**Important**
The data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements.
## Getting ready to use Enterprise Site Discovery
+Before you can start to collect your data, you must run the provided PowerShell script (IETelemetrySetUp.ps1) on your client devices to start generating the site discovery data and to set up a place to store this data locally. Then, you must start collecting the site discovery data from the client devices, using one of these three options:
+
+- Collect your hardware inventory using the MOF Editor, while connecting to a client device.
+-OR- +- Collect your hardware inventory using the MOF Editor with a .MOF import file.
+-OR- +- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) + +### WMI only: Running the PowerShell script to compile the .MOF file and to update security privileges You need to set up your computers for data collection by running the provided PowerShell script (IETelemetrySetUp.ps1) to compile the .mof file and to update security privileges for the new WMI classes.
**Important**
You must run this script if you’re using WMI as your data output. It's not necessary if you're using XML as your data output.
-  **To set up Enterprise Site Discovery**
+ **To set up Enterprise Site Discovery**
-- Start PowerShell in elevated mode (using admin privileges) and run IETElemetrySetUp.ps1 by by-passing the PowerShell execution policy, using this command: `powershell -ExecutionPolicy Bypass .\IETElemetrySetUp.ps1`. For more info, see [about Execution Policies](http://go.microsoft.com/fwlink/p/?linkid=517460).
-
-### Optional: Set up your firewall for WMI data
+- Start PowerShell in elevated mode (using admin privileges) and run IETElemetrySetUp.ps1 by by-passing the PowerShell execution policy, using this command: `powershell -ExecutionPolicy Bypass .\IETElemetrySetUp.ps1`. For more info, see [about Execution Policies](http://go.microsoft.com/fwlink/p/?linkid=517460).
+### WMI only: Set up your firewall for WMI data
If you choose to use WMI as your data output, you need to make sure that your WMI data can travel through your firewall for the domain. If you’re sure, you can skip this section; otherwise, follow these steps:
-  **To set up your firewall**
+ **To set up your firewall**
-1. In **Control Panel**, click **System and Security**, and then click **Windows Firewall**.
+1. In **Control Panel**, click **System and Security**, and then click **Windows Firewall**.
-2. In the left pane, click **Allow an app or feature through Windows Firewall** and scroll down to check the box for **Windows Management Instrumentation (WMI)**.
+2. In the left pane, click **Allow an app or feature through Windows Firewall** and scroll down to check the box for **Windows Management Instrumentation (WMI)**.
-3. Restart your computer to start collecting your WMI data.
+3. Restart your computer to start collecting your WMI data.
-## Setting up Enterprise Site Discovery using PowerShell
-After you finish the initial setup for Site Discovery using PowerShell, you have the option to continue with PowerShell or to switch to Group Policy.
+## Use PowerShell to finish setting up Enterprise Site Discovery
+You can determine which zones or domains are used for data collection, using PowerShell. If you don’t want to use PowerShell, you can do this using Group Policy. For more info, see [Use Group Policy to finish setting up Enterprise Site Discovery](#use-group-policy-to-finish-setting-up-enterprise-site-discovery).
**Important**
The .ps1 file updates turn on Enterprise Site Discovery and WMI collection for all users on a device.
-### Setting up zones or domains for data collection
-You can determine which zones or domains are used for data collection, using PowerShell.
+- **Domain allow list.** If you have a domain allow list, a comma-separated list of domains that should have this feature turned on, you should use this process.
-- **Domain allow list.** If you have a domain allow list, a comma-separated list of domains that should have this feature turned on, you should use this process.
-
-- **Zone allow list.** If you have a zone allow list, a comma-separated list of zones that should have this feature turned on, you should use this process.
+- **Zone allow list.** If you have a zone allow list, a comma-separated list of zones that should have this feature turned on, you should use this process.
 **To set up data collection using a domain allow list**
-
-- Start PowerShell in elevated mode (using admin privileges) and run IETElemetrySetUp.ps1, using this command: `.\IETElemetrySetUp.ps1 [other args] -SiteAllowList sharepoint.com,outlook.com,onedrive.com`.
-
**Important**
Wildcards, like \*.microsoft.com, aren’t supported.
+
+ - Start PowerShell in elevated mode (using admin privileges) and run IETElemetrySetUp.ps1, using this command: `.\IETElemetrySetUp.ps1 [other args] -SiteAllowList sharepoint.com,outlook.com,onedrive.com`.
+
+ **Important**
Wildcards, like \*.microsoft.com, aren’t supported.
 **To set up data collection using a zone allow list**
+
+ - Start PowerShell in elevated mode (using admin privileges) and run IETElemetrySetUp.ps1, using this command: `.\IETElemetrySetUp.ps1 [other args] -ZoneAllowList Computer,Intranet,TrustedSites,Internet,RestrictedSites`.
+
+ **Important**
Only Computer, Intranet, TrustedSites, Internet, and RestrictedSites are supported.
-- Start PowerShell in elevated mode (using admin privileges) and run IETElemetrySetUp.ps1, using this command: `.\IETElemetrySetUp.ps1 [other args] -ZoneAllowList Computer,Intranet,TrustedSites,Internet,RestrictedSites`.
-
**Important**
Only Computer, Intranet, TrustedSites, Internet, and RestrictedSites are supported.
-
-## Setting up Enterprise Site Discovery using Group Policy
-If you don’t want to continue using PowerShell, you can switch to Group Policy after the initial Site Discovery setup.
+## Use Group Policy to finish setting up Enterprise Site Discovery
+You can use Group Policy to finish setting up Enterprise Site Discovery. If you don’t want to use Group Policy, you can do this using PowerShell. For more info, see [Use Powershell to finish setting up Enterprise Site Discovery](#use-powershell-to-finish-setting-up-enterprise-site-discovery).
**Note**
All of the Group Policy settings can be used individually or as a group.
 **To set up Enterprise Site Discovery using Group Policy**
@@ -136,7 +143,6 @@ If you don’t want to continue using PowerShell, you can switch to Group Policy
|Administrative Templates\Windows Components\Internet Explorer\Limit Site Discovery output by domain |Manages which domains can collect data |To specify which domains can collect data, you must include your selected domains, one domain per line, in the provided box. It should look like:
microsoft.sharepoint.com
outlook.com
onedrive.com
timecard.contoso.com
LOBApp.contoso.com |
### Combining WMI and XML Group Policy settings
-
You can use both the WMI and XML settings individually or together, based on:
 **To turn off Enterprise Site Discovery**
@@ -163,12 +169,17 @@ You can use both the WMI and XML settings individually or together, based on:
+-OR- +- Collect your hardware inventory using the MOF Editor with a .MOF import file.
+-OR-
+- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only)
+
+### Collect your hardware inventory using the MOF Editor while connected to a client device
+You can collect your hardware inventory using the MOF Editor, while you’re connected to your client devices.
 **To collect your inventory**
@@ -193,8 +204,8 @@ You can collect your hardware inventory using the MOF Editor, while you’re con
5. Click **OK** to close the default windows.
Your environment is now ready to collect your hardware inventory and review the sample reports.
-### Collect your hardware inventory using the MOF Editor with a MOF import file
-You can collect your hardware inventory using the MOF Editor and a MOF import file.
+### Collect your hardware inventory using the MOF Editor with a .MOF import file
+You can collect your hardware inventory using the MOF Editor and a .MOF import file.
 **To collect your inventory**
@@ -207,8 +218,8 @@ You can collect your hardware inventory using the MOF Editor and a MOF import fi
4. Click **OK** to close the default windows.
Your environment is now ready to collect your hardware inventory and review the sample reports.
-### Collect your hardware inventory using the SMS\DEF.MOF file
-You can collect your hardware inventory using the using the Systems Management Server (SMS\DEF.MOF) file.
+### Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only)
+You can collect your hardware inventory using the using the Systems Management Server (SMS\DEF.MOF) file. Editing this file lets you collect your data for System Center Configuration Manager 2007. If you aren’t using this version of Configuration Manager, you won’t want to use this option.
 **To collect your inventory**
@@ -281,7 +292,7 @@ You can collect your hardware inventory using the using the Systems Management S
3. Save the file and close it to the same location.
Your environment is now ready to collect your hardware inventory and review the sample reports.
-### Viewing the sample reports
+## View the sample reports with your collected data
The sample reports, **SCCM Report Sample – ActiveX.rdl** and **SCCM Report Sample – Site Discovery.rdl**, work with System Center 2012, so you can review your collected data.
### SCCM Report Sample – ActiveX.rdl
@@ -336,7 +347,7 @@ Each site is validated and if successful, added to the global site list when you
3. Click **OK** to close the **Bulk add sites to the list** menu.
-## Turn off data collection on your client computers
+## Turn off data collection on your client devices
After you’ve collected your data, you’ll need to turn Enterprise Site Discovery off.
 **To stop collecting data, using PowerShell**
diff --git a/mdop/appv-v5/TOC.md b/mdop/appv-v5/TOC.md
index 2e81d5ad03..1a7c936696 100644
--- a/mdop/appv-v5/TOC.md
+++ b/mdop/appv-v5/TOC.md
@@ -79,6 +79,7 @@
##### [How to Access the Client Management Console 5.1](how-to-access-the-client-management-console51.md)
##### [How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server 5.1](how-to-configure-the-client-to-receive-package-and-connection-groups-updates-from-the-publishing-server-51.md)
#### [Migrating to App-V 5.1 from a Previous Version](migrating-to-app-v-51-from-a-previous-version.md)
+##### [Check Registry Keys before installing App-V 5.x Server](check-reg-key-svr.md)
##### [How to Convert a Package Created in a Previous Version of App-V 5.1](how-to-convert-a-package-created-in-a-previous-version-of-app-v51.md)
##### [How to Migrate Extension Points From an App-V 4.6 SP2 Package to a Converted App-V 5.1 Package for All Users on a Specific Computer](how-to-migrate-extension-points-from-an-app-v-46-sp2-package-to-a-converted-app-v-51-package-for-all-users-on-a-specific-computer.md)
##### [How to Migrate Extension Points From an App-V 4.6 SP2 Package to App-V 5.1 for a Specific User](how-to-migrate-extension-points-from-an-app-v-46-sp2-package-to-app-v-51-for-a-specific-user.md)
diff --git a/mdop/appv-v5/about-app-v-50-sp3.md b/mdop/appv-v5/about-app-v-50-sp3.md
index a4418a6430..84f1b27782 100644
--- a/mdop/appv-v5/about-app-v-50-sp3.md
+++ b/mdop/appv-v5/about-app-v-50-sp3.md
@@ -197,7 +197,7 @@ Complete the following steps to upgrade each component of the App-V infrastructu
-
If you are upgrading the App-V Server from App-V SP1 Hotfix Package 3 or later, complete the steps in section [Check registry keys after installing the App-V 5.0 SP3 Server](#bkmk-check-reg-key-svr).
If you are upgrading the App-V Server from App-V 5.0 SP1 Hotfix Package 3 or later, complete the steps in section [Check registry keys after installing the App-V 5.0 SP3 Server](#bkmk-check-reg-key-svr).
Follow the steps in [How to Deploy the App-V 5.0 Server](how-to-deploy-the-app-v-50-server-50sp3.md).
To use the App-V client user interface, download the existing version from [Application Virtualization 5.0 Client UI Application](http://www.microsoft.com/download/details.aspx?id=41186).
+Prior to App-V 5.0 SP2, the Client Management User Interface (UI) was provided with the App-V Client installation. For App-V 5.0 SP2 installations (or later), you can use the Client Management UI by downloading from [Application Virtualization 5.0 Client UI Application](http://www.microsoft.com/download/details.aspx?id=41186).
Upgrading from App-V 4.x
For more information, see:
+You must first upgrade to App-V 5.0. You cannot upgrade directly from App-V 4.x to App-V 5.1. For more information, see:
“Differences between App-V 4.6 and App-V 5.0” in [About App-V 5.0](about-app-v-50.md)
[Planning for Migrating from a Previous Version of App-V](planning-for-migrating-from-a-previous-version-of-app-v.md)
See [How to Deploy the App-V 5.0 Server](how-to-deploy-the-app-v-50-server-50sp3.md)
Follow these steps:
+Do one of the following, depending on the method you are using to upgrade the Management database and/or Reporting database:
+| Database upgrade method | +Step | +
|---|---|
Windows Installer |
+Skip this step and go to step 2, “If you are upgrading the App-V Server...” |
+
SQL scripts |
+Follow the steps in [How to Deploy the App-V Databases by Using SQL Scripts](how-to-deploy-the-app-v-databases-by-using-sql-scripts.md). |
+
If you are upgrading the App-V Server from App-V 5.0 SP1 Hotfix Package 3 or later, complete the steps in section [Check registry keys after installing the App-V 5.0 SP3 Server](#bkmk-check-reg-key-svr).
Follow the steps in [How to Deploy the App-V 5.1 Server](how-to-deploy-the-app-v-51-server.md)
+
Step 2: Upgrade the App-V Sequencer.
| Setting Name | -Setup Flag | -Description | -Setting Options | -Registry Key Value | -Disabled Policy State Keys and Values | -
|---|---|---|---|---|---|
PackageInstallationRoot |
-PACKAGEINSTALLATIONROOT |
-Specifies directory where all new applications and updates will be installed. |
-String |
-Streaming\PackageInstallationRoot |
-Policy value not written (same as Not Configured) |
-
PackageSourceRoot |
-PACKAGESOURCEROOT |
-Overrides source location for downloading package content. |
-String |
-Streaming\PackageSourceRoot |
-Policy value not written (same as Not Configured) |
-
AllowHighCostLaunch |
-Not available. |
-This setting controls whether virtualized applications are launched on Windows 10 machines connected via a metered network connection (For example, 4G). |
-True (enabled); False (Disabled state) |
-Streaming\AllowHighCostLaunch |
-0 |
-
ReestablishmentRetries |
-Not available. |
-Specifies the number of times to retry a dropped session. |
-Integer (0-99) |
-Streaming\ReestablishmentRetries |
-Policy value not written (same as Not Configured) |
-
ReestablishmentInterval |
-Not available. |
-Specifies the number of seconds between attempts to reestablish a dropped session. |
-Integer (0-3600) |
-Streaming\ReestablishmentInterval |
-Policy value not written (same as Not Configured) |
-
AutoLoad |
-AUTOLOAD |
-Specifies how new packages should be loaded automatically by App-V on a specific computer. |
-(0x0) None; (0x1) Previously used; (0x2) All |
-Streaming\AutoLoad |
-Policy value not written (same as Not Configured) |
-
LocationProvider |
-Not available. |
-Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface. |
-String |
-Streaming\LocationProvider |
-Policy value not written (same as Not Configured) |
-
CertFilterForClientSsl |
-Not available. |
-Specifies the path to a valid certificate in the certificate store. |
-String |
-Streaming\CertFilterForClientSsl |
-Policy value not written (same as Not Configured) |
-
VerifyCertificateRevocationList |
-Not available. |
-Verifies Server certificate revocation status before steaming using HTTPS. |
-True(enabled); False(Disabled state) |
-Streaming\VerifyCertificateRevocationList |
-0 |
-
SharedContentStoreMode |
-SHAREDCONTENTSTOREMODE |
-Specifies that streamed package contents will be not be saved to the local hard disk. |
-True(enabled); False(Disabled state) |
-Streaming\SharedContentStoreMode |
-0 |
-
Name -
-Note
-
-This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet. -
-
- |
-PUBLISHINGSERVERNAME |
-Displays the name of publishing server. |
-String |
-Publishing\Servers\{serverId}\FriendlyName |
-Policy value not written (same as Not Configured) |
-
URL -
-Note
-
-This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet. -
-
- |
-PUBLISHINGSERVERURL |
-Displays the URL of publishing server. |
-String |
-Publishing\Servers\{serverId}\URL |
-Policy value not written (same as Not Configured) |
-
GlobalRefreshEnabled -
-Note
-
-This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet. -
-
- |
-GLOBALREFRESHENABLED |
-Enables global publishing refresh (Boolean) |
-True(enabled); False(Disabled state) |
-Publishing\Servers\{serverId}\GlobalEnabled |
-False |
-
GlobalRefreshOnLogon -
-Note
-
-This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet. -
-
- |
-GLOBALREFRESHONLOGON |
-Triggers a global publishing refresh on logon. ( Boolean) |
-True(enabled); False(Disabled state) |
-Publishing\Servers\{serverId}\GlobalLogonRefresh |
-False |
-
GlobalRefreshInterval -
-Note
-
-This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet. -
-
- |
-GLOBALREFRESHINTERVAL |
-Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. |
-Integer (0-744 |
-Publishing\Servers\{serverId}\GlobalPeriodicRefreshInterval |
-0 |
-
GlobalRefreshIntervalUnit -
-Note
-
-This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet. -
-
- |
-GLOBALREFRESHINTERVALUNI |
-Specifies the interval unit (Hour 0-23, Day 0-31). |
-0 for hour, 1 for day |
-Publishing\Servers\{serverId}\GlobalPeriodicRefreshIntervalUnit |
-1 |
-
UserRefreshEnabled -
-Note
-
-This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet. -
-
- |
-USERREFRESHENABLED |
-Enables user publishing refresh (Boolean) |
-True(enabled); False(Disabled state) |
-Publishing\Servers\{serverId}\UserEnabled |
-False |
-
UserRefreshOnLogon -
-Note
-
-This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet. -
-
- |
-USERREFRESHONLOGON |
-Triggers a user publishing refresh onlogon. ( Boolean) -Word count (with spaces): 60 |
-True(enabled); False(Disabled state) |
-Publishing\Servers\{serverId}\UserLogonRefresh |
-False |
-
UserRefreshInterval -
-Note
-
-This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet. -
-
- |
-USERREFRESHINTERVAL |
-Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. -Word count (with spaces): 85 |
-Integer (0-744 Hours) |
-Publishing\Servers\{serverId}\UserPeriodicRefreshInterval |
-0 |
-
UserRefreshIntervalUnit -
-Note
-
-This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet. -
-
- |
-USERREFRESHINTERVALUNIT |
-Specifies the interval unit (Hour 0-23, Day 0-31). |
-0 for hour, 1 for day |
-Publishing\Servers\{serverId}\UserPeriodicRefreshIntervalUnit |
-1 |
-
MigrationMode |
-MIGRATIONMODE |
-Migration mode allows the App-V client to modify shortcuts and FTA’s for packages created using a previous version of App-V. |
-True(enabled state); False (disabled state) |
-Coexistence\MigrationMode |
-- |
CEIPOPTIN |
-CEIPOPTIN |
-Allows the computer running the App-V 5.1 Client to collect and return certain usage information to help allow us to further improve the application. |
-0 for disabled; 1 for enabled |
-SOFTWARE/Microsoft/AppV/CEIP/CEIPEnable |
-0 |
-
EnablePackageScripts |
-ENABLEPACKAGESCRIPTS |
-Enables scripts defined in the package manifest of configuration files that should run. |
-True(enabled); False(Disabled state) |
-\Scripting\EnablePackageScripts |
-- |
RoamingFileExclusions |
-ROAMINGFILEEXCLUSIONS |
-Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /ROAMINGFILEEXCLUSIONS='desktop;my pictures' |
-- | - | - |
RoamingRegistryExclusions |
-ROAMINGREGISTRYEXCLUSIONS |
-Specifies the registry paths that do not roam with a user profile. Example usage: /ROAMINGREGISTRYEXCLUSIONS=software\\classes;software\\clients |
-String |
-Integration\RoamingReglstryExclusions |
-Policy value not written (same as Not Configured) |
-
IntegrationRootUser |
-Not available. |
-Specifies the location to create symbolic links associated with the current version of a per-user published package. all virtual application extensions, for example shortcuts and file type associations, will point to this path. If you do not specify a path, symbolic links will not be used when you publish the package. For example: %localappdata%\Microsoft\AppV\Client\Integration. |
-String |
-Integration\IntegrationRootUser |
-Policy value not written (same as Not Configured) |
-
IntegrationRootGlobal |
-Not available. |
-Specifies the location to create symbolic links associated with the current version of a globally published package. all virtual application extensions, for example shortcuts and file type associations, will point to this path. If you do not specify a path, symbolic links will not be used when you publish the package. For example: %allusersprofile%\Microsoft\AppV\Client\Integration |
-String |
-Integration\IntegrationRootGlobal |
-Policy value not written (same as Not Configured) |
-
VirtualizableExtensions |
-Not available. |
-A comma -delineated list of file name extensions that can be used to determine if a locally installed application can be run in the virtual environment. -When shortcuts, FTAs, and other extension points are created during publishing, App-V will compare the file name extension to the list if the application that is associated with the extension point is locally installed. If the extension is located, the RunVirtual command line parameter will be added, and the application will run virtually. -For more information about the RunVirtual parameter, see [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](running-a-locally-installed-application-inside-a-virtual-environment-with-virtualized-applications51.md). |
-String |
-Integration\VirtualizableExtensions |
-Policy value not written |
-
ReportingEnabled |
-Not available. |
-Enables the client to return information to a reporting server. |
-True (enabled); False (Disabled state) |
-Reporting\EnableReporting |
-False |
-
ReportingServerURL |
-Not available. |
-Specifies the location on the reporting server where client information is saved. |
-String |
-Reporting\ReportingServer |
-Policy value not written (same as Not Configured) |
-
ReportingDataCacheLimit |
-Not available. |
-Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over. Set between 0 and 1024. |
-Integer [0-1024] |
-Reporting\DataCacheLimit |
-Policy value not written (same as Not Configured) |
-
ReportingDataBlockSize |
-Not available. |
-Specifies the maximum size in bytes to transmit to the server for reporting upload requests. This can help avoid permanent transmission failures when the log has reached a significant size. Set between 1024 and unlimited. |
-Integer [1024 - Unlimited] |
-Reporting\DataBlockSize |
-Policy value not written (same as Not Configured) |
-
ReportingStartTime |
-Not available. |
-Specifies the time to initiate the client to send data to the reporting server. You must specify a valid integer between 0-23 corresponding to the hour of the day. By default the ReportingStartTime will start on the current day at 10 P.M.or 22. -
-Note
-
-You should configure this setting to a time when computers running the App-V 5.1 client are least likely to be offline. -
-
- |
-Integer (0 – 23) |
-Reporting\ StartTime |
-Policy value not written (same as Not Configured) |
-
ReportingInterval |
-Not available. |
-Specifies the retry interval that the client will use to resend data to the reporting server. |
-Integer |
-Reporting\RetryInterval |
-Policy value not written (same as Not Configured) |
-
ReportingRandomDelay |
-Not available. |
-Specifies the maximum delay (in minutes) for data to be sent to the reporting server. When the scheduled task is started, the client generates a random delay between 0 and ReportingRandomDelay and will wait the specified duration before sending data. This can help to prevent collisions on the server. |
-Integer [0 - ReportingRandomDelay] |
-Reporting\RandomDelay |
-Policy value not written (same as Not Configured) |
-
EnableDynamicVirtualization -
-Important
-
-This setting is available only with App-V 5.0 SP2 or later. -
-
- |
-Not available. |
-Enables supported Shell Extensions, Browser Helper Objects, and Active X controls to be virtualized and run with virtual applications. |
-1 (Enabled), 0 (Disabled) |
-HKEY_LOCAL_MACHINE\Software\Microsoft\AppV\Client\Virtualization |
-- |
EnablePublishingRefreshUI -
-Important
-
-This setting is available only with App-V 5.0 SP2. -
-
- |
-Not available. |
-Enables the publishing refresh progress bar for the computer running the App-V 5.1 Client. |
-1 (Enabled), 0 (Disabled) |
-HKEY_LOCAL_MACHINE\Software\Microsoft\AppV\Client\Publishing |
-- |
HideUI -
-Important
-
-This setting is available only with App-V 5.0 SP2. -
-
- |
-Not available. |
-Hides the publishing refresh progress bar. |
-1 (Enabled), 0 (Disabled) |
-- | - |
ProcessesUsingVirtualComponents |
-Not available. |
-Specifies a list of process paths (that may contain wildcards), which are candidates for using dynamic virtualization (supported shell extensions, browser helper objects, and ActiveX controls). Only processes whose full path matches one of these items can use dynamic virtualization. |
-String |
-Virtualization\ProcessesUsingVirtualComponents |
-Empty string. |
-
When this step is required |
+You are upgrading from App-V 5.0 SP1 with any subsequent Hotfix Packages that you installed by using an .msp file. |
+
Which components require that you do this step |
+Only the App-V Server components that you are upgrading. |
+
When you need to do this step |
+Before you upgrade the App-V Server to App-V 5.x |
+
What you need to do |
+Using the information in the following tables, update each registry key value under |
+
| Key name | +Description | +
|---|---|
IS_MANAGEMENT_DB_PUBLIC_ACCESS_ACCOUNT_REQUIRED |
+Describes whether a public access account is required to access non-local management databases. Value is set to “1” if it is required. |
+
MANAGEMENT_DB_NAME |
+Name of the Management database. |
+
MANAGEMENT_DB_PUBLIC_ACCESS_ACCOUNT |
+Account used for read (public) access to the Management database. +Used when |
+
MANAGEMENT_DB_PUBLIC_ACCESS_ACCOUNT_SID |
+Secure identifier (SID) of the account used for read (public) access to the Management database. +Used when |
+
MANAGEMENT_DB_SQL_INSTANCE |
+SQL Server instance for the Management database. +If the value is blank, the default database instance is used. |
+
MANAGEMENT_DB_WRITE_ACCESS_ACCOUNT |
+Account used for write (administrator) access to the Management database. |
+
MANAGEMENT_DB_WRITE_ACCESS_ACCOUNT_SID |
+Secure identifier (SID) of the account used for write (administrator) access to the Management database. |
+
MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT |
+Management server remote computer account (domain\account). |
+
MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT |
+Installation administrator login for the Management server (domain\account). |
+
MANAGEMENT_SERVER_MACHINE_USE_LOCAL |
+Valid values are: +
|
+
| Key name | +Description | +
|---|---|
MANAGEMENT_ADMINACCOUNT |
+Active Directory Domain Services (AD DS) group or account that is authorized to manage App-V (domain\account). |
+
MANAGEMENT_DB_SQL_INSTANCE |
+SQL server instance that contains the Management database. +If the value is blank, the default database instance is used. |
+
MANAGEMENT_DB_SQL_SERVER_NAME |
+Name of the remote SQL server with the Management database. +If the value is blank, the local computer is used. |
+
| Key name | +Description | +
|---|---|
IS_REPORTING_DB_PUBLIC_ACCESS_ACCOUNT_REQUIRED |
+Describes whether a public access account is required to access non-local reporting databases. Value is set to “1” if it is required. |
+
REPORTING_DB_NAME |
+Name of the Reporting database. |
+
REPORTING_DB_PUBLIC_ACCESS_ACCOUNT |
+Account used for read (public) access to the Reporting database. +Used when |
+
REPORTING_DB_PUBLIC_ACCESS_ACCOUNT_SID |
+Secure identifier (SID) of the account used for read (public) access to the Reporting database. +Used when |
+
REPORTING_DB_SQL_INSTANCE |
+SQL Server instance for the Reporting database. +If the value is blank, the default database instance is used. |
+
REPORTING_DB_WRITE_ACCESS_ACCOUNT |
++ |
REPORTING_DB_WRITE_ACCESS_ACCOUNT_SID |
++ |
REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT |
+Reporting server remote computer account (domain\account). |
+
REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT |
+Installation administrator login for the Reporting server (domain\account). |
+
REPORTING_SERVER_MACHINE_USE_LOCAL |
+Valid values are: +
|
+
| Key name | +Description | +
|---|---|
REPORTING_DB_SQL_INSTANCE |
+SQL Server instance for the Reporting database. +If the value is blank, the default database instance is used. |
+
REPORTING_DB_SQL_SERVER_NAME |
+Name of the remote SQL server with the Reporting database. +If the value is blank, the local computer is used. |
+
| Component | +Description | +
|---|---|
Management server |
+ Provides overall management functionality for the App-V infrastructure. |
+
Management database |
+ Facilitates database predeployments for App-V management. |
+
Publishing server |
+ Provides hosting and streaming functionality for virtual applications. |
+
Reporting server |
+ Provides App-V 5.1 reporting services. |
+
Reporting database |
+ Facilitates database predeployments for App-V reporting. |
+
| Method | +What you need to do | +
|---|---|
You are using a custom Microsoft SQL Server instance. |
+ Select Use the custom instance, and type the name of the instance. +Use the format INSTANCENAME. The assumed installation location is the local computer. +Not supported: A server name using the format ServerName\INSTANCE. |
+
You are using a custom database name. |
+ Select Custom configuration and type the database name. +The database name must be unique, or the installation will fail. |
+
| Method | +What you need to do | +
|---|---|
You are using a custom Microsoft SQL Server instance. |
+ Select Use the custom instance, and type the name of the instance. +Use the format INSTANCENAME. The assumed installation location is the local computer. +Not supported: A server name using the format ServerName\INSTANCE. |
+
You are using a custom database name. |
+ Select Custom configuration and type the database name. +The database name must be unique, or the installation will fail. |
+
| Item to configure | +Description and examples | +
|---|---|
Type the AD group with sufficient permissions to manage the App-V environment. |
+ Example: MyDomain\MyUser +After installation, you can add additional users or groups by using the Management console. However, global security groups and Active Directory Domain Services (AD DS) distribution groups are not supported. You must use Domain local or Universal groups are required to perform this action. |
+
Website name: Specify the custom name that will be used to run the publishing service. |
+ If you do not have a custom name, do not make any changes. |
+
Port binding: Specify a unique port number that will be used by App-V. |
+ Example: 12345 +Ensure that the port specified is not being used by another website. |
+
| Item to configure | +Description and examples | +
|---|---|
Specify the URL for the management service. |
+ Example: http://localhost:12345 |
+
Website name: Specify the custom name that will be used to run the publishing service. |
+ If you do not have a custom name, do not make any changes. |
+
Port binding: Specify a unique port number that will be used by App-V. |
+ Example: 54321 +Ensure that the port specified is not being used by another website. |
+
| Item to configure | +Description and examples | +
|---|---|
Website name: Specify the custom name that will be used to run the Reporting Service. |
+ If you do not have a custom name, do not make any changes. |
+
Port binding: Specify a unique port number that will be used by App-V. |
+ Example: 55555 +Ensure that the port specified is not being used by another website. |
+
[Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md)
With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures to their personal email account, copies and pastes product info to a public Yammer group or tweet, or saves an in-progress sales report to their public cloud storage.
With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
[Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)
| Threat | Windows 10 mitigation | |
|---|---|---|
"Man in the middle" attacks, when an attacker reroutes communications between two users through the attacker's computer without the knowledge of the two communicating users |
+Client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require SMB signing and mutual authentication (such as Kerberos). |
+|
Firmware bootkits replace the firmware with malware. |
All certified PCs include a UEFI with Secure Boot, which requires signed firmware for updates to UEFI and Option ROMs. |
@@ -395,6 +394,22 @@ Table 3. Threats and Windows 10 mitigations
The sections that follow describe these improvements in more detail.
+**SMB hardening improvements for SYSVOL and NETLOGON connections**
+
+In Windows 10 and Windows Server 2016 Technical Preview, client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require Server Message Block (SMB) signing and mutual authentication (such as Kerberos).
+
+- **What value does this change add?**
+This change reduces the likelihood of man-in-the-middle attacks.
+
+- **What works differently?**
+If SMB signing and mutual authentication are unavailable, a Windows 10 or Windows Server 2016 computer won’t process domain-based Group Policy and scripts.
+
+
+> **Note:** The registry values for these settings aren’t present by default, but the hardening rules still apply until overridden by Group Policy or other registry values.
+
+For more information on these security improvements, (also referred to as UNC hardening), see [Microsoft Knowledge Base article 3000483](http://go.microsoft.com/fwlink/p/?LinkId=789216) and [MS15-011 & MS15-014: Hardening Group Policy](http://go.microsoft.com/fwlink/p/?LinkId=789215).
+
+
**Secure hardware**
Although Windows 10 is designed to run on almost any hardware capable of running Windows 8, Windows 7, or Windows Vista, taking full advantage of Windows 10 security requires advancements in hardware-based security, including UEFI with Secure Boot, CPU virtualization features (for example, Intel VT-x), CPU memory-protection features (for example, Intel VT-d), TPM, and biometric sensors.
diff --git a/windows/manage/windows-10-start-layout-options-and-policies.md b/windows/manage/windows-10-start-layout-options-and-policies.md
index 142e4e88a6..5a0c3eadfe 100644
--- a/windows/manage/windows-10-start-layout-options-and-policies.md
+++ b/windows/manage/windows-10-start-layout-options-and-policies.md
@@ -57,7 +57,7 @@ The following table lists the different parts of Start and any applicable policy
MDM: Allow Windows Consumer Features -Group Policy: Computer Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off Microsoft consumer experiences +Group Policy: Computer Configuration\\Administrative Templates\\Windows Components\\Cloud Content\\Turn off Microsoft consumer experiences
Note
This policy also enables or disables notifications for a user's Microsoft account and app tiles from Microsoft dynamically inserted in the default Start menu. |