Merge remote-tracking branch 'refs/remotes/origin/master' into sh-7964624

# Conflicts:

#	devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md
Trudy Hakala 2016-10-07 09:37:20 -07:00
commit 75366ac669
170 changed files with 4056 additions and 581 deletions


@ -6,6 +6,7 @@ ms.prod: ie11
ms.assetid: bddc2d97-c38d-45c5-9588-1f5bbff2e9c3
title: Internet Explorer 11 (IE11) - Deployment Guide for IT Pros (Internet Explorer 11 for IT Pros)
ms.sitesec: library
localizationpriority: low
---


@ -6,6 +6,7 @@ ms.prod: ie11
ms.assetid: 847bd7b4-d5dd-4e10-87b5-4d7d3a99bbac
title: Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide (Internet Explorer Administration Kit 11 for IT Pros)
ms.sitesec: library
localizationpriority: low
---


@ -11,7 +11,7 @@ localizationpriority: medium
---
# End a Surface Hub meeting with I'm Done
Surface Hub is a collaboration device designed to be used simultaneously and sequentially by multiple people. At the end of a Surface Hub meeting, one of the attendees can tap or click **I'm Done** to end the meeting. Tapping **I'm Done** tells Surface Hub to clean up info from the current meeting, so that it will be ready for the next meeting. When a meeting attendee taps **I'm Done**, Surface Hub cleans up, or resets, these states.
Surface Hub is a collaboration device designed to be used in meeting spaces by different groups of people. At the end of a meeting, users can tap **I'm Done** to clean up any sensitive data and prepare the device for the next meeting. Surface Hub will clean up, or reset, the following states:
- Applications
- Operating system
- User interface
@ -35,6 +35,7 @@ Skype does not store personally-identifiable information on Surface Hub. Informa
## Operating System
The operating system hosts a variety of information about the state of the sessions that needs to be cleared after each Surface Hub meeting.
### File System
Meeting attendees have access to a limited set of directories on the Surface Hub. When **I'm Done** is selected, Surface Hub clears these directories:<br>
- Music
@ -53,7 +54,7 @@ Surface Hub also clears these directories, since many applications often write t
- Public Downloads
### Credentials
User credentials that are stored in **TokenBroker**, **PasswordVault**, or **Credential Manager** are cleared when you tap Im done.
User credentials that are stored in **TokenBroker**, **PasswordVault**, or **Credential Manager** are cleared when you tap **Im done**.
## User interface
User interface (UI) settings are returned to their default values when **I'm Done** is selected.
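Review bot: The added Credentials line bolds the button label but still reads "Im done", without the apostrophe and with different capitalization from the **I'm Done** used everywhere else in this file. Write it as **I'm Done** so the sentence about clearing TokenBroker, PasswordVault, and Credential Manager names the same control as the rest of the page.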
@ -69,7 +70,7 @@ User interface (UI) settings are returned to their default values when **I'm Don
Accessibility features and apps are returned to default settings when **I'm Done** is selected.
- Filter keys
- High contrast
- Stickey keys
- Sticky keys
- Toggle keys
- Mouse keys
- Magnifier
@ -80,12 +81,11 @@ The clipboard is cleared to remove data that was copied to the clipboard during
## Frequently asked questions
**What happens if I forget to tap I'm Done at the end of a meeting, and someone else uses the Surface Hub later?**<br>
When you don't tap **I"m Done** at the end of your meeting, Surface Hub enters a Resume state. This is similar to leaving content on a whiteboard in a meeting room, and forgetting to erase the whiteboard. When you return to the meeting room, that content will still be on the whiteboard unless someone erarses it. With Surface Hub, meeting content is still available if an attendee doesn't tap **I'm Done**. However, Surface Hub removes all meeting data during daily maintenance. Any meeting that wasn't ended with **I'm Done** will be cleaned up during maintenance.
Surface Hub only cleans up meeting content when users tap **I'm Done**. If you leave the meeting without tapping **I'm Done**, the device will return to the welcome screen after some time. From the welcome screen, users have the option to resume the previous session or start a new one.
**Are documents recoverable?**<br>
Removing files from the hard drive when **I'm Done** is selected is just like any other file deletion from a hard disk drive. 3rd-party software might be able to recover data from the hard disk drive, but file recovery is not a supported feature on Surface Hub.
Removing files from the hard drive when **I'm Done** is selected is just like any other file deletion from a hard disk drive. Third-party software might be able to recover data from the hard disk drive, but file recovery is not a supported feature on Surface Hub. To prevent data loss, always save the data you need before leaving a meeting.
**Do the clean-up actions from I'm Done comply with the US Department of Defense clearing and sanitizing standard: DoD 5220.22-M?**<br>
No. Currently, the clean-up actions from **I'm Done** do not comply with this standard.
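Review bot: The rewritten answer to "What happens if I forget to tap I'm Done" no longer says when, if ever, an abandoned session's data is removed. The earlier wording stated that daily maintenance cleans up any meeting not ended with I'm Done; the new wording says cleanup happens only on I'm Done and that the next user can "resume the previous session or start a new one". Please state whether choosing to start a new session clears the previous session's files, credentials, and clipboard, and give the actual timeout instead of "after some time", since the resume option exposes the prior meeting's content to whoever walks up next.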

Binary file not shown.

Size before: 8.0 KiB. Size after: 56 KiB.


@ -36,14 +36,3 @@ Documents related to the Microsoft Surface Hub.
</tr>
</tbody>
</table>
 
 
 


@ -15,143 +15,14 @@ localizationpriority: medium
Microsoft Surface Hub is an all-in-one productivity device that is intended for brainstorming, collaboration, and presentations. In order to get the maximum benefit from Surface Hub, your organizations infrastructure and the Surface Hub itself must be properly set up and integrated. This guide describes what needs to be done both before and during setup in order to help you optimize your use of the device.
### <a href="" id="surface-hub-features-and-interactions"></a>Surface Hub features and interactions with other services
The capabilities of your Surface Hub will depend on what other Microsoft products and technologies are available to it in your infrastructure. The products listed in the following table each support specific features in Surface Hub.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Scenario</th>
<th align="left">Requirement</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>One-touch meeting join, meetings calendar, and email (for example, sending whiteboards)</p></td>
<td align="left"><p>Device account with Microsoft Exchange 2013 or later, or Exchange Online and a network connection to where the account is hosted.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Meetings using Skype for Business</p></td>
<td align="left"><p>Device account with Skype for Business (Lync Server 2013 or later) or Skype for Business Online, and a network connection so the account can be accessed.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Web browsing through Microsoft Edge</p></td>
<td align="left"><p>Internet connectivity.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Remote and multi-device management</p></td>
<td align="left"><p>Supported mobile device management (MDM) solutions (Microsoft Intune, System Center 2012 R2 Configuration Manager, or supported third-party solution).</p></td>
</tr>
<tr class="even">
<td align="left"><p>Group-based local management (directory of employees who can manage a device)</p></td>
<td align="left"><p>Active Directory or Azure Active Directory (Azure AD).</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Universal Windows app installation</p></td>
<td align="left"><p>Windows Imaging and Configuration Designer (ICD) or supported MDM solutions (Intune, Configuration Manager, or supported third-party solution).</p></td>
</tr>
<tr class="even">
<td align="left"><p>OS updates</p></td>
<td align="left"><p>Internet connectivity or Windows Server Update Services (WSUS).</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Device monitoring and health</p></td>
<td align="left"><p>Microsoft Operations Management Suite (OMS).</p></td>
</tr>
</tbody>
</table>
 
Youll need to understand how each of these services interacts with Surface Hub. See [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md) for details.
### <a href="" id="setup-dependencies"></a>Surface Hub Setup dependencies
## Surface Hub setup process
Review these dependencies to make sure Surface Hub features will work in your environment.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Dependency</th>
<th align="left">Purpose</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Active Directory (if using an on-premises deployment)</p></td>
<td align="left"><p>The Surface Hub must be able to connect to the domain controller in order to validate the device accounts credentials, as well as to access information like the device accounts display name, alias, Exchange server, and Session Initiation Protocol (SIP) address.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Microsoft Office 365 (if using an online deployment)</p></td>
<td align="left"><p>The Surface Hub must have Internet access in order to reach your Office 365 tenant. The device will connect to the Office 365 in order to validate the device accounts credentials, as well as to access information like the device accounts display name, alias, Exchange server, and SIP address.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Device account</p></td>
<td align="left"><p>The device account is an Active Directory and/or Azure AD account that enables several key features for the Surface Hub. Learn more about device accounts in [Create and test a device account](create-and-test-a-device-account-surface-hub.md).</p></td>
</tr>
<tr class="even">
<td align="left"><p>Exchange and Exchange ActiveSync</p></td>
<td align="left"><p>The Surface Hub must be able to reach the device accounts Exchange servers. Exchange is used for enabling mail and calendar features, and also lets people who use the device send meeting requests to the Surface Hub, enabling one-touch meeting join.</p>
<p>ActiveSync is used to sync the device accounts calendar and mail to the Surface Hub. If the device cannot use ActiveSync, it will not show meetings on the welcome screen, and joining meetings and emailing whiteboards will not be enabled.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Skype for Business</p></td>
<td align="left"><p>The Surface Hub must be able to reach the device accounts Skype for Business servers. Skype for Business is used for various conferencing features, like video calls, IM, and screen sharing.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Certificate-based authentication</p></td>
<td align="left"><p>If certificate-based authentication is required to establish a connection with Exchange ActiveSync or Skype for Business, those certificates must be deployed to each Surface Hub.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Dynamic IP</p></td>
<td align="left"><p>The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address. Network or Internet access is required, depending on the configuration of your topology (on-premises or online respectively) in order to validate the device account.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Proxy servers</p></td>
<td align="left"><p>If your topology requires a connection to a proxy server to reach Active Directory, Microsoft Online Services, or your Exchange or Skype for Business servers, then you can configure it during first run, or in Settings.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Mobile device management (MDM) solution provider</p></td>
<td align="left"><p>If you want to manage devices remotely and by groups (apply settings or policies to multiple devices at a time), you must set up a MDM solution and enroll the device to that solution.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Microsoft Operations Management Suite (OMS)</p></td>
<td align="left"><p>OMS is used to monitor Surface Hub devices.</p></td>
</tr>
</tbody>
</table>
 
### Surface Hub setup process
In some ways, adding your new Surface Hub is just like adding any other Microsoft Windows-based device to your network. However, in order to get your Surface Hub up and running at its full capacity, there are some very specific requirements. Read through all the info before you start. Heres the general order of things youll need to do:
In some ways, adding your new Surface Hub is just like adding any other Microsoft Windows-based device to your network. However, in order to get your Surface Hub up and running at its full capacity, there are some very specific requirements. Here are the next topics you'll need:
1. [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md)
2. [Physically install your Surface Hub device](physically-install-your-surface-hub-device.md)
3. [Run the Surface Hub first-run setup program (OOBE)](first-run-program-surface-hub.md)
After you have your Surface Hub running in your organization, youll need info about:
- [Device maintenance and management](manage-surface-hub.md)
In the unlikely event that you run into problems, see [Troubleshoot Surface Hub](troubleshoot-surface-hub.md).
 
 


@ -14,87 +14,63 @@ localizationpriority: medium
# Prepare your environment for Microsoft Surface Hub
This section contains an overview of the steps required to prepare your environment so that you can use all of the features of Microsoft Surface Hub. See [Intro to Surface Hub](intro-to-surface-hub.md) for a description of how the device and its features interact with your IT environment.
## Create and test a device account
This section contains an overview of setup dependencies and the setup process. Review the info in this section to help you prepare your environment and gather information needed to set up your Surface Hub.
A "device account" is an account that Surface Hub uses in order to access features from Exchange, like email and calendar, and to enable Skype for Business. See [Create and test a device account](create-and-test-a-device-account-surface-hub.md) for details.
## Review infrastructure dependencies
Review these dependencies to make sure Surface Hub features will work in your IT infrastructure.
## Check network availability
| Dependency | Purpose |
|-------------------------------------------------------|-------------------------------------------------------|
| Active Directory or Azure Active Directory (Azure AD) | <p>The Surface Hub's uses an Active Directory or Azure AD account (called a **device account**) to access Exchange and Skype for Business services. The Surface Hub must be able to connect to your Active Directory domain controller or to your Azure AD tenant in order to validate the device accounts credentials, as well as to access information like the device accounts display name, alias, Exchange server, and Session Initiation Protocol (SIP) address.</p>You can also domain join or Azure AD join your Surface Hub to allow a group of authorized users to configure settings on the Surface Hub. |
| Exchange (Exchange 2013 or later, or Exchange Online) and Exchange ActiveSync | <p>Exchange is used for enabling mail and calendar features, and also lets people who use the device send meeting requests to the Surface Hub, enabling one-touch meeting join.</p>ActiveSync is used to sync the device accounts calendar and mail to the Surface Hub. If the device cannot use ActiveSync, it will not show meetings on the welcome screen, and joining meetings and emailing whiteboards will not be enabled. |
| Skype for Business (Lync Server 2013 or later, or Skype for Business Online) | Skype for Business is used for various conferencing features, like video calls, instant messaging, and screen sharing. |
| Mobile device management (MDM) solution (Microsoft Intune, System Center Configuration Manager, or supported third-party MDM provider) | If you want to apply settings and install apps remotely, and to multiple devices at a time, you must set up a MDM solution and enroll the device to that solution. See [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) for details. |
| Microsoft Operations Managmement Suite (OMS) | OMS is used to monitor the health of Surface Hub devices. See [Monitor your Surface Hub](monitor-surface-hub.md) for details. |
| Network and Internet access | <p>In order to function properly, the Surface Hub should have access to a wired or wireless network. Overall, a wired connection is preferred.</p><p>**Dynamic IP:** The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address.</p>**Proxy servers:** If your topology requires a connection to a proxy server to reach Internet services, then you can configure it during first run, or in Settings. |
Additionally, note that Surface Hub requires the following open ports:
- HTTPS: 443
- HTTP: 80
Depending on your environment, access to additional ports may be needed:
- For online environments, see [Office 365 IP URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US).
- For on-premises installations, see [Skype for Business Server: Ports and protocols for internal servers](https://technet.microsoft.com/library/gg398833.aspx).
Microsoft collects telemetry to help improve your Surface Hub experience. Add these sites to your allow list:
- Telemetry client endpoint: `https://vortex.data.microsoft.com/`
- Telemetry settings endpoint: `https://settings.data.microsoft.com/`
In order to function properly, the Surface Hub must have access to a wired or wireless network that meets these requirements:
## Work with other admins
- Access to your Active Directory or Azure Active Directory (Azure AD) instance, as well as your Microsoft Exchange and Skype for Business servers
- Can receive an IP address using DHCP
- Open ports:
- HTTPS: 443
- HTTP: 80
A wired connection is preferred.
## Certificates
Surface Hub interacts with a few different products and services. Depending on the size of your organization, there could be multiple people supporting different products in your environment. You'll want to include people who manage Exchange, Active Directory (or Azure Active Directory), mobile device management (MDM), and network resources in your planning and prep for Surface Hub deployments.
Your Surface Hub may require certificates for ActiveSync, Skype for Business, network usage, or other authentication. To install certificates, you can either create a provisioning package (in order to install at first run, or after first run in Settings), or deploy them through a mobile device management (MDM) solution (after first run only).
## Create and verify device account
To install certificates using provisioning packages, see [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md). To install them using MDM, see the documentation for your MDM solution.
A device account is an Exchange resource account that Surface Hub uses to display its meeting calendar, join Skype for Business calls, and send email. See [Create and test a device account](create-and-test-a-device-account-surface-hub.md) for details.
## Create provisioning packages
After you've created your device account, there are a couple of ways to verify that it's setup correctly.
- Run Surface Hub device account validation PowerShell scripts. For more information, see [Surface Hub device account scripts](https://gallery.technet.microsoft.com/scriptcenter/Surface-Hub-device-account-6db77696) in Script Center, or [PowerShell scripts for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) later in this guide.
- Use the account with the [Lync Windows Store app](https://www.microsoft.com/en-us/store/p/lync/9wzdncrfhvhm). If Lync signs in successfully, then the device account will most likely work with Skype for Business on Surface Hub.
Currently, Surface Hub can use provisioning packages only to install certificates and to install Universal Windows Platform (UWP) apps. See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) for details.
## Prepare for first-run program
There are a few more item to consider before you start the [first-run program](first-run-program-surface-hub.md).
Customers will use provisioning packages to authenticate (for example, to Exchange or Skype for Business), or to sideload apps that don't come from the Windows Store or Windows Store for Business.
### Create provisioning packages (optional)
You can use provisioning packages to add certificates, customize settings and install apps. See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) for details. You can [install provisioning packages at first-run](first-run-program-surface-hub.md#first-page).
## Know the Exchange server for your device account
### Set up admin groups
Every Surface Hub can be configured locally using the Settings app on the device. To prevent unauthorized users from changing settings, the Settings app requires admin credentials to open the app. See [Admin group management](admin-group-management-for-surface-hub.md) for details on how admin groups are set up and managed. You will [set up admins for the device at first run](first-run-program-surface-hub.md#setup-admins).
### Review and complete Surface Hub setup worksheet (optional)
When you go through the first-run program for your Surface Hub, there's some information that you'll need to supply. The setup worksheet summarizes that info, and provides lists of environment-specific info that you'll need when you go through the first-run program. For more information, see [Setup worksheet](setup-worksheet-surface-hub.md).
You should know which Exchange server the device account will use for email and calendar services. The device will attempt to discover this automatically during first run, but if auto-discovery doesn't work, you may need to enter the server info manually.
### Admin group management
Every Surface Hub can be configured individually by opening the Settings app on the device. To prevent people who are not administrators from changing settings, the Settings app requires local administrator credentials to open the app and change settings. See [Admin group management](admin-group-management-for-surface-hub.md) for details on how admin groups are set up and managed.
## Skype for Business
Certificates may be required in order to have the Surface Hub use Skype for Business.
## <a href="" id="prepare-checklist"></a>Checklist for preparation
In order to ensure that your environment is ready for the Surface Hub, verify the items in the following list.
1. The device account has been created.
Test this by running:
- Surface Hub device account validation PowerShell scripts
- Lync Windows app from the Windows Store (if Lync runs successfully, then Skype for Business will most likely run).
2. Ensure that there is a working network/Internet connection for the device to connect to:
- It must be able to receive an IP address using DHCP (Surface Hub cannot be configured with a static IP address)
- It must have these ports open:
- HTTPS: 443
- HTTP: 80
If your network runs through a proxy, you'll need the proxy address or script information as well.
3. In order to improve your experience, we collect data. To collect data, we need these sites whitelisted:
- Telemetry client endpoint: https://vortex.data.microsoft.com/
- Telemetry settings endpoint: https://settings.data.microsoft.com/
4. Choose the local admin method you want to set up during first run (see [Set up admins for this device](first-run-program-surface-hub.md#setup-admins)). Also, decide whether you'll be using MDM (see [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md)).
5. You've created provisioning packages, as needed. See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md).
6. Have all necessary information available from the [Setup worksheet](setup-worksheet-surface-hub.md).
## In this section
<table>
<colgroup>
<col width="50%" />
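Review bot: The new "Surface Hub requires the following open ports" list (HTTPS: 443, HTTP: 80) does not say in which direction or toward which destinations the ports must be open. Add that detail next to the list so a firewall admin does not read it as a request for inbound rules to the device, and do the same for the two telemetry endpoints under "Add these sites to your allow list". Several typos in the added text also need fixing before merge: "The Surface Hub's uses" and "Managmement" in the dependency table, "it's setup correctly" under "Create and verify device account", and "a few more item" under "Prepare for first-run program".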


@ -33,7 +33,7 @@ You should fill out one list for each Surface Hub you need to configure, althoug
<p>If your network uses a proxy for network and/or Internet access, you must provide a script or server/port information.</p>
</td>
<td>
<p>Proxy script: http://contoso/proxy.pa </br>
<p>Proxy script: <code>http://contoso/proxy.pa</code> </br>
- OR - </br>
Server and port info: 10.10.10.100, port 80
</p>
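Review bot: The changed "Proxy script" line wraps the example URL in a code element but keeps "http://contoso/proxy.pa", which looks like a truncated .pac file name; proxy auto-config scripts conventionally use the .pac extension. While touching this line, consider an https example as well, since a proxy script fetched over plain HTTP can be altered in transit, and replace the "</br>" tags in this cell with "<br>", because "</br>" is not a valid HTML element.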


@ -1,22 +1,25 @@
# [Surface](index.md)
## [Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md)
## [Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md)
## [Deploy Surface devices](deploy.md)
### [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md)
### [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md)
### [Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md)
### [Ethernet adapters and Surface deployment](ethernet-adapters-and-surface-device-deployment.md)
### [Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md)
#### [Step by step: Surface Deployment Accelerator](step-by-step-surface-deployment-accelerator.md)
#### [Using the Surface Deployment Accelerator deployment share](using-the-sda-deployment-share.md)
## [Surface firmware and driver updates](update.md)
### [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)
### [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)
### [Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)
### [Surface Dock Updater](surface-dock-updater.md)
## [Deploy Surface app with Windows Store for Business](deploy-surface-app-with-windows-store-for-business.md)
## [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md)
## [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)
## [Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md)
## [Ethernet adapters and Surface deployment](ethernet-adapters-and-surface-device-deployment.md)
## [Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)
## [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)
## [Manage Surface UEFI settings](manage-surface-uefi-settings.md)
## [Surface Data Eraser](microsoft-surface-data-eraser.md)
## [Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md)
### [Step by step: Surface Deployment Accelerator](step-by-step-surface-deployment-accelerator.md)
### [Using the Surface Deployment Accelerator deployment share](using-the-sda-deployment-share.md)
## [Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md)
## [Surface Dock Updater](surface-dock-updater.md)
### [Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md)
## [Surface Enterprise Management Mode](surface-enterprise-management-mode.md)
### [Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md)
### [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md)
## [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md)
## [Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md)
## [Surface Data Eraser](microsoft-surface-data-eraser.md)


@ -0,0 +1,3 @@
---
redirect_url: https://technet.microsoft.com/itpro/surface/advanced-uefi-security-features-for-surface-pro-3
---

43
devices/surface/deploy.md Normal file

@ -0,0 +1,43 @@
---
title: Deploy Surface devices (Surface)
description: Get deployment guidance for your Surface devices including information about MDT, OOBE customization, Ethernet adaptors, and Surface Deployment Accelerator.
ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: surface, devices
ms.sitesec: library
author: heatherpoulsen
---
# Deploy Surface devices
Get deployment guidance for your Surface devices including information about MDT, OOBE customization, Ethernet adaptors, and Surface Deployment Accelerator.
## In this section
| Topic | Description |
| --- | --- |
| [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) | Walk through the recommended process of how to deploy Windows 10 to your Surface devices with the Microsoft Deployment Toolkit.|
| [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md)| Find out how to perform a Windows 10 upgrade deployment to your Surface devices. |
| [Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md)| Walk through the process of customizing the Surface out-of-box experience for end users in your organization.|
| [Ethernet adapters and Surface deployment](ethernet-adapters-and-surface-device-deployment.md)| Get guidance and answers to help you perform a network deployment to Surface devices.|
| [Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md)| See how Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices. |
 
## Related topics
[Surface TechCenter](https://technet.microsoft.com/windows/surface)
[Surface for IT pros blog](http://blogs.technet.com/b/surface/)
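Review bot: The "Surface for IT pros blog" link under Related topics uses plain http while the Surface TechCenter link directly above it uses https; switch it to https if the blog serves it. The description and the intro sentence also spell "Ethernet adaptors" while the linked topic in the table is titled "Ethernet adapters and Surface deployment", so pick one spelling. The front matter of this new file has no localizationpriority key, which other files touched in this commit set.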
 
 


@ -2,6 +2,7 @@
title: Surface (Surface)
description:
ms.assetid: 2a6aec85-b8e2-4784-8dc1-194ed5126a04
localizationpriority: high
ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: surface, devices
@ -12,96 +13,28 @@ author: heatherpoulsen
# Surface
## Purpose
This library provides guidance to help you deploy Windows on Surface devices, keep those devices up to date, and easily manage and support Surface devices in your organization.
For more information on planning for, deploying, and managing Surface devices in your organization, see the [Surface TechCenter](https://technet.microsoft.com/en-us/windows/surface).
## In this section
| Topic | Description |
| --- | --- |
| [Deploy Surface devices](deploy.md) | Get deployment guidance for your Surface devices including information about MDT, OOBE customization, Ethernet adaptors, and Surface Deployment Accelerator. |
| [Surface firmware and driver updates](update.md) | Find out how to download and manage the latest firmware and driver updates for your Surface device. |
| [Deploy Surface app with Windows Store for Business](deploy-surface-app-with-windows-store-for-business.md) | Find out how to add and download Surface app with Windows Store for Business, as well as install Surface app with PowerShell and MDT. |
| [Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md) | Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device. |
| [Manage Surface UEFI settings](manage-surface-uefi-settings.md) | Use Surface UEFI settings to enable or disable devices, configure security settings, and adjust Surface device boot settings. |
| [Surface Enterprise Management Mode](surface-enterprise-management-mode.md) | See how this feature of Surface devices with Surface UEFI allows you to secure and manage firmware settings within your organization. |
| [Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md) | Find out how you can use the Microsoft Surface Diagnostic Toolkit to test the hardware of your Surface device. |
| [Surface Data Eraser](microsoft-surface-data-eraser.md) | Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices. |
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Topic</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>[Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md)</p></td>
<td><p>Find out how to install and configure the v3.11.760.0 UEFI update to enable additional security options for Surface Pro 3 devices.</p></td>
</tr>
<tr class="even">
<td><p>[Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md)</p></td>
<td><p>Walk through the process of customizing the Surface out-of-box experience for end users in your organization.</p></td>
</tr>
<tr class="odd">
<td><p>[Deploy Surface app with Windows Store for Business](deploy-surface-app-with-windows-store-for-business.md)</p></td>
<td><p>Find out how to add and download Surface app with Windows Store for Business, as well as install Surface app with PowerShell and MDT.</p></td>
</tr>
<tr class="even">
<td><p>[Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md)</p></td>
<td><p>Walk through the recommended process of how to deploy Windows 10 to your Surface devices with the Microsoft Deployment Toolkit.</p></td>
</tr>
<tr class="odd">
<td><p>[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)</p></td>
<td><p>Get a list of the available downloads for Surface devices and links to download the drivers and firmware for your device.</p></td>
</tr>
<tr class="even">
<td><p>[Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md)</p></td>
<td><p>Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device.</p></td>
</tr>
<tr class="odd">
<td><p>[Ethernet adapters and Surface deployment](ethernet-adapters-and-surface-device-deployment.md)</p></td>
<td><p>Get guidance and answers to help you perform a network deployment to Surface devices.</p></td>
</tr>
<tr class="even">
<td><p>[Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)</p></td>
<td><p>Read about the different methods you can use to manage the process of Surface Dock firmware updates.</p></td>
</tr>
<tr class="odd">
<td><p>[Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)</p></td>
<td><p>Explore the available options to manage firmware and driver updates for Surface devices.</p></td>
</tr>
<tr class="even">
<td><p>[Manage Surface UEFI settings](manage-surface-uefi-settings.md)<p></td>
<td><p>Use Surface UEFI settings to enable or disable devices, configure security settings, and adjust Surface device boot settings.</p></td>
</tr>
<tr class="odd">
<td><p>[Surface Data Eraser](microsoft-surface-data-eraser.md)</p></td>
<td><p>Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices.</p></td>
</tr>
<tr class="even">
<td><p>[Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md)</p></td>
<td><p>See how Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices.</p></td>
</tr>
<tr class="odd">
<td><p>[Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md)</p></td>
<td><p>Find out how you can use the Microsoft Surface Diagnostic Toolkit to test the hardware of your Surface device.</p></td>
</tr>
<tr class="even">
<td><p>[Surface Dock Updater](surface-dock-updater.md)</p></td>
<td><p>Get a detailed walkthrough of Microsoft Surface Dock Updater.</p></td>
</tr>
<tr class="odd">
<td><p>[Surface Enterprise Management Mode](surface-enterprise-management-mode.md)</p></td>
<td><p>See how this feature of Surface devices with Surface UEFI allows you to secure and manage firmware settings within your organization.
</p></td>
</tr>
<tr class="even">
<td><p>[Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md)</p></td>
<td><p>Find out how to perform a Windows 10 upgrade deployment to your Surface devices.</p></td>
</tr>
</tbody>
</table>
 

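Review bot: The eight-row markdown table under "In this section" no longer links several topics that the sixteen-row HTML table lists, including "Advanced UEFI security features for Surface Pro 3", "Customize the OOBE for Surface deployments" and "Upgrade Surface devices to Windows 10 with MDT". Confirm that each of these is still reachable from deploy.md or update.md (the update.md added in this commit covers only the four firmware and Surface Dock topics), or add them back to this index.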
View File

@ -14,7 +14,8 @@ author: miladCA
Current and future generations of Surface devices, including Surface Pro 4 and Surface Book, use a unique UEFI firmware engineered by Microsoft specifically for these devices. This firmware allows for significantly greater control of the devices operation over firmware versions in earlier generation Surface devices, including the support for touch, mouse, and keyboard operation. By using the Surface UEFI settings you can easily enable or disable internal devices or components, configure security to protect UEFI settings from being changed, and adjust the Surface device boot settings.
>**Note:**&nbsp;&nbsp;Surface Pro 3, Surface 3, Surface Pro 2, Surface 2, Surface Pro, and Surface do not use the Surface UEFI and instead use firmware provided by third-party manufacturers, such as AMI.
>[!NOTE]
>Surface Pro 3, Surface 3, Surface Pro 2, Surface 2, Surface Pro, and Surface do not use the Surface UEFI and instead use firmware provided by third-party manufacturers, such as AMI.
You can enter the Surface UEFI settings on your Surface device by pressing the **Volume Up** button and the **Power** button simultaneously. Hold the **Volume Up** button until the Surface logo is displayed, which indicates that the device has begun to boot.
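Review bot: In the context paragraph just above the converted note, "control of the devices operation" is missing an apostrophe and should read "the device's operation"; worth fixing in the same change since this hunk already edits the adjacent note.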
@ -137,3 +138,7 @@ Use the **Restart Now** button on the **Exit** page to exit UEFI settings, as sh
![Exit Surface UEFI and restart the device](images/manage-surface-uefi-fig8.png "Exit Surface UEFI and restart the device")
*Figure 8. Click Restart Now to exit Surface UEFI and restart the device*
## Related topics
[Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md)

View File

@ -115,6 +115,10 @@ This version is the original release of SDA. This version of SDA includes suppor
* Windows 8.1
## Related topics
[Step by step: Surface Deployment Accelerator](step-by-step-surface-deployment-accelerator.md)
[Using the Surface Deployment Accelerator deployment share](using-the-sda-deployment-share.md)

View File

@ -13,7 +13,8 @@ author: jobotto
Microsoft Surface Enterprise Management Mode (SEMM) is a feature of Surface devices with Surface UEFI that allows you to secure and manage firmware settings within your organization. With SEMM, IT professionals can prepare configurations of UEFI settings and install them on a Surface device. In addition to the ability to configure UEFI settings, SEMM also uses a certificate to protect the configuration from unauthorized tampering or removal.
>**Note**:&nbsp;&nbsp;SEMM is only available on devices with Surface UEFI firmware, such as Surface Pro 4 and Surface Book. For more information about Surface UEFI, see [Manage Surface UEFI Settings](https://technet.microsoft.com/en-us/itpro/surface/manage-surface-uefi-settings).
>[!NOTE]
>SEMM is only available on devices with Surface UEFI firmware, such as Surface Pro 4 and Surface Book. For more information about Surface UEFI, see [Manage Surface UEFI Settings](https://technet.microsoft.com/itpro/surface/manage-surface-uefi-settings).
When Surface devices are configured by SEMM and secured with the SEMM certificate, they are considered *enrolled* in SEMM. When the SEMM certificate is removed and control of UEFI settings is returned to the user of the device, the Surface device is considered *unenrolled* in SEMM.
@ -25,7 +26,8 @@ The primary workspace of SEMM is Microsoft Surface UEFI Configurator, as shown i
*Figure 1. Microsoft Surface UEFI Configurator*
>**Note**:&nbsp;&nbsp;Windows 10 is required to run Microsoft Surface UEFI Configurator
>[!NOTE]
>Windows 10 is required to run Microsoft Surface UEFI Configurator
You can use the Microsoft Surface UEFI Configurator tool in three modes:
@ -36,7 +38,7 @@ You can use the Microsoft Surface UEFI Configurator tool in three modes:
#### Download Microsoft Surface UEFI Configurator
You can download Microsoft Surface UEFI Configurator from the [Surface Tools for IT](https://www.microsoft.com/en-us/download/details.aspx?id=46703) page in the Microsoft Download Center.
You can download Microsoft Surface UEFI Configurator from the [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) page in the Microsoft Download Center.
### Configuration package
@ -48,7 +50,8 @@ Surface UEFI configuration packages are the primary mechanism to implement and m
See the [Surface Enterprise Management Mode certificate requirements](#surface-enterprise-management-mode-certificate-requirements) section of this article for more information about the requirements for the SEMM certificate.
>**Note**:&nbsp;&nbsp;You can also specify a UEFI password with SEMM that is required to view the **Security**, **Devices**, **Boot Configuration**, or **Enterprise Management** pages of Surface UEFI.
>[!NOTE]
>You can also specify a UEFI password with SEMM that is required to view the **Security**, **Devices**, **Boot Configuration**, or **Enterprise Management** pages of Surface UEFI.
After a device is enrolled in SEMM, the configuration file is read and the settings specified in the file are applied to UEFI. When you run a configuration package on a device that is already enrolled in SEMM, the signature of the configuration file is checked against the certificate that is stored in the device firmware. If the signature does not match, no changes are applied to the device.
@ -85,7 +88,8 @@ You can configure the following advanced settings with SEMM:
* Display of the Surface UEFI **Devices** page
* Display of the Surface UEFI **Boot** page
>**Note**:&nbsp;&nbsp;When you create a SEMM configuration package, two characters are shown on the **Successful** page, as shown in Figure 5.
>[!NOTE]
>When you create a SEMM configuration package, two characters are shown on the **Successful** page, as shown in Figure 5.
![Certificate thumbprint display](images\surface-ent-mgmt-fig5-success.png "Certificate thumbprint display")
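Review bot: The image link kept as context after the converted note uses a backslash, `images\surface-ent-mgmt-fig5-success.png`, while other figures in this commit use forward slashes (`images/manage-surface-uefi-fig8.png`); switch it to a forward slash so the path resolves as a URL. The note text itself is also vague: "two characters are shown" does not say two characters of what, although the figure's alt text indicates it is the certificate thumbprint.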
@ -113,11 +117,13 @@ In some scenarios, it may be impossible to use a Surface UEFI reset package. (Fo
When you use the process on the **Enterprise Management** page to reset SEMM on a Surface device, you are provided with a Reset Request. This Reset Request can be saved as a file to a USB drive, copied as text, or read as a QR Code with a mobile device to be easily emailed or messaged. Use the Microsoft Surface UEFI Configurator Reset Request option to load a Reset Request file or enter the Reset Request text or QR Code. Microsoft Surface UEFI Configurator will generate a verification code that can be entered on the Surface device. If you enter the code on the Surface device and click **Restart**, the device will be unenrolled from SEMM.
>**Note**:&nbsp;&nbsp;A Reset Request expires two hours after it is created.
>[!NOTE]
>A Reset Request expires two hours after it is created.
## Surface Enterprise Management Mode certificate requirements
>**Note**:&nbsp;&nbsp;The SEMM certificate is required to perform any modification to SEMM or Surface UEFI settings on enrolled Surface devices. If the SEMM certificate is corrupted or lost, SEMM cannot be removed or reset. Manage your SEMM certificate accordingly with an appropriate solution for backup and recovery.
>[!NOTE]
>The SEMM certificate is required to perform any modification to SEMM or Surface UEFI settings on enrolled Surface devices. If the SEMM certificate is corrupted or lost, SEMM cannot be removed or reset. Manage your SEMM certificate accordingly with an appropriate solution for backup and recovery.
Packages created with the Microsoft Surface UEFI Configurator tool are signed with a certificate. This certificate ensures that after a device is enrolled in SEMM, only packages created with the approved certificate can be used to modify the settings of UEFI. The following settings are recommended for the SEMM certificate:
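Review bot: The note opening the certificate requirements section says that a lost or corrupted SEMM certificate means SEMM cannot be removed or reset, which is an unrecoverable condition and deserves more weight than `>[!NOTE]` gives it. Consider a stronger alert type for that one (the alert syntax also offers `[!IMPORTANT]` and `[!WARNING]`) and keep `>[!NOTE]` for the two-hour Reset Request expiry.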
@ -132,8 +138,9 @@ Packages created with the Microsoft Surface UEFI Configurator tool are signed wi
It is also recommended that the SEMM certificate be authenticated in a two-tier public key infrastructure (PKI) architecture where the intermediate certification authority (CA) is dedicated to SEMM, enabling certificate revocation. For more information about a two-tier PKI configuration, see [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](https://technet.microsoft.com/library/hh831348).
>**Note**:&nbsp;&nbsp;You can use the following PowerShell script to create a self-signed certificate for use in proof-of-concept scenarios.
To use this script, copy the following text into Notepad and save the file as a PowerShell script (.ps1). This script creates a certificate with a password of `12345678`.<br/><br/>The certificate generated by this script is not recommended for production environments.
>[!NOTE]
>You can use the following PowerShell script to create a self-signed certificate for use in proof-of-concept scenarios.
> To use this script, copy the following text into Notepad and save the file as a PowerShell script (.ps1). This script creates a certificate with a password of `12345678`.<br/><br/>The certificate generated by this script is not recommended for production environments.
```
if (-not (Test-Path "Demo Certificate")) { New-Item -ItemType Directory -Force -Path "Demo Certificate" }
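Review bot: In the converted script note, the statement that the certificate is not recommended for production sits after `<br/><br/>` at the end of the same line that announces the hard-coded PFX password `12345678`, where it is easy to miss; move the production caveat to the first quoted line or give it its own, and tell the reader to replace the password. The continuation line also starts with `> ` where the other converted notes in this file use `>` with no space, so pick one form.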
@ -160,4 +167,11 @@ $TestUefiV2 | Export-PfxCertificate -Password $pw -FilePath "Demo Certificate\Te
For use with SEMM and Microsoft Surface UEFI Configurator, the certificate must be exported with the private key and with password protection. Microsoft Surface UEFI Configurator will prompt you to select the SEMM certificate file (.pfx) and certificate password when it is required.
>**Note**:&nbsp;&nbsp;For organizations that use an offline root in their PKI infrastructure, Microsoft Surface UEFI Configurator must be run in an environment connected to the root CA to authenticate the SEMM certificate. The packages generated by Microsoft Surface UEFI Configurator can be transferred as files and therefore can be transferred outside the offline network environment with removable storage, such as a USB stick.
>[!NOTE]
>For organizations that use an offline root in their PKI infrastructure, Microsoft Surface UEFI Configurator must be run in an environment connected to the root CA to authenticate the SEMM certificate. The packages generated by Microsoft Surface UEFI Configurator can be transferred as files and therefore can be transferred outside the offline network environment with removable storage, such as a USB stick.
## Related topics
[Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md)
[Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md)

38
devices/surface/update.md Normal file
View File

@ -0,0 +1,38 @@
---
title: Surface firmware and driver updates (Surface)
description: Find out how to download and manage the latest firmware and driver updates for your Surface device.
ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: surface, devices
ms.sitesec: library
author: heatherpoulsen
---
# Surface firmware and driver updates
Find out how to download and manage the latest firmware and driver updates for your Surface device.
## In this section
| Topic | Description |
| --- | --- |
| [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)| Get a list of the available downloads for Surface devices and links to download the drivers and firmware for your device.|
| [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)| Explore the available options to manage firmware and driver updates for Surface devices.|
| [Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)| Read about the different methods you can use to manage the process of Surface Dock firmware updates.|
| [Surface Dock Updater](surface-dock-updater.md)| Get a detailed walkthrough of Microsoft Surface Dock Updater.|
 
## Related topics
[Surface TechCenter](https://technet.microsoft.com/windows/surface)
[Surface for IT pros blog](http://blogs.technet.com/b/surface/)
 
 

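Review bot: The "Surface for IT pros blog" link under Related topics uses `http://` while the TechCenter link directly above it uses `https://`; use HTTPS for the blog as well if it is served that way. The front matter of this new file also has no `localizationpriority` key, which this commit adds to other pages, and the whitespace-only lines after the table and at the end of the file can be dropped.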
View File

@ -565,7 +565,7 @@ After you create the Windows Store for Business portal, configure it by using th
Now that you have created your Windows Store for Business portal, youre ready to find, acquire, and distribute apps that you will add to your portal. You do this by using the Inventory page in Windows Store for Business.
**Note**&nbsp;&nbsp;Your educational institution can now use a credit card or purchase order to pay for apps in Windows Store for Business.
**Note**&nbsp;&nbsp;Your educational institution can now use a credit card to pay for apps in Windows Store for Business.
You can deploy apps to individual users or make apps available to users through your private store. Deploying apps to individual users restricts the app to those specified users. Making apps available through your private store allows all your users.
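Review bot: The edited note keeps the legacy `**Note**&nbsp;&nbsp;` form while the Surface pages in this commit move to `>[!NOTE]`; convert it here as well for consistency. In the surrounding context lines, "youre ready" is missing its apostrophe and "Making apps available through your private store allows all your users." reads as an unfinished sentence.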

View File

@ -191,16 +191,6 @@ The **Set up School PCs** app produces a specialized provisioning package that m
</tr>
<tr> <td> <p> Turn off the advertising ID </p> </td> <td> <p> Enabled</p> </td>
</tr>
<tr> <td colspan="2"> <p> <strong>Admin Templates</strong>><strong>Windows Components </strong></p> </td>
</tr>
<tr> <td> <p> Do not show Windows Tips </p> </td> <td> <p> Enabled</p> </td>
</tr>
<tr> <td> <p> Turn off Microsoft consumer experiences </p> </td> <td> <p> Enabled</p> </td>
</tr>
<tr> <td> <p> Microsoft Passport for Work </p> </td> <td> <p> Disabled</p> </td>
</tr>
<tr> <td> <p> Prevent the usage of OneDrive for file storage </p> </td> <td> <p> Enabled</p> </td>
</tr>
<tr> <td colspan="2"> <p> <strong>Admin Templates</strong>><strong>Windows Components</strong>><strong>Biometrics</strong></p> </td>
</tr>
<tr> <td> <p> Allow the use of biometrics </p> </td> <td> <p> Disabled</p> </td>
@ -209,6 +199,11 @@ The **Set up School PCs** app produces a specialized provisioning package that m
</tr>
<tr> <td> <p> Allow domain users to log on using biometrics </p> </td> <td> <p> Disabled</p> </td>
</tr>
<tr><td colspan="2"><strong>Admin Templates</strong>><strong>Windows Components</strong>><strong>Cloud Content</strong></td></tr>
<tr> <td> <p> Do not show Windows Tips </p> </td> <td> <p> Enabled</p> </td>
</tr>
<tr> <td> <p> Turn off Microsoft consumer experiences </p> </td> <td> <p> Enabled</p> </td>
</tr>
<tr> <td colspan="2"> <p> <strong>Admin Templates</strong>><strong>Windows Components</strong>><strong>Data Collection and Preview Builds</strong></p> </td>
</tr>
<tr> <td> <p> Toggle user control over Insider builds </p> </td> <td> <p> Disabled</p> </td>
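Review bot: The new Cloud Content header row is formatted differently from the other category rows: it drops the `<p>` wrapper and writes `</strong>><strong>` with no spaces, while the category rows added further down in this file use `</strong> > <strong>`. Match one style across the table, and escape the separator as `&gt;` so a bare `>` next to a closing tag is not misread.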
@ -235,10 +230,18 @@ The **Set up School PCs** app produces a specialized provisioning package that m
</tr>
<tr> <td> <p> Configure corporate home pages </p> </td> <td> <p> Enabled, about:blank</p> </td>
</tr>
<tr> <td colspan="2"> <p> <strong>Admin Templates</strong> > <strong>Windows Components</strong> > <strong>OneDrive</strong></p> </td>
</tr>
<tr> <td> <p> Prevent the usage of OneDrive for file storage </p> </td> <td> <p> Enabled</p> </td>
</tr>
<tr> <td colspan="2"> <p> <strong>Admin Templates</strong> > <strong>Windows Components</strong> > <strong>Search</strong></p> </td>
</tr>
<tr> <td> <p> Allow Cortana </p> </td> <td> <p> Disabled</p> </td>
</tr>
<tr> <td colspan="2"> <p> <strong>Admin Templates</strong> > <strong>Windows Components</strong> > <strong>Windows Hello for Business</strong></p> </td>
</tr>
<tr> <td> <p> Use Windows Hello for Business </p> </td> <td> <p> Disabled</p> </td>
</tr>
<tr> <td colspan="2"> <p> <strong>Windows Settings</strong> > <strong>Security Settings</strong> > <strong>Local Policies</strong> > <strong>Security Options</strong></p> </td>
</tr>
<tr><td><p>Accounts: Block Microsoft accounts</p><p>**Note** Microsoft accounts can still be used in apps.</p></td><td><p>Enabled</p></td></tr>
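Review bot: Confirm that the provisioning package sets the policy under its new name, since this hunk relabels "Microsoft Passport for Work" as "Use Windows Hello for Business" and moves it to its own category, and the doc should change only if the applied setting did. In the context row that follows, `**Note**` sits inside an HTML `<p>`, where markdown emphasis will typically not render; `<strong>Note</strong>` would match the rest of the table.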

View File

@ -18,6 +18,8 @@ author: jdeckerMS
Teachers and IT administrators can use the **Set up School PCs** app to quickly set up computers for students. A computer set up using the app is tailored to provide students with the tools they need for learning while removing apps and features that they don't need.
[Download the Set up School PCs app from the Windows Store](https://www.microsoft.com/store/apps/9nblggh4ls40)
![Run app, turn on PC, insert USB key](images/app1.jpg)
## What does this app do?

View File

@ -1,21 +1,21 @@
# [Microsoft Desktop Optimization Pack](index.md)
## [Advanced Group Policy Management](agpm/)
## [Advanced Group Policy Management](agpm/index.md)
## [Application Virtualization]()
### [Application Virtualization 5](appv-v5/)
### [Application Virtualization 4](appv-v4/)
### [Application Virtualization 5](appv-v5/index.md)
### [Application Virtualization 4](appv-v4/index.md)
### [SoftGrid Application Virtualization](softgrid-application-virtualization.md)
## [Diagnostics and Recovery Toolset]()
### [Diagnostics and Recovery Toolset 10](dart-v10/)
### [Diagnostics and Recovery Toolset 8](dart-v8/)
### [Diagnostics and Recovery Toolset 7](dart-v7/)
### [Diagnostics and Recovery Toolset 10](dart-v10/index.md)
### [Diagnostics and Recovery Toolset 8](dart-v8/index.md)
### [Diagnostics and Recovery Toolset 7](dart-v7/index.md)
### [Diagnostics and Recovery Toolset 6.5](dart-v65.md)
## [Microsoft Bitlocker Administration and Monitoring]()
### [Microsoft Bitlocker Administration and Monitoring 2.5](mbam-v25/)
### [Microsoft Bitlocker Administration and Monitoring 2](mbam-v2/)
### [Microsoft Bitlocker Administration and Monitoring 1](mbam-v1/)
### [Microsoft Bitlocker Administration and Monitoring 2.5](mbam-v25/index.md)
### [Microsoft Bitlocker Administration and Monitoring 2](mbam-v2/index.md)
### [Microsoft Bitlocker Administration and Monitoring 1](mbam-v1/index.md)
## [Microsoft Enterprise Desktop Virtualization]()
### [Microsoft Enterprise Desktop Virtualization 2](medv-v2/)
### [Microsoft Enterprise Desktop Virtualization 2](medv-v2/index.md)
## [User Experience Virtualization]()
### [User Experience Virtualization 2](uev-v2/)
### [User Experience Virtualization 1](uev-v1/)
## [MDOP Solutions and Scenarios](solutions/)
### [User Experience Virtualization 2](uev-v2/index.md)
### [User Experience Virtualization 1](uev-v1/index.md)
## [MDOP Solutions and Scenarios](solutions/index.md)
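Review bot: The product name is spelled "Bitlocker" in the Microsoft Bitlocker Administration and Monitoring entries, including the three lines edited here; the product is BitLocker. The group headings with empty targets, such as `[Application Virtualization]()`, are left untouched; if the move from `dir/` to `dir/index.md` is meant to make every entry resolve to a file, those headings need a target or should become plain text.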

View File

@ -13,7 +13,7 @@ ms.prod: w10
# Choosing Which Version of AGPM to Install
Each release of Microsoft Advanced Group Policy Management (AGPM) supports specific versions of the Windows operating system. We strongly recommend that you run the AGPM Client and AGPM Server on the same line of operating systems, for example, Windows 8.1 with Windows Server 2012 R2, Windows 8 with Windows Server 2012, and so on.
Each release of Microsoft Advanced Group Policy Management (AGPM) supports specific versions of the Windows operating system. We strongly recommend that you run the AGPM Client and AGPM Server on the same line of operating systems. For example, Windows 10 with Windows Server 2016, Windows 8.1 with Windows Server 2012 R2, and so on.
We recommend that you install the AGPM Server on the most recent version of the operating system in the domain. AGPM uses the Group Policy Management Console (GPMC) to back up and restore Group Policy Objects (GPOs). Because newer versions of the GPMC provide additional policy settings that are not available in earlier versions, you can manage more policy settings by using the most recent version of the operating system.
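Review bot: Splitting the sentence leaves "For example, Windows 10 with Windows Server 2016, Windows 8.1 with Windows Server 2012 R2, and so on." as a fragment with no verb. Keep it attached to the recommendation with a colon or comma, or give it a verb ("For example, run Windows 10 with Windows Server 2016 ...").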
@ -45,8 +45,8 @@ Table 1 lists the operating systems on which you can install AGPM 4.0 SP3, and
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Windows 10</p></td>
<td align="left"><p>Windows 10</p></td>
<td align="left"><p>Windows Server 2016 or Windows 10</p></td>
<td align="left"><p>Windows Server 2016 or Windows 10</p></td>
<td align="left"><p>Supported</p></td>
</tr>
<tr class="even">
@ -55,19 +55,19 @@ Table 1 lists the operating systems on which you can install AGPM 4.0 SP3, and
<td align="left"><p>Supported</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Windows Server 2012 R2, Windows Server 2012, Windows 8.1, or Windows 8</p></td>
<td align="left"><p>Windows Server 2012 or Windows 8</p></td>
<td align="left"><p>Windows Server 2012 R2, Windows Server 2012, or Windows 8.1</p></td>
<td align="left"><p>Windows Server 2012 or Windows 8.1</p></td>
<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows 8.1</p></td>
</tr>
<tr class="even">
<td align="left"><p>Windows Server 2008 R2 or Windows 7</p></td>
<td align="left"><p>Windows Server 2008 R2 or Windows 7</p></td>
<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows 8.1 or Windows 8</p></td>
<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows 8.1</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Windows Server 2012, Windows Server 2008 R2, Windows 8, or Windows 7</p></td>
<td align="left"><p>Windows Server 2012, Windows Server 2008 R2, or Windows 7</p></td>
<td align="left"><p>Windows Server 2008 or Windows Vista with Service Pack 1 (SP1)</p></td>
<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, Windows 8, or Windows 7</p></td>
<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, or Windows 7</p></td>
</tr>
<tr class="even">
<td align="left"><p>Windows Server 2008 or Windows Vista with SP1</p></td>
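Review bot: Replacing "Windows 8" with "Windows 8.1" in the second cell of the third row makes the row contradict itself: the cell now reads "Windows Server 2012 or Windows 8.1", yet the status cell still says this configuration cannot edit settings that exist only in Windows 8.1. This looks like a mechanical substitution; either remove the client operating system from that cell or reword the limitation.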
@ -77,7 +77,7 @@ Table 1 lists the operating systems on which you can install AGPM 4.0 SP3, and
<tr class="odd">
<td align="left"><p>Windows Server 2008 or Windows Vista with SP1</p></td>
<td align="left"><p>Windows Server 2008 or Windows Vista with SP1</p></td>
<td align="left"><p>Supported, but cannot report or edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, Windows 8, or Windows 7</p></td>
<td align="left"><p>Supported, but cannot report or edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, or Windows 7</p></td>
</tr>
</tbody>
</table>
@ -113,29 +113,29 @@ Table 1 lists the operating systems on which you can install AGPM 4.0 SP2, and
<td align="left"><p>Supported</p></td>
</tr>
<tr class="even">
<td align="left"><p>Windows Server 2012 R2, Windows Server 2012, Windows 8.1, or Windows 8</p></td>
<td align="left"><p>Windows Server 2012 or Windows 8</p></td>
<td align="left"><p>Windows Server 2012 R2, Windows Server 2012, or Windows 8.1</p></td>
<td align="left"><p>Windows Server 2012 or Windows 8.1</p></td>
<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows 8.1</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Windows Server 2008 R2 or Windows 7</p></td>
<td align="left"><p>Windows Server 2008 R2 or Windows 7</p></td>
<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows 8.1 or Windows 8</p></td>
<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows 8.1</p></td>
</tr>
<tr class="even">
<td align="left"><p>Windows Server 2012, Windows Server 2008 R2, Windows 8, or Windows 7</p></td>
<td align="left"><p>Windows Server 2012, Windows Server 2008 R2, or Windows 7</p></td>
<td align="left"><p>Windows Server 2008 or Windows Vista with Service Pack 1 (SP1)</p></td>
<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, Windows 8, or Windows 7</p></td>
<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, or Windows 7</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Windows Server 2008 or Windows Vista with SP1</p></td>
<td align="left"><p>Windows Server 2012, Windows Server 2008 R2, Windows 8, or Windows 7</p></td>
<td align="left"><p>Windows Server 2012, Windows Server 2008 R2, or Windows 7</p></td>
<td align="left"><p>Not supported</p></td>
</tr>
<tr class="even">
<td align="left"><p>Windows Server 2008 or Windows Vista with SP1</p></td>
<td align="left"><p>Windows Server 2008 or Windows Vista with SP1</p></td>
<td align="left"><p>Supported, but cannot report or edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, Windows 8, or Windows 7</p></td>
<td align="left"><p>Supported, but cannot report or edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, or Windows 7</p></td>
</tr>
</tbody>
</table>
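Review bot: In the AGPM 4.0 SP2 table, the row whose second cell now reads "Windows Server 2012 or Windows 8.1" keeps the status "cannot edit policy settings or preference items that exist only in Windows 8.1", which cannot hold for a machine that runs Windows 8.1; the cell previously said Windows 8. Check whether that cell should list Windows Server 2012 only.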
@ -164,29 +164,29 @@ Table 2 lists the operating systems on which you can install AGPM 4.0 SP1, and t
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Windows Server 2012 or Windows 8</p></td>
<td align="left"><p>Windows Server 2012 or Windows 8</p></td>
<td align="left"><p>Windows Server 2012</p></td>
<td align="left"><p>Windows Server 2012</p></td>
<td align="left"><p>Supported</p></td>
</tr>
<tr class="even">
<td align="left"><p>Windows Server 2008 R2 or Windows 7</p></td>
<td align="left"><p>Windows Server 2008 R2 or Windows 7</p></td>
<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows 8</p></td>
<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows 8.1</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Windows Server 2012, Windows Server 2008 R2, Windows 8, or Windows 7</p></td>
<td align="left"><p>Windows Server 2012, Windows Server 2008 R2, or Windows 7</p></td>
<td align="left"><p>Windows Server 2008 or Windows Vista with SP1</p></td>
<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows Server 2008 R2, Windows 8, or Windows 7</p></td>
<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows Server 2008 R2, or Windows 7</p></td>
</tr>
<tr class="even">
<td align="left"><p>Windows Server 2008 or Windows Vista with SP1</p></td>
<td align="left"><p>Windows Server 2012, Windows Server 2008 R2, Windows 8, or Windows 7</p></td>
<td align="left"><p>Windows Server 2012, Windows Server 2008 R2, or Windows 7</p></td>
<td align="left"><p>Supported</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Windows Server 2008 or Windows Vista with SP1</p></td>
<td align="left"><p>Windows Server 2008 or Windows Vista with SP1</p></td>
<td align="left"><p>Supported, but cannot report or edit policy settings or preference items that exist only in Windows Server 2008 R2, Windows 8, or Windows 7</p></td>
<td align="left"><p>Supported, but cannot report or edit policy settings or preference items that exist only in Windows Server 2008 R2, or Windows 7</p></td>
</tr>
</tbody>
</table>
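Review bot: The second row's limitation changes from "exist only in Windows 8" to "exist only in Windows 8.1", but no row of this AGPM 4.0 SP1 table lists Windows 8.1 and the first row is now Windows Server 2012 only, so the limitation most likely should name Windows Server 2012. Removing "Windows 8" from the three-item lists also leaves a stray comma in "Windows Server 2008 R2, or Windows 7" in two status cells.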

View File

@ -18,11 +18,11 @@ Microsoft Advanced Group Policy Management (AGPM) extends the capabilities of th
## AGPM Version Information
[AGPM 4.0 SP3](agpm-40-sp3-navengl.md) supports Windows 10, Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista with SP1.
[AGPM 4.0 SP3](agpm-40-sp3-navengl.md) supports Windows 10, Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista with SP1.
[AGPM 4.0 SP2](agpm-40-sp2-navengl.md) supports Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista with SP1.
[AGPM 4.0 SP2](agpm-40-sp2-navengl.md) supports Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista with SP1.
[AGPM 4.0 SP1](agpm-40-sp1-navengl.md) supports Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista with SP1.
[AGPM 4.0 SP1](agpm-40-sp1-navengl.md) supports Windows Server 2012, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista with SP1.
[AGPM 4](agpm-4-navengl.md) supports Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista with SP1.
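Review bot: The updated AGPM 4.0 SP3 line still omits Windows Server 2016, while the SP3 release notes changed in this same commit say SP3 "adds support for the Windows 10 and Windows Server 2016 operating systems". Add Windows Server 2016 to the SP3 list here so the two pages agree.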

View File

@ -88,6 +88,10 @@ If a user who has the Editor role submits a request to deploy a GPO, and the use
**Workaround:** None.
### Added mechanism to override AGPM default behavior of removing GPO permission changes
As of HF02, AGPM has added a registry key to enable overriding the default AGPM GPO permission behavior. For more information, please see [Changes to Group Policy object permissions through AGPM are ignored](https://support.microsoft.com/kb/3174540)
## Related topics
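Review bot: The new section says a registry key overrides AGPM's default removal of GPO permission changes, but it neither names the key nor says what happens to permissions once the override is on. Everything is deferred to the KB link. Add one sentence stating the effect (permission changes made to a GPO are kept rather than removed) so administrators can judge the impact on delegation before enabling it. The sentence ending with the KB link is also missing its final period.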

View File

@ -22,7 +22,7 @@ AGPM 4.0 SP3 supports the following features and functionality.
### Support for Windows 10
AGPM 4.0 SP3 adds support for the Windows 10 operating systems.
AGPM 4.0 SP3 adds support for the Windows 10 and Windows Server 2016 operating systems.
### Support for PowerShell
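Review bot: The heading above the changed sentence still reads "Support for Windows 10", although the text now also covers Windows Server 2016. Rename the heading to match, for example "Support for Windows 10 and Windows Server 2016".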
@ -111,7 +111,7 @@ You can upgrade the AGPM Client or AGPM Server to AGPM 4.0 SP3 without being pr
## Supported configurations
AGPM 4.0 SP3 supports the configurations in the following table. Although AGPM supports mixed configurations, we strongly recommend that you run the AGPM Client and AGPM Server on the same operating system line—for example, Windows 10 only, Windows 8.1 with Windows Server 2012 R2, and so on.
AGPM 4.0 SP3 supports the configurations in the following table. Although AGPM supports mixed configurations, we strongly recommend that you run the AGPM Client and AGPM Server on the same operating system line—for example, Windows 10 with Windows Server 2016, Windows 8.1 with Windows Server 2012 R2, and so on.
**AGPM 4.0 SP3 supported operating systems and policy settings**
@ -130,7 +130,7 @@ AGPM 4.0 SP3 supports the configurations in the following table. Although AGPM
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Windows 10</p></td>
<td align="left"><p>Windows Server 2016 or Windows 10</p></td>
<td align="left"><p>Windows 10</p></td>
<td align="left"><p>Supported</p></td>
</tr>
@ -140,29 +140,29 @@ AGPM 4.0 SP3 supports the configurations in the following table. Although AGPM
<td align="left"><p>Supported</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Windows Server 2012 R2, Windows Server 2012, Windows 8.1, or Windows 8</p></td>
<td align="left"><p>Windows Server 2012 or Windows 8</p></td>
<td align="left"><p>Windows Server 2012 R2, Windows Server 2012, or Windows 8.1</p></td>
<td align="left"><p>Windows Server 2012</p></td>
<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows 8.1</p></td>
</tr>
<tr class="even">
<td align="left"><p>Windows Server 2008 R2 or Windows 7</p></td>
<td align="left"><p>Windows Server 2008 R2 or Windows 7</p></td>
<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows 8.1 or Windows 8</p></td>
<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows 8.1</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Windows Server 2012, Windows Server 2008 R2, Windows 8, or Windows 7</p></td>
<td align="left"><p>Windows Server 2012, Windows Server 2008 R2, or Windows 7</p></td>
<td align="left"><p>Windows Server 2008 or Windows Vista with Service Pack 1 (SP1)</p></td>
<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, Windows 8, or Windows 7</p></td>
<td align="left"><p>Supported, but cannot edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, or Windows 7</p></td>
</tr>
<tr class="even">
<td align="left"><p>Windows Server 2008 or Windows Vista with SP1</p></td>
<td align="left"><p>Windows Server 2012, Windows Server 2008 R2, Windows 8, or Windows 7</p></td>
<td align="left"><p>Windows Server 2012, Windows Server 2008 R2, or Windows 7</p></td>
<td align="left"><p>Not supported</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Windows Server 2008 or Windows Vista with SP1</p></td>
<td align="left"><p>Windows Server 2008 or Windows Vista with SP1</p></td>
<td align="left"><p>Supported, but cannot report or edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, Windows 8, or Windows 7</p></td>
<td align="left"><p>Supported, but cannot report or edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, or Windows 7</p></td>
</tr>
</tbody>
</table>
@ -190,7 +190,7 @@ The following table describes the behavior of AGPM 4.0 SP3 Client and Server in
**Remote Server Administration Tools**
**Windows 10**
**Windows 10 or Windows Server 2016**
If the .NET Framework 4.5.1 is not enabled or installed, the installer blocks the installation.

View File

@ -58,16 +58,21 @@ Microsoft provides support for the current service pack and, in some cases, the
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Microsoft Windows Server 2012 R2</p></td>
<td align="left"><p>Microsoft Windows Server 2016</p></td>
<td align="left"><p></p></td>
<td align="left"><p>64-bit</p></td>
</tr>
<tr class="even">
<td align="left"><p>Microsoft Windows Server 2012</p></td>
<td align="left"><p>Microsoft Windows Server 2012 R2</p></td>
<td align="left"><p></p></td>
<td align="left"><p>64-bit</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Microsoft Windows Server 2012</p></td>
<td align="left"><p></p></td>
<td align="left"><p>64-bit</p></td>
</tr>
<tr class="even">
<td align="left"><p>Microsoft Windows Server 2008 R2</p></td>
<td align="left"><p>SP1</p></td>
<td align="left"><p>64-bit</p></td>
@ -147,16 +152,21 @@ The following table lists the operating systems that are supported for the App-V
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Microsoft Windows Server 2012 R2</p></td>
<td align="left"><p>Microsoft Windows Server 2016</p></td>
<td align="left"><p></p></td>
<td align="left"><p>64-bit</p></td>
</tr>
<tr class="even">
<td align="left"><p>Microsoft Windows Server 2012</p></td>
<td align="left"><p>Microsoft Windows Server 2012 R2</p></td>
<td align="left"><p></p></td>
<td align="left"><p>64-bit</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Microsoft Windows Server 2012</p></td>
<td align="left"><p></p></td>
<td align="left"><p>64-bit</p></td>
</tr>
<tr class="even">
<td align="left"><p>Microsoft Windows Server 2008 R2</p></td>
<td align="left"><p>SP1</p></td>
<td align="left"><p>64-bit</p></td>
@ -195,16 +205,21 @@ The following table lists the operating systems that are supported for the App-V
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Microsoft Windows Server 2012 R2</p></td>
<td align="left"><p>Microsoft Windows Server 2016</p></td>
<td align="left"><p></p></td>
<td align="left"><p>64-bit</p></td>
</tr>
<tr class="even">
<td align="left"><p>Microsoft Windows Server 2012</p></td>
<td align="left"><p>Microsoft Windows Server 2012 R2</p></td>
<td align="left"><p></p></td>
<td align="left"><p>64-bit</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Microsoft Windows Server 2012</p></td>
<td align="left"><p></p></td>
<td align="left"><p>64-bit</p></td>
</tr>
<tr class="even">
<td align="left"><p>Microsoft Windows Server 2008 R2</p></td>
<td align="left"><p>SP1</p></td>
<td align="left"><p>64-bit</p></td>
@ -267,6 +282,8 @@ The following table lists the SQL Server versions that are supported for the App
The following table lists the operating systems that are supported for the App-V 5.1 client installation.
**Note:** With the Windows 10 Anniversary release (aka 1607 version), the App-V client is in-box and will block installation of any previous version of the App-V client
<table>
<colgroup>
<col width="33%" />
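Review bot: The added note says the in-box App-V client in Windows 10 version 1607 "will block installation of any previous version of the App-V client", but it gives readers on 1607 no next step. Link to the documentation for the in-box client, replace "aka 1607 version" with "(version 1607)", and end the sentence with a period.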
@ -282,7 +299,7 @@ The following table lists the operating systems that are supported for the App-V
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Microsoft Windows 10</p></td>
<td align="left"><p>Microsoft Windows 10 (pre-1607 version)</p></td>
<td align="left"><p></p></td>
<td align="left"><p>32-bit or 64-bit</p></td>
</tr>
@ -292,11 +309,6 @@ The following table lists the operating systems that are supported for the App-V
<td align="left"><p>32-bit or 64-bit</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Microsoft Windows 8</p></td>
<td align="left"><p></p></td>
<td align="left"><p>32-bit or 64-bit</p></td>
</tr>
<tr class="even">
<td align="left"><p>Windows 7</p></td>
<td align="left"><p>SP1</p></td>
<td align="left"><p>32-bit or 64-bit</p></td>
@ -344,16 +356,21 @@ The following table lists the operating systems that are supported for App-V 5.1
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Microsoft Windows Server 2012 R2</p></td>
<td align="left"><p>Microsoft Windows Server 2016</p></td>
<td align="left"><p></p></td>
<td align="left"><p>64-bit</p></td>
</tr>
<tr class="even">
<td align="left"><p>Microsoft Windows Server 2012</p></td>
<td align="left"><p>Microsoft Windows Server 2012 R2</p></td>
<td align="left"><p></p></td>
<td align="left"><p>64-bit</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Microsoft Windows Server 2012</p></td>
<td align="left"><p></p></td>
<td align="left"><p>64-bit</p></td>
</tr>
<tr class="even">
<td align="left"><p>Microsoft Windows Server 2008 R2</p></td>
<td align="left"><p>SP1</p></td>
<td align="left"><p>64-bit</p></td>
@ -393,32 +410,32 @@ The following table lists the operating systems that are supported for the App-V
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Microsoft Windows Server 2012 R2</p></td>
<td align="left"><p>Microsoft Windows Server 2016</p></td>
<td align="left"></td>
<td align="left"><p>64-bit</p></td>
</tr>
<tr class="even">
<td align="left"><p>Microsoft Windows Server 2012 R2</p></td>
<td align="left"></td>
<td align="left"><p>64-bit</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Microsoft Windows Server 2012</p></td>
<td align="left"><p></p></td>
<td align="left"><p>64-bit</p></td>
</tr>
<tr class="odd">
<tr class="even">
<td align="left"><p>Microsoft Windows Server 2008 R2</p></td>
<td align="left"><p>SP1</p></td>
<td align="left"><p>64-bit</p></td>
</tr>
<tr class="even">
<tr class="odd">
<td align="left"><p>Microsoft Windows 10</p></td>
<td align="left"><p></p></td>
<td align="left"><p>32-bit and 64-bit</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Microsoft Windows 8.1</p></td>
<td align="left"><p></p></td>
<td align="left"><p>32-bit and 64-bit</p></td>
</tr>
<tr class="even">
<td align="left"><p>Microsoft Windows 8</p></td>
<td align="left"><p>Microsoft Windows 8.1</p></td>
<td align="left"><p></p></td>
<td align="left"><p>32-bit and 64-bit</p></td>
</tr>

View File

@ -143,6 +143,44 @@ The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO
**Workaround**: Use a different filename
## Intermittent "File Not Found" error when Mounting a Package
Occassionally when mounting a package, a "File Not Found" (0x80070002) error is generated. Typically, this occurs when a folder in an App-V package contains many files ( i.e. 20K or more). This can cause streaming to take longer than expected and to time out which generates the "File Not Found" error.
**Workaround**: Starting with HF06, a new registry key has been introduced to enable extending this time-out period.
<table>
<colgroup>
<col width="20%" />
<col width="80%" />
</colgroup>
<tbody>
<tr>
<td align="left">Path</td>
<td align="left">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\Streaming</td>
</tr>
<tr>
<td align="left">Setting</td>
<td align="left">StreamResponseWaitTimeout</td>
</tr>
<tr>
<td align="left">DataType</td>
<td align="left">DWORD</td>
</tr>
<tr>
<td align="left">Units</td>
<td align="left">Seconds</td>
</tr>
<tr>
<td align="left">Default</td>
<td align="left">5<br />
**Note**: this value is the default if the registry key is not defined or a value <=5 is specified.
</td>
</tr>
</tbody>
</table>
## Got a suggestion for App-V?
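Review bot: In the Default row of the new table, the note puts Markdown bold (`**Note**`) and a raw `<=5` inside an HTML cell. Markdown inside an HTML block may not render, and the bare `<` should be written as `&lt;=`. The workaround also documents only the lower bound of StreamResponseWaitTimeout. State a maximum or a recommended value for packages with 20K or more files, since the registry key is the whole workaround. Two small fixes in the first paragraph: "Occassionally" should be "Occasionally", and "( i.e. 20K or more)" has a stray space after the parenthesis.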

View File

@ -88,7 +88,7 @@ For a list of all languages supported for client and server in MBAM 2.5 and MBAM
### Support for Windows 10
MBAM 2.5 SP1 adds support for Windows 10, in addition to the same software that is supported in earlier versions of MBAM.
MBAM 2.5 SP1 adds support for Windows 10 and Windows Server 2016, in addition to the same software that is supported in earlier versions of MBAM.
Windows 10 is supported in both MBAM 2.5 and MBAM 2.5 SP1.
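Review bot: The changed sentence adds Windows Server 2016 under a heading that still says "Support for Windows 10". The next line says which MBAM versions support Windows 10 but is silent on Windows Server 2016. Update the heading and say whether Windows Server 2016 is supported in MBAM 2.5 SP1 only or in MBAM 2.5 as well.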
@ -217,6 +217,7 @@ After installation, the service will now set the MBAM agent service to use delay
The compliance calculation logic for "Locked Fixed Data" volumes has been changed to report the volumes as "Compliant," but with a Protector State and Encryption State of "Unknown" and with a Compliance Status Detail of "Volume is locked". Previously, locked volumes were reported as “Non-Compliant”, a Protector State of "Encrypted", an Encryption State of "Unknown", and a Compliance Status Detail of "An unknown error".
## How to Get MDOP Technologies

View File

@ -137,6 +137,8 @@ The following tables show the languages that are supported for the MBAM Client (
### MBAM Server operating system requirements
We strongly recommend that you run the MBAM Client and MBAM Server on the same line of operating systems. For example, Windows 10 with Windows Server 2016, Windows 8.1 with Windows Server 2012 R2, and so on.
The following table lists the operating systems that are supported for the MBAM Server installation.
<table>
@ -156,21 +158,27 @@ The following table lists the operating systems that are supported for the MBAM
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Windows Server 2008 R2</p></td>
<td align="left"><p>Standard, Enterprise, or Datacenter</p></td>
<td align="left"><p>SP1</p></td>
<td align="left"><p>Windows Server 2016</p></td>
<td align="left"><p>Standard or Datacenter</p></td>
<td align="left"></td>
<td align="left"><p>64-bit</p></td>
</tr>
<tr class="even">
<td align="left"><p>Windows Server 2012 R2</p></td>
<td align="left"><p>Standard or Datacenter</p></td>
<td align="left"><p></p></td>
<td align="left"><p>64-bit</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Windows Server 2012</p></td>
<td align="left"><p>Standard or Datacenter</p></td>
<td align="left"></td>
<td align="left"><p>64-bit</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Windows Server 2012 R2</p></td>
<td align="left"><p>Standard or Datacenter</p></td>
<td align="left"><p></p></td>
<td align="left"><p>Windows Server 2008 R2</p></td>
<td align="left"><p>Standard, Enterprise, or Datacenter</p></td>
<td align="left"><p>SP1</p></td>
<td align="left"><p>64-bit</p></td>
</tr>
</tbody>
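Review bot: After the reordering, the last two rows of this table both carry `<tr class="odd">`: the Windows Server 2012 row and the Windows Server 2008 R2 row that follows it. The row striping was not updated for the final row as it was in the other tables in this commit. Change the Windows Server 2008 R2 row to `<tr class="even">`.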
@ -441,6 +449,8 @@ The following table lists the server processor, RAM, and disk space requirements
### Client operating system requirements
We strongly recommend that you run the MBAM Client and MBAM Server on the same line of operating systems. For example, Windows 10 with Windows Server 2016, Windows 8.1 with Windows Server 2012 R2, and so on.
The following table lists the operating systems that are supported for MBAM Client installation. The same requirements apply to the Stand-alone and the Configuration Manager Integration topologies.
<table>
@ -472,20 +482,14 @@ The following table lists the operating systems that are supported for MBAM Clie
<td align="left"><p>32-bit or 64-bit</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Windows 8</p></td>
<td align="left"><p>Enterprise</p></td>
<td align="left"><p></p></td>
<td align="left"><p>32-bit or 64-bit</p></td>
</tr>
<tr class="even">
<td align="left"><p>Windows 7</p></td>
<td align="left"><p>Enterprise or Ultimate</p></td>
<td align="left"><p>SP1</p></td>
<td align="left"><p>32-bit or 64-bit</p></td>
</tr>
<tr class="odd">
<tr class="even">
<td align="left"><p>Windows To Go</p></td>
<td align="left"><p>Windows 8, Windows 8.1, and Windows 10 Enterprise</p></td>
<td align="left"><p>Windows 8.1 and Windows 10 Enterprise</p></td>
<td align="left"><p></p></td>
<td align="left"><p>32-bit or 64-bit</p></td>
</tr>
@ -532,30 +536,24 @@ The following table lists the operating systems that are supported for MBAM Grou
<td align="left"><p>32-bit or 64-bit</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Windows 8</p></td>
<td align="left"><p>Enterprise, or Pro</p></td>
<td align="left"><p></p></td>
<td align="left"><p>32-bit or 64-bit</p></td>
</tr>
<tr class="even">
<td align="left"><p>Windows 7</p></td>
<td align="left"><p>Enterprise, or Ultimate</p></td>
<td align="left"><p>SP1</p></td>
<td align="left"><p>32-bit or 64-bit</p></td>
</tr>
<tr class="odd">
<tr class="even">
<td align="left"><p>Windows Server 2012 R2</p></td>
<td align="left"><p>Standard or Datacenter</p></td>
<td align="left"><p></p></td>
<td align="left"><p>64-bit</p></td>
</tr>
<tr class="even">
<tr class="odd">
<td align="left"><p>Windows Server 2012</p></td>
<td align="left"><p>Standard or Datacenter</p></td>
<td align="left"><p></p></td>
<td align="left"><p>64-bit</p></td>
</tr>
<tr class="odd">
<tr class="even">
<td align="left"><p>Windows Server 2008 R2</p></td>
<td align="left"><p>Standard, Enterprise, or Datacenter</p></td>
<td align="left"><p>SP1</p></td>

View File

@ -118,6 +118,22 @@ If Internet Explorer Enhanced Security Configuration (ESC) is turned on, an "Acc
**Workaround:** If the "Access Denied" error message appears when you try to view reports on the MBAM Server, you can set a Group Policy Object or change the default manually in your image to disable Enhanced Security Configuration. You can also alternatively view the reports from another computer on which ESC is not enabled.
### Support for Bitlocker XTS-AES encryption algorithm
Bitlocker added support for the XTS-AES encryption algorithm in Windows 10, version 1511.
As of HF02, MBAM now supports this Bitlocker option and is a client-only update.
However, there are two known limitations:
* MBAM will correctly report compliance status but the **Cipher Strength** field in MBAM reports will be empty.
MBAM pre-built reports and compliance charts wont break but the **Cipher Strength** column will be empty for XTS machines.
Also, if a customer has a custom report that uses this particular field, they may have to make adjustments to accommodate this update.
* Customers must use the same encryption strength for OS and data volumes on the same machine.
If different encryption strengths are used, MBAM will report the machine as **non-compliant**.
### Self-Service Portal automatically adds "-" on Key ID entry
As of HF02, the MBAM Self-Service Portal automatically adds the '-' on Key ID entry.
**Note:** The Server has to be reconfigured for the Javascript to take effect.
## Got a suggestion for MBAM?
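Review bot: The XTS-AES section needs a wording pass before merge. "Bitlocker" should be "BitLocker" throughout, "wont" should be "won't", and "MBAM now supports this Bitlocker option and is a client-only update" should say what the update is (for example, "The update applies to the MBAM Client only"). The second limitation changes compliance results, because mixed encryption strengths on OS and data volumes are reported as non-compliant. State whether that applies only to XTS-AES machines or to all clients after HF02. In the Self-Service Portal note, "Javascript" should be "JavaScript", and "The Server has to be reconfigured" should say which configuration step is meant.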

View File

@ -70,7 +70,7 @@ If upon installation the user or administrator choses to participate in the Cust
### Monitor Application Settings
The **Monitor Application Settings** task is used to synchronize settings for Windows apps. It is runs at logon but is delayed by 30 seconds to not affect the logon detrimentally. The Monitor Application Status task runs the UevAppMonitor.exe file, which is located in the UE-V Agent installation directory.
The **Monitor Application Settings** task is used to synchronize settings for Windows apps. It is run at logon but is delayed by 30 seconds to not affect the logon detrimentally. The Monitor Application Status task runs the UevAppMonitor.exe file, which is located in the UE-V Agent installation directory.
<table>
<colgroup>
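Review bot: The corrected line still refers to the task by two names: "**Monitor Application Settings**" in the first sentence and "The Monitor Application Status task" in the last. Use "Monitor Application Settings" in both places while this paragraph is being touched.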
@ -96,7 +96,7 @@ The **Monitor Application Settings** task is used to synchronize settings for Wi
### Sync Controller Application
The **Sync Controller Application** task is used to start the Sync Controller to synchronize settings from the computer to the settings storage location. By default, the task runs every 30 minutes. At that time, local settings are synchronized to the settings storage location, and updated settings on the settings storage location are synchronized to the computer. The Sync Controller application runs the Microsoft.Uev.SyncController.exe, which is located in the UE-V Agent installation directory.
**Note:** As per the **Monitor Application Settings** task, this task is run at logon but is delayed by 30 seconds to not affect the logon detrimentally.
<table>
<colgroup>
<col width="50%" />
@ -305,7 +305,7 @@ The following additional information applies to UE-V scheduled tasks:
- ll task sequence programs are located in the UE-V Agent installation folder, `%programFiles%\Microsoft User Experience Virtualization\Agent\[architecture]\`, by default.
- The Sync Controller Application Scheduled task is the crucial component when the UE-V SyncMethod is set to “SyncProvider” (UE-V 2 default configuration). This scheduled task keeps the SettingsSToragePath synchronized with the locally cached versions of the settings package files. If users complain that settings do not synchronize often enough, then you can reduce the scheduled task setting to as little as 1 minute.  You can also increase the 30 min default to a higher amount if necessary.
- The Sync Controller Application Scheduled task is the crucial component when the UE-V SyncMethod is set to “SyncProvider” (UE-V 2 default configuration). This scheduled task keeps the SettingsSToragePath synchronized with the locally cached versions of the settings package files. If users complain that settings do not synchronize often enough, then you can reduce the scheduled task setting to as little as 1 minute.  You can also increase the 30 min default to a higher amount if necessary. If users complain that settings do not synchronize fast enough on logon, then you can remove the delay setting for the scheduled task. (You can find the delay setting in the **Edit Trigger** dialogue box)
- You do not need to disable the Template Auto Update scheduled task if you use another method to keep the clients templates in sync (i.e. Group Policy or Configuration Manager Baselines). Leaving the SettingsTemplateCatalog property value blank prevents UE-V from checking the settings catalog for custom templates. This scheduled task runs ApplySettingsCatalog.exe and will essentially return immediately.
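Review bot: The sentence added to the Sync Controller bullet tells admins they can remove the logon delay, but it does not mention the trade-off stated elsewhere in this topic: the 30-second delay exists so the task does not slow logon. Add that caveat, change "dialogue box" to "dialog box", and move the final period out of the parenthetical, which currently ends without one.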

View File

@ -1,6 +1,6 @@
# [Windows 10 and Windows 10 Mobile](index.md)
## [What's new in Windows 10](whats-new/)
## [Plan for Windows 10 deployment](plan/)
## [Deploy Windows 10](deploy/)
## [Keep Windows 10 secure](keep-secure/)
## [Manage and update Windows 10](manage/)
## [What's new in Windows 10](whats-new/index.md)
## [Plan for Windows 10 deployment](plan/index.md)
## [Deploy Windows 10](deploy/index.md)
## [Keep Windows 10 secure](keep-secure/index.md)
## [Manage and update Windows 10](manage/index.md)

View File

@ -9,6 +9,7 @@
#### [Prepare your environment](upgrade-analytics-prepare-your-environment.md)
#### [Resolve application and driver issues](upgrade-analytics-resolve-issues.md)
#### [Deploy Windows](upgrade-analytics-deploy-windows.md)
#### [Review site discovery](upgrade-analytics-review-site-discovery.md)
### [Troubleshoot Upgrade Analytics](troubleshoot-upgrade-analytics.md)
## [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
### [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)

View File

@ -15,6 +15,9 @@ This topic lists new and updated topics in the [Deploy Windows 10](index.md) doc
| New or changed topic | Description |
|----------------------|-------------|
| [Windows 10 Enterprise E3 in CSP Overview](windows-10-enterprise-e3-overview.md) | New |
| [Get started with Upgrade Analytics](upgrade-analytics-get-started.md) | Updated with prerequisites for site discovery |
| [Resolve application and driver issues](upgrade-analytics-resolve-issues.md) | Updated with app status info for Ready For Windows |
| [Review site discovery](upgrade-analytics-review-site-discovery.md) | New |
## RELEASE: Windows 10, version 1607

View File

@ -6,7 +6,6 @@ keywords: deployment, task sequence, custom, customize
ms.prod: w10
localizationpriority: high
ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
author: mtniehaus
---

View File

@ -7,7 +7,6 @@ ms.prod: w10
ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
localizationpriority: high
author: mtniehaus
ms.pagetype: mdt
---

View File

@ -92,9 +92,10 @@ By default MDT stores the log files locally on the client. In order to capture a
1. On MDT01, log on as **CONTOSO\\Administrator**.
2. Create and share the **E:\\Logs** folder by running the following commands in an elevated Windows PowerShell prompt:
``` syntax
New-Item -Path E:\Logs -ItemType directory
New-SmbShare ?Name Logs$ ?Path E:\Logs -ChangeAccess EVERYONE
New-SmbShare -Name Logs$ -Path E:\Logs -ChangeAccess EVERYONE
icacls E:\Logs /grant '"MDT_BA":(OI)(CI)(M)'
```
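Review bot: The corrected `New-SmbShare` line grants Change access on the Logs$ share to EVERYONE, while the `icacls` line that follows grants Modify on the folder only to MDT_BA. Since the guide sets this folder up to collect deployment logs, limit the share permission to the same account by passing the MDT_BA account to `-ChangeAccess` instead of EVERYONE. That way write access does not depend on the NTFS ACL alone.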

View File

@ -6,7 +6,6 @@ keywords: install, configure, deploy, deployment
ms.prod: w10
localizationpriority: high
ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
author: mtniehaus
---

View File

@ -7,7 +7,6 @@ ms.prod: w10
ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
localizationpriority: high
ms.pagetype: mdt
author: mtniehaus
---

View File

@ -95,10 +95,15 @@ The compatibility update KB scans your computers and enables application usage t
| **Operating System** | **KBs** |
|----------------------|-----------------------------------------------------------------------------|
| Windows 8.1 | [KB 2976978](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2976978)<br>Performs diagnostics on the Windows 8.1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed. <br>For more information about this KB, see <https://support.microsoft.com/kb/2976978><br>[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)<br>Provides updated configuration and definitions for compatibility diagnostics performed on the system.<br>For more information about this KB, see <https://support.microsoft.com/kb/3150513><br>NOTE: KB2976978 must be installed before you can download and install KB3150513. |
| Windows 7 SP1 | [KB2952664](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2952664) <br>Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed. <br>For more information about this KB, see <https://support.microsoft.com/kb/2952664><br>[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)<br>Provides updated configuration and definitions for compatibility diagnostics performed on the system.<br>For more information about this KB, see <https://support.microsoft.com/kb/3150513><br>NOTE: KB2976978 must be installed before you can download and install KB3150513. |
| Windows 7 SP1 | [KB2952664](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2952664) <br>Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed. <br>For more information about this KB, see <https://support.microsoft.com/kb/2952664><br>[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)<br>Provides updated configuration and definitions for compatibility diagnostics performed on the system.<br>For more information about this KB, see <https://support.microsoft.com/kb/3150513><br>NOTE: KB2952664 must be installed before you can download and install KB3150513. |
IMPORTANT: Restart user computers after you install the compatibility update KBs for the first time.
| **Site discovery** | **KB** |
|----------------------|-----------------------------------------------------------------------------|
| [Review site discovery](upgrade-analytics-review-site-discovery.md) | [KB 3170106](https://support.microsoft.com/en-us/kb/3170106)<br>Site discovery requires July 2016 security update for Internet Explorer. |
### Automate data collection
To ensure that user computers are receiving the most up to date data from Microsoft, we recommend that you establish the following data sharing and analysis processes.
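Review bot: The rewritten Windows 7 SP1 row still links KB2952664 through `http://catalog.update.microsoft.com`, while the KB 3150513 link in the same cell uses `https://`. Switch the catalog link to HTTPS since the line is being edited anyway. In the new site discovery table, the KB 3170106 link uses a locale-specific `/en-us/` path, unlike the other support.microsoft.com links in this hunk. Drop the locale segment for consistency.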
@ -151,9 +156,19 @@ To run the Upgrade Analytics deployment script:
3. For troubleshooting, set isVerboseLogging to $true to generate log information that can help with diagnosing issues. By default, isVerboseLogging is set to $false. Ensure the Diagnostics folder is installed in the same directory as the script to use this mode.
4. Notify users if they need to restart their computers. By default, this is set to off.
4. To enable Internet Explorer data collection, set AllowIEData to IEDataOptIn. By default, AllowIEData is set to Disable. Then use one of the following options to determine what Internet Explorer data can be collected:
5. After you finish editing the parameters in RunConfig.bat, run the script as an administrator.
> *IEOptInLevel = 0 Internet Explorer data collection is disabled*
>
> *IEOptInLevel = 1 Data collection is enabled for sites in the Local intranet + Trusted sites + Machine local zones*
>
> *IEOptInLevel = 2 Data collection is enabled for sites in the Internet + Restricted sites zones*
>
> *IEOptInLevel = 3 Data collection is enabled for all sites*
5. Notify users if they need to restart their computers. By default, this is set to off.
6. After you finish editing the parameters in RunConfig.bat, run the script as an administrator.
## Seeing data from computers in Upgrade Analytics
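Review bot: The new step 4 tells the reader to set AllowIEData to IEDataOptIn, but the options that follow are values of IEOptInLevel, a parameter the step never introduces. Say explicitly that IEOptInLevel is a second parameter in RunConfig.bat to set alongside AllowIEData. The levels are also not cumulative. Level 2 covers the Internet and Restricted sites zones but not the intranet and trusted zones of level 1, and level 3 collects data for all sites. A sentence saying so would help admins pick the narrowest level that meets their needs.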

View File

@ -22,6 +22,12 @@ Upgrade decisions include:
The blades in the **Resolve issues** section are:
- Review applications with known issues
- Review applications with no known issues
- Review drivers with known issues
As you review applications with known issues, you can also see ISV support of applications for [Ready for Windows](https://www.readyforwindows.com/).
## Review applications with known issues
Applications with issues known to Microsoft are listed, grouped by upgrade assessment into **Attention needed** or **Fix available**.
@ -67,14 +73,39 @@ For applications assessed as **Fix available**, review the table below for detai
| Fix available | Yes | Blocking upgrade, but can be reinstalled after upgrading | The application is compatible with the new operating system, but wont migrate. | Remove the application before upgrading and reinstall on the new operating system.<br> |
| Fix available | Yes | Disk encryption blocking upgrade | The applications encryption features are blocking the upgrade. | Disable the encryption feature before upgrading and enable it again after upgrading.<br> |
### ISV support for applications with Ready for Windows
[Ready for Windows](https://www.readyforwindows.com/) lists software solutions that are supported and in use for Windows 10. This site leverages data about application adoption from commercial Windows 10 installations and helps IT managers upgrade to Windows 10 with confidence. For more information, see [Ready for Windows Frequently Asked Questions](https://developer.microsoft.com/windows/ready-for-windows/#/faq/).
Click **Review Applications With Known Issues** to see the status of applications for Ready for Windows and corresponding guidance. For example:
![Upgrade analytics Ready for Windows status](images/upgrade-analytics-ready-for-windows-status.png)
If there are known issues with an application, the specific guidance for that known issue takes precedence over the Ready for Windows guidance.
![Upgrade analytics Ready for Windows status guidance precedence](images/upgrade-analytics-ready-for-windows-status-guidance-precedence.png)
If you query with RollupLevel="NamePublisher", each version of the application can have a different status for Ready for Windows. In this case, different values appear for Ready for Windows.
![Name publisher rollup](images/upgrade-analytics-namepub-rollup.png)
The following table lists possible values for **ReadyForWindows** and what they mean. For more information, see [What does the Adoption Status mean?](https://developer.microsoft.com/en-us/windows/ready-for-windows#/faq/?scrollTo=faqStatuses)
| Ready for Windows Status | Query rollup level | What this means | Guidance |
|-------------------|--------------------------|-----------------|----------|
|Supported version available | Granular | The software provider has declared support for one or more versions of this application on Windows 10. | The ISV has declared support for a version of this application on Windows 10. |
| Highly adopted | Granular | This version of this application has been highly adopted within the Windows 10 Enterprise ecosystem. | This application has been installed on at least 100,000 commercial Windows 10 devices. |
| Adopted | Granular | This version of this application has been adopted within the Windows 10 Enterprise ecosystem. | This application has been installed on at least 10,000 commercial Windows 10 devices. |
| Insufficient Data | Granular | Too few commercial Windows 10 devices are sharing information about this version of this application for Microsoft to categorize its adoption. | N/A |
| Contact developer | Granular | There may be compatibility issues with this version of the application, so Microsoft recommends contacting the software provider to learn more. | Check [Ready for Windows](https://www.readyforwindows.com/) for additional information.|
|Supported version available | NamePublisher | The software provider has declared support for this application on Windows 10. | The ISV has declared support for a version of this application on Windows 10.|
|Adoption status available | NamePublisher | A Ready for Windows adoption status is available for one or more versions of this application. Please check Ready for Windows to learn more. |Check [Ready for Windows](https://www.readyforwindows.com/) for adoption information for this application.|
| Unknown | Any | There is no Ready for Windows information available for this version of this application. Information may be available for other versions of the application at [Ready for Windows](https://www.readyforwindows.com/). | N/A |
## Review applications with no known issues
Applications with no issues known to Microsoft are listed, grouped by upgrade decision.
<!-- PRESERVING ORIGINAL IMAGE CODING JUST IN CASE
<img src="media/image7.png" width="197" height="336" />
-->
![Review applications with no known issues](images/upgrade-analytics-apps-no-known-issues.png)
Applications with no known issues that are installed on 2% or less of your total computer inventory \[number of computers application is installed on/total number of computers in your inventory\] are automatically marked **Ready to upgrade** and included in the applications reviewed count. Applications with no known issues that are installed on more than 2% of your total computer inventory are automatically marked **Not reviewed**.
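Review bot: In the new ReadyForWindows table, the Guidance column does not give guidance for most rows: for both "Supported version available" rows it restates the "What this means" cell, and for "Highly adopted" and "Adopted" it holds the definition (at least 100,000 and at least 10,000 commercial Windows 10 devices) rather than an action. Move the thresholds into "What this means" and use Guidance for what the admin should do with that status, or drop the column. The "Granular" rollup level in the second column is never introduced; the prose only mentions RollupLevel="NamePublisher", so add a sentence saying what the granular query is. The two FAQ links also use different URL forms (one with /en-us/ and a scrollTo parameter, one without); use one form for both.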
@ -95,10 +126,6 @@ To change an application's upgrade decision:
Drivers that wont migrate to the new operating system are listed, grouped by availability.
<!-- PRESERVING ORIGINAL IMAGE CODING JUST IN CASE
<img src="media/image8.png" width="197" height="316" />
-->
![Review drivers with known issues](images/upgrade-analytics-drivers-known.png)
Availability categories are explained in the table below.

View File

@ -0,0 +1,68 @@
---
title: Review site discovery
description: Explains how to review internet web site discovery with Upgrade Analytics.
ms.prod: w10
author: Justinha
---
# Review site discovery
This section of the Upgrade Analytics workflow provides an inventory of web sites that are being used by client computers that run Internet Explorer on Windows 8.1 and Windows 7 in your environment. This inventory information is provided as optional data related to upgrading to Windows 10 and Internet Explorer 11, and is meant to help prioritize compatibility testing for web applications. You can make more informed decisions about testing based on usage data. Data from Microsoft Edge is not collected.
> Note: Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. In addition, the data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees.
## Install prerequisite security update for Internet Explorer
Ensure the following prerequisites are met before using site discovery:
1. Install the latest Internet Explorer 11 Cumulative Update. This update provides the capability for site discovery and is available in the [July 2016 cumulative update (KB3170106)](https://support.microsoft.com/kb/3170106) and later.
2. Install the update for customer experience and diagnostic telemetery ([KB3080149](https://support.microsoft.com/kb/3080149)).
3. Enable Internet Explorer data collection, which is disabled by default. The best way to enable it is to modify the [Upgrade Analytics deployment script](upgrade-analytics-get-started.md#run-the-upgrade-analytics-deployment-script) to allow Internet Explorer data collection before you run it.
If necessary, you can also enable it by creating the following registry entry.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection
Entry name: IEDataOptIn
Data type: DWORD
Values:
> *IEOptInLevel = 0 Internet Explorer data collection is disabled*
>
> *IEOptInLevel = 1 Data collection is enabled for sites in the Local intranet + Trusted sites + Machine local zones*
>
> *IEOptInLevel = 2 Data collection is enabled for sites in the Internet + Restricted sites zones*
>
> *IEOptInLevel = 3 Data collection is enabled for all sites*
For more information about Internet Explorer Security Zones, see [About URL Security Zones](https://msdn.microsoft.com/library/ms537183.aspx).
![Create the IEDataOptIn registry key](images/upgrade-analytics-create-iedataoptin.png)
## Review most active sites
This blade indicates the most visited sites by computers in your environment. Review this list to determine which web applications and sites are used most frequently. The number of visits is based on the total number of views, and not by the number of unique devices accessing a page.
For each site, the fully qualified domain name will be listed. You can sort the data by domain name or by URL.
![Most active sites](Images/upgrade-analytics-most-active-sites.png)
Click the name of any site in the list to drill down into more details about the visits, including the time of each visit and the computer name.
![Site domain detail](images/upgrade-analytics-site-domain-detail.png)
## Review document modes in use
This blade provides information about which document modes are used in the sites that are visited in your environment. Document modes are used to provide compatibility with older versions of Internet Explorer. Sites that use older technologies may require additional testing and are less likely to be compatible with Microsoft Edge. Counts are based on total page views and not the number of unique devices. For more information about document modes, see [Deprecated document modes](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/deprecated-document-modes).
![Site activity by document mode](images/upgrade-analytics-site-activity-by-doc-mode.png)
## Run browser-related queries
You can run predefined queries to capture more info, such as sites that have Enterprise Mode enabled, or the number of unique computers that have visited a site. For example, this query returns the most used ActiveX controls. You can modify and save the predefined queries.
![](images/upgrade-analytics-query-activex-name.png)
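Review bot: The manual registry instructions in the prerequisites section give the entry name as IEDataOptIn but list its values as "IEOptInLevel = 0" through "IEOptInLevel = 3", so an admin following the text cannot tell what the DWORD must be called. State the value name once and list the data as plain 0, 1, 2, 3 with their zone scopes. The opening note also says that data is collected "on all sites visited by Internet Explorer" once the feature is on, which conflicts with levels 1 and 2 limiting collection to specific zones; since that note is where the employee-notice obligation is stated, it should describe the scope accurately per level. Smaller points: the heading "Install prerequisite security update for Internet Explorer" covers a list of three prerequisites, step 2 spells "telemetery", the most-active-sites image path starts with "Images/" while every other path uses "images/", and the last image has empty alt text.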

View File

@ -23,4 +23,6 @@ The Upgrade Analytics workflow gives you compatibility and usage information abo
3. [Identifying computers that are upgrade ready](upgrade-analytics-deploy-windows.md)
4. [Review site discovery](upgrade-analytics-review-site-discovery.md)

View File

@ -19,9 +19,11 @@ author: greg-lindsay
This topic provides a summary of available upgrade paths to Windows 10. You can upgrade to Windows 10 from Windows 7 or a later operating system. This includes upgrading from one release of Windows 10 to later release of Windows 10. Migrating from one edition of Windows 10 to a different edition of the same release is also supported. For more information about migrating to a different edition of Windows 10, see [Windows 10 edition upgrade](windows-10-edition-upgrades.md).
>**Windows 10 LTSB**: The upgrade paths displayed below do not apply to Windows 10 LTSB. In-place upgrade from Windows 7 or Windows 8.1 to Windows 10 LTSB is not supported.
>**Windows N/KN**: Windows "N" and "KN" editions follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process.
>**Free upgrade**: Some upgrade paths qualify for a free upgrade using Windows Update. For a list of upgrade paths that are available as part of the free upgrade offer, see [Free upgrade paths](#Free-upgrade-paths).
>**Free upgrade**: The Windows 10 free upgrade offer expired on July 29, 2016. For more information, see [Free upgrade paths](#Free-upgrade-paths).
✔ = Full upgrade is supported including personal data, settings, and applications.<BR>
D = Edition downgrade; personal data is maintained, applications and settings are removed.
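Review bot: The replacement "Free upgrade" note says the offer expired on July 29, 2016 but still sends readers to #Free-upgrade-paths "for more information"; this hunk does not show that section being changed, so check that it no longer describes the offer as current. The anchor is written with a capital F, which will not resolve if the renderer generates lowercase heading ids.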

View File

@ -35,6 +35,7 @@
#### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md)
#### [Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md)
#### [Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md)
#### [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md)
## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)
## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md)
## [VPN profile options](vpn-profile-options.md)

View File

@ -16,8 +16,11 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
| New or changed topic | Description |
| --- | --- |
|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) | New |
|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Updated the networking table to clarify details around Enterprise Cloud Resources and Enterprise Proxy Servers. |
|[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |Updated the networking table to clarify details around Enterprise Cloud Resources and Enterprise Proxy Servers. |
| [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) | Clarified how convenience PIN works in Windows 10, version 1607, on domain-joined PCs |
| [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) | Corrected certreq ezxample and added a new Windows PowerShell example for creating a self-signed certficate |
| [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) | Corrected certreq example and added a new Windows PowerShell example for creating a self-signed certificate |
## August 2016
|New or changed topic | Description |

View File

@ -139,7 +139,7 @@ For this example, were going to add Internet Explorer, a desktop app, to the
The **Add App Rule** box appears.
![Microsoft Intune, Add a desktop app to your policy](images/intune-add-classic-apps.png)
![Microsoft Intune, Add a desktop app to your policy](images/intune-add-classic-apps.png)
2. Add a friendly name for your app into the **Title** box. In this example, its *Internet Explorer*.
@ -279,7 +279,7 @@ For this example, were going to add an AppLocker XML file to the **App Rules*
The **Add App Rule** box appears.
![Microsoft Intune, Importing your AppLocker policy file using Intune](images/intune-add-applocker-xml-file.png)
![Microsoft Intune, Importing your AppLocker policy file using Intune](images/intune-add-applocker-xml-file.png)
2. Add a friendly name for your app into the **Title** box. In this example, its *Allowed app list*.
@ -370,8 +370,8 @@ There are no default locations included with WIP, you must add each of your netw
</tr>
<tr>
<td>Enterprise Cloud Resources</td>
<td>**With proxy:** contoso.sharepoint.com,proxy.contoso.com|<br>contoso.visualstudio.com,proxy.contoso.com<p>**Without proxy:** contoso.sharepoint.com|contoso.visualstudio.com</td>
<td>Specify the cloud resources to be treated as corporate and protected by WIP.<p>For each cloud resource, you may also optionally specify an internal proxy server that routes your traffic through your Enterprise Internal Proxy Server.<p>If you have multiple resources, you must separate them using the "|" delimiter. If you dont use proxy servers, you must also include the "," delimiter just before the "|". For example: `URL <,proxy>|URL <,proxy>`.<p>If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the `/*AppCompat*/` string to this setting. For example: `URL <,proxy>|URL <,proxy>|/*AppCompat*/`</td>
<td><strong>With proxy:</strong> contoso.sharepoint.com,contoso.internalproxy1.com|<br>contoso.visualstudio.com,contoso.internalproxy2.com<p><strong>Without proxy:</strong> contoso.sharepoint.com|contoso.visualstudio.com</td>
<td>Specify the cloud resources to be treated as corporate and protected by WIP.<p>For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.<p>If you have multiple resources, you must separate them using the "|" delimiter. If you dont use proxy servers, you must also include the "," delimiter just before the "|". For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;</code>.<p>If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the <code>/*AppCompat*/</code> string to this setting. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;|/*AppCompat*/</code></td>
</tr>
<tr>
<td>Enterprise Network Domain Names (Required)</td>
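Review bot: In the rewritten Enterprise Cloud Resources row, the description and the example disagree: the text says that if you don't use proxy servers you "must also include the "," delimiter just before the "|"", but the "Without proxy" example reads contoso.sharepoint.com|contoso.visualstudio.com with no comma. Correct whichever is wrong so admins do not deploy a malformed list. The /*AppCompat*/ paragraph would also benefit from one sentence on the trade-off: it switches the handling of undetermined connections from block to allow, so it should read as a compatibility exception rather than a neutral option. The same cell text is repeated in a later hunk of this commit and needs the same correction there.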
@ -380,8 +380,8 @@ There are no default locations included with WIP, you must add each of your netw
</tr>
<tr>
<td>Enterprise Proxy Servers</td>
<td>proxy.contoso.com:80;proxy2.contoso.com:137</td>
<td>Specify your externally-facing proxy server addresses, along with the port through which traffic is allowed and protected with WIP.<p>This list shouldnt include any servers listed in the Enterprise Internal Proxy Servers list, which are used for WIP-protected traffic.<p>This setting is also required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when youre visiting another company and not on that companys guest network.<p>If you have multiple resources, you must separate them using the ";" delimiter.</td>
<td>proxy.contoso.com:80;proxy2.contoso.com:443</td>
<td>Specify your externally-facing proxy server addresses, along with the port through which traffic accesses the Internet.<p>This list must not include any servers listed in the Enterprise Internal Proxy Servers list, because theyre used for WIP-protected traffic.<p>This setting is also required if theres a chance you could end up behind a proxy server on another network. In this situation, if you don't have a proxy server pre-defined, you might find that enterprise resources are unavailable to your client device, such as when youre visiting another company and not on the guest network. To make sure this doesnt happen, the client device also needs to be able to reach the pre-defined proxy server through the VPN network.<p>If you have multiple resources, you must separate them using the ";" delimiter.</td>
</tr>
<tr>
<td>Enterprise Internal Proxy Servers</td>

View File

@ -391,8 +391,8 @@ There are no default locations included with WIP, you must add each of your netw
</tr>
<tr>
<td>Enterprise Cloud Resources</td>
<td>**With proxy:** contoso.sharepoint.com,proxy.contoso.com|<br>contoso.visualstudio.com,proxy.contoso.com<p>**Without proxy:** contoso.sharepoint.com|contoso.visualstudio.com</td>
<td>Specify the cloud resources to be treated as corporate and protected by WIP.<p>For each cloud resource, you may also optionally specify an internal proxy server that routes your traffic through your Enterprise Internal Proxy Server.<p>If you have multiple resources, you must separate them using the "|" delimiter. If you dont use proxy servers, you must also include the "," delimiter just before the "|". For example: `URL <,proxy>|URL <,proxy>`.<p>If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the `/*AppCompat*/` string to this setting. For example: `URL <,proxy>|URL <,proxy>|/*AppCompat*/`</td>
<td><strong>With proxy:</strong> contoso.sharepoint.com,contoso.internalproxy1.com|<br>contoso.visualstudio.com,contoso.internalproxy2.com<p><strong>Without proxy:</strong> contoso.sharepoint.com|contoso.visualstudio.com</td>
<td>Specify the cloud resources to be treated as corporate and protected by WIP.<p>For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.<p>If you have multiple resources, you must separate them using the "|" delimiter. If you dont use proxy servers, you must also include the "," delimiter just before the "|". For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;</code>.<p>If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the <code>/*AppCompat*/</code> string to this setting. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;|/*AppCompat*/</code></td>
</tr>
<tr>
<td>Enterprise Network Domain Names (Required)</td>
@ -401,8 +401,13 @@ There are no default locations included with WIP, you must add each of your netw
</tr>
<tr>
<td>Enterprise Proxy Servers</td>
<<<<<<< HEAD
<td>proxy.contoso.com:80;proxy2.contoso.com:137</td>
<td>Specify your externally-facing proxy server addresses, along with the port through which traffic accesses the Internet.<p>This list must not include any servers listed in the Enterprise Internal Proxy Servers list, because theyre used for WIP-protected traffic.<p>TThis setting is also required if theres a chance you could end up behind a proxy server on another network. In this situation, if you don't have a proxy server pre-defined, you might find that enterprise resources are unavailable to your client device, such as when youre visiting another company and not on the guest network. To make sure this doesnt happen, the client device also needs to be able to reach the pre-defined proxy server through the VPN network.<p>If you have multiple resources, you must separate them using the ";" delimiter.</td>
=======
<td>proxy.contoso.com:80;proxy2.contoso.com:443</td>
<td>Specify your externally-facing proxy server addresses, along with the port through which traffic is allowed and protected with WIP.<p>This list shouldnt include any servers listed in the Enterprise Internal Proxy Servers list, which are used for WIP-protected traffic.<p>This setting is also required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when youre visiting another company and not on that companys guest network.<p>If you have multiple resources, you must separate them using the ";" delimiter.</td>
>>>>>>> refs/remotes/origin/master
</tr>
<tr>
<td>Enterprise Internal Proxy Servers</td>
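Review bot: The Enterprise Proxy Servers row now contains unresolved merge conflict markers ("<<<<<<< HEAD", "=======", ">>>>>>> refs/remotes/origin/master") together with both versions of its two cells, so the published table will show the markers as text and duplicate cells. Resolve the conflict before this lands. Neither side is right as it stands: the HEAD side has the updated description but starts a paragraph with "TThis" and keeps proxy2.contoso.com:137, while the other side has port 443 with the older "allowed and protected with WIP" description. The earlier hunk for the same row in this commit ends up with the updated description and proxy2.contoso.com:443, which is the combination to keep here too.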

View File

@ -30,7 +30,9 @@ Credential Guard isolates secrets that previous versions of Windows stored in th
For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment.
Credential Guard also does not allow unconstrained Kerberos delegation, NTLMv1, MS-CHAPv2, Digest, CredSSP, and Kerberos DES encryption.
Credential Guard prevents NTLMv1, MS-CHAPv2, Digest, and CredSSP from using sign-on credentials. Thus, single sign-on does not work with these protocols. However, Credential guard allows these protocols to be used with prompted credentials or those saved in Credential Manager. It is strongly recommended that valuable credentials, such as the sign-on credentials, not be used with any of these protocols. If these protocols must be used by domain users, secondary credentials should be provisioned for these use cases.
Credential Guard does not allow unconstrained Kerberos delegation or Kerberos DES encryption at all. Neither sign-on nor prompted/saved credentials may be used.
Here's a high-level overview on how the LSA is isolated by using virtualization-based security:
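Review bot: The two replacement paragraphs split what was one list of disallowed protocols into two different behaviours (NTLMv1, MS-CHAPv2, Digest, and CredSSP blocked for sign-on credentials only; unconstrained Kerberos delegation and Kerberos DES blocked entirely), and that distinction is easy to misread in running prose. A short two-row list or table keyed on "sign-on credentials" versus "prompted or saved credentials" would make it explicit. The advice that "secondary credentials should be provisioned" would be more actionable with a link to how to do that. The first new paragraph also writes "Credential guard" once, against "Credential Guard" elsewhere in the hunk.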
@ -38,89 +40,64 @@ Here's a high-level overview on how the LSA is isolated by using virtualization-
## Hardware and software requirements
The PC must meet the following hardware and software requirements to use Credential Guard:
To deploy Credential Guard, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements. Beyond that, computers can meet additional hardware and firmware requirements, and receive additional protection—those computers will be more hardened against certain threats.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Requirement</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Windows 10 Enterprise</p></td>
<td align="left"><p>The PC must be running Windows 10 Enterprise.</p></td>
</tr>
<tr class="even">
<td align="left"><p>UEFI firmware version 2.3.1 or higher and Secure Boot</p></td>
<td align="left"><p>To verify that the firmware is using UEFI version 2.3.1 or higher and Secure Boot, you can validate it against the [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](http://msdn.microsoft.com/library/windows/hardware/dn932807.aspx#system-fundamentals-firmware-cs-uefisecureboot-connectedstandby) Windows Hardware Compatibility Program requirement.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Virtualization extensions</p></td>
<td align="left"><p>The following virtualization extensions are required to support virtualization-based security:</p>
<ul>
<li>Intel VT-x or AMD-V</li>
<li>Second Level Address Translation</li>
</ul></td>
</tr>
<tr class="even">
<td align="left"><p>x64 architecture</p></td>
<td align="left"><p>The features that virtualization-based security uses in the Windows hypervisor can only run on a 64-bit PC.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>A VT-d or AMD-Vi IOMMU (Input/output memory management unit)</p></td>
<td align="left"><p>In Windows 10, an IOMMU enhances system resiliency against memory attacks. ¹</p></td>
</tr>
<tr class="even">
<td align="left"><p>Trusted Platform Module (TPM) version 1.2 or 2.0</p></td>
<td align="left"><p>TPM 1.2 and 2.0 provides protection for encryption keys used by virtualization-based security to protect Credential Guard secrets where all other keys are stored. See the following table to determine which TPM versions are supported on your OS.</p>
<table>
<th>OS version</th>
<th>Required TPM</th>
<tr>
<td>Windows 10 version 1507</td>
<td>TPM 2.0</td>
</tr>
<tr>
<td>Windows 10 version 1511, Windows Server 2016, or later</td>
<td>TPM 2.0 or TPM 1.2</td>
</tr>
</table>
<div class="alert">
<strong>Note</strong>  If you don't have a TPM installed, Credential Guard will still be enabled, but the virtualization-based security keys used to protect Credential Guard secrets will not bound to the TPM. Instead, the keys will be protected in a UEFI Boot Service variable.
</div>
</td>
</tr>
<tr class="odd">
<td align="left"><p>Secure firmware update process</p></td>
<td align="left"><p>To verify that the firmware complies with the secure firmware update process, you can validate it against the [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot) Windows Hardware Compatibility Program requirement.</p><p>Credential Guard relies on the security of the underlying hardware and firmware. It is critical to keep the firmware updated with the latest security fixes.</p></td>
</tr>
<tr class="even">
<td align="left"><p>The firmware is updated for [Secure MOR implementation](http://msdn.microsoft.com/library/windows/hardware/mt270973.aspx)</p></td>
<td align="left"><p>Credential Guard requires the secure MOR bit to help prevent certain memory attacks.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Physical PC</p></td>
<td align="left"><p>For PCs running Windows 10, version 1511 and Windows 10, version 1507, you cannot run Credential Guard on a virtual machine.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Virtual machine</p></td>
<td align="left"><p>For PCs running Windows 10, version 1607 or Windows Server 2016, you can run Credential Guard on a Generation 2 virtual machine.</p></td>
</tr>
</tr>
<tr class="even">
<td align="left"><p>Hypervisor</p></td>
<td align="left"><p>You must use the Windows hypervisor.</p></td>
</tr>
</tbody>
</table>
 
¹ If you choose the **Secure Boot and DMA protection** option in the Group Policy setting, an IOMMU is required. The **Secure Boot** Group Policy option enables Credential Guard on devices without an IOMMU.
You can deploy Credential Guard in phases, and plan these phases in relation to the computer purchases you plan for your next hardware refresh.
The following tables provide more information about the hardware, firmware, and software required for deployment of Credential Guard. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017.
> [!NOTE]
> For new computers running Windows 10, Trusted Platform Module (TPM 2.0) must be enabled by default. This requirement is not restated in the tables that follow.<br>
> If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514(v=vs.85).aspx).
## Credential Guard requirements for baseline protections
|Baseline Protections - requirement | Description |
|---------------------------------------------|----------------------------------------------------|
| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. |
| Hardware: **CPU virtualization extensions**,<br>plus **extended page tables** | **Requirements**: These hardware features are required for VBS:<br>One of the following virtualization extensions:<br>- VT-x (Intel) or<br>- AMD-V<br>And:<br>- Extended page tables, also called Second Level Address Translation (SLAT).<br><br>**Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. |
| Hardware: **IOMMU** (input/output memory management unit) | **Requirement**: VT-D or AMD Vi IOMMU<br><br>**Security benefits**: An IOMMU can enhance system resiliency against memory attacks. For more information, see [ACPI description tables](https://msdn.microsoft.com/windows/hardware/drivers/bringup/acpi-system-description-tables). |
| Hardware: **Trusted Platform Module (TPM)** | **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.<br><br>**Security benefits**: A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. |
| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)<br><br>**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).<br><br>**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
| Firmware: **Secure MOR implementation** | **Requirement**: Secure MOR implementation<br><br>**Security benefits**: A secure MOR bit prevents advanced memory attacks. For more information, see [Secure MOR implementation](https://msdn.microsoft.com/windows/hardware/drivers/bringup/device-guard-requirements). |
| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT<br><br>**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. |
> [!IMPORTANT]
> The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Credential Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Credential Guard can provide.
## Credential Guard requirements for improved security
The following tables describes additional hardware and firmware requirements, and the improved security that is available when those requirements are met.
### 2015 Additional Qualification Requirements for Credential Guard (starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4)
| Protections for Improved Security - requirement | Description |
|---------------------------------------------|----------------------------------------------------|
| Firmware: **Securing Boot Configuration and Management** | **Requirements**:<br>- BIOS password or stronger authentication must be supported.<br>- In the BIOS configuration, BIOS authentication must be set.<br>- There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.<br>- In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.<br><br>**Security benefits**:<br>- BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.<br>- Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
<br>
### 2016 Additional Qualification Requirements for Credential Guard (starting with Windows 10, version 1607, and Windows Server 2016)
> [!IMPORTANT]
> The following tables list requirements for improved security, beyond the level of protection described in the preceding tables. You can use Credential Guard with hardware, firmware, and software that do not support the following protections for improved security. As your systems meet more requirements, more protections become available to them.
| Protections for Improved Security - requirement | Description |
|---------------------------------------------|----------------------------------------------------|
| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:<br>Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)<br>- The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).<br><br>**Security benefits**:<br>- Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.<br>- HSTI provides additional security assurance for correctly secured silicon and platform. |
| Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.<br><br>**Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. |
| Firmware: **Securing Boot Configuration and Management** | **Requirements**:<br>- Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.<br>- Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.<br><br>**Security benefits**:<br>- Enterprises can choose to allow proprietary EFI drivers/applications to run.<br>- Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
<br>
### 2017 Additional Qualification Requirements for Credential Guard (announced as options for future Windows operating systems for 2017)
| Protections for Improved Security - requirement | Description |
|---------------------------------------------|----------------------------------------------------|
| Firmware: **UEFI NX Protections** | **Requirements**:<br>- All UEFI memory that is marked executable must be read only. Memory marked writable must not be executable.<br><br>UEFI Runtime Services:<br>- Must implement the UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. The entire UEFI runtime must be described by this table.<br>- All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both.<br>- No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory MUST be either readable and executable OR writeable and non-executable.<br><br>**Security benefits**:<br>- Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.<br>- Reduces attack surface to VBS from system firmware. |
| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.<br><br>**Security benefits**:<br>- Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.<br>- Reduces attack surface to VBS from system firmware.<br>- Blocks additional security attacks against SMM. |
## Manage Credential Guard
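Review bot: In the "Firmware support for SMM protection" row of the 2017 table, the Requirements cell describes what the WSMT specification contains but never states what the firmware must do, and its first two Security benefits bullets are word-for-word the same as those in the UEFI NX Protections row above it. State the requirement as a requirement and keep only the SMM-specific benefit, or explain why the UEFI runtime benefits also apply here. Smaller points in the same region: "The following tables describes" should be "The following tables describe"; "Windows 2016 Server" in the baseline table should be "Windows Server 2016"; the UEFI NX row spells the same word "writable" and then "writeable"; and the two System.Fundamentals.Firmware.UEFISecureBoot links use http:// where the other MSDN links in these tables use https://.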

View File

@ -26,3 +26,4 @@ This section includes info about the enlightened Microsoft apps, including how t
|[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |A list of all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise. |
|[Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list. |
|[Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md) |We've come up with a list of suggested testing scenarios that you can use to test WIP in your company. |
|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |The most common problems you might encounter while using Windows Information Protection (WIP). |

View File

@ -0,0 +1,77 @@
---
title: Limitations while using Windows Information Protection (WIP) (Windows 10)
description: This section includes info about the common problems you might encounter while using Windows Information Protection (WIP).
keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
localizationpriority: high
---
# Limitations while using Windows Information Protection (WIP)
**Applies to:**
- Windows 10, version 1607
- Windows 10 Mobile
This table provides info about the most common problems you might encounter while running WIP in your organization.
<table>
<tr>
<th>Limitation</th>
<th>How it appears</th>
<th>Workaround</th>
</tr>
<tr>
<td>Enterprise data on USB drives is tied to the device it was protected on.</td>
<td>Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text.</td>
<td>Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.<p>We strongly recommend educating employees about how to limit or eliminate the need for this decryption.</td>
</tr>
<tr>
<td>Direct Access is incompatible with WIP.</td>
<td>Direct Access might experience problems with how WIP enforces app behavior and data movement because of how WIP determines what is and isnt a corporate network resource.</td>
<td>We recommend that you use VPN for client access to your intranet resources.<p><strong>Note</strong><br>VPN is optional and isnt required by WIP.</td>
</tr>
<tr>
<td><strong>NetworkIsolation</strong> Group Policy setting is incompatible with WIP.</td>
<td>The <strong>NetworkIsolation</strong> Group Policy setting has incompatible network settings that can conflict and cause problems with WIP.</td>
<td>We recommend that you dont use the NetworkIsolation Group Policy setting.</td>
</tr>
<tr>
<td>Cortana can potentially allow data leakage if its on the allowed apps list.</td>
<td>If Cortana is on the allowed list, some files might become unexpectedly encrypted after an employee performs a search using Cortana. Your employees will still be able to use Cortana to search and provide results on enterprise documents and locations, but results might be sent to Microsoft.</td>
<td>We dont recommend adding Cortana to your allowed apps list. However, if you wish to use Cortana and don't mind whether the results potentially go to Microsoft, you can make Cortana an Exempt app.</td>
</tr>
<tr>
<td>WIP is designed for use by a single user per device.</td>
<td>A secondary user on a device might experience app compat issues when unenlightened apps start to automatically encrypt for all users. Additionally, only the initial, enrolled users content can be revoked during the unenrollment process.</td>
<td>We recommend only having one user per managed device.</td>
</tr>
<tr>
<td>Installers copied from an enterprise network file share might not work properly.</td>
<td>An app might fail to properly install because it cant read a necessary configuration or data file, such as a .cab or .xml file needed for installation, which was protected by the copy action.</td>
<td>To fix this, you can:
<ul>
<li>Start the installer directly from the file share.<p>-OR-</li>
<li>Decrypt the locally copied files needed by the installer.<p>-OR-</li>
<li>Mark the file share with the installation media as “personal”. To do this, youll need to set the Enterprise IP ranges as <strong>Authoritative</strong> and then exclude the IP address of the file server, or youll need to put the file server on the Enterprise Proxy Server list.</li>
</ul></td>
</tr>
<tr>
<td>Changing your primary Corporate Identity isnt supported.</td>
<td>You might experience various instabilities, including but not limited to network and file access failures, and potentially granting incorrect access.</td>
<td>Turn off WIP for all devices before changing the primary Corporate Identity (first entry in the list), restarting, and finally redeploying.</td>
</tr>
<tr>
<td>Redirected folders with Client Side Caching are not compatible with WIP.</td>
<td>Apps might encounter access errors while attempting to read a cached, offline file.</td>
<td>Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.</td>
</tr>
<tr>
<td>You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer.</td>
<td>A message appears stating that the content is marked as **Work** and the user isn't given an option to override to **Personal**.</td>
<td>Open File Explorer and change the file ownership to **Personal** before you upload.</td>
</tr>
</table>
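Review bot: The last table row uses Markdown emphasis (**Work**, **Personal**) inside <td> cells, which most Markdown renderers do not process inside a raw HTML block; use <strong> as the NetworkIsolation row already does. Several contractions and possessives in the table have lost their apostrophes ("isnt", "dont", "its", "cant", "youll", "enrolled users content"), which looks like a smart-quote encoding problem, so re-save the file with straight apostrophes. In the Cortana row, the workaround suggests making Cortana an Exempt app without saying what exemption means for WIP enforcement; since the limitation is about data leakage, summarize or link to the exempt-app behavior in that cell.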

View File

@ -48,7 +48,7 @@ To help address this security insufficiency, companys developed data loss pre
Unfortunately, data loss prevention systems have their own problems. For example, the more detailed the rule set, the more false positives are created, leading employees to believe that the rules slow down their work and need to be bypassed in order to remain productive, potentially leading to data being incorrectly blocked or improperly released. Another major problem is that data loss prevention systems must be widely implemented to be effective. For example, if your company uses a data loss prevention system for email, but not for file shares or document storage, you might find that your data leaks through the unprotected channels. But perhaps the biggest problem with data loss preventions systems is that it provides a jarring experience that interrupts the employees natural workflow by blocking some operations (such as sending a message with an attachment that the system tags as sensitive) while allowing others, often according to subtle rules that the employee doesnt see and cant understand.
### Using information rights management systems
To help address the potential data loss prevention system problems, companys developed information rights management (also known as IRM) systems. Information rights management systems embed protection directly into documents, so that when an employee creates a document, he or she determines what kind of protection to apply. For example, an employee can choose to stop the document from being forwarded, printed, shared outside of the organization, and so on.
To help address the potential data loss prevention system problems, companies developed information rights management (also known as IRM) systems. Information rights management systems embed protection directly into documents, so that when an employee creates a document, he or she determines what kind of protection to apply. For example, an employee can choose to stop the document from being forwarded, printed, shared outside of the organization, and so on.
After the type of protection is set, the creating app encrypts the document so that only authorized people can open it, and even then, only in compatible apps. After an employee opens the document, the app becomes responsible for enforcing the specified protections. Because protection travels with the document, if an authorized person sends it to an unauthorized person, the unauthorized person wont be able to read or change it. However, for this to work effectively information rights management systems require you to deploy and set up both a server and client environment. And, because only compatible clients can work with protected documents, an employees work might be unexpectedly interrupted if he or she attempts to use a non-compatible app.
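Review bot: The "companys" to "companies" fix covers only the information rights management paragraph; the hunk header shows the same misspelling in the preceding section ("companys developed data loss pre"), and that line is not part of this change. Fix both in the same commit. The surrounding context lines also have dropped apostrophes ("employees natural workflow", "doesnt", "cant", "wont") and the agreement error "data loss preventions systems is that it provides", which are worth cleaning up while this topic is open.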

View File

@ -35,7 +35,6 @@ The Remote Desktop client and server must meet the following requirements in ord
- They must be running at least Windows 10, version 1607 or Windows Server 2016.
- The Remote Desktop classic Windows app is required. The Remote Desktop Universal Windows Platform app doesn't support Remote Credential Guard.
## Enable Remote Credential Guard
You must enable Remote Credential Guard on the target device by using the registry.
@ -60,12 +59,13 @@ You can use Remote Credential Guard on the client device by setting a Group Poli
1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Credentials Delegation**.
2. Double-click **Restrict delegation of credentials to remote servers**.
3. In the **Use the following restricted mode** box:
- If you want to require either [Restricted Admin mode](http://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) or Remote Credential Guard, choose **Require Remote Credential Guard**. In this configuration, Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Remote Credential Guard cannot be used.
3. Under **Use the following restricted mode**:
- If you want to require either [Restricted Admin mode](http://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) or Remote Credential Guard, choose **Prefer Remote Credential Guard**. In this configuration, Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Remote Credential Guard cannot be used.
> **Note:** Neither Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server.
- If you want to allow Remote Credential Guard, choose **Prefer Remote Credential Guard**.
- If you want to require Remote Credential Guard, choose **Require Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [Hardware and software requirements](#hardware-and-software-requirements) listed earlier in this topic.
4. Click **OK**.
![Remote Credential Guard Group Policy](images/remote-credential-guard-gp.png)
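Review bot: In step 3, the first bullet now reads "If you want to require either Restricted Admin mode or Remote Credential Guard, choose **Prefer Remote Credential Guard**", which puts "require" next to an option named "Prefer" just before the bullet for the option actually named "Require Remote Credential Guard". Reword the first bullet around the fallback behavior its second sentence describes, so the two options cannot be confused when an admin is choosing how strictly to restrict credential delegation. If the "If you want to allow Remote Credential Guard, choose **Prefer Remote Credential Guard**" bullet is still present after this change, it describes the same option as the first bullet and should be merged into it. Please also confirm that both labels match the screenshot in images/remote-credential-guard-gp.png.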

View File

@ -74,6 +74,8 @@ Event ID | Error Type | Resolution steps
## Troubleshoot onboarding issues using Microsoft Intune
You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue.
If you have configured policies in Intune and they are not propagated on endpoints, you might need to configure automatic MDM enrollment. For more information, see the [Configure automatic MDM enrollment](https://go.microsoft.com/fwlink/?linkid=829597) section.
Use the following tables to understand the possible causes of issues while onboarding:
- Microsoft Intune error codes and OMA-URIs table
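Review bot: The added sentence links to a go.microsoft.com fwlink but calls the target "the Configure automatic MDM enrollment section", which reads as a section of this topic; name the document the link goes to. "not propagated on endpoints" should be "not propagated to endpoints".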
@ -114,7 +116,7 @@ Channel name: Admin
ID | Severity | Event description | Troubleshooting steps
:---|:---|:---|:---
1819 | Error | Windows Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Windows Defender ELAM driver needs to be enabled see, [Ensure the Windows Defender ELAM driver is enabled](#ensure-the-windows-defender-elam-driver-is-enabled) for instructions.
1819 | Error | Windows Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Download the [Cumulative Update for Windows 10, 1607](https://go.microsoft.com/fwlink/?linkid=829760).
## Troubleshoot onboarding issues on the endpoint
If the deployment tools used does not indicate an error in the onboarding process, but endpoints are still not appearing in the machines view an hour, go through the following verification topics to check if an error occurred with the Windows Defender ATP agent:
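Review bot: The new resolution for event 1819 says only "Download the Cumulative Update for Windows 10, 1607" behind a go.microsoft.com fwlink. Say "Download and install", and name the update (KB number or minimum OS build) so an admin can check whether an endpoint already has it. The previous text pointed to "Ensure the Windows Defender ELAM driver is enabled"; if that check can still be the cause of this event, keep it as a second step, and if not, say so in the commit message.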

View File

@ -20,6 +20,7 @@ localizationpriority: high
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
>For more info about Windows 10 Enterprise Edition features and functionality, see [Windows 10 Enterprise edition](https://www.microsoft.com/WindowsForBusiness/buy).
Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service that enables enterprise customers to detect, investigate, and respond to advanced threats on their networks.

View File

@ -1,6 +1,22 @@
# [Manage and update Windows 10](index.md)
## [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md)
## [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md)
## [Update Windows 10 in the enterprise](waas-update-windows-10.md)
### [Overview of Windows as a service](waas-overview.md)
### [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
### [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
### [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
### [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
#### [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
#### [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
### [Manage updates for Windows 10 Mobile Enterprise](waas-mobile-updates.md)
### [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
#### [Configure Windows Update for Business](waas-configure-wufb.md)
#### [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
#### [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
#### [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
### [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
### [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
## [Manage corporate devices](manage-corporate-devices.md)
### [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md)
### [Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md)
@ -35,7 +51,6 @@
### [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)
## [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md)
## [Configure devices without MDM](configure-devices-without-mdm.md)
## [Windows 10 servicing options](introduction-to-windows-10-servicing.md)
## [Application Virtualization (App-V) for Windows](appv-for-windows.md)
### [Getting Started with App-V](appv-getting-started.md)
#### [What's new in App-V](appv-about-appv.md)
@ -71,6 +86,7 @@
##### [About App-V Reporting](appv-reporting.md)
##### [How to install the Reporting Server on a Standalone Computer and Connect it to the Database](appv-install-the-reporting-server-on-a-standalone-computer.md)
#### [App-V Deployment Checklist](appv-deployment-checklist.md)
#### [Deploying Microsoft Office 2016 by Using App-V](appv-deploying-microsoft-office-2016-with-appv.md)
#### [Deploying Microsoft Office 2013 by Using App-V](appv-deploying-microsoft-office-2013-with-appv.md)
#### [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md)
### [Operations for App-V](appv-operations.md)

View File

@ -13,9 +13,9 @@ localizationpriority: high
As an admin, you can acquire apps from the Windows Store for Business for your employees. Some apps are free, and some have a price. For info on app types that are supported, see [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md).
## App licensing model
The Business store supports two options to license apps: online and offline. **Online** licensing is the default licensing model and is similar to the Windows Store. Online licensed apps require users and devices to connect to the Store for Business service to acquire an app and its license. **Offline** licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center.
The Business store supports two options to license apps: online and offline. **Online** licensing is the default licensing model and is similar to the Windows Store. Online licensed apps require users and devices to connect to the Store for Business service to acquire an app and its license. **Offline** licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. Admins control whether or not offline apps are available in Store for Business with an offline app visibility setting. For more information, see [offline license visibility](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings#offline-licensing).
For more information, see [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md).
For more information on the Store for Business licensing model, see [licensing model](https://technet.microsoft.com/itpro/windows/manage/apps-in-windows-store-for-business#licensing-model).
## Payment options
Some apps are free, and some have a price. Apps can be purchased in the Windows Store for Business using your credit card. You can enter your credit card information on **Account Information**, or when you purchase an app. Currently, we accept these credit cards:
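Review bot: Both added links use absolute technet.microsoft.com URLs, while the sentence being replaced and the paragraph above link to the same content set with relative links such as apps-in-windows-store-for-business.md. Use relative .md links with the anchor so the references keep working if the published path changes. "For more information on the Store for Business licensing model, see [licensing model]" repeats itself; a descriptive link text is enough.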

View File

@ -80,7 +80,7 @@ Distribution options for online-licensed apps include the ability to:
- Distribute through a management tool.
**Offline** licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Store for Business. This model means organizations can deploy apps when users or devices do not have connectivity to the Store.
**Offline** licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Store for Business. This model means organizations can deploy apps when users or devices do not have connectivity to the Store. Admins control whether or not offline apps are available in Store for Business with an offline app visibility setting. For more information, see [offline license visibility](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings#offline-licensing).
You have the following distribution options for offline-licensed apps:

View File

@ -30,6 +30,12 @@ App-V supports a number of different deployment options. Review this topic for i
This section provides a deployment checklist that can be used to assist with installing App-V.
- [Deploying Microsoft Office 2016 by Using App-V](appv-deploying-microsoft-office-2016-with-appv.md)<br>
[Deploying Microsoft Office 2013 by Using App-V](appv-deploying-microsoft-office-2013-with-appv.md)<br>
[Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md)
These sections describe how to use App-V to deliver Microsoft Office as a virtualized application to computers in your organization.
## Other Resources for Deploying App-V

View File

@ -14,7 +14,7 @@ ms.prod: w10
**Applies to**
- Windows 10, version 1607
Use the information in this article to use Microsoft Application Virtualization (App-V), or later versions, to deliver Microsoft Office 2013 as a virtualized application to computers in your organization. For information about using App-V to deliver Office 2010, see [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md). To successfully deploy Office 2013 with App-V, you need to be familiar with Office 2013 and App-V.
Use the information in this article to use Application Virtualization (App-V) to deliver Microsoft Office 2013 as a virtualized application to computers in your organization. For information about using App-V to deliver Office 2010, see [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md). To successfully deploy Office 2013 with App-V, you need to be familiar with Office 2013 and App-V.
This topic contains the following sections:
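Review bot: The rewritten intro still cross-references only the Office 2010 topic. The Office 2016 topic added in this commit links to both the 2013 and 2010 topics, so add the matching "For information about using App-V to deliver Office 2016, see ..." sentence here. "Use the information in this article to use Application Virtualization" repeats "use"; consider "This article describes how to use Application Virtualization (App-V) to deliver ...".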

View File

@ -0,0 +1,444 @@
---
title: Deploying Microsoft Office 2016 by Using App-V (Windows 10)
description: Deploying Microsoft Office 2016 by Using App-V
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
---
# Deploying Microsoft Office 2016 by Using App-V
**Applies to**
- Windows 10, version 1607
Use the information in this article to use Application Virtualization (App-V) to deliver Microsoft Office 2016 as a virtualized application to computers in your organization. For information about using App-V to deliver Office 2013, see [Deploying Microsoft Office 2013 by Using App-V](appv-deploying-microsoft-office-2013-with-appv.md). For information about using App-V to deliver Office 2010, see [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md).
This topic contains the following sections:
- [What to know before you start](#what-to-know-before-you-start)
- [Creating an Office 2016 package for App-V with the Office Deployment Tool](#creating-an-office-2016-package-for-app-v-with-the-office-deployment-tool) 
- [Publishing the Office package for App-V](#publishing-the-office-package-for-app-v) 
- [Customizing and managing Office App-V packages](#customizing-and-managing-office-app-v-packages) 
## What to know before you start
Before you deploy Office 2016 by using App-V, review the following planning information.
### Supported Office versions and Office coexistence
Use the following table to get information about supported versions of Office and about running coexisting versions of Office.
| **Information to review** | **Description** |
|-------------------------------------|------------------------|
| [Supported versions of Microsoft Office](appv-planning-for-using-appv-with-office.md#bkmk-office-vers-supp-appv) | - Supported versions of Office<br>- Supported deployment types (for example, desktop, personal Virtual Desktop Infrastructure (VDI), pooled VDI)<br>- Office licensing options |
| [Planning for using App-V with coexisting versions of Office](appv-planning-for-using-appv-with-office.md#bkmk-plan-coexisting) | Considerations for installing different versions of Office on the same computer |
### Packaging, publishing, and deployment requirements
Before you deploy Office by using App-V, review the following requirements.
 
| **Task** | **Requirement** |
|-----------|-------------------|
| Packaging | - All of the Office applications that you want to deploy to users must be in a single package.<br>- In App-V 5.0 and later, you must use the Office Deployment Tool to create packages. You cannot use the Sequencer.<br>- If you are deploying Microsoft Visio 2016 and Microsoft Project 2016 along with Office, you must include them in the same package with Office. For more information, see [Deploying Visio 2016 and Project 2016 with Office](#deploying-visio-2016-and-project-2016-with-office). |
| Publishing | - You can publish only one Office package to each client computer.<br>- You must publish the Office package globally. You cannot publish to the user. |
| Deploying any of the following products to a shared computer, for example, by using Remote Desktop Services:<br>- Office 365 ProPlus<br>- Visio Pro for Office 365<br>- Project Pro for Office 365 | You must enable [shared computer activation](https://technet.microsoft.com/library/dn782860.aspx). |
### Excluding Office applications from a package
The following table describes the recommended methods for excluding specific Office applications from a package.
| **Task** | **Details** |
|-------------|---------------|
| Use the **ExcludeApp** setting when you create the package by using the Office Deployment Tool. | Enables you to exclude specific Office applications from the package when the Office Deployment Tool creates the package. For example, you can use this setting to create a package that contains only Microsoft Word.<br><br>For more information, see [ExcludeApp element](https://technet.microsoft.com/library/jj219426.aspx#BKMK_ExcludeAppElement). |
| Modify the DeploymentConfig.xml file | Modify the DeploymentConfig.xml file after the package has been created. This file contains the default package settings for all users on a computer that is running the App-V Client.<br>For more information, see [Disabling Office 2016 applications](#disabling-office-2016-applications). |
## Creating an Office 2016 package for App-V with the Office Deployment Tool
Complete the following steps to create an Office 2016 package for App-V.
>**Important**&nbsp;&nbsp;In App-V 5.0 and later, you must use the Office Deployment Tool to create a package. You cannot use the Sequencer to create packages.
### Review prerequisites for using the Office Deployment Tool
The computer on which you are installing the Office Deployment Tool must have:
 
| **Prerequisite** | **Description** |
|----------------------|--------------------|
| Prerequisite software | .Net Framework 4 |
| Supported operating systems | - 64-bit version of Windows 10<br>- 64-bit version of Windows 8 or 8.1<br>- 64-bit version of Windows 7 |
>**Note**&nbsp;&nbsp;In this topic, the term “Office 2016 App-V package” refers to subscription licensing.
### Create Office 2016 App-V Packages Using Office Deployment Tool
You create Office 2016 App-V packages by using the Office Deployment Tool. The following instructions explain how to create an Office 2016 App-V package with Subscription Licensing.
Create Office 2016 App-V packages on 64-bit Windows computers. Once created, the Office 2016 App-V package will run on 32-bit and 64-bit Windows 7, Windows 8.1, and Windows 10 computers.
### Download the Office Deployment Tool
Office 2016 App-V Packages are created using the Office Deployment Tool, which generates an Office 2016 App-V Package. The package cannot be created or modified through the App-V sequencer. To begin package creation:
1. Download the [Office 2016 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117).
> **Important**&nbsp;&nbsp;You must use the Office 2016 Deployment Tool to create Office 2016 App-V Packages.
2. Run the .exe file and extract its features into the desired location. To make this process easier, you can create a shared network folder where the features will be saved.
Example: \\\\Server\\Office2016
3. Check that a setup.exe and a configuration.xml file exist and are in the location you specified.
### Download Office 2016 applications
After you download the Office Deployment Tool, you can use it to get the latest Office 2016 applications. After getting the Office applications, you create the Office 2016 App-V package.
The XML file that is included in the Office Deployment Tool specifies the product details, such as the languages and Office applications included.
**Step 1: Customize the sample XML configuration file:** Use the sample XML configuration file that you downloaded with the Office Deployment Tool to customize the Office applications:
1. Open the sample XML file in Notepad or your favorite text editor.
2. With the sample configuration.xml file open and ready for editing, you can specify products, languages, and the path to which you save the Office 2016 applications. The following is a basic example of the configuration.xml file:
```
<Configuration>
<Add SourcePath= \\Server\Office2016” OfficeClientEdition="32" >
<Product ID="O365ProPlusRetail ">
<Language ID="en-us" />
</Product>
<Product ID="VisioProRetail">
<Language ID="en-us" />
</Product>
</Add>
</Configuration>
```
>**Note**&nbsp;&nbsp;The configuration XML is a sample XML file. The file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file. To “uncomment” these lines, remove the “&lt;! - -“ from the beginning of the line, and the “-- &gt;” from the end of the line.
The above XML configuration file specifies that Office 2016 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office2016, which is the location where Office applications will be saved. Note that the Product ID of the applications will not affect the final licensing of Office. Office 2016 App-V packages with various licensing can be created from the same applications through specifying licensing in a later stage. The table below summarizes the customizable attributes and elements of XML file:
| **Input** | **Description** | **Example** |
|--------------|----------------------------|----------------|
| Add element | Specifies the products and languages to include in the package. | N/A |
| OfficeClientEdition (attribute of Add element) | Specifies the edition of Office 2016 product to use: 32-bit or 64-bit. The operation fails if **OfficeClientEdition** is not set to a valid value. | **OfficeClientEdition**="32"<br>**OfficeClientEdition**="64" |
| Product element | Specifies the application. Project 2016 and Visio 2016 must be specified here as an added product to be included in the applications.<br>For more information about the product IDs, see [Product IDs that are supported by the Office Deployment Tool for Click-to-Run](https://support.microsoft.com/kb/2842297). | `Product ID ="O365ProPlusRetail"`<br>`Product ID ="VisioProRetail"`<br>`Product ID ="ProjectProRetail"` |
| Language element | Specifies the language supported in the applications | `Language ID="en-us"` |
| Version (attribute of Add element) | Optional. Specifies a build to use for the package<br>Defaults to latest advertised build (as defined in v32.CAB at the Office source). | `16.1.2.3` |
| SourcePath (attribute of Add element) | Specifies the location in which the applications will be saved to. | `Sourcepath = "\\Server\Office2016"` |
| Channel (part of Add element) | Optional. Defines which channel to use for updating Office after it is installed.<br>The default is **Deferred** for Office 365 ProPlus and **Current** for Visio Pro for Office 365 and Project Online Desktop Client. <br>For more information about update channels, see [Overview of update channels for Office 365 ProPlus](https://technet.microsoft.com/library/mt455210.aspx). | `Channel="Current"`<br><br>`Channel="Deferred"`<br><br>`Channel="FirstReleaseDeferred"`<br><br>`Channel="FirstReleaseCurrent"` |
After editing the configuration.xml file to specify the desired product, languages, and also the location which the Office 2016 applications will be saved onto, you can save the configuration file, for example, as Customconfig.xml.
**Step 2: Download the applications into the specified location:** Use an elevated command prompt and a 64 bit operating system to download the Office 2016 applications that will later be converted into an App-V package. Below is an example command with description of details:
`\\server\Office2016\setup.exe /download \\server\Office2016\Customconfig.xml`
In the example:
| Element | Description |
|-------------------------------|--------------------------------------|
| **\\\\server\\Office2016** | is the network share location that contains the Office Deployment Tool and the custom Configuration.xml file, Customconfig.xml. |
| **Setup.exe** | is the Office Deployment Tool. |
| **/download** | downloads the Office 2016 applications that you specify in the customConfig.xml file. |
| **\\\\server\\Office2016\\Customconfig.xml** | passes the XML configuration file required to complete the download process, in this example, customconfig.xml. After using the download command, Office applications should be found in the location specified in the configuration xml file, in this example \\\\Server\\Office2016. |
### Convert the Office applications into an App-V package
After you download the Office 2016 applications through the Office Deployment Tool, use the Office Deployment Tool to convert them into an Office 2016 App-V package. Complete the steps that correspond to your licensing model.
**Summary of what youll need to do:**
- Create the Office 2016 App-V packages on 64-bit Windows computers. However, the package will run on 32-bit and 64-bit Windows 7, Windows 8 or 8.1, and Windows 10 computers.
- Create an Office App-V package for either Subscription Licensing package by using the Office Deployment Tool, and then modify the CustomConfig.xml configuration file.
The following table summarizes the values you need to enter in the CustomConfig.xml file. The steps in the sections that follow the table will specify the exact entries you need to make.
>**Note**&nbsp;&nbsp;You can use the Office Deployment Tool to create App-V packages for Office 365 ProPlus. Creating packages for the volume-licensed versions of Office Professional Plus or Office Standard is not supported.
| **Product ID** | **Subscription Licensing** |
|--------------------------------------------------|-------------------------------------------------------------|
| **Office 2016** | O365ProPlusRetail |
| **Office 2016 with Visio 2016** | O365ProPlusRetail<br>VisioProRetail |
| **Office 2016 with Visio 2016 and Project 2016** | O365ProPlusRetail<br>VisioProRetail<br>ProjectProRetail |
#### How to convert the Office applications into an App-V package
1. In Notepad, reopen the CustomConfig.xml file, and make the following changes to the file:
- **SourcePath**: Point to the Office applications downloaded earlier.
- **ProductID**: Specify the type of licensing, as shown in the following example:
- Subscription Licensing:
```
<Configuration>
<Add SourcePath= "\\server\Office 2016" OfficeClientEdition="32" >
<Product ID="O365ProPlusRetail">
<Language ID="en-us" />
</Product>
<Product ID="VisioProRetail">
<Language ID="en-us" />
</Product>
</Add>
</Configuration>
```
In this example, the following changes were made to create a package with Subscription licensing:
**SourcePath** is the path, which was changed to point to the Office applications that were downloaded earlier.<br>
**Product ID** for Office was changed to `O365ProPlusRetail`.<br>
**Product ID** for Visio was changed to `VisioProRetail`.
- **ExcludeApp** (optional): Lets you specify Office programs that you dont want included in the App-V package that the Office Deployment Tool creates. For example, you can exclude Access.
- **PACKAGEGUID** (optional): By default, all App-V packages created by the Office Deployment Tool share the same App-V Package ID. You can use PACKAGEGUID to specify a different package ID for each package, which allows you to publish multiple App-V packages, created by the Office Deployment Tool, and manage them by using the App-V Server.
An example of when to use this parameter is if you create different packages for different users. For example, you can create a package with just Office 2016 for some users, and create another package with Office 2016 and Visio 2016 for another set of users.
>**Note**&nbsp;&nbsp;Even if you use unique package IDs, you can still deploy only one App-V package to a single device.
2. Use the /packager command to convert the Office applications to an Office 2016 App-V package.
For example:
``` syntax
\\server\Office2016\setup.exe /packager \\server\Office2016\Customconfig.xml \\server\share\Office2016AppV
```
In the example:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>\\server\Office2016</code></p></td>
<td align="left"><p>is the network share location that contains the Office Deployment Tool and the custom Configuration.xml file, Customconfig.xml.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>Setup.exe</code></p></td>
<td align="left"><p>is the Office Deployment Tool.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>/packager</code></p></td>
<td align="left"><p>creates the Office 2016 App-V package with the type of licensing specified in the customConfig.xml file.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>\\server\Office2016\Customconfig.xml</code></p></td>
<td align="left"><p>passes the configuration XML file (in this case customConfig) that has been prepared for the packaging stage.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>\\server\share\Office2016AppV</code></p></td>
<td align="left"><p>specifies the location of the newly created Office App-V package.</p></td>
</tr>
</tbody>
</table>
After you run the **/packager** command, the following folders appear up in the directory where you specified the package should be saved:<br>
- **App-V Packages** contains an Office 2016 App-V package and two deployment configuration files.
- **WorkingDir**
**Note**&nbsp;&nbsp;To troubleshoot any issues, see the log files in the %temp% directory (default).
3. Verify that the Office 2016 App-V package works correctly:
1. Publish the Office 2016 App-V package, which you created globally, to a test computer, and verify that the Office 2016 shortcuts appear.
2. Start a few Office 2016 applications, such as Excel or Word, to ensure that your package is working as expected.
## Publishing the Office package for App-V
Use the following information to publish an Office package.
### Methods for publishing Office App-V packages
Deploy the App-V package for Office 2016 by using the same methods you use for any other package:
- System Center Configuration Manager
- App-V Server
- Stand-alone through Windows PowerShell commands
### Publishing prerequisites and requirements
| **Prerequisite or requirement** | **Details** |
|---------------------------------------|--------------------|
| Enable Windows PowerShell scripting on the App-V clients | To publish Office 2016 packages, you must run a script.<br><br>Package scripts are disabled by default on App-V clients. To enable scripting, run the following Windows PowerShell command:<br>`Set-AppvClientConfiguration -EnablePackageScripts 1` |
| Publish the Office 2016 package globally | Extension points in the Office App-V package require installation at the computer level.<br><br>When you publish at the computer level, no prerequisite actions or redistributables are needed, and the Office 2016 package globally enables its applications to work like natively installed Office, eliminating the need for administrators to customize packages. |
### How to publish an Office package
Run the following command to publish an Office package globally:
- `Add-AppvClientPackage <Path_to_AppV_Package > | Publish-AppvClientPackage -global`
- From the Web Management Console on the App-V Server, you can add permissions to a group of computers instead of to a user group to enable packages to be published globally to the computers in the corresponding group.
## Customizing and managing Office App-V packages
To manage your Office App-V packages, use the same operations as you would for any other package, with a few exceptions as outlined in the following sections.
- [Enabling Office plug-ins by using connection groups](#enabling-office-plug-ins-by-using-connection-groups) 
- [Disabling Office 2016 applications](#disabling-office-2016-applications) 
- [Disabling Office 2016 shortcuts](#disabling-office-2016-shortcuts) 
- [Managing Office 2016 package upgrades](#managing-office-2016-package-upgrades) 
- [Deploying Visio 2016 and Project 2016 with Office](#deploying-visio-2016-and-project-2016-with-office) 
### Enabling Office plug-ins by using connection groups
Use the steps in this section to enable Office plug-ins with your Office package. To use Office plug-ins, you must use the App-V Sequencer to create a separate package that contains just the plug-ins. You cannot use the Office Deployment Tool to create the plug-ins package. You then create a connection group that contains the Office package and the plug-ins package, as described in the following steps.
#### To enable plug-ins for Office App-V packages
1. Add a Connection Group through App-V Server, System Center Configuration Manager, or a Windows PowerShell cmdlet.
2. Sequence your plug-ins using the App-V Sequencer. Ensure that Office 2016 is installed on the computer being used to sequence the plug-in. It is recommended you use Office 365 ProPlus(non-virtual) on the sequencing computer when you sequence Office 2016 plug-ins.
3. Create an App-V package that includes the desired plug-ins.
4. Add a Connection Group through App-V server, System Center Configuration Manager, or a Windows PowerShell cmdlet.
5. Add the Office 2016 App-V package and the plug-ins package you sequenced to the Connection Group you created.
> **Important**&nbsp;&nbsp;The order of the packages in the Connection Group determines the order in which the package contents are merged. In your Connection group descriptor file, add the Office 2016 App-V package first, and then add the plug-in App-V package.
6. Ensure that both packages are published to the target computer and that the plug-in package is published globally to match the global settings of the published Office 2016 App-V package.
7. Verify that the Deployment Configuration File of the plug-in package has the same settings that the Office 2016 App-V package has.
Since the Office 2016 App-V package is integrated with the operating system, the plug-in package settings should match. You can search the Deployment Configuration File for “COM Mode” and ensure that your plug-ins package has that value set as “Integrated” and that both "InProcessEnabled" and "OutOfProcessEnabled" match the settings of the Office 2016 App-V package you published.
8. Open the Deployment Configuration File and set the value for **Objects Enabled** to **false**.
9. If you made any changes to the Deployment Configuration file after sequencing, ensure that the plug-in package is published with the file.
10. Ensure that the Connection Group you created is enabled onto your desired computer. The Connection Group created will likely “pend” if the Office 2016 App-V package is in use when the Connection Group is enabled. If that happens, you have to reboot to successfully enable the Connection Group.
11. After you successfully publish both packages and enable the Connection Group, start the target Office 2016 application and verify that the plug-in you published and added to the connection group works as expected.
### Disabling Office 2016 applications
You may want to disable specific applications in your Office App-V package. For instance, you can disable Access, but leave all other Office application main available. When you disable an application, the end user will no longer see the shortcut for that application. You do not have to re-sequence the application. When you change the Deployment Configuration File after the Office 2016 App-V package has been published, you will save the changes, add the Office 2016 App-V package, and then republish it with the new Deployment Configuration File to apply the new settings to Office 2016 App-V Package applications.
>**Note**&nbsp;&nbsp;To exclude specific Office applications (for example, Access) when you create the App-V package with the Office Deployment Tool, use the **ExcludeApp** setting.
#### To disable an Office 2016 application
1. Open a Deployment Configuration File with a text editor such as **Notepad** and search for “Applications."
2. Search for the Office application you want to disable, for example, Access 2016.
3. Change the value of "Enabled" from "true" to "false."
4. Save the Deployment Configuration File.
5. Add the Office 2016 App-V Package with the new Deployment Configuration File.
``` syntax
<Application Id="[{AppVPackageRoot}]\officel6\lync.exe" Enabled="true">
<VisualElements>
<Name>Lync 2016</Name>
<Icon />
<Description />
</VisualElements>
</Application>
<Application Id="[(AppVPackageRoot}]\office16\MSACCESS.EXE" Enabled="true">
<VisualElements>
<Name>Access 2016</Name>
<Icon />
<Description />
</VisualElements>
</Application>
```
6. Re-add the Office 2016 App-V package, and then republish it with the new Deployment Configuration File to apply the new settings to Office 2016 App-V Package applications.
### Disabling Office 2016 shortcuts
You may want to disable shortcuts for certain Office applications instead of unpublishing or removing the package. The following example shows how to disable shortcuts for Microsoft Access.
#### To disable shortcuts for Office 2016 applications
1. Open a Deployment Configuration File in Notepad and search for “Shortcuts”.
2. To disable certain shortcuts, delete or comment out the specific shortcuts you dont want. You must keep the subsystem present and enabled. For example, in the example below, delete the Microsoft Access shortcuts, while keeping the subsystems &lt;shortcut&gt; &lt;/shortcut&gt; intact to disable the Microsoft Access shortcut.
``` syntax
Shortcuts
-->
<Shortcuts Enabled="true">
<Extensions>
<Extension Category="AppV.Shortcut">
<Shortcut>
<File>[{Common Programs}]\Microsoft Office 2016\Access 2016.lnk</File>
<Target>[{AppvPackageRoot}])office16\MSACCESS.EXE</Target>
<Icon>[{Windows}]\Installer\{90150000-000F-0000-0000-000000FF1CE)\accicons.exe.Ø.ico</Icon>
<Arguments />
<WorkingDirectory />
<AppuserModelId>Microsoft.Office.MSACCESS.EXE.16</AppUserModelId>
<AppUsermodelExcludeFroeShowInNewInstall>true</AppUsermodelExcludeFroeShowInNewInstall>
<Description>Build a professional app quickly to manage data.</Description>
<ShowCommand>l</ShowCommand>
<ApplicationId>[{AppVPackageRoot}]\officel6\MSACCESS.EXE</ApplicationId>
</Shortcut>
```
3. Save the Deployment Configuration File.
4. Republish Office 2016 App-V Package with new Deployment Configuration File.
Many additional settings can be changed through modifying the Deployment Configuration for App-V packages, for example, file type associations, Virtual File System, and more. For additional information on how to use Deployment Configuration Files to change App-V package settings, refer to the additional resources section at the end of this document.
### Managing Office 2016 package upgrades
To upgrade an Office 2016 package, use the Office Deployment Tool. To upgrade a previously deployed Office 2016 package, perform the following steps.
#### How to upgrade a previously deployed Office 2016 package
1. Create a new Office 2016 package through the Office Deployment Tool that uses the most recent Office 2016 application software. The most recent Office 2016 bits can always be obtained through the download stage of creating an Office 2016 App-V Package. The newly created Office 2016 package will have the most recent updates and a new Version ID. All packages created using the Office Deployment Tool have the same lineage.
> **Note**&nbsp;&nbsp;Office App-V packages have two Version IDs:
> - An Office 2016 App-V Package Version ID that is unique across all packages created using the Office Deployment Tool.
> - A second App-V Package Version ID, x.x.x.x for example, in the AppX manifest that will only change if there is a new version of Office itself. For example, if a new Office 2016 release with upgrades is available, and a package is created through the Office Deployment Tool to incorporate these upgrades, the X.X.X.X version ID will change to reflect that the Office version itself has changed. The App-V server will use the X.X.X.X version ID to differentiate this package and recognize that it contains new upgrades to the previously published package, and as a result, publish it as an upgrade to the existing Office 2016 package.
2. Globally publish the newly created Office 2016 App-V Packages onto computers where you would like to apply the new updates. Since the new package has the same lineage of the older Office 2016 App-V Package, publishing the new package with the updates will only apply the new changes to the old package, and thus will be fast.
3. Upgrades will be applied in the same manner of any globally published App-V Packages. Because applications will probably be in use, upgrades might be delayed until the computer is rebooted.
### Deploying Visio 2016 and Project 2016 with Office
The following table describes the requirements and options for deploying Visio 2016 and Project 2016 with Office.
| **Task** | **Details** |
|---------------------|---------------|
| How do I package and publish Visio 2016 and Project 2016 with Office? | You must include Visio 2016 and Project 2016 in the same package with Office.<br>If you are not deploying Office, you can create a package that contains Visio and/or Project, as long as you follow the packaging, publishing, and deployment requirements described in this topic. |
| How can I deploy Visio 2016 and Project 2016 to specific users? | Use one of the following methods:<br>**To create two different packages and deploy each one to a different group of users**:<br>Create and deploy the following packages:<br>- A package that contains only Office - deploy to computers whose users need only Office.<br>- A package that contains Office, Visio, and Project - deploy to computers whose users need all three applications.<br><br>**To create only one package for the whole organization, or create a package intended for users who share computers**:<br>Follow these steps:<br>1. Create a package that contains Office, Visio, and Project.<br>2. Deploy the package to all users.<br>3. Use [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) to prevent specific users from using Visio and Project. |
## Related topics
- [Deploying App-V for Windows 10](appv-deploying-appv.md)
- [Deploying Microsoft Office 2013 by Using App-V](appv-deploying-microsoft-office-2013-with-appv.md)
- [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md)
- [Office 2016 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117)
## Have a suggestion for App-V?
Add or vote on suggestions on the [Application Virtualization feedback site](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).<br>For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
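Review bot: The first configuration.xml sample under "Download Office 2016 applications" is not well-formed XML. In `<Add SourcePath= \\Server\Office2016” OfficeClientEdition="32" >` the attribute value has no opening quote and ends in a typographic quote, and `Product ID="O365ProPlusRetail "` carries a trailing space inside the ID. Anyone who pastes it into Customconfig.xml starts from a broken file, so please quote it the way the second sample does. That second sample has its own mismatch: it uses `\\server\Office 2016` with a space while every command line in the topic uses `\\server\Office2016`. The two Deployment Configuration snippets read as if transcribed from a screenshot: `officel6` with a letter l, `[(AppVPackageRoot}]`, `[{AppvPackageRoot}])office16`, and `<AppuserModelId>` closed by `</AppUserModelId>`. They should be re-copied from a real DeploymentConfig.xml so that a text search for the values shown actually matches. In "To enable plug-ins for Office App-V packages", steps 1 and 4 are the same instruction; drop one. In the publishing prerequisites table, the row for `Set-AppvClientConfiguration -EnablePackageScripts 1` notes that package scripts are disabled by default; it would help administrators to say why the Office package needs them, and that the cmdlet changes the client's configuration rather than a setting on the Office package alone.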

View File

@ -35,6 +35,7 @@ The topics in this section provide information and step-by-step procedures to he
- [Deploying the App-V Sequencer and Configuring the Client](appv-deploying-the-appv-sequencer-and-client.md)
- [Deploying the App-V Server](appv-deploying-the-appv-server.md)
- [App-V Deployment Checklist](appv-deployment-checklist.md)
- [Deploying Microsoft Office 2016 by Using App-V](appv-deploying-microsoft-office-2016-with-appv.md)
- [Deploying Microsoft Office 2013 by Using App-V](appv-deploying-microsoft-office-2013-with-appv.md)
- [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md)

View File

@ -16,6 +16,7 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in
| New or changed topic | Description |
| --- | --- |
| [Update Windows 10 in the enterprise](waas-update-windows-10.md), replaces **Windows 10 servicing options** | New |
| [Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md) | Added Group Policy setting to replace Gesture Filter |
| [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added content for Windows Server 2016 |
| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Updated the script for setting a custom shell using Shell Launcher. |
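Review bot: The row for "Update Windows 10 in the enterprise" says it "replaces **Windows 10 servicing options**", but the row for the retired "Windows 10 servicing options" topic in the following table sends readers to "Overview of Windows as a service" instead. Point both rows at the same replacement topic, or state in one of them how the two topics relate, so a reader following the change history lands in one place.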
@ -25,10 +26,11 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in
| New or changed topic | Description |
| --- | --- |
| [Create mandatory user profiles](mandatory-user-profile.md) | New |
| [Update Windows 10 in the enterprise](waas-update-windows-10.md) | New section |
| [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) | Updated sample XML for combined Start and taskbar layout; added note to explain the difference between applying taskbar configuration by Group Policy and by provisioning package |
| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Updated instructions for exiting assigned access mode. |
| Application development for Windows as a service | Topic moved to MSDN: [Application development for Windows as a service](https://msdn.microsoft.com/windows/uwp/get-started/application-development-for-windows-as-a-service)
| Windows 10 servicing options | New content replaced this topic; see [Overview of Windows as a service](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview) |
## RELEASE: Windows 10, version 1607
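Review bot: The "Application development for Windows as a service" row is missing its closing `|`, unlike every other row in this table; add it so the table source stays consistent. The "Windows 10 servicing options" row also links to an absolute technet.microsoft.com/en-us URL for waas-overview while the neighbouring rows use relative .md links. If that topic lives in this repo, a relative link would match the rest of the table and keep the locale out of the URL.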


Some files were not shown because too many files have changed in this diff