From f7188724367f4df12d670fb034523bfa456139e5 Mon Sep 17 00:00:00 2001 From: modcaster Date: Wed, 3 Jan 2018 11:34:03 -0500 Subject: [PATCH 01/19] Updates 20180103 --- devices/surface/change-history-for-surface.md | 8 +++ .../surface/microsoft-surface-data-eraser.md | 57 +++++++++---------- ...ice-compatibility-with-windows-10-ltsc.md} | 35 ++++++------ .../wake-on-lan-for-surface-devices.md | 15 +++-- 4 files changed, 64 insertions(+), 51 deletions(-) rename devices/surface/{surface-device-compatibility-with-windows-10-ltsb.md => surface-device-compatibility-with-windows-10-ltsc.md} (58%) diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md index 361d2c1eaa..9aa9194b2a 100644 --- a/devices/surface/change-history-for-surface.md +++ b/devices/surface/change-history-for-surface.md @@ -12,6 +12,14 @@ ms.date: 11/03/2017 This topic lists new and updated topics in the Surface documentation library. +## January 2018 + +|New or changed topic | Description | +| --- | --- | +|[Microsoft Surface Data Eraser](microsoft-surface-data-eraser.md) | Added version 3.2.45 information | +|[Surface device compatibility with Windows 10 Long-Term Servicing Channel (LTSC)](surface-device-compatibility-with-windows-10-ltsc.md) | Updated Current Branch (CB) or Current Branch for Business (CBB) servicing options with Semi-Annual Channel (SAC) information | +|[Wake On LAN for Surface devices](wake-on-lan-for-surface-devices.md) | Added Surface Book 2, Surface Laptop, Surface Pro, Surface Pro with LTE Advanced, and Surface Pro information | + ## December 2017 |New or changed topic | Description | diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md index 309dd1a401..fd67224039 100644 --- a/devices/surface/microsoft-surface-data-eraser.md +++ b/devices/surface/microsoft-surface-data-eraser.md @@ -8,8 +8,9 @@ ms.prod: w10 ms.mktglfcycl: manage ms.pagetype: surface, devices, security ms.sitesec: library -author: miladCA -ms.date: 10/03/2017 +author: brecords +ms.author: jdecker +ms.date: 01/03/2018 --- # Microsoft Surface Data Eraser @@ -24,26 +25,17 @@ Find out how the Microsoft Surface Data Eraser tool can help you securely wipe d Compatible Surface devices include: -- Surface Studio - -- Surface Pro - -- Surface Laptop - -- Surface Book - -- Surface Pro 4 - -- Surface Pro 3 - -- Surface 3 - -- Surface 3 LTE - -- Surface Pro 2 - ->[!NOTE] ->Surface Pro devices with 1 TB storage are not currently supported by Microsoft Surface Data Eraser. +* Surface Book 2 +* Surface Pro with LTE Advanced (Model 1807) +* Surface Pro (Model 1796) +* Surface Laptop +* Surface Studio +* Surface Book +* Surface Pro 4 +* Surface 3 LTE +* Surface 3 +* Surface Pro 3 +* Surface Pro 2 Some scenarios where Microsoft Surface Data Eraser can be helpful include: @@ -151,6 +143,20 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo Microsoft Surface Data Eraser is periodically updated by Microsoft. For information about the changes provided in each new version, see the following: +### Version 3.2.45 + +This version of Microsoft Surface Data Eraser adds support for the following: + +- Surface Book 2 + +- Surface Pro with LTE Advanced + +- Surface Pro 1TB + +>[!NOTE] +>Surface Data Eraser v3.2.45 and above can be used to restore Surface Pro or Surface Laptop devices with the 1TB storage option in the scenario that the device shows two separate 512GB volumes or encounters errors when attempting to deploy or install Windows 10. See [Surface Pro Model 1796 and Surface Laptop 1TB display two drives](https://support.microsoft.com/en-us/help/4046105/surface-pro-model-1796-and-surface-laptop-1tb-display-two-drives) for more information. + + ### Version 3.2.36 This version of Microsoft Surface Data Eraser adds support for the following: @@ -161,10 +167,3 @@ This version of Microsoft Surface Data Eraser adds support for the following: >[!NOTE] >The Microsoft Surface Data Eraser USB drive creation tool is unable to run on Windows 10 S. To wipe a Surface Laptop running Windows 10 S, you must first create the Microsoft Surface Data Eraser USB drive on another computer with Windows 10 Pro or Windows 10 Enterprise. - -  - - - - - diff --git a/devices/surface/surface-device-compatibility-with-windows-10-ltsb.md b/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md similarity index 58% rename from devices/surface/surface-device-compatibility-with-windows-10-ltsb.md rename to devices/surface/surface-device-compatibility-with-windows-10-ltsc.md index 0eceabaef8..0d4409c657 100644 --- a/devices/surface/surface-device-compatibility-with-windows-10-ltsb.md +++ b/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md @@ -1,20 +1,21 @@ --- -title: Surface device compatibility with Windows 10 Long-Term Servicing Branch (Surface) +title: Surface device compatibility with Windows 10 Long-Term Servicing Channel (Surface) description: Find out about compatibility and limitations of Surface devices running Windows 10 Enterprise LTSB edition. keywords: ltsb, update, surface servicing options ms.prod: w10 ms.mktglfcycl: manage ms.pagetype: surface, devices ms.sitesec: library -author: DavbeaMSFT -ms.date: 10/16/2017 +author: brecords +ms.author: jdecker +ms.date: 01/03/2018 --- -# Surface device compatibility with Windows 10 Long-Term Servicing Branch (LTSB) +# Surface device compatibility with Windows 10 Long-Term Servicing Channel (LTSC) -Surface devices are designed to provide best-in-class experiences in productivity and general-purpose scenarios. Regular updates enable Surface devices to bring to life new innovations and to evolve with the new capabilities delivered by Windows 10 Feature Updates. Feature Updates are available only in Windows 10 Pro or Windows 10 Enterprise editions that receive continuous updates through the Current Branch (CB) or Current Branch for Business (CBB) servicing options. +Surface devices are designed to provide best-in-class experiences in productivity and general-purpose scenarios. Regular updates enable Surface devices to bring to life new innovations and to evolve with the new capabilities delivered by Windows 10 Feature Updates. Feature Updates are available only in Windows 10 Pro or Windows 10 Enterprise editions that receive continuous updates through the Semi-Annual Channel (SAC). -In contrast to the CB and CBB servicing options, you cannot select the Long-Term Servicing Branch (LTSB) option in Windows 10 settings. To use the LTSB servicing option, you must install a separate edition of Windows 10 Enterprise, known as *Windows 10 Enterprise LTSB*. In addition to providing an extended servicing model, the Windows 10 Enterprise LTSB edition also provides an environment with several Windows components removed. The core Surface experiences that are impacted by LTSB include: +In contrast to the SAC servicing option, formerly known as the Current Branch (CB) or Current Branch for Business (CBB) servicing options, you cannot select the Long-Term Servicing Channel (LTSC) option in Windows 10 settings. To use the LTSC servicing option, you must install a separate edition of Windows 10 Enterprise, known as Windows 10 Enterprise LTSC, formerly known as Windows 10 Enterprise LTSB (Long-Term Servicing Branch. In addition to providing an extended servicing model, the Windows 10 Enterprise LTSC edition also provides an environment with several Windows components removed. The core Surface experiences that are impacted by LTSC include: * Windows Feature Updates, including enhancements such as: @@ -27,15 +28,15 @@ In contrast to the CB and CBB servicing options, you cannot select the Long-Term * Key touch-optimized in-box applications including Microsoft Edge, OneNote, Calendar, and Camera -The use of the Windows 10 Enterprise LTSB environment on Surface devices results in sub-optimal end-user experiences and you should avoid using it in environments where users want and expect a premium, up-to-date user experience. +The use of the Windows 10 Enterprise LTSC environment on Surface devices results in sub-optimal end-user experiences and you should avoid using it in environments where users want and expect a premium, up-to-date user experience. -The LTSB servicing option is designed for device types and scenarios where the key attribute is for features or functionality to never change. Examples include systems that power manufacturing or medical equipment, or embedded systems in kiosks, such as ATMs or airport ticketing systems. +The LTSC servicing option is designed for device types and scenarios where the key attribute is for features or functionality to never change. Examples include systems that power manufacturing or medical equipment, or embedded systems in kiosks, such as ATMs or airport ticketing systems. >[!NOTE] ->For general information about Windows servicing branches, including LTSB, see [Overview of Windows as a service](https://technet.microsoft.com/itpro/windows/update/waas-overview#long-term-servicing-branch). +>For general information about Windows servicing branches, including LTSC, see [Overview of Windows as a service](https://technet.microsoft.com/itpro/windows/update/waas-overview#long-term-servicing-branch). >[!NOTE] ->As a general guideline, devices that fulfill the following criteria are considered general-purpose devices and should be paired with Windows 10 Pro or Windows 10 Enterprise using the CB or CBB servicing option: +>As a general guideline, devices that fulfill the following criteria are considered general-purpose devices and should be paired with Windows 10 Pro or Windows 10 Enterprise using the Semi-Annual Channel servicing option: * Devices that run productivity software such as Microsoft Office @@ -43,17 +44,17 @@ The LTSB servicing option is designed for device types and scenarios where the k * Devices that are used for general Internet browsing (for example, research or access to social media) -Before you choose to use Windows 10 Enterprise LTSB edition on Surface devices, consider the following limitations: +Before you choose to use Windows 10 Enterprise LTSC edition on Surface devices, consider the following limitations: -* Driver and firmware updates are not explicitly tested against releases of Windows 10 Enterprise LTSB. +* Driver and firmware updates are not explicitly tested against releases of Windows 10 Enterprise LTSC. -* If you encounter problems, Microsoft Support will provide troubleshooting assistance. However, due to the servicing nature of the Windows LTSB, issue resolution may require that devices be upgraded to a more recent version of Windows 10 Enterprise LTSB, or to Windows 10 Pro or Enterprise with the CB or CBB servicing option. +* If you encounter problems, Microsoft Support will provide troubleshooting assistance. However, due to the servicing nature of the Windows LTSC, issue resolution may require that devices be upgraded to a more recent version of Windows 10 Enterprise LTSC, or to Windows 10 Pro or Enterprise with the SAC servicing option. -* Surface device replacements (for example, devices replaced under warranty) may contain subtle variations in hardware components that require updated device drivers and firmware. Compatibility with these updates may require the installation of a more recent version of Windows 10 Enterprise LTSB or Windows 10 Pro or Enterprise with the CB or CBB servicing option. +* Surface device replacements (for example, devices replaced under warranty) may contain subtle variations in hardware components that require updated device drivers and firmware. Compatibility with these updates may require the installation of a more recent version of Windows 10 Enterprise LTSC or Windows 10 Pro or Enterprise with the SAC servicing option. >[!NOTE] ->Organizations that standardize on a specific version of Windows 10 Enterprise LTSB may be unable to adopt new generations of Surface hardware without also updating to a later version of Windows 10 Enterprise LTSB or Windows 10 Pro or Enterprise. For more information, see the **How will Windows 10 LTSBs be supported?** topic in the **Supporting the latest processor and chipsets on Windows** section of [Lifecycle Policy FAQ—Windows products](https://support.microsoft.com/help/18581/lifecycle-policy-faq-windows-products#b4). +>Organizations that standardize on a specific version of Windows 10 Enterprise LTSC may be unable to adopt new generations of Surface hardware without also updating to a later version of Windows 10 Enterprise LTSC or Windows 10 Pro or Enterprise. For more information, see the **How will Windows 10 LTSBs be supported?** topic in the **Supporting the latest processor and chipsets on Windows** section of [Lifecycle Policy FAQ—Windows products](https://support.microsoft.com/help/18581/lifecycle-policy-faq-windows-products#b4). -Surface devices running Windows 10 Enterprise LTSB edition will not receive new features. In many cases these features are requested by customers to improve the usability and capabilities of Surface hardware. For example, new improvements for High DPI applications in Windows 10, version 1703. Customers that use Surface devices in the LTSB configuration will not see the improvements until they either update to a new Windows 10 Enterprise LTSB release or upgrade to a version of Windows 10 with support for the CB and CBB servicing options. +Surface devices running Windows 10 Enterprise LTSC edition will not receive new features. In many cases these features are requested by customers to improve the usability and capabilities of Surface hardware. For example, new improvements for High DPI applications in Windows 10, version 1703. Customers that use Surface devices in the LTSC configuration will not see the improvements until they either update to a new Windows 10 Enterprise LTSC release or upgrade to a version of Windows 10 with support for the SAC servicing option. -Devices can be changed from Windows 10 Enterprise LTSB to a more recent version of Windows 10 Enterprise, with support for the CB and CBB servicing options, without the loss of user data by performing an upgrade installation. You can also perform an upgrade installation on multiple devices by leveraging the Upgrade Task Sequence Templates available in the Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager. For more information, see [Upgrade Surface devices to Windows 10 with Microsoft Deployment Toolkit](https://technet.microsoft.com/itpro/surface/upgrade-surface-devices-to-windows-10-with-mdt). +Devices can be changed from Windows 10 Enterprise LTSC to a more recent version of Windows 10 Enterprise, with support for the SAC servicing option, without the loss of user data by performing an upgrade installation. You can also perform an upgrade installation on multiple devices by leveraging the Upgrade Task Sequence Templates available in the Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager. For more information, see [Upgrade Surface devices to Windows 10 with Microsoft Deployment Toolkit](https://technet.microsoft.com/itpro/surface/upgrade-surface-devices-to-windows-10-with-mdt). diff --git a/devices/surface/wake-on-lan-for-surface-devices.md b/devices/surface/wake-on-lan-for-surface-devices.md index e6cca68ac7..b9d7b5d2e3 100644 --- a/devices/surface/wake-on-lan-for-surface-devices.md +++ b/devices/surface/wake-on-lan-for-surface-devices.md @@ -6,25 +6,30 @@ ms.prod: w10 ms.mktglfcycl: manage ms.pagetype: surface, devices ms.sitesec: library -author: jobotto -ms.date: 10/16/2017 +author: brecords +ms.author: jdecker +ms.date: 01/03/2018 --- # Wake On LAN for Surface devices -Surface devices that run Windows 10, version 1607 (also known as Windows 10 Anniversary Update) or later and use a Surface Ethernet adapter to connect to a wired network, are capable of Wake On LAN (WOL) from Connected Standby. With WOL, you can remotely wake up devices to perform management or maintenance tasks or enable management solutions (such as System Center Configuration Manager) automatically – even if the devices are powered down. For example, you can deploy applications to Surface devices left docked with a Surface Dock or Surface Pro 3 Docking Station by using System Center Configuration Manager during a window in the middle of the night, when the office is empty. +Surface devices that run Windows 10, version 1607 (also known as Windows 10 Anniversary Update) or later and use a Surface Ethernet adapter to connect to a wired network, are capable of Wake On LAN (WOL) from Connected Standby. With WOL, you can remotely wake up devices to perform management or maintenance tasks or enable management solutions (such as System Center Configuration Manager) automatically. For example, you can deploy applications to Surface devices left docked with a Surface Dock or Surface Pro 3 Docking Station by using System Center Configuration Manager during a window in the middle of the night, when the office is empty. >[!NOTE] ->Surface devices must be connected to AC power to support WOL. +>Surface devices must be connected to AC power and in Connected Standby (Sleep) to support WOL. WOL is not possible from devices that are in hibernation or powered off. ## Supported devices The following devices are supported for WOL: +* Surface Book 2 +* Surface Pro with LTE Advanced (Model 1807) +* Surface Pro (Model 1796) +* Surface Laptop * Surface Book * Surface Pro 4 -* Surface Pro 3 * Surface 3 +* Surface Pro 3 * Surface Ethernet adapter * Surface Dock * Surface Docking Station for Surface Pro 3 From 49284b04a7a55c80c77586c9908461ef805f3ae3 Mon Sep 17 00:00:00 2001 From: Benjamin Howorth Date: Fri, 5 Jan 2018 09:46:59 +0000 Subject: [PATCH 02/19] Updated index.md --- education/trial-in-a-box/index.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/education/trial-in-a-box/index.md b/education/trial-in-a-box/index.md index 8c336aa231..1325664e46 100644 --- a/education/trial-in-a-box/index.md +++ b/education/trial-in-a-box/index.md @@ -42,7 +42,7 @@ Trial in a Box puts the Microsoft education technology into an easy package so y **If you want to try the Educator Experience** 1. Turn on **Device A**. -2. Connect **Device A** to your school's Wi-Fi network. +2. Connect **Device A** to your school's Wi-Fi network or connect with a local Ethernet connection. 3. Log in using the **Teacher Username** and **Teacher Password** included in the **Credentials Sheet** located in your kit. 4. Click the Educator image or follow the instructions in [Get started for Educators](educator-tib-get-started.md). @@ -50,10 +50,12 @@ Trial in a Box puts the Microsoft education technology into an easy package so y **If you want to try the IT Administrator Experience** -1. Turn on **Device A**. -2. Connect **Device A** to your school's Wi-Fi network. -3. Log in using the **Administrator Username** and **Administrator Password** included in the **Credentials Sheet** located in your kit. -4. Click the IT Administrator image or follow the instructions in [Get started for IT Admins](itadmin-tib-get-started.md). +1. Set up **Device A** first.  Setup **Device B** after you have completed setup of **Device A**. +2. Turn on **Device A**. +3. Connect **Device A** to your school's Wi-Fi network or connect with a local Ethernet connection. +4. Log in using the **Administrator Username** and **Administrator Password** included in the **Credentials Sheet** located in your kit. +5. Please immediately register both devices with your hardware manufacturer to activate the manufacturer's warranty. +6. Click the IT Administrator image or follow the instructions in [Get started for IT Admins](itadmin-tib-get-started.md). [![Get started for IT Admins](images/itadmin_rotated.png)](itadmin-tib-get-started.md) From 8e33cab61a0ef54a5e2da244d0bd99704fe39d36 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Mon, 8 Jan 2018 22:31:16 +0000 Subject: [PATCH 03/19] Merged PR 5203: Added new Search policies to Policy CSP --- .../policy-configuration-service-provider.md | 7 + .../mdm/policy-csp-search.md | 124 +++++++++++++++++- 2 files changed, 130 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 5b84c2bf80..49edda7d65 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -2482,6 +2482,9 @@ The following diagram shows the Policy configuration service provider in tree fo
Search/AllowCloudSearch
+
+ Search/AllowCortanaInAAD +
Search/AllowIndexingEncryptedStoresOrItems
@@ -2506,6 +2509,10 @@ The following diagram shows the Policy configuration service provider in tree fo
Search/DisableRemovableDriveIndexing
+
+ Search/DoNotUseWebResults +
+
Search/PreventIndexingLowDiskSpaceMB
diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index e9f8199032..204a76ade1 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md @@ -6,11 +6,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 12/14/2017 +ms.date: 01/08/2018 --- # Policy CSP - Search +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
@@ -22,6 +24,9 @@ ms.date: 12/14/2017
Search/AllowCloudSearch
+
+ Search/AllowCortanaInAAD +
Search/AllowIndexingEncryptedStoresOrItems
@@ -46,6 +51,9 @@ ms.date: 12/14/2017
Search/DisableRemovableDriveIndexing
+
+ Search/DoNotUseWebResults +
Search/PreventIndexingLowDiskSpaceMB
@@ -105,6 +113,61 @@ ms.date: 12/14/2017
+**Search/AllowCortanaInAAD** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark4check mark4check mark4check mark4cross markcross mark
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, next major update. This specifies whether the Cortana consent page can appear in the Azure Active Directory (AAD) device out-of-box-experience (OOBE) flow. If this policy is left in its default state, Cortana will not be shown in the AAD OOBE flow. If you opt-in to this policy, then the Cortana consent page will appear in the AAD OOBE flow.. + + + +The following list shows the supported values: + +- 0 (default) - Not allowed. The Cortana consent page will not appear in AAD OOBE during setup. +- 1 - Allowed. The Cortana consent page will appear in Azure AAD OOBE during setup. + + + + + + + + + + +
+ **Search/AllowIndexingEncryptedStoresOrItems** @@ -460,6 +523,65 @@ The following list shows the supported values:
+**Search/DoNotUseWebResults** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark4check mark4check mark4check mark4cross markcross mark
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, next major update. Don't search the web or display web results in Search. + +This policy setting allows you to control whether or not Search can perform queries on the web, and if the web results are displayed in Search. +If you enable this policy setting, queries won't be performed on the web and web results won't be displayed when a user performs a query in Search. + +If you disable this policy setting, queries will be performed on the web and web results will be displayed when a user performs a query in Search. + + + +The following list shows the supported values: + +- 0 - Not allowed. Queries won't be performed on the web and web results won't be displayed when a user performs a query in Search. +- 1 (default) - Allowed. Queries will be performed on the web and web results will be displayed when a user performs a query in Search. + + + + + + + + + +
+ **Search/PreventIndexingLowDiskSpaceMB** From 63d725cae3fe4197a9f9957a4cf233c6d302c9f0 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Tue, 9 Jan 2018 16:10:45 +0000 Subject: [PATCH 04/19] Merged PR 5208: add redirect for renamed file in Surface add redirect for renamed file in Surface --- .openpublishing.redirection.json | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index a6fe5c98cf..64e5ee645b 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -6,6 +6,11 @@ "redirect_document_id": true }, { +"source_path": "windows/devices/surface/surface-device-compatibility-with-windows-10-ltsb.md", +"redirect_url": "/windows/devices/surface/surface-device-compatibility-with-windows-10-ltsc", +"redirect_document_id": true +}, +{ "source_path": "windows/configuration/basic-level-windows-diagnostic-events-and-fields-1709.md", "redirect_url": "/windows/configuration/basic-level-windows-diagnostic-events-and-fields", "redirect_document_id": true From 90e4d7cdb30f516c4192b0fe03e6b92ebd7c8364 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Tue, 9 Jan 2018 17:37:39 +0000 Subject: [PATCH 05/19] Merged PR 5210: fix redirect and links for Surface try again --- devices/surface/TOC.md | 2 +- devices/surface/change-history-for-surface.md | 2 +- devices/surface/deploy.md | 2 +- devices/surface/ltsb-for-surface.md | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md index 27d7b79e79..5dd7130ea6 100644 --- a/devices/surface/TOC.md +++ b/devices/surface/TOC.md @@ -1,6 +1,6 @@ # [Surface](index.md) ## [Deploy Surface devices](deploy.md) -### [Surface device compatibility with Windows 10 Long-Term Servicing Branch](surface-device-compatibility-with-windows-10-ltsb.md) +### [Surface device compatibility with Windows 10 Long-Term Servicing Branch](surface-device-compatibility-with-windows-10-ltsc.md) #### [Long-Term Servicing Branch for Surface devices](ltsb-for-surface.md) ### [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) ### [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md) diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md index 9aa9194b2a..a18646b616 100644 --- a/devices/surface/change-history-for-surface.md +++ b/devices/surface/change-history-for-surface.md @@ -57,7 +57,7 @@ New or changed topic | Description |New or changed topic | Description | | --- | --- | -|[Surface device compatibility with Windows 10 Long-Term Servicing Branch](surface-device-compatibility-with-windows-10-ltsb.md) | New (supersedes [Long-Term Servicing Branch for Surface devices](ltsb-for-surface.md))| +|[Surface device compatibility with Windows 10 Long-Term Servicing Branch](surface-device-compatibility-with-windows-10-ltsc.md) | New (supersedes [Long-Term Servicing Branch for Surface devices](ltsb-for-surface.md))| ## January 2017 diff --git a/devices/surface/deploy.md b/devices/surface/deploy.md index a05b2ce399..d76f67bec8 100644 --- a/devices/surface/deploy.md +++ b/devices/surface/deploy.md @@ -17,7 +17,7 @@ Get deployment guidance for your Surface devices including information about MDT | Topic | Description | | --- | --- | -| [Surface device compatibility with Windows 10 Long-Term Servicing Branch](surface-device-compatibility-with-windows-10-ltsb.md) | Find out about compatibility and limitations of Surface devices running Windows 10 Enterprise LTSB edition. | +| [Surface device compatibility with Windows 10 Long-Term Servicing Channel](surface-device-compatibility-with-windows-10-ltsc.md) | Find out about compatibility and limitations of Surface devices running Windows 10 Enterprise LTSB edition. | | [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) | Walk through the recommended process of how to deploy Windows 10 to your Surface devices with the Microsoft Deployment Toolkit.| | [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md)| Find out how to perform a Windows 10 upgrade deployment to your Surface devices. | | [Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md)| Walk through the process of customizing the Surface out-of-box experience for end users in your organization.| diff --git a/devices/surface/ltsb-for-surface.md b/devices/surface/ltsb-for-surface.md index fdb52daf8f..a4c9d85f83 100644 --- a/devices/surface/ltsb-for-surface.md +++ b/devices/surface/ltsb-for-surface.md @@ -12,7 +12,7 @@ ms.date: 04/25/2017 # Long-Term Servicing Branch (LTSB) for Surface devices >[!WARNING] ->For updated information on this topic, see [Surface device compatibility with Windows 10 Long-Term Servicing Branch](surface-device-compatibility-with-windows-10-ltsb.md). For additional information on this update, see the [Documentation Updates for Surface and Windows 10 LTSB Compatibility](https://blogs.technet.microsoft.com/surface/2017/04/11/documentation-updates-for-surface-and-windows-10-ltsb-compatibility) post on the Surface Blog for IT Pros. +>For updated information on this topic, see [Surface device compatibility with Windows 10 Long-Term Servicing Channel](surface-device-compatibility-with-windows-10-ltsc.md). For additional information on this update, see the [Documentation Updates for Surface and Windows 10 LTSB Compatibility](https://blogs.technet.microsoft.com/surface/2017/04/11/documentation-updates-for-surface-and-windows-10-ltsb-compatibility) post on the Surface Blog for IT Pros. General-purpose Surface devices running Long-Term Servicing Branch (LTSB) are not supported. As a general guideline, if a Surface device runs productivity software, such as Microsoft Office, it is a general-purpose device that does not qualify for LTSB and should instead run Current Branch (CB) or Current Branch for Business (CBB). From afc714eb0ff86698a49fc49ad212fb21c6c9194e Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Tue, 9 Jan 2018 21:05:58 +0000 Subject: [PATCH 06/19] Merged PR 5220: Updated MDM documentation change history table --- ...ew-in-windows-mdm-enrollment-management.md | 1440 ++--------------- .../policy-configuration-service-provider.md | 3 - .../mdm/policy-csp-deliveryoptimization.md | 52 - 3 files changed, 118 insertions(+), 1377 deletions(-) diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 127887c17e..76543bd50f 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -10,7 +10,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 12/05/2017 +ms.date: 01/08/2018 --- # What's new in MDM enrollment and management @@ -26,6 +26,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s - [What's new in Windows 10, version 1607](#whatsnew1607) - [What's new in Windows 10, version 1703](#whatsnew10) - [What's new in Windows 10, version 1709](#whatsnew1709) +- [Change history in MDM documentation](#change-history-in-mdm-documentation) - [Breaking changes and known issues](#breaking-changes-and-known-issues) - [Get command inside an atomic command is not supported](#getcommand) - [Notification channel URI not preserved during upgrade from Windows 8.1 to Windows 10](#notification) @@ -44,7 +45,6 @@ For details about Microsoft mobile device management protocols for Windows 10 s - [User provisioning failure in Azure Active Directory joined Windows 10 PC](#userprovisioning) - [Requirements to note for VPN certificates also used for Kerberos Authentication](#kerberos) - [Device management agent for the push-button reset is not working](#pushbuttonreset) -- [Change history in MDM documentation](#change-history-in-mdm-documentation) - [FAQ](#faq) ## What's new in Windows 10, version 1511 @@ -1382,6 +1382,122 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware ## Change history in MDM documentation +### January 2018 + + ++++ + + + + + + + + + + +
New or updated topicDescription
[Policy CSP](policy-configuration-service-provider.md)

Added the following new policies for Windows 10, next major update:

+
    +
  • AccountPoliciesAccountLockoutPolicy/AccountLockoutDuration
    • +
  • AccountPoliciesAccountLockoutPolicy/AccountLockoutThreshold
    • +
  • Browser/EnableExtendedBooksTelemetry
    • +
  • Browser/UseSharedFolderForBooks
    • +
  • AccountPoliciesAccountLockoutPolicy/ResetAccountLockoutCounterAfter
    • +
  • DeliveryOptimization/DODelayBackgroundDownloadFromHttp
    • +
  • DeliveryOptimization/DODelayForegroundDownloadFromHttp
    • +
  • DeliveryOptimization/DOGroupIdSource
    • +
  • DeliveryOptimization/DOPercentageMaxBackDownloadBandwidth
    • +
  • DeliveryOptimization/DOPercentageMaxForeDownloadBandwidth
    • +
  • DeliveryOptimization/DORestrictPeerSelectionBy
    • +
  • DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth
    • +
  • DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth
    • +
  • KioskBrowser/BlockedUrlExceptions
    • +
  • KioskBrowser/BlockedUrls
    • +
  • KioskBrowser/DefaultURL
    • +
  • KioskBrowser/EnableHomeButton
    • +
  • KioskBrowser/EnableNavigationButtons
    • +
  • KioskBrowser/RestartOnIdleTime
    • +
  • LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon
    • +
  • LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia
    • +
  • LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters
    • +
  • LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly
    • +
  • LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways
    • +
  • LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible
    • +
  • LocalPoliciesSecurityOptions/DomainMember_DigitallySignSecureChannelDataWhenPossible
    • +
  • LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges
    • +
  • LocalPoliciesSecurityOptions/DomainMember_MaximumMachineAccountPasswordAge
    • +
  • LocalPoliciesSecurityOptions/DomainMember_RequireStrongSessionKey
    • +
  • LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior
    • +
  • LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways
    • +
  • LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees
    • +
  • LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers
    • +
  • LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession
    • +
  • LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways
    • +
  • LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees
    • +
  • LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts
    • +
  • LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares
    • +
  • LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers
    • +
  • LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares
    • +
  • LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
    • +
  • LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM
    • +
  • LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange
    • +
  • LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel
    • +
  • LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients
    • +
  • LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
    • +
  • LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile
    • +
  • LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems
    • +
  • LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation
    • +
  • LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode
    • +
  • Search/AllowCortanaInAAD
    • +
  • Search/DoNotUseWebResults
    • +
  • SystemServices/ConfigureHomeGroupListenerServiceStartupMode
    • +
  • SystemServices/ConfigureHomeGroupProviderServiceStartupMode
    • +
  • SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode
    • +
  • SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode
    • +
  • SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode
    • +
  • SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode
    • +
  • TaskScheduler/EnableXboxGameSaveTask
    • +
  • TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode
    • +
  • UserRights/AccessCredentialManagerAsTrustedCaller
    • +
  • UserRights/AccessFromNetwork
    • +
  • UserRights/ActAsPartOfTheOperatingSystem
    • +
  • UserRights/AllowLocalLogOn
    • +
  • UserRights/BackupFilesAndDirectories
    • +
  • UserRights/ChangeSystemTime
    • +
  • UserRights/CreateGlobalObjects
    • +
  • UserRights/CreatePageFile
    • +
  • UserRights/CreatePermanentSharedObjects
    • +
  • UserRights/CreateSymbolicLinks
    • +
  • UserRights/CreateToken
    • +
  • UserRights/DebugPrograms
    • +
  • UserRights/DenyAccessFromNetwork
    • +
  • UserRights/DenyLocalLogOn
    • +
  • UserRights/DenyRemoteDesktopServicesLogOn
    • +
  • UserRights/EnableDelegation
    • +
  • UserRights/GenerateSecurityAudits
    • +
  • UserRights/ImpersonateClient
    • +
  • UserRights/IncreaseSchedulingPriority
    • +
  • UserRights/LoadUnloadDeviceDrivers
    • +
  • UserRights/LockMemory
    • +
  • UserRights/ManageAuditingAndSecurityLog
    • +
  • UserRights/ManageVolume
    • +
  • UserRights/ModifyFirmwareEnvironment
    • +
  • UserRights/ModifyObjectLabel
    • +
  • UserRights/ProfileSingleProcess
    • +
  • UserRights/RemoteShutdown
    • +
  • UserRights/RestoreFilesAndDirectories
    • +
  • UserRights/TakeOwnership
    • +
  • WindowsDefenderSecurityCenter/DisableAccountProtectionUI
    • +
  • WindowsDefenderSecurityCenter/DisableDeviceSecurityUI
    • +
  • WindowsDefenderSecurityCenter/HideRansomwareDataRecovery
    • +
  • WindowsDefenderSecurityCenter/HideSecureBoot
    • +
  • WindowsDefenderSecurityCenter/HideTPMTroubleshooting
    • +
+
+ ### December 2017 @@ -1686,1326 +1802,6 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
-### July 2017 - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
New or updated topicDescription
[VPNv2 CSP](vpnv2-csp.md)

Added DeviceTunnel profile in Windows 10, version 1709.

-
[BitLocker CSP](bitlocker-csp.md)Added the following statements:. -
    -
  • When you enable EncryptionMethodByDriveType, you must specify values for all three drives (operating system, fixed data, and removable data), otherwise it will fail (500 return status). For example, if you only set the encrytion method for the OS and removable drives, you will get a 500 return status.
    • -
  • When you enable SystemDrivesRecoveryMessage, you must specify values for all three settings (pre-boot recovery screen, recovery message, and recovery URL), otherwise it will fail (500 return status). For example, if you only specify values for message and URL, you will get a 500 return status.
    • -
-
[Policy CSP](policy-configuration-service-provider.md) -

Added the following new policies for Windows 10, version 1709:

-
    -
  • Education/DefaultPrinterName
    • -
  • Education/PreventAddingNewPrinters
    • -
  • Education/PrinterNames
    • -
  • Security/ClearTPMIfNotReady
    • -
  • WindowsDefenderSecurityCenter/CompanyName
    • -
  • WindowsDefenderSecurityCenter/DisableAppBrowserUI
    • -
  • WindowsDefenderSecurityCenter/DisableEnhancedNotifications
    • -
  • WindowsDefenderSecurityCenter/DisableFamilyUI
    • -
  • WindowsDefenderSecurityCenter/DisableHealthUI
    • -
  • WindowsDefenderSecurityCenter/DisableNetworkUI
    • -
  • WindowsDefenderSecurityCenter/DisableNotifications
    • -
  • WindowsDefenderSecurityCenter/DisableVirusUI
    • -
  • WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride
    • -
  • WindowsDefenderSecurityCenter/Email
    • -
  • WindowsDefenderSecurityCenter/EnableCustomizedToasts
    • -
  • WindowsDefenderSecurityCenter/EnableInAppCustomization
    • -
  • WindowsDefenderSecurityCenter/Phone
    • -
  • WindowsDefenderSecurityCenter/URL
    • -
-

Experience/AllowFindMyDevice - updated the description to include active digitizers.

-
[EnterpriseDesktopAppManagement CSP](enterprisedesktopappmanagement-csp.md)Added the following statement to [MSI/ProductID/DownloadInstall](enterprisedesktopappmanagement-csp.md#msi-productid-downloadinstall): -
    -
  • In Windows 10, version 1703 service release, a new tag "DownloadFromAad" was added to the "Enforcement" section of the XML. The default value is 0 (do not send token). This tag is optional and needs to be set to 1 in case the server wants the download URL to get the AADUserToken.
    • -
-
[EnterpriseAssignedAccess CSP](enterpriseassignedaccess-csp.md)Added the following information about the settings pages in AssigneAccessXML: -
    -
  • Starting in Windows 10, version 1703, you can specify the settings pages using the settings URI. For example, in place of SettingPageDisplay, you would use ms-settings:display. See [ms-settings: URI scheme reference](https://docs.microsoft.com/en-us/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to find the URI for each settings page.
    • -
  • In Windows 10, version 1703, Quick action settings no longer require any dependencies from related group or page.
    • -
-
[DeviceStatus CSP](devicestatus-csp.md)

Added the following settings in Windows 10, version 1709:

-
    -
  • DeviceStatus/DomainName
    • -
  • DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq
    • -
  • DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus
    • -
  • DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus
    • -
      -
[AssignedAccess CSP](assignedaccess-csp.md)

Here are the changes in Windows 10, version 1709.

-
    -
  • Added Configuration node
    • -
-

Starting in Windows 10, version 1709, AssignedAccess CSP is supported in Windows 10 Pro.

-
[SurfaceHub CSP](surfacehub-csp.md)

Changed PasswordRotationPeriod to PasswordRotationEnabled.

-
- -### June 2017 - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
New or updated topicDescription
[Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md)Added a list of registry locations that ingested policies are allowed to write to.
[Firewall CSP](firewall-csp.md)Added the following nodes: -
    -
  • Profiles
    • -
  • Direction
    • -
  • InterfaceTypes
    • -
  • EdgeTraversal
    • -
  • Status
    • -
-Also Added [Firewall DDF file](firewall-ddf-file.md).
[TPMPolicy CSP](tpmpolicy-csp.md)New CSP added in Windows 10, version 1703.
[Policy CSP](policy-configuration-service-provider.md) -

Added the following new policies for Windows 10, version 1703:

-
    -
  • Start/AllowPinnedFolderDocuments
    • -
  • Start/AllowPinnedFolderDownloads
    • -
  • Start/AllowPinnedFolderFileExplorer
    • -
  • Start/AllowPinnedFolderHomeGroup
    • -
  • Start/AllowPinnedFolderMusic
    • -
  • Start/AllowPinnedFolderNetwork
    • -
  • Start/AllowPinnedFolderPersonalFolder
    • -
  • Start/AllowPinnedFolderPictures
    • -
  • Start/AllowPinnedFolderSettings
    • -
  • Start/AllowPinnedFolderVideos
    • -
  • Update/AutoRestartDeadlinePeriodInDays
    • -
-

Added the following new policies for Windows 10, version 1709:

-
    -
  • CredentialProviders/EnableWindowsAutoPilotResetCredentials
    • -
  • DeviceGuard/EnableVirtualizationBasedSecurity
    • -
  • DeviceGuard/RequirePlatformSecurityFeatures
    • -
  • DeviceGuard/LsaCfgFlags
    • -
  • Power/DisplayOffTimeoutOnBattery
    • -
  • Power/DisplayOffTimeoutPluggedIn
    • -
  • Power/HibernateTimeoutOnBattery
    • -
  • Power/HibernateTimeoutPluggedIn
    • -
  • Power/StandbyTimeoutOnBattery
    • -
  • Power/StandbyTimeoutPluggedIn
    • -
  • Defender/AttackSurfaceReductionOnlyExclusions
    • -
  • Defender/AttackSurfaceReductionRules
    • -
  • Defender/CloudBlockLevel
    • -
  • Defender/CloudExtendedTimeout
    • -
  • Defender/EnableGuardMyFolders
    • -
  • Defender/EnableNetworkProtection
    • -
  • Defender/GuardedFoldersAllowedApplications
    • -
  • Defender/GuardedFoldersList
    • -
  • Update/ScheduledInstallEveryWeek
    • -
  • Update/ScheduledInstallFirstWeek
    • -
  • Update/ScheduledInstallFourthWeek
    • -
  • Update/ScheduledInstallSecondWeek
    • -
  • Update/ScheduledInstallThirdWeek
    • -
-

EnterpriseCloudPrint/DiscoveryMaxPrinterLimit is only supported in Windows 10 Mobile and Mobile Enterprise.

-
[WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md)Updated the CSP in Windows 10, version 1709. Added the following settings: -
    -
  • DeviceTagging/Group
    • -
  • DeviceTagging/Criticality
    • -
-
[WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)New CSP added in Windows 10, version 1709. Also added the DDF topic [WindowsDefenderApplicationGuard DDF file](windowsdefenderapplicationguard-ddf-file.md).
[DynamicManagement CSP](dynamicmanagement-csp.md)The DynamicManagement CSP is not supported in Windows 10 Mobile and Mobile Enterprise. The table of SKU information in the [Configuration service provider reference](configuration-service-provider-reference.md) was updated.
[CM_ProxyEntries CSP](cm-proxyentries-csp.md) and [CMPolicy CSP](cmpolicy-csp.md)In Windows 10, version 1709, support for desktop SKUs were added to these CSPs. The table of SKU information in the [Configuration service provider reference](configuration-service-provider-reference.md) was updated.
- -### May 2017 - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
New or updated topicDescription
[Policy CSP](policy-configuration-service-provider.md) -

Added the following new policies for Windows 10, version 1703:

-
    -
  • Browser/AllowFlashClickToRun
    • -
  • Experience/AllowFindMyDevice
    • -
  • Privacy/LetAppsAccessTasks
    • -
  • Privacy/LetAppsAccessTasks_ForceAllowTheseApps
    • -
  • Privacy/LetAppsAccessTasks_ForceDenyTheseApps
    • -
  • Privacy/LetAppsAccessTasks_UserInControlOfTheseApps
    • -
-

Starting in Windows 10, version 1703, the maximum value of Update/DeferFeatureUpdatesPeriodInDays has been increased from 180 days, to 365 days.

-

Added a statment that the following policies must target ./User.

-
    -
  • EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint
    • -
  • EnterpriseCloudPrint/CloudPrintOAuthAuthority
    • -
  • EnterpriseCloudPrint/CloudPrintOAuthClientId
    • -
  • EnterpriseCloudPrint/CloudPrintResourceId
    • -
  • EnterpriseCloudPrint/DiscoveryMaxPrinterLimit
    • -
  • EnterpriseCloudPrint/MopriaDiscoveryResourceId
    • -
-
[Understanding ADMX-backed policies](understanding-admx-backed-policies.md)

Added a section describing SyncML examples of various ADMX elements.

-
[BitLocker CSP](bitlocker-csp.md) -

Added the following setting:

-
    -
  • AllowWarningForOtherDiskEncryption
    • -
-

Note that SystemDrivesMinimumPINLength is 6 digits instead of 4.

-
[Reporting CSP](reporting-csp.md)

Added new settings in Windows 10, version 1703.

-
    -
  • EnterpriseDataProtection/RetrieveByTimeRange/Type
    • -
  • EnterpriseDataProtection/RetrieveByCount/Type
    • -
-
[Connecting your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connecting-your-windows-10-based-device-to-work-using-a-deep-link)

Added following deep link parameters to the table:

-
    -
  • Username
    • -
  • Servername
    • -
  • Accesstoken
    • -
  • Deviceidentifier
    • -
  • Tenantidentifier
    • -
  • Ownership
    • -
-
[Firewall CSP](firewall-csp.md)

Added new CSP in Windows 10, version 1709.

-
MDM support for Windows 10 S

Updated the following topics to indicate MDM support in Windows 10 S.

-
    -
  • [Configuration service provider reference](configuration-service-provider-reference.md)
    • -
  • [Policy CSP](policy-configuration-service-provider.md)
    • -
-
- -### April 2017 - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
New or updated topicDescription
[Policy CSP](policy-configuration-service-provider.md)

Added the following new policies for Windows 10, version 1703:

-
    -
  • DeviceLock/MaxInactivityTimeDeviceLockWithExternalDisplay
    • -
  • Start/ImportEdgeAssets
    • -
  • Update/DetectionFrequency
    • -
  • Update/PauseFeatureUpdatesStartTime
    • -
  • Update/PauseQualityUpdatesStartTime
    • -
  • Update/SetEDURestart
    • -
  • WiFi/AllowWiFiDirect
    • -
  • WirelessDisplay/AllowProjectionFromPC
    • -
  • WirelessDisplay/AllowProjectionFromPCOverInfrastructure
    • -
  • WirelessDisplay/AllowProjectionToPCOverInfrastructure
    • -
  • WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver
    • -
-

DeviceLock/EnforceLockScreenAndLogonImage is not supported in Windows 10 Pro edition.

-
[DMSessionActions CSP](sharedpc-csp.md)

Added new CSP for Windows 10, version 1703.

-

[CertificateStore CSP](certificatestore-csp.md)

Updated in Windows 10, version 1703. Added the following setting:

-
    -
  • My/WSTEP/Renew/RetryAfterExpiryInterval
    • -
-

[ClientCertificateInstall CSP](clientcertificateinstall-csp.md)

Updated in Windows 10, version 1703. Added the following setting:

-
    -
  • SCEP/UniqueID/Install/AADKeyIdentifierList
    • -
-

[DMAcc CSP](dmacc-csp.md)

Updated in Windows 10, version 1703. Added the following setting:

-
    -
  • AccountUID/EXT/Microsoft/InitiateSession
    • -
-

[DMClient CSP](dmclient-csp.md)

Updated in Windows 10, version 1703. Added the following nodes and settings:

-
    -
  • HWDevID
    • -
  • Provider/ProviderID/ManagementServerToUpgradeTo
    • -
  • Provider/ProviderID/CustomEnrollmentCompletePage
    • -
  • Provider/ProviderID/CustomEnrollmentCompletePage/Title
    • -
  • Provider/ProviderID/CustomEnrollmentCompletePage/BodyText
    • -
  • Provider/ProviderID/CustomEnrollmentCompletePage/HyperlinkHref
    • -
  • Provider/ProviderID/CustomEnrollmentCompletePage/HyperlinkText
    • -
-
[SharedPC CSP](dmsessionactions-csp.md)

Added new settings in Windows 10, version 1703.

-
    -
  • RestrictLocalStorage
    • -
  • KioskModeAUMID
    • -
  • KioskModeUserTileDisplayText
    • -
  • InactiveThreshold
    • -
  • MaxPageFileSizeMB
    • -
-

The default value for SetEduPolicies changed to false. The default value for SleepTimeout changed to 300.

-
[RemoteLock CSP](remotelock-csp.md)

Added following setting:

-
    -
  • LockAndRecoverPIN
    • -
-
[NodeCache CSP](nodecache-csp.md)

Added following settings:

-
    -
  • ChangedNodesData
    • -
  • AutoSetExpectedValue
    • -
-
[Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)

Added a zip file containing the DDF XML files of the CSPs. The link to the download is available in the DDF topics of various CSPs.

-
[RemoteWipe CSP](remotewipe-csp.md)

Added new setting in Windows 10, version 1703.

-
    -
  • doWipeProtected
    • -
-
[EnterpriseDesktopAppManagement CSP](enterprisedesktopappmanagement-csp.md)

Added new setting in the March service release of Windows 10, version 1607.

-
    -
  • MSI/UpgradeCode/[Guid]
    • -
-
[MDM Bridge WMI Provider](https://msdnstage.redmond.corp.microsoft.com/en-us/library/windows/desktop/dn905224(v=vs.85).aspx)

Updated for Windows 10, version 1703. Added new classes and properties.

-
[Deploy and configure App-V apps using MDM](appv-deploy-and-config.md)

Added a new topic describing how to deploy and configure App-V apps using MDM.

-
- -### March 2017 - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
New or updated topicDescription
[Policy CSP](policy-configuration-service-provider.md)

Added the following new policies for Windows 10, version 1703:

-
    -
  • Accounts/AllowMicrosoftAccountSignInAssistant
    • -
  • Connectivity/AllowConnectedDevices
    • -
  • Display/TurnOffGdiDPIScalingForApps
    • -
  • Display/TurnOnGdiDPIScalingForApps
    • -
  • Location/EnableLocation
    • -
  • SmartScreen/EnableAppInstallControl
    • -
  • SmartScreen/EnableSmartScreenInShell
    • -
  • SmartScreen/PreventOverrideForFilesInShell
    • -
  • Update/IgnoreMOAppDownloadLimit
    • -
  • Update/IgnoreMOUpdateDownloadLimit
    • -
-

For Windows 10, version 1703, added the ConfigOperations/ADMXInstall node and setting, which is used to ingest ADMX files.

-
[DeviceLock/DevicePasswordEnabled](policy-configuration-service-provider.md#devicelock-devicepasswordenabled) in Policy CSP

Added the following note:

-

**DevicePasswordEnabled** should not be set to Enabled (0) when WMI is used to set the EAS DeviceLock policies given that it is Enabled by default in Policy CSP for back compat with Windows 8.x. If **DevicePasswordEnabled** is set to Enabled(0) then Policy CSP will return an error stating that **DevicePasswordEnabled** already exists. Windows 8.x did not support DevicePassword policy. When disabling **DevicePasswordEnabled** (1) then this should be the only policy set from the DeviceLock group of policies listed below:

-
    -
  • DevicePasswordEnabled is the parent policy of the following: -
    • AllowSimpleDevicePassword
      • -
    • MinDevicePasswordLength
      • -
    • AlphanumericDevicePasswordRequired -
      • MinDevicePasswordComplexCharacters
      •   -
    • MaxDevicePasswordFailedAttempts
      • -
    • MaxInactivityTimeDeviceLock
[Personalization CSP](personalization-csp.md)

Added new CSP for Windows 10, version 1703.

[EnterpriseAppVManagement CSP](enterpriseappvmanagement-csp.md)

Added new CSP for Windows 10, version 1703.

[HealthAttestation CSP](healthattestation-csp.md)

Added the following settings:.

-
    -
  • HASEndpoint - added in Windows 10, version 1607, but not documented
    • -
  • TpmReadyStatus - added in the March service release of Windows 10, version 1607
    • -

[SurfaceHub CSP](surfacehub-csp.md)

Updated in Windows 10, version 1703. Added the following nodes and settings:

-
    -
  • InBoxApps/SkypeForBusiness
    • -
  • InBoxApps/SkypeForBusiness/DomainName
    • -
  • InBoxApps/Connect
    • -
  • InBoxApps/Connect/AutoLaunch
    • -
  • Properties/DefaultVolume
    • -
  • Properties/ScreenTimeout
    • -
  • Properties/SessionTimeout
    • -
  • Properties/SleepTimeout
    • -
  • Properties/AllowSessionResume
    • -
  • Properties/AllowAutoProxyAuth
    • -
  • Properties/DisableSigninSuggestions
    • -
  • Properties/DoNotShowMyMeetingsAndFiles
    • -
-
[NetworkQoSPolicy CSP](networkqospolicy-csp.md)

Added new CSP for Windows 10, version 1703.

[EnterpriseAPN CSP](enterpriseapn-csp.md)

Added the following setting:

-
    -
  • Roaming
    • -
-

[WindowsLicensing CSP](windowslicensing-csp.md)

Added the following setting for Windows 10, version 1703:

-
    -
  • ChangeProductKey
    • -
-

Added the following new node and settings in Windows 10, version 1607, but not previously documented:

-
    -
  • Subscriptions
    • -
  • Subscriptions/SubscriptionId
    • -
  • Subscriptions/SubscriptionId/Status
    • -
  • Subscriptions/SubscriptionId/Name
    • -
-
[EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)

Added the following settings:

-
    -
  • RevokeOnMDMHandoff
    • -
  • SMBAutoEncryptedFileExtensions
    • -
[WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md)

Updated in Windows 10, version 1703. Added the following setting:

-
    -
  • Configuration/TelemetryReportingFrequency
    • -
-
- -### February 2017 - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
New or updated topicDescription
[SecureAssessment CSP](secureassessment-csp.md)

Updated the following setting names:

-
    -
  • AllowScreenMonitoring - previously ScreenCaptureCapability
    • -
  • RequirePrinting - previously PrintingCapability
    • -
-
[EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)

Added the following statement to [Settings/EDPShowIcons](enterprisedataprotection-csp.md#settings-edpshowicons):

    -
  • Starting in Windows 10, version 1703 this setting also configures the visibility of the WIP icon in the title bar of a WIP-protected app.
[Policy CSP](policy-configuration-service-provider.md)

Added the following new policies for Windows 10, version 1703:

-
    -
  • ApplicationDefaults/DefaultAssociationsConfiguration
    • -
  • Browser/AllowAddressBarDropdown
    • -
  • Browser/AllowMicrosoftCompatibilityList
    • -
  • Browser/AllowSearchEngineCustomization
    • -
  • Browser/ClearBrowsingDataOnExit
    • -
  • Browser/ConfigureAdditionalSearchEngines
    • -
  • Browser/DisableLockdownOfStartPages
    • -
  • Browser/PreventFirstRunPage
    • -
  • Browser/PreventLiveTileDataCollection
    • -
  • Browser/SetDefaultSearchEngine
    • -
  • Browser/SyncFavoritesBetweenIEAndMicrosoftEdge
    • -
  • Connectivity/AllowConnectedDevices
    • -
  • DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload
    • -
  • Experience/AllowTailoredExperiencesWithDiagnosticData
    • -
  • Experience/AllowWindowsSpotlightOnActionCenter
    • -
  • Experience/AllowWindowsSpotlightWindowsWelcomeExperience
    • -
  • Settings/ConfigureTaskbarCalendar
    • -
  • Settings/PageVisibilityList
    • -
  • Start/HideAppList
    • -
  • Start/HideChangeAccountSettings
    • -
  • Start/HideFrequentlyUsedApps
    • -
  • Start/HideHibernate
    • -
  • Start/HideLock
    • -
  • Start/HidePowerButton
    • -
  • Start/HideRecentJumplists
    • -
  • Start/HideRecentlyAddedApps
    • -
  • Start/HideRestart
    • -
  • Start/HideShutDown
    • -
  • Start/HideSignOut
    • -
  • Start/HideSleep
    • -
  • Start/HideSwitchAccount
    • -
  • Start/HideUserTile
    • -
  • Start/NoPinningToTaskbar
    • -
  • System/AllowFontProviders
    • -
  • System/DisableOneDriveFileSync
    • -
  • TextInput/AllowKeyboardTextSuggestions
    • -
  • TimeLanguageSettings/AllowSet24HourClock
    • -
  • Update/ActiveHoursMaxRange
    • -
  • Update/AutoRestartNotificationSchedule
    • -
  • Update/AutoRestartRequiredNotificationDismissal
    • -
  • Update/EngagedRestartDeadline
    • -
  • Update/EngagedRestartSnoozeSchedule
    • -
  • Update/EngagedRestartTransitionSchedule
    • -
  • Update/SetAutoRestartNotificationDisable
    • -
  • WindowsLogon/HideFastUserSwitching
    • -
-

Starting in Windows 10, version 1703, Update/UpdateServiceUrl is not supported in Windows 10 Mobile Enteprise and IoT Enterprise

-

Starting in Windows 10, version 1703, in Browser/HomePages you can use the "<about:blank>" value if you don’t want to send traffic to Microsoft.

-

Starting in Windows 10, version 1703, Start/StartLayout can now be set on a per-device basis in addition to the pre-existing per-user basis.

-
[NetworkProxy CSP](networkproxy-csp.md)

Added new CSP for Windows 10, version 1703.

[BitLocker CSP](bitlocker-csp.md)

Added new CSP for Windows 10, version 1703.

[EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)

Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported.

[DynamicManagement CSP](dynamicmanagement-csp.md)

Added new CSP for Windows 10, version 1703.

[Implement server-side support for mobile application management on Windows](implement-server-side-mobile-application-management.md)

New mobile application management (MAM) support added in Windows 10, version 1703.

[PassportForWork CSP](passportforwork-csp.md)

Updated in Windows 10, version 1703. Added the following new node and settings:

-
    -
  • TenantId/Policies/ExcludeSecurityDevices (only for ./Device/Vendor/MSFT)
    • -
  • TenantId/Policies/ExcludeSecurityDevices/TPM12 (only for ./Device/Vendor/MSFT)
    • -
  • TenantId/Policies/EnablePinRecovery
    • -
[Office CSP](office-csp.md)

Added new CSP for Windows 10, version 1703.

- -### January 2017 - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
New or updated topicDescription
[Reboot CSP](reboot-csp.md)

RebootNow triggers a reboot within 5 minutes to allow the user to wrap up any active work. Also updated the Note in RebootNow.

-
[Device update management](device-update-management.md)

Updated the following section:

-
    -
  • [Recommended Flow for Using the Server-Server Sync Protocol](device-update-management.md#recommendedflow)
    • -
[SecureAssessment CSP](secureassessment-csp.md)

Updated in Windows 10, version 1703. Added the following settings

-
    -
  • AllowTextSuggestions
    • -
  • PrintingCapability
    • -
  • ScreenCaptureCapability
    • -
-
[DevDetail CSP](devdetail-csp.md)

Updated in Windows 10, version 1703. Added the following setting: DeviceHardwareData

[Messaging CSP](messaging-csp.md)

Added new CSP for Windows 10, version 1703. This CSP is only supported in Windows 10 Mobile and Mobile Enteprise editions.

-
[Policy CSP](policy-configuration-service-provider.md)

Added the following new policies for Windows 10, version 1703:

-
    -
  • DeliveryOptimization/DOAllowVPNPeerCaching
    • -
  • DeliveryOptimization/DOMinDiskSizeAllowedToPeer
    • -
  • DeliveryOptimization/DOMinFileSizeToCache
    • -
  • DeliveryOptimization/DOMinRAMAllowedToPeer
    • -
  • EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint
    • -
  • EnterpriseCloudPrint/CloudPrintOAuthAuthority
    • -
  • EnterpriseCloudPrint/CloudPrintOAuthClientId
    • -
  • EnterpriseCloudPrint/CloudPrintResourceId
    • -
  • EnterpriseCloudPrint/DiscoveryMaxPrinterLimit
    • -
  • EnterpriseCloudPrint/MopriaDiscoveryResourceId
    • -
  • Messaging/AllowMMS
    • -
  • Messaging/AllowRCS
    • -
  • Privacy/LetAppsGetDiagnosticInfo
    • -
  • Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps
    • -
  • Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps
    • -
  • Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps
    • -
  • Privacy/LetAppsRunInBackground
    • -
  • Privacy/LetAppsRunInBackground_ForceAllowTheseApps
    • -
  • Privacy/LetAppsRunInBackground_ForceDenyTheseApps
    • -
  • Privacy/LetAppsRunInBackground_UserInControlOfTheseApps
    • -
-

Added the following new policy for the January service release of Windows 10, version 1607: Update/UpdateServiceUrlAlternate

-

Removed TextInput/AllowLinguisticDataCollection from Policy CSP in Windows 10 version 1703.

-
[CleanPC CSP](cleanpc-csp.md)

Added new CSP for Windows 10, version 1703.

[DeveloperSetup CSP](developersetup-csp.md)

Added new CSP for Windows 10, version 1703.

Added a download of Windows 10 version 1607 DDF files

You can download the Windows 10 version 1607 DDF files from [here](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip).

-
[DeviceStatus CSP](devicestatus-csp.md)

Added the following values for DeviceStatus/NetworkIdentifiers/MacAddress/Type setting:

-
    -
  • 2 - WLAN (or other Wirless interface)
    • -
  • 1 - LAN (or other Wired interface)
    • -
  • 0 - Unknown
    • -
- -### December, 2016 - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
New or updated topicDescription
[Update CSP](update-csp.md)

Added the following nodes:

-
    -
  • FailedUpdates/Failed Update Guid/RevisionNumber
    • -
  • InstalledUpdates/Installed Update Guid/RevisionNumber
    • -
  • PendingRebootUpdates/Pending Reboot Update Guid/RevisionNumber
    • -
-
[AppLocker CSP](applocker-csp.md)

Added information about exempt applications list to the EnterpriseDataProtection setting.

-
[EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)

To Settings/RequireProtectionUnderLockConfig, added supported values.

-
[CM_CellularEntries CSP](cm-cellularentries-csp.md)

To PurposeGroups setting, added the following values Windows 10, version 1709:

-
    -
  • Purchase - 95522B2B-A6D1-4E40-960B-05E6D3F962AB
    • -
  • Administrative - 2FFD9261-C23C-4D27-8DCF-CDE4E14A3364
    • -
-
[CellularSettings CSP](cellularsettings-csp.md)

[CM_CellularEntries CSP](cm-cellularentries-csp.md)

[EnterpriseAPN CSP](enterpriseapn-csp.md)

In the Windows 10, version 1709, support was added for Windows 10 Home, Pro, Enterprise, and Education editions.

-
Updated the DDF topics.The following DDF topics were updated: -
    -
  • [DeviceManageability DDF file](devicemanageability-ddf.md)
    • -
  • [ClientCertificateInstall DDF file](clientcertificateinstall-ddf-file.md)
    • -
  • [DevDetail DDF file](devdetail-ddf-file.md)
    • -
  • [DeviceStatus DDF file](devicestatus-ddf.md)
    • -
  • [DevInfo DDF file](DevInfo-ddf-file.md)
    • -
  • [RootCATrustedCertificates DDF file](rootcacertificates-ddf-file.md)
    • -
  • [PassportForWork DDF](passportforwork-ddf.md)
    • -
  • [EnterpriseExt DDF](enterpriseext-ddf.md)
    • -
[Reporting CSP](reporting-csp.md)

Reporting/SecurityAuditing setting is not supported in Windows 10, version 1607 in the desktop editions.

-
- -### November 2016 - - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
New or updated topicDescription
[EnterpriseAPN CSP](enterpriseapn-csp.md)

The EnterpriseAPN configuration service provider (CSP) is not supported in Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), versions 1511 and 1607.

-
[Defender CSP](defender-csp.md)

Added the following values for Defender/Scan setting:

-
    -
  • 1 - quick scan
    • -
  • 2 - full scan
    • -
-
[EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)

Added data recovery agent (DRA) information to Settings/DataRecoveryCertificate.

-
[Disconnecting from the management infrastructure (unenrollment)](disconnecting-from-mdm-unenrollment.md)

Added information about unenrollment from Azure Active Directory Join.

-
[Policy CSP](policy-configuration-service-provider.md)

Updated the description of the following policies.

    -
  • [Browser/Homepages](policy-configuration-service-provider.md#browser-homepages)
    • -
  • [DeviceLock/MaxInactivityTimeDeviceLock](policy-configuration-service-provider.md#devicelock-maxinactivitytimedevicelock)
    • -
  • [Experience/ConfigureWindowsSpotlightOnLockScreen](policy-configuration-service-provider.md#experience-configurewindowsspotlightonlockscreen)
    • -

-
- -### October 27, 2016 - - ---- - - - - - - - - - - - - - - - -
New or updated topicDescription
[CM_ProxyEntries CSP](cm-proxyentries-csp.md)

Support for OMA DM was added in Windows 10, version 1607

-
[AppLocker CSP](applocker-csp.md)

[Recommended deny list for Windows Information Protection](applocker-csp.md#recommended-deny-list-for-windows-information-protection) - example for Windows 10, version 1607 that denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. This ensures an administrator does not accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications. -

-
- -### October 21, 2016 - - ---- - - - - - - - - - - - - -
New or updated topicDescription
[Policy CSP](policy-configuration-service-provider.md)

Updated the most restricted values for the following policies:

-
    -
  • Browser/AllowDoNotTrack
    • -
  • Browser/AllowPasswordManager
    • -
  • Browser/AllowPopups
    • -
  • Browser/AllowSmartScreen
    • -
- -  - -### October 6, 2016 - - ---- - - - - - - - - - - - - - - - - -
New or updated topicDescription

WindowsTeam CSP

Deleted the WindowsTeam CSP topic. You should use [SurfaceHub](surfacehub-csp.md) instead.

[Policy CSP](policy-configuration-service-provider.md)

Added the following policies:

-
    -
  • Search/DisableBackoff
    • -
  • Search/DisableRemovableDriveIndexing
    • -
  • Search/PreventIndexingLowDiskSpaceMB
    • -
  • Search/PreventRemoteQueries
    • -
- -  - -### September 29, 2016 - - ---- - - - - - - - - - - - - -
New or updated topicDescription
[Policy CSP](policy-configuration-service-provider.md)

Updated the following policy:

-
    -
  • System/AllowBuildPreview - supported in Windows 10 Mobile and Windows 10 Mobile Enterprise
    • -
  • Experience/AllowThirdPartySuggestionsInWindowsSpotlight - supported in Windows 10 Pro.
    • -
- -  - -### September 22, 2016 - - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
New or updated topicDescription
[AppLocker CSP](applocker-csp.md)

Added the following note the the list of [Inbox apps and components](applocker-csp.md#inboxappsandcomponents):

-
-Note This list identifies system apps that ship as part of Windows that you can add to your AppLocker policy to ensure proper functioning of the operating system. If you decide to block some of these apps, we recommend a thorough testing before deploying to your production environment. Failure to do so may result in unexpected failures and can significantly degrade the user experience. -
-

[ComputerName](https://msdn.microsoft.com/library/windows/hardware/mt188590) in Windows Provisioning settings reference

ComputerName does not support asterisk (*) and does not support empty string.

[Policy CSP](policy-configuration-service-provider.md)

Updated the supported values for [Update/BranchReadinessLevel](policy-configuration-service-provider.md#update-branchreadinesslevel)

[Device update management](device-update-management.md)

Updated the following section:

-
    -
  • [Getting update metadata using the Server-Server sync protocol](device-update-management.md#gettingupdatemetadata)
    • -
- -  - -### September 12, 2016 - - ---- - - - - - - - - - - - - -
New or updated topicDescription
[Policy CSP](policy-configuration-service-provider.md)

Added the following statement to Update/DeferUpdatePeriod policy:

-

In Windows 10 Mobile Enterprise version 1511 devices set to automatic updates, for DeferUpdatePeriod to work, you must set the following:

-
    -
  • Update/RequireDeferUpgrade must be set to 1
    • -
  • System/AllowTelemetry must be set to 1 or higher
    • -
-

Added new policy Experience/AllowThirdPartySuggestionsInWindowsSpotlight in Windows 10, version 1607.

- -  - -### September 8, 2016 - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
New or updated topicDescription
[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)

Updated the names for the following settings:

-
    -
  • AppInventoryQuery
    • -
  • AppInventoryResults
    • -
[Policy CSP](policy-configuration-service-provider.md)

Updated the following policy description:

-

-
-
System/AllowTelemetry
-

Allow the device to send diagnostic and usage telemetry data, such as Watson.

-

The following lists describe the supported values:

-

Windows 8.1 values

-
    -
  • 0 – Not allowed
    • -
  • 1 – Allowed, except for Secondary Data Requests.
    • -
  • 2 (default) – Allowed.
    • -
-

Windows 10 values

-
    -
  • 0 – Security. Information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender. -
    -Note  This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1. -
    -
    • -
  • 1 – Basic. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the Security level.
    • -
  • 2 – Enhanced. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the Basic and the Security levels.
    • -
  • 3 – Full. All data necessary to identify and help to fix problems, plus data from the Security, Basic, and Enhanced levels.
    • -
-
-Important If you are using Windows 8.1 MDM server and set a value of 0 using the legacy AllowTelemetry policy on a Windows 10 Mobile device, then the value is not respected and the telemetry level is silently set to level 1. -
-

Most restricted value is 0.

-
-
[OMA DM protocol support](oma-dm-protocol-support.md)

Updated the following description:

-
    -
  • LocURI - Specifies the address of the target or source location. If the address contains a non-alphanumeric character, it must be properly escaped according to the URL encoding standard.
    • -
[VPNv2 CSP](vpnv2-csp.md)

Updated the following description:

-
    -

  • VPNv2/ProfileName - Unique alpha numeric identifier for the profile. The profile name must not include a forward slash (/).

    -

    Supported operations include Get, Add, and Delete.

    -
    -Note  If the profile name has a space or other non-alphanumeric character, it must be properly escaped according to the URL encoding standard. -
    -
    • -
[MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/hardware/dn905224)

Replaced the descriptions for each class member with links to the corresponding node in the CSP topic. The CSP topics contain the most up-to-date information.

- -  - -### September 2, 2016 - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
New or updated topicDescription
[Policy CSP](policy-configuration-service-provider.md) -

[PolicyManager CSP](policymanager-csp.md)

Added the following note:

-
    -
  • You cannot disable or enable Contact Support and Windows Feedback apps using ApplicationManagement/ApplicationRestrictions policy, although these are listed in the [inbox apps](applocker-csp.md#inboxappsandcomponents).
    • -
[PassportForWork CSP](passportforwork-csp.md)

Added the following note:

-
-Important  Starting with Windows 10, version 1607 all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP. -
-
[ProfileXML XSD](vpnv2-profile-xsd.md)

Updated the [Native profile example](vpnv2-profile-xsd.md#native-profile-example) example.

[Policy CSP](policy-configuration-service-provider.md) -

[Device update management](device-update-management.md)

The following policies are not supported in Windows 10 Mobile Enterprise:

-
    -
  • DeferUpgradePeriod
    • -
  • DeferFeatureUpdatesPeriodInDays
    • -
  • PauseFeatureUpdates
    • -
  • ExcludeWUDrivers
    • -
-
-Note  Since these policies are not blocked, you will not get a failure message when you use them to configure a Windows 10 Mobile Enterprise device. However, the policies will not take effect. -
-

Added additional information about update policies supported for Windows Update for Business in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement).

[DevDetail CSP](devdetail-csp.md)

In Ext/Microsoft/DeviceName node, the Replace operation is only supported in Windows 10 Mobile, and not supported in the desktop.

- -  - -### August 25, 2016 - - ---- - - - - - - - - - - - - - - - - -
New or updated topicDescription
[Policy DDF file](policy-ddf-file.md)

Updated version for Windows 10, version 1607

[MDM enrollment of Windows devices](mdm-enrollment-of-windows-devices.md)

Updated the section about enrolling in MDM on a desktop. Added a new section for enrolling in MDM on a phone.

- -  - -### August 18, 2016 - - ---- - - - - - - - - - - - - -
New or updated topicDescription
[CertificateStore CSP](certificatestore-csp.md) -

[CertificateStore DDF file](certificatestore-ddf-file.md)

Added the following new settings in Windows 10, version 1607:

-
    -
  • My/WSTEP/Renew/LastRenewalAttemptTime
    • -
  • My/WSTEP/Renew/RenewNow
    • -
- -  - -### August 11, 2016 - - ---- - - - - - - - - - - - - - - - - -
New or updated topicDescription
[Bulk enrollment](bulk-enrollment-using-windows-provisioning-tool.md)

Added new section:

-
    -
  • [Retry logic in case of a failure](bulk-enrollment-using-windows-provisioning-tool.md#retry-logic-in-case-of-a-failure)
    • -
[Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md)

Added a link to MDM enrollment templates and CSS files:

-
    -
  • [Download the Windows 10 templates and CSS files](http://download.microsoft.com/download/3/E/5/3E535D52-6432-47F6-B460-4E685C5D543A/MDM-ISV_1.1.3.zip)
    • -
- -  - -### August 2, 2016 - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
New or updated topicDescription
[OMA DM protocol support](oma-dm-protocol-support.md)

Added a table of common SyncML response codes that occur during OMA DM sessions.

[Mobile device enrollment](mobile-device-enrollment.md)

Updated the following section:

-
    -
  • [Enrollment error messages](mobile-device-enrollment.md#enrollment-error-messages)
    • -
[SUPL CSP](supl-csp.md)

LocMasterSwitchDependencyNII setting is not deprecated. Removed the note that it's deprecated in Windows 10.

[Push notification support for device management](push-notification-windows-mdm.md)

Added the following section:

-
    -
  • [Get WNS credentials and PFN for MDM push notification](push-notification-windows-mdm.md#get-wns-credentials-and-pfn-for-mdm-push-notification)
    • -
[RemoteWipe CSP](remotewipe-csp.md)

Updated [The Remote Wipe Process](remotewipe-csp.md#the-remote-wipe-process) section. Added the following note:

-
-Note  On the desktop, the remote wipe effectively performs a factory reset and the PC does not retain any information about the command once the wipe completes. Any response from the device about the actual status or result of the command may be inconsistent and unreliable because the MDM information has been removed. -
-
[Bulk enrollment](bulk-enrollment-using-windows-provisioning-tool.md)

Added new step-by-step guide for creating and applying provisioning packages.

-   ## FAQ diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 49edda7d65..40beecbd85 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -794,9 +794,6 @@ The following diagram shows the Policy configuration service provider in tree fo
DeliveryOptimization/DOAllowVPNPeerCaching
-
- DeliveryOptimization/DOCacheHost -
DeliveryOptimization/DODelayBackgroundDownloadFromHttp
diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index 3448fec985..38798af024 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -27,9 +27,6 @@ ms.date: 01/03/2018
DeliveryOptimization/DOAllowVPNPeerCaching
-
- DeliveryOptimization/DOCacheHost -
DeliveryOptimization/DODelayBackgroundDownloadFromHttp
@@ -199,55 +196,6 @@ The following list shows the supported values:
-**DeliveryOptimization/DOCacheHost** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark4check mark4check mark4check mark4cross markcross mark
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Added in Windows 10, next major update. TBD - - - - - - - - - - - -
- **DeliveryOptimization/DODelayBackgroundDownloadFromHttp** From 107d71425cb35feb520c8e4f21205c7fd8f6efc2 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Wed, 10 Jan 2018 00:06:45 +0000 Subject: [PATCH 07/19] Merged PR 5223: Updated and merged syummary tables, categorized scenarios Updates to the topic for clarity --- .../windows-10-deployment-scenarios.md | 165 +++++++++--------- 1 file changed, 85 insertions(+), 80 deletions(-) diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md index 3904305e1b..8340b166b5 100644 --- a/windows/deployment/windows-10-deployment-scenarios.md +++ b/windows/deployment/windows-10-deployment-scenarios.md @@ -16,62 +16,54 @@ author: greg-lindsay **Applies to** - Windows 10 -To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task. +To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task. -The following tables summarize different Windows 10 deployment options and requirements. +The following table summarizes various Windows 10 deployment scenarios. The scenarios are each assigned to one of three categories. +- Modern deployment methods are recommended unless you have a specific need to use a different procedure. +- Dynamic deployment methods enable you to configure applications and settings for specific use cases. +- Traditional deployment methods use tools such as Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager.
  -| Scenario | Description | More information | -| :---: | :---: | :---: | -| [Windows AutoPilot](#windows-autopilot) | Customize the out-of-box-experience (OOBE) for your organization, and deploy a new system with apps and settings already configured. |[Overview of Windows AutoPilot](https://docs.microsoft.com/en-us/windows/deployment/windows-10-autopilot) | -| [In-place upgrade](#in-place-upgrade) | Use Windows Setup to update your OS and migrate apps and settings. Rollback data is saved in Windows.old. |[Perform an in-place upgrade to Windows 10 with MDT](https://docs.microsoft.com/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit)
[Perform an in-place upgrade to Windows 10 using Configuration Manager](https://docs.microsoft.com/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager) | -| [Subscription Activation](#windows-10-subscription-activation) | Switch from Windows 10 Pro to Enterprise when a subscribed user signs in. |[Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation) | -| [AAD / MDM](#dynamic-provisioning) | The device is automatically joined to AAD and configured by MDM. |[Azure Active Directory integration with MDM](https://docs.microsoft.com/windows/client-management/mdm/azure-active-directory-integration-with-mdm) | -| [Provisioning packages](#dynamic-provisioning) | Using the Windows Imaging and Configuration Designer tool, create provisioning packages that can be applied to devices. |[Configure devices without MDM](https://docs.microsoft.com/windows/configuration/configure-devices-without-mdm) | -| [Bare metal](#new-computer) | Deploy a new device, or wipe an existing device and deploy with a fresh image. |[Deploy a Windows 10 image using MDT](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt)
[Install a new version of Windows on a new computer with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/install-new-windows-version-new-computer-bare-metal) | -| [Refresh](#computer-refresh) | Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state. |[Refresh a Windows 7 computer with Windows 10](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10)
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](https://docs.microsoft.com/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager) | -| [Replace](#computer-replace) | Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device. |[Replace a Windows 7 computer with a Windows 10 computer](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer)
[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](https://docs.microsoft.com/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager) | + +
Mitigation +
-OS requirements: -
  +[Analyze log files](#analyze-log-files) in order to determine the files or registry entires that are blocking data migration. - - - - - - - - -
- Category - - Scenario - - Windows 10 1703 or later - - Windows 7 up to Windows 10 1607 -
- Modern +This error can be due to a problem with user profiles. It can occur due to corrupt registry entries under **HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList** or invalid files in the **\\Users** directory. + +Note: If a previous upgrade did not complete, invalid profiles might exist in the **Windows.old\\Users** directory. + +To repair this error, ensure that deleted accounts are not still present in the Windows registry and that files under the \\Users directory are valid. Delete the invalid files or user profiles that are causing this error. The specific files and profiles that are causing the error will be recorded in the Windows setup log files. + +
+ + + + + + + + + - - + - @@ -79,91 +71,99 @@ OS requirements: Dynamic -
CategoryScenarioDescriptionMore information
Modern + +[Windows AutoPilot](#windows-autopilot) + Customize the out-of-box-experience (OOBE) for your organization, and deploy a new system with apps and settings already configured. - Windows AutoPilot - - - - X +Overview of Windows AutoPilot
- In-place upgrade + +[In-place upgrade](#in-place-upgrade) + + + Use Windows Setup to update your OS and migrate apps and settings. Rollback data is saved in Windows.old. - - - +Perform an in-place upgrade to Windows 10 with MDT
Perform an in-place upgrade to Windows 10 using Configuration Manager
- Subscription Activation + +[Subscription Activation](#windows-10-subscription-activation) - + Switch from Windows 10 Pro to Enterprise when a subscribed user signs in. - X +Windows 10 Subscription Activation
- AAD / MDM + + [AAD / MDM](#dynamic-provisioning) - + The device is automatically joined to AAD and configured by MDM. - +Azure Active Directory integration with MDM
- Provisioning packages + + [Provisioning packages](#dynamic-provisioning) - + Using the Windows Imaging and Configuration Designer tool, create provisioning packages that can be applied to devices. - +Configure devices without MDM
Traditional - Bare metal + + + [Bare metal](#new-computer) - + Deploy a new device, or wipe an existing device and deploy with a fresh image. - + Deploy a Windows 10 image using MDT
Install a new version of Windows on a new computer with System Center Configuration Manager
- Refresh + + [Refresh](#computer-refresh) - + Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state. - + Refresh a Windows 7 computer with Windows 10
Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager
- Replace + + [Replace](#computer-replace) - + Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device. - + Replace a Windows 7 computer with a Windows 10 computer
Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager

  ->[!NOTE] ->There is no pre-existing OS in the Windows AutoPilot or bare metal scenarios, so apps and settings are not migrated. In all other scenarios the existing apps and user settings are typically migrated to the new operating system. -## Windows AutoPilot +>[!IMPORTANT] +>The Windows AutoPilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.
+>Except for clean install scenarios such as traditional bare metal and Windows AutoPilot, all the methods described can optionally migrate apps and settings to the new OS. + +## Modern deployment methods + +Modern deployment methods embrace both traditional on-prem and cloud services to deliver a simple, streamlined, cost effective deployment experience. + +### Windows AutoPilot Windows AutoPilot is a new suite of capabilities designed to simplify and modernize the deployment and management of new Windows 10 PCs. Windows AutoPilot enables IT professionals to customize the Out of Box Experience (OOBE) for Windows 10 PCs and provide end users with a fully configured new Windows 10 device after just a few clicks. There are no images to deploy, no drivers to inject, and no infrastructure to manage. Users can go through the deployment process independently, without the need consult their IT administrator. For more information about Windows AutoPilot, see [Overview of Windows AutoPilot](https://docs.microsoft.com/en-us/windows/deployment/windows-10-auto-pilot) and [Modernizing Windows deployment with Windows AutoPilot](https://blogs.technet.microsoft.com/windowsitpro/2017/06/29/modernizing-windows-deployment-with-windows-autopilot/). -## Windows 10 Subscription Activation - -Windows 10 Subscription Activation is a modern deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](https://docs.microsoft.com/en-us/windows/deployment/windows-10-enterprise-subscription-activation). - -## In-place upgrade +### In-place upgrade For existing computers running Windows 7, Windows 8, or Windows 8.1, the recommended path for organizations deploying Windows 10 leverages the Windows installation program (Setup.exe) to perform an in-place upgrade, which automatically preserves all data, settings, applications, and drivers from the existing operating system version. This requires the least IT effort, because there is no need for any complex deployment infrastructure. @@ -188,26 +188,27 @@ There are some situations where you cannot use in-place upgrade; in these situat - Updating existing images. While it might be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image, this is not supported – preparing an upgraded OS for imaging (using Sysprep.exe) is not supported and will not work when it detects the upgraded OS. - Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS; if using dual-boot or multi-boot systems with multiple operating systems (not leveraging virtual machines for the second and subsequent operating systems), additional care should be taken. + ## Dynamic provisioning For new PCs, organizations have historically replaced the version of Windows included on the device with their own custom Windows image, because this was often faster and easier than leveraging the preinstalled version. But this is an added expense due to the time and effort required. With the new dynamic provisioning capabilities and tools provided with Windows 10, it is now possible to avoid this. The goal of dynamic provisioning is to take a new PC out of the box, turn it on, and transform it into a productive organization device, with minimal time and effort. The types of transformations that are available include: -- Changing the Windows edition with a single reboot. For organizations that have Software Assurance for Windows, it is easy to change a device from Windows 10 Pro to Windows 10 Enterprise, just by specifying an appropriate product or setup key. When the device restarts, all of the Windows 10 Enterprise features will be enabled. +### Windows 10 Subscription Activation -- Configuring the device with VPN and Wi-Fi connections that may be needed to gain access to organization resources. -- Installation of additional apps needed for organization functions. -- Configuration of common Windows settings to ensure compliance with organization policies. -- Enrollment of the device in a mobile device management (MDM) solution, such as Microsoft Intune. +Windows 10 Subscription Activation is a modern deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](https://docs.microsoft.com/en-us/windows/deployment/windows-10-enterprise-subscription-activation). -There are two primary dynamic provisioning scenarios: -- **Azure Active Directory (Azure AD) Join with automatic mobile device management (MDM) enrollment.** In this scenario, the organization member just needs to provide their work or school user ID and password; the device can then be automatically joined to Azure Active Directory and enrolled in a mobile device management (MDM) solution with no additional user interaction. Once done, the MDM solution can finish configuring the device as needed. +### Azure Active Directory (AAD) join with automatic mobile device management (MDM) enrollment -- **Provisioning package configuration.** Using the [Windows Imaging and Configuration Designer (ICD)](https://go.microsoft.com/fwlink/p/?LinkId=619358), IT administrators can create a self-contained package that contains all of the configuration, settings, and apps that need to be applied to a machine. These packages can then be deployed to new PCs through a variety of means, typically by IT professionals. For more information, see [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm). +In this scenario, the organization member just needs to provide their work or school user ID and password; the device can then be automatically joined to Azure Active Directory and enrolled in a mobile device management (MDM) solution with no additional user interaction. Once done, the MDM solution can finish configuring the device as needed. For more information, see [Azure Active Directory integration with MDM](https://docs.microsoft.com/en-us/windows/client-management/mdm/azure-active-directory-integration-with-mdm). -Either way, these scenarios can be used to enable “choose your own device” (CYOD) programs where the organization’s users can pick their own PC and not be restricted to a small list of approved or certified models (programs that are difficult to implement using traditional deployment scenarios). +### Provisioning package configuration + +Using the [Windows Imaging and Configuration Designer (ICD)](https://go.microsoft.com/fwlink/p/?LinkId=619358), IT administrators can create a self-contained package that contains all of the configuration, settings, and apps that need to be applied to a machine. These packages can then be deployed to new PCs through a variety of means, typically by IT professionals. For more information, see [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm). + +These scenarios can be used to enable “choose your own device” (CYOD) programs where the organization’s users can pick their own PC and not be restricted to a small list of approved or certified models (programs that are difficult to implement using traditional deployment scenarios). While the initial Windows 10 release includes a variety of provisioning settings and deployment mechanisms, these will continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for additional features through the Windows Feedback app or through their Microsoft Support contacts. @@ -226,6 +227,7 @@ The traditional deployment scenario can be divided into different sub-scenarios. - **Computer replace.** A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup). ### New computer + This scenario occurs when you have a blank machine you need to deploy, or an existing machine you want to wipe and redeploy without needing to preserve any existing data. The setup starts from a boot media, using CD, USB, ISO, or Pre-Boot Execution Environment (PXE). You can also generate a full offline media that includes all the files needed for a client deployment, allowing you to deploy without having to connect to a central deployment share. The target can be a physical computer, a virtual machine, or a Virtual Hard Disk (VHD) running on a physical computer (boot from VHD). The deployment process for the new machine scenario is as follows: @@ -241,6 +243,7 @@ The deployment process for the new machine scenario is as follows: After taking these steps, the computer is ready for use. ### Computer refresh + A refresh is sometimes called wipe-and-load. The process is normally initiated in the running operating system. User data and settings are backed up and restored later as part of the deployment process. The target can be the same as for the new computer scenario. The deployment process for the wipe-and-load scenario is as follows: @@ -260,6 +263,7 @@ The deployment process for the wipe-and-load scenario is as follows: After taking these steps, the machine is ready for use. ### Computer replace + A computer replace is similar to the refresh scenario. However, since we are replacing the machine, we divide this scenario into two main tasks: backup of the old client and bare-metal deployment of the new client. As with the refresh scenario, user data and settings are backed up and restored. The deployment process for the replace scenario is as follows: @@ -271,6 +275,7 @@ The deployment process for the replace scenario is as follows: **Note**
In some situations, you can use the replace scenario even if the target is the same machine. For example, you can use replace if you want to modify the disk layout from the master boot record (MBR) to the GUID partition table (GPT), which will allow you to take advantage of the Unified Extensible Firmware Interface (UEFI) functionality. You can also use replace if the disk needs to be repartitioned since user data needs to be transferred off the disk. ## Related topics + - [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) - [Upgrade to Windows 10 with System Center Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md) - [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=620230) From 2b4591935a9564d933f9025e7107002fe9be3624 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Wed, 10 Jan 2018 00:53:41 +0000 Subject: [PATCH 08/19] Merged PR 5226: Added System/FeedbackHubAlwaysSaveDiagnosticsLocally to Policy CSP --- .../policy-configuration-service-provider.md | 6 + .../mdm/policy-csp-system.md | 104 +++++++++++++++++- 2 files changed, 109 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 40beecbd85..70a293fad5 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -2755,12 +2755,18 @@ The following diagram shows the Policy configuration service provider in tree fo
System/BootStartDriverInitialization
+
+ System/DisableEnterpriseAuthProxy +
System/DisableOneDriveFileSync
System/DisableSystemRestore
+
+ System/FeedbackHubAlwaysSaveDiagnosticsLocally +
System/LimitEnhancedDiagnosticDataWindowsAnalytics
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 78872346bf..909326c959 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -6,11 +6,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 12/14/2017 +ms.date: 12/19/2017 --- # Policy CSP - System +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
@@ -46,12 +48,18 @@ ms.date: 12/14/2017
System/BootStartDriverInitialization
+
+ System/DisableEnterpriseAuthProxy +
System/DisableOneDriveFileSync
System/DisableSystemRestore
+
+ System/FeedbackHubAlwaysSaveDiagnosticsLocally +
System/LimitEnhancedDiagnosticDataWindowsAnalytics
@@ -603,6 +611,50 @@ ADMX Info:
+**System/DisableEnterpriseAuthProxy** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data back to Microsoft on Windows 10. If you disable or do not configure this policy setting, the Connected User Experience and Telemetry service will automatically use an authenticated proxy to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy. + + + + + + +
+ **System/DisableOneDriveFileSync** @@ -731,6 +783,56 @@ ADMX Info:
+**System/FeedbackHubAlwaysSaveDiagnosticsLocally** + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducation
check mark4check mark4check mark4check mark4check mark4
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, next major update. When filing feedback in the Feedback Hub, diagnostic logs are collected for certain types of feedback. We now offer the option for users to save it locally, in addition to sending it to Microsoft. This policy will allow enterprises to mandate that all diagnostics are saved locally for use in internal investigations. + + + +The following list shows the supported values: + +- 0 (default) - False. The Feedback Hub will not always save a local copy of diagnostics that may be created when a feedback is submitted. The user will have the option to do so. +- 1 - True. The Feedback Hub should always save a local copy of diagnostics that may be created when a feedback is submitted. + + + + + + + + + +
+ **System/LimitEnhancedDiagnosticDataWindowsAnalytics** From a58fb36ae9ef68ebbca7f89bc1d20c338992f818 Mon Sep 17 00:00:00 2001 From: Benjamin Howorth Date: Wed, 10 Jan 2018 08:34:57 +0000 Subject: [PATCH 09/19] Updated itadmin-tib-get-started.md: Added note on length of time intune can take to activate. Also added link to the bottom to get more info for IT Admins. --- education/trial-in-a-box/itadmin-tib-get-started.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/education/trial-in-a-box/itadmin-tib-get-started.md b/education/trial-in-a-box/itadmin-tib-get-started.md index 790c442aac..0980686e42 100644 --- a/education/trial-in-a-box/itadmin-tib-get-started.md +++ b/education/trial-in-a-box/itadmin-tib-get-started.md @@ -25,6 +25,8 @@ Hello, IT administrators! In this guide, we'll show you how to quickly and easil 1. [Log in with your IT admin credentials](#task1) 2. [Configure a new device with Set up School PCs](#task2) 3. [Go through Intune for Education express configuration](#task3) +> [!NOTE] +> It may take some time before some apps are pushed down to your device from Intune for Education. Check again later if you don't see some of the apps you provisioned for the user. 4. [Buy an app from Microsoft Store for Education and deploy it to devices in your tenant](#task4) 5. [Add new folders to all devices in your tenant](#task5) @@ -232,4 +234,5 @@ Looking for other IT admin tasks to try? * [Try the BYOD scenario](https://docs.microsoft.com/en-us/education/get-started/finish-setup-and-other-tasks#connect-other-devices-to-your-cloud-infrastructure) ## Get more info +[Microsoft Education documentation and resources](https://docs.microsoft.com/education/) [Microsoft Education Trial in a Box](index.md) From 27ba56f6f5bed9c8ae139edf0a546cb36b0bbbdc Mon Sep 17 00:00:00 2001 From: Benjamin Howorth Date: Wed, 10 Jan 2018 08:47:02 +0000 Subject: [PATCH 10/19] Updated educator-tib-get-started.md: Added more specific commands to the Minecraft instructions. --- education/trial-in-a-box/educator-tib-get-started.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/education/trial-in-a-box/educator-tib-get-started.md b/education/trial-in-a-box/educator-tib-get-started.md index d1c799ce87..8bbee0b66d 100644 --- a/education/trial-in-a-box/educator-tib-get-started.md +++ b/education/trial-in-a-box/educator-tib-get-started.md @@ -107,7 +107,15 @@ Learn about Code Builder for Minecraft: Education Edition. 5. Double click on the world to launch it in Minecraft: Education Edition. 6. Once inside the world, click **Play** and use the guide to walk around and click on the different subject area examples to learn more about teaching and learning with Minecraft: Education Edition. - To visit a specific subject area section, right click on the button under the name of that subject area. Remember that the mouse works as your “eyes” in the game. Simply move your mouse around to look around the world. Use the Minecraft Controls key included below to walk forwards, backwards, left, and right in the game. Explore and have fun! + To visit a specific subject area section, right click on the button under the name of that subject area. Remember that the mouse works as your “eyes” in the game. Simply move your mouse around to look around the world. +* To move forward, use the W key. +* To move left, use the A key. +* To move right, The D key. +* And to move backward, use the S key. +* Want to get a bird’s eye view of the world? Double tap the space bar. +* To safely land, hold the shift key + +To try more advanced movements or building within Minecraft, use the Minecraft Controls Diagram. ![Minecraft mouse and keyboard controls](images/mcee_keyboard_mouse_controls.png) From e23a6dda10133a8444d18ffa63111a9467fa7614 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Wed, 10 Jan 2018 14:42:34 +0000 Subject: [PATCH 11/19] Merged PR 5229: Corrected syntax of Surface redirection --- .openpublishing.redirection.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 64e5ee645b..56172647cf 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -6,8 +6,8 @@ "redirect_document_id": true }, { -"source_path": "windows/devices/surface/surface-device-compatibility-with-windows-10-ltsb.md", -"redirect_url": "/windows/devices/surface/surface-device-compatibility-with-windows-10-ltsc", +"source_path": "devices/surface/surface-device-compatibility-with-windows-10-ltsb.md", +"redirect_url": "/devices/surface/surface-device-compatibility-with-windows-10-ltsc", "redirect_document_id": true }, { From 3a88f5cf871e01364a23aec7665baee6b3ddb67b Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Wed, 10 Jan 2018 15:58:13 +0000 Subject: [PATCH 12/19] Merged PR 5230: Added missing VPN settings (WCD) --- ...change-history-for-configure-windows-10.md | 1 + .../wcd/wcd-connectivityprofiles.md | 26 ++++++++++++++++--- 2 files changed, 23 insertions(+), 4 deletions(-) diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md index c6dd23361e..26d0466e4a 100644 --- a/windows/configuration/change-history-for-configure-windows-10.md +++ b/windows/configuration/change-history-for-configure-windows-10.md @@ -19,6 +19,7 @@ This topic lists new and updated topics in the [Configure Windows 10](index.md) New or changed topic | Description --- | --- +[ConnectivityProfiles](wcd/wcd-connectivityprofiles.md) | Added settings for VPN **Native** and **Third Party** profile types. [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md) | Clarified that the TopMFUApps elements in layoutmodification.xml are not supported in Windows 10, version 1709. ## November 2017 diff --git a/windows/configuration/wcd/wcd-connectivityprofiles.md b/windows/configuration/wcd/wcd-connectivityprofiles.md index 606cb7c349..5c8c80dffc 100644 --- a/windows/configuration/wcd/wcd-connectivityprofiles.md +++ b/windows/configuration/wcd/wcd-connectivityprofiles.md @@ -7,7 +7,7 @@ ms.sitesec: library author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker -ms.date: 09/06/2017 +ms.date: 01/10/2018 --- # ConnectivityProfiles (Windows Configuration Designer reference) @@ -114,15 +114,33 @@ Configure settings to change the default maximum transmission unit ([MTU](#mtu)) | Setting | Description | | --- | --- | | **ProfileType** | Choose between **Native** and **Third Party** | -| RememberCredentials | Select whether credentials should be cached | | AlwaysOn | Set to **True** to automatically connect the VPN at sign-in | -| LockDown | When set to **True**:
- Profile automatically becomes an "always on" profile
- VPN cannot be disconnected
-If the profile is not connected, the user has no network connectivity
- No other profiles can be connected or modified | | ByPassForLocal | When set to **True**, requests to local resources on the same Wi-Fi neetwork as the VPN client can bypass VPN | | DnsSuffix | Enter one or more comma-separated DNS suffixes. The first suffix listed is usedas the primary connection-specific DNS suffix for the VPN interface. The list is added to the SuffixSearchList. | -| TrustedNetworkDetection | Enter a comma-separated string to identify the trusted network. VPN will not connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device. | +| LockDown | When set to **True**:
- Profile automatically becomes an "always on" profile
- VPN cannot be disconnected
-If the profile is not connected, the user has no network connectivity
- No other profiles can be connected or modified | | Proxy | Configure to **Automatic** or **Manual** | | ProxyAutoConfigUrl | When **Proxy** is set to **Automatic**, enter the URL to automatically retrieve the proxy settings | | ProxyServer | When **Proxy** is set to **Manual**, enter the proxy server address as a fully qualified hostname or enter `IP address:Port` | +| RememberCredentials | Select whether credentials should be cached | +| TrustedNetworkDetection | Enter a comma-separated string to identify the trusted network. VPN will not connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device. | + +When **ProfileType** is set to **Native**, the following additional settings are available. + +Setting | Description +--- | --- +AuthenticationUserMethod | When you set **NativeProtocolType** to **IKEv2**, choose between **EAP** and **MSChapv2**. +EAPConfiguration | When you set **AuthenticationUserMethod** to **EAP**, enter the HTML-encoded XML to configure EAP. For more information, see [EAP configuration](https://docs.microsoft.com/windows/client-management/mdm/eap-configuration). +NativeProtocolType | Choose between **PPTP**, **L2TP**, **IKEv2**, and **Automatic**. +RoutingPolicyType | Choose between **SplitTunnel**, in which traffic can go over any interface as determined by the networking stack, and **ForceTunnel**, in which all IP traffic must go over the VPN interface. +Server | Enter the public or routable IP address or DNS name for the VPN gateway. It can point to the exteranl IP of a gateway or a virtual IP for a server farm. + +When **ProfileType** is set to **Third Party**, the following additional settings are available. + +Setting | Description +--- |--- +PluginProfileCustomConfiguration | Enter HTML-encoded XML for SSL-VPN plug-in specific configuration, including authentication information that is deployed to the device to make it available for SSL-VPN plug-ins. Contact the plug-in provider for format and other details. Most plug-ins can also configure values based on the server negotiations as well as defaults. +PluginProfilePackageFamilyName | Choose between **Pulse Secure VPN**, **F5 VPN Client**, and **SonicWALL Mobile Connect**. +PluginProfileServerUrlList | Enter a comma-separated list of servers in URL, hostname, or IP format. ## WiFiSense From fe38865cc4ebfddc8f9aa21f368e1a0aa4cc537f Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Wed, 10 Jan 2018 16:27:52 +0000 Subject: [PATCH 13/19] Merged PR 5227: Merge msfb-14856406 to master MSfB What's New --- ...tory-microsoft-store-business-education.md | 6 +- ...-new-microsoft-store-business-education.md | 14 +- windows/deployment/windows-autopilot/TOC.md | 16 +- .../windows-10-autopilot-demo-vm.md | 416 +++++++++--------- .../windows-autopilot/windows-10-autopilot.md | 266 +++++------ 5 files changed, 362 insertions(+), 356 deletions(-) diff --git a/store-for-business/release-history-microsoft-store-business-education.md b/store-for-business/release-history-microsoft-store-business-education.md index 6f1400e394..4d706c69f6 100644 --- a/store-for-business/release-history-microsoft-store-business-education.md +++ b/store-for-business/release-history-microsoft-store-business-education.md @@ -6,7 +6,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -ms.date: 11/30/2017 +ms.date: 1/8/2018 --- # Microsoft Store for Business and Education release history @@ -15,6 +15,10 @@ Microsoft Store for Business and Education regularly releases new and improved f Looking for info on the latest release? Check out [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) +## November 2017 + +- **Export list of Minecraft: Education Edition users** - Admins and teachers can now export a list of users who have Minecraft: Education Edition licenses assigned to them. Click **Export users**, and Store for Education creates an Excel spreadsheet for you, and saves it as a .csv file. + ## October 2017 - Bug fixes and permformance improvements. diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md index a5f0578801..38af4a8e01 100644 --- a/store-for-business/whats-new-microsoft-store-business-education.md +++ b/store-for-business/whats-new-microsoft-store-business-education.md @@ -6,7 +6,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa -ms.date: 11/30/2017 +ms.date: 1/8/2018 --- # What's new in Microsoft Store for Business and Education @@ -15,11 +15,9 @@ Microsoft Store for Business and Education regularly releases new and improved f ## Latest updates for Store for Business and Education -**November 2017** +**December 2017** -| | | -|-----------------------|---------------------------------| -| ![Microsoft Store for Business Edcucation, Export users link.](images/msfb-wn-1711-export-user.png) |**Export list of Minecraft: Education Edition users**

Admins and teachers can now export a list of users who have Minecraft: Education Edition licenses assigned to them. Click **Export users**, and Store for Education creates an Excel spreadsheet for you, and saves it as a .csv file.

**Applies to**:
Microsoft Store for Education | +We’ve been working on bug fixes and performance improvements to provide you a better experience. Stay tuned for new features!