This commit is contained in:
JanKeller1 2016-08-09 08:30:41 -07:00
commit 7c25a20b19
5 changed files with 33 additions and 66 deletions

View File

@ -37,7 +37,7 @@ If you are already using OMS, youll find Upgrade Analytics in the Solutions G
If you are not using OMS: If you are not using OMS:
1. Go to the [Upgrade Analytics website](http://go.microsoft.com/fwlink/?LinkID=799190&clcid=0x409) and click **Sign up** to kick off the onboarding process. 1. Go to the [Upgrade Analytics page on Microsoft.com](http://go.microsoft.com/fwlink/?LinkID=799190&clcid=0x409) and click **Sign up** to kick off the onboarding process.
2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. 2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.

View File

@ -1,5 +1,5 @@
--- ---
title: Upgrade Analytics release notes (Windows 10) title: Upgrade Analytics release notes (Windows 10)
description: Provides tips and limitations about Upgrade Analytics. description: Provides tips and limitations about Upgrade Analytics.
redirect_url: https://technet.microsoft.com/itpro/windows/deploy/upgrade-analytics-requirements redirect_url: https://technet.microsoft.com/itpro/windows/deploy/upgrade-analytics-requirements#important-information-about-this-release
--- ---
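Review bot: The new `redirect_url` ends in the fragment `#important-information-about-this-release`, and nothing in this commit shows that a heading with that anchor exists in upgrade-analytics-requirements. Confirm the target heading is present and spelled so that it generates exactly this anchor; otherwise the redirect lands at the top of the page and the release-notes content is effectively lost.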

View File

@ -29,7 +29,7 @@ Upgrade Analytics is offered as a solution in the Microsoft Operations Managemen
If youre already using OMS, youll find Upgrade Analytics in the Solutions Gallery. Click the Upgrade Analytics tile in the gallery and then click Add on the solutions details page. Upgrade Analytics is now visible in your workspace. If youre already using OMS, youll find Upgrade Analytics in the Solutions Gallery. Click the Upgrade Analytics tile in the gallery and then click Add on the solutions details page. Upgrade Analytics is now visible in your workspace.
If you are not using OMS, go to \[link to new Upgrade Analytics Web page on Microsoft.com\] and select **Upgrade Analytics Service** to kick off the OMS onboarding process. During the onboarding process, youll create an OMS workspace and add the Upgrade Analytics solution to it. If you are not using OMS, go to [the Upgrade Analytics page on Microsoft.com](https://www.microsoft.com/en-us/WindowsForBusiness/upgrade-analytics) and select **Sign up** to kick off the OMS onboarding process. During the onboarding process, youll create an OMS workspace and add the Upgrade Analytics solution to it.
Important: You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory, use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. Important: You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory, use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
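Review bot: The placeholder in the "If you are not using OMS" sentence is replaced with a direct, locale-pinned URL (`https://www.microsoft.com/en-us/WindowsForBusiness/upgrade-analytics`), while the other file in this commit links the same "Upgrade Analytics page on Microsoft.com" through `go.microsoft.com/fwlink/?LinkID=799190`. Use one form in both places, preferably the fwlink, so the two pages cannot drift apart and non-English readers are not forced to `en-us`.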
@ -37,7 +37,7 @@ Important: You can use either a Microsoft Account or a Work or School account to
After youve signed in to Operations Management Suite and added the Upgrade Analytics solution to your workspace, youll need to complete the following tasks to allow user computer data to be shared with and assessed by Upgrade Analytics. After youve signed in to Operations Management Suite and added the Upgrade Analytics solution to your workspace, youll need to complete the following tasks to allow user computer data to be shared with and assessed by Upgrade Analytics.
See \[link to Steve Mays PDF doc when its published\] for more information about what user computer data Upgrade Analytics collects and assesses. See [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization) for more information about how Microsoft uses Windows telemetry data. See [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](http://go.microsoft.com/fwlink/?LinkID=822965) for more information about what user computer data Upgrade Analytics collects and assesses. See [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization) for more information about how Microsoft uses Windows telemetry data.
**Whitelist telemetry endpoints.** To enable telemetry data to be sent to Microsoft, youll need to whitelist the following Microsoft telemetry endpoints on your proxy server or firewall. You may need to get approval from your security group to do this. **Whitelist telemetry endpoints.** To enable telemetry data to be sent to Microsoft, youll need to whitelist the following Microsoft telemetry endpoints on your proxy server or firewall. You may need to get approval from your security group to do this.
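Review bot: The link added for "Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields" uses `http://go.microsoft.com/fwlink/?LinkID=822965`, while the telemetry link next to it in the same paragraph is `https://`. This is the reference a security group will consult before approving the telemetry endpoints mentioned in the next paragraph, so switch it to `https://` to match.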

View File

@ -80,11 +80,11 @@ The server side configuration to enable Network Unlock also requires provisionin
## <a href="" id="bkmk-configuringnetworkunlock"></a>Configure Network Unlock ## <a href="" id="bkmk-configuringnetworkunlock"></a>Configure Network Unlock
The following steps allow an administrator to configure Network Unlock in a domain where the Domain Functional Level is at least Windows Server 2012. The following steps allow an administrator to configure Network Unlock in a domain where the domain functional level is at least Windows Server 2012.
### <a href="" id="bkmk-stepone"></a>Step One: Install the WDS Server role ### <a href="" id="bkmk-stepone"></a>Step One: Install the WDS Server role
The BitLocker Network Unlock feature will install the WDS role if it is not already installed. If you want to install it separately before you install BitLocker Network Unlock you can use Server Manager or Windows PowerShell. To install the role using Server Manager, select the **Windows Deployment Services** role in Server Manager. The BitLocker Network Unlock feature will install the WDS role if it is not already installed. If you want to install it separately before you install BitLocker Network Unlock, you can use Server Manager or Windows PowerShell. To install the role using Server Manager, select the **Windows Deployment Services** role.
To install the role using Windows PowerShell, use the following command: To install the role using Windows PowerShell, use the following command:
@ -114,72 +114,39 @@ Install-WindowsFeature BitLocker-NetworkUnlock
``` ```
### <a href="" id="bkmk-stepfour"></a>Step Four: Create the Network Unlock certificate ### <a href="" id="bkmk-stepfour"></a>Step Four: Create the Network Unlock certificate
Network Unlock can use imported certificates from an existing PKI infrastructure, or you can use a self-signed certificate. Network Unlock can use imported certificates from an existing PKI infrastructure.
To enroll a certificate from an existing certification authority (CA), do the following: To enroll a certificate from an existing certification authority (CA), do the following:
1. Open Certificate Manager on the WDS server using **certmgr.msc** 1. Open Certificate Manager on the WDS server using **certmgr.msc**.
2. Under the Certificates - Current User item, right-click Personal 2. Under the Certificates - Current User item, right-click **Personal**.
3. Select All Tasks, then **Request New Certificate** 3. Select All Tasks, then **Request New Certificate**.
4. Select **Next** when the Certificate Enrollment wizard opens 4. Select **Next** when the Certificate Enrollment wizard opens.
5. Select Active Directory Enrollment Policy 5. Select **Active Directory Enrollment Policy**.
6. Choose the certificate template created for Network Unlock on the Domain controller and select **Enroll**. When prompted for more information, add the following attribute to the certificate: 6. Choose the certificate template created for Network Unlock on the domain controller and select **Enroll**. When prompted for more information, add the following attribute to the certificate:
- Select the **Subject Name** pane and provide a friendly name value. It is suggested that this friendly name include information for the domain or organizational unit for the certificate. For example "BitLocker Network Unlock Certificate for Contoso domain" - Select the **Subject Name** pane and provide a friendly name value. It is suggested that this friendly name include information for the domain or organizational unit for the certificate. For example "BitLocker Network Unlock Certificate for Contoso domain"
7. Create the certificate. Ensure the certificate appears in the Personal folder. 7. Create the certificate. Ensure the certificate appears in the Personal folder.
8. Export the public key certificate for Network Unlock 8. Export the public key certificate for Network Unlock:
1. Create a .cer file by right-clicking the previously created certificate, choosing **All Tasks**, then **Export**. 1. Create a .cer file by right-clicking the previously created certificate, choosing **All Tasks**, then **Export**.
2. Select **No, do not export the private key**. 2. Select **No, do not export the private key**.
3. Select **DER encoded binary X.509** and complete exporting the certificate to a file. 3. Select **DER encoded binary X.509** and complete exporting the certificate to a file.
4. Give the file a name such as BitLocker-NetworkUnlock.cer. 4. Give the file a name such as BitLocker-NetworkUnlock.cer.
9. Export the public key with a private key for Network Unlock 9. Export the public key with a private key for Network Unlock:
1. Create a .pfx file by right-clicking the previously created certificate, choosing **All Tasks**, then **Export**. 1. Create a .pfx file by right-clicking the previously created certificate, choosing **All Tasks**, then **Export**.
2. Select **Yes, export the private key**. 2. Select **Yes, export the private key**.
3. Complete the wizard to create the .pfx file. 3. Complete the wizard to create the .pfx file.
To create a self-signed certificate, do the following:
1. Create a text file with an .inf extension. For example, notepad.exe BitLocker-NetworkUnlock.inf
2. Add the following contents to the previously created file:
``` syntax
[NewRequest]
Subject="CN=BitLocker Network Unlock certificate"
Exportable=true
RequestType=Cert
KeyUsage="CERT_KEY_ENCIPHERMENT_KEY_USAGE"
KeyUsageProperty="NCRYPT_ALLOW_DECRYPT_FLAG"
KeyLength=2048
Keyspec="AT_KEYEXCHANGE"
SMIME=FALSE
HashAlgorithm=sha512
[Extensions]
1.3.6.1.4.1.311.21.10 = "{text}"
_continue_ = "OID=1.3.6.1.4.1.311.67.1.1"
2.5.29.37 = "{text}"
_continue_ = "1.3.6.1.4.1.311.67.1.1"
```
3. Open an elevated command prompt and use the certreq tool to create a new certificate using the following command, specifying the full path to the file created previously, along with the file name:
``` syntax
certreq -new BitLocker-NetworkUnlock.inf BitLocker-NetworkUnlock.cer
```
4. Verify the previous command properly created the certificate by confirming the .cer file exists
5. Launch the Certificate Manager by running **certmgr.msc**
6. Create a .pfx file by opening the **Certificates Current User\\Personal\\Certificates** path in the navigation pane, right-clicking the previously imported certificate, selecting **All Tasks**, then **Export**. Follow through the wizard to create the .pfx file.
### <a href="" id="bkmk-stepfive"></a>Step Five: Deploy the private key and certificate to the WDS server ### <a href="" id="bkmk-stepfive"></a>Step Five: Deploy the private key and certificate to the WDS server
With the certificate and key created, deploy them to the infrastructure to properly unlock systems. To deploy the certificates, do the following: With the certificate and key created, deploy them to the infrastructure to properly unlock systems. To deploy the certificates, do the following:
1. On the WDS server, open a new MMC and add the certificates snap-in. Select the computer account and local computer when given the options. 1. On the WDS server, open a new MMC and add the certificates snap-in. Select the computer account and local computer when given the options.
2. Right-click the Certificates (Local Computer) - BitLocker Drive Encryption Network Unlock item, choose All Tasks, then **Import** 2. Right-click the Certificates (Local Computer) - BitLocker Drive Encryption Network Unlock item, choose All Tasks, then **Import**.
3. In the **File to Import** dialog, choose the .pfx file created previously. 3. In the **File to Import** dialog, choose the .pfx file created previously.
4. Enter the password used to create the .pfx and complete the wizard. 4. Enter the password used to create the .pfx and complete the wizard.
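Review bot: With the self-signed procedure deleted, step 6 of the CA enrollment list is the only remaining path, and it relies on "the certificate template created for Network Unlock" without saying where that template comes from. Link step 6 to the "Create the certificate template for Network Unlock" section (`bkmk-createcerttmpl`), and state in the Step Four introduction whether self-signed certificates are no longer supported or simply no longer documented. Separately, step 9.3 says only "Complete the wizard to create the .pfx file" while Step Five, step 4 expects "the password used to create the .pfx"; since step 9 is being touched anyway, add a sub-step that sets a password on the exported private key.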
@ -189,18 +156,18 @@ With certificate and key deployed to the WDS server for Network Unlock, the fina
The following steps describe how to enable the Group Policy setting that is a requirement for configuring Network Unlock. The following steps describe how to enable the Group Policy setting that is a requirement for configuring Network Unlock.
1. Open Group Policy Management Console (gpmc.msc) 1. Open Group Policy Management Console (gpmc.msc).
2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option 2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option.
3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers 3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers.
The following steps describe how to deploy the required Group Policy setting: The following steps describe how to deploy the required Group Policy setting:
>**Note:**  The Group Policy settings **Allow network unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012. >**Note:**  The Group Policy settings **Allow network unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012.
   
1. Copy the .cer file created for Network Unlock to the domain controller 1. Copy the .cer file created for Network Unlock to the domain controller.
2. On the domain controller, launch Group Policy Management Console (gpmc.msc) 2. On the domain controller, launch Group Policy Management Console (gpmc.msc).
3. Create a new Group Policy Object or modify an existing object to enable the **Allow network unlock at startup** setting. 3. Create a new Group Policy Object or modify an existing object to enable the **Allow network unlock at startup** setting.
4. Deploy the public certificate to clients 4. Deploy the public certificate to clients:
1. Within Group Policy Management Console, navigate to the following location: **Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate** 1. Within Group Policy Management Console, navigate to the following location: **Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate**
2. Right-click the folder and choose **Add Network Unlock Certificate** 2. Right-click the folder and choose **Add Network Unlock Certificate**
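Review bot: The first list in this hunk is introduced as "how to enable the Group Policy setting that is a requirement for configuring Network Unlock", but its three steps are the TPM+PIN steps that appear again, word for word, under "An additional step is for enterprises to use TPM+PIN protectors". Decide whether TPM+PIN is a requirement or an optional hardening step and keep the list in one place only. The punctuation pass also missed sub-steps 4.1 and 4.2, which still end without a period.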
@ -212,16 +179,16 @@ The following steps describe how to deploy the required Group Policy setting:
An additional step is for enterprises to use TPM+PIN protectors for an extra level of security. To require TPM+PIN protectors in an environment, do the following: An additional step is for enterprises to use TPM+PIN protectors for an extra level of security. To require TPM+PIN protectors in an environment, do the following:
1. Open Group Policy Management Console (gpmc.msc) 1. Open Group Policy Management Console (gpmc.msc).
2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option 2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option.
3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers 3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers.
### <a href="" id="bkmk-createcerttmpl"></a>Create the certificate template for Network Unlock ### <a href="" id="bkmk-createcerttmpl"></a>Create the certificate template for Network Unlock
The following steps detail how to create a certificate template for use with BitLocker Network Unlock. A properly configured Active Directory Services Certification Authority can use this certificate to create and issue Network Unlock certificates. The following steps detail how to create a certificate template for use with BitLocker Network Unlock. A properly configured Active Directory Services Certification Authority can use this certificate to create and issue Network Unlock certificates.
1. Open the Certificates Template snap-in (certtmpl.msc). 1. Open the Certificates Template snap-in (certtmpl.msc).
2. Locate the User template. Right-click the template name and select **Duplicate Template** 2. Locate the User template. Right-click the template name and select **Duplicate Template**.
3. On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to Windows Server 2012 and Windows 8respectively. Ensure the **Show resulting changes** dialog box is selected. 3. On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to Windows Server 2012 and Windows 8respectively. Ensure the **Show resulting changes** dialog box is selected.
4. Select the **General** tab of the template. The **Template display name** and **Template name** should clearly identify that the template will be used for Network Unlock. Clear the checkbox for the **Publish certificate in Active Directory** option. 4. Select the **General** tab of the template. The **Template display name** and **Template name** should clearly identify that the template will be used for Network Unlock. Clear the checkbox for the **Publish certificate in Active Directory** option.
5. Select the **Request Handling** tab. Select **Encryption** from the **Purpose** drop down menu. Ensure the **Allow private key to be exported** option is selected. 5. Select the **Request Handling** tab. Select **Encryption** from the **Purpose** drop down menu. Ensure the **Allow private key to be exported** option is selected.
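Review bot: Step 3 of the template list still reads "Windows Server 2012 and Windows 8respectively" on both sides of the diff; since this commit is a punctuation cleanup of the same list, fix it to "Windows Server 2012 and Windows 8, respectively". In the same step, "Ensure the **Show resulting changes** dialog box is selected" should say "check box", because a dialog box cannot be selected.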
@ -237,9 +204,9 @@ The following steps detail how to create a certificate template for use with Bit
- **Name:** **BitLocker Network Unlock** - **Name:** **BitLocker Network Unlock**
- **Object Identifier:** **1.3.6.1.4.1.311.67.1.1** - **Object Identifier:** **1.3.6.1.4.1.311.67.1.1**
14. Select the newly created **BitLocker Network Unlock** application policy and select **OK** 14. Select the newly created **BitLocker Network Unlock** application policy and select **OK**.
15. With the **Extensions** tab still open, select the **Edit Key Usage Extension** dialog, select the **Allow key exchange only with key encryption (key encipherment)** option. Select the **Make this extension critical** option. 15. With the **Extensions** tab still open, select the **Edit Key Usage Extension** dialog, select the **Allow key exchange only with key encryption (key encipherment)** option. Select the **Make this extension critical** option.
16. Select the **Security** tab. Confirm that the **Domain Admins** group has been granted **Enroll** permission 16. Select the **Security** tab. Confirm that the **Domain Admins** group has been granted **Enroll** permission.
17. Select **OK** to complete configuration of the template. 17. Select **OK** to complete configuration of the template.
To add the Network Unlock template to the Certification Authority, open the Certification Authority snap-in (certsrv.msc). Right-click the **Certificate Templates** item and choose **New, Certificate Template to issue**. Select the previously created BitLocker Network Unlock certificate. To add the Network Unlock template to the Certification Authority, open the Certification Authority snap-in (certsrv.msc). Right-click the **Certificate Templates** item and choose **New, Certificate Template to issue**. Select the previously created BitLocker Network Unlock certificate.
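Review bot: The closing paragraph says to choose "Certificate Template to issue" and then "Select the previously created BitLocker Network Unlock certificate"; what is selected at that point is the template, not a certificate. Change the last word to "template" while this block is being edited. Step 16 would also benefit from saying whether **Enroll** should be limited to **Domain Admins**, since the template allows the private key to be exported.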

View File

@ -266,27 +266,27 @@ The following table lists the settings pages and page groups. Use the page name
<tr class="even"> <tr class="even">
<td align="left"></td> <td align="left"></td>
<td align="left">Narrator</td> <td align="left">Narrator</td>
<td align="left">SettingsPageEaseoOfAccessNarrator</td> <td align="left">SettingsPageEaseOfAccessNarrator</td>
</tr> </tr>
<tr class="odd"> <tr class="odd">
<td align="left"></td> <td align="left"></td>
<td align="left">Magnifier</td> <td align="left">Magnifier</td>
<td align="left">SettingsPageEaseoOfAccessMagnifier</td> <td align="left">SettingsPageEaseOfAccessMagnifier</td>
</tr> </tr>
<tr class="even"> <tr class="even">
<td align="left"></td> <td align="left"></td>
<td align="left">High contrast</td> <td align="left">High contrast</td>
<td align="left">SettingsPageEaseoOfAccessHighContrast</td> <td align="left">SettingsPageEaseOfAccessHighContrast</td>
</tr> </tr>
<tr class="odd"> <tr class="odd">
<td align="left"></td> <td align="left"></td>
<td align="left">Closed captions</td> <td align="left">Closed captions</td>
<td align="left">SettingsPageEaseoOfAccessClosedCaptioning</td> <td align="left">SettingsPageEaseOfAccessClosedCaptioning</td>
</tr> </tr>
<tr class="even"> <tr class="even">
<td align="left"></td> <td align="left"></td>
<td align="left">More options</td> <td align="left">More options</td>
<td align="left">SettingsPageEaseoOfAccessMoreOptions</td> <td align="left">SettingsPageEaseOfAccessMoreOptions</td>
</tr> </tr>
<tr class="odd"> <tr class="odd">
<td align="left">Privacy</td> <td align="left">Privacy</td>
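Review bot: The five Ease of Access rows change `SettingsPageEaseoOfAccess...` to `SettingsPageEaseOfAccess...`, and the table is introduced with "Use the page name" as the value readers enter. Confirm the corrected names are the ones the platform actually accepts before merging, because a page name that does not match would leave the setting unapplied for anyone who copies it from this table.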