-for-custom-applications-new-uevv2.md index bea4eef51e..724ad604c8 100644 --- a/mdop/uev-v2/deploy-ue-v-2x-for-custom-applications-new-uevv2.md +++ b/mdop/uev-v2/deploy-ue-v-2x-for-custom-applications-new-uevv2.md @@ -81,6 +81,7 @@ UE-V settings location templates cannot be created from virtualized applications - Windows operating system files that are located in %Systemroot% If registry keys and files that are stored in excluded locations are required to synchronize application settings, you can manually add the locations to the settings location template during the template creation process. +However, only changes to the HKEY\_CURRENT\_USER hive will be sync-ed. ### Replace the default Microsoft templates diff --git a/mdop/uev-v2/working-with-custom-ue-v-2x-templates-and-the-ue-v-2x-generator-new-uevv2.md b/mdop/uev-v2/working-with-custom-ue-v-2x-templates-and-the-ue-v-2x-generator-new-uevv2.md index 04136b1e89..d0fe551e08 100644 --- a/mdop/uev-v2/working-with-custom-ue-v-2x-templates-and-the-ue-v-2x-generator-new-uevv2.md 
+++ b/mdop/uev-v2/working-with-custom-ue-v-2x-templates-and-the-ue-v-2x-generator-new-uevv2.md @@ -49,7 +49,8 @@ The UE-V Generator excludes locations, which commonly store application software - Windows operating system files that are located in %Systemroot%, which requires administrator rights and might require to set a UAC agreement -If registry keys and files that are stored in these locations are required to synchronize application settings, you can manually add the excluded locations to the settings location template during the template creation process. +If registry keys and files that are stored in these locations are required to synchronize application settings, you can manually add the excluded locations to the settings location template during the template creation process + (except for registry entries in the HKEY\_LOCAL\_MACHINE hive). ## Edit Settings Location Templates with the UE-V Generator From dc9ef4ea5ac9d88a783743ffd38583999858f344 Mon Sep 17 00:00:00 2001 From: Nicola Dolci Date: Tue, 19 Jul 2016 19:03:47 -0700 Subject: [PATCH 09/23] Updated for production Updated to handle lang set, transformer options, metadata --- .localization-config | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/.localization-config b/.localization-config index c24369eb99..d363f9d920 100644 --- a/.localization-config +++ b/.localization-config @@ -1,8 +1,21 @@ -{ - "locales": [ "zh-cn" ], +{ + + "filters": [ + + { + "metadata": { + "localizationpriority": [ "high", "medium" ] + } + } +], + + "locales": [ "ja-jp", "de-de", "fr-fr", "zh-cn", "zh-tw", "ko-kr", "es-es", "it-it", "ru-ru", "pt-br" ], "files": ["!/*.md", "**/**/*.md", "**/*.md"], - "includeDependencies": true, - "autoPush": true, + "includeDependencies": true, + "autoPush": true, "xliffVersion": "2.0", - "useJavascriptMarkdownTransformer": true -} + "useJavascriptMarkdownTransformer": true, + "markdownTransformerOptions": { + "lockBackslashEscapeChars": false + } +} 
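Review bot: The new `filters` block in .localization-config selects on `localizationpriority` metadata, but nothing in the change says what happens to topics that do not set that key, and the topic front matter added earlier in this series (title, description, ms.prod, ms.mktglfcycl, ms.sitesec, ms.pagetype) does not set it. JSON cannot carry comments, so state the intended behaviour for topics without the key in the commit message or contributor docs, and do the same for `lockBackslashEscapeChars`. Formatting is also uneven: the blank `+` lines inside `filters` and the closing `],` at column 0 do not match the indentation of the other keys.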
From 93b769ffba7fa51eed376247096e7b7f54d5fbd6 Mon Sep 17 00:00:00 2001 From: jcaparas Date: Wed, 20 Jul 2016 15:40:21 +1000 Subject: [PATCH 10/23] add line break --- ...oints-script-windows-defender-advanced-threat-protection.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md index 37cff93fb6..9d4a39eccc 100644 --- a/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md @@ -45,6 +45,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days 1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): a. Click **Endpoint Management** on the **Navigation pane**. + b. Under **Endpoint offboarding** section, select **Group Policy**, click **Download package** and save the .zip file. 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. 
@@ -66,4 +67,4 @@ For security reasons, the package used to offboard endpoints will expire 30 days - [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) - [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) - [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) -- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) \ No newline at end of file +- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) From d84da1c2ef7ae786fbdd905f0654a64a0f4849ce Mon Sep 17 00:00:00 2001 From: Nicola Dolci Date: Wed, 20 Jul 2016 11:54:47 -0700 Subject: [PATCH 11/23] Removing medium, just high for now --- .localization-config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.localization-config b/.localization-config index d363f9d920..148efa2f39 100644 --- a/.localization-config +++ b/.localization-config @@ -4,7 +4,7 @@ { "metadata": { - "localizationpriority": [ "high", "medium" ] + "localizationpriority": [ "high" ] } } ], From 295373c1b741337d166c56e4a302f989a036f40e Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 20 Jul 2016 14:12:17 -0700 Subject: [PATCH 12/23] Updated topic based on tech review --- ...reate-and-verify-an-efs-dra-certificate.md | 60 ++++++++++++------- 1 file changed, 40 insertions(+), 20 deletions(-) diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md index 1d26215059..eb3965f6f1 100644 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md 
@@ -1,6 +1,7 @@ --- title: Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate (Windows 10) description: Follow these steps to create, verify, and perform a quick recovery by using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. +keywords: Windows Information Protection, WIP, WIP, Enterprise Data Protection ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library @@ -15,12 +16,12 @@ ms.pagetype: security [Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] -If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use EDP in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. +If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. -The recovery process included in this topic only works for desktop devices. EDP deletes the data on Windows 10 Mobile devices. +The recovery process included in this topic only works for desktop devices. WIP deletes the data on Windows 10 Mobile devices. >**Important**
-If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. +If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/en-us/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/en-us/library/cc875821.aspx). **To manually create an EFS DRA certificate** @@ -37,30 +38,32 @@ If you already have an EFS DRA certificate for your organization, you can skip c The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1. >**Important**
- Because these files can be used to decrypt any EDP file, you must protect them accordingly. We highly recommend storing them as a public key (PKI) on a smart card with strong protection, stored in a secured physical location. + Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location. -4. Add your EFS DRA certificate to your EDP policy by using either Microsoft Intune or System Center Configuration Manager. +4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as Microsoft Intune or System Center Configuration Manager. >**Note**
- To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) topic. + To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-edp-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) topic. -**To verify your data recovery certificate is correctly set up on an EDP client computer** +**To verify your data recovery certificate is correctly set up on an WIP client computer** -1. Open an app on your protected app list, and then create and save a file so that it’s encrypted by EDP. +1. Find or create a file that's encrypted using Windows Information Protection. For example, you could open an app on your allowed app list, and then create and save a file so it’s encrypted by WIP. -2. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: +2. Open an app on your protected app list, and then create and save a file so that it’s encrypted by WIP. + +3. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: `cipher /c ` Where *<filename>* is the name of the file you created in Step 1. -3. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list. +4. 
Make sure that your data recovery certificate is listed in the **Recovery Certificates** list. **To recover your data using the EFS DRA certificate in a test environment** -1. Copy your EDP-encrypted file to a location where you have admin access. +1. Copy your WIP-encrypted file to a location where you have admin access. -2. Install the EFSDRA.pfx file, using your password. +2. Install the EFSDRA.pfx file, using its password. 3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command: @@ -68,22 +71,39 @@ If you already have an EFS DRA certificate for your organization, you can skip c Where *<encryptedfile.extension>* is the name of your encrypted file. For example, corporatedata.docx. -**To recover your EDP-protected desktop data after unenrollment** +**To quickly recover WIP-protected desktop data after unenrollment** +It's possible that you might revoke data from an unenrolled device only to later want to restore it all. This can happen in the case of a missing device being returned or if an unenrolled employee enrolls again. If the employee enrolls again using the original user profile, and the revoked key store is still on the device, all of the revoked data can be restored at once, by following these steps. + +>**Important**
To maintain control over your enterprise data, and to be able to revoke again in the future, you must only perform this process after the employee has re-enrolled the device. 1. Have your employee sign in to the unenrolled device, open a command prompt, and type: - `Robocopy “%localappdata%\Microsoft\EDP\Recovery” <“new_location”> /EFSRAW` + `Robocopy “%localappdata%\Microsoft\WIP\Recovery” <“new_location”> /EFSRAW` - Where *<”new_location”>* is a different location from where you store your recovery data. This location can be on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share that you can reach while logged in as a data recovery agent. + Where *<”new_location”>* is in a different directory. This can be on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share that can be accessed while you're logged in as a data recovery agent. -2. Sign in to a different device with administrator credentials that have access to your organization's Data Recovery Agent (DRA) certificate, and perform the file decryption and recovery by typing: +2. Sign in to a different device with administrator credentials that have access to your organization's DRA certificate, and perform the file decryption and recovery by typing: `cipher.exe /D <“new_location”>` -3. Sign in to the unenrolled device as the employee, and type: +3. Have your employee sign in to the unenrolled device, and type: + + `Robocopy <”new_location”> “%localappdata%\Microsoft\WIP\Recovery\Input”` + +4. Ask the employee to lock and unlock the device. + + The Windows Credential service automatically recovers the employee’s previously revoked keys from the `Recovery\Input` location. 
+ +## Related topics +- [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/en-us/magazine/2007.02.securitywatch.aspx) + +- [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/en-us/library/cc875821.aspx) + +- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-edp-policy-using-intune.md) + +- [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) + +- [Creating a Domain-Based Recovery Agent](https://msdn.microsoft.com/en-us/library/cc875821.aspx#EJAA) - `Robocopy <”new_location”> “%localappdata%\Microsoft\EDP\Recovery\Input”` -4. Ask the employee to log back in to the device or to lock and unlock the device. - The Windows Credential service automatically recovers the protected data from the `Recovery\Input` location. From 56f2bb27c97968abedd87bc6543f40a3629bf770 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 20 Jul 2016 14:22:07 -0700 Subject: [PATCH 13/23] Fixed typo --- windows/keep-secure/TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 59d9b683d8..86c984bbe8 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md 
@@ -29,7 +29,7 @@ ##### [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) ##### [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md) #### [Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) -#### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)] +#### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) ### [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md) #### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md) #### [Enlightened apps for use with enterprise data protection (EDP)](enlightened-microsoft-apps-and-edp.md) From e6ca478c43c5b69593cdee2c0b43bc5af4b756cc Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 20 Jul 2016 14:26:51 -0700 Subject: [PATCH 14/23] Added spacing --- windows/keep-secure/create-and-verify-an-efs-dra-certificate.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md index eb3965f6f1..a2e26f0b66 100644 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -71,7 +71,7 @@ If you already have an EFS DRA certificate for your organization, you can skip c Where *<encryptedfile.extension>* is the name of your encrypted file. For example, corporatedata.docx. -**To quickly recover WIP-protected desktop data after unenrollment** +**To quickly recover WIP-protected desktop data after unenrollment**
It's possible that you might revoke data from an unenrolled device only to later want to restore it all. This can happen in the case of a missing device being returned or if an unenrolled employee enrolls again. If the employee enrolls again using the original user profile, and the revoked key store is still on the device, all of the revoked data can be restored at once, by following these steps. >**Important**
To maintain control over your enterprise data, and to be able to revoke again in the future, you must only perform this process after the employee has re-enrolled the device. From 4358b36b4cdcdf9ec1cace6eb59f100f09033086 Mon Sep 17 00:00:00 2001 From: jcaparas Date: Thu, 21 Jul 2016 14:46:06 +1000 Subject: [PATCH 15/23] fix typo --- ...oints-mdm-windows-defender-advanced-threat-protection.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md index 22692ee168..699d49c7ec 100644 --- a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md @@ -53,7 +53,7 @@ Health Status for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThrea Configuration for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | 0 or 1
Default value: 1 | Windows Defender ATP Sample sharing is enabled -> **Note**  Policies **Health Status for onboarded machines** use read-only properties and can't be remediated. +> **Note**  The **Health Status for onboarded machines** policy uses read-only properties and can't be remediated. ### Offboard and monitor endpoints @@ -82,11 +82,11 @@ Offboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding | Health Status for offboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | FALSE |Windows Defender ATP service is not running | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 0 | Offboarded from Windows Defender ATP -> **Note**  Policies **Health Status for offboarded machines** use read-only properties and can't be remediated. +> **Note**  The **Health Status for offboarded machines** policy uses read-only properties and can't be remediated. ## Related topics - [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) - [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) - [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) -- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) \ No newline at end of file +- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) From c0e1575f37b597d4c3b0349170049c15b022db37 Mon Sep 17 00:00:00 2001 
From: LizRoss Date: Thu, 21 Jul 2016 06:59:22 -0700 Subject: [PATCH 16/23] Updated with note about expired DRA certs --- windows/keep-secure/create-and-verify-an-efs-dra-certificate.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md index a2e26f0b66..5f9b52ebf2 100644 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -21,7 +21,7 @@ If you don’t already have an EFS DRA certificate, you’ll need to create and The recovery process included in this topic only works for desktop devices. WIP deletes the data on Windows 10 Mobile devices. >**Important**
-If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/en-us/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/en-us/library/cc875821.aspx). +If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/en-us/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/en-us/library/cc875821.aspx).

If your DRA certificate has expired, you won’t be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy. **To manually create an EFS DRA certificate** From 6c16831ff5860de735e0f9bae5de1806dbe72d87 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 21 Jul 2016 07:30:54 -0700 Subject: [PATCH 17/23] Updated --- ...change-history-for-keep-windows-10-secure.md | 2 +- windows/manage/manage-cortana-in-enterprise.md | 17 +++++++++-------- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 1fe970c712..1292a8cbbc 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -16,7 +16,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |New or changed topic | Description | |----------------------|-------------| -|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)] +|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)] |New | |[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |New | |[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |New | |[Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |New | diff --git a/windows/manage/manage-cortana-in-enterprise.md b/windows/manage/manage-cortana-in-enterprise.md index b44e4c4920..98ed3188ee 100644 --- a/windows/manage/manage-cortana-in-enterprise.md +++ b/windows/manage/manage-cortana-in-enterprise.md 
@@ -50,14 +50,15 @@ Set up and manage Cortana by using the following Group Policy and mobile device |Group policy |MDM policy |Description | |-------------|-----------|------------| -|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana |Experience/AllowCortana |Specifies whether employees can use Cortana.

**Note**
Employees can still perform searches even with Cortana turned off. | -|Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow input personalization |Privacy/AllowInput Personalization |Specifies whether to turn on automatic learning, which allows the collection of speech and handwriting patterns, typing history, contacts, and recent calendar information. It is required for the use of Cortana.

**Important**
Cortana won’t work if this setting is turned off (disabled). | -|None |System/AllowLocation |Specifies whether to allow app access to the Location service. | -|Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results |None |Specifies whether search can perform queries on the web and if the web results are displayed in search.

**Important**
Cortana won’t work if this setting is turned off (disabled). | -|Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location |Search/AllowSearchToUse Location |Specifies whether search and Cortana can provide location aware search and Cortana results.

**Important**
Cortana won’t work if this setting is turned off (disabled). | -|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search |Search/SafeSearch Permissions |Specifies what level of safe search (filtering adult content) is required.

**Note**
This setting only applies to Windows 10 Mobile. | -|User Configuration\Administrative Templates\Windows Components\File Explorer\Turn off display of recent search entries in the File Explorer search box |None |Specifies whether the search box can suggest recent queries and prevent entries from being stored in the registry for future reference.

**Important**
Cortana won’t work if this setting is turned off (disabled). | -|User Configuration\Administrative Templates\Start Menu and Taskbar\Do not search communications |None |Specifies whether the Start menu search box searches communications.

**Important**
Cortana won’t work if this setting is turned off (disabled). | +|Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock |AboveLock/AllowCortanaAboveLock |Specifies whether an employee can interact with Cortana using voice commands when the system is locked.

**Note**
This setting only applies to Windows 10 for desktop devices. | +|Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow input personalization |Privacy/AllowInputPersonalization |Specifies whether an employee can use voice commands with Cortana in the enterprise.

**In Windows 10, version 1511**
Cortana won’t work if this setting is turned off (disabled).

**In Windows 10, version 1607 and later**
Cortana still works if this setting is turned off (disabled). | +|None |System/AllowLocation |Specifies whether to allow app access to the Location service.

**In Windows 10, version 1511**
Cortana won’t work if this setting is turned off (disabled).

**In Windows 10, version 1607 and later**
Cortana still works if this setting is turned off (disabled). | +|None |Accounts/AllowMicrosoftAccountConnection |Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps.

Use this setting if you only want to support Azure AD in your organization. | +|Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location |Search/AllowSearchToUseLocation |Specifies whether Cortana can use your current location during searches and for location reminders. | +|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search |Search/SafeSearchPermissions |Specifies what level of safe search (filtering adult content) is required.

**Note**
This setting only applies to Windows 10 Mobile. | +|User Configuration\Administrative Templates\Windows Components\File Explorer\Turn off display of recent search entries in the File Explorer search box |None |Specifies whether the search box can suggest recent queries and prevent entries from being stored in the registry for future reference. | +|Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results |None |Specifies whether search can perform queries on the web and if the web results are displayed in search.

**In Windows 10 Pro edition**
This setting can’t be managed.

**In Windows 10 Enterprise edition**
Cortana won't work if this setting is turned off (disabled). | +|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana |Experience/AllowCortana |Specifies whether employees can use Cortana.

**Important**
Cortana won’t work if this setting is turned off (disabled). However, employees can still perform local searches even with Cortana turned off. | **More info:** - For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](http://go.microsoft.com/fwlink/p/?LinkId=717380) topic, located in the configuration service provider reference topics. For specific info about how to set, manage, and use each of these Group Policies to configure Cortana in your enterprise, see the [Group Policy TechCenter](http://go.microsoft.com/fwlink/p/?LinkId=717381). From bf5d33eeb69ecdac384328a9919cbf75d06dad42 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Thu, 21 Jul 2016 11:05:35 -0700 Subject: [PATCH 18/23] fixing links for loc and removing content from redirected topics --- .../connect-and-display-with-surface-hub.md | 4 +- .../surface-hub/device-reset-suface-hub.md | 32 +--------- .../apps-in-windows-store-for-business.md | 2 +- ...ge-inventory-windows-store-for-business.md | 64 +------------------ .../working-with-line-of-business-apps.md | 2 +- 5 files changed, 7 insertions(+), 97 deletions(-) diff --git a/devices/surface-hub/connect-and-display-with-surface-hub.md b/devices/surface-hub/connect-and-display-with-surface-hub.md index e5250193a8..5291c1653e 100644 --- a/devices/surface-hub/connect-and-display-with-surface-hub.md +++ b/devices/surface-hub/connect-and-display-with-surface-hub.md 
@@ -224,7 +224,7 @@ In replacement PC mode, the embedded computer of the Surface Hub is turned off a ### Software requirements -You can run Surface Hub in replacement PC mode with 64-bit versions of Windows 10 Home, Windows 10 Pro and Windows 10 Enterprise. You can download the [Surface Hub Replacement PC driver package](https://www.microsoft.com/en-us/download/details.aspx?id=52210) from the Microsoft download center. We recommend that you install these drivers on any computer you plan to use as a replacement PC. +You can run Surface Hub in replacement PC mode with 64-bit versions of Windows 10 Home, Windows 10 Pro and Windows 10 Enterprise. You can download the [Surface Hub Replacement PC driver package](https://www.microsoft.com/download/details.aspx?id=52210) from the Microsoft download center. We recommend that you install these drivers on any computer you plan to use as a replacement PC. ### Hardware requirements @@ -389,7 +389,7 @@ Replacement PC ports on 84" Surface Hub. **To use replacement PC mode** -1. Download and install the [Surface Hub Replacement PC driver package](https://www.microsoft.com/en-us/download/details.aspx?id=52210) on the replacement PC. +1. Download and install the [Surface Hub Replacement PC driver package](https://www.microsoft.com/download/details.aspx?id=52210) on the replacement PC. **Note**  We recommend that you set sleep or hibernation on the replacement PC so the Surface Hub will turn off the display when it isn't being used. diff --git a/devices/surface-hub/device-reset-suface-hub.md b/devices/surface-hub/device-reset-suface-hub.md index b90a11ada6..f91cbdd7b9 100644 --- a/devices/surface-hub/device-reset-suface-hub.md +++ b/devices/surface-hub/device-reset-suface-hub.md 
@@ -2,7 +2,7 @@ title: Device reset (Surface Hub) description: You may wish to reset your Microsoft Surface Hub. ms.assetid: 44E82EEE-1905-464B-A758-C2A1463909FF -redirect_url: https://technet.microsoft.com/en-us/itpro/surface-hub/device-reset-surface-hub +redirect_url: https://technet.microsoft.com/itpro/surface-hub/device-reset-surface-hub keywords: reset Surface Hub ms.prod: w10 ms.mktglfcycl: manage @@ -11,36 +11,6 @@ ms.pagetype: surfacehub author: TrudyHa --- -# Device reset (Surface Hub) - - -You may wish to reset your Microsoft Surface Hub. - -Typical reasons for a reset include: - -- The device isn’t running well after installing an update. -- You’re repurposing the device for a new meeting space and want to reconfigure it. -- You want to change how you locally manage the device. - -Initiating a reset will return the device to the last cumulative Windows update, and remove all local user files and configuration, including: - -- The device account -- MDM enrollment -- Domain join or Azure AD join information -- Local admins on the device -- Configurations from MDM or the Settings app - -**Important Note**
-Performing a device reset may take up to 6 hours. Do not interrupt the reset process. Interrupting the process will render the device inoperable, requiring warranty service to return to normal functionality. - -After the reset, you'll be taken through the [first run program](first-run-program-surface-hub.md) again. - -## Related topics - - -[Manage Microsoft Surface Hub](manage-surface-hub.md) - -[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)   diff --git a/windows/manage/apps-in-windows-store-for-business.md b/windows/manage/apps-in-windows-store-for-business.md index a7e6a9418d..f74b81160c 100644 --- a/windows/manage/apps-in-windows-store-for-business.md +++ b/windows/manage/apps-in-windows-store-for-business.md @@ -51,7 +51,7 @@ Apps that you acquire from the Store for Business only work on Windows 10-based Some apps are free, and some apps charge a price. Currently, you can pay for apps with a credit card. We'll be adding more payment options over time. -Some apps which are available to consumers in the Windows Store might not be available to organizations in the Windows Store for Business. App developers can opt-out their apps, and they also need to meet eligibility requirements for Windows Store for Business. For more information, read this info on [Organizational licensing options](https://msdn.microsoft.com/en-us/windows/uwp/publish/organizational-licensing). +Some apps which are available to consumers in the Windows Store might not be available to organizations in the Windows Store for Business. App developers can opt-out their apps, and they also need to meet eligibility requirements for Windows Store for Business. For more information, read this info on [Organizational licensing options](https://msdn.microsoft.com/windows/uwp/publish/organizational-licensing). **Note**
We are still setting up the catalog of apps for Windows Store for Business. If you are searching for an app and it isn’t available, please check again in a couple of days. diff --git a/windows/manage/manage-inventory-windows-store-for-business.md b/windows/manage/manage-inventory-windows-store-for-business.md index 8535d16d65..f8db99379b 100644 --- a/windows/manage/manage-inventory-windows-store-for-business.md +++ b/windows/manage/manage-inventory-windows-store-for-business.md 
@@ -1,70 +1,10 @@ --- title: Manage inventory in Windows Store for Business (Windows 10) description: When you acquire apps from the Windows Store for Business, we add them to the Inventory for your organization. Once an app is part of your inventory, you can distribute the app, and manage licenses. -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/app-inventory-management-windows-store-for-business +redirect_url: https://technet.microsoft.com/itpro/windows/manage/app-inventory-managemement-windows-store-for-business ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library --- -# Manage inventory in Window Store for Business -When you acquire apps from the Windows Store for Business, we add them to the inventory for your organization. Once an app is part of your inventory, you can distribute the app, and manage licenses. - -## Distribute apps -You can assign apps to people, or you can make apps available in your private store. Once an app is in your private store, people in your org can install the app on their devices. For more information, see [Distribute apps using your private store](distribute-apps-from-your-private-store.md). - -**To make an app in inventory available in your private store** - -1. Sign in to the [Store for Business](http://businessstore.microsoft.com). -2. Click **Manage**, and then choose **Inventory**. -3. Click **Refine**, and then choose **Online**. Store for Business will update the list of apps on the **Inventory** page. -4. From an app in **Inventory**, click the ellipses under **Action**, and then choose **Add to private store**. - -The value under Private store for the app will change to pending. It will take approximately twelve hours before the app is available in the private store. - -Employees can claim apps that admins added to the private store by doing the following. - -**To claim an app from the private store** - -1. 
Sign in to your computer with your Azure Active Directory (AD) credentials, and start the Windows Store app. -2. Click the private store tab. -3. Click the app you want to install, and then click **Install**. - -Another way to distribute apps is by assigning them to people in your organization. - -**To assign an app to an employee** - -1. Sign in to the [Store for Business](http://businessstore.microsoft.com). -2. Click **Manage**, and then choose **Inventory**. -3. Find an app, click the ellipses under **Action**, and then choose **Assign to people**. -4. Type the email address for the employee that you're assigning the app to, and click **Confirm**. - -Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**. Also, in the Windows Store app, they can find the app under **My Library**. - -## Manage licenses -For apps in inventory, when you assign an app to an employee, a license for the app is assigned to them. You can manage these licenses, either by assigning them, or reclaiming them so you can assign them to another employee. You can also remove an app from the private store. - -**To assign licenses** -1. Sign in to the [Store for Business](http://businessstore.microsoft.com). -2. Click **Manage**, and then choose **Inventory**. -3. Find an app, click the ellipses under **Action**, and then choose **View license details**. -4. Click **Assign to people**, type the name you are assigning the license to, and then click **Assign**. - -Store for Business assigns a license to the person, and adds them to the list of assigned licenses. - -**To reclaim licenses** -1. Sign in to the [Store for Business](http://businessstore.microsoft.com). -2. Click **Manage**, and then choose **Inventory**. -3. Find an app, click the ellipses under **Action**, and then choose **View license details**. -4. 
Click the name of the person you are reclaiming the license from, and then click **Reclaim licenses**. - -Store for Business reclaims the license, and updates the number of avialable licenses. After you reclaim a license, you can assign a license to another employee. - -**To remove an app from the private store** - -If you decide that you don't want an app available for employees to install on their own, you can remove it from your private store. -1. Sign in to the [Store for Business](http://businessstore.microsoft.com). -2. Click **Manage**, and then choose **Inventory**. -3. Find an app, click the ellipses under **Action**, and then choose **Remove from private store**, and then click **Remove**. - -The app will still be in your inventory, but your employees will not have access to the app from your private store. + diff --git a/windows/manage/working-with-line-of-business-apps.md b/windows/manage/working-with-line-of-business-apps.md index 4d8a12acf5..e0d0c284fe 100644 --- a/windows/manage/working-with-line-of-business-apps.md +++ b/windows/manage/working-with-line-of-business-apps.md @@ -81,7 +81,7 @@ After an app is published and available in the Store, ISVs publish an updated ve 5. Click **Save** to save your changes and start the app submission process. For more information, see [Organizational licensing options]( http://go.microsoft.com/fwlink/p/?LinkId=708615) and [Distributing LOB apps to enterprises](http://go.microsoft.com/fwlink/p/?LinkId=627543).
-**Note** In order to get the LOB app, the organization must be located in a [supported market](https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-store-for-business-overview#supported-markets), and you must not have excluded that market when submitting your app. +**Note** In order to get the LOB app, the organization must be located in a [supported market](https://technet.microsoft.com/itpro/windows/whats-new/windows-store-for-business-overview#supported-markets), and you must not have excluded that market when submitting your app. ### Add app to inventory (admin) From 7468e811803ba6bc28d9f50bb63b261ace0d419b Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Thu, 21 Jul 2016 11:22:21 -0700 Subject: [PATCH 19/23] fixing SCCM usage --- devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md index ff64d340d8..434d8f6989 100644 --- a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md +++ b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md @@ -35,7 +35,7 @@ Alternatively, the device can be enrolled like any other Windows device by going ### Manage a device through MDM -The following table lists the device settings that can be managed remotely using MDM, including the OMA URI paths that 3rd party MDM providers need to create policies. Intune and SCCM have special templates to help create policies to manage these settings. +The following table lists the device settings that can be managed remotely using MDM, including the OMA URI paths that 3rd party MDM providers need to create policies. Intune and System Center Configuration Manager have special templates to help create policies to manage these settings. From de7a346622e0f2e9dc0f6a2ca20ca4398d96768b Mon Sep 17 00:00:00 2001 
From: LizRoss Date: Thu, 21 Jul 2016 12:07:33 -0700 Subject: [PATCH 20/23] Fixed typo --- .../keep-secure/change-history-for-keep-windows-10-secure.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 1292a8cbbc..c3532cc64d 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -16,7 +16,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |New or changed topic | Description | |----------------------|-------------| -|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)] |New | +|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |New | |[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |New | |[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |New | |[Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |New | From c219db57dd40a612eb4e54613c91e7185fb09c1d Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Thu, 21 Jul 2016 13:26:26 -0700 Subject: [PATCH 21/23] fixing file name error with new file and adding redirect --- windows/manage/TOC.md | 2 +- ...managemement-windows-store-for-business.md | 222 +---------------- ...y-management-windows-store-for-business.md | 223 ++++++++++++++++++ 3 files changed, 225 insertions(+), 222 deletions(-) create mode 100644 windows/manage/app-inventory-management-windows-store-for-business.md diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md index 4c43c597ce..5c21315e5e 100644 --- a/windows/manage/TOC.md 
+++ b/windows/manage/TOC.md @@ -46,7 +46,7 @@ #### [Distribute apps with a management tool](distribute-apps-with-management-tool.md) #### [Distribute offline apps](distribute-offline-apps.md) ### [Manage apps](manage-apps-windows-store-for-business-overview.md) -#### [App inventory managemement for Windows Store for Business](app-inventory-managemement-windows-store-for-business.md) +#### [App inventory managemement for Windows Store for Business](app-inventory-management-windows-store-for-business.md) #### [Manage app orders in Windows Store for Business](manage-orders-windows-store-for-business.md) #### [Manage access to private store](manage-access-to-private-store.md) #### [Manage private store settings](manage-private-store-settings.md) diff --git a/windows/manage/app-inventory-managemement-windows-store-for-business.md b/windows/manage/app-inventory-managemement-windows-store-for-business.md index ca7d24b2a2..cbb66bff6b 100644 --- a/windows/manage/app-inventory-managemement-windows-store-for-business.md +++ b/windows/manage/app-inventory-managemement-windows-store-for-business.md @@ -2,6 +2,7 @@ title: App inventory management for Windows Store for Business (Windows 10) description: You can manage all apps that you've acquired on your Inventory page. ms.assetid: 44211937-801B-4B85-8810-9CA055CDB1B2 +redirect_url: https://technet.microsoft.com/itpro/windows/manage/app-inventory-managemement-windows-store-for-business ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library 
@@ -9,224 +10,3 @@ ms.pagetype: store author: TrudyHa --- -# App inventory management for Windows Store for Business - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -You can manage all apps that you've acquired on your **Inventory** page. - -The **Inventory** page in Windows Store for Business shows all apps in your inventory. This includes all apps that you've acquired from Store for Business, and the line-of-business (LOB) apps that you've accepted into your inventory. After LOB apps are submitted to your organization, you'll see a notification on your **Inventory** page. On the **New line-of-business apps** page, you can accept, or reject the LOB apps. For more information on LOB apps, see [Working with line-of-business apps](working-with-line-of-business-apps.md). - -All of these apps are treated the same once they are in your inventory and you can perform app lifecycle tasks for them: distribute apps, add apps to private store, review license details, and reclaim app licenses. - -![Image shows Inventory page in Windows Store for Business with status status options for an app.](images/wsfb-inventoryaddprivatestore.png) - -Store for Business shows this info for each app in your inventory: - -- Name - -- Access to actions for the app - -- Last modified date - -- Supported devices - -- Private store status - -### Find apps in your inventory - -There are a couple of ways to find specific apps, or groups of apps in your inventory. - -**Search** - Use the Search box to search for an app. - -**Refine** - Use **Refine** to scope your list of apps by one or more of these app attributes: - -- **License** - Online or offline licenses. For more info, see [Apps in Windows Store for Business](apps-in-windows-store-for-business.md#licensing-model). - -- **Platforms** - Lists the devices that apps in your inventory were originally written to support. This list is cumulative for all apps in your inventory. 
- -- **Source** - **Store**, for apps acquired from Store for Business, or LOB, for line-of-business apps. - -- **Private store** - **In private store**, or **Not in private store**, depending on whether or not you've added the app to your private store. - -### Manage apps in your inventory - -Each app in the Store for Business has an online, or an offline license. For more information on Store for Business licensing model, see [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md#licensing-model). There are different actions you can take depending on the app license type. They're summarized in this table. - -
----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ActionOnline-licensed appOffline-licensed app

Assign to employees

X

Add to private store

X

Remove from private store

X

View license details

X

View product details

X

X

Download for offline use

X

- -  - -The actions in the table are how you distribute apps, and manage app licenses. We'll cover those in the next sections. Working with offline-licensed apps has different steps. For more information on distributing offline-licensed apps, see [Distribute offline apps](distribute-offline-apps.md). - -### Distribute apps - -For online-licensed apps, there are a couple of ways to distribute apps from your inventory: - -- Assign apps to people in your organization. - -- Add apps to your private store, and let people in your organization install the app. - -If you use a management tool that supports Store for Business, you can distribute apps with your management tool. Once it is configured to work with Store for Business, your managment tool will have access to all apps in your inventory. For more information, see [Distribute apps with a management tool](distribute-apps-with-management-tool.md). - -Once an app is in your private store, people in your org can install the app on their devices. For more information, see [Distribute apps using your private store](distribute-apps-from-your-private-store.md). - -**To make an app in inventory available in your private store** - -1. Sign in to the [Store for Business](http://businessstore.microsoft.com). -2. Click **Manage**, and then choose **Inventory**. -3. Click **Refine**, and then choose **Online**. Store for Business will update the list of apps on the **Inventory** page. -4. From an app in **Inventory**, click the ellipses under **Action**, and then choose **Add to private store**. - -The value under Private store for the app will change to pending. It will take approximately twelve hours before the app is available in the private store. - -Employees can claim apps that admins added to the private store by doing the following. - -**To claim an app from the private store** - -1. Sign in to your computer with your Azure Active Directory (AD) credentials, and start the Windows Store app. -2. 
Click the private store tab. -3. Click the app you want to install, and then click **Install**. - -Another way to distribute apps is by assigning them to people in your organization. - -If you decide that you don't want an app available for employees to install on their own, you can remove it from your private store. - -**To remove an app from the private store** - -1. Sign in to the [Store for Business](http://businessstore.microsoft.com). -2. Click **Manage**, and then choose **Inventory**. -3. Find an app, click the ellipses under **Action**, and then choose **Remove from private store**, and then click **Remove**. - -The app will still be in your inventory, but your employees will not have access to the app from your private store. - -**To assign an app to an employee** - -1. Sign in to the [Store for Business](http://businessstore.microsoft.com). -2. Click **Manage**, and then choose **Inventory**. -3. Find an app, click the ellipses under **Action**, and then choose **Assign to people**. -4. Type the email address for the employee that you're assigning the app to, and click **Confirm**. - -Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**. Also, in the Windows Store app, they can find the app under **My Library**. - -### Manage app licenses - -For each app in your inventory, you can view and manage license details. This give you another way to assign apps to people in your organization. It also allows you to reclaim app licenses after they've been assigned to people, or claimed by people in your organization. - -**To view license details** - -1. Sign in to [Store for Business](http://go.microsoft.com/fwlink/p/?LinkId=691845) - -2. Click **Manage**, and then choose **Inventory**. - -3. Click the ellipses for an app, and then choose **View license details**. 
- - ![Image showing Inventory page in Windows Store for Business.](images/wsfb-inventory-viewlicense.png) - - You'll see the names of people in your organization who have installed the app and are using one of the licenses. - - ![Image showing assigned licenses for an app.](images/wsfb-licensedetails.png) - - On **Assigned licenses**, you can do several things: - - - Assign the app to other people in your organization. - - - Reclaim app licenses. - - - View app details. - - - Add the app to your private store, if it is not in the private store. - - You can assign the app to more people in your organization, or reclaim licenses. - - **To assign an app to more people** - - - Click **Assign to people**, type the email address for the employee that you're assigning the app to, and click **Assign**. - - ![Image showing Assign to people dialog for assigning app licenses to people in your organization.](images/wsfb-licenseassign.png) - - Store for Business updates the list of assigned licenses. - - **To reclaim licenses** - - - Choose the person you want to reclaim the license from, click **Reclaim licenses**, and then click **Reclaim licenses**. - - ![Image showing Assign to people dialog for reclaiming app licenses from people in your organization.](images/wsfb-licensereclaim.png) - - Store for Business updates the list of assigned licenses. - -### Download offline-licensed app - -Offline licensing is a new feature in Windows 10 and allows apps to be deployed to devices that are not connected to the Internet. This means organizations can deploy apps when users or devices do not have connectivity to the Store. - -You can download offline-licensed apps from your inventory. You'll need to download these items: - -- App metadata - -- App package - -- App license - -- App framework - -For more information about online and offline licenses, see [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md#licensing-model). 
- -For more information about downloading offline-licensed apps, see [Download offline apps](distribute-offline-apps.md). - -  - -  - - - - - diff --git a/windows/manage/app-inventory-management-windows-store-for-business.md b/windows/manage/app-inventory-management-windows-store-for-business.md new file mode 100644 index 0000000000..11ddab7ae7 --- /dev/null +++ b/windows/manage/app-inventory-management-windows-store-for-business.md 
@@ -0,0 +1,223 @@ +--- +title: App inventory management for Windows Store for Business (Windows 10) +description: You can manage all apps that you've acquired on your Inventory page. +ms.assetid: 44211937-801B-4B85-8810-9CA055CDB1B2 +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: store +author: TrudyHa +--- + +# App inventory management for Windows Store for Business + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +You can manage all apps that you've acquired on your **Inventory** page. + +The **Inventory** page in Windows Store for Business shows all apps in your inventory. This includes all apps that you've acquired from Store for Business, and the line-of-business (LOB) apps that you've accepted into your inventory. After LOB apps are submitted to your organization, you'll see a notification on your **Inventory** page. On the **New line-of-business apps** page, you can accept, or reject the LOB apps. For more information on LOB apps, see [Working with line-of-business apps](working-with-line-of-business-apps.md). + +All of these apps are treated the same once they are in your inventory and you can perform app lifecycle tasks for them: distribute apps, add apps to private store, review license details, and reclaim app licenses. + +![Image shows Inventory page in Windows Store for Business with status status options for an app.](images/wsfb-inventoryaddprivatestore.png) + +Store for Business shows this info for each app in your inventory: + +- Name + +- Access to actions for the app + +- Last modified date + +- Supported devices + +- Private store status + +### Find apps in your inventory + +There are a couple of ways to find specific apps, or groups of apps in your inventory. + +**Search** - Use the Search box to search for an app. + +**Refine** - Use **Refine** to scope your list of apps by one or more of these app attributes: + +- **License** - Online or offline licenses. 
For more info, see [Apps in Windows Store for Business](apps-in-windows-store-for-business.md#licensing-model). + +- **Platforms** - Lists the devices that apps in your inventory were originally written to support. This list is cumulative for all apps in your inventory. + +- **Source** - **Store**, for apps acquired from Store for Business, or LOB, for line-of-business apps. + +- **Private store** - **In private store**, or **Not in private store**, depending on whether or not you've added the app to your private store. + +### Manage apps in your inventory + +Each app in the Store for Business has an online, or an offline license. For more information on Store for Business licensing model, see [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md#licensing-model). There are different actions you can take depending on the app license type. They're summarized in this table. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ActionOnline-licensed appOffline-licensed app

Assign to employees

X

Add to private store

X

Remove from private store

X

View license details

X

View product details

X

X

Download for offline use

X

+ +  + +The actions in the table are how you distribute apps, and manage app licenses. We'll cover those in the next sections. Working with offline-licensed apps has different steps. For more information on distributing offline-licensed apps, see [Distribute offline apps](distribute-offline-apps.md). + +### Distribute apps + +For online-licensed apps, there are a couple of ways to distribute apps from your inventory: + +- Assign apps to people in your organization. + +- Add apps to your private store, and let people in your organization install the app. + +If you use a management tool that supports Store for Business, you can distribute apps with your management tool. Once it is configured to work with Store for Business, your managment tool will have access to all apps in your inventory. For more information, see [Distribute apps with a management tool](distribute-apps-with-management-tool.md). + +Once an app is in your private store, people in your org can install the app on their devices. For more information, see [Distribute apps using your private store](distribute-apps-from-your-private-store.md). + +**To make an app in inventory available in your private store** + +1. Sign in to the [Store for Business](http://businessstore.microsoft.com). +2. Click **Manage**, and then choose **Inventory**. +3. Click **Refine**, and then choose **Online**. Store for Business will update the list of apps on the **Inventory** page. +4. From an app in **Inventory**, click the ellipses under **Action**, and then choose **Add to private store**. + +The value under Private store for the app will change to pending. It will take approximately twelve hours before the app is available in the private store. + +Employees can claim apps that admins added to the private store by doing the following. + +**To claim an app from the private store** + +1. Sign in to your computer with your Azure Active Directory (AD) credentials, and start the Windows Store app. +2. 
Click the private store tab. +3. Click the app you want to install, and then click **Install**. + +Another way to distribute apps is by assigning them to people in your organization. + +If you decide that you don't want an app available for employees to install on their own, you can remove it from your private store. + +**To remove an app from the private store** + +1. Sign in to the [Store for Business](http://businessstore.microsoft.com). +2. Click **Manage**, and then choose **Inventory**. +3. Find an app, click the ellipses under **Action**, and then choose **Remove from private store**, and then click **Remove**. + +The app will still be in your inventory, but your employees will not have access to the app from your private store. + +**To assign an app to an employee** + +1. Sign in to the [Store for Business](http://businessstore.microsoft.com). +2. Click **Manage**, and then choose **Inventory**. +3. Find an app, click the ellipses under **Action**, and then choose **Assign to people**. +4. Type the email address for the employee that you're assigning the app to, and click **Confirm**. + +Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**. Also, in the Windows Store app, they can find the app under **My Library**. + +### Manage app licenses + +For each app in your inventory, you can view and manage license details. This give you another way to assign apps to people in your organization. It also allows you to reclaim app licenses after they've been assigned to people, or claimed by people in your organization. + +**To view license details** + +1. Sign in to [Store for Business](http://go.microsoft.com/fwlink/p/?LinkId=691845) + +2. Click **Manage**, and then choose **Inventory**. + +3. Click the ellipses for an app, and then choose **View license details**. 
+ + ![Image showing Inventory page in Windows Store for Business.](images/wsfb-inventory-viewlicense.png) + + You'll see the names of people in your organization who have installed the app and are using one of the licenses. + + ![Image showing assigned licenses for an app.](images/wsfb-licensedetails.png) + + On **Assigned licenses**, you can do several things: + + - Assign the app to other people in your organization. + + - Reclaim app licenses. + + - View app details. + + - Add the app to your private store, if it is not in the private store. + + You can assign the app to more people in your organization, or reclaim licenses. + + **To assign an app to more people** + + - Click **Assign to people**, type the email address for the employee that you're assigning the app to, and click **Assign**. + + ![Image showing Assign to people dialog for assigning app licenses to people in your organization.](images/wsfb-licenseassign.png) + + Store for Business updates the list of assigned licenses. + + **To reclaim licenses** + + - Choose the person you want to reclaim the license from, click **Reclaim licenses**, and then click **Reclaim licenses**. + + ![Image showing Assign to people dialog for reclaiming app licenses from people in your organization.](images/wsfb-licensereclaim.png) + + Store for Business updates the list of assigned licenses. + +### Download offline-licensed app + +Offline licensing is a new feature in Windows 10 and allows apps to be deployed to devices that are not connected to the Internet. This means organizations can deploy apps when users or devices do not have connectivity to the Store. + +You can download offline-licensed apps from your inventory. You'll need to download these items: + +- App metadata + +- App package + +- App license + +- App framework + +For more information about online and offline licenses, see [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md#licensing-model). 
+ +For more information about downloading offline-licensed apps, see [Download offline apps](distribute-offline-apps.md). \ No newline at end of file From ba15030bda2e67f9377c4dc871599a2e9b5677ea Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Thu, 21 Jul 2016 13:41:20 -0700 Subject: [PATCH 22/23] redirect --- .../app-inventory-managemement-windows-store-for-business.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/manage/app-inventory-managemement-windows-store-for-business.md b/windows/manage/app-inventory-managemement-windows-store-for-business.md index cbb66bff6b..1dedc043ff 100644 --- a/windows/manage/app-inventory-managemement-windows-store-for-business.md +++ b/windows/manage/app-inventory-managemement-windows-store-for-business.md @@ -2,7 +2,7 @@ title: App inventory management for Windows Store for Business (Windows 10) description: You can manage all apps that you've acquired on your Inventory page. ms.assetid: 44211937-801B-4B85-8810-9CA055CDB1B2 -redirect_url: https://technet.microsoft.com/itpro/windows/manage/app-inventory-managemement-windows-store-for-business +redirect_url: https://technet.microsoft.com/itpro/windows/manage/app-inventory-management-windows-store-for-business ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library From 9cd12df9683d08e8ed48d3930cd64ab287af1fa4 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 21 Jul 2016 16:38:04 -0700 Subject: [PATCH 23/23] removing en-us from redirected links --- ...nfigure-windows-10-devices-to-stop-data-flow-to-microsoft.md | 2 +- windows/manage/disconnect-your-organization-from-microsoft.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md b/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md index 66f10dbf1e..377c8066cf 100644 --- a/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md 
+++ b/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md @@ -1,6 +1,6 @@ --- title: Configure Windows 10 devices to stop data flow to Microsoft (Windows 10) -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services +redirect_url: https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services --- # Configure Windows 10 devices to stop data flow to Microsoft diff --git a/windows/manage/disconnect-your-organization-from-microsoft.md b/windows/manage/disconnect-your-organization-from-microsoft.md index f1077326eb..8a9777af29 100644 --- a/windows/manage/disconnect-your-organization-from-microsoft.md +++ b/windows/manage/disconnect-your-organization-from-microsoft.md @@ -1,4 +1,4 @@ --- title: Configure Windows 10 devices to stop data flow to Microsoft (Windows 10) -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft +redirect_url: https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services --- \ No newline at end of file
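
Review bot: in PATCH 21/23, the windows/manage/TOC.md hunk corrects the link target to `app-inventory-management-windows-store-for-business.md`, but the added line still reads `[App inventory managemement for Windows Store for Business]`, so the misspelling stays visible in the table of contents. Change the link text in that same line to "App inventory management for Windows Store for Business".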
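
Review bot: in PATCH 21/23, the `redirect_url` added to app-inventory-managemement-windows-store-for-business.md ends in `app-inventory-managemement-windows-store-for-business`, which repeats the misspelled name of the file it sits in instead of the new file created by this commit. PATCH 22/23 changes it to `app-inventory-management-windows-store-for-business`; squash 22 into 21 so that no commit in the series carries a redirect back to the old name.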
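
Review bot: in PATCH 21/23, every sign-in step in the new app-inventory-management-windows-store-for-business.md links to `http://businessstore.microsoft.com` (and one to `http://go.microsoft.com/fwlink/p/?LinkId=691845`), so a link that leads to a credential prompt starts on cleartext HTTP; use https:// URLs for these. The move also carries the old file's copy errors over unchanged: "status status options" in the first image alt text, "managment tool" under Distribute apps, "This give you" under Manage app licenses, and the reclaim step that says to click **Reclaim licenses** twice. Fix them while the text is being re-added, and end the file with a newline.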
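
Review bot: in PATCH 23/23, the hunk for disconnect-your-organization-from-microsoft.md does more than drop `en-us`: the `redirect_url` target changes from `configure-windows-10-devices-to-stop-data-flow-to-microsoft` to `manage-connections-from-windows-operating-system-components-to-microsoft-services`. The subject line "removing en-us from redirected links" does not cover a change of destination. Either mention in the commit message that the redirect now points directly at the final page, or split the retargeting into its own commit. The file also still ends without a trailing newline.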