From e3c9ffcd872d09844a5daa915973452fda7ec853 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Thu, 24 Aug 2017 17:38:23 +0000 Subject: [PATCH 1/5] Merged PR 2862: Update to Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts in Policy CSP --- .../mdm/new-in-windows-mdm-enrollment-management.md | 5 +++++ windows/client-management/mdm/policy-csp-privacy.md | 11 +++++++---- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 494fb897c3..a55e1acb45 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -1443,6 +1443,11 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
  • Defender/EnableGuardMyFolders to Defender/EnableControlledFolderAccess
  • Added links to the additional [ADMX-backed BitLocker policies](policy-csp-bitlocker.md).

    +

    There were issues reported with the previous release of the following policies. These issues were fixed in Window 10, version 1709:

    + diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md index a390391af7..8f5423f922 100644 --- a/windows/client-management/mdm/policy-csp-privacy.md +++ b/windows/client-management/mdm/policy-csp-privacy.md @@ -34,11 +34,11 @@ ms.date: 08/21/2017 Mobile Enterprise - check mark1 - check mark1 + check mark3 + check mark3 - check mark1 - check mark1 + check mark3 + check mark3 check mark check mark @@ -48,6 +48,9 @@ ms.date: 08/21/2017

    Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps. +> [!Note] +> There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709. +

    The following list shows the supported values: - 0 (default)– Not allowed. From 3b27342e54d02192623fcb299b925841e7bd93a3 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Thu, 24 Aug 2017 17:38:53 +0000 Subject: [PATCH 2/5] Merged PR 2863: Update to Start/HideAppList in Policy CSP --- windows/client-management/mdm/policy-csp-start.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index 6c0dd2a75b..c33b8625ee 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -448,10 +448,10 @@ ms.date: 08/09/2017 cross mark - check mark2 + check mark3 - check mark2 - check mark2 + check mark3 + check mark3 cross mark cross mark @@ -462,7 +462,10 @@ ms.date: 08/09/2017 > [!NOTE] > This policy requires reboot to take effect. -

    Added in Windows 10, version 1703. Allows IT Admins to configure Start by collapsing or removing the all apps list. +

    Allows IT Admins to configure Start by collapsing or removing the all apps list. + +> [!Note] +> There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709.

    The following list shows the supported values: From e28e96c2fac5b140464dc1ac97559f3d0474af88 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Thu, 24 Aug 2017 19:17:17 +0000 Subject: [PATCH 3/5] Merged PR 2844: Moved service acct configuration under step 11, and updated ms.date, fixed HEAD conflict Moved service acct configuration under step 11 in "poc" topic, and updated ms.date in several topics --- .../deployment/deploy-enterprise-licenses.md | 1 + windows/deployment/deploy-whats-new.md | 1 + .../deployment/vda-subscription-activation.md | 1 + .../windows-10-enterprise-e3-overview.md | 1 + ...s-10-enterprise-subscription-activation.md | 1 + windows/deployment/windows-10-poc-mdt.md | 1 + .../windows-10-poc-sc-config-mgr.md | 1 + windows/deployment/windows-10-poc.md | 43 ++++++++++--------- 8 files changed, 29 insertions(+), 21 deletions(-) diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index 40f279e10f..a05a03bbe9 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy localizationpriority: high ms.sitesec: library ms.pagetype: mdt +ms.date: 08/23/2017 author: greg-lindsay --- diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index fddacf3a05..e11c92867c 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -7,6 +7,7 @@ ms.localizationpriority: high ms.prod: w10 ms.sitesec: library ms.pagetype: deploy +ms.date: 08/23/2017 author: greg-lindsay --- diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md index 8d3a787f3c..a6f560cc33 100644 --- a/windows/deployment/vda-subscription-activation.md +++ b/windows/deployment/vda-subscription-activation.md 
@@ -7,6 +7,7 @@ ms.mktglfcycl: deploy localizationpriority: high ms.sitesec: library ms.pagetype: mdt +ms.date: 08/23/2017 author: greg-lindsay --- diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md index f76208ce9c..5f663ae222 100644 --- a/windows/deployment/windows-10-enterprise-e3-overview.md +++ b/windows/deployment/windows-10-enterprise-e3-overview.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy ms.localizationpriority: high ms.sitesec: library ms.pagetype: mdt +ms.date: 08/23/2017 author: greg-lindsay --- diff --git a/windows/deployment/windows-10-enterprise-subscription-activation.md b/windows/deployment/windows-10-enterprise-subscription-activation.md index 8e9912ed68..c767d18075 100644 --- a/windows/deployment/windows-10-enterprise-subscription-activation.md +++ b/windows/deployment/windows-10-enterprise-subscription-activation.md @@ -7,6 +7,7 @@ ms.mktglfcycl: deploy localizationpriority: high ms.sitesec: library ms.pagetype: mdt +ms.date: 08/23/2017 author: greg-lindsay --- diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md index d9870313ca..f7f79e2f18 100644 --- a/windows/deployment/windows-10-poc-mdt.md +++ b/windows/deployment/windows-10-poc-mdt.md @@ -7,6 +7,7 @@ ms.sitesec: library ms.pagetype: deploy keywords: deployment, automate, tools, configure, mdt ms.localizationpriority: high +ms.date: 08/23/2017 author: greg-lindsay --- diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md index 63e2727b2a..eb042d424b 100644 --- a/windows/deployment/windows-10-poc-sc-config-mgr.md +++ b/windows/deployment/windows-10-poc-sc-config-mgr.md @@ -7,6 +7,7 @@ ms.sitesec: library ms.pagetype: deploy keywords: deployment, automate, tools, configure, sccm ms.localizationpriority: high +ms.date: 08/23/2017 author: greg-lindsay --- 
diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md index 621de876bd..5a67eebb9e 100644 --- a/windows/deployment/windows-10-poc.md +++ b/windows/deployment/windows-10-poc.md @@ -7,6 +7,7 @@ ms.sitesec: library ms.pagetype: deploy keywords: deployment, automate, tools, configure, mdt, sccm ms.localizationpriority: high +ms.date: 08/23/2017 author: greg-lindsay --- @@ -771,6 +772,27 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to Add-DnsServerForwarder -IPAddress 192.168.0.2 + **Configure service and user accounts** + + Windows 10 deployment with MDT and System Center Configuration Manager requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire. + + >To keep this test lab relatively simple, we will not create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) + + On DC1, open an elevated Windows PowerShell prompt and type the following commands: + +

    +    New-ADUser -Name User1 -UserPrincipalName user1 -Description "User account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
    +    New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
    +    New-ADUser -Name CM_JD -UserPrincipalName CM_JD -Description "Configuration Manager Join Domain Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
    +    New-ADUser -Name CM_NAA -UserPrincipalName CM_NAA -Description "Configuration Manager Network Access Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
    +    Add-ADGroupMember "Domain Admins" MDT_BA,CM_JD,CM_NAA
    +    Set-ADUser -Identity user1 -PasswordNeverExpires $true
    +    Set-ADUser -Identity administrator -PasswordNeverExpires $true
    +    Set-ADUser -Identity MDT_BA -PasswordNeverExpires $true
    +    Set-ADUser -Identity CM_JD -PasswordNeverExpires $true
    +    Set-ADUser -Identity CM_NAA -PasswordNeverExpires $true
    +    
    + 12. Minimize the DC1 VM window but **do not stop** the VM. Next, the client VM will be started and joined to the contoso.com domain. This is done before adding a gateway to the PoC network so that there is no danger of duplicate DNS registrations for the physical client and its cloned VM in the corporate domain. @@ -984,27 +1006,6 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to Restart-Computer -### Configure service and user accounts - -Windows 10 deployment with MDT and System Center Configuration Manager requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire. - ->To keep this test lab relatively simple, we will not create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) - -On DC1, open an elevated Windows PowerShell prompt and type the following commands: - -
    -New-ADUser -Name User1 -UserPrincipalName user1 -Description "User account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
    -New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
    -New-ADUser -Name CM_JD -UserPrincipalName CM_JD -Description "Configuration Manager Join Domain Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
    -New-ADUser -Name CM_NAA -UserPrincipalName CM_NAA -Description "Configuration Manager Network Access Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
    -Add-ADGroupMember "Domain Admins" MDT_BA,CM_JD,CM_NAA
    -Set-ADUser -Identity user1 -PasswordNeverExpires $true
    -Set-ADUser -Identity administrator -PasswordNeverExpires $true
    -Set-ADUser -Identity MDT_BA -PasswordNeverExpires $true
    -Set-ADUser -Identity CM_JD -PasswordNeverExpires $true
    -Set-ADUser -Identity CM_NAA -PasswordNeverExpires $true
    -
    - This completes configuration of the starting PoC environment. Additional services and tools are installed in subsequent guides. ## Appendix A: Verify the configuration From 12e372ce3adc36d46a88797b9bf238a7b1c7faf6 Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Thu, 24 Aug 2017 21:37:41 +0000 Subject: [PATCH 4/5] Merged PR 2876: Fixing wrong LTSC references credit to - andreiztm (GitHub) --- .../update/waas-servicing-channels-windows-10-updates.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md index dd5cbaf8b7..cddacc1917 100644 --- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md @@ -181,12 +181,12 @@ During the life of a device, it may be necessary or desirable to switch between Use media to upgrade to the latest Windows Insider Program build. -Long-Term Servicing Channel (Targeted) -Use media to upgrade to a later Long-Term Servicing Channel build. (Note that the Long-Term Servicing Channel build must be a later build.) +Semi-Annual Channel (Targeted) +Use media to upgrade. Note that the Semi-Annual Channel build must be a later build. -Long-Term Servicing Channel -Use media to upgrade to a later Long-Term Servicing Channel for Business build (Long-Term Servicing Channel build plus fixes). Note that it must be a later build. +Semi-Annual Channel +Use media to upgrade. Note that the Semi-Annual Channel build must be a later build. From 7d33997c6cba8f798d58961ee8a84552409c6c01 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Thu, 24 Aug 2017 15:04:34 -0700 Subject: [PATCH 5/5] gp updates for 3ps --- .../use-group-policy-windows-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md index 79abd8d757..eb1d2a3b47 100644 --- a/windows/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md @@ -82,7 +82,7 @@ Reporting | Configure time out for detections in non-critical failed state | Not Reporting | Configure time out for detections in recently remediated state | Not used Reporting | Configure time out for detections requiring additional action | Not used Reporting | Turn off enhanced notifications | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) -Root | Turn off Windows Defender Antivirus | Not used +Root | Turn off Windows Defender Antivirus | Not used (This setting must be set to **Not configured** to ensure any installed third-party antivirus apps work correctly) Root | Define addresses to bypass proxy server | Not used Root | Define proxy auto-config (.pac) for connecting to the network | Not used Root | Define proxy server for connecting to the network | Not used
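Review bot: In PATCH 1/5, the sentence added to new-in-windows-mdm-enrollment-management.md has a typo: "These issues were fixed in Window 10, version 1709" should read "Windows 10". In the policy-csp-privacy.md hunk of the same patch, the added callout says only that "There were issues reported with the previous release of this policy". For a setting that auto-accepts pairing and privacy consent prompts, state what the policy actually did on the earlier release, so an admin can tell whether devices not yet on version 1709 are enforcing the intended value. The support-table cells also change from "check mark1" to "check mark3", but no footnote legend is visible in the hunk. Confirm that footnote 3 is defined in this file.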
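Review bot: In PATCH 2/5 (policy-csp-start.md, hunk at line 462), the description drops "Added in Windows 10, version 1703." and the table moves from "check mark2" to "check mark3", so the page no longer says when Start/HideAppList was introduced. The new note mentions only a fix in version 1709. Keep the introduction version, or say explicitly that the policy is supported only from version 1709, so the text and the table agree. The added callout is also written "> [!Note]" while the existing one a few lines above in the same hunk is "> [!NOTE]"; use the same casing.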
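Review bot: In PATCH 3/5 (windows-10-poc.md, block added under step 11), all four New-ADUser lines set the same literal password "pass@word1". Three of those accounts then go into Domain Admins via Add-ADGroupMember "Domain Admins" MDT_BA,CM_JD,CM_NAA, and every account, including the built-in administrator, gets -PasswordNeverExpires $true. Step 12 in the same hunk says a gateway is added to the PoC network afterwards, so these published credentials end up on a domain with a route to the corporate network. Suggest reading the password once (for example with Read-Host -AsSecureString) and reusing that variable in the four commands, or at least telling the reader in the quoted note to choose their own password. Also reconsider CM_NAA in Domain Admins: the description calls it a network access account, and the quoted note gives no reason that account needs domain-wide rights even in the lab. Smaller points: the -UserPrincipalName values have no domain suffix (user1 rather than user1@contoso.com), and the sentence ending in the link to prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md has no closing period.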
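Review bot: In PATCH 4/5 (waas-servicing-channels-windows-10-updates.md, hunk at line 181), the "Semi-Annual Channel (Targeted)" and "Semi-Annual Channel" rows now carry identical text, and "Use media to upgrade." no longer says what to upgrade to. The removed lines named the target build and, for the second row, "build plus fixes". Suggest "Use media to upgrade to a later Semi-Annual Channel build." and keep the second row's distinction if it still applies. Otherwise the two rows give the reader nothing to tell them apart.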
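Review bot: In PATCH 5/5 (use-group-policy-windows-defender-antivirus.md, the "Root | Turn off Windows Defender Antivirus" row), the cell now reads "Not used (This setting must be set to **Not configured** ...)". That pairs "Not used" with a mandatory value in the same cell. A reader skimming the column will see "Not used" and skip the requirement. Lead the cell with the instruction instead, for example "Must be set to **Not configured** so that any installed third-party antivirus apps work correctly", and say what happens to Windows Defender Antivirus when the setting is enabled or disabled, since that is the risk the parenthesis hints at. The subject line "gp updates for 3ps" also does not say which setting changed; name it in the commit message.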