From 5bce39ea1811650839de0e837588d34a7c1aa4e7 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Tue, 11 Jan 2022 15:57:04 +0530 Subject: [PATCH 01/68] fixed Acrolinx scores --- ...te-a-package-accelerator-with-powershell.md | 8 ++++---- .../appv-release-notes-for-appv-for-windows.md | 14 +++++++------- .../app-v/appv-technical-reference.md | 18 +++++++++--------- 3 files changed, 20 insertions(+), 20 deletions(-) diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md index 79b713f591..13e617e6bf 100644 --- a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md +++ b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md @@ -22,17 +22,17 @@ App-V Package Accelerators automatically sequence large, complex applications. A 1. Install the App-V sequencer. For more information about installing the sequencer, see [How to install the sequencer](appv-install-the-sequencer.md). 2. To open a Windows PowerShell console, select **Start** and enter **PowerShell**. Right-click **Windows PowerShell** and select **Run as Administrator**. -3. Make sure that you have the .appv package to create an accelerator from the installation media or installation files. You can also optionally use a readme file for the accelerator's users to reference. +3. Ensure you have the .apps package to create an accelerator from the installation media or installation files. You can also optionally use a readme file for the accelerator's users to reference. 4. Enter the **New-AppvPackageAccelerator** cmdlet. The following parameters are required to use the package accelerator cmdlet: - *InstalledFilesPath* specifies the application installation path. - *Installer* specifies the path to the application installer media. - - *InputPackagePath* specifies the path to the .appv package. + - *InputPackagePath* specifies the path to the.appv package. - *Path* specifies the output directory for the package. - The following example cmdlet shows how you can create a package accelerator with an .appv package and the installation media: + The following example cmdlet shows how you can create a package accelerator with .app package and the installation media: ```PowerShell New-AppvPackageAccelerator -InputPackagePath -Installer -Path @@ -46,6 +46,6 @@ App-V Package Accelerators automatically sequence large, complex applications. A -## Related topics +## Related articles - [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md) diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md index bfabcf0c97..908f5748b5 100644 --- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md +++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md @@ -20,13 +20,13 @@ ms.author: greglin The following are known issues and workarounds for Application Virtualization (App-V) running on Windows 10, version 1607. ## Windows Installer packages (.msi files) generated by the App-V sequencer (version 5.1 and earlier) fail to install on computers with the in-box App-V client -MSI packages that were generated using an App-V sequencer from previous versions of App-V (App-V versions 5.1 and earlier) include a check to validate that the App-V client is installed on client devices before allowing the MSI package to install. Now that the App-V client is installed automatically when you upgrade user devices to Windows 10, version 1607, the pre-requisite check fails and causes the MSI to fail. +There are MSI packages generated by an App-V sequencer from previous versions of App-V (Versions 5.1 and earlier). These packages include a check to validate whether the App-V client is installed on client devices, before allowing the MSI package to be installed. As the App-V client gets installed automatically when you upgrade user devices to Windows 10, version 1607, the pre-requisite check fails and causes the MSI to fail. **Workaround**: 1. Install the latest App-V sequencer, which you can get from the Windows Assessment and Deployment Kit (ADK) for Windows 10, version 1607. See [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). For more information, see [Install the App-V Sequencer](appv-install-the-sequencer.md). -2. Ensure that you have installed the **MSI Tools** included in the Windows 10 SDK, available as follows: +2. Ensure that you've installed the **MSI Tools** included in the Windows 10 SDK, available as follows: - For the **Visual Studio Community 2015 with Update 3** client, which includes the latest Windows 10 SDK and developer tools, see [Downloads and tools for Windows 10](https://developer.microsoft.com/en-us/windows/downloads). @@ -44,21 +44,21 @@ MSI packages that were generated using an App-V sequencer from previous versions `Update-AppvPackageMsi -MsiPackage "" -MsSdkPath ""` - where the path is to the new directory (**C:\MyMsiTools\ for this example**). + where the path is to the new directory (**C:\MyMsiTools\ for this example**). ## Error occurs during publishing refresh between App-V 5.0 SP3 Management Server and App-V Client on Windows 10 -An error is generated during publishing refresh when synchronizing packages from the App-V 5.0 SP3 management server to an App-V client on Windows 10. This error occurs because the App-V 5.0 SP3 server does not understand the Windows 10 operating system that is specified in the publishing URL. The issue is fixed for App-V publishing server, but is not backported to versions of App-V 5.0 SP3 or earlier. +An error is generated during publishing refresh when synchronizing packages from the App-V 5.0 SP3 management server to an App-V client on Windows 10. This error occurs because the App-V 5.0 SP3 server doesn't understand the Windows 10-operating system that is specified in the publishing URL. The issue is fixed for App-V publishing server, but isn't backported to versions of App-V 5.0 SP3 or earlier. **Workaround**: Upgrade the App-V 5.0 Management server to the App-V Management server for Windows 10 Clients. ## Custom configurations do not get applied for packages that will be published globally if they are set using the App-V Server If you assign a package to an AD group that contains machine accounts and apply a custom configuration to that group using the App-V Server, the custom configuration will not be applied to those machines. The App-V Client will publish packages assigned to a machine account globally. However, it stores custom configuration files per user in each user’s profile. Globally published packages will not have access to this custom configuration. -**Workaround**: Do one of the following: +**Workaround**: Implement one of the following tasks: -- Assign the package to groups containing only user accounts. This will ensure that the package’s custom configuration will be stored in each user’s profile and will be applied correctly. +- Assign the package to groups containing only user accounts. This assignation ensures that the package’s custom configuration will be stored in each user’s profile and will be applied correctly. -- Create a custom deployment configuration file and apply it to the package on the client using the Add-AppvClientPackage cmdlet with the –DynamicDeploymentConfiguration parameter. See [About App-V Dynamic Configuration](appv-dynamic-configuration.md) for more information. +- Create a custom deployment configuration file and apply it to the package on the client, using the Add-AppvClientPackage cmdlet with the –DynamicDeploymentConfiguration parameter. See [About App-V Dynamic Configuration](appv-dynamic-configuration.md) for more information. - Create a new package with the custom configuration using the App-V Sequencer. diff --git a/windows/application-management/app-v/appv-technical-reference.md b/windows/application-management/app-v/appv-technical-reference.md index 378c6cf052..4eeb5962c1 100644 --- a/windows/application-management/app-v/appv-technical-reference.md +++ b/windows/application-management/app-v/appv-technical-reference.md @@ -24,21 +24,21 @@ This section provides reference information related to managing App-V. - [Performance Guidance for Application Virtualization](appv-performance-guidance.md) - Provides strategy and context for many performance optimizations. Not all practices will be applicable. However, these are tested and supported. Using all suggested practices that are applicable to your organization will provide the optimal end-user experience. + Provides strategy and context for many performance optimizations. Not all practices will be applicable. However, these practices are tested and supported. Using all suggested practices that are applicable to your organization will provide the optimal end-user experience. - [Application Publishing and Client Interaction](appv-application-publishing-and-client-interaction.md) Describes how the following App-V client operations affect the local operating system: - App-V files and data storage locations -- package registry -- package store behavior -- roaming registry and data -- client application lifecycle management -- integration of App-V packages -- dynamic configuration -- side-by-side assemblies -- client logging +- Package registry +- Package store behavior +- Roaming registry and data +- Client application lifecycle management +- Integration of App-V packages +- Dynamic configuration +- Side-by-side assemblies +- Client logging - [Viewing App-V Server Publishing Metadata](appv-viewing-appv-server-publishing-metadata.md) From 441a66e050ebad0da1089e8b66b16fa1239e4904 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Tue, 11 Jan 2022 16:16:04 +0530 Subject: [PATCH 02/68] Update appv-release-notes-for-appv-for-windows.md --- .../app-v/appv-release-notes-for-appv-for-windows.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md index 908f5748b5..af731fd9e0 100644 --- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md +++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md @@ -109,9 +109,9 @@ In environments that are running the RDS Client or that have multiple concurrent **Workaround**: Have users log out and then log back in. ## Error message is erroneously displayed when the connection group is published only to the user -When you run Repair-AppvClientConnectionGroup, the following error is displayed, even when the connection group is published only to the user: “Internal App-V Integration error: Package not integrated for the user. Please ensure that the package is added to the machine and published to the user.” +When you run Repair-AppvClientConnectionGroup, the following error is displayed, even when the connection group is published only to the user: “Internal App-V Integration error: Package not integrated for the user. Ensure that the package is added to the machine and published to the user.” -**Workaround**: Do one of the following: +**Workaround**: Execute one of the following tasks: - Publish all packages in a connection group. @@ -119,7 +119,7 @@ When you run Repair-AppvClientConnectionGroup, the following error is displayed, - Repair packages individually using the Repair-AppvClientPackage command rather than the Repair-AppvClientConnectionGroup command. - Determine which packages are available to users and then run the **Repair-AppvClientPackage** command once for each package. Use Windows PowerShell cmdlets to do the following: + Determine which packages are available to users and then run the **Repair-AppvClientPackage** command once for each package. Use Windows PowerShell cmdlets to execute the following tasks: 1. Get all the packages in a connection group. @@ -128,7 +128,7 @@ When you run Repair-AppvClientConnectionGroup, the following error is displayed, 3. If the package is currently published, run **Repair-AppvClientPackage** on that package. ## Icons not displayed properly in Sequencer -Icons in the Shortcuts and File Type Associations tab are not displayed correctly when modifying a package in the App-V Sequencer. This problem occurs when the size of the icons are not 16x16 or 32x32. +Icons in the Shortcuts and File Type Associations tab are not displayed correctly when modifying a package in the App-V Sequencer. This problem occurs when the size of the icons is not 16x16 or 32x32. **Workaround**: Only use icons that are 16x16 or 32x32. From 7a36ba87e8d6f916cbaa91dafad567cef50e3ccc Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Wed, 12 Jan 2022 12:44:22 +0530 Subject: [PATCH 03/68] updates --- ...w-search-engine-customization-shortdesc.md | 27 ++++++++++-------- ...ure-additional-search-engines-shortdesc.md | 23 +++++++-------- .../configure-kiosk-mode-shortdesc.md | 28 +++++++++++-------- ...rning-off-required-extensions-shortdesc.md | 23 +++++++-------- 4 files changed, 57 insertions(+), 44 deletions(-) diff --git a/windows/client-management/includes/allow-search-engine-customization-shortdesc.md b/windows/client-management/includes/allow-search-engine-customization-shortdesc.md index 4992a19eab..1ecba430cb 100644 --- a/windows/client-management/includes/allow-search-engine-customization-shortdesc.md +++ b/windows/client-management/includes/allow-search-engine-customization-shortdesc.md @@ -1,11 +1,16 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, users can add new search engines or change the default search engine, in Settings. With this policy, you can prevent users from customizing the search engine in Microsoft Edge. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, users can execute the following tasks in Settings: +- Add new search engines +- Change the default search engine + +With this policy, you can prevent users from customizing the search engine in the Microsoft Edge browser. diff --git a/windows/client-management/includes/configure-additional-search-engines-shortdesc.md b/windows/client-management/includes/configure-additional-search-engines-shortdesc.md index f4a61c024c..873d33a2f0 100644 --- a/windows/client-management/includes/configure-additional-search-engines-shortdesc.md +++ b/windows/client-management/includes/configure-additional-search-engines-shortdesc.md @@ -1,11 +1,12 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, users cannot add, remove, or change any of the search engines in Microsoft Edge, but they can set a default search engine. You can set the default search engine using the Set default search engine policy. However, with this policy, you can configure up to five additional search engines and set any one of them as the default. If you previously enabled this policy and now want to disable it, disabling deletes all configured search engines. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, users can set a default search engine in the Microsoft Edge browser, using the Set default search engine policy. With this policy, you can configure up to five more search engines and set any one of them as the default. If you previously enabled this policy and now want to disable it, disabling deletes all configured search engines. diff --git a/windows/client-management/includes/configure-kiosk-mode-shortdesc.md b/windows/client-management/includes/configure-kiosk-mode-shortdesc.md index 0247b490e6..c76de7864b 100644 --- a/windows/client-management/includes/configure-kiosk-mode-shortdesc.md +++ b/windows/client-management/includes/configure-kiosk-mode-shortdesc.md @@ -1,11 +1,17 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single-app or as one of many apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with a tailored experience for kiosks, or normal browsing in Microsoft Edge. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + +For the Microsoft Edge browser, configure a behavior that is to be exhibited in kiosk mode with assigned access. This behavior configuration is for Microsoft Edge as a single-app or as one of many apps running on the kiosk device. + +You can facilitate the following functionalities in the Microsoft Edge browser: +- Execution of InPrivate full screen +- Execution of InPrivate multi-tab with a tailored experience for kiosks +- Provision for normal browsing diff --git a/windows/client-management/includes/prevent-turning-off-required-extensions-shortdesc.md b/windows/client-management/includes/prevent-turning-off-required-extensions-shortdesc.md index 7264330137..b7331dd725 100644 --- a/windows/client-management/includes/prevent-turning-off-required-extensions-shortdesc.md +++ b/windows/client-management/includes/prevent-turning-off-required-extensions-shortdesc.md @@ -1,11 +1,12 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge allows users to uninstall extensions by default. Enabling this policy prevents users from uninstalling extensions but lets them configure options for extensions defined in this policy, such as allowing InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. If you enabled this policy and now you want to disable it, the list of extension package family names (PFNs) defined in this policy get ignored after disabling this policy. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + +The Microsoft Edge browser allows users to uninstall extensions, by default. When the users work with extensions that come under a policy that is enabled, they can configure options for extensions defined in this policy, such as allowing InPrivate browsing. Any extra permissions requested by future updates of the extension get granted automatically. If - at this stage - you disable the policy, the list of extension package family names (PFNs) defined in this policy get ignored. From 48f678b7cdb5a9f4da7617566e0dc4dc04e5348f Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 17 Jan 2022 09:30:11 +0530 Subject: [PATCH 04/68] Update appv-create-a-package-accelerator-with-powershell.md --- .../appv-create-a-package-accelerator-with-powershell.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md index 79b713f591..2583a8e7d4 100644 --- a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md +++ b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md @@ -22,17 +22,17 @@ App-V Package Accelerators automatically sequence large, complex applications. A 1. Install the App-V sequencer. For more information about installing the sequencer, see [How to install the sequencer](appv-install-the-sequencer.md). 2. To open a Windows PowerShell console, select **Start** and enter **PowerShell**. Right-click **Windows PowerShell** and select **Run as Administrator**. -3. Make sure that you have the .appv package to create an accelerator from the installation media or installation files. You can also optionally use a readme file for the accelerator's users to reference. +3. Ensure you have the .Apps package to create an accelerator from the installation media or installation files. You can also optionally use a readme file for the accelerator's users to reference. 4. Enter the **New-AppvPackageAccelerator** cmdlet. The following parameters are required to use the package accelerator cmdlet: - *InstalledFilesPath* specifies the application installation path. - *Installer* specifies the path to the application installer media. - - *InputPackagePath* specifies the path to the .appv package. + - *InputPackagePath* specifies the path to the.appv package. - *Path* specifies the output directory for the package. - The following example cmdlet shows how you can create a package accelerator with an .appv package and the installation media: + The following example cmdlet shows how you can create a package accelerator with .app package and the installation media: ```PowerShell New-AppvPackageAccelerator -InputPackagePath -Installer -Path @@ -46,6 +46,6 @@ App-V Package Accelerators automatically sequence large, complex applications. A -## Related topics +## Related articles - [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md) From eafb51f24a0ea3c5d7f87d2992c2fbb77abf6858 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 17 Jan 2022 11:36:05 +0530 Subject: [PATCH 05/68] Acrolinx score improvement effort --- .../includes/provision-favorites-shortdesc.md | 30 ++++++++++++------- .../introduction-page-file.md | 2 +- .../disconnecting-from-mdm-unenrollment.md | 21 ++++++------- 3 files changed, 31 insertions(+), 22 deletions(-) diff --git a/windows/client-management/includes/provision-favorites-shortdesc.md b/windows/client-management/includes/provision-favorites-shortdesc.md index 30b9677f92..77281a67f6 100644 --- a/windows/client-management/includes/provision-favorites-shortdesc.md +++ b/windows/client-management/includes/provision-favorites-shortdesc.md @@ -1,11 +1,19 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, users can customize the Favorites list in Microsoft Edge. With this policy though, you provision a standard list of favorites, which can include folders, to appear in the Favorites list in addition to the user’s favorites. Edge. Once you provision the Favorites list, users cannot customize it, such as adding folders for organizing, and adding or removing any of the favorites configured. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, you can customize the Favorites list in the Microsoft Edge browser. Whatever you customize becomes the standard list. + +> [!NOTE] +> The standard list of favorites can include folders. + +The favorites that you add also become part of this standard list. + +Once your customized Favorites list appears in the Microsoft Edge browser, you cannot customize it again, such as adding folders for organizing, and adding or removing any of the favorites configured. diff --git a/windows/client-management/introduction-page-file.md b/windows/client-management/introduction-page-file.md index 329d185fad..be5ce9c487 100644 --- a/windows/client-management/introduction-page-file.md +++ b/windows/client-management/introduction-page-file.md @@ -35,7 +35,7 @@ For example, the following Windows servers require page files: - Certificate servers - ADAM/LDS servers -This is because the algorithm of the database cache for Extensible Storage Engine (ESENT, or ESE for Microsoft Exchange Server) depends on the "\Memory\Transition Pages RePurposed/sec" performance monitor counter. A page file is required to make sure that the database cache can release memory if other services or applications request memory. +This requirement is because the algorithm of the database cache for Extensible Storage Engine (ESENT, or ESE for Microsoft Exchange Server) depends on the "\Memory\Transition Pages RePurposed/sec" performance monitor counter. A page file is required to ensure that the database cache can release memory if other services or applications request memory. For Windows Server 2012 Hyper-V and Windows Server 2012 R2 Hyper-V, the page file of the management OS (commonly called the host OS) should be left at the default of setting of "System Managed". diff --git a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md index a9e4996ee9..f238066bb2 100644 --- a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md +++ b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md @@ -1,6 +1,6 @@ --- title: Disconnecting from the management infrastructure (unenrollment) -description: Disconnecting may be initiated either locally by the user from the phone or remotely by the IT admin using management server. +description: Disconnecting is initiated either locally by the user using a phone or remotely by the IT admin using management server. MS-HAID: - 'p\_phdevicemgmt.disconnecting\_from\_the\_management\_infrastructure\_\_unenrollment\_' - 'p\_phDeviceMgmt.disconnecting\_from\_mdm\_unenrollment' @@ -18,15 +18,16 @@ ms.date: 06/26/2017 # Disconnecting from the management infrastructure (unenrollment) -Disconnecting may be initiated either locally by the user from the phone or remotely by the IT admin using management server. User-initiated disconnection is performed much like the initial connection, and it is initiated from the same location in the Setting Control Panel as creating the workplace account. Users may choose to disconnect for any number of reasons, including leaving the company or getting a new device and no longer needing access to their LOB apps on the old device. When an administrator initiates a disconnection, the enrollment client performs the disconnection during its next regular maintenance session. Administrators may choose to disconnect a user’s device after they’ve left the company or because the device is regularly failing to comply with the organization’s security settings policy. +The Disconnecting process is done either locally by the user who uses a phone or remotely by the IT administrator using management server. The user-initiated disconnection process is similar to the initial connection, wherein its initiation is from the same location in the Setting Control Panel as creating the workplace account. +The users choose to disconnect for any number of reasons, such as the ones described below: leaving the company or getting a new device or not needing access to their LOB apps on the old device, anymore. When an IT administrator initiates a disconnection, the enrollment client performs the disconnection during the next regular maintenance session. Administrators choose to disconnect users' device after they’ve left the company or because the device is regularly failing to comply with the organization’s security settings policy. -During disconnection, the client does the following: +During disconnection, the client executes the following tasks: - Removes the enterprise application token that allowed installing and running LOB apps. Any business applications associated with this enterprise token are removed as well. - Removes certificates that are configured by MDM server. -- Ceases enforcement of the settings policies that the management infrastructure has applied. +- Ceases enforcement of the settings policies applied by the management infrastructure. - Removes the device management client configuration and other setting configuration added by MDM server, including the scheduled maintenance task. The client remains dormant unless the user reconnects it to the management infrastructure. -- Reports successful initiated disassociation to the management infrastructure if the admin initiated the process. Note that in Windows, user-initiated disassociation is reported to the server as a best effort. +- Reports successfully initiated disassociation to the management infrastructure if the admin initiated the process. In Windows, a user-initiated disassociation is reported to the server as a best effort. ## In this topic @@ -40,7 +41,7 @@ During disconnection, the client does the following: ## User-initiated disconnection -In Windows, after the user confirms the account deletion command and before the account is deleted, the MDM client will send a notification to the MDM server notifying that the server the account will be removed. This is a best effort action as no retry is built-in to ensure the notification is successfully sent to the device. +In Windows, after the user confirms the account deletion command and before the account is deleted, the MDM client will notify to the MDM server that the account will be removed. This is a best-effort action as no retry is built-in to ensure the notification is successfully sent to the device. This action utilizes the OMA DM generic alert 1226 function to send a user an MDM unenrollment user alert to the MDM server after the device accepts the user unenrollment request, but before it deletes any enterprise data. The server should set the expectation that unenrollment may succeed or fail, and the server can check whether the device is unenrolled by either checking whether the device calls back at scheduled time or by sending a push notification to the device to see whether it responds back. If the server plans to send a push notification, it should allow for some delay to give the device the time to complete the unenrollment work. @@ -126,7 +127,7 @@ When the server initiates disconnection, all undergoing sessions for the enrollm If the user is enrolled into MDM using an Azure Active Directory (AAD Join or by adding a Microsoft work account), the MDM account will show up under the Work Access page. However, the **Disconnect** button is greyed out and not accessible. Users can remove that MDM account by removing the AAD association to the device. -You can only use the Work Access page to unenroll under the following conditions: +You can only use the Work Access page to un-enroll under the following conditions: - Enrollment was done using bulk enrollment. - Enrollment was created using the Work Access page. @@ -135,11 +136,11 @@ You can only use the Work Access page to unenroll under the following conditions ## Unenrollment from Azure Active Directory Join -When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there is no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data. +When a user is enrolled into MDM through Azure Active Directory Join and later, the enrollment disconnects, there is no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data. ![aadj unenerollment.](images/azure-ad-unenrollment.png) -When a device is enrolled into MDM through Azure Active Directory Join and then remotely unenrolled, the device may get into a state where it must be re-imaged. When devices are remotely unenrolled from MDM, the AAD association is also removed. This safeguard is in place to avoid leaving the corporated devices in unmanaged state. +At the time a device is enrolled into MDM through Azure Active Directory Join and then remotely unenrolled, the device may get into a state where it must be reimaged. When devices are remotely unenrolled from MDM, the Azure Active Directory association is also removed. This safeguard is in place to avoid leaving the corporated devices in unmanaged state. Before remotely unenrolling corporate devices, you must ensure that there is at least one admin user on the device that is not part of the Azure tenant, otherwise the device will not have any admin user after the operation. @@ -148,7 +149,7 @@ In mobile devices, remote unenrollment for Azure Active Directory Joined devices ## IT admin–requested disconnection -The server requests an enterprise management disconnection request by issuing an Exec OMA DM SyncML XML command to the device using the DMClient configuration service provider’s Unenroll node during the next client-initiated DM session. The Data tag inside the Exec command should be the value of the provisioned DM server ProviderID. For more information, see the Enterprise-specific DM client configuration topic. +The server requests an enterprise management disconnection by issuing an Exec OMA DM SyncML XML command to the device, using the DMClient configuration service provider’s Unenroll node during the next client-initiated DM session. The Data tag inside the Exec command should be the value of the provisioned DM server ProviderID. For more information, see the Enterprise-specific DMClient configuration topic. When the disconnection is completed, the user is notified that the device has been disconnected from enterprise management. From 19fd32f7c2c4ef4985892877f97e062822083e4c Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 17 Jan 2022 14:26:25 +0530 Subject: [PATCH 06/68] Acrolinx score --- .../mdm/disconnecting-from-mdm-unenrollment.md | 8 ++++---- .../mdm/enrollmentstatustracking-csp.md | 8 ++++---- .../mdm/esim-enterprise-management.md | 8 ++++---- .../mdm/policy-csp-admx-sdiageng.md | 4 ++-- .../mdm/policy-csp-servicecontrolmanager.md | 2 +- .../mdm/push-notification-windows-mdm.md | 8 ++++---- .../client-management/mdm/tenantlockdown-csp.md | 12 ++++++------ windows/client-management/mdm/tpmpolicy-csp.md | 14 +++++++------- 8 files changed, 32 insertions(+), 32 deletions(-) diff --git a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md index f238066bb2..f3e3c24cf9 100644 --- a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md +++ b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md @@ -41,12 +41,12 @@ During disconnection, the client executes the following tasks: ## User-initiated disconnection -In Windows, after the user confirms the account deletion command and before the account is deleted, the MDM client will notify to the MDM server that the account will be removed. This is a best-effort action as no retry is built-in to ensure the notification is successfully sent to the device. +In Windows, after the user confirms the account deletion command and before the account is deleted, the MDM client will notify to the MDM server that the account will be removed. This notification is a best-effort action as no retry is built-in to ensure the notification is successfully sent to the device. This action utilizes the OMA DM generic alert 1226 function to send a user an MDM unenrollment user alert to the MDM server after the device accepts the user unenrollment request, but before it deletes any enterprise data. The server should set the expectation that unenrollment may succeed or fail, and the server can check whether the device is unenrolled by either checking whether the device calls back at scheduled time or by sending a push notification to the device to see whether it responds back. If the server plans to send a push notification, it should allow for some delay to give the device the time to complete the unenrollment work. > [!NOTE] -> The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, refer to the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/). +> The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, see the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/).   The vendor uses the Type attribute to specify what type of generic alert it is. For device initiated MDM unenrollment, the alert type is **com.microsoft:mdm.unenrollment.userrequest**. @@ -127,7 +127,7 @@ When the server initiates disconnection, all undergoing sessions for the enrollm If the user is enrolled into MDM using an Azure Active Directory (AAD Join or by adding a Microsoft work account), the MDM account will show up under the Work Access page. However, the **Disconnect** button is greyed out and not accessible. Users can remove that MDM account by removing the AAD association to the device. -You can only use the Work Access page to un-enroll under the following conditions: +You can only use the Work Access page to unenroll under the following conditions: - Enrollment was done using bulk enrollment. - Enrollment was created using the Work Access page. @@ -140,7 +140,7 @@ When a user is enrolled into MDM through Azure Active Directory Join and later, ![aadj unenerollment.](images/azure-ad-unenrollment.png) -At the time a device is enrolled into MDM through Azure Active Directory Join and then remotely unenrolled, the device may get into a state where it must be reimaged. When devices are remotely unenrolled from MDM, the Azure Active Directory association is also removed. This safeguard is in place to avoid leaving the corporated devices in unmanaged state. +During the process in which a device is enrolled into MDM through Azure Active Directory Join and then remotely unenrolled, the device may get into a state where it must be reimaged. When devices are remotely unenrolled from MDM, the Azure Active Directory association is also removed. This safeguard is in place to avoid leaving the corporated devices in unmanaged state. Before remotely unenrolling corporate devices, you must ensure that there is at least one admin user on the device that is not part of the Azure tenant, otherwise the device will not have any admin user after the operation. diff --git a/windows/client-management/mdm/enrollmentstatustracking-csp.md b/windows/client-management/mdm/enrollmentstatustracking-csp.md index 3b4e865ccb..6cf9e1ad93 100644 --- a/windows/client-management/mdm/enrollmentstatustracking-csp.md +++ b/windows/client-management/mdm/enrollmentstatustracking-csp.md @@ -1,6 +1,6 @@ --- title: EnrollmentStatusTracking CSP -description: Learn how to perform a hybrid certificate trust deployment of Windows Hello for Business, for systems with no previous installations. +description: Learn how to execute a hybrid certificate trust deployment of Windows Hello for Business, for systems with no previous installations. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -11,14 +11,14 @@ ms.date: 05/21/2019 # EnrollmentStatusTracking CSP -During Autopilot deployment, you can configure the Enrollment Status Page (ESP) to block the device use until the required apps are installed. You can select the apps that must be installed before using the device. The EnrollmentStatusTracking configuration service provider (CSP) is used by Intune's agents, such as SideCar to configure ESP for blocking the device use until the required Win32 apps are installed. It tracks the installation status of the required policy providers and the apps they install and sends it to ESP, which displays the installation progress message to the user. For more information on ESP, see [Windows Autopilot Enrollment Status page](/windows/deployment/windows-autopilot/enrollment-status). +During Autopilot deployment, you can configure the Enrollment Status Page (ESP) to block the device usage until the required apps are installed. You can select the apps that must be installed before using the device. The EnrollmentStatusTracking configuration service provider (CSP) is used by Intune's agents, such as SideCar, to configure ESP for blocking the device usage until the required Win32 apps are installed. It tracks the installation status of the required policy providers and the apps they install and sends it to ESP, which displays the installation progress message to the user. For more information on ESP, see [Windows Autopilot Enrollment Status page](/windows/deployment/windows-autopilot/enrollment-status). -ESP uses the EnrollmentStatusTracking CSP along with the DMClient CSP to track the installation of different apps. The EnrollmentStatusTracking CSP tracks Win32 apps installations and DMClient CSP tracks MSI and Universal Windows Platform apps installations. In DMClient CSP, the **FirstSyncStatus/ExpectedMSIAppPackages** and **FirstSyncStatus/ExpectedModernAppPackages** nodes list the apps to track their installation. See [DMClient CSP](dmclient-csp.md) for more information. +ESP uses the EnrollmentStatusTracking CSP along with the DMClient CSP to track the installation of different apps. The EnrollmentStatusTracking CSP tracks Win32 apps installations and DMClient CSP tracks MSI and Universal Windows Platform apps installations. In DMClient CSP, the **FirstSyncStatus/ExpectedMSIAppPackages** and **FirstSyncStatus/ExpectedModernAppPackages** nodes list the apps to track their installation. For more information, see [DMClient CSP](dmclient-csp.md). The EnrollmentStatusTracking CSP was added in Windows 10, version 1903. -The following shows the EnrollmentStatusTracking CSP in tree format. +The following example shows the EnrollmentStatusTracking CSP in tree format. ``` ./User/Vendor/MSFT EnrollmentStatusTracking diff --git a/windows/client-management/mdm/esim-enterprise-management.md b/windows/client-management/mdm/esim-enterprise-management.md index f1dd261229..f3e01980bb 100644 --- a/windows/client-management/mdm/esim-enterprise-management.md +++ b/windows/client-management/mdm/esim-enterprise-management.md @@ -12,12 +12,12 @@ ms.topic: conceptual --- # How Mobile Device Management Providers support eSIM Management on Windows -The eSIM Profile Management Solution puts the Mobile Device Management (MDM) Provider in the front and center. The whole idea is to use an already existing solution that customers are familiar with and that they use to manage devices. The expectations from an MDM are that it will use the same sync mechanism that it uses for device policies to push any policy to the eSIM profile, and be able to use Groups and Users the same way. This way, the eSIM profile download and the installation happen in the background without impacting the end user. Similarly, the IT admin would use the same method of managing the eSIM profiles (Assignment/de-assignment, etc.) the same way as they currently do device management. +The eSIM Profile Management Solution places the Mobile Device Management (MDM) Provider in the front and center. The whole idea is to use an already-existing solution that customers are familiar with and use to manage devices. The expectations from an MDM are that it will use the same sync mechanism that it uses for device policies to push any policy to the eSIM profile, and be able to use Groups and Users the same way. This way, the eSIM profile download and the installation happen in the background without impacting the end user. Similarly, the IT admin would use the same method of managing the eSIM profiles (Assignment/de-assignment, etc.) the same way as they currently do device management. If you are a Mobile Device Management (MDM) Provider and want to support eSIM Management on Windows, perform the following steps: - Onboard to Azure Active Directory -- Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. As an MDM provider, if you are looking to integrate/onboard to a mobile operator on a 1:1 basis, contact them and learn more about their onboarding. If you would like to integrate and work with only one MDM provider, contact that provider directly. If you would like to offer eSIM management to customers using different MDM providers, contact an orchestrator provider. Orchestrator providers act as proxy handling MDM onboarding as well as mobile operator onboarding. Their role is to make the process as painless and scalable as possible for all parties. Potential orchestrator providers you could contact include: - - [HPE’s Device Entitlement Gateway](https://www.hpe.com/emea_europe/en/solutions/digital-communications-services.html) - - [IDEMIA’s The Smart Connect - Hub](https://www.idemia.com/smart-connect-hub) +- Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this capability to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This characteristic makes it possible to remotely manage the eSIM profiles according to the company policies. As an MDM provider, if you are looking to integrate/onboard to a mobile operator on a 1:1 basis, contact them and learn more about their onboarding. If you would like to integrate and work with only one MDM provider, contact that provider directly. If you would like to offer eSIM management to customers using different MDM providers, contact an orchestrator provider. Orchestrator providers act as proxy handling MDM onboarding and as a mobile operator onboarding. Their role is to make the process as painless and scalable as possible for all parties. Potential orchestrator providers you could contact include: + - [HPE Device Entitlement Gateway](https://www.hpe.com/emea_europe/en/solutions/digital-communications-services.html) + - [IDEMIA The Smart Connect - Hub](https://www.idemia.com/smart-connect-hub) - Assess solution type that you would like to provide your customers - Batch/offline solution - IT Admin can manually import a flat file containing list of eSIM activation codes, and provision eSIM on LTE enabled devices. diff --git a/windows/client-management/mdm/policy-csp-admx-sdiageng.md b/windows/client-management/mdm/policy-csp-admx-sdiageng.md index d2b7755488..5b902e0ec5 100644 --- a/windows/client-management/mdm/policy-csp-admx-sdiageng.md +++ b/windows/client-management/mdm/policy-csp-admx-sdiageng.md @@ -66,7 +66,7 @@ manager: dansimp -This policy setting allows users who are connected to the Internet to access and search troubleshooting content that is hosted on Microsoft content servers. Users can access online troubleshooting content from within the Troubleshooting Control Panel UI by clicking "Yes" when they are prompted by a message that states, "Do you want the most up-to-date troubleshooting content?" +This policy setting allows Internet-connected users to access and search troubleshooting content that is hosted on Microsoft content servers. Users can access online troubleshooting content from within the Troubleshooting Control Panel UI by clicking "Yes" when they are prompted by a message that states, "Do you want the most up-to-date troubleshooting content?" If you enable or do not configure this policy setting, users who are connected to the Internet can access and search troubleshooting content that is hosted on Microsoft content servers from within the Troubleshooting Control Panel user interface. @@ -116,7 +116,7 @@ This policy setting allows users to access and run the troubleshooting tools tha If you enable or do not configure this policy setting, users can access and run the troubleshooting tools from the Troubleshooting Control Panel. -If you disable this policy setting, users cannot access or run the troubleshooting tools from the Control Panel. +If this policy setting is disabled, the users cannot access or run the troubleshooting tools from the Control Panel. >[!Note] >This setting also controls a user's ability to launch standalone troubleshooting packs such as those found in .diagcab files. diff --git a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md index f8b22ff8c3..5b40aa9385 100644 --- a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md +++ b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md @@ -58,7 +58,7 @@ This policy setting enables process mitigation options on svchost.exe processes. If you enable this policy setting, built-in system services hosted in svchost.exe processes will have stricter security policies enabled on them. -This includes a policy requiring all binaries loaded in these processes to be signed by Microsoft, and a policy disallowing dynamically generated code. +These stricter security policies include a policy requiring all binaries loaded in these processes to be signed by Microsoft, and a policy disallowing dynamically generated code. > [!IMPORTANT] > Enabling this policy could cause compatibility issues with third-party software that uses svchost.exe processes (for example, third-party antivirus software). diff --git a/windows/client-management/mdm/push-notification-windows-mdm.md b/windows/client-management/mdm/push-notification-windows-mdm.md index 13294f3ce5..0b8ad9e938 100644 --- a/windows/client-management/mdm/push-notification-windows-mdm.md +++ b/windows/client-management/mdm/push-notification-windows-mdm.md @@ -18,17 +18,17 @@ ms.date: 09/22/2017 # Push notification support for device management -The [DMClient CSP](dmclient-csp.md) supports the ability to configure push-initiated device management sessions. Using the [Windows Notification Services (WNS)](/previous-versions/windows/apps/hh913756(v=win.10)), a management server can request a device to establish a management session with the server through a push notification. A device is configured to support push by the management server by providing the device with a PFN for an application. Once the device is configured, it registers a persistent connection with the WNS cloud (Battery Sense and Data Sense conditions permitting). +The [DMClient CSP](dmclient-csp.md) supports the ability to configure push-initiated device management sessions. Using the [Windows Notification Services (WNS)](/previous-versions/windows/apps/hh913756(v=win.10)), a management server can request a device to establish a management session with the server through a push notification. A device is provided with a PFN for an application. This provision results in the device getting configured, to support a push to it by the management server. Once the device is configured, it registers a persistent connection with the WNS cloud (Battery Sense and Data Sense conditions permitting). -To initiate a device management session, the management server must first authenticate with WNS using its SID and client secret. Once authenticated, the server receives a token that it can use to initiate a raw push notification for any ChannelURI. When the management server wants to initiate a device management session with a device, it can utilize its token and the device ChannelURI and begin communicating with the device. +To initiate a device management session, the management server must first authenticate with WNS using its SID and client secret. Once authenticated, the server receives a token to initiate a raw push notification for any ChannelURI. When the management server wants to initiate a management session with a device, it can utilize the token and the device ChannelURI, and begin communicating with the device. For more information about how to get push credentials (SID and client secret) and PFN to use in WNS, see [Get WNS credentials and PFN for MDM push notification](#get-wns-credentials-and-pfn-for-mdm-push-notification). Because a device may not always be connected to the internet, WNS supports caching notifications for delivery to the device once it reconnects. To ensure your notification is cached for delivery, set the X-WNS-Cache-Policy header to Cache. Additionally, if the server wants to send a time-bound raw push notification, the server can use the X-WNS-TTL header that will provide WNS with a time-to-live binding so that the notification will expire after the time has passed. For more information, see [Raw notification overview (Windows Runtime apps)](/previous-versions/windows/apps/jj676791(v=win.10)). -Note the following restrictions related to push notifications and WNS: +The following restrictions are related to push notifications and WNS: -- Push for device management uses raw push notifications. This means that these raw push notifications do not support or utilize push notification payloads. +- Push for device management uses raw push notifications. This restriction means that these raw push notifications do not support or utilize push notification payloads. - Receipt of push notifications are sensitive to the Battery Saver and Data Sense settings on the device. For example, if the battery drops below certain thresholds, the persistent connection of the device with WNS will be terminated. Additionally, if the user is utilizing Data Sense and has exceeded their monthly allotment of data, the persistent connection of the device with WNS will also be terminated. - A ChannelURI provided to the management server by the device is only valid for 30 days. The device automatically renews the ChannelURI after 15 days and triggers a management session on successful renewal of the ChannelURI. It is strongly recommended that, during every management session, the management server queries the ChannelURI value to ensure that it has received the latest value. This will ensure that the management server will not attempt to use a ChannelURI that has expired. - Push is not a replacement for having a polling schedule. diff --git a/windows/client-management/mdm/tenantlockdown-csp.md b/windows/client-management/mdm/tenantlockdown-csp.md index 52db501db8..af816d6d88 100644 --- a/windows/client-management/mdm/tenantlockdown-csp.md +++ b/windows/client-management/mdm/tenantlockdown-csp.md @@ -16,12 +16,12 @@ manager: dansimp > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This CSP was added in Windows 10, version 1809. -The TenantLockdown configuration service provider is used by the IT admin to lock a device to a tenant, which ensures that the device remains bound to the tenant in case of accidental or intentional resets or wipes. +The TenantLockdown configuration service provider is used by the IT admin to lock a device to a tenant, which ensures that the device remains bound to the tenant if accidental or intentional resets or wipes occur. > [!NOTE] > The forced network connection is only applicable to devices after reset (not new). -The following shows the TenantLockdown configuration service provider in tree format. +The following example shows the TenantLockdown configuration service provider in tree format. ``` ./Vendor/MSFT TenantLockdown @@ -31,13 +31,13 @@ TenantLockdown The root node. **RequireNetworkInOOBE** -Specifies whether to require a network connection during the out-of-box experience (OOBE) at first logon. +Specifies whether to require a network connection during the out-of-box experience (OOBE) at first sign in. -When RequireNetworkInOOBE is true, when the device goes through OOBE at first logon or after a reset, the user is required to choose a network before proceeding. There is no "skip for now" option. +When RequireNetworkInOOBE is true, when the device goes through OOBE at first sign in or after a reset, the user is required to choose a network before proceeding. There is no "skip for now" option. Value type is bool. Supported operations are Get and Replace. -- true - Require network in OOBE -- false - No network connection requirement in OOBE +- True - Require network in OOBE +- False - No network connection requirement in OOBE Example scenario: Henry is the IT admin at Contoso. He deploys 1000 devices successfully with RequireNetworkInOOBE set to true. When users accidentally or intentionally reset their device, they are required to connect to a network before they can proceed. Upon successful connection, users see the Contoso branded sign-in experience where they must use their Azure AD credentials. There is no option to skip the network connection and create a local account. diff --git a/windows/client-management/mdm/tpmpolicy-csp.md b/windows/client-management/mdm/tpmpolicy-csp.md index 6c01205868..0c7915fe7c 100644 --- a/windows/client-management/mdm/tpmpolicy-csp.md +++ b/windows/client-management/mdm/tpmpolicy-csp.md @@ -1,6 +1,6 @@ --- title: TPMPolicy CSP -description: The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero exhaust configuration on a Windows device for TPM software components. +description: The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero-exhaust configuration on a Windows device for TPM software components. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -14,11 +14,11 @@ manager: dansimp # TPMPolicy CSP -The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero exhaust configuration on a Windows device for TPM software components. Zero exhaust is defined as no network traffic (diagnostic data or otherwise, such as downloading background images, Windows Updates, and so on.) from Windows and inbox applications to public IP addresses unless directly intended by the user. This allows the enterprise admin to configure devices where no network communication is initiated by the system without explicit approval. +The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero-exhaust configuration on a Windows device for TPM software components. Zero exhaust is defined as no network traffic (diagnostic data or otherwise, such as downloading background images, Windows Updates, and so on) from Windows and inbox applications to public IP addresses, unless directly intended by the user. This definition allows the enterprise admin to configure devices where no network communication is initiated by the system without explicit approval. The TPMPolicy CSP was added in Windows 10, version 1703. -The following shows the TPMPolicy configuration service provider in tree format. +The following example shows the TPMPolicy configuration service provider in tree format. ``` ./Vendor/MSFT TPMPolicy @@ -28,13 +28,13 @@ TPMPolicy

Defines the root node.

**IsActiveZeroExhaust** -

Boolean value that indicates whether network traffic from the device to public IP addresses is not allowed unless directly intended by the user (zero exhaust). Default value is false. Some examples when zero exhaust is configured:

+

Boolean value that indicates that network traffic from the device to public IP addresses is not allowed unless directly intended by the user (zero exhaust). The default value is false. Examples of zero-exhaust configuration and the conditions it requires are described below:

  • There should be no traffic when machine is on idle. When the user is not interacting with the system/device, no traffic is expected.
    • -
  • There should be no traffic during installation of Windows and first logon when local ID is used.
    • -
  • Launching and using a local app (Notepad, Paint, and so on.) should not send any traffic. Similarly, performing common tasks (clicking on start menu, browsing folders, and so on.) should not send any traffic.
    • -
  • Launching and using Internet enabled apps should not send any unexpected traffic (for maintenance, diagnostic data, and so on.) to Microsoft.
    • +
  • There should be no traffic during installation of Windows and first sign in when local ID is used.
    • +
  • Launching and using a local app (Notepad, Paint, and so on) should not send any traffic. Similarly, performing common tasks (clicking on start menu, browsing folders, and so on.) should not send any traffic.
    • +
  • Launching and using Internet enabled apps should not send any unexpected traffic (for maintenance, diagnostic data, and so on) to Microsoft.
Here is an example: From fb92af87d79051b0c9ff2809e3521e0ecb405756 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 17 Jan 2022 14:49:27 +0530 Subject: [PATCH 07/68] Update appv-create-a-package-accelerator-with-powershell.md --- .../appv-create-a-package-accelerator-with-powershell.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md index 13e617e6bf..6c752ffbf6 100644 --- a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md +++ b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md @@ -22,17 +22,17 @@ App-V Package Accelerators automatically sequence large, complex applications. A 1. Install the App-V sequencer. For more information about installing the sequencer, see [How to install the sequencer](appv-install-the-sequencer.md). 2. To open a Windows PowerShell console, select **Start** and enter **PowerShell**. Right-click **Windows PowerShell** and select **Run as Administrator**. -3. Ensure you have the .apps package to create an accelerator from the installation media or installation files. You can also optionally use a readme file for the accelerator's users to reference. +3. Ensure there's the .appv package to create an accelerator from the installation media or installation files. You can also optionally use a readme file for the accelerator's users to reference. 4. Enter the **New-AppvPackageAccelerator** cmdlet. The following parameters are required to use the package accelerator cmdlet: - *InstalledFilesPath* specifies the application installation path. - *Installer* specifies the path to the application installer media. - - *InputPackagePath* specifies the path to the.appv package. + - *InputPackagePath* specifies the path to the .appv package. - *Path* specifies the output directory for the package. - The following example cmdlet shows how you can create a package accelerator with .app package and the installation media: + The following example cmdlet shows how you can create a package accelerator with the .appv package and the installation media: ```PowerShell New-AppvPackageAccelerator -InputPackagePath -Installer -Path From b5fc4de8c076a943adb3cff1959663a4a5576a7b Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 17 Jan 2022 14:56:02 +0530 Subject: [PATCH 08/68] Update appv-create-a-package-accelerator-with-powershell.md --- .../appv-create-a-package-accelerator-with-powershell.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md index 6c752ffbf6..645ed56d14 100644 --- a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md +++ b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md @@ -22,17 +22,17 @@ App-V Package Accelerators automatically sequence large, complex applications. A 1. Install the App-V sequencer. For more information about installing the sequencer, see [How to install the sequencer](appv-install-the-sequencer.md). 2. To open a Windows PowerShell console, select **Start** and enter **PowerShell**. Right-click **Windows PowerShell** and select **Run as Administrator**. -3. Ensure there's the .appv package to create an accelerator from the installation media or installation files. You can also optionally use a readme file for the accelerator's users to reference. +3. Ensure there's the App-V package to create an accelerator from the installation media or installation files. You can also optionally use a readme file for the accelerator's users to reference. 4. Enter the **New-AppvPackageAccelerator** cmdlet. The following parameters are required to use the package accelerator cmdlet: - *InstalledFilesPath* specifies the application installation path. - *Installer* specifies the path to the application installer media. - - *InputPackagePath* specifies the path to the .appv package. + - *InputPackagePath* specifies the path to the App-V package. - *Path* specifies the output directory for the package. - The following example cmdlet shows how you can create a package accelerator with the .appv package and the installation media: + The following example cmdlet shows how you can create a package accelerator with the App-V package and the installation media: ```PowerShell New-AppvPackageAccelerator -InputPackagePath -Installer -Path From eca7661e5574728be0d2cfc797d463b7b0153fc5 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 17 Jan 2022 15:04:29 +0530 Subject: [PATCH 09/68] Delete appv-create-a-package-accelerator-with-powershell.md --- ...e-a-package-accelerator-with-powershell.md | 51 ------------------- 1 file changed, 51 deletions(-) delete mode 100644 windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md deleted file mode 100644 index 2583a8e7d4..0000000000 --- a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md +++ /dev/null @@ -1,51 +0,0 @@ ---- -title: How to create a package accelerator by using Windows PowerShell (Windows 10/11) -description: Learn how to create an App-v Package Accelerator by using Windows PowerShell. App-V Package Accelerators automatically sequence large, complex applications. -author: greg-lindsay -ms.pagetype: mdop, appcompat, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library -ms.prod: w10 -ms.date: 07/10/2018 -ms.reviewer: -manager: dansimp -ms.author: greglin -ms.topic: article ---- -# How to create a package accelerator by using Windows PowerShell - -[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] - -App-V Package Accelerators automatically sequence large, complex applications. Also, when you apply an App-V Package Accelerator, you don't have to manually install an application to create the virtualized package. - -## Create a package accelerator - -1. Install the App-V sequencer. For more information about installing the sequencer, see [How to install the sequencer](appv-install-the-sequencer.md). -2. To open a Windows PowerShell console, select **Start** and enter **PowerShell**. Right-click **Windows PowerShell** and select **Run as Administrator**. -3. Ensure you have the .Apps package to create an accelerator from the installation media or installation files. You can also optionally use a readme file for the accelerator's users to reference. -4. Enter the **New-AppvPackageAccelerator** cmdlet. - - The following parameters are required to use the package accelerator cmdlet: - - - *InstalledFilesPath* specifies the application installation path. - - *Installer* specifies the path to the application installer media. - - *InputPackagePath* specifies the path to the.appv package. - - *Path* specifies the output directory for the package. - - The following example cmdlet shows how you can create a package accelerator with .app package and the installation media: - - ```PowerShell - New-AppvPackageAccelerator -InputPackagePath -Installer -Path - ``` - - You can also use the following optional parameter with the **New-AppvPackageAccelerator** cmdlet: - - - *AcceleratorDescriptionFile* specifies the path to user-created package accelerator instructions. The package accelerator instructions are **.txt** or **.rtf** description files that will be included in the package created by the package accelerator. - - - - - -## Related articles - -- [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md) From 4f4395f6830fb2decab21853dbd87492d91b8b21 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Wed, 19 Jan 2022 22:51:05 +0530 Subject: [PATCH 10/68] Acrolinx score enhancement --- ...compatibility-administrator-users-guide.md | 4 +- ...se-management-strategies-and-deployment.md | 43 ++++++++------- ...ection-considerations-for-windows-to-go.md | 6 +-- .../deployment/planning/sua-users-guide.md | 2 +- .../using-the-sdbinstexe-command-line-tool.md | 4 +- .../planning/using-the-sua-wizard.md | 6 +-- .../planning/windows-10-compatibility.md | 10 ++-- .../windows-10-infrastructure-requirements.md | 15 +++--- ...ndows-to-go-frequently-asked-questions.yml | 4 +- .../deployment/update/plan-define-strategy.md | 4 +- .../usmt/understanding-migration-xml-files.md | 4 +- .../usmt-estimate-migration-store-size.md | 20 +++---- .../usmt/usmt-hard-link-migration-store.md | 12 ++--- ...usmt-identify-operating-system-settings.md | 16 +++--- .../deployment/usmt/usmt-scanstate-syntax.md | 8 +-- .../deployment/usmt/xml-file-requirements.md | 8 +-- ...t-to-microsoft-during-activation-client.md | 4 +- .../volume-activation/introduction-vamt.md | 12 ++--- .../manage-activations-vamt.md | 6 +-- .../scenario-proxy-activation-vamt.md | 14 ++--- .../volume-activation/vamt-step-by-step.md | 4 +- .../windows-deployment-scenarios-and-tools.md | 52 +++++++++---------- 22 files changed, 132 insertions(+), 126 deletions(-) diff --git a/windows/deployment/planning/compatibility-administrator-users-guide.md b/windows/deployment/planning/compatibility-administrator-users-guide.md index f0d03186b1..e2e505838d 100644 --- a/windows/deployment/planning/compatibility-administrator-users-guide.md +++ b/windows/deployment/planning/compatibility-administrator-users-guide.md @@ -27,7 +27,7 @@ ms.custom: seo-marvel-mar2020 - Windows Server 2012 - Windows Server 2008 R2 -The Compatibility Administrator tool helps you resolve potential application-compatibility issues before deploying a new version of Windows to your organization. Compatibility Administrator provides the following: +The Compatibility Administrator tool helps you resolve potential application-compatibility issues before deploying a new version of Windows to your organization. Compatibility Administrator provides: - Compatibility fixes, compatibility modes, and AppHelp messages that you can use to resolve specific compatibility issues. @@ -48,4 +48,4 @@ The following flowchart shows the steps for using the Compatibility Administrato |--- |--- | |[Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md)|This section provides information about using the Compatibility Administrator tool.| |[Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md)|This section provides information about managing your application-compatibility fixes and custom-compatibility fix databases. This section explains the reasons for using compatibility fixes and how to deploy custom-compatibility fix databases.| -|[Using the Sdbinst.exe Command-Line Tool](using-the-sdbinstexe-command-line-tool.md)|You must deploy your customized database (.Sdb) files to other computers in your organization before your compatibility fixes, compatibility modes, and AppHelp messages are applied. You can deploy your customized database files in several ways. Including, by using a logon script, by using Group Policy, or by performing file copy operations.| \ No newline at end of file +|[Using the Sdbinst.exe Command-Line Tool](using-the-sdbinstexe-command-line-tool.md)|Ensure that you deploy your customized database (.Sdb) files to other computers in your organization before your compatibility fixes, compatibility modes, and AppHelp messages are applied. You can deploy your customized database files in several ways, including, by using a logon script, by using Group Policy, or by performing file copy operations.| \ No newline at end of file diff --git a/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md b/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md index 18f52b5803..fae3bcf0a8 100644 --- a/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md +++ b/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md @@ -4,7 +4,7 @@ ms.assetid: fdfbf02f-c4c4-4739-a400-782204fd3c6c ms.reviewer: manager: laurawi ms.author: greglin -description: Learn about deploying your compatibility fixes as part of an application-installation package or through a centralized compatibility-fix database. +description: Learn how to deploy your compatibility fixes into an application-installation package or through a centralized compatibility-fix database. ms.prod: w10 ms.mktglfcycl: plan ms.pagetype: appcompat @@ -28,40 +28,43 @@ ms.custom: seo-marvel-mar2020 - Windows Server 2012 - Windows Server 2008 R2 -After you determine that you will use compatibility fixes in your application-compatibility mitigation strategy, you must define a strategy to manage your custom compatibility-fix database. Typically, you can use one of two approaches: +To use fixes in application-compatibility mitigation strategy, define a strategy to manage your custom compatibility-fix database. Typically, you can use one of the two following approaches: - Deploying your compatibility fixes as part of an application-installation package. - Deploying your compatibility fixes through a centralized compatibility-fix database. -Regardless of which approach you decide to use in your organization, Microsoft provides the following general recommendations for improving the management of your custom compatibility-fix databases: +Microsoft provides general recommends the following remedies for improving the management of your custom compatibility-fix databases. -- **Define standards for when you will apply compatibility fixes.** +> [!NOTE] +> These recommendations are not based on irrespective of the approach you decide to use. The following are the general recommendations. - You must define the standards and scenarios for using compatibility fixes, based on your specific business and technology needs. +- **Define standards for when you will apply compatibility fixes** -- **Define standards for your custom compatibility-fix databases.** + Ensure that the standards and scenarios for using compatibility fixes are defined, based on your specific business and technology needs. - You must define how to associate your compatibility fixes to particular applications. For example, you might want to ensure that your compatibility fixes always include a version check, so that a fix will not be applied to newer versions of your applications. +- **Define standards for your custom compatibility-fix databases** -- **Define your resources responsible for addressing questions and enforcing your standards.** + Compatibility fixes must include a version check, so that mapping to particular applications becomes easy. Ensure that your compatibility fixes always, so that the fix won't be applied to newer versions of your applications. - You must determine who will be responsible for staying current with the technology and standards related to your compatibility fixes and custom compatibility-fix databases. As your databases are managed over time, you must ensure that someone in your organization stays current with the relevant technology. +- **Define your resources responsible for addressing questions and enforcing your standards** + + Ensure you determine who will be responsible for staying current with the technology and standards that are related to your compatibility fixes and custom compatibility-fix databases. As your databases are managed over time, you must ensure that someone in your organization stays current with the relevant technology. ## Strategies for Deploying Your Compatibility Fixes -We recommend that you use one of two strategies to deploy your compatibility fixes into your organization. They are: +We recommend the usage of one of the two strategies to deploy your compatibility fixes into your organization. They are: - Deploying your compatibility fixes as part of an application-installation package. - Deploying your compatibility fixes through a centralized compatibility-fix database. -You must determine which method best meets your organization's deployment needs. +Determine which method best meets your organization's deployment needs. ### Deploying Fixes as Part of an Application-Installation Package -One strategy for deploying compatibility fixes is to create a custom compatibility-fix database that contains a single entry that is applied directly to the application-installation package. While this is the most straightforward method of deployment, it has been shown that this method can become overly complex, especially if you are fixing a large number of applications. +One strategy to deploy compatibility fixes is to create a custom compatibility-fix database that contains a single entry that is applied directly to the application-installation package. While this is the most straightforward method of deployment, it has been shown that this method can become overly complex, especially if you are fixing a large number of applications. If the following considerations apply to your organization, you should avoid this strategy and instead consider using a centralized compatibility-fix database, as described in the next section. @@ -114,7 +117,7 @@ If you decide to use the centralized compatibility-fix database deployment strat Deploying your custom compatibility-fix database into your organization requires you to perform the following actions: -1. Store your custom compatibility-fix database (.sdb file) in a location that is accessible to all of your organization's computers. +1. Store your custom compatibility-fix database (.sib file) in a location that is accessible to all of your organization's computers. 2. Use the Sdbinst.exe command-line tool to install the custom compatibility-fix database locally. @@ -122,7 +125,7 @@ In order to meet the two requirements above, we recommend that you use one of th - **Using a Windows Installer package and a custom script** - You can package your .sdb file and a custom deployment script into an .msi file, and then deploy the .msi file into your organization. + You can package your .sib file and a custom deployment script into a file with the .msi extension, and then deploy the .msi file into your organization. > [!IMPORTANT] > You must ensure that you mark your custom script so that it does not impersonate the calling user. For example, if you use Microsoft® Visual Basic® Scripting Edition (VBScript), the custom action type would be: @@ -131,16 +134,16 @@ In order to meet the two requirements above, we recommend that you use one of th - **Using a network share and a custom script** -You can store your .sdb file on your network share and then call to a script that resides on your specified computers. +You can store the .sib file on your network share, and then call to a script available on your specified computers. > [!IMPORTANT] -> You must ensure that you call the script at a time when it will receive elevated rights. For example, you should call the script by using computer startup scripts instead of a user logon script. You must also ensure that the installation of the custom compatibility-fix database occurs with Administrator rights. +> Ensure that you call the script at a time when it can receive elevated rights. For example, you should call the script by using computer startup scripts instead of a user logon script. You must also ensure that the installation of the custom compatibility-fix database occurs with Administrator rights. -### Example Script for an Installation of the .sdb File based on an .msi File +### Example Script for installation of .sib File based on .msi File -The following examples show an installation of a custom compatibility-fix database based on an .msi file. +The following examples show an installation of a custom compatibility-fix database based on a .msi file. ``` 'InstallSDB.vbs @@ -161,7 +164,7 @@ End Function ### Initial Deployment and Updates -Most of your testing of application-compatibility issues will happen prior to the deployment of a new Windows operating system into your environment. As such, a common approach is to include the custom compatibility-fix database, which includes all of your known issues, in your corporate image. Then, as you update your compatibility-fix database, you can provide the updates by using one of the two mechanisms described in the "Deploying Your Custom Compatibility Fix Databases" section earlier in this topic. +Application-compatibility is tested, from which issues are reported, even before a new Windows operating system is deployed. To handle these issues, include the custom compatibility-fix database, which includes all of your known issues, in your corporate image. Later, update your compatibility-fix database; provide the updates by using one of the two mechanisms that are described in the "Deploying Your Custom Compatibility Fix Databases" section. -## Related topics +## Related articles [Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md) diff --git a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md index cf91886a29..a40bab3ece 100644 --- a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md +++ b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md @@ -53,20 +53,20 @@ If you are using a host computer running Windows 7 that has BitLocker enabled, We recommend that you use the **NoDefaultDriveLetter** attribute when provisioning the USB drive to help prevent accidental data leakage. **NoDefaultDriveLetter** will prevent the host operating system from assigning a drive letter if a user inserts it into a running computer. This means the drive will not appear in Windows Explorer and an Auto-Play prompt will not be displayed to the user. This reduces the likelihood that an end user will access the offline Windows To Go disk directly from another computer. If you use the Windows To Go Creator to provision a workspace, this attribute will automatically be set for you. -To prevent accidental data leakage between Windows To Go and the host system Windows 8 has a new SAN policy—OFFLINE\_INTERNAL - “4” to prevent the operating system from automatically bringing online any internally connected disk. The default configuration for Windows To Go has this policy enabled. It is strongly recommended you do not change this policy to allow mounting of internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 operating system, mounting the drive will lead to loss of hibernation state and, therefore, user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted. +To prevent accidental data leakage between Windows To Go and the host system Windows 8 has a new SAN policy—OFFLINE\_INTERNAL - “4” to prevent the operating system from automatically bringing online any internally connected disk. The default configuration for Windows To Go has this policy enabled. It is recommended you do not change this policy to allow mounting of internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 operating system, mounting the drive will lead to loss of hibernation state and, therefore, user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted. For more information, see [How to Configure Storage Area Network (SAN) Policy in Windows PE](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825063(v=win.10)). ## Security certifications for Windows To Go -Windows to Go is a core capability of Windows when it is deployed on the drive and is configured following the guidance for the applicable security certification. Solutions built using Windows To Go can be submitted for more certifications by the solution provider that cover the solution provider’s specific hardware environment. For more information about Windows security certifications, see the following topics. +Windows to Go is a core capability of Windows when it is deployed on the drive and is configured following the guidance for the applicable security certification. Solutions built using Windows To Go can be submitted for more certifications by the solution provider that cover the solution provider’s specific hardware environment. For more information about Windows security certifications, see the following articles. - [Windows Platform Common Criteria Certification](/windows/security/threat-protection/windows-platform-common-criteria) - [FIPS 140 Evaluation](/windows/security/threat-protection/fips-140-validation) -## Related topics +## Related articles [Windows To Go: feature overview](windows-to-go-overview.md) diff --git a/windows/deployment/planning/sua-users-guide.md b/windows/deployment/planning/sua-users-guide.md index d3fad3aced..83926ee905 100644 --- a/windows/deployment/planning/sua-users-guide.md +++ b/windows/deployment/planning/sua-users-guide.md @@ -32,7 +32,7 @@ You can use Standard User Analyzer (SUA) to test your applications and monitor A You can use SUA in either of the following ways: -- **Standard User Analyzer Wizard.** A wizard that guides you through a step-by-step process to locate and fix issues, without options for additional analysis. +- **Standard User Analyzer Wizard.** A wizard that guides you through a step-by-step process to locate and fix issues, without options for more analysis. - **Standard User Analyzer Tool.** A full-function tool in which you can perform in-depth analysis and fix issues. diff --git a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md b/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md index 3369ff0c1e..46307344ea 100644 --- a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md +++ b/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md @@ -28,7 +28,7 @@ ms.topic: article - Windows Server 2012 - Windows Server 2008 R2 -You must deploy your customized database (.sdb) files to other computers in your organization. That is, before your compatibility fixes, compatibility modes, and AppHelp messages are applied. You can deploy your customized database files in several ways. By using a logon script, by using Group Policy, or by performing file copy operations. +Deploy your customized database (.sdb) files to other computers in your organization. That is, before your compatibility fixes, compatibility modes, and AppHelp messages are applied. You can deploy your customized database files in several ways. By using a logon script, by using Group Policy, or by performing file copy operations. After you deploy and store the customized databases on each of your local computers, you must register the database files. Until you register the database files, the operating system is unable to identify the available compatibility fixes when starting an application. @@ -69,6 +69,6 @@ The following table describes the available command-line options. |-g *GUID*|Specifies the customized database to uninstall by a globally unique identifier (GUID).

For example,
`sdbinst.exe -g 6586cd8f-edc9-4ea8-ad94-afabea7f62e3`| |-n *"name"*|Specifies the customized database to uninstall by file name.

For example,
`sdbinst.exe -n "My_Database"`| -## Related topics +## Related articles [Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) diff --git a/windows/deployment/planning/using-the-sua-wizard.md b/windows/deployment/planning/using-the-sua-wizard.md index 4ee4675b0d..bcbda77946 100644 --- a/windows/deployment/planning/using-the-sua-wizard.md +++ b/windows/deployment/planning/using-the-sua-wizard.md @@ -42,7 +42,7 @@ The following flowchart shows the process of using the SUA Wizard. **To test an application by using the SUA Wizard** -1. On the computer where the SUA Wizard is installed, log on by using a non-administrator account. +1. On the computer where the SUA Wizard is installed, sign in by using a non-administrator account. 2. Run the Standard User Analyzer Wizard. @@ -76,9 +76,9 @@ The following flowchart shows the process of using the SUA Wizard. The SUA Wizard closes the issue as resolved on the local computer. - If the remedies do not fix the issue with the application, click **No** again, and the wizard may offer additional remedies. If the additional remedies do not fix the issue, the wizard informs you that there are no more remedies available. For information about how to run the SUA tool for additional investigation, see [Using the SUA Tool](using-the-sua-tool.md). + If the remedies do not fix the issue with the application, click **No** again, and the wizard may offer another remedies. If the other remedies do not fix the issue, the wizard informs you that there are no more remedies available. For information about how to run the SUA tool for additional investigation, see [Using the SUA Tool](using-the-sua-tool.md). -## Related topics +## Related articles [SUA User's Guide](sua-users-guide.md)   diff --git a/windows/deployment/planning/windows-10-compatibility.md b/windows/deployment/planning/windows-10-compatibility.md index 1689fef566..1544a8ad6a 100644 --- a/windows/deployment/planning/windows-10-compatibility.md +++ b/windows/deployment/planning/windows-10-compatibility.md @@ -27,7 +27,7 @@ Windows 10 will be compatible with most existing PC hardware; most devices runn For full system requirements, see [Windows 10 specifications](https://go.microsoft.com/fwlink/p/?LinkId=625077). Some driver updates may be required for Windows 10. -Existing desktop (Win32) application compatibility is also expected to be strong, with most existing applications working without any changes. Some applications that interface with Windows at a low level, those that use undocumented APIs, or those that do not follow recommended coding practices could experience issues. +Existing desktop (Win32) application compatibility is also expected to be strong, with most existing applications working without any changes. Those applications that interface with Windows at a low level, those applications that use undocumented APIs, or those that do not follow recommended coding practices could experience issues. Existing Windows Store (WinRT) apps created for Windows 8 and Windows 8.1 should also continue to work, because compatibility can be validated against all the apps that have been submitted to the Windows Store. @@ -36,13 +36,13 @@ For web apps and sites, modern HTML5-based sites should also have a high degree ## Recommended application testing process -Historically, organizations have performed extensive, and often exhaustive, testing of the applications they use before deployment of a new Windows version, service pack, or any other significant update. With Windows 10, organizations are encouraged to leverage more optimized testing processes, which reflects the higher levels of compatibility that are expected. At a high level: +Historically, organizations have performed extensive, and often exhaustive, testing of the applications they use before deployment of a new Windows version, service pack, or any other significant update. With Windows 10, organizations are encouraged to use more optimized testing processes, which reflect the higher levels of compatibility that are expected. At a high level: -- Identify mission-critical applications and websites, those that are absolutely essential to the organization’s operations. Focus testing efforts on this subset of applications, early in the Windows development cycle (for example, with Windows Insider Program builds) to identify potential issues. Report any issues you encounter with the Windows Feedback tool, so that these issues can be addressed prior to the next Windows release. +- Identify mission-critical applications and websites, those applications and websites that are essential to the organization’s operations. Focus testing efforts on this subset of applications, early in the Windows development cycle (for example, with Windows Insider Program builds) to identify potential issues. Report any issues you encounter with the Windows Feedback tool, so that these issues can be addressed prior to the next Windows release. -- For less critical applications, leverage an “internal flighting” or pilot-based approach, by deploying new Windows upgrades to groups of machines, growing gradually in size and potential impact, to verify compatibility with hardware and software. Reactively address issues before you expand the pilot to more machines. +- For less critical applications, apply an “internal flighting” or pilot-based approach, by deploying new Windows upgrades to groups of machines, growing gradually in size and potential impact, to verify compatibility with hardware and software. Reactively address issues before you expand the pilot to more machines. -## Related topics +## Related articles [Windows 10 servicing options](../update/waas-servicing-strategy-windows-10-updates.md) diff --git a/windows/deployment/planning/windows-10-infrastructure-requirements.md b/windows/deployment/planning/windows-10-infrastructure-requirements.md index 005813b401..b10e9e5164 100644 --- a/windows/deployment/planning/windows-10-infrastructure-requirements.md +++ b/windows/deployment/planning/windows-10-infrastructure-requirements.md @@ -1,6 +1,6 @@ --- title: Windows 10 infrastructure requirements (Windows 10) -description: Review the specific infrastructure requirements to deploy and manage Windows 10, prior to significant Windows 10 deployments within your organization. +description: Review the infrastructure requirements for deployment and management of Windows 10, prior to significant Windows 10 deployments within your organization. ms.assetid: B0FA27D9-A206-4E35-9AE6-74E70748BE64 ms.reviewer: manager: laurawi @@ -22,11 +22,11 @@ ms.topic: article - Windows 10 -There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. +There are specific infrastructure requirements that should be in place for the deployment and management of Windows 10. Fulfill these requirements before any Windows 10-related deployments take place. ## High-level requirements -For initial Windows 10 deployments, as well as subsequent Windows 10 upgrades, ensure that sufficient disk space is available for distribution of the Windows 10 installation files (about 3 GB for Windows 10 x64 images, slightly smaller for x86). Also, be sure to take into account the network impact of moving these large images to each PC; you may need to leverage local server storage. +For initial Windows 10 deployments, and for subsequent Windows 10 upgrades, ensure that sufficient disk space is available for distribution of the Windows 10 installation files (about 3 GB for Windows 10 x64 images, slightly smaller for x86). Also, be sure to take into account the network impact of moving these large images to each PC; you may need to leverage local server storage. For persistent VDI environments, carefully consider the I/O impact from upgrading large numbers of PCs in a short period of time. Ensure that upgrades are performed in smaller numbers, or during off-peak time periods. (For pooled VDI environments, a better approach is to replace the base image with a new version.) @@ -72,7 +72,10 @@ Windows Server Update Services (WSUS) requires some additional configuration to WSUS product list with Windows 10 choices -Because Windows 10 updates are cumulative in nature, each month’s new update will supersede the previous month's. Consider leveraging “express installation” packages to reduce the size of the payload that needs to be sent to each PC each month; see [Express installation files](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd939908(v=ws.10)) for more information. (Note that this will increase the amount of disk storage needed by WSUS, and impacts all operating systems being managed with WSUS.) +Because Windows 10 updates are cumulative in nature, each month’s new update will supersede the previous month's update. Consider using “express installation” packages to reduce the size of the payload that needs to be sent to each PC each month; see [Express installation files](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd939908(v=ws.10)) for more information. + +> [!NOTE] +> The usage of "express installation" packages will increase the amount of disk storage needed by WSUS, and impacts all operating systems being managed with WSUS. ## Activation @@ -93,9 +96,9 @@ Additionally, new product keys will be needed for all types of volume license ac - For KMS keys, click **Licenses** and then select **Relationship Summary**. Click the appropriate active license ID, and then select **Product Keys** near the right side of the page. For KMS running on Windows Server, find the **Windows Srv 2012R2 DataCtr/Std KMS for Windows 10** product key; for KMS running on client operating systems, find the **Windows 10** product key. - For MAK keys, click **Downloads and Keys**, and then filter the list by using **Windows 10** as a product. Click the **Key** link next to an appropriate list entry (for example, **Windows 10 Enterprise** or **Windows 10 Enterprise LTSB**) to view the available MAK keys. (You can also find keys for KMS running on Windows 10 in this list. These keys will not work on Windows servers running KMS.) -Note that Windows 10 Enterprise and Windows 10 Enterprise LTSC installations use different MAK keys. But you can use the same KMS server or Active Directory-based activation environment for both; the KMS keys obtained from the Volume Licensing Service Center will work with both. +Windows 10 Enterprise and Windows 10 Enterprise LTSC installations use different MAK keys. But you can use the same KMS server or Active Directory-based activation environment for both; the KMS keys obtained from the Volume Licensing Service Center will work with both. -## Related topics +## Related articles [Windows 10 servicing options](../update/waas-servicing-strategy-windows-10-updates.md)
[Windows 10 deployment considerations](windows-10-deployment-considerations.md)
diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml index 408bcd13d0..a912d623b5 100644 --- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml +++ b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml @@ -56,7 +56,7 @@ summary: | - [Why can't I enable BitLocker from Windows To Go Creator?](#why-can-t-i-enable-bitlocker-from-windows-to-go-creator-) - - [What power states does Windows To Go support?](#what-power-states-does-windows-to-go-support-) + - [What power states do Windows To Go support?](#what-power-states-does-windows-to-go-support-) - [Why is hibernation disabled in Windows To Go?](#why-is-hibernation-disabled-in-windows-to-go-) @@ -120,7 +120,7 @@ sections: - question: | Does Windows To Go rely on virtualization? answer: | - No. Windows To Go is a native instance of Windows 10 that runs from a USB device. It is just like a laptop hard drive with Windows 8 that has been put into a USB enclosure. + No. Windows To Go is a native instance of Windows 10 that runs from a USB device. It's just like a laptop hard drive with Windows 8 that has been put into a USB enclosure. - question: | Who should use Windows To Go? diff --git a/windows/deployment/update/plan-define-strategy.md b/windows/deployment/update/plan-define-strategy.md index 289cffc216..4ae3eb751c 100644 --- a/windows/deployment/update/plan-define-strategy.md +++ b/windows/deployment/update/plan-define-strategy.md @@ -21,7 +21,7 @@ ms.collection: m365initiative-coredeploy Traditionally, organizations treated the deployment of operating system updates (especially feature updates) as a discrete project that had a beginning, a middle, and an end. A release was "built" (usually in the form of an image) and then distributed to users and their devices. -Today, more organizations are treating deployment as a continual process of updates that roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--without interrupting the entire process. Microsoft has been evolving its Windows 10 release cycles, update mechanisms, and relevant tools to support this model. Feature updates are released twice per year, around March and September. All releases of Windows 10 have 18 months of servicing for all editions. Fall releases of the Enterprise and Education editions have an additional 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release. +Today, more organizations are treating deployment as a continual process of updates that roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--without interrupting the entire process. Microsoft has been evolving its Windows 10 release cycles, update mechanisms, and relevant tools to support this model. Feature updates are released twice per year, around March and September. All releases of Windows 10 have 18 months of servicing for all editions. Fall releases of the Enterprise and Education editions have an extra 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release. Though we encourage you to deploy every available release and maintain a fast cadence for some portion of your environment, we also recognize that you might have a large number of devices, and a need for little or no disruption, and so you might choose to update annually. The 18/30 month lifecycle cadence lets you allow some portion of your environment to move faster while a majority can move less quickly. @@ -41,6 +41,6 @@ This cadence might be most suitable for you if any of these conditions apply: - You want to wait and see how successful other companies are at adopting a Windows 10 feature update. -- You want to go quickly with feature updates, and want the ability to skip a feature update while keeping Windows 10 serviced in case business priorities change. Aligning to the Windows 10 feature update released in the second half of each calendar year, you get additional servicing for Windows 10 (30 months of servicing compared to 18 months). +- You want to go quickly with feature updates, and want the ability to skip a feature update while keeping Windows 10 serviced in case business priorities change. Aligning to the Windows 10 feature update released in the second half of each calendar year, you get extra servicing for Windows 10 (30 months of servicing compared to 18 months). diff --git a/windows/deployment/usmt/understanding-migration-xml-files.md b/windows/deployment/usmt/understanding-migration-xml-files.md index f6a8ab4221..4c54794786 100644 --- a/windows/deployment/usmt/understanding-migration-xml-files.md +++ b/windows/deployment/usmt/understanding-migration-xml-files.md @@ -168,14 +168,14 @@ The default MigUser.xml file does not migrate the following: - ACLS for files in folders outside the user profile. -You can make a copy of the MigUser.xml file and modify it to include or exclude standard user-profile folders and file name extensions. If you know all of the extensions for the files you want to migrate from the source computer, use the MigUser.xml file to move all of your relevant data, regardless of the location of the files. However, this may result in a migration that contains more files than intended. For example, if you choose to migrate all .jpg files, you may migrate image files such as thumbnails and logos from legacy applications that are installed on the source computer. +You can make a copy of the MigUser.xml file and modify it to include or exclude standard user-profile folders and file name extensions. If you know all of the extensions for the files you want to migrate from the source computer, use the MigUser.xml file to move all of your relevant data, regardless of the location of the files. However, this provision may result in a migration that contains more files than intended. For example, if you choose to migrate all .jpg files, you may migrate image files such as thumbnails and logos from legacy applications that are installed on the source computer. > [!NOTE] > Each file name extension you include in the rules within the MigUser.xml file increases the amount of time needed for the ScanState tool to gather the files for the migration. If you are migrating more than 300 file types, you may experience a slow migration. For more information about other ways to organize the migration of your data, see the [Using multiple XML files](#bkmk-multiple) section of this document. ## Using multiple XML files -You can use multiple XML files with the ScanState and LoadState tools. Each of the default XML files included with or generated by USMT is configured for a specific component of the migration. You can also use custom XML files to supplement these default files with additional migration rules. +You can use multiple XML files with the ScanState and LoadState tools. Each of the default XML files included with or generated by USMT is configured for a specific component of the migration. You can also use custom XML files to supplement these default files with more migration rules. |XML migration file|Modifies the following components:| |--- |--- | diff --git a/windows/deployment/usmt/usmt-estimate-migration-store-size.md b/windows/deployment/usmt/usmt-estimate-migration-store-size.md index 51ea6051cb..7d7d97e2cd 100644 --- a/windows/deployment/usmt/usmt-estimate-migration-store-size.md +++ b/windows/deployment/usmt/usmt-estimate-migration-store-size.md @@ -24,7 +24,7 @@ The disk space requirements for a migration are dependent on the size of the mig - [Hard Disk Space Requirements](#bkmk-spacereqs). Describes the disk space requirements for the migration store and other considerations on the source and destination computers. -- [Calculate Disk Space Requirements Using the ScanState Tool](#bkmk-calcdiskspace). Describes how to use the ScanState tool to determine how big the migration store will be on a particular computer. +- [Calculate Disk Space Requirements Using the ScanState Tool](#bkmk-calcdiskspace). Describes how to use the ScanState tool to determine how large the migration store will be on a particular computer. - [Estimate Migration Store Size](#bkmk-estmigstoresize). Describes how to estimate the average size of migration stores for the computers in your organization, based on your infrastructure. @@ -35,13 +35,13 @@ The disk space requirements for a migration are dependent on the size of the mig - **Source Computer.** The source computer needs enough available space for the following: - - [E250 megabytes (MB) minimum of hard disk space.](#bkmk-estmigstoresize) Space is needed to support the User State Migration Tool (USMT) 10.0 operations, for example, growth in the page file. Provided that every volume involved in the migration is formatted as NTFS, 250 MB should be enough space to ensure success for almost every hard-link migration, regardless of the size of the migration. The USMT tools will not create the migration store if 250 MB of disk space is not available. + - [E250 megabytes (MB) minimum of hard disk space.](#bkmk-estmigstoresize) Space is needed to support the User State Migration Tool (USMT) 10.0 operations, for example, growth in the page file. If every volume involved in the migration is formatted as NTFS, 250 MB should be enough space to ensure success for almost every hard-link migration, regardless of the size of the migration. The USMT tools will not create the migration store if 250 MB of disk space is not available. - - [Temporary space for USMT to run.](#bkmk-estmigstoresize) Additional disk space for the USMT tools to operate is required. This does not include the minimum 250 MB needed to create the migration store. The amount of temporary space required can be calculated using the ScanState tool. + - [Temporary space for USMT to run.](#bkmk-estmigstoresize) Extra disk space for the USMT tools to operate is required. This does not include the minimum 250 MB needed to create the migration store. The amount of temporary space required can be calculated using the ScanState tool. - - [Hard-link migration store.](#bkmk-estmigstoresize) It is not necessary to estimate the size of a hard-link migration store. The only case where the hard-link store can be quite large is when non-NTFS file systems exist on the system and contain data being migrated. + - [Hard-link migration store.](#bkmk-estmigstoresize) It is not necessary to estimate the size of a hard-link migration store. The only case where the hard-link store can be large is when non-NTFS file systems exist on the system and contain data being migrated. -- [Destination computer.](#bkmk-estmigstoresize) The destination computer needs enough available space for the following: +- [Destination computer.](#bkmk-estmigstoresize) The destination computer needs enough available space for the following components: - [Operating system.](#bkmk-estmigstoresize) @@ -49,12 +49,12 @@ The disk space requirements for a migration are dependent on the size of the mig - [Data being migrated.](#bkmk-estmigstoresize) It is important to consider that in addition to the files being migrated, registry information will also require hard disk space for storage. - - [Temporary space for USMT to run.](#bkmk-estmigstoresize) Additional disk space for the USMT tools to operate is required. The amount of temporary space required can be calculated using the ScanState tool. + - [Temporary space for USMT to run.](#bkmk-estmigstoresize) Extra disk space for the USMT tools to operate is required. The amount of temporary space required can be calculated using the ScanState tool. ## Calculate Disk Space Requirements using the ScanState Tool -You can use the ScanState tool to calculate the disk space requirements for a particular compressed or uncompressed migration. It is not necessary to estimate the migration store size for a hard-link migration since this method does not create a separate migration store. The ScanState tool provides disk space requirements for the state of the computer at the time the tool is run. The state of the computer may change during day to day use so it is recommended that you use the calculations as an estimate when planning your migration. +You can use the ScanState tool to calculate the disk space requirements for a particular compressed or uncompressed migration. It is not necessary to estimate the migration store size for a hard-link migration since this method does not create a separate migration store. The ScanState tool provides disk space requirements for the state of the computer at the time the tool is run. The state of the computer may change during day-to-day use so it is recommended that you use the calculations as an estimate when planning your migration. **To run the ScanState tool on the source computer with USMT installed,** @@ -82,7 +82,7 @@ You can use the ScanState tool to calculate the disk space requirements for a pa The migration store will not be created by running this command, but `StorePath` is a required parameter. -The ScanState tool also allows you to estimate disk space requirements based on a customized migration. For example, you might not want to migrate the My Documents folder to the destination computer. You can specify this in a configuration file when you run the ScanState tool. For more information, see [Customize USMT XML Files](usmt-customize-xml-files.md). +The ScanState tool also allows you to estimate disk space requirements based on a customized migration. For example, you might not want to migrate the My Documents folder to the destination computer. You can specify this condition in a configuration file when you run the ScanState tool. For more information, see [Customize USMT XML Files](usmt-customize-xml-files.md). **Note**   To preserve the functionality of existing applications or scripts that require the previous behavior of USMT, the **/p** option, without specifying *<path to a file>* is still available in USMT. @@ -108,7 +108,7 @@ Additionally, USMT performs a compliance check for a required minimum of 250 MB ## Estimate Migration Store Size -Determine how much space you will need to store the migrated data. You should base your calculations on the volume of e-mail, personal documents, and system settings for each user. The best way to estimate these is to survey several computers to arrive at an average for the size of the store that you will need. +Determine how much space you will need to store the migrated data. You should base your calculations on the volume of e-mail, personal documents, and system settings for each user. The best way to estimate the required space is to survey several computers to arrive at an average for the size of the store that you will need. The amount of space that is required in the store will vary, depending on the local storage strategies your organization uses. For example, one key element that determines the size of migration data sets is e-mail storage. If e-mail is stored centrally, data sets will be smaller. If e-mail is stored locally, such as offline-storage files, data sets will be larger. Mobile users will typically have larger data sets than workstation users. You should perform tests and inventory the network to determine the average data set size in your organization. @@ -123,7 +123,7 @@ When trying to determine how much disk space you will need, consider the followi - **User documents**: Frequently, all of a user's documents fit into less than 50 MB of space, depending on the types of files involved. This estimate assumes typical office work, such as word-processing documents and spreadsheets. This estimate can vary substantially based on the types of documents that your organization uses. For example, an architectural firm that predominantly uses computer-aided design (CAD) files needs much more space than a law firm that primarily uses word-processing documents. You do not need to migrate the documents that users store on file servers through mechanisms such as Folder Redirection, as long as users will have access to these locations after the migration. -- **User system settings** Five megabytes is usually adequate space to save the registry settings. This requirement can fluctuate, however, based on the number of applications that have been installed. It is rare, however, for the user-specific portion of the registry to exceed 5 MB. +- **User system settings** Five megabytes is adequate space to save the registry settings. This requirement can fluctuate, however, based on the number of applications that have been installed. It is rare, however, for the user-specific portion of the registry to exceed 5 MB. ## Related topics diff --git a/windows/deployment/usmt/usmt-hard-link-migration-store.md b/windows/deployment/usmt/usmt-hard-link-migration-store.md index 02c53344c8..9bb6d2ba32 100644 --- a/windows/deployment/usmt/usmt-hard-link-migration-store.md +++ b/windows/deployment/usmt/usmt-hard-link-migration-store.md @@ -16,7 +16,7 @@ ms.topic: article # Hard-Link Migration Store -A *hard-link migration store* enables you to perform an in-place migration where all user state is maintained on the computer while the old operating system is removed and the new operating system is installed; this is why it is best suited for the computer-refresh scenario. Use of a hard-link migration store for a computer-refresh scenario drastically improves migration performance and significantly reduces hard-disk utilization, reduces deployment costs, and enables entirely new migration scenarios. +A *hard-link migration store* enables you to perform an in-place migration where all user state is maintained on the computer while the old operating system is removed and the new operating system is installed; this functionality is what makes *hard-link migration store* best suited for the computer-refresh scenario. Use of a hard-link migration store for a computer-refresh scenario drastically improves migration performance and significantly reduces hard-disk utilization, reduces deployment costs, and enables entirely new migration scenarios. ## In this topic @@ -50,7 +50,7 @@ You can use a hard-link migration store when your planned migration meets both o - You are upgrading the operating system on the same volume of the computer. -You cannot use a hard-link migration store if your planned migration includes any of the following: +You cannot use a hard-link migration store if your planned migration includes any of the following tasks: - You are migrating data from one computer to a second computer. @@ -62,7 +62,7 @@ You cannot use a hard-link migration store if your planned migration includes an The hard-link migration store is created using the command-line option, **/hardlink**, and is equivalent to other migration-store types. However, it differs in that hard links are utilized to keep files stored on the source computer during the migration. Keeping the files in place on the source computer eliminates the redundant work of duplicating files. It also enables the performance benefits and reduction in disk utilization that define this scenario. -When you create a hard link, you give an existing file an additional path. For instance, you could create a hard link to c:\\file1.txt called c:\\hard link\\myFile.txt. These are two paths to the same file. If you open c:\\file1.txt, make changes, and save the file, you will see those changes when you open c:\\hard link\\myFile.txt. If you delete c:\\file1.txt, the file still exists on your computer as c:\\hardlink\\myFile.txt. You must delete both references to the file in order to delete the file. +When you create a hard link, you give an existing file one more path. For instance, you could create a hard link to c:\\file1.txt called c:\\hard link\\myFile.txt. These two paths relate to the same file. If you open c:\\file1.txt, make changes, and save the file, you will see those changes when you open c:\\hard link\\myFile.txt. If you delete c:\\file1.txt, the file still exists on your computer as c:\\hardlink\\myFile.txt. You must delete both references to the file in order to delete the file. > [!NOTE] > A hard link can only be created for a file on the same volume. If you copy a hard-link migration store to another drive or external device, the files, and not the links, are copied, as in a non-compressed migration-store scenario. @@ -76,11 +76,11 @@ As a best practice, we recommend that you delete the hard-link migration store a > [!IMPORTANT] > Using the **/c** option will force the Loadstate tool to continue applying files when non-fatal errors occur. If you use the **/c** option, you should verify that no errors are reported in the logs before deleting the hard-link migration store in order to avoid data loss. -Keeping the hard-link migration store can result in additional disk space being consumed or problems with some applications for the following reasons: +Keeping the hard-link migration store can result in extra disk space being consumed or problems with some applications for the following reasons: - Applications reporting file-system statistics, for example, space used and free space, might incorrectly report these statistics while the hard-link migration store is present. The file may be reported twice because of the two paths that reference that file. -- A hard link may lose its connection to the original file. Some applications save changes to a file by creating a temporary file and then renaming the original to a backup filename. The path that was not used to open the file in this application will continue to refer to the unmodified file. The unmodified file that is not in use is taking up additional disk space. You should create the hard-link migration store just before you perform the migration, and not use applications once the store is created, in order to make sure you are migrating the latest versions of all files. +- A hard link may lose its connection to the original file. Some applications save changes to a file by creating a temporary file and then renaming the original to a backup filename. The path that was not used to open the file in this application will continue to refer to the unmodified file. The unmodified file that is not in use is taking up more disk space. You should create the hard-link migration store just before you perform the migration, and not use applications once the store is created, in order to make sure you are migrating the latest versions of all files. - Editing the file by using different paths simultaneously may result in data corruption. @@ -131,7 +131,7 @@ The drive you specify on the command line for the hard-link migration store is i ### Location Modifications -Location modifications that redirect migrated content from one volume to a different volume have an adverse impact on the performance of a hard-link migration. This is because the migrating data that must cross system volumes cannot remain in the hard-link migration store, and must be copied across the system volumes. +Location modifications that redirect migrated content from one volume to a different volume have an adverse impact on the performance of a hard-link migration. This impact is because the migrating data that must cross system volumes cannot remain in the hard-link migration store, and must be copied across the system volumes. ### Migrating Encrypting File System (EFS) Certificates and Files diff --git a/windows/deployment/usmt/usmt-identify-operating-system-settings.md b/windows/deployment/usmt/usmt-identify-operating-system-settings.md index 8165a6d8c3..c6f264b11d 100644 --- a/windows/deployment/usmt/usmt-identify-operating-system-settings.md +++ b/windows/deployment/usmt/usmt-identify-operating-system-settings.md @@ -17,27 +17,27 @@ ms.topic: article # Identify Operating System Settings -When planning for your migration, you should identify which operating system settings you want to migrate and to what extent you want to create a new standard environment on each of the computers. User State Migration Tool (USMT) 10.0 enables you to migrate select settings and keep the default values for all others. The operating system settings include the following: +When planning for your migration, you should identify which operating system settings you want to migrate and to what extent you want to create a new standard environment on each of the computers. User State Migration Tool (USMT) 10.0 enables you to migrate select settings and keep the default values for all others. The operating system settings include the following parameters: -- **Apperance.** +- **Appearance.** - This includes items such as wallpaper, colors, sounds, and the location of the taskbar. + The appearance factor includes items such as wallpaper, colors, sounds, and the location of the taskbar. - **Action.** - This includes items such as the key-repeat rate, whether double-clicking a folder opens it in a new window or the same window, and whether you need to single-click or double-click an item to open it. + The action factor includes items such as the key-repeat rate, whether double-clicking a folder opens it in a new window or the same window, and whether you need to single-click or double-click an item to open it. - **Internet.** - These are the settings that let you connect to the Internet and control how your browser operates. This includes items such as your home page URL, favorites, bookmarks, cookies, security settings, dial-up connections, and proxy settings. + The Internet factor includes the settings that let you connect to the Internet and control how your browser operates. The settings include items such as your home page URL, favorites, bookmarks, cookies, security settings, dial-up connections, and proxy settings. - **Mail.** - This includes the information that you need to connect to your mail server, your signature file, views, mail rules, local mail, and contacts. + The mail factor includes the information that you need to connect to your mail server, your signature file, views, mail rules, local mail, and contacts. -To help you decide which settings to migrate, you should consider any previous migration experiences as well as the results of any surveys and tests that you have conducted. You should also consider the number of help-desk calls related to operating-system settings that you have had in the past, and are able to handle in the future. Also decide how much of the new operating-system functionality you want to take advantage of. +To help you decide which settings to migrate, you should consider any previous migration experiences and the results of any surveys and tests that you have conducted. You should also consider the number of help-desk calls related to operating-system settings that you have had in the past, and are able to handle in the future. Also decide how much of the new operating-system functionality you want to take advantage of. -You should migrate any settings that users need to get their jobs done, those that make the work environment comfortable, and those that will reduce help-desk calls after the migration. Although it is easy to dismiss migrating user preferences, you should consider that users can spend a significant amount of time restoring items such as wallpaper, screen savers, and other customizable user-interface features. Most users do not remember how these settings were applied. Although these items are not critical to migration success, migrating these items increases user productivity and overall satisfaction of the migration process. +You should migrate any settings that users need to get their jobs done, those settings that make the work environment comfortable, and those settings that will reduce help-desk calls after the migration. Although it is easy to dismiss migrating user preferences, you should consider the factor of users spending a significant amount of time restoring items such as wallpaper, screen savers, and other customizable user-interface features. Most users do not remember how these settings were applied. Although these items are not critical to migration success, migrating these items increases user productivity and overall satisfaction of the migration process. **Note**   For more information about how to change the operating-system settings that are migrated, see [User State Migration Tool (USMT) How-to topics](usmt-how-to.md). diff --git a/windows/deployment/usmt/usmt-scanstate-syntax.md b/windows/deployment/usmt/usmt-scanstate-syntax.md index 37fb5cbc81..5034c08b18 100644 --- a/windows/deployment/usmt/usmt-scanstate-syntax.md +++ b/windows/deployment/usmt/usmt-scanstate-syntax.md @@ -48,7 +48,7 @@ Before you run the **ScanState** command, note the following: - Unless otherwise noted, you can use each option only once when running a tool on the command line. -- You can gather domain accounts without the source computer having domain controller access. This functionality is available without any additional configuration. +- You can gather domain accounts without the source computer having domain controller access. This functionality is available without any extra configuration. - The [Incompatible Command-Line Options](#bkmk-iclo) table lists which options you can use together and which command-line options are incompatible. @@ -142,7 +142,7 @@ USMT provides several options that you can use to analyze problems that occur du | **/l:**[*Path*]*FileName* | Specifies the location and name of the ScanState log.

You cannot store any of the log files in *StorePath*. *Path* can be either a relative or full path. If you do not specify the *Path* variable, then the log will be created in the current directory. You can use the **/v** option to adjust the amount of output.

If you run the **ScanState** or **LoadState** commands from a shared network resource, you must specify this option or USMT will fail with the following error: "USMT was unable to create the log file(s)". To fix this issue, use the /**l: scan.log** command. | | **/v:***<VerbosityLevel>* | **(Verbosity)**

Enables verbose output in the ScanState log file. The default value is 0.

You can set the *VerbosityLevel* to one of the following levels:

  • **0** - Only the default errors and warnings are enabled.
  • **1** - Enables verbose output.
  • **4** - Enables error and status output.
  • **5** - Enables verbose and status output.
  • **8** - Enables error output to a debugger.
  • **9** - Enables verbose output to a debugger.
  • **12** - Enables error and status output to a debugger.
  • **13** - Enables verbose, status, and debugger output.

For example:
`scanstate \server\share\migration\mystore /v:13 /i:migdocs.xml /i:migapp.xml`| | /**progress**:[*Path*]*FileName* | Creates the optional progress log. You cannot store any of the log files in *StorePath*. *Path* can be either a relative or full path. If you do not specify the *Path* variable, then *FileName* will be created in the current directory.

For example:
`scanstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /progress:prog.log /l:scanlog.log` | -| **/c** | When this option is specified, the **ScanState** command will continue to run, even if non-fatal errors occur. Any files or settings that cause an error are logged in the progress log. For example, if there is a large file that will not fit in the store, the **ScanState** command will log an error and continue with the migration. In addition, if a file is open or in use by an application, USMT may not be able to migrate the file and will log an error. Without the **/c** option, the **ScanState** command will exit on the first error.

You can use the new <**ErrorControl**> section in the Config.xml file to specify which file or registry read/write errors can be safely ignored and which might cause the migration to fail. This enables the /**c** command-line option to safely skip all input/output (I/O) errors in your environment. In addition, the /**genconfig** option now generates a sample <**ErrorControl**> section that is enabled by specifying error messages and desired behaviors in the Config.xml file. | +| **/c** | When this option is specified, the **ScanState** command will continue to run, even if non-fatal errors occur. Any files or settings that cause an error are logged in the progress log. For example, if there is a large file that will not fit in the store, the **ScanState** command will log an error and continue with the migration. In addition, if a file is open or in use by an application, USMT may not be able to migrate the file and will log an error. Without the **/c** option, the **ScanState** command will exit on the first error.

You can use the new <**ErrorControl**> section in the Config.xml file to specify which file or registry read/write errors can be safely ignored and which might cause the migration to fail. This advantage in the Config.xml file enables the /**c** command-line option to safely skip all input/output (I/O) errors in your environment. In addition, the /**genconfig** option now generates a sample <**ErrorControl**> section that is enabled by specifying error messages and desired behaviors in the Config.xml file. | | **/r:***<TimesToRetry>* | **(Retry)**

Specifies the number of times to retry when an error occurs while saving the user state to a server. The default is three times. This option is useful in environments where network connectivity is not reliable.

While storing the user state, the **/r** option will not be able to recover data that is lost due to a network-hardware failure, such as a faulty or disconnected network cable, or when a virtual private network (VPN) connection fails. The retry option is intended for large, busy networks where connectivity is satisfactory, but communication latency is a problem. | | **/w:***<SecondsBeforeRetry>* | **(Wait)**

Specifies the time to wait, in seconds, before retrying a network file operation. The default is 1 second. | | **/p:***<pathToFile>* | When the **ScanState** command runs, it will create an .xml file in the path specified. This .xml file includes improved space estimations for the migration store. The following example shows how to create this .xml file:
`Scanstate.exe C:\MigrationLocation [additional parameters]`
`/p:"C:\MigrationStoreSize.xml"`

For more information, see [Estimate Migration Store Size](usmt-estimate-migration-store-size.md).

To preserve the functionality of existing applications or scripts that require the previous behavior of USMT, you can use the **/p** option, without specifying *"pathtoafile"*, in USMT. If you specify only the **/p** option, the storage space estimations are created in the same manner as with USMT3.x releases. | @@ -156,7 +156,7 @@ By default, all users are migrated. The only way to specify which users to inclu |-----|-----| | /**all** | Migrates all of the users on the computer.

USMT migrates all user accounts on the computer, unless you specifically exclude an account with either the /**ue** or /**uel** options. For this reason, you do not need to specify this option on the command line. However, if you choose to specify the /**all** option, you cannot also use the /**ui**, /**ue** or /**uel** options. | | /**ui**:*<DomainName>*\*<UserName>*
or
/**ui**:*<ComputerName>*\*<LocalUserName>* | **(User include)**

Migrates the specified users. By default, all users are included in the migration. Therefore, this option is helpful only when used with the /**ue** or /**uel** options. You can specify multiple /**ui** options, but you cannot use the /**ui** option with the /**all** option. *DomainName* and *UserName* can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you will need to surround it with quotation marks.
**Note**
If a user is specified for inclusion with the /**ui** option, and also is specified to be excluded with either the /**ue** or /**uel** options, the user will be included in the migration.

For example:
  • To include only User2 from the Fabrikam domain, type:
    `/ue:*\* /ui:fabrikam\user2`
  • To migrate all users from the Fabrikam domain, and only the user accounts from other domains that have been active or otherwise modified in the last 30 days, type:
    `/uel:30 /ui:fabrikam\*`
    In this example, a user account from the Contoso domain that was last modified two months ago will not be migrated.

For more examples, see the descriptions of the /**ue** and /**ui** options in this table. | -| /**uel**:*<NumberOfDays>*
or
/**uel**:*<YYYY/MM/DD>*
or
**/uel:0** | **(User exclude based on last logon)**

Migrates the users that logged on to the source computer within the specified time period, based on the **Last Modified** date of the Ntuser.dat file on the source computer. The /**uel** option acts as an include rule. For example, the **/uel:30** option migrates users who logged on, or whose account was modified, within the last 30 days from the date when the ScanState command is run.

You can specify a number of days or you can specify a date. You cannot use this option with the /**all** option. USMT retrieves the last logon information from the local computer, so the computer does not need to be connected to the network when you run this option. In addition, if a domain user has logged on to another computer, that logon instance is not considered by USMT.
**Note**
The /**uel** option is not valid in offline migrations.
  • **/uel:0** migrates any users who are currently logged on.
  • **/uel:90** migrates users who have logged on, or whose accounts have been otherwise modified, within the last 90 days.
  • **/uel:1** migrates users whose account has been modified within the last 24 hours.
  • **/uel:2002/1/15** migrates users who have logged on or been modified January 15, 2002 or afterwards.

For example:
`scanstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore /uel:0` | +| /**uel**:*<NumberOfDays>*
or
/**uel**:*<YYYY/MM/DD>*
or
**/uel:0** | **(User exclude based on last logon)**

Migrates the users that logged on to the source computer within the specified time period, based on the **Last Modified** date of the Ntuser.dat file on the source computer. The /**uel** option acts as an include rule. For example, the **/uel:30** option migrates users who logged on, or whose account was modified, within the last 30 days from the date when the ScanState command is run.

You can specify the number of days or you can specify a date. You cannot use this option with the /**all** option. USMT retrieves the last logon information from the local computer, so the computer does not need to be connected to the network when you run this option. In addition, if a domain user has signed in to another computer, that sign-in instance is not considered by USMT.
**Note**
The /**uel** option is not valid in offline migrations.
  • **/uel:0** migrates any users who are currently logged on.
  • **/uel:90** migrates users who have logged on, or whose accounts have been otherwise modified, within the last 90 days.
  • **/uel:1** migrates users whose account has been modified within the last 24 hours.
  • **/uel:2002/1/15** migrates users who have logged on or been modified January 15, 2002 or afterwards.

For example:
`scanstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore /uel:0` | | /**ue**:*<DomainName>*\*<UserName>*
-or-

/**ue**:*<ComputerName>*\*<LocalUserName>* | **(User exclude)**

Excludes the specified users from the migration. You can specify multiple /**ue** options. You cannot use this option with the /**all** option. *<DomainName>* and *<UserName>* can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you need to surround it with quotation marks.

For example:
`scanstate /i:migdocs.xml /i:migapp.xml \\server\share\migration\mystore /ue:contoso\user1` | ## How to Use /ui and /ue @@ -184,7 +184,7 @@ The /**uel** option takes precedence over the /**ue** option. If a user has logg |--- |--- | |Include only User2 from the Fabrikam domain and exclude all other users.|`/ue:*\* /ui:fabrikam\user2`| |Include only the local user named User1 and exclude all other users.|`/ue:*\* /ui:user1`| -|Include only the domain users from Contoso, except Contoso\User1.|This behavior cannot be completed using a single command. Instead, to migrate this set of users, you will need to specify the following:
  • On the **ScanState** command line, type: `/ue:*\* /ui:contoso\*`
  • On the **LoadState** command line, type: `/ue:contoso\user1`
| +|Include only the domain users from Contoso, except Contoso\User1.|This behavior cannot be completed using a single command. Instead, to migrate this set of users, you will need to specify the following commands:
  • On the **ScanState** command line, type: `/ue:*\* /ui:contoso\*`
  • On the **LoadState** command line, type: `/ue:contoso\user1`
| |Include only local (non-domain) users.|`/ue:*\* /ui:%computername%\*`| ## Encrypted File Options diff --git a/windows/deployment/usmt/xml-file-requirements.md b/windows/deployment/usmt/xml-file-requirements.md index f5afeaa069..468776c419 100644 --- a/windows/deployment/usmt/xml-file-requirements.md +++ b/windows/deployment/usmt/xml-file-requirements.md @@ -1,6 +1,6 @@ --- title: XML File Requirements (Windows 10) -description: Learn about the XML file requirements for creating custom .xml files, like the file must be in UTF-8 and have a unique migration urlid. +description: Learn about the XML file requirements for creating custom .xml files, like the file must be in UTF-8 and have a unique migration URL ID. ms.assetid: 4b567b50-c50a-4a4f-8684-151fe3f8275f ms.reviewer: manager: laurawi @@ -19,20 +19,20 @@ ms.topic: article When creating custom .xml files, note the following requirements: -- **The file must be in Unicode Transformation Format-8 (UTF-8).** You must save the file in this format, and you must specify the following syntax at the beginning of each .xml file: +- **The file must be in Unicode Transformation Format-8 (UTF-8).** Save the file in this format, and you must specify the following syntax at the beginning of each .xml file: ``` xml ``` -- **The file must have a unique migration urlid**. The urlid of each file that you specify on the command line must be different. If two migration .xml files have the same urlid, the second .xml file that is specified on the command line will not be processed. This is because USMT uses the urlid to define the components within the file. For example, you must specify the following syntax at the beginning of each file: +- **The file must have a unique migration URL ID**. The URL ID of each file that you specify on the command line must be different. If two migration .xml files have the same URL ID, the second .xml file that is specified on the command line will not be processed. This is because USMT uses the URL ID to define the components within the file. For example, you must specify the following syntax at the beginning of each file: ``` xml ``` -- **Each component in the file must have a display name in order for it to appear in the Config.xml file.** This is because the Config.xml file defines the components by the display name and the migration urlid. For example, specify the following syntax: +- **Each component in the file must have a display name in order for it to appear in the Config.xml file.** This condition is because the Config.xml file defines the components by the display name and the migration URL ID. For example, specify the following syntax: ``` xml My Application diff --git a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md index 19d405b786..b36419cb21 100644 --- a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md +++ b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md @@ -49,7 +49,7 @@ When you activate a computer running Windows 10, the following information is s - Volume serial number (hashed) of the hard disk drive - The result of the activation check - This includes error codes and the following information about any activation exploits and related malicious or unauthorized software that was found or disabled: + This result includes error codes and the following information about any activation exploits and related malicious or unauthorized software that was found or disabled: - The activation exploit’s identifier - The activation exploit’s current state, such as cleaned or quarantined @@ -63,7 +63,7 @@ Standard computer information is also sent, but your computer’s IP address is ## Use of information Microsoft uses the information to confirm that you have a licensed copy of the software. Microsoft does not use the information to contact individual consumers. -For additional details, see [Windows 10 Privacy Statement](https://go.microsoft.com/fwlink/p/?LinkId=619879). +For more information, see [Windows 10 Privacy Statement](https://go.microsoft.com/fwlink/p/?LinkId=619879). ## See also diff --git a/windows/deployment/volume-activation/introduction-vamt.md b/windows/deployment/volume-activation/introduction-vamt.md index 91d2d8540b..d5d2c105b5 100644 --- a/windows/deployment/volume-activation/introduction-vamt.md +++ b/windows/deployment/volume-activation/introduction-vamt.md @@ -17,7 +17,7 @@ ms.topic: article # Introduction to VAMT -The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office®, and select other Microsoft products volume and retail activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in and can be installed on any computer that has one of the following Windows operating systems: Windows® 7, Windows 8, Windows 8.1, Windows 10,Windows Server 2008 R2, or Windows Server 2012. +The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office®, and select other Microsoft products volume and retail activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in and can be installed on any computer that has one of the following Windows operating systems: Windows® 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2, or Windows Server 2012. > [!NOTE] > VAMT can be installed on, and can manage, physical or virtual instances. VAMT cannot detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated. @@ -34,20 +34,20 @@ The Volume Activation Management Tool (VAMT) enables network administrators and You can use a MAK or a retail product key to activate Windows, Windows Server, or Office on an individual computer or a group of computers. VAMT enables two different activation scenarios: - **Online activation.** Many enterprises maintain a single Windows system image or Office installation package for deployment across the enterprise. Occasionally there is also a need to use retail product keys in special situations. Online activation enables you to activate over the Internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft. -- **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is completely isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host. +- **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host. ## Managing Key Management Service (KMS) Activation -In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 as well as Microsoft Office 2010.\ +In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 and Microsoft Office 2010.\ VAMT treats a KMS Host key (CSVLK) product key identically to a retail-type product key; therefore, the experience for product key entry and activation management are identical for both these product key types. ## Enterprise Environment -VAMT is commonly implemented in enterprise environments. The following illustrates three common environments—Core Network, Secure Zone, and Isolated Lab. +VAMT is commonly implemented in enterprise environments. The following screenshot illustrates three common environments—Core Network, Secure Zone, and Isolated Lab. ![VAMT in the enterprise.](images/dep-win8-l-vamt-image001-enterprise.jpg) -In the Core Network environment, all computers are within a common network managed by Active Directory® Domain Services (AD DS). The Secure Zone represents higher-security Core Network computers that have additional firewall protection. +In the Core Network environment, all computers are within a common network managed by Active Directory® Domain Services (AD DS). The Secure Zone represents higher-security Core Network computers that have extra firewall protection. The Isolated Lab environment is a workgroup that is physically separate from the Core Network, and its computers do not have Internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the Isolated Lab. ## VAMT User Interface @@ -60,7 +60,7 @@ VAMT provides a single, graphical user interface for managing activations, and f - **Adding and removing computers.** You can use VAMT to discover computers in the local environment. VAMT can discover computers by querying AD DS, workgroups, by individual computer name or IP address, or via a general LDAP query. - **Discovering products.** You can use VAMT to discover Windows, Windows Server, Office, and select other products installed on the client computers. -- **Monitoring activation status.** You can collect activation information about each product, including the last 5 characters of the product key being used, the current license state (such as Licensed, Grace, Unlicensed), and the product edition information. +- **Monitoring activation status.** You can collect activation information about each product, including the last five characters of the product key being used, the current license state (such as Licensed, Grace, Unlicensed), and the product edition information. - **Managing product keys.** You can store multiple product keys and use VAMT to install these keys to remote client products. You can also determine the number of activations remaining for MAKs. - **Managing activation data.** VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format. diff --git a/windows/deployment/volume-activation/manage-activations-vamt.md b/windows/deployment/volume-activation/manage-activations-vamt.md index e1e2f2151e..6c96637ddf 100644 --- a/windows/deployment/volume-activation/manage-activations-vamt.md +++ b/windows/deployment/volume-activation/manage-activations-vamt.md @@ -1,6 +1,6 @@ --- title: Manage Activations (Windows 10) -description: Learn how to manage activations and how to activate a client computer by using a variety of activation methods. +description: Learn how to manage activations and how to activate a client computer by using various activation methods. ms.assetid: 53bad9ed-9430-4f64-a8de-80613870862c ms.reviewer: manager: laurawi @@ -17,7 +17,7 @@ ms.topic: article # Manage Activations -This section describes how to activate a client computer, by using a variety of activation methods. +This section describes how to activate a client computer, by using various activation methods. ## In this Section @@ -25,7 +25,7 @@ This section describes how to activate a client computer, by using a variety of |------|------------| |[Perform Online Activation](online-activation-vamt.md) |Describes how to activate a client computer over the Internet. | |[Perform Proxy Activation](proxy-activation-vamt.md) |Describes how to perform volume activation for client products that do not have Internet access. | -|[Perform KMS Activation](kms-activation-vamt.md) |Describes how perform volume activation using the Key Management Service (KMS). | +|[Perform KMS Activation](kms-activation-vamt.md) |Describes how to perform volume activation using the Key Management Service (KMS). | |[Perform Local Reactivation](local-reactivation-vamt.md) |Describes how to reactivate an operating system or Office program that was reinstalled. | |[Activate an Active Directory Forest Online](activate-forest-vamt.md) |Describes how to use Active Directory-Based Activation to online activate an Active Directory forest. | |[Activate by Proxy an Active Directory Forest](activate-forest-by-proxy-vamt.md) |Describes how to use Active Directory-Based Activation to proxy activate an Active Directory forest that is not connected to the Internet. | diff --git a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md index d3b906680d..3e9a42c319 100644 --- a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md +++ b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md @@ -17,7 +17,7 @@ ms.topic: article # Scenario 2: Proxy Activation -In this scenario, the Volume Activation Management Tool (VAMT) is used to activate products that are installed on workgroup computers in an isolated lab environment. For workgroups which are isolated from the larger network, you can perform proxy activation of Multiple Activation Keys (MAKs), KMS Host keys (CSVLKs), Generic Volume License Keys (GVLKs) (or KMS client keys), or retail keys. Proxy activation is performed by installing a second instance of VAMT on a computer in the isolated workgroup. You can then use removable media to transfer VAMT Computer Information Lists (CILXs) between the instance of VAMT in the isolated workgroup and another VAMT host that has Internet access. The following diagram shows a Multiple Activation Key (MAK) proxy activation scenario: +In this scenario, the Volume Activation Management Tool (VAMT) is used to activate products that are installed on workgroup computers in an isolated lab environment. For workgroups that are isolated from the larger network, you can perform proxy activation of Multiple Activation Keys (MAKs), KMS Host keys (CSVLKs), Generic Volume License Keys (GVLKs) (or KMS client keys), or retail keys. Proxy activation is performed by installing a second instance of VAMT on a computer in the isolated workgroup. You can then use removable media to transfer VAMT Computer Information Lists (CILXs) between the instance of VAMT in the isolated workgroup and another VAMT host that has Internet access. The following diagram shows a Multiple Activation Key (MAK) proxy activation scenario: ![VAMT MAK proxy activation scenario.](images/dep-win8-l-vamt-makproxyactivationscenario.jpg) @@ -45,9 +45,9 @@ In this scenario, the Volume Activation Management Tool (VAMT) is used to activa 2. To open the **Discover Products** dialog box, click **Discover products** in the right-side pane. 3. In the **Discover Products** dialog box, click **Search for computers in the Active Directory** to display the search options, and then click the search options that you want to use. You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general LDAP query: - To search for computers in an Active Directory domain, click **Search for computers in the Active Directory**. Then under **Domain Filter Criteria**, in the list of domain names, click the name of the domain that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for specific computers in the domain. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a". - - To search by individual computer name or IP address, click **Manually enter name or IP address**. Then enter the full name or IP address in the **One or more computer names or IP addresses separated by commas** text box. Separate multiple entries with a comma. Note that both IPv4 and IPv6addressing are supported. + - To search by individual computer name or IP address, click **Manually enter name or IP address**. Then enter the full name or IP address in the **One or more computer names or IP addresses separated by commas** text box. Separate multiple entries with a comma. Both IPv4 and IPv6addressing are supported. - To search for computers in a workgroup, click **Search for computers in the workgroup**. Then under **Workgroup Filter Criteria**, in the list of workgroup names, click the name of the workgroup that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer in the workgroup. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only those computer names that start with the letter "a". - - To search for computers by using a general LDAP query, click **Search with LDAP query** and enter your query in the text box that appears. VAMT will validate the LDAP query syntax, but will otherwise run the query without additional checks. + - To search for computers by using a general LDAP query, click **Search with LDAP query** and enter your query in the text box that appears. VAMT will validate the LDAP query syntax, but will otherwise run the query without extra checks. 4. Click **Search**. The **Finding Computers** window appears and displays the search progress as the computers are located. @@ -70,9 +70,9 @@ You can sort the list of products so that it is easier to find the computers tha To collect the status from select computers in the database, you can select computers in the product list view by using one of the following methods: - To select a block of consecutively listed computers, click the first computer that you want to select, and then click the last computer while pressing the **Shift** key. -- To select computers which are not listed consecutively, hold down the **Ctrl** ley and select each computer for which you want to collect the status information. +- To select computers that are not listed consecutively, hold down the **Ctrl** key and select each computer for which you want to collect the status information. **To collect status information from the selected computers** -- In the right-side **Actions** pane, click **Update license status** in the **Selected Items** menu and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials that are different from the ones that you used to log on to the computer. Otherwise, click **Current Credentials** and continue to step 2.If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and then click **OK**. +- In the right-side **Actions** pane, click **Update license status** in the **Selected Items** menu and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials that are different from the ones that you used to sign in to the computer. Otherwise, click **Current Credentials** and continue to step 2.If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and then click **OK**. - VAMT displays the **Collecting product information** dialog box while it collects the license status of all supported products on the selected computers. When the process is finished, the updated license status of each product will appear in the product list view in the center pane. **Note** @@ -91,9 +91,9 @@ To collect the status from select computers in the database, you can select comp 1. In the left-side pane, in the **Products** node click the product that you want to install keys onto. 2. If necessary, sort and filter the list of products so that it is easier to find the computers that must have a product key installed. See [Step 5: Sort and Filter the List of Computers](#step-5-sort-and-filter-the-list-of-computers). -3. In the **Products** list view pane, select the individual products which must have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product. +3. In the **Products** list view pane, select the individual products that must have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product. 4. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box. -5. The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAKs based on the selected products. If you are installing a MAK you can select a recommended product key or any other MAK from the **All Product Keys List**. If you are not installing a MAK, select a product key from the **All Product Keys** list. Use the scroll bar if you need to view the **Description** for each key. When you have selected the product key that you want to install, click **Install Key**. Note that only one key can be installed at a time. +5. The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAKs based on the selected products. If you are installing an MAK, you can select a recommended product key or any other MAK from the **All Product Keys List**. If you are not installing a MAK, select a product key from the **All Product Keys** list. Use the scroll bar if you need to view the **Description** for each key. When you have selected the product key that you want to install, click **Install Key**. Only one key can be installed at a time. 6. VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. The same status appears under the **Status of Last Action** column in the product list view in the center pane. diff --git a/windows/deployment/volume-activation/vamt-step-by-step.md b/windows/deployment/volume-activation/vamt-step-by-step.md index ef45dc1c96..da420e7365 100644 --- a/windows/deployment/volume-activation/vamt-step-by-step.md +++ b/windows/deployment/volume-activation/vamt-step-by-step.md @@ -25,9 +25,9 @@ This section provides step-by-step instructions on implementing the Volume Activ |------|------------| |[Scenario 1: Online Activation](scenario-online-activation-vamt.md) |Describes how to distribute Multiple Activation Keys (MAKs) to products installed on one or more connected computers within a network, and how to instruct these products to contact Microsoft over the Internet for activation. | |[Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) |Describes how to use two VAMT host computers — the first one with Internet access and a second computer within an isolated workgroup — as proxies to perform MAK volume activation for workgroup computers that do not have Internet access. | -|[Scenario 3: KMS Client Activation](scenario-kms-activation-vamt.md) |Describes how to use VAMT to configure client products for Key Management Service (KMS) activation. By default, volume license editions of Windows 10, Windows Vista, Windows® 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. | +|[Scenario 3: Key Management Service (KMS) Client Activation](scenario-kms-activation-vamt.md) |Describes how to use VAMT to configure client products for Key Management Service (KMS) activation. By default, volume license editions of Windows 10, Windows Vista, Windows® 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. | -## Related topics +## Related articles - [Introduction to VAMT](introduction-vamt.md)     diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md index 70d738e262..1a4195b593 100644 --- a/windows/deployment/windows-deployment-scenarios-and-tools.md +++ b/windows/deployment/windows-deployment-scenarios-and-tools.md @@ -18,16 +18,16 @@ ms.collection: highpri # Windows 10 deployment scenarios and tools -To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. In this topic, you will learn about the most commonly used tools for Windows 10 deployment. +To successfully deploy the Windows 10 operating system and applications for your organization, you must know about the available tools to help with the process. In this article, you will learn about the most commonly used tools for Windows 10 deployment. -Microsoft provides many tools, services, and solutions. These tools include Windows Deployment Services (WDS), the Volume Activation Management Tool (VAMT), the User State Migration Tool (USMT), Windows System Image Manager (Windows SIM), Windows Preinstallation Environment (Windows PE), and Windows Recovery Environment (Windows RE). Keep in mind that these are just tools and not a complete solution on their own. It’s when you combine these tools with solutions like [Microsoft Deployment Toolkit (MDT)](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) or [Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) that you get the complete deployment solution. +Microsoft provides many tools, services, and solutions. These tools include Windows Deployment Services (WDS), the Volume Activation Management Tool (VAMT), the User State Migration Tool (USMT), Windows System Image Manager (Windows SIM), Windows Preinstallation Environment (Windows PE), and Windows Recovery Environment (Windows RE). Keep in mind that these tools are not a complete solution on their own. It’s when you combine these tools with solutions like [Microsoft Deployment Toolkit (MDT)](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) or [Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) that you get the complete deployment solution. -In this topic, you also learn about different types of reference images that you can build, and why reference images are beneficial for most organizations +In this article, you also learn about different types of reference images that you can build, and why reference images are beneficial for most organizations ## Windows Assessment and Deployment Kit -Windows ADK contains core assessment and deployment tools and technologies, including Deployment Image Servicing and Management (DISM), Windows Imaging and Configuration Designer (Windows ICD), Windows System Image Manager (Windows SIM), User State Migration Tool (USMT), Volume Activation Management Tool (VAMT), Windows Preinstallation Environment (Windows PE), Windows Assessment Services, Windows Performance Toolkit (WPT), Application Compatibility Toolkit (ACT), and Microsoft SQL Server 2012 Express. For more details, see [Windows ADK for Windows 10](/windows-hardware/get-started/adk-install) or [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md). +Windows ADK contains core assessment and deployment tools and technologies, including Deployment Image Servicing and Management (DISM), Windows Imaging and Configuration Designer (Windows ICD), Windows System Image Manager (Windows SIM), User State Migration Tool (USMT), Volume Activation Management Tool (VAMT), Windows Preinstallation Environment (Windows PE), Windows Assessment Services, Windows Performance Toolkit (WPT), Application Compatibility Toolkit (ACT), and Microsoft SQL Server 2012 Express. For more information, see [Windows ADK for Windows 10](/windows-hardware/get-started/adk-install) or [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md). ![figure 1.](images/win-10-adk-select.png) @@ -43,7 +43,7 @@ DISM services online and offline images. For example, with DISM you can install Dism.exe /Online /Enable-Feature /FeatureName:NetFX3 /All /Source:D:\Sources\SxS /LimitAccess ``` -In Windows 10, you can use Windows PowerShell for many of the functions performed by DISM.exe. The equivalent command in Windows 10 using PowerShell is: +In Windows 10, you can use Windows PowerShell for many of the functions done by DISM.exe. The equivalent command in Windows 10 using PowerShell is: ``` syntax Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All @@ -67,9 +67,9 @@ Occasionally, we find that customers are wary of USMT because they believe it re USMT includes several command-line tools, the most important of which are ScanState and LoadState: -- **ScanState.exe.** This performs the user-state backup. -- **LoadState.exe.** This performs the user-state restore. -- **UsmtUtils.exe.** This supplements the functionality in ScanState.exe and LoadState.exe. +- **ScanState.exe.** This tool performs the user-state backup. +- **LoadState.exe.** This tool performs the user-state restore. +- **UsmtUtils.exe.** This tool supplements the functionality in ScanState.exe and LoadState.exe. In addition to these tools, there are also XML templates that manage which data is migrated. You can customize the templates, or create new ones, to manage the backup process at a high level of detail. USMT uses the following terms for its templates: @@ -85,20 +85,20 @@ USMT supports capturing data and settings from Windows Vista and later, and rest By default USMT migrates many settings, most of which are related to the user profile but also to Control Panel configurations, file types, and more. The default templates that are used in Windows 10 deployments are MigUser.xml and MigApp.xml. These two default templates migrate the following data and settings: -- Folders from each profile, including those from user profiles as well as shared and public profiles. For example, the My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites folders are migrated. -- Specific file types. USMT templates migrate the following file types: .accdb, .ch3, .csv, .dif, .doc\*, .dot\*, .dqy, .iqy, .mcw, .mdb\*, .mpp, .one\*, .oqy, .or6, .pot\*, .ppa, .pps\*, .ppt\*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk, .txt, .vl\*, .vsd, .wk\*, .wpd, .wps, .wq1, .wri, .xl\*, .xla, .xlb, .xls\*. +- Folders from each profile, including those folders from user profiles, and shared and public profiles. For example, the My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites folders are migrated. +- Specific file types. USMT templates migrate the following file types: .accdb, .ch3, .csv,dif, .doc\*, .dot\*, .dqy, .iqy, .mcw, .mdb\*, .mpp, .one\*, .oqy, .or6, .pot\*, .ppa, .pps\*, .ppt\*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk, .txt, .vl\*, .vsd, .wk\*, .wpd, .wps, .wq1, .wri, .xl\*, .xla, .xlb, .xls\*. - **Note**   - The OpenDocument extensions (\*.odt, \*.odp, \*.ods, etc.) that Microsoft Office applications can use are not migrated by default. + > [!NOTE] + > The OpenDocument extensions (\*.odt, \*.odp, \*.ods, etc.) that Microsoft Office applications can use are not migrated by default. - Operating system component settings - Application settings -These are the settings migrated by the default MigUser.xml and MigApp.xml templates. For more details on what USMT migrates, see [What does USMT migrate?](./usmt/usmt-what-does-usmt-migrate.md) For more information on the USMT overall, see the [USMT technical reference](./usmt/usmt-reference.md). +These settings are the ones migrated by the default MigUser.xml and MigApp.xml templates. For more information on what USMT migrates, see [What does USMT migrate?](./usmt/usmt-what-does-usmt-migrate.md) For more information on the USMT overall, see the [USMT technical reference](./usmt/usmt-reference.md). ### Windows Imaging and Configuration Designer -Windows Imaging and Configuration Designer (Windows ICD) is a tool designed to assist with the creation of provisioning packages that can be used to dynamically configure a Windows device (PCs, tablets, and phones). This is particularly useful for setting up new devices, without the need for re-imaging the device with a custom image. +Windows Imaging and Configuration Designer (Windows ICD) is a tool designed to assist with the creation of provisioning packages that can be used to dynamically configure a Windows device (PCs, tablets, and phones). This tool is useful for setting up new devices, without the need for re-imaging the device with a custom image. ![figure 4.](images/windows-icd.png) @@ -108,7 +108,7 @@ For more information, see [Windows Imaging and Configuration Designer](/windows/ ### Windows System Image Manager (Windows SIM) -Windows SIM is an authoring tool for Unattend.xml files. When using MDT and/or Configuration Manager, you don’t need Windows SIM very often because those systems automatically update the Unattend.xml file during the deployment, greatly simplifying the process overall. +Windows SIM is an authoring tool for Unattend.xml files. When using MDT and/or Configuration Manager, you don’t need Windows SIM often because those systems automatically update the Unattend.xml file during the deployment, greatly simplifying the process overall. ![figure 7.](images/mdt-11-fig07.png) @@ -168,7 +168,7 @@ In Windows Server 2012 R2, [Windows Deployment Services](/previous-versions/wind ### Trivial File Transfer Protocol (TFTP) configuration -In some cases, you need to modify TFTP Maximum Block Size settings for performance tuning reasons, especially when PXE traffic travels through routers and such. In the previous version of WDS, it was possible to change that, but the method of do so—editing the registry—was not user friendly. In Windows Server 2012, this has become much easier to do as it can be configured as a setting. +In some cases, you need to modify TFTP Maximum Block Size settings for performance tuning reasons, especially when PXE traffic travels through routers and such. In the previous version of WDS, it was possible to change that, but the method of do so — editing the registry — was not user friendly. In Windows Server 2012, this modification in settings has become much easier to do as it can be configured as a setting. Also, there are a few new features related to TFTP performance: @@ -210,7 +210,7 @@ The SCM console showing a baseline configuration for a fictional client's comput ## Microsoft Desktop Optimization Pack -MDOP is a suite of technologies available to Software Assurance customers through an additional subscription. +MDOP is a suite of technologies available to Software Assurance customers through another subscription. The following components are included in the MDOP suite: @@ -267,29 +267,29 @@ With UEFI, you can benefit from: - **Faster boot time.** UEFI does not use INT 13, and that improves boot time, especially when it comes to resuming from hibernate. - **Multicast deployment.** UEFI firmware can use multicast directly when it boots up. In WDS, MDT, and Configuration Manager scenarios, you need to first boot up a normal Windows PE in unicast and then switch into multicast. With UEFI, you can run multicast from the start. - **Compatibility with earlier BIOS.** Most of the UEFI implementations include a compatibility support module (CSM) that emulates BIOS. -- **CPU-independent architecture.** Even if BIOS can run both 32- and 64-bit versions of firmware, all firmware device drivers on BIOS systems must also be 16-bit, and this affects performance. One of the reasons is the limitation in addressable memory, which is only 64 KB with BIOS. +- **CPU-independent architecture.** Even if BIOS can run both 32-bit and 64-bit versions of firmware, all firmware device drivers on BIOS systems must also be 16-bit, and this affects performance. One of the reasons is the limitation in addressable memory, which is only 64 KB with BIOS. - **CPU-independent drivers.** On BIOS systems, PCI add-on cards must include a ROM that contains a separate driver for all supported CPU architectures. That is not needed for UEFI because UEFI has the ability to use EFI Byte Code (EBC) images, which allow for a processor-independent device driver environment. - **Flexible pre-operating system environment.** UEFI can perform many functions for you. You just need an UEFI application, and you can perform diagnostics and automatic repairs, and call home to report errors. - **Secure boot.** Windows 8 and later can use the UEFI firmware validation process, called secure boot, which is defined in UEFI 2.3.1. Using this process, you can ensure that UEFI launches only a verified operating system loader and that malware cannot switch the boot loader. ### Versions -UEFI Version 2.3.1B is the version required for Windows 8 and later logo compliance. Later versions have been released to address issues; a small number of machines may need to upgrade their firmware to fully support the UEFI implementation in Windows 8 and later. +UEFI Version 2.3.1B is the version required for Windows 8 and later logo compliance. Later versions have been released to address issues; a few machines may need to upgrade their firmware to fully support the UEFI implementation in Windows 8 and later. ### Hardware support for UEFI In regard to UEFI, hardware is divided into four device classes: -- **Class 0 devices.** This is the UEFI definition for a BIOS, or non-UEFI, device. -- **Class 1 devices.** These devices behave like a standard BIOS machine, but they run EFI internally. They should be treated as normal BIOS-based machines. Class 1 devices use a CSM to emulate BIOS. These older devices are no longer manufactured. -- **Class 2 devices.** These devices have the capability to behave as a BIOS- or a UEFI-based machine, and the boot process or the configuration in the firmware/BIOS determines the mode. Class 2 devices use a CSM to emulate BIOS. These are the most common type of devices currently available. -- **Class 3 devices.** These are UEFI-only devices, which means you must run an operating system that supports only UEFI. Those operating systems include Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. Windows 7 is not supported on these class 3 devices. Class 3 devices do not have a CSM to emulate BIOS. +- **Class 0 devices.** The device of this class is the UEFI definition for a BIOS, or non-UEFI, device. +- **Class 1 devices.** The devices of this class behave like a standard BIOS machine, but they run EFI internally. They should be treated as normal BIOS-based machines. Class 1 devices use a CSM to emulate BIOS. These older devices are no longer manufactured. +- **Class 2 devices.** The devices of this class have the capability to behave as a BIOS- or a UEFI-based machine, and the boot process or the configuration in the firmware/BIOS determines the mode. Class 2 devices use a CSM to emulate BIOS. These are the most common type of devices currently available. +- **Class 3 devices.** The devices of this class are UEFI-only devices, which means you must run an operating system that supports only UEFI. Those operating systems include Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. Windows 7 is not supported on these class 3 devices. Class 3 devices do not have a CSM to emulate BIOS. ### Windows support for UEFI Microsoft started with support for EFI 1.10 on servers and then added support for UEFI on both clients and servers. -With UEFI 2.3.1, there are both x86 and x64 versions of UEFI. Windows 10 supports both. However, UEFI does not support cross-platform boot. This means that a computer that has UEFI x64 can run only a 64-bit operating system, and a computer that has UEFI x86 can run only a 32-bit operating system. +With UEFI 2.3.1, there are both x86 and x64 versions of UEFI. Windows 10 supports both. However, UEFI does not support cross-platform boot. This limitation means that a computer that has UEFI x64 can run only a 64-bit operating system, and a computer that has UEFI x86 can run only a 32-bit operating system. ### How UEFI is changing operating system deployment @@ -297,12 +297,12 @@ There are many things that affect operating system deployment as soon as you run - Switching from BIOS to UEFI in the hardware is easy, but you also need to reinstall the operating system because you need to switch from MBR/NTFS to GPT/FAT32 and NTFS. - When you deploy to a Class 2 device, make sure the boot option you select matches the setting you want to have. It is common for old machines to have several boot options for BIOS but only a few for UEFI, or vice versa. -- When deploying from media, remember the media has to be FAT32 for UEFI, and FAT32 has a file-size limitation of 4GB. +- When deploying from media, remember the media has to be FAT32 for UEFI, and FAT32 has a file-size limitation of 4 GB. - UEFI does not support cross-platform booting; therefore, you need to have the correct boot media (32- or 64-bit). For more information on UEFI, see the [UEFI firmware](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824898(v=win.10)) overview and related resources. -## Related topics +## Related articles [Sideload apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10)
[Windows ADK for Windows 10 scenarios for IT pros](windows-adk-scenarios-for-it-pros.md) \ No newline at end of file From 332f1f3c3fc28244ab93489814c9b2db8e1d3d19 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 20 Jan 2022 12:05:37 +0530 Subject: [PATCH 11/68] Acrolinx issues fixed --- ...abase-management-strategies-and-deployment.md | 16 ++++++++-------- ...rotection-considerations-for-windows-to-go.md | 6 +++--- .../using-the-sdbinstexe-command-line-tool.md | 2 +- .../deployment/planning/using-the-sua-wizard.md | 4 ++-- 4 files changed, 14 insertions(+), 14 deletions(-) diff --git a/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md b/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md index fae3bcf0a8..29b77be77b 100644 --- a/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md +++ b/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md @@ -49,7 +49,7 @@ Microsoft provides general recommends the following remedies for improving the m - **Define your resources responsible for addressing questions and enforcing your standards** - Ensure you determine who will be responsible for staying current with the technology and standards that are related to your compatibility fixes and custom compatibility-fix databases. As your databases are managed over time, you must ensure that someone in your organization stays current with the relevant technology. + Ensure you determine who will be responsible for staying current with the technology and standards that are related to your compatibility fixes and custom compatibility-fix databases. As your databases are managed over time, ensure that someone in your organization stays current with the relevant technology. ## Strategies for Deploying Your Compatibility Fixes @@ -64,7 +64,7 @@ Determine which method best meets your organization's deployment needs. ### Deploying Fixes as Part of an Application-Installation Package -One strategy to deploy compatibility fixes is to create a custom compatibility-fix database that contains a single entry that is applied directly to the application-installation package. While this is the most straightforward method of deployment, it has been shown that this method can become overly complex, especially if you are fixing a large number of applications. +One strategy to deploy compatibility fixes is to create a custom compatibility-fix database that contains a single entry that is applied directly to the application-installation package. While this method is the most straightforward one for deployment, it has been shown that this method can become overly complex, especially if you are fixing a large number of applications. If the following considerations apply to your organization, you should avoid this strategy and instead consider using a centralized compatibility-fix database, as described in the next section. @@ -74,7 +74,7 @@ If the following considerations apply to your organization, you should avoid thi - **Will you be able to track which applications are installed on which computer?** - You might determine that your initial set of compatibility fixes is not comprehensive, and that you must deploy an updated version of the compatibility-fix database to resolve the additional issues. If you deployed the initial set by using the application-installation package, you will be required to locate each client computer that is running the application and replace the compatibility fix. + You might determine that your initial set of compatibility fixes is not comprehensive, and that you must deploy an updated version of the compatibility-fix database to resolve the other issues. If you deployed the initial set by using the application-installation package, you will be required to locate each client computer that is running the application and replace the compatibility fix. ### Deploying Fixes Through a Centralized Compatibility-Fix Database @@ -82,23 +82,23 @@ The other recommended strategy for deploying compatibility fixes into your organ This approach tends to work best for organizations that have a well-developed deployment infrastructure in place, with centralized ownership of the process. We recommend that you consider the following before using this approach: -- Does your organization have the tools required to deploy and update a compatibility-fix database for all of the effected computers? +- Does your organization have the tools required to deploy and update a compatibility-fix database for all of the affected computers? If you intend to manage a centralized compatibility-fix database, you must verify that your organization has the required tools to deploy and update all of the affected computers in your organization. - Do you have centralized resources that can manage and update the centralized compatibility-fix database? - You must ensure that you have identified the appropriate owners for the deployment process, for the applications, and for the database updates, in addition to determining the process by which compatibility issues can be deployed to specific computers. + Ensure that you have identified the appropriate owners for the deployment process, for the applications, and for the database updates, in addition to determining the process by which compatibility issues can be deployed to specific computers. ### Merging Centralized Compatibility-Fix Databases -If you decide to use the centralized compatibility-fix database deployment strategy, you can merge any of your individual compatibility-fix databases. This enables you to create a single custom compatibility-fix database that can be used to search for and determine whether Windows® should apply a fix to a specific executable (.exe) file. We recommend merging your databases based on the following process. +If you decide to use the centralized compatibility-fix database deployment strategy, you can merge any of your individual compatibility-fix databases. This provision enables you to create a single custom compatibility-fix database that can be used to search for and determine whether Windows® should apply a fix to a specific executable (.exe) file. We recommend merging your databases based on the following process. **To merge your custom-compatibility databases** 1. Verify that your application-compatibility testers are performing their tests on computers with the latest version of your compatibility-fix database. For example, Custom DB1. -2. If the tester determines that an application requires an additional compatibility fix that is not a part of the original compatibility-fix database, he or she must create a new custom compatibility database with all of the required information for that single fix. For example, Custom DB2. +2. If the tester determines that an application requires an extra compatibility fix that is not a part of the original compatibility-fix database, the tester must create a new custom compatibility database with all of the required information for that single fix, for example, Custom DB2. 3. The tester applies the new Custom DB2 information to the application and then tests for both the functionality and integration, to ensure that the compatibility issues are addressed. @@ -128,7 +128,7 @@ In order to meet the two requirements above, we recommend that you use one of th You can package your .sib file and a custom deployment script into a file with the .msi extension, and then deploy the .msi file into your organization. > [!IMPORTANT] - > You must ensure that you mark your custom script so that it does not impersonate the calling user. For example, if you use Microsoft® Visual Basic® Scripting Edition (VBScript), the custom action type would be: + > Ensure that you mark your custom script so that it does not impersonate the calling user. For example, if you use Microsoft® Visual Basic® Scripting Edition (VBScript), the custom action type would be: >`msidbCustomActionTypeVBScript + msidbCustomActionTypeInScript + msidbCustomActionTypeNoImpersonate = 0x0006 + 0x0400 + 0x0800 = 0x0C06 = 3078 decimal)` diff --git a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md index a40bab3ece..4bfd9b2dd9 100644 --- a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md +++ b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md @@ -32,12 +32,12 @@ One of the most important requirements to consider when you plan your Windows To As long as you are not saving data on the Windows To Go drive, there is no need for a backup and restore solution for Windows To Go. If you are saving data on the drive and are not using folder redirection and offline files, you should back up all of your data to a network location, such as cloud storage or a network share after each work session. Review the new and improved features described in [Supporting Information Workers with Reliable File Services and Storage](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831495(v=ws.11)) for different solutions you could implement. -If the USB drive fails for any reason, the standard process to restore the drive to working condition is to reformat and reprovision the drive with Windows To Go, so all data and customization on the drive will be lost. This is another reason why using roaming user profiles, folder redirection, and offline files with Windows To Go is strongly recommended. For more information, see [Folder Redirection, Offline Files, and Roaming User Profiles overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)). +If the USB drive fails for any reason, the standard process to restore the drive to working condition is to reformat and reprovision the drive with Windows To Go, so all data and customization on the drive will be lost. This result is another reason why using roaming user profiles, folder redirection, and offline files with Windows To Go is recommended. For more information, see [Folder Redirection, Offline Files, and Roaming User Profiles overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)). ## BitLocker -We recommend that you use BitLocker with your Windows To Go drives to protect the drive from being compromised if the drive is lost or stolen. When BitLocker is enabled, the user must provide a password to unlock the drive and boot the Windows To Go workspace, this helps prevent unauthorized users from booting the drive and using it to gain access to your network resources and confidential data. Because Windows To Go drives are meant to be roamed between computers, the Trusted Platform Module (TPM) cannot be used by BitLocker to protect the drive. Instead, you will be specifying a password that BitLocker will use for disk encryption and decryption. By default, this password must be eight characters in length and can enforce more strict requirements depending on the password complexity requirements defined by your organizations domain controller. +We recommend that you use BitLocker with your Windows To Go drives to protect the drive from being compromised if the drive is lost or stolen. When BitLocker is enabled, the user must provide a password to unlock the drive and boot the Windows To Go workspace. This password requirement helps prevent unauthorized users from booting the drive and using it to gain access to your network resources and confidential data. Because Windows To Go drives are meant to be roamed between computers, the Trusted Platform Module (TPM) cannot be used by BitLocker to protect the drive. Instead, you will be specifying a password that BitLocker will use for disk encryption and decryption. By default, this password must be eight characters in length and can enforce more strict requirements depending on the password complexity requirements defined by your organizations domain controller. You can enable BitLocker while using the Windows To Go Creator wizard as part of the drive provisioning process before first use; or it can be enabled afterward by the user from within the Windows To Go workspace. @@ -51,7 +51,7 @@ If you are using a host computer running Windows 7 that has BitLocker enabled, ## Disk discovery and data leakage -We recommend that you use the **NoDefaultDriveLetter** attribute when provisioning the USB drive to help prevent accidental data leakage. **NoDefaultDriveLetter** will prevent the host operating system from assigning a drive letter if a user inserts it into a running computer. This means the drive will not appear in Windows Explorer and an Auto-Play prompt will not be displayed to the user. This reduces the likelihood that an end user will access the offline Windows To Go disk directly from another computer. If you use the Windows To Go Creator to provision a workspace, this attribute will automatically be set for you. +We recommend that you use the **NoDefaultDriveLetter** attribute when provisioning the USB drive to help prevent accidental data leakage. **NoDefaultDriveLetter** will prevent the host operating system from assigning a drive letter if a user inserts it into a running computer. This prevention means the drive will not appear in Windows Explorer and an Auto-Play prompt will not be displayed to the user. This non-display of the drive and the prompt reduces the likelihood that an end user will access the offline Windows To Go disk directly from another computer. If you use the Windows To Go Creator to provision a workspace, this attribute will automatically be set for you. To prevent accidental data leakage between Windows To Go and the host system Windows 8 has a new SAN policy—OFFLINE\_INTERNAL - “4” to prevent the operating system from automatically bringing online any internally connected disk. The default configuration for Windows To Go has this policy enabled. It is recommended you do not change this policy to allow mounting of internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 operating system, mounting the drive will lead to loss of hibernation state and, therefore, user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted. diff --git a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md b/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md index 46307344ea..02820bf6da 100644 --- a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md +++ b/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md @@ -63,7 +63,7 @@ The following table describes the available command-line options. |Option|Description| |--- |--- | |-?|Displays the Help for the Sdbinst.exe tool.

For example,
`sdbinst.exe -?`| -|-p|Allows SDBs installation with Patches.

For example,
`sdbinst.exe -p C:\Windows\AppPatch\Myapp.sdb`| +|-p|Allows SDBs' installation with Patches.

For example,
`sdbinst.exe -p C:\Windows\AppPatch\Myapp.sdb`| |-q|Does a silent installation with no visible window, status, or warning information. Fatal errors appear only in Event Viewer (Eventvwr.exe).

For example,
`sdbinst.exe -q`| |-u *filepath*|Does an uninstallation of the specified database.

For example,
`sdbinst.exe -u C:\example.sdb`| |-g *GUID*|Specifies the customized database to uninstall by a globally unique identifier (GUID).

For example,
`sdbinst.exe -g 6586cd8f-edc9-4ea8-ad94-afabea7f62e3`| diff --git a/windows/deployment/planning/using-the-sua-wizard.md b/windows/deployment/planning/using-the-sua-wizard.md index bcbda77946..015122670a 100644 --- a/windows/deployment/planning/using-the-sua-wizard.md +++ b/windows/deployment/planning/using-the-sua-wizard.md @@ -34,7 +34,7 @@ For information about the SUA tool, see [Using the SUA Tool](using-the-sua-tool. ## Testing an Application by Using the SUA Wizard -You must install Application Verifier before you can use the SUA Wizard. If Application Verifier is not installed on the computer that is running the SUA Wizard, the SUA Wizard notifies you. You must also install the Microsoft® .NET Framework 3.5 or later before you can use the SUA Wizard. +Install Application Verifier before you can use the SUA Wizard. If Application Verifier is not installed on the computer that is running the SUA Wizard, the SUA Wizard notifies you. In addition, install the Microsoft® .NET Framework 3.5 or later before you can use the SUA Wizard. The following flowchart shows the process of using the SUA Wizard. @@ -76,7 +76,7 @@ The following flowchart shows the process of using the SUA Wizard. The SUA Wizard closes the issue as resolved on the local computer. - If the remedies do not fix the issue with the application, click **No** again, and the wizard may offer another remedies. If the other remedies do not fix the issue, the wizard informs you that there are no more remedies available. For information about how to run the SUA tool for additional investigation, see [Using the SUA Tool](using-the-sua-tool.md). + If the remedies do not fix the issue with the application, click **No** again, and the wizard may offer another remedies. If the other remedies do not fix the issue, the wizard informs you that there are no more remedies available. For information about how to run the SUA tool for more investigation, see [Using the SUA Tool](using-the-sua-tool.md). ## Related articles [SUA User's Guide](sua-users-guide.md) From cc0bad2918b2bacdeb0f6e64990923fc82fa90ff Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 20 Jan 2022 13:35:08 +0530 Subject: [PATCH 12/68] Acrolinx issues fixed --- .../deployment/planning/sua-users-guide.md | 2 +- .../planning/using-the-sua-wizard.md | 30 +++++++++---------- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/windows/deployment/planning/sua-users-guide.md b/windows/deployment/planning/sua-users-guide.md index 83926ee905..e8e6f31b30 100644 --- a/windows/deployment/planning/sua-users-guide.md +++ b/windows/deployment/planning/sua-users-guide.md @@ -40,7 +40,7 @@ You can use SUA in either of the following ways: |Topic|Description| |--- |--- | -|[Using the SUA Wizard](using-the-sua-wizard.md)|The Standard User Analyzer (SUA) Wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA Wizard does not offer detailed analysis, and it cannot disable virtualization or elevate your permissions.| +|[Using the SUA wizard](using-the-sua-wizard.md)|The Standard User Analyzer (SUA) wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA wizard does not offer detailed analysis, and it cannot disable virtualization or elevate your permissions.| |[Using the SUA Tool](using-the-sua-tool.md)|By using the Standard User Analyzer (SUA) tool, you can test your applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature.| diff --git a/windows/deployment/planning/using-the-sua-wizard.md b/windows/deployment/planning/using-the-sua-wizard.md index 015122670a..63fe07dfd7 100644 --- a/windows/deployment/planning/using-the-sua-wizard.md +++ b/windows/deployment/planning/using-the-sua-wizard.md @@ -1,6 +1,6 @@ --- -title: Using the SUA Wizard (Windows 10) -description: The Standard User Analyzer (SUA) Wizard, although it does not offer deep analysis, works much like the SUA tool to test for User Account Control (UAC) issues. +title: Using the SUA wizard (Windows 10) +description: The Standard User Analyzer (SUA) wizard, although it does not offer deep analysis, works much like the SUA tool to test for User Account Control (UAC) issues. ms.assetid: 29d07074-3de7-4ace-9a54-678af7255d6c ms.reviewer: manager: laurawi @@ -15,7 +15,7 @@ ms.date: 04/19/2017 ms.topic: article --- -# Using the SUA Wizard +# Using the SUA wizard **Applies to** @@ -27,30 +27,30 @@ ms.topic: article - Windows Server 2012 - Windows Server 2008 R2 -The Standard User Analyzer (SUA) Wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA Wizard does not offer detailed analysis, and it cannot disable virtualization or elevate your permissions. +The Standard User Analyzer (SUA) wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA wizard does not offer detailed analysis, and it cannot disable virtualization or elevate your permissions. For information about the SUA tool, see [Using the SUA Tool](using-the-sua-tool.md). -## Testing an Application by Using the SUA Wizard +## Testing an Application by Using the SUA wizard -Install Application Verifier before you can use the SUA Wizard. If Application Verifier is not installed on the computer that is running the SUA Wizard, the SUA Wizard notifies you. In addition, install the Microsoft® .NET Framework 3.5 or later before you can use the SUA Wizard. +Install Application Verifier before you can use the SUA wizard. If Application Verifier is not installed on the computer that is running the SUA wizard, the SUA wizard notifies you. In addition, install the Microsoft® .NET Framework 3.5 or later before you can use the SUA wizard. -The following flowchart shows the process of using the SUA Wizard. +The following flowchart shows the process of using the SUA wizard. ![act sua wizard flowchart.](images/dep-win8-l-act-suawizardflowchart.jpg) -**To test an application by using the SUA Wizard** +**To test an application by using the SUA wizard** -1. On the computer where the SUA Wizard is installed, sign in by using a non-administrator account. +1. On the computer where the SUA wizard is installed, sign in by using a non-administrator account. -2. Run the Standard User Analyzer Wizard. +2. Run the Standard User Analyzer wizard. 3. Click **Browse for Application**, browse to the folder that contains the application that you want to test, and then double-click the executable file for the application. 4. Click **Launch**. - If you are prompted, elevate your permissions. The SUA Wizard may require elevation of permissions to correctly diagnose the application. + If you are prompted, elevate your permissions. The SUA wizard may require elevation of permissions to correctly diagnose the application. If a **Permission denied** dialog box appears, click **OK**. The application starts, despite the warning. @@ -58,11 +58,11 @@ The following flowchart shows the process of using the SUA Wizard. 6. After you finish testing, exit the application. - The SUA Wizard displays a message that asks whether the application ran without any issues. + The SUA wizard displays a message that asks whether the application ran without any issues. 7. Click **No**. - The SUA Wizard shows a list of potential remedies that you might use to fix the application. + The SUA wizard shows a list of potential remedies that you might use to fix the application. 8. Select the fixes that you want to apply, and then click **Launch**. @@ -70,11 +70,11 @@ The following flowchart shows the process of using the SUA Wizard. 9. Test the application again, and after you finish testing, exit the application. - The SUA Wizard displays a message that asks whether the application ran without any issues. + The SUA wizard displays a message that asks whether the application ran without any issues. 10. If the application ran correctly, click **Yes**. - The SUA Wizard closes the issue as resolved on the local computer. + The SUA wizard closes the issue as resolved on the local computer. If the remedies do not fix the issue with the application, click **No** again, and the wizard may offer another remedies. If the other remedies do not fix the issue, the wizard informs you that there are no more remedies available. For information about how to run the SUA tool for more investigation, see [Using the SUA Tool](using-the-sua-tool.md). From 4cd66bf706bc149717552613573ed5bab5199b75 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 20 Jan 2022 15:16:54 +0530 Subject: [PATCH 13/68] Resolved suggestions --- ...ix-information-sent-to-microsoft-during-activation-client.md | 1 + windows/deployment/windows-deployment-scenarios-and-tools.md | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md index b36419cb21..58c3926442 100644 --- a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md +++ b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md @@ -1,5 +1,6 @@ --- title: Appendix Information sent to Microsoft during activation (Windows 10) +description: Learn about the information sent to Microsoft during activation. ms.assetid: 4bfff495-07d0-4385-86e3-7a077cbd64b8 ms.reviewer: manager: laurawi diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md index 1a4195b593..84d317c451 100644 --- a/windows/deployment/windows-deployment-scenarios-and-tools.md +++ b/windows/deployment/windows-deployment-scenarios-and-tools.md @@ -138,7 +138,7 @@ Windows PE is a “Lite” version of Windows 10 and was created to act as a dep The key thing to know about Windows PE is that, like the operating system, it needs drivers for at least network and storage devices in each PC. Luckily Windows PE includes the same drivers as the full Windows 10 operating system, which means much of your hardware will work out of the box. -![figure 7.](images/mdt-11-fig09.png) +![Figure no. 7.](images/mdt-11-fig09.png) A machine booted with the Windows ADK default Windows PE boot image. From 2455056eb6ad50ae6cf15af3514861a37a89a84d Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 20 Jan 2022 15:20:19 +0530 Subject: [PATCH 14/68] Update appendix-information-sent-to-microsoft-during-activation-client.md --- ...dix-information-sent-to-microsoft-during-activation-client.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md index 58c3926442..e67fd3d3d5 100644 --- a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md +++ b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md @@ -5,7 +5,6 @@ ms.assetid: 4bfff495-07d0-4385-86e3-7a077cbd64b8 ms.reviewer: manager: laurawi ms.author: greglin -description: keywords: vamt, volume activation, activation, windows activation ms.prod: w10 ms.mktglfcycl: deploy From b6390b76a97cdf39018aa4c54709626365f81c83 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 20 Jan 2022 16:56:37 +0530 Subject: [PATCH 15/68] Update import-export-vamt-data.md --- .../volume-activation/import-export-vamt-data.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/deployment/volume-activation/import-export-vamt-data.md b/windows/deployment/volume-activation/import-export-vamt-data.md index 502813e80e..68bf78eeba 100644 --- a/windows/deployment/volume-activation/import-export-vamt-data.md +++ b/windows/deployment/volume-activation/import-export-vamt-data.md @@ -1,6 +1,6 @@ --- -title: Import and Export VAMT Data (Windows 10) -description: Learn how to use the Volume Activation Management Tool (VAMT) to import product-activation data from a .cilx or .cil file into SQL Server. +title: Import and Export Volume Activation Management Tool (VAMT) Data (Windows 10) +description: Learn how to use the VAMT to import product-activation data from a .cilx or .cil file into SQL Server. ms.assetid: 09a2c595-1a61-4da6-bd46-4ba8763cfd4f ms.reviewer: manager: laurawi @@ -15,15 +15,15 @@ ms.date: 04/25/2017 ms.topic: article --- -# Import and Export VAMT Data +# Import and Export Volume Activation Management Tool (VAMT) Data You can use the Volume Activation Management Tool (VAMT) to import product-activation data from a Computer Information List (.cilx or .cil) file into SQL Server, and to export product-activation data into a .cilx file. A .cilx file is an XML file that stores computer and product-activation data. You can import data or export data during the following scenarios: - Import and merge data from previous versions of VAMT. -- Export data to use to perform proxy activations. +- Export data to perform proxy activations. **Warning**   -Editing a .cilx file using an application other than VAMT can corrupt the .cilx file and is not supported. +Editing a .cilx file through an application other than VAMT can corrupt the .cilx file; and this method is not supported. ## Import VAMT Data @@ -37,7 +37,7 @@ Editing a .cilx file using an application other than VAMT can corrupt the .cilx Exporting VAMT data from a non-Internet-connected VAMT host computer is the first step of proxy activation using multiple VAMT hosts. To export product-activation data to a .cilx file: 1. In the left-side pane, you can click a product you want to export data for, or click **Products** if the list contains data for all products. -2. If you want to export only part of the data in a product list, in the product list view in the center pane select the products you want to export. +2. If you want to export only part of the data in a product list, in the product-list view in the center pane, select the products you want to export. 3. In the right-side **Actions** pane on, click **Export list** to open the **Export List** dialog box. 4. In the **Export List** dialog box, click **Browse** to navigate to the .cilx file. 5. Under **Export options**, select one of the following data-type options: @@ -47,6 +47,6 @@ Exporting VAMT data from a non-Internet-connected VAMT host computer is the firs 6. If you have selected products to export, select the **Export selected product rows only** check box. 7. Click **Save**. VAMT displays a progress message while the data is being exported. Click **OK** when a message appears and confirms that the export has completed successfully. -## Related topics +## Related articles - [Perform Proxy Activation](proxy-activation-vamt.md) From 49bcc34ac86b6de75242b67c77f1630c714e519b Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Tue, 25 Jan 2022 22:06:46 +0530 Subject: [PATCH 16/68] Update whats-new-windows-10-version-21H1.md --- .../whats-new-windows-10-version-21H1.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/whats-new/whats-new-windows-10-version-21H1.md b/windows/whats-new/whats-new-windows-10-version-21H1.md index 06aade74c5..62cf673267 100644 --- a/windows/whats-new/whats-new-windows-10-version-21H1.md +++ b/windows/whats-new/whats-new-windows-10-version-21H1.md @@ -24,7 +24,7 @@ This article lists new and updated features and content that is of interest to I Windows 10, version 21H1 is a scoped set of features for select performance improvements, enterprise features, and quality enhancements. As an [H1-targeted release](/lifecycle/faq/windows#what-is-the-servicing-timeline-for-a-version--feature-update--of-windows-10-), 21H1 is serviced for 18 months from the release date for devices running Windows 10 Enterprise or Windows 10 Education editions. -For details on how to update your device, or the devices in your organization, see [How to get the Windows 10 May 2021 Update](https://blogs.windows.com/windowsexperience/?p=175674). Devices running Windows 10, versions 2004 and 20H2 have the ability to update quickly to version 21H1 via an enablement package. For more details, see [Feature Update through Windows 10, version 21H1 Enablement Package](https://support.microsoft.com/help/5000736). +For details on how to update your device, or the devices in your organization, see [How to get the Windows 10 May 2021 Update](https://blogs.windows.com/windowsexperience/?p=175674). Devices running Windows 10, versions 2004 and 20H2, have the ability to update quickly to version 21H1 via an enablement package. For more information, see [Feature Update through Windows 10, version 21H1 Enablement Package](https://support.microsoft.com/help/5000736). ## Servicing @@ -42,13 +42,13 @@ A new [resolved issues](/mem/autopilot/resolved-issues) article is available tha A new Intune remote action: **Collect diagnostics**, lets you collect the logs from corporate devices without interrupting or waiting for the end user. For more information, see [Collect diagnostics remote action](/mem/intune/fundamentals/whats-new#collect-diagnostics-remote-action). -Intune has also added capabilities to [Role-based access control](/mem/intune/fundamentals/whats-new#role-based-access-control) (RBAC) that can be used to further define profile settings for the Enrollment Status Page (ESP). For more information see [Create Enrollment Status Page profile and assign to a group](/mem/intune/enrollment/windows-enrollment-status#create-enrollment-status-page-profile-and-assign-to-a-group). +Intune has also added capabilities to [Role-based access control](/mem/intune/fundamentals/whats-new#role-based-access-control) (RBAC) that can be used to further define profile settings for the Enrollment Status Page (ESP). For more information,, see [Create Enrollment Status Page profile and assign to a group](/mem/intune/enrollment/windows-enrollment-status#create-enrollment-status-page-profile-and-assign-to-a-group). For a full list of what's new in Microsoft Intune, see [What's new in Microsoft Intune](/mem/intune/fundamentals/whats-new). ### Windows Assessment and Deployment Toolkit (ADK) -There is no new ADK for Windows 10, version 21H1. The ADK for Windows 10, version 2004 will also work with Windows 10, version 21H1. For more information, see [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). +There's no new ADK for Windows 10, version 21H1. The ADK for Windows 10, version 2004 will also work with Windows 10, version 21H1. For more information, see [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). ## Device management @@ -74,7 +74,7 @@ The new Chromium-based [Microsoft Edge](https://www.microsoft.com/edge/business) ## General fixes -See the [Windows Insider blog](https://blogs.windows.com/windows-insider/2021/02/17/releasing-windows-10-build-19042-844-20h2-to-beta-and-release-preview-channels/) for more information. +For more information on the general fixes, see the [Windows Insider blog](https://blogs.windows.com/windows-insider/2021/02/17/releasing-windows-10-build-19042-844-20h2-to-beta-and-release-preview-channels/). This release includes the following enhancements and issues fixed: @@ -88,7 +88,7 @@ This release includes the following enhancements and issues fixed: - an issue that might cause video playback to flicker when rendering on certain low-latency capable monitors. - an issue that sometimes prevents the input of strings into the Input Method Editor (IME). - an issue that exhausts resources because Desktop Windows Manager (DWM) leaks handles and virtual memory in Remote Desktop sessions. -- a stop error that occurs at start up. +- a stop error that occurs at the start. - an issue that might delay a Windows Hello for Business (WHfB) Certificate Trust deployment when you open the Settings-> Accounts-> Sign-in Options page. - an issue that might prevent some keyboard keys from working, such as the home, Ctrl, or left arrow keys when you set the Japanese IME input mode to Kana. - removed the history of previously used pictures from a user account profile. @@ -104,8 +104,8 @@ This release includes the following enhancements and issues fixed: - an issue that prevents wevtutil from parsing an XML file. - failure to report an error when the Elliptic Curve Digital Signature Algorithm (ECDSA) generates invalid keys of 163 bytes instead of 165 bytes. - We added support for using the new Chromium-based Microsoft Edge as the assigned access single kiosk app. Now, you can also customize a breakout key sequence for single app kiosks. For more information, see Configure Microsoft Edge kiosk mode. -- User Datagram Protocol (UDP) broadcast packets that are larger than the maximum transmission unit (MTU). Devices that receive these packets discard them because the checksum is not valid. -- the WinHTTP AutoProxy service does not comply with the value set for the maximum Time To Live (TTL) on the Proxy Auto-Configuration (PAC) file. This prevents the cached file from updating dynamically. +- User Datagram Protocol (UDP) broadcast packets that are larger than the maximum transmission unit (MTU). Devices that receive these packets discard them because the checksum isn't valid. +- the WinHTTP AutoProxy service doesn't comply with the value set for the maximum Time To Live (TTL) on the Proxy Auto-Configuration (PAC) file. This prevents the cached file from updating dynamically. - We improved the ability of the WinHTTP Web Proxy Auto-Discovery Service to ignore invalid Web Proxy Auto-Discovery Protocol (WPAD) URLs that the Dynamic Host Configuration Protocol (DHCP) server returns. - We displayed the proper Envelope media type as a selectable output paper type for Universal Print queues. - We ended the display of a random paper size for a printer when it uses the Microsoft Internet Printing Protocol (IPP) Class Driver. @@ -122,7 +122,7 @@ This release includes the following enhancements and issues fixed: * Default value = 1; enables the log. * Value other than 1; disables the log. - If this key does not exist, it will be created automatically. + If this key doesn't exist, it will be created automatically. To take effect, any change to **dfslog/RootShareAcquireSuccessEvent** in the registry requires that you restart the DFSN service. - We updated the Open Mobile Alliance (OMA) Device Management (DM) sync protocol by adding a check-in reason for requests from the client to the server. The check-in reason will allow the mobile device management (MDM) service to make better decisions about sync sessions. With this change, the OMA-DM service must negotiate a protocol version of 4.0 with the Windows OMA-DM client. - We turned off token binding by default in Windows Internet (WinINet). @@ -137,4 +137,4 @@ This release includes the following enhancements and issues fixed: [What's New in Windows 10](./index.yml): See what’s new in other versions of Windows 10.
[Announcing more ways we’re making app development easier on Windows](https://blogs.windows.com/windowsdeveloper/2020/09/22/kevin-gallo-microsoft-ignite-2020/): Simplifying app development in Windows.
[Features and functionality removed in Windows 10](/windows/deployment/planning/windows-10-removed-features): Removed features.
-[Windows 10 features we’re no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.
+[Windows 10 features we’re no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that aren't being developed.
From c451f4c8eb50c0bc3331f09a68475cd1b8ae0192 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Tue, 25 Jan 2022 22:28:22 +0530 Subject: [PATCH 17/68] updates --- .../includes/configure-additional-search-engines-shortdesc.md | 2 +- .../includes/configure-kiosk-mode-shortdesc.md | 2 +- .../includes/provision-favorites-shortdesc.md | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/client-management/includes/configure-additional-search-engines-shortdesc.md b/windows/client-management/includes/configure-additional-search-engines-shortdesc.md index 873d33a2f0..8b7bc5ad00 100644 --- a/windows/client-management/includes/configure-additional-search-engines-shortdesc.md +++ b/windows/client-management/includes/configure-additional-search-engines-shortdesc.md @@ -9,4 +9,4 @@ ms.prod: edge ms.topic: include --- -By default, users can set a default search engine in the Microsoft Edge browser, using the Set default search engine policy. With this policy, you can configure up to five more search engines and set any one of them as the default. If you previously enabled this policy and now want to disable it, disabling deletes all configured search engines. +Users can set a default search engine in the Microsoft Edge browser, using the Set default search engine policy. With this policy, the users can configure up to five more search engines and set any one of them as the default. If you previously enabled this policy and now want to disable it, disabling deletes all configured search engines. diff --git a/windows/client-management/includes/configure-kiosk-mode-shortdesc.md b/windows/client-management/includes/configure-kiosk-mode-shortdesc.md index c76de7864b..f2bddfe2b7 100644 --- a/windows/client-management/includes/configure-kiosk-mode-shortdesc.md +++ b/windows/client-management/includes/configure-kiosk-mode-shortdesc.md @@ -9,7 +9,7 @@ ms.prod: edge ms.topic: include --- -For the Microsoft Edge browser, configure a behavior that is to be exhibited in kiosk mode with assigned access. This behavior configuration is for Microsoft Edge as a single-app or as one of many apps running on the kiosk device. +Configure a behavior to be displayed by the Microsoft Edge browser in kiosk mode with assigned access. This behavior configuration is for Microsoft Edge as a single-app or as one of many apps running on the kiosk device. You can facilitate the following functionalities in the Microsoft Edge browser: - Execution of InPrivate full screen diff --git a/windows/client-management/includes/provision-favorites-shortdesc.md b/windows/client-management/includes/provision-favorites-shortdesc.md index 77281a67f6..79fca42087 100644 --- a/windows/client-management/includes/provision-favorites-shortdesc.md +++ b/windows/client-management/includes/provision-favorites-shortdesc.md @@ -9,11 +9,11 @@ ms.prod: edge ms.topic: include --- -By default, you can customize the Favorites list in the Microsoft Edge browser. Whatever you customize becomes the standard list. +You can customize the Favorites list in the Microsoft Edge browser. Whatever you customize becomes the standard list. > [!NOTE] > The standard list of favorites can include folders. The favorites that you add also become part of this standard list. -Once your customized Favorites list appears in the Microsoft Edge browser, you cannot customize it again, such as adding folders for organizing, and adding or removing any of the favorites configured. +Once your customized Favorites list appears in the Microsoft Edge browser, you can't customize it again, such as adding folders for organizing, and adding or removing any of the favorites configured. From ee369e88ff1fb45646d758c2be1ed1ca069adbc4 Mon Sep 17 00:00:00 2001 From: Thomas Raya Date: Tue, 25 Jan 2022 09:18:42 -0800 Subject: [PATCH 18/68] Revert "Delete appv-create-a-package-accelerator-with-powershell.md" This reverts commit eca7661e5574728be0d2cfc797d463b7b0153fc5. --- ...e-a-package-accelerator-with-powershell.md | 51 +++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md new file mode 100644 index 0000000000..2583a8e7d4 --- /dev/null +++ b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md @@ -0,0 +1,51 @@ +--- +title: How to create a package accelerator by using Windows PowerShell (Windows 10/11) +description: Learn how to create an App-v Package Accelerator by using Windows PowerShell. App-V Package Accelerators automatically sequence large, complex applications. +author: greg-lindsay +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +ms.date: 07/10/2018 +ms.reviewer: +manager: dansimp +ms.author: greglin +ms.topic: article +--- +# How to create a package accelerator by using Windows PowerShell + +[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] + +App-V Package Accelerators automatically sequence large, complex applications. Also, when you apply an App-V Package Accelerator, you don't have to manually install an application to create the virtualized package. + +## Create a package accelerator + +1. Install the App-V sequencer. For more information about installing the sequencer, see [How to install the sequencer](appv-install-the-sequencer.md). +2. To open a Windows PowerShell console, select **Start** and enter **PowerShell**. Right-click **Windows PowerShell** and select **Run as Administrator**. +3. Ensure you have the .Apps package to create an accelerator from the installation media or installation files. You can also optionally use a readme file for the accelerator's users to reference. +4. Enter the **New-AppvPackageAccelerator** cmdlet. + + The following parameters are required to use the package accelerator cmdlet: + + - *InstalledFilesPath* specifies the application installation path. + - *Installer* specifies the path to the application installer media. + - *InputPackagePath* specifies the path to the.appv package. + - *Path* specifies the output directory for the package. + + The following example cmdlet shows how you can create a package accelerator with .app package and the installation media: + + ```PowerShell + New-AppvPackageAccelerator -InputPackagePath -Installer -Path + ``` + + You can also use the following optional parameter with the **New-AppvPackageAccelerator** cmdlet: + + - *AcceleratorDescriptionFile* specifies the path to user-created package accelerator instructions. The package accelerator instructions are **.txt** or **.rtf** description files that will be included in the package created by the package accelerator. + + + + + +## Related articles + +- [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md) From f3374156614d5f07fa3c80064bb76a49b18e94b8 Mon Sep 17 00:00:00 2001 From: Thomas Raya Date: Tue, 25 Jan 2022 09:23:44 -0800 Subject: [PATCH 19/68] Update appv-create-a-package-accelerator-with-powershell.md undo changes --- .../appv-create-a-package-accelerator-with-powershell.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md index 2583a8e7d4..79b713f591 100644 --- a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md +++ b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md @@ -22,17 +22,17 @@ App-V Package Accelerators automatically sequence large, complex applications. A 1. Install the App-V sequencer. For more information about installing the sequencer, see [How to install the sequencer](appv-install-the-sequencer.md). 2. To open a Windows PowerShell console, select **Start** and enter **PowerShell**. Right-click **Windows PowerShell** and select **Run as Administrator**. -3. Ensure you have the .Apps package to create an accelerator from the installation media or installation files. You can also optionally use a readme file for the accelerator's users to reference. +3. Make sure that you have the .appv package to create an accelerator from the installation media or installation files. You can also optionally use a readme file for the accelerator's users to reference. 4. Enter the **New-AppvPackageAccelerator** cmdlet. The following parameters are required to use the package accelerator cmdlet: - *InstalledFilesPath* specifies the application installation path. - *Installer* specifies the path to the application installer media. - - *InputPackagePath* specifies the path to the.appv package. + - *InputPackagePath* specifies the path to the .appv package. - *Path* specifies the output directory for the package. - The following example cmdlet shows how you can create a package accelerator with .app package and the installation media: + The following example cmdlet shows how you can create a package accelerator with an .appv package and the installation media: ```PowerShell New-AppvPackageAccelerator -InputPackagePath -Installer -Path @@ -46,6 +46,6 @@ App-V Package Accelerators automatically sequence large, complex applications. A -## Related articles +## Related topics - [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md) From d809a4ec8d8f0f1396e9a3aaa1dbad12def4f4c1 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 27 Jan 2022 13:27:02 +0530 Subject: [PATCH 20/68] resolved Acrolinx check failures --- .../configure-additional-search-engines-shortdesc.md | 8 +++++++- .../includes/configure-kiosk-mode-shortdesc.md | 7 ++++++- .../includes/provision-favorites-shortdesc.md | 12 +++++++----- 3 files changed, 20 insertions(+), 7 deletions(-) diff --git a/windows/client-management/includes/configure-additional-search-engines-shortdesc.md b/windows/client-management/includes/configure-additional-search-engines-shortdesc.md index 8b7bc5ad00..cd9e9d9751 100644 --- a/windows/client-management/includes/configure-additional-search-engines-shortdesc.md +++ b/windows/client-management/includes/configure-additional-search-engines-shortdesc.md @@ -9,4 +9,10 @@ ms.prod: edge ms.topic: include --- -Users can set a default search engine in the Microsoft Edge browser, using the Set default search engine policy. With this policy, the users can configure up to five more search engines and set any one of them as the default. If you previously enabled this policy and now want to disable it, disabling deletes all configured search engines. +The Set default search engine policy enables the users to: + +- Set a default search engine +- Configure up to five more search engines, and set any one of them as the default + +If you previously enabled this policy and now want to disable it, doing so results in deletion of all the configured search engines + diff --git a/windows/client-management/includes/configure-kiosk-mode-shortdesc.md b/windows/client-management/includes/configure-kiosk-mode-shortdesc.md index f2bddfe2b7..8397ff7c18 100644 --- a/windows/client-management/includes/configure-kiosk-mode-shortdesc.md +++ b/windows/client-management/includes/configure-kiosk-mode-shortdesc.md @@ -9,7 +9,12 @@ ms.prod: edge ms.topic: include --- -Configure a behavior to be displayed by the Microsoft Edge browser in kiosk mode with assigned access. This behavior configuration is for Microsoft Edge as a single-app or as one of many apps running on the kiosk device. +You can define a behavior for the Microsoft Edge browser, which it shall display when part of many applications running on a kiosk device. + +> [!NOTE] +> You can define the browser's behavior only if you have the assigned access privileges. + +You can also define a behavior when Microsoft Edge serves as a single application. You can facilitate the following functionalities in the Microsoft Edge browser: - Execution of InPrivate full screen diff --git a/windows/client-management/includes/provision-favorites-shortdesc.md b/windows/client-management/includes/provision-favorites-shortdesc.md index 79fca42087..1798b33e43 100644 --- a/windows/client-management/includes/provision-favorites-shortdesc.md +++ b/windows/client-management/includes/provision-favorites-shortdesc.md @@ -9,11 +9,13 @@ ms.prod: edge ms.topic: include --- -You can customize the Favorites list in the Microsoft Edge browser. Whatever you customize becomes the standard list. +You can customize the Favorites list in the Microsoft Edge browser. Customization of the favorites list includes: -> [!NOTE] -> The standard list of favorites can include folders. +- Creating a standard list + - This standard list includes: + - Folders (which you can add) + - the list of favorites that you manually add, after creating the standard list -The favorites that you add also become part of this standard list. +This customized favorite is the final version. -Once your customized Favorites list appears in the Microsoft Edge browser, you can't customize it again, such as adding folders for organizing, and adding or removing any of the favorites configured. +You can't add folders again for organizing, and adding or removing any of the favorites configured. From 575edbd89e4b3a7cf37d0af054d6d092720fb3bb Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 27 Jan 2022 13:31:50 +0530 Subject: [PATCH 21/68] resolved Acrolinx check failure --- .../client-management/includes/provision-favorites-shortdesc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/includes/provision-favorites-shortdesc.md b/windows/client-management/includes/provision-favorites-shortdesc.md index 1798b33e43..2ddbc5c6d7 100644 --- a/windows/client-management/includes/provision-favorites-shortdesc.md +++ b/windows/client-management/includes/provision-favorites-shortdesc.md @@ -18,4 +18,4 @@ You can customize the Favorites list in the Microsoft Edge browser. Customizatio This customized favorite is the final version. -You can't add folders again for organizing, and adding or removing any of the favorites configured. + From fc90ef4fd07c6d68f517cfeeab0195b7bf8366f8 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 27 Jan 2022 13:43:50 +0530 Subject: [PATCH 22/68] resolved Acrolinx check failure --- .../mdm/push-notification-windows-mdm.md | 26 +++++++++---------- .../mdm/tenantlockdown-csp.md | 4 +-- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/windows/client-management/mdm/push-notification-windows-mdm.md b/windows/client-management/mdm/push-notification-windows-mdm.md index 0b8ad9e938..43c7d7baf5 100644 --- a/windows/client-management/mdm/push-notification-windows-mdm.md +++ b/windows/client-management/mdm/push-notification-windows-mdm.md @@ -28,27 +28,27 @@ Because a device may not always be connected to the internet, WNS supports cachi The following restrictions are related to push notifications and WNS: -- Push for device management uses raw push notifications. This restriction means that these raw push notifications do not support or utilize push notification payloads. -- Receipt of push notifications are sensitive to the Battery Saver and Data Sense settings on the device. For example, if the battery drops below certain thresholds, the persistent connection of the device with WNS will be terminated. Additionally, if the user is utilizing Data Sense and has exceeded their monthly allotment of data, the persistent connection of the device with WNS will also be terminated. -- A ChannelURI provided to the management server by the device is only valid for 30 days. The device automatically renews the ChannelURI after 15 days and triggers a management session on successful renewal of the ChannelURI. It is strongly recommended that, during every management session, the management server queries the ChannelURI value to ensure that it has received the latest value. This will ensure that the management server will not attempt to use a ChannelURI that has expired. -- Push is not a replacement for having a polling schedule. +- Push for device management uses raw push notifications. This restriction means that these raw push notifications don't support or utilize push notification payloads. +- Receipt of push notifications is sensitive to the Battery Saver and Data Sense settings on the device. For example, if the battery drops below certain thresholds, the persistent connection of the device with WNS will be terminated. Additionally, if the user is utilizing Data Sense and has exceeded their monthly allotment of data, the persistent connection of the device with WNS will also be terminated. +- A ChannelURI provided to the management server by the device is only valid for 30 days. The device automatically renews the ChannelURI after 15 days and triggers a management session on successful renewal of the ChannelURI. It's strongly recommended that, during every management session, the management server queries the ChannelURI value to ensure that it has received the latest value. This will ensure that the management server won't attempt to use a ChannelURI that has expired. +- Push isn't a replacement for having a polling schedule. - WNS reserves the right to block push notifications to your PFN if improper use of notifications is detected. Any devices being managed using this PFN will cease to have push initiated device management support. - On Windows 10, version 1511 as well as Windows 8 and 8.1, MDM Push may fail to renew the WNS Push channel automatically causing it to expire. It can also potentially hang when setting the PFN for the channel. - To workaround this issue, when a 410 is returned by the WNS server when attempting to send a Push notification to the device the PFN should be set during the next sync session. To prevent the push channel from expiring on older builds, servers can reset the PFN before the channel expires (~30 days). If they’re already running Windows 10, there should be an update available that they can install that should fix the issue. + To work around this issue, when a 410 is returned by the WNS server when attempting to send a Push notification to the device the PFN should be set during the next sync session. To prevent the push channel from expiring on older builds, servers can reset the PFN before the channel expires (~30 days). If they’re already running Windows 10, there should be an update available that they can install that should fix the issue. - On Windows 10, version 1511, we use the following retry logic for the DMClient: - - If ExpiryTime is greater than 15 days a schedule is set for when 15 days are left. - - If ExpiryTime is between now and 15 days a schedule set for 4 +/- 1 hours from now. - - If ExpiryTime has passed a schedule is set for 1 day +/- 4 hours from now. + - If ExpiryTime is greater than 15 days, a schedule is set for when 15 days are left. + - If ExpiryTime is between now and 15 days, a schedule set for 4 +/- 1 hours from now. + - If ExpiryTime has passed, a schedule is set for 1 day +/- 4 hours from now. -- On Windows 10, version 1607, we check for network connectivity before retrying. We do not check for internet connectivity. If network connectivity is not available we will skip the retry and set schedule for 4+/-1 hours to try again. +- On Windows 10, version 1607, we check for network connectivity before retrying. We don't check for internet connectivity. If network connectivity isn't available, we'll skip the retry and set schedule for 4+/-1 hours to try again. ## Get WNS credentials and PFN for MDM push notification -To get a PFN and WNS credentials, you must create an Microsoft Store app. +To get a PFN and WNS credentials, you must create a Microsoft Store app. 1. Go to the Windows [Dashboard](https://dev.windows.com/en-US/dashboard) and sign in with your developer account. @@ -68,8 +68,8 @@ To get a PFN and WNS credentials, you must create an Microsoft Store app. 6. Click **Live Services site**. A new window opens for the **Application Registration Portal** page. ![mdm push notification6.](images/push-notification6.png) -7. In the **Application Registration Portal** page, you will see the properties for the app that you created, such as: - - Application Id +7. In the **Application Registration Portal** page, you'll see the properties for the app that you created, such as: + - Application ID - Application Secrets - Microsoft Store Package SID, Application Identity, and Publisher. @@ -80,6 +80,6 @@ To get a PFN and WNS credentials, you must create an Microsoft Store app. 11. From the left nav, expand **App management** and then click **App identity**. ![mdm push notification10.](images/push-notification10.png) -12. In the **App identity** page, you will see the **Package Family Name (PFN)** of your app. +12. In the **App identity** page, you'll see the **Package Family Name (PFN)** of your app.   diff --git a/windows/client-management/mdm/tenantlockdown-csp.md b/windows/client-management/mdm/tenantlockdown-csp.md index af816d6d88..6f4815ab07 100644 --- a/windows/client-management/mdm/tenantlockdown-csp.md +++ b/windows/client-management/mdm/tenantlockdown-csp.md @@ -33,11 +33,11 @@ The root node. **RequireNetworkInOOBE** Specifies whether to require a network connection during the out-of-box experience (OOBE) at first sign in. -When RequireNetworkInOOBE is true, when the device goes through OOBE at first sign in or after a reset, the user is required to choose a network before proceeding. There is no "skip for now" option. +When RequireNetworkInOOBE is true, when the device goes through OOBE at first sign in or after a reset, the user is required to choose a network before proceeding. There's no "skip for now" option. Value type is bool. Supported operations are Get and Replace. - True - Require network in OOBE - False - No network connection requirement in OOBE -Example scenario: Henry is the IT admin at Contoso. He deploys 1000 devices successfully with RequireNetworkInOOBE set to true. When users accidentally or intentionally reset their device, they are required to connect to a network before they can proceed. Upon successful connection, users see the Contoso branded sign-in experience where they must use their Azure AD credentials. There is no option to skip the network connection and create a local account. +Example scenario: Henry is the IT admin at Contoso. He deploys 1000 devices successfully with RequireNetworkInOOBE set to true. When users accidentally or intentionally reset their device, they're required to connect to a network before they can proceed. Upon successful connection, users see the Contoso branded sign-in experience where they must use their Azure AD credentials. There's no option to skip the network connection and create a local account. From abb34bdde2d96d78f0139bf87dc8de6a25a551b8 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 27 Jan 2022 15:43:21 +0530 Subject: [PATCH 23/68] enhanced Acrolinx score --- ...ix-database-management-strategies-and-deployment.md | 6 +++--- windows/deployment/planning/sua-users-guide.md | 2 +- windows/deployment/planning/using-the-sua-wizard.md | 10 +++++----- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md b/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md index 29b77be77b..1d9fa5aab2 100644 --- a/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md +++ b/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md @@ -74,7 +74,7 @@ If the following considerations apply to your organization, you should avoid thi - **Will you be able to track which applications are installed on which computer?** - You might determine that your initial set of compatibility fixes is not comprehensive, and that you must deploy an updated version of the compatibility-fix database to resolve the other issues. If you deployed the initial set by using the application-installation package, you will be required to locate each client computer that is running the application and replace the compatibility fix. + You might determine that your initial set of compatibility fixes isn't comprehensive, and that you must deploy an updated version of the compatibility-fix database to resolve the other issues. If you deployed the initial set by using the application-installation package, you'll be required to locate each client computer that is running the application and replace the compatibility fix. ### Deploying Fixes Through a Centralized Compatibility-Fix Database @@ -88,7 +88,7 @@ This approach tends to work best for organizations that have a well-developed de - Do you have centralized resources that can manage and update the centralized compatibility-fix database? - Ensure that you have identified the appropriate owners for the deployment process, for the applications, and for the database updates, in addition to determining the process by which compatibility issues can be deployed to specific computers. + Ensure that you've identified the appropriate owners for the deployment process, for the applications, and for the database updates, in addition to determining the process by which compatibility issues can be deployed to specific computers. ### Merging Centralized Compatibility-Fix Databases @@ -98,7 +98,7 @@ If you decide to use the centralized compatibility-fix database deployment strat 1. Verify that your application-compatibility testers are performing their tests on computers with the latest version of your compatibility-fix database. For example, Custom DB1. -2. If the tester determines that an application requires an extra compatibility fix that is not a part of the original compatibility-fix database, the tester must create a new custom compatibility database with all of the required information for that single fix, for example, Custom DB2. +2. If the tester determines that an application requires an extra compatibility fix that isn't a part of the original compatibility-fix database, the tester must create a new custom compatibility database with all of the required information for that single fix, for example, Custom DB2. 3. The tester applies the new Custom DB2 information to the application and then tests for both the functionality and integration, to ensure that the compatibility issues are addressed. diff --git a/windows/deployment/planning/sua-users-guide.md b/windows/deployment/planning/sua-users-guide.md index e8e6f31b30..3019bfd486 100644 --- a/windows/deployment/planning/sua-users-guide.md +++ b/windows/deployment/planning/sua-users-guide.md @@ -40,7 +40,7 @@ You can use SUA in either of the following ways: |Topic|Description| |--- |--- | -|[Using the SUA wizard](using-the-sua-wizard.md)|The Standard User Analyzer (SUA) wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA wizard does not offer detailed analysis, and it cannot disable virtualization or elevate your permissions.| +|[Using the SUA wizard](using-the-sua-wizard.md)|The Standard User Analyzer (SUA) wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA wizard doesn't offer detailed analysis, and it can't disable virtualization or elevate your permissions.| |[Using the SUA Tool](using-the-sua-tool.md)|By using the Standard User Analyzer (SUA) tool, you can test your applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature.| diff --git a/windows/deployment/planning/using-the-sua-wizard.md b/windows/deployment/planning/using-the-sua-wizard.md index 63fe07dfd7..dbea2d8bec 100644 --- a/windows/deployment/planning/using-the-sua-wizard.md +++ b/windows/deployment/planning/using-the-sua-wizard.md @@ -1,6 +1,6 @@ --- title: Using the SUA wizard (Windows 10) -description: The Standard User Analyzer (SUA) wizard, although it does not offer deep analysis, works much like the SUA tool to test for User Account Control (UAC) issues. +description: The Standard User Analyzer (SUA) wizard, although it doesn't offer deep analysis, works much like the SUA tool to test for User Account Control (UAC) issues. ms.assetid: 29d07074-3de7-4ace-9a54-678af7255d6c ms.reviewer: manager: laurawi @@ -27,14 +27,14 @@ ms.topic: article - Windows Server 2012 - Windows Server 2008 R2 -The Standard User Analyzer (SUA) wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA wizard does not offer detailed analysis, and it cannot disable virtualization or elevate your permissions. +The Standard User Analyzer (SUA) wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA wizard doesn't offer detailed analysis, and it can't disable virtualization or elevate your permissions. For information about the SUA tool, see [Using the SUA Tool](using-the-sua-tool.md). ## Testing an Application by Using the SUA wizard -Install Application Verifier before you can use the SUA wizard. If Application Verifier is not installed on the computer that is running the SUA wizard, the SUA wizard notifies you. In addition, install the Microsoft® .NET Framework 3.5 or later before you can use the SUA wizard. +Install Application Verifier before you can use the SUA wizard. If Application Verifier isn't installed on the computer that is running the SUA wizard, the SUA wizard notifies you. In addition, install the Microsoft® .NET Framework 3.5 or later before you can use the SUA wizard. The following flowchart shows the process of using the SUA wizard. @@ -50,7 +50,7 @@ The following flowchart shows the process of using the SUA wizard. 4. Click **Launch**. - If you are prompted, elevate your permissions. The SUA wizard may require elevation of permissions to correctly diagnose the application. + If you're prompted, elevate your permissions. The SUA wizard may require elevation of permissions to correctly diagnose the application. If a **Permission denied** dialog box appears, click **OK**. The application starts, despite the warning. @@ -76,7 +76,7 @@ The following flowchart shows the process of using the SUA wizard. The SUA wizard closes the issue as resolved on the local computer. - If the remedies do not fix the issue with the application, click **No** again, and the wizard may offer another remedies. If the other remedies do not fix the issue, the wizard informs you that there are no more remedies available. For information about how to run the SUA tool for more investigation, see [Using the SUA Tool](using-the-sua-tool.md). + If the remedies don't fix the issue with the application, click **No** again, and the wizard may offer another remedies. If the other remedies don't fix the issue, the wizard informs you that there are no more remedies available. For information about how to run the SUA tool for more investigation, see [Using the SUA Tool](using-the-sua-tool.md). ## Related articles [SUA User's Guide](sua-users-guide.md) From 2046b4163b5b6b4bd3f7fbf980baf98c7a9c15ed Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 27 Jan 2022 18:14:09 +0530 Subject: [PATCH 24/68] enhanced Acrolinx scores to fix failures --- ...ection-considerations-for-windows-to-go.md | 14 ++-- ...ndows-to-go-frequently-asked-questions.yml | 78 +++++++++---------- ...t-to-microsoft-during-activation-client.md | 14 ++-- .../import-export-vamt-data.md | 4 +- .../manage-activations-vamt.md | 6 +- .../volume-activation/vamt-step-by-step.md | 4 +- .../windows-deployment-scenarios-and-tools.md | 42 +++++----- 7 files changed, 81 insertions(+), 81 deletions(-) diff --git a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md index 4bfd9b2dd9..ed4fe7d457 100644 --- a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md +++ b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md @@ -30,37 +30,37 @@ One of the most important requirements to consider when you plan your Windows To ## Backup and restore -As long as you are not saving data on the Windows To Go drive, there is no need for a backup and restore solution for Windows To Go. If you are saving data on the drive and are not using folder redirection and offline files, you should back up all of your data to a network location, such as cloud storage or a network share after each work session. Review the new and improved features described in [Supporting Information Workers with Reliable File Services and Storage](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831495(v=ws.11)) for different solutions you could implement. +When you don't save data on the Windows To Go drive, you don't need for a backup and restore solution for Windows To Go. If you're saving data on the drive and aren't using folder redirection and offline files, you should back up all of your data to a network location such as cloud storage or a network share, after each work session. Review the new and improved features described in [Supporting Information Workers with Reliable File Services and Storage](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831495(v=ws.11)) for different solutions you could implement. If the USB drive fails for any reason, the standard process to restore the drive to working condition is to reformat and reprovision the drive with Windows To Go, so all data and customization on the drive will be lost. This result is another reason why using roaming user profiles, folder redirection, and offline files with Windows To Go is recommended. For more information, see [Folder Redirection, Offline Files, and Roaming User Profiles overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)). ## BitLocker -We recommend that you use BitLocker with your Windows To Go drives to protect the drive from being compromised if the drive is lost or stolen. When BitLocker is enabled, the user must provide a password to unlock the drive and boot the Windows To Go workspace. This password requirement helps prevent unauthorized users from booting the drive and using it to gain access to your network resources and confidential data. Because Windows To Go drives are meant to be roamed between computers, the Trusted Platform Module (TPM) cannot be used by BitLocker to protect the drive. Instead, you will be specifying a password that BitLocker will use for disk encryption and decryption. By default, this password must be eight characters in length and can enforce more strict requirements depending on the password complexity requirements defined by your organizations domain controller. +We recommend that you use BitLocker with your Windows To Go drives to protect the drive from being compromised if the drive is lost or stolen. When BitLocker is enabled, the user must provide a password to unlock the drive and boot the Windows To Go workspace. This password requirement helps prevent unauthorized users from booting the drive and using it to gain access to your network resources and confidential data. Because Windows To Go drives are meant to be roamed between computers, the Trusted Platform Module (TPM) can't be used by BitLocker to protect the drive. Instead, you'll be specifying a password that BitLocker will use for disk encryption and decryption. By default, this password must be eight characters in length and can enforce more strict requirements depending on the password complexity requirements defined by your organizations domain controller. You can enable BitLocker while using the Windows To Go Creator wizard as part of the drive provisioning process before first use; or it can be enabled afterward by the user from within the Windows To Go workspace. **Tip**   -If the Windows To Go Creator wizard is not able to enable BitLocker, see [Why can't I enable BitLocker from Windows To Go Creator?](windows-to-go-frequently-asked-questions.yml#why-can-t-i-enable-bitlocker-from-windows-to-go-creator-) +If the Windows To Go Creator wizard isn't able to enable BitLocker, see [Why can't I enable BitLocker from Windows To Go Creator?](windows-to-go-frequently-asked-questions.yml#why-can-t-i-enable-bitlocker-from-windows-to-go-creator-) -If you are using a host computer running Windows 7 that has BitLocker enabled, you should suspend BitLocker before changing the BIOS settings to boot from USB and then resume BitLocker protection. If BitLocker is not suspended first, the next time the computer is started it will boot into recovery mode. +When you use a host computer running Windows 7 that has BitLocker enabled, suspend BitLocker before changing the BIOS settings to boot from USB and then resume BitLocker protection. If BitLocker isn't suspended first, the next boot of the computer is in recovery mode. ## Disk discovery and data leakage -We recommend that you use the **NoDefaultDriveLetter** attribute when provisioning the USB drive to help prevent accidental data leakage. **NoDefaultDriveLetter** will prevent the host operating system from assigning a drive letter if a user inserts it into a running computer. This prevention means the drive will not appear in Windows Explorer and an Auto-Play prompt will not be displayed to the user. This non-display of the drive and the prompt reduces the likelihood that an end user will access the offline Windows To Go disk directly from another computer. If you use the Windows To Go Creator to provision a workspace, this attribute will automatically be set for you. +We recommend that you use the **NoDefaultDriveLetter** attribute when provisioning the USB drive to help prevent accidental data leakage. **NoDefaultDriveLetter** will prevent the host operating system from assigning a drive letter if a user inserts it into a running computer. This prevention means the drive won't appear in Windows Explorer and an Auto-Play prompt won't be displayed to the user. This non-display of the drive and the prompt reduces the likelihood that an end user will access the offline Windows To Go disk directly from another computer. If you use the Windows To Go Creator to provision a workspace, this attribute will automatically be set for you. -To prevent accidental data leakage between Windows To Go and the host system Windows 8 has a new SAN policy—OFFLINE\_INTERNAL - “4” to prevent the operating system from automatically bringing online any internally connected disk. The default configuration for Windows To Go has this policy enabled. It is recommended you do not change this policy to allow mounting of internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 operating system, mounting the drive will lead to loss of hibernation state and, therefore, user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted. +To prevent accidental data leakage between Windows To Go and the host system Windows 8 has a new SAN policy—OFFLINE\_INTERNAL - “4” to prevent the operating system from automatically bringing online any internally connected disk. The default configuration for Windows To Go has this policy enabled. It's recommended you do not change this policy to allow mounting of internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 operating system, mounting the drive will lead to loss of hibernation state and, therefore, user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted. For more information, see [How to Configure Storage Area Network (SAN) Policy in Windows PE](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825063(v=win.10)). ## Security certifications for Windows To Go -Windows to Go is a core capability of Windows when it is deployed on the drive and is configured following the guidance for the applicable security certification. Solutions built using Windows To Go can be submitted for more certifications by the solution provider that cover the solution provider’s specific hardware environment. For more information about Windows security certifications, see the following articles. +Windows to Go is a core capability of Windows when it's deployed on the drive and is configured following the guidance for the applicable security certification. Solutions built using Windows To Go can be submitted for more certifications by the solution provider that cover the solution provider’s specific hardware environment. For more information about Windows security certifications, see the following articles. - [Windows Platform Common Criteria Certification](/windows/security/threat-protection/windows-platform-common-criteria) diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml index a912d623b5..ec5e722d45 100644 --- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml +++ b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml @@ -22,7 +22,7 @@ summary: | - Windows 10 > [!IMPORTANT] - > Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. + > Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature doesn't support feature updates and therefore doesn't enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. The following list identifies some commonly asked questions about Windows To Go. @@ -50,7 +50,7 @@ summary: | - [Why isn't my computer booting from USB?](#why-isn-t-my-computer-booting-from-usb-) - - [What happens if I remove my Windows To Go drive while it is running?](#what-happens-if-i-remove-my-windows-to-go-drive-while-it-is-running-) + - [What happens if I remove my Windows To Go drive while it's running?](#what-happens-if-i-remove-my-windows-to-go-drive-while-it-is-running-) - [Can I use BitLocker to protect my Windows To Go drive?](#can-i-use-bitlocker-to-protect-my-windows-to-go-drive-) @@ -102,7 +102,7 @@ summary: | - [My host computer running Windows 7 is protected by BitLocker Drive Encryption. Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go?](#my-host-computer-running-windows-7-is-protected-by-bitlocker-drive-encryption--why-did-i-need-to-use-the-recovery-key-to-unlock-and-reboot-my-host-computer-after-using-windows-to-go-) - - [I decided to stop using a drive for Windows To Go and reformatted it – why doesn't it have a drive letter assigned and how can I fix it?](#i-decided-to-stop-using-a-drive-for-windows-to-go-and-reformatted-it---why-doesn-t-it-have-a-drive-letter-assigned-and-how-can-i-fix-it-) + - [I decided to stop using a drive for Windows To Go and reformatted it – why it doesn't have a drive letter assigned and how can I fix it?](#i-decided-to-stop-using-a-drive-for-windows-to-go-and-reformatted-it---why-doesn-t-it-have-a-drive-letter-assigned-and-how-can-i-fix-it-) - [Why do I keep on getting the message "Installing devices…" when I boot Windows To Go?](#why-do-i-keep-on-getting-the-message--installing-devices---when-i-boot-windows-to-go-) @@ -138,7 +138,7 @@ sections: - A Windows 10 Enterprise, Windows 10 Education or Windows 10 Professional host PC that can be used to provision new USB keys - You can use a Windows PowerShell script to target several drives and scale your deployment for a large number of Windows To Go drives. You can also use a USB duplicator to duplicate a Windows To Go drive after it has been provisioned if you are creating a large number of drives. See the [Windows To Go Step by Step](https://go.microsoft.com/fwlink/p/?LinkId=618950) article on the TechNet wiki for a walkthrough of the drive creation process. + You can use a Windows PowerShell script to target several drives and scale your deployment for a large number of Windows To Go drives. You can also use a USB duplicator to duplicate a Windows To Go drive after it has been provisioned if you're creating a large number of drives. See the [Windows To Go Step by Step](https://go.microsoft.com/fwlink/p/?LinkId=618950) article on the TechNet wiki for a walkthrough of the drive creation process. - question: | Is Windows To Go supported on both USB 2.0 and USB 3.0 drives? @@ -153,7 +153,7 @@ sections: - question: | How do I identify a USB 3.0 port? answer: | - USB 3.0 ports are usually marked blue or carry a SS marking on the side. + USB 3.0 ports are usually marked blue or carry an SS marking on the side. - question: | Does Windows To Go run faster on a USB 3.0 port? @@ -191,7 +191,7 @@ sections: If the host computer is running an earlier version of the Windows operating system need to configure the computer to boot from USB manually. - To do this, early during boot time (usually when you see the manufacturer's logo), enter your firmware/BIOS setup. (This method to enter firmware/BIOS setup differs with different computer manufacturers, but is usually entered by pressing one of the function keys, such as F12, F2, F1, Esc, and so forth. You should check the manufacturer's site to be sure if you do not know which key to use to enter firmware setup.) + To do this, early during boot time (usually when you see the manufacturer's logo), enter your firmware/BIOS setup. (This method to enter firmware/BIOS setup differs with different computer manufacturers, but is usually entered by pressing one of the function keys, such as F12, F2, F1, Esc, and so forth. You should check the manufacturer's site to be sure if you don't know which key to use to enter firmware setup.) After you have entered firmware setup, make sure that boot from USB is enabled. Then change the boot order to boot from USB drives first. @@ -213,14 +213,14 @@ sections: 2. Ensure that the Windows To Go drive is connected directly to a USB port on the computer. Many computers don't support booting from a device connected to a USB 3 PCI add-on card or external USB hubs. - 3. If the computer is not booting from a USB 3.0 port, try to boot from a USB 2.0 port. + 3. If the computer isn't booting from a USB 3.0 port, try to boot from a USB 2.0 port. If none of these items enable the computer to boot from USB, contact the hardware manufacturer for additional support. - question: | - What happens if I remove my Windows To Go drive while it is running? + What happens if I remove my Windows To Go drive while it's running? answer: | - If the Windows To Go drive is removed, the computer will freeze and the user will have 60 seconds to reinsert the Windows To Go drive. If the Windows To Go drive is reinserted into the same port it was removed from, Windows will resume at the point where the drive was removed. If the USB drive is not reinserted, or is reinserted into a different port, the host computer will turn off after 60 seconds. + If the Windows To Go drive is removed, the computer will freeze and the user will have 60 seconds to reinsert the Windows To Go drive. If the Windows To Go drive is reinserted into the same port it was removed from, Windows will resume at the point where the drive was removed. If the USB drive isn't reinserted, or is reinserted into a different port, the host computer will turn off after 60 seconds. **Warning**   You should never remove your Windows To Go drive when your workspace is running. The computer freeze is a safety measure to help mitigate the risk of accidental removal. Removing the Windows To Go drive without shutting down the Windows To Go workspace could result in corruption of the Windows To Go drive. @@ -230,28 +230,28 @@ sections: - question: | Can I use BitLocker to protect my Windows To Go drive? answer: | - Yes. In Windows 8 and later, BitLocker has added support for using a password to protect operating system drives. This means that you can use a password to secure your Windows To Go workspace and you will be prompted to enter this password every time you use the Windows To Go workspace. + Yes. In Windows 8 and later, BitLocker has added support for using a password to protect operating system drives. This means that you can use a password to secure your Windows To Go workspace and you'll be prompted to enter this password every time you use the Windows To Go workspace. - question: | Why can't I enable BitLocker from Windows To Go Creator? answer: | - Several different Group Policies control the use of BitLocker on your organizations computers. These policies are located in the **Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption** folder of the local Group Policy editor. The folder contains three sub-folders for fixed, operating system and removable data drive types. + Several different Group Policies control the use of BitLocker on your organizations computers. These policies are located in the **Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption** folder of the local Group Policy editor. The folder contains three subfolders for fixed, operating system and removable data drive types. - When you are using Windows To Go Creator, the Windows To Go drive is considered a removable data drive by BitLocker. Review the following setting to see if these settings apply in your situation: + When you're using Windows To Go Creator, the Windows To Go drive is considered a removable data drive by BitLocker. Review the following setting to see if these settings apply in your situation: 1. **Control use of BitLocker on removable drives** - If this setting is disabled BitLocker cannot be used with removable drives, so the Windows To Go Creator wizard will fail if it attempts to enable BitLocker on the Windows To Go drive. + If this setting is disabled BitLocker can't be used with removable drives, so the Windows To Go Creator wizard will fail if it attempts to enable BitLocker on the Windows To Go drive. 2. **Configure use of smart cards on removable data drives** - If this setting is enabled and the option **Require use of smart cards on removable data drives** is also selected the creator wizard might fail if you have not already signed on using your smart card credentials before starting the Windows To Go Creator wizard. + If this setting is enabled and the option **Require use of smart cards on removable data drives** is also selected the creator wizard might fail if you haven't already signed on using your smart card credentials before starting the Windows To Go Creator wizard. 3. **Configure use of passwords for removable data drives** - If this setting is enabled and the **Require password complexity option** is selected the computer must be able to connect to the domain controller to verify that the password specified meets the password complexity requirements. If the connection is not available, the Windows To Go Creator wizard will fail to enable BitLocker. + If this setting is enabled and the **Require password complexity option** is selected the computer must be able to connect to the domain controller to verify that the password specified meets the password complexity requirements. If the connection isn't available, the Windows To Go Creator wizard will fail to enable BitLocker. - Additionally, the Windows To Go Creator will disable the BitLocker option if the drive does not have any volumes. In this situation, you should initialize the drive and create a volume using the Disk Management console before provisioning the drive with Windows To Go. + Additionally, the Windows To Go Creator will disable the BitLocker option if the drive doesn't have any volumes. In this situation, you should initialize the drive and create a volume using the Disk Management console before provisioning the drive with Windows To Go. - question: | What power states does Windows To Go support? @@ -261,7 +261,7 @@ sections: - question: | Why is hibernation disabled in Windows To Go? answer: | - When a Windows To Go workspace is hibernated, it will only successfully resume on the exact same hardware. Therefore, if a Windows To Go workspace is hibernated on one computer and roamed to another, the hibernation state (and therefore user state) will be lost. To prevent this from happening, the default settings for a Windows To Go workspace disable hibernation. If you are confident that you will only attempt to resume on the same computer, you can enable hibernation using the Windows To Go Group Policy setting, **Allow hibernate (S4) when started from a Windows To Go workspace** that is located at **\\\\Computer Configuration\\Administrative Templates\\Windows Components\\Portable Operating System\\** in the Local Group Policy Editor (gpedit.msc). + When a Windows To Go workspace is hibernated, it will only successfully resume on the exact same hardware. Therefore, if a Windows To Go workspace is hibernated on one computer and roamed to another, the hibernation state (and therefore user state) will be lost. To prevent this from happening, the default settings for a Windows To Go workspace disable hibernation. If you're confident that you'll only attempt to resume on the same computer, you can enable hibernation using the Windows To Go Group Policy setting, **Allow hibernate (S4) when started from a Windows To Go workspace** that is located at **\\\\Computer Configuration\\Administrative Templates\\Windows Components\\Portable Operating System\\** in the Local Group Policy Editor (gpedit.msc). - question: | Does Windows To Go support crash dump analysis? @@ -273,7 +273,7 @@ sections: answer: | Yes, if both operating systems are running the Windows 8 operating system. Enabling "Windows To Go Startup Options" should cause the computer to boot from the Windows To Go workspace when the drive is plugged in before the computer is turned on. - If you have configured a dual boot computer with a Windows operating system and another operating system it might work occasionally and fail occasionally. Using this configuration is unsupported. + If you have configured a dual boot computer with a Windows operating system and another operating system, it might work occasionally and fail occasionally. Using this configuration is unsupported. - question: | I plugged my Windows To Go drive into a running computer and I can't see the partitions on the drive. Why not? @@ -281,14 +281,14 @@ sections: Windows To Go Creator and the recommended deployment steps for Windows To Go set the NO\_DEFAULT\_DRIVE\_LETTER flag on the Windows To Go drive. This flag prevents Windows from automatically assigning drive letters to the partitions on the Windows To Go drive. That's why you can't see the partitions on the drive when you plug your Windows To Go drive into a running computer. This helps prevent accidental data leakage between the Windows To Go drive and the host computer. If you really need to access the files on the Windows To Go drive from a running computer, you can use diskmgmt.msc or diskpart to assign a drive letter. **Warning**   - It is strongly recommended that you do not plug your Windows To Go drive into a running computer. If the computer is compromised, your Windows To Go workspace can also be compromised. + It's strongly recommended that you don't plug your Windows To Go drive into a running computer. If the computer is compromised, your Windows To Go workspace can also be compromised. - question: | I'm booted into Windows To Go, but I can't browse to the internal hard drive of the host computer. Why not? answer: | - Windows To Go Creator and the recommended deployment steps for Windows To Go set SAN Policy 4 on Windows To Go drive. This policy prevents Windows from automatically mounting internal disk drives. That's why you can't see the internal hard drives of the host computer when you are booted into Windows To Go. This is done to prevent accidental data leakage between Windows To Go and the host system. This policy also prevents potential corruption on the host drives or data loss if the host operating system is in a hibernation state. If you really need to access the files on the internal hard drive, you can use diskmgmt.msc to mount the internal drive. + Windows To Go Creator and the recommended deployment steps for Windows To Go set SAN Policy 4 on Windows To Go drive. This policy prevents Windows from automatically mounting internal disk drives. That's why you can't see the internal hard drives of the host computer when you're booted into Windows To Go. This is done to prevent accidental data leakage between Windows To Go and the host system. This policy also prevents potential corruption on the host drives or data loss if the host operating system is in a hibernation state. If you really need to access the files on the internal hard drive, you can use diskmgmt.msc to mount the internal drive. **Warning**   It is strongly recommended that you do not mount internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 or later operating system, mounting the drive will lead to loss of hibernation state and therefor user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted. @@ -323,7 +323,7 @@ sections: - question: | Do I need to activate Windows To Go every time I roam? answer: | - No, Windows To Go requires volume activation; either using the [Key Management Service](/previous-versions/tn-archive/ff793434(v=technet.10)) (KMS) server in your organization or using [Active Directory](/previous-versions/windows/hh852637(v=win.10)) based volume activation. The Windows To Go workspace will not need to be reactivated every time you roam. KMS activates Windows on a local network, eliminating the need for individual computers to connect to Microsoft. To remain activated, KMS client computers must renew their activation by connecting to the KMS host on periodic basis. This typically occurs as soon as the user has access to the corporate network (either through a direct connection on-premises or a through remote connection using DirectAccess or a virtual private network connection), once activated the machine will not need to be activated again until the activation validity interval has passed. In a KMS configuration the activation validity interval is 180 days. + No, Windows To Go requires volume activation; either using the [Key Management Service](/previous-versions/tn-archive/ff793434(v=technet.10)) (KMS) server in your organization or using [Active Directory](/previous-versions/windows/hh852637(v=win.10)) based volume activation. The Windows To Go workspace won't need to be reactivated every time you roam. KMS activates Windows on a local network, eliminating the need for individual computers to connect to Microsoft. To remain activated, KMS client computers must renew their activation by connecting to the KMS host on periodic basis. This typically occurs as soon as the user has access to the corporate network (either through a direct connection on-premises or a through remote connection using DirectAccess or a virtual private network connection), once activated the machine won't need to be activated again until the activation validity interval has passed. In a KMS configuration, the activation validity interval is 180 days. - question: | Can I use all Windows features on Windows To Go? @@ -338,22 +338,22 @@ sections: - question: | Does Windows To Go work slower than standard Windows? answer: | - If you are using a USB 3.0 port and a Windows To Go certified device, there should be no perceivable difference between standard Windows and Windows To Go. However, if you are booting from a USB 2.0 port, you may notice some slowdown since USB 2.0 transfer speeds are slower than SATA speeds. + If you're using a USB 3.0 port and a Windows To Go certified device, there should be no perceivable difference between standard Windows and Windows To Go. However, if you're booting from a USB 2.0 port, you may notice some slowdown since USB 2.0 transfer speeds are slower than SATA speeds. - question: | If I lose my Windows To Go drive, will my data be safe? answer: | - Yes! If you enable BitLocker on your Windows To Go drive, all your data will be encrypted and protected and a malicious user will not be able to access your data without your password. If you don't enable BitLocker, your data will be vulnerable if you lose your Windows To Go drive. + Yes! If you enable BitLocker on your Windows To Go drive, all your data will be encrypted and protected and a malicious user won't be able to access your data without your password. If you don't enable BitLocker, your data will be vulnerable if you lose your Windows To Go drive. - question: | Can I boot Windows To Go on a Mac? answer: | - We are committed to give customers a consistent and quality Windows 10 experience with Windows To Go. Windows To Go supports host devices certified for use with Windows 7 or later. Because Mac computers are not certified for use with Windows 7 or later, using Windows To Go is not supported on a Mac. + We're committed to give customers a consistent and quality Windows 10 experience with Windows To Go. Windows To Go supports host devices certified for use with Windows 7 or later. Because Mac computers aren't certified for use with Windows 7 or later, using Windows To Go isn't supported on a Mac. - question: | Are there any APIs that allow applications to identify a Windows To Go workspace? answer: | - Yes. You can use a combination of identifiers to determine if the currently running operating system is a Windows To Go workspace. First, check if the **PortableOperatingSystem** property is true. When that value is true it means that the operating system was booted from an external USB device. + Yes. You can use a combination of identifiers to determine if the currently running operating system is a Windows To Go workspace. First, check if the **PortableOperatingSystem** property is true. When that value is true, it means that the operating system was booted from an external USB device. Next, check if the **OperatingSystemSKU** property is equal to **4** (for Windows 10 Enterprise) or **121** (for Windows 10 Education). The combination of those two properties represents a Windows To Go workspace environment. @@ -367,17 +367,17 @@ sections: - question: | Does Windows Recovery Environment work with Windows To Go? What's the guidance for recovering a Windows To Go drive? answer: | - No, use of Windows Recovery Environment is not supported on Windows To Go. It is recommended that you implement user state virtualization technologies like Folder Redirection to centralize and back up user data in the data center. If any corruption occurs on a Windows To Go drive, you should re-provision the workspace. + No, use of Windows Recovery Environment isn't supported on Windows To Go. It's recommended that you implement user state virtualization technologies like Folder Redirection to centralize and back up user data in the data center. If any corruption occurs on a Windows To Go drive, you should reprovision the workspace. - question: | Why won't Windows To Go work on a computer running Windows XP or Windows Vista? answer: | - Actually it might. If you have purchased a computer certified for Windows 7 or later and then installed an older operating system, Windows To Go will boot and run as expected as long as you have configured the firmware to boot from USB. However, if the computer was certified for Windows XP or Windows Vista, it might not meet the hardware requirements for Windows To Go to run. Typically computers certified for Windows Vista and earlier operating systems have less memory, less processing power, reduced video rendering, and slower USB ports. + Actually it might. If you've purchased a computer certified for Windows 7 or later and then installed an older operating system, Windows To Go will boot and run as expected as long as you've configured the firmware to boot from USB. However, if the computer was certified for Windows XP or Windows Vista, it might not meet the hardware requirements for Windows To Go to run. Typically computers certified for Windows Vista and earlier operating systems have less memory, less processing power, reduced video rendering, and slower USB ports. - question: | Why does the operating system on the host computer matter? answer: | - It doesn't other than to help visually identify if the PC has compatible hardware. For a PC to be certified for Windows 7 or later it had to support booting from USB. If a computer cannot boot from USB there is no way that it can be used with Windows To Go. The Windows To Go workspace is a full Windows 10 environment, so all of the hardware requirements of Windows 10 with respect to processing speed, memory usage, and graphics rendering need to be supported to be assured that it will work as expected. + It doesn't other than to help visually identify if the PC has compatible hardware. For a PC to be certified for Windows 7 or later it had to support booting from USB. If a computer can't boot from USB there's no way that it can be used with Windows To Go. The Windows To Go workspace is a full Windows 10 environment, so all of the hardware requirements of Windows 10 with respect to processing speed, memory usage, and graphics rendering need to be supported to be assured that it will work as expected. - question: | My host computer running Windows 7 is protected by BitLocker Drive Encryption. Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go? @@ -386,17 +386,17 @@ sections: You can reset the BitLocker system measurements to incorporate the new boot order using the following steps: - 1. Log on to the host computer using an account with administrator privileges. + 1. Sign in to the host computer using an account with administrator privileges. 2. Click **Start**, click **Control Panel**, click **System and Security**, and then click **BitLocker Drive Encryption**. 3. Click **Suspend Protection** for the operating system drive. - A message is displayed, informing you that your data will not be protected while BitLocker is suspended and asking if you want to suspend BitLocker Drive Encryption. Click **Yes** to continue and suspend BitLocker on the drive. + A message is displayed, informing you that your data won't be protected while BitLocker is suspended and asking if you want to suspend BitLocker Drive Encryption. Click **Yes** to continue and suspend BitLocker on the drive. 4. Restart the computer and enter the firmware settings to reset the boot order to boot from USB first. For more information on changing the boot order in the BIOS, see [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkId=618951) on the TechNet wiki. - 5. Restart the computer again and then log on to the host computer using an account with administrator privileges. (Neither your Windows To Go drive nor any other USB drive should be inserted.) + 5. Restart the computer again and then sign in to the host computer using an account with administrator privileges. (Neither your Windows To Go drive nor any other USB drive should be inserted.) 6. Click **Start**, click **Control Panel**, click **System and Security**, and then click **BitLocker Drive Encryption**. @@ -405,41 +405,41 @@ sections: The host computer will now be able to be booted from a USB drive without triggering recovery mode. > [!NOTE] - > The default BitLocker protection profile in Windows 8 or later does not monitor the boot order. + > The default BitLocker protection profile in Windows 8 or later doesn't monitor the boot order. - question: | - I decided to stop using a drive for Windows To Go and reformatted it – why doesn't it have a drive letter assigned and how can I fix it? + I decided to stop using a drive for Windows To Go and reformatted it – why it doesn't have a drive letter assigned and how can I fix it? answer: | Reformatting the drive erases the data on the drive, but doesn't reconfigure the volume attributes. When a drive is provisioned for use as a Windows To Go drive the NODEFAULTDRIVELETTER attribute is set on the volume. To remove this attribute, use the following steps: 1. Open a command prompt with full administrator permissions. > [!NOTE] - > If your user account is a member of the Administrators group, but is not the Administrator account itself, then, by default, the programs that you run only have standard user permissions unless you explicitly choose to elevate them. + > If your user account is a member of the Administrators group, but isn't the Administrator account itself, then, by default, the programs that you run only have standard user permissions unless you explicitly choose to elevate them. 2. Start the [diskpart](/windows-server/administration/windows-commands/diskpart) command interpreter, by typing `diskpart` at the command prompt. - 3. Use the `select disk` command to identify the drive. If you do not know the drive number, use the `list` command to display the list of disks available. + 3. Use the `select disk` command to identify the drive. If you don't know the drive number, use the `list` command to display the list of disks available. 4. After selecting the disk, run the `clean` command to remove all data, formatting, and initialization information from the drive. - question: | Why do I keep on getting the message "Installing devices…" when I boot Windows To Go? answer: | - One of the challenges involved in moving the Windows To Go drive between PCs while seamlessly booting Windows with access to all of their applications and data is that for Windows to be fully functional, specific drivers need to be installed for the hardware in each machine that runs Windows. Windows 8 or later has a process called respecialize which will identify new drivers that need to be loaded for the new PC and disable drivers which are not present on the new configuration. In general this feature is reliable and efficient when roaming between PCs of widely varying hardware configurations. + One of the challenges involved in moving the Windows To Go drive between PCs while seamlessly booting Windows with access to all of their applications and data is that for Windows to be fully functional, specific drivers need to be installed for the hardware in each machine that runs Windows. Windows 8 or later has a process called respecialize which will identify new drivers that need to be loaded for the new PC and disable drivers that aren't present on the new configuration. In general, this feature is reliable and efficient when roaming between PCs of widely varying hardware configurations. - In certain cases, third party drivers for different hardware models or versions can reuse device ID's, driver file names, registry keys (or any other operating system constructs which do not support side-by-side storage) for similar hardware. For example, Touchpad drivers on different laptops often reuse the same device ID's, and video cards from the same manufacturer may often reuse service names. Windows handles these situations by marking the non-present device node with a flag that indicates the existing driver needs to be reinstalled before continuing to install the new driver. + In certain cases, third-party drivers for different hardware models or versions can reuse device ID's, driver file names, registry keys (or any other operating system constructs that don't support side-by-side storage) for similar hardware. For example, Touchpad drivers on different laptops often reuse the same device ID's, and video cards from the same manufacturer may often reuse service names. Windows handles these situations by marking the non-present device node with a flag that indicates the existing driver needs to be reinstalled before continuing to install the new driver. - This process will occur on any boot that a new driver is found and a driver conflict is detected. In some cases that will result in a respecialize progress message "Installing devices…" displaying every time that a Windows to Go drive is roamed between two PCs which require conflicting drivers. + This process will occur on any boot that a new driver is found and a driver conflict is detected. In some cases that will result in a respecialize progress message "Installing devices…" displaying every time that a Windows to Go drive is roamed between two PCs that require conflicting drivers. - question: | How do I upgrade the operating system on my Windows To Go drive? answer: | - There is no support in Windows for upgrading a Windows To Go drive. Deployed Windows To Go drives with older versions of Windows will need to be re-imaged with a new version of Windows in order to transition to the new operating system version. + There's no support in Windows for upgrading a Windows To Go drive. Deployed Windows To Go drives with older versions of Windows will need to be reimaged with a new version of Windows in order to transition to the new operating system version. additionalContent: | diff --git a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md index e67fd3d3d5..992cec996b 100644 --- a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md +++ b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md @@ -33,13 +33,13 @@ ms.topic: article When you activate a computer running Windows 10, the following information is sent to Microsoft: -- The Microsoft product code (a five-digit code that identifies the Windows product you are activating) +- The Microsoft product code (a five-digit code that identifies the Windows product you're activating) - A channel ID or site code that identifies how the Windows product was originally obtained For example, a channel ID or site code identifies whether the product was originally purchased from a retail store, obtained as an evaluation copy, obtained through a volume licensing program, or preinstalled by a computer manufacturer. - The date of installation and whether the installation was successful -- Information that helps confirm that your Windows product key has not been altered +- Information that helps confirm that your Windows product key hasn't been altered - Computer make and model - Version information for the operating system and software - Region and language settings @@ -51,18 +51,18 @@ When you activate a computer running Windows 10, the following information is s This result includes error codes and the following information about any activation exploits and related malicious or unauthorized software that was found or disabled: - - The activation exploit’s identifier - - The activation exploit’s current state, such as cleaned or quarantined + - The activation exploits’ identifier + - The activation exploits’ current state, such as cleaned or quarantined - Computer manufacturer’s identification - - The activation exploit’s file name and hash in addition to a hash of related software components that may indicate the presence of an activation exploit + - The activation exploits’ file name and hash apart from a hash of related software components that may indicate the presence of an activation exploit - The name and a hash of the contents of your computer’s startup instructions file - If your Windows license is on a subscription basis, information about how your subscription works -Standard computer information is also sent, but your computer’s IP address is only retained temporarily. +Standard computer information is also sent, but your computer’s IP address is only kept temporarily. ## Use of information -Microsoft uses the information to confirm that you have a licensed copy of the software. Microsoft does not use the information to contact individual consumers. +Microsoft uses the information to confirm that you have a licensed copy of the software. Microsoft doesn't use the information to contact individual consumers. For more information, see [Windows 10 Privacy Statement](https://go.microsoft.com/fwlink/p/?LinkId=619879). ## See also diff --git a/windows/deployment/volume-activation/import-export-vamt-data.md b/windows/deployment/volume-activation/import-export-vamt-data.md index 68bf78eeba..d79250faa8 100644 --- a/windows/deployment/volume-activation/import-export-vamt-data.md +++ b/windows/deployment/volume-activation/import-export-vamt-data.md @@ -23,7 +23,7 @@ You can import data or export data during the following scenarios: - Export data to perform proxy activations. **Warning**   -Editing a .cilx file through an application other than VAMT can corrupt the .cilx file; and this method is not supported. +Editing a .cilx file through an application other than VAMT can corrupt the .cilx file; and this method isn't supported. ## Import VAMT Data @@ -44,7 +44,7 @@ Exporting VAMT data from a non-Internet-connected VAMT host computer is the firs - Export products and product keys - Export products only - Export proxy activation data only. Selecting this option ensures that the export contains only the licensing information required for the proxy web service to obtain CIDs from Microsoft. No Personally Identifiable Information (PII) is contained in the exported .cilx file when this selection is checked. -6. If you have selected products to export, select the **Export selected product rows only** check box. +6. If you've selected products to export, select the **Export selected product rows only** check box. 7. Click **Save**. VAMT displays a progress message while the data is being exported. Click **OK** when a message appears and confirms that the export has completed successfully. ## Related articles diff --git a/windows/deployment/volume-activation/manage-activations-vamt.md b/windows/deployment/volume-activation/manage-activations-vamt.md index 6c96637ddf..78091384e8 100644 --- a/windows/deployment/volume-activation/manage-activations-vamt.md +++ b/windows/deployment/volume-activation/manage-activations-vamt.md @@ -24,11 +24,11 @@ This section describes how to activate a client computer, by using various activ |Topic |Description | |------|------------| |[Perform Online Activation](online-activation-vamt.md) |Describes how to activate a client computer over the Internet. | -|[Perform Proxy Activation](proxy-activation-vamt.md) |Describes how to perform volume activation for client products that do not have Internet access. | +|[Perform Proxy Activation](proxy-activation-vamt.md) |Describes how to perform volume activation for client products that don't have Internet access. | |[Perform KMS Activation](kms-activation-vamt.md) |Describes how to perform volume activation using the Key Management Service (KMS). | |[Perform Local Reactivation](local-reactivation-vamt.md) |Describes how to reactivate an operating system or Office program that was reinstalled. | -|[Activate an Active Directory Forest Online](activate-forest-vamt.md) |Describes how to use Active Directory-Based Activation to online activate an Active Directory forest. | -|[Activate by Proxy an Active Directory Forest](activate-forest-by-proxy-vamt.md) |Describes how to use Active Directory-Based Activation to proxy activate an Active Directory forest that is not connected to the Internet. | +|[Activate an Active Directory Forest Online](activate-forest-vamt.md) |Describes how to use Active Directory-Based Activation to activate an Active Directory forest, online. | +|[Activate by Proxy an Active Directory Forest](activate-forest-by-proxy-vamt.md) |Describes how to use Active Directory-Based Activation to proxy activate an Active Directory forest that isn't connected to the Internet. | diff --git a/windows/deployment/volume-activation/vamt-step-by-step.md b/windows/deployment/volume-activation/vamt-step-by-step.md index da420e7365..bf81a8a5ad 100644 --- a/windows/deployment/volume-activation/vamt-step-by-step.md +++ b/windows/deployment/volume-activation/vamt-step-by-step.md @@ -17,14 +17,14 @@ ms.topic: article # VAMT Step-by-Step Scenarios -This section provides step-by-step instructions on implementing the Volume Activation Management Tool (VAMT) in typical environments. VAMT supports many common scenarios; the scenarios in this section describe some of the most common to get you started. +This section provides instructions on how to implement the Volume Activation Management Tool (VAMT) in typical environments. VAMT supports many common scenarios; it describes here some of the most common to get you started. ## In this Section |Topic |Description | |------|------------| |[Scenario 1: Online Activation](scenario-online-activation-vamt.md) |Describes how to distribute Multiple Activation Keys (MAKs) to products installed on one or more connected computers within a network, and how to instruct these products to contact Microsoft over the Internet for activation. | -|[Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) |Describes how to use two VAMT host computers — the first one with Internet access and a second computer within an isolated workgroup — as proxies to perform MAK volume activation for workgroup computers that do not have Internet access. | +|[Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) |Describes how to use two VAMT host computers—the first one with Internet access and a second computer within an isolated workgroup—as proxies to perform MAK volume activation for workgroup computers that don't have Internet access. | |[Scenario 3: Key Management Service (KMS) Client Activation](scenario-kms-activation-vamt.md) |Describes how to use VAMT to configure client products for Key Management Service (KMS) activation. By default, volume license editions of Windows 10, Windows Vista, Windows® 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. | ## Related articles diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md index 84d317c451..1a62df47e7 100644 --- a/windows/deployment/windows-deployment-scenarios-and-tools.md +++ b/windows/deployment/windows-deployment-scenarios-and-tools.md @@ -18,9 +18,9 @@ ms.collection: highpri # Windows 10 deployment scenarios and tools -To successfully deploy the Windows 10 operating system and applications for your organization, you must know about the available tools to help with the process. In this article, you will learn about the most commonly used tools for Windows 10 deployment. +To successfully deploy the Windows 10 operating system and applications for your organization, you must know about the available tools to help with the process. In this article, you'll learn about the most commonly used tools for Windows 10 deployment. -Microsoft provides many tools, services, and solutions. These tools include Windows Deployment Services (WDS), the Volume Activation Management Tool (VAMT), the User State Migration Tool (USMT), Windows System Image Manager (Windows SIM), Windows Preinstallation Environment (Windows PE), and Windows Recovery Environment (Windows RE). Keep in mind that these tools are not a complete solution on their own. It’s when you combine these tools with solutions like [Microsoft Deployment Toolkit (MDT)](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) or [Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) that you get the complete deployment solution. +Microsoft provides many tools, services, and solutions. These tools include Windows Deployment Services (WDS), Volume Activation Management Tool (VAMT), User State Migration Tool (USMT), Windows System Image Manager (Windows SIM), Windows Preinstallation Environment (Windows PE), and Windows Recovery Environment (Windows RE). Keep in mind that these tools aren't a complete solution on their own. It’s when you combine these tools with solutions like [Microsoft Deployment Toolkit (MDT)](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) or [Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) that you get the complete deployment solution. In this article, you also learn about different types of reference images that you can build, and why reference images are beneficial for most organizations @@ -61,7 +61,7 @@ For more information on DISM, see [DISM technical reference](/windows-hardware/m USMT is a backup and restore tool that allows you to migrate user state, data, and settings from one installation to another. Microsoft Deployment Toolkit (MDT) and System Center 2012 R2 Configuration Manager use USMT as part of the operating system deployment process. **Note**   -Occasionally, we find that customers are wary of USMT because they believe it requires significant configuration, but, as you will learn below, using USMT is not difficult. If you use MDT and Lite Touch to deploy your machines, the USMT feature is automatically configured and extended so that it is easy to use. With MDT, you do nothing at all and USMT just works. +Occasionally, we find that customers are wary of USMT because they believe it requires significant configuration, but, as you'll learn later, using USMT isn't difficult. If you use MDT and Lite Touch to deploy your machines, the USMT feature is automatically configured and extended so that it's easy to use. With MDT, you do nothing at all and USMT just works. @@ -75,7 +75,7 @@ In addition to these tools, there are also XML templates that manage which data - **Migration templates.** The default templates in USMT. - **Custom templates.** Custom templates that you create. -- **Config template.** An optional template, called Config.xml, which you can use to exclude or include components in a migration without modifying the other standard XML templates. +- **Config template.** An optional template called Config.xml which you can use to exclude or include components in a migration without modifying the other standard XML templates. ![figure 3.](images/mdt-11-fig06.png) @@ -86,7 +86,7 @@ USMT supports capturing data and settings from Windows Vista and later, and rest By default USMT migrates many settings, most of which are related to the user profile but also to Control Panel configurations, file types, and more. The default templates that are used in Windows 10 deployments are MigUser.xml and MigApp.xml. These two default templates migrate the following data and settings: - Folders from each profile, including those folders from user profiles, and shared and public profiles. For example, the My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites folders are migrated. -- Specific file types. USMT templates migrate the following file types: .accdb, .ch3, .csv,dif, .doc\*, .dot\*, .dqy, .iqy, .mcw, .mdb\*, .mpp, .one\*, .oqy, .or6, .pot\*, .ppa, .pps\*, .ppt\*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk, .txt, .vl\*, .vsd, .wk\*, .wpd, .wps, .wq1, .wri, .xl\*, .xla, .xlb, .xls\*. +- Specific file types. USMT templates migrate the following file types: .accdb, .ch3, .csv, dif, .doc\*, .dot\*, .dqy, .iqy, .mcw, .mdb\*, .mpp, .one\*, .oqy, .or6, .pot\*, .ppa, .pps\*, .ppt\*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk, .txt, .vl\*, .vsd, .wk\*, .wpd, .wps, .wq1, .wri, .xl\*, .xla, .xlb, .xls\*. > [!NOTE] > The OpenDocument extensions (\*.odt, \*.odp, \*.ods, etc.) that Microsoft Office applications can use are not migrated by default. @@ -98,7 +98,7 @@ These settings are the ones migrated by the default MigUser.xml and MigApp.xml t ### Windows Imaging and Configuration Designer -Windows Imaging and Configuration Designer (Windows ICD) is a tool designed to assist with the creation of provisioning packages that can be used to dynamically configure a Windows device (PCs, tablets, and phones). This tool is useful for setting up new devices, without the need for re-imaging the device with a custom image. +Windows Imaging and Configuration Designer (Windows ICD) is a tool designed to assist with the creation of provisioning packages that can be used to dynamically configure a Windows device (PCs, tablets, and phones). This tool is useful for setting up new devices, without the need for reimaging the device with a custom image. ![figure 4.](images/windows-icd.png) @@ -118,7 +118,7 @@ For more information, see [Windows System Image Manager Technical Reference]( ht ### Volume Activation Management Tool (VAMT) -If you don’t use KMS, you can still manage your MAKs centrally with the Volume Activation Management Tool (VAMT). With this tool, you can install and manage product keys throughout the organization. VAMT also can activate on behalf of clients without Internet access, acting as a MAK proxy. +If you don’t use KMS, manage your MAKs centrally with the Volume Activation Management Tool (VAMT). Use this tool to install and manage product keys throughout the organization. VAMT can also activate on behalf of clients without Internet access, acting as a MAK proxy. ![figure 6.](images/mdt-11-fig08.png) @@ -142,12 +142,12 @@ The key thing to know about Windows PE is that, like the operating system, it ne A machine booted with the Windows ADK default Windows PE boot image. -For more details on Windows PE, see [Windows PE (WinPE)](/windows-hardware/manufacture/desktop/winpe-intro). +For more information on Windows PE, see [Windows PE (WinPE)](/windows-hardware/manufacture/desktop/winpe-intro). ## Windows Recovery Environment -Windows Recovery Environment (Windows RE) is a diagnostics and recovery toolset included in Windows Vista and later operating systems. The latest version of Windows RE is based on Windows PE. You can also extend Windows RE and add your own tools if needed. If a Windows installation fails to start and Windows RE is installed, you will see an automatic failover into Windows RE. +Windows Recovery Environment (Windows RE) is a diagnostics and recovery toolset included in Windows Vista and later operating systems. The latest version of Windows RE is based on Windows PE. You can also extend Windows RE and add your own tools if needed. If a Windows installation fails to start and Windows RE is installed, you'll see an automatic failover into Windows RE. ![figure 8.](images/mdt-11-fig10.png) @@ -158,17 +158,17 @@ For more information on Windows RE, see [Windows Recovery Environment](/windows- ## Windows Deployment Services -Windows Deployment Services (WDS) has been updated and improved in several ways starting with Windows 8. Remember that the two main functions you will use are the PXE boot support and multicast. Most of the changes are related to management and increased performance. In Windows Server 2012 R2, WDS also can be used for the Network Unlock feature in BitLocker. +Windows Deployment Services (WDS) has been updated and improved in several ways starting with Windows 8. Remember that the two main functions you'll use are the PXE boot support and multicast. Most of the changes are related to management and increased performance. In Windows Server 2012 R2, WDS also can be used for the Network Unlock feature in BitLocker. ![figure 9.](images/mdt-11-fig11.png) Windows Deployment Services using multicast to deploy three machines. -In Windows Server 2012 R2, [Windows Deployment Services](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831764(v=ws.11)) can be configured for stand-alone mode or for Active Directory integration. In most scenarios, the Active Directory integration mode is the best option. WDS also has the capability to manage drivers; however, driver management through MDT and Configuration Manager is more suitable for deployment due to the flexibility offered by both solutions, so you will use them instead. In WDS, it is possible to pre-stage devices in Active Directory, but here, too, Configuration Manager has that capability built in, and MDT has the ability to use a SQL Server database for pre-staging. In most scenarios, those solutions are better than the built-in pre-staging function as they allow greater control and management. +In Windows Server 2012 R2, [Windows Deployment Services](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831764(v=ws.11)) can be configured for stand-alone mode or for Active Directory integration. The Active Directory integration mode is the best option, in most scenarios. WDS also has the capability to manage drivers; however, driver management through MDT and Configuration Manager is more suitable for deployment due to the flexibility offered by both solutions, so you'll use them instead. In WDS, it's possible to pre-stage devices in Active Directory, but here, too, Configuration Manager has that capability built in, and MDT has the ability to use a SQL Server database for pre-staging. In most scenarios, those solutions are better than the built-in pre-staging function as they allow greater control and management. ### Trivial File Transfer Protocol (TFTP) configuration -In some cases, you need to modify TFTP Maximum Block Size settings for performance tuning reasons, especially when PXE traffic travels through routers and such. In the previous version of WDS, it was possible to change that, but the method of do so — editing the registry — was not user friendly. In Windows Server 2012, this modification in settings has become much easier to do as it can be configured as a setting. +In some cases, you need to modify TFTP Maximum Block Size settings for performance tuning reasons, especially when PXE traffic travels through routers and such. In the previous version of WDS, it was possible to change that, but the method of do so—editing the registry—wasn't user friendly. In Windows Server 2012, this modification in settings has become much easier to do as it can be configured as a setting. Also, there are a few new features related to TFTP performance: @@ -248,14 +248,14 @@ For more information on WSUS, see the [Windows Server Update Services Overview]( ## Unified Extensible Firmware Interface -For many years BIOS has been the industry standard for booting a PC. BIOS has served us well, but it is time to replace it with something better. **UEFI** is the replacement for BIOS, so it is important to understand the differences between BIOS and UEFI. In this section, you learn the major differences between the two and how they affect operating system deployment. +For many years BIOS has been the industry standard for booting a PC. BIOS has served us well, but it's time to replace it with something better. **UEFI** is the replacement for BIOS, so it's important to understand the differences between BIOS and UEFI. In this section, you learn the major differences between the two and how they affect operating system deployment. ### Introduction to UEFI BIOS has been in use for approximately 30 years. Even though it clearly has proven to work, it has some limitations, including: - 16-bit code -- 1 MB address space +- 1-MB address space - Poor performance on ROM initialization - MBR maximum bootable disk size of 2.2 TB @@ -264,13 +264,13 @@ As the replacement to BIOS, UEFI has many features that Windows can and will use With UEFI, you can benefit from: - **Support for large disks.** UEFI requires a GUID Partition Table (GPT) based disk, which means a limitation of roughly 16.8 million TB in disk size and more than 100 primary disks. -- **Faster boot time.** UEFI does not use INT 13, and that improves boot time, especially when it comes to resuming from hibernate. +- **Faster boot time.** UEFI doesn't use INT 13, and that improves boot time, especially when it comes to resuming from hibernate. - **Multicast deployment.** UEFI firmware can use multicast directly when it boots up. In WDS, MDT, and Configuration Manager scenarios, you need to first boot up a normal Windows PE in unicast and then switch into multicast. With UEFI, you can run multicast from the start. - **Compatibility with earlier BIOS.** Most of the UEFI implementations include a compatibility support module (CSM) that emulates BIOS. - **CPU-independent architecture.** Even if BIOS can run both 32-bit and 64-bit versions of firmware, all firmware device drivers on BIOS systems must also be 16-bit, and this affects performance. One of the reasons is the limitation in addressable memory, which is only 64 KB with BIOS. -- **CPU-independent drivers.** On BIOS systems, PCI add-on cards must include a ROM that contains a separate driver for all supported CPU architectures. That is not needed for UEFI because UEFI has the ability to use EFI Byte Code (EBC) images, which allow for a processor-independent device driver environment. +- **CPU-independent drivers.** On BIOS systems, PCI add-on cards must include a ROM that contains a separate driver for all supported CPU architectures. That isn't needed for UEFI because UEFI has the ability to use EFI Byte Code (EBC) images, which allow for a processor-independent device driver environment. - **Flexible pre-operating system environment.** UEFI can perform many functions for you. You just need an UEFI application, and you can perform diagnostics and automatic repairs, and call home to report errors. -- **Secure boot.** Windows 8 and later can use the UEFI firmware validation process, called secure boot, which is defined in UEFI 2.3.1. Using this process, you can ensure that UEFI launches only a verified operating system loader and that malware cannot switch the boot loader. +- **Secure boot.** Windows 8 and later can use the UEFI firmware validation process, called secure boot, which is defined in UEFI 2.3.1. Using this process, you can ensure that UEFI launches only a verified operating system loader and that malware can't switch the boot loader. ### Versions @@ -283,22 +283,22 @@ In regard to UEFI, hardware is divided into four device classes: - **Class 0 devices.** The device of this class is the UEFI definition for a BIOS, or non-UEFI, device. - **Class 1 devices.** The devices of this class behave like a standard BIOS machine, but they run EFI internally. They should be treated as normal BIOS-based machines. Class 1 devices use a CSM to emulate BIOS. These older devices are no longer manufactured. - **Class 2 devices.** The devices of this class have the capability to behave as a BIOS- or a UEFI-based machine, and the boot process or the configuration in the firmware/BIOS determines the mode. Class 2 devices use a CSM to emulate BIOS. These are the most common type of devices currently available. -- **Class 3 devices.** The devices of this class are UEFI-only devices, which means you must run an operating system that supports only UEFI. Those operating systems include Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. Windows 7 is not supported on these class 3 devices. Class 3 devices do not have a CSM to emulate BIOS. +- **Class 3 devices.** The devices of this class are UEFI-only devices, which means you must run an operating system that supports only UEFI. Those operating systems include Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. Windows 7 isn't supported on these class 3 devices. Class 3 devices don't have a CSM to emulate BIOS. ### Windows support for UEFI Microsoft started with support for EFI 1.10 on servers and then added support for UEFI on both clients and servers. -With UEFI 2.3.1, there are both x86 and x64 versions of UEFI. Windows 10 supports both. However, UEFI does not support cross-platform boot. This limitation means that a computer that has UEFI x64 can run only a 64-bit operating system, and a computer that has UEFI x86 can run only a 32-bit operating system. +With UEFI 2.3.1, there are both x86 and x64 versions of UEFI. Windows 10 supports both. However, UEFI doesn't support cross-platform boot. This limitation means that a computer that has UEFI x64 can run only a 64-bit operating system, and a computer that has UEFI x86 can run only a 32-bit operating system. ### How UEFI is changing operating system deployment There are many things that affect operating system deployment as soon as you run on UEFI/EFI-based hardware. Here are considerations to keep in mind when working with UEFI devices: - Switching from BIOS to UEFI in the hardware is easy, but you also need to reinstall the operating system because you need to switch from MBR/NTFS to GPT/FAT32 and NTFS. -- When you deploy to a Class 2 device, make sure the boot option you select matches the setting you want to have. It is common for old machines to have several boot options for BIOS but only a few for UEFI, or vice versa. +- When you deploy to a Class 2 device, make sure the boot option you select matches the setting you want to have. It's common for old machines to have several boot options for BIOS but only a few for UEFI, or vice versa. - When deploying from media, remember the media has to be FAT32 for UEFI, and FAT32 has a file-size limitation of 4 GB. -- UEFI does not support cross-platform booting; therefore, you need to have the correct boot media (32- or 64-bit). +- UEFI doesn't support cross-platform booting; therefore, you need to have the correct boot media (32-bit or 64-bit). For more information on UEFI, see the [UEFI firmware](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824898(v=win.10)) overview and related resources. From 4efc42cb405a5e0066ae18ba84526a13a6e3922c Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 27 Jan 2022 18:28:08 +0530 Subject: [PATCH 25/68] Update windows-to-go-frequently-asked-questions.yml --- .../planning/windows-to-go-frequently-asked-questions.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml index ec5e722d45..62e665f800 100644 --- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml +++ b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml @@ -50,7 +50,7 @@ summary: | - [Why isn't my computer booting from USB?](#why-isn-t-my-computer-booting-from-usb-) - - [What happens if I remove my Windows To Go drive while it's running?](#what-happens-if-i-remove-my-windows-to-go-drive-while-it-is-running-) + - [What happens if I remove my Windows To Go drive while it's running?](#what-happens-if-i-remove-my-windows-to-go-drive-while-it-s-running-) - [Can I use BitLocker to protect my Windows To Go drive?](#can-i-use-bitlocker-to-protect-my-windows-to-go-drive-) From e9aa58a0b9f6b4e0d9175def096307fdd15db577 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 27 Jan 2022 18:33:58 +0530 Subject: [PATCH 26/68] Update windows-to-go-frequently-asked-questions.yml --- .../planning/windows-to-go-frequently-asked-questions.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml index 62e665f800..9721c8da6e 100644 --- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml +++ b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml @@ -102,7 +102,7 @@ summary: | - [My host computer running Windows 7 is protected by BitLocker Drive Encryption. Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go?](#my-host-computer-running-windows-7-is-protected-by-bitlocker-drive-encryption--why-did-i-need-to-use-the-recovery-key-to-unlock-and-reboot-my-host-computer-after-using-windows-to-go-) - - [I decided to stop using a drive for Windows To Go and reformatted it – why it doesn't have a drive letter assigned and how can I fix it?](#i-decided-to-stop-using-a-drive-for-windows-to-go-and-reformatted-it---why-doesn-t-it-have-a-drive-letter-assigned-and-how-can-i-fix-it-) + - [I decided to stop using a drive for Windows To Go and reformatted it – why it doesn't have a drive letter assigned and how can I fix it?](#i-decided-to-stop-using-a-drive-for-windows-to-go-and-reformatted-it--why-doesn-t-it-have-a-drive-letter-assigned-and-how-can-i-fix-it-) - [Why do I keep on getting the message "Installing devices…" when I boot Windows To Go?](#why-do-i-keep-on-getting-the-message--installing-devices---when-i-boot-windows-to-go-) From 38e920b3ecb1b7d63ab86072146edcbcda0ee5f1 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 27 Jan 2022 18:41:36 +0530 Subject: [PATCH 27/68] Update windows-to-go-frequently-asked-questions.yml --- .../planning/windows-to-go-frequently-asked-questions.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml index 9721c8da6e..62e665f800 100644 --- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml +++ b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml @@ -102,7 +102,7 @@ summary: | - [My host computer running Windows 7 is protected by BitLocker Drive Encryption. Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go?](#my-host-computer-running-windows-7-is-protected-by-bitlocker-drive-encryption--why-did-i-need-to-use-the-recovery-key-to-unlock-and-reboot-my-host-computer-after-using-windows-to-go-) - - [I decided to stop using a drive for Windows To Go and reformatted it – why it doesn't have a drive letter assigned and how can I fix it?](#i-decided-to-stop-using-a-drive-for-windows-to-go-and-reformatted-it--why-doesn-t-it-have-a-drive-letter-assigned-and-how-can-i-fix-it-) + - [I decided to stop using a drive for Windows To Go and reformatted it – why it doesn't have a drive letter assigned and how can I fix it?](#i-decided-to-stop-using-a-drive-for-windows-to-go-and-reformatted-it---why-doesn-t-it-have-a-drive-letter-assigned-and-how-can-i-fix-it-) - [Why do I keep on getting the message "Installing devices…" when I boot Windows To Go?](#why-do-i-keep-on-getting-the-message--installing-devices---when-i-boot-windows-to-go-) From dbd766686e0cda7b71345fbf2612a687bd3251c2 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 28 Jan 2022 09:53:21 +0530 Subject: [PATCH 28/68] Update windows-to-go-frequently-asked-questions.yml --- .../planning/windows-to-go-frequently-asked-questions.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml index 62e665f800..4de6a56139 100644 --- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml +++ b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml @@ -102,7 +102,7 @@ summary: | - [My host computer running Windows 7 is protected by BitLocker Drive Encryption. Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go?](#my-host-computer-running-windows-7-is-protected-by-bitlocker-drive-encryption--why-did-i-need-to-use-the-recovery-key-to-unlock-and-reboot-my-host-computer-after-using-windows-to-go-) - - [I decided to stop using a drive for Windows To Go and reformatted it – why it doesn't have a drive letter assigned and how can I fix it?](#i-decided-to-stop-using-a-drive-for-windows-to-go-and-reformatted-it---why-doesn-t-it-have-a-drive-letter-assigned-and-how-can-i-fix-it-) + - [I decided to stop using a drive for Windows To Go and reformatted it – why it doesn't have a drive letter assigned and how can I fix it?](#i-decided-to-stop-using-a-drive-for-windows-to-go-and-reformatted-it---why-it-doesn-t-have-a-drive-letter-assigned-and-how-can-i-fix-it-) - [Why do I keep on getting the message "Installing devices…" when I boot Windows To Go?](#why-do-i-keep-on-getting-the-message--installing-devices---when-i-boot-windows-to-go-) From f4750619b3bce921f8654014f64ba92d6991d825 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 28 Jan 2022 18:46:20 +0530 Subject: [PATCH 29/68] Acrolinx enhancement --- education/windows/autopilot-reset.md | 23 +-- education/windows/change-history-edu.md | 6 +- education/windows/change-to-pro-education.md | 26 ++-- .../windows/chromebook-migration-guide.md | 126 ++++++++--------- .../configure-windows-for-education.md | 22 +-- .../deploy-windows-10-in-a-school-district.md | 132 +++++++++--------- .../windows/deploy-windows-10-in-a-school.md | 110 +++++++-------- ...se-management-strategies-and-deployment.md | 2 +- 8 files changed, 226 insertions(+), 221 deletions(-) diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md index c0ac95e03e..41d85135d0 100644 --- a/education/windows/autopilot-reset.md +++ b/education/windows/autopilot-reset.md @@ -19,7 +19,12 @@ manager: dansimp - Windows 10, version 1709 -IT admins or technical teachers can use Autopilot Reset to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen any time and apply original settings and management enrollment (Azure Active Directory and device management) so the devices are ready to use. With Autopilot Reset, devices are returned to a fully configured or known IT-approved state. +IT admins or technical teachers can use Autopilot Reset to: + - Quickly remove personal files, apps, and settings, + - Reset Windows 10 devices from the lock screen anytime, and + - Apply original settings and management enrollment (Azure Active Directory and device management) so the devices are ready to use. + +With Autopilot Reset, devices are returned to a fully configured or known IT-approved state. To enable Autopilot Reset in Windows 10, version 1709 (Fall Creators Update), you must: @@ -30,7 +35,7 @@ To enable Autopilot Reset in Windows 10, version 1709 (Fall Creators Update), yo To use Autopilot Reset, [Windows Recovery Environment (WinRE) must be enabled on the device](#winre). -**DisableAutomaticReDeploymentCredentials** is a policy that enables or disables the visibility of the credentials for Autopilot Reset. It is a policy node in the [Policy CSP](/windows/client-management/mdm/policy-csp-credentialproviders), **CredentialProviders/DisableAutomaticReDeploymentCredentials**. By default, this policy is set to 1 (Disable). This ensures that Autopilot Reset isn't triggered by accident. +**DisableAutomaticReDeploymentCredentials** is a policy that enables or disables the visibility of the credentials for Autopilot Reset. It's a policy node in the [Policy CSP](/windows/client-management/mdm/policy-csp-credentialproviders), **CredentialProviders/DisableAutomaticReDeploymentCredentials**. By default, this policy is set to 1 (Disable). This ensures that Autopilot Reset isn't triggered by accident. You can set the policy using one of these methods: @@ -49,11 +54,11 @@ You can set the policy using one of these methods: - Set up School PCs app - Autopilot Reset in the Set up School PCs app is available in the latest release of the app. Make sure you are running Windows 10, version 1709 on the student PCs if you want to use Autopilot Reset through the Set up School PCs app. You can check the version several ways: + Autopilot Reset in the Set up School PCs app is available in the latest release of the app. Ensure you're running Windows 10, version 1709 on the student PCs if you want to use Autopilot Reset through the Set up School PCs app. You can check the version several ways: - Reach out to your device manufacturer. - - If you manage your PCs using Intune or Intune for Education, you can check the OS version by checking the **OS version** info for the device. If you are using another MDM provider, check the documentation for the MDM provider to confirm the OS version. + - If you manage your PCs using Intune or Intune for Education, you can check the OS version by checking the **OS version** info for the device. If you're using another MDM provider, check the documentation for the MDM provider to confirm the OS version. - Log into the PCs, go to the **Settings > System > About** page, look in the **Windows specifications** section and confirm **Version** is set to 1709. @@ -72,9 +77,9 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo ![Enter CTRL+Windows key+R on the Windows lockscreen.](images/autopilot-reset-lockscreen.png) - This will open up a custom login screen for Autopilot Reset. The screen serves two purposes: + This will open up a custom sign-in screen for Autopilot Reset. The screen serves two purposes: - 1. Confirm/verify that the end user has the right to trigger Autopilot Reset + 1. Confirm/verify that the end user has the right to trigger Autopilot Reset. 2. Notify the user in case a provisioning package, created using Windows Configuration Designer or Set up School PCs, will be used as part of the process. @@ -93,7 +98,7 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo - Connects to Wi-Fi. - - If you provided a provisioning package when Autopilot Reset is triggered, the system will apply this new provisioning package. Otherwise, the system will re-apply the original provisioning package on the device. + - If you provided a provisioning package when Autopilot Reset is triggered, the system will apply this new provisioning package. Otherwise, the system will reapply the original provisioning package on the device. - Is returned to a known good managed state, connected to Azure AD and MDM. @@ -105,7 +110,7 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo ## Troubleshoot Autopilot Reset -Autopilot Reset will fail when the [Windows Recovery Environment (WinRE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) is not enabled on the device. You will see `Error code: ERROR_NOT_SUPPORTED (0x80070032)`. +Autopilot Reset will fail when the [Windows Recovery Environment (WinRE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) isn't enabled on the device. You'll see `Error code: ERROR_NOT_SUPPORTED (0x80070032)`. To make sure WinRE is enabled, use the [REAgentC.exe tool](/windows-hardware/manufacture/desktop/reagentc-command-line-options) to run the following command: @@ -113,7 +118,7 @@ To make sure WinRE is enabled, use the [REAgentC.exe tool](/windows-hardware/man reagentc /enable ``` -If Autopilot Reset fails after enabling WinRE, or if you are unable to enable WinRE, please contact [Microsoft Support](https://support.microsoft.com) for assistance. +If Autopilot Reset fails after enabling WinRE, or if you're unable to enable WinRE, please contact [Microsoft Support](https://support.microsoft.com) for assistance. ## Related topics diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md index aafc6c622f..e977b03d61 100644 --- a/education/windows/change-history-edu.md +++ b/education/windows/change-history-edu.md @@ -85,14 +85,14 @@ New or changed topic | Description | New or changed topic | Description | | --- | ---- | -| [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) | New. If you have an education tenant and use devices Windows 10 Pro or Windows 10 S in your schools, find out how you can opt-in to a free switch to Windows 10 Pro Education. | +| [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) | New. If you have an education tenant and use devices Windows 10 Pro or Windows 10 S in your schools, find out how you can opt in to a free switch to Windows 10 Pro Education. | | [Use the Set up School PCs app](use-set-up-school-pcs-app.md) | Updated. Now includes network tips and updated step-by-step instructions that show the latest updates to the app such as Wi-Fi setup. | ## RELEASE: Windows 10, version 1703 (Creators Update) | New or changed topic | Description| | --- | --- | -| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](/microsoft-365/education/deploy/) | New. Learn how you can you can quickly and easily use the new Microsoft Education system to implement a full IT cloud solution for your school. | +| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](/microsoft-365/education/deploy/) | New. Learn how you can quickly and easily use the new Microsoft Education system to implement a full IT cloud solution for your school. | | [Microsoft Education documentation and resources](/education) | New. Find links to more content for IT admins, teachers, students, and education app developers. | | [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md) | New. Provides guidance on ways to configure the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, so that Windows is ready for your school. | | [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md) | Updated the screenshots and related instructions to reflect the current UI and experience. | @@ -111,7 +111,7 @@ New or changed topic | Description | New or changed topic | Description | | --- | --- | -| [Upgrade Windows 10 Pro to Pro Education from Microsoft Store for Business] | New. Learn how to opt-in to a free upgrade to Windows 10 Pro Education. As of May 2017, this topic has been replaced with [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md). | +| [Upgrade Windows 10 Pro to Pro Education from Microsoft Store for Business] | New. Learn how to opt in to a free upgrade to Windows 10 Pro Education. As of May 2017, this topic has been replaced with [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md). | ## November 2016 diff --git a/education/windows/change-to-pro-education.md b/education/windows/change-to-pro-education.md index ea30225b3e..a936025d6f 100644 --- a/education/windows/change-to-pro-education.md +++ b/education/windows/change-to-pro-education.md @@ -17,7 +17,7 @@ manager: dansimp # Change to Windows 10 Pro Education from Windows 10 Pro Windows 10 Pro Education is a new offering in Windows 10, version 1607. This edition builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools by providing education-specific default settings. -If you have an education tenant and use devices with Windows 10 Pro, global administrators can opt-in to a free change to Windows 10 Pro Education depending on your scenario. +If you have an education tenant and use devices with Windows 10 Pro, global administrators can opt in to a free change to Windows 10 Pro Education depending on your scenario. - [Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode](./s-mode-switch-to-edu.md) To take advantage of this offering, make sure you meet the [requirements for changing](#requirements-for-changing). For academic customers who are eligible to change to Windows 10 Pro Education, but are unable to use the above methods, contact Microsoft Support for assistance. @@ -43,7 +43,7 @@ For more info about Windows 10 default settings and recommendations for educatio ## Change from Windows 10 Pro to Windows 10 Pro Education -For schools that want to standardize all their Windows 10 Pro devices to Windows 10 Pro Education, a global admin for the school can opt-in to a free change through the Microsoft Store for Education. +For schools that want to standardize all their Windows 10 Pro devices to Windows 10 Pro Education, a global admin for the school can opt in to a free change through the Microsoft Store for Education. In this scenario: @@ -73,7 +73,7 @@ See [change using Microsoft Store for Education](#change-using-microsoft-store-f ### Change using Windows Configuration Designer You can use Windows Configuration Designer to create a provisioning package that you can use to change the Windows edition for your device(s). [Install Windows Configuration Designer from the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22) to create a provisioning package. -1. In Windows Configuration Designer, select **Provision desktop devices** to open the simple editor and create a provisioning package for Windows desktop editions. +1. In Windows Configuration Designer, select **Provision desktop devices** to open the editor and create a provisioning package for Windows desktop editions. 2. In the **Set up device** page, enter the MAK license key in the **Enter product key** field to change to Windows 10 Pro Education. **Figure 2** - Enter the license key @@ -98,8 +98,8 @@ Academic institutions can easily move from Windows 10 Pro to Windows 10 Pro Educ When you change to Windows 10 Pro Education, you get the following benefits: -- **Windows 10 Pro Education edition**. Devices currently running Windows 10 Pro, version 1607 or higher, or Windows 10 S mode, version 1703, can get Windows 10 Pro Education Current Branch (CB). This benefit does not include Long Term Service Branch (LTSB). -- **Support from one to hundreds of users**. The Windows 10 Pro Education program does not have a limitation on the number of licenses an organization can have. +- **Windows 10 Pro Education edition**. Devices currently running Windows 10 Pro, version 1607 or higher, or Windows 10 S mode, version 1703, can get Windows 10 Pro Education Current Branch (CB). This benefit doesn't include Long Term Service Branch (LTSB). +- **Support from one to hundreds of users**. The Windows 10 Pro Education program doesn't have a limitation on the number of licenses an organization can have. - **Roll back options to Windows 10 Pro** - When a user leaves the domain or you turn off the setting to automatically change to Windows 10 Pro Education, the device reverts seamlessly to Windows 10 Pro edition (after a grace period of up to 30 days). - For devices that originally had Windows 10 Pro edition installed, when a license expires or is transferred to another user, the Windows 10 Pro Education device seamlessly steps back down to Windows 10 Pro. @@ -108,7 +108,7 @@ When you change to Windows 10 Pro Education, you get the following benefits: ### Change using Microsoft Store for Education -Once you enable the setting to change to Windows 10 Pro Education, the change will begin only after a user signs in to their device. The setting applies to the entire organization or tenant, so you cannot select which users will receive the change. The change will only apply to Windows 10 Pro devices. +Once you enable the setting to change to Windows 10 Pro Education, the change will begin only after a user signs in to their device. The setting applies to the entire organization or tenant, so you can't select which users will receive the change. The change will only apply to Windows 10 Pro devices. **To turn on the automatic change to Windows 10 Pro Education** @@ -134,7 +134,7 @@ Once you enable the setting to change to Windows 10 Pro Education, the change wi 8. Click **Change now** in the **changing your device to Windows 10 Pro Education for free** page in the Microsoft Store. - You will see a window that confirms you've successfully changed all the devices in your organization to Windows 10 Pro Education, and each Azure AD joined device running Windows 10 Pro will automatically change the next time someone in your organization signs in to the device. + You'll see a window that confirms you've successfully changed all the devices in your organization to Windows 10 Pro Education, and each Azure AD joined device running Windows 10 Pro will automatically change the next time someone in your organization signs in to the device. 9. Click **Close** in the **Success** window. @@ -148,7 +148,7 @@ So what will users experience? How will they change their devices? ### For existing Azure AD joined devices Existing Azure AD domain joined devices will be changed to Windows 10 Pro Education the next time the user logs in. That's it! No additional steps are needed. -### For new devices that are not Azure AD joined +### For new devices that aren't Azure AD joined Now that you've turned on the setting to automatically change to Windows 10 Pro Education, the users are ready to change their devices running Windows 10 Pro, version 1607 or higher, version 1703 to Windows 10 Pro Education edition. #### Step 1: Join users’ devices to Azure AD @@ -224,7 +224,7 @@ If there are any problems with the Windows 10 Pro Education license or the acti In some instances, users may experience problems with the Windows 10 Pro Education change. The most common problems that users may experience are as follows: -- The existing operating system (Windows 10 Pro, version 1607 or higher, or version 1703) is not activated. +- The existing operating system (Windows 10 Pro, version 1607 or higher, or version 1703) isn't activated. - The Windows 10 Pro Education change has lapsed or has been removed. Use the following figures to help you troubleshoot when users experience these common problems: @@ -234,7 +234,7 @@ Use the following figures to help you troubleshoot when users experience these c Windows 10 activated and subscription active

-**Figure 11** - Illustrates a device on which the existing operating system is not activated, but the Windows 10 Pro Education change is active. +**Figure 11** - Illustrates a device on which the existing operating system isn't activated, but the Windows 10 Pro Education change is active. Windows 10 not activated and subscription active

@@ -245,7 +245,7 @@ Devices must be running Windows 10 Pro, version 1607 or higher, or domain joined **To determine if a device is Azure AD joined** -1. Open a command prompt and type the following: +1. Open a command prompt and type the following command: ``` dsregcmd /status @@ -280,7 +280,7 @@ Once the automatic change to Windows 10 Pro Education is turned off, the change **To roll back Windows 10 Pro Education to Windows 10 Pro** -1. Log in to [Microsoft Store for Education](https://educationstore.microsoft.com/) with your school or work account, or follow the link from the notification email to turn off the automatic change. +1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com/) with your school or work account, or follow the link from the notification email to turn off the automatic change. 2. Select **Manage > Benefits** and locate the section **Windows 10 Pro Education** and follow the link. 3. In the **Revert to Windows 10 Pro** page, click **Revert to Windows 10 Pro**. @@ -288,7 +288,7 @@ Once the automatic change to Windows 10 Pro Education is turned off, the change ![Revert to Windows 10 Pro.](images/msfe_manage_reverttowin10pro.png) -4. You will be asked if you're sure that you want to turn off automatic changes to Windows 10 Pro Education. Click **Yes**. +4. You'll be asked if you're sure that you want to turn off automatic changes to Windows 10 Pro Education. Click **Yes**. 5. Click **Close** in the **Success** page. All global admins get a confirmation email that a request was made to roll back your organization to Windows 10 Pro. If you, or another global admin, decide later that you want to turn on automatic changes again, you can do this by selecting **change to Windows 10 Pro Education for free** from the **Manage > Benefits** in the Microsoft Store for Education. diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md index 66569c4674..65b576133c 100644 --- a/education/windows/chromebook-migration-guide.md +++ b/education/windows/chromebook-migration-guide.md @@ -1,6 +1,6 @@ --- title: Chromebook migration guide (Windows 10) -description: In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. +description: In this guide, you'll learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. ms.assetid: 7A1FA48A-C44A-4F59-B895-86D4D77F8BEA ms.reviewer: manager: dansimp @@ -22,23 +22,23 @@ ms.date: 10/13/2017 - Windows 10 -In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. You will learn how to perform the necessary planning steps, including Windows device deployment, migration of user and device settings, app migration or replacement, and cloud storage migration. You will then learn the best method to perform the migration by using automated deployment and migration tools. +In this guide, you'll learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. You'll learn how to perform the necessary planning steps, including Windows device deployment, migration of user and device settings, app migration or replacement, and cloud storage migration. You'll then learn the best method to perform the migration by using automated deployment and migration tools. ## Plan Chromebook migration Before you begin to migrate Chromebook devices, plan your migration. As with most projects, there can be an urge to immediately start doing before planning. When you plan your Chromebook migration before you perform the migration, you can save countless hours of frustration and mistakes during the migration process. -In the planning portion of this guide, you will identify all the decisions that you need to make and how to make each decision. At the end of the planning section, you will have a list of information you need to collect and what you need to do with the information. You will be ready to perform your Chromebook migration. +In the planning portion of this guide, you'll identify all the decisions that you need to make and how to make each decision. At the end of the planning section, you'll have a list of information you need to collect and what you need to do with the information. You'll be ready to perform your Chromebook migration. ## Plan for app migration or replacement -App migration or replacement is an essential part of your Chromebook migration. In this section you will plan how you will migrate or replace Chromebook (Chrome OS) apps that are currently in use with the same or equivalent Windows apps. At the end of this section, you will have a list of the active Chrome OS apps and the Windows app counterparts. +App migration or replacement is an essential part of your Chromebook migration. In this section, you'll plan how you'll migrate or replace Chromebook (Chrome OS) apps that are currently in use with the same or equivalent Windows apps. At the end of this section, you'll have a list of the active Chrome OS apps and the Windows app counterparts. **Identify the apps currently in use on Chromebook devices** -Before you can do any analysis or make decisions about which apps to migrate or replace, you need to identify which apps are currently in use on the Chromebook devices. You will create a list of apps that are currently in use (also called an app portfolio). +Before you can do any analysis or make decisions about which apps to migrate or replace, you need to identify which apps are currently in use on the Chromebook devices. You'll create a list of apps that are currently in use (also called an app portfolio). > [!NOTE] > The majority of Chromebook apps are web apps. For these apps you need to first perform Microsoft Edge compatibility testing and then publish the web app URL to the Windows users. For more information, see the [Perform app compatibility testing for web apps](#perform-testing-webapps) section. @@ -63,7 +63,7 @@ Record the following information about each app in your app portfolio: - App priority (how necessary is the app to the day-to-day process of the institution or a classroom? Rank as high, medium, or low) -Throughout the entire app migration or replacement process, focus on the higher priority apps. Focus on lower priority apps only after you have determined what you will do with the higher priority apps. +Throughout the entire app migration or replacement process, focus on the higher priority apps. Focus on lower priority apps only after you've determined what you will do with the higher priority apps. ### @@ -85,13 +85,13 @@ Table 1. Google App replacements -It may be that you will decide to replace Google Apps after you deploy Windows devices. For more information on making this decision, see the [Select cloud services migration strategy](#select-cs-migrationstrat) section of this guide. +It may be that you'll decide to replace Google Apps after you deploy Windows devices. For more information on making this decision, see the [Select cloud services migration strategy](#select-cs-migrationstrat) section of this guide. **Find the same or similar apps in the Microsoft Store** In many instances, software vendors will create a version of their app for multiple platforms. You can search the Microsoft Store to find the same or similar apps to any apps not identified in the [Select Google Apps replacements](#select-googleapps) section. -In other instances, the offline app does not have a version written for the Microsoft Store or is not a web app. In these cases, look for an app that provides similar functions. For example, you might have a graphing calculator offline Android app published on the Chrome OS, but the software publisher does not have a version for Windows devices. Search the Microsoft Store for a graphing calculator app that provides similar features and functionality. Use that Microsoft Store app as a replacement for the graphing calculator offline Android app published on the Chrome OS. +In other instances, the offline app doesn't have a version written for the Microsoft Store or isn't a web app. In these cases, look for an app that provides similar functions. For example, you might have a graphing calculator offline Android app published on the Chrome OS, but the software publisher doesn't have a version for Windows devices. Search the Microsoft Store for a graphing calculator app that provides similar features and functionality. Use that Microsoft Store app as a replacement for the graphing calculator offline Android app published on the Chrome OS. Record the Windows app that replaces the Chromebook app in your app portfolio. @@ -99,20 +99,20 @@ Record the Windows app that replaces the Chromebook app in your app portfolio. **Perform app compatibility testing for web apps** -The majority of Chromebook apps are web apps. Because you cannot run native offline Chromebook apps on a Windows device, there is no reason to perform app compatibility testing for offline Chromebook apps. However, you may have a number of web apps that will run on both platforms. +The majority of Chromebook apps are web apps. Because you can't run native offline Chromebook apps on a Windows device, there's no reason to perform app compatibility testing for offline Chromebook apps. However, you may have a number of web apps that will run on both platforms. Ensure that you test these web apps in Microsoft Edge. Record the level of compatibility for each web app in Microsoft Edge in your app portfolio. ## Plan for migration of user and device settings -Some institutions have configured the Chromebook devices to make the devices easier to use by using the Google Chrome Admin Console. You have also probably configured the Chromebook devices to help ensure the user data access and ensure that the devices themselves are secure by using the Google Chrome Admin Console. +Some institutions have configured the Chromebook devices to make the devices easier to use by using the Google Chrome Admin Console. You've also probably configured the Chromebook devices to help ensure the user data access and ensure that the devices themselves are secure by using the Google Chrome Admin Console. However, in addition to your centralized configuration in the Google Admin Console, Chromebook users have probably customized their device. In some instances, users may have changed the web content that is displayed when the Chrome browser starts. Or they may have bookmarked websites for future reference. Or users may have installed apps for use in the classroom. -In this section, you will identify the user and device configuration settings for your Chromebook users and devices. Then you will prioritize these settings to focus on the configuration settings that are essential to your educational institution. +In this section, you'll identify the user and device configuration settings for your Chromebook users and devices. Then you'll prioritize these settings to focus on the configuration settings that are essential to your educational institution. -At the end of this section, you should have a list of Chromebook user and device settings that you want to migrate to Windows, as well as a level of priority for each setting. You may discover at the end of this section that you have few or no higher priority settings to be migrated. If this is the case, you can skip the [Perform migration of user and device settings](#migrate-user-device-settings) section of this guide. +At the end of this section, you should have a list of Chromebook user and device settings that you want to migrate to Windows, as well as a level of priority for each setting. You may discover at the end of this section that you've few or no higher priority settings to be migrated. If this is the case, you can skip the [Perform migration of user and device settings](#migrate-user-device-settings) section of this guide. **Identify Google Admin Console settings to migrate** @@ -122,17 +122,17 @@ You use the Google Admin Console (as shown in Figure 1) to manage user and devic Figure 1. Google Admin Console -Table 2 lists the settings in the Device Management node in the Google Admin Console. Review the settings and determine which settings you will migrate to Windows. +Table 2 lists the settings in the Device Management node in the Google Admin Console. Review the settings and determine which settings you'll migrate to Windows. Table 2. Settings in the Device Management node in the Google Admin Console |Section |Settings | |---------|---------| |Network |

These settings configure the network connections for Chromebook devices and include the following settings categories:

  • **Wi-Fi.** Configures the Wi-Fi connections that are available. The Windows devices will need these configuration settings to connect to the same Wi-Fi networks.

  • **Ethernet.** Configures authentication for secured, wired Ethernet connections (802.1x). The Windows devices will need these configuration settings to connect to the network.

  • **VPN.** Specifies the VPN network connections used by devices when not directly connected to your intranet. The Windows devices will need the same VPN network connections for users to remotely connect to your intranet.

  • **Certificates.** Contains the certificates used for network authentication. The Windows devices will need these certificates to connect to the network.

    | -|Mobile |These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:
    • **Device management settings.** Configures settings for mobile (companion) devices, such as device synchronization, password settings, auditing, enable remote wipe, and other settings. Record these settings so that you can ensure the same settings are applied when the devices are being managed by Microsoft Intune or another mobile device management (MDM) provider.
    • **Device activation.** Contains a list of mobile (companion) devices that need to be approved for management by using the Google Admin Console. Approve or block any devices in this list so that the list of managed devices accurately reflects active managed devices.
    • **Managed devices.** Performs management tasks on mobile (companion) devices that are managed by the Google Admin Console. Record the list of companion devices on this page so that you can ensure the same devices are managed by Intune or another MDM provider.
    • **Set Up Apple Push Certificate.** Configures the certificate that is essentially the digital signature that lets the Google Admin Console manage iOS devices. You will need this certificate if you plan to manage iOS devices by using Intune or another MDM provider.
    • **Set Up Android for Work.** Authorizes the Google Admin Console to be the MDM provider for Android devices by providing an Enterprise Mobility Management (EMM) token. You will need this token if you plan to manage Android devices by using another MDM provider. | -|Chrome management |These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:
      • **User settings.** Configures user-based settings for the Chrome browser and Chromebook devices. Most of these Chromebook user-based settings can be mapped to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.
      • **Public session settings.** Configures Public Sessions for Chrome devices that are used as kiosks, loaner devices, shared computers, or for any other work or school-related purpose for which users don't need to sign in with their credentials. You can configure Windows devices similarly by using Assigned Access. Record the settings and apps that are available in Public Sessions so that you can provide similar configuration in Assigned Access.
      • **Device settings.** Configures device-based settings for the Chrome browser and Chromebook devices. You can map most of these Chromebook device-based settings to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.
      • **Devices.** Manages Chrome device management licenses. The number of licenses recorded here should correspond to the number of licenses you will need for your new management system, such as Intune. Record the number of licenses and use those to determine how many licenses you will need to manage your Windows devices
      • **App Management.** Provides configuration settings for Chrome apps. Record the settings for any apps that you have identified that will run on Windows devices. | +|Mobile |These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:
        • **Device management settings.** Configures settings for mobile (companion) devices, such as device synchronization, password settings, auditing, enable remote wipe, and other settings. Record these settings so that you can ensure the same settings are applied when the devices are being managed by Microsoft Intune or another mobile device management (MDM) provider.
        • **Device activation.** Contains a list of mobile (companion) devices that need to be approved for management by using the Google Admin Console. Approve or block any devices in this list so that the list of managed devices accurately reflects active managed devices.
        • **Managed devices.** Performs management tasks on mobile (companion) devices that are managed by the Google Admin Console. Record the list of companion devices on this page so that you can ensure the same devices are managed by Intune or another MDM provider.
        • **Set Up Apple Push Certificate.** Configures the certificate that is essentially the digital signature that lets the Google Admin Console manage iOS devices. You'll need this certificate if you plan to manage iOS devices by using Intune or another MDM provider.
        • **Set Up Android for Work.** Authorizes the Google Admin Console to be the MDM provider for Android devices by providing an Enterprise Mobility Management (EMM) token. You'll need this token if you plan to manage Android devices by using another MDM provider. | +|Chrome management |These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:
          • **User settings.** Configures user-based settings for the Chrome browser and Chromebook devices. Most of these Chromebook user-based settings can be mapped to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.
          • **Public session settings.** Configures Public Sessions for Chrome devices that are used as kiosks, loaner devices, shared computers, or for any other work or school-related purpose for which users don't need to sign in with their credentials. You can configure Windows devices similarly by using Assigned Access. Record the settings and apps that are available in Public Sessions so that you can provide similar configuration in Assigned Access.
          • **Device settings.** Configures device-based settings for the Chrome browser and Chromebook devices. You can map most of these Chromebook device-based settings to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.
          • **Devices.** Manages Chrome device management licenses. The number of licenses recorded here should correspond to the number of licenses you'll need for your new management system, such as Intune. Record the number of licenses and use those to determine how many licenses you'll need to manage your Windows devices
          • **App Management.** Provides configuration settings for Chrome apps. Record the settings for any apps that you've identified that will run on Windows devices. | -Table 3 lists the settings in the Security node in the Google Admin Console. Review the settings and determine which settings you will migrate to Windows. +Table 3 lists the settings in the Security node in the Google Admin Console. Review the settings and determine which settings you'll migrate to Windows. Table 3. Settings in the Security node in the Google Admin Console @@ -146,13 +146,13 @@ Table 3. Settings in the Security node in the Google Admin Console **Identify locally-configured settings to migrate** -In addition to the settings configured in the Google Admin Console, users may have locally configured their devices based on their own personal preferences (as shown in Figure 2). Table 4 lists the Chromebook user and device settings that you can locally configure. Review the settings and determine which settings you will migrate to Windows. Some of the settings listed in Table 4 can only be seen when you click the **Show advanced settings** link (as shown in Figure 2). +In addition to the settings configured in the Google Admin Console, users may have locally configured their devices based on their own personal preferences (as shown in Figure 2). Table 4 lists the Chromebook user and device settings that you can locally configure. Review the settings and determine which settings you'll migrate to Windows. Some of the settings listed in Table 4 can only be seen when you click the **Show advanced settings** link (as shown in Figure 2). ![figure 2.](images/fig2-locallyconfig.png) -Figure 2. Locally-configured settings on Chromebook +Figure 2. Locally configured settings on Chromebook -Table 4. Locally-configured settings +Table 4. Locally configured settings | Section | Settings | |------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| @@ -183,30 +183,30 @@ Also, as a part of this planning process, consider settings that may not be curr **Prioritize settings to migrate** -After you have collected all the Chromebook user, app, and device settings that you want to migrate, you need to prioritize each setting. Evaluate each setting and assign a priority to the setting based on the levels of high, medium, and low. +After you've collected all the Chromebook user, app, and device settings that you want to migrate, you need to prioritize each setting. Evaluate each setting and assign a priority to the setting based on the levels of high, medium, and low. -Assign the setting-migration priority based on how critical the setting is to the faculty performing their day-to-day tasks and how the setting affects the curriculum in the classrooms. Focus on the migration of higher priority settings and put less effort into the migration of lower priority settings. There may be some settings that are not necessary at all and can be dropped from your list of settings entirely. Record the setting priority in the list of settings you plan to migrate. +Assign the setting-migration priority based on how critical the setting is to the faculty performing their day-to-day tasks and how the setting affects the curriculum in the classrooms. Focus on the migration of higher priority settings and put less effort into the migration of lower priority settings. There may be some settings that aren't necessary at all and can be dropped from your list of settings entirely. Record the setting priority in the list of settings you plan to migrate. ## Plan for email migration -Many of your users may be using Google Apps Gmail to manage their email, calendars, and contacts. You need to create the list of users you will migrate and the best time to perform the migration. +Many of your users may be using Google Apps Gmail to manage their email, calendars, and contacts. You need to create the list of users you'll migrate and the best time to perform the migration. Office 365 supports automated migration from Google Apps Gmail to Office 365. For more information, see [Migrate Google Apps mailboxes to Office 365](/Exchange/mailbox-migration/migrating-imap-mailboxes/migrate-g-suite-mailboxes). **Identify the list of user mailboxes to migrate** -In regards to creating the list of users you will migrate, it might seem that the answer “all the users” might be the best one. However, depending on the time you select for migration, only a subset of the users may need to be migrated. For example, you may not persist student email accounts between semesters or between academic years. In this case you would only need to migrate faculty and staff. +With regard to creating the list of users you'll migrate, it might seem that the answer “all the users” might be the best one. However, depending on the time you select for migration, only a subset of the users may need to be migrated. For example, you may not persist student email accounts between semesters or between academic years. In this case, you would only need to migrate faculty and staff. -Also, when you perform a migration it is a great time to verify that all user mailboxes are active. In many environments there are a significant number of mailboxes that were provisioned for users that are no longer a part of the institution (such as interns or student assistants). You can eliminate these users from your list of user mailboxes to migrate. +Also, when you perform a migration, it's a great time to verify that all user mailboxes are active. In many environments, there are a significant number of mailboxes that were provisioned for users that are no longer a part of the institution (such as interns or student assistants). You can eliminate these users from your list of user mailboxes to migrate. Create your list of user mailboxes to migrate in Excel 2016 based on the format described in step 7 in [Create a list of Gmail mailboxes to migrate](/Exchange/mailbox-migration/migrating-imap-mailboxes/migrate-g-suite-mailboxes). If you follow this format, you can use the Microsoft Excel spreadsheet to perform the actual migration later in the process. **Identify companion devices that access Google Apps Gmail** -In addition to Chromebook devices, users may have companion devices (smartphones, tablets, desktops, laptops, and so on) that also access the Google Apps Gmail mailbox. You will need to identify those companion devices and identify the proper configuration for those devices to access Office 365 mailboxes. +In addition to Chromebook devices, users may have companion devices (smartphones, tablets, desktops, laptops, and so on) that also access the Google Apps Gmail mailbox. You'll need to identify those companion devices and identify the proper configuration for those devices to access Office 365 mailboxes. -After you have identified each companion device, verify the settings for the device that are used to access Office 365. You only need to test one type of each companion device. For example, if users use Android phones to access Google Apps Gmail mailboxes, configure the device to access Office 365 and then record those settings. You can publish those settings on a website or to your helpdesk staff so that users will know how to access their Office 365 mailbox. +After you've identified each companion device, verify the settings for the device that are used to access Office 365. You only need to test one type of each companion device. For example, if users use Android phones to access Google Apps Gmail mailboxes, configure the device to access Office 365 and then record those settings. You can publish those settings on a website or to your helpdesk staff so that users will know how to access their Office 365 mailbox. In most instances, users will only need to provide in their Office 365 email account and password. However, you should verify this on each type of companion device. For more information about how to configure a companion device to work with Office 365, see [Compare how different mobile devices work with Office 365](https://go.microsoft.com/fwlink/p/?LinkId=690254). @@ -219,13 +219,13 @@ Ensure that you communicate the time the migration will occur to your users well ## Plan for cloud storage migration -Chromebook devices have limited local storage. So, most of your users will store data in cloud storage, such as Google Drive. You will need to plan how to migrate your cloud storage as a part of the Chromebook migration process. +Chromebook devices have limited local storage. So, most of your users will store data in cloud storage, such as Google Drive. You'll need to plan how to migrate your cloud storage as a part of the Chromebook migration process. -In this section, you will create a list of the existing cloud services, select the Microsoft cloud services that best meet your needs, and then optimize your cloud storage services migration plan. +In this section, you'll create a list of the existing cloud services, select the Microsoft cloud services that best meet your needs, and then optimize your cloud storage services migration plan. **Identify cloud storage services currently in use** -Typically, most Chromebook users use Google Drive for cloud storage services because your educational institution purchased other Google cloud services and Google Drive is a part of those services. However, some users may use cloud storage services from other vendors. For each member of your faculty and staff and for each student, create a list of cloud storage services that includes the following: +Typically, most Chromebook users use Google Drive for cloud storage services because your educational institution purchased other Google cloud services and Google Drive is a part of those services. However, some users may use cloud storage services from other vendors. For each member of your faculty and staff and for each student, create a list of cloud storage services that includes the following details: - Name of the cloud storage service @@ -235,7 +235,7 @@ Typically, most Chromebook users use Google Drive for cloud storage services bec - Approximate storage currently in use per user -Use this information as the requirements for your cloud storage services after you migrate to Windows devices. If at the end of this discovery you determine there is no essential data being stored in cloud storage services that requires migration, then you can skip to the [Plan for cloud services migration](#plan-cloud-services) section. +Use this information as the requirements for your cloud storage services after you migrate to Windows devices. If at the end of this discovery you determine there's no essential data being stored in cloud storage services that requires migration, then you can skip to the [Plan for cloud services migration](#plan-cloud-services) section. **Optimize cloud storage services migration plan** @@ -245,7 +245,7 @@ Consider the following to help optimize your cloud storage services migration pl - **Eliminate inactive user storage.** Before you perform the cloud storage services migration, identify cloud storage that is currently allocated to inactive users. Remove this storage from your list of cloud storage to migrate. -- **Eliminate or archive inactive files.** Review cloud storage to identify files that are inactive (have not been accessed for some period of time). Eliminate or archive these files so that they do not consume cloud storage. +- **Eliminate or archive inactive files.** Review cloud storage to identify files that are inactive (haven't been accessed for some period of time). Eliminate or archive these files so that they don't consume cloud storage. - **Consolidate cloud storage services.** If multiple cloud storage services are in use, reduce the number of cloud storage services and standardize on one cloud storage service. This will help reduce management complexity, support time, and typically will reduce cloud storage costs. @@ -254,15 +254,15 @@ Record your optimization changes in your cloud storage services migration plan. ## Plan for cloud services migration -Many of your users may use cloud services on their Chromebook device, such as Google Apps, Google Drive, or Google Apps Gmail. You have planned for these individual cloud services in the [Plan for app migration or replacement](#plan-app-migrate-replace), [Plan for Google Apps Gmail to Office 365 migration](#plan-email-migrate), and [Plan for cloud storage migration](#plan-cloud-storage-migration) sections. +Many of your users may use cloud services on their Chromebook device, such as Google Apps, Google Drive, or Google Apps Gmail. You've planned for these individual cloud services in the [Plan for app migration or replacement](#plan-app-migrate-replace), [Plan for Google Apps Gmail to Office 365 migration](#plan-email-migrate), and [Plan for cloud storage migration](#plan-cloud-storage-migration) sections. -In this section, you will create a combined list of these cloud services and then select the appropriate strategy to migrate these cloud services. +In this section, you'll create a combined list of these cloud services and then select the appropriate strategy to migrate these cloud services. ### **Identify cloud services currently in use** -You have already identified the individual cloud services that are currently in use in your educational institution in the [Plan for app migration or replacement](#plan-app-migrate-replace), [Plan for Google Apps Gmail to Office 365 migration](#plan-email-migrate), and [Plan for cloud storage migration](#plan-cloud-storage-migration) sections. Create a unified list of these cloud services and record the following about each service: +You've already identified the individual cloud services that are currently in use in your educational institution in the [Plan for app migration or replacement](#plan-app-migrate-replace), [Plan for Google Apps Gmail to Office 365 migration](#plan-email-migrate), and [Plan for cloud storage migration](#plan-cloud-storage-migration) sections. Create a unified list of these cloud services and record the following details about each service: - Cloud service name @@ -274,9 +274,9 @@ You have already identified the individual cloud services that are currently in One of the first questions you should ask after you identify the cloud services currently in use is, “Why do we need to migrate from these cloud services?” The answer to this question largely comes down to finances and features. -Here is a list of reasons that describe why you might want to migrate from an existing cloud service to Microsoft cloud services: +Here's a list of reasons that describe why you might want to migrate from an existing cloud service to Microsoft cloud services: -- **Better integration with Office 365.** If your long-term strategy is to migrate to Office 365 apps (such as Word 2016 or Excel 2016) then a migration to Microsoft cloud services will provide better integration with these apps. The use of existing cloud services may not be as intuitive for users. For example, Office 365 apps will integrate better with OneDrive for Business compared to Google Drive. +- **Better integration with Office 365.** If your long-term strategy is to migrate to Office 365 apps (such as Word 2016 or Excel 2016), then a migration to Microsoft cloud services will provide better integration with these apps. The use of existing cloud services may not be as intuitive for users. For example, Office 365 apps will integrate better with OneDrive for Business compared to Google Drive. - **Online apps offer better document compatibility.** Microsoft Office apps (such as Word and Excel for the web) provide the highest level of compatibility with Microsoft Office documents. The Office apps allow you to open and edit documents directly from SharePoint or OneDrive for Business. Users can access the Office app from any device with Internet connectivity. @@ -288,7 +288,7 @@ Review the list of existing cloud services that you created in the [Identify clo **Prioritize cloud services** -After you have created your aggregated list of cloud services currently in use by Chromebook users, prioritize each cloud service. Evaluate each cloud service and assign a priority based on the levels of high, medium, and low. +After you've created your aggregated list of cloud services currently in use by Chromebook users, prioritize each cloud service. Evaluate each cloud service and assign a priority based on the levels of high, medium, and low. Assign the priority based on how critical the cloud service is to the faculty and staff performing their day-to-day tasks and how the cloud service affects the curriculum in the classrooms. Also, make cloud services that are causing pain for the users a higher priority. For example, if users experience outages with a specific cloud service, then make migration of that cloud service a higher priority. @@ -298,7 +298,7 @@ Focus on the migration of higher priority cloud services first and put less effo **Select cloud services migration strategy** -When you deploy the Windows devices, should you migrate the faculty, staff, and students to the new cloud services? Perhaps. But, in most instances you will want to select a migration strategy that introduces a number of small changes over a period of time. +When you deploy the Windows devices, should you migrate the faculty, staff, and students to the new cloud services? Perhaps. But, in most instances you'll want to select a migration strategy that introduces a number of small changes over a period of time. Consider the following when you create your cloud services migration strategy: @@ -306,11 +306,11 @@ Consider the following when you create your cloud services migration strategy: - **Start off by using existing apps and cloud services.** Immediately after the migration to Windows devices, you may want to consider running the existing apps and cloud services (such Google Apps, Google Apps Gmail, and Google Drive). This gives users a familiar method to perform their day-to-day tasks. -- **Resolve pain points.** If some existing apps or cloud services cause problems, you may want to migrate them sooner rather than later. In most instances, users will be happy to go through the learning curve of a new app or cloud service if it is more reliable or intuitive for them to use. +- **Resolve pain points.** If some existing apps or cloud services cause problems, you may want to migrate them sooner rather than later. In most instances, users will be happy to go through the learning curve of a new app or cloud service if it's more reliable or intuitive for them to use. - **Migrate classrooms or users with common curriculum.** Migrate to Windows devices for an entire classroom or for multiple classrooms that share common curriculum. You must ensure that the necessary apps and cloud services are available for the curriculum prior to the migration of one or more classrooms. -- **Migrate when the fewest number of active users are affected.** Migrate your cloud services at the end of an academic year or end of a semester. This will ensure you have minimal impact on faculty, staff, and students. Also, a migration during this time will minimize the learning curve for users as they are probably dealing with new curriculum for the next semester. Also, you may not need to migrate student apps and data because many educational institutions do not preserve data between semesters or academic years. +- **Migrate when the fewest number of active users are affected.** Migrate your cloud services at the end of an academic year or end of a semester. This will ensure you have minimal impact on faculty, staff, and students. Also, a migration during this time will minimize the learning curve for users as they're probably dealing with new curriculum for the next semester. Also, you may not need to migrate student apps and data because many educational institutions don't preserve data between semesters or academic years. - **Overlap existing and new cloud services.** For faculty and staff, consider overlapping the existing and new cloud services (having both services available) for one business cycle (end of semester or academic year) after migration. This allows you to easily recover any data that might not have migrated successfully from the existing cloud services. At a minimum, overlap the user of existing and new cloud services until the user can verify the migration. Of course, the tradeoff for using this strategy is the cost of the existing cloud services. However, depending on when license renewal occurs, the cost may be minimal. @@ -319,7 +319,7 @@ Consider the following when you create your cloud services migration strategy: You need to plan for Windows device deployment to help ensure that the devices are successfully installed and configured to replace the Chromebook devices. Even if the vendor that provides the devices pre-loads Windows 10 on them, you still will need to perform other tasks. -In this section you will select a Windows device deployment strategy; plan for Active Directory Domain Services (AD DS) and Azure AD services; plan for device, user, and app management; and plan for any necessary network infrastructure remediation. +In this section, you'll select a Windows device deployment strategy; plan for Active Directory Domain Services (AD DS) and Azure AD services; plan for device, user, and app management; and plan for any necessary network infrastructure remediation. ### @@ -329,17 +329,17 @@ What decisions need to be made about Windows device deployment? You just put the For each classroom that has Chromebook devices, select a combination of the following device deployment strategies: -- **Deploy one classroom at a time.** In most cases you will want to perform your deployment in batches of devices and a classroom is an excellent way to batch devices. You can treat each classroom as a unit and check each classroom off your list after you have deployed the devices. +- **Deploy one classroom at a time.** In most cases, you'll want to perform your deployment in batches of devices and a classroom is an excellent way to batch devices. You can treat each classroom as a unit and check each classroom off your list after you've deployed the devices. -- **Deploy based on curriculum.** Deploy the Windows devices after you have confirmed that the curriculum is ready for the Windows devices. If you deploy Windows devices without the curriculum installed and tested, you could significantly reduce the ability for students and teachers to perform effectively in the classroom. Also, deployment based on curriculum has the advantage of letting you move from classroom to classroom quickly if multiple classrooms use the same curriculum. +- **Deploy based on curriculum.** Deploy the Windows devices after you've confirmed that the curriculum is ready for the Windows devices. If you deploy Windows devices without the curriculum installed and tested, you could significantly reduce the ability for students and teachers to perform effectively in the classroom. Also, deployment based on curriculum has the advantage of letting you move from classroom to classroom quickly if multiple classrooms use the same curriculum. -- **Deploy side-by-side.** In some instances you may need to have both the Chromebook and Windows devices in one or more classrooms. You can use this strategy if some of the curriculum only works on Chromebook and other parts of the curriculum works on Windows devices. This is a good method to help prevent delays in Windows device deployment, while ensuring that students and teachers can make optimal use of technology in their curriculum. +- **Deploy side-by-side.** In some instances, you may need to have both the Chromebook and Windows devices in one or more classrooms. You can use this strategy if some of the curriculum only works on Chromebook and other parts of the curriculum works on Windows devices. This is a good method to help prevent delays in Windows device deployment, while ensuring that students and teachers can make optimal use of technology in their curriculum. - **Deploy after apps and cloud services migration.** If you deploy a Windows device without the necessary apps and cloud services to support the curriculum, this provides only a portion of your complete solution. Ensure that the apps and cloud services are tested, provisioned, and ready for use prior to the deployment of Windows devices. -- **Deploy after the migration of user and device settings.** Ensure that you have identified the user and device settings that you plan to migrate and that those settings are ready to be applied to the new Windows devices. For example, you would want to create Group Policy Objects (GPOs) to apply the user and device settings to Windows devices. +- **Deploy after the migration of user and device settings.** Ensure that you've identified the user and device settings that you plan to migrate and that those settings are ready to be applied to the new Windows devices. For example, you would want to create Group Policy Objects (GPOs) to apply the user and device settings to Windows devices. - If you ensure that Windows devices closely mirror the Chromebook device configuration, you will ease user learning curve and create a sense of familiarity. Also, when you have the settings ready to be applied to the devices, it helps ensure you will deploy your new Windows devices in a secure configuration. + If you ensure that Windows devices closely mirror the Chromebook device configuration, you'll ease user learning curve and create a sense of familiarity. Also, when you have the settings ready to be applied to the devices, it helps ensure you'll deploy your new Windows devices in a secure configuration. Record the combination of Windows device deployment strategies that you selected. @@ -347,7 +347,7 @@ Record the combination of Windows device deployment strategies that you selected **Plan for AD DS and Azure AD services** -The next decision you will need to make concerns AD DS and Azure AD services. You can run AD DS on-premises, in the cloud by using Azure AD, or a combination of both (hybrid). The decision about which of these options is best is closely tied to how you will manage your users, apps, and devices and if you will use Office 365 and other Azure-based cloud services. +The next decision you'll need to make concerns AD DS and Azure AD services. You can run AD DS on-premises, in the cloud by using Azure AD, or a combination of both (hybrid). The decision about which of these options is best is closely tied to how you'll manage your users, apps, and devices and if you'll use Office 365 and other Azure-based cloud services. In the hybrid configuration, your on-premises AD DS user and group objects are synchronized with Azure AD (including passwords). The synchronization happens both directions so that changes are made in both your on-premises AD DS and Azure AD. @@ -362,13 +362,13 @@ Table 5. Select on-premises AD DS, Azure AD, or hybrid |Use Microsoft Endpoint Manager for management|✔️||✔️| |Use Group Policy for management|✔️||✔️| |Have devices that are domain-joined|✔️||✔️| -|Allow faculty and students to Bring Your Own Device (BYOD) which are not domain-joined||✔️|✔️| +|Allow faculty and students to Bring Your Own Device (BYOD) which aren't domain-joined||✔️|✔️| ### **Plan device, user, and app management** -You may ask the question, “Why plan for device, user, and app management before you deploy the device?” The answer is that you will only deploy the device once, but you will manage the device throughout the remainder of the device's lifecycle. +You may ask the question, “Why plan for device, user, and app management before you deploy the device?” The answer is that you'll only deploy the device once, but you'll manage the device throughout the remainder of the device's lifecycle. Also, planning management before deployment is essential to being ready to support the devices as you deploy them. You want to have your management processes and technology in place when the first teachers, facility, or students start using their new Windows device. @@ -384,11 +384,11 @@ Table 6. Device, user, and app management products and technologies |Deploy software updates during operating system deployment|||✔️||✔️|| |Deploy software updates after operating system deployment|✔️|✔️|✔️|✔️||✔️| |Support devices that are domain-joined|✔️|✔️|✔️|✔️|✔️|| -|Support devices that are not domain-joined|✔️|||✔️|✔️|| +|Support devices that aren't domain-joined|✔️|||✔️|✔️|| |Use on-premises resources|✔️|✔️|✔️||✔️|| |Use cloud-based services||||✔️||| -You can use Configuration Manager and Intune in conjunction with each other to provide features from both products and technologies. In some instances you may need only one of these products or technologies. In other instances, you may need two or more to meet the device, user, and app management needs for your institution. +You can use Configuration Manager and Intune in conjunction with each other to provide features from both products and technologies. In some instances, you may need only one of these products or technologies. In other instances, you may need two or more to meet the device, user, and app management needs for your institution. Record the device, user, and app management products and technologies that you selected. @@ -402,19 +402,19 @@ Examine each of the following network infrastructure technologies and services a - **Domain Name System (DNS)** provides translation between a device name and its associated IP address. For Chromebook devices, public facing, Internet DNS services are the most important. For Windows devices that only access the Internet, they have the same requirements. - However, if you intend to communicate between Windows devices (peer-to-peer or client/server) then you will need local DNS services. Windows devices will register their name and IP address with the local DNS services so that Windows devices can locate each other. + However, if you intend to communicate between Windows devices (peer-to-peer or client/server) then you'll need local DNS services. Windows devices will register their name and IP address with the local DNS services so that Windows devices can locate each other. - **Dynamic Host Configuration Protocol (DHCP)** provides automatic IP configuration for devices. Your existing Chromebook devices probably use DHCP for configuration. If you plan to immediately replace the Chromebook devices with Windows devices, then you only need to release all the DHCP reservations for the Chromebook devices prior to the deployment of Windows devices. - If you plan to run Chromebook and Windows devices side-by-side, then you need to ensure that your DHCP service has adequate IP addresses available for both sets of devices. + If you plan to run Chromebook and Windows devices side by side, then you need to ensure that your DHCP service has adequate IP addresses available for both sets of devices. - **Wi-Fi.** Chromebook devices are designed to connect to Wi-Fi networks. Windows devices are the same. Your existing Wi-Fi network for the Chromebook devices should be adequate for the same number of Windows devices. - If you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side-by-side, then you need to ensure that Wi-Fi network can support the number of devices. + If you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side by side, then you need to ensure that Wi-Fi network can support the number of devices. - **Internet bandwidth.** Chromebook devices consume more Internet bandwidth (up to 700 times more) than Windows devices. This means that if your existing Internet bandwidth is adequate for the Chromebook devices, then the bandwidth will be more than adequate for Windows devices. - However, if you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side-by-side, then you need to ensure that your Internet connection can support the number of devices. + However, if you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side by side, then you need to ensure that your Internet connection can support the number of devices. For more information that compares Internet bandwidth consumption for Chromebook and Windows devices, see the following resources: @@ -426,16 +426,16 @@ Examine each of the following network infrastructure technologies and services a - **Power.** Although not specifically a network infrastructure, you need to ensure your classrooms have adequate power. Chromebook and Windows devices should consume similar amounts of power. This means that your existing power outlets should support the same number of Windows devices. - If you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side-by-side, you need to ensure that the power outlets, power strips, and other power management components can support the number of devices. + If you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side by side, you need to ensure that the power outlets, power strips, and other power management components can support the number of devices. At the end of this process, you may determine that no network infrastructure remediation is necessary. If so, you can skip the [Perform network infrastructure remediation](#network-infra-remediation) section of this guide. ## Perform Chromebook migration -Thus far, planning has been the primary focus. Believe it or not most of the work is now done. The rest of the Chromebook migration is just the implementation of the plan you have created. +Thus far, planning has been the primary focus. Believe it or not most of the work is now done. The rest of the Chromebook migration is just the implementation of the plan you've created. -In this section you will perform the necessary steps for the Chromebook device migration. You will perform the migration based on the planning decision that you made in the [Plan Chromebook migration](#plan-migration) section earlier in this guide. +In this section, you'll perform the necessary steps for the Chromebook device migration. You'll perform the migration based on the planning decision that you made in the [Plan Chromebook migration](#plan-migration) section earlier in this guide. You must perform some of the steps in this section in a specific sequence. Each section has guidance about when to perform a step. You can perform other steps before, during, or after the migration. Again, each section will tell you if the sequence is important. @@ -444,7 +444,7 @@ You must perform some of the steps in this section in a specific sequence. Each The first migration task is to perform any network infrastructure remediation. In the [Plan network infrastructure remediation](#plan-network-infra-remediation) section, you determined the network infrastructure remediation (if any) that you needed to perform. -It is important that you perform any network infrastructure remediation first because the remaining migration steps are dependent on the network infrastructure. Table 7 lists the Microsoft network infrastructure products and technologies and deployment resources for each. +It's important that you perform any network infrastructure remediation first because the remaining migration steps are dependent on the network infrastructure. Table 7 lists the Microsoft network infrastructure products and technologies and deployment resources for each. Table 7. Network infrastructure products and technologies and deployment resources @@ -459,11 +459,11 @@ If you use network infrastructure products and technologies from other vendors, ## Perform AD DS and Azure AD services deployment or remediation -It is important that you perform AD DS and Azure AD services deployment or remediation right after you finish network infrastructure remediation. Many of the remaining migration steps are dependent on you having your identity system (AD DS or Azure AD) in place and up to necessary expectations. +It's important that you perform AD DS and Azure AD services deployment or remediation right after you finish network infrastructure remediation. Many of the remaining migration steps are dependent on you having your identity system (AD DS or Azure AD) in place and up to necessary expectations. In the [Plan for Active Directory services](#plan-adservices) section, you determined the AD DS and/or Azure AD deployment or remediation (if any) that needed to be performed. Table 8 list AD DS, Azure AD, and the deployment resources for both. Use the resources in this table to deploy or remediate on-premises AD DS, Azure AD, or both. -Table 8. AD DS, Azure AD and deployment resources +Table 8. AD DS, Azure AD, and deployment resources |Product or technology|Resources| |--- |--- | @@ -475,7 +475,7 @@ If you decided not to migrate to AD DS or Azure AD as a part of the migration, o ## Prepare device, user, and app management systems -In the [Plan device, user, and app management](#plan-userdevapp-manage) section of this guide, you selected the products and technologies that you will use to manage devices, users, and apps on Windows devices. You need to prepare your management systems prior to Windows 10 device deployment. You will use these management systems to manage the user and device settings that you selected to migrate in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section. You need to prepare these systems prior to the migration of user and device settings. +In the [Plan device, user, and app management](#plan-userdevapp-manage) section of this guide, you selected the products and technologies that you'll use to manage devices, users, and apps on Windows devices. You need to prepare your management systems prior to Windows 10 device deployment. You'll use these management systems to manage the user and device settings that you selected to migrate in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section. You need to prepare these systems prior to the migration of user and device settings. Table 9 lists the Microsoft management systems and the deployment resources for each. Use the resources in this table to prepare (deploy or remediate) these management systems. @@ -547,7 +547,7 @@ Alternatively, if you want to migrate to Office 365 from: ## Perform cloud storage migration -In the [Plan for cloud storage migration](#plan-cloud-storage-migration) section, you identified the cloud storage services currently in use, selected the Microsoft cloud storage services that you will use, and optimized your cloud storage services migration plan. You can perform the cloud storage migration before or after you deploy the Windows devices. +In the [Plan for cloud storage migration](#plan-cloud-storage-migration) section, you identified the cloud storage services currently in use, selected the Microsoft cloud storage services that you'll use, and optimized your cloud storage services migration plan. You can perform the cloud storage migration before or after you deploy the Windows devices. Manually migrate the cloud storage migration by using the following steps: diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md index 27b3806af5..18a0661d81 100644 --- a/education/windows/configure-windows-for-education.md +++ b/education/windows/configure-windows-for-education.md @@ -20,24 +20,24 @@ manager: dansimp - Windows 10 -Privacy is important to us, we want to provide you with ways to customize the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, for usage with [education editions of Windows 10](windows-editions-for-education-customers.md) in education environments. These features work on all Windows 10 editions, but education editions of Windows 10 have the settings preconfigured. We recommend that all Windows 10 devices in an education setting be configured with **[SetEduPolicies](#setedupolicies)** enabled. See the following table for more information. To learn more about Microsoft's commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305). +Privacy is important to us, we want to provide you with ways to customize the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, for usage with [education editions of Windows 10](windows-editions-for-education-customers.md) in education environments. These features work on all Windows 10 editions, but education editions of Windows 10 have the settings preconfigured. We recommend that all Windows 10 devices in an education setting be configured with **[SetEduPolicies](#setedupolicies)** enabled. For more information, see the following table. To learn more about Microsoft's commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305). We want all students to have the chance to use the apps they need for success in the classroom and all school personnel to have apps they need for their job. Students and school personnel who use assistive technology apps not available in the Microsoft Store for Education, and use devices running Windows 10 S, will be able to configure the device at no additional charge to Windows 10 Pro Education. To learn more about the steps to configure this, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md). -In Windows 10, version 1703 (Creators Update), it is straightforward to configure Windows to be education ready. +In Windows 10, version 1703 (Creators Update), it's straightforward to configure Windows to be education ready. | Area | How to configure | What this does | Windows 10 Education | Windows 10 Pro Education | Windows 10 S | | --- | --- | --- | --- | --- | --- | | **Diagnostic Data** | **AllowTelemetry** | Sets Diagnostic Data to [Basic](/windows/configuration/configure-windows-telemetry-in-your-organization) | This is already set | This is already set | The policy must be set | | **Microsoft consumer experiences** | **SetEduPolicies** | Disables suggested content from Windows such as app recommendations | This is already set | This is already set | The policy must be set | -| **Cortana** | **AllowCortana** | Disables Cortana

            * Cortana is enabled by default on all editions in Windows 10, version 1703 | If using Windows 10 Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana.

            See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | If using Windows 10 Pro Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana.

            See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | +| **Cortana** | **AllowCortana** | Disables Cortana

            * Cortana is enabled by default on all editions in Windows 10, version 1703 | If using Windows 10 Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana.

            See the [Recommended configuration](#recommended-configuration) section for recommended Cortana settings. | If using Windows 10 Pro Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana.

            See the [Recommended configuration](#recommended-configuration) section for recommended Cortana settings. | See the [Recommended configuration](#recommended-configuration) section for recommended Cortana settings. | | **Safe search** | **SetEduPolicies** | Locks Bing safe search to Strict in Microsoft Edge | This is already set | This is already set | The policy must be set | | **Bing search advertising** | Ad free search with Bing | Disables ads when searching the internet with Bing in Microsoft Edge. See [Ad-free search with Bing](#ad-free-search-with-bing | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | -| **Apps** | **SetEduPolicies** | Preinstalled apps like Microsoft Edge, Movies & TV, Groove, and Skype become education ready

            * Any app can detect Windows is running in an education ready configuration through [IsEducationEnvironment](/uwp/api/windows.system.profile.educationsettings) | This is already set | This is already set | The policy must be set | +| **Apps** | **SetEduPolicies** | Preinstalled apps like Microsoft Edge, Movies & TV, Groove, and Skype become education ready

            * Any app can detect Windows is running in an education-ready configuration through [IsEducationEnvironment](/uwp/api/windows.system.profile.educationsettings) | This is already set | This is already set | The policy must be set | ## Recommended configuration -It is easy to be education ready when using Microsoft products. We recommend the following configuration: +It's easy to be education ready when using Microsoft products. We recommend the following configuration: 1. Use an Office 365 Education tenant. @@ -55,9 +55,9 @@ It is easy to be education ready when using Microsoft products. We recommend the * Use Set up School PCs or Windows Configuration Designer to bulk enroll to Azure AD. * Manually Azure AD join the PC during the Windows device setup experience. 3. Enroll the PCs in MDM. - * If you have activated Intune for Education in your Azure AD tenant, enrollment will happen automatically when the PC is joined to Azure AD. Intune for Education will automatically set **SetEduPolicies** to True and **AllowCortana** to False. + * If you've activated Intune for Education in your Azure AD tenant, enrollment will happen automatically when the PC is joined to Azure AD. Intune for Education will automatically set **SetEduPolicies** to True and **AllowCortana** to False. 4. Ensure that needed assistive technology apps can be used. - * If you have students or school personnel who rely on assistive technology apps that are not available in the Microsoft Store for Education, and who are using a Windows 10 S device, configure their device to Windows 10 Pro Education to allow the download and use of non-Microsoft Store assistive technology apps. See [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) for more info. + * If you have students or school personnel who rely on assistive technology apps that aren't available in the Microsoft Store for Education, and who are using a Windows 10 S device, configure their device to Windows 10 Pro Education to allow the download and use of non-Microsoft Store assistive technology apps. See [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) for more info. 4. Distribute the PCs to students. @@ -77,7 +77,7 @@ You can set all the education compliance areas through both provisioning and man - [Intune for Education](/intune-education/available-settings) ## AllowCortana -**AllowCortana** is a policy that enables or disables Cortana. It is a policy node in the Policy configuration service provider, [AllowCortana](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcortana). +**AllowCortana** is a policy that enables or disables Cortana. It's a policy node in the Policy configuration service provider, [AllowCortana](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcortana). > [!NOTE] > See the [Recommended configuration](#recommended-configuration) section for recommended Cortana settings. @@ -109,7 +109,7 @@ Set **Computer Configuration > Administrative Templates > Windows Components > S ![Set AllowCortana to No in Windows Configuration Designer.](images/allowcortana_wcd.png) ## SetEduPolicies -**SetEduPolicies** is a policy that applies a set of configuration behaviors to Windows. It is a policy node in the [SharedPC configuration service provider](/windows/client-management/mdm/sharedpc-csp). +**SetEduPolicies** is a policy that applies a set of configuration behaviors to Windows. It's a policy node in the [SharedPC configuration service provider](/windows/client-management/mdm/sharedpc-csp). Use one of these methods to set this policy. @@ -126,11 +126,11 @@ Use one of these methods to set this policy. ![Create an OMA URI for SetEduPolices.](images/setedupolicies_omauri.png) ### Group Policy -**SetEduPolicies** is not natively supported in Group Policy. Instead, use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to set the policy in [MDM SharedPC](/windows/win32/dmwmibridgeprov/mdm-sharedpc). +**SetEduPolicies** isn't natively supported in Group Policy. Instead, use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to set the policy in [MDM SharedPC](/windows/win32/dmwmibridgeprov/mdm-sharedpc). For example: -- Open PowerShell as an administrator and enter the following: +- Open PowerShell as an administrator and enter the following command: ``` $sharedPC = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_SharedPC" diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md index 2c43aa28c6..ba986f6e8a 100644 --- a/education/windows/deploy-windows-10-in-a-school-district.md +++ b/education/windows/deploy-windows-10-in-a-school-district.md @@ -20,18 +20,18 @@ manager: dansimp - Windows 10 -This guide shows you how to deploy the Windows 10 operating system in a school district. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Endpoint Configuration Manager, Microsoft Intune, and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you will perform after initial deployment and the automated tools and built-in features of the operating system. +This guide shows you how to deploy the Windows 10 operating system in a school district. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Endpoint Configuration Manager, Microsoft Intune, and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you'll perform after initial deployment and the automated tools and built-in features of the operating system. ## Prepare for district deployment -Proper preparation is essential for a successful district deployment. To avoid common mistakes, your first step is to plan a typical district configuration. As with building a house, you need a blueprint for what your district and individual schools should look like when it’s finished. The second step in preparation is to learn how you will manage the users, apps, and devices in your district. Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your district. +Proper preparation is essential for a successful district deployment. To avoid common mistakes, your first step is to plan a typical district configuration. As with building a house, you need a blueprint for what your district and individual schools should look like when it’s finished. The second step in preparation is to learn how you'll manage the users, apps, and devices in your district. Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your district. > [!NOTE] > This guide focuses on Windows 10 deployment and management in a district. For management of other devices and operating systems in education environments, see [Manage BYOD and corporate-owned devices with MDM solutions](https://www.microsoft.com/cloud-platform/mobile-device-management). ### Plan a typical district configuration -As part of preparing for your district deployment, you need to plan your district configuration — the focus of this guide. Figure 1 illustrates a typical finished district configuration that you can use as a model (the blueprint in our builder analogy) for the finished state. +As part of preparing for your district deployment, you need to plan your district configuration— the focus of this guide. Figure 1 illustrates a typical finished district configuration that you can use as a model (the blueprint in our builder analogy) for the finished state. > [!div class="mx-imgBorder"] > ![Typical district configuration for this guide.](images/edu-districtdeploy-fig1.png "Typical district configuration for this guide") @@ -132,9 +132,9 @@ For more information about Office 365 Education features and an FAQ, go to [Offi ### How to configure a district -Now that you have the plan (blueprint) for your district and individual schools and classrooms, you’re ready to learn about the tools you will use to deploy it. There are many tools you could use to accomplish the task, but this guide focuses on using those tools that require the least infrastructure and technical knowledge. +Now that you have the plan (blueprint) for your district and individual schools and classrooms, you’re ready to learn about the tools you'll use to deploy it. There are many tools you could use to accomplish the task, but this guide focuses on using those tools that require the least infrastructure and technical knowledge. -The primary tool you will use to deploy Windows 10 in your school is MDT, which uses Windows ADK components to make deployment easier. You could just use the Windows ADK to perform your deployment, but MDT simplifies the process by providing an intuitive, wizard-driven user interface (UI). +The primary tool you'll use to deploy Windows 10 in your school is MDT, which uses Windows ADK components to make deployment easier. You could just use the Windows ADK to perform your deployment, but MDT simplifies the process by providing an intuitive, wizard-driven user interface (UI). You can use MDT as a stand-alone tool or integrate it with Microsoft Endpoint Configuration Manager. As a stand-alone tool, MDT performs Lite Touch Installation (LTI) deployments—deployments that require minimal infrastructure and allow you to control the level of automation. When integrated with Configuration Manager, MDT performs Zero Touch Installation (ZTI) deployments, which require more infrastructure (such as Configuration Manager) but result in fully automated deployments. @@ -142,7 +142,7 @@ This guide focuses on LTI deployments to deploy the reference device. You can us MDT includes the Deployment Workbench, a console from which you can manage the deployment of Windows 10 and your apps. You configure the deployment process in the Deployment Workbench, including the management of operating systems, device drivers, apps, and migration of user settings on existing devices. -LTI performs deployment from a *deployment share* — a network-shared folder on the device on which you installed MDT. You can perform over-the-network deployments from the deployment share or perform deployments from a local copy of the deployment share on a USB drive or DVD. You will learn more about MDT in [Prepare the admin device](#prepare-the-admin-device), earlier in this article. +LTI performs deployment from a *deployment share*—a network-shared folder on the device on which you installed MDT. You can perform over-the-network deployments from the deployment share or perform deployments from a local copy of the deployment share on a USB drive or DVD. You'll learn more about MDT in [Prepare the admin device](#prepare-the-admin-device), earlier in this article. The focus of MDT is deployment, so you also need tools that help you manage your Windows 10 devices and apps. You can manage Windows 10 devices and apps with Intune, the Compliance Management feature in Office 365, or Group Policy in AD DS. You can use any combination of these tools based on your school requirements. @@ -152,19 +152,19 @@ The configuration process requires the following devices: * **Admin device.** This is the device you use for your day-to-day job functions. It’s also the one you use to create and manage the Windows 10 and app deployment process. You install the Windows ADK, MDT, and the Configuration Manager Console on this device. -* **Reference devices.** These are the devices that you will use as a template for the faculty and student devices. You install Windows 10 and Windows desktop apps on these devices, and then capture an image (.wim file) of the devices. +* **Reference devices.** These are the devices that you'll use as a template for the faculty and student devices. You install Windows 10 and Windows desktop apps on these devices, and then capture an image (.wim file) of the devices. - You will have a reference device for each type of device in your district. For example, if your district has Surface, HP Stream, Dell Inspiron, and Lenovo Yoga devices, then you would have a reference device for each model. For more information about approved Windows 10 devices, see [Explore devices](https://www.microsoft.com/windows/view-all). + You'll have a reference device for each type of device in your district. For example, if your district has Surface, HP Stream, Dell Inspiron, and Lenovo Yoga devices, then you would have a reference device for each model. For more information about approved Windows 10 devices, see [Explore devices](https://www.microsoft.com/windows/view-all). * **Faculty and staff devices.** These are the devices that the teachers, faculty, and staff use for their day-to-day job functions. You use the admin device to deploy (or upgrade) Windows 10 and apps to these devices. -* **Student devices.** The students will use these devices. You will use the admin device deploy (or upgrade) Windows 10 and apps to them. +* **Student devices.** The students will use these devices. You'll use the admin device deploy (or upgrade) Windows 10 and apps to them. The high-level process for deploying and configuring devices within individual classrooms, individual schools, and the district as a whole is as follows and illustrated in Figure 4: 1. Prepare the admin device for use, which includes installing the Windows ADK, MDT, and the Configuration Manager console. -2. On the admin device, create and configure the Office 365 Education subscription that you will use for the district’s classrooms. +2. On the admin device, create and configure the Office 365 Education subscription that you'll use for the district’s classrooms. 3. On the admin device, configure integration between on-premises AD DS and Azure AD (if you have an on premises AD DS configuration). @@ -217,7 +217,7 @@ Some constraints exist in these scenarios. As you select the deployment and mana * You can use Group Policy or Intune to manage configuration settings on a device but not both. * You can use Microsoft Endpoint Manager or Intune to manage apps and updates on a device but not both. -* You cannot manage multiple users on a device with Intune if the device is AD DS domain joined. +* You can't manage multiple users on a device with Intune if the device is AD DS domain joined. Use the cloud-centric scenario and on-premises and cloud scenario as a guide for your district. You may need to customize these scenarios, however, based on your district. As you go through the [Select the deployment methods](#select-the-deployment-methods), [Select the configuration setting management methods](#select-the-configuration-setting-management-methods), and the [Select the app and update management products](#select-the-app-and-update-management-products) sections, remember these scenarios and use them as the basis for your district. @@ -228,7 +228,7 @@ To deploy Windows 10 and your apps, you can use MDT by itself or Microsoft Endpo |Method|Description| |--- |--- | |MDT|MDT is an on-premises solution that supports initial operating system deployment and upgrade. You can use MDT to deploy and upgrade Windows 10. In addition, you can initially deploy Windows desktop and Microsoft Store apps and software updates.
            Select this method when you:
          • Want to deploy Windows 10 to institution-owned and personal devices. (Devices need not be domain joined.)
          • Don’t have an existing AD DS infrastructure.
          • Need to manage devices regardless of where they are (on or off premises).
            The advantages of this method are that:
          • You can deploy Windows 10 operating systems
          • You can manage device drivers during initial deployment.
          • You can deploy Windows desktop apps (during initial deployment)
          • It doesn’t require an AD DS infrastructure.
          • It doesn’t have additional infrastructure requirements.
          • MDT doesn’t incur additional cost: it’s a free tool.
          • You can deploy Windows 10 operating systems to institution-owned and personal devices.
            The disadvantages of this method are that it:
          • Can’t manage applications throughout entire application life cycle (by itself).
          • Can’t manage software updates for Windows 10 and apps (by itself).
          • Doesn’t provide antivirus and malware protection (by itself).
          • Has limited scaling to large numbers of users and devices.| -|Microsoft Endpoint Configuration Manager|
          • Configuration Manager is an on-premises solution that supports operating system management throughout the entire operating system life cycle
          • You can use Configuration Manager to deploy and upgrade Windows 10. In addition, you can manage Windows desktop and Microsoft Store apps and software updates as well as provide antivirus and antimalware protection.
            Select this method when you:
          • Want to deploy Windows 10 to institution-owned devices that are domain joined (personal devices are typically not domain joined).
          • Have an existing AD DS infrastructure (or plan to deploy an AD DS infrastructure).
          • Typically deploy Windows 10 to on-premises devices.
            The advantages of this method are that:
          • You can deploy Windows 10 operating systems.
          • You can manage (deploy) Windows desktop and Microsoft Store apps throughout entire application life cycle.
          • You can manage software updates for Windows 10 and apps.
          • You can manage antivirus and malware protection.
          • It scales to large number of users and devices.
            The disadvantages of this method are that it:
          • Carries an additional cost for Microsoft Endpoint Manager server licenses (if the institution does not have Configuration Manager already).
          • Can deploy Windows 10 only to domain-joined (institution-owned devices).
          • Requires an AD DS infrastructure (if the institution does not have AD DS already).| +|Microsoft Endpoint Configuration Manager|
          • Configuration Manager is an on-premises solution that supports operating system management throughout the entire operating system life cycle
          • You can use Configuration Manager to deploy and upgrade Windows 10. In addition, you can manage Windows desktop and Microsoft Store apps and software updates as well as provide antivirus and antimalware protection.
            Select this method when you:
          • Want to deploy Windows 10 to institution-owned devices that are domain joined (personal devices are typically not domain joined).
          • Have an existing AD DS infrastructure (or plan to deploy an AD DS infrastructure).
          • Typically deploy Windows 10 to on-premises devices.
            The advantages of this method are that:
          • You can deploy Windows 10 operating systems.
          • You can manage (deploy) Windows desktop and Microsoft Store apps throughout entire application life cycle.
          • You can manage software updates for Windows 10 and apps.
          • You can manage antivirus and malware protection.
          • It scales to large number of users and devices.
            The disadvantages of this method are that it:
          • Carries an additional cost for Microsoft Endpoint Manager server licenses (if the institution doesn't have Configuration Manager already).
          • Can deploy Windows 10 only to domain-joined (institution-owned devices).
          • Requires an AD DS infrastructure (if the institution doesn't have AD DS already).| *Table 2. Deployment methods* @@ -249,8 +249,8 @@ For a district, there are many ways to manage the configuration setting for user |Method|Description| |--- |--- | -|Group Policy|Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows.
            Select this method when you
          • Want to manage institution-owned devices that are domain joined (personal devices are typically not domain joined).
          • Want more granular control of device and user settings.
          • Have an existing AD DS infrastructure.
          • Typically manage on-premises devices.
          • Can manage a required setting only by using Group Policy.
            The advantages of this method include:
          • No cost beyond the AD DS infrastructure.
          • A larger number of settings (compared to Intune).
            The disadvantages of this method are that it:
          • Can only manage domain-joined (institution-owned devices).
          • Requires an AD DS infrastructure (if the institution does not have AD DS already).
          • Typically manages on-premises devices (unless devices use a virtual private network [VPN] or Microsoft DirectAccess to connect).
          • Has rudimentary app management capabilities.
          • Cannot deploy Windows 10 operating systems.| -|Intune|Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.
            Intune is the cloud-based management system described in this guide, but you can use other MDM providers. If you use an MDM provider other than Intune, integration with Configuration Manager is unavailable.
            Select this method when you:
          • Want to manage institution-owned and personal devices (does not require that the device be domain joined).
          • Don’t need granular control over device and user settings (compared to Group Policy).
          • Don’t have an existing AD DS infrastructure.
          • Need to manage devices regardless of where they are (on or off premises).
          • Want to provide application management for the entire application life cycle.
          • Can manage a required setting only by using Intune.
            The advantages of this method are that:
          • You can manage institution-owned and personal devices.
          • It doesn’t require that devices be domain joined.
          • It doesn’t require any on-premises infrastructure.
          • It can manage devices regardless of their location (on or off premises).
            The disadvantages of this method are that it:
          • Carries an additional cost for Intune subscription licenses.
          • Doesn’t offer granular control over device and user settings (compared to Group Policy).
          • Cannot deploy Windows 10 operating systems.| +|Group Policy|Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows.
            Select this method when you
          • Want to manage institution-owned devices that are domain joined (personal devices are typically not domain joined).
          • Want more granular control of device and user settings.
          • Have an existing AD DS infrastructure.
          • Typically manage on-premises devices.
          • Can manage a required setting only by using Group Policy.
            The advantages of this method include:
          • No cost beyond the AD DS infrastructure.
          • A larger number of settings (compared to Intune).
            The disadvantages of this method are that it:
          • Can only manage domain-joined (institution-owned devices).
          • Requires an AD DS infrastructure (if the institution doesn't have AD DS already).
          • Typically manages on-premises devices (unless devices use a virtual private network [VPN] or Microsoft DirectAccess to connect).
          • Has rudimentary app management capabilities.
          • Can't deploy Windows 10 operating systems.| +|Intune|Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.
            Intune is the cloud-based management system described in this guide, but you can use other MDM providers. If you use an MDM provider other than Intune, integration with Configuration Manager is unavailable.
            Select this method when you:
          • Want to manage institution-owned and personal devices (doesn't require that the device be domain joined).
          • Don’t need granular control over device and user settings (compared to Group Policy).
          • Don’t have an existing AD DS infrastructure.
          • Need to manage devices regardless of where they are (on or off premises).
          • Want to provide application management for the entire application life cycle.
          • Can manage a required setting only by using Intune.
            The advantages of this method are that:
          • You can manage institution-owned and personal devices.
          • It doesn’t require that devices be domain joined.
          • It doesn’t require any on-premises infrastructure.
          • It can manage devices regardless of their location (on or off premises).
            The disadvantages of this method are that it:
          • Carries an additional cost for Intune subscription licenses.
          • Doesn’t offer granular control over device and user settings (compared to Group Policy).
          • Can't deploy Windows 10 operating systems.| *Table 4. Configuration setting management methods* @@ -271,9 +271,9 @@ Use the information in Table 6 to determine which combination of app and update |Selection|Management method| |--- |--- | -|Microsoft Endpoint Configuration Manager|Configuration Manager is an on-premises solution that allows you to specify configuration settings for Windows 10; previous versions of Windows; and other operating systems, such as iOS or Android, through integration with Intune.Configuration Manager supports application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager. You can also manage Windows desktop and Microsoft Store applications. Select this method when you:
          • Selected Configuration Manager to deploy Windows 10.
          • Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).
          • Want to manage AD DS domain-joined devices.
          • Have an existing AD DS infrastructure.
          • Typically manage on-premises devices.
          • Want to deploy operating systems.
          • Want to provide application management for the entire application life cycle.
            The advantages of this method are that:
          • You can deploy Windows 10 operating systems.
          • You can manage applications throughout the entire application life cycle.
          • You can manage software updates for Windows 10 and apps.
          • You can manage antivirus and malware protection.
          • It scales to large numbers of users and devices.
            The disadvantages of this method are that it:
          • Carries an additional cost for Configuration Manager server licenses (if the institution does not have Configuration Manager already).
          • Carries an additional cost for Windows Server licenses and the corresponding server hardware.
          • Can only manage domain-joined (institution-owned devices).
          • Requires an AD DS infrastructure (if the institution does not have AD DS already).
          • Typically manages on-premises devices (unless devices through VPN or DirectAccess).| -|Intune|Intune is a cloud-based solution that allows you to manage apps and software updates for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.
            Select this method when you:
          • Selected MDT only to deploy Windows 10.
          • Want to manage institution-owned and personal devices that are not domain joined.
          • Want to manage Azure AD domain-joined devices.
          • Need to manage devices regardless of where they are (on or off premises).
          • Want to provide application management for the entire application life cycle.
            The advantages of this method are that:
          • You can manage institution-owned and personal devices.
          • It doesn’t require that devices be domain joined.
          • It doesn’t require on-premises infrastructure.vIt can manage devices regardless of their location (on or off premises).
          • You can deploy keys to perform in-place Windows 10 upgrades (such as upgrading from Windows 10 Pro to Windows 10 Education edition).
            The disadvantages of this method are that it:
          • Carries an additional cost for Intune subscription licenses.
          • Cannot deploy Windows 10 operating systems.| -|Microsoft Endpoint Manager and Intune (hybrid)|Configuration Manager and Intune together extend Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both Configuration Manager and Intune.
            Configuration Manager and Intune in the hybrid configuration allow you to support application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager, and you can manage Windows desktop and Microsoft Store applications for both institution-owned and personal devices.
            Select this method when you:
          • Selected Microsoft Endpoint Manager to deploy Windows 10.
          • Want to manage institution-owned and personal devices (does not require that the device be domain joined).
          • Want to manage domain-joined devices.
          • Want to manage Azure AD domain-joined devices.
          • Have an existing AD DS infrastructure.
          • Want to manage devices regardless of their connectivity.vWant to deploy operating systems.
          • Want to provide application management for the entire application life cycle.
            The advantages of this method are that:
          • You can deploy operating systems.
          • You can manage applications throughout the entire application life cycle.
          • You can scale to large numbers of users and devices.
          • You can support institution-owned and personal devices.
          • It doesn’t require that devices be domain joined.
          • It can manage devices regardless of their location (on or off premises).
            The disadvantages of this method are that it:
          • Carries an additional cost for Configuration Manager server licenses (if the institution does not have Configuration Manager already).
          • Carries an additional cost for Windows Server licenses and the corresponding server hardware.
          • Carries an additional cost for Intune subscription licenses.
          • Requires an AD DS infrastructure (if the institution does not have AD DS already).| +|Microsoft Endpoint Configuration Manager|Configuration Manager is an on-premises solution that allows you to specify configuration settings for Windows 10; previous versions of Windows; and other operating systems, such as iOS or Android, through integration with Intune. Configuration Manager supports application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager. You can also manage Windows desktop and Microsoft Store applications. Select this method when you:
          • Selected Configuration Manager to deploy Windows 10.
          • Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).
          • Want to manage AD DS domain-joined devices.
          • Have an existing AD DS infrastructure.
          • Typically manage on-premises devices.
          • Want to deploy operating systems.
          • Want to provide application management for the entire application life cycle.
            The advantages of this method are that:
          • You can deploy Windows 10 operating systems.
          • You can manage applications throughout the entire application life cycle.
          • You can manage software updates for Windows 10 and apps.
          • You can manage antivirus and malware protection.
          • It scales to large numbers of users and devices.
            The disadvantages of this method are that it:
          • Carries an additional cost for Configuration Manager server licenses (if the institution doesn't have Configuration Manager already).
          • Carries an additional cost for Windows Server licenses and the corresponding server hardware.
          • Can only manage domain-joined (institution-owned devices).
          • Requires an AD DS infrastructure (if the institution doesn't have AD DS already).
          • Typically manages on-premises devices (unless devices through VPN or DirectAccess).| +|Intune|Intune is a cloud-based solution that allows you to manage apps and software updates for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.
            Select this method when you:
          • Selected MDT only to deploy Windows 10.
          • Want to manage institution-owned and personal devices that aren't domain joined.
          • Want to manage Azure AD domain-joined devices.
          • Need to manage devices regardless of where they are (on or off premises).
          • Want to provide application management for the entire application life cycle.
            The advantages of this method are that:
          • You can manage institution-owned and personal devices.
          • It doesn’t require that devices be domain joined.
          • It doesn’t require on-premises infrastructure.vIt can manage devices regardless of their location (on or off premises).
          • You can deploy keys to perform in-place Windows 10 upgrades (such as upgrading from Windows 10 Pro to Windows 10 Education edition).
            The disadvantages of this method are that it:
          • Carries an additional cost for Intune subscription licenses.
          • Can't deploy Windows 10 operating systems.| +|Microsoft Endpoint Manager and Intune (hybrid)|Configuration Manager and Intune together extend Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both Configuration Manager and Intune.
            Configuration Manager and Intune in the hybrid configuration allows you to support application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager, and you can manage Windows desktop and Microsoft Store applications for both institution-owned and personal devices.
            Select this method when you:
          • Selected Microsoft Endpoint Manager to deploy Windows 10.
          • Want to manage institution-owned and personal devices (doesn't require that the device be domain joined).
          • Want to manage domain-joined devices.
          • Want to manage Azure AD domain-joined devices.
          • Have an existing AD DS infrastructure.
          • Want to manage devices regardless of their connectivity.vWant to deploy operating systems.
          • Want to provide application management for the entire application life cycle.
            The advantages of this method are that:
          • You can deploy operating systems.
          • You can manage applications throughout the entire application life cycle.
          • You can scale to large numbers of users and devices.
          • You can support institution-owned and personal devices.
          • It doesn’t require that devices be domain joined.
          • It can manage devices regardless of their location (on or off premises).
            The disadvantages of this method are that it:
          • Carries an additional cost for Configuration Manager server licenses (if the institution doesn't have Configuration Manager already).
          • Carries an additional cost for Windows Server licenses and the corresponding server hardware.
          • Carries an additional cost for Intune subscription licenses.
          • Requires an AD DS infrastructure (if the institution doesn't have AD DS already).| *Table 6. App and update management products* @@ -288,7 +288,7 @@ Record the app and update management methods that you selected in Table 7. *Table 7. App and update management methods selected* #### Summary -In this section, you selected the methods that you will use to deploy Windows 10 to the faculty and student devices in your district. You selected the methods that you will use to manage configuration settings. Finally, you selected the methods that you will use to manage Windows desktop apps, Microsoft Store apps, and software updates. +In this section, you selected the methods that you'll use to deploy Windows 10 to the faculty and student devices in your district. You selected the methods that you'll use to manage configuration settings. Finally, you selected the methods that you'll use to manage Windows desktop apps, Microsoft Store apps, and software updates. ## Prepare the admin device @@ -307,7 +307,7 @@ For more information about installing the Windows ADK, see [Step 2-2: Install Wi ### Install MDT -Next, install MDT. MDT uses the Windows ADK to help you manage and perform Windows 10 and app deployment. It is a free tool available directly from Microsoft. +Next, install MDT. MDT uses the Windows ADK to help you manage and perform Windows 10 and app deployment. It's a free tool available directly from Microsoft. You can use MDT to deploy 32-bit or 64-bit versions of Windows 10. Install the 64-bit version of MDT to support deployment of 32-bit and 64-bit operating systems. > [!NOTE] @@ -345,7 +345,7 @@ For more information, see [Enable Configuration Manager Console Integration for #### Summary -In this section, you installed the Windows ADK and MDT on the admin device. You also created the MDT deployment share that you will configure and use later to capture a reference image. You can also use the MDT deployment share to deploy Windows 10 and your apps to faculty and students (if that’s the method you selected in [Select the deployment methods](#select-the-deployment-methods), earlier in this article). Finally, you installed the Configuration Manager console and configured MDT integration with the Configuration Manager console. +In this section, you installed the Windows ADK and MDT on the admin device. You also created the MDT deployment share that you'll configure and use later to capture a reference image. You can also use the MDT deployment share to deploy Windows 10 and your apps to faculty and students (if that’s the method you selected in [Select the deployment methods](#select-the-deployment-methods), earlier in this article). Finally, you installed the Configuration Manager console and configured MDT integration with the Configuration Manager console. ## Create and configure Office 365 @@ -363,8 +363,8 @@ Complete the following steps to select the appropriate Office 365 Education lice |Plan |Advantages |Disadvantages | |----- |----------- |------------- | - |Office 365 Education |
            • Less expensive than Microsoft 365 Apps for enterprise
            • Can be run from any device
            • No installation necessary
            |
            • Must have an Internet connection to use it
            • Does not support all the features found in Microsoft 365 Apps for enterprise
            | - |Microsoft 365 Apps for enterprise |
            • Only requires an Internet connection every 30 days (for activation)
            • Supports the full set of Office features
            • Can be installed on five devices per user (there is no limit to the number of devices on which you can run Office apps online)
            |
            • Requires installation
            • More expensive than Office 365 Education
            | + |Office 365 Education |
            • Less expensive than Microsoft 365 Apps for enterprise
            • Can be run from any device
            • No installation necessary
            |
            • Must have an Internet connection to use it
            • Doesn't support all the features found in Microsoft 365 Apps for enterprise
            | + |Microsoft 365 Apps for enterprise |
            • Only requires an Internet connection every 30 days (for activation)
            • Supports the full set of Office features
            • Can be installed on five devices per user (there's no limit to the number of devices on which you can run Office apps online)
            |
            • Requires installation
            • More expensive than Office 365 Education
            | *Table 8. Comparison of standard and Microsoft 365 Apps for enterprise plans* @@ -385,7 +385,7 @@ Complete the following steps to select the appropriate Office 365 Education lice *Table 9. Office 365 Education license plans needed for the classroom* -You will use the Office 365 Education license plan information you record in Table 9 in [Create user accounts in Office 365](#create-user-accounts-in-office-365) later in this guide. +You'll use the Office 365 Education license plan information you record in Table 9 in [Create user accounts in Office 365](#create-user-accounts-in-office-365) later in this guide. ### Create a new Office 365 Education subscription @@ -408,7 +408,7 @@ To create a new Office 365 Education subscription for use in the classroom, use 2. On the **Get started** page, in **Enter your school email address**, type your school email address, and then click **Sign up**. - You will receive an email in your school email account. + You'll receive an email in your school email account. 3. Click the hyperlink in the email in your school email account. 4. On the **One last thing** page, complete your user information, and then click **Start**. @@ -418,7 +418,7 @@ The wizard creates your new Office 365 Education subscription, and you’re auto ### Add domains and subdomains -Now that you have created your new Office 365 Education subscription, add the domains and subdomains that your institution uses. For example, if your institution has contoso.edu as the primary domain name but you have subdomains for students or faculty (such as students.contoso.edu and faculty.contoso.edu), then you need to add the subdomains. +Now that you've created your new Office 365 Education subscription, add the domains and subdomains that your institution uses. For example, if your institution has contoso.edu as the primary domain name but you have subdomains for students or faculty (such as students.contoso.edu and faculty.contoso.edu), then you need to add the subdomains. #### To add additional domains and subdomains @@ -444,9 +444,9 @@ To make it easier for faculty and students to join your Office 365 Education sub Office 365 uses the domain portion of the user’s email address to know which Office 365 tenant to join. For example, if a faculty member or student provides an email address of user@contoso.edu, then Office 365 automatically performs one of the following tasks: * If an Office 365 tenant with that domain name (contoso.edu) exists, Office 365 automatically adds the user to that tenant. -* If an Office 365 tenant with that domain name (contoso.edu) does not exists, Office 365 automatically creates a new Office 365 tenant with that domain name and adds the user to it. +* If an Office 365 tenant with that domain name (contoso.edu) doesn't exists, Office 365 automatically creates a new Office 365 tenant with that domain name and adds the user to it. -You will always want faculty and students to join the Office 365 tenant that you created. Ensure that you perform the steps in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) and [Add domains and subdomains](#add-domains-and-subdomains) sections before you allow other faculty and students to join Office 365. +You'll always want faculty and students to join the Office 365 tenant that you created. Ensure that you perform the steps in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) and [Add domains and subdomains](#add-domains-and-subdomains) sections before you allow other faculty and students to join Office 365. > [!NOTE] > You cannot merge multiple tenants, so any faculty or students who create their own tenant will need to abandon their existing tenant and join yours. @@ -465,7 +465,7 @@ By default, all new Office 365 Education subscriptions have automatic tenant joi ### Disable automatic licensing -To reduce your administrative effort, automatically assign Office 365 Education or Office 365 Education Plus licenses to faculty and students when they sign up (automatic licensing). Automatic licensing also enables Office 365 Education or Office 365 Education Plus features that do not require administrative approval. +To reduce your administrative effort, automatically assign Office 365 Education or Office 365 Education Plus licenses to faculty and students when they sign up (automatic licensing). Automatic licensing also enables Office 365 Education or Office 365 Education Plus features that don't require administrative approval. > [!NOTE] > By default, automatic licensing is enabled in Office 365 Education. If you want to use automatic licensing, then skip this section and go to the next section. @@ -485,7 +485,7 @@ When you create your Office 365 subscription, you create an Office 365 tenant th Educational institutions can obtain Azure AD Basic edition licenses at no cost if they have a volume license agreement. After your institution obtains its licenses, activate your Azure AD access by completing the steps in [Step 3: Activate your Azure Active Directory access](/azure/active-directory/fundamentals/active-directory-get-started-premium#step-3-activate-your-azure-active-directory-access). -The following Azure AD Premium features are not in Azure AD Basic: +The following Azure AD Premium features aren't in Azure AD Basic: * Allow designated users to manage group membership * Dynamic group membership based on user metadata @@ -498,7 +498,7 @@ The following Azure AD Premium features are not in Azure AD Basic: You can assign Azure AD Premium licenses to the users who need these features. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Azure AD Premium to only those users. -You can sign up for Azure AD Premium, and then assign licenses to users. In this section, you sign up for Azure AD Premium. You will assign Azure AD Premium licenses to users later in the deployment process. +You can sign up for Azure AD Premium, and then assign licenses to users. In this section, you sign up for Azure AD Premium. You'll assign Azure AD Premium licenses to users later in the deployment process. For more information about: @@ -507,7 +507,7 @@ For more information about: #### Summary -You provision and initially configure Office 365 Education as part of initial configuration. With the subscription in place, automatic tenant join configured, automatic licensing established, and Azure AD Premium enabled (if required), you’re ready to select the method you will use to create user accounts in Office 365. +You provision and initially configure Office 365 Education as part of initial configuration. With the subscription in place, automatic tenant join configured, automatic licensing established, and Azure AD Premium enabled (if necessary), you’re ready to select the method you'll use to create user accounts in Office 365. ## Select an Office 365 user account–creation method @@ -565,7 +565,7 @@ Before you deploy AD DS and Azure AD synchronization, determine where you want t You can deploy the Azure AD Connect tool: -- **On premises.** As shown in Figure 7, Azure AD Connect runs on premises, which has the advantage of not requiring a VPN connection to Azure. It does, however, require a virtual machine (VM) or physical server. +- **On premises.** As shown in Figure 7, Azure AD Connect runs on premises that has the advantage of not requiring a VPN connection to Azure. It does, however, require a virtual machine (VM) or physical server. > [!div class="mx-imgBorder"] > ![Azure AD Connect on premises.](images/edu-districtdeploy-fig7.png "Azure AD Connect on premises") @@ -595,7 +595,7 @@ In this synchronization model (illustrated in Figure 7), you run Azure AD Connec 4. Configure Azure AD Connect features based on your institution’s requirements by performing the steps in [Configure sync features](/azure/active-directory/hybrid/whatis-hybrid-identity#configure-sync-features). -Now that you have used on premises Azure AD Connect to deploy AD DS and Azure AD synchronization, you’re ready to verify that Azure AD Connect is synchronizing AD DS user and group accounts with Azure AD. +Now that you've used on premises Azure AD Connect to deploy AD DS and Azure AD synchronization, you’re ready to verify that Azure AD Connect is synchronizing AD DS user and group accounts with Azure AD. ### Verify synchronization @@ -649,7 +649,7 @@ Several methods are available to bulk-import user accounts into AD DS domains. T ### Create a source file that contains the user and group accounts -After you have selected your user and group account bulk import method, you’re ready to create the source file that contains the user and group account. You’ll use the source file as the input to the import process. The source file format depends on the method you selected. Table 13 lists the source file format for the bulk import methods. +After you've selected your user and group account bulk import method, you’re ready to create the source file that contains the user and group account. You’ll use the source file as the input to the import process. The source file format depends on the method you selected. Table 13 lists the source file format for the bulk import methods. |Method |Source file format | |-------|-------------------| @@ -682,7 +682,7 @@ You can bulk-import user and group accounts directly into Office 365, reducing t ### Create user accounts in Office 365 -Now that you have created your new Office 365 Education subscription, you need to create user accounts. You can add user accounts for the teachers, other faculty, and students who will use the classroom. +Now that you've created your new Office 365 Education subscription, you need to create user accounts. You can add user accounts for the teachers, other faculty, and students who will use the classroom. > [!NOTE] > If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant. @@ -726,7 +726,7 @@ For information about creating email distribution groups, see [Create a Microsof #### Summary -You have bulk-imported the user accounts into Office 365. First, you selected the bulk-import method. Next, you created the Office 365 security groups in Office 365. Finally, you created the Office 365 email distribution groups. Now, you’re ready to assign user licenses for Azure AD Premium. +You've bulk-imported the user accounts into Office 365. First, you selected the bulk-import method. Next, you created the Office 365 security groups in Office 365. Finally, you created the Office 365 email distribution groups. Now, you’re ready to assign user licenses for Azure AD Premium. ## Assign user licenses for Azure AD Premium @@ -749,7 +749,7 @@ This section shows you how to create a Microsoft Store for Business portal and c ### Create and configure your Microsoft Store for Business portal -To create and configure your Microsoft Store for Business portal, simply use the administrative account for your Office 365 subscription to sign in to Microsoft Store for Business. Microsoft Store for Business automatically creates a portal for your institution and uses your account as its administrator. +To create and configure your Microsoft Store for Business portal, use the administrative account for your Office 365 subscription to sign in to Microsoft Store for Business. Microsoft Store for Business automatically creates a portal for your institution and uses your account as its administrator. #### To create and configure a Microsoft Store for Business portal @@ -779,7 +779,7 @@ After you create the Microsoft Store for Business portal, configure it by using ### Find, acquire, and distribute apps in the portal -Now that you have created your Microsoft Store for Business portal, you’re ready to find, acquire, and distribute apps that you will add to your portal. You do this from the **Inventory** page in Microsoft Store for Business. +Now that you've created your Microsoft Store for Business portal, you’re ready to find, acquire, and distribute apps that you'll add to your portal. You do this from the **Inventory** page in Microsoft Store for Business. > [!NOTE] > Your educational institution can now use a credit card or purchase order to pay for apps in Microsoft Store for Business. @@ -794,14 +794,14 @@ At the end of this section, you should have a properly configured Microsoft Stor ## Plan for deployment -You will use the LTI deployment process in MDT to deploy Windows 10 to devices or to upgrade devices to Windows 10. Prior to preparing for deployment, you must make some deployment planning decisions, including selecting the operating systems you will use, the approach you will use to create your Windows 10 images, and the method you will use to initiate the LTI deployment process. +You'll use the LTI deployment process in MDT to deploy Windows 10 to devices or to upgrade devices to Windows 10. Prior to preparing for deployment, you must make some deployment planning decisions, including selecting the operating systems you'll use, the approach you'll use to create your Windows 10 images, and the method you'll use to initiate the LTI deployment process. ### Select the operating systems -Later in the process, you will import the versions of Windows 10 you want to deploy. You can deploy the operating system to new devices, refresh existing devices, or upgrade existing devices. In the case of: +Later in the process, you'll import the versions of Windows 10 you want to deploy. You can deploy the operating system to new devices, refresh existing devices, or upgrade existing devices. In the case of: -* New devices or refreshing existing devices, you will completely replace the existing operating system on a device with Windows 10. -* Upgrading existing devices, you will upgrade the existing operating system (the Windows 8.1 or Windows 7 operating system) to Windows 10. +* New devices or refreshing existing devices, you'll completely replace the existing operating system on a device with Windows 10. +* Upgrading existing devices, you'll upgrade the existing operating system (the Windows 8.1 or Windows 7 operating system) to Windows 10. Depending on your school’s requirements, you may need any combination of the following Windows 10 editions: @@ -819,12 +819,12 @@ Depending on your school’s requirements, you may need any combination of the f For more information about the Windows 10 editions, see [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). -One other consideration is the mix of processor architectures you will support. If you can, support only 64-bit versions of Windows 10. If you have devices that can run only 32-bit versions of Windows 10, you will need to import both 64-bit and 32-bit versions of the Windows 10 editions listed above. +One other consideration is the mix of processor architectures you'll support. If you can, support only 64-bit versions of Windows 10. If you have devices that can run only 32-bit versions of Windows 10, you'll need to import both 64-bit and 32-bit versions of the Windows 10 editions listed earlier in this section. > [!NOTE] > On devices that have minimal system resources (such as devices with only 2 GB of memory or 32 GB of storage), use 32-bit versions of Windows 10 because 64-bit versions of Windows 10 place more stress on device system resources. -Finally, as a best practice, minimize the number of operating systems that you deploy and manage. If possible, standardize institution-owned devices on one Windows 10 edition (such as a 64-bit version of Windows 10 Education or Windows 10 Pro). Of course, you cannot standardize personal devices on a specific operating system version or processor architecture. +Finally, as a best practice, minimize the number of operating systems that you deploy and manage. If possible, standardize institution-owned devices on one Windows 10 edition (such as a 64-bit version of Windows 10 Education or Windows 10 Pro). Of course, you can't standardize personal devices on a specific operating system version or processor architecture. ### Select an image approach @@ -861,10 +861,10 @@ The first step in preparing for Windows 10 deployment is to configure—that is, |Task|Description| |--- |--- | |1. Import operating systems|Import the operating systems that you selected in the [Select the operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench)| -|2. Import device drivers|Device drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat.
            Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench)| -|3. Create MDT applications for Microsoft Store apps|Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using sideloading, which allows you to use the **Add-AppxPackage** Windows PowerShell cmdlet to deploy the .appx files associated with the app (called provisioned apps). Use this method to deploy up to 24 apps to Windows 10.
            Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you will use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you will need to obtain the .appx files by performing one of the following tasks:
          • For offline-licensed apps, download the .appx files from the Microsoft Store for Business.
          • For apps that are not offline licensed, obtain the .appx files from the app software vendor directly.

            If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.
            If you have Intune or Microsoft Endpoint Configuration Manager, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune) and [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager). This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.
            In addition, you must prepare your environment for sideloading Microsoft Store apps. For more information about how to:
          • Prepare your environment for sideloading, see [Try it out: sideload Microsoft Store apps](/previous-versions/windows/).
          • Create an MDT application, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench).| -|4. Create MDT applications for Windows desktop apps|You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.
            To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in[Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](/deployoffice/deploy-microsoft-365-apps-local-source).
            If you have Intune, you can [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune), as described in the Deploy and manage apps by using Intune section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps.
            This is the preferred method for deploying and managing Windows desktop apps.
            **Note:**  You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
            For more information about how to create an MDT application for Windows desktop apps, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt).| -|5. Create task sequences|You must create separate task sequences for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education, (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education, or (3) if you want to run deployments and upgrades for both 32-bit and 64-bit versions of Windows 10. To do so, you must create task sequences that will:
          • Deploy 64-bit Windows 10 Education to devices.
          • Deploy 32-bit Windows 10 Education to devices.
          • Upgrade existing devices to 64-bit Windows 10 Education.
          • Upgrade existing devices to 32-bit Windows 10 Education.

            Again, you will create the task sequences based on the operating systems that you imported in step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewTaskSequenceintheDeploymentWorkbench).| +|2. Import device drivers|Device drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device can't play sounds; without the proper camera driver, the device can't take photos or use video chat.
            Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench)| +|3. Create MDT applications for Microsoft Store apps|Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using sideloading, which allows you to use the **Add-AppxPackage** Windows PowerShell cmdlet to deploy the .appx files associated with the app (called provisioned apps). Use this method to deploy up to 24 apps to Windows 10.
            Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you'll use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you'll need to obtain the .appx files by performing one of the following tasks:
          • For offline-licensed apps, download the .appx files from the Microsoft Store for Business.
          • For apps that aren't offline licensed, obtain the .appx files from the app software vendor directly.

            If you're unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.
            If you have Intune or Microsoft Endpoint Configuration Manager, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune) and [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager). This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.
            In addition, you must prepare your environment for sideloading Microsoft Store apps. For more information about how to:
          • Prepare your environment for sideloading, see [Try it out: sideload Microsoft Store apps](/previous-versions/windows/).
          • Create an MDT application, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench).| +|4. Create MDT applications for Windows desktop apps|You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.
            To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in[Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](/deployoffice/deploy-microsoft-365-apps-local-source).
            If you've Intune, you can [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune), as described in the Deploy and manage apps by using Intune section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps.
            This is the preferred method for deploying and managing Windows desktop apps.
            **Note:**  You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
            For more information about how to create an MDT application for Windows desktop apps, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt).| +|5. Create task sequences|You must create separate task sequences for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education, (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education, or (3) if you want to run deployments and upgrades for both 32-bit and 64-bit versions of Windows 10. To do so, you must create task sequences that will:
          • Deploy 64-bit Windows 10 Education to devices.
          • Deploy 32-bit Windows 10 Education to devices.
          • Upgrade existing devices to 64-bit Windows 10 Education.
          • Upgrade existing devices to 32-bit Windows 10 Education.

            Again, you'll create the task sequences based on the operating systems that you imported in step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewTaskSequenceintheDeploymentWorkbench).| |6. Update the deployment share|Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32-bit and 64-bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services.
            For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#UpdateaDeploymentShareintheDeploymentWorkbench).| *Table 16. Tasks to configure the MDT deployment share* @@ -874,7 +874,7 @@ The first step in preparing for Windows 10 deployment is to configure—that is, > [!NOTE] > If you have already configured your Microsoft Endpoint Manager infrastructure to support the operating system deployment feature or if you selected to deploy Windows 10 by using MDT only, then skip this section and continue to the next section. -Before you can use Configuration Manager to deploy Windows 10 and manage your apps and devices, you must configure Configuration Manager to support the operating system deployment feature. If you don’t have an existing Configuration Manager infrastructure, you will need to deploy a new infrastructure. +Before you can use Configuration Manager to deploy Windows 10 and manage your apps and devices, you must configure Configuration Manager to support the operating system deployment feature. If you don’t have an existing Configuration Manager infrastructure, you'll need to deploy a new infrastructure. Deploying a new Configuration Manager infrastructure is beyond the scope of this guide, but the following resources can help you deploy a new Configuration Manager infrastructure: @@ -889,7 +889,7 @@ Deploying a new Configuration Manager infrastructure is beyond the scope of this Ensure that your existing infrastructure can support the operating system deployment feature. For more information, see [Infrastructure requirements for operating system deployment in Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/plan-design/infrastructure-requirements-for-operating-system-deployment). 2. Add the Windows PE boot images, Windows 10 operating systems, and other content. - You need to add the Windows PE boot images, Windows 10 operating system images, and other deployment content that you will use to deploy Windows 10 with ZTI. To add this content, use the Create MDT Task Sequence Wizard. + You need to add the Windows PE boot images, Windows 10 operating system images, and other deployment content that you'll use to deploy Windows 10 with ZTI. To add this content, use the Create MDT Task Sequence Wizard. You can add this content by using Microsoft Endpoint Manager only (without MDT), but the Create MDT Task Sequence Wizard is the preferred method because the wizard prompts you for all the deployment content you need for a task sequence and provides a much more intuitive user experience. For more information, see [Create ZTI Task Sequences Using the Create MDT Task Sequence Wizard in Configuration Manager](/mem/configmgr/mdt/use-the-mdt#CreateZTITaskSequencesUsingtheCreateMDTTaskSequenceWizardinConfigurationManager). 3. Add device drivers. @@ -899,7 +899,7 @@ Deploying a new Configuration Manager infrastructure is beyond the scope of this Create a Microsoft Endpoint Manager driver package for each device type in your district. For more information, see [Manage drivers in Configuration Manager](/mem/configmgr/osd/get-started/manage-drivers). 4. Add Windows apps. - Install the Windows apps (Windows desktop and Microsoft Store apps) that you want to deploy after the task sequence deploys your customized image (a thick, reference image that include Windows 10 and your core Windows desktop apps). These apps are in addition to the apps included in your reference image. You can only deploy Microsoft Store apps after you deploy Windows 10 because you cannot capture Microsoft Store apps in a reference image. Microsoft Store apps target users, not devices. + Install the Windows apps (Windows desktop and Microsoft Store apps) that you want to deploy after the task sequence deploys your customized image (a thick, reference image that includes Windows 10 and your core Windows desktop apps). These apps are in addition to the apps included in your reference image. You can only deploy Microsoft Store apps after you deploy Windows 10 because you can't capture Microsoft Store apps in a reference image. Microsoft Store apps target users, not devices. Create a Configuration Manager application for each Windows desktop or Microsoft Store app that you want to deploy after you apply the reference image to a device. For more information, see [Deploy and manage applications with Configuration Manager](/mem/configmgr/apps/deploy-use/deploy-applications). @@ -921,7 +921,7 @@ You can use Windows Deployment Services in conjunction with MDT to automatically 2. Add LTI boot images (Windows PE images) to Windows Deployment Services. - The LTI boot images (.wim files) that you will add to Windows Deployment Services are in the MDT deployment share. Locate the .wim files in the deployment share’s Boot subfolder. + The LTI boot images (.wim files) that you'll add to Windows Deployment Services are in the MDT deployment share. Locate the .wim files in the deployment share’s Boot subfolder. For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](/mem/configmgr/mdt/use-the-mdt#AddLTIBootImagestoWindowsDeploymentServices). @@ -955,7 +955,7 @@ You can use Windows Deployment Services in conjunction with Configuration Manage #### Summary -Your MDT deployment share and Microsoft Endpoint Manager are now ready for deployment. Windows Deployment Services is ready to initiate the LTI or ZTI deployment process. You have set up and configured Windows Deployment Services for MDT and for Configuration Manager. You have also ensured that your boot images are available to Windows Deployment Services (for LTI) or the distribution points (for ZTI and Configuration Manager). Now, you’re ready to capture the reference images for the different devices you have in your district. +Your MDT deployment share and Microsoft Endpoint Manager are now ready for deployment. Windows Deployment Services is ready to initiate the LTI or ZTI deployment process. You have set up and configured Windows Deployment Services for MDT and for Configuration Manager. You've also ensured that your boot images are available to Windows Deployment Services (for LTI) or the distribution points (for ZTI and Configuration Manager). Now, you’re ready to capture the reference images for the different devices you have in your district. ## Capture the reference image @@ -963,7 +963,7 @@ The reference device is a device that you use as the template for all the other After you deploy Windows 10 and the desktop apps to the reference device, you capture an image of the device (the reference image). You import the reference image to an MDT deployment share or into Configuration Manager. Finally, you create a task sequence to deploy the reference image to faculty and student devices. -You will capture multiple reference images, one for each type of device that you have in your organization. You perform the steps in this section for each image (device) that you have in your district. Use LTI in MDT to automate the deployment and capture of the reference image. +You'll capture multiple reference images, one for each type of device that you have in your organization. You perform the steps in this section for each image (device) that you have in your district. Use LTI in MDT to automate the deployment and capture of the reference image. > [!NOTE] > You can use LTI in MDT or Configuration Manager to automate the deployment and capture of the reference image, but this guide only discusses how to use LTI in MDT to capture the reference image. @@ -1019,7 +1019,7 @@ In most instances, deployments occur without incident. Only in rare occasions do ### Import reference image -After you have captured the reference image (.wim file), import the image into the MDT deployment share or into Configuration Manager (depending on which method you selected to perform Windows 10 deployments). You will deploy the reference image to the student and faculty devices in your district. +After you've captured the reference image (.wim file), import the image into the MDT deployment share or into Configuration Manager (depending on which method you selected to perform Windows 10 deployments). You'll deploy the reference image to the student and faculty devices in your district. Both the Deployment Workbench and the Configuration Manager console have wizards that help you import the reference image. After you import the reference image, you need to create a task sequence that will deploy the reference image. @@ -1030,9 +1030,9 @@ For more information about how to import the reference image into: ### Create a task sequence to deploy the reference image -You created an LTI task sequence in the Deployment Workbench earlier in this process to deploy Windows 10 and your desktop apps to the reference device. Now that you have captured and imported your reference image, you need to create a tasks sequence to deploy it. +You created an LTI task sequence in the Deployment Workbench earlier in this process to deploy Windows 10 and your desktop apps to the reference device. Now that you've captured and imported your reference image, you need to create a tasks sequence to deploy it. -As you might expect, both the Deployment Workbench and the Configuration Manager console have wizards that help you create a starting task sequence. After you create your task sequence, in most instances you will need to customize it to deploy additional apps, device drivers, and other software. +As you might expect, both the Deployment Workbench and the Configuration Manager console have wizards that help you create a starting task sequence. After you create your task sequence, in most instances you'll need to customize it to deploy additional apps, device drivers, and other software. For more information about how to create a task sequence in the: @@ -1044,7 +1044,7 @@ In this section, you customized the MDT deployment share to deploy Windows 10 an ## Prepare for device management -Before you deploy Windows 10 in your district, you must prepare for device management. You will deploy Windows 10 in a configuration that complies with your requirements, but you want to help ensure that your deployments remain compliant. +Before you deploy Windows 10 in your district, you must prepare for device management. You'll deploy Windows 10 in a configuration that complies with your requirements, but you want to help ensure that your deployments remain compliant. You also want to deploy apps and software updates after you deploy Windows 10. You need to manage apps and updates by using Configuration Manager, Intune, or a combination of both (hybrid model). @@ -1055,12 +1055,12 @@ Microsoft has several recommended settings for educational institutions. Table 1 > [!NOTE] > The settings for Intune in Table 17 also apply to the Configuration Manager and Intune management (hybrid) method. -Use the information in Table 17 to help you determine whether you need to configure the setting and which method you will use to do so. At the end, you will have a list of settings that you want to apply to the Windows 10 devices and know which management method you will use to configure the settings. +Use the information in Table 17 to help you determine whether you need to configure the setting and which method you'll use to do so. At the end, you'll have a list of settings that you want to apply to the Windows 10 devices and know which management method you'll use to configure the settings. |Recommendation|Description| |--- |--- | -|Use of Microsoft accounts|You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.
            **Note**  Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.
            **Group Policy.** Configure the [Accounts: Block Microsoft accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj966262(v=ws.11)) Group Policy setting to use the **Users can’t add Microsoft accounts** setting option.
            ****Intune**.** To enable or disable the use of Microsoft accounts, use the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy.| -|Restrict the local administrator accounts on the devices|Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.
            **Group Policy**. Create a Local Group Group Policy preference to limit the local administrators group membership. Select the Delete all member users and Delete all member groups check boxes to remove any existing members. For more information about how to configure Local Group preferences, see Configure a Local Group Item.
            **Intune**. Not available.| +|Use of Microsoft accounts|You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, don't use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.
            **Note**  Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.
            **Group Policy.** Configure the [Accounts: Block Microsoft accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj966262(v=ws.11)) Group Policy setting to use the **Users can’t add Microsoft accounts** setting option.
            ****Intune**.** To enable or disable the use of Microsoft accounts, use the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy.| +|Restrict the local administrator accounts on the devices|Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.
            **Group Policy**. Create a Local Group Policy preference to limit the local administrators group membership. Select the Delete all member users and Delete all member groups check boxes to remove any existing members. For more information about how to configure Local Group preferences, see Configure a Local Group Item.
            **Intune**. Not available.| |Manage the built-in administrator account created during device deployment|When you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and (optionally) disable it.
            **Group Policy**. To rename the built-in Administrator account, use the Accounts: Rename administrator account Group policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-essentials-sbs/cc747484(v=ws.10)). You specify the new name for the Administrator account. To disable the built-in Administrator account, use the Accounts: Administrator account status Group policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852165(v=ws.11)).
            **Intune**. Not available.| |Control Microsoft Store access|You can control access to Microsoft Store and whether existing Microsoft Store apps receive updates. You can only disable the Microsoft Store app in Windows 10 Education and Windows 10 Enterprise.
            **Group policy**. To disable the Microsoft Store app, use the Turn off the Store Application group policy setting. To prevent Microsoft Store apps from receiving updates, use the Turn off Automatic Download and Install of updates Group Policy setting. For more information about configuring these settings, see Can I use Group Policy to control the Microsoft Store in my enterprise environment?
            **Intune**. To enable or disable Microsoft Store access, use the Allow application store policy setting in the Apps section of a Windows 10 General Configuration policy.| |Use of Remote Desktop connections to devices|Remote Desktop connections could allow unauthorized access to the device. Depending on your institution’s policies, you may want to disable Remote Desktop connections on your devices.
            **Group policy**. To enable or disable Remote Desktop connections to devices, use the Allow Users to connect remotely using Remote Desktop setting in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections.
            **Intune**. Not available.| @@ -1108,7 +1108,7 @@ For more information about Intune, see [Microsoft Intune Documentation](/intune/ If you selected to deploy and manage apps by using Microsoft Endpoint Manager and Intune in a hybrid configuration, then skip this section and continue to the [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager) section. -You can use Intune to deploy Microsoft Store and Windows desktop apps. Intune provides improved control over which users receive specific apps. In addition, Intune allows you to deploy apps to companion devices (such as iOS or Android devices). Finally, Intune helps you manage app security and features, such as mobile application management policies that let you manage apps on devices that are not enrolled in Intune or that another solution manages. +You can use Intune to deploy Microsoft Store and Windows desktop apps. Intune provides improved control over which users receive specific apps. In addition, Intune allows you to deploy apps to companion devices (such as iOS or Android devices). Finally, Intune helps you manage app security and features, such as mobile application management policies that let you manage apps on devices that aren't enrolled in Intune or that another solution manages. For more information about how to configure Intune to manage your apps, see the following resources: @@ -1212,7 +1212,7 @@ After you have deployed Windows 10, the devices are almost ready for use. First, 3. Copy the printer drivers to a USB drive. -4. On a device, use the same account you used to set up Windows 10 in the [Prepare for deployment](#prepare-for-deployment) section to log on to the device. +4. On a device, use the same account you used to set up Windows 10 in the [Prepare for deployment](#prepare-for-deployment) section to sign in to the device. 5. Plug the USB drive into the device. @@ -1234,7 +1234,7 @@ As a final quality control step, verify the device configuration to ensure that * All Windows desktop apps are properly installed and updated. * Printers are properly configured. -When you have verified that the first device is properly configured, you can move to the next device and perform the same steps. +When you've verified that the first device is properly configured, you can move to the next device and perform the same steps. #### Summary @@ -1262,7 +1262,7 @@ Table 19 lists the school and individual classroom maintenance tasks, the resour |Install new or update existing Microsoft Store apps used in the curriculum.
            Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download.
            You can also deploy Microsoft Store apps directly to devices by using Intune, Microsoft Endpoint Configuration Manager, or both in a hybrid configuration.
            For more information, see:
          • [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
          • [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager)||✔️|✔️| |Remove unnecessary user accounts (and corresponding licenses) from AD DS and Office 365 (if you have an on-premises AD DS infrastructure).
            For more information about how to:
          • Remove unnecessary user accounts, see [Active Directory Administrative Center](/windows-server/identity/ad-ds/get-started/adac/active-directory-administrative-center)
          • Remove licenses, see [Add users and assign licenses](/microsoft-365/admin/add-users/add-users)||✔️|✔️| |Add new accounts (and corresponding licenses) to AD DS (if you have an on-premises AD DS infrastructure).
            For more information about how to:
          • Add user accounts, see [Bulk-import user and group accounts into AD DS](#bulk-import-user-and-group-accounts-into-ad-ds)
          • Assign licenses, see [Add users and assign licenses](/microsoft-365/admin/add-users/add-users)||✔️|✔️| -|Remove unnecessary user accounts (and corresponding licenses) from Office 365 (if you do not have an on-premises AD DS infrastructure).
            For more information about how to:
          • Remove unnecessary user accounts, see [Delete or restore users](/microsoft-365/admin/add-users/delete-a-user)
          • Remove licenses, [Assign or remove licenses for Microsoft 365](/microsoft-365/admin/add-users/add-users).||✔️|✔️| +|Remove unnecessary user accounts (and corresponding licenses) from Office 365 (if you don't have an on-premises AD DS infrastructure).
            For more information about how to:
          • Remove unnecessary user accounts, see [Delete or restore users](/microsoft-365/admin/add-users/delete-a-user)
          • Remove licenses, [Assign or remove licenses for Microsoft 365](/microsoft-365/admin/add-users/add-users).||✔️|✔️| |Add new accounts (and corresponding licenses) to Office 365 (if you don’t have an on-premises AD DS infrastructure).
            For more information about how to:
          • Add user accounts, see [Add users to Microsoft 365](/microsoft-365/admin/add-users/add-users) and [Add users individually or in bulk to Office 365](https://www.youtube.com/watch?v=zDs3VltTJps).
          • Assign licenses, see [Add users to Microsoft 365](/microsoft-365/admin/add-users/add-users).||✔️|✔️| |Create or modify security groups, and manage group membership in Office 365.
            For more information about how to:
          • Create or modify security groups, see [Create a Microsoft 365 group](/microsoft-365/admin/create-groups/create-groups)
          • Manage group membership, see [Manage Group membership](/microsoft-365/admin/create-groups/add-or-remove-members-from-groups).||✔️|✔️| |Create or modify Exchange Online or Microsoft Exchange Server distribution lists in Office 365.
            For more information about how to create or modify Exchange Online or Exchange Server distribution lists in Office 365, see [Create and manage distribution groups](/exchange/recipients-in-exchange-online/manage-distribution-groups/manage-distribution-groups) and [Create, edit, or delete a security group](/microsoft-365/admin/email/create-edit-or-delete-a-security-group).||✔️|✔️| @@ -1272,7 +1272,7 @@ Table 19 lists the school and individual classroom maintenance tasks, the resour #### Summary -You have now identified the tasks you need to perform monthly, at the end of an academic year or semester, and as required. Your district and individual school configuration should match the typical school configuration you saw in the [Plan a typical district configuration](#plan-a-typical-district-configuration) section. By performing these maintenance tasks, you help ensure that your district as a whole stays secure and is configured as you specified. +You've now identified the tasks you need to perform monthly, at the end of an academic year or semester, and as required. Your district and individual school configuration should match the typical school configuration you saw in the [Plan a typical district configuration](#plan-a-typical-district-configuration) section. By performing these maintenance tasks, you help ensure that your district as a whole stays secure and is configured as you specified. ## Related topics diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md index c0e52a36d6..8371a48a48 100644 --- a/education/windows/deploy-windows-10-in-a-school.md +++ b/education/windows/deploy-windows-10-in-a-school.md @@ -20,11 +20,11 @@ manager: dansimp - Windows 10 -This guide shows you how to deploy the Windows 10 operating system in a school environment. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Intune and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you will perform after initial deployment and the automated tools and built-in features of the operating system. +This guide shows you how to deploy the Windows 10 operating system in a school environment. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Intune and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you'll perform after initial deployment and the automated tools and built-in features of the operating system. ## Prepare for school deployment -Proper preparation is essential for a successful school deployment. To avoid common mistakes, your first step is to plan a typical school configuration. As with building a house, you need a blueprint for what your school should look like when it’s finished. The second step in preparation is to learn how you will configure your school. Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your school. +Proper preparation is essential for a successful school deployment. To avoid common mistakes, your first step is to plan a typical school configuration. As with building a house, you need a blueprint for what your school should look like when it’s finished. The second step in preparation is to learn how you'll configure your school. Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your school. ### Plan a typical school configuration @@ -86,15 +86,15 @@ For more information about Office 365 Education features and a FAQ, go to [Offic ## How to configure a school -Now that you have the plan (blueprint) for your classroom, you’re ready to learn about the tools you will use to deploy it. There are many tools you could use to accomplish the task, but this guide focuses on using those tools that require the least infrastructure and technical knowledge. +Now that you have the plan (blueprint) for your classroom, you’re ready to learn about the tools you'll use to deploy it. There are many tools you could use to accomplish the task, but this guide focuses on using those tools that require the least infrastructure and technical knowledge. -The primary tool you will use to deploy Windows 10 in your school is MDT, which uses Windows ADK components to make deployment easier. You could just use the Windows ADK to perform your deployment, but MDT simplifies the process by providing an intuitive, wizard-driven user interface (UI). +The primary tool you'll use to deploy Windows 10 in your school is MDT, which uses Windows ADK components to make deployment easier. You could just use the Windows ADK to perform your deployment, but MDT simplifies the process by providing an intuitive, wizard-driven user interface (UI). You can use MDT as a stand-alone tool or integrate it with Microsoft Endpoint Configuration Manager. As a stand-alone tool, MDT performs Lite Touch Installation (LTI) deployments—deployments that require minimal infrastructure and allow you to control the level of automation. When integrated with Configuration Manager, MDT performs Zero Touch Installation (ZTI) deployments, which require more infrastructure (such as Configuration Manager) but result in fully automated deployments. MDT includes the Deployment Workbench—a console from which you can manage the deployment of Windows 10 and your apps. You configure the deployment process in the Deployment Workbench, including the management of operating systems, device drivers, apps, and migration of user settings on existing devices. -LTI performs deployment from a *deployment share*—a network-shared folder on the device where you installed MDT. You can perform over-the-network deployments from the deployment share or perform deployments from a local copy of the deployment share on a USB drive or DVD. You will learn more about MDT in the [Prepare the admin device](#prepare-the-admin-device) section. +LTI performs deployment from a *deployment share*—a network-shared folder on the device where you installed MDT. You can perform over-the-network deployments from the deployment share or perform deployments from a local copy of the deployment share on a USB drive or DVD. You'll learn more about MDT in the [Prepare the admin device](#prepare-the-admin-device) section. The focus of MDT is deployment, so you also need tools that help you manage your Windows 10 devices and apps. You can manage Windows 10 devices and apps with [Microsoft Endpoint Manager](/mem/), the Compliance Management feature in Office 365, or Group Policy in AD DS. You can use any combination of these tools based on your school requirements. @@ -102,12 +102,12 @@ The configuration process requires the following devices: - **Admin device.** This is the device you use for your day-to-day job functions. It’s also the one you use to create and manage the Windows 10 and app deployment process. You install the Windows ADK and MDT on this device. - **Faculty devices.** These are the devices that the teachers and other faculty use for their day-to-day job functions. You use the admin device to deploy (or upgrade) Windows 10 and apps to these devices. -- **Student devices.** The students will use these devices. You will use the admin device deploy (or upgrade) Windows 10 and apps to them. +- **Student devices.** The students will use these devices. You'll use the admin device deploy (or upgrade) Windows 10 and apps to them. The high-level process for deploying and configuring devices within individual classrooms and the school as a whole is as follows and illustrated in Figure 3: 1. Prepare the admin device for use, which includes installing the Windows ADK and MDT. -2. On the admin device, create and configure the Office 365 Education subscription that you will use for each classroom in the school. +2. On the admin device, create and configure the Office 365 Education subscription that you'll use for each classroom in the school. 3. On the admin device, configure integration between on-premises AD DS and Azure AD (if you have an on premises AD DS configuration). 4. On the admin device, create and configure a Microsoft Store for Business portal. 5. On the admin device, prepare for management of the Windows 10 devices after deployment. @@ -118,7 +118,7 @@ The high-level process for deploying and configuring devices within individual c *Figure 3. How school configuration works* -Each of the steps illustrated in Figure 3 directly correspond to the remaining high-level sections in this guide. +Each of the steps illustrated in Figure 3 directly corresponds to the remaining high-level sections in this guide. ### Summary @@ -161,7 +161,7 @@ For more information about how to create a deployment share, see [Step 3-1: Crea ### Summary -In this section, you installed the Windows ADK and MDT on the admin device. You also created the MDT deployment share that you will configure and use later in the LTI deployment process. +In this section, you installed the Windows ADK and MDT on the admin device. You also created the MDT deployment share that you'll configure and use later in the LTI deployment process. ## Create and configure Office 365 @@ -182,8 +182,8 @@ Complete the following steps to select the appropriate Office 365 Education lice --- | Plan | Advantages | Disadvantages | | --- | --- | --- | -| Standard | - Less expensive than Microsoft 365 Apps for enterprise
            - Can be run from any device
            - No installation necessary | - Must have an Internet connection to use it
            - Does not support all the features found in Microsoft 365 Apps for enterprise | -| Office ProPlus | - Only requires an Internet connection every 30 days (for activation)
            - Supports full set of Office features | - Requires installation
            - Can be installed on only five devices per user (there is no limit to the number of devices on which you can run Office apps online) | +| Standard | - Less expensive than Microsoft 365 Apps for enterprise
            - Can be run from any device
            - No installation necessary | - Must have an Internet connection to use it
            - Doesn't support all the features found in Microsoft 365 Apps for enterprise | +| Office ProPlus | - Only requires an Internet connection every 30 days (for activation)
            - Supports full set of Office features | - Requires installation
            - Can be installed on only five devices per user (there's no limit to the number of devices on which you can run Office apps online) | --- @@ -207,7 +207,7 @@ The best user experience is to run Microsoft 365 Apps for enterprise or use nati --- -You will use the Office 365 Education license plan information you record in Table 2 in the [Create user accounts in Office 365](#create-user-accounts-in-office-365) section of this guide. +You'll use the Office 365 Education license plan information you record in Table 2 in the [Create user accounts in Office 365](#create-user-accounts-in-office-365) section of this guide. ### Create a new Office 365 Education subscription @@ -220,18 +220,18 @@ To create a new Office 365 Education subscription for use in the classroom, use 1. In Microsoft Edge or Internet Explorer, type `https://portal.office.com/start?sku=faculty` in the address bar. - If you have already used your current sign-in account to create a new Office 365 subscription, you will be prompted to sign in. If you want to create a new Office 365 subscription, start an In-Private Window. Your options: + If you've already used your current sign-in account to create a new Office 365 subscription, you'll be prompted to sign in. If you want to create a new Office 365 subscription, start an In-Private Window. Your options: - In Microsoft Edge, select Ctrl+Shift+N. Or, select **More actions** > **New InPrivate window**. - In Internet Explorer, select Ctrl+Shift+P. Or, select **Settings** > **Safety** > **InPrivate Browsing**. -2. On the **Get started** page, type your school email address in the **Enter your school email address** box, and then click **Sign up**. You will receive an email in your school email account. +2. On the **Get started** page, type your school email address in the **Enter your school email address** box, and then click **Sign up**. You'll receive an email in your school email account. 3. Click the hyperlink in the email in your school email account. -4. On the **One last thing** page, complete your user information, and then click **Start**. The wizard creates your new Office 365 Education subscription, and you are automatically signed in as the administrative user you specified when you created the subscription. +4. On the **One last thing** page, complete your user information, and then click **Start**. The wizard creates your new Office 365 Education subscription, and you're automatically signed in as the administrative user you specified when you created the subscription. ### Add domains and subdomains -Now that you have created your new Office 365 Education subscription, add the domains and subdomains that your institution uses. For example, if your institution has `contoso.edu` as the primary domain name but you have subdomains for students or faculty (such as students.contoso.edu and faculty.contoso.edu), then you need to add the subdomains. +Now that you've created your new Office 365 Education subscription, add the domains and subdomains that your institution uses. For example, if your institution has `contoso.edu` as the primary domain name but you have subdomains for students or faculty (such as students.contoso.edu and faculty.contoso.edu), then you need to add the subdomains. #### To add additional domains and subdomains @@ -252,9 +252,9 @@ To make it easier for faculty and students to join your Office 365 Education sub Office 365 uses the domain portion of the user’s email address to know which Office 365 tenant to join. For example, if a faculty member or student provides an email address of user@contoso.edu, then Office 365 automatically performs one of the following tasks: - If an Office 365 tenant with that domain name (contoso.edu) exists, Office 365 automatically adds the user to that tenant. -- If an Office 365 tenant with that domain name (contoso.edu) does not exists, Office 365 automatically creates a new Office 365 tenant with that domain name and adds the user to it. +- If an Office 365 tenant with that domain name (contoso.edu) doesn't exists, Office 365 automatically creates a new Office 365 tenant with that domain name and adds the user to it. -You will always want faculty and students to join the Office 365 tenant that you created. Ensure that you perform the steps in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) and [Add domains and subdomains](#add-domains-and-subdomains) sections before allowing other faculty and students to join Office 365. +You'll always want faculty and students to join the Office 365 tenant that you created. Ensure that you perform the steps in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) and [Add domains and subdomains](#add-domains-and-subdomains) sections before allowing other faculty and students to join Office 365. > [!NOTE] > You cannot merge multiple tenants, so any faculty or students who create their own tenant will need to abandon their existing tenant and join yours. @@ -276,7 +276,7 @@ All new Office 365 Education subscriptions have automatic tenant join enabled by ### Disable automatic licensing -To reduce your administrative effort, automatically assign Office 365 Education or Office 365 Education Plus licenses to faculty and students when they sign up (automatic licensing). Automatic licensing also enables Office 365 Education or Office 365 Education Plus features that do not require administrative approval. +To reduce your administrative effort, automatically assign Office 365 Education or Office 365 Education Plus licenses to faculty and students when they sign up (automatic licensing). Automatic licensing also enables Office 365 Education or Office 365 Education Plus features that don't require administrative approval. > [!NOTE] > By default, automatic licensing is enabled in Office 365 Education. If you want to use automatic licensing, then skip this section and go to the next section. @@ -299,11 +299,11 @@ When you create your Office 365 subscription, you create an Office 365 tenant th Educational institutions can obtain Azure AD Basic edition licenses at no cost. After you obtain your licenses, activate your Azure AD access by completing the steps in [Step 3: Activate your Azure Active Directory access](/azure/active-directory/fundamentals/active-directory-get-started-premium#step-3-activate-your-azure-active-directory-access). -The Azure AD Premium features that are not in Azure AD Basic include: +The Azure AD Premium features that aren't in Azure AD Basic include: - Allow designated users to manage group membership - Dynamic group membership based on user metadata -- Multifactor authentication (MFA) +- Multi-factor authentication (MFA) - Identify cloud apps that your users run - Automatic enrollment in a mobile device management (MDM) system (such as Intune) - Self-service recovery of BitLocker @@ -313,7 +313,7 @@ The Azure AD Premium features that are not in Azure AD Basic include: You can assign Azure AD Premium licenses to the users who need these features. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Azure AD Premium to only those users. -You can sign up for Azure AD Premium, and then assign licenses to users. In this section, you sign up for Azure AD Premium. You will assign Azure AD Premium licenses to users later in the deployment process. +You can sign up for Azure AD Premium, and then assign licenses to users. In this section, you sign up for Azure AD Premium. You'll assign Azure AD Premium licenses to users later in the deployment process. For more information, see: @@ -321,12 +321,12 @@ For more information, see: - [Sign up for Azure Active Directory Premium](/azure/active-directory/fundamentals/active-directory-get-started-premium) ### Summary -You provision and initially configure Office 365 Education as part of the initial configuration. With the subscription in place, automatic tenant join configured, automatic licensing established, and Azure AD Premium enabled (if required), you’re ready to select the method you will use to create user accounts in Office 365. +You provision and initially configure Office 365 Education as part of the initial configuration. With the subscription in place, automatic tenant join configured, automatic licensing established, and Azure AD Premium enabled (if necessary), you’re ready to select the method you'll use to create user accounts in Office 365. ## Select an Office 365 user account–creation method -Now that you have an Office 365 subscription, you need to determine how you will create your Office 365 user accounts. Use the following methods to create Office 365 user accounts: +Now that you have an Office 365 subscription, you need to determine how you'll create your Office 365 user accounts. Use the following methods to create Office 365 user accounts: - **Method 1:** Automatically synchronize your on-premises AD DS domain with Azure AD. Select this method if you have an on-premises AD DS domain. - **Method 2:** Bulk-import the user accounts from a .csv file (based on information from other sources) into Azure AD. Select this method if you don’t have an on-premises AD DS domain. @@ -338,7 +338,7 @@ In this method, you have an on-premises AD DS domain. As shown in Figure 4, the > [!NOTE] > Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [LDAP synchronization with Azure Active Directory](/azure/active-directory/fundamentals/sync-ldap). -:::image type="content" source="images/deploy-win-10-school-figure4.png" alt-text="See the automatic synchronization between Active Directory Directory Services and Azure AD."::: +:::image type="content" source="images/deploy-win-10-school-figure4.png" alt-text="See the automatic synchronization between Active Directory Services and Azure AD."::: *Figure 4. Automatic synchronization between AD DS and Azure AD* @@ -374,7 +374,7 @@ Before you deploy AD DS and Azure AD synchronization, you need to determine wher You can deploy the Azure AD Connect tool by using one of the following methods: -- **On premises**: As shown in Figure 6, Azure AD Connect runs on premises, which has the advantage of not requiring a virtual private network (VPN) connection to Azure. It does, however, require a virtual machine (VM) or physical server. +- **On premises**: As shown in Figure 6, Azure AD Connect runs on premises that have the advantage of not requiring a virtual private network (VPN) connection to Azure. It does, however, require a virtual machine (VM) or physical server. :::image type="content" source="images/deploy-win-10-school-figure6.png" alt-text="Azure AD Connect runs on-premises and uses a virtual machine."::: @@ -399,7 +399,7 @@ In this synchronization model (illustrated in Figure 6), you run Azure AD Connec 3. Install Azure AD Connect by performing the steps in [Install Azure AD Connect](/azure/active-directory/hybrid/how-to-connect-install-select-installation). 4. Configure Azure AD Connect features based on your institution’s requirements. For more information, see [Azure AD Connect sync: Understand and customize synchronization](/azure/active-directory/hybrid/how-to-connect-sync-whatis). -Now that you have used on premises Azure AD Connect to deploy AD DS and Azure AD synchronization, you’re ready to verify that Azure AD Connect is synchronizing AD DS user and group accounts with Azure AD. +Now that you've used on premises Azure AD Connect to deploy AD DS and Azure AD synchronization, you’re ready to verify that Azure AD Connect is synchronizing AD DS user and group accounts with Azure AD. ### Verify synchronization @@ -447,7 +447,7 @@ Several methods are available to bulk-import user accounts into AD DS domains. T ### Create a source file that contains the user and group accounts -After you have selected your user and group account bulk import method, you’re ready to create the source file that contains the user and group account. You’ll use the source file as the input to the import process. The source file format depends on the method you selected. Table 6 lists the source file format for the bulk import methods. +After you've selected your user and group account bulk import method, you’re ready to create the source file that contains the user and group account. You’ll use the source file as the input to the import process. The source file format depends on the method you selected. Table 6 lists the source file format for the bulk import methods. *Table 6. Source file format for each bulk import method* @@ -483,7 +483,7 @@ You can bulk-import user and group accounts directly into Office 365, reducing t ### Create user accounts in Office 365 -Now that you have created your new Office 365 Education subscription, you need to create user accounts. You can add user accounts for the teachers, other faculty, and students who will use the classroom. +Now that you've created your new Office 365 Education subscription, you need to create user accounts. You can add user accounts for the teachers, other faculty, and students who will use the classroom. You can use the Microsoft 365 admin center to add individual Office 365 accounts manually—a reasonable process when you’re adding only a few users. If you have many users, however, you can automate the process by creating a list of those users, and then use that list to create user accounts (that is, bulk-add users). @@ -517,13 +517,13 @@ Microsoft Exchange Online uses an email distribution group as a single email rec You can create email distribution groups based on job role (such as teachers, administration, or students) or specific interests (such as robotics, drama club, or soccer team). You can create any number of distribution groups, and users can be members of more than one group. > [!NOTE] -> Office 365 can take some time to complete the Exchange Online creation process. You will have to wait until Office 365 completes the Exchange Online creation process before you can perform the following steps. +> Office 365 can take some time to complete the Exchange Online creation process. You'll have to wait until Office 365 completes the Exchange Online creation process before you can perform the following steps. For information about how to create security groups, see [Create a group in the Microsoft 365 admin center](/microsoft-365/admin/create-groups/create-groups). ### Summary -Now, you have bulk-imported the user accounts into Office 365. First, you selected the bulk-import method. Next, you created the Office 365 security groups in Office 365. Finally, you created the Office 365 email distribution groups. Now, you’re ready to assign user licenses for Azure AD Premium. +Now, you've bulk-imported the user accounts into Office 365. First, you selected the bulk-import method. Next, you created the Office 365 security groups in Office 365. Finally, you created the Office 365 email distribution groups. Now, you’re ready to assign user licenses for Azure AD Premium. ## Assign user licenses for Azure AD Premium @@ -582,7 +582,7 @@ After you create the Microsoft Store for Business portal, configure it by using ### Find, acquire, and distribute apps in the portal -Now that you have created your Microsoft Store for Business portal, you’re ready to find, acquire, and distribute apps that you will add to your portal. You do this by using the Inventory page in Microsoft Store for Business. +Now that you've created your Microsoft Store for Business portal, you’re ready to find, acquire, and distribute apps that you'll add to your portal. You do this by using the Inventory page in Microsoft Store for Business. > [!NOTE] > Your educational institution can now use a credit card to pay for apps in Microsoft Store for Business. @@ -597,14 +597,14 @@ At the end of this section, you should have a properly configured Microsoft Stor ## Plan for deployment -You will use the LTI deployment process in MDT to deploy Windows 10 to devices or to upgrade devices to Windows 10. Prior to preparing for deployment, you must make some deployment planning decisions, including selecting the operating systems you will use, the approach you will use to create your Windows 10 images, and the method you will use to initiate the LTI deployment process. +You'll use the LTI deployment process in MDT to deploy Windows 10 to devices or to upgrade devices to Windows 10. Prior to preparing for deployment, you must make some deployment planning decisions, including selecting the operating systems you'll use, the approach you'll use to create your Windows 10 images, and the method you'll use to initiate the LTI deployment process. ### Select the operating systems -Later in the process, you will import the versions of Windows 10 you want to deploy. You can deploy the operating system to new devices, refresh existing devices, or upgrade existing devices. If: +Later in the process, you'll import the versions of Windows 10 you want to deploy. You can deploy the operating system to new devices, refresh existing devices, or upgrade existing devices. If: -- New devices or refreshing existing devices, you will complete replace the existing operating system on a device with Windows 10. -- Upgrading existing devices, you will upgrade the existing operating system (the Windows 8.1 or Windows 7 operating system) to Windows 10. +- New devices or refreshing existing devices, you'll complete replace the existing operating system on a device with Windows 10. +- Upgrading existing devices, you'll upgrade the existing operating system (the Windows 8.1 or Windows 7 operating system) to Windows 10. Depending on your school’s requirements, you may need any combination of the following Windows 10 editions: @@ -620,12 +620,12 @@ Depending on your school’s requirements, you may need any combination of the f > [!NOTE] > Although you can use Windows 10 Home on institution-owned devices, Microsoft recommends that you use Windows 10 Pro or Windows 10 Education, instead. Windows 10 Pro and Windows 10 Education provide support for MDM, policy-based management, and Microsoft Store for Business. These features are not available in Windows 10 Home. -One other consideration is the mix of processor architectures you will support. If you can, support only 64-bit versions of Windows 10. If you have devices that can run only 32-bit versions of Windows 10, you will need to import both 64-bit and 32-bit versions of the Windows 10 editions listed above. +One other consideration is the mix of processor architectures you'll support. If you can, support only 64-bit versions of Windows 10. If you have devices that can run only 32-bit versions of Windows 10, you'll need to import both 64-bit and 32-bit versions of the Windows 10 editions listed above. > [!NOTE] > On devices that have minimal system resources (such as devices with only 2 GB of memory or 32 GB of storage), use 32-bit versions of Windows 10 because 64-bit versions of Windows 10 place more stress on device system resources. -Finally, as a best practice, minimize the number of operating systems that you deploy and manage. If possible, standardize institution-owned devices on one Windows 10 edition (such as a 64-bit version of Windows 10 Education or Windows 10 Pro). You cannot standardize personal devices on a specific operating system version or processor architecture. +Finally, as a best practice, minimize the number of operating systems that you deploy and manage. If possible, standardize institution-owned devices on one Windows 10 edition (such as a 64-bit version of Windows 10 Education or Windows 10 Pro). You can't standardize personal devices on a specific operating system version or processor architecture. ### Select an image approach @@ -668,10 +668,10 @@ The first step in preparation for Windows 10 deployment is to configure—that i | Task | Description | | --- | --- | | **1. Import operating systems** | Import the operating systems that you selected in the [Select operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import an Operating System into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportanOperatingSystemintotheDeploymentWorkbench). | -| **2. Import device drives** | Device drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat.

            Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench). | -| **3. Create MDT applications for Microsoft Store apps** | Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using sideloading, which allows you to use the Add-AppxPackage Windows PowerShell cmdlet to deploy the .appx files associated with the app (called provisioned apps). Use this method to deploy up to 24 apps to Windows 10.

            Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you will use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you will need to obtain the .appx files from the app software vendor directly. If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.

            If you have Intune, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.

            In addition, you must prepare your environment for sideloading (deploying) Microsoft Store apps. For more information about how to:

            - Prepare your environment for sideloading, see [Sideload LOB apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10).
            - Create an MDT application, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench). | -| **4. Create MDT applications for Windows desktop apps** | You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.

            To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in [Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](/deployoffice/deploy-microsoft-365-apps-local-source?f=255&MSPPError=-2147217396).

            If you have Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This is the preferred method for deploying and managing Windows desktop apps.

            You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section.

            For more information about how to create an MDT application for Windows desktop apps, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench). | -| **5. Create task sequences.** | You must create a separate task sequence for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in Step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education; (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education; or (3) if you want to run deployments and upgrades for both 32 bit and 64-bit versions of Windows 10. To do so, you must create task sequences that will:

            - Deploy Windows 10 Education 64-bit to devices.
            - Deploy Windows 10 Education 32-bit to devices.
            - Upgrade existing devices to Windows 10 Education 64-bit.
            - Upgrade existing devices to Windows 10 Education 32-bit.

            Again, you will create the task sequences based on the operating systems that you imported in Step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewTaskSequenceintheDeploymentWorkbench). | +| **2. Import device drives** | Device drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device can't play sounds; without the proper camera driver, the device can't take photos or use video chat.

            Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench). | +| **3. Create MDT applications for Microsoft Store apps** | Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using sideloading, which allows you to use the Add-AppxPackage Windows PowerShell cmdlet to deploy the .appx files associated with the app (called provisioned apps). Use this method to deploy up to 24 apps to Windows 10.

            Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you'll use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you'll need to obtain the .appx files from the app software vendor directly. If you're unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.

            If you've Intune, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.

            In addition, you must prepare your environment for sideloading (deploying) Microsoft Store apps. For more information about how to:

            - Prepare your environment for sideloading, see [Sideload LOB apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10).
            - Create an MDT application, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench). | +| **4. Create MDT applications for Windows desktop apps** | You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.

            To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in [Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](/deployoffice/deploy-microsoft-365-apps-local-source?f=255&MSPPError=-2147217396).

            If you've Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This is the preferred method for deploying and managing Windows desktop apps.

            You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section.

            For more information about how to create an MDT application for Windows desktop apps, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench). | +| **5. Create task sequences.** | You must create a separate task sequence for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in Step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education; (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education; or (3) if you want to run deployments and upgrades for both 32 bit and 64-bit versions of Windows 10. To do so, you must create task sequences that will:

            - Deploy Windows 10 Education 64-bit to devices.
            - Deploy Windows 10 Education 32-bit to devices.
            - Upgrade existing devices to Windows 10 Education 64-bit.
            - Upgrade existing devices to Windows 10 Education 32-bit.

            Again, you'll create the task sequences based on the operating systems that you imported in Step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewTaskSequenceintheDeploymentWorkbench). | | **6. Update the deployment share.** | Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32 bit and 64-bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services.

            For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#UpdateaDeploymentShareintheDeploymentWorkbench).| --- @@ -692,7 +692,7 @@ You can use Windows Deployment Services with MDT to automatically initiate boot 2. Add LTI boot images (Windows PE images) to Windows Deployment Services. - The LTI boot images (.wim files) that you will add to Windows Deployment Services are in the MDT deployment share. Locate the .wim files in the Boot subfolder in the deployment share. For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](/mem/configmgr/mdt/use-the-mdt#AddLTIBootImagestoWindowsDeploymentServices). + The LTI boot images (.wim files) that you'll add to Windows Deployment Services are in the MDT deployment share. Locate the .wim files in the Boot subfolder in the deployment share. For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](/mem/configmgr/mdt/use-the-mdt#AddLTIBootImagestoWindowsDeploymentServices). ### Summary @@ -700,7 +700,7 @@ Now, Windows Deployment Services is ready to initiate the LTI deployment process ## Prepare for device management -Before you deploy Windows 10 in your institution, you must prepare for device management. You will deploy Windows 10 in a configuration that complies with your requirements, but you want to help ensure that your deployments remain compliant. +Before you deploy Windows 10 in your institution, you must prepare for device management. You'll deploy Windows 10 in a configuration that complies with your requirements, but you want to help ensure that your deployments remain compliant. ### Select the management method @@ -713,23 +713,23 @@ For a school, there are many ways to manage devices. Table 10 lists the methods --- | Method | Description | | --- | --- | -| **Group Policy** | Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows. Select this method when you:

            - Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).
            - Want more granular control of device and user settings.
            - Have an existing AD DS infrastructure.
            - Typically manage on-premises devices.
            - Can manage a required setting only by using Group Policy.

            The advantages of this method include:

            - No cost beyond the AD DS infrastructure.
            - A larger number of settings.

            The disadvantages of this method are:

            - Can only manage domain-joined (institution-owned devices).
            - Requires an AD DS infrastructure (if the institution does not have AD DS already).
            - Typically manages on-premises devices (unless devices connect by using a VPN or DirectAccess). | -| **Intune** | Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10 and other operating systems, such as iOS/iPadOS, macOS, and Android. Intune is a subscription-based cloud service that integrates with Microsoft 365 and Azure AD.

            Select this method when you:

            - Want to manage institution-owned and personal devices (does not require that the device be domain joined).
            - Don’t require the level of granular control over device and user settings (compared to Group Policy).
            - Don’t have an existing AD DS infrastructure.
            - Need to manage devices regardless of where they are (on or off premises).
            - Can manage a required setting only by using Intune.

            The advantages of this method are:

            - You can manage institution-owned and personal devices.
            - It doesn’t require that devices be domain joined.
            - It doesn’t require any on-premises infrastructure.
            - It can manage devices regardless of their location (on or off premises).

            The disadvantages of this method are:

            - Carries an additional cost for subscription.
            - Doesn’t have a granular level control over device and user settings (compared to Group Policy). | +| **Group Policy** | Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows. Select this method when you:

            - Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).
            - Want more granular control of device and user settings.
            - Have an existing AD DS infrastructure.
            - Typically manage on-premises devices.
            - Can manage a required setting only by using Group Policy.

            The advantages of this method include:

            - No cost beyond the AD DS infrastructure.
            - A larger number of settings.

            The disadvantages of this method are:

            - Can only manage domain-joined (institution-owned devices).
            - Requires an AD DS infrastructure (if the institution doesn't have AD DS already).
            - Typically manages on-premises devices (unless devices connect by using a VPN or DirectAccess). | +| **Intune** | Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10 and other operating systems, such as iOS/iPadOS, macOS, and Android. Intune is a subscription-based cloud service that integrates with Microsoft 365 and Azure AD.

            Select this method when you:

            - Want to manage institution-owned and personal devices (doesn't require that the device be domain joined).
            - Don’t require the level of granular control over device and user settings (compared to Group Policy).
            - Don’t have an existing AD DS infrastructure.
            - Need to manage devices regardless of where they are (on or off premises).
            - Can manage a required setting only by using Intune.

            The advantages of this method are:

            - You can manage institution-owned and personal devices.
            - It doesn’t require that devices be domain joined.
            - It doesn’t require any on-premises infrastructure.
            - It can manage devices regardless of their location (on or off premises).

            The disadvantages of this method are:

            - Carries an additional cost for subscription.
            - Doesn’t have a granular level control over device and user settings (compared to Group Policy). | --- ### Select Microsoft-recommended settings -Microsoft has several recommended settings for educational institutions. Table 11 lists them, provides a brief description of why you need to configure them, and recommends methods for configuring the settings. Review the settings in Table 11 and evaluate their relevancy to your institution. Use the information to help you determine whether you need to configure the setting and which method you will use to do so. At the end, you will have a list of settings that you want to apply to the Windows 10 devices and know which management method you will use to configure the settings. +Microsoft has several recommended settings for educational institutions. Table 11 lists them, provides a brief description of why you need to configure them, and recommends methods for configuring the settings. Review the settings in Table 11 and evaluate their relevancy to your institution. Use the information to help you determine whether you need to configure the setting and which method you'll use to do so. At the end, you'll have a list of settings that you want to apply to the Windows 10 devices and know which management method you'll use to configure the settings. *Table 11. Recommended settings for educational institutions* --- | Recommendation | Description | | --- | --- | -| **Use of Microsoft accounts** | You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.

            Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.

            **Group Policy**: Configure the [Accounts: Block Microsoft accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj966262(v=ws.11)?amp;MSPPError=-2147217396&f=255) Group Policy setting to use the Users can’t add Microsoft accounts setting option.

            **Intune**: Enable or disable Microsoft accounts by using the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy. | +| **Use of Microsoft accounts** | You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, don't use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.

            Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.

            **Group Policy**: Configure the [Accounts: Block Microsoft accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj966262(v=ws.11)?amp;MSPPError=-2147217396&f=255) Group Policy setting to use the Users can’t add Microsoft accounts setting option.

            **Intune**: Enable or disable Microsoft accounts by using the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy. | | **Restrict local administrator accounts on the devices** | Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.

            **Group Policy**: Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the **Delete all member users** and **Delete all member groups** check boxes to remove any existing members. For more information about how to configure Local Group preferences, see [Configure a Local Group Item](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732525(v=ws.11)).

            **Intune**: Not available | -| **Manage the built-in administrator account created during device deployment** | When you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and optionally disable it.

            **Group Policy**: Rename the built-in Administrator account by using the **Accounts: Rename administrator account** Group Policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-essentials-sbs/cc747484(v=ws.10)). You will specify the new name for the Administrator account. You can disable the built-in Administrator account by using the **Accounts: Administrator account status** Group Policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852165(v=ws.11)).

            **Intune**: Not available. | +| **Manage the built-in administrator account created during device deployment** | When you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and optionally disable it.

            **Group Policy**: Rename the built-in Administrator account by using the **Accounts: Rename administrator account** Group Policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-essentials-sbs/cc747484(v=ws.10)). You'll specify the new name for the Administrator account. You can disable the built-in Administrator account by using the **Accounts: Administrator account status** Group Policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852165(v=ws.11)).

            **Intune**: Not available. | | **Control Microsoft Store access** | You can control access to Microsoft Store and whether existing Microsoft Store apps receive updates. You can only disable the Microsoft Store app in Windows 10 Education and Windows 10 Enterprise.

            **Group Policy**: You can disable the Microsoft Store app by using the **Turn off the Store Application** Group Policy setting. You can prevent Microsoft Store apps from receiving updates by using the **Turn off Automatic Download and Install of updates** Group Policy setting. For more information about configuring these settings, see [Can I use Group Policy to control the Microsoft Store in my enterprise environment?](/previous-versions/windows/it-pro/windows-8.1-and-8/hh832040(v=ws.11)#BKMK_UseGP).

            **Intune**: You can enable or disable the camera by using the **Allow application store** policy setting in the **Apps** section of a **Windows 10 General Configuration** policy. | | **Use of Remote Desktop connections to devices** | Remote Desktop connections could allow unauthorized access to the device. Depending on your institution’s policies, you may want to disable Remote Desktop connections on your devices.

            **Group Policy**: You can enable or disable Remote Desktop connections to devices by using the **Allow Users to connect remotely using Remote Desktop setting** in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections.

            **Intune**: Not available. | | **Use of camera** | A device’s camera can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the camera on your devices.

            **Group Policy**: Not available.

            **Intune**: You can enable or disable the camera by using the **Allow camera** policy setting in the **Hardware** section of a **Windows 10 General Configuration** policy. | @@ -742,7 +742,7 @@ Microsoft has several recommended settings for educational institutions. Table 1 ### Configure settings by using Group Policy -Now, you’re ready to configure settings by using Group Policy. The steps in this section assume that you have an AD DS infrastructure. You will configure the Group Policy settings you select in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. +Now, you’re ready to configure settings by using Group Policy. The steps in this section assume that you have an AD DS infrastructure. You'll configure the Group Policy settings you select in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. For more information about Group Policy, see [Group Policy Planning and Deployment Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754948(v=ws.10)). @@ -754,7 +754,7 @@ For more information about Group Policy, see [Group Policy Planning and Deployme ### Configure settings by using Intune -Now, you’re ready to configure settings using Intune. The steps in this section assume that you have an Office 365 subscription. You will configure the Intune settings that you selected in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. +Now, you’re ready to configure settings using Intune. The steps in this section assume that you have an Office 365 subscription. You'll configure the Intune settings that you selected in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. For more information about Intune, see [Documentation for Microsoft Intune](/mem/intune/). @@ -842,7 +842,7 @@ As a final quality control step, verify the device configuration to ensure that - All Windows desktop apps are properly installed and updated. - Printers are properly configured. -When you have verified that the first device is properly configured, you can move to the next device and perform the same steps. +When you've verified that the first device is properly configured, you can move to the next device and perform the same steps. ### Summary @@ -850,7 +850,7 @@ You prepared the devices for deployment by verifying that they have adequate sys ## Maintain Windows devices and Office 365 -After the initial deployment, you will need to perform certain tasks to maintain the Windows 10 devices and your Office 365 Education subscription. You should perform these tasks on the following schedule: +After the initial deployment, you'll need to perform certain tasks to maintain the Windows 10 devices and your Office 365 Education subscription. You should perform these tasks on the following schedule: - **Monthly.** These tasks help ensure that the devices are current with software updates and properly protected against viruses and malware. - **New semester or academic year.** Perform these tasks prior to the start of a new curriculum—for example, at the start of a new academic year or semester. These tasks help ensure that the classroom environments are ready for the next group of students. @@ -866,7 +866,7 @@ Table 13 lists the school and individual classroom maintenance tasks, the resour | Verify that Windows Update is active and current with operating system and software updates.

            For more information about completing this task, see:

            - Intune: See [Keep Windows PCs up to date with software updates in Microsoft Intune](https://www.microsoft.com/en-us/insidetrack/keeping-windows-10-devices-up-to-date-with-microsoft-intune-and-windows-update-for-business)
            - Group Policy: See [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb)
            - Windows Server Update Services (WSUS): See [Deploy Windows Server Update Services](/windows-server/administration/windows-server-update-services/deploy/deploy-windows-server-update-services)
            - Neither Intune, Group Policy, or WSUS: See [Update Windows](https://support.microsoft.com/windows/update-windows-3c5ae7fc-9fb6-9af1-1984-b5e0412c556a). | ✔️ | ✔️ | ✔️ | | Verify that Windows Defender is active and current with malware Security intelligence.

            For more information, see [Enforce compliance for Microsoft Defender for Endpoint with Conditional Access in Intune](/mem/intune/protect/advanced-threat-protection) and [Enable and configure Microsoft Defender Antivirus always-on protection in Group Policy](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus)). | ✔️ | ✔️ | ✔️ | | Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found.

            For more information about completing this task, see [Protect my PC from viruses](https://support.microsoft.com/windows/protect-my-pc-from-viruses-b2025ed1-02d5-1e87-ba5f-71999008e026). | ✔️ | ✔️ | ✔️ | -| Verify that you are using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).

            For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options for updates and upgrades](/windows/deployment/update/). | | ✔️ | ✔️ | +| Verify that you're using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).

            For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options for updates and upgrades](/windows/deployment/update/). | | ✔️ | ✔️ | | Refresh the operating system and apps on devices.

            For more information about completing this task, see the [Deploy Windows 10 to devices](#deploy-windows-10-to-devices) section. | | ✔️ | ✔️ | | Install any new Windows desktop apps or update any Windows desktop apps that are used in the curriculum.

            For more information, see the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. | | ✔️ | ✔️ | | Install new or update existing Microsoft Store apps that are used in the curriculum.

            Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download.

            You can also deploy Microsoft Store apps directly to devices by using Intune. For more information, see the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. | | ✔️ | ✔️ | @@ -880,7 +880,7 @@ Table 13 lists the school and individual classroom maintenance tasks, the resour ### Summary -Now, you have identified the tasks you need to perform monthly, at the end of an academic year or semester, and as required. Your school configuration should match the typical school configuration that you saw in the [Plan a typical school configuration](#plan-a-typical-school-configuration) section. By running these maintenance tasks, you help ensure that your school stays secure and is configured as you specified. +Now, you've identified the tasks you need to perform monthly, at the end of an academic year or semester, and as required. Your school configuration should match the typical school configuration that you saw in the [Plan a typical school configuration](#plan-a-typical-school-configuration) section. By running these maintenance tasks, you help ensure that your school stays secure and is configured as you specified. ## Related resources diff --git a/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md b/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md index 1d9fa5aab2..c2d154430c 100644 --- a/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md +++ b/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md @@ -98,7 +98,7 @@ If you decide to use the centralized compatibility-fix database deployment strat 1. Verify that your application-compatibility testers are performing their tests on computers with the latest version of your compatibility-fix database. For example, Custom DB1. -2. If the tester determines that an application requires an extra compatibility fix that isn't a part of the original compatibility-fix database, the tester must create a new custom compatibility database with all of the required information for that single fix, for example, Custom DB2. +2. If the tester determines that an application requires an extra compatibility fix that isn'9t a part of the original compatibility-fix database, the tester must create a new custom compatibility database with all of the required information for that single fix, for example, Custom DB2. 3. The tester applies the new Custom DB2 information to the application and then tests for both the functionality and integration, to ensure that the compatibility issues are addressed. From 6f632cba51fd0db9795b3125ecb1f87d59180876 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 7 Feb 2022 16:16:14 +0530 Subject: [PATCH 30/68] Revert "Acrolinx enhancement" This reverts commit f4750619b3bce921f8654014f64ba92d6991d825. --- education/windows/autopilot-reset.md | 23 ++- education/windows/change-history-edu.md | 6 +- education/windows/change-to-pro-education.md | 26 ++-- .../windows/chromebook-migration-guide.md | 126 ++++++++--------- .../configure-windows-for-education.md | 22 +-- .../deploy-windows-10-in-a-school-district.md | 132 +++++++++--------- .../windows/deploy-windows-10-in-a-school.md | 110 +++++++-------- ...se-management-strategies-and-deployment.md | 2 +- 8 files changed, 221 insertions(+), 226 deletions(-) diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md index 41d85135d0..c0ac95e03e 100644 --- a/education/windows/autopilot-reset.md +++ b/education/windows/autopilot-reset.md @@ -19,12 +19,7 @@ manager: dansimp - Windows 10, version 1709 -IT admins or technical teachers can use Autopilot Reset to: - - Quickly remove personal files, apps, and settings, - - Reset Windows 10 devices from the lock screen anytime, and - - Apply original settings and management enrollment (Azure Active Directory and device management) so the devices are ready to use. - -With Autopilot Reset, devices are returned to a fully configured or known IT-approved state. +IT admins or technical teachers can use Autopilot Reset to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen any time and apply original settings and management enrollment (Azure Active Directory and device management) so the devices are ready to use. With Autopilot Reset, devices are returned to a fully configured or known IT-approved state. To enable Autopilot Reset in Windows 10, version 1709 (Fall Creators Update), you must: @@ -35,7 +30,7 @@ To enable Autopilot Reset in Windows 10, version 1709 (Fall Creators Update), yo To use Autopilot Reset, [Windows Recovery Environment (WinRE) must be enabled on the device](#winre). -**DisableAutomaticReDeploymentCredentials** is a policy that enables or disables the visibility of the credentials for Autopilot Reset. It's a policy node in the [Policy CSP](/windows/client-management/mdm/policy-csp-credentialproviders), **CredentialProviders/DisableAutomaticReDeploymentCredentials**. By default, this policy is set to 1 (Disable). This ensures that Autopilot Reset isn't triggered by accident. +**DisableAutomaticReDeploymentCredentials** is a policy that enables or disables the visibility of the credentials for Autopilot Reset. It is a policy node in the [Policy CSP](/windows/client-management/mdm/policy-csp-credentialproviders), **CredentialProviders/DisableAutomaticReDeploymentCredentials**. By default, this policy is set to 1 (Disable). This ensures that Autopilot Reset isn't triggered by accident. You can set the policy using one of these methods: @@ -54,11 +49,11 @@ You can set the policy using one of these methods: - Set up School PCs app - Autopilot Reset in the Set up School PCs app is available in the latest release of the app. Ensure you're running Windows 10, version 1709 on the student PCs if you want to use Autopilot Reset through the Set up School PCs app. You can check the version several ways: + Autopilot Reset in the Set up School PCs app is available in the latest release of the app. Make sure you are running Windows 10, version 1709 on the student PCs if you want to use Autopilot Reset through the Set up School PCs app. You can check the version several ways: - Reach out to your device manufacturer. - - If you manage your PCs using Intune or Intune for Education, you can check the OS version by checking the **OS version** info for the device. If you're using another MDM provider, check the documentation for the MDM provider to confirm the OS version. + - If you manage your PCs using Intune or Intune for Education, you can check the OS version by checking the **OS version** info for the device. If you are using another MDM provider, check the documentation for the MDM provider to confirm the OS version. - Log into the PCs, go to the **Settings > System > About** page, look in the **Windows specifications** section and confirm **Version** is set to 1709. @@ -77,9 +72,9 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo ![Enter CTRL+Windows key+R on the Windows lockscreen.](images/autopilot-reset-lockscreen.png) - This will open up a custom sign-in screen for Autopilot Reset. The screen serves two purposes: + This will open up a custom login screen for Autopilot Reset. The screen serves two purposes: - 1. Confirm/verify that the end user has the right to trigger Autopilot Reset. + 1. Confirm/verify that the end user has the right to trigger Autopilot Reset 2. Notify the user in case a provisioning package, created using Windows Configuration Designer or Set up School PCs, will be used as part of the process. @@ -98,7 +93,7 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo - Connects to Wi-Fi. - - If you provided a provisioning package when Autopilot Reset is triggered, the system will apply this new provisioning package. Otherwise, the system will reapply the original provisioning package on the device. + - If you provided a provisioning package when Autopilot Reset is triggered, the system will apply this new provisioning package. Otherwise, the system will re-apply the original provisioning package on the device. - Is returned to a known good managed state, connected to Azure AD and MDM. @@ -110,7 +105,7 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo ## Troubleshoot Autopilot Reset -Autopilot Reset will fail when the [Windows Recovery Environment (WinRE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) isn't enabled on the device. You'll see `Error code: ERROR_NOT_SUPPORTED (0x80070032)`. +Autopilot Reset will fail when the [Windows Recovery Environment (WinRE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) is not enabled on the device. You will see `Error code: ERROR_NOT_SUPPORTED (0x80070032)`. To make sure WinRE is enabled, use the [REAgentC.exe tool](/windows-hardware/manufacture/desktop/reagentc-command-line-options) to run the following command: @@ -118,7 +113,7 @@ To make sure WinRE is enabled, use the [REAgentC.exe tool](/windows-hardware/man reagentc /enable ``` -If Autopilot Reset fails after enabling WinRE, or if you're unable to enable WinRE, please contact [Microsoft Support](https://support.microsoft.com) for assistance. +If Autopilot Reset fails after enabling WinRE, or if you are unable to enable WinRE, please contact [Microsoft Support](https://support.microsoft.com) for assistance. ## Related topics diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md index e977b03d61..aafc6c622f 100644 --- a/education/windows/change-history-edu.md +++ b/education/windows/change-history-edu.md @@ -85,14 +85,14 @@ New or changed topic | Description | New or changed topic | Description | | --- | ---- | -| [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) | New. If you have an education tenant and use devices Windows 10 Pro or Windows 10 S in your schools, find out how you can opt in to a free switch to Windows 10 Pro Education. | +| [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) | New. If you have an education tenant and use devices Windows 10 Pro or Windows 10 S in your schools, find out how you can opt-in to a free switch to Windows 10 Pro Education. | | [Use the Set up School PCs app](use-set-up-school-pcs-app.md) | Updated. Now includes network tips and updated step-by-step instructions that show the latest updates to the app such as Wi-Fi setup. | ## RELEASE: Windows 10, version 1703 (Creators Update) | New or changed topic | Description| | --- | --- | -| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](/microsoft-365/education/deploy/) | New. Learn how you can quickly and easily use the new Microsoft Education system to implement a full IT cloud solution for your school. | +| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](/microsoft-365/education/deploy/) | New. Learn how you can you can quickly and easily use the new Microsoft Education system to implement a full IT cloud solution for your school. | | [Microsoft Education documentation and resources](/education) | New. Find links to more content for IT admins, teachers, students, and education app developers. | | [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md) | New. Provides guidance on ways to configure the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, so that Windows is ready for your school. | | [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md) | Updated the screenshots and related instructions to reflect the current UI and experience. | @@ -111,7 +111,7 @@ New or changed topic | Description | New or changed topic | Description | | --- | --- | -| [Upgrade Windows 10 Pro to Pro Education from Microsoft Store for Business] | New. Learn how to opt in to a free upgrade to Windows 10 Pro Education. As of May 2017, this topic has been replaced with [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md). | +| [Upgrade Windows 10 Pro to Pro Education from Microsoft Store for Business] | New. Learn how to opt-in to a free upgrade to Windows 10 Pro Education. As of May 2017, this topic has been replaced with [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md). | ## November 2016 diff --git a/education/windows/change-to-pro-education.md b/education/windows/change-to-pro-education.md index a936025d6f..ea30225b3e 100644 --- a/education/windows/change-to-pro-education.md +++ b/education/windows/change-to-pro-education.md @@ -17,7 +17,7 @@ manager: dansimp # Change to Windows 10 Pro Education from Windows 10 Pro Windows 10 Pro Education is a new offering in Windows 10, version 1607. This edition builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools by providing education-specific default settings. -If you have an education tenant and use devices with Windows 10 Pro, global administrators can opt in to a free change to Windows 10 Pro Education depending on your scenario. +If you have an education tenant and use devices with Windows 10 Pro, global administrators can opt-in to a free change to Windows 10 Pro Education depending on your scenario. - [Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode](./s-mode-switch-to-edu.md) To take advantage of this offering, make sure you meet the [requirements for changing](#requirements-for-changing). For academic customers who are eligible to change to Windows 10 Pro Education, but are unable to use the above methods, contact Microsoft Support for assistance. @@ -43,7 +43,7 @@ For more info about Windows 10 default settings and recommendations for educatio ## Change from Windows 10 Pro to Windows 10 Pro Education -For schools that want to standardize all their Windows 10 Pro devices to Windows 10 Pro Education, a global admin for the school can opt in to a free change through the Microsoft Store for Education. +For schools that want to standardize all their Windows 10 Pro devices to Windows 10 Pro Education, a global admin for the school can opt-in to a free change through the Microsoft Store for Education. In this scenario: @@ -73,7 +73,7 @@ See [change using Microsoft Store for Education](#change-using-microsoft-store-f ### Change using Windows Configuration Designer You can use Windows Configuration Designer to create a provisioning package that you can use to change the Windows edition for your device(s). [Install Windows Configuration Designer from the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22) to create a provisioning package. -1. In Windows Configuration Designer, select **Provision desktop devices** to open the editor and create a provisioning package for Windows desktop editions. +1. In Windows Configuration Designer, select **Provision desktop devices** to open the simple editor and create a provisioning package for Windows desktop editions. 2. In the **Set up device** page, enter the MAK license key in the **Enter product key** field to change to Windows 10 Pro Education. **Figure 2** - Enter the license key @@ -98,8 +98,8 @@ Academic institutions can easily move from Windows 10 Pro to Windows 10 Pro Educ When you change to Windows 10 Pro Education, you get the following benefits: -- **Windows 10 Pro Education edition**. Devices currently running Windows 10 Pro, version 1607 or higher, or Windows 10 S mode, version 1703, can get Windows 10 Pro Education Current Branch (CB). This benefit doesn't include Long Term Service Branch (LTSB). -- **Support from one to hundreds of users**. The Windows 10 Pro Education program doesn't have a limitation on the number of licenses an organization can have. +- **Windows 10 Pro Education edition**. Devices currently running Windows 10 Pro, version 1607 or higher, or Windows 10 S mode, version 1703, can get Windows 10 Pro Education Current Branch (CB). This benefit does not include Long Term Service Branch (LTSB). +- **Support from one to hundreds of users**. The Windows 10 Pro Education program does not have a limitation on the number of licenses an organization can have. - **Roll back options to Windows 10 Pro** - When a user leaves the domain or you turn off the setting to automatically change to Windows 10 Pro Education, the device reverts seamlessly to Windows 10 Pro edition (after a grace period of up to 30 days). - For devices that originally had Windows 10 Pro edition installed, when a license expires or is transferred to another user, the Windows 10 Pro Education device seamlessly steps back down to Windows 10 Pro. @@ -108,7 +108,7 @@ When you change to Windows 10 Pro Education, you get the following benefits: ### Change using Microsoft Store for Education -Once you enable the setting to change to Windows 10 Pro Education, the change will begin only after a user signs in to their device. The setting applies to the entire organization or tenant, so you can't select which users will receive the change. The change will only apply to Windows 10 Pro devices. +Once you enable the setting to change to Windows 10 Pro Education, the change will begin only after a user signs in to their device. The setting applies to the entire organization or tenant, so you cannot select which users will receive the change. The change will only apply to Windows 10 Pro devices. **To turn on the automatic change to Windows 10 Pro Education** @@ -134,7 +134,7 @@ Once you enable the setting to change to Windows 10 Pro Education, the change wi 8. Click **Change now** in the **changing your device to Windows 10 Pro Education for free** page in the Microsoft Store. - You'll see a window that confirms you've successfully changed all the devices in your organization to Windows 10 Pro Education, and each Azure AD joined device running Windows 10 Pro will automatically change the next time someone in your organization signs in to the device. + You will see a window that confirms you've successfully changed all the devices in your organization to Windows 10 Pro Education, and each Azure AD joined device running Windows 10 Pro will automatically change the next time someone in your organization signs in to the device. 9. Click **Close** in the **Success** window. @@ -148,7 +148,7 @@ So what will users experience? How will they change their devices? ### For existing Azure AD joined devices Existing Azure AD domain joined devices will be changed to Windows 10 Pro Education the next time the user logs in. That's it! No additional steps are needed. -### For new devices that aren't Azure AD joined +### For new devices that are not Azure AD joined Now that you've turned on the setting to automatically change to Windows 10 Pro Education, the users are ready to change their devices running Windows 10 Pro, version 1607 or higher, version 1703 to Windows 10 Pro Education edition. #### Step 1: Join users’ devices to Azure AD @@ -224,7 +224,7 @@ If there are any problems with the Windows 10 Pro Education license or the acti In some instances, users may experience problems with the Windows 10 Pro Education change. The most common problems that users may experience are as follows: -- The existing operating system (Windows 10 Pro, version 1607 or higher, or version 1703) isn't activated. +- The existing operating system (Windows 10 Pro, version 1607 or higher, or version 1703) is not activated. - The Windows 10 Pro Education change has lapsed or has been removed. Use the following figures to help you troubleshoot when users experience these common problems: @@ -234,7 +234,7 @@ Use the following figures to help you troubleshoot when users experience these c Windows 10 activated and subscription active

            -**Figure 11** - Illustrates a device on which the existing operating system isn't activated, but the Windows 10 Pro Education change is active. +**Figure 11** - Illustrates a device on which the existing operating system is not activated, but the Windows 10 Pro Education change is active. Windows 10 not activated and subscription active

            @@ -245,7 +245,7 @@ Devices must be running Windows 10 Pro, version 1607 or higher, or domain joined **To determine if a device is Azure AD joined** -1. Open a command prompt and type the following command: +1. Open a command prompt and type the following: ``` dsregcmd /status @@ -280,7 +280,7 @@ Once the automatic change to Windows 10 Pro Education is turned off, the change **To roll back Windows 10 Pro Education to Windows 10 Pro** -1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com/) with your school or work account, or follow the link from the notification email to turn off the automatic change. +1. Log in to [Microsoft Store for Education](https://educationstore.microsoft.com/) with your school or work account, or follow the link from the notification email to turn off the automatic change. 2. Select **Manage > Benefits** and locate the section **Windows 10 Pro Education** and follow the link. 3. In the **Revert to Windows 10 Pro** page, click **Revert to Windows 10 Pro**. @@ -288,7 +288,7 @@ Once the automatic change to Windows 10 Pro Education is turned off, the change ![Revert to Windows 10 Pro.](images/msfe_manage_reverttowin10pro.png) -4. You'll be asked if you're sure that you want to turn off automatic changes to Windows 10 Pro Education. Click **Yes**. +4. You will be asked if you're sure that you want to turn off automatic changes to Windows 10 Pro Education. Click **Yes**. 5. Click **Close** in the **Success** page. All global admins get a confirmation email that a request was made to roll back your organization to Windows 10 Pro. If you, or another global admin, decide later that you want to turn on automatic changes again, you can do this by selecting **change to Windows 10 Pro Education for free** from the **Manage > Benefits** in the Microsoft Store for Education. diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md index 65b576133c..66569c4674 100644 --- a/education/windows/chromebook-migration-guide.md +++ b/education/windows/chromebook-migration-guide.md @@ -1,6 +1,6 @@ --- title: Chromebook migration guide (Windows 10) -description: In this guide, you'll learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. +description: In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. ms.assetid: 7A1FA48A-C44A-4F59-B895-86D4D77F8BEA ms.reviewer: manager: dansimp @@ -22,23 +22,23 @@ ms.date: 10/13/2017 - Windows 10 -In this guide, you'll learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. You'll learn how to perform the necessary planning steps, including Windows device deployment, migration of user and device settings, app migration or replacement, and cloud storage migration. You'll then learn the best method to perform the migration by using automated deployment and migration tools. +In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. You will learn how to perform the necessary planning steps, including Windows device deployment, migration of user and device settings, app migration or replacement, and cloud storage migration. You will then learn the best method to perform the migration by using automated deployment and migration tools. ## Plan Chromebook migration Before you begin to migrate Chromebook devices, plan your migration. As with most projects, there can be an urge to immediately start doing before planning. When you plan your Chromebook migration before you perform the migration, you can save countless hours of frustration and mistakes during the migration process. -In the planning portion of this guide, you'll identify all the decisions that you need to make and how to make each decision. At the end of the planning section, you'll have a list of information you need to collect and what you need to do with the information. You'll be ready to perform your Chromebook migration. +In the planning portion of this guide, you will identify all the decisions that you need to make and how to make each decision. At the end of the planning section, you will have a list of information you need to collect and what you need to do with the information. You will be ready to perform your Chromebook migration. ## Plan for app migration or replacement -App migration or replacement is an essential part of your Chromebook migration. In this section, you'll plan how you'll migrate or replace Chromebook (Chrome OS) apps that are currently in use with the same or equivalent Windows apps. At the end of this section, you'll have a list of the active Chrome OS apps and the Windows app counterparts. +App migration or replacement is an essential part of your Chromebook migration. In this section you will plan how you will migrate or replace Chromebook (Chrome OS) apps that are currently in use with the same or equivalent Windows apps. At the end of this section, you will have a list of the active Chrome OS apps and the Windows app counterparts. **Identify the apps currently in use on Chromebook devices** -Before you can do any analysis or make decisions about which apps to migrate or replace, you need to identify which apps are currently in use on the Chromebook devices. You'll create a list of apps that are currently in use (also called an app portfolio). +Before you can do any analysis or make decisions about which apps to migrate or replace, you need to identify which apps are currently in use on the Chromebook devices. You will create a list of apps that are currently in use (also called an app portfolio). > [!NOTE] > The majority of Chromebook apps are web apps. For these apps you need to first perform Microsoft Edge compatibility testing and then publish the web app URL to the Windows users. For more information, see the [Perform app compatibility testing for web apps](#perform-testing-webapps) section. @@ -63,7 +63,7 @@ Record the following information about each app in your app portfolio: - App priority (how necessary is the app to the day-to-day process of the institution or a classroom? Rank as high, medium, or low) -Throughout the entire app migration or replacement process, focus on the higher priority apps. Focus on lower priority apps only after you've determined what you will do with the higher priority apps. +Throughout the entire app migration or replacement process, focus on the higher priority apps. Focus on lower priority apps only after you have determined what you will do with the higher priority apps. ### @@ -85,13 +85,13 @@ Table 1. Google App replacements -It may be that you'll decide to replace Google Apps after you deploy Windows devices. For more information on making this decision, see the [Select cloud services migration strategy](#select-cs-migrationstrat) section of this guide. +It may be that you will decide to replace Google Apps after you deploy Windows devices. For more information on making this decision, see the [Select cloud services migration strategy](#select-cs-migrationstrat) section of this guide. **Find the same or similar apps in the Microsoft Store** In many instances, software vendors will create a version of their app for multiple platforms. You can search the Microsoft Store to find the same or similar apps to any apps not identified in the [Select Google Apps replacements](#select-googleapps) section. -In other instances, the offline app doesn't have a version written for the Microsoft Store or isn't a web app. In these cases, look for an app that provides similar functions. For example, you might have a graphing calculator offline Android app published on the Chrome OS, but the software publisher doesn't have a version for Windows devices. Search the Microsoft Store for a graphing calculator app that provides similar features and functionality. Use that Microsoft Store app as a replacement for the graphing calculator offline Android app published on the Chrome OS. +In other instances, the offline app does not have a version written for the Microsoft Store or is not a web app. In these cases, look for an app that provides similar functions. For example, you might have a graphing calculator offline Android app published on the Chrome OS, but the software publisher does not have a version for Windows devices. Search the Microsoft Store for a graphing calculator app that provides similar features and functionality. Use that Microsoft Store app as a replacement for the graphing calculator offline Android app published on the Chrome OS. Record the Windows app that replaces the Chromebook app in your app portfolio. @@ -99,20 +99,20 @@ Record the Windows app that replaces the Chromebook app in your app portfolio. **Perform app compatibility testing for web apps** -The majority of Chromebook apps are web apps. Because you can't run native offline Chromebook apps on a Windows device, there's no reason to perform app compatibility testing for offline Chromebook apps. However, you may have a number of web apps that will run on both platforms. +The majority of Chromebook apps are web apps. Because you cannot run native offline Chromebook apps on a Windows device, there is no reason to perform app compatibility testing for offline Chromebook apps. However, you may have a number of web apps that will run on both platforms. Ensure that you test these web apps in Microsoft Edge. Record the level of compatibility for each web app in Microsoft Edge in your app portfolio. ## Plan for migration of user and device settings -Some institutions have configured the Chromebook devices to make the devices easier to use by using the Google Chrome Admin Console. You've also probably configured the Chromebook devices to help ensure the user data access and ensure that the devices themselves are secure by using the Google Chrome Admin Console. +Some institutions have configured the Chromebook devices to make the devices easier to use by using the Google Chrome Admin Console. You have also probably configured the Chromebook devices to help ensure the user data access and ensure that the devices themselves are secure by using the Google Chrome Admin Console. However, in addition to your centralized configuration in the Google Admin Console, Chromebook users have probably customized their device. In some instances, users may have changed the web content that is displayed when the Chrome browser starts. Or they may have bookmarked websites for future reference. Or users may have installed apps for use in the classroom. -In this section, you'll identify the user and device configuration settings for your Chromebook users and devices. Then you'll prioritize these settings to focus on the configuration settings that are essential to your educational institution. +In this section, you will identify the user and device configuration settings for your Chromebook users and devices. Then you will prioritize these settings to focus on the configuration settings that are essential to your educational institution. -At the end of this section, you should have a list of Chromebook user and device settings that you want to migrate to Windows, as well as a level of priority for each setting. You may discover at the end of this section that you've few or no higher priority settings to be migrated. If this is the case, you can skip the [Perform migration of user and device settings](#migrate-user-device-settings) section of this guide. +At the end of this section, you should have a list of Chromebook user and device settings that you want to migrate to Windows, as well as a level of priority for each setting. You may discover at the end of this section that you have few or no higher priority settings to be migrated. If this is the case, you can skip the [Perform migration of user and device settings](#migrate-user-device-settings) section of this guide. **Identify Google Admin Console settings to migrate** @@ -122,17 +122,17 @@ You use the Google Admin Console (as shown in Figure 1) to manage user and devic Figure 1. Google Admin Console -Table 2 lists the settings in the Device Management node in the Google Admin Console. Review the settings and determine which settings you'll migrate to Windows. +Table 2 lists the settings in the Device Management node in the Google Admin Console. Review the settings and determine which settings you will migrate to Windows. Table 2. Settings in the Device Management node in the Google Admin Console |Section |Settings | |---------|---------| |Network |

            These settings configure the network connections for Chromebook devices and include the following settings categories:

            • **Wi-Fi.** Configures the Wi-Fi connections that are available. The Windows devices will need these configuration settings to connect to the same Wi-Fi networks.

            • **Ethernet.** Configures authentication for secured, wired Ethernet connections (802.1x). The Windows devices will need these configuration settings to connect to the network.

            • **VPN.** Specifies the VPN network connections used by devices when not directly connected to your intranet. The Windows devices will need the same VPN network connections for users to remotely connect to your intranet.

            • **Certificates.** Contains the certificates used for network authentication. The Windows devices will need these certificates to connect to the network.

              | -|Mobile |These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:
              • **Device management settings.** Configures settings for mobile (companion) devices, such as device synchronization, password settings, auditing, enable remote wipe, and other settings. Record these settings so that you can ensure the same settings are applied when the devices are being managed by Microsoft Intune or another mobile device management (MDM) provider.
              • **Device activation.** Contains a list of mobile (companion) devices that need to be approved for management by using the Google Admin Console. Approve or block any devices in this list so that the list of managed devices accurately reflects active managed devices.
              • **Managed devices.** Performs management tasks on mobile (companion) devices that are managed by the Google Admin Console. Record the list of companion devices on this page so that you can ensure the same devices are managed by Intune or another MDM provider.
              • **Set Up Apple Push Certificate.** Configures the certificate that is essentially the digital signature that lets the Google Admin Console manage iOS devices. You'll need this certificate if you plan to manage iOS devices by using Intune or another MDM provider.
              • **Set Up Android for Work.** Authorizes the Google Admin Console to be the MDM provider for Android devices by providing an Enterprise Mobility Management (EMM) token. You'll need this token if you plan to manage Android devices by using another MDM provider. | -|Chrome management |These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:
                • **User settings.** Configures user-based settings for the Chrome browser and Chromebook devices. Most of these Chromebook user-based settings can be mapped to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.
                • **Public session settings.** Configures Public Sessions for Chrome devices that are used as kiosks, loaner devices, shared computers, or for any other work or school-related purpose for which users don't need to sign in with their credentials. You can configure Windows devices similarly by using Assigned Access. Record the settings and apps that are available in Public Sessions so that you can provide similar configuration in Assigned Access.
                • **Device settings.** Configures device-based settings for the Chrome browser and Chromebook devices. You can map most of these Chromebook device-based settings to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.
                • **Devices.** Manages Chrome device management licenses. The number of licenses recorded here should correspond to the number of licenses you'll need for your new management system, such as Intune. Record the number of licenses and use those to determine how many licenses you'll need to manage your Windows devices
                • **App Management.** Provides configuration settings for Chrome apps. Record the settings for any apps that you've identified that will run on Windows devices. | +|Mobile |These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:
                  • **Device management settings.** Configures settings for mobile (companion) devices, such as device synchronization, password settings, auditing, enable remote wipe, and other settings. Record these settings so that you can ensure the same settings are applied when the devices are being managed by Microsoft Intune or another mobile device management (MDM) provider.
                  • **Device activation.** Contains a list of mobile (companion) devices that need to be approved for management by using the Google Admin Console. Approve or block any devices in this list so that the list of managed devices accurately reflects active managed devices.
                  • **Managed devices.** Performs management tasks on mobile (companion) devices that are managed by the Google Admin Console. Record the list of companion devices on this page so that you can ensure the same devices are managed by Intune or another MDM provider.
                  • **Set Up Apple Push Certificate.** Configures the certificate that is essentially the digital signature that lets the Google Admin Console manage iOS devices. You will need this certificate if you plan to manage iOS devices by using Intune or another MDM provider.
                  • **Set Up Android for Work.** Authorizes the Google Admin Console to be the MDM provider for Android devices by providing an Enterprise Mobility Management (EMM) token. You will need this token if you plan to manage Android devices by using another MDM provider. | +|Chrome management |These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:
                    • **User settings.** Configures user-based settings for the Chrome browser and Chromebook devices. Most of these Chromebook user-based settings can be mapped to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.
                    • **Public session settings.** Configures Public Sessions for Chrome devices that are used as kiosks, loaner devices, shared computers, or for any other work or school-related purpose for which users don't need to sign in with their credentials. You can configure Windows devices similarly by using Assigned Access. Record the settings and apps that are available in Public Sessions so that you can provide similar configuration in Assigned Access.
                    • **Device settings.** Configures device-based settings for the Chrome browser and Chromebook devices. You can map most of these Chromebook device-based settings to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.
                    • **Devices.** Manages Chrome device management licenses. The number of licenses recorded here should correspond to the number of licenses you will need for your new management system, such as Intune. Record the number of licenses and use those to determine how many licenses you will need to manage your Windows devices
                    • **App Management.** Provides configuration settings for Chrome apps. Record the settings for any apps that you have identified that will run on Windows devices. | -Table 3 lists the settings in the Security node in the Google Admin Console. Review the settings and determine which settings you'll migrate to Windows. +Table 3 lists the settings in the Security node in the Google Admin Console. Review the settings and determine which settings you will migrate to Windows. Table 3. Settings in the Security node in the Google Admin Console @@ -146,13 +146,13 @@ Table 3. Settings in the Security node in the Google Admin Console **Identify locally-configured settings to migrate** -In addition to the settings configured in the Google Admin Console, users may have locally configured their devices based on their own personal preferences (as shown in Figure 2). Table 4 lists the Chromebook user and device settings that you can locally configure. Review the settings and determine which settings you'll migrate to Windows. Some of the settings listed in Table 4 can only be seen when you click the **Show advanced settings** link (as shown in Figure 2). +In addition to the settings configured in the Google Admin Console, users may have locally configured their devices based on their own personal preferences (as shown in Figure 2). Table 4 lists the Chromebook user and device settings that you can locally configure. Review the settings and determine which settings you will migrate to Windows. Some of the settings listed in Table 4 can only be seen when you click the **Show advanced settings** link (as shown in Figure 2). ![figure 2.](images/fig2-locallyconfig.png) -Figure 2. Locally configured settings on Chromebook +Figure 2. Locally-configured settings on Chromebook -Table 4. Locally configured settings +Table 4. Locally-configured settings | Section | Settings | |------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| @@ -183,30 +183,30 @@ Also, as a part of this planning process, consider settings that may not be curr **Prioritize settings to migrate** -After you've collected all the Chromebook user, app, and device settings that you want to migrate, you need to prioritize each setting. Evaluate each setting and assign a priority to the setting based on the levels of high, medium, and low. +After you have collected all the Chromebook user, app, and device settings that you want to migrate, you need to prioritize each setting. Evaluate each setting and assign a priority to the setting based on the levels of high, medium, and low. -Assign the setting-migration priority based on how critical the setting is to the faculty performing their day-to-day tasks and how the setting affects the curriculum in the classrooms. Focus on the migration of higher priority settings and put less effort into the migration of lower priority settings. There may be some settings that aren't necessary at all and can be dropped from your list of settings entirely. Record the setting priority in the list of settings you plan to migrate. +Assign the setting-migration priority based on how critical the setting is to the faculty performing their day-to-day tasks and how the setting affects the curriculum in the classrooms. Focus on the migration of higher priority settings and put less effort into the migration of lower priority settings. There may be some settings that are not necessary at all and can be dropped from your list of settings entirely. Record the setting priority in the list of settings you plan to migrate. ## Plan for email migration -Many of your users may be using Google Apps Gmail to manage their email, calendars, and contacts. You need to create the list of users you'll migrate and the best time to perform the migration. +Many of your users may be using Google Apps Gmail to manage their email, calendars, and contacts. You need to create the list of users you will migrate and the best time to perform the migration. Office 365 supports automated migration from Google Apps Gmail to Office 365. For more information, see [Migrate Google Apps mailboxes to Office 365](/Exchange/mailbox-migration/migrating-imap-mailboxes/migrate-g-suite-mailboxes). **Identify the list of user mailboxes to migrate** -With regard to creating the list of users you'll migrate, it might seem that the answer “all the users” might be the best one. However, depending on the time you select for migration, only a subset of the users may need to be migrated. For example, you may not persist student email accounts between semesters or between academic years. In this case, you would only need to migrate faculty and staff. +In regards to creating the list of users you will migrate, it might seem that the answer “all the users” might be the best one. However, depending on the time you select for migration, only a subset of the users may need to be migrated. For example, you may not persist student email accounts between semesters or between academic years. In this case you would only need to migrate faculty and staff. -Also, when you perform a migration, it's a great time to verify that all user mailboxes are active. In many environments, there are a significant number of mailboxes that were provisioned for users that are no longer a part of the institution (such as interns or student assistants). You can eliminate these users from your list of user mailboxes to migrate. +Also, when you perform a migration it is a great time to verify that all user mailboxes are active. In many environments there are a significant number of mailboxes that were provisioned for users that are no longer a part of the institution (such as interns or student assistants). You can eliminate these users from your list of user mailboxes to migrate. Create your list of user mailboxes to migrate in Excel 2016 based on the format described in step 7 in [Create a list of Gmail mailboxes to migrate](/Exchange/mailbox-migration/migrating-imap-mailboxes/migrate-g-suite-mailboxes). If you follow this format, you can use the Microsoft Excel spreadsheet to perform the actual migration later in the process. **Identify companion devices that access Google Apps Gmail** -In addition to Chromebook devices, users may have companion devices (smartphones, tablets, desktops, laptops, and so on) that also access the Google Apps Gmail mailbox. You'll need to identify those companion devices and identify the proper configuration for those devices to access Office 365 mailboxes. +In addition to Chromebook devices, users may have companion devices (smartphones, tablets, desktops, laptops, and so on) that also access the Google Apps Gmail mailbox. You will need to identify those companion devices and identify the proper configuration for those devices to access Office 365 mailboxes. -After you've identified each companion device, verify the settings for the device that are used to access Office 365. You only need to test one type of each companion device. For example, if users use Android phones to access Google Apps Gmail mailboxes, configure the device to access Office 365 and then record those settings. You can publish those settings on a website or to your helpdesk staff so that users will know how to access their Office 365 mailbox. +After you have identified each companion device, verify the settings for the device that are used to access Office 365. You only need to test one type of each companion device. For example, if users use Android phones to access Google Apps Gmail mailboxes, configure the device to access Office 365 and then record those settings. You can publish those settings on a website or to your helpdesk staff so that users will know how to access their Office 365 mailbox. In most instances, users will only need to provide in their Office 365 email account and password. However, you should verify this on each type of companion device. For more information about how to configure a companion device to work with Office 365, see [Compare how different mobile devices work with Office 365](https://go.microsoft.com/fwlink/p/?LinkId=690254). @@ -219,13 +219,13 @@ Ensure that you communicate the time the migration will occur to your users well ## Plan for cloud storage migration -Chromebook devices have limited local storage. So, most of your users will store data in cloud storage, such as Google Drive. You'll need to plan how to migrate your cloud storage as a part of the Chromebook migration process. +Chromebook devices have limited local storage. So, most of your users will store data in cloud storage, such as Google Drive. You will need to plan how to migrate your cloud storage as a part of the Chromebook migration process. -In this section, you'll create a list of the existing cloud services, select the Microsoft cloud services that best meet your needs, and then optimize your cloud storage services migration plan. +In this section, you will create a list of the existing cloud services, select the Microsoft cloud services that best meet your needs, and then optimize your cloud storage services migration plan. **Identify cloud storage services currently in use** -Typically, most Chromebook users use Google Drive for cloud storage services because your educational institution purchased other Google cloud services and Google Drive is a part of those services. However, some users may use cloud storage services from other vendors. For each member of your faculty and staff and for each student, create a list of cloud storage services that includes the following details: +Typically, most Chromebook users use Google Drive for cloud storage services because your educational institution purchased other Google cloud services and Google Drive is a part of those services. However, some users may use cloud storage services from other vendors. For each member of your faculty and staff and for each student, create a list of cloud storage services that includes the following: - Name of the cloud storage service @@ -235,7 +235,7 @@ Typically, most Chromebook users use Google Drive for cloud storage services bec - Approximate storage currently in use per user -Use this information as the requirements for your cloud storage services after you migrate to Windows devices. If at the end of this discovery you determine there's no essential data being stored in cloud storage services that requires migration, then you can skip to the [Plan for cloud services migration](#plan-cloud-services) section. +Use this information as the requirements for your cloud storage services after you migrate to Windows devices. If at the end of this discovery you determine there is no essential data being stored in cloud storage services that requires migration, then you can skip to the [Plan for cloud services migration](#plan-cloud-services) section. **Optimize cloud storage services migration plan** @@ -245,7 +245,7 @@ Consider the following to help optimize your cloud storage services migration pl - **Eliminate inactive user storage.** Before you perform the cloud storage services migration, identify cloud storage that is currently allocated to inactive users. Remove this storage from your list of cloud storage to migrate. -- **Eliminate or archive inactive files.** Review cloud storage to identify files that are inactive (haven't been accessed for some period of time). Eliminate or archive these files so that they don't consume cloud storage. +- **Eliminate or archive inactive files.** Review cloud storage to identify files that are inactive (have not been accessed for some period of time). Eliminate or archive these files so that they do not consume cloud storage. - **Consolidate cloud storage services.** If multiple cloud storage services are in use, reduce the number of cloud storage services and standardize on one cloud storage service. This will help reduce management complexity, support time, and typically will reduce cloud storage costs. @@ -254,15 +254,15 @@ Record your optimization changes in your cloud storage services migration plan. ## Plan for cloud services migration -Many of your users may use cloud services on their Chromebook device, such as Google Apps, Google Drive, or Google Apps Gmail. You've planned for these individual cloud services in the [Plan for app migration or replacement](#plan-app-migrate-replace), [Plan for Google Apps Gmail to Office 365 migration](#plan-email-migrate), and [Plan for cloud storage migration](#plan-cloud-storage-migration) sections. +Many of your users may use cloud services on their Chromebook device, such as Google Apps, Google Drive, or Google Apps Gmail. You have planned for these individual cloud services in the [Plan for app migration or replacement](#plan-app-migrate-replace), [Plan for Google Apps Gmail to Office 365 migration](#plan-email-migrate), and [Plan for cloud storage migration](#plan-cloud-storage-migration) sections. -In this section, you'll create a combined list of these cloud services and then select the appropriate strategy to migrate these cloud services. +In this section, you will create a combined list of these cloud services and then select the appropriate strategy to migrate these cloud services. ### **Identify cloud services currently in use** -You've already identified the individual cloud services that are currently in use in your educational institution in the [Plan for app migration or replacement](#plan-app-migrate-replace), [Plan for Google Apps Gmail to Office 365 migration](#plan-email-migrate), and [Plan for cloud storage migration](#plan-cloud-storage-migration) sections. Create a unified list of these cloud services and record the following details about each service: +You have already identified the individual cloud services that are currently in use in your educational institution in the [Plan for app migration or replacement](#plan-app-migrate-replace), [Plan for Google Apps Gmail to Office 365 migration](#plan-email-migrate), and [Plan for cloud storage migration](#plan-cloud-storage-migration) sections. Create a unified list of these cloud services and record the following about each service: - Cloud service name @@ -274,9 +274,9 @@ You've already identified the individual cloud services that are currently in us One of the first questions you should ask after you identify the cloud services currently in use is, “Why do we need to migrate from these cloud services?” The answer to this question largely comes down to finances and features. -Here's a list of reasons that describe why you might want to migrate from an existing cloud service to Microsoft cloud services: +Here is a list of reasons that describe why you might want to migrate from an existing cloud service to Microsoft cloud services: -- **Better integration with Office 365.** If your long-term strategy is to migrate to Office 365 apps (such as Word 2016 or Excel 2016), then a migration to Microsoft cloud services will provide better integration with these apps. The use of existing cloud services may not be as intuitive for users. For example, Office 365 apps will integrate better with OneDrive for Business compared to Google Drive. +- **Better integration with Office 365.** If your long-term strategy is to migrate to Office 365 apps (such as Word 2016 or Excel 2016) then a migration to Microsoft cloud services will provide better integration with these apps. The use of existing cloud services may not be as intuitive for users. For example, Office 365 apps will integrate better with OneDrive for Business compared to Google Drive. - **Online apps offer better document compatibility.** Microsoft Office apps (such as Word and Excel for the web) provide the highest level of compatibility with Microsoft Office documents. The Office apps allow you to open and edit documents directly from SharePoint or OneDrive for Business. Users can access the Office app from any device with Internet connectivity. @@ -288,7 +288,7 @@ Review the list of existing cloud services that you created in the [Identify clo **Prioritize cloud services** -After you've created your aggregated list of cloud services currently in use by Chromebook users, prioritize each cloud service. Evaluate each cloud service and assign a priority based on the levels of high, medium, and low. +After you have created your aggregated list of cloud services currently in use by Chromebook users, prioritize each cloud service. Evaluate each cloud service and assign a priority based on the levels of high, medium, and low. Assign the priority based on how critical the cloud service is to the faculty and staff performing their day-to-day tasks and how the cloud service affects the curriculum in the classrooms. Also, make cloud services that are causing pain for the users a higher priority. For example, if users experience outages with a specific cloud service, then make migration of that cloud service a higher priority. @@ -298,7 +298,7 @@ Focus on the migration of higher priority cloud services first and put less effo **Select cloud services migration strategy** -When you deploy the Windows devices, should you migrate the faculty, staff, and students to the new cloud services? Perhaps. But, in most instances you'll want to select a migration strategy that introduces a number of small changes over a period of time. +When you deploy the Windows devices, should you migrate the faculty, staff, and students to the new cloud services? Perhaps. But, in most instances you will want to select a migration strategy that introduces a number of small changes over a period of time. Consider the following when you create your cloud services migration strategy: @@ -306,11 +306,11 @@ Consider the following when you create your cloud services migration strategy: - **Start off by using existing apps and cloud services.** Immediately after the migration to Windows devices, you may want to consider running the existing apps and cloud services (such Google Apps, Google Apps Gmail, and Google Drive). This gives users a familiar method to perform their day-to-day tasks. -- **Resolve pain points.** If some existing apps or cloud services cause problems, you may want to migrate them sooner rather than later. In most instances, users will be happy to go through the learning curve of a new app or cloud service if it's more reliable or intuitive for them to use. +- **Resolve pain points.** If some existing apps or cloud services cause problems, you may want to migrate them sooner rather than later. In most instances, users will be happy to go through the learning curve of a new app or cloud service if it is more reliable or intuitive for them to use. - **Migrate classrooms or users with common curriculum.** Migrate to Windows devices for an entire classroom or for multiple classrooms that share common curriculum. You must ensure that the necessary apps and cloud services are available for the curriculum prior to the migration of one or more classrooms. -- **Migrate when the fewest number of active users are affected.** Migrate your cloud services at the end of an academic year or end of a semester. This will ensure you have minimal impact on faculty, staff, and students. Also, a migration during this time will minimize the learning curve for users as they're probably dealing with new curriculum for the next semester. Also, you may not need to migrate student apps and data because many educational institutions don't preserve data between semesters or academic years. +- **Migrate when the fewest number of active users are affected.** Migrate your cloud services at the end of an academic year or end of a semester. This will ensure you have minimal impact on faculty, staff, and students. Also, a migration during this time will minimize the learning curve for users as they are probably dealing with new curriculum for the next semester. Also, you may not need to migrate student apps and data because many educational institutions do not preserve data between semesters or academic years. - **Overlap existing and new cloud services.** For faculty and staff, consider overlapping the existing and new cloud services (having both services available) for one business cycle (end of semester or academic year) after migration. This allows you to easily recover any data that might not have migrated successfully from the existing cloud services. At a minimum, overlap the user of existing and new cloud services until the user can verify the migration. Of course, the tradeoff for using this strategy is the cost of the existing cloud services. However, depending on when license renewal occurs, the cost may be minimal. @@ -319,7 +319,7 @@ Consider the following when you create your cloud services migration strategy: You need to plan for Windows device deployment to help ensure that the devices are successfully installed and configured to replace the Chromebook devices. Even if the vendor that provides the devices pre-loads Windows 10 on them, you still will need to perform other tasks. -In this section, you'll select a Windows device deployment strategy; plan for Active Directory Domain Services (AD DS) and Azure AD services; plan for device, user, and app management; and plan for any necessary network infrastructure remediation. +In this section you will select a Windows device deployment strategy; plan for Active Directory Domain Services (AD DS) and Azure AD services; plan for device, user, and app management; and plan for any necessary network infrastructure remediation. ### @@ -329,17 +329,17 @@ What decisions need to be made about Windows device deployment? You just put the For each classroom that has Chromebook devices, select a combination of the following device deployment strategies: -- **Deploy one classroom at a time.** In most cases, you'll want to perform your deployment in batches of devices and a classroom is an excellent way to batch devices. You can treat each classroom as a unit and check each classroom off your list after you've deployed the devices. +- **Deploy one classroom at a time.** In most cases you will want to perform your deployment in batches of devices and a classroom is an excellent way to batch devices. You can treat each classroom as a unit and check each classroom off your list after you have deployed the devices. -- **Deploy based on curriculum.** Deploy the Windows devices after you've confirmed that the curriculum is ready for the Windows devices. If you deploy Windows devices without the curriculum installed and tested, you could significantly reduce the ability for students and teachers to perform effectively in the classroom. Also, deployment based on curriculum has the advantage of letting you move from classroom to classroom quickly if multiple classrooms use the same curriculum. +- **Deploy based on curriculum.** Deploy the Windows devices after you have confirmed that the curriculum is ready for the Windows devices. If you deploy Windows devices without the curriculum installed and tested, you could significantly reduce the ability for students and teachers to perform effectively in the classroom. Also, deployment based on curriculum has the advantage of letting you move from classroom to classroom quickly if multiple classrooms use the same curriculum. -- **Deploy side-by-side.** In some instances, you may need to have both the Chromebook and Windows devices in one or more classrooms. You can use this strategy if some of the curriculum only works on Chromebook and other parts of the curriculum works on Windows devices. This is a good method to help prevent delays in Windows device deployment, while ensuring that students and teachers can make optimal use of technology in their curriculum. +- **Deploy side-by-side.** In some instances you may need to have both the Chromebook and Windows devices in one or more classrooms. You can use this strategy if some of the curriculum only works on Chromebook and other parts of the curriculum works on Windows devices. This is a good method to help prevent delays in Windows device deployment, while ensuring that students and teachers can make optimal use of technology in their curriculum. - **Deploy after apps and cloud services migration.** If you deploy a Windows device without the necessary apps and cloud services to support the curriculum, this provides only a portion of your complete solution. Ensure that the apps and cloud services are tested, provisioned, and ready for use prior to the deployment of Windows devices. -- **Deploy after the migration of user and device settings.** Ensure that you've identified the user and device settings that you plan to migrate and that those settings are ready to be applied to the new Windows devices. For example, you would want to create Group Policy Objects (GPOs) to apply the user and device settings to Windows devices. +- **Deploy after the migration of user and device settings.** Ensure that you have identified the user and device settings that you plan to migrate and that those settings are ready to be applied to the new Windows devices. For example, you would want to create Group Policy Objects (GPOs) to apply the user and device settings to Windows devices. - If you ensure that Windows devices closely mirror the Chromebook device configuration, you'll ease user learning curve and create a sense of familiarity. Also, when you have the settings ready to be applied to the devices, it helps ensure you'll deploy your new Windows devices in a secure configuration. + If you ensure that Windows devices closely mirror the Chromebook device configuration, you will ease user learning curve and create a sense of familiarity. Also, when you have the settings ready to be applied to the devices, it helps ensure you will deploy your new Windows devices in a secure configuration. Record the combination of Windows device deployment strategies that you selected. @@ -347,7 +347,7 @@ Record the combination of Windows device deployment strategies that you selected **Plan for AD DS and Azure AD services** -The next decision you'll need to make concerns AD DS and Azure AD services. You can run AD DS on-premises, in the cloud by using Azure AD, or a combination of both (hybrid). The decision about which of these options is best is closely tied to how you'll manage your users, apps, and devices and if you'll use Office 365 and other Azure-based cloud services. +The next decision you will need to make concerns AD DS and Azure AD services. You can run AD DS on-premises, in the cloud by using Azure AD, or a combination of both (hybrid). The decision about which of these options is best is closely tied to how you will manage your users, apps, and devices and if you will use Office 365 and other Azure-based cloud services. In the hybrid configuration, your on-premises AD DS user and group objects are synchronized with Azure AD (including passwords). The synchronization happens both directions so that changes are made in both your on-premises AD DS and Azure AD. @@ -362,13 +362,13 @@ Table 5. Select on-premises AD DS, Azure AD, or hybrid |Use Microsoft Endpoint Manager for management|✔️||✔️| |Use Group Policy for management|✔️||✔️| |Have devices that are domain-joined|✔️||✔️| -|Allow faculty and students to Bring Your Own Device (BYOD) which aren't domain-joined||✔️|✔️| +|Allow faculty and students to Bring Your Own Device (BYOD) which are not domain-joined||✔️|✔️| ### **Plan device, user, and app management** -You may ask the question, “Why plan for device, user, and app management before you deploy the device?” The answer is that you'll only deploy the device once, but you'll manage the device throughout the remainder of the device's lifecycle. +You may ask the question, “Why plan for device, user, and app management before you deploy the device?” The answer is that you will only deploy the device once, but you will manage the device throughout the remainder of the device's lifecycle. Also, planning management before deployment is essential to being ready to support the devices as you deploy them. You want to have your management processes and technology in place when the first teachers, facility, or students start using their new Windows device. @@ -384,11 +384,11 @@ Table 6. Device, user, and app management products and technologies |Deploy software updates during operating system deployment|||✔️||✔️|| |Deploy software updates after operating system deployment|✔️|✔️|✔️|✔️||✔️| |Support devices that are domain-joined|✔️|✔️|✔️|✔️|✔️|| -|Support devices that aren't domain-joined|✔️|||✔️|✔️|| +|Support devices that are not domain-joined|✔️|||✔️|✔️|| |Use on-premises resources|✔️|✔️|✔️||✔️|| |Use cloud-based services||||✔️||| -You can use Configuration Manager and Intune in conjunction with each other to provide features from both products and technologies. In some instances, you may need only one of these products or technologies. In other instances, you may need two or more to meet the device, user, and app management needs for your institution. +You can use Configuration Manager and Intune in conjunction with each other to provide features from both products and technologies. In some instances you may need only one of these products or technologies. In other instances, you may need two or more to meet the device, user, and app management needs for your institution. Record the device, user, and app management products and technologies that you selected. @@ -402,19 +402,19 @@ Examine each of the following network infrastructure technologies and services a - **Domain Name System (DNS)** provides translation between a device name and its associated IP address. For Chromebook devices, public facing, Internet DNS services are the most important. For Windows devices that only access the Internet, they have the same requirements. - However, if you intend to communicate between Windows devices (peer-to-peer or client/server) then you'll need local DNS services. Windows devices will register their name and IP address with the local DNS services so that Windows devices can locate each other. + However, if you intend to communicate between Windows devices (peer-to-peer or client/server) then you will need local DNS services. Windows devices will register their name and IP address with the local DNS services so that Windows devices can locate each other. - **Dynamic Host Configuration Protocol (DHCP)** provides automatic IP configuration for devices. Your existing Chromebook devices probably use DHCP for configuration. If you plan to immediately replace the Chromebook devices with Windows devices, then you only need to release all the DHCP reservations for the Chromebook devices prior to the deployment of Windows devices. - If you plan to run Chromebook and Windows devices side by side, then you need to ensure that your DHCP service has adequate IP addresses available for both sets of devices. + If you plan to run Chromebook and Windows devices side-by-side, then you need to ensure that your DHCP service has adequate IP addresses available for both sets of devices. - **Wi-Fi.** Chromebook devices are designed to connect to Wi-Fi networks. Windows devices are the same. Your existing Wi-Fi network for the Chromebook devices should be adequate for the same number of Windows devices. - If you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side by side, then you need to ensure that Wi-Fi network can support the number of devices. + If you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side-by-side, then you need to ensure that Wi-Fi network can support the number of devices. - **Internet bandwidth.** Chromebook devices consume more Internet bandwidth (up to 700 times more) than Windows devices. This means that if your existing Internet bandwidth is adequate for the Chromebook devices, then the bandwidth will be more than adequate for Windows devices. - However, if you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side by side, then you need to ensure that your Internet connection can support the number of devices. + However, if you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side-by-side, then you need to ensure that your Internet connection can support the number of devices. For more information that compares Internet bandwidth consumption for Chromebook and Windows devices, see the following resources: @@ -426,16 +426,16 @@ Examine each of the following network infrastructure technologies and services a - **Power.** Although not specifically a network infrastructure, you need to ensure your classrooms have adequate power. Chromebook and Windows devices should consume similar amounts of power. This means that your existing power outlets should support the same number of Windows devices. - If you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side by side, you need to ensure that the power outlets, power strips, and other power management components can support the number of devices. + If you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side-by-side, you need to ensure that the power outlets, power strips, and other power management components can support the number of devices. At the end of this process, you may determine that no network infrastructure remediation is necessary. If so, you can skip the [Perform network infrastructure remediation](#network-infra-remediation) section of this guide. ## Perform Chromebook migration -Thus far, planning has been the primary focus. Believe it or not most of the work is now done. The rest of the Chromebook migration is just the implementation of the plan you've created. +Thus far, planning has been the primary focus. Believe it or not most of the work is now done. The rest of the Chromebook migration is just the implementation of the plan you have created. -In this section, you'll perform the necessary steps for the Chromebook device migration. You'll perform the migration based on the planning decision that you made in the [Plan Chromebook migration](#plan-migration) section earlier in this guide. +In this section you will perform the necessary steps for the Chromebook device migration. You will perform the migration based on the planning decision that you made in the [Plan Chromebook migration](#plan-migration) section earlier in this guide. You must perform some of the steps in this section in a specific sequence. Each section has guidance about when to perform a step. You can perform other steps before, during, or after the migration. Again, each section will tell you if the sequence is important. @@ -444,7 +444,7 @@ You must perform some of the steps in this section in a specific sequence. Each The first migration task is to perform any network infrastructure remediation. In the [Plan network infrastructure remediation](#plan-network-infra-remediation) section, you determined the network infrastructure remediation (if any) that you needed to perform. -It's important that you perform any network infrastructure remediation first because the remaining migration steps are dependent on the network infrastructure. Table 7 lists the Microsoft network infrastructure products and technologies and deployment resources for each. +It is important that you perform any network infrastructure remediation first because the remaining migration steps are dependent on the network infrastructure. Table 7 lists the Microsoft network infrastructure products and technologies and deployment resources for each. Table 7. Network infrastructure products and technologies and deployment resources @@ -459,11 +459,11 @@ If you use network infrastructure products and technologies from other vendors, ## Perform AD DS and Azure AD services deployment or remediation -It's important that you perform AD DS and Azure AD services deployment or remediation right after you finish network infrastructure remediation. Many of the remaining migration steps are dependent on you having your identity system (AD DS or Azure AD) in place and up to necessary expectations. +It is important that you perform AD DS and Azure AD services deployment or remediation right after you finish network infrastructure remediation. Many of the remaining migration steps are dependent on you having your identity system (AD DS or Azure AD) in place and up to necessary expectations. In the [Plan for Active Directory services](#plan-adservices) section, you determined the AD DS and/or Azure AD deployment or remediation (if any) that needed to be performed. Table 8 list AD DS, Azure AD, and the deployment resources for both. Use the resources in this table to deploy or remediate on-premises AD DS, Azure AD, or both. -Table 8. AD DS, Azure AD, and deployment resources +Table 8. AD DS, Azure AD and deployment resources |Product or technology|Resources| |--- |--- | @@ -475,7 +475,7 @@ If you decided not to migrate to AD DS or Azure AD as a part of the migration, o ## Prepare device, user, and app management systems -In the [Plan device, user, and app management](#plan-userdevapp-manage) section of this guide, you selected the products and technologies that you'll use to manage devices, users, and apps on Windows devices. You need to prepare your management systems prior to Windows 10 device deployment. You'll use these management systems to manage the user and device settings that you selected to migrate in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section. You need to prepare these systems prior to the migration of user and device settings. +In the [Plan device, user, and app management](#plan-userdevapp-manage) section of this guide, you selected the products and technologies that you will use to manage devices, users, and apps on Windows devices. You need to prepare your management systems prior to Windows 10 device deployment. You will use these management systems to manage the user and device settings that you selected to migrate in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section. You need to prepare these systems prior to the migration of user and device settings. Table 9 lists the Microsoft management systems and the deployment resources for each. Use the resources in this table to prepare (deploy or remediate) these management systems. @@ -547,7 +547,7 @@ Alternatively, if you want to migrate to Office 365 from: ## Perform cloud storage migration -In the [Plan for cloud storage migration](#plan-cloud-storage-migration) section, you identified the cloud storage services currently in use, selected the Microsoft cloud storage services that you'll use, and optimized your cloud storage services migration plan. You can perform the cloud storage migration before or after you deploy the Windows devices. +In the [Plan for cloud storage migration](#plan-cloud-storage-migration) section, you identified the cloud storage services currently in use, selected the Microsoft cloud storage services that you will use, and optimized your cloud storage services migration plan. You can perform the cloud storage migration before or after you deploy the Windows devices. Manually migrate the cloud storage migration by using the following steps: diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md index 18a0661d81..27b3806af5 100644 --- a/education/windows/configure-windows-for-education.md +++ b/education/windows/configure-windows-for-education.md @@ -20,24 +20,24 @@ manager: dansimp - Windows 10 -Privacy is important to us, we want to provide you with ways to customize the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, for usage with [education editions of Windows 10](windows-editions-for-education-customers.md) in education environments. These features work on all Windows 10 editions, but education editions of Windows 10 have the settings preconfigured. We recommend that all Windows 10 devices in an education setting be configured with **[SetEduPolicies](#setedupolicies)** enabled. For more information, see the following table. To learn more about Microsoft's commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305). +Privacy is important to us, we want to provide you with ways to customize the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, for usage with [education editions of Windows 10](windows-editions-for-education-customers.md) in education environments. These features work on all Windows 10 editions, but education editions of Windows 10 have the settings preconfigured. We recommend that all Windows 10 devices in an education setting be configured with **[SetEduPolicies](#setedupolicies)** enabled. See the following table for more information. To learn more about Microsoft's commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305). We want all students to have the chance to use the apps they need for success in the classroom and all school personnel to have apps they need for their job. Students and school personnel who use assistive technology apps not available in the Microsoft Store for Education, and use devices running Windows 10 S, will be able to configure the device at no additional charge to Windows 10 Pro Education. To learn more about the steps to configure this, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md). -In Windows 10, version 1703 (Creators Update), it's straightforward to configure Windows to be education ready. +In Windows 10, version 1703 (Creators Update), it is straightforward to configure Windows to be education ready. | Area | How to configure | What this does | Windows 10 Education | Windows 10 Pro Education | Windows 10 S | | --- | --- | --- | --- | --- | --- | | **Diagnostic Data** | **AllowTelemetry** | Sets Diagnostic Data to [Basic](/windows/configuration/configure-windows-telemetry-in-your-organization) | This is already set | This is already set | The policy must be set | | **Microsoft consumer experiences** | **SetEduPolicies** | Disables suggested content from Windows such as app recommendations | This is already set | This is already set | The policy must be set | -| **Cortana** | **AllowCortana** | Disables Cortana

                      * Cortana is enabled by default on all editions in Windows 10, version 1703 | If using Windows 10 Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana.

                      See the [Recommended configuration](#recommended-configuration) section for recommended Cortana settings. | If using Windows 10 Pro Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana.

                      See the [Recommended configuration](#recommended-configuration) section for recommended Cortana settings. | See the [Recommended configuration](#recommended-configuration) section for recommended Cortana settings. | +| **Cortana** | **AllowCortana** | Disables Cortana

                      * Cortana is enabled by default on all editions in Windows 10, version 1703 | If using Windows 10 Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana.

                      See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | If using Windows 10 Pro Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana.

                      See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | | **Safe search** | **SetEduPolicies** | Locks Bing safe search to Strict in Microsoft Edge | This is already set | This is already set | The policy must be set | | **Bing search advertising** | Ad free search with Bing | Disables ads when searching the internet with Bing in Microsoft Edge. See [Ad-free search with Bing](#ad-free-search-with-bing | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | -| **Apps** | **SetEduPolicies** | Preinstalled apps like Microsoft Edge, Movies & TV, Groove, and Skype become education ready

                      * Any app can detect Windows is running in an education-ready configuration through [IsEducationEnvironment](/uwp/api/windows.system.profile.educationsettings) | This is already set | This is already set | The policy must be set | +| **Apps** | **SetEduPolicies** | Preinstalled apps like Microsoft Edge, Movies & TV, Groove, and Skype become education ready

                      * Any app can detect Windows is running in an education ready configuration through [IsEducationEnvironment](/uwp/api/windows.system.profile.educationsettings) | This is already set | This is already set | The policy must be set | ## Recommended configuration -It's easy to be education ready when using Microsoft products. We recommend the following configuration: +It is easy to be education ready when using Microsoft products. We recommend the following configuration: 1. Use an Office 365 Education tenant. @@ -55,9 +55,9 @@ It's easy to be education ready when using Microsoft products. We recommend the * Use Set up School PCs or Windows Configuration Designer to bulk enroll to Azure AD. * Manually Azure AD join the PC during the Windows device setup experience. 3. Enroll the PCs in MDM. - * If you've activated Intune for Education in your Azure AD tenant, enrollment will happen automatically when the PC is joined to Azure AD. Intune for Education will automatically set **SetEduPolicies** to True and **AllowCortana** to False. + * If you have activated Intune for Education in your Azure AD tenant, enrollment will happen automatically when the PC is joined to Azure AD. Intune for Education will automatically set **SetEduPolicies** to True and **AllowCortana** to False. 4. Ensure that needed assistive technology apps can be used. - * If you have students or school personnel who rely on assistive technology apps that aren't available in the Microsoft Store for Education, and who are using a Windows 10 S device, configure their device to Windows 10 Pro Education to allow the download and use of non-Microsoft Store assistive technology apps. See [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) for more info. + * If you have students or school personnel who rely on assistive technology apps that are not available in the Microsoft Store for Education, and who are using a Windows 10 S device, configure their device to Windows 10 Pro Education to allow the download and use of non-Microsoft Store assistive technology apps. See [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) for more info. 4. Distribute the PCs to students. @@ -77,7 +77,7 @@ You can set all the education compliance areas through both provisioning and man - [Intune for Education](/intune-education/available-settings) ## AllowCortana -**AllowCortana** is a policy that enables or disables Cortana. It's a policy node in the Policy configuration service provider, [AllowCortana](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcortana). +**AllowCortana** is a policy that enables or disables Cortana. It is a policy node in the Policy configuration service provider, [AllowCortana](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcortana). > [!NOTE] > See the [Recommended configuration](#recommended-configuration) section for recommended Cortana settings. @@ -109,7 +109,7 @@ Set **Computer Configuration > Administrative Templates > Windows Components > S ![Set AllowCortana to No in Windows Configuration Designer.](images/allowcortana_wcd.png) ## SetEduPolicies -**SetEduPolicies** is a policy that applies a set of configuration behaviors to Windows. It's a policy node in the [SharedPC configuration service provider](/windows/client-management/mdm/sharedpc-csp). +**SetEduPolicies** is a policy that applies a set of configuration behaviors to Windows. It is a policy node in the [SharedPC configuration service provider](/windows/client-management/mdm/sharedpc-csp). Use one of these methods to set this policy. @@ -126,11 +126,11 @@ Use one of these methods to set this policy. ![Create an OMA URI for SetEduPolices.](images/setedupolicies_omauri.png) ### Group Policy -**SetEduPolicies** isn't natively supported in Group Policy. Instead, use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to set the policy in [MDM SharedPC](/windows/win32/dmwmibridgeprov/mdm-sharedpc). +**SetEduPolicies** is not natively supported in Group Policy. Instead, use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to set the policy in [MDM SharedPC](/windows/win32/dmwmibridgeprov/mdm-sharedpc). For example: -- Open PowerShell as an administrator and enter the following command: +- Open PowerShell as an administrator and enter the following: ``` $sharedPC = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_SharedPC" diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md index ba986f6e8a..2c43aa28c6 100644 --- a/education/windows/deploy-windows-10-in-a-school-district.md +++ b/education/windows/deploy-windows-10-in-a-school-district.md @@ -20,18 +20,18 @@ manager: dansimp - Windows 10 -This guide shows you how to deploy the Windows 10 operating system in a school district. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Endpoint Configuration Manager, Microsoft Intune, and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you'll perform after initial deployment and the automated tools and built-in features of the operating system. +This guide shows you how to deploy the Windows 10 operating system in a school district. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Endpoint Configuration Manager, Microsoft Intune, and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you will perform after initial deployment and the automated tools and built-in features of the operating system. ## Prepare for district deployment -Proper preparation is essential for a successful district deployment. To avoid common mistakes, your first step is to plan a typical district configuration. As with building a house, you need a blueprint for what your district and individual schools should look like when it’s finished. The second step in preparation is to learn how you'll manage the users, apps, and devices in your district. Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your district. +Proper preparation is essential for a successful district deployment. To avoid common mistakes, your first step is to plan a typical district configuration. As with building a house, you need a blueprint for what your district and individual schools should look like when it’s finished. The second step in preparation is to learn how you will manage the users, apps, and devices in your district. Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your district. > [!NOTE] > This guide focuses on Windows 10 deployment and management in a district. For management of other devices and operating systems in education environments, see [Manage BYOD and corporate-owned devices with MDM solutions](https://www.microsoft.com/cloud-platform/mobile-device-management). ### Plan a typical district configuration -As part of preparing for your district deployment, you need to plan your district configuration— the focus of this guide. Figure 1 illustrates a typical finished district configuration that you can use as a model (the blueprint in our builder analogy) for the finished state. +As part of preparing for your district deployment, you need to plan your district configuration — the focus of this guide. Figure 1 illustrates a typical finished district configuration that you can use as a model (the blueprint in our builder analogy) for the finished state. > [!div class="mx-imgBorder"] > ![Typical district configuration for this guide.](images/edu-districtdeploy-fig1.png "Typical district configuration for this guide") @@ -132,9 +132,9 @@ For more information about Office 365 Education features and an FAQ, go to [Offi ### How to configure a district -Now that you have the plan (blueprint) for your district and individual schools and classrooms, you’re ready to learn about the tools you'll use to deploy it. There are many tools you could use to accomplish the task, but this guide focuses on using those tools that require the least infrastructure and technical knowledge. +Now that you have the plan (blueprint) for your district and individual schools and classrooms, you’re ready to learn about the tools you will use to deploy it. There are many tools you could use to accomplish the task, but this guide focuses on using those tools that require the least infrastructure and technical knowledge. -The primary tool you'll use to deploy Windows 10 in your school is MDT, which uses Windows ADK components to make deployment easier. You could just use the Windows ADK to perform your deployment, but MDT simplifies the process by providing an intuitive, wizard-driven user interface (UI). +The primary tool you will use to deploy Windows 10 in your school is MDT, which uses Windows ADK components to make deployment easier. You could just use the Windows ADK to perform your deployment, but MDT simplifies the process by providing an intuitive, wizard-driven user interface (UI). You can use MDT as a stand-alone tool or integrate it with Microsoft Endpoint Configuration Manager. As a stand-alone tool, MDT performs Lite Touch Installation (LTI) deployments—deployments that require minimal infrastructure and allow you to control the level of automation. When integrated with Configuration Manager, MDT performs Zero Touch Installation (ZTI) deployments, which require more infrastructure (such as Configuration Manager) but result in fully automated deployments. @@ -142,7 +142,7 @@ This guide focuses on LTI deployments to deploy the reference device. You can us MDT includes the Deployment Workbench, a console from which you can manage the deployment of Windows 10 and your apps. You configure the deployment process in the Deployment Workbench, including the management of operating systems, device drivers, apps, and migration of user settings on existing devices. -LTI performs deployment from a *deployment share*—a network-shared folder on the device on which you installed MDT. You can perform over-the-network deployments from the deployment share or perform deployments from a local copy of the deployment share on a USB drive or DVD. You'll learn more about MDT in [Prepare the admin device](#prepare-the-admin-device), earlier in this article. +LTI performs deployment from a *deployment share* — a network-shared folder on the device on which you installed MDT. You can perform over-the-network deployments from the deployment share or perform deployments from a local copy of the deployment share on a USB drive or DVD. You will learn more about MDT in [Prepare the admin device](#prepare-the-admin-device), earlier in this article. The focus of MDT is deployment, so you also need tools that help you manage your Windows 10 devices and apps. You can manage Windows 10 devices and apps with Intune, the Compliance Management feature in Office 365, or Group Policy in AD DS. You can use any combination of these tools based on your school requirements. @@ -152,19 +152,19 @@ The configuration process requires the following devices: * **Admin device.** This is the device you use for your day-to-day job functions. It’s also the one you use to create and manage the Windows 10 and app deployment process. You install the Windows ADK, MDT, and the Configuration Manager Console on this device. -* **Reference devices.** These are the devices that you'll use as a template for the faculty and student devices. You install Windows 10 and Windows desktop apps on these devices, and then capture an image (.wim file) of the devices. +* **Reference devices.** These are the devices that you will use as a template for the faculty and student devices. You install Windows 10 and Windows desktop apps on these devices, and then capture an image (.wim file) of the devices. - You'll have a reference device for each type of device in your district. For example, if your district has Surface, HP Stream, Dell Inspiron, and Lenovo Yoga devices, then you would have a reference device for each model. For more information about approved Windows 10 devices, see [Explore devices](https://www.microsoft.com/windows/view-all). + You will have a reference device for each type of device in your district. For example, if your district has Surface, HP Stream, Dell Inspiron, and Lenovo Yoga devices, then you would have a reference device for each model. For more information about approved Windows 10 devices, see [Explore devices](https://www.microsoft.com/windows/view-all). * **Faculty and staff devices.** These are the devices that the teachers, faculty, and staff use for their day-to-day job functions. You use the admin device to deploy (or upgrade) Windows 10 and apps to these devices. -* **Student devices.** The students will use these devices. You'll use the admin device deploy (or upgrade) Windows 10 and apps to them. +* **Student devices.** The students will use these devices. You will use the admin device deploy (or upgrade) Windows 10 and apps to them. The high-level process for deploying and configuring devices within individual classrooms, individual schools, and the district as a whole is as follows and illustrated in Figure 4: 1. Prepare the admin device for use, which includes installing the Windows ADK, MDT, and the Configuration Manager console. -2. On the admin device, create and configure the Office 365 Education subscription that you'll use for the district’s classrooms. +2. On the admin device, create and configure the Office 365 Education subscription that you will use for the district’s classrooms. 3. On the admin device, configure integration between on-premises AD DS and Azure AD (if you have an on premises AD DS configuration). @@ -217,7 +217,7 @@ Some constraints exist in these scenarios. As you select the deployment and mana * You can use Group Policy or Intune to manage configuration settings on a device but not both. * You can use Microsoft Endpoint Manager or Intune to manage apps and updates on a device but not both. -* You can't manage multiple users on a device with Intune if the device is AD DS domain joined. +* You cannot manage multiple users on a device with Intune if the device is AD DS domain joined. Use the cloud-centric scenario and on-premises and cloud scenario as a guide for your district. You may need to customize these scenarios, however, based on your district. As you go through the [Select the deployment methods](#select-the-deployment-methods), [Select the configuration setting management methods](#select-the-configuration-setting-management-methods), and the [Select the app and update management products](#select-the-app-and-update-management-products) sections, remember these scenarios and use them as the basis for your district. @@ -228,7 +228,7 @@ To deploy Windows 10 and your apps, you can use MDT by itself or Microsoft Endpo |Method|Description| |--- |--- | |MDT|MDT is an on-premises solution that supports initial operating system deployment and upgrade. You can use MDT to deploy and upgrade Windows 10. In addition, you can initially deploy Windows desktop and Microsoft Store apps and software updates.
                      Select this method when you:
                    • Want to deploy Windows 10 to institution-owned and personal devices. (Devices need not be domain joined.)
                    • Don’t have an existing AD DS infrastructure.
                    • Need to manage devices regardless of where they are (on or off premises).
                      The advantages of this method are that:
                    • You can deploy Windows 10 operating systems
                    • You can manage device drivers during initial deployment.
                    • You can deploy Windows desktop apps (during initial deployment)
                    • It doesn’t require an AD DS infrastructure.
                    • It doesn’t have additional infrastructure requirements.
                    • MDT doesn’t incur additional cost: it’s a free tool.
                    • You can deploy Windows 10 operating systems to institution-owned and personal devices.
                      The disadvantages of this method are that it:
                    • Can’t manage applications throughout entire application life cycle (by itself).
                    • Can’t manage software updates for Windows 10 and apps (by itself).
                    • Doesn’t provide antivirus and malware protection (by itself).
                    • Has limited scaling to large numbers of users and devices.| -|Microsoft Endpoint Configuration Manager|
                    • Configuration Manager is an on-premises solution that supports operating system management throughout the entire operating system life cycle
                    • You can use Configuration Manager to deploy and upgrade Windows 10. In addition, you can manage Windows desktop and Microsoft Store apps and software updates as well as provide antivirus and antimalware protection.
                      Select this method when you:
                    • Want to deploy Windows 10 to institution-owned devices that are domain joined (personal devices are typically not domain joined).
                    • Have an existing AD DS infrastructure (or plan to deploy an AD DS infrastructure).
                    • Typically deploy Windows 10 to on-premises devices.
                      The advantages of this method are that:
                    • You can deploy Windows 10 operating systems.
                    • You can manage (deploy) Windows desktop and Microsoft Store apps throughout entire application life cycle.
                    • You can manage software updates for Windows 10 and apps.
                    • You can manage antivirus and malware protection.
                    • It scales to large number of users and devices.
                      The disadvantages of this method are that it:
                    • Carries an additional cost for Microsoft Endpoint Manager server licenses (if the institution doesn't have Configuration Manager already).
                    • Can deploy Windows 10 only to domain-joined (institution-owned devices).
                    • Requires an AD DS infrastructure (if the institution doesn't have AD DS already).| +|Microsoft Endpoint Configuration Manager|
                    • Configuration Manager is an on-premises solution that supports operating system management throughout the entire operating system life cycle
                    • You can use Configuration Manager to deploy and upgrade Windows 10. In addition, you can manage Windows desktop and Microsoft Store apps and software updates as well as provide antivirus and antimalware protection.
                      Select this method when you:
                    • Want to deploy Windows 10 to institution-owned devices that are domain joined (personal devices are typically not domain joined).
                    • Have an existing AD DS infrastructure (or plan to deploy an AD DS infrastructure).
                    • Typically deploy Windows 10 to on-premises devices.
                      The advantages of this method are that:
                    • You can deploy Windows 10 operating systems.
                    • You can manage (deploy) Windows desktop and Microsoft Store apps throughout entire application life cycle.
                    • You can manage software updates for Windows 10 and apps.
                    • You can manage antivirus and malware protection.
                    • It scales to large number of users and devices.
                      The disadvantages of this method are that it:
                    • Carries an additional cost for Microsoft Endpoint Manager server licenses (if the institution does not have Configuration Manager already).
                    • Can deploy Windows 10 only to domain-joined (institution-owned devices).
                    • Requires an AD DS infrastructure (if the institution does not have AD DS already).| *Table 2. Deployment methods* @@ -249,8 +249,8 @@ For a district, there are many ways to manage the configuration setting for user |Method|Description| |--- |--- | -|Group Policy|Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows.
                      Select this method when you
                    • Want to manage institution-owned devices that are domain joined (personal devices are typically not domain joined).
                    • Want more granular control of device and user settings.
                    • Have an existing AD DS infrastructure.
                    • Typically manage on-premises devices.
                    • Can manage a required setting only by using Group Policy.
                      The advantages of this method include:
                    • No cost beyond the AD DS infrastructure.
                    • A larger number of settings (compared to Intune).
                      The disadvantages of this method are that it:
                    • Can only manage domain-joined (institution-owned devices).
                    • Requires an AD DS infrastructure (if the institution doesn't have AD DS already).
                    • Typically manages on-premises devices (unless devices use a virtual private network [VPN] or Microsoft DirectAccess to connect).
                    • Has rudimentary app management capabilities.
                    • Can't deploy Windows 10 operating systems.| -|Intune|Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.
                      Intune is the cloud-based management system described in this guide, but you can use other MDM providers. If you use an MDM provider other than Intune, integration with Configuration Manager is unavailable.
                      Select this method when you:
                    • Want to manage institution-owned and personal devices (doesn't require that the device be domain joined).
                    • Don’t need granular control over device and user settings (compared to Group Policy).
                    • Don’t have an existing AD DS infrastructure.
                    • Need to manage devices regardless of where they are (on or off premises).
                    • Want to provide application management for the entire application life cycle.
                    • Can manage a required setting only by using Intune.
                      The advantages of this method are that:
                    • You can manage institution-owned and personal devices.
                    • It doesn’t require that devices be domain joined.
                    • It doesn’t require any on-premises infrastructure.
                    • It can manage devices regardless of their location (on or off premises).
                      The disadvantages of this method are that it:
                    • Carries an additional cost for Intune subscription licenses.
                    • Doesn’t offer granular control over device and user settings (compared to Group Policy).
                    • Can't deploy Windows 10 operating systems.| +|Group Policy|Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows.
                      Select this method when you
                    • Want to manage institution-owned devices that are domain joined (personal devices are typically not domain joined).
                    • Want more granular control of device and user settings.
                    • Have an existing AD DS infrastructure.
                    • Typically manage on-premises devices.
                    • Can manage a required setting only by using Group Policy.
                      The advantages of this method include:
                    • No cost beyond the AD DS infrastructure.
                    • A larger number of settings (compared to Intune).
                      The disadvantages of this method are that it:
                    • Can only manage domain-joined (institution-owned devices).
                    • Requires an AD DS infrastructure (if the institution does not have AD DS already).
                    • Typically manages on-premises devices (unless devices use a virtual private network [VPN] or Microsoft DirectAccess to connect).
                    • Has rudimentary app management capabilities.
                    • Cannot deploy Windows 10 operating systems.| +|Intune|Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.
                      Intune is the cloud-based management system described in this guide, but you can use other MDM providers. If you use an MDM provider other than Intune, integration with Configuration Manager is unavailable.
                      Select this method when you:
                    • Want to manage institution-owned and personal devices (does not require that the device be domain joined).
                    • Don’t need granular control over device and user settings (compared to Group Policy).
                    • Don’t have an existing AD DS infrastructure.
                    • Need to manage devices regardless of where they are (on or off premises).
                    • Want to provide application management for the entire application life cycle.
                    • Can manage a required setting only by using Intune.
                      The advantages of this method are that:
                    • You can manage institution-owned and personal devices.
                    • It doesn’t require that devices be domain joined.
                    • It doesn’t require any on-premises infrastructure.
                    • It can manage devices regardless of their location (on or off premises).
                      The disadvantages of this method are that it:
                    • Carries an additional cost for Intune subscription licenses.
                    • Doesn’t offer granular control over device and user settings (compared to Group Policy).
                    • Cannot deploy Windows 10 operating systems.| *Table 4. Configuration setting management methods* @@ -271,9 +271,9 @@ Use the information in Table 6 to determine which combination of app and update |Selection|Management method| |--- |--- | -|Microsoft Endpoint Configuration Manager|Configuration Manager is an on-premises solution that allows you to specify configuration settings for Windows 10; previous versions of Windows; and other operating systems, such as iOS or Android, through integration with Intune. Configuration Manager supports application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager. You can also manage Windows desktop and Microsoft Store applications. Select this method when you:
                    • Selected Configuration Manager to deploy Windows 10.
                    • Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).
                    • Want to manage AD DS domain-joined devices.
                    • Have an existing AD DS infrastructure.
                    • Typically manage on-premises devices.
                    • Want to deploy operating systems.
                    • Want to provide application management for the entire application life cycle.
                      The advantages of this method are that:
                    • You can deploy Windows 10 operating systems.
                    • You can manage applications throughout the entire application life cycle.
                    • You can manage software updates for Windows 10 and apps.
                    • You can manage antivirus and malware protection.
                    • It scales to large numbers of users and devices.
                      The disadvantages of this method are that it:
                    • Carries an additional cost for Configuration Manager server licenses (if the institution doesn't have Configuration Manager already).
                    • Carries an additional cost for Windows Server licenses and the corresponding server hardware.
                    • Can only manage domain-joined (institution-owned devices).
                    • Requires an AD DS infrastructure (if the institution doesn't have AD DS already).
                    • Typically manages on-premises devices (unless devices through VPN or DirectAccess).| -|Intune|Intune is a cloud-based solution that allows you to manage apps and software updates for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.
                      Select this method when you:
                    • Selected MDT only to deploy Windows 10.
                    • Want to manage institution-owned and personal devices that aren't domain joined.
                    • Want to manage Azure AD domain-joined devices.
                    • Need to manage devices regardless of where they are (on or off premises).
                    • Want to provide application management for the entire application life cycle.
                      The advantages of this method are that:
                    • You can manage institution-owned and personal devices.
                    • It doesn’t require that devices be domain joined.
                    • It doesn’t require on-premises infrastructure.vIt can manage devices regardless of their location (on or off premises).
                    • You can deploy keys to perform in-place Windows 10 upgrades (such as upgrading from Windows 10 Pro to Windows 10 Education edition).
                      The disadvantages of this method are that it:
                    • Carries an additional cost for Intune subscription licenses.
                    • Can't deploy Windows 10 operating systems.| -|Microsoft Endpoint Manager and Intune (hybrid)|Configuration Manager and Intune together extend Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both Configuration Manager and Intune.
                      Configuration Manager and Intune in the hybrid configuration allows you to support application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager, and you can manage Windows desktop and Microsoft Store applications for both institution-owned and personal devices.
                      Select this method when you:
                    • Selected Microsoft Endpoint Manager to deploy Windows 10.
                    • Want to manage institution-owned and personal devices (doesn't require that the device be domain joined).
                    • Want to manage domain-joined devices.
                    • Want to manage Azure AD domain-joined devices.
                    • Have an existing AD DS infrastructure.
                    • Want to manage devices regardless of their connectivity.vWant to deploy operating systems.
                    • Want to provide application management for the entire application life cycle.
                      The advantages of this method are that:
                    • You can deploy operating systems.
                    • You can manage applications throughout the entire application life cycle.
                    • You can scale to large numbers of users and devices.
                    • You can support institution-owned and personal devices.
                    • It doesn’t require that devices be domain joined.
                    • It can manage devices regardless of their location (on or off premises).
                      The disadvantages of this method are that it:
                    • Carries an additional cost for Configuration Manager server licenses (if the institution doesn't have Configuration Manager already).
                    • Carries an additional cost for Windows Server licenses and the corresponding server hardware.
                    • Carries an additional cost for Intune subscription licenses.
                    • Requires an AD DS infrastructure (if the institution doesn't have AD DS already).| +|Microsoft Endpoint Configuration Manager|Configuration Manager is an on-premises solution that allows you to specify configuration settings for Windows 10; previous versions of Windows; and other operating systems, such as iOS or Android, through integration with Intune.Configuration Manager supports application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager. You can also manage Windows desktop and Microsoft Store applications. Select this method when you:
                    • Selected Configuration Manager to deploy Windows 10.
                    • Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).
                    • Want to manage AD DS domain-joined devices.
                    • Have an existing AD DS infrastructure.
                    • Typically manage on-premises devices.
                    • Want to deploy operating systems.
                    • Want to provide application management for the entire application life cycle.
                      The advantages of this method are that:
                    • You can deploy Windows 10 operating systems.
                    • You can manage applications throughout the entire application life cycle.
                    • You can manage software updates for Windows 10 and apps.
                    • You can manage antivirus and malware protection.
                    • It scales to large numbers of users and devices.
                      The disadvantages of this method are that it:
                    • Carries an additional cost for Configuration Manager server licenses (if the institution does not have Configuration Manager already).
                    • Carries an additional cost for Windows Server licenses and the corresponding server hardware.
                    • Can only manage domain-joined (institution-owned devices).
                    • Requires an AD DS infrastructure (if the institution does not have AD DS already).
                    • Typically manages on-premises devices (unless devices through VPN or DirectAccess).| +|Intune|Intune is a cloud-based solution that allows you to manage apps and software updates for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.
                      Select this method when you:
                    • Selected MDT only to deploy Windows 10.
                    • Want to manage institution-owned and personal devices that are not domain joined.
                    • Want to manage Azure AD domain-joined devices.
                    • Need to manage devices regardless of where they are (on or off premises).
                    • Want to provide application management for the entire application life cycle.
                      The advantages of this method are that:
                    • You can manage institution-owned and personal devices.
                    • It doesn’t require that devices be domain joined.
                    • It doesn’t require on-premises infrastructure.vIt can manage devices regardless of their location (on or off premises).
                    • You can deploy keys to perform in-place Windows 10 upgrades (such as upgrading from Windows 10 Pro to Windows 10 Education edition).
                      The disadvantages of this method are that it:
                    • Carries an additional cost for Intune subscription licenses.
                    • Cannot deploy Windows 10 operating systems.| +|Microsoft Endpoint Manager and Intune (hybrid)|Configuration Manager and Intune together extend Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both Configuration Manager and Intune.
                      Configuration Manager and Intune in the hybrid configuration allow you to support application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager, and you can manage Windows desktop and Microsoft Store applications for both institution-owned and personal devices.
                      Select this method when you:
                    • Selected Microsoft Endpoint Manager to deploy Windows 10.
                    • Want to manage institution-owned and personal devices (does not require that the device be domain joined).
                    • Want to manage domain-joined devices.
                    • Want to manage Azure AD domain-joined devices.
                    • Have an existing AD DS infrastructure.
                    • Want to manage devices regardless of their connectivity.vWant to deploy operating systems.
                    • Want to provide application management for the entire application life cycle.
                      The advantages of this method are that:
                    • You can deploy operating systems.
                    • You can manage applications throughout the entire application life cycle.
                    • You can scale to large numbers of users and devices.
                    • You can support institution-owned and personal devices.
                    • It doesn’t require that devices be domain joined.
                    • It can manage devices regardless of their location (on or off premises).
                      The disadvantages of this method are that it:
                    • Carries an additional cost for Configuration Manager server licenses (if the institution does not have Configuration Manager already).
                    • Carries an additional cost for Windows Server licenses and the corresponding server hardware.
                    • Carries an additional cost for Intune subscription licenses.
                    • Requires an AD DS infrastructure (if the institution does not have AD DS already).| *Table 6. App and update management products* @@ -288,7 +288,7 @@ Record the app and update management methods that you selected in Table 7. *Table 7. App and update management methods selected* #### Summary -In this section, you selected the methods that you'll use to deploy Windows 10 to the faculty and student devices in your district. You selected the methods that you'll use to manage configuration settings. Finally, you selected the methods that you'll use to manage Windows desktop apps, Microsoft Store apps, and software updates. +In this section, you selected the methods that you will use to deploy Windows 10 to the faculty and student devices in your district. You selected the methods that you will use to manage configuration settings. Finally, you selected the methods that you will use to manage Windows desktop apps, Microsoft Store apps, and software updates. ## Prepare the admin device @@ -307,7 +307,7 @@ For more information about installing the Windows ADK, see [Step 2-2: Install Wi ### Install MDT -Next, install MDT. MDT uses the Windows ADK to help you manage and perform Windows 10 and app deployment. It's a free tool available directly from Microsoft. +Next, install MDT. MDT uses the Windows ADK to help you manage and perform Windows 10 and app deployment. It is a free tool available directly from Microsoft. You can use MDT to deploy 32-bit or 64-bit versions of Windows 10. Install the 64-bit version of MDT to support deployment of 32-bit and 64-bit operating systems. > [!NOTE] @@ -345,7 +345,7 @@ For more information, see [Enable Configuration Manager Console Integration for #### Summary -In this section, you installed the Windows ADK and MDT on the admin device. You also created the MDT deployment share that you'll configure and use later to capture a reference image. You can also use the MDT deployment share to deploy Windows 10 and your apps to faculty and students (if that’s the method you selected in [Select the deployment methods](#select-the-deployment-methods), earlier in this article). Finally, you installed the Configuration Manager console and configured MDT integration with the Configuration Manager console. +In this section, you installed the Windows ADK and MDT on the admin device. You also created the MDT deployment share that you will configure and use later to capture a reference image. You can also use the MDT deployment share to deploy Windows 10 and your apps to faculty and students (if that’s the method you selected in [Select the deployment methods](#select-the-deployment-methods), earlier in this article). Finally, you installed the Configuration Manager console and configured MDT integration with the Configuration Manager console. ## Create and configure Office 365 @@ -363,8 +363,8 @@ Complete the following steps to select the appropriate Office 365 Education lice |Plan |Advantages |Disadvantages | |----- |----------- |------------- | - |Office 365 Education |
                      • Less expensive than Microsoft 365 Apps for enterprise
                      • Can be run from any device
                      • No installation necessary
                      |
                      • Must have an Internet connection to use it
                      • Doesn't support all the features found in Microsoft 365 Apps for enterprise
                      | - |Microsoft 365 Apps for enterprise |
                      • Only requires an Internet connection every 30 days (for activation)
                      • Supports the full set of Office features
                      • Can be installed on five devices per user (there's no limit to the number of devices on which you can run Office apps online)
                      |
                      • Requires installation
                      • More expensive than Office 365 Education
                      | + |Office 365 Education |
                      • Less expensive than Microsoft 365 Apps for enterprise
                      • Can be run from any device
                      • No installation necessary
                      |
                      • Must have an Internet connection to use it
                      • Does not support all the features found in Microsoft 365 Apps for enterprise
                      | + |Microsoft 365 Apps for enterprise |
                      • Only requires an Internet connection every 30 days (for activation)
                      • Supports the full set of Office features
                      • Can be installed on five devices per user (there is no limit to the number of devices on which you can run Office apps online)
                      |
                      • Requires installation
                      • More expensive than Office 365 Education
                      | *Table 8. Comparison of standard and Microsoft 365 Apps for enterprise plans* @@ -385,7 +385,7 @@ Complete the following steps to select the appropriate Office 365 Education lice *Table 9. Office 365 Education license plans needed for the classroom* -You'll use the Office 365 Education license plan information you record in Table 9 in [Create user accounts in Office 365](#create-user-accounts-in-office-365) later in this guide. +You will use the Office 365 Education license plan information you record in Table 9 in [Create user accounts in Office 365](#create-user-accounts-in-office-365) later in this guide. ### Create a new Office 365 Education subscription @@ -408,7 +408,7 @@ To create a new Office 365 Education subscription for use in the classroom, use 2. On the **Get started** page, in **Enter your school email address**, type your school email address, and then click **Sign up**. - You'll receive an email in your school email account. + You will receive an email in your school email account. 3. Click the hyperlink in the email in your school email account. 4. On the **One last thing** page, complete your user information, and then click **Start**. @@ -418,7 +418,7 @@ The wizard creates your new Office 365 Education subscription, and you’re auto ### Add domains and subdomains -Now that you've created your new Office 365 Education subscription, add the domains and subdomains that your institution uses. For example, if your institution has contoso.edu as the primary domain name but you have subdomains for students or faculty (such as students.contoso.edu and faculty.contoso.edu), then you need to add the subdomains. +Now that you have created your new Office 365 Education subscription, add the domains and subdomains that your institution uses. For example, if your institution has contoso.edu as the primary domain name but you have subdomains for students or faculty (such as students.contoso.edu and faculty.contoso.edu), then you need to add the subdomains. #### To add additional domains and subdomains @@ -444,9 +444,9 @@ To make it easier for faculty and students to join your Office 365 Education sub Office 365 uses the domain portion of the user’s email address to know which Office 365 tenant to join. For example, if a faculty member or student provides an email address of user@contoso.edu, then Office 365 automatically performs one of the following tasks: * If an Office 365 tenant with that domain name (contoso.edu) exists, Office 365 automatically adds the user to that tenant. -* If an Office 365 tenant with that domain name (contoso.edu) doesn't exists, Office 365 automatically creates a new Office 365 tenant with that domain name and adds the user to it. +* If an Office 365 tenant with that domain name (contoso.edu) does not exists, Office 365 automatically creates a new Office 365 tenant with that domain name and adds the user to it. -You'll always want faculty and students to join the Office 365 tenant that you created. Ensure that you perform the steps in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) and [Add domains and subdomains](#add-domains-and-subdomains) sections before you allow other faculty and students to join Office 365. +You will always want faculty and students to join the Office 365 tenant that you created. Ensure that you perform the steps in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) and [Add domains and subdomains](#add-domains-and-subdomains) sections before you allow other faculty and students to join Office 365. > [!NOTE] > You cannot merge multiple tenants, so any faculty or students who create their own tenant will need to abandon their existing tenant and join yours. @@ -465,7 +465,7 @@ By default, all new Office 365 Education subscriptions have automatic tenant joi ### Disable automatic licensing -To reduce your administrative effort, automatically assign Office 365 Education or Office 365 Education Plus licenses to faculty and students when they sign up (automatic licensing). Automatic licensing also enables Office 365 Education or Office 365 Education Plus features that don't require administrative approval. +To reduce your administrative effort, automatically assign Office 365 Education or Office 365 Education Plus licenses to faculty and students when they sign up (automatic licensing). Automatic licensing also enables Office 365 Education or Office 365 Education Plus features that do not require administrative approval. > [!NOTE] > By default, automatic licensing is enabled in Office 365 Education. If you want to use automatic licensing, then skip this section and go to the next section. @@ -485,7 +485,7 @@ When you create your Office 365 subscription, you create an Office 365 tenant th Educational institutions can obtain Azure AD Basic edition licenses at no cost if they have a volume license agreement. After your institution obtains its licenses, activate your Azure AD access by completing the steps in [Step 3: Activate your Azure Active Directory access](/azure/active-directory/fundamentals/active-directory-get-started-premium#step-3-activate-your-azure-active-directory-access). -The following Azure AD Premium features aren't in Azure AD Basic: +The following Azure AD Premium features are not in Azure AD Basic: * Allow designated users to manage group membership * Dynamic group membership based on user metadata @@ -498,7 +498,7 @@ The following Azure AD Premium features aren't in Azure AD Basic: You can assign Azure AD Premium licenses to the users who need these features. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Azure AD Premium to only those users. -You can sign up for Azure AD Premium, and then assign licenses to users. In this section, you sign up for Azure AD Premium. You'll assign Azure AD Premium licenses to users later in the deployment process. +You can sign up for Azure AD Premium, and then assign licenses to users. In this section, you sign up for Azure AD Premium. You will assign Azure AD Premium licenses to users later in the deployment process. For more information about: @@ -507,7 +507,7 @@ For more information about: #### Summary -You provision and initially configure Office 365 Education as part of initial configuration. With the subscription in place, automatic tenant join configured, automatic licensing established, and Azure AD Premium enabled (if necessary), you’re ready to select the method you'll use to create user accounts in Office 365. +You provision and initially configure Office 365 Education as part of initial configuration. With the subscription in place, automatic tenant join configured, automatic licensing established, and Azure AD Premium enabled (if required), you’re ready to select the method you will use to create user accounts in Office 365. ## Select an Office 365 user account–creation method @@ -565,7 +565,7 @@ Before you deploy AD DS and Azure AD synchronization, determine where you want t You can deploy the Azure AD Connect tool: -- **On premises.** As shown in Figure 7, Azure AD Connect runs on premises that has the advantage of not requiring a VPN connection to Azure. It does, however, require a virtual machine (VM) or physical server. +- **On premises.** As shown in Figure 7, Azure AD Connect runs on premises, which has the advantage of not requiring a VPN connection to Azure. It does, however, require a virtual machine (VM) or physical server. > [!div class="mx-imgBorder"] > ![Azure AD Connect on premises.](images/edu-districtdeploy-fig7.png "Azure AD Connect on premises") @@ -595,7 +595,7 @@ In this synchronization model (illustrated in Figure 7), you run Azure AD Connec 4. Configure Azure AD Connect features based on your institution’s requirements by performing the steps in [Configure sync features](/azure/active-directory/hybrid/whatis-hybrid-identity#configure-sync-features). -Now that you've used on premises Azure AD Connect to deploy AD DS and Azure AD synchronization, you’re ready to verify that Azure AD Connect is synchronizing AD DS user and group accounts with Azure AD. +Now that you have used on premises Azure AD Connect to deploy AD DS and Azure AD synchronization, you’re ready to verify that Azure AD Connect is synchronizing AD DS user and group accounts with Azure AD. ### Verify synchronization @@ -649,7 +649,7 @@ Several methods are available to bulk-import user accounts into AD DS domains. T ### Create a source file that contains the user and group accounts -After you've selected your user and group account bulk import method, you’re ready to create the source file that contains the user and group account. You’ll use the source file as the input to the import process. The source file format depends on the method you selected. Table 13 lists the source file format for the bulk import methods. +After you have selected your user and group account bulk import method, you’re ready to create the source file that contains the user and group account. You’ll use the source file as the input to the import process. The source file format depends on the method you selected. Table 13 lists the source file format for the bulk import methods. |Method |Source file format | |-------|-------------------| @@ -682,7 +682,7 @@ You can bulk-import user and group accounts directly into Office 365, reducing t ### Create user accounts in Office 365 -Now that you've created your new Office 365 Education subscription, you need to create user accounts. You can add user accounts for the teachers, other faculty, and students who will use the classroom. +Now that you have created your new Office 365 Education subscription, you need to create user accounts. You can add user accounts for the teachers, other faculty, and students who will use the classroom. > [!NOTE] > If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant. @@ -726,7 +726,7 @@ For information about creating email distribution groups, see [Create a Microsof #### Summary -You've bulk-imported the user accounts into Office 365. First, you selected the bulk-import method. Next, you created the Office 365 security groups in Office 365. Finally, you created the Office 365 email distribution groups. Now, you’re ready to assign user licenses for Azure AD Premium. +You have bulk-imported the user accounts into Office 365. First, you selected the bulk-import method. Next, you created the Office 365 security groups in Office 365. Finally, you created the Office 365 email distribution groups. Now, you’re ready to assign user licenses for Azure AD Premium. ## Assign user licenses for Azure AD Premium @@ -749,7 +749,7 @@ This section shows you how to create a Microsoft Store for Business portal and c ### Create and configure your Microsoft Store for Business portal -To create and configure your Microsoft Store for Business portal, use the administrative account for your Office 365 subscription to sign in to Microsoft Store for Business. Microsoft Store for Business automatically creates a portal for your institution and uses your account as its administrator. +To create and configure your Microsoft Store for Business portal, simply use the administrative account for your Office 365 subscription to sign in to Microsoft Store for Business. Microsoft Store for Business automatically creates a portal for your institution and uses your account as its administrator. #### To create and configure a Microsoft Store for Business portal @@ -779,7 +779,7 @@ After you create the Microsoft Store for Business portal, configure it by using ### Find, acquire, and distribute apps in the portal -Now that you've created your Microsoft Store for Business portal, you’re ready to find, acquire, and distribute apps that you'll add to your portal. You do this from the **Inventory** page in Microsoft Store for Business. +Now that you have created your Microsoft Store for Business portal, you’re ready to find, acquire, and distribute apps that you will add to your portal. You do this from the **Inventory** page in Microsoft Store for Business. > [!NOTE] > Your educational institution can now use a credit card or purchase order to pay for apps in Microsoft Store for Business. @@ -794,14 +794,14 @@ At the end of this section, you should have a properly configured Microsoft Stor ## Plan for deployment -You'll use the LTI deployment process in MDT to deploy Windows 10 to devices or to upgrade devices to Windows 10. Prior to preparing for deployment, you must make some deployment planning decisions, including selecting the operating systems you'll use, the approach you'll use to create your Windows 10 images, and the method you'll use to initiate the LTI deployment process. +You will use the LTI deployment process in MDT to deploy Windows 10 to devices or to upgrade devices to Windows 10. Prior to preparing for deployment, you must make some deployment planning decisions, including selecting the operating systems you will use, the approach you will use to create your Windows 10 images, and the method you will use to initiate the LTI deployment process. ### Select the operating systems -Later in the process, you'll import the versions of Windows 10 you want to deploy. You can deploy the operating system to new devices, refresh existing devices, or upgrade existing devices. In the case of: +Later in the process, you will import the versions of Windows 10 you want to deploy. You can deploy the operating system to new devices, refresh existing devices, or upgrade existing devices. In the case of: -* New devices or refreshing existing devices, you'll completely replace the existing operating system on a device with Windows 10. -* Upgrading existing devices, you'll upgrade the existing operating system (the Windows 8.1 or Windows 7 operating system) to Windows 10. +* New devices or refreshing existing devices, you will completely replace the existing operating system on a device with Windows 10. +* Upgrading existing devices, you will upgrade the existing operating system (the Windows 8.1 or Windows 7 operating system) to Windows 10. Depending on your school’s requirements, you may need any combination of the following Windows 10 editions: @@ -819,12 +819,12 @@ Depending on your school’s requirements, you may need any combination of the f For more information about the Windows 10 editions, see [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). -One other consideration is the mix of processor architectures you'll support. If you can, support only 64-bit versions of Windows 10. If you have devices that can run only 32-bit versions of Windows 10, you'll need to import both 64-bit and 32-bit versions of the Windows 10 editions listed earlier in this section. +One other consideration is the mix of processor architectures you will support. If you can, support only 64-bit versions of Windows 10. If you have devices that can run only 32-bit versions of Windows 10, you will need to import both 64-bit and 32-bit versions of the Windows 10 editions listed above. > [!NOTE] > On devices that have minimal system resources (such as devices with only 2 GB of memory or 32 GB of storage), use 32-bit versions of Windows 10 because 64-bit versions of Windows 10 place more stress on device system resources. -Finally, as a best practice, minimize the number of operating systems that you deploy and manage. If possible, standardize institution-owned devices on one Windows 10 edition (such as a 64-bit version of Windows 10 Education or Windows 10 Pro). Of course, you can't standardize personal devices on a specific operating system version or processor architecture. +Finally, as a best practice, minimize the number of operating systems that you deploy and manage. If possible, standardize institution-owned devices on one Windows 10 edition (such as a 64-bit version of Windows 10 Education or Windows 10 Pro). Of course, you cannot standardize personal devices on a specific operating system version or processor architecture. ### Select an image approach @@ -861,10 +861,10 @@ The first step in preparing for Windows 10 deployment is to configure—that is, |Task|Description| |--- |--- | |1. Import operating systems|Import the operating systems that you selected in the [Select the operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench)| -|2. Import device drivers|Device drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device can't play sounds; without the proper camera driver, the device can't take photos or use video chat.
                      Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench)| -|3. Create MDT applications for Microsoft Store apps|Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using sideloading, which allows you to use the **Add-AppxPackage** Windows PowerShell cmdlet to deploy the .appx files associated with the app (called provisioned apps). Use this method to deploy up to 24 apps to Windows 10.
                      Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you'll use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you'll need to obtain the .appx files by performing one of the following tasks:
                    • For offline-licensed apps, download the .appx files from the Microsoft Store for Business.
                    • For apps that aren't offline licensed, obtain the .appx files from the app software vendor directly.

                      If you're unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.
                      If you have Intune or Microsoft Endpoint Configuration Manager, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune) and [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager). This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.
                      In addition, you must prepare your environment for sideloading Microsoft Store apps. For more information about how to:
                    • Prepare your environment for sideloading, see [Try it out: sideload Microsoft Store apps](/previous-versions/windows/).
                    • Create an MDT application, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench).| -|4. Create MDT applications for Windows desktop apps|You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.
                      To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in[Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](/deployoffice/deploy-microsoft-365-apps-local-source).
                      If you've Intune, you can [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune), as described in the Deploy and manage apps by using Intune section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps.
                      This is the preferred method for deploying and managing Windows desktop apps.
                      **Note:**  You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
                      For more information about how to create an MDT application for Windows desktop apps, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt).| -|5. Create task sequences|You must create separate task sequences for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education, (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education, or (3) if you want to run deployments and upgrades for both 32-bit and 64-bit versions of Windows 10. To do so, you must create task sequences that will:
                    • Deploy 64-bit Windows 10 Education to devices.
                    • Deploy 32-bit Windows 10 Education to devices.
                    • Upgrade existing devices to 64-bit Windows 10 Education.
                    • Upgrade existing devices to 32-bit Windows 10 Education.

                      Again, you'll create the task sequences based on the operating systems that you imported in step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewTaskSequenceintheDeploymentWorkbench).| +|2. Import device drivers|Device drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat.
                      Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench)| +|3. Create MDT applications for Microsoft Store apps|Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using sideloading, which allows you to use the **Add-AppxPackage** Windows PowerShell cmdlet to deploy the .appx files associated with the app (called provisioned apps). Use this method to deploy up to 24 apps to Windows 10.
                      Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you will use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you will need to obtain the .appx files by performing one of the following tasks:
                    • For offline-licensed apps, download the .appx files from the Microsoft Store for Business.
                    • For apps that are not offline licensed, obtain the .appx files from the app software vendor directly.

                      If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.
                      If you have Intune or Microsoft Endpoint Configuration Manager, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune) and [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager). This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.
                      In addition, you must prepare your environment for sideloading Microsoft Store apps. For more information about how to:
                    • Prepare your environment for sideloading, see [Try it out: sideload Microsoft Store apps](/previous-versions/windows/).
                    • Create an MDT application, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench).| +|4. Create MDT applications for Windows desktop apps|You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.
                      To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in[Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](/deployoffice/deploy-microsoft-365-apps-local-source).
                      If you have Intune, you can [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune), as described in the Deploy and manage apps by using Intune section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps.
                      This is the preferred method for deploying and managing Windows desktop apps.
                      **Note:**  You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
                      For more information about how to create an MDT application for Windows desktop apps, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt).| +|5. Create task sequences|You must create separate task sequences for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education, (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education, or (3) if you want to run deployments and upgrades for both 32-bit and 64-bit versions of Windows 10. To do so, you must create task sequences that will:
                    • Deploy 64-bit Windows 10 Education to devices.
                    • Deploy 32-bit Windows 10 Education to devices.
                    • Upgrade existing devices to 64-bit Windows 10 Education.
                    • Upgrade existing devices to 32-bit Windows 10 Education.

                      Again, you will create the task sequences based on the operating systems that you imported in step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewTaskSequenceintheDeploymentWorkbench).| |6. Update the deployment share|Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32-bit and 64-bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services.
                      For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#UpdateaDeploymentShareintheDeploymentWorkbench).| *Table 16. Tasks to configure the MDT deployment share* @@ -874,7 +874,7 @@ The first step in preparing for Windows 10 deployment is to configure—that is, > [!NOTE] > If you have already configured your Microsoft Endpoint Manager infrastructure to support the operating system deployment feature or if you selected to deploy Windows 10 by using MDT only, then skip this section and continue to the next section. -Before you can use Configuration Manager to deploy Windows 10 and manage your apps and devices, you must configure Configuration Manager to support the operating system deployment feature. If you don’t have an existing Configuration Manager infrastructure, you'll need to deploy a new infrastructure. +Before you can use Configuration Manager to deploy Windows 10 and manage your apps and devices, you must configure Configuration Manager to support the operating system deployment feature. If you don’t have an existing Configuration Manager infrastructure, you will need to deploy a new infrastructure. Deploying a new Configuration Manager infrastructure is beyond the scope of this guide, but the following resources can help you deploy a new Configuration Manager infrastructure: @@ -889,7 +889,7 @@ Deploying a new Configuration Manager infrastructure is beyond the scope of this Ensure that your existing infrastructure can support the operating system deployment feature. For more information, see [Infrastructure requirements for operating system deployment in Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/plan-design/infrastructure-requirements-for-operating-system-deployment). 2. Add the Windows PE boot images, Windows 10 operating systems, and other content. - You need to add the Windows PE boot images, Windows 10 operating system images, and other deployment content that you'll use to deploy Windows 10 with ZTI. To add this content, use the Create MDT Task Sequence Wizard. + You need to add the Windows PE boot images, Windows 10 operating system images, and other deployment content that you will use to deploy Windows 10 with ZTI. To add this content, use the Create MDT Task Sequence Wizard. You can add this content by using Microsoft Endpoint Manager only (without MDT), but the Create MDT Task Sequence Wizard is the preferred method because the wizard prompts you for all the deployment content you need for a task sequence and provides a much more intuitive user experience. For more information, see [Create ZTI Task Sequences Using the Create MDT Task Sequence Wizard in Configuration Manager](/mem/configmgr/mdt/use-the-mdt#CreateZTITaskSequencesUsingtheCreateMDTTaskSequenceWizardinConfigurationManager). 3. Add device drivers. @@ -899,7 +899,7 @@ Deploying a new Configuration Manager infrastructure is beyond the scope of this Create a Microsoft Endpoint Manager driver package for each device type in your district. For more information, see [Manage drivers in Configuration Manager](/mem/configmgr/osd/get-started/manage-drivers). 4. Add Windows apps. - Install the Windows apps (Windows desktop and Microsoft Store apps) that you want to deploy after the task sequence deploys your customized image (a thick, reference image that includes Windows 10 and your core Windows desktop apps). These apps are in addition to the apps included in your reference image. You can only deploy Microsoft Store apps after you deploy Windows 10 because you can't capture Microsoft Store apps in a reference image. Microsoft Store apps target users, not devices. + Install the Windows apps (Windows desktop and Microsoft Store apps) that you want to deploy after the task sequence deploys your customized image (a thick, reference image that include Windows 10 and your core Windows desktop apps). These apps are in addition to the apps included in your reference image. You can only deploy Microsoft Store apps after you deploy Windows 10 because you cannot capture Microsoft Store apps in a reference image. Microsoft Store apps target users, not devices. Create a Configuration Manager application for each Windows desktop or Microsoft Store app that you want to deploy after you apply the reference image to a device. For more information, see [Deploy and manage applications with Configuration Manager](/mem/configmgr/apps/deploy-use/deploy-applications). @@ -921,7 +921,7 @@ You can use Windows Deployment Services in conjunction with MDT to automatically 2. Add LTI boot images (Windows PE images) to Windows Deployment Services. - The LTI boot images (.wim files) that you'll add to Windows Deployment Services are in the MDT deployment share. Locate the .wim files in the deployment share’s Boot subfolder. + The LTI boot images (.wim files) that you will add to Windows Deployment Services are in the MDT deployment share. Locate the .wim files in the deployment share’s Boot subfolder. For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](/mem/configmgr/mdt/use-the-mdt#AddLTIBootImagestoWindowsDeploymentServices). @@ -955,7 +955,7 @@ You can use Windows Deployment Services in conjunction with Configuration Manage #### Summary -Your MDT deployment share and Microsoft Endpoint Manager are now ready for deployment. Windows Deployment Services is ready to initiate the LTI or ZTI deployment process. You have set up and configured Windows Deployment Services for MDT and for Configuration Manager. You've also ensured that your boot images are available to Windows Deployment Services (for LTI) or the distribution points (for ZTI and Configuration Manager). Now, you’re ready to capture the reference images for the different devices you have in your district. +Your MDT deployment share and Microsoft Endpoint Manager are now ready for deployment. Windows Deployment Services is ready to initiate the LTI or ZTI deployment process. You have set up and configured Windows Deployment Services for MDT and for Configuration Manager. You have also ensured that your boot images are available to Windows Deployment Services (for LTI) or the distribution points (for ZTI and Configuration Manager). Now, you’re ready to capture the reference images for the different devices you have in your district. ## Capture the reference image @@ -963,7 +963,7 @@ The reference device is a device that you use as the template for all the other After you deploy Windows 10 and the desktop apps to the reference device, you capture an image of the device (the reference image). You import the reference image to an MDT deployment share or into Configuration Manager. Finally, you create a task sequence to deploy the reference image to faculty and student devices. -You'll capture multiple reference images, one for each type of device that you have in your organization. You perform the steps in this section for each image (device) that you have in your district. Use LTI in MDT to automate the deployment and capture of the reference image. +You will capture multiple reference images, one for each type of device that you have in your organization. You perform the steps in this section for each image (device) that you have in your district. Use LTI in MDT to automate the deployment and capture of the reference image. > [!NOTE] > You can use LTI in MDT or Configuration Manager to automate the deployment and capture of the reference image, but this guide only discusses how to use LTI in MDT to capture the reference image. @@ -1019,7 +1019,7 @@ In most instances, deployments occur without incident. Only in rare occasions do ### Import reference image -After you've captured the reference image (.wim file), import the image into the MDT deployment share or into Configuration Manager (depending on which method you selected to perform Windows 10 deployments). You'll deploy the reference image to the student and faculty devices in your district. +After you have captured the reference image (.wim file), import the image into the MDT deployment share or into Configuration Manager (depending on which method you selected to perform Windows 10 deployments). You will deploy the reference image to the student and faculty devices in your district. Both the Deployment Workbench and the Configuration Manager console have wizards that help you import the reference image. After you import the reference image, you need to create a task sequence that will deploy the reference image. @@ -1030,9 +1030,9 @@ For more information about how to import the reference image into: ### Create a task sequence to deploy the reference image -You created an LTI task sequence in the Deployment Workbench earlier in this process to deploy Windows 10 and your desktop apps to the reference device. Now that you've captured and imported your reference image, you need to create a tasks sequence to deploy it. +You created an LTI task sequence in the Deployment Workbench earlier in this process to deploy Windows 10 and your desktop apps to the reference device. Now that you have captured and imported your reference image, you need to create a tasks sequence to deploy it. -As you might expect, both the Deployment Workbench and the Configuration Manager console have wizards that help you create a starting task sequence. After you create your task sequence, in most instances you'll need to customize it to deploy additional apps, device drivers, and other software. +As you might expect, both the Deployment Workbench and the Configuration Manager console have wizards that help you create a starting task sequence. After you create your task sequence, in most instances you will need to customize it to deploy additional apps, device drivers, and other software. For more information about how to create a task sequence in the: @@ -1044,7 +1044,7 @@ In this section, you customized the MDT deployment share to deploy Windows 10 an ## Prepare for device management -Before you deploy Windows 10 in your district, you must prepare for device management. You'll deploy Windows 10 in a configuration that complies with your requirements, but you want to help ensure that your deployments remain compliant. +Before you deploy Windows 10 in your district, you must prepare for device management. You will deploy Windows 10 in a configuration that complies with your requirements, but you want to help ensure that your deployments remain compliant. You also want to deploy apps and software updates after you deploy Windows 10. You need to manage apps and updates by using Configuration Manager, Intune, or a combination of both (hybrid model). @@ -1055,12 +1055,12 @@ Microsoft has several recommended settings for educational institutions. Table 1 > [!NOTE] > The settings for Intune in Table 17 also apply to the Configuration Manager and Intune management (hybrid) method. -Use the information in Table 17 to help you determine whether you need to configure the setting and which method you'll use to do so. At the end, you'll have a list of settings that you want to apply to the Windows 10 devices and know which management method you'll use to configure the settings. +Use the information in Table 17 to help you determine whether you need to configure the setting and which method you will use to do so. At the end, you will have a list of settings that you want to apply to the Windows 10 devices and know which management method you will use to configure the settings. |Recommendation|Description| |--- |--- | -|Use of Microsoft accounts|You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, don't use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.
                      **Note**  Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.
                      **Group Policy.** Configure the [Accounts: Block Microsoft accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj966262(v=ws.11)) Group Policy setting to use the **Users can’t add Microsoft accounts** setting option.
                      ****Intune**.** To enable or disable the use of Microsoft accounts, use the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy.| -|Restrict the local administrator accounts on the devices|Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.
                      **Group Policy**. Create a Local Group Policy preference to limit the local administrators group membership. Select the Delete all member users and Delete all member groups check boxes to remove any existing members. For more information about how to configure Local Group preferences, see Configure a Local Group Item.
                      **Intune**. Not available.| +|Use of Microsoft accounts|You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.
                      **Note**  Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.
                      **Group Policy.** Configure the [Accounts: Block Microsoft accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj966262(v=ws.11)) Group Policy setting to use the **Users can’t add Microsoft accounts** setting option.
                      ****Intune**.** To enable or disable the use of Microsoft accounts, use the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy.| +|Restrict the local administrator accounts on the devices|Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.
                      **Group Policy**. Create a Local Group Group Policy preference to limit the local administrators group membership. Select the Delete all member users and Delete all member groups check boxes to remove any existing members. For more information about how to configure Local Group preferences, see Configure a Local Group Item.
                      **Intune**. Not available.| |Manage the built-in administrator account created during device deployment|When you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and (optionally) disable it.
                      **Group Policy**. To rename the built-in Administrator account, use the Accounts: Rename administrator account Group policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-essentials-sbs/cc747484(v=ws.10)). You specify the new name for the Administrator account. To disable the built-in Administrator account, use the Accounts: Administrator account status Group policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852165(v=ws.11)).
                      **Intune**. Not available.| |Control Microsoft Store access|You can control access to Microsoft Store and whether existing Microsoft Store apps receive updates. You can only disable the Microsoft Store app in Windows 10 Education and Windows 10 Enterprise.
                      **Group policy**. To disable the Microsoft Store app, use the Turn off the Store Application group policy setting. To prevent Microsoft Store apps from receiving updates, use the Turn off Automatic Download and Install of updates Group Policy setting. For more information about configuring these settings, see Can I use Group Policy to control the Microsoft Store in my enterprise environment?
                      **Intune**. To enable or disable Microsoft Store access, use the Allow application store policy setting in the Apps section of a Windows 10 General Configuration policy.| |Use of Remote Desktop connections to devices|Remote Desktop connections could allow unauthorized access to the device. Depending on your institution’s policies, you may want to disable Remote Desktop connections on your devices.
                      **Group policy**. To enable or disable Remote Desktop connections to devices, use the Allow Users to connect remotely using Remote Desktop setting in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections.
                      **Intune**. Not available.| @@ -1108,7 +1108,7 @@ For more information about Intune, see [Microsoft Intune Documentation](/intune/ If you selected to deploy and manage apps by using Microsoft Endpoint Manager and Intune in a hybrid configuration, then skip this section and continue to the [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager) section. -You can use Intune to deploy Microsoft Store and Windows desktop apps. Intune provides improved control over which users receive specific apps. In addition, Intune allows you to deploy apps to companion devices (such as iOS or Android devices). Finally, Intune helps you manage app security and features, such as mobile application management policies that let you manage apps on devices that aren't enrolled in Intune or that another solution manages. +You can use Intune to deploy Microsoft Store and Windows desktop apps. Intune provides improved control over which users receive specific apps. In addition, Intune allows you to deploy apps to companion devices (such as iOS or Android devices). Finally, Intune helps you manage app security and features, such as mobile application management policies that let you manage apps on devices that are not enrolled in Intune or that another solution manages. For more information about how to configure Intune to manage your apps, see the following resources: @@ -1212,7 +1212,7 @@ After you have deployed Windows 10, the devices are almost ready for use. First, 3. Copy the printer drivers to a USB drive. -4. On a device, use the same account you used to set up Windows 10 in the [Prepare for deployment](#prepare-for-deployment) section to sign in to the device. +4. On a device, use the same account you used to set up Windows 10 in the [Prepare for deployment](#prepare-for-deployment) section to log on to the device. 5. Plug the USB drive into the device. @@ -1234,7 +1234,7 @@ As a final quality control step, verify the device configuration to ensure that * All Windows desktop apps are properly installed and updated. * Printers are properly configured. -When you've verified that the first device is properly configured, you can move to the next device and perform the same steps. +When you have verified that the first device is properly configured, you can move to the next device and perform the same steps. #### Summary @@ -1262,7 +1262,7 @@ Table 19 lists the school and individual classroom maintenance tasks, the resour |Install new or update existing Microsoft Store apps used in the curriculum.
                      Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download.
                      You can also deploy Microsoft Store apps directly to devices by using Intune, Microsoft Endpoint Configuration Manager, or both in a hybrid configuration.
                      For more information, see:
                    • [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
                    • [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager)||✔️|✔️| |Remove unnecessary user accounts (and corresponding licenses) from AD DS and Office 365 (if you have an on-premises AD DS infrastructure).
                      For more information about how to:
                    • Remove unnecessary user accounts, see [Active Directory Administrative Center](/windows-server/identity/ad-ds/get-started/adac/active-directory-administrative-center)
                    • Remove licenses, see [Add users and assign licenses](/microsoft-365/admin/add-users/add-users)||✔️|✔️| |Add new accounts (and corresponding licenses) to AD DS (if you have an on-premises AD DS infrastructure).
                      For more information about how to:
                    • Add user accounts, see [Bulk-import user and group accounts into AD DS](#bulk-import-user-and-group-accounts-into-ad-ds)
                    • Assign licenses, see [Add users and assign licenses](/microsoft-365/admin/add-users/add-users)||✔️|✔️| -|Remove unnecessary user accounts (and corresponding licenses) from Office 365 (if you don't have an on-premises AD DS infrastructure).
                      For more information about how to:
                    • Remove unnecessary user accounts, see [Delete or restore users](/microsoft-365/admin/add-users/delete-a-user)
                    • Remove licenses, [Assign or remove licenses for Microsoft 365](/microsoft-365/admin/add-users/add-users).||✔️|✔️| +|Remove unnecessary user accounts (and corresponding licenses) from Office 365 (if you do not have an on-premises AD DS infrastructure).
                      For more information about how to:
                    • Remove unnecessary user accounts, see [Delete or restore users](/microsoft-365/admin/add-users/delete-a-user)
                    • Remove licenses, [Assign or remove licenses for Microsoft 365](/microsoft-365/admin/add-users/add-users).||✔️|✔️| |Add new accounts (and corresponding licenses) to Office 365 (if you don’t have an on-premises AD DS infrastructure).
                      For more information about how to:
                    • Add user accounts, see [Add users to Microsoft 365](/microsoft-365/admin/add-users/add-users) and [Add users individually or in bulk to Office 365](https://www.youtube.com/watch?v=zDs3VltTJps).
                    • Assign licenses, see [Add users to Microsoft 365](/microsoft-365/admin/add-users/add-users).||✔️|✔️| |Create or modify security groups, and manage group membership in Office 365.
                      For more information about how to:
                    • Create or modify security groups, see [Create a Microsoft 365 group](/microsoft-365/admin/create-groups/create-groups)
                    • Manage group membership, see [Manage Group membership](/microsoft-365/admin/create-groups/add-or-remove-members-from-groups).||✔️|✔️| |Create or modify Exchange Online or Microsoft Exchange Server distribution lists in Office 365.
                      For more information about how to create or modify Exchange Online or Exchange Server distribution lists in Office 365, see [Create and manage distribution groups](/exchange/recipients-in-exchange-online/manage-distribution-groups/manage-distribution-groups) and [Create, edit, or delete a security group](/microsoft-365/admin/email/create-edit-or-delete-a-security-group).||✔️|✔️| @@ -1272,7 +1272,7 @@ Table 19 lists the school and individual classroom maintenance tasks, the resour #### Summary -You've now identified the tasks you need to perform monthly, at the end of an academic year or semester, and as required. Your district and individual school configuration should match the typical school configuration you saw in the [Plan a typical district configuration](#plan-a-typical-district-configuration) section. By performing these maintenance tasks, you help ensure that your district as a whole stays secure and is configured as you specified. +You have now identified the tasks you need to perform monthly, at the end of an academic year or semester, and as required. Your district and individual school configuration should match the typical school configuration you saw in the [Plan a typical district configuration](#plan-a-typical-district-configuration) section. By performing these maintenance tasks, you help ensure that your district as a whole stays secure and is configured as you specified. ## Related topics diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md index 8371a48a48..c0e52a36d6 100644 --- a/education/windows/deploy-windows-10-in-a-school.md +++ b/education/windows/deploy-windows-10-in-a-school.md @@ -20,11 +20,11 @@ manager: dansimp - Windows 10 -This guide shows you how to deploy the Windows 10 operating system in a school environment. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Intune and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you'll perform after initial deployment and the automated tools and built-in features of the operating system. +This guide shows you how to deploy the Windows 10 operating system in a school environment. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Intune and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you will perform after initial deployment and the automated tools and built-in features of the operating system. ## Prepare for school deployment -Proper preparation is essential for a successful school deployment. To avoid common mistakes, your first step is to plan a typical school configuration. As with building a house, you need a blueprint for what your school should look like when it’s finished. The second step in preparation is to learn how you'll configure your school. Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your school. +Proper preparation is essential for a successful school deployment. To avoid common mistakes, your first step is to plan a typical school configuration. As with building a house, you need a blueprint for what your school should look like when it’s finished. The second step in preparation is to learn how you will configure your school. Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your school. ### Plan a typical school configuration @@ -86,15 +86,15 @@ For more information about Office 365 Education features and a FAQ, go to [Offic ## How to configure a school -Now that you have the plan (blueprint) for your classroom, you’re ready to learn about the tools you'll use to deploy it. There are many tools you could use to accomplish the task, but this guide focuses on using those tools that require the least infrastructure and technical knowledge. +Now that you have the plan (blueprint) for your classroom, you’re ready to learn about the tools you will use to deploy it. There are many tools you could use to accomplish the task, but this guide focuses on using those tools that require the least infrastructure and technical knowledge. -The primary tool you'll use to deploy Windows 10 in your school is MDT, which uses Windows ADK components to make deployment easier. You could just use the Windows ADK to perform your deployment, but MDT simplifies the process by providing an intuitive, wizard-driven user interface (UI). +The primary tool you will use to deploy Windows 10 in your school is MDT, which uses Windows ADK components to make deployment easier. You could just use the Windows ADK to perform your deployment, but MDT simplifies the process by providing an intuitive, wizard-driven user interface (UI). You can use MDT as a stand-alone tool or integrate it with Microsoft Endpoint Configuration Manager. As a stand-alone tool, MDT performs Lite Touch Installation (LTI) deployments—deployments that require minimal infrastructure and allow you to control the level of automation. When integrated with Configuration Manager, MDT performs Zero Touch Installation (ZTI) deployments, which require more infrastructure (such as Configuration Manager) but result in fully automated deployments. MDT includes the Deployment Workbench—a console from which you can manage the deployment of Windows 10 and your apps. You configure the deployment process in the Deployment Workbench, including the management of operating systems, device drivers, apps, and migration of user settings on existing devices. -LTI performs deployment from a *deployment share*—a network-shared folder on the device where you installed MDT. You can perform over-the-network deployments from the deployment share or perform deployments from a local copy of the deployment share on a USB drive or DVD. You'll learn more about MDT in the [Prepare the admin device](#prepare-the-admin-device) section. +LTI performs deployment from a *deployment share*—a network-shared folder on the device where you installed MDT. You can perform over-the-network deployments from the deployment share or perform deployments from a local copy of the deployment share on a USB drive or DVD. You will learn more about MDT in the [Prepare the admin device](#prepare-the-admin-device) section. The focus of MDT is deployment, so you also need tools that help you manage your Windows 10 devices and apps. You can manage Windows 10 devices and apps with [Microsoft Endpoint Manager](/mem/), the Compliance Management feature in Office 365, or Group Policy in AD DS. You can use any combination of these tools based on your school requirements. @@ -102,12 +102,12 @@ The configuration process requires the following devices: - **Admin device.** This is the device you use for your day-to-day job functions. It’s also the one you use to create and manage the Windows 10 and app deployment process. You install the Windows ADK and MDT on this device. - **Faculty devices.** These are the devices that the teachers and other faculty use for their day-to-day job functions. You use the admin device to deploy (or upgrade) Windows 10 and apps to these devices. -- **Student devices.** The students will use these devices. You'll use the admin device deploy (or upgrade) Windows 10 and apps to them. +- **Student devices.** The students will use these devices. You will use the admin device deploy (or upgrade) Windows 10 and apps to them. The high-level process for deploying and configuring devices within individual classrooms and the school as a whole is as follows and illustrated in Figure 3: 1. Prepare the admin device for use, which includes installing the Windows ADK and MDT. -2. On the admin device, create and configure the Office 365 Education subscription that you'll use for each classroom in the school. +2. On the admin device, create and configure the Office 365 Education subscription that you will use for each classroom in the school. 3. On the admin device, configure integration between on-premises AD DS and Azure AD (if you have an on premises AD DS configuration). 4. On the admin device, create and configure a Microsoft Store for Business portal. 5. On the admin device, prepare for management of the Windows 10 devices after deployment. @@ -118,7 +118,7 @@ The high-level process for deploying and configuring devices within individual c *Figure 3. How school configuration works* -Each of the steps illustrated in Figure 3 directly corresponds to the remaining high-level sections in this guide. +Each of the steps illustrated in Figure 3 directly correspond to the remaining high-level sections in this guide. ### Summary @@ -161,7 +161,7 @@ For more information about how to create a deployment share, see [Step 3-1: Crea ### Summary -In this section, you installed the Windows ADK and MDT on the admin device. You also created the MDT deployment share that you'll configure and use later in the LTI deployment process. +In this section, you installed the Windows ADK and MDT on the admin device. You also created the MDT deployment share that you will configure and use later in the LTI deployment process. ## Create and configure Office 365 @@ -182,8 +182,8 @@ Complete the following steps to select the appropriate Office 365 Education lice --- | Plan | Advantages | Disadvantages | | --- | --- | --- | -| Standard | - Less expensive than Microsoft 365 Apps for enterprise
                      - Can be run from any device
                      - No installation necessary | - Must have an Internet connection to use it
                      - Doesn't support all the features found in Microsoft 365 Apps for enterprise | -| Office ProPlus | - Only requires an Internet connection every 30 days (for activation)
                      - Supports full set of Office features | - Requires installation
                      - Can be installed on only five devices per user (there's no limit to the number of devices on which you can run Office apps online) | +| Standard | - Less expensive than Microsoft 365 Apps for enterprise
                      - Can be run from any device
                      - No installation necessary | - Must have an Internet connection to use it
                      - Does not support all the features found in Microsoft 365 Apps for enterprise | +| Office ProPlus | - Only requires an Internet connection every 30 days (for activation)
                      - Supports full set of Office features | - Requires installation
                      - Can be installed on only five devices per user (there is no limit to the number of devices on which you can run Office apps online) | --- @@ -207,7 +207,7 @@ The best user experience is to run Microsoft 365 Apps for enterprise or use nati --- -You'll use the Office 365 Education license plan information you record in Table 2 in the [Create user accounts in Office 365](#create-user-accounts-in-office-365) section of this guide. +You will use the Office 365 Education license plan information you record in Table 2 in the [Create user accounts in Office 365](#create-user-accounts-in-office-365) section of this guide. ### Create a new Office 365 Education subscription @@ -220,18 +220,18 @@ To create a new Office 365 Education subscription for use in the classroom, use 1. In Microsoft Edge or Internet Explorer, type `https://portal.office.com/start?sku=faculty` in the address bar. - If you've already used your current sign-in account to create a new Office 365 subscription, you'll be prompted to sign in. If you want to create a new Office 365 subscription, start an In-Private Window. Your options: + If you have already used your current sign-in account to create a new Office 365 subscription, you will be prompted to sign in. If you want to create a new Office 365 subscription, start an In-Private Window. Your options: - In Microsoft Edge, select Ctrl+Shift+N. Or, select **More actions** > **New InPrivate window**. - In Internet Explorer, select Ctrl+Shift+P. Or, select **Settings** > **Safety** > **InPrivate Browsing**. -2. On the **Get started** page, type your school email address in the **Enter your school email address** box, and then click **Sign up**. You'll receive an email in your school email account. +2. On the **Get started** page, type your school email address in the **Enter your school email address** box, and then click **Sign up**. You will receive an email in your school email account. 3. Click the hyperlink in the email in your school email account. -4. On the **One last thing** page, complete your user information, and then click **Start**. The wizard creates your new Office 365 Education subscription, and you're automatically signed in as the administrative user you specified when you created the subscription. +4. On the **One last thing** page, complete your user information, and then click **Start**. The wizard creates your new Office 365 Education subscription, and you are automatically signed in as the administrative user you specified when you created the subscription. ### Add domains and subdomains -Now that you've created your new Office 365 Education subscription, add the domains and subdomains that your institution uses. For example, if your institution has `contoso.edu` as the primary domain name but you have subdomains for students or faculty (such as students.contoso.edu and faculty.contoso.edu), then you need to add the subdomains. +Now that you have created your new Office 365 Education subscription, add the domains and subdomains that your institution uses. For example, if your institution has `contoso.edu` as the primary domain name but you have subdomains for students or faculty (such as students.contoso.edu and faculty.contoso.edu), then you need to add the subdomains. #### To add additional domains and subdomains @@ -252,9 +252,9 @@ To make it easier for faculty and students to join your Office 365 Education sub Office 365 uses the domain portion of the user’s email address to know which Office 365 tenant to join. For example, if a faculty member or student provides an email address of user@contoso.edu, then Office 365 automatically performs one of the following tasks: - If an Office 365 tenant with that domain name (contoso.edu) exists, Office 365 automatically adds the user to that tenant. -- If an Office 365 tenant with that domain name (contoso.edu) doesn't exists, Office 365 automatically creates a new Office 365 tenant with that domain name and adds the user to it. +- If an Office 365 tenant with that domain name (contoso.edu) does not exists, Office 365 automatically creates a new Office 365 tenant with that domain name and adds the user to it. -You'll always want faculty and students to join the Office 365 tenant that you created. Ensure that you perform the steps in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) and [Add domains and subdomains](#add-domains-and-subdomains) sections before allowing other faculty and students to join Office 365. +You will always want faculty and students to join the Office 365 tenant that you created. Ensure that you perform the steps in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) and [Add domains and subdomains](#add-domains-and-subdomains) sections before allowing other faculty and students to join Office 365. > [!NOTE] > You cannot merge multiple tenants, so any faculty or students who create their own tenant will need to abandon their existing tenant and join yours. @@ -276,7 +276,7 @@ All new Office 365 Education subscriptions have automatic tenant join enabled by ### Disable automatic licensing -To reduce your administrative effort, automatically assign Office 365 Education or Office 365 Education Plus licenses to faculty and students when they sign up (automatic licensing). Automatic licensing also enables Office 365 Education or Office 365 Education Plus features that don't require administrative approval. +To reduce your administrative effort, automatically assign Office 365 Education or Office 365 Education Plus licenses to faculty and students when they sign up (automatic licensing). Automatic licensing also enables Office 365 Education or Office 365 Education Plus features that do not require administrative approval. > [!NOTE] > By default, automatic licensing is enabled in Office 365 Education. If you want to use automatic licensing, then skip this section and go to the next section. @@ -299,11 +299,11 @@ When you create your Office 365 subscription, you create an Office 365 tenant th Educational institutions can obtain Azure AD Basic edition licenses at no cost. After you obtain your licenses, activate your Azure AD access by completing the steps in [Step 3: Activate your Azure Active Directory access](/azure/active-directory/fundamentals/active-directory-get-started-premium#step-3-activate-your-azure-active-directory-access). -The Azure AD Premium features that aren't in Azure AD Basic include: +The Azure AD Premium features that are not in Azure AD Basic include: - Allow designated users to manage group membership - Dynamic group membership based on user metadata -- Multi-factor authentication (MFA) +- Multifactor authentication (MFA) - Identify cloud apps that your users run - Automatic enrollment in a mobile device management (MDM) system (such as Intune) - Self-service recovery of BitLocker @@ -313,7 +313,7 @@ The Azure AD Premium features that aren't in Azure AD Basic include: You can assign Azure AD Premium licenses to the users who need these features. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Azure AD Premium to only those users. -You can sign up for Azure AD Premium, and then assign licenses to users. In this section, you sign up for Azure AD Premium. You'll assign Azure AD Premium licenses to users later in the deployment process. +You can sign up for Azure AD Premium, and then assign licenses to users. In this section, you sign up for Azure AD Premium. You will assign Azure AD Premium licenses to users later in the deployment process. For more information, see: @@ -321,12 +321,12 @@ For more information, see: - [Sign up for Azure Active Directory Premium](/azure/active-directory/fundamentals/active-directory-get-started-premium) ### Summary -You provision and initially configure Office 365 Education as part of the initial configuration. With the subscription in place, automatic tenant join configured, automatic licensing established, and Azure AD Premium enabled (if necessary), you’re ready to select the method you'll use to create user accounts in Office 365. +You provision and initially configure Office 365 Education as part of the initial configuration. With the subscription in place, automatic tenant join configured, automatic licensing established, and Azure AD Premium enabled (if required), you’re ready to select the method you will use to create user accounts in Office 365. ## Select an Office 365 user account–creation method -Now that you have an Office 365 subscription, you need to determine how you'll create your Office 365 user accounts. Use the following methods to create Office 365 user accounts: +Now that you have an Office 365 subscription, you need to determine how you will create your Office 365 user accounts. Use the following methods to create Office 365 user accounts: - **Method 1:** Automatically synchronize your on-premises AD DS domain with Azure AD. Select this method if you have an on-premises AD DS domain. - **Method 2:** Bulk-import the user accounts from a .csv file (based on information from other sources) into Azure AD. Select this method if you don’t have an on-premises AD DS domain. @@ -338,7 +338,7 @@ In this method, you have an on-premises AD DS domain. As shown in Figure 4, the > [!NOTE] > Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [LDAP synchronization with Azure Active Directory](/azure/active-directory/fundamentals/sync-ldap). -:::image type="content" source="images/deploy-win-10-school-figure4.png" alt-text="See the automatic synchronization between Active Directory Services and Azure AD."::: +:::image type="content" source="images/deploy-win-10-school-figure4.png" alt-text="See the automatic synchronization between Active Directory Directory Services and Azure AD."::: *Figure 4. Automatic synchronization between AD DS and Azure AD* @@ -374,7 +374,7 @@ Before you deploy AD DS and Azure AD synchronization, you need to determine wher You can deploy the Azure AD Connect tool by using one of the following methods: -- **On premises**: As shown in Figure 6, Azure AD Connect runs on premises that have the advantage of not requiring a virtual private network (VPN) connection to Azure. It does, however, require a virtual machine (VM) or physical server. +- **On premises**: As shown in Figure 6, Azure AD Connect runs on premises, which has the advantage of not requiring a virtual private network (VPN) connection to Azure. It does, however, require a virtual machine (VM) or physical server. :::image type="content" source="images/deploy-win-10-school-figure6.png" alt-text="Azure AD Connect runs on-premises and uses a virtual machine."::: @@ -399,7 +399,7 @@ In this synchronization model (illustrated in Figure 6), you run Azure AD Connec 3. Install Azure AD Connect by performing the steps in [Install Azure AD Connect](/azure/active-directory/hybrid/how-to-connect-install-select-installation). 4. Configure Azure AD Connect features based on your institution’s requirements. For more information, see [Azure AD Connect sync: Understand and customize synchronization](/azure/active-directory/hybrid/how-to-connect-sync-whatis). -Now that you've used on premises Azure AD Connect to deploy AD DS and Azure AD synchronization, you’re ready to verify that Azure AD Connect is synchronizing AD DS user and group accounts with Azure AD. +Now that you have used on premises Azure AD Connect to deploy AD DS and Azure AD synchronization, you’re ready to verify that Azure AD Connect is synchronizing AD DS user and group accounts with Azure AD. ### Verify synchronization @@ -447,7 +447,7 @@ Several methods are available to bulk-import user accounts into AD DS domains. T ### Create a source file that contains the user and group accounts -After you've selected your user and group account bulk import method, you’re ready to create the source file that contains the user and group account. You’ll use the source file as the input to the import process. The source file format depends on the method you selected. Table 6 lists the source file format for the bulk import methods. +After you have selected your user and group account bulk import method, you’re ready to create the source file that contains the user and group account. You’ll use the source file as the input to the import process. The source file format depends on the method you selected. Table 6 lists the source file format for the bulk import methods. *Table 6. Source file format for each bulk import method* @@ -483,7 +483,7 @@ You can bulk-import user and group accounts directly into Office 365, reducing t ### Create user accounts in Office 365 -Now that you've created your new Office 365 Education subscription, you need to create user accounts. You can add user accounts for the teachers, other faculty, and students who will use the classroom. +Now that you have created your new Office 365 Education subscription, you need to create user accounts. You can add user accounts for the teachers, other faculty, and students who will use the classroom. You can use the Microsoft 365 admin center to add individual Office 365 accounts manually—a reasonable process when you’re adding only a few users. If you have many users, however, you can automate the process by creating a list of those users, and then use that list to create user accounts (that is, bulk-add users). @@ -517,13 +517,13 @@ Microsoft Exchange Online uses an email distribution group as a single email rec You can create email distribution groups based on job role (such as teachers, administration, or students) or specific interests (such as robotics, drama club, or soccer team). You can create any number of distribution groups, and users can be members of more than one group. > [!NOTE] -> Office 365 can take some time to complete the Exchange Online creation process. You'll have to wait until Office 365 completes the Exchange Online creation process before you can perform the following steps. +> Office 365 can take some time to complete the Exchange Online creation process. You will have to wait until Office 365 completes the Exchange Online creation process before you can perform the following steps. For information about how to create security groups, see [Create a group in the Microsoft 365 admin center](/microsoft-365/admin/create-groups/create-groups). ### Summary -Now, you've bulk-imported the user accounts into Office 365. First, you selected the bulk-import method. Next, you created the Office 365 security groups in Office 365. Finally, you created the Office 365 email distribution groups. Now, you’re ready to assign user licenses for Azure AD Premium. +Now, you have bulk-imported the user accounts into Office 365. First, you selected the bulk-import method. Next, you created the Office 365 security groups in Office 365. Finally, you created the Office 365 email distribution groups. Now, you’re ready to assign user licenses for Azure AD Premium. ## Assign user licenses for Azure AD Premium @@ -582,7 +582,7 @@ After you create the Microsoft Store for Business portal, configure it by using ### Find, acquire, and distribute apps in the portal -Now that you've created your Microsoft Store for Business portal, you’re ready to find, acquire, and distribute apps that you'll add to your portal. You do this by using the Inventory page in Microsoft Store for Business. +Now that you have created your Microsoft Store for Business portal, you’re ready to find, acquire, and distribute apps that you will add to your portal. You do this by using the Inventory page in Microsoft Store for Business. > [!NOTE] > Your educational institution can now use a credit card to pay for apps in Microsoft Store for Business. @@ -597,14 +597,14 @@ At the end of this section, you should have a properly configured Microsoft Stor ## Plan for deployment -You'll use the LTI deployment process in MDT to deploy Windows 10 to devices or to upgrade devices to Windows 10. Prior to preparing for deployment, you must make some deployment planning decisions, including selecting the operating systems you'll use, the approach you'll use to create your Windows 10 images, and the method you'll use to initiate the LTI deployment process. +You will use the LTI deployment process in MDT to deploy Windows 10 to devices or to upgrade devices to Windows 10. Prior to preparing for deployment, you must make some deployment planning decisions, including selecting the operating systems you will use, the approach you will use to create your Windows 10 images, and the method you will use to initiate the LTI deployment process. ### Select the operating systems -Later in the process, you'll import the versions of Windows 10 you want to deploy. You can deploy the operating system to new devices, refresh existing devices, or upgrade existing devices. If: +Later in the process, you will import the versions of Windows 10 you want to deploy. You can deploy the operating system to new devices, refresh existing devices, or upgrade existing devices. If: -- New devices or refreshing existing devices, you'll complete replace the existing operating system on a device with Windows 10. -- Upgrading existing devices, you'll upgrade the existing operating system (the Windows 8.1 or Windows 7 operating system) to Windows 10. +- New devices or refreshing existing devices, you will complete replace the existing operating system on a device with Windows 10. +- Upgrading existing devices, you will upgrade the existing operating system (the Windows 8.1 or Windows 7 operating system) to Windows 10. Depending on your school’s requirements, you may need any combination of the following Windows 10 editions: @@ -620,12 +620,12 @@ Depending on your school’s requirements, you may need any combination of the f > [!NOTE] > Although you can use Windows 10 Home on institution-owned devices, Microsoft recommends that you use Windows 10 Pro or Windows 10 Education, instead. Windows 10 Pro and Windows 10 Education provide support for MDM, policy-based management, and Microsoft Store for Business. These features are not available in Windows 10 Home. -One other consideration is the mix of processor architectures you'll support. If you can, support only 64-bit versions of Windows 10. If you have devices that can run only 32-bit versions of Windows 10, you'll need to import both 64-bit and 32-bit versions of the Windows 10 editions listed above. +One other consideration is the mix of processor architectures you will support. If you can, support only 64-bit versions of Windows 10. If you have devices that can run only 32-bit versions of Windows 10, you will need to import both 64-bit and 32-bit versions of the Windows 10 editions listed above. > [!NOTE] > On devices that have minimal system resources (such as devices with only 2 GB of memory or 32 GB of storage), use 32-bit versions of Windows 10 because 64-bit versions of Windows 10 place more stress on device system resources. -Finally, as a best practice, minimize the number of operating systems that you deploy and manage. If possible, standardize institution-owned devices on one Windows 10 edition (such as a 64-bit version of Windows 10 Education or Windows 10 Pro). You can't standardize personal devices on a specific operating system version or processor architecture. +Finally, as a best practice, minimize the number of operating systems that you deploy and manage. If possible, standardize institution-owned devices on one Windows 10 edition (such as a 64-bit version of Windows 10 Education or Windows 10 Pro). You cannot standardize personal devices on a specific operating system version or processor architecture. ### Select an image approach @@ -668,10 +668,10 @@ The first step in preparation for Windows 10 deployment is to configure—that i | Task | Description | | --- | --- | | **1. Import operating systems** | Import the operating systems that you selected in the [Select operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import an Operating System into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportanOperatingSystemintotheDeploymentWorkbench). | -| **2. Import device drives** | Device drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device can't play sounds; without the proper camera driver, the device can't take photos or use video chat.

                      Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench). | -| **3. Create MDT applications for Microsoft Store apps** | Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using sideloading, which allows you to use the Add-AppxPackage Windows PowerShell cmdlet to deploy the .appx files associated with the app (called provisioned apps). Use this method to deploy up to 24 apps to Windows 10.

                      Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you'll use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you'll need to obtain the .appx files from the app software vendor directly. If you're unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.

                      If you've Intune, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.

                      In addition, you must prepare your environment for sideloading (deploying) Microsoft Store apps. For more information about how to:

                      - Prepare your environment for sideloading, see [Sideload LOB apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10).
                      - Create an MDT application, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench). | -| **4. Create MDT applications for Windows desktop apps** | You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.

                      To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in [Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](/deployoffice/deploy-microsoft-365-apps-local-source?f=255&MSPPError=-2147217396).

                      If you've Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This is the preferred method for deploying and managing Windows desktop apps.

                      You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section.

                      For more information about how to create an MDT application for Windows desktop apps, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench). | -| **5. Create task sequences.** | You must create a separate task sequence for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in Step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education; (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education; or (3) if you want to run deployments and upgrades for both 32 bit and 64-bit versions of Windows 10. To do so, you must create task sequences that will:

                      - Deploy Windows 10 Education 64-bit to devices.
                      - Deploy Windows 10 Education 32-bit to devices.
                      - Upgrade existing devices to Windows 10 Education 64-bit.
                      - Upgrade existing devices to Windows 10 Education 32-bit.

                      Again, you'll create the task sequences based on the operating systems that you imported in Step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewTaskSequenceintheDeploymentWorkbench). | +| **2. Import device drives** | Device drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat.

                      Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench). | +| **3. Create MDT applications for Microsoft Store apps** | Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using sideloading, which allows you to use the Add-AppxPackage Windows PowerShell cmdlet to deploy the .appx files associated with the app (called provisioned apps). Use this method to deploy up to 24 apps to Windows 10.

                      Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you will use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you will need to obtain the .appx files from the app software vendor directly. If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.

                      If you have Intune, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.

                      In addition, you must prepare your environment for sideloading (deploying) Microsoft Store apps. For more information about how to:

                      - Prepare your environment for sideloading, see [Sideload LOB apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10).
                      - Create an MDT application, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench). | +| **4. Create MDT applications for Windows desktop apps** | You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.

                      To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in [Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](/deployoffice/deploy-microsoft-365-apps-local-source?f=255&MSPPError=-2147217396).

                      If you have Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This is the preferred method for deploying and managing Windows desktop apps.

                      You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section.

                      For more information about how to create an MDT application for Windows desktop apps, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench). | +| **5. Create task sequences.** | You must create a separate task sequence for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in Step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education; (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education; or (3) if you want to run deployments and upgrades for both 32 bit and 64-bit versions of Windows 10. To do so, you must create task sequences that will:

                      - Deploy Windows 10 Education 64-bit to devices.
                      - Deploy Windows 10 Education 32-bit to devices.
                      - Upgrade existing devices to Windows 10 Education 64-bit.
                      - Upgrade existing devices to Windows 10 Education 32-bit.

                      Again, you will create the task sequences based on the operating systems that you imported in Step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewTaskSequenceintheDeploymentWorkbench). | | **6. Update the deployment share.** | Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32 bit and 64-bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services.

                      For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#UpdateaDeploymentShareintheDeploymentWorkbench).| --- @@ -692,7 +692,7 @@ You can use Windows Deployment Services with MDT to automatically initiate boot 2. Add LTI boot images (Windows PE images) to Windows Deployment Services. - The LTI boot images (.wim files) that you'll add to Windows Deployment Services are in the MDT deployment share. Locate the .wim files in the Boot subfolder in the deployment share. For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](/mem/configmgr/mdt/use-the-mdt#AddLTIBootImagestoWindowsDeploymentServices). + The LTI boot images (.wim files) that you will add to Windows Deployment Services are in the MDT deployment share. Locate the .wim files in the Boot subfolder in the deployment share. For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](/mem/configmgr/mdt/use-the-mdt#AddLTIBootImagestoWindowsDeploymentServices). ### Summary @@ -700,7 +700,7 @@ Now, Windows Deployment Services is ready to initiate the LTI deployment process ## Prepare for device management -Before you deploy Windows 10 in your institution, you must prepare for device management. You'll deploy Windows 10 in a configuration that complies with your requirements, but you want to help ensure that your deployments remain compliant. +Before you deploy Windows 10 in your institution, you must prepare for device management. You will deploy Windows 10 in a configuration that complies with your requirements, but you want to help ensure that your deployments remain compliant. ### Select the management method @@ -713,23 +713,23 @@ For a school, there are many ways to manage devices. Table 10 lists the methods --- | Method | Description | | --- | --- | -| **Group Policy** | Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows. Select this method when you:

                      - Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).
                      - Want more granular control of device and user settings.
                      - Have an existing AD DS infrastructure.
                      - Typically manage on-premises devices.
                      - Can manage a required setting only by using Group Policy.

                      The advantages of this method include:

                      - No cost beyond the AD DS infrastructure.
                      - A larger number of settings.

                      The disadvantages of this method are:

                      - Can only manage domain-joined (institution-owned devices).
                      - Requires an AD DS infrastructure (if the institution doesn't have AD DS already).
                      - Typically manages on-premises devices (unless devices connect by using a VPN or DirectAccess). | -| **Intune** | Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10 and other operating systems, such as iOS/iPadOS, macOS, and Android. Intune is a subscription-based cloud service that integrates with Microsoft 365 and Azure AD.

                      Select this method when you:

                      - Want to manage institution-owned and personal devices (doesn't require that the device be domain joined).
                      - Don’t require the level of granular control over device and user settings (compared to Group Policy).
                      - Don’t have an existing AD DS infrastructure.
                      - Need to manage devices regardless of where they are (on or off premises).
                      - Can manage a required setting only by using Intune.

                      The advantages of this method are:

                      - You can manage institution-owned and personal devices.
                      - It doesn’t require that devices be domain joined.
                      - It doesn’t require any on-premises infrastructure.
                      - It can manage devices regardless of their location (on or off premises).

                      The disadvantages of this method are:

                      - Carries an additional cost for subscription.
                      - Doesn’t have a granular level control over device and user settings (compared to Group Policy). | +| **Group Policy** | Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows. Select this method when you:

                      - Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).
                      - Want more granular control of device and user settings.
                      - Have an existing AD DS infrastructure.
                      - Typically manage on-premises devices.
                      - Can manage a required setting only by using Group Policy.

                      The advantages of this method include:

                      - No cost beyond the AD DS infrastructure.
                      - A larger number of settings.

                      The disadvantages of this method are:

                      - Can only manage domain-joined (institution-owned devices).
                      - Requires an AD DS infrastructure (if the institution does not have AD DS already).
                      - Typically manages on-premises devices (unless devices connect by using a VPN or DirectAccess). | +| **Intune** | Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10 and other operating systems, such as iOS/iPadOS, macOS, and Android. Intune is a subscription-based cloud service that integrates with Microsoft 365 and Azure AD.

                      Select this method when you:

                      - Want to manage institution-owned and personal devices (does not require that the device be domain joined).
                      - Don’t require the level of granular control over device and user settings (compared to Group Policy).
                      - Don’t have an existing AD DS infrastructure.
                      - Need to manage devices regardless of where they are (on or off premises).
                      - Can manage a required setting only by using Intune.

                      The advantages of this method are:

                      - You can manage institution-owned and personal devices.
                      - It doesn’t require that devices be domain joined.
                      - It doesn’t require any on-premises infrastructure.
                      - It can manage devices regardless of their location (on or off premises).

                      The disadvantages of this method are:

                      - Carries an additional cost for subscription.
                      - Doesn’t have a granular level control over device and user settings (compared to Group Policy). | --- ### Select Microsoft-recommended settings -Microsoft has several recommended settings for educational institutions. Table 11 lists them, provides a brief description of why you need to configure them, and recommends methods for configuring the settings. Review the settings in Table 11 and evaluate their relevancy to your institution. Use the information to help you determine whether you need to configure the setting and which method you'll use to do so. At the end, you'll have a list of settings that you want to apply to the Windows 10 devices and know which management method you'll use to configure the settings. +Microsoft has several recommended settings for educational institutions. Table 11 lists them, provides a brief description of why you need to configure them, and recommends methods for configuring the settings. Review the settings in Table 11 and evaluate their relevancy to your institution. Use the information to help you determine whether you need to configure the setting and which method you will use to do so. At the end, you will have a list of settings that you want to apply to the Windows 10 devices and know which management method you will use to configure the settings. *Table 11. Recommended settings for educational institutions* --- | Recommendation | Description | | --- | --- | -| **Use of Microsoft accounts** | You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, don't use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.

                      Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.

                      **Group Policy**: Configure the [Accounts: Block Microsoft accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj966262(v=ws.11)?amp;MSPPError=-2147217396&f=255) Group Policy setting to use the Users can’t add Microsoft accounts setting option.

                      **Intune**: Enable or disable Microsoft accounts by using the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy. | +| **Use of Microsoft accounts** | You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.

                      Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.

                      **Group Policy**: Configure the [Accounts: Block Microsoft accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj966262(v=ws.11)?amp;MSPPError=-2147217396&f=255) Group Policy setting to use the Users can’t add Microsoft accounts setting option.

                      **Intune**: Enable or disable Microsoft accounts by using the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy. | | **Restrict local administrator accounts on the devices** | Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.

                      **Group Policy**: Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the **Delete all member users** and **Delete all member groups** check boxes to remove any existing members. For more information about how to configure Local Group preferences, see [Configure a Local Group Item](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732525(v=ws.11)).

                      **Intune**: Not available | -| **Manage the built-in administrator account created during device deployment** | When you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and optionally disable it.

                      **Group Policy**: Rename the built-in Administrator account by using the **Accounts: Rename administrator account** Group Policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-essentials-sbs/cc747484(v=ws.10)). You'll specify the new name for the Administrator account. You can disable the built-in Administrator account by using the **Accounts: Administrator account status** Group Policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852165(v=ws.11)).

                      **Intune**: Not available. | +| **Manage the built-in administrator account created during device deployment** | When you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and optionally disable it.

                      **Group Policy**: Rename the built-in Administrator account by using the **Accounts: Rename administrator account** Group Policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-essentials-sbs/cc747484(v=ws.10)). You will specify the new name for the Administrator account. You can disable the built-in Administrator account by using the **Accounts: Administrator account status** Group Policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852165(v=ws.11)).

                      **Intune**: Not available. | | **Control Microsoft Store access** | You can control access to Microsoft Store and whether existing Microsoft Store apps receive updates. You can only disable the Microsoft Store app in Windows 10 Education and Windows 10 Enterprise.

                      **Group Policy**: You can disable the Microsoft Store app by using the **Turn off the Store Application** Group Policy setting. You can prevent Microsoft Store apps from receiving updates by using the **Turn off Automatic Download and Install of updates** Group Policy setting. For more information about configuring these settings, see [Can I use Group Policy to control the Microsoft Store in my enterprise environment?](/previous-versions/windows/it-pro/windows-8.1-and-8/hh832040(v=ws.11)#BKMK_UseGP).

                      **Intune**: You can enable or disable the camera by using the **Allow application store** policy setting in the **Apps** section of a **Windows 10 General Configuration** policy. | | **Use of Remote Desktop connections to devices** | Remote Desktop connections could allow unauthorized access to the device. Depending on your institution’s policies, you may want to disable Remote Desktop connections on your devices.

                      **Group Policy**: You can enable or disable Remote Desktop connections to devices by using the **Allow Users to connect remotely using Remote Desktop setting** in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections.

                      **Intune**: Not available. | | **Use of camera** | A device’s camera can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the camera on your devices.

                      **Group Policy**: Not available.

                      **Intune**: You can enable or disable the camera by using the **Allow camera** policy setting in the **Hardware** section of a **Windows 10 General Configuration** policy. | @@ -742,7 +742,7 @@ Microsoft has several recommended settings for educational institutions. Table 1 ### Configure settings by using Group Policy -Now, you’re ready to configure settings by using Group Policy. The steps in this section assume that you have an AD DS infrastructure. You'll configure the Group Policy settings you select in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. +Now, you’re ready to configure settings by using Group Policy. The steps in this section assume that you have an AD DS infrastructure. You will configure the Group Policy settings you select in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. For more information about Group Policy, see [Group Policy Planning and Deployment Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754948(v=ws.10)). @@ -754,7 +754,7 @@ For more information about Group Policy, see [Group Policy Planning and Deployme ### Configure settings by using Intune -Now, you’re ready to configure settings using Intune. The steps in this section assume that you have an Office 365 subscription. You'll configure the Intune settings that you selected in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. +Now, you’re ready to configure settings using Intune. The steps in this section assume that you have an Office 365 subscription. You will configure the Intune settings that you selected in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. For more information about Intune, see [Documentation for Microsoft Intune](/mem/intune/). @@ -842,7 +842,7 @@ As a final quality control step, verify the device configuration to ensure that - All Windows desktop apps are properly installed and updated. - Printers are properly configured. -When you've verified that the first device is properly configured, you can move to the next device and perform the same steps. +When you have verified that the first device is properly configured, you can move to the next device and perform the same steps. ### Summary @@ -850,7 +850,7 @@ You prepared the devices for deployment by verifying that they have adequate sys ## Maintain Windows devices and Office 365 -After the initial deployment, you'll need to perform certain tasks to maintain the Windows 10 devices and your Office 365 Education subscription. You should perform these tasks on the following schedule: +After the initial deployment, you will need to perform certain tasks to maintain the Windows 10 devices and your Office 365 Education subscription. You should perform these tasks on the following schedule: - **Monthly.** These tasks help ensure that the devices are current with software updates and properly protected against viruses and malware. - **New semester or academic year.** Perform these tasks prior to the start of a new curriculum—for example, at the start of a new academic year or semester. These tasks help ensure that the classroom environments are ready for the next group of students. @@ -866,7 +866,7 @@ Table 13 lists the school and individual classroom maintenance tasks, the resour | Verify that Windows Update is active and current with operating system and software updates.

                      For more information about completing this task, see:

                      - Intune: See [Keep Windows PCs up to date with software updates in Microsoft Intune](https://www.microsoft.com/en-us/insidetrack/keeping-windows-10-devices-up-to-date-with-microsoft-intune-and-windows-update-for-business)
                      - Group Policy: See [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb)
                      - Windows Server Update Services (WSUS): See [Deploy Windows Server Update Services](/windows-server/administration/windows-server-update-services/deploy/deploy-windows-server-update-services)
                      - Neither Intune, Group Policy, or WSUS: See [Update Windows](https://support.microsoft.com/windows/update-windows-3c5ae7fc-9fb6-9af1-1984-b5e0412c556a). | ✔️ | ✔️ | ✔️ | | Verify that Windows Defender is active and current with malware Security intelligence.

                      For more information, see [Enforce compliance for Microsoft Defender for Endpoint with Conditional Access in Intune](/mem/intune/protect/advanced-threat-protection) and [Enable and configure Microsoft Defender Antivirus always-on protection in Group Policy](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus)). | ✔️ | ✔️ | ✔️ | | Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found.

                      For more information about completing this task, see [Protect my PC from viruses](https://support.microsoft.com/windows/protect-my-pc-from-viruses-b2025ed1-02d5-1e87-ba5f-71999008e026). | ✔️ | ✔️ | ✔️ | -| Verify that you're using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).

                      For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options for updates and upgrades](/windows/deployment/update/). | | ✔️ | ✔️ | +| Verify that you are using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).

                      For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options for updates and upgrades](/windows/deployment/update/). | | ✔️ | ✔️ | | Refresh the operating system and apps on devices.

                      For more information about completing this task, see the [Deploy Windows 10 to devices](#deploy-windows-10-to-devices) section. | | ✔️ | ✔️ | | Install any new Windows desktop apps or update any Windows desktop apps that are used in the curriculum.

                      For more information, see the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. | | ✔️ | ✔️ | | Install new or update existing Microsoft Store apps that are used in the curriculum.

                      Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download.

                      You can also deploy Microsoft Store apps directly to devices by using Intune. For more information, see the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. | | ✔️ | ✔️ | @@ -880,7 +880,7 @@ Table 13 lists the school and individual classroom maintenance tasks, the resour ### Summary -Now, you've identified the tasks you need to perform monthly, at the end of an academic year or semester, and as required. Your school configuration should match the typical school configuration that you saw in the [Plan a typical school configuration](#plan-a-typical-school-configuration) section. By running these maintenance tasks, you help ensure that your school stays secure and is configured as you specified. +Now, you have identified the tasks you need to perform monthly, at the end of an academic year or semester, and as required. Your school configuration should match the typical school configuration that you saw in the [Plan a typical school configuration](#plan-a-typical-school-configuration) section. By running these maintenance tasks, you help ensure that your school stays secure and is configured as you specified. ## Related resources diff --git a/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md b/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md index c2d154430c..1d9fa5aab2 100644 --- a/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md +++ b/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md @@ -98,7 +98,7 @@ If you decide to use the centralized compatibility-fix database deployment strat 1. Verify that your application-compatibility testers are performing their tests on computers with the latest version of your compatibility-fix database. For example, Custom DB1. -2. If the tester determines that an application requires an extra compatibility fix that isn'9t a part of the original compatibility-fix database, the tester must create a new custom compatibility database with all of the required information for that single fix, for example, Custom DB2. +2. If the tester determines that an application requires an extra compatibility fix that isn't a part of the original compatibility-fix database, the tester must create a new custom compatibility database with all of the required information for that single fix, for example, Custom DB2. 3. The tester applies the new Custom DB2 information to the application and then tests for both the functionality and integration, to ensure that the compatibility issues are addressed. From d3a88193b6f73a56b02289c939ca466654be8759 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Tue, 8 Feb 2022 18:20:49 +0530 Subject: [PATCH 31/68] Acrolinx score enhancement --- education/windows/autopilot-reset.md | 18 +- education/windows/change-history-edu.md | 10 +- education/windows/change-to-pro-education.md | 42 ++-- .../windows/chromebook-migration-guide.md | 134 ++++++------ .../configure-windows-for-education.md | 34 +-- .../deploy-windows-10-in-a-school-district.md | 196 +++++++++--------- 6 files changed, 217 insertions(+), 217 deletions(-) diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md index c0ac95e03e..5e41713a4b 100644 --- a/education/windows/autopilot-reset.md +++ b/education/windows/autopilot-reset.md @@ -19,7 +19,7 @@ manager: dansimp - Windows 10, version 1709 -IT admins or technical teachers can use Autopilot Reset to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen any time and apply original settings and management enrollment (Azure Active Directory and device management) so the devices are ready to use. With Autopilot Reset, devices are returned to a fully configured or known IT-approved state. +IT admins or technical teachers can use Autopilot Reset to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen anytime and apply original settings and management enrollment (Azure Active Directory and device management) so the devices are ready to use. With Autopilot Reset, devices are returned to a fully configured or known IT-approved state. To enable Autopilot Reset in Windows 10, version 1709 (Fall Creators Update), you must: @@ -30,7 +30,7 @@ To enable Autopilot Reset in Windows 10, version 1709 (Fall Creators Update), yo To use Autopilot Reset, [Windows Recovery Environment (WinRE) must be enabled on the device](#winre). -**DisableAutomaticReDeploymentCredentials** is a policy that enables or disables the visibility of the credentials for Autopilot Reset. It is a policy node in the [Policy CSP](/windows/client-management/mdm/policy-csp-credentialproviders), **CredentialProviders/DisableAutomaticReDeploymentCredentials**. By default, this policy is set to 1 (Disable). This ensures that Autopilot Reset isn't triggered by accident. +**DisableAutomaticReDeploymentCredentials** is a policy that enables or disables the visibility of the credentials for Autopilot Reset. It's a policy node in the [Policy CSP](/windows/client-management/mdm/policy-csp-credentialproviders), **CredentialProviders/DisableAutomaticReDeploymentCredentials**. By default, this policy is set to 1 (Disable). This setting ensures that Autopilot Reset isn't triggered by accident. You can set the policy using one of these methods: @@ -49,11 +49,11 @@ You can set the policy using one of these methods: - Set up School PCs app - Autopilot Reset in the Set up School PCs app is available in the latest release of the app. Make sure you are running Windows 10, version 1709 on the student PCs if you want to use Autopilot Reset through the Set up School PCs app. You can check the version several ways: + Autopilot Reset in the Set up School PCs app is available in the latest release of the app. Make sure you're running Windows 10, version 1709 on the student PCs if you want to use Autopilot Reset through the Set up School PCs app. You can check the version several ways: - Reach out to your device manufacturer. - - If you manage your PCs using Intune or Intune for Education, you can check the OS version by checking the **OS version** info for the device. If you are using another MDM provider, check the documentation for the MDM provider to confirm the OS version. + - If you manage your PCs using Intune or Intune for Education, you can check the OS version by checking the **OS version** info for the device. If you're using another MDM provider, check the documentation for the MDM provider to confirm the OS version. - Log into the PCs, go to the **Settings > System > About** page, look in the **Windows specifications** section and confirm **Version** is set to 1709. @@ -72,7 +72,7 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo ![Enter CTRL+Windows key+R on the Windows lockscreen.](images/autopilot-reset-lockscreen.png) - This will open up a custom login screen for Autopilot Reset. The screen serves two purposes: + This keystroke will open up a custom sign-in screen for Autopilot Reset. The screen serves two purposes: 1. Confirm/verify that the end user has the right to trigger Autopilot Reset @@ -93,7 +93,7 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo - Connects to Wi-Fi. - - If you provided a provisioning package when Autopilot Reset is triggered, the system will apply this new provisioning package. Otherwise, the system will re-apply the original provisioning package on the device. + - If you provided a provisioning package when Autopilot Reset is triggered, the system will apply this new provisioning package. Otherwise, the system will reapply the original provisioning package on the device. - Is returned to a known good managed state, connected to Azure AD and MDM. @@ -105,7 +105,7 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo ## Troubleshoot Autopilot Reset -Autopilot Reset will fail when the [Windows Recovery Environment (WinRE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) is not enabled on the device. You will see `Error code: ERROR_NOT_SUPPORTED (0x80070032)`. +Autopilot Reset will fail when the [Windows Recovery Environment (WinRE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) isn't enabled on the device. You'll see `Error code: ERROR_NOT_SUPPORTED (0x80070032)`. To make sure WinRE is enabled, use the [REAgentC.exe tool](/windows-hardware/manufacture/desktop/reagentc-command-line-options) to run the following command: @@ -113,8 +113,8 @@ To make sure WinRE is enabled, use the [REAgentC.exe tool](/windows-hardware/man reagentc /enable ``` -If Autopilot Reset fails after enabling WinRE, or if you are unable to enable WinRE, please contact [Microsoft Support](https://support.microsoft.com) for assistance. +If Autopilot Reset fails after enabling WinRE, or if you're unable to enable WinRE, kindly contact [Microsoft Support](https://support.microsoft.com) for assistance. -## Related topics +## Related articles [Set up Windows devices for education](set-up-windows-10.md) diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md index aafc6c622f..9a828c6755 100644 --- a/education/windows/change-history-edu.md +++ b/education/windows/change-history-edu.md @@ -42,7 +42,7 @@ New or changed topic | Description | [Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md) | Updated the list of device manufacturers. | | [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md) | Updated instances of the parameter enablePrint, or enablePrinting, to requirePrinting. | | [Set up Take a Test on a single PC](take-a-test-single-pc.md) | Updated instances of the parameter enablePrint, or enablePrinting, to requirePrinting. | -| [Take a Test app technical reference](take-a-test-app-technical.md) | Added a note that the Alt+F4 key combination for enabling students to exit the test is disabled in Windows 10, version 1703 (Creators Update) and later. Also added additional info about the Ctrl+Alt+Del key combination. | +| [Take a Test app technical reference](take-a-test-app-technical.md) | Added a note that the Alt+F4 key combination for enabling students to exit the test is disabled in Windows 10, version 1703 (Creators Update) and later. Also added more information about the Ctrl+Alt+Del key combination. | ## RELEASE: Windows 10, version 1709 (Fall Creators Update) @@ -62,7 +62,7 @@ New or changed topic | Description | New or changed topic | Description | | --- | ---- | -| [Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md) | New. Find out how you can test Windows 10 S on a variety of Windows 10 devices (except Windows 10 Home) in your school and share your feedback with us. | +| [Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md) | New. Find out how you can test Windows 10 S on various Windows 10 devices (except Windows 10 Home) in your school and share your feedback with us. | | [Use the Set up School PCs app](use-set-up-school-pcs-app.md) | Updated the instructions to reflect the new or updated functionality in the latest version of the app. | ## July 2017 @@ -85,16 +85,16 @@ New or changed topic | Description | New or changed topic | Description | | --- | ---- | -| [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) | New. If you have an education tenant and use devices Windows 10 Pro or Windows 10 S in your schools, find out how you can opt-in to a free switch to Windows 10 Pro Education. | +| [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) | New. If you have an education tenant and use devices Windows 10 Pro or Windows 10 S in your schools, find out how you can opt in to a free switch to Windows 10 Pro Education. | | [Use the Set up School PCs app](use-set-up-school-pcs-app.md) | Updated. Now includes network tips and updated step-by-step instructions that show the latest updates to the app such as Wi-Fi setup. | ## RELEASE: Windows 10, version 1703 (Creators Update) | New or changed topic | Description| | --- | --- | -| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](/microsoft-365/education/deploy/) | New. Learn how you can you can quickly and easily use the new Microsoft Education system to implement a full IT cloud solution for your school. | +| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](/microsoft-365/education/deploy/) | New. Learn how you can quickly and easily use the new Microsoft Education system to implement a full IT cloud solution for your school. | | [Microsoft Education documentation and resources](/education) | New. Find links to more content for IT admins, teachers, students, and education app developers. | -| [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md) | New. Provides guidance on ways to configure the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, so that Windows is ready for your school. | +| [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md) | New. Provides guidance on ways to configure the OS diagnostic data, consumer experiences, Cortana, search, and some of the preinstalled apps, so that Windows is ready for your school. | | [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md) | Updated the screenshots and related instructions to reflect the current UI and experience. | | [Set up Windows devices for education](set-up-windows-10.md) | Updated for Windows 10, version 1703. | | Set up School PCs app:
                      [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md)
                      [Use the Set up School PCs app](use-set-up-school-pcs-app.md) | Updated. Describes the school-specific settings and policies that Set up School PC configures. Also provides step-by-step instructions for using the latest version of the app to create a provisioning package that you can use to set up student PCs. | diff --git a/education/windows/change-to-pro-education.md b/education/windows/change-to-pro-education.md index ea30225b3e..9d165c8892 100644 --- a/education/windows/change-to-pro-education.md +++ b/education/windows/change-to-pro-education.md @@ -17,7 +17,7 @@ manager: dansimp # Change to Windows 10 Pro Education from Windows 10 Pro Windows 10 Pro Education is a new offering in Windows 10, version 1607. This edition builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools by providing education-specific default settings. -If you have an education tenant and use devices with Windows 10 Pro, global administrators can opt-in to a free change to Windows 10 Pro Education depending on your scenario. +If you have an education tenant and use devices with Windows 10 Pro, global administrators can opt in to a free change to Windows 10 Pro Education depending on your scenario. - [Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode](./s-mode-switch-to-edu.md) To take advantage of this offering, make sure you meet the [requirements for changing](#requirements-for-changing). For academic customers who are eligible to change to Windows 10 Pro Education, but are unable to use the above methods, contact Microsoft Support for assistance. @@ -43,7 +43,7 @@ For more info about Windows 10 default settings and recommendations for educatio ## Change from Windows 10 Pro to Windows 10 Pro Education -For schools that want to standardize all their Windows 10 Pro devices to Windows 10 Pro Education, a global admin for the school can opt-in to a free change through the Microsoft Store for Education. +For schools that want to standardize all their Windows 10 Pro devices to Windows 10 Pro Education, a global admin for the school can opt in to a free change through the Microsoft Store for Education. In this scenario: @@ -51,7 +51,7 @@ In this scenario: - Any device that joins the Azure AD will change automatically to Windows 10 Pro Education. - The IT admin has the option to automatically roll back to Windows 10 Pro, if desired. See [Roll back Windows 10 Pro Education to Windows 10 Pro](#roll-back-windows-10-pro-education-to-windows-10-pro). -See [change using Microsoft Store for Education](#change-using-microsoft-store-for-education) for details on how to do this. +See [change using Microsoft Store for Education](#change-using-microsoft-store-for-education) for details on how to turn on the change. ### Change using Intune for Education @@ -98,8 +98,8 @@ Academic institutions can easily move from Windows 10 Pro to Windows 10 Pro Educ When you change to Windows 10 Pro Education, you get the following benefits: -- **Windows 10 Pro Education edition**. Devices currently running Windows 10 Pro, version 1607 or higher, or Windows 10 S mode, version 1703, can get Windows 10 Pro Education Current Branch (CB). This benefit does not include Long Term Service Branch (LTSB). -- **Support from one to hundreds of users**. The Windows 10 Pro Education program does not have a limitation on the number of licenses an organization can have. +- **Windows 10 Pro Education edition**. Devices currently running Windows 10 Pro, version 1607 or higher, or Windows 10 S mode, version 1703, can get Windows 10 Pro Education Current Branch (CB). This benefit doesn't include Long Term Service Branch (LTSB). +- **Support from one to hundreds of users**. The Windows 10 Pro Education program doesn't have a limitation on the number of licenses an organization can have. - **Roll back options to Windows 10 Pro** - When a user leaves the domain or you turn off the setting to automatically change to Windows 10 Pro Education, the device reverts seamlessly to Windows 10 Pro edition (after a grace period of up to 30 days). - For devices that originally had Windows 10 Pro edition installed, when a license expires or is transferred to another user, the Windows 10 Pro Education device seamlessly steps back down to Windows 10 Pro. @@ -108,13 +108,13 @@ When you change to Windows 10 Pro Education, you get the following benefits: ### Change using Microsoft Store for Education -Once you enable the setting to change to Windows 10 Pro Education, the change will begin only after a user signs in to their device. The setting applies to the entire organization or tenant, so you cannot select which users will receive the change. The change will only apply to Windows 10 Pro devices. +Once you enable the setting to change to Windows 10 Pro Education, the change will begin only after a user signs in to their device. The setting applies to the entire organization or tenant, so you can't select which users will receive the change. The change will only apply to Windows 10 Pro devices. **To turn on the automatic change to Windows 10 Pro Education** 1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com/) with your work or school account. - If this is the first time you're signing into the Microsoft Store for Education, you'll be prompted to accept the Microsoft Store for Education Terms of Use. + If you're signing into the Microsoft Store for Education for the first time, you'll be prompted to accept the Microsoft Store for Education Terms of Use. 2. Click **Manage** from the top menu and then select the **Benefits tile**. 3. In the **Benefits** tile, look for the **Change to Windows 10 Pro Education for free** link and then click it. @@ -130,11 +130,11 @@ Once you enable the setting to change to Windows 10 Pro Education, the change wi A confirmation window pops up to let you know that an email has been sent to you to enable the change. 6. Close the confirmation window and check the email to proceed to the next step. -7. In the email, click the link to **Change to Windows 10 Pro Education**. Once you click the link, this will take you back to the Microsoft Store for Education portal. +7. In the email, click the link to **Change to Windows 10 Pro Education**. Once you click the link, you are taken back to the Microsoft Store for Education portal. 8. Click **Change now** in the **changing your device to Windows 10 Pro Education for free** page in the Microsoft Store. - You will see a window that confirms you've successfully changed all the devices in your organization to Windows 10 Pro Education, and each Azure AD joined device running Windows 10 Pro will automatically change the next time someone in your organization signs in to the device. + You'll see a window that confirms you've successfully changed all the devices in your organization to Windows 10 Pro Education, and each Azure AD joined device running Windows 10 Pro will automatically change the next time someone in your organization signs in to the device. 9. Click **Close** in the **Success** window. @@ -146,7 +146,7 @@ Enabling the automatic change also triggers an email message notifying all globa So what will users experience? How will they change their devices? ### For existing Azure AD joined devices -Existing Azure AD domain joined devices will be changed to Windows 10 Pro Education the next time the user logs in. That's it! No additional steps are needed. +Existing Azure AD domain joined devices will be changed to Windows 10 Pro Education the next time the user logs in. That's it! No other steps are needed. ### For new devices that are not Azure AD joined Now that you've turned on the setting to automatically change to Windows 10 Pro Education, the users are ready to change their devices running Windows 10 Pro, version 1607 or higher, version 1703 to Windows 10 Pro Education edition. @@ -197,7 +197,7 @@ If the Windows device is running Windows 10, version 1703, follow these steps. ![Select the option to join the device to Azure Active Directory.](images/settings_setupworkorschoolaccount_2.png) -4. On the **Let's get you signed in** window, enter the Azure AD credentials (username and password) and sign in. This will join the device to the school's Azure AD. +4. On the **Let's get you signed in** window, enter the Azure AD credentials (username and password) and sign in. The device is joined with the school's Azure AD. 5. To verify that the device was successfully joined to Azure AD, go back to **Settings > Accounts > Access work or school**. You should now see a connection under the **Connect to work or school** section that indicates the device is connected to Azure AD. **Figure 8** - Verify the device connected to Azure AD @@ -207,7 +207,7 @@ If the Windows device is running Windows 10, version 1703, follow these steps. #### Step 2: Sign in using Azure AD account -Once the device is joined to your Azure AD subscription, the user will sign in by using his or her Azure AD account. The Windows 10 Pro Education license associated with the user will enable Windows 10 Pro Education edition capabilities on the device. +Once the device is joined to your Azure AD subscription, users will sign in by using their Azure AD account. The Windows 10 Pro Education license associated with the user will enable Windows 10 Pro Education edition capabilities on the device. #### Step 3: Verify that Pro Education edition is enabled @@ -224,7 +224,7 @@ If there are any problems with the Windows 10 Pro Education license or the acti In some instances, users may experience problems with the Windows 10 Pro Education change. The most common problems that users may experience are as follows: -- The existing operating system (Windows 10 Pro, version 1607 or higher, or version 1703) is not activated. +- The existing operating system (Windows 10 Pro, version 1607 or higher, or version 1703) isn't activated. - The Windows 10 Pro Education change has lapsed or has been removed. Use the following figures to help you troubleshoot when users experience these common problems: @@ -234,7 +234,7 @@ Use the following figures to help you troubleshoot when users experience these c Windows 10 activated and subscription active

                      -**Figure 11** - Illustrates a device on which the existing operating system is not activated, but the Windows 10 Pro Education change is active. +**Figure 11** - Illustrates a device on which the existing operating system isn't activated, but the Windows 10 Pro Education change is active. Windows 10 not activated and subscription active

                      @@ -245,7 +245,7 @@ Devices must be running Windows 10 Pro, version 1607 or higher, or domain joined **To determine if a device is Azure AD joined** -1. Open a command prompt and type the following: +1. Open a command prompt and type the following command: ``` dsregcmd /status @@ -268,19 +268,19 @@ Devices must be running Windows 10 Pro, version 1607 or higher, or domain joined ### Roll back Windows 10 Pro Education to Windows 10 Pro -If your organization has the Windows 10 Pro to Windows 10 Pro Education change enabled, and you decide to roll back to Windows 10 Pro or to cancel the change, you can do this by: +If your organization has the Windows 10 Pro to Windows 10 Pro Education change enabled, and you decide to roll back to Windows 10 Pro or to cancel the change, perform the following task: -- Logging into Microsoft Store for Education page and turning off the automatic change. +- Log into Microsoft Store for Education page and turning off the automatic change. - Selecting the link to turn off the automatic change from the notification email sent to all global administrators. -Once the automatic change to Windows 10 Pro Education is turned off, the change is effective immediately. Devices that were changed will revert to Windows 10 Pro only after the license has been refreshed (every 30 days) and the next time the user signs in. This means that a user whose device was changed may not immediately see Windows 10 Pro Education rolled back to Windows 10 Pro for up to 30 days. However, users who haven't signed in during the time that a change was enabled and then turned off will never see their device change from Windows 10 Pro. +Once the automatic change to Windows 10 Pro Education is turned off, the change is effective immediately. Devices that were changed will revert to Windows 10 Pro only after the license has been refreshed (every 30 days) and the next time the user signs in. Therefore, users whose device was changed may not immediately see Windows 10 Pro Education rolled back to Windows 10 Pro for up to 30 days. However, users who haven't signed in during the time that a change was enabled and then turned off will never see their device change from Windows 10 Pro. > [!NOTE] -> Devices that were changed from mode to Windows 10 Pro Education cannot roll back to Windows 10 Pro Education S mode. +> Devices that were changed from mode to Windows 10 Pro Education can't roll back to Windows 10 Pro Education S mode. **To roll back Windows 10 Pro Education to Windows 10 Pro** -1. Log in to [Microsoft Store for Education](https://educationstore.microsoft.com/) with your school or work account, or follow the link from the notification email to turn off the automatic change. +1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com/) with your school or work account, or follow the link from the notification email to turn off the automatic change. 2. Select **Manage > Benefits** and locate the section **Windows 10 Pro Education** and follow the link. 3. In the **Revert to Windows 10 Pro** page, click **Revert to Windows 10 Pro**. @@ -288,7 +288,7 @@ Once the automatic change to Windows 10 Pro Education is turned off, the change ![Revert to Windows 10 Pro.](images/msfe_manage_reverttowin10pro.png) -4. You will be asked if you're sure that you want to turn off automatic changes to Windows 10 Pro Education. Click **Yes**. +4. You'll be asked if you're sure that you want to turn off automatic changes to Windows 10 Pro Education. Click **Yes**. 5. Click **Close** in the **Success** page. All global admins get a confirmation email that a request was made to roll back your organization to Windows 10 Pro. If you, or another global admin, decide later that you want to turn on automatic changes again, you can do this by selecting **change to Windows 10 Pro Education for free** from the **Manage > Benefits** in the Microsoft Store for Education. diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md index 66569c4674..16213a16b3 100644 --- a/education/windows/chromebook-migration-guide.md +++ b/education/windows/chromebook-migration-guide.md @@ -1,6 +1,6 @@ --- title: Chromebook migration guide (Windows 10) -description: In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. +description: In this guide, you'll learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. ms.assetid: 7A1FA48A-C44A-4F59-B895-86D4D77F8BEA ms.reviewer: manager: dansimp @@ -22,23 +22,23 @@ ms.date: 10/13/2017 - Windows 10 -In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. You will learn how to perform the necessary planning steps, including Windows device deployment, migration of user and device settings, app migration or replacement, and cloud storage migration. You will then learn the best method to perform the migration by using automated deployment and migration tools. +In this guide, you'll learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. You'll learn how to perform the necessary planning steps, including Windows device deployment, migration of user and device settings, app migration or replacement, and cloud storage migration. You'll then learn the best method to perform the migration by using automated deployment and migration tools. ## Plan Chromebook migration Before you begin to migrate Chromebook devices, plan your migration. As with most projects, there can be an urge to immediately start doing before planning. When you plan your Chromebook migration before you perform the migration, you can save countless hours of frustration and mistakes during the migration process. -In the planning portion of this guide, you will identify all the decisions that you need to make and how to make each decision. At the end of the planning section, you will have a list of information you need to collect and what you need to do with the information. You will be ready to perform your Chromebook migration. +In the planning portion of this guide, you'll identify all the decisions that you need to make and how to make each decision. At the end of the planning section, you'll have a list of information you need to collect and what you need to do with the information. You'll be ready to perform your Chromebook migration. ## Plan for app migration or replacement -App migration or replacement is an essential part of your Chromebook migration. In this section you will plan how you will migrate or replace Chromebook (Chrome OS) apps that are currently in use with the same or equivalent Windows apps. At the end of this section, you will have a list of the active Chrome OS apps and the Windows app counterparts. +App migration or replacement is an essential part of your Chromebook migration. In this section, you'll plan how you'll migrate or replace Chromebook (Chrome OS) apps that are currently in use with the same or equivalent Windows apps. At the end of this section, you'll have a list of the active Chrome OS apps and the Windows app counterparts. **Identify the apps currently in use on Chromebook devices** -Before you can do any analysis or make decisions about which apps to migrate or replace, you need to identify which apps are currently in use on the Chromebook devices. You will create a list of apps that are currently in use (also called an app portfolio). +Before you can do any analysis or make decisions about which apps to migrate or replace, you need to identify which apps are currently in use on the Chromebook devices. You'll create a list of apps that are currently in use (also called an app portfolio). > [!NOTE] > The majority of Chromebook apps are web apps. For these apps you need to first perform Microsoft Edge compatibility testing and then publish the web app URL to the Windows users. For more information, see the [Perform app compatibility testing for web apps](#perform-testing-webapps) section. @@ -63,7 +63,7 @@ Record the following information about each app in your app portfolio: - App priority (how necessary is the app to the day-to-day process of the institution or a classroom? Rank as high, medium, or low) -Throughout the entire app migration or replacement process, focus on the higher priority apps. Focus on lower priority apps only after you have determined what you will do with the higher priority apps. +Throughout the entire app migration or replacement process, focus on the higher priority apps. Focus on lower priority apps only after you've determined what you'll do with the higher priority apps. ### @@ -85,13 +85,13 @@ Table 1. Google App replacements -It may be that you will decide to replace Google Apps after you deploy Windows devices. For more information on making this decision, see the [Select cloud services migration strategy](#select-cs-migrationstrat) section of this guide. +It may be that you'll decide to replace Google Apps after you deploy Windows devices. For more information on making this decision, see the [Select cloud services migration strategy](#select-cs-migrationstrat) section of this guide. **Find the same or similar apps in the Microsoft Store** In many instances, software vendors will create a version of their app for multiple platforms. You can search the Microsoft Store to find the same or similar apps to any apps not identified in the [Select Google Apps replacements](#select-googleapps) section. -In other instances, the offline app does not have a version written for the Microsoft Store or is not a web app. In these cases, look for an app that provides similar functions. For example, you might have a graphing calculator offline Android app published on the Chrome OS, but the software publisher does not have a version for Windows devices. Search the Microsoft Store for a graphing calculator app that provides similar features and functionality. Use that Microsoft Store app as a replacement for the graphing calculator offline Android app published on the Chrome OS. +In other instances, the offline app doesn't have a version written for the Microsoft Store or isn't a web app. In these cases, look for an app that provides similar functions. For example, you might have a graphing calculator offline Android app published on the Chrome OS, but the software publisher doesn't have a version for Windows devices. Search the Microsoft Store for a graphing calculator app that provides similar features and functionality. Use that Microsoft Store app as a replacement for the graphing calculator offline Android app published on the Chrome OS. Record the Windows app that replaces the Chromebook app in your app portfolio. @@ -99,20 +99,20 @@ Record the Windows app that replaces the Chromebook app in your app portfolio. **Perform app compatibility testing for web apps** -The majority of Chromebook apps are web apps. Because you cannot run native offline Chromebook apps on a Windows device, there is no reason to perform app compatibility testing for offline Chromebook apps. However, you may have a number of web apps that will run on both platforms. +Most of the Chromebook apps are web apps. Because you can't run native offline Chromebook apps on a Windows device, there's no reason to perform app compatibility testing for offline Chromebook apps. However, you may have many web apps that will run on both platforms. Ensure that you test these web apps in Microsoft Edge. Record the level of compatibility for each web app in Microsoft Edge in your app portfolio. ## Plan for migration of user and device settings -Some institutions have configured the Chromebook devices to make the devices easier to use by using the Google Chrome Admin Console. You have also probably configured the Chromebook devices to help ensure the user data access and ensure that the devices themselves are secure by using the Google Chrome Admin Console. +Some institutions have configured the Chromebook devices to make the devices easier to use by using the Google Chrome Admin Console. You've also probably configured the Chromebook devices to help ensure the user data access and ensure that the devices themselves are secure by using the Google Chrome Admin Console. However, in addition to your centralized configuration in the Google Admin Console, Chromebook users have probably customized their device. In some instances, users may have changed the web content that is displayed when the Chrome browser starts. Or they may have bookmarked websites for future reference. Or users may have installed apps for use in the classroom. -In this section, you will identify the user and device configuration settings for your Chromebook users and devices. Then you will prioritize these settings to focus on the configuration settings that are essential to your educational institution. +In this section, you'll identify the user and device configuration settings for your Chromebook users and devices. Then you'll prioritize these settings to focus on the configuration settings that are essential to your educational institution. -At the end of this section, you should have a list of Chromebook user and device settings that you want to migrate to Windows, as well as a level of priority for each setting. You may discover at the end of this section that you have few or no higher priority settings to be migrated. If this is the case, you can skip the [Perform migration of user and device settings](#migrate-user-device-settings) section of this guide. +At the end of this section, you should have a list of Chromebook user and device settings that you want to migrate to Windows, and a level of priority for each setting. You may discover at the end of this section that you've few or no higher priority settings to be migrated. If so, you can skip the [Perform migration of user and device settings](#migrate-user-device-settings) section of this guide. **Identify Google Admin Console settings to migrate** @@ -122,17 +122,17 @@ You use the Google Admin Console (as shown in Figure 1) to manage user and devic Figure 1. Google Admin Console -Table 2 lists the settings in the Device Management node in the Google Admin Console. Review the settings and determine which settings you will migrate to Windows. +Table 2 lists the settings in the Device Management node in the Google Admin Console. Review the settings and determine which settings you'll migrate to Windows. Table 2. Settings in the Device Management node in the Google Admin Console |Section |Settings | |---------|---------| |Network |

                      These settings configure the network connections for Chromebook devices and include the following settings categories:

                      • **Wi-Fi.** Configures the Wi-Fi connections that are available. The Windows devices will need these configuration settings to connect to the same Wi-Fi networks.

                      • **Ethernet.** Configures authentication for secured, wired Ethernet connections (802.1x). The Windows devices will need these configuration settings to connect to the network.

                      • **VPN.** Specifies the VPN network connections used by devices when not directly connected to your intranet. The Windows devices will need the same VPN network connections for users to remotely connect to your intranet.

                      • **Certificates.** Contains the certificates used for network authentication. The Windows devices will need these certificates to connect to the network.

                        | -|Mobile |These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:
                        • **Device management settings.** Configures settings for mobile (companion) devices, such as device synchronization, password settings, auditing, enable remote wipe, and other settings. Record these settings so that you can ensure the same settings are applied when the devices are being managed by Microsoft Intune or another mobile device management (MDM) provider.
                        • **Device activation.** Contains a list of mobile (companion) devices that need to be approved for management by using the Google Admin Console. Approve or block any devices in this list so that the list of managed devices accurately reflects active managed devices.
                        • **Managed devices.** Performs management tasks on mobile (companion) devices that are managed by the Google Admin Console. Record the list of companion devices on this page so that you can ensure the same devices are managed by Intune or another MDM provider.
                        • **Set Up Apple Push Certificate.** Configures the certificate that is essentially the digital signature that lets the Google Admin Console manage iOS devices. You will need this certificate if you plan to manage iOS devices by using Intune or another MDM provider.
                        • **Set Up Android for Work.** Authorizes the Google Admin Console to be the MDM provider for Android devices by providing an Enterprise Mobility Management (EMM) token. You will need this token if you plan to manage Android devices by using another MDM provider. | -|Chrome management |These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:
                          • **User settings.** Configures user-based settings for the Chrome browser and Chromebook devices. Most of these Chromebook user-based settings can be mapped to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.
                          • **Public session settings.** Configures Public Sessions for Chrome devices that are used as kiosks, loaner devices, shared computers, or for any other work or school-related purpose for which users don't need to sign in with their credentials. You can configure Windows devices similarly by using Assigned Access. Record the settings and apps that are available in Public Sessions so that you can provide similar configuration in Assigned Access.
                          • **Device settings.** Configures device-based settings for the Chrome browser and Chromebook devices. You can map most of these Chromebook device-based settings to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.
                          • **Devices.** Manages Chrome device management licenses. The number of licenses recorded here should correspond to the number of licenses you will need for your new management system, such as Intune. Record the number of licenses and use those to determine how many licenses you will need to manage your Windows devices
                          • **App Management.** Provides configuration settings for Chrome apps. Record the settings for any apps that you have identified that will run on Windows devices. | +|Mobile |These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:
                            • **Device management settings.** Configures settings for mobile (companion) devices, such as device synchronization, password settings, auditing, enable remote wipe, and other settings. Record these settings so that you can ensure the same settings are applied when the devices are being managed by Microsoft Intune or another mobile device management (MDM) provider.
                            • **Device activation.** Contains a list of mobile (companion) devices that need to be approved for management by using the Google Admin Console. Approve or block any devices in this list so that the list of managed devices accurately reflects active managed devices.
                            • **Managed devices.** Performs management tasks on mobile (companion) devices that are managed by the Google Admin Console. Record the list of companion devices on this page so that you can ensure the same devices are managed by Intune or another MDM provider.
                            • **Set Up Apple Push Certificate.** Configures the certificate that is essentially the digital signature that lets the Google Admin Console manage iOS devices. You'll need this certificate if you plan to manage iOS devices by using Intune or another MDM provider.
                            • **Set Up Android for Work.** Authorizes the Google Admin Console to be the MDM provider for Android devices by providing an Enterprise Mobility Management (EMM) token. You'll need this token if you plan to manage Android devices by using another MDM provider. | +|Chrome management |These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:
                              • **User settings.** Configures user-based settings for the Chrome browser and Chromebook devices. Most of these Chromebook user-based settings can be mapped to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.
                              • **Public session settings.** Configures Public Sessions for Chrome devices that are used as kiosks, loaner devices, shared computers, or for any other work or school-related purpose for which users don't need to sign in with their credentials. You can configure Windows devices similarly by using Assigned Access. Record the settings and apps that are available in Public Sessions so that you can provide similar configuration in Assigned Access.
                              • **Device settings.** Configures device-based settings for the Chrome browser and Chromebook devices. You can map most of these Chromebook device-based settings to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.
                              • **Devices.** Manages Chrome device management licenses. The number of licenses recorded here should correspond to the number of licenses you'll need for your new management system, such as Intune. Record the number of licenses and use those to determine how many licenses you'll need to manage your Windows devices
                              • **App Management.** Provides configuration settings for Chrome apps. Record the settings for any apps that you've identified that will run on Windows devices. | -Table 3 lists the settings in the Security node in the Google Admin Console. Review the settings and determine which settings you will migrate to Windows. +Table 3 lists the settings in the Security node in the Google Admin Console. Review the settings and determine which settings you'll migrate to Windows. Table 3. Settings in the Security node in the Google Admin Console @@ -146,11 +146,11 @@ Table 3. Settings in the Security node in the Google Admin Console **Identify locally-configured settings to migrate** -In addition to the settings configured in the Google Admin Console, users may have locally configured their devices based on their own personal preferences (as shown in Figure 2). Table 4 lists the Chromebook user and device settings that you can locally configure. Review the settings and determine which settings you will migrate to Windows. Some of the settings listed in Table 4 can only be seen when you click the **Show advanced settings** link (as shown in Figure 2). +In addition to the settings configured in the Google Admin Console, users may have locally configured their devices based on their own personal preferences (as shown in Figure 2). Table 4 lists the Chromebook user and device settings that you can locally configure. Review the settings and determine which settings you'll migrate to Windows. Some of the settings listed in Table 4 can only be seen when you click the **Show advanced settings** link (as shown in Figure 2). ![figure 2.](images/fig2-locallyconfig.png) -Figure 2. Locally-configured settings on Chromebook +Figure 2. Locally configured settings on Chromebook Table 4. Locally-configured settings @@ -183,32 +183,32 @@ Also, as a part of this planning process, consider settings that may not be curr **Prioritize settings to migrate** -After you have collected all the Chromebook user, app, and device settings that you want to migrate, you need to prioritize each setting. Evaluate each setting and assign a priority to the setting based on the levels of high, medium, and low. +After you've collected all the Chromebook user, app, and device settings that you want to migrate, you need to prioritize each setting. Evaluate each setting and assign a priority to the setting based on the levels of high, medium, and low. -Assign the setting-migration priority based on how critical the setting is to the faculty performing their day-to-day tasks and how the setting affects the curriculum in the classrooms. Focus on the migration of higher priority settings and put less effort into the migration of lower priority settings. There may be some settings that are not necessary at all and can be dropped from your list of settings entirely. Record the setting priority in the list of settings you plan to migrate. +Assign the setting-migration priority based on how critical the setting is to the faculty performing their day-to-day tasks and how the setting affects the curriculum in the classrooms. Focus on the migration of higher priority settings and put less effort into the migration of lower priority settings. There may be some settings that aren't necessary at all and can be dropped from your list of settings entirely. Record the setting priority in the list of settings you plan to migrate. ## Plan for email migration -Many of your users may be using Google Apps Gmail to manage their email, calendars, and contacts. You need to create the list of users you will migrate and the best time to perform the migration. +Many of your users may be using Google Apps Gmail to manage their email, calendars, and contacts. You need to create the list of users you'll migrate and the best time to perform the migration. Office 365 supports automated migration from Google Apps Gmail to Office 365. For more information, see [Migrate Google Apps mailboxes to Office 365](/Exchange/mailbox-migration/migrating-imap-mailboxes/migrate-g-suite-mailboxes). **Identify the list of user mailboxes to migrate** -In regards to creating the list of users you will migrate, it might seem that the answer “all the users” might be the best one. However, depending on the time you select for migration, only a subset of the users may need to be migrated. For example, you may not persist student email accounts between semesters or between academic years. In this case you would only need to migrate faculty and staff. +With regard to creating the list of users you'll migrate, it might seem that the answer “all the users” might be the best one. However, depending on the time you select for migration, only a subset of the users may need to be migrated. For example, you may not persist student email accounts between semesters or between academic years. In this case, you would only need to migrate faculty and staff. -Also, when you perform a migration it is a great time to verify that all user mailboxes are active. In many environments there are a significant number of mailboxes that were provisioned for users that are no longer a part of the institution (such as interns or student assistants). You can eliminate these users from your list of user mailboxes to migrate. +Also, when you perform a migration, it's a great time to verify that all user mailboxes are active. In many environments there are a significant number of mailboxes that were provisioned for users that are no longer a part of the institution (such as interns or student assistants). You can eliminate these users from your list of user mailboxes to migrate. Create your list of user mailboxes to migrate in Excel 2016 based on the format described in step 7 in [Create a list of Gmail mailboxes to migrate](/Exchange/mailbox-migration/migrating-imap-mailboxes/migrate-g-suite-mailboxes). If you follow this format, you can use the Microsoft Excel spreadsheet to perform the actual migration later in the process. **Identify companion devices that access Google Apps Gmail** -In addition to Chromebook devices, users may have companion devices (smartphones, tablets, desktops, laptops, and so on) that also access the Google Apps Gmail mailbox. You will need to identify those companion devices and identify the proper configuration for those devices to access Office 365 mailboxes. +In addition to Chromebook devices, users may have companion devices (smartphones, tablets, desktops, laptops, and so on) that also access the Google Apps Gmail mailbox. You'll need to identify those companion devices and identify the proper configuration for those devices to access Office 365 mailboxes. -After you have identified each companion device, verify the settings for the device that are used to access Office 365. You only need to test one type of each companion device. For example, if users use Android phones to access Google Apps Gmail mailboxes, configure the device to access Office 365 and then record those settings. You can publish those settings on a website or to your helpdesk staff so that users will know how to access their Office 365 mailbox. +After you've identified each companion device, verify the settings for the device that are used to access Office 365. You only need to test one type of each companion device. For example, if users use Android phones to access Google Apps Gmail mailboxes, configure the device to access Office 365 and then record those settings. You can publish those settings on a website or to your helpdesk staff so that users will know how to access their Office 365 mailbox. -In most instances, users will only need to provide in their Office 365 email account and password. However, you should verify this on each type of companion device. For more information about how to configure a companion device to work with Office 365, see [Compare how different mobile devices work with Office 365](https://go.microsoft.com/fwlink/p/?LinkId=690254). +In most instances, users will only need to provide in their Office 365 email account and password. However, you should verify these credentials on each type of companion device. For more information about how to configure a companion device to work with Office 365, see [Compare how different mobile devices work with Office 365](https://go.microsoft.com/fwlink/p/?LinkId=690254). **Identify the optimal timing for the migration** @@ -219,13 +219,13 @@ Ensure that you communicate the time the migration will occur to your users well ## Plan for cloud storage migration -Chromebook devices have limited local storage. So, most of your users will store data in cloud storage, such as Google Drive. You will need to plan how to migrate your cloud storage as a part of the Chromebook migration process. +Chromebook devices have limited local storage. So, most of your users will store data in cloud storage, such as Google Drive. You'll need to plan how to migrate your cloud storage as a part of the Chromebook migration process. -In this section, you will create a list of the existing cloud services, select the Microsoft cloud services that best meet your needs, and then optimize your cloud storage services migration plan. +In this section, you'll create a list of the existing cloud services, select the Microsoft cloud services that best meet your needs, and then optimize your cloud storage services migration plan. **Identify cloud storage services currently in use** -Typically, most Chromebook users use Google Drive for cloud storage services because your educational institution purchased other Google cloud services and Google Drive is a part of those services. However, some users may use cloud storage services from other vendors. For each member of your faculty and staff and for each student, create a list of cloud storage services that includes the following: +Typically, most Chromebook users use Google Drive for cloud storage services because your educational institution purchased other Google cloud services and Google Drive is a part of those services. However, some users may use cloud storage services from other vendors. For each member of your faculty and staff and for each student, create a list of cloud storage services that includes the following details: - Name of the cloud storage service @@ -235,7 +235,7 @@ Typically, most Chromebook users use Google Drive for cloud storage services bec - Approximate storage currently in use per user -Use this information as the requirements for your cloud storage services after you migrate to Windows devices. If at the end of this discovery you determine there is no essential data being stored in cloud storage services that requires migration, then you can skip to the [Plan for cloud services migration](#plan-cloud-services) section. +Use this information as the requirements for your cloud storage services after you migrate to Windows devices. If at the end of this discovery you determine there's no essential data being stored in cloud storage services that requires migration, then you can skip to the [Plan for cloud services migration](#plan-cloud-services) section. **Optimize cloud storage services migration plan** @@ -245,24 +245,24 @@ Consider the following to help optimize your cloud storage services migration pl - **Eliminate inactive user storage.** Before you perform the cloud storage services migration, identify cloud storage that is currently allocated to inactive users. Remove this storage from your list of cloud storage to migrate. -- **Eliminate or archive inactive files.** Review cloud storage to identify files that are inactive (have not been accessed for some period of time). Eliminate or archive these files so that they do not consume cloud storage. +- **Eliminate or archive inactive files.** Review cloud storage to identify files that are inactive (haven't been accessed for some period of time). Eliminate or archive these files so that they don't consume cloud storage. -- **Consolidate cloud storage services.** If multiple cloud storage services are in use, reduce the number of cloud storage services and standardize on one cloud storage service. This will help reduce management complexity, support time, and typically will reduce cloud storage costs. +- **Consolidate cloud storage services.** If multiple cloud storage services are in use, reduce the number of cloud storage services and standardize on one cloud storage service. This standardization will help reduce management complexity, support time, and typically will reduce cloud storage costs. Record your optimization changes in your cloud storage services migration plan. ## Plan for cloud services migration -Many of your users may use cloud services on their Chromebook device, such as Google Apps, Google Drive, or Google Apps Gmail. You have planned for these individual cloud services in the [Plan for app migration or replacement](#plan-app-migrate-replace), [Plan for Google Apps Gmail to Office 365 migration](#plan-email-migrate), and [Plan for cloud storage migration](#plan-cloud-storage-migration) sections. +Many of your users may use cloud services on their Chromebook device, such as Google Apps, Google Drive, or Google Apps Gmail. You've planned for these individual cloud services in the [Plan for app migration or replacement](#plan-app-migrate-replace), [Plan for Google Apps Gmail to Office 365 migration](#plan-email-migrate), and [Plan for cloud storage migration](#plan-cloud-storage-migration) sections. -In this section, you will create a combined list of these cloud services and then select the appropriate strategy to migrate these cloud services. +In this section, you'll create a combined list of these cloud services and then select the appropriate strategy to migrate these cloud services. ### **Identify cloud services currently in use** -You have already identified the individual cloud services that are currently in use in your educational institution in the [Plan for app migration or replacement](#plan-app-migrate-replace), [Plan for Google Apps Gmail to Office 365 migration](#plan-email-migrate), and [Plan for cloud storage migration](#plan-cloud-storage-migration) sections. Create a unified list of these cloud services and record the following about each service: +You've already identified the individual cloud services that are currently in use in your educational institution in the [Plan for app migration or replacement](#plan-app-migrate-replace), [Plan for Google Apps Gmail to Office 365 migration](#plan-email-migrate), and [Plan for cloud storage migration](#plan-cloud-storage-migration) sections. Create a unified list of these cloud services and record the following about each service: - Cloud service name @@ -274,9 +274,9 @@ You have already identified the individual cloud services that are currently in One of the first questions you should ask after you identify the cloud services currently in use is, “Why do we need to migrate from these cloud services?” The answer to this question largely comes down to finances and features. -Here is a list of reasons that describe why you might want to migrate from an existing cloud service to Microsoft cloud services: +Here's a list of reasons that describe why you might want to migrate from an existing cloud service to Microsoft cloud services: -- **Better integration with Office 365.** If your long-term strategy is to migrate to Office 365 apps (such as Word 2016 or Excel 2016) then a migration to Microsoft cloud services will provide better integration with these apps. The use of existing cloud services may not be as intuitive for users. For example, Office 365 apps will integrate better with OneDrive for Business compared to Google Drive. +- **Better integration with Office 365.** If your long-term strategy is to migrate to Office 365 apps (such as Word 2016 or Excel 2016), then a migration to Microsoft cloud services will provide better integration with these apps. The use of existing cloud services may not be as intuitive for users. For example, Office 365 apps will integrate better with OneDrive for Business compared to Google Drive. - **Online apps offer better document compatibility.** Microsoft Office apps (such as Word and Excel for the web) provide the highest level of compatibility with Microsoft Office documents. The Office apps allow you to open and edit documents directly from SharePoint or OneDrive for Business. Users can access the Office app from any device with Internet connectivity. @@ -288,7 +288,7 @@ Review the list of existing cloud services that you created in the [Identify clo **Prioritize cloud services** -After you have created your aggregated list of cloud services currently in use by Chromebook users, prioritize each cloud service. Evaluate each cloud service and assign a priority based on the levels of high, medium, and low. +After you've created your aggregated list of cloud services currently in use by Chromebook users, prioritize each cloud service. Evaluate each cloud service and assign a priority based on the levels of high, medium, and low. Assign the priority based on how critical the cloud service is to the faculty and staff performing their day-to-day tasks and how the cloud service affects the curriculum in the classrooms. Also, make cloud services that are causing pain for the users a higher priority. For example, if users experience outages with a specific cloud service, then make migration of that cloud service a higher priority. @@ -298,48 +298,48 @@ Focus on the migration of higher priority cloud services first and put less effo **Select cloud services migration strategy** -When you deploy the Windows devices, should you migrate the faculty, staff, and students to the new cloud services? Perhaps. But, in most instances you will want to select a migration strategy that introduces a number of small changes over a period of time. +When you deploy the Windows devices, should you migrate the faculty, staff, and students to the new cloud services? Perhaps. But, in most instances you'll want to select a migration strategy that introduces many small changes over a period of time. Consider the following when you create your cloud services migration strategy: - **Introduce small changes.** The move from Chrome OS to Windows will be simple for most users as most will have exposure to Windows from home, friends, or family. However, users may not be as familiar with the apps or cloud services. Consider the move to Windows first, and then make other changes as time progresses. -- **Start off by using existing apps and cloud services.** Immediately after the migration to Windows devices, you may want to consider running the existing apps and cloud services (such Google Apps, Google Apps Gmail, and Google Drive). This gives users a familiar method to perform their day-to-day tasks. +- **Start off by using existing apps and cloud services.** Immediately after the migration to Windows devices, you may want to consider running the existing apps and cloud services (such Google Apps, Google Apps Gmail, and Google Drive). This option gives users a familiar method to perform their day-to-day tasks. -- **Resolve pain points.** If some existing apps or cloud services cause problems, you may want to migrate them sooner rather than later. In most instances, users will be happy to go through the learning curve of a new app or cloud service if it is more reliable or intuitive for them to use. +- **Resolve pain points.** If some existing apps or cloud services cause problems, you may want to migrate them sooner rather than later. In most instances, users will be happy to go through the learning curve of a new app or cloud service if it's more reliable or intuitive for them to use. - **Migrate classrooms or users with common curriculum.** Migrate to Windows devices for an entire classroom or for multiple classrooms that share common curriculum. You must ensure that the necessary apps and cloud services are available for the curriculum prior to the migration of one or more classrooms. -- **Migrate when the fewest number of active users are affected.** Migrate your cloud services at the end of an academic year or end of a semester. This will ensure you have minimal impact on faculty, staff, and students. Also, a migration during this time will minimize the learning curve for users as they are probably dealing with new curriculum for the next semester. Also, you may not need to migrate student apps and data because many educational institutions do not preserve data between semesters or academic years. +- **Migrate when the fewest number of active users are affected.** Migrate your cloud services at the end of an academic year or end of a semester. This migration will ensure you've minimal impact on faculty, staff, and students. Also, a migration during this time will minimize the learning curve for users as they're probably dealing with new curriculum for the next semester. Also, you may not need to migrate student apps and data because many educational institutions don't preserve data between semesters or academic years. -- **Overlap existing and new cloud services.** For faculty and staff, consider overlapping the existing and new cloud services (having both services available) for one business cycle (end of semester or academic year) after migration. This allows you to easily recover any data that might not have migrated successfully from the existing cloud services. At a minimum, overlap the user of existing and new cloud services until the user can verify the migration. Of course, the tradeoff for using this strategy is the cost of the existing cloud services. However, depending on when license renewal occurs, the cost may be minimal. +- **Overlap existing and new cloud services.** For faculty and staff, consider overlapping the existing and new cloud services (having both services available) for one business cycle (end of semester or academic year) after migration. This overlap operation allows you to easily recover any data that might not have migrated successfully from the existing cloud services. At a minimum, overlap the user of existing and new cloud services until the user can verify the migration. The tradeoff for using this strategy is the cost of the existing cloud services. However, depending on when license renewal occurs, the cost may be minimal. ## Plan for Windows device deployment You need to plan for Windows device deployment to help ensure that the devices are successfully installed and configured to replace the Chromebook devices. Even if the vendor that provides the devices pre-loads Windows 10 on them, you still will need to perform other tasks. -In this section you will select a Windows device deployment strategy; plan for Active Directory Domain Services (AD DS) and Azure AD services; plan for device, user, and app management; and plan for any necessary network infrastructure remediation. +In this section, you'll select a Windows device deployment strategy; plan for Active Directory Domain Services (AD DS) and Azure AD services; plan for device, user, and app management; and plan for any necessary network infrastructure remediation. ### **Select a Windows device deployment strategy** -What decisions need to be made about Windows device deployment? You just put the device on a desk, hook up power, connect to Wi-Fi, and then let the users operate the device, right? That is essentially correct, but depending on the extent of your deployment and other factors, you need to consider different deployment strategies. +What decisions need to be made about Windows device deployment? You just put the device on a desk, hook up power, connect to Wi-Fi, and then let the users operate the device, right? That approach is correct, but depending on the extent of your deployment and other factors, you need to consider different deployment strategies. For each classroom that has Chromebook devices, select a combination of the following device deployment strategies: -- **Deploy one classroom at a time.** In most cases you will want to perform your deployment in batches of devices and a classroom is an excellent way to batch devices. You can treat each classroom as a unit and check each classroom off your list after you have deployed the devices. +- **Deploy one classroom at a time.** In most cases, you'll want to perform your deployment in batches of devices and a classroom is an excellent way to batch devices. You can treat each classroom as a unit and check each classroom off your list after you've deployed the devices. -- **Deploy based on curriculum.** Deploy the Windows devices after you have confirmed that the curriculum is ready for the Windows devices. If you deploy Windows devices without the curriculum installed and tested, you could significantly reduce the ability for students and teachers to perform effectively in the classroom. Also, deployment based on curriculum has the advantage of letting you move from classroom to classroom quickly if multiple classrooms use the same curriculum. +- **Deploy based on curriculum.** Deploy the Windows devices after you've confirmed that the curriculum is ready for the Windows devices. If you deploy Windows devices without the curriculum installed and tested, you could significantly reduce the ability for students and teachers to perform effectively in the classroom. Also, deployment based on curriculum has the advantage of letting you move from classroom to classroom quickly if multiple classrooms use the same curriculum. -- **Deploy side-by-side.** In some instances you may need to have both the Chromebook and Windows devices in one or more classrooms. You can use this strategy if some of the curriculum only works on Chromebook and other parts of the curriculum works on Windows devices. This is a good method to help prevent delays in Windows device deployment, while ensuring that students and teachers can make optimal use of technology in their curriculum. +- **Deploy side-by-side.** In some instances, you may need to have both the Chromebook and Windows devices in one or more classrooms. You can use this strategy if some of the curriculum only works on Chromebook and other parts of the curriculum works on Windows devices. This method helps prevent delays in Windows device deployment, while ensuring that students and teachers can make optimal use of technology in their curriculum. -- **Deploy after apps and cloud services migration.** If you deploy a Windows device without the necessary apps and cloud services to support the curriculum, this provides only a portion of your complete solution. Ensure that the apps and cloud services are tested, provisioned, and ready for use prior to the deployment of Windows devices. +- **Deploy after apps and cloud services migration.** If you deploy a Windows device without the necessary apps and cloud services to support the curriculum, this arrangement provides only a portion of your complete solution. Ensure that the apps and cloud services are tested, provisioned, and ready for use prior to the deployment of Windows devices. -- **Deploy after the migration of user and device settings.** Ensure that you have identified the user and device settings that you plan to migrate and that those settings are ready to be applied to the new Windows devices. For example, you would want to create Group Policy Objects (GPOs) to apply the user and device settings to Windows devices. +- **Deploy after the migration of user and device settings.** Ensure that you've identified the user and device settings that you plan to migrate and that those settings are ready to be applied to the new Windows devices. For example, you would want to create Group Policy Objects (GPOs) to apply the user and device settings to Windows devices. - If you ensure that Windows devices closely mirror the Chromebook device configuration, you will ease user learning curve and create a sense of familiarity. Also, when you have the settings ready to be applied to the devices, it helps ensure you will deploy your new Windows devices in a secure configuration. + If you ensure that Windows devices closely mirror the Chromebook device configuration, you'll ease user learning curve and create a sense of familiarity. Also, when you've the settings ready to be applied to the devices, it helps ensure you'll deploy your new Windows devices in a secure configuration. Record the combination of Windows device deployment strategies that you selected. @@ -347,7 +347,7 @@ Record the combination of Windows device deployment strategies that you selected **Plan for AD DS and Azure AD services** -The next decision you will need to make concerns AD DS and Azure AD services. You can run AD DS on-premises, in the cloud by using Azure AD, or a combination of both (hybrid). The decision about which of these options is best is closely tied to how you will manage your users, apps, and devices and if you will use Office 365 and other Azure-based cloud services. +The next decision you'll need to make concerns AD DS and Azure AD services. You can run AD DS on-premises, in the cloud by using Azure AD, or a combination of both (hybrid). The decision about which of these options is best is closely tied to how you'll manage your users, apps, and devices and if you'll use Office 365 and other Azure-based cloud services. In the hybrid configuration, your on-premises AD DS user and group objects are synchronized with Azure AD (including passwords). The synchronization happens both directions so that changes are made in both your on-premises AD DS and Azure AD. @@ -362,13 +362,13 @@ Table 5. Select on-premises AD DS, Azure AD, or hybrid |Use Microsoft Endpoint Manager for management|✔️||✔️| |Use Group Policy for management|✔️||✔️| |Have devices that are domain-joined|✔️||✔️| -|Allow faculty and students to Bring Your Own Device (BYOD) which are not domain-joined||✔️|✔️| +|Allow faculty and students to Bring Your Own Device (BYOD) which aren't domain-joined||✔️|✔️| ### **Plan device, user, and app management** -You may ask the question, “Why plan for device, user, and app management before you deploy the device?” The answer is that you will only deploy the device once, but you will manage the device throughout the remainder of the device's lifecycle. +You may ask the question, “Why plan for device, user, and app management before you deploy the device?” The answer is that you'll only deploy the device once, but you'll manage the device throughout the remainder of the device's lifecycle. Also, planning management before deployment is essential to being ready to support the devices as you deploy them. You want to have your management processes and technology in place when the first teachers, facility, or students start using their new Windows device. @@ -384,11 +384,11 @@ Table 6. Device, user, and app management products and technologies |Deploy software updates during operating system deployment|||✔️||✔️|| |Deploy software updates after operating system deployment|✔️|✔️|✔️|✔️||✔️| |Support devices that are domain-joined|✔️|✔️|✔️|✔️|✔️|| -|Support devices that are not domain-joined|✔️|||✔️|✔️|| +|Support devices that aren't domain-joined|✔️|||✔️|✔️|| |Use on-premises resources|✔️|✔️|✔️||✔️|| |Use cloud-based services||||✔️||| -You can use Configuration Manager and Intune in conjunction with each other to provide features from both products and technologies. In some instances you may need only one of these products or technologies. In other instances, you may need two or more to meet the device, user, and app management needs for your institution. +You can use Configuration Manager and Intune with each other to provide features from both products and technologies. In some instances, you may need only one of these products or technologies. In other instances, you may need two or more to meet the device, user, and app management needs for your institution. Record the device, user, and app management products and technologies that you selected. @@ -402,7 +402,7 @@ Examine each of the following network infrastructure technologies and services a - **Domain Name System (DNS)** provides translation between a device name and its associated IP address. For Chromebook devices, public facing, Internet DNS services are the most important. For Windows devices that only access the Internet, they have the same requirements. - However, if you intend to communicate between Windows devices (peer-to-peer or client/server) then you will need local DNS services. Windows devices will register their name and IP address with the local DNS services so that Windows devices can locate each other. + However, if you intend to communicate between Windows devices (peer-to-peer or client/server) then you'll need local DNS services. Windows devices will register their name and IP address with the local DNS services so that Windows devices can locate each other. - **Dynamic Host Configuration Protocol (DHCP)** provides automatic IP configuration for devices. Your existing Chromebook devices probably use DHCP for configuration. If you plan to immediately replace the Chromebook devices with Windows devices, then you only need to release all the DHCP reservations for the Chromebook devices prior to the deployment of Windows devices. @@ -412,7 +412,7 @@ Examine each of the following network infrastructure technologies and services a If you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side-by-side, then you need to ensure that Wi-Fi network can support the number of devices. -- **Internet bandwidth.** Chromebook devices consume more Internet bandwidth (up to 700 times more) than Windows devices. This means that if your existing Internet bandwidth is adequate for the Chromebook devices, then the bandwidth will be more than adequate for Windows devices. +- **Internet bandwidth.** Chromebook devices consume more Internet bandwidth (up to 700 times more) than Windows devices. This consumption behavior means that if your existing Internet bandwidth is adequate for the Chromebook devices, then the bandwidth will be more than adequate for Windows devices. However, if you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side-by-side, then you need to ensure that your Internet connection can support the number of devices. @@ -424,7 +424,7 @@ Examine each of the following network infrastructure technologies and services a - [Microsoft Windows 8.1 Notebook vs. Chromebooks for Education](https://go.microsoft.com/fwlink/p/?LinkId=690257) -- **Power.** Although not specifically a network infrastructure, you need to ensure your classrooms have adequate power. Chromebook and Windows devices should consume similar amounts of power. This means that your existing power outlets should support the same number of Windows devices. +- **Power.** Although not specifically a network infrastructure, you need to ensure your classrooms have adequate power. Chromebook and Windows devices should consume similar amounts of power. This condition means that your existing power outlets should support the same number of Windows devices. If you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side-by-side, you need to ensure that the power outlets, power strips, and other power management components can support the number of devices. @@ -433,9 +433,9 @@ At the end of this process, you may determine that no network infrastructure rem ## Perform Chromebook migration -Thus far, planning has been the primary focus. Believe it or not most of the work is now done. The rest of the Chromebook migration is just the implementation of the plan you have created. +Thus far, planning has been the primary focus. Believe it or not most of the work is now done. The rest of the Chromebook migration is just the implementation of the plan you've created. -In this section you will perform the necessary steps for the Chromebook device migration. You will perform the migration based on the planning decision that you made in the [Plan Chromebook migration](#plan-migration) section earlier in this guide. +In this section, you'll perform the necessary steps for the Chromebook device migration. You'll perform the migration based on the planning decision that you made in the [Plan Chromebook migration](#plan-migration) section earlier in this guide. You must perform some of the steps in this section in a specific sequence. Each section has guidance about when to perform a step. You can perform other steps before, during, or after the migration. Again, each section will tell you if the sequence is important. @@ -444,7 +444,7 @@ You must perform some of the steps in this section in a specific sequence. Each The first migration task is to perform any network infrastructure remediation. In the [Plan network infrastructure remediation](#plan-network-infra-remediation) section, you determined the network infrastructure remediation (if any) that you needed to perform. -It is important that you perform any network infrastructure remediation first because the remaining migration steps are dependent on the network infrastructure. Table 7 lists the Microsoft network infrastructure products and technologies and deployment resources for each. +It's important that you perform any network infrastructure remediation first because the remaining migration steps are dependent on the network infrastructure. Table 7 lists the Microsoft network infrastructure products and technologies and deployment resources for each. Table 7. Network infrastructure products and technologies and deployment resources @@ -459,7 +459,7 @@ If you use network infrastructure products and technologies from other vendors, ## Perform AD DS and Azure AD services deployment or remediation -It is important that you perform AD DS and Azure AD services deployment or remediation right after you finish network infrastructure remediation. Many of the remaining migration steps are dependent on you having your identity system (AD DS or Azure AD) in place and up to necessary expectations. +It's important that you perform AD DS and Azure AD services deployment or remediation right after you finish network infrastructure remediation. Many of the remaining migration steps are dependent on you having your identity system (AD DS or Azure AD) in place and up to necessary expectations. In the [Plan for Active Directory services](#plan-adservices) section, you determined the AD DS and/or Azure AD deployment or remediation (if any) that needed to be performed. Table 8 list AD DS, Azure AD, and the deployment resources for both. Use the resources in this table to deploy or remediate on-premises AD DS, Azure AD, or both. @@ -475,7 +475,7 @@ If you decided not to migrate to AD DS or Azure AD as a part of the migration, o ## Prepare device, user, and app management systems -In the [Plan device, user, and app management](#plan-userdevapp-manage) section of this guide, you selected the products and technologies that you will use to manage devices, users, and apps on Windows devices. You need to prepare your management systems prior to Windows 10 device deployment. You will use these management systems to manage the user and device settings that you selected to migrate in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section. You need to prepare these systems prior to the migration of user and device settings. +In the [Plan device, user, and app management](#plan-userdevapp-manage) section of this guide, you selected the products and technologies that you'll use to manage devices, users, and apps on Windows devices. You need to prepare your management systems prior to Windows 10 device deployment. You'll use these management systems to manage the user and device settings that you selected to migrate in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section. You need to prepare these systems prior to the migration of user and device settings. Table 9 lists the Microsoft management systems and the deployment resources for each. Use the resources in this table to prepare (deploy or remediate) these management systems. @@ -547,7 +547,7 @@ Alternatively, if you want to migrate to Office 365 from: ## Perform cloud storage migration -In the [Plan for cloud storage migration](#plan-cloud-storage-migration) section, you identified the cloud storage services currently in use, selected the Microsoft cloud storage services that you will use, and optimized your cloud storage services migration plan. You can perform the cloud storage migration before or after you deploy the Windows devices. +In the [Plan for cloud storage migration](#plan-cloud-storage-migration) section, you identified the cloud storage services currently in use, selected the Microsoft cloud storage services that you'll use, and optimized your cloud storage services migration plan. You can perform the cloud storage migration before or after you deploy the Windows devices. Manually migrate the cloud storage migration by using the following steps: @@ -561,7 +561,7 @@ Manually migrate the cloud storage migration by using the following steps: 5. Optionally uninstall the Google Drive app. -There are also a number of software vendors who provide software that helps automate the migration from Google Drive to OneDrive for Business, Office 365 SharePoint, or OneDrive. For more information about these automated migration tools, contact the vendors. +There are also many software vendors who provide software that helps automate the migration from Google Drive to OneDrive for Business, Office 365 SharePoint, or OneDrive. For more information about these automated migration tools, contact the vendors. ## Perform cloud services migration @@ -570,7 +570,7 @@ In the [Plan for cloud services migration](#plan-cloud-services)section, you ide Migrate the cloud services that you currently use to the Microsoft cloud services that you selected. For example, you could migrate from a collaboration website to Office 365 SharePoint. Perform the cloud services migration based on the existing cloud services and the Microsoft cloud services that you selected. -There are also a number of software vendors who provide software that helps automate the migration from other cloud services to Microsoft cloud services. For more information about these automated migration tools, contact the vendors. +There are also many software vendors who provide software that helps automate the migration from other cloud services to Microsoft cloud services. For more information about these automated migration tools, contact the vendors. ## Perform Windows device deployment diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md index 27b3806af5..6d0c2694a5 100644 --- a/education/windows/configure-windows-for-education.md +++ b/education/windows/configure-windows-for-education.md @@ -1,6 +1,6 @@ --- title: Windows 10 configuration recommendations for education customers -description: Provides guidance on ways to configure the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, so that Windows is ready for your school. +description: Provides guidance on ways to configure the OS diagnostic data, consumer experiences, Cortana, search, and some of the preinstalled apps, so that Windows is ready for your school. keywords: Windows 10 deployment, recommendations, privacy settings, school, education, configurations, accessibility, assistive technology ms.mktglfcycl: plan ms.sitesec: library @@ -20,24 +20,24 @@ manager: dansimp - Windows 10 -Privacy is important to us, we want to provide you with ways to customize the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, for usage with [education editions of Windows 10](windows-editions-for-education-customers.md) in education environments. These features work on all Windows 10 editions, but education editions of Windows 10 have the settings preconfigured. We recommend that all Windows 10 devices in an education setting be configured with **[SetEduPolicies](#setedupolicies)** enabled. See the following table for more information. To learn more about Microsoft's commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305). +Privacy is important to us, we want to provide you with ways to customize the OS diagnostic data, consumer experiences, Cortana, search, and some of the preinstalled apps, for usage with [education editions of Windows 10](windows-editions-for-education-customers.md) in education environments. These features work on all Windows 10 editions, but education editions of Windows 10 have the settings preconfigured. We recommend that all Windows 10 devices in an education setting be configured with **[SetEduPolicies](#setedupolicies)** enabled. For more information, see the following table. To learn more about Microsoft's commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305). -We want all students to have the chance to use the apps they need for success in the classroom and all school personnel to have apps they need for their job. Students and school personnel who use assistive technology apps not available in the Microsoft Store for Education, and use devices running Windows 10 S, will be able to configure the device at no additional charge to Windows 10 Pro Education. To learn more about the steps to configure this, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md). +We want all students to have the chance to use the apps they need for success in the classroom and all school personnel to have apps they need for their job. Students and school personnel who use assistive technology apps not available in the Microsoft Store for Education, and use devices running Windows 10 S, will be able to configure the device at no extra charge to Windows 10 Pro Education. To learn more about the steps to configure this device, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md). -In Windows 10, version 1703 (Creators Update), it is straightforward to configure Windows to be education ready. +In Windows 10, version 1703 (Creators Update), it's straightforward to configure Windows to be education ready. -| Area | How to configure | What this does | Windows 10 Education | Windows 10 Pro Education | Windows 10 S | +| Area | How to configure | What this area does | Windows 10 Education | Windows 10 Pro Education | Windows 10 S | | --- | --- | --- | --- | --- | --- | -| **Diagnostic Data** | **AllowTelemetry** | Sets Diagnostic Data to [Basic](/windows/configuration/configure-windows-telemetry-in-your-organization) | This is already set | This is already set | The policy must be set | -| **Microsoft consumer experiences** | **SetEduPolicies** | Disables suggested content from Windows such as app recommendations | This is already set | This is already set | The policy must be set | +| **Diagnostic Data** | **AllowTelemetry** | Sets Diagnostic Data to [Basic](/windows/configuration/configure-windows-telemetry-in-your-organization) | This feature is already set | This feature is already set | The policy must be set | +| **Microsoft consumer experiences** | **SetEduPolicies** | Disables suggested content from Windows such as app recommendations | This feature is already set | This feature is already set | The policy must be set | | **Cortana** | **AllowCortana** | Disables Cortana

                                * Cortana is enabled by default on all editions in Windows 10, version 1703 | If using Windows 10 Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana.

                                See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | If using Windows 10 Pro Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana.

                                See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | -| **Safe search** | **SetEduPolicies** | Locks Bing safe search to Strict in Microsoft Edge | This is already set | This is already set | The policy must be set | +| **Safe search** | **SetEduPolicies** | Locks Bing safe search to Strict in Microsoft Edge | This feature is already set | This feature is already set | The policy must be set | | **Bing search advertising** | Ad free search with Bing | Disables ads when searching the internet with Bing in Microsoft Edge. See [Ad-free search with Bing](#ad-free-search-with-bing | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | -| **Apps** | **SetEduPolicies** | Preinstalled apps like Microsoft Edge, Movies & TV, Groove, and Skype become education ready

                                * Any app can detect Windows is running in an education ready configuration through [IsEducationEnvironment](/uwp/api/windows.system.profile.educationsettings) | This is already set | This is already set | The policy must be set | +| **Apps** | **SetEduPolicies** | Preinstalled apps like Microsoft Edge, Movies & TV, Groove, and Skype become education ready

                                * Any app can detect Windows is running in an education ready configuration through [IsEducationEnvironment](/uwp/api/windows.system.profile.educationsettings) | This feature is already set | This feature is already set | The policy must be set | ## Recommended configuration -It is easy to be education ready when using Microsoft products. We recommend the following configuration: +It's easy to be education ready when using Microsoft products. We recommend the following configuration: 1. Use an Office 365 Education tenant. @@ -49,15 +49,15 @@ It is easy to be education ready when using Microsoft products. We recommend the 3. On PCs running Windows 10, version 1703: 1. Provision the PC using one of these methods: - * [Provision PCs with the Set up School PCs app](use-set-up-school-pcs-app.md) - This will automatically set both **SetEduPolicies** to True and **AllowCortana** to False. + * [Provision PCs with the Set up School PCs app](use-set-up-school-pcs-app.md) - The usage of this method will automatically set both **SetEduPolicies** to True and **AllowCortana** to False. * [Provision PCs with a custom package created with Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) - Make sure to set both **SetEduPolicies** to True and **AllowCortana** to False. 2. Join the PC to Azure Active Directory. * Use Set up School PCs or Windows Configuration Designer to bulk enroll to Azure AD. * Manually Azure AD join the PC during the Windows device setup experience. 3. Enroll the PCs in MDM. - * If you have activated Intune for Education in your Azure AD tenant, enrollment will happen automatically when the PC is joined to Azure AD. Intune for Education will automatically set **SetEduPolicies** to True and **AllowCortana** to False. + * If you've activated Intune for Education in your Azure AD tenant, enrollment will happen automatically when the PC is joined to Azure AD. Intune for Education will automatically set **SetEduPolicies** to True and **AllowCortana** to False. 4. Ensure that needed assistive technology apps can be used. - * If you have students or school personnel who rely on assistive technology apps that are not available in the Microsoft Store for Education, and who are using a Windows 10 S device, configure their device to Windows 10 Pro Education to allow the download and use of non-Microsoft Store assistive technology apps. See [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) for more info. + * If you've students or school personnel who rely on assistive technology apps that aren't available in the Microsoft Store for Education, and who are using a Windows 10 S device, configure their device to Windows 10 Pro Education to allow the download and use of non-Microsoft Store assistive technology apps. See [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) for more info. 4. Distribute the PCs to students. @@ -77,7 +77,7 @@ You can set all the education compliance areas through both provisioning and man - [Intune for Education](/intune-education/available-settings) ## AllowCortana -**AllowCortana** is a policy that enables or disables Cortana. It is a policy node in the Policy configuration service provider, [AllowCortana](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcortana). +**AllowCortana** is a policy that enables or disables Cortana. It's a policy node in the Policy configuration service provider, [AllowCortana](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcortana). > [!NOTE] > See the [Recommended configuration](#recommended-configuration) section for recommended Cortana settings. @@ -109,7 +109,7 @@ Set **Computer Configuration > Administrative Templates > Windows Components > S ![Set AllowCortana to No in Windows Configuration Designer.](images/allowcortana_wcd.png) ## SetEduPolicies -**SetEduPolicies** is a policy that applies a set of configuration behaviors to Windows. It is a policy node in the [SharedPC configuration service provider](/windows/client-management/mdm/sharedpc-csp). +**SetEduPolicies** is a policy that applies a set of configuration behaviors to Windows. It's a policy node in the [SharedPC configuration service provider](/windows/client-management/mdm/sharedpc-csp). Use one of these methods to set this policy. @@ -126,7 +126,7 @@ Use one of these methods to set this policy. ![Create an OMA URI for SetEduPolices.](images/setedupolicies_omauri.png) ### Group Policy -**SetEduPolicies** is not natively supported in Group Policy. Instead, use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to set the policy in [MDM SharedPC](/windows/win32/dmwmibridgeprov/mdm-sharedpc). +**SetEduPolicies** isn't natively supported in Group Policy. Instead, use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to set the policy in [MDM SharedPC](/windows/win32/dmwmibridgeprov/mdm-sharedpc). For example: @@ -158,7 +158,7 @@ Provide an ad-free experience that is a safer, more private search option for K To suppress ads when searching with Bing on Microsoft Edge on any network, follow these steps: 1. Ensure your Office 365 tenant is registered as an education tenant. For more information, see [Verify your Office 365 domain to prove education status](https://support.office.com/article/Verify-your-Office-365-domain-to-prove-ownership-nonprofit-or-education-status-or-to-activate-Yammer-87d1844e-aa47-4dc0-a61b-1b773fd4e590). -2. Domain join the Windows 10 PCs to your Azure AD tenant (this is the same as your Office 365 tenant). +2. Domain join the Windows 10 PCs to your Azure AD tenant (this tenant is the same as your Office 365 tenant). 3. Configure **SetEduPolicies** according to one of the methods described in the previous sections in this topic. 4. Have students sign in with their Azure AD identity, which is the same as your Office 365 identity, to use the PC. > [!NOTE] diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md index 2c43aa28c6..fe3ad12137 100644 --- a/education/windows/deploy-windows-10-in-a-school-district.md +++ b/education/windows/deploy-windows-10-in-a-school-district.md @@ -20,11 +20,11 @@ manager: dansimp - Windows 10 -This guide shows you how to deploy the Windows 10 operating system in a school district. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Endpoint Configuration Manager, Microsoft Intune, and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you will perform after initial deployment and the automated tools and built-in features of the operating system. +This guide shows you how to deploy the Windows 10 operating system in a school district. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Endpoint Configuration Manager, Microsoft Intune, and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you'll perform after initial deployment and the automated tools and built-in features of the operating system. ## Prepare for district deployment -Proper preparation is essential for a successful district deployment. To avoid common mistakes, your first step is to plan a typical district configuration. As with building a house, you need a blueprint for what your district and individual schools should look like when it’s finished. The second step in preparation is to learn how you will manage the users, apps, and devices in your district. Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your district. +Proper preparation is essential for a successful district deployment. To avoid common mistakes, your first step is to plan a typical district configuration. As with building a house, you need a blueprint for what your district and individual schools should look like when it’s finished. The second step in preparation is to learn how you'll manage the users, apps, and devices in your district. Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your district. > [!NOTE] > This guide focuses on Windows 10 deployment and management in a district. For management of other devices and operating systems in education environments, see [Manage BYOD and corporate-owned devices with MDM solutions](https://www.microsoft.com/cloud-platform/mobile-device-management). @@ -81,7 +81,7 @@ This district configuration has the following characteristics: * The devices use Azure AD in Office 365 Education for identity management. -* If you have on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](/azure/active-directory/hybrid/whatis-hybrid-identity). +* If you've on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](/azure/active-directory/hybrid/whatis-hybrid-identity). * Use [Intune](/intune/), [Mobile Device Management for Office 365](/microsoft-365/admin/basic-mobility-security/set-up), or [Group Policy in AD DS](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725828(v=ws.10)) to manage devices. @@ -132,9 +132,9 @@ For more information about Office 365 Education features and an FAQ, go to [Offi ### How to configure a district -Now that you have the plan (blueprint) for your district and individual schools and classrooms, you’re ready to learn about the tools you will use to deploy it. There are many tools you could use to accomplish the task, but this guide focuses on using those tools that require the least infrastructure and technical knowledge. +Now that you've the plan (blueprint) for your district and individual schools and classrooms, you’re ready to learn about the tools you'll use to deploy it. There are many tools you could use to accomplish the task, but this guide focuses on using those tools that require the least infrastructure and technical knowledge. -The primary tool you will use to deploy Windows 10 in your school is MDT, which uses Windows ADK components to make deployment easier. You could just use the Windows ADK to perform your deployment, but MDT simplifies the process by providing an intuitive, wizard-driven user interface (UI). +The primary tool you'll use to deploy Windows 10 in your school is MDT, which uses Windows ADK components to make deployment easier. You could just use the Windows ADK to perform your deployment, but MDT simplifies the process by providing an intuitive, wizard-driven user interface (UI). You can use MDT as a stand-alone tool or integrate it with Microsoft Endpoint Configuration Manager. As a stand-alone tool, MDT performs Lite Touch Installation (LTI) deployments—deployments that require minimal infrastructure and allow you to control the level of automation. When integrated with Configuration Manager, MDT performs Zero Touch Installation (ZTI) deployments, which require more infrastructure (such as Configuration Manager) but result in fully automated deployments. @@ -142,7 +142,7 @@ This guide focuses on LTI deployments to deploy the reference device. You can us MDT includes the Deployment Workbench, a console from which you can manage the deployment of Windows 10 and your apps. You configure the deployment process in the Deployment Workbench, including the management of operating systems, device drivers, apps, and migration of user settings on existing devices. -LTI performs deployment from a *deployment share* — a network-shared folder on the device on which you installed MDT. You can perform over-the-network deployments from the deployment share or perform deployments from a local copy of the deployment share on a USB drive or DVD. You will learn more about MDT in [Prepare the admin device](#prepare-the-admin-device), earlier in this article. +LTI performs deployment from a *deployment share* — a network-shared folder on the device on which you installed MDT. You can perform over-the-network deployments from the deployment share or perform deployments from a local copy of the deployment share on a USB drive or DVD. You'll learn more about MDT in [Prepare the admin device](#prepare-the-admin-device), earlier in this article. The focus of MDT is deployment, so you also need tools that help you manage your Windows 10 devices and apps. You can manage Windows 10 devices and apps with Intune, the Compliance Management feature in Office 365, or Group Policy in AD DS. You can use any combination of these tools based on your school requirements. @@ -150,23 +150,23 @@ ZTI performs fully automated deployments using Configuration Manager and MDT. Al The configuration process requires the following devices: -* **Admin device.** This is the device you use for your day-to-day job functions. It’s also the one you use to create and manage the Windows 10 and app deployment process. You install the Windows ADK, MDT, and the Configuration Manager Console on this device. +* **Admin device.** This device is the one you use for your day-to-day job functions. It’s also the one you use to create and manage the Windows 10 and app deployment process. You install the Windows ADK, MDT, and the Configuration Manager Console on this device. -* **Reference devices.** These are the devices that you will use as a template for the faculty and student devices. You install Windows 10 and Windows desktop apps on these devices, and then capture an image (.wim file) of the devices. +* **Reference devices.** These devices are the ones that you'll use as a template for the faculty and student devices. You install Windows 10 and Windows desktop apps on these devices, and then capture an image (.wim file) of the devices. - You will have a reference device for each type of device in your district. For example, if your district has Surface, HP Stream, Dell Inspiron, and Lenovo Yoga devices, then you would have a reference device for each model. For more information about approved Windows 10 devices, see [Explore devices](https://www.microsoft.com/windows/view-all). + You'll have a reference device for each type of device in your district. For example, if your district has Surface, HP Stream, Dell Inspiron, and Lenovo Yoga devices, then you would have a reference device for each model. For more information about approved Windows 10 devices, see [Explore devices](https://www.microsoft.com/windows/view-all). -* **Faculty and staff devices.** These are the devices that the teachers, faculty, and staff use for their day-to-day job functions. You use the admin device to deploy (or upgrade) Windows 10 and apps to these devices. +* **Faculty and staff devices.** These devices are the ones that the teachers, faculty, and staff use for their day-to-day job functions. You use the admin device to deploy (or upgrade) Windows 10 and apps to these devices. -* **Student devices.** The students will use these devices. You will use the admin device deploy (or upgrade) Windows 10 and apps to them. +* **Student devices.** The students will use these devices. You'll use the admin device deploy (or upgrade) Windows 10 and apps to them. The high-level process for deploying and configuring devices within individual classrooms, individual schools, and the district as a whole is as follows and illustrated in Figure 4: 1. Prepare the admin device for use, which includes installing the Windows ADK, MDT, and the Configuration Manager console. -2. On the admin device, create and configure the Office 365 Education subscription that you will use for the district’s classrooms. +2. On the admin device, create and configure the Office 365 Education subscription that you'll use for the district’s classrooms. -3. On the admin device, configure integration between on-premises AD DS and Azure AD (if you have an on premises AD DS configuration). +3. On the admin device, configure integration between on-premises AD DS and Azure AD (if you've an on premises AD DS configuration). 4. On the admin device, create and configure a Microsoft Store for Business portal. @@ -217,7 +217,7 @@ Some constraints exist in these scenarios. As you select the deployment and mana * You can use Group Policy or Intune to manage configuration settings on a device but not both. * You can use Microsoft Endpoint Manager or Intune to manage apps and updates on a device but not both. -* You cannot manage multiple users on a device with Intune if the device is AD DS domain joined. +* You can't manage multiple users on a device with Intune if the device is AD DS domain joined. Use the cloud-centric scenario and on-premises and cloud scenario as a guide for your district. You may need to customize these scenarios, however, based on your district. As you go through the [Select the deployment methods](#select-the-deployment-methods), [Select the configuration setting management methods](#select-the-configuration-setting-management-methods), and the [Select the app and update management products](#select-the-app-and-update-management-products) sections, remember these scenarios and use them as the basis for your district. @@ -227,8 +227,8 @@ To deploy Windows 10 and your apps, you can use MDT by itself or Microsoft Endpo |Method|Description| |--- |--- | -|MDT|MDT is an on-premises solution that supports initial operating system deployment and upgrade. You can use MDT to deploy and upgrade Windows 10. In addition, you can initially deploy Windows desktop and Microsoft Store apps and software updates.
                                Select this method when you:
                              • Want to deploy Windows 10 to institution-owned and personal devices. (Devices need not be domain joined.)
                              • Don’t have an existing AD DS infrastructure.
                              • Need to manage devices regardless of where they are (on or off premises).
                                The advantages of this method are that:
                              • You can deploy Windows 10 operating systems
                              • You can manage device drivers during initial deployment.
                              • You can deploy Windows desktop apps (during initial deployment)
                              • It doesn’t require an AD DS infrastructure.
                              • It doesn’t have additional infrastructure requirements.
                              • MDT doesn’t incur additional cost: it’s a free tool.
                              • You can deploy Windows 10 operating systems to institution-owned and personal devices.
                                The disadvantages of this method are that it:
                              • Can’t manage applications throughout entire application life cycle (by itself).
                              • Can’t manage software updates for Windows 10 and apps (by itself).
                              • Doesn’t provide antivirus and malware protection (by itself).
                              • Has limited scaling to large numbers of users and devices.| -|Microsoft Endpoint Configuration Manager|
                              • Configuration Manager is an on-premises solution that supports operating system management throughout the entire operating system life cycle
                              • You can use Configuration Manager to deploy and upgrade Windows 10. In addition, you can manage Windows desktop and Microsoft Store apps and software updates as well as provide antivirus and antimalware protection.
                                Select this method when you:
                              • Want to deploy Windows 10 to institution-owned devices that are domain joined (personal devices are typically not domain joined).
                              • Have an existing AD DS infrastructure (or plan to deploy an AD DS infrastructure).
                              • Typically deploy Windows 10 to on-premises devices.
                                The advantages of this method are that:
                              • You can deploy Windows 10 operating systems.
                              • You can manage (deploy) Windows desktop and Microsoft Store apps throughout entire application life cycle.
                              • You can manage software updates for Windows 10 and apps.
                              • You can manage antivirus and malware protection.
                              • It scales to large number of users and devices.
                                The disadvantages of this method are that it:
                              • Carries an additional cost for Microsoft Endpoint Manager server licenses (if the institution does not have Configuration Manager already).
                              • Can deploy Windows 10 only to domain-joined (institution-owned devices).
                              • Requires an AD DS infrastructure (if the institution does not have AD DS already).| +|MDT|MDT is an on-premises solution that supports initial operating system deployment and upgrade. You can use MDT to deploy and upgrade Windows 10. In addition, you can initially deploy Windows desktop and Microsoft Store apps and software updates.
                                Select this method when you:
                              • Want to deploy Windows 10 to institution-owned and personal devices. (Devices need not be domain joined.)
                              • Don’t have an existing AD DS infrastructure.
                              • Need to manage devices regardless of where they are (on or off premises).
                                The advantages of this method are that:
                              • You can deploy Windows 10 operating systems
                              • You can manage device drivers during initial deployment.
                              • You can deploy Windows desktop apps (during initial deployment)
                              • It doesn’t require an AD DS infrastructure.
                              • It doesn’t have extra infrastructure requirements.
                              • MDT doesn’t incur extra cost: it’s a free tool.
                              • You can deploy Windows 10 operating systems to institution-owned and personal devices.
                                The disadvantages of this method are that it:
                              • Can’t manage applications throughout entire application life cycle (by itself).
                              • Can’t manage software updates for Windows 10 and apps (by itself).
                              • Doesn’t provide antivirus and malware protection (by itself).
                              • Has limited scaling to large numbers of users and devices.| +|Microsoft Endpoint Configuration Manager|
                              • Configuration Manager is an on-premises solution that supports operating system management throughout the entire operating system life cycle
                              • You can use Configuration Manager to deploy and upgrade Windows 10. In addition, you can manage Windows desktop and Microsoft Store apps and software updates as well as provide antivirus and antimalware protection.
                                Select this method when you:
                              • Want to deploy Windows 10 to institution-owned devices that are domain joined (personal devices are typically not domain joined).
                              • Have an existing AD DS infrastructure (or plan to deploy an AD DS infrastructure).
                              • Typically deploy Windows 10 to on-premises devices.
                                The advantages of this method are that:
                              • You can deploy Windows 10 operating systems.
                              • You can manage (deploy) Windows desktop and Microsoft Store apps throughout entire application life cycle.
                              • You can manage software updates for Windows 10 and apps.
                              • You can manage antivirus and malware protection.
                              • It scales to large number of users and devices.
                                The disadvantages of this method are that it:
                              • Carries an extra cost for Microsoft Endpoint Manager server licenses (if the institution doesn't have Configuration Manager already).
                              • Can deploy Windows 10 only to domain-joined (institution-owned devices).
                              • Requires an AD DS infrastructure (if the institution doesn't have AD DS already).| *Table 2. Deployment methods* @@ -243,14 +243,14 @@ Record the deployment methods you selected in Table 3. ### Select the configuration setting management methods -If you have only one device to configure, manually configuring that one device is tedious but possible. When you have multiple classrooms of devices to configure, however, manually configuring each device becomes overwhelming. In addition, maintaining an identical configuration on every device will become virtually impossible as the number of devices in the district increases. +If you've only one device to configure, manually configuring that one device is tedious but possible. When you've multiple classrooms of devices to configure, however, manually configuring each device becomes overwhelming. In addition, maintaining an identical configuration on every device will become impossible as the number of devices in the district increases. For a district, there are many ways to manage the configuration setting for users and devices. Table 4 lists the methods that this guide describes and recommends. Use this information to determine which combination of configuration setting management methods is right for your institution. |Method|Description| |--- |--- | -|Group Policy|Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows.
                                Select this method when you
                              • Want to manage institution-owned devices that are domain joined (personal devices are typically not domain joined).
                              • Want more granular control of device and user settings.
                              • Have an existing AD DS infrastructure.
                              • Typically manage on-premises devices.
                              • Can manage a required setting only by using Group Policy.
                                The advantages of this method include:
                              • No cost beyond the AD DS infrastructure.
                              • A larger number of settings (compared to Intune).
                                The disadvantages of this method are that it:
                              • Can only manage domain-joined (institution-owned devices).
                              • Requires an AD DS infrastructure (if the institution does not have AD DS already).
                              • Typically manages on-premises devices (unless devices use a virtual private network [VPN] or Microsoft DirectAccess to connect).
                              • Has rudimentary app management capabilities.
                              • Cannot deploy Windows 10 operating systems.| -|Intune|Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.
                                Intune is the cloud-based management system described in this guide, but you can use other MDM providers. If you use an MDM provider other than Intune, integration with Configuration Manager is unavailable.
                                Select this method when you:
                              • Want to manage institution-owned and personal devices (does not require that the device be domain joined).
                              • Don’t need granular control over device and user settings (compared to Group Policy).
                              • Don’t have an existing AD DS infrastructure.
                              • Need to manage devices regardless of where they are (on or off premises).
                              • Want to provide application management for the entire application life cycle.
                              • Can manage a required setting only by using Intune.
                                The advantages of this method are that:
                              • You can manage institution-owned and personal devices.
                              • It doesn’t require that devices be domain joined.
                              • It doesn’t require any on-premises infrastructure.
                              • It can manage devices regardless of their location (on or off premises).
                                The disadvantages of this method are that it:
                              • Carries an additional cost for Intune subscription licenses.
                              • Doesn’t offer granular control over device and user settings (compared to Group Policy).
                              • Cannot deploy Windows 10 operating systems.| +|Group Policy|Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows.
                                Select this method when you
                              • Want to manage institution-owned devices that are domain joined (personal devices are typically not domain joined).
                              • Want more granular control of device and user settings.
                              • Have an existing AD DS infrastructure.
                              • Typically manage on-premises devices.
                              • Can manage a required setting only by using Group Policy.
                                The advantages of this method include:
                              • No cost beyond the AD DS infrastructure.
                              • A larger number of settings (compared to Intune).
                                The disadvantages of this method are that it:
                              • Can only manage domain-joined (institution-owned devices).
                              • Requires an AD DS infrastructure (if the institution doesn't have AD DS already).
                              • Typically manages on-premises devices (unless devices use a virtual private network [VPN] or Microsoft DirectAccess to connect).
                              • Has rudimentary app management capabilities.
                              • can't deploy Windows 10 operating systems.| +|Intune|Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.
                                Intune is the cloud-based management system described in this guide, but you can use other MDM providers. If you use an MDM provider other than Intune, integration with Configuration Manager is unavailable.
                                Select this method when you:
                              • Want to manage institution-owned and personal devices (doesn't require that the device be domain joined).
                              • Don’t need granular control over device and user settings (compared to Group Policy).
                              • Don’t have an existing AD DS infrastructure.
                              • Need to manage devices regardless of where they are (on or off premises).
                              • Want to provide application management for the entire application life cycle.
                              • Can manage a required setting only by using Intune.
                                The advantages of this method are that:
                              • You can manage institution-owned and personal devices.
                              • It doesn’t require that devices be domain joined.
                              • It doesn’t require any on-premises infrastructure.
                              • It can manage devices regardless of their location (on or off premises).
                                The disadvantages of this method are that it:
                              • Carries an extra cost for Intune subscription licenses.
                              • Doesn’t offer granular control over device and user settings (compared to Group Policy).
                              • can't deploy Windows 10 operating systems.| *Table 4. Configuration setting management methods* @@ -271,9 +271,9 @@ Use the information in Table 6 to determine which combination of app and update |Selection|Management method| |--- |--- | -|Microsoft Endpoint Configuration Manager|Configuration Manager is an on-premises solution that allows you to specify configuration settings for Windows 10; previous versions of Windows; and other operating systems, such as iOS or Android, through integration with Intune.Configuration Manager supports application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager. You can also manage Windows desktop and Microsoft Store applications. Select this method when you:
                              • Selected Configuration Manager to deploy Windows 10.
                              • Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).
                              • Want to manage AD DS domain-joined devices.
                              • Have an existing AD DS infrastructure.
                              • Typically manage on-premises devices.
                              • Want to deploy operating systems.
                              • Want to provide application management for the entire application life cycle.
                                The advantages of this method are that:
                              • You can deploy Windows 10 operating systems.
                              • You can manage applications throughout the entire application life cycle.
                              • You can manage software updates for Windows 10 and apps.
                              • You can manage antivirus and malware protection.
                              • It scales to large numbers of users and devices.
                                The disadvantages of this method are that it:
                              • Carries an additional cost for Configuration Manager server licenses (if the institution does not have Configuration Manager already).
                              • Carries an additional cost for Windows Server licenses and the corresponding server hardware.
                              • Can only manage domain-joined (institution-owned devices).
                              • Requires an AD DS infrastructure (if the institution does not have AD DS already).
                              • Typically manages on-premises devices (unless devices through VPN or DirectAccess).| -|Intune|Intune is a cloud-based solution that allows you to manage apps and software updates for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.
                                Select this method when you:
                              • Selected MDT only to deploy Windows 10.
                              • Want to manage institution-owned and personal devices that are not domain joined.
                              • Want to manage Azure AD domain-joined devices.
                              • Need to manage devices regardless of where they are (on or off premises).
                              • Want to provide application management for the entire application life cycle.
                                The advantages of this method are that:
                              • You can manage institution-owned and personal devices.
                              • It doesn’t require that devices be domain joined.
                              • It doesn’t require on-premises infrastructure.vIt can manage devices regardless of their location (on or off premises).
                              • You can deploy keys to perform in-place Windows 10 upgrades (such as upgrading from Windows 10 Pro to Windows 10 Education edition).
                                The disadvantages of this method are that it:
                              • Carries an additional cost for Intune subscription licenses.
                              • Cannot deploy Windows 10 operating systems.| -|Microsoft Endpoint Manager and Intune (hybrid)|Configuration Manager and Intune together extend Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both Configuration Manager and Intune.
                                Configuration Manager and Intune in the hybrid configuration allow you to support application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager, and you can manage Windows desktop and Microsoft Store applications for both institution-owned and personal devices.
                                Select this method when you:
                              • Selected Microsoft Endpoint Manager to deploy Windows 10.
                              • Want to manage institution-owned and personal devices (does not require that the device be domain joined).
                              • Want to manage domain-joined devices.
                              • Want to manage Azure AD domain-joined devices.
                              • Have an existing AD DS infrastructure.
                              • Want to manage devices regardless of their connectivity.vWant to deploy operating systems.
                              • Want to provide application management for the entire application life cycle.
                                The advantages of this method are that:
                              • You can deploy operating systems.
                              • You can manage applications throughout the entire application life cycle.
                              • You can scale to large numbers of users and devices.
                              • You can support institution-owned and personal devices.
                              • It doesn’t require that devices be domain joined.
                              • It can manage devices regardless of their location (on or off premises).
                                The disadvantages of this method are that it:
                              • Carries an additional cost for Configuration Manager server licenses (if the institution does not have Configuration Manager already).
                              • Carries an additional cost for Windows Server licenses and the corresponding server hardware.
                              • Carries an additional cost for Intune subscription licenses.
                              • Requires an AD DS infrastructure (if the institution does not have AD DS already).| +|Microsoft Endpoint Configuration Manager|Configuration Manager is an on-premises solution that allows you to specify configuration settings for Windows 10; previous versions of Windows; and other operating systems, such as iOS or Android, through integration with Intune.Configuration Manager supports application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager. You can also manage Windows desktop and Microsoft Store applications. Select this method when you:
                              • Selected Configuration Manager to deploy Windows 10.
                              • Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).
                              • Want to manage AD DS domain-joined devices.
                              • Have an existing AD DS infrastructure.
                              • Typically manage on-premises devices.
                              • Want to deploy operating systems.
                              • Want to provide application management for the entire application life cycle.
                                The advantages of this method are that:
                              • You can deploy Windows 10 operating systems.
                              • You can manage applications throughout the entire application life cycle.
                              • You can manage software updates for Windows 10 and apps.
                              • You can manage antivirus and malware protection.
                              • It scales to large numbers of users and devices.
                                The disadvantages of this method are that it:
                              • Carries an extra cost for Configuration Manager server licenses (if the institution doesn't have Configuration Manager already).
                              • Carries an extra cost for Windows Server licenses and the corresponding server hardware.
                              • Can only manage domain-joined (institution-owned devices).
                              • Requires an AD DS infrastructure (if the institution doesn't have AD DS already).
                              • Typically manages on-premises devices (unless devices through VPN or DirectAccess).| +|Intune|Intune is a cloud-based solution that allows you to manage apps and software updates for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.
                                Select this method when you:
                              • Selected MDT only to deploy Windows 10.
                              • Want to manage institution-owned and personal devices that aren't domain joined.
                              • Want to manage Azure AD domain-joined devices.
                              • Need to manage devices regardless of where they are (on or off premises).
                              • Want to provide application management for the entire application life cycle.
                                The advantages of this method are that:
                              • You can manage institution-owned and personal devices.
                              • It doesn’t require that devices be domain joined.
                              • It doesn’t require on-premises infrastructure.vIt can manage devices regardless of their location (on or off premises).
                              • You can deploy keys to perform in-place Windows 10 upgrades (such as upgrading from Windows 10 Pro to Windows 10 Education edition).
                                The disadvantages of this method are that it:
                              • Carries an extra cost for Intune subscription licenses.
                              • can't deploy Windows 10 operating systems.| +|Microsoft Endpoint Manager and Intune (hybrid)|Configuration Manager and Intune together extend Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both Configuration Manager and Intune.
                                Configuration Manager and Intune in the hybrid configuration allows you to support application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager, and you can manage Windows desktop and Microsoft Store applications for both institution-owned and personal devices.
                                Select this method when you:
                              • Selected Microsoft Endpoint Manager to deploy Windows 10.
                              • Want to manage institution-owned and personal devices (doesn't require that the device be domain joined).
                              • Want to manage domain-joined devices.
                              • Want to manage Azure AD domain-joined devices.
                              • Have an existing AD DS infrastructure.
                              • Want to manage devices regardless of their connectivity.vWant to deploy operating systems.
                              • Want to provide application management for the entire application life cycle.
                                The advantages of this method are that:
                              • You can deploy operating systems.
                              • You can manage applications throughout the entire application life cycle.
                              • You can scale to large numbers of users and devices.
                              • You can support institution-owned and personal devices.
                              • It doesn’t require that devices be domain joined.
                              • It can manage devices regardless of their location (on or off premises).
                                The disadvantages of this method are that it:
                              • Carries an extra cost for Configuration Manager server licenses (if the institution doesn't have Configuration Manager already).
                              • Carries an extra cost for Windows Server licenses and the corresponding server hardware.
                              • Carries an extra cost for Intune subscription licenses.
                              • Requires an AD DS infrastructure (if the institution doesn't have AD DS already).| *Table 6. App and update management products* @@ -288,7 +288,7 @@ Record the app and update management methods that you selected in Table 7. *Table 7. App and update management methods selected* #### Summary -In this section, you selected the methods that you will use to deploy Windows 10 to the faculty and student devices in your district. You selected the methods that you will use to manage configuration settings. Finally, you selected the methods that you will use to manage Windows desktop apps, Microsoft Store apps, and software updates. +In this section, you selected the methods that you'll use to deploy Windows 10 to the faculty and student devices in your district. You selected the methods that you'll use to manage configuration settings. Finally, you selected the methods that you'll use to manage Windows desktop apps, Microsoft Store apps, and software updates. ## Prepare the admin device @@ -307,7 +307,7 @@ For more information about installing the Windows ADK, see [Step 2-2: Install Wi ### Install MDT -Next, install MDT. MDT uses the Windows ADK to help you manage and perform Windows 10 and app deployment. It is a free tool available directly from Microsoft. +Next, install MDT. MDT uses the Windows ADK to help you manage and perform Windows 10 and app deployment. It's a free tool available directly from Microsoft. You can use MDT to deploy 32-bit or 64-bit versions of Windows 10. Install the 64-bit version of MDT to support deployment of 32-bit and 64-bit operating systems. > [!NOTE] @@ -345,7 +345,7 @@ For more information, see [Enable Configuration Manager Console Integration for #### Summary -In this section, you installed the Windows ADK and MDT on the admin device. You also created the MDT deployment share that you will configure and use later to capture a reference image. You can also use the MDT deployment share to deploy Windows 10 and your apps to faculty and students (if that’s the method you selected in [Select the deployment methods](#select-the-deployment-methods), earlier in this article). Finally, you installed the Configuration Manager console and configured MDT integration with the Configuration Manager console. +In this section, you installed the Windows ADK and MDT on the admin device. You also created the MDT deployment share that you'll configure and use later to capture a reference image. You can also use the MDT deployment share to deploy Windows 10 and your apps to faculty and students (if that’s the method you selected in [Select the deployment methods](#select-the-deployment-methods), earlier in this article). Finally, you installed the Configuration Manager console and configured MDT integration with the Configuration Manager console. ## Create and configure Office 365 @@ -363,8 +363,8 @@ Complete the following steps to select the appropriate Office 365 Education lice |Plan |Advantages |Disadvantages | |----- |----------- |------------- | - |Office 365 Education |
                                • Less expensive than Microsoft 365 Apps for enterprise
                                • Can be run from any device
                                • No installation necessary
                                |
                                • Must have an Internet connection to use it
                                • Does not support all the features found in Microsoft 365 Apps for enterprise
                                | - |Microsoft 365 Apps for enterprise |
                                • Only requires an Internet connection every 30 days (for activation)
                                • Supports the full set of Office features
                                • Can be installed on five devices per user (there is no limit to the number of devices on which you can run Office apps online)
                                |
                                • Requires installation
                                • More expensive than Office 365 Education
                                | + |Office 365 Education |
                                • Less expensive than Microsoft 365 Apps for enterprise
                                • Can be run from any device
                                • No installation necessary
                                |
                                • Must have an Internet connection to use it
                                • Doesn't support all the features found in Microsoft 365 Apps for enterprise
                                | + |Microsoft 365 Apps for enterprise |
                                • Only requires an Internet connection every 30 days (for activation)
                                • Supports the full set of Office features
                                • Can be installed on five devices per user (there's no limit to the number of devices on which you can run Office apps online)
                                |
                                • Requires installation
                                • More expensive than Office 365 Education
                                | *Table 8. Comparison of standard and Microsoft 365 Apps for enterprise plans* @@ -385,7 +385,7 @@ Complete the following steps to select the appropriate Office 365 Education lice *Table 9. Office 365 Education license plans needed for the classroom* -You will use the Office 365 Education license plan information you record in Table 9 in [Create user accounts in Office 365](#create-user-accounts-in-office-365) later in this guide. +You'll use the Office 365 Education license plan information you record in Table 9 in [Create user accounts in Office 365](#create-user-accounts-in-office-365) later in this guide. ### Create a new Office 365 Education subscription @@ -399,7 +399,7 @@ To create a new Office 365 Education subscription for use in the classroom, use 1. In Microsoft Edge or Internet Explorer, type `https://portal.office.com/start?sku=faculty` in the address bar. > [!NOTE] - > If you have already used your current sign-in account to create a new Office 365 subscription, you will be prompted to sign in. If you want to create a new Office 365 subscription, start an In-Private Window by using one of the following methods: + > If you've already used your current sign-in account to create a new Office 365 subscription, you'll be prompted to sign in. If you want to create a new Office 365 subscription, start an In-Private Window by using one of the following methods: > > - In Microsoft Edge, open the Microsoft Edge app (press Ctrl+Shift+P, or click or tap More actions), and then click or tap New InPrivate window. > @@ -408,7 +408,7 @@ To create a new Office 365 Education subscription for use in the classroom, use 2. On the **Get started** page, in **Enter your school email address**, type your school email address, and then click **Sign up**. - You will receive an email in your school email account. + You'll receive an email in your school email account. 3. Click the hyperlink in the email in your school email account. 4. On the **One last thing** page, complete your user information, and then click **Start**. @@ -418,9 +418,9 @@ The wizard creates your new Office 365 Education subscription, and you’re auto ### Add domains and subdomains -Now that you have created your new Office 365 Education subscription, add the domains and subdomains that your institution uses. For example, if your institution has contoso.edu as the primary domain name but you have subdomains for students or faculty (such as students.contoso.edu and faculty.contoso.edu), then you need to add the subdomains. +Now that you've created your new Office 365 Education subscription, add the domains and subdomains that your institution uses. For example, if your institution has contoso.edu as the primary domain name but you've subdomains for students or faculty (such as students.contoso.edu and faculty.contoso.edu), then you need to add the subdomains. -#### To add additional domains and subdomains +#### To add more domains and subdomains 1. In the admin center, in the list view, click **DOMAINS**. @@ -444,12 +444,12 @@ To make it easier for faculty and students to join your Office 365 Education sub Office 365 uses the domain portion of the user’s email address to know which Office 365 tenant to join. For example, if a faculty member or student provides an email address of user@contoso.edu, then Office 365 automatically performs one of the following tasks: * If an Office 365 tenant with that domain name (contoso.edu) exists, Office 365 automatically adds the user to that tenant. -* If an Office 365 tenant with that domain name (contoso.edu) does not exists, Office 365 automatically creates a new Office 365 tenant with that domain name and adds the user to it. +* If an Office 365 tenant with that domain name (contoso.edu) doesn't exist, Office 365 automatically creates a new Office 365 tenant with that domain name and adds the user to it. -You will always want faculty and students to join the Office 365 tenant that you created. Ensure that you perform the steps in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) and [Add domains and subdomains](#add-domains-and-subdomains) sections before you allow other faculty and students to join Office 365. +You'll always want faculty and students to join the Office 365 tenant that you created. Ensure that you perform the steps in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) and [Add domains and subdomains](#add-domains-and-subdomains) sections before you allow other faculty and students to join Office 365. > [!NOTE] -> You cannot merge multiple tenants, so any faculty or students who create their own tenant will need to abandon their existing tenant and join yours. +> You can't merge multiple tenants, so any faculty or students who create their own tenant will need to abandon their existing tenant and join yours. By default, all new Office 365 Education subscriptions have automatic tenant join enabled, but you can enable or disable automatic tenant join by using the Windows PowerShell commands in Table 10. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](/microsoft-365/education/deploy/office-365-education-self-sign-up). @@ -465,7 +465,7 @@ By default, all new Office 365 Education subscriptions have automatic tenant joi ### Disable automatic licensing -To reduce your administrative effort, automatically assign Office 365 Education or Office 365 Education Plus licenses to faculty and students when they sign up (automatic licensing). Automatic licensing also enables Office 365 Education or Office 365 Education Plus features that do not require administrative approval. +To reduce your administrative effort, automatically assign Office 365 Education or Office 365 Education Plus licenses to faculty and students when they sign up (automatic licensing). Automatic licensing also enables Office 365 Education or Office 365 Education Plus features that don't require administrative approval. > [!NOTE] > By default, automatic licensing is enabled in Office 365 Education. If you want to use automatic licensing, then skip this section and go to the next section. @@ -485,7 +485,7 @@ When you create your Office 365 subscription, you create an Office 365 tenant th Educational institutions can obtain Azure AD Basic edition licenses at no cost if they have a volume license agreement. After your institution obtains its licenses, activate your Azure AD access by completing the steps in [Step 3: Activate your Azure Active Directory access](/azure/active-directory/fundamentals/active-directory-get-started-premium#step-3-activate-your-azure-active-directory-access). -The following Azure AD Premium features are not in Azure AD Basic: +The following Azure AD Premium features aren't in Azure AD Basic: * Allow designated users to manage group membership * Dynamic group membership based on user metadata @@ -498,7 +498,7 @@ The following Azure AD Premium features are not in Azure AD Basic: You can assign Azure AD Premium licenses to the users who need these features. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Azure AD Premium to only those users. -You can sign up for Azure AD Premium, and then assign licenses to users. In this section, you sign up for Azure AD Premium. You will assign Azure AD Premium licenses to users later in the deployment process. +You can sign up for Azure AD Premium, and then assign licenses to users. In this section, you sign up for Azure AD Premium. You'll assign Azure AD Premium licenses to users later in the deployment process. For more information about: @@ -507,18 +507,18 @@ For more information about: #### Summary -You provision and initially configure Office 365 Education as part of initial configuration. With the subscription in place, automatic tenant join configured, automatic licensing established, and Azure AD Premium enabled (if required), you’re ready to select the method you will use to create user accounts in Office 365. +You provision and initially configure Office 365 Education as part of initial configuration. With the subscription in place, automatic tenant join configured, automatic licensing established, and Azure AD Premium enabled (if necessary), you’re ready to select the method you'll use to create user accounts in Office 365. ## Select an Office 365 user account–creation method -Now that you have an Office 365 subscription, you must determine how you’ll create your Office 365 user accounts. Use one of the following methods to make your decision: +Now that you've an Office 365 subscription, you must determine how you’ll create your Office 365 user accounts. Use one of the following methods to make your decision: -* Method 1: Automatically synchronize your on-premises AD DS domain with Azure AD. Select this method if you have an on-premises AD DS domain. +* Method 1: Automatically synchronize your on-premises AD DS domain with Azure AD. Select this method if you've an on-premises AD DS domain. * Method 2: Bulk-import the user accounts from a .csv file (based on information from other sources) into Azure AD. Select this method if you don’t have an on-premises AD DS domain. ### Method 1: Automatic synchronization between AD DS and Azure AD -In this method, you have an on-premises AD DS domain. As shown in Figure 5, the Azure AD Connector tool automatically synchronizes AD DS with Azure AD. When you add or change any user accounts in AD DS, the Azure AD Connector tool automatically updates Azure AD. +In this method, you've an on-premises AD DS domain. As shown in Figure 5, the Azure AD Connector tool automatically synchronizes AD DS with Azure AD. When you add or change any user accounts in AD DS, the Azure AD Connector tool automatically updates Azure AD. > [!NOTE] > Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](/previous-versions/mim/dn510997(v=ws.10)). @@ -532,7 +532,7 @@ For more information about how to perform this step, see the [Integrate on-premi ### Method 2: Bulk import into Azure AD from a .csv file -In this method, you have no on-premises AD DS domain. As shown in Figure 6, you manually prepare a .csv file with the student information from your source, and then manually import the information directly into Azure AD. The .csv file must be in the format that Office 365 specifies. +In this method, you've no on-premises AD DS domain. As shown in Figure 6, you manually prepare a .csv file with the student information from your source, and then manually import the information directly into Azure AD. The .csv file must be in the format that Office 365 specifies. > [!div class="mx-imgBorder"] > ![Bulk import into Azure AD from other sources.](images/edu-districtdeploy-fig6.png "Bulk import into Azure AD from other sources") @@ -557,7 +557,7 @@ In this section, you selected the method for creating user accounts in your Offi You can integrate your on-premises AD DS domain with Azure AD to provide identity management for your Office 365 tenant. With this integration, you can synchronize the users, security groups, and distribution lists in your AD DS domain with Azure AD with the Azure AD Connect tool. Users will be able to sign in to Office 365 automatically by using their email account and the same password they use to sign in to AD DS. > [!NOTE] -> If your institution does not have an on-premises AD DS domain, you can skip this section. +> If your institution doesn't have an on-premises AD DS domain, you can skip this section. ### Select a synchronization model @@ -565,7 +565,7 @@ Before you deploy AD DS and Azure AD synchronization, determine where you want t You can deploy the Azure AD Connect tool: -- **On premises.** As shown in Figure 7, Azure AD Connect runs on premises, which has the advantage of not requiring a VPN connection to Azure. It does, however, require a virtual machine (VM) or physical server. +- **On premises.** As shown in Figure 7, Azure AD Connect runs on premises which has the advantage of not requiring a VPN connection to Azure. It does, however, require a virtual machine (VM) or physical server. > [!div class="mx-imgBorder"] > ![Azure AD Connect on premises.](images/edu-districtdeploy-fig7.png "Azure AD Connect on premises") @@ -595,7 +595,7 @@ In this synchronization model (illustrated in Figure 7), you run Azure AD Connec 4. Configure Azure AD Connect features based on your institution’s requirements by performing the steps in [Configure sync features](/azure/active-directory/hybrid/whatis-hybrid-identity#configure-sync-features). -Now that you have used on premises Azure AD Connect to deploy AD DS and Azure AD synchronization, you’re ready to verify that Azure AD Connect is synchronizing AD DS user and group accounts with Azure AD. +Now that you've used on premises Azure AD Connect to deploy AD DS and Azure AD synchronization, you’re ready to verify that Azure AD Connect is synchronizing AD DS user and group accounts with Azure AD. ### Verify synchronization @@ -622,7 +622,7 @@ Azure AD Connect should start synchronization immediately. Depending on the numb The list of security group members should mirror the group membership for the corresponding security group in AD DS. 8. Close the browser. -Now that you have verified Azure AD Connect synchronization, you’re ready to assign user licenses for Azure AD Premium. +Now that you've verified Azure AD Connect synchronization, you’re ready to assign user licenses for Azure AD Premium. #### Summary @@ -649,7 +649,7 @@ Several methods are available to bulk-import user accounts into AD DS domains. T ### Create a source file that contains the user and group accounts -After you have selected your user and group account bulk import method, you’re ready to create the source file that contains the user and group account. You’ll use the source file as the input to the import process. The source file format depends on the method you selected. Table 13 lists the source file format for the bulk import methods. +After you've selected your user and group account bulk import method, you’re ready to create the source file that contains the user and group account. You’ll use the source file as the input to the import process. The source file format depends on the method you selected. Table 13 lists the source file format for the bulk import methods. |Method |Source file format | |-------|-------------------| @@ -674,7 +674,7 @@ For more information about how to import user accounts into AD DS by using: #### Summary -In this section, you selected the bulk-import method, created the source file that contains the user and group accounts, and imported the user and group accounts into AD DS. If you have Azure AD Connect, it automatically synchronizes the new AD DS user and group accounts to Azure AD. Now, you’re ready to assign user licenses for Azure AD Premium in the [Assign user licenses for Azure AD Premium](#assign-user-licenses-for-azure-ad-premium) section later in this guide. +In this section, you selected the bulk-import method, created the source file that contains the user and group accounts, and imported the user and group accounts into AD DS. If you've Azure AD Connect, it automatically synchronizes the new AD DS user and group accounts to Azure AD. Now, you’re ready to assign user licenses for Azure AD Premium in the [Assign user licenses for Azure AD Premium](#assign-user-licenses-for-azure-ad-premium) section later in this guide. ## Bulk-import user and group accounts into Office 365 @@ -682,12 +682,12 @@ You can bulk-import user and group accounts directly into Office 365, reducing t ### Create user accounts in Office 365 -Now that you have created your new Office 365 Education subscription, you need to create user accounts. You can add user accounts for the teachers, other faculty, and students who will use the classroom. +Now that you've created your new Office 365 Education subscription, you need to create user accounts. You can add user accounts for the teachers, other faculty, and students who will use the classroom. > [!NOTE] > If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant. -You can use the Microsoft 365 admin center to add individual Office 365 accounts manually—a reasonable process when you’re adding only a few users. If you have many users, however, you can automate the process by creating a list of those users, and then use that list to create user accounts (that is, bulk-add users). +You can use the Microsoft 365 admin center to add individual Office 365 accounts manually—a reasonable process when you’re adding only a few users. If you've many users, however, you can automate the process by creating a list of those users, and then use that list to create user accounts (that is, bulk-add users). The bulk-add process assigns the same Office 365 Education license plan to all users on the list. Therefore, you must create a separate list for each license plan you recorded in Table 9. Depending on the number of faculty members who need to use the classroom, you may want to add the faculty Office 365 accounts manually; however, use the bulk-add process to add student accounts. @@ -719,14 +719,14 @@ Microsoft Exchange Online uses an email distribution group as a single email rec You can create email distribution groups based on job role (such as teacher, administration, or student) or specific interests (such as robotics, drama club, or soccer team). You can create any number of distribution groups, and users can be members of more than one group. > [!NOTE] -> Office 365 can take some time to complete the Exchange Online creation process. You will have to wait until the creation process ends before you can perform the following steps. +> Office 365 can take some time to complete the Exchange Online creation process. You'll have to wait until the creation process ends before you can perform the following steps. For information about creating email distribution groups, see [Create a Microsoft 365 group in the admin center](/microsoft-365/admin/create-groups/create-groups). #### Summary -You have bulk-imported the user accounts into Office 365. First, you selected the bulk-import method. Next, you created the Office 365 security groups in Office 365. Finally, you created the Office 365 email distribution groups. Now, you’re ready to assign user licenses for Azure AD Premium. +You've bulk-imported the user accounts into Office 365. First, you selected the bulk-import method. Next, you created the Office 365 security groups in Office 365. Finally, you created the Office 365 email distribution groups. Now, you’re ready to assign user licenses for Azure AD Premium. ## Assign user licenses for Azure AD Premium @@ -749,7 +749,7 @@ This section shows you how to create a Microsoft Store for Business portal and c ### Create and configure your Microsoft Store for Business portal -To create and configure your Microsoft Store for Business portal, simply use the administrative account for your Office 365 subscription to sign in to Microsoft Store for Business. Microsoft Store for Business automatically creates a portal for your institution and uses your account as its administrator. +To create and configure your Microsoft Store for Business portal, use the administrative account for your Office 365 subscription to sign in to Microsoft Store for Business. Microsoft Store for Business automatically creates a portal for your institution and uses your account as its administrator. #### To create and configure a Microsoft Store for Business portal @@ -769,17 +769,17 @@ After you create the Microsoft Store for Business portal, configure it by using |--------------|----------------------------| |Account information |Displays information about your Microsoft Store for Business account (no settings can be changed). You make changes to this information in Office 365 or the Azure Management Portal. For more information, see [Update Microsoft Store for Business account settings](/microsoft-store/update-microsoft-store-for-business-account-settings).| |Device Guard signing |Allows you to upload and sign Device Guard catalog and policy files. For more information about Device Guard, see [Device Guard deployment guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide).| -|LOB publishers |Allows you to add line-of-business (LOB) publishers that can then publish apps to your private store. LOB publishers are usually internal developers or software vendors that are working with your institution. For more information, see [Working with line-of-business apps](/microsoft-store/working-with-line-of-business-apps).| +|LOB publishers |Allows you to add line-of-business (LOB) publishers that can then publish apps to your private store. LOB publishers are internal developers or software vendors that are working with your institution. For more information, see [Working with line-of-business apps](/microsoft-store/working-with-line-of-business-apps).| |Management tools |Allows you to add tools that you can use to distribute (deploy) apps in your private store. For more information, see [Distribute apps with a management tool](/microsoft-store/distribute-apps-with-management-tool).| |Offline licensing|Allows you to show (or not show) offline licensed apps to people shopping in your private store. For more information, see the “Licensing model: online and offline licenses” section in [Apps in Microsoft Store for Business](/microsoft-store/apps-in-microsoft-store-for-business#licensing-model).| -|Permissions |Allows you to grant other users in your organization the ability to buy, manage, and administer your Microsoft Store for Business portal. You can also remove permissions you have previously granted. For more information, see [Roles and permissions in Microsoft Store for Business](/microsoft-store/roles-and-permissions-microsoft-store-for-business).| +|Permissions |Allows you to grant other users in your organization the ability to buy, manage, and administer your Microsoft Store for Business portal. You can also remove permissions you've previously granted. For more information, see [Roles and permissions in Microsoft Store for Business](/microsoft-store/roles-and-permissions-microsoft-store-for-business).| |Private store |Allows you to change the organization name used in your Microsoft Store for Business portal. When you create your portal, the private store uses the organization name that you used to create your Office 365 subscription. For more information, see [Distribute apps using your private store](/microsoft-store/distribute-apps-from-your-private-store).| *Table 14. Menu selections to configure Microsoft Store for Business settings* ### Find, acquire, and distribute apps in the portal -Now that you have created your Microsoft Store for Business portal, you’re ready to find, acquire, and distribute apps that you will add to your portal. You do this from the **Inventory** page in Microsoft Store for Business. +Now that you've created your Microsoft Store for Business portal, you’re ready to find, acquire, and distribute apps that you'll add to your portal. You do this task from the **Inventory** page in Microsoft Store for Business. > [!NOTE] > Your educational institution can now use a credit card or purchase order to pay for apps in Microsoft Store for Business. @@ -790,18 +790,18 @@ For more information about how to find, acquire, and distribute apps in the port #### Summary -At the end of this section, you should have a properly configured Microsoft Store for Business portal. You have also found and acquired your apps from Microsoft Store. Finally, you should have deployed all your Microsoft Store apps to your users. Now, you’re ready to deploy Microsoft Store apps to your users. +At the end of this section, you should have a properly configured Microsoft Store for Business portal. You've also found and acquired your apps from Microsoft Store. Finally, you should have deployed all your Microsoft Store apps to your users. Now, you’re ready to deploy Microsoft Store apps to your users. ## Plan for deployment -You will use the LTI deployment process in MDT to deploy Windows 10 to devices or to upgrade devices to Windows 10. Prior to preparing for deployment, you must make some deployment planning decisions, including selecting the operating systems you will use, the approach you will use to create your Windows 10 images, and the method you will use to initiate the LTI deployment process. +You'll use the LTI deployment process in MDT to deploy Windows 10 to devices or to upgrade devices to Windows 10. Prior to preparing for deployment, you must make some deployment planning decisions, including selecting the operating systems you'll use, the approach you'll use to create your Windows 10 images, and the method you'll use to initiate the LTI deployment process. ### Select the operating systems -Later in the process, you will import the versions of Windows 10 you want to deploy. You can deploy the operating system to new devices, refresh existing devices, or upgrade existing devices. In the case of: +Later in the process, you'll import the versions of Windows 10 you want to deploy. You can deploy the operating system to new devices, refresh existing devices, or upgrade existing devices. In the case of: -* New devices or refreshing existing devices, you will completely replace the existing operating system on a device with Windows 10. -* Upgrading existing devices, you will upgrade the existing operating system (the Windows 8.1 or Windows 7 operating system) to Windows 10. +* New devices or refreshing existing devices, you'll completely replace the existing operating system on a device with Windows 10. +* Upgrading existing devices, you'll upgrade the existing operating system (the Windows 8.1 or Windows 7 operating system) to Windows 10. Depending on your school’s requirements, you may need any combination of the following Windows 10 editions: @@ -819,12 +819,12 @@ Depending on your school’s requirements, you may need any combination of the f For more information about the Windows 10 editions, see [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). -One other consideration is the mix of processor architectures you will support. If you can, support only 64-bit versions of Windows 10. If you have devices that can run only 32-bit versions of Windows 10, you will need to import both 64-bit and 32-bit versions of the Windows 10 editions listed above. +One other consideration is the mix of processor architectures you'll support. If you can, support only 64-bit versions of Windows 10. If you've devices that can run only 32-bit versions of Windows 10, you'll need to import both 64-bit and 32-bit versions of the Windows 10 editions listed above. > [!NOTE] > On devices that have minimal system resources (such as devices with only 2 GB of memory or 32 GB of storage), use 32-bit versions of Windows 10 because 64-bit versions of Windows 10 place more stress on device system resources. -Finally, as a best practice, minimize the number of operating systems that you deploy and manage. If possible, standardize institution-owned devices on one Windows 10 edition (such as a 64-bit version of Windows 10 Education or Windows 10 Pro). Of course, you cannot standardize personal devices on a specific operating system version or processor architecture. +Finally, as a best practice, minimize the number of operating systems that you deploy and manage. If possible, standardize institution-owned devices on one Windows 10 edition (such as a 64-bit version of Windows 10 Education or Windows 10 Pro). Of course, you can't standardize personal devices on a specific operating system version or processor architecture. ### Select an image approach @@ -842,7 +842,7 @@ The LTI deployment process is highly automated: it requires minimal information |Method|Description and reason to select this method| |--- |--- | |Windows Deployment Services|This method:
                              • Uses diskless booting to initiate LTI and ZTI deployments.
                              • Works only with devices that support PXE boot.
                              • Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
                              • Deploys images more slowly than when you use local media.
                              • Requires that you deploy a Windows Deployment Services server.

                                Select this method when you want to deploy Windows over-the-network and perform diskless booting. The advantage of this method is that the diskless media are generic and typically don’t require updates after you create them (LTI and ZTI access the centrally located deployment content over the network). The disadvantage of this method is that over-the-network deployments are slower than deployments from local media, and you must deploy a Windows Deployment Services server.| -|Bootable media|This method:
                              • Initiates LTI or ZTI deployment by booting from local media, including from USB drives, DVD, or CD.
                              • Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
                              • Deploys images more slowly than when using local media.
                              • Requires no additional infrastructure.

                                Select this method when you want to deploy Windows over the network and are willing to boot the target device from local media. The advantage of this method is that the media are generic and typically don’t require updates after you create them (LTI and ZTI access the centrally located deployment content over the network). The disadvantage of this method is that over-the-network deployments are slower than deployment from local media.| +|Bootable media|This method:
                              • Initiates LTI or ZTI deployment by booting from local media, including from USB drives, DVD, or CD.
                              • Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
                              • Deploys images more slowly than when using local media.
                              • Requires no extra infrastructure.

                                Select this method when you want to deploy Windows over the network and are willing to boot the target device from local media. The advantage of this method is that the media are generic and typically don’t require updates after you create them (LTI and ZTI access the centrally located deployment content over the network). The disadvantage of this method is that over-the-network deployments are slower than deployment from local media.| |Deployment media|This method:
                              • Initiates LTI or ZTI deployment by booting from a local USB hard disk.
                              • Deploys Windows 10 from local media, which consumes less network bandwidth than over-the-network methods.
                              • Deploys images more quickly than network-based methods do.
                              • Requires a USB hard disk because of the deployment share’s storage requirements (up to 100 GB).

                                Select this method when you want to perform local deployments and are willing to boot the target device from a local USB hard disk. The advantage of this method is that local deployments are faster than over-the-network deployments. The disadvantage of this method is that each time you change the deployment share or distribution point content, you must regenerate the deployment media and update the USB hard disk. *Table 15. Methods to initiate LTI and ZTI deployments* @@ -861,10 +861,10 @@ The first step in preparing for Windows 10 deployment is to configure—that is, |Task|Description| |--- |--- | |1. Import operating systems|Import the operating systems that you selected in the [Select the operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench)| -|2. Import device drivers|Device drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat.
                                Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench)| -|3. Create MDT applications for Microsoft Store apps|Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using sideloading, which allows you to use the **Add-AppxPackage** Windows PowerShell cmdlet to deploy the .appx files associated with the app (called provisioned apps). Use this method to deploy up to 24 apps to Windows 10.
                                Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you will use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you will need to obtain the .appx files by performing one of the following tasks:
                              • For offline-licensed apps, download the .appx files from the Microsoft Store for Business.
                              • For apps that are not offline licensed, obtain the .appx files from the app software vendor directly.

                                If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.
                                If you have Intune or Microsoft Endpoint Configuration Manager, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune) and [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager). This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.
                                In addition, you must prepare your environment for sideloading Microsoft Store apps. For more information about how to:
                              • Prepare your environment for sideloading, see [Try it out: sideload Microsoft Store apps](/previous-versions/windows/).
                              • Create an MDT application, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench).| -|4. Create MDT applications for Windows desktop apps|You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.
                                To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in[Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](/deployoffice/deploy-microsoft-365-apps-local-source).
                                If you have Intune, you can [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune), as described in the Deploy and manage apps by using Intune section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps.
                                This is the preferred method for deploying and managing Windows desktop apps.
                                **Note:**  You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
                                For more information about how to create an MDT application for Windows desktop apps, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt).| -|5. Create task sequences|You must create separate task sequences for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education, (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education, or (3) if you want to run deployments and upgrades for both 32-bit and 64-bit versions of Windows 10. To do so, you must create task sequences that will:
                              • Deploy 64-bit Windows 10 Education to devices.
                              • Deploy 32-bit Windows 10 Education to devices.
                              • Upgrade existing devices to 64-bit Windows 10 Education.
                              • Upgrade existing devices to 32-bit Windows 10 Education.

                                Again, you will create the task sequences based on the operating systems that you imported in step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewTaskSequenceintheDeploymentWorkbench).| +|2. Import device drivers|Device drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device can't play sounds; without the proper camera driver, the device can't take photos or use video chat.
                                Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench)| +|3. Create MDT applications for Microsoft Store apps|Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using sideloading, which allows you to use the **Add-AppxPackage** Windows PowerShell cmdlet to deploy the .appx files associated with the app (called provisioned apps). Use this method to deploy up to 24 apps to Windows 10.
                                Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you'll use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you'll need to obtain the .appx files by performing one of the following tasks:
                              • For offline-licensed apps, download the .appx files from the Microsoft Store for Business.
                              • For apps that aren't offline licensed, obtain the .appx files from the app software vendor directly.

                                If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.
                                If you've Intune or Microsoft Endpoint Configuration Manager, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune) and [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager). This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.
                                In addition, you must prepare your environment for sideloading Microsoft Store apps. For more information about how to:
                              • Prepare your environment for sideloading, see [Try it out: sideload Microsoft Store apps](/previous-versions/windows/).
                              • Create an MDT application, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench).| +|4. Create MDT applications for Windows desktop apps|You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you've sufficient licenses for them.
                                To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in[Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](/deployoffice/deploy-microsoft-365-apps-local-source).
                                If you've Intune, you can [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune), as described in the Deploy and manage apps by using Intune section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps.
                                This is the preferred method for deploying and managing Windows desktop apps.
                                **Note:**  You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
                                For more information about how to create an MDT application for Windows desktop apps, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt).| +|5. Create task sequences|You must create separate task sequences for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education, (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education, or (3) if you want to run deployments and upgrades for both 32-bit and 64-bit versions of Windows 10. To do so, you must create task sequences that will:
                              • Deploy 64-bit Windows 10 Education to devices.
                              • Deploy 32-bit Windows 10 Education to devices.
                              • Upgrade existing devices to 64-bit Windows 10 Education.
                              • Upgrade existing devices to 32-bit Windows 10 Education.

                                Again, you'll create the task sequences based on the operating systems that you imported in step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewTaskSequenceintheDeploymentWorkbench).| |6. Update the deployment share|Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32-bit and 64-bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services.
                                For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#UpdateaDeploymentShareintheDeploymentWorkbench).| *Table 16. Tasks to configure the MDT deployment share* @@ -872,9 +872,9 @@ The first step in preparing for Windows 10 deployment is to configure—that is, ### Configure Microsoft Endpoint Configuration Manager > [!NOTE] -> If you have already configured your Microsoft Endpoint Manager infrastructure to support the operating system deployment feature or if you selected to deploy Windows 10 by using MDT only, then skip this section and continue to the next section. +> If you've already configured your Microsoft Endpoint Manager infrastructure to support the operating system deployment feature or if you selected to deploy Windows 10 by using MDT only, then skip this section and continue to the next section. -Before you can use Configuration Manager to deploy Windows 10 and manage your apps and devices, you must configure Configuration Manager to support the operating system deployment feature. If you don’t have an existing Configuration Manager infrastructure, you will need to deploy a new infrastructure. +Before you can use Configuration Manager to deploy Windows 10 and manage your apps and devices, you must configure Configuration Manager to support the operating system deployment feature. If you don’t have an existing Configuration Manager infrastructure, you'll need to deploy a new infrastructure. Deploying a new Configuration Manager infrastructure is beyond the scope of this guide, but the following resources can help you deploy a new Configuration Manager infrastructure: @@ -889,17 +889,17 @@ Deploying a new Configuration Manager infrastructure is beyond the scope of this Ensure that your existing infrastructure can support the operating system deployment feature. For more information, see [Infrastructure requirements for operating system deployment in Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/plan-design/infrastructure-requirements-for-operating-system-deployment). 2. Add the Windows PE boot images, Windows 10 operating systems, and other content. - You need to add the Windows PE boot images, Windows 10 operating system images, and other deployment content that you will use to deploy Windows 10 with ZTI. To add this content, use the Create MDT Task Sequence Wizard. + You need to add the Windows PE boot images, Windows 10 operating system images, and other deployment content that you'll use to deploy Windows 10 with ZTI. To add this content, use the Create MDT Task Sequence Wizard. You can add this content by using Microsoft Endpoint Manager only (without MDT), but the Create MDT Task Sequence Wizard is the preferred method because the wizard prompts you for all the deployment content you need for a task sequence and provides a much more intuitive user experience. For more information, see [Create ZTI Task Sequences Using the Create MDT Task Sequence Wizard in Configuration Manager](/mem/configmgr/mdt/use-the-mdt#CreateZTITaskSequencesUsingtheCreateMDTTaskSequenceWizardinConfigurationManager). 3. Add device drivers. - You must add device drivers for the different device types in your district. For example, if you have a mixture of Surface, HP Stream, Dell Inspiron, and Lenovo Yoga devices, then you must have the device drivers for each device. + You must add device drivers for the different device types in your district. For example, if you've a mixture of Surface, HP Stream, Dell Inspiron, and Lenovo Yoga devices, then you must have the device drivers for each device. Create a Microsoft Endpoint Manager driver package for each device type in your district. For more information, see [Manage drivers in Configuration Manager](/mem/configmgr/osd/get-started/manage-drivers). 4. Add Windows apps. - Install the Windows apps (Windows desktop and Microsoft Store apps) that you want to deploy after the task sequence deploys your customized image (a thick, reference image that include Windows 10 and your core Windows desktop apps). These apps are in addition to the apps included in your reference image. You can only deploy Microsoft Store apps after you deploy Windows 10 because you cannot capture Microsoft Store apps in a reference image. Microsoft Store apps target users, not devices. + Install the Windows apps (Windows desktop and Microsoft Store apps) that you want to deploy after the task sequence deploys your customized image (a thick, reference image that includes Windows 10 and your core Windows desktop apps). These apps are in addition to the apps included in your reference image. You can only deploy Microsoft Store apps after you deploy Windows 10 because you can't capture Microsoft Store apps in a reference image. Microsoft Store apps target users, not devices. Create a Configuration Manager application for each Windows desktop or Microsoft Store app that you want to deploy after you apply the reference image to a device. For more information, see [Deploy and manage applications with Configuration Manager](/mem/configmgr/apps/deploy-use/deploy-applications). @@ -921,14 +921,14 @@ You can use Windows Deployment Services in conjunction with MDT to automatically 2. Add LTI boot images (Windows PE images) to Windows Deployment Services. - The LTI boot images (.wim files) that you will add to Windows Deployment Services are in the MDT deployment share. Locate the .wim files in the deployment share’s Boot subfolder. + The LTI boot images (.wim files) that you'll add to Windows Deployment Services are in the MDT deployment share. Locate the .wim files in the deployment share’s Boot subfolder. For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](/mem/configmgr/mdt/use-the-mdt#AddLTIBootImagestoWindowsDeploymentServices). ### Configure Windows Deployment Services for Microsoft Endpoint Configuration Manager > [!NOTE] -> If you have already configured your Microsoft Endpoint Manager infrastructure to support PXE boot or selected to deploy Windows 10 by using MDT only, then skip this section and continue to the next. +> If you've already configured your Microsoft Endpoint Manager infrastructure to support PXE boot or selected to deploy Windows 10 by using MDT only, then skip this section and continue to the next. You can use Windows Deployment Services in conjunction with Configuration Manager to automatically initiate boot images on target devices. These boot images are Windows PE images that you use to boot the target devices, and then initiate Windows 10, app, and device driver deployment. @@ -955,7 +955,7 @@ You can use Windows Deployment Services in conjunction with Configuration Manage #### Summary -Your MDT deployment share and Microsoft Endpoint Manager are now ready for deployment. Windows Deployment Services is ready to initiate the LTI or ZTI deployment process. You have set up and configured Windows Deployment Services for MDT and for Configuration Manager. You have also ensured that your boot images are available to Windows Deployment Services (for LTI) or the distribution points (for ZTI and Configuration Manager). Now, you’re ready to capture the reference images for the different devices you have in your district. +Your MDT deployment share and Microsoft Endpoint Manager are now ready for deployment. Windows Deployment Services is ready to initiate the LTI or ZTI deployment process. You've set up and configured Windows Deployment Services for MDT and for Configuration Manager. You've also ensured that your boot images are available to Windows Deployment Services (for LTI) or the distribution points (for ZTI and Configuration Manager). Now, you’re ready to capture the reference images for the different devices you've in your district. ## Capture the reference image @@ -963,7 +963,7 @@ The reference device is a device that you use as the template for all the other After you deploy Windows 10 and the desktop apps to the reference device, you capture an image of the device (the reference image). You import the reference image to an MDT deployment share or into Configuration Manager. Finally, you create a task sequence to deploy the reference image to faculty and student devices. -You will capture multiple reference images, one for each type of device that you have in your organization. You perform the steps in this section for each image (device) that you have in your district. Use LTI in MDT to automate the deployment and capture of the reference image. +You'll capture multiple reference images, one for each type of device that you've in your organization. You perform the steps in this section for each image (device) that you've in your district. Use LTI in MDT to automate the deployment and capture of the reference image. > [!NOTE] > You can use LTI in MDT or Configuration Manager to automate the deployment and capture of the reference image, but this guide only discusses how to use LTI in MDT to capture the reference image. @@ -991,7 +991,7 @@ You initially configured the MDT deployment share in the [Configure the MDT depl A *selection profile* lets you select specific device drivers. For example, if you want to deploy the device drivers for a Surface Pro 4 device, you can create a selection profile that contains only the Surface Pro 4 device drivers. - First, in the Out-of-Box Drivers node in the Deployment Workbench, create a folder that will contain your device drivers. Next, import the device drivers into the folder you just created. Finally, create the selection profile and specify the folder that contains the device drivers. For more information, see the following resources: + First, in the Out-of-Box Drivers node in the Deployment Workbench, create a folder that will contain your device drivers. Next, import the device drivers into the folder you created. Finally, create the selection profile and specify the folder that contains the device drivers. For more information, see the following resources: * [Create Folders to Organize Device Drivers for LTI Deployments](/mem/configmgr/mdt/use-the-mdt#CreateFolderstoOrganizeDeviceDriversforLTIDeployments) * [Create Selection Profiles to Select the Device Drivers for LTI Deployments](/mem/configmgr/mdt/use-the-mdt#CreateSelectionProfilestoSelecttheDeviceDriversforLTIDeployments) @@ -1019,7 +1019,7 @@ In most instances, deployments occur without incident. Only in rare occasions do ### Import reference image -After you have captured the reference image (.wim file), import the image into the MDT deployment share or into Configuration Manager (depending on which method you selected to perform Windows 10 deployments). You will deploy the reference image to the student and faculty devices in your district. +After you've captured the reference image (.wim file), import the image into the MDT deployment share or into Configuration Manager (depending on which method you selected to perform Windows 10 deployments). You'll deploy the reference image to the student and faculty devices in your district. Both the Deployment Workbench and the Configuration Manager console have wizards that help you import the reference image. After you import the reference image, you need to create a task sequence that will deploy the reference image. @@ -1030,9 +1030,9 @@ For more information about how to import the reference image into: ### Create a task sequence to deploy the reference image -You created an LTI task sequence in the Deployment Workbench earlier in this process to deploy Windows 10 and your desktop apps to the reference device. Now that you have captured and imported your reference image, you need to create a tasks sequence to deploy it. +You created an LTI task sequence in the Deployment Workbench earlier in this process to deploy Windows 10 and your desktop apps to the reference device. Now that you've captured and imported your reference image, you need to create a tasks sequence to deploy it. -As you might expect, both the Deployment Workbench and the Configuration Manager console have wizards that help you create a starting task sequence. After you create your task sequence, in most instances you will need to customize it to deploy additional apps, device drivers, and other software. +As you might expect, both the Deployment Workbench and the Configuration Manager console have wizards that help you create a starting task sequence. After you create your task sequence, in most instances you'll need to customize it to deploy more apps, device drivers, and other software. For more information about how to create a task sequence in the: @@ -1044,7 +1044,7 @@ In this section, you customized the MDT deployment share to deploy Windows 10 an ## Prepare for device management -Before you deploy Windows 10 in your district, you must prepare for device management. You will deploy Windows 10 in a configuration that complies with your requirements, but you want to help ensure that your deployments remain compliant. +Before you deploy Windows 10 in your district, you must prepare for device management. You'll deploy Windows 10 in a configuration that complies with your requirements, but you want to help ensure that your deployments remain compliant. You also want to deploy apps and software updates after you deploy Windows 10. You need to manage apps and updates by using Configuration Manager, Intune, or a combination of both (hybrid model). @@ -1055,17 +1055,17 @@ Microsoft has several recommended settings for educational institutions. Table 1 > [!NOTE] > The settings for Intune in Table 17 also apply to the Configuration Manager and Intune management (hybrid) method. -Use the information in Table 17 to help you determine whether you need to configure the setting and which method you will use to do so. At the end, you will have a list of settings that you want to apply to the Windows 10 devices and know which management method you will use to configure the settings. +Use the information in Table 17 to help you determine whether you need to configure the setting and which method you'll use to do so. At the end, you'll have a list of settings that you want to apply to the Windows 10 devices and know which management method you'll use to configure the settings. |Recommendation|Description| |--- |--- | -|Use of Microsoft accounts|You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.
                                **Note**  Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.
                                **Group Policy.** Configure the [Accounts: Block Microsoft accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj966262(v=ws.11)) Group Policy setting to use the **Users can’t add Microsoft accounts** setting option.
                                ****Intune**.** To enable or disable the use of Microsoft accounts, use the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy.| -|Restrict the local administrator accounts on the devices|Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.
                                **Group Policy**. Create a Local Group Group Policy preference to limit the local administrators group membership. Select the Delete all member users and Delete all member groups check boxes to remove any existing members. For more information about how to configure Local Group preferences, see Configure a Local Group Item.
                                **Intune**. Not available.| +|Use of Microsoft accounts|You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, don't use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.
                                **Note**  Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.
                                **Group Policy.** Configure the [Accounts: Block Microsoft accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj966262(v=ws.11)) Group Policy setting to use the **Users can’t add Microsoft accounts** setting option.
                                ****Intune**.** To enable or disable the use of Microsoft accounts, use the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy.| +|Restrict the local administrator accounts on the devices|Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.
                                **Group Policy**. Create a Local Group Policy preference to limit the local administrators group membership. Select the Delete all member users and Delete all member groups check boxes to remove any existing members. For more information about how to configure Local Group preferences, see Configure a Local Group Item.
                                **Intune**. Not available.| |Manage the built-in administrator account created during device deployment|When you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and (optionally) disable it.
                                **Group Policy**. To rename the built-in Administrator account, use the Accounts: Rename administrator account Group policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-essentials-sbs/cc747484(v=ws.10)). You specify the new name for the Administrator account. To disable the built-in Administrator account, use the Accounts: Administrator account status Group policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852165(v=ws.11)).
                                **Intune**. Not available.| |Control Microsoft Store access|You can control access to Microsoft Store and whether existing Microsoft Store apps receive updates. You can only disable the Microsoft Store app in Windows 10 Education and Windows 10 Enterprise.
                                **Group policy**. To disable the Microsoft Store app, use the Turn off the Store Application group policy setting. To prevent Microsoft Store apps from receiving updates, use the Turn off Automatic Download and Install of updates Group Policy setting. For more information about configuring these settings, see Can I use Group Policy to control the Microsoft Store in my enterprise environment?
                                **Intune**. To enable or disable Microsoft Store access, use the Allow application store policy setting in the Apps section of a Windows 10 General Configuration policy.| |Use of Remote Desktop connections to devices|Remote Desktop connections could allow unauthorized access to the device. Depending on your institution’s policies, you may want to disable Remote Desktop connections on your devices.
                                **Group policy**. To enable or disable Remote Desktop connections to devices, use the Allow Users to connect remotely using Remote Desktop setting in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections.
                                **Intune**. Not available.| |Use of camera|A device’s camera can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the camera on your devices.
                                **Group policy**. Not available.
                                **Intune**. To enable or disable the camera, use the Allow camera policy setting in the Hardware section of a Windows 10 General Configuration policy.| -|Use of audio recording|Audio recording (by using the Sound Recorder app) can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the Sound Recorder app on your devices.
                                **Group policy**. To disable the Sound Recorder app, use the Do not allow Sound Recorder to run Group Policy setting. You can disable other audio recording apps by using AppLocker policies. To create AppLocker policies, use the information in [Editing an AppLocker Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791894(v=ws.10)) and [Create Your AppLocker Policies](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ee791899(v=ws.11)).
                                **Intune**. To enable or disable audio recording, use the Allow voice recording policy setting in the Features section of a Windows 10 General Configuration policy.| +|Use of audio recording|Audio recording (by using the Sound Recorder app) can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the Sound Recorder app on your devices.
                                **Group policy**. To disable the Sound Recorder app, use the don't allow Sound Recorder to run Group Policy setting. You can disable other audio recording apps by using AppLocker policies. To create AppLocker policies, use the information in [Editing an AppLocker Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791894(v=ws.10)) and [Create Your AppLocker Policies](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ee791899(v=ws.11)).
                                **Intune**. To enable or disable audio recording, use the Allow voice recording policy setting in the Features section of a Windows 10 General Configuration policy.| |Use of screen capture|Screen captures can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the ability to perform screen captures on your devices.
                                **Group policy**. Not available.
                                **Intune**. To enable or disable screen capture, use the Allow screen capture policy setting in the System section of a Windows 10 General Configuration policy.| |Use of location services|Providing a device’s location can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the location service on your devices.
                                **Group policy**. To enable or disable location services, use the Turn off location group policy setting in User Configuration\Windows Components\Location and Sensors.
                                **Intune**. To enable or disable location services, use the Allow geolocation policy setting in the Hardware section of a Windows 10 General Configuration policy.| |Changing wallpaper|Custom wallpapers can be a source of disclosure or privacy issues in an education environment (if the wallpaper displays information about the user or device). Depending on your institution’s policies, you may want to prevent users from changing the wallpaper on institution-owned devices.
                                **Group policy**. To configure the wallpaper, use the Desktop WallPaper setting in User Configuration\Administrative Templates\Desktop\Desktop.
                                **Intune**. Not available.| @@ -1076,7 +1076,7 @@ Use the information in Table 17 to help you determine whether you need to config ### Configure settings by using Group Policy -Now, you’re ready to use Group Policy to configure settings. The steps in this section assume that you have an AD DS infrastructure. Here, you configure the Group Policy settings you selected in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. +Now, you’re ready to use Group Policy to configure settings. The steps in this section assume that you've an AD DS infrastructure. Here, you configure the Group Policy settings you selected in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. For more information about Group Policy, see [Group Policy Planning and Deployment Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754948(v=ws.10)). @@ -1090,7 +1090,7 @@ For more information about Group Policy, see [Group Policy Planning and Deployme ### Configure settings by using Intune -Now, you’re ready to use Intune to configure settings. The steps in this section assume that you have an Office 365 subscription. Here, you configure the Intune settings that you selected in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. +Now, you’re ready to use Intune to configure settings. The steps in this section assume that you've an Office 365 subscription. Here, you configure the Intune settings that you selected in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. For more information about Intune, see [Microsoft Intune Documentation](/intune/). @@ -1108,7 +1108,7 @@ For more information about Intune, see [Microsoft Intune Documentation](/intune/ If you selected to deploy and manage apps by using Microsoft Endpoint Manager and Intune in a hybrid configuration, then skip this section and continue to the [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager) section. -You can use Intune to deploy Microsoft Store and Windows desktop apps. Intune provides improved control over which users receive specific apps. In addition, Intune allows you to deploy apps to companion devices (such as iOS or Android devices). Finally, Intune helps you manage app security and features, such as mobile application management policies that let you manage apps on devices that are not enrolled in Intune or that another solution manages. +You can use Intune to deploy Microsoft Store and Windows desktop apps. Intune provides improved control over which users receive specific apps. In addition, Intune allows you to deploy apps to companion devices (such as iOS or Android devices). Finally, Intune helps you manage app security and features, such as mobile application management policies that let you manage apps on devices that aren't enrolled in Intune or that another solution manages. For more information about how to configure Intune to manage your apps, see the following resources: @@ -1199,7 +1199,7 @@ In most instances, deployments occur without incident. Only in rare occasions do ### Set up printers -After you have deployed Windows 10, the devices are almost ready for use. First, you must set up the printers that each classroom will use. Typically, you connect the printers to the same network as the devices in the same classroom. If you don’t have printers in your classrooms, skip this section and proceed to [Verify deployment](#verify-deployment). +After you've deployed Windows 10, the devices are almost ready for use. First, you must set up the printers that each classroom will use. Typically, you connect the printers to the same network as the devices in the same classroom. If you don’t have printers in your classrooms, skip this section and proceed to [Verify deployment](#verify-deployment). > [!NOTE] > If you’re performing an upgrade instead of a new deployment, the printers remain configured as they were in the previous version of Windows. As a result, you can skip this section and proceed to [Verify deployment](#verify-deployment). @@ -1212,7 +1212,7 @@ After you have deployed Windows 10, the devices are almost ready for use. First, 3. Copy the printer drivers to a USB drive. -4. On a device, use the same account you used to set up Windows 10 in the [Prepare for deployment](#prepare-for-deployment) section to log on to the device. +4. On a device, use the same account you used to set up Windows 10 in the [Prepare for deployment](#prepare-for-deployment) section to sign in to the device. 5. Plug the USB drive into the device. @@ -1234,7 +1234,7 @@ As a final quality control step, verify the device configuration to ensure that * All Windows desktop apps are properly installed and updated. * Printers are properly configured. -When you have verified that the first device is properly configured, you can move to the next device and perform the same steps. +When you've verified that the first device is properly configured, you can move to the next device and perform the same steps. #### Summary @@ -1252,7 +1252,7 @@ Table 19 lists the school and individual classroom maintenance tasks, the resour |Task and resources|Monthly|New semester or academic year|As required| |--- |--- |--- |--- | -|Verify that Windows Update is active and current with operating system and software updates.
                                For more information about completing this task when you have:
                              • Intune, see [Keep Windows PCs up to date with software updates in Microsoft Intune](/intune/deploy-use/keep-windows-pcs-up-to-date-with-software-updates-in-microsoft-intune)
                              • Group Policy, see [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb).
                              • WSUS, see [Windows Server Update Services](/windows/deployment/deploy-whats-new).
                                Neither Intune, Group Policy, nor WSUS, see “Install, upgrade, & activate” in Windows 10 help.|✔️|✔️|✔️| +|Verify that Windows Update is active and current with operating system and software updates.
                                For more information about completing this task when you've:
                              • Intune, see [Keep Windows PCs up to date with software updates in Microsoft Intune](/intune/deploy-use/keep-windows-pcs-up-to-date-with-software-updates-in-microsoft-intune)
                              • Group Policy, see [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb).
                              • WSUS, see [Windows Server Update Services](/windows/deployment/deploy-whats-new).
                                Neither Intune, Group Policy, nor WSUS, see “Install, upgrade, & activate” in Windows 10 help.|✔️|✔️|✔️| |Verify that Windows Defender is active and current with malware Security intelligence.
                                For more information about completing this task, see [Turn Windows Defender on or off](https://support.microsoft.com/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab02)and [Updating Windows Defender](https://support.microsoft.com/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab03).|✔️|✔️|✔️| |Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found.
                                For more information about completing this task, see the “How do I find and remove a virus?” topic in [Protect my PC from viruses](https://support.microsoft.com/help/17228/windows-protect-my-pc-from-viruses).|✔️|✔️|✔️| |Download and approve updates for Windows 10, apps, device driver, and other software.
                                For more information, see:
                              • [Manage updates by using Intune](#manage-updates-by-using-intune)
                              • [Manage updates by using Microsoft Endpoint Configuration Manager](#manage-updates-by-using-microsoft-endpoint-configuration-manager)|✔️|✔️|✔️| @@ -1260,9 +1260,9 @@ Table 19 lists the school and individual classroom maintenance tasks, the resour |Refresh the operating system and apps on devices.
                                For more information about completing this task, see the following resources:
                              • [Prepare for deployment](#prepare-for-deployment)
                              • [Capture the reference image](#capture-the-reference-image)
                              • [Deploy Windows 10 to devices](#deploy-windows-10-to-devices)||✔️|✔️| |Install any new Windows desktop apps, or update any Windows desktop apps used in the curriculum.
                                For more information, see:
                              • [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
                              • [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager)||✔️|✔️| |Install new or update existing Microsoft Store apps used in the curriculum.
                                Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download.
                                You can also deploy Microsoft Store apps directly to devices by using Intune, Microsoft Endpoint Configuration Manager, or both in a hybrid configuration.
                                For more information, see:
                              • [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
                              • [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager)||✔️|✔️| -|Remove unnecessary user accounts (and corresponding licenses) from AD DS and Office 365 (if you have an on-premises AD DS infrastructure).
                                For more information about how to:
                              • Remove unnecessary user accounts, see [Active Directory Administrative Center](/windows-server/identity/ad-ds/get-started/adac/active-directory-administrative-center)
                              • Remove licenses, see [Add users and assign licenses](/microsoft-365/admin/add-users/add-users)||✔️|✔️| -|Add new accounts (and corresponding licenses) to AD DS (if you have an on-premises AD DS infrastructure).
                                For more information about how to:
                              • Add user accounts, see [Bulk-import user and group accounts into AD DS](#bulk-import-user-and-group-accounts-into-ad-ds)
                              • Assign licenses, see [Add users and assign licenses](/microsoft-365/admin/add-users/add-users)||✔️|✔️| -|Remove unnecessary user accounts (and corresponding licenses) from Office 365 (if you do not have an on-premises AD DS infrastructure).
                                For more information about how to:
                              • Remove unnecessary user accounts, see [Delete or restore users](/microsoft-365/admin/add-users/delete-a-user)
                              • Remove licenses, [Assign or remove licenses for Microsoft 365](/microsoft-365/admin/add-users/add-users).||✔️|✔️| +|Remove unnecessary user accounts (and corresponding licenses) from AD DS and Office 365 (if you've an on-premises AD DS infrastructure).
                                For more information about how to:
                              • Remove unnecessary user accounts, see [Active Directory Administrative Center](/windows-server/identity/ad-ds/get-started/adac/active-directory-administrative-center)
                              • Remove licenses, see [Add users and assign licenses](/microsoft-365/admin/add-users/add-users)||✔️|✔️| +|Add new accounts (and corresponding licenses) to AD DS (if you've an on-premises AD DS infrastructure).
                                For more information about how to:
                              • Add user accounts, see [Bulk-import user and group accounts into AD DS](#bulk-import-user-and-group-accounts-into-ad-ds)
                              • Assign licenses, see [Add users and assign licenses](/microsoft-365/admin/add-users/add-users)||✔️|✔️| +|Remove unnecessary user accounts (and corresponding licenses) from Office 365 (if you don't have an on-premises AD DS infrastructure).
                                For more information about how to:
                              • Remove unnecessary user accounts, see [Delete or restore users](/microsoft-365/admin/add-users/delete-a-user)
                              • Remove licenses, [Assign or remove licenses for Microsoft 365](/microsoft-365/admin/add-users/add-users).||✔️|✔️| |Add new accounts (and corresponding licenses) to Office 365 (if you don’t have an on-premises AD DS infrastructure).
                                For more information about how to:
                              • Add user accounts, see [Add users to Microsoft 365](/microsoft-365/admin/add-users/add-users) and [Add users individually or in bulk to Office 365](https://www.youtube.com/watch?v=zDs3VltTJps).
                              • Assign licenses, see [Add users to Microsoft 365](/microsoft-365/admin/add-users/add-users).||✔️|✔️| |Create or modify security groups, and manage group membership in Office 365.
                                For more information about how to:
                              • Create or modify security groups, see [Create a Microsoft 365 group](/microsoft-365/admin/create-groups/create-groups)
                              • Manage group membership, see [Manage Group membership](/microsoft-365/admin/create-groups/add-or-remove-members-from-groups).||✔️|✔️| |Create or modify Exchange Online or Microsoft Exchange Server distribution lists in Office 365.
                                For more information about how to create or modify Exchange Online or Exchange Server distribution lists in Office 365, see [Create and manage distribution groups](/exchange/recipients-in-exchange-online/manage-distribution-groups/manage-distribution-groups) and [Create, edit, or delete a security group](/microsoft-365/admin/email/create-edit-or-delete-a-security-group).||✔️|✔️| @@ -1272,7 +1272,7 @@ Table 19 lists the school and individual classroom maintenance tasks, the resour #### Summary -You have now identified the tasks you need to perform monthly, at the end of an academic year or semester, and as required. Your district and individual school configuration should match the typical school configuration you saw in the [Plan a typical district configuration](#plan-a-typical-district-configuration) section. By performing these maintenance tasks, you help ensure that your district as a whole stays secure and is configured as you specified. +You've now identified the tasks you need to perform monthly, at the end of an academic year or semester, and as required. Your district and individual school configuration should match the typical school configuration you saw in the [Plan a typical district configuration](#plan-a-typical-district-configuration) section. By performing these maintenance tasks, you help ensure that your district as a whole stays secure and is configured as you specified. ## Related topics From 5a409e96f7f4e0ca26dc4af2d6a0c770f83e0148 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Wed, 9 Feb 2022 20:12:51 +0530 Subject: [PATCH 32/68] Acrolinx score enhancement --- .../windows/deploy-windows-10-in-a-school.md | 148 +++++++++--------- .../windows/edu-deployment-recommendations.md | 20 +-- .../education-scenarios-store-for-business.md | 4 +- education/windows/s-mode-switch-to-edu.md | 4 +- .../set-up-school-pcs-azure-ad-join.md | 8 +- .../set-up-school-pcs-provisioning-package.md | 28 ++-- .../set-up-students-pcs-to-join-domain.md | 6 +- .../windows/set-up-students-pcs-with-apps.md | 2 +- .../windows/take-a-test-app-technical.md | 18 +-- education/windows/take-a-test-multiple-pcs.md | 22 +-- education/windows/teacher-get-minecraft.md | 14 +- education/windows/test-windows10s-for-edu.md | 54 +++---- ...indows-editions-for-education-customers.md | 8 +- 13 files changed, 168 insertions(+), 168 deletions(-) diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md index c0e52a36d6..e5d5bbf665 100644 --- a/education/windows/deploy-windows-10-in-a-school.md +++ b/education/windows/deploy-windows-10-in-a-school.md @@ -20,11 +20,11 @@ manager: dansimp - Windows 10 -This guide shows you how to deploy the Windows 10 operating system in a school environment. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Intune and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you will perform after initial deployment and the automated tools and built-in features of the operating system. +This guide shows you how to deploy the Windows 10 operating system in a school environment. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Intune and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you'll perform after initial deployment and the automated tools and built-in features of the operating system. ## Prepare for school deployment -Proper preparation is essential for a successful school deployment. To avoid common mistakes, your first step is to plan a typical school configuration. As with building a house, you need a blueprint for what your school should look like when it’s finished. The second step in preparation is to learn how you will configure your school. Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your school. +Proper preparation is essential for a successful school deployment. To avoid common mistakes, your first step is to plan a typical school configuration. As with building a house, you need a blueprint for what your school should look like when it’s finished. The second step in preparation is to learn how you'll configure your school. Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your school. ### Plan a typical school configuration @@ -58,7 +58,7 @@ This school configuration has the following characteristics: > In this guide, all references to MDT refer to the 64-bit version of MDT 2013 Update 2. - The devices use Azure AD in Office 365 Education for identity management. -- If you have on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](/azure/active-directory/hybrid/whatis-hybrid-identity). +- If you've on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](/azure/active-directory/hybrid/whatis-hybrid-identity). - Use [Intune](/mem/intune/), [Set up Basic Mobility and Security](/microsoft-365/admin/basic-mobility-security/set-up), or Group Policy in AD DS to manage devices. - Each device supports a one-student-per-device or multiple-students-per-device scenario. - The devices can be a mixture of different make, model, and processor architecture (32 bit or 64 bit) or be identical. @@ -86,15 +86,15 @@ For more information about Office 365 Education features and a FAQ, go to [Offic ## How to configure a school -Now that you have the plan (blueprint) for your classroom, you’re ready to learn about the tools you will use to deploy it. There are many tools you could use to accomplish the task, but this guide focuses on using those tools that require the least infrastructure and technical knowledge. +Now that you've the plan (blueprint) for your classroom, you’re ready to learn about the tools you'll use to deploy it. There are many tools you could use to accomplish the task, but this guide focuses on using those tools that require the least infrastructure and technical knowledge. -The primary tool you will use to deploy Windows 10 in your school is MDT, which uses Windows ADK components to make deployment easier. You could just use the Windows ADK to perform your deployment, but MDT simplifies the process by providing an intuitive, wizard-driven user interface (UI). +The primary tool you'll use to deploy Windows 10 in your school is MDT, which uses Windows ADK components to make deployment easier. You could just use the Windows ADK to perform your deployment, but MDT simplifies the process by providing an intuitive, wizard-driven user interface (UI). You can use MDT as a stand-alone tool or integrate it with Microsoft Endpoint Configuration Manager. As a stand-alone tool, MDT performs Lite Touch Installation (LTI) deployments—deployments that require minimal infrastructure and allow you to control the level of automation. When integrated with Configuration Manager, MDT performs Zero Touch Installation (ZTI) deployments, which require more infrastructure (such as Configuration Manager) but result in fully automated deployments. MDT includes the Deployment Workbench—a console from which you can manage the deployment of Windows 10 and your apps. You configure the deployment process in the Deployment Workbench, including the management of operating systems, device drivers, apps, and migration of user settings on existing devices. -LTI performs deployment from a *deployment share*—a network-shared folder on the device where you installed MDT. You can perform over-the-network deployments from the deployment share or perform deployments from a local copy of the deployment share on a USB drive or DVD. You will learn more about MDT in the [Prepare the admin device](#prepare-the-admin-device) section. +LTI performs deployment from a *deployment share*—a network-shared folder on the device where you installed MDT. You can perform over-the-network deployments from the deployment share or perform deployments from a local copy of the deployment share on a USB drive or DVD. You'll learn more about MDT in the [Prepare the admin device](#prepare-the-admin-device) section. The focus of MDT is deployment, so you also need tools that help you manage your Windows 10 devices and apps. You can manage Windows 10 devices and apps with [Microsoft Endpoint Manager](/mem/), the Compliance Management feature in Office 365, or Group Policy in AD DS. You can use any combination of these tools based on your school requirements. @@ -102,13 +102,13 @@ The configuration process requires the following devices: - **Admin device.** This is the device you use for your day-to-day job functions. It’s also the one you use to create and manage the Windows 10 and app deployment process. You install the Windows ADK and MDT on this device. - **Faculty devices.** These are the devices that the teachers and other faculty use for their day-to-day job functions. You use the admin device to deploy (or upgrade) Windows 10 and apps to these devices. -- **Student devices.** The students will use these devices. You will use the admin device deploy (or upgrade) Windows 10 and apps to them. +- **Student devices.** The students will use these devices. You'll use the admin device deploy (or upgrade) Windows 10 and apps to them. The high-level process for deploying and configuring devices within individual classrooms and the school as a whole is as follows and illustrated in Figure 3: 1. Prepare the admin device for use, which includes installing the Windows ADK and MDT. -2. On the admin device, create and configure the Office 365 Education subscription that you will use for each classroom in the school. -3. On the admin device, configure integration between on-premises AD DS and Azure AD (if you have an on premises AD DS configuration). +2. On the admin device, create and configure the Office 365 Education subscription that you'll use for each classroom in the school. +3. On the admin device, configure integration between on-premises AD DS and Azure AD (if you've an on premises AD DS configuration). 4. On the admin device, create and configure a Microsoft Store for Business portal. 5. On the admin device, prepare for management of the Windows 10 devices after deployment. 6. On the student and faculty devices, deploy Windows 10 to new or existing devices, or upgrade eligible devices to Windows 10. @@ -161,7 +161,7 @@ For more information about how to create a deployment share, see [Step 3-1: Crea ### Summary -In this section, you installed the Windows ADK and MDT on the admin device. You also created the MDT deployment share that you will configure and use later in the LTI deployment process. +In this section, you installed the Windows ADK and MDT on the admin device. You also created the MDT deployment share that you'll configure and use later in the LTI deployment process. ## Create and configure Office 365 @@ -182,8 +182,8 @@ Complete the following steps to select the appropriate Office 365 Education lice --- | Plan | Advantages | Disadvantages | | --- | --- | --- | -| Standard | - Less expensive than Microsoft 365 Apps for enterprise
                                - Can be run from any device
                                - No installation necessary | - Must have an Internet connection to use it
                                - Does not support all the features found in Microsoft 365 Apps for enterprise | -| Office ProPlus | - Only requires an Internet connection every 30 days (for activation)
                                - Supports full set of Office features | - Requires installation
                                - Can be installed on only five devices per user (there is no limit to the number of devices on which you can run Office apps online) | +| Standard | - Less expensive than Microsoft 365 Apps for enterprise
                                - Can be run from any device
                                - No installation necessary | - Must have an Internet connection to use it
                                - Doesn't support all the features found in Microsoft 365 Apps for enterprise | +| Office ProPlus | - Only requires an Internet connection every 30 days (for activation)
                                - Supports full set of Office features | - Requires installation
                                - Can be installed on only five devices per user (there's no limit to the number of devices on which you can run Office apps online) | --- @@ -207,7 +207,7 @@ The best user experience is to run Microsoft 365 Apps for enterprise or use nati --- -You will use the Office 365 Education license plan information you record in Table 2 in the [Create user accounts in Office 365](#create-user-accounts-in-office-365) section of this guide. +You'll use the Office 365 Education license plan information you record in Table 2 in the [Create user accounts in Office 365](#create-user-accounts-in-office-365) section of this guide. ### Create a new Office 365 Education subscription @@ -220,20 +220,20 @@ To create a new Office 365 Education subscription for use in the classroom, use 1. In Microsoft Edge or Internet Explorer, type `https://portal.office.com/start?sku=faculty` in the address bar. - If you have already used your current sign-in account to create a new Office 365 subscription, you will be prompted to sign in. If you want to create a new Office 365 subscription, start an In-Private Window. Your options: + If you've already used your current sign-in account to create a new Office 365 subscription, you'll be prompted to sign in. If you want to create a new Office 365 subscription, start an In-Private Window. Your options: - In Microsoft Edge, select Ctrl+Shift+N. Or, select **More actions** > **New InPrivate window**. - In Internet Explorer, select Ctrl+Shift+P. Or, select **Settings** > **Safety** > **InPrivate Browsing**. -2. On the **Get started** page, type your school email address in the **Enter your school email address** box, and then click **Sign up**. You will receive an email in your school email account. +2. On the **Get started** page, type your school email address in the **Enter your school email address** box, and then click **Sign up**. You'll receive an email in your school email account. 3. Click the hyperlink in the email in your school email account. -4. On the **One last thing** page, complete your user information, and then click **Start**. The wizard creates your new Office 365 Education subscription, and you are automatically signed in as the administrative user you specified when you created the subscription. +4. On the **One last thing** page, complete your user information, and then click **Start**. The wizard creates your new Office 365 Education subscription, and you're automatically signed in as the administrative user you specified when you created the subscription. ### Add domains and subdomains -Now that you have created your new Office 365 Education subscription, add the domains and subdomains that your institution uses. For example, if your institution has `contoso.edu` as the primary domain name but you have subdomains for students or faculty (such as students.contoso.edu and faculty.contoso.edu), then you need to add the subdomains. +Now that you've created your new Office 365 Education subscription, add the domains and subdomains that your institution uses. For example, if your institution has `contoso.edu` as the primary domain name but you've subdomains for students or faculty (such as students.contoso.edu and faculty.contoso.edu), then you need to add the subdomains. -#### To add additional domains and subdomains +#### To add more domains and subdomains 1. In the admin center, in the list view, click **DOMAINS**. 2. In the details pane, above the list of domains, on the menu bar, click **Add domain**. @@ -252,12 +252,12 @@ To make it easier for faculty and students to join your Office 365 Education sub Office 365 uses the domain portion of the user’s email address to know which Office 365 tenant to join. For example, if a faculty member or student provides an email address of user@contoso.edu, then Office 365 automatically performs one of the following tasks: - If an Office 365 tenant with that domain name (contoso.edu) exists, Office 365 automatically adds the user to that tenant. -- If an Office 365 tenant with that domain name (contoso.edu) does not exists, Office 365 automatically creates a new Office 365 tenant with that domain name and adds the user to it. +- If an Office 365 tenant with that domain name (contoso.edu) doesn't exists, Office 365 automatically creates a new Office 365 tenant with that domain name and adds the user to it. -You will always want faculty and students to join the Office 365 tenant that you created. Ensure that you perform the steps in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) and [Add domains and subdomains](#add-domains-and-subdomains) sections before allowing other faculty and students to join Office 365. +You'll always want faculty and students to join the Office 365 tenant that you created. Ensure that you perform the steps in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) and [Add domains and subdomains](#add-domains-and-subdomains) sections before allowing other faculty and students to join Office 365. > [!NOTE] -> You cannot merge multiple tenants, so any faculty or students who create their own tenant will need to abandon their existing tenant and join yours. +> You can't merge multiple tenants, so any faculty or students who create their own tenant will need to abandon their existing tenant and join yours. All new Office 365 Education subscriptions have automatic tenant join enabled by default, but you can enable or disable automatic tenant join by using the Windows PowerShell commands in Table 3. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](/microsoft-365/education/deploy/office-365-education-self-sign-up#how-can-i-prevent-students-from-joining-my-existing-office-365-tenant). @@ -276,7 +276,7 @@ All new Office 365 Education subscriptions have automatic tenant join enabled by ### Disable automatic licensing -To reduce your administrative effort, automatically assign Office 365 Education or Office 365 Education Plus licenses to faculty and students when they sign up (automatic licensing). Automatic licensing also enables Office 365 Education or Office 365 Education Plus features that do not require administrative approval. +To reduce your administrative effort, automatically assign Office 365 Education or Office 365 Education Plus licenses to faculty and students when they sign up (automatic licensing). Automatic licensing also enables Office 365 Education or Office 365 Education Plus features that don't require administrative approval. > [!NOTE] > By default, automatic licensing is enabled in Office 365 Education. If you want to use automatic licensing, then skip this section and go to the next section. @@ -299,7 +299,7 @@ When you create your Office 365 subscription, you create an Office 365 tenant th Educational institutions can obtain Azure AD Basic edition licenses at no cost. After you obtain your licenses, activate your Azure AD access by completing the steps in [Step 3: Activate your Azure Active Directory access](/azure/active-directory/fundamentals/active-directory-get-started-premium#step-3-activate-your-azure-active-directory-access). -The Azure AD Premium features that are not in Azure AD Basic include: +The Azure AD Premium features that aren't in Azure AD Basic include: - Allow designated users to manage group membership - Dynamic group membership based on user metadata @@ -313,7 +313,7 @@ The Azure AD Premium features that are not in Azure AD Basic include: You can assign Azure AD Premium licenses to the users who need these features. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Azure AD Premium to only those users. -You can sign up for Azure AD Premium, and then assign licenses to users. In this section, you sign up for Azure AD Premium. You will assign Azure AD Premium licenses to users later in the deployment process. +You can sign up for Azure AD Premium, and then assign licenses to users. In this section, you sign up for Azure AD Premium. You'll assign Azure AD Premium licenses to users later in the deployment process. For more information, see: @@ -321,19 +321,19 @@ For more information, see: - [Sign up for Azure Active Directory Premium](/azure/active-directory/fundamentals/active-directory-get-started-premium) ### Summary -You provision and initially configure Office 365 Education as part of the initial configuration. With the subscription in place, automatic tenant join configured, automatic licensing established, and Azure AD Premium enabled (if required), you’re ready to select the method you will use to create user accounts in Office 365. +You provision and initially configure Office 365 Education as part of the initial configuration. With the subscription in place, automatic tenant join configured, automatic licensing established, and Azure AD Premium enabled (if necessary), you’re ready to select the method you'll use to create user accounts in Office 365. ## Select an Office 365 user account–creation method -Now that you have an Office 365 subscription, you need to determine how you will create your Office 365 user accounts. Use the following methods to create Office 365 user accounts: +Now that you've an Office 365 subscription, you need to determine how you'll create your Office 365 user accounts. Use the following methods to create Office 365 user accounts: -- **Method 1:** Automatically synchronize your on-premises AD DS domain with Azure AD. Select this method if you have an on-premises AD DS domain. +- **Method 1:** Automatically synchronize your on-premises AD DS domain with Azure AD. Select this method if you've an on-premises AD DS domain. - **Method 2:** Bulk-import the user accounts from a .csv file (based on information from other sources) into Azure AD. Select this method if you don’t have an on-premises AD DS domain. ### Method 1: Automatic synchronization between AD DS and Azure AD -In this method, you have an on-premises AD DS domain. As shown in Figure 4, the Azure AD Connector tool automatically synchronizes AD DS with Azure AD. When you add or change any user accounts in AD DS, the Azure AD Connector tool automatically updates Azure AD. +In this method, you've an on-premises AD DS domain. As shown in Figure 4, the Azure AD Connector tool automatically synchronizes AD DS with Azure AD. When you add or change any user accounts in AD DS, the Azure AD Connector tool automatically updates Azure AD. > [!NOTE] > Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [LDAP synchronization with Azure Active Directory](/azure/active-directory/fundamentals/sync-ldap). @@ -346,7 +346,7 @@ For more information about how to perform this step, see the [Integrate on-premi ### Method 2: Bulk import into Azure AD from a .csv file -In this method, you have no on-premises AD DS domain. As shown in Figure 5, you manually prepare a `.csv` file with the student information from your source, and then manually import the information directly into Azure AD. The `.csv` file must be in the format that Office 365 specifies. +In this method, you've no on-premises AD DS domain. As shown in Figure 5, you manually prepare a `.csv` file with the student information from your source, and then manually import the information directly into Azure AD. The `.csv` file must be in the format that Office 365 specifies. :::image type="content" source="images/deploy-win-10-school-figure5.png" alt-text="Create a csv file with student information, and import the csv file into Azure AD."::: @@ -366,7 +366,7 @@ In this section, you selected the method for creating user accounts in your Offi You can integrate your on-premises AD DS domain with Azure AD to provide identity management for your Office 365 tenant. With this integration, you can synchronize the users, security groups, and distribution lists in your AD DS domain with Azure AD with the Azure AD Connect tool. Users will be able to sign in to Office 365 automatically by using their email account and the same password they use to sign in to AD DS. > [!NOTE] -> If your institution does not have an on-premises AD DS domain, you can skip this section. +> If your institution doesn't have an on-premises AD DS domain, you can skip this section. ### Select synchronization model @@ -374,13 +374,13 @@ Before you deploy AD DS and Azure AD synchronization, you need to determine wher You can deploy the Azure AD Connect tool by using one of the following methods: -- **On premises**: As shown in Figure 6, Azure AD Connect runs on premises, which has the advantage of not requiring a virtual private network (VPN) connection to Azure. It does, however, require a virtual machine (VM) or physical server. +- **On premises**: As shown in Figure 6, Azure AD Connect runs on premises, which have the advantage of not requiring a virtual private network (VPN) connection to Azure. It does, however, require a virtual machine (VM) or physical server. :::image type="content" source="images/deploy-win-10-school-figure6.png" alt-text="Azure AD Connect runs on-premises and uses a virtual machine."::: *Figure 6. Azure AD Connect on premises* -- **In Azure**: As shown in Figure 7, Azure AD Connect runs on a VM in Azure AD, which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises. +- **In Azure**: As shown in Figure 7, Azure AD Connect runs on a VM in Azure AD which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises. :::image type="content" source="images/deploy-win-10-school-figure7.png" alt-text="Azure AD Connect runs on a VM in Azure AD, and uses a VPN gateway on-premises."::: @@ -399,7 +399,7 @@ In this synchronization model (illustrated in Figure 6), you run Azure AD Connec 3. Install Azure AD Connect by performing the steps in [Install Azure AD Connect](/azure/active-directory/hybrid/how-to-connect-install-select-installation). 4. Configure Azure AD Connect features based on your institution’s requirements. For more information, see [Azure AD Connect sync: Understand and customize synchronization](/azure/active-directory/hybrid/how-to-connect-sync-whatis). -Now that you have used on premises Azure AD Connect to deploy AD DS and Azure AD synchronization, you’re ready to verify that Azure AD Connect is synchronizing AD DS user and group accounts with Azure AD. +Now that you've used on premises Azure AD Connect to deploy AD DS and Azure AD synchronization, you’re ready to verify that Azure AD Connect is synchronizing AD DS user and group accounts with Azure AD. ### Verify synchronization @@ -417,7 +417,7 @@ Azure AD Connect should start synchronization immediately. Depending on the numb 8. The list of security group members should mirror the group membership for the corresponding security group in AD DS. 9. Close the browser. -Now that you have verified Azure AD Connect synchronization, you’re ready to assign user licenses for Azure AD Premium. +Now that you've verified Azure AD Connect synchronization, you’re ready to assign user licenses for Azure AD Premium. ### Summary @@ -447,7 +447,7 @@ Several methods are available to bulk-import user accounts into AD DS domains. T ### Create a source file that contains the user and group accounts -After you have selected your user and group account bulk import method, you’re ready to create the source file that contains the user and group account. You’ll use the source file as the input to the import process. The source file format depends on the method you selected. Table 6 lists the source file format for the bulk import methods. +After you've selected your user and group account bulk import method, you’re ready to create the source file that contains the user and group account. You’ll use the source file as the input to the import process. The source file format depends on the method you selected. Table 6 lists the source file format for the bulk import methods. *Table 6. Source file format for each bulk import method* @@ -475,7 +475,7 @@ For more information about how to import user accounts into AD DS by using: ### Summary -In this section, you selected the bulk-import method, created the source file that contains the user and group accounts, and imported the user and group accounts in to AD DS. If you have Azure AD Connect, it automatically synchronizes the new AD DS user and group accounts to Azure AD. Now, you’re ready to assign user licenses for Azure AD Premium in the [Assign user licenses for Azure AD Premium](#assign-user-licenses-for-azure-ad-premium) section later in this guide. +In this section, you selected the bulk-import method, created the source file that contains the user and group accounts, and imported the user and group accounts in to AD DS. If you've Azure AD Connect, it automatically synchronizes the new AD DS user and group accounts to Azure AD. Now, you’re ready to assign user licenses for Azure AD Premium in the [Assign user licenses for Azure AD Premium](#assign-user-licenses-for-azure-ad-premium) section later in this guide. ## Bulk-import user accounts into Office 365 @@ -483,9 +483,9 @@ You can bulk-import user and group accounts directly into Office 365, reducing t ### Create user accounts in Office 365 -Now that you have created your new Office 365 Education subscription, you need to create user accounts. You can add user accounts for the teachers, other faculty, and students who will use the classroom. +Now that you've created your new Office 365 Education subscription, you need to create user accounts. You can add user accounts for the teachers, other faculty, and students who will use the classroom. -You can use the Microsoft 365 admin center to add individual Office 365 accounts manually—a reasonable process when you’re adding only a few users. If you have many users, however, you can automate the process by creating a list of those users, and then use that list to create user accounts (that is, bulk-add users). +You can use the Microsoft 365 admin center to add individual Office 365 accounts manually—a reasonable process when you’re adding only a few users. If you've many users, however, you can automate the process by creating a list of those users, and then use that list to create user accounts (that is, bulk-add users). The bulk-add process assigns the same Office 365 Education license plan to all users on the list. Therefore, you must create a separate list for each license plan you recorded in Table 2. Depending on the number of faculty members who need to use the classroom, you may want to add the faculty Office 365 accounts manually; however, use the bulk-add process to add student accounts. @@ -517,13 +517,13 @@ Microsoft Exchange Online uses an email distribution group as a single email rec You can create email distribution groups based on job role (such as teachers, administration, or students) or specific interests (such as robotics, drama club, or soccer team). You can create any number of distribution groups, and users can be members of more than one group. > [!NOTE] -> Office 365 can take some time to complete the Exchange Online creation process. You will have to wait until Office 365 completes the Exchange Online creation process before you can perform the following steps. +> Office 365 can take some time to complete the Exchange Online creation process. You'll have to wait until Office 365 completes the Exchange Online creation process before you can perform the following steps. For information about how to create security groups, see [Create a group in the Microsoft 365 admin center](/microsoft-365/admin/create-groups/create-groups). ### Summary -Now, you have bulk-imported the user accounts into Office 365. First, you selected the bulk-import method. Next, you created the Office 365 security groups in Office 365. Finally, you created the Office 365 email distribution groups. Now, you’re ready to assign user licenses for Azure AD Premium. +Now, you've bulk-imported the user accounts into Office 365. First, you selected the bulk-import method. Next, you created the Office 365 security groups in Office 365. Finally, you created the Office 365 email distribution groups. Now, you’re ready to assign user licenses for Azure AD Premium. ## Assign user licenses for Azure AD Premium @@ -572,17 +572,17 @@ After you create the Microsoft Store for Business portal, configure it by using |---|---| | Account information | Displays information about your Microsoft Store for Business account (no settings can be changed). You make changes to this information in Office 365 or the Azure portal. For more information, see [Update Microsoft Store for Business account settings](/microsoft-store/update-microsoft-store-for-business-account-settings).| | Device Guard signing | Allows you to upload and sign Device Guard catalog and policy files. For more information about Device Guard, see [Device Guard deployment guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide). | -| LOB publishers | Allows you to add line-of-business (LOB) publishers that can then publish apps to your private store. LOB publishers are usually internal developers or software vendors that are working with your institution. For more information, see [Working with line-of-business apps](/microsoft-store/working-with-line-of-business-apps). | +| LOB publishers | Allows you to add line-of-business (LOB) publishers that can then publish apps to your private store. LOB publishers are internal developers or software vendors that are working with your institution. For more information, see [Working with line-of-business apps](/microsoft-store/working-with-line-of-business-apps). | | Management tools | Allows you to add tools that you can use to distribute (deploy) apps in your private store. For more information, see [Distribute apps with a management tool](/microsoft-store/distribute-apps-with-management-tool). | | Offline licensing | Allows you to show (or not show) offline licensed apps to people shopping in your private store. For more information, see [Licensing model: online and offline licenses](/microsoft-store/apps-in-microsoft-store-for-business#licensing-model). | -| Permissions | Allows you to grant other users in your organization the ability to buy, manage, and administer your Microsoft Store for Business portal. You can also remove permissions you have previously granted. For more information, see [Roles and permissions in Microsoft Store for Business](/microsoft-store/roles-and-permissions-microsoft-store-for-business). | +| Permissions | Allows you to grant other users in your organization the ability to buy, manage, and administer your Microsoft Store for Business portal. You can also remove permissions you've previously granted. For more information, see [Roles and permissions in Microsoft Store for Business](/microsoft-store/roles-and-permissions-microsoft-store-for-business). | | Private store | Allows you to change the organization name used in your Microsoft Store for Business portal. When you create your portal, the private store uses the organization name that you used to create your Office 365 subscription. For more information, see [Distribute apps using your private store](/microsoft-store/distribute-apps-from-your-private-store). | --- ### Find, acquire, and distribute apps in the portal -Now that you have created your Microsoft Store for Business portal, you’re ready to find, acquire, and distribute apps that you will add to your portal. You do this by using the Inventory page in Microsoft Store for Business. +Now that you've created your Microsoft Store for Business portal, you’re ready to find, acquire, and distribute apps that you'll add to your portal. You do this task by using the Inventory page in Microsoft Store for Business. > [!NOTE] > Your educational institution can now use a credit card to pay for apps in Microsoft Store for Business. @@ -593,18 +593,18 @@ For more information about how to find, acquire, and distribute apps in the port ### Summary -At the end of this section, you should have a properly configured Microsoft Store for Business portal. You have also found and acquired your apps from Microsoft Store. Finally, you should have deployed all your Microsoft Store apps to your users. Now, you’re ready to deploy Microsoft Store apps to your users. +At the end of this section, you should have a properly configured Microsoft Store for Business portal. You've also found and acquired your apps from Microsoft Store. Finally, you should have deployed all your Microsoft Store apps to your users. Now, you’re ready to deploy Microsoft Store apps to your users. ## Plan for deployment -You will use the LTI deployment process in MDT to deploy Windows 10 to devices or to upgrade devices to Windows 10. Prior to preparing for deployment, you must make some deployment planning decisions, including selecting the operating systems you will use, the approach you will use to create your Windows 10 images, and the method you will use to initiate the LTI deployment process. +You'll use the LTI deployment process in MDT to deploy Windows 10 to devices or to upgrade devices to Windows 10. Prior to preparing for deployment, you must make some deployment planning decisions, including selecting the operating systems you'll use, the approach you'll use to create your Windows 10 images, and the method you'll use to initiate the LTI deployment process. ### Select the operating systems -Later in the process, you will import the versions of Windows 10 you want to deploy. You can deploy the operating system to new devices, refresh existing devices, or upgrade existing devices. If: +Later in the process, you'll import the versions of Windows 10 you want to deploy. You can deploy the operating system to new devices, refresh existing devices, or upgrade existing devices. If: -- New devices or refreshing existing devices, you will complete replace the existing operating system on a device with Windows 10. -- Upgrading existing devices, you will upgrade the existing operating system (the Windows 8.1 or Windows 7 operating system) to Windows 10. +- New devices or refreshing existing devices, you'll complete replace the existing operating system on a device with Windows 10. +- Upgrading existing devices, you'll upgrade the existing operating system (the Windows 8.1 or Windows 7 operating system) to Windows 10. Depending on your school’s requirements, you may need any combination of the following Windows 10 editions: @@ -618,14 +618,14 @@ Depending on your school’s requirements, you may need any combination of the f - **Windows 10 Pro Education**. Use this operating system to upgrade existing eligible institution-owned devices running Windows 10 Pro Education, version 1903 or later, to Windows 10 Education using [subscription activation](/windows/deployment/windows-10-subscription-activation). > [!NOTE] -> Although you can use Windows 10 Home on institution-owned devices, Microsoft recommends that you use Windows 10 Pro or Windows 10 Education, instead. Windows 10 Pro and Windows 10 Education provide support for MDM, policy-based management, and Microsoft Store for Business. These features are not available in Windows 10 Home. +> Although you can use Windows 10 Home on institution-owned devices, Microsoft recommends that you use Windows 10 Pro or Windows 10 Education, instead. Windows 10 Pro and Windows 10 Education provide support for MDM, policy-based management, and Microsoft Store for Business. These features aren't available in Windows 10 Home. -One other consideration is the mix of processor architectures you will support. If you can, support only 64-bit versions of Windows 10. If you have devices that can run only 32-bit versions of Windows 10, you will need to import both 64-bit and 32-bit versions of the Windows 10 editions listed above. +One other consideration is the mix of processor architectures you'll support. If you can, support only 64-bit versions of Windows 10. If you've devices that can run only 32-bit versions of Windows 10, you'll need to import both 64-bit and 32-bit versions of the Windows 10 editions listed above. > [!NOTE] > On devices that have minimal system resources (such as devices with only 2 GB of memory or 32 GB of storage), use 32-bit versions of Windows 10 because 64-bit versions of Windows 10 place more stress on device system resources. -Finally, as a best practice, minimize the number of operating systems that you deploy and manage. If possible, standardize institution-owned devices on one Windows 10 edition (such as a 64-bit version of Windows 10 Education or Windows 10 Pro). You cannot standardize personal devices on a specific operating system version or processor architecture. +Finally, as a best practice, minimize the number of operating systems that you deploy and manage. If possible, standardize institution-owned devices on one Windows 10 edition (such as a 64-bit version of Windows 10 Education or Windows 10 Pro). You can't standardize personal devices on a specific operating system version or processor architecture. ### Select an image approach @@ -645,7 +645,7 @@ The MDT deployment process is highly automated, requiring minimal information to | Method | Description and reason to select this method | | --- | --- | | **Windows Deployment Services** | This method:

                                - Uses diskless booting to initiate MDT deployment
                                - Works only with devices that support PXE boot.
                                - Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
                                -Deploys images more slowly than when using local media.
                                - Requires that you deploy a Windows Deployment Services server.

                                Select this method when you want to deploy Windows over-the-network and perform diskless booting. The advantage of this method is that the diskless media are generic and typically don’t require updates after you create them (the Deployment Wizard accesses the centrally located deployment share over the network). The disadvantage of this method is that over-the-network deployments are slower than deployments from local media, and you must deploy a Windows Deployment Services server. | -| **Bootable media** | This method:

                                - Initiates MDT deployment by booting from local media, including from USB drives, DVD-ROM, or CD-ROM.
                                - Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
                                - Deploys images more slowly than when using local media.
                                - Requires no additional infrastructure.

                                Select this method when you want to deploy Windows over-the-network and are willing to boot the target device from local media. The advantage of this method is that the media are generic and typically don’t require updates after you create them (the Deployment Wizard accesses the centrally located deployment share over the network). The disadvantage of this method is that over-the-network deployments are slower than deployment from local media. | +| **Bootable media** | This method:

                                - Initiates MDT deployment by booting from local media, including from USB drives, DVD-ROM, or CD-ROM.
                                - Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
                                - Deploys images more slowly than when using local media.
                                - Requires no extra infrastructure.

                                Select this method when you want to deploy Windows over-the-network and are willing to boot the target device from local media. The advantage of this method is that the media are generic and typically don’t require updates after you create them (the Deployment Wizard accesses the centrally located deployment share over the network). The disadvantage of this method is that over-the-network deployments are slower than deployment from local media. | | **MDT deployment media** | This method:

                                - Initiates MDT deployment by booting from a local USB hard disk.
                                - Deploys Windows 10 from local media, which consumes less network bandwidth than over-the-network methods.
                                - Deploys images more quickly than network-based methods do.
                                - Requires a USB hard disk because of the deployment share’s storage requirements (up to 100 GB).

                                Select this method when you want to perform local deployments and are willing to boot the target device from a local USB hard disk. The advantage of this method is that local deployments are faster than over-the-network deployments. The disadvantage of this method is that each time you change the deployment share, you must regenerate the MDT deployment media and update the USB hard disk. | --- @@ -668,10 +668,10 @@ The first step in preparation for Windows 10 deployment is to configure—that i | Task | Description | | --- | --- | | **1. Import operating systems** | Import the operating systems that you selected in the [Select operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import an Operating System into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportanOperatingSystemintotheDeploymentWorkbench). | -| **2. Import device drives** | Device drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat.

                                Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench). | -| **3. Create MDT applications for Microsoft Store apps** | Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using sideloading, which allows you to use the Add-AppxPackage Windows PowerShell cmdlet to deploy the .appx files associated with the app (called provisioned apps). Use this method to deploy up to 24 apps to Windows 10.

                                Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you will use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you will need to obtain the .appx files from the app software vendor directly. If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.

                                If you have Intune, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.

                                In addition, you must prepare your environment for sideloading (deploying) Microsoft Store apps. For more information about how to:

                                - Prepare your environment for sideloading, see [Sideload LOB apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10).
                                - Create an MDT application, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench). | -| **4. Create MDT applications for Windows desktop apps** | You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.

                                To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in [Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](/deployoffice/deploy-microsoft-365-apps-local-source?f=255&MSPPError=-2147217396).

                                If you have Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This is the preferred method for deploying and managing Windows desktop apps.

                                You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section.

                                For more information about how to create an MDT application for Windows desktop apps, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench). | -| **5. Create task sequences.** | You must create a separate task sequence for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in Step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education; (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education; or (3) if you want to run deployments and upgrades for both 32 bit and 64-bit versions of Windows 10. To do so, you must create task sequences that will:

                                - Deploy Windows 10 Education 64-bit to devices.
                                - Deploy Windows 10 Education 32-bit to devices.
                                - Upgrade existing devices to Windows 10 Education 64-bit.
                                - Upgrade existing devices to Windows 10 Education 32-bit.

                                Again, you will create the task sequences based on the operating systems that you imported in Step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewTaskSequenceintheDeploymentWorkbench). | +| **2. Import device drives** | Device drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device can't play sounds; without the proper camera driver, the device can't take photos or use video chat.

                                Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench). | +| **3. Create MDT applications for Microsoft Store apps** | Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using sideloading, which allows you to use the Add-AppxPackage Windows PowerShell cmdlet to deploy the .appx files associated with the app (called provisioned apps). Use this method to deploy up to 24 apps to Windows 10.

                                Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you'll use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you'll need to obtain the .appx files from the app software vendor directly. If you're unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.

                                If you've Intune, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This method is the preferred one for deploying and managing Microsoft Store apps.

                                In addition, you must prepare your environment for sideloading (deploying) Microsoft Store apps. For more information about how to:

                                - Prepare your environment for sideloading, see [Sideload LOB apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10).
                                - Create an MDT application, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench). | +| **4. Create MDT applications for Windows desktop apps** | You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you've sufficient licenses for them.

                                To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in [Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](/deployoffice/deploy-microsoft-365-apps-local-source?f=255&MSPPError=-2147217396).

                                If you've Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This method is the preferred one for deploying and managing Windows desktop apps.

                                You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section.

                                For more information about how to create an MDT application for Windows desktop apps, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench). | +| **5. Create task sequences.** | You must create a separate task sequence for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in Step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education; (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education; or (3) if you want to run deployments and upgrades for both 32 bit and 64-bit versions of Windows 10. To do so, you must create task sequences that will:

                                - Deploy Windows 10 Education 64-bit to devices.
                                - Deploy Windows 10 Education 32-bit to devices.
                                - Upgrade existing devices to Windows 10 Education 64-bit.
                                - Upgrade existing devices to Windows 10 Education 32-bit.

                                Again, you'll create the task sequences based on the operating systems that you imported in Step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewTaskSequenceintheDeploymentWorkbench). | | **6. Update the deployment share.** | Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32 bit and 64-bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services.

                                For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#UpdateaDeploymentShareintheDeploymentWorkbench).| --- @@ -692,19 +692,19 @@ You can use Windows Deployment Services with MDT to automatically initiate boot 2. Add LTI boot images (Windows PE images) to Windows Deployment Services. - The LTI boot images (.wim files) that you will add to Windows Deployment Services are in the MDT deployment share. Locate the .wim files in the Boot subfolder in the deployment share. For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](/mem/configmgr/mdt/use-the-mdt#AddLTIBootImagestoWindowsDeploymentServices). + The LTI boot images (.wim files) that you'll add to Windows Deployment Services are in the MDT deployment share. Locate the .wim files in the Boot subfolder in the deployment share. For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](/mem/configmgr/mdt/use-the-mdt#AddLTIBootImagestoWindowsDeploymentServices). ### Summary -Now, Windows Deployment Services is ready to initiate the LTI deployment process in MDT. You have set up and configured Windows Deployment Services and added the LTI boot images, which you generated in the previous section, to Windows Deployment Services. Now, you’re ready to prepare to manage the devices in your institution. +Now, Windows Deployment Services is ready to initiate the LTI deployment process in MDT. You've set up and configured Windows Deployment Services and added the LTI boot images, which you generated in the previous section, to Windows Deployment Services. Now, you’re ready to prepare to manage the devices in your institution. ## Prepare for device management -Before you deploy Windows 10 in your institution, you must prepare for device management. You will deploy Windows 10 in a configuration that complies with your requirements, but you want to help ensure that your deployments remain compliant. +Before you deploy Windows 10 in your institution, you must prepare for device management. You'll deploy Windows 10 in a configuration that complies with your requirements, but you want to help ensure that your deployments remain compliant. ### Select the management method -If you have only one device to configure, manually configuring that one device is tedious but possible. When you have multiple classrooms of devices to configure, however, manually configuring each device becomes overwhelming. In addition, manually keeping an identical configuration on each device is difficult as the number of devices in the school increases. +If you've only one device to configure, manually configuring that one device is tedious but possible. When you've multiple classrooms of devices to configure, however, manually configuring each device becomes overwhelming. In addition, manually keeping an identical configuration on each device is difficult as the number of devices in the school increases. For a school, there are many ways to manage devices. Table 10 lists the methods that this guide describes and recommends. Use the information in Table 10 to determine which combination of management methods is right for your institution. @@ -713,23 +713,23 @@ For a school, there are many ways to manage devices. Table 10 lists the methods --- | Method | Description | | --- | --- | -| **Group Policy** | Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows. Select this method when you:

                                - Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).
                                - Want more granular control of device and user settings.
                                - Have an existing AD DS infrastructure.
                                - Typically manage on-premises devices.
                                - Can manage a required setting only by using Group Policy.

                                The advantages of this method include:

                                - No cost beyond the AD DS infrastructure.
                                - A larger number of settings.

                                The disadvantages of this method are:

                                - Can only manage domain-joined (institution-owned devices).
                                - Requires an AD DS infrastructure (if the institution does not have AD DS already).
                                - Typically manages on-premises devices (unless devices connect by using a VPN or DirectAccess). | -| **Intune** | Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10 and other operating systems, such as iOS/iPadOS, macOS, and Android. Intune is a subscription-based cloud service that integrates with Microsoft 365 and Azure AD.

                                Select this method when you:

                                - Want to manage institution-owned and personal devices (does not require that the device be domain joined).
                                - Don’t require the level of granular control over device and user settings (compared to Group Policy).
                                - Don’t have an existing AD DS infrastructure.
                                - Need to manage devices regardless of where they are (on or off premises).
                                - Can manage a required setting only by using Intune.

                                The advantages of this method are:

                                - You can manage institution-owned and personal devices.
                                - It doesn’t require that devices be domain joined.
                                - It doesn’t require any on-premises infrastructure.
                                - It can manage devices regardless of their location (on or off premises).

                                The disadvantages of this method are:

                                - Carries an additional cost for subscription.
                                - Doesn’t have a granular level control over device and user settings (compared to Group Policy). | +| **Group Policy** | Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows. Select this method when you:

                                - Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).
                                - Want more granular control of device and user settings.
                                - Have an existing AD DS infrastructure.
                                - Typically manage on-premises devices.
                                - Can manage a required setting only by using Group Policy.

                                The advantages of this method include:

                                - No cost beyond the AD DS infrastructure.
                                - A larger number of settings.

                                The disadvantages of this method are:

                                - Can only manage domain-joined (institution-owned devices).
                                - Requires an AD DS infrastructure (if the institution doesn't have AD DS already).
                                - Typically manages on-premises devices (unless devices connect by using a VPN or DirectAccess). | +| **Intune** | Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10 and other operating systems, such as iOS/iPadOS, macOS, and Android. Intune is a subscription-based cloud service that integrates with Microsoft 365 and Azure AD.

                                Select this method when you:

                                - Want to manage institution-owned and personal devices (doesn't require that the device be domain joined).
                                - Don’t require the level of granular control over device and user settings (compared to Group Policy).
                                - Don’t have an existing AD DS infrastructure.
                                - Need to manage devices regardless of where they are (on or off premises).
                                - Can manage a required setting only by using Intune.

                                The advantages of this method are:

                                - You can manage institution-owned and personal devices.
                                - It doesn’t require that devices be domain joined.
                                - It doesn’t require any on-premises infrastructure.
                                - It can manage devices regardless of their location (on or off premises).

                                The disadvantages of this method are:

                                - Carries an extra cost for subscription.
                                - Doesn’t have a granular level control over device and user settings (compared to Group Policy). | --- ### Select Microsoft-recommended settings -Microsoft has several recommended settings for educational institutions. Table 11 lists them, provides a brief description of why you need to configure them, and recommends methods for configuring the settings. Review the settings in Table 11 and evaluate their relevancy to your institution. Use the information to help you determine whether you need to configure the setting and which method you will use to do so. At the end, you will have a list of settings that you want to apply to the Windows 10 devices and know which management method you will use to configure the settings. +Microsoft has several recommended settings for educational institutions. Table 11 lists them, provides a brief description of why you need to configure them, and recommends methods for configuring the settings. Review the settings in Table 11 and evaluate their relevancy to your institution. Use the information to help you determine whether you need to configure the setting and which method you'll use to do so. At the end, you'll have a list of settings that you want to apply to the Windows 10 devices and know which management method you'll use to configure the settings. *Table 11. Recommended settings for educational institutions* --- | Recommendation | Description | | --- | --- | -| **Use of Microsoft accounts** | You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.

                                Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.

                                **Group Policy**: Configure the [Accounts: Block Microsoft accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj966262(v=ws.11)?amp;MSPPError=-2147217396&f=255) Group Policy setting to use the Users can’t add Microsoft accounts setting option.

                                **Intune**: Enable or disable Microsoft accounts by using the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy. | +| **Use of Microsoft accounts** | You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, don't use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.

                                Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.

                                **Group Policy**: Configure the [Accounts: Block Microsoft accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj966262(v=ws.11)?amp;MSPPError=-2147217396&f=255) Group Policy setting to use the Users can’t add Microsoft accounts setting option.

                                **Intune**: Enable or disable Microsoft accounts by using the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy. | | **Restrict local administrator accounts on the devices** | Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.

                                **Group Policy**: Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the **Delete all member users** and **Delete all member groups** check boxes to remove any existing members. For more information about how to configure Local Group preferences, see [Configure a Local Group Item](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732525(v=ws.11)).

                                **Intune**: Not available | -| **Manage the built-in administrator account created during device deployment** | When you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and optionally disable it.

                                **Group Policy**: Rename the built-in Administrator account by using the **Accounts: Rename administrator account** Group Policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-essentials-sbs/cc747484(v=ws.10)). You will specify the new name for the Administrator account. You can disable the built-in Administrator account by using the **Accounts: Administrator account status** Group Policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852165(v=ws.11)).

                                **Intune**: Not available. | +| **Manage the built-in administrator account created during device deployment** | When you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and optionally disable it.

                                **Group Policy**: Rename the built-in Administrator account by using the **Accounts: Rename administrator account** Group Policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-essentials-sbs/cc747484(v=ws.10)). You'll specify the new name for the Administrator account. You can disable the built-in Administrator account by using the **Accounts: Administrator account status** Group Policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852165(v=ws.11)).

                                **Intune**: Not available. | | **Control Microsoft Store access** | You can control access to Microsoft Store and whether existing Microsoft Store apps receive updates. You can only disable the Microsoft Store app in Windows 10 Education and Windows 10 Enterprise.

                                **Group Policy**: You can disable the Microsoft Store app by using the **Turn off the Store Application** Group Policy setting. You can prevent Microsoft Store apps from receiving updates by using the **Turn off Automatic Download and Install of updates** Group Policy setting. For more information about configuring these settings, see [Can I use Group Policy to control the Microsoft Store in my enterprise environment?](/previous-versions/windows/it-pro/windows-8.1-and-8/hh832040(v=ws.11)#BKMK_UseGP).

                                **Intune**: You can enable or disable the camera by using the **Allow application store** policy setting in the **Apps** section of a **Windows 10 General Configuration** policy. | | **Use of Remote Desktop connections to devices** | Remote Desktop connections could allow unauthorized access to the device. Depending on your institution’s policies, you may want to disable Remote Desktop connections on your devices.

                                **Group Policy**: You can enable or disable Remote Desktop connections to devices by using the **Allow Users to connect remotely using Remote Desktop setting** in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections.

                                **Intune**: Not available. | | **Use of camera** | A device’s camera can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the camera on your devices.

                                **Group Policy**: Not available.

                                **Intune**: You can enable or disable the camera by using the **Allow camera** policy setting in the **Hardware** section of a **Windows 10 General Configuration** policy. | @@ -742,7 +742,7 @@ Microsoft has several recommended settings for educational institutions. Table 1 ### Configure settings by using Group Policy -Now, you’re ready to configure settings by using Group Policy. The steps in this section assume that you have an AD DS infrastructure. You will configure the Group Policy settings you select in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. +Now, you’re ready to configure settings by using Group Policy. The steps in this section assume that you've an AD DS infrastructure. You'll configure the Group Policy settings you select in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. For more information about Group Policy, see [Group Policy Planning and Deployment Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754948(v=ws.10)). @@ -754,13 +754,13 @@ For more information about Group Policy, see [Group Policy Planning and Deployme ### Configure settings by using Intune -Now, you’re ready to configure settings using Intune. The steps in this section assume that you have an Office 365 subscription. You will configure the Intune settings that you selected in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. +Now, you’re ready to configure settings using Intune. The steps in this section assume that you've an Office 365 subscription. You'll configure the Intune settings that you selected in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. For more information about Intune, see [Documentation for Microsoft Intune](/mem/intune/). #### To configure Intune settings -1. Check your Intune licensing. If you have a Microsoft 365 subscription, you may already have Intune. For more information, see [Microsoft Intune licensing](/mem/intune/fundamentals/licenses). +1. Check your Intune licensing. If you've a Microsoft 365 subscription, you may already have Intune. For more information, see [Microsoft Intune licensing](/mem/intune/fundamentals/licenses). 2. Enroll devices in Microsoft Intune. For more information on your enrollment options, see [Intune enrollment methods for Windows devices](/mem/intune/enrollment/windows-enrollment-methods). 3. Configure the [compliance settings](/mem/intune/protect/device-compliance-get-started) and [configuration settings](/mem/intune/configuration/device-profiles) that meet your school system's needs. 4. Use the reporting features in Intune to monitor devices. For more information, see [Intune reports](/mem/intune/fundamentals/reports). @@ -814,7 +814,7 @@ In most instances, deployments occur without incident. Only in rare occasions do ### Set up printers -After you have deployed Windows 10, the devices are almost ready for use. First, you must set up the printers that each classroom will use. Typically, you connect the printers to the same network as the devices in the same classroom. If you don’t have printers in your classrooms, skip this section and proceed to the [Verify deployment](#verify-deployment) section. +After you've deployed Windows 10, the devices are almost ready for use. First, you must set up the printers that each classroom will use. Typically, you connect the printers to the same network as the devices in the same classroom. If you don’t have printers in your classrooms, skip this section and proceed to the [Verify deployment](#verify-deployment) section. > [!NOTE] > If you’re performing an upgrade instead of a new deployment, the printers remain configured as they were in the previous version of Windows. As a result, you can skip this section and proceed to the [Verify deployment](#verify-deployment) section. @@ -832,7 +832,7 @@ After you have deployed Windows 10, the devices are almost ready for use. First, ### Verify deployment -As a final quality control step, verify the device configuration to ensure that all apps run. Microsoft recommends that you perform all the tasks that the user would perform. Specifically, verify the following: +As a final quality control step, verify the device configuration to ensure that all apps run. Microsoft recommends that you perform all the tasks that the user would perform. Specifically, verify the following requirements: - The device can connect to the Internet and view the appropriate web content in Microsoft Edge. - Windows Update is active and current with software updates. @@ -842,7 +842,7 @@ As a final quality control step, verify the device configuration to ensure that - All Windows desktop apps are properly installed and updated. - Printers are properly configured. -When you have verified that the first device is properly configured, you can move to the next device and perform the same steps. +When you've verified that the first device is properly configured, you can move to the next device and perform the same steps. ### Summary @@ -850,7 +850,7 @@ You prepared the devices for deployment by verifying that they have adequate sys ## Maintain Windows devices and Office 365 -After the initial deployment, you will need to perform certain tasks to maintain the Windows 10 devices and your Office 365 Education subscription. You should perform these tasks on the following schedule: +After the initial deployment, you'll need to perform certain tasks to maintain the Windows 10 devices and your Office 365 Education subscription. You should perform these tasks on the following schedule: - **Monthly.** These tasks help ensure that the devices are current with software updates and properly protected against viruses and malware. - **New semester or academic year.** Perform these tasks prior to the start of a new curriculum—for example, at the start of a new academic year or semester. These tasks help ensure that the classroom environments are ready for the next group of students. @@ -866,7 +866,7 @@ Table 13 lists the school and individual classroom maintenance tasks, the resour | Verify that Windows Update is active and current with operating system and software updates.

                                For more information about completing this task, see:

                                - Intune: See [Keep Windows PCs up to date with software updates in Microsoft Intune](https://www.microsoft.com/en-us/insidetrack/keeping-windows-10-devices-up-to-date-with-microsoft-intune-and-windows-update-for-business)
                                - Group Policy: See [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb)
                                - Windows Server Update Services (WSUS): See [Deploy Windows Server Update Services](/windows-server/administration/windows-server-update-services/deploy/deploy-windows-server-update-services)
                                - Neither Intune, Group Policy, or WSUS: See [Update Windows](https://support.microsoft.com/windows/update-windows-3c5ae7fc-9fb6-9af1-1984-b5e0412c556a). | ✔️ | ✔️ | ✔️ | | Verify that Windows Defender is active and current with malware Security intelligence.

                                For more information, see [Enforce compliance for Microsoft Defender for Endpoint with Conditional Access in Intune](/mem/intune/protect/advanced-threat-protection) and [Enable and configure Microsoft Defender Antivirus always-on protection in Group Policy](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus)). | ✔️ | ✔️ | ✔️ | | Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found.

                                For more information about completing this task, see [Protect my PC from viruses](https://support.microsoft.com/windows/protect-my-pc-from-viruses-b2025ed1-02d5-1e87-ba5f-71999008e026). | ✔️ | ✔️ | ✔️ | -| Verify that you are using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).

                                For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options for updates and upgrades](/windows/deployment/update/). | | ✔️ | ✔️ | +| Verify that you're using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).

                                For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options for updates and upgrades](/windows/deployment/update/). | | ✔️ | ✔️ | | Refresh the operating system and apps on devices.

                                For more information about completing this task, see the [Deploy Windows 10 to devices](#deploy-windows-10-to-devices) section. | | ✔️ | ✔️ | | Install any new Windows desktop apps or update any Windows desktop apps that are used in the curriculum.

                                For more information, see the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. | | ✔️ | ✔️ | | Install new or update existing Microsoft Store apps that are used in the curriculum.

                                Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download.

                                You can also deploy Microsoft Store apps directly to devices by using Intune. For more information, see the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. | | ✔️ | ✔️ | @@ -880,7 +880,7 @@ Table 13 lists the school and individual classroom maintenance tasks, the resour ### Summary -Now, you have identified the tasks you need to perform monthly, at the end of an academic year or semester, and as required. Your school configuration should match the typical school configuration that you saw in the [Plan a typical school configuration](#plan-a-typical-school-configuration) section. By running these maintenance tasks, you help ensure that your school stays secure and is configured as you specified. +Now, you've identified the tasks you need to perform monthly, at the end of an academic year or semester, and as required. Your school configuration should match the typical school configuration that you saw in the [Plan a typical school configuration](#plan-a-typical-school-configuration) section. By running these maintenance tasks, you help ensure that your school stays secure and is configured as you specified. ## Related resources diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md index 03a761c858..85f9441c0c 100644 --- a/education/windows/edu-deployment-recommendations.md +++ b/education/windows/edu-deployment-recommendations.md @@ -1,6 +1,6 @@ --- title: Deployment recommendations for school IT administrators -description: Provides guidance on ways to customize the OS privacy settings, as well as some of the apps, for Windows-based devices used in schools so that you can choose what information is shared with Microsoft. +description: Provides guidance on ways to customize the OS privacy settings, and some of the apps, for Windows-based devices used in schools so that you can choose what information is shared with Microsoft. keywords: Windows 10 deployment, recommendations, privacy settings, school ms.mktglfcycl: plan ms.sitesec: library @@ -19,9 +19,9 @@ ms.prod: w10 - Windows 10 -Your privacy is important to us, so we want to provide you with ways to customize the OS privacy settings, as well as some of the apps, so that you can choose what information is shared with Microsoft. To learn more about Microsoft’s commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305). The following sections provide some best practices and specific privacy settings we’d like you to be aware of. Also see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md) for more information about ways to customize the OS diagnostic data, consumer experiences, Cortana, and search. +Your privacy is important to us, so we want to provide you with ways to customize the OS privacy settings, and some of the apps, so that you can choose what information is shared with Microsoft. To learn more about Microsoft’s commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305). The following sections provide some best practices and specific privacy settings we’d like you to be aware of. For more information about ways to customize the OS diagnostic data, consumer experiences, Cortana, and search, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md). -We want all students to have the chance to use the apps they need for success in the classroom and all school personnel to have apps they need for their job. Students and school personnel who use assistive technology apps not available in the Microsoft Store for Education, and use devices running Windows 10 S, will be able to configure the device at no additional charge to Windows 10 Pro Education. To learn more about the steps to configure this, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md). +We want all students to have the chance to use the apps they need for success in the classroom and all school personnel to have apps they need for their job. Students and school personnel who use assistive technology apps not available in the Microsoft Store for Education, and use devices running Windows 10 S, will be able to configure the device at no extra charge to Windows 10 Pro Education. To learn more about the steps to configure this device, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md). ## Deployment best practices @@ -33,7 +33,7 @@ Keep these best practices in mind when deploying any edition of Windows 10 in sc * IT administrators, school officials, and teachers should also consider ratings when picking apps from the Microsoft Store. -* If you have students or school personnel who rely on assistive technology apps that are not available in the Microsoft Store for Education, and who are using a Windows 10 S device, configure their device to Windows 10 Pro Education to allow the download and use of non-Microsoft Store assistive technology apps. See [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) for more info. +* If you've students or school personnel who rely on assistive technology apps that aren't available in the Microsoft Store for Education, and who are using a Windows 10 S device, configure their device to Windows 10 Pro Education to allow the download and use of non-Microsoft Store assistive technology apps. See [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) for more info. ## Windows 10 Contacts privacy settings @@ -63,7 +63,7 @@ To turn off access to contacts for all apps on individual Windows devices: 3. Turn off **Let apps access my contacts**. -For IT-managed Windows devices, you can use a Group Policy to turn off the setting. To do this: +For IT-managed Windows devices, you can use a Group Policy to turn off the setting. To turn off the setting: 1. Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts**. @@ -75,7 +75,7 @@ If you want to allow only certain apps to have access to contacts, you can use t ![Choose apps with access to contacts.](images/win10_settings_privacy_contacts_apps.png) -The list of apps on the Windows-based device may vary from the above example. The list depends on what apps you have installed and which of these apps access contacts. +The list of apps on the Windows-based device may vary from the above example. The list depends on what apps you've installed and which of these apps access contacts. To allow only certain apps to have access to contacts, you can: @@ -94,7 +94,7 @@ The Skype app replaces the integration of Skype features into Skype video and Me With the Xbox app, students can use their Xbox profiles to play and make progress on their games using their Windows-based device. They can also unlock achievements and show off to their friends with game clips and screenshots. The Xbox app requires a Microsoft account, which is a personal account. -Both Skype and Xbox include searchable directories that let students find other people to connect to. The online privacy and security settings for Skype and Xbox are not manageable through Group Policy so we recommend that school IT administrators and school officials let parents and students know about these searchable directories. +Both Skype and Xbox include searchable directories that let students find other people to connect to. The online privacy and security settings for Skype and Xbox aren't manageable through Group Policy so we recommend that school IT administrators and school officials let parents and students know about these searchable directories. If the school allows the use of personal or Microsoft account in addition to organization accounts, we also recommend that IT administrators inform parents and students that they can optionally remove any identifying information from the directories by: @@ -123,13 +123,13 @@ To manage and edit your profile in the Skype UWP app, follow these steps: 4. Review the information in each section and click **Edit profile** in either or both the **Personal information** and **Contact details** sections to change the information being shared. You can also remove the checks in the **Profile settings** section to change settings on discoverability, notifications, and staying in touch. -5. If you do not wish the name to be included, edit the fields and replace the fields with **XXX**. +5. If you don't wish the name to be included, edit the fields and replace the fields with **XXX**. 6. To change the profile picture, go to the Skype app and click on the current profile picture or avatar. The **Manage Profile Picture** window pops up. ![Skype profile icon.](images/skype_uwp_manageprofilepic.png) - * To take a new picture, click the camera icon in the pop up window. To upload a new picture, click the three dots (**...**). + * To take a new picture, click the camera icon in the pop-up window. To upload a new picture, click the three dots (**...**). * You can also change the visibility of the profile picture between public (everyone) or for contacts only. To change the profile picture visibility, select the dropdown under **Profile picture** and choose between **Show to everyone** or **Show to contacts only**. @@ -148,7 +148,7 @@ If you want to delete either (or both) the Skype and the Xbox accounts, here’s To delete a Skype account, you can follow the instructions here: [How do I close my Skype account?](https://go.microsoft.com/fwlink/?LinkId=816515) -If you need help deleting the account, you can contact Skype customer service by going to the [Skype support request page](https://go.microsoft.com/fwlink/?LinkId=816519). You may need to sign in and specify a Skype account. Once you’ve signed in, you can: +If you need help with deleting the account, you can contact Skype customer service by going to the [Skype support request page](https://go.microsoft.com/fwlink/?LinkId=816519). You may need to sign in and specify a Skype account. Once you’ve signed in, you can: 1. Select a help topic (**Account and Password**) 2. Select a related problem (**Deleting an account**) diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md index f4ea0cf4ef..7909586e9b 100644 --- a/education/windows/education-scenarios-store-for-business.md +++ b/education/windows/education-scenarios-store-for-business.md @@ -151,7 +151,7 @@ For info on how to distribute **Minecraft: Education Edition**, see [For teacher Employees will receive an email with a link that will install the app on their device. Click the link to start the Microsoft Store app, and then click **Install**. Also, in the Microsoft Store app, they can find the app under **My Library**. -### Purchase additional licenses +### Purchase more licenses Applies to: IT admins and teachers You can manage current app licenses, or purchase more licenses for apps in **Apps & software**. @@ -164,7 +164,7 @@ You'll have a summary of current license availability. **Minecraft: Education Edition subscriptions** -Similarly, you can purchase additional subscriptions of **Minecraft: Education Edition** through Microsoft Store for Business. Find **Minecraft: Education Edition** in your inventory and use the previous steps for purchasing additional app licenses. +Similarly, you can purchase more subscriptions of **Minecraft: Education Edition** through Microsoft Store for Business. Find **Minecraft: Education Edition** in your inventory and use the previous steps for purchasing more app licenses. ## Manage order history Applies to: IT admins and teachers diff --git a/education/windows/s-mode-switch-to-edu.md b/education/windows/s-mode-switch-to-edu.md index 96f9d8e6e5..cb2e995ef3 100644 --- a/education/windows/s-mode-switch-to-edu.md +++ b/education/windows/s-mode-switch-to-edu.md @@ -15,11 +15,11 @@ author: dansimp --- # Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode -The S mode switch motion enables users to switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode. This gives users access to the Microsoft Store for Education as well as other Education offers. +The S mode switch motion enables users to switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode. This gives users access to the Microsoft Store for Education and to other Education offers. ## Benefits of Windows 10 Pro in S mode for Education -S mode is an enhanced security mode of Windows 10 – streamlined for security and superior performance. With Windows 10 in S mode, everyone can download and install Microsoft-verified apps from the Microsoft Store for Education – this keep devices running fast and secure day in and day out. +S mode is an enhanced security mode of Windows 10 – streamlined for security and superior performance. With Windows 10 in S mode, everyone can download and install Microsoft-verified apps from the Microsoft Store for Education – this mode keeps devices running fast and secure day in and day out. - **Microsoft-verified security** - It reduces risk of malware and exploitations that harm students and educators, because only Microsoft-verified apps can be installed. - **Performance that lasts** - Provides all-day battery life to keep students on task and not tripping over cords. Also, verified apps won’t degrade device performance over time. diff --git a/education/windows/set-up-school-pcs-azure-ad-join.md b/education/windows/set-up-school-pcs-azure-ad-join.md index 02198518ca..f1a4be1df2 100644 --- a/education/windows/set-up-school-pcs-azure-ad-join.md +++ b/education/windows/set-up-school-pcs-azure-ad-join.md @@ -50,7 +50,7 @@ option, select the teachers and IT staff to allow them to connect to Azure AD. ![Select the users you want to let join devices to Azure AD.](images/suspc-enable-shared-pc-1807.png) -You can also create an account that holds the exclusive rights to join devices. When a student PC needs to be set up, provide the account credentials to the appropriate teachers or staff. +You can also create an account that holds the exclusive rights to join devices. When a student PC has to be set up, provide the account credentials to the appropriate teachers or staff. ## All Device Settings @@ -59,10 +59,10 @@ The following table describes each setting within **Device Settings**. | Setting | Description | |------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Users may join devices to Azure AD | Choose the scope of people in your organization that are allowed to join devices to Azure AD. **All** allows all users and groups within your tenant to join devices. **Selected** prompts you to choose specific users or groups to allow. **None** allows no one in your tenant to join devices to Azure AD. | -| Additional local administrators on Azure AD joined devices | Only applicable to Azure AD Premium tenants. Grant additional local administrator rights on devices, to selected users. Global administrators and the device owner are granted local administrator rights by default. | -| Users may register their devices with Azure AD | Allow all or none of your users to register their devices with Azure AD (Workplace Join). If you are enrolled in Microsoft Intune or Mobile Device Management for Office 365, your devices are required to be registered. In this case, **All** is automatically selected for you. | +| More local administrators on Azure AD joined devices | Only applicable to Azure AD Premium tenants. Grant extra local administrator rights on devices, to selected users. Global administrators and the device owner are granted local administrator rights by default. | +| Users may register their devices with Azure AD | Allow all or none of your users to register their devices with Azure AD (Workplace Join). If you're enrolled in Microsoft Intune or Mobile Device Management for Office 365, your devices are required to be registered. In this case, **All** is automatically selected for you. | | Require Multi-Factor Authentication to join devices | Recommended when adding devices to Azure AD. When set to **Yes**, users that are setting up devices must enter a second method of authentication. | -| Maximum number of devices per user | Set the maximum number of devices a user is allowed to have in Azure AD. If the maximum is exceeded, the user must remove one or more existing devices before additional ones are added. | +| Maximum number of devices per user | Set the maximum number of devices a user is allowed to have in Azure AD. If the maximum is exceeded, the user must remove one or more existing devices before more devices are added. | | Users may sync settings and enterprise app data | Allow all or none of your users to sync settings and app data across multiple devices. Tenants with Azure AD Premium are permitted to select specific users to allow. | ## Clear Azure AD tokens diff --git a/education/windows/set-up-school-pcs-provisioning-package.md b/education/windows/set-up-school-pcs-provisioning-package.md index adc21bf1b4..328e6c3c68 100644 --- a/education/windows/set-up-school-pcs-provisioning-package.md +++ b/education/windows/set-up-school-pcs-provisioning-package.md @@ -31,17 +31,17 @@ For a more detailed look at the policies, see the Windows article [Set up shared |Policy name|Default value|Description| |---------|---------|---------| -|Enable Shared PC mode|True| Configures the PCs so they are in shared PC mode.| -|Set education policies | True | School-optimized settings are applied to the PCs so that they are appropriate for an educational environment. To see all recommended and enabled policies, see [Windows 10 configuration recommendation for education customers](./configure-windows-for-education.md). | +|Enable Shared PC mode|True| Configures the PCs so they're in shared PC mode.| +|Set education policies | True | School-optimized settings are applied to the PCs so that they're appropriate for an educational environment. To see all recommended and enabled policies, see [Windows 10 configuration recommendation for education customers](./configure-windows-for-education.md). | |Account Model| Only guest, Domain-joined only, or Domain-joined and guest |Controls how users can sign in on the PC. Configurable from the Set up School PCs app. Choosing domain-joined will enable any user in the domain to sign in. Specifying the guest option will add the Guest option to the sign-in screen and enable anonymous guest access to the PC. | -|Deletion policy | Delete at disk space threshold and inactive threshold | Delete at disk space threshold will start deleting accounts when available disk space falls below the threshold you set for disk level deletion. It will stop deleting accounts when the available disk space reaches the threshold you set for disk level caching. Accounts are deleted in order of oldest accessed to most recently accessed. Also deletes accounts if they have not signed in within the number of days specified by inactive threshold policy. | +|Deletion policy | Delete at disk space threshold and inactive threshold | Delete at disk space threshold will start deleting accounts when available disk space falls below the threshold you set for disk level deletion. It will stop deleting accounts when the available disk space reaches the threshold you set for disk level caching. Accounts are deleted in order of oldest accessed to most recently accessed. Also deletes accounts if they haven't signed in within the number of days specified by inactive threshold policy. | |Disk level caching | 50% | Sets 50% of total disk space to be used as the disk space threshold for account caching. | -|Disk level deletion | For shared device setup, 25%; for single device-student setup, 0%. | When your devices are optimized for shared use across multiple PCs, this policy sets 25% of total disk space to be used as the disk space threshold for account caching. When your devices are optimized for use by a single student, this policy sets the value to 0% and does not delete accounts. | +|Disk level deletion | For shared device setup, 25%; for single device-student setup, 0%. | When your devices are optimized for shared use across multiple PCs, this policy sets 25% of total disk space to be used as the disk space threshold for account caching. When your devices are optimized for use by a single student, this policy sets the value to 0% and doesn't delete accounts. | |Enable account manager | True | Enables automatic account management. | -|Inactive threshold| For shared device setup, 30 days; for single device-student setup, 180 days.| After 30 or 180 days, respectively, if an account has not signed in, it will be deleted. +|Inactive threshold| For shared device setup, 30 days; for single device-student setup, 180 days.| After 30 or 180 days, respectively, if an account hasn't signed in, it will be deleted. |Kiosk Mode AMUID | Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App | Configures the kiosk account on student devices to only run the Take a Test secure assessment browser. | |Kiosk Mode User Tile Display Text | Take a Test | Displays "Take a Test" as the name of the kiosk account on student devices. | -|Restrict local storage | For shared device setup, True; for single device-student setup, False. | When devices are optimized for shared use across multiple PCs, this policy forces students to save to the cloud to prevent data loss. When your devices are optimized for use by a single student, this policy does not prevent students from saving on the PCs local hard drive. | +|Restrict local storage | For shared device setup, True; for single device-student setup, False. | When devices are optimized for shared use across multiple PCs, this policy forces students to save to the cloud to prevent data loss. When your devices are optimized for use by a single student, this policy doesn't prevent students from saving on the PCs local hard drive. | |Maintenance start time | 0 - midnight | The maintenance start time when automatic maintenance tasks, such as Windows Update, run on student devices. | |Max page file size in MB| 1024| Sets the maximum size of the paging file to 1024 MB. Applies only to systems with less than 32-GB storage and at least 3 GB of RAM.| |Set power policies | True | Prevents users from changing power settings and turns off hibernate. Also overrides all power state transitions to sleep, such as lid close. | @@ -67,12 +67,12 @@ For a more detailed look of each policy listed, see [Policy CSP](/windows/client | Update power policy for cart restarts | 1 - Configured | Skips all restart checks to ensure that the reboot will happen at the scheduled install time. | | Select when Preview Builds and Feature Updates are received | 365 days | Defers Feature Updates for the specified number of days. When not specified, defaults to 365 days. | | Allow all trusted apps | Disabled | Prevents untrusted apps from being installed to device | -| Allow developer unlock | Disabled | Students cannot unlock the PC and use it in developer mode | -| Allow Cortana | Disabled | Cortana is not allowed on the device. | -| Allow manual MDM unenrollment | Disabled | Students cannot remove the mobile device manager from their device. | -| Settings page visibility | Enabled | Specific pages in the System Settings app are not visible or accessible to students. | -| Allow add provisioning package | Disabled | Students cannot add and upload new provisioning packages to their device. | -| Allow remove provisioning package | Disabled | Students cannot remove packages that you've uploaded to their device, including the Set up School PCs app | +| Allow developer unlock | Disabled | Students can't unlock the PC and use it in developer mode | +| Allow Cortana | Disabled | Cortana isn't allowed on the device. | +| Allow manual MDM unenrollment | Disabled | Students can't remove the mobile device manager from their device. | +| Settings page visibility | Enabled | Specific pages in the System Settings app aren't visible or accessible to students. | +| Allow add provisioning package | Disabled | Students can't add and upload new provisioning packages to their device. | +| Allow remove provisioning package | Disabled | Students can't remove packages that you've uploaded to their device, including the Set up School PCs app | | Start Layout | Enabled | Lets you specify the Start layout for users and prevents them from changing the configuration. | | Import Edge Assets | Enabled | Import Microsoft Edge assets, such as PNG and JPG files, for secondary tiles on the Start layout. Tiles will appear as weblinks and will be tied to the relevant image asset files. | | Allow pinned folder downloads | 1 - The shortcut is visible and disables the setting in the Settings app | Makes the Downloads shortcut on the Start menu visible to students. | @@ -84,7 +84,7 @@ For a more detailed look of each policy listed, see [Policy CSP](/windows/client | Updates Windows | Nightly | Sets Windows to update on a nightly basis. | ## Apps uninstalled from Windows 10 devices -Set up School PCs app uses the Universal app uninstall policy. This policy identifies default apps that are not relevant to the classroom experience, and uninstalls them from each device. ALl apps uninstalled from Windows 10 devices include: +Set up School PCs app uses the Universal app uninstall policy. This policy identifies default apps that aren't relevant to the classroom experience, and uninstalls them from each device. ALl apps uninstalled from Windows 10 devices include: * Mixed Reality Viewer @@ -111,7 +111,7 @@ The time it takes to install a package on a device depends on the: * Strength of network connection * Number of policies and apps within the package -* Additional configurations made to the device +* Other configurations made to the device Review the table below to estimate your expected provisioning time. A package that only applies Set Up School PC's default configurations will provision the fastest. A package that removes pre-installed apps, through CleanPC, will take much longer to provision. diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md index 328b2f80a1..27782bf2e2 100644 --- a/education/windows/set-up-students-pcs-to-join-domain.md +++ b/education/windows/set-up-students-pcs-to-join-domain.md @@ -29,12 +29,12 @@ Follow the steps in [Provision PCs with common settings for initial deployment ( 1. In the **Account Management** step: > [!WARNING] - > If you don't create a local administrator account and the device fails to enroll in Active Directory for any reason, you will have to reimage the device and start over. As a best practice, we recommend: + > If you don't create a local administrator account and the device fails to enroll in Active Directory for any reason, you'll have to reimage the device and start over. As a best practice, we recommend: > - Use a least-privileged domain account to join the device to the domain. > - Create a temporary administrator account to use for debugging or reprovisioning if the device fails to enroll successfully. > - [Use Group Policy to delete the temporary administrator account](/archive/blogs/canitpro/group-policy-creating-a-standard-local-admin-account) after the device is enrolled in Active Directory. -2. After you're done with the wizard, do not click **Create**. Instead, click the **Switch to advanced editor** to switch the project to the advanced editor to see all the available **Runtine settings**. +2. After you're done with the wizard, don't click **Create**. Instead, click the **Switch to advanced editor** to switch the project to the advanced editor to see all the available **Runtime settings**. 3. Find the **SharedPC** settings group. - Set **EnableSharedPCMode** to **TRUE** to configure the PC for shared use. 4. (Optional) To configure the PC for secure testing, follow these steps. @@ -58,7 +58,7 @@ Follow the steps in [Provision PCs with common settings for initial deployment ( 5. To configure other settings to make Windows education ready, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md) and follow the guidance on what settings you can set using Windows Configuration Designer. 6. Follow the steps to [build a package](/windows/configuration/provisioning-packages/provisioning-create-package#build-package). - - You will see the file path for your provisioning package. By default, this is set to %windir%\Users\*your_username\Windows Imaging and Configuration Designer (WICD)\*Project name). + - You'll see the file path for your provisioning package. By default, this path is set to %windir%\Users\*your_username\Windows Imaging and Configuration Designer (WICD)\*Project name). - Copy the provisioning package to a USB drive. > [!IMPORTANT] diff --git a/education/windows/set-up-students-pcs-with-apps.md b/education/windows/set-up-students-pcs-with-apps.md index f0bb65fa78..30b657f9b6 100644 --- a/education/windows/set-up-students-pcs-with-apps.md +++ b/education/windows/set-up-students-pcs-with-apps.md @@ -223,5 +223,5 @@ On a desktop computer, navigate to **Settings** > **Accounts** > **Work ac - Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) -- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) +- Watch the video: [Windows 10 for Mobile Devices: Provisioning Isn't Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)   \ No newline at end of file diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md index b20485075a..365fa77274 100644 --- a/education/windows/take-a-test-app-technical.md +++ b/education/windows/take-a-test-app-technical.md @@ -23,13 +23,13 @@ manager: dansimp Take a Test is an app that locks down the PC and displays an online assessment web page. -Whether you are a teacher or IT administrator, you can easily configure Take a Test to meet your testing needs. For high-stakes tests, the app creates a browser-based, locked-down environment for more secure online assessments. This means that students taking the tests that don’t have copy/paste privileges, can’t access to files and applications, and are free from distractions. For simple tests and quizzes, Take a Test can be configured to use the teacher’s preferred assessment website to deliver digital assessments +Whether you're a teacher or IT administrator, you can easily configure Take a Test to meet your testing needs. For high-stakes tests, the app creates a browser-based, locked-down environment for more secure online assessments. This environment means that students taking the tests that don’t have copy/paste privileges, can’t access to files and applications, and are free from distractions. For simple tests and quizzes, Take a Test can be configured to use the teacher’s preferred assessment website to deliver digital assessments Assessment vendors can use Take a Test as a platform to lock down the operating system. Take a Test supports the [SBAC browser API standard](https://www.smarterapp.org/documents/SecureBrowserRequirementsSpecifications_0-3.pdf) for high stakes common core testing. For more information, see [Take a Test Javascript API](/windows/uwp/apps-for-education/take-a-test-api). ## PC lockdown for assessment - When the assessment page initiates lock down, the student’s desktop will be locked and the app will be launched above the Windows lock screen to provide a sandbox that ensures the student can only interact with the Take a Test app . After transitioning to the lock screen, Take a Test will apply local MDM policies to further lock down the device. The whole process of going above the lock screen and applying policies is what defines lockdown. The lockdown process is atomic, which means that if any part of the lockdown operation fails, the app will not be above lock and won't have any of the policies applied. + When the assessment page initiates lock down, the student’s desktop will be locked and the app will be launched above the Windows lock screen to provide a sandbox that ensures the student can only interact with the Take a Test app . After transitioning to the lock screen, Take a Test will apply local MDM policies to further lock down the device. The whole process of going above the lock screen and applying policies is what defines lockdown. The lockdown process is atomic, which means that if any part of the lockdown operation fails, the app won't be above lock and won't have any of the policies applied. When running above the lock screen: - The app runs full screen with no chrome @@ -49,19 +49,19 @@ When Take a Test is running, the following MDM policies are applied to lock down | AllowToasts | Disables toast notifications from being shown | 0 | | AllowAppStoreAutoUpdate | Disables automatic updates for Microsoft Store apps that are installed on the PC | 0 | | AllowDeviceDiscovery | Disables UI for screen sharing | 0 | -| AllowInput Panel | Disables the onscreen keyboard which will disable auto-fill | 0 | +| AllowInput Panel | Disables the onscreen keyboard, which will disable auto-fill | 0 | | AllowCortana | Disables Cortana functionality | 0 | | AllowAutoupdate | Disables Windows Update from starting OS updates | 5 | ## Group Policy -To ensure Take a Test activates correctly, make sure the following Group Policy are not configured on the PC. +To ensure Take a Test activates correctly, make sure the following Group Policy aren't configured on the PC. | Functionality | Group Policy path | Policy | | --- | --- | --- | -| Require Ctrl+Alt+Del | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options | Interactive logon: Do not Require CTRL+ALT+DEL | +| Require Ctrl+Alt+Del | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options | Interactive logon: Don't Require CTRL+ALT+DEL | | Disable lock screen notifications | Computer Configuration\Administrative Templates\System\Logon | Turn off app notifications on the lock screen | -| Disable lock screen | Computer Configuration\Administrative Templates\Control Panel\Personalization | Do not display the lock screen | +| Disable lock screen | Computer Configuration\Administrative Templates\Control Panel\Personalization | Don't display the lock screen | | Disable UAC | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options | User Account Control: Run all administrators in Admin Approval Mode | | Disable local workstation | User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options | Remove Lock Computer | @@ -75,7 +75,7 @@ When Take a Test is running, the following functionality is available to student - Full screen mode is compatible -- The student can press Alt+Tab when locked down. This results in the student being able to switch between the following: +- The student can press Alt+Tab when locked down. This key press results in the student being able to switch between the following elements: - Take a Test - Assistive technology that may be running @@ -101,8 +101,8 @@ Starting with Windows 10, version 1709 (Fall Creators Update), assessments can n When permissive mode is triggered in lockdown mode, Take a Test transitions from lockdown mode to running windows mode on the user's desktop. The student can then run allowed apps during the test. -When running tests in this mode, keep the following in mind: -- Permissive mode is not supported in kiosk mode (dedicated test account). +When running tests in this mode, keep the following points in mind: +- Permissive mode isn't supported in kiosk mode (dedicated test account). - Permissive mode can be triggered from the web app running within Take a Test. Alternatively, you can create a link or shortcut without "#enforcelockdown" and it will launch in permissive mode. See [Secure Browser API Specification](https://github.com/SmarterApp/SB_BIRT/blob/master/irp/doc/req/SecureBrowserAPIspecification.md) for more info. diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md index 10e2d2f7e0..f394215cda 100644 --- a/education/windows/take-a-test-multiple-pcs.md +++ b/education/windows/take-a-test-multiple-pcs.md @@ -30,12 +30,12 @@ To configure a dedicated test account on multiple PCs, select any of the followi - [Configuration in Intune for Education](#set-up-a-test-account-in-intune-for-education) - [Mobile device management (MDM) or Microsoft Endpoint Configuration Manager](#set-up-a-test-account-in-mdm-or-configuration-manager) - [Provisioning package created through Windows Configuration Designer](#set-up-a-test-account-through-windows-configuration-designer) -- [Group Policy to deploy a scheduled task that runs a Powershell script](#create-a-scheduled-task-in-group-policy) +- [Group Policy to deploy a scheduled task that runs a PowerShell script](#create-a-scheduled-task-in-group-policy) ### Set up a test account in the Set up School PCs app If you want to set up a test account using the Set up School PCs app, configure the settings in the **Set up the Take a Test app** page in the Set up School PCs app. Follow the instructions in [Use the Set up School PCs app](use-set-up-school-pcs-app.md) to configure the test-taking account and create a provisioning package. -If you set up Take a Test, this adds a **Take a Test** button on the student PC's sign-in screen. Windows will also lock down the student PC so that students can't access anything else while taking the test. +If you set up Take a Test, the **Take a Test** button is added on the student PC's sign-in screen. Windows will also lock down the student PC so that students can't access anything else while taking the test. **Figure 1** - Configure Take a Test in the Set up School PCs app @@ -62,7 +62,7 @@ You can set up a test-taking account in Intune for Education. To do this, follow ![Add information about the test profile.](images/i4e_takeatestprofile_newtestaccount.png) - After you save the test profile, you will see a summary of the settings that you configured for Take a Test. Next, you'll need to assign the test profile to a group that will be using the test account. + After you save the test profile, you'll see a summary of the settings that you configured for Take a Test. Next, you'll need to assign the test profile to a group that will be using the test account. 4. In the test account page, click **Groups**. @@ -130,7 +130,7 @@ To set up a test account through Windows Configuration Designer, follow these st 1. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd). 2. Create a provisioning package by following the steps in [Provision PCs with common settings for initial deployment (desktop wizard)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment). However, make a note of these other settings to customize the test account. - 1. After you're done with the wizard, do not click **Create**. Instead, click the **Switch to advanced editor** to switch the project to the advanced editor to see all the available **Runtime settings**. + 1. After you're done with the wizard, don't click **Create**. Instead, click the **Switch to advanced editor** to switch the project to the advanced editor to see all the available **Runtime settings**. 2. Under **Runtime settings**, go to **AssignedAccess > AssignedAccessSettings**. 3. Enter **{"Account":"*redmond\\kioskuser*","AUMID":” Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App "}**, using the account that you want to set up. @@ -150,13 +150,13 @@ To set up a test account through Windows Configuration Designer, follow these st 3. Follow the steps to [build a package](/windows/configuration/provisioning-packages/provisioning-create-package#build-package). - - You will see the file path for your provisioning package. By default, this is set to %windir%\Users\*your_username\Windows Imaging and Configuration Designer (WICD)\*Project name). + - You'll see the file path for your provisioning package. By default, this is set to %windir%\Users\*your_username\Windows Imaging and Configuration Designer (WICD)\*Project name). - Copy the provisioning package to a USB drive. 4. Follow the steps in [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) to apply the package that you created. ### Set up a tester account in Group Policy -To set up a tester account using Group Policy, first create a Powershell script that configures the tester account and assessment URL, and then create a scheduled task to run the script. +To set up a tester account using Group Policy, first create a PowerShell script that configures the tester account and assessment URL, and then create a scheduled task to run the script. #### Create a PowerShell script This sample PowerShell script configures the tester account and the assessment URL. Edit the sample to: @@ -209,9 +209,9 @@ Anything hosted on the web can be presented in a locked down manner, not just as 1. Create the link to the test using schema activation. - Create a link using a web UI - For this option, you can just copy the assessment URL, select the options you want to allow during the test, and click a button to create the link. We recommend this for option for teachers. + For this option, you can just copy the assessment URL, select the options you want to allow during the test, and click a button to create the link. We recommend this option for teachers. - To get started, go here: [Create a link using a web UI](https://aka.ms/create-a-take-a-test-link). + To get started, navigate to: [Create a link using a web UI](https://aka.ms/create-a-take-a-test-link). - Create a link using schema activation @@ -245,17 +245,17 @@ One of the ways you can present content in a locked down manner is by embedding If you exclude these parameters, the default behavior is disabled. - For tests that utilizes the Windows lockdown API, which checks for running processes before locking down, remove `enforceLockdown`. Removing `enforceLockdown` will result in the app not locking down immediately, which allows you to close apps that are not allowed to run during lockdown. The test web application may lock down the device once you have closed the apps. + For tests that utilize the Windows lockdown API, which checks for running processes before locking down, remove `enforceLockdown`. Removing `enforceLockdown` will result in the app not locking down immediately, which allows you to close apps that aren't allowed to run during lockdown. The test web application may lock down the device once you've closed the apps. > [!NOTE] > The Windows 10, version 1607 legacy configuration, `ms-edu-secureassessment:!enforcelockdown` is still supported, but not in combination with the new parameters. -3. To enable permissive mode, do not include `enforceLockdown` in the schema parameters. +3. To enable permissive mode, don't include `enforceLockdown` in the schema parameters. See [Permissive mode](take-a-test-app-technical.md#permissive-mode) and [Secure Browser API Specification](https://github.com/SmarterApp/SB_BIRT/blob/master/irp/doc/req/SecureBrowserAPIspecification.md) for more info. ### Create a shortcut for the test link -You can also distribute the test link by creating a shortcut. To do this, create the link to the test by either using the [web UI](https://aka.ms/create-a-take-a-test-link) or using [schema activation](#create-a-link-using-schema-activation). After you have the link, follow these steps: +You can also distribute the test link by creating a shortcut. To create the shortcut, create the link to the test by either using the [web UI](https://aka.ms/create-a-take-a-test-link) or using [schema activation](#create-a-link-using-schema-activation). After you have the link, follow these steps: 1. On a device running Windows, right-click on the desktop and then select **New > Shortcut**. 2. In the **Create Shortcut** window, paste the assessment URL in the field under **Type the location of the item**. diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md index 6f0d1d4341..009e47065c 100644 --- a/education/windows/teacher-get-minecraft.md +++ b/education/windows/teacher-get-minecraft.md @@ -29,7 +29,7 @@ To get started, go to https://education.minecraft.net/ and select **GET STARTED* ## Try Minecraft: Education Edition for Free -Minecraft: Education Edition is available for anyone to try for free! The free trial is fully-functional but limited by the number of logins (25 for teachers and 10 for students) before a paid license will be required to continue playing. +Minecraft: Education Edition is available for anyone to try for free! The free trial is fully functional but limited by the number of logins (25 for teachers and 10 for students) before a paid license will be required to continue playing. To learn more and get started, go to https://education.minecraft.net/ and select **GET STARTED**. @@ -47,7 +47,7 @@ As a teacher, you may purchase subscription licenses for you and your students d You can purchase individual Minecraft: Education Edition subscriptions for you and other teachers and students directly in the Microsoft Store for Education. -To purchase individual Minecraft: Education Edition subscriptions (i.e. direct purchase): +To purchase individual Minecraft: Education Edition subscriptions (that is, direct purchase): 1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com/) with your Office 365 account. 2. Click on [Minecraft: Education Edition](https://educationstore.microsoft.com/en-us/store/details/minecraft-education-edition/9nblggh4r2r6) (or use Search the Store to find it) @@ -116,7 +116,7 @@ Students will receive an email with a link that will install the app on their PC ![My Library for example student.](images/minecraft-my-library.png) ### Download for others -Download for others allows teachers or IT admins to download a packages that they can install on student PCs. This will install Minecraft: Education Edition on the PC, and allows anyone with a Windows account to use the app on that PC. This option is best for students, and for shared computers. Choose this option when: +Download for others allows teachers or IT admins to download packages that they can install on student PCs. This option will install Minecraft: Education Edition on the PC, and allows anyone with a Windows account to use the app on that PC. This option is best for students, and for shared computers. Choose this option when: - You have administrative permissions to install apps on the PC. - You want to install this app on each of your student's Windows 10 (at least version 1511) PCs. - Your students share Windows 10 computers, but sign in with their own Windows account. @@ -126,7 +126,7 @@ Download for others allows teachers or IT admins to download a packages that the - Windows 10 (at least version 1511) is required for PCs running Minecraft: Education Edition. #### Check for updates -Minecraft: Education Edition will not install if there are updates pending for other apps on the PC. Before installing Minecraft, check to see if there are pending updates for Microsoft Store apps. +Minecraft: Education Edition won't install if there are updates pending for other apps on the PC. Before installing Minecraft, check to see if there are pending updates for Microsoft Store apps. **To check for app updates** 1. Start Microsoft Store app on the PC (click **Start**, and type **Store**). @@ -147,7 +147,7 @@ You'll download a .zip file, extract the files, and then use one of the files to ![Microsoft Store app showing access to My Library.](images/mc-dnld-others-teacher.png) -2. **Extract files**. Find the .zip file that you downloaded and extract the files. This is usually your **Downloads** folder, unless you chose to save the .zip file to a different location. Right-click the file and choose **Extract all**. +2. **Extract files**. Find the .zip file that you downloaded and extract the files. This downloaded location is usually your **Downloads** folder, unless you chose to save the .zip file to a different location. Right-click the file and choose **Extract all**. 3. **Save to USB drive**. After you've extracted the files, save the Minecraft: Education Edition folder to a USB drive, or to a network location that you can access from each PC. 4. **Install app**. Use the USB drive to copy the Minecraft folder to each Windows 10 PC where you want to install Minecraft: Education Edition. Open Minecraft: Education Edition folder, right-click **InstallMinecraftEducationEdition.bat** and click **Run as administrator**. 5. **Quick check**. The install program checks the PC to make sure it can run Minecraft: Education Edition. If your PC passes this test, the app will automatically install. @@ -163,10 +163,10 @@ If you ran **InstallMinecraftEducationEdition.bat** and Minecraft: Education Edi | App won't install. | AppLocker is configured and preventing app installs. | Contact IT Admin. | | App won't install. | Policy prevents users from installing apps on the PC. | Contact IT Admin. | | Script starts, but stops quickly. | Policy prevents scripts from running on the PC. | Contact IT Admin. | -| App isn't available for other users. | No restart after install. If you don't restart the PC, and just switch users the app will not be available.| Restart PC.
                                Run **InstallMinecraftEducationEdition.bat** again.
                                If a restart doesn't work, contact your IT Admin. | +| App isn't available for other users. | No restart after install. If you don't restart the PC, and just switch users the app won't be available.| Restart PC.
                                Run **InstallMinecraftEducationEdition.bat** again.
                                If a restart doesn't work, contact your IT Admin. | -If you are still having trouble installing the app, you can get more help on our [Support page](https://go.microsoft.com/fwlink/?LinkID=799757). +If you're still having trouble installing the app, you can get more help on our [Support page](https://go.microsoft.com/fwlink/?LinkID=799757). ## Related topics diff --git a/education/windows/test-windows10s-for-edu.md b/education/windows/test-windows10s-for-edu.md index e81f1a2194..87443100ce 100644 --- a/education/windows/test-windows10s-for-edu.md +++ b/education/windows/test-windows10s-for-edu.md @@ -19,23 +19,23 @@ manager: dansimp **Applies to:** - Devices running Windows 10, version 1709: Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, Windows 10 Enterprise -The Windows 10 in S mode self-installer will allow you to test Windows 10 in S mode on a variety of individual Windows 10 devices (except Windows 10 Home) with a genuine, activated license[1](#footnote1). Please test Windows 10 in S mode on a variety of devices in your school and share your feedback with us. +The Windows 10 in S mode self-installer will allow you to test Windows 10 in S mode on various individual Windows 10 devices (except Windows 10 Home) with a genuine, activated license[1](#footnote1). Test Windows 10 in S mode on various devices in your school and share your feedback with us. Windows 10 in S mode is built to give schools the familiar, robust, and productive experiences you count on from Windows in an experience that's been streamlined for security and performance in the classroom, and built to work with Microsoft Education[2](#footnote2). -Windows 10 in S mode is different from other editions of Windows 10 as everything that runs on the device is verified by Microsoft for security and performance. Therefore, Windows 10 in S mode works exclusively with apps from the Microsoft Store. Some accessories and apps compatible with Windows 10 may not work and performance may vary. Certain default settings, features, and apps cannot be changed. When you install Windows 10 in S mode, your existing applications and settings will be deleted and you will only be able to install apps from the Microsoft Store. +Windows 10 in S mode is different from other editions of Windows 10 as everything that runs on the device is verified by Microsoft for security and performance. Therefore, Windows 10 in S mode works exclusively with apps from the Microsoft Store. Some accessories and apps compatible with Windows 10 may not work and performance may vary. Certain default settings, features, and apps can't be changed. When you install Windows 10 in S mode, your existing applications and settings will be deleted and you'll only be able to install apps from the Microsoft Store. -**Configuring Windows 10 in S mode for school use is easy:** Education customers must configure **SetEduPolicies** for use in K-12 schools. For more information on how to do these, see [Use the Set up School PCs app](use-set-up-school-pcs-app.md) and [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md). +**Configuring Windows 10 in S mode for school use is easy:** Education customers must configure **SetEduPolicies** for use in K-12 schools. For more information on how to do these configurations, see [Use the Set up School PCs app](use-set-up-school-pcs-app.md) and [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md). **Installing Office 365 for Windows 10 in S mode (Education preview)**: To install the Office applications in a school environment, you must use the free Set up School PCs app, which is available on the Microsoft Store for Education and from the Microsoft Store. -As we finalize development of Office 365 for Windows 10 in S mode (Education preview), the applications will be updated automatically. You must have an Office license to activate the applications once they are installed.To learn more about Office 365 for Education plans, see [FAQ: Office on Windows 10 in S mode](https://support.office.com/article/717193b5-ff9f-4388-84c0-277ddf07fe3f). +As we finalize development of Office 365 for Windows 10 in S mode (Education preview), the applications will be updated automatically. You must have an Office license to activate the applications once they're installed.To learn more about Office 365 for Education plans, see [FAQ: Office on Windows 10 in S mode](https://support.office.com/article/717193b5-ff9f-4388-84c0-277ddf07fe3f). ## Before you install Windows 10 in S mode ### Important information -Before you install Windows 10 in S mode, be aware that non-Microsoft Store apps will not work, peripherals that require custom drivers may not work, and other errors may occur. In particular, this release of Windows 10 in S mode: +Before you install Windows 10 in S mode, be aware that non-Microsoft Store apps won't work, peripherals that require custom drivers may not work, and other errors may occur. In particular, this release of Windows 10 in S mode: * Is intended for education customers to test compatibility with existing hardware * May not work with some device drivers, which may not yet be ready for Windows 10 in S mode and may cause some loss in functionality * May not be compatible with all peripherals that require custom drivers and, even if compatible, may cause aspects of the peripheral to not function @@ -44,7 +44,7 @@ Before you install Windows 10 in S mode, be aware that non-Microsoft Store apps > [!WARNING] > You can install Windows 10 in S mode on devices running other editions of Windows 10. For more information, see [Supported devices](#supported-devices). However, we don't recommend installing Windows 10 in S mode on Windows 10 Home devices as you won't be able to activate it. -* Will not run current Win32 software and might result in the loss of any data associated with that software, which might include software already purchased +* Won't run current Win32 software and might result in the loss of any data associated with that software, which might include software already purchased Due to these reasons, we recommend that you use the installation tool and avoid doing a clean install from an ISO media. @@ -55,11 +55,11 @@ Before you install Windows 10 in S mode on your existing Windows 10 Pro, Windows * Install the latest Windows Update. - To do this, go to **Settings > Update & security > Windows Update**. + To do this task, go to **Settings > Update & security > Windows Update**. * Create a system backup in case you would like to return to your previously installed version of Windows 10 after trying Windows 10 in S mode. - See [Create a recovery drive](#create-a-recovery-drive) for information on how to do this. + For more information on how to create the system backup, see [Create a recovery drive](#create-a-recovery-drive). ## Supported devices @@ -69,7 +69,7 @@ The Windows 10 in S mode install will install and activate on the following edit * Windows 10 Education * Windows 10 Enterprise -Other Windows 10 editions cannot be activated and are not supported. If your device is not running one of these supported Windows 10 editions, do not proceed with using the Windows 10 in S mode installer. Windows 10 N editions and running in virtual machines are not supported by the Windows 10 in S mode installer. +Other Windows 10 editions can't be activated and aren't supported. If your device isn't running one of these supported Windows 10 editions, don't proceed with using the Windows 10 in S mode installer. Windows 10-N editions and running in virtual machines aren't supported by the Windows 10 in S mode installer. ### Preparing your device to install drivers @@ -109,23 +109,23 @@ Back up all your data before installing Windows 10 in S mode. Only personal file ## Domain join -Windows 10 in S mode does not support non-Azure Active Directory domain accounts. Before installing Windows 10 in S mode, you must have at least one of these administrator accounts: +Windows 10 in S mode doesn't support non-Azure Active Directory domain accounts. Before installing Windows 10 in S mode, you must have at least one of these administrator accounts: - Local administrator - Microsoft Account (MSA) administrator - Azure Active Directory administrator > [!WARNING] -> If you don't have one of these administrator accounts accessible before migration, you will not be able to log in to your device after migrating to Windows 10 in S mode. +> If you don't have one of these administrator accounts accessible before migration, you'll not be able to log in to your device after migrating to Windows 10 in S mode. We recommend [creating a recovery drive](#create-a-recovery-drive) before migrating to Windows 10 in S mode in case you run into this issue. ## Installing Office applications -After installing Windows 10 in S mode, use the free [Set up School PCs app](use-set-up-school-pcs-app.md) to install Office 365 for Windows 10 in S mode (Education preview). You must have an Office license to activate the applications once they are installed. +After installing Windows 10 in S mode, use the free [Set up School PCs app](use-set-up-school-pcs-app.md) to install Office 365 for Windows 10 in S mode (Education preview). You must have an Office license to activate the applications once they're installed. ## Switch to previously installed Windows 10 editions -If Windows 10 in S mode is not right for you, you can switch to the Windows 10 edition previously installed on your device(s). +If Windows 10 in S mode isn't right for you, you can switch to the Windows 10 edition previously installed on your device(s). * Education customers can switch devices to Windows 10 Pro Education using the Microsoft Store for Education. For more information, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 in S mode](change-to-pro-education.md). * If you try Windows 10 in S mode and decide to switch back to the previously installed edition within 10 days, you can go back to the previously installed edition using the Windows Recovery option in Settings. For more info, see [Go back to your previous edition of Windows 10](#go-back-to-your-previous-edition-of-windows-10). @@ -140,21 +140,21 @@ To create a recovery drive, follow these steps. 2. In the **Recovery drive** tool, make sure **Back up system files to the recovery drive** is selected and then click **Next**. 3. Connect a USB drive to your PC, select it, and then select **Next > Create**. - A lot of files need to be copied to the recovery drive so this might take a while. + Many files need to be copied to the recovery drive; so this process might take a while. 4. When it's done, you might see a **Delete the recovery partition from your PC** link on the final screen. If you want to free up drive space on your PC, select the link and then select **Delete**. If not, select **Finish**. ### Go back to your previous edition of Windows 10 -Alternatively, for a period of 10 days after you install Windows 10 in S mode, you have the option to go back to your previous edition of Windows 10 from **Settings > Update & security > Recovery**. This will keep your personal files, but it will remove installed apps as well as any changes you made to **Settings**. +Alternatively, for 10 days after you install Windows 10 in S mode, you've the option to go back to your previous edition of Windows 10 from **Settings > Update & security > Recovery**. This revert operation will keep your personal files, but it will remove installed apps and any changes you made to **Settings**. To go back, you need to: * Keep everything in the windows.old and $windows.~bt folders after the upgrade. * Remove any user accounts you added after the upgrade. -If going back is not available: -* Check if you can restore your PC to factory settings. This will reinstall the version of Windows that came with your PC and remove personal files, apps, and drivers you installed and any changes you made to **Settings**. Go to **Settings > Update & security > Recovery > Reset this PC > Get started** and look for **Restore factory settings**. -* If you have a product key for your previous version of Windows, use the media creation tool to create installation media of your previous Windows 10 edition and use it to do a clean install. +If going back isn't available: +* Check if you can restore your PC to factory settings. This restoration will reinstall the version of Windows that came with your PC and remove personal files, apps, and drivers you installed and any changes you made to **Settings**. Go to **Settings > Update & security > Recovery > Reset this PC > Get started** and look for **Restore factory settings**. +* If you've a product key for your previous version of Windows, use the media creation tool to create installation media of your previous Windows 10 edition and use it to do a clean install. After going back to your previous edition of Windows 10, you may receive the following message when launching Win32 apps: @@ -162,7 +162,7 @@ After going back to your previous edition of Windows 10, you may receive the fol If you see this message, follow these steps to stop receiving the message: -1. If you have BitLocker enabled, disable it first in the Control Panel. Go to **Manage BitLocker** and select **Turn off BitLocker**. +1. If you've BitLocker enabled, disable it first in the Control Panel. Go to **Manage BitLocker** and select **Turn off BitLocker**. 2. Open Windows **Settings** and go to **Update & security > Recovery**. 3. In the **Recovery** page, find **Advanced startup** and select **Restart now** to start your PC. 4. After restarting, in the **Choose an option** page, select **Troubleshoot**. @@ -171,7 +171,7 @@ If you see this message, follow these steps to stop receiving the message: 7. Once you've accessed UEFI, look for the menu item labeled **Security** or **Security Settings** and navigate to it. 8. Look for an option called **Secure boot configuration**, **Secure boot**, or **UEFI Boot**. If you can't find one of these options, check the **Boot** menu. 9. Disable the secure boot/UEFI boot option. -10. Save your settings and then exit UEFI. This will restart your PC. +10. Save your settings and then exit UEFI. This exit action will restart your PC. 11. After Windows is done booting up, confirm that you no longer see the message. > [!NOTE] @@ -195,7 +195,7 @@ To use an installation media to reinstall Windows 10, follow these steps. If you're not seeing the setup screen, your PC might not be set up to boot from a drive. Check your PC manufacturer's website for information on how to change your PC's boot order, and then try again. 8. Select **Install now**. -9. On the **Enter the product key to active Windows** page, enter a product key if you have one. If you upgraded to Windows 10 for free, or bought and activated Windows 10 from the Microsoft Store, select **Skip** and Windows will automatically activate later. For more information, see [Activation in Windows 10](https://support.microsoft.com/help/12440/windows-10-activation). +9. On the **Enter the product key to active Windows** page, enter a product key if you've one. If you upgraded to Windows 10 for free, or bought and activated Windows 10 from the Microsoft Store, select **Skip** and Windows will automatically activate later. For more information, see [Activation in Windows 10](https://support.microsoft.com/help/12440/windows-10-activation). 10. On the **License terms** page, select **I accept the license terms** if you agree, and then select **Next**. 11. On the **Which type of installation do you want?** page, select **Custom**. 12. On the **where do you want to install Windows?** page, select a partition, select a formatting option (if necessary), and then follow the instructions. @@ -213,16 +213,16 @@ When you're ready, you can download the Windows 10 in S mode installer by clicki After you install Windows 10 in S mode, the OS defaults to the English version. To change the UI and show the localized UI, go to **Settings > Time & language > Region & language >** in **Languages** select **Add a language** to add a new language or select an existing language and set it as the default. ## Terms and Conditions -Because you’re installing Windows 10 in S mode on a running version of Windows 10, you have already accepted the Windows 10 Terms and Conditions. You are not required to accept it again and the Windows 10 installer doesn’t show a Terms and Conditions page during installation. +Because you’re installing Windows 10 in S mode on a running version of Windows 10, you've already accepted the Windows 10 Terms and Conditions. you'ren't required to accept it again and the Windows 10 installer doesn’t show a Terms and Conditions page during installation. ## Support -Thank you for testing Windows 10 in S mode. Your best experience will be running on a supported device as mentioned above. However, we invite you to try Windows 10 in S mode on existing devices with an eligible operating system. If you are having difficulty installing or running Windows 10 in S mode, use the Windows **Feedback Hub** to report your experience to Microsoft. This is the best way to help improve Windows 10 in S mode with your feedback. +Thank you for testing Windows 10 in S mode. Your best experience will be running on a supported device as mentioned above. However, we invite you to try Windows 10 in S mode on existing devices with an eligible operating system. If you're having difficulty installing or running Windows 10 in S mode, use the Windows **Feedback Hub** to report your experience to Microsoft. This feedback is the best way to help improve Windows 10 in S mode with your feedback. Common support questions for the Windows 10 in S mode test program: * **How do I activate if I don't have a Windows 10 in S mode product key?** - As stated above, devices running Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, or Windows 10 Enterprise can install and run Windows 10 in S mode and it will automatically activate. Testing Windows 10 in S mode on a device running Windows 10 Home is not recommended and supported at this time. + As stated above, devices running Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, or Windows 10 Enterprise can install and run Windows 10 in S mode and it will automatically activate. Testing Windows 10 in S mode on a device running Windows 10 Home isn't recommended and supported at this time. * **Will my OEM help me run Windows 10 in S mode?** @@ -234,11 +234,11 @@ Common support questions for the Windows 10 in S mode test program: * **What if I want to move from Windows 10 in S mode to Windows 10 Pro?** - If you want to discontinue using Windows 10 in S mode, follow the instructions to return to your previous installation of Windows 10. If you already had Windows 10 Pro or Windows 10 Pro Education on the device you are testing on, you should be able to move to Windows 10 Pro or Windows 10 Pro Education at no charge with the instructions in this document. Otherwise, there may be a cost to acquire a Windows 10 Pro license in the Store. + If you want to discontinue using Windows 10 in S mode, follow the instructions to return to your previous installation of Windows 10. If you already had Windows 10 Pro or Windows 10 Pro Education on the device you're testing on, you should be able to move to Windows 10 Pro or Windows 10 Pro Education at no charge with the instructions in this document. Otherwise, there may be a cost to acquire a Windows 10 Pro license in the Store. For help with activation issues, click on the appropriate link below for support options. -* For Volume Licensing Agreement or Shape the Future program customers, go to the [Microsoft Commercial Support](https://support.microsoft.com/gp/commercialsupport) website and select the country/region in which you are seeking commercial support to contact our commercial support team. -* If you do not have a Volume Licensing Agreement, go to the [Microsoft Support](https://support.microsoft.com/contactus/) website and choose a support option. +* For Volume Licensing Agreement or Shape the Future program customers, go to the [Microsoft Commercial Support](https://support.microsoft.com/gp/commercialsupport) website and select the country/region in which you're seeking commercial support to contact our commercial support team. +* If you don't have a Volume Licensing Agreement, go to the [Microsoft Support](https://support.microsoft.com/contactus/) website and choose a support option.

                                1 Internet access fees may apply.
                                diff --git a/education/windows/windows-editions-for-education-customers.md b/education/windows/windows-editions-for-education-customers.md index f64a279787..48018ebd1d 100644 --- a/education/windows/windows-editions-for-education-customers.md +++ b/education/windows/windows-editions-for-education-customers.md @@ -22,7 +22,7 @@ manager: dansimp Windows 10, version 1607 (Anniversary Update) continues our commitment to productivity, security, and privacy for all customers. Windows 10 Pro and Windows 10 Enterprise offer the functionality and safety features demanded by business and education customers around the globe. Windows 10 is the most secure Windows we’ve ever built. All of our Windows commercial editions can be configured to support the needs of schools, through group policies, domain join, and more. To learn more about Microsoft’s commitment to security and privacy in Windows 10, see more on both [security](https://go.microsoft.com/fwlink/?LinkId=822619) and [privacy](https://go.microsoft.com/fwlink/?LinkId=822620). -Beginning with version 1607, Windows 10 offers a variety of new features and functionality, such as simplified provisioning with the [Set up School PCs app](./use-set-up-school-pcs-app.md) or [Windows Configuration Designer](./set-up-students-pcs-to-join-domain.md), easier delivery of digital assessments with [Take a Test](./take-tests-in-windows-10.md), and faster log in performance for shared devices than ever before. These features work with all Windows for desktop editions, excluding Windows 10 Home. You can find more information on [windows.com](https://www.windows.com/). +Beginning with version 1607, Windows 10 offers various new features and functionality, such as simplified provisioning with the [Set up School PCs app](./use-set-up-school-pcs-app.md) or [Windows Configuration Designer](./set-up-students-pcs-to-join-domain.md), easier delivery of digital assessments with [Take a Test](./take-tests-in-windows-10.md), and faster sign-in performance for shared devices than ever before. These features work with all Windows for desktop editions, excluding Windows 10 Home. You can find more information on [windows.com](https://www.windows.com/). Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: [Windows 10 Pro Education](#windows-10-pro-education) and [Windows 10 Education](#windows-10-education). These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments. @@ -35,7 +35,7 @@ For Cortana[1](#footnote1): - If you're using new devices with version 1703 or later, Cortana is turned on by default. - If you're upgrading from version 1607 to version 1703 or later, Cortana will be enabled. -You can use the **AllowCortana** policy to turn Cortana off. For more information, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md). +You can use the **AllowCortana** policy to turn off Cortana. For more information, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md). Windows 10 Pro Education is available on new devices pre-installed with Windows 10, version 1607 or newer versions that are purchased with discounted K-12 academic licenses through OEM partners (these discounted licenses are sometimes referred to as National Academic or Shape the Future). @@ -54,9 +54,9 @@ For Cortana1: - If you're using new devices with version 1703 or later, Cortana is turned on by default. - If you're upgrading from version 1607 to version 1703 or later, Cortana will be enabled. -You can use the **AllowCortana** policy to turn Cortana off. For more information, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md). +You can use the **AllowCortana** policy to turn off Cortana. For more information, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md). -Windows 10 Education is available through Microsoft Volume Licensing. Customers who are already running Windows 10 Education can upgrade to Windows 10, version 1607 or newer versions through Windows Update or from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). We recommend Windows 10 Education to all K-12 customers as it provides the most complete and secure edition for education environments. If you do not have access to Windows 10 Education, contact your Microsoft representative or see more information [here](https://go.microsoft.com/fwlink/?LinkId=822628). +Windows 10 Education is available through Microsoft Volume Licensing. Customers who are already running Windows 10 Education can upgrade to Windows 10, version 1607 or newer versions through Windows Update or from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). We recommend Windows 10 Education to all K-12 customers as it provides the most complete and secure edition for education environments. If you don't have access to Windows 10 Education, contact your Microsoft representative or see more information [here](https://go.microsoft.com/fwlink/?LinkId=822628). Customers who deploy Windows 10 Enterprise are able to configure the product to have similar feature settings to Windows 10 Education using policies. More detailed information on these policies and the configuration steps required is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](/windows/configuration/manage-tips-and-suggestions). We recommend that K-12 customers using commercial Windows 10 Enterprise read the [document](/windows/configuration/manage-tips-and-suggestions) and apply desired settings for your environment. From 3968477bfb9bf13185a1d03aac37116680bd5a63 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 11 Feb 2022 13:14:57 +0530 Subject: [PATCH 33/68] fixed warnings and suggestions --- education/windows/edu-deployment-recommendations.md | 2 +- education/windows/school-get-minecraft.md | 12 ++++++------ .../windows/set-up-students-pcs-to-join-domain.md | 2 +- education/windows/teacher-get-minecraft.md | 8 ++++---- 4 files changed, 12 insertions(+), 12 deletions(-) diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md index 85f9441c0c..fb2c72d34b 100644 --- a/education/windows/edu-deployment-recommendations.md +++ b/education/windows/edu-deployment-recommendations.md @@ -127,7 +127,7 @@ To manage and edit your profile in the Skype UWP app, follow these steps: 6. To change the profile picture, go to the Skype app and click on the current profile picture or avatar. The **Manage Profile Picture** window pops up. - ![Skype profile icon.](images/skype_uwp_manageprofilepic.png) + ![The icon for Skype profile.](images/skype_uwp_manageprofilepic.png) * To take a new picture, click the camera icon in the pop-up window. To upload a new picture, click the three dots (**...**). diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md index 38b068d300..cecd19a97a 100644 --- a/education/windows/school-get-minecraft.md +++ b/education/windows/school-get-minecraft.md @@ -70,7 +70,7 @@ If you’ve been approved and are part of the Enrollment for Education Solutions Now that the app is in your Microsoft Store for Education inventory, you can choose how to distribute Minecraft. For more information on distribution options, see [Distribute Minecraft](#distribute-minecraft). -If you need additional licenses for **Minecraft: Education Edition**, see [Purchase additional licenses](./education-scenarios-store-for-business.md#purchase-additional-licenses). +If you need additional licenses for **Minecraft: Education Edition**, see [Purchase additional licenses](./education-scenarios-store-for-business.md#purchase-more-licenses). ### Minecraft: Education Edition - volume licensing Qualified education institutions can purchase Minecraft: Education Edition licenses through their Microsoft channel partner. Schools need to be part of the Enrollment for Education Solutions (EES) volume licensing program. Educational institutions should work with their channel partner to determine which Minecraft: Education Edition licensing offer is best for their institution. The process looks like this: @@ -117,7 +117,7 @@ After you've finished the purchase, you can find your invoice by checking **Mine 4. On **Invoice Bills**, click the invoice number to view and download your invoice. It downloads as a .pdf. - ![Minecraft: Education Edition app details page with view bills link highlighted.](images/mcee-invoice-bills.png) + ![Minecraft: The page displaying details of the Education Edition app with view bills link highlighted.](images/mcee-invoice-bills.png) The **Payment Instructions** section on the first page of the invoice has information on invoice amount, due date, and how to pay with electronic funds transfer, or with a check. @@ -158,7 +158,7 @@ For Minecraft: Education Edition, you can use auto assign subscription to contro -Or- - ![Minecraft Education Edition product page with auto assign control highlighted.](images/mcee-auto-assign-bd.png) + ![The page of the Minecraft Education Edition product with auto assign control highlighted.](images/mcee-auto-assign-bd.png) 3. Slide the **Auto assign subscription** or click **Turn off auto assign subscription**. @@ -225,11 +225,11 @@ Minecraft: Education Edition will not install if there are updates pending for o 1. Start Microsoft Store app on the PC (click **Start**, and type **Store**). 2. Click the account button, and then click **Downloads and updates**. - ![Microsoft Store app showing access to My Library.](images/minecraft-private-store.png) + ![Microsoft Store app displaying access to My Library.](images/minecraft-private-store.png) 3. Click **Check for updates**, and install all available updates. - ![Microsoft Store app showing access to My Library.](images/mc-check-for-updates.png) + ![Microsoft Store app displaying the navigation path to My Library.](images/mc-check-for-updates.png) 4. Restart the computer before installing Minecraft: Education Edition. @@ -238,7 +238,7 @@ You'll download a .zip file, extract the files, and then use one of the files to 1. **Download Minecraft Education Edition.zip**. From the **Minecraft: Education Edition** page, click **Download for others** tab, and then click **Download**. - ![Microsoft Store app showing access to My Library.](images/mc-dnld-others-teacher.png) + ![Microsoft Store app page showing access to My Library.](images/mc-dnld-others-teacher.png) 2. **Extract files**. Find the .zip file that you downloaded and extract the files. This is usually your **Downloads** folder, unless you chose to save the .zip file to a different location. Right-click the file and choose **Extract all**. 3. **Save to USB drive**. After you've extracted the files, save the Minecraft: Education Edition folder to a USB drive, or to a network location that you can access from each PC. diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md index 27782bf2e2..cbad40867b 100644 --- a/education/windows/set-up-students-pcs-to-join-domain.md +++ b/education/windows/set-up-students-pcs-to-join-domain.md @@ -1,6 +1,6 @@ --- title: Set up student PCs to join domain -description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory. +description: Learn how to use Configuration Designer to provision student devices to join Active Directory. keywords: school, student PC setup, Windows Configuration Designer ms.prod: w10 ms.mktglfcycl: plan diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md index 009e47065c..8d9850ce64 100644 --- a/education/windows/teacher-get-minecraft.md +++ b/education/windows/teacher-get-minecraft.md @@ -109,7 +109,7 @@ Students will receive an email with a link that will install the app on their PC After installing the app, students can find Minecraft: Education Edition in Microsoft Store app under **My Library**. - ![Microsoft Store app showing access to My Library.](images/minecraft-private-store.png) + ![Microsoft Store app directing the navigation to My Library.](images/minecraft-private-store.png) When students click **My Library** they'll find apps assigned to them. @@ -132,11 +132,11 @@ Minecraft: Education Edition won't install if there are updates pending for othe 1. Start Microsoft Store app on the PC (click **Start**, and type **Store**). 2. Click the account button, and then click **Downloads and updates**. - ![Microsoft Store app showing access to My Library.](images/minecraft-private-store.png) + ![Microsoft Store app displaying the navigation to the My Library option.](images/minecraft-private-store.png) 3. Click **Check for updates**, and install all available updates. - ![Microsoft Store app showing access to My Library.](images/mc-check-for-updates.png) + ![Microsoft Store app directing the navigation to the My Library submenu item.](images/mc-check-for-updates.png) 4. Restart the computer before installing Minecraft: Education Edition. @@ -145,7 +145,7 @@ You'll download a .zip file, extract the files, and then use one of the files to 1. **Download Minecraft Education Edition.zip**. From the **Minecraft: Education Edition** page, click **Download for others** tab, and then click **Download**. - ![Microsoft Store app showing access to My Library.](images/mc-dnld-others-teacher.png) + ![Microsoft Store app depicting the navigation path to the My Library option.](images/mc-dnld-others-teacher.png) 2. **Extract files**. Find the .zip file that you downloaded and extract the files. This downloaded location is usually your **Downloads** folder, unless you chose to save the .zip file to a different location. Right-click the file and choose **Extract all**. 3. **Save to USB drive**. After you've extracted the files, save the Minecraft: Education Edition folder to a USB drive, or to a network location that you can access from each PC. From 6d7a30f8119d34ef0c7997f8e4f6a7897f554772 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 11 Feb 2022 19:34:43 +0530 Subject: [PATCH 34/68] Acrolinx score --- .../app-v/appv-about-appv.md | 6 +- ...ation-publishing-and-client-interaction.md | 134 +++++++++--------- .../app-v/appv-auto-batch-sequencing.md | 8 +- .../app-v/appv-auto-batch-updating.md | 8 +- .../app-v/appv-auto-provision-a-vm.md | 2 +- .../app-v/appv-capacity-planning.md | 36 ++--- .../appv-client-configuration-settings.md | 18 +-- ...pv-connection-group-virtual-environment.md | 10 +- ...e-created-in-a-previous-version-of-appv.md | 10 +- .../appv-create-a-package-accelerator.md | 4 +- ...g-and-managing-virtualized-applications.md | 22 +-- ...ploying-microsoft-office-2013-with-appv.md | 36 ++--- ...ploying-microsoft-office-2016-with-appv.md | 34 ++--- 13 files changed, 165 insertions(+), 163 deletions(-) diff --git a/windows/application-management/app-v/appv-about-appv.md b/windows/application-management/app-v/appv-about-appv.md index 83fd92e681..1dd3aaa6a8 100644 --- a/windows/application-management/app-v/appv-about-appv.md +++ b/windows/application-management/app-v/appv-about-appv.md @@ -27,8 +27,8 @@ Previous versions of the App-V Sequencer required manual sequencing and updating Using the automatic sequencer to package your apps gives you the following benefits: * **Automatic virtual machine (VM) sequencing environment provisioning**. To learn more, see [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-provision-a-vm.md). -* **Package batch-sequencing**. This means that multiple apps can be sequenced at the same time, in a single group. To learn more, see [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md). -* **Package batch-updating**. This means that multiple apps can be updated at the same time, in a single group. To learn more, see [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md). +* **Package batch-sequencing**. This benefit denotes that multiple apps can be sequenced at the same time, in a single group. To learn more, see [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md). +* **Package batch-updating**. This benefit denotes that multiple apps can be updated at the same time, in a single group. To learn more, see [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md). ### Updates to the App-V project template @@ -36,7 +36,7 @@ Starting with Windows 10, version 1703, you can now save an App-V project templa ### Automatically clean up unpublished App-V packages from the App-V client -Previous versions of App-V have required you to manually remove your unpublished packages from your client devices, to free up additional storage space. Windows 10, version 1703 introduces the ability to use PowerShell or Group Policy settings to automatically clean up your unpublished packages after a device restart. To learn more, see [Automatically clean up unpublished packages on the App-V client](../app-v/appv-auto-clean-unpublished-packages.md). +Previous versions of App-V have required you to manually remove your unpublished packages from your client devices, to free up more storage space. Windows 10, version 1703 introduces the ability to use PowerShell or Group Policy settings to automatically clean up your unpublished packages after a device restart. To learn more, see [Automatically clean up unpublished packages on the App-V client](../app-v/appv-auto-clean-unpublished-packages.md). ## What's new in App-V in Windows 10, version 1607 diff --git a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md index 0c949d9dd5..9a59078548 100644 --- a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md +++ b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md @@ -67,9 +67,9 @@ The App-V Client performs tasks to keep virtual applications running properly an | Copy on Write (COW) Local | %LocalAppData%\Microsoft\AppV\Client\VFS| Writeable non-roaming location for package modification.| | Machine Registry | HKLM\Software\Microsoft\AppV| Contains package state information, including VReg for machine or globally published packages (Machine hive).| | User Registry | HKCU\Software\Microsoft\AppV| Contains user package state information including VReg.| -| User Registry Classes | HKCU\Software\Classes\AppV| Contains additional user package state information.| +| User Registry Classes | HKCU\Software\Classes\AppV| Contains more user package state information.| -Additional details for the table are provided in the section below and throughout the document. +More details for the table are provided in the section below and throughout the document. ### Package store @@ -92,10 +92,10 @@ If the App-V Client is configured in Shared Content Store mode, no data is writt ### Package catalogs -The App-V Client manages the following two file-based locations: +The App-V Client manages the following file-based locations: - **Catalogs (user and machine).** -- **Registry locations**—depends on how the package is targeted for publishing. There is a Catalog (data store) for the computer, and a catalog for each individual user. The Machine catalog stores global information applicable to all users or any specific user, and the User catalog stores information applicable to a specific user. The catalog is a collection of Dynamic Configurations and manifest files; there is discrete data for both file and registry per package version. +- **Registry locations**—depends on how the package is targeted for publishing. There's a Catalog (data store) for the computer, and a catalog for each individual user. The Machine catalog stores global information applicable to all users or any specific user, and the User catalog stores information applicable to a specific user. The catalog is a collection of Dynamic Configurations and manifest files; there's discrete data for both file and registry per package version. ### Machine catalog @@ -103,8 +103,8 @@ The locations described in this table can be found in the %programdata%\Microsof | | Location | |:---|:---| -|**Description**|Stores package documents that are available to users on the machine when packages are added and published. However, if a package is “global” at publishing time, the integrations are available to all users.

                                If a package is non-global, the integrations are published only for specific users, but there are still global resources that are modified and visible to anyone on the client computer (such as when the package directory is in a shared disk location).

                                If a package is available to a user on the computer (global or non-global), the manifest is stored in the Machine Catalog. When a package is published globally, there is a Dynamic Configuration file, stored in the Machine Catalog; therefore, the determination of whether a package is global is defined according to whether there is a policy file (UserDeploymentConfiguration file) in the Machine Catalog.| -|**Default storage location**|%programdata%\Microsoft\AppV\Client\Catalog\

                                This location is not the same as the Package Store location. The Package Store is the golden or pristine copy of the package files.| +|**Description**|Stores package documents that are available to users on the machine when packages are added and published. However, if a package is “global” at publishing time, the integrations are available to all users.

                                If a package is non-global, the integrations are published only for specific users, but there are still global resources that are modified and visible to anyone on the client computer (such as when the package directory is in a shared disk location).

                                If a package is available to a user on the computer (global or non-global), the manifest is stored in the Machine Catalog. When a package is published globally, there's a Dynamic Configuration file, stored in the Machine Catalog; therefore, the determination of whether a package is global is defined according to whether there's a policy file (UserDeploymentConfiguration file) in the Machine Catalog.| +|**Default storage location**|%programdata%\Microsoft\AppV\Client\Catalog\

                                This location isn't the same as the Package Store location. The Package Store is the golden or pristine copy of the package files.| |**Files in the machine catalog**|- Manifest.xml
                                - DeploymentConfiguration.xml
                                - UserManifest.xml (Globally Published Package)
                                - UserDeploymentConfiguration.xml (Globally Published Package)| |**Additional machine catalog location, used when the package is part of a connection group**|The following location is in addition to the specific package location mentioned previously as the default storage location:

                                %programdata%\Microsoft\AppV\Client\Catalog\PackageGroups\ConGroupGUID\ConGroupVerGUID| |**Additional files in the machine catalog when the package is part of a connection group**|- PackageGroupDescriptor.xml
                                - UserPackageGroupDescriptor.xml (globally published Connection Group)| @@ -115,7 +115,7 @@ The locations described in this table can be found in the appdata\roaming\Micros || Location | |:---|:---| -|**Description**|Created during the publishing process. Contains information used for publishing the package, and for making sure that a package is provisioned to a specific user at launch. Created in a roaming location and includes user-specific publishing information.

                                When a package is published for a user, the policy file is stored in the User Catalog. At the same time, a copy of the manifest is also stored in the User Catalog. When a package entitlement is removed for a user, the relevant package files are removed from the User Catalog. Looking at the user catalog, an administrator can view the presence of a Dynamic Configuration file, which indicates that the package is entitled for that user.

                                For roaming users, the User Catalog needs to be in a roaming or shared location to preserve the legacy App-V behavior of targeting users by default. Entitlement and policy are tied to a user, not a computer, so they should roam with the user once they are provisioned.| +|**Description**|Created during the publishing process. Contains information used for publishing the package, and for making sure that a package is provisioned to a specific user at launch. Created in a roaming location and includes user-specific publishing information.

                                When a package is published for a user, the policy file is stored in the User Catalog. At the same time, a copy of the manifest is also stored in the User Catalog. When a package entitlement is removed for a user, the relevant package files are removed from the User Catalog. Looking at the user catalog, an administrator can view the presence of a Dynamic Configuration file, which indicates that the package is entitled for that user.

                                For roaming users, the User Catalog needs to be in a roaming or shared location to preserve the legacy App-V behavior of targeting users by default. Entitlement and policy are tied to a user, not a computer, so they should roam with the user once they're provisioned.| |**Default storage location**|appdata\roaming\Microsoft\AppV\Client\Catalog\Packages\PkgGUID\VerGUID| |**Files in the user catalog**|- UserManifest.xml
                                - DynamicConfiguration.xml or UserDeploymentConfiguration.xml| |**Additional user catalog location, used when the package is part of a connection group**|The following location is in addition to the specific package location mentioned above:

                                appdata\roaming\Microsoft\AppV\Client\Catalog\PackageGroups\PkgGroupGUID\PkgGroupVerGUID| @@ -135,7 +135,7 @@ The COW Roaming location described above stores changes to files and directories ### COW local -The COW Local location is similar to the roaming location, but the directories and files are not roamed to other computers, even if roaming support has been configured. The COW Local location described above stores changes applicable to typical windows and not the %AppData% location. The directories listed will vary but there will be two locations for any typical Windows locations (for example, Common AppData and Common AppDataS). The **S** signifies the restricted location when the virtual service requests the change as a different elevated user from the signed-in users. The non-**S** location stores user-based changes. +The COW Local location is similar to the roaming location, but the directories and files aren't roamed to other computers, even if roaming support has been configured. The COW Local location described above stores changes applicable to typical windows and not the %AppData% location. The directories listed will vary but there will be two locations for any typical Windows locations (for example, Common AppData and Common AppDataS). The **S** signifies the restricted location when the virtual service requests the change as a different elevated user from the signed-in users. The non-**S** location stores user-based changes. ## Package registry @@ -151,15 +151,15 @@ When the first application from the package is launched on the client, the clien When connection groups are present, the previous process of staging the registry holds true, but instead of having one hive file to process, there are more than one. The files are processed in the order in which they appear in the connection group XML, with the first writer winning any conflicts. -The staged registry persists the same way as in the single package case. Staged user registry data remains for the connection group until it is disabled; staged machine registry data is removed on connection group removal. +The staged registry persists the same way as in the single package case. Staged user registry data remains for the connection group until it's disabled; staged machine registry data is removed on connection group removal. ### Virtual registry -The purpose of the virtual registry (VREG) is to provide a single merged view of the package registry and the native registry to applications. It also provides copy-on-write (COW) functionality—that is, any changes made to the registry from the context of a virtual process are made to a separate COW location. This means that the VREG must combine up to three separate registry locations into a single view based on the populated locations in the **registry COW** > **package** > **native**. When a request is made for a registry data it will locate in order until it finds the data it was requesting. Meaning if there is a value stored in a COW location it will not proceed to other locations, however, if there is no data in the COW location it will proceed to the Package and then Native location until it finds the appropriate data. +The purpose of the virtual registry (VREG) is to provide a single merged view of the package registry and the native registry to applications. It also provides copy-on-write (COW) functionality—that is, any changes made to the registry from the context of a virtual process are made to a separate COW location. This functionality means that the VREG must combine up to three separate registry locations into a single view based on the populated locations in the **registry COW** > **package** > **native**. When a request is made for a registry data it will locate in order until it finds the data it was requesting. Meaning if there's a value stored in a COW location it will not proceed to other locations, however, if there's no data in the COW location it will proceed to the Package and then Native location until it finds the appropriate data. ### Registry locations -There are two package registry locations and two connection group locations where the App-V Client stores registry information, depending on whether the Package is published individually or as part of a connection group. There are three COW locations for packages and three for connection groups, which are created and managed by the VREG. Settings for packages and connection groups are not shared: +There are two package registry locations and two connection group locations where the App-V Client stores registry information, depending on whether the Package is published individually or as part of a connection group. There are three COW locations for packages and three for connection groups, which are created and managed by the VREG. Settings for packages and connection groups aren't shared: #### Single Package VReg @@ -207,7 +207,7 @@ The following locations are configured as pass-through locations by default: - HKEY\_CURRENT\_USER\\SOFTWARE\\Policies -The purpose of pass-through keys is to ensure that a virtual application does not write registry data in the VReg that is required for non-virtual applications for successful operation or integration. The Policies key ensures that Group Policy-based settings set by the administrator are utilized and not per package settings. The AppModel key is required for integration with Windows Modern UI-based applications. Administers ideally should not modify any of the default pass-through keys, but in some instances, the admin may need to add additional pass-through keys to adjust application behavior. +The purpose of pass-through keys is to ensure that a virtual application doesn't write registry data in the VReg that is required for non-virtual applications for successful operation or integration. The Policies key ensures that Group Policy-based settings set by the administrator are utilized and not per package settings. The AppModel key is required for integration with Windows Modern UI-based applications. Administers ideally shouldn't modify any of the default pass-through keys, but in some instances, the admin may need to add more pass-through keys to adjust application behavior. ## App-V package store behavior @@ -233,7 +233,7 @@ The App-V Client can be configured to change the default behavior of streaming. |PackageSourceRoot|The root override where packages should be streamed from| |SharedContentStoreMode|Enables the use of Shared Content Store for VDI scenarios| -These settings affect the behavior of streaming App-V package assets to the client. By default, App-V only downloads the assets required after downloading the initial publishing and primary feature blocks. There are three specific behaviors in streaming packages that it's particularly important to understand: +These settings affect the behavior of streaming App-V package assets to the client. By default, App-V only downloads the assets required after downloading the initial publishing and primary feature blocks. There are three specific behaviors in streaming packages that is important to understand: - Background Streaming - Optimized Streaming @@ -241,7 +241,7 @@ These settings affect the behavior of streaming App-V package assets to the clie ### Background streaming -The Windows PowerShell cmdlet **Get-AppvClientConfiguration** can be used to determine the current mode for background streaming with the AutoLoad setting and modified with either the **Set-AppvClientConfiguration** cmdlet or from the registry (HKLM\\SOFTWARE\\Microsoft\\AppV\\ClientStreaming key). Background streaming is a default setting where the Autoload setting is set to download previously used packages. The behavior based on default setting (value=1) downloads App-V data blocks in the background after the application has been launched. This setting can either be disabled altogether (value=0) or enabled for all packages (value=2), regardless of whether they have been launched. +The Windows PowerShell cmdlet **Get-AppvClientConfiguration** can be used to determine the current mode for background streaming with the AutoLoad setting and modified with either the **Set-AppvClientConfiguration** cmdlet or from the registry (HKLM\\SOFTWARE\\Microsoft\\AppV\\ClientStreaming key). Background streaming is a default setting where the Autoload setting is set to download previously used packages. The behavior based on default setting (value=1) downloads App-V data blocks in the background after the application has been launched. This setting can either be disabled altogether (value=0) or enabled for all packages (value=2), regardless of whether they've been launched. ### Optimized streaming @@ -249,7 +249,7 @@ App-V packages can be configured with a primary feature block during sequencing. ### Stream faults -After the initial stream of any publishing data and the primary feature block, requests for additional files perform stream faults. These blocks of data are downloaded to the package store on an as-needed basis. This allows a user to download only a small part of the package, typically enough to launch the package and run normal tasks. All other blocks are downloaded when a user initiates an operation that requires data not currently in the package store. +After the initial stream of any publishing data and the primary feature block, requests for more files perform stream faults. These blocks of data are downloaded to the package store on an as-needed basis. This flexibility allows a user to download only a small part of the package, typically enough to launch the package and run normal tasks. All other blocks are downloaded when a user initiates an operation that requires data not currently in the package store. ### Package upgrades @@ -257,11 +257,11 @@ App-V Packages require updating throughout the lifecycle of the application. App ### Package removal -The App-V Client's behavior when packages are removed depends on the package removal method. Using an App-V full infrastructure to unpublish the application, the user catalog files (machine catalog for globally published applications) are removed, but the package store location and COW locations remain. When the **Remove-AppVClientPackge** Windows PowerShell cmdlet is used to remove an App-V Package, the package store location is cleaned. Remember that unpublishing an App-V Package from the Management Server does not perform a Remove operation. Neither operation will remove the Package Store package files. +The App-V Client's behavior when packages are removed depends on the package removal method. Using an App-V full infrastructure to unpublish the application, the user catalog files (machine catalog for globally published applications) are removed, but the package store location and COW locations remain. When the **Remove-AppVClientPackge** Windows PowerShell cmdlet is used to remove an App-V Package, the package store location is cleaned. Remember that unpublishing an App-V Package from the Management Server doesn't perform a Remove operation. Neither operation will remove the Package Store package files. ## Roaming registry and data -App-V is able to provide a near-native experience when roaming, depending on how the application being used is written. By default, App-V roams AppData that is stored in the roaming location, based on the roaming configuration of the operating system. Other locations for storage of file-based data do not roam from computer to computer, since they are in locations that are not roamed. +App-V is able to provide a near-native experience when roaming, depending on how the application being used is written. By default, App-V roams AppData that is stored in the roaming location, based on the roaming configuration of the operating system. Other locations for storage of file-based data don't roam from computer to computer, since they're in locations that aren't roamed. ### Roaming requirements and user catalog data storage @@ -270,7 +270,7 @@ App-V stores data, which represents the state of the user’s catalog, in the fo - Files under %appdata%\\Microsoft\\AppV\\Client\\Catalog - Registry settings under HKEY_CURRENT_USER\Software\Microsoft\AppV\Client\Packages -Together, these files and registry settings represent the user’s catalog, so either both must be roamed, or neither must be roamed for a given user. App-V does not support roaming %AppData%, but not roaming the user’s profile (registry), or vice versa. +Together, these files and registry settings represent the user’s catalog, so either both must be roamed, or neither must be roamed for a given user. App-V doesn't support roaming %AppData%, but not roaming the user’s profile (registry), or vice versa. >[!NOTE] >The **Repair-AppvClientPackage** cmdlet doesn't repair the publishing state of packages where the user’s App-V state under HKEY_CURRENT_USER is missing or mismatched with the data in %appdata%. @@ -281,8 +281,8 @@ App-V registry roaming falls into two scenarios, as shown in the following table |Scenario|Description| |---|---| -|Applications that are run as standard users|When a standard user launches an App-V application, both HKLM and HKCU for App-V applications are stored in the HKCU hive on the machine. This presents as two distinct paths:

                                - HKLM's location is HKCU\SOFTWARE\Classes\AppV\Client\Packages\\{PkgGUID}\REGISTRY\MACHINE\SOFTWARE
                                - HKCU's location is HKCU\SOFTWARE\Microsoft\AppV\Client\Packages\\{PkgGUID}\REGISTRY\USER\\{UserSID}\SOFTWARE

                                The locations are enabled for roaming based on the operating system settings.| -|Applications that are run with elevation|When an application is launched with elevation:

                                - HKLM data is stored in the HKLM hive on the local computer
                                - HKCU data is stored in the User Registry location

                                In this scenario, these settings are not roamed with normal operating system roaming configurations, and the resulting registry keys and values are stored in the following locations:

                                - HKLM's location is HKLM\SOFTWARE\Microsoft\AppV\Client\Packages\\{PkgGUID}\\{UserSID}\REGISTRY\MACHINE\SOFTWARE
                                - HKCU's location is HKCU\SOFTWARE\Microsoft\AppV\Client\Packages\\{PkgGUID}\\Registry\User\\{UserSID}\SOFTWARE| +|Applications that are run as standard users|When a standard user launches an App-V application, both HKLM and HKCU for App-V applications are stored in the HKCU hive on the machine. This scenario presents two distinct paths:

                                - HKLM's location is HKCU\SOFTWARE\Classes\AppV\Client\Packages\\{PkgGUID}\REGISTRY\MACHINE\SOFTWARE
                                - HKCU's location is HKCU\SOFTWARE\Microsoft\AppV\Client\Packages\\{PkgGUID}\REGISTRY\USER\\{UserSID}\SOFTWARE

                                The locations are enabled for roaming based on the operating system settings.| +|Applications that are run with elevation|When an application is launched with elevation:

                                - HKLM data is stored in the HKLM hive on the local computer
                                - HKCU data is stored in the User Registry location

                                In this scenario, these settings aren't roamed with normal operating system roaming configurations, and the resulting registry keys and values are stored in the following locations:

                                - HKLM's location is HKLM\SOFTWARE\Microsoft\AppV\Client\Packages\\{PkgGUID}\\{UserSID}\REGISTRY\MACHINE\SOFTWARE
                                - HKCU's location is HKCU\SOFTWARE\Microsoft\AppV\Client\Packages\\{PkgGUID}\\Registry\User\\{UserSID}\SOFTWARE| ### App-V and folder redirection @@ -290,7 +290,7 @@ App-V supports folder redirection of the roaming AppData folder (%AppData%). Whe A typical package has several locations mapped in the user’s backing store for settings in both AppData\\Local and AppData\\Roaming. These locations are the Copy on Write locations that are stored per user in the user’s profile, and that are used to store changes made to the package VFS directories and to protect the default package VFS. -The following table shows local and roaming locations when folder redirection has not been implemented. +The following table shows local and roaming locations when folder redirection hasn't been implemented. | VFS directory in package | Mapped location of backing store | |---|---| @@ -310,13 +310,13 @@ The following table shows local and roaming locations when folder redirection ha | appv_ROOT | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\<GUID>\appv\_ROOT | | AppData | \\Fileserver\users\Local\roaming\Microsoft\AppV\Client\VFS\\<GUID>\AppData | -The current App-V Client VFS driver can't write to network locations, so the App-V Client detects the presence of folder redirection and copies the data on the local drive during publishing and when the virtual environment starts. After the user closes the App-V application and the App-V Client closes the virtual environment, the local storage of the VFS AppData is copied back to the network, enabling roaming to additional machines, where the process will be repeated. Here's what happens during the process: +The current App-V Client VFS driver can't write to network locations, so the App-V Client detects the presence of folder redirection and copies the data on the local drive during publishing and when the virtual environment starts. After the user closes the App-V application and the App-V Client closes the virtual environment, the local storage of the VFS AppData is copied back to the network, enabling roaming to more machines, where the process will be repeated. Here's what happens during the process: 1. During publishing or virtual environment startup, the App-V Client detects the location of the AppData directory. 2. If the roaming AppData path is local or no AppData\\Roaming location is mapped, nothing happens. -3. If the roaming AppData path is not local, the VFS AppData directory is mapped to the local AppData directory. +3. If the roaming AppData path isn't local, the VFS AppData directory is mapped to the local AppData directory. -This process solves the problem of a non-local %AppData% that is not supported by the App-V Client VFS driver. However, the data stored in this new location is not roamed with folder redirection. All changes during the running of the application happen to the local AppData location and must be copied to the redirected location. The process does the following things: +This process solves the problem of a non-local %AppData% that isn't supported by the App-V Client VFS driver. However, the data stored in this new location isn't roamed with folder redirection. All changes during the running of the application happen to the local AppData location and must be copied to the redirected location. The process does the following things: 1. Shuts down the App-V application, which also shuts down the virtual environment. 2. Compresses the local cache of the roaming AppData location and store it in a .zip file. @@ -324,7 +324,7 @@ This process solves the problem of a non-local %AppData% that is not supported b 4. Records the time stamp in the HKEY\_CURRENT\_USER\\Software\\Microsoft\\AppV\\Client\\Packages\\<GUID>\\AppDataTime registry as the last known AppData time stamp. 5. Calls the folder redirection process to evaluate and initiate the .zip file uploaded to the roaming AppData directory. -The time stamp is used to determine a “last writer wins” scenario if there is a conflict and is used to optimize the download of the data when the App-V application is published, or the virtual environment is started. Folder redirection will make the data available from any other clients covered by the supporting policy and will initiate the process of storing the AppData\\Roaming data to the local AppData location on the client. Here's what happens during the process: +The time stamp is used to determine a “last writer wins” scenario if there's a conflict and is used to optimize the download of the data when the App-V application is published, or the virtual environment is started. Folder redirection will make the data available from any other clients covered by the supporting policy and will initiate the process of storing the AppData\\Roaming data to the local AppData location on the client. Here's what happens during the process: 1. The user starts an application, which also starts the virtual environment. 2. The application’s virtual environment checks for the most recent time stamped .zip file, if present. @@ -334,7 +334,7 @@ The time stamp is used to determine a “last writer wins” scenario if there i 6. After the .zip file is successfully extracted, the local cache of the roaming AppData directory is renamed and the new data moved into place. 7. The renamed directory is deleted and the application opens with the most recently saved roaming AppData data. -This completes the successful roaming of application settings that are present in AppData\\Roaming locations. The only other condition that must be addressed is a package repair operation. The process does the following things: +This process completes the successful roaming of application settings that are present in AppData\\Roaming locations. The only other condition that must be addressed is a package repair operation. The process does the following things: 1. During repair, detects if the path to the user’s roaming AppData directory isn't local. 2. Maps the non-local roaming AppData path targets, recreating the expected roaming and local AppData locations. @@ -344,7 +344,7 @@ This process will recreate both the local and network locations for AppData and ## App-V Client application lifecycle management -In an App-V Full Infrastructure, after applications are sequenced they are managed and published to users or computers through the App-V Management and Publishing servers. This section details the operations that occur during the common App-V application lifecycle operations (Add, publishing, launch, upgrade, and removal) and the file and registry locations that are changed and modified from the App-V Client perspective. The App-V Client operations are input as PowerShell commands on the computer running the App-V Client. +In an App-V Full Infrastructure, after applications are sequenced, they're managed and published to users or computers through the App-V Management and Publishing servers. This section details the operations that occur during the common App-V application lifecycle operations (Add, publishing, launch, upgrade, and removal) and the file and registry locations that are changed and modified from the App-V Client perspective. The App-V Client operations are input as PowerShell commands on the computer running the App-V Client. This document focuses on App-V Full Infrastructure solutions. For specific information on App-V Integration with Configuration Manager 2012, see [Integrating Virtual Application Management with App-V 5 and Configuration Manager 2012 SP1](https://www.microsoft.com/download/details.aspx?id=38177). @@ -357,7 +357,7 @@ The publishing refresh process comprises several smaller operations that are per - **Add-AppVPublishingServer** configures the client with an App-V Publishing Server that provides App-V packages. - **Set-AppVPublishingServer** modifies the current settings for the App-V Publishing Server. - **Set-AppVClientConfiguration** modifies the currents settings for the App-V Client. -- **Sync-AppVPublishingServer** initiates an App-V Publishing Refresh process manually. This is also utilized in the scheduled tasks created during configuration of the publishing server. +- **Sync-AppVPublishingServer** initiates an App-V Publishing Refresh process manually. This process is also utilized in the scheduled tasks created during configuration of the publishing server. The following sections will elaborate what goes on during the publishing refresh process. @@ -365,7 +365,7 @@ The following sections will elaborate what goes on during the publishing refresh Adding an App-V package to the client is the first step of the publishing refresh process. The end result is the same as the **Add-AppVClientPackage** cmdlet in Windows PowerShell, except the publishing refresh add process contacts the configured publishing server and passes a high-level list of applications back to the client to pull more detailed information, rather than just doing a single package add operation. -The process then configures the client for package or connection group additions or updates, then accesses the appv file. Next, the contents of the appv file are expanded and placed on the local operating system in the appropriate locations. The following is a detailed workflow of the process, assuming the package is configured for Fault Streaming. +The process then configures the client for package or connection group additions or updates, then accesses the appv file. Next, the contents of the appv file are expanded and placed on the local operating system in the appropriate locations. The following steps are a detailed workflow of the process, assuming the package is configured for Fault Streaming. #### How to add an App-V package @@ -373,9 +373,9 @@ The process then configures the client for package or connection group additions 1. The App-V Client makes an HTTP connection and requests a list of applications based on the target. The Publishing refresh process supports targeting machines or users. - 2. The App-V Publishing Server uses the identity of the initiating target, user or machine, and queries the database for a list of entitled applications. The list of applications is provided as an XML response, which the client uses to send additional requests to the server for more information on a per-package basis. + 2. The App-V Publishing Server uses the identity of the initiating target, user or machine, and queries the database for a list of entitled applications. The list of applications is provided as an XML response, which the client uses to send more requests to the server for more information on a per-package basis. -2. The Publishing Agent on the App-V Client will evaluate any connection groups that are unpublished or disabled, since package version updates that are part of the connection group cannot be processed. +2. The Publishing Agent on the App-V Client will evaluate any connection groups that are unpublished or disabled, since package version updates that are part of the connection group can't be processed. 3. Configure the packages by identifying the **Add** or **Update** operations. @@ -389,7 +389,7 @@ The process then configures the client for package or connection group additions - Portable Executable Headers (PE Headers): Targets of extension points that contain the base information about the image need on disk, accessed directly or through file types. - Scripts: Download scripts directory for use throughout the publishing process. - 4. Populate the Package store by doing the following: + 4. Populate the Package store by performing the following sub-steps: 1. Create sparse files on disk that represent the extracted package for any directories listed. @@ -409,7 +409,7 @@ The process then configures the client for package or connection group additions 4. Configure Connection Groups by adding and enabling or disabling. -5. Remove objects that are not published to the target (user or machine). +5. Remove objects that aren't published to the target (user or machine). > [!NOTE] >This will not perform a package deletion but rather remove integration points for the specific target (user or machine) and remove user catalog files (machine catalog files for globally published). @@ -421,7 +421,7 @@ The process then configures the client for package or connection group additions > [!NOTE] >This condition occurs as a product of removal without unpublishing with background addition of the package. -This completes an App-V package add for the publishing refresh process. The next step is publishing the package to a specific target (machine or user). +This process completes an App-V package add for the publishing refresh process. The next step is publishing the package to a specific target (machine or user). ![Package add file and registry data.](images/packageaddfileandregistrydata.png) @@ -452,7 +452,7 @@ During the Publishing Refresh operation, the specific publishing operation, **Pu 3. Run scripts targeted for publishing timing. -Publishing an App-V Package that is part of a Connection Group is very similar to the above process. For connection groups, the path that stores the specific catalog information includes PackageGroups as a child of the Catalog Directory. Review the Machine and User Catalog information in the preceding sections for details. +Publishing an App-V Package that is part of a Connection Group is similar to the above process. For connection groups, the path that stores the specific catalog information includes PackageGroups as a child of the Catalog Directory. Review the Machine and User Catalog information in the preceding sections for details. ![package add file and registry data - global.](images/packageaddfileandregistrydata-global.png) @@ -460,7 +460,7 @@ Publishing an App-V Package that is part of a Connection Group is very similar t ### Application launch -After the Publishing Refresh process, the user launches and then relaunches an App-V application. The App-V Client checks the path to the user catalog for files created during publishing. After establishing rights to launch the package, the App-V Client creates a virtual environment, begins streaming any necessary data, and applies the appropriate manifest and deployment configuration files during virtual environment creation. Once the virtual environment created and configured for the specific package and application, the application starts. This might seem like a lot, but the process in action is actually quite fast, and is optimized to minimize network traffic. +After the Publishing Refresh process, the user launches and then relaunches an App-V application. The App-V Client checks the path to the user catalog for files created during publishing. After establishing rights to launch the package, the App-V Client creates a virtual environment, begins streaming any necessary data, and applies the appropriate manifest and deployment configuration files during virtual environment creation. Once the virtual environment created and configured for the specific package and application, the application starts. This might seem like a lot, but the process in action is fast, and is optimized to minimize network traffic. #### How to launch App-V applications @@ -471,11 +471,13 @@ After the Publishing Refresh process, the user launches and then relaunches an A - **UserDeploymentConfiguration.xml** - **UserManifest.xml** -3. If the files are present, the application is entitled for that specific user and the application will start the process for launch. There is no network traffic at this point. +3. If the files are present, the application is entitled for that specific user and the application will start the process for launch. There's no network traffic at this point. 4. Next, the App-V Client checks that the path for the package registered for the App-V Client service is found in the registry. -5. Upon finding the path to the package store, the virtual environment is created. If this is the first launch, the Primary Feature Block downloads if present. +5. Upon finding the path to the package store, the virtual environment is created. + + If this process execution is the first launch, the Primary Feature Block downloads if present. 6. After downloading, the App-V Client service consumes the manifest and deployment configuration files to configure the virtual environment and all App-V subsystems are loaded. @@ -487,7 +489,7 @@ After the Publishing Refresh process, the user launches and then relaunches an A ### Upgrading an App-V package -The current version of App-V's package upgrade process differs from the older versions in its storage optimization. App-V supports multiple versions of the same package on a machine entitled to different users. Package versions can be added at any time, as the package store and catalogs are updated with the new resources. During an upgrade in the new version, only new files are added to the new version store location, and hard links are created for unchanged files. This reduces overall storage by only presenting the file on one disk location, then projecting it into all folders with a file location entry on the disk. +The current version of App-V's package upgrade process differs from the older versions in its storage optimization. App-V supports multiple versions of the same package on a machine entitled to different users. Package versions can be added at any time, as the package store and catalogs are updated with the new resources. During an upgrade in the new version, only new files are added to the new version store location, and hard links are created for unchanged files. Such results reduce overall storage by only presenting the file on one disk location, then projecting it into all folders with a file location entry on the disk. #### How to upgrade an App-V package @@ -521,7 +523,7 @@ If you try to upgrade a package that is currently in use, the upgrade task is pl | Task type | Applicable rule | |---|---| -| User-based tasks, such as publishing a package to a user | The pending task will be performed after the user logs off and then logs back on. | +| User-based tasks, such as publishing a package to a user | The pending task will be performed after the user signs out and then signs back in. | | Globally based tasks, such as enabling a connection group globally | The pending task will be performed when the computer is shut down and then restarted. | When a task is placed in a pending state, the App-V Client also generates a registry key for the pending task, as follows: @@ -542,19 +544,19 @@ Use the following example scenarios as a guide for updating packages. | Scenario | Requirements | |---|---| -| App-V package is not in use when you try to upgrade | None of the following components of the package can be in use: virtual application, COM server, or shell extensions.

                                The administrator publishes a newer version of the package and the upgrade works the next time a component or application inside the package is launched. The new version of the package is streamed and ran. | -| App-V package is in use when the administrator publishes a newer version of the package | The App-V Client sets the operation to "pending," which means that it is queued and will be carried out later when the package is not in use.

                                If the package application is in use, the user shuts down the virtual application, after which the upgrade can occur.

                                If the package has shell extensions, which are permanently loaded by Windows Explorer, the user won't be able to sign in. Users must sign off and then sign back in to initiate the App-V package upgrade.| +| App-V package isn't in use when you try to upgrade | None of the following components of the package can be in use: virtual application, COM server, or shell extensions.

                                The administrator publishes a newer version of the package and the upgrade works the next time a component or application inside the package is launched. The new version of the package is streamed and ran. | +| App-V package is in use when the administrator publishes a newer version of the package | The App-V Client sets the operation to "pending," which means that it's queued and will be carried out later when the package isn't in use.

                                If the package application is in use, the user shuts down the virtual application, after which the upgrade can occur.

                                If the package has shell extensions, which are permanently loaded by Windows Explorer, the user won't be able to sign in. Users must sign off and then sign back in to initiate the App-V package upgrade.| ### Global vs. user publishing -App-V Packages can be published in one of two ways; as user, which entitles an App-V package to a specific user or group of users, or as global, which entitles the App-V package to the entire machine for all users of the machine. Once a package upgrade has been pended and the App-V package is not in use, consider the two types of publishing: +App-V Packages can be published in one of two ways; as user, which entitles an App-V package to a specific user or group of users, or as global, which entitles the App-V package to the entire machine for all users of the machine. Once a package upgrade has been pended and the App-V package isn't in use, consider the two types of publishing: - Global publishing is when the application is published to a machine; all users on that machine can use it. The upgrade will happen when the App-V Client Service starts, which effectively means a machine restart. -- User publishing is when the application is published to a user. If there are multiple users on the machine, the application can be published to a subset of the users. The upgrade will happen when the user signs in or when it is published again (periodically, ConfigMgr Policy refresh and evaluation, or an App-V periodic publishing/refresh, or explicitly through Windows PowerShell commands). +- User publishing is when the application is published to a user. If there are multiple users on the machine, the application can be published to a subset of the users. The upgrade will happen when the user signs in or when it's published again (periodically, ConfigMgr Policy refresh and evaluation, or an App-V periodic publishing/refresh, or explicitly through Windows PowerShell commands). ### Removing an App-V package -Removing App-V applications in a Full Infrastructure is an unpublish operation and does not perform a package removal. The process is the same as the publish process above, but instead of adding the removal process reverses the changes that have been made for App-V Packages. +Removing App-V applications in a Full Infrastructure is an unpublish operation and doesn't perform a package removal. The process is the same as the publish process above, but instead of adding the removal process reverses the changes that have been made for App-V Packages. ### Repairing an App-V package @@ -577,12 +579,12 @@ When App-V applications are published to a computer with the App-V Client, some - Backup and Restore: Existing native application data and registry (such as FTA registrations) are backed up during publishing. 1. App-V packages are given ownership based on the last integrated package where the ownership is passed to the newest published App-V application. - 2. Ownership transfers from one App-V package to another when the owning App-V package is unpublished. This will not initiate a restore of the data or registry. + 2. Ownership transfers from one App-V package to another when the owning App-V package is unpublished. This transfer won't initiate a restore of the data or registry. 3. Restore the backed-up data when the last package is unpublished or removed on a per-extension point basis. ### Extension points -The App-V publishing files (manifest and dynamic configuration) provide several extension points to integrate the application with the local operating system. These extension points perform typical application installation tasks, such as placing shortcuts, creating file type associations, and registering components. As these are virtualized applications that are not installed in the same manner a traditional application, there are some differences. The following is a list of extension points covered in this section: +The App-V publishing files (manifest and dynamic configuration) provide several extension points to integrate the application with the local operating system. These extension points perform typical application installation tasks, such as placing shortcuts, creating file type associations, and registering components. As these are virtualized applications that aren't installed in the same manner a traditional application, there are some differences. The following is a list of extension points covered in this section: - Shortcuts - File type associations @@ -598,7 +600,7 @@ The App-V publishing files (manifest and dynamic configuration) provide several The shortcut is one of the basic elements of integration with the OS and is the interface for direct user launch of an App-V application. During the publishing and unpublishing of App-V applications. -From the package manifest and dynamic configuration XML files, the path to a specific application executable can be found in a section like the following: +From the package manifest and dynamic configuration XML files, the path to a specific application executable can be found in a section as shown in the following example: ```XML @@ -618,7 +620,7 @@ As mentioned previously, the App-V shortcuts are placed by default in the user ### File type associations -Users can use file type invocations or open a file with a specifically registered extension (.docx) to start an App-V application because the App-V Client manages the local operating system File Type Associations during publishing. File type associations are present in the manifest and dynamic configuration files, as shown in the following example: +Users can use file type invocations or open a file with a registered extension (.docx) to start an App-V application because the App-V Client manages the local operating system File Type Associations during publishing. File type associations are present in the manifest and dynamic configuration files, as shown in the following example: ```XML @@ -665,7 +667,7 @@ Users can use file type invocations or open a file with a specifically registere ### Shell extensions -Shell extensions are embedded in the package automatically during the sequencing process. When the package is published globally, the shell extension gives users the same functionality as if the application were locally installed. The application requires no additional setup or configuration on the client to enable the shell extension functionality. +Shell extensions are embedded in the package automatically during the sequencing process. When the package is published globally, the shell extension gives users the same functionality as if the application were locally installed. The application requires no extra setup or configuration on the client to enable the shell extension functionality. #### Requirements for using shell extensions @@ -679,10 +681,10 @@ The following table displays the supported shell extensions. | Handler | Description | |---|---| -| Context menu handler | Adds menu items to the context menu. It is called before the context menu is displayed. | +| Context menu handler | Adds menu items to the context menu. it's called before the context menu is displayed. | | Drag-and-drop handler | Controls the action upon right-click drag-and-drop and modifies the context menu that appears. | | Drop target handler | Controls the action after a data object is dragged-and-dropped over a drop target, such as a file.| -| Data object handler| Controls the action after a file is copied to the clipboard or dragged-and-dropped over a drop target. It can provide additional clipboard formats to the drop target.| +| Data object handler| Controls the action after a file is copied to the clipboard or dragged-and-dropped over a drop target. It can provide more clipboard formats to the drop target.| | Property sheet handler| Replaces or adds pages to the property sheet dialog box of an object.| | Infotip handler| Allows retrieving flags and infotip information for an item and displaying it inside a popup tooltip upon mouse-hover.| | Column handler| Allows creating and displaying custom columns in Windows Explorer *Details view*. It can be used to extend sorting and grouping.| @@ -690,7 +692,7 @@ The following table displays the supported shell extensions. ### COM -The App-V Client supports publishing applications with support for COM integration and virtualization. COM integration allows the App-V Client to register COM objects on the local operating system and virtualization of the objects. For the purposes of this document, the integration of COM objects requires additional detail. +The App-V Client supports publishing applications with support for COM integration and virtualization. COM integration allows the App-V Client to register COM objects on the local operating system and virtualization of the objects. For the purposes of this document, the integration of COM objects requires more details. App-V supports registering COM objects from the package to the local operating system with two process types: Out-of-process and In-process. Registering COM objects is accomplished with one or a combination of multiple modes of operation for a specific App-V package that includes Off, Isolated, and Integrated. Integrated mode is configured for either the Out-of-process or In-process type. Configuration of COM modes and types is accomplished with dynamic configuration files (deploymentconfig.xml or userconfig.xml). @@ -698,9 +700,9 @@ For details on App-V integration, see [Microsoft Application Virtualization 5.0 ### Software clients and application capabilities -App-V supports specific software clients and application capabilities extension points to register virtualized applications with the operating system's software client. This means users can select default programs for operations like email, instant messaging, and using the media player. This operation is performed in the control panel with **Set Program Access** and **Computer Defaults**, and is configured during sequencing in the manifest or dynamic configuration files. Application capabilities are only supported when the App-V applications are published globally. +App-V supports specific software clients and application capabilities extension points to register virtualized applications with the operating system's software client. This specific support means users can select default programs for operations like email, instant messaging, and using the media player. This operation is performed in the control panel with **Set Program Access** and **Computer Defaults**, and is configured during sequencing in the manifest or dynamic configuration files. Application capabilities are only supported when the App-V applications are published globally. -The following is an example of software client registration of an App-V-based mail client. +The following example illustrates a software client registration of an App-V-based mail client. ```XML @@ -752,23 +754,23 @@ The following is an example of software client registration of an App-V-based ma Virtual applications don't always specifically utilize file type invocation. For, example, in an application that supports embedding a mailto: link inside a document or web page, the user selects the link expecting to access their registered mail client. App-V supports URL Protocol handlers that can be registered on a per-package basis with the local operating system. During sequencing, the URL Protocol handlers are automatically added to the package. -For situations where there is more than one application that could register the specific URL Protocol handler, the dynamic configuration files can be utilized to modify the behavior and suppress or disable this feature for an application that should not be the primary application launched. +For situations where there's more than one application that could register the specific URL Protocol handler, the dynamic configuration files can be utilized to modify the behavior and suppress or disable this feature for an application that shouldn't be the primary application launched. ### AppPath -The AppPath extension point supports calling App-V applications directly from the operating system. Administrators can provide access to App-V applications from operating system commands or scripts without calling the specific path to the executable from either the Run or Start Screen, depending on the operating system. It therefore avoids modifying the system path environment variable on all systems, as it is accomplished during publishing. +The AppPath extension point supports calling App-V applications directly from the operating system. Administrators can provide access to App-V applications from operating system commands or scripts without calling the specific path to the executable from either the Run or Start Screen, depending on the operating system. It therefore avoids modifying the system path environment variable on all systems, as it's accomplished during publishing. -The AppPath extension point is configured either in the manifest or in the dynamic configuration files and is stored in the registry on the local machine during publishing for the user. For additional information on AppPath review: [App Paths - A Virtual Application Extension in App-V 5.0](/archive/blogs/virtualworld/app-paths-a-virtual-application-extension-in-app-v-5-0). +The AppPath extension point is configured either in the manifest or in the dynamic configuration files and is stored in the registry on the local machine during publishing for the user. For more information on AppPath review: [App Paths - A Virtual Application Extension in App-V 5.0](/archive/blogs/virtualworld/app-paths-a-virtual-application-extension-in-app-v-5-0). ### Virtual application -This subsystem provides a list of applications captured during sequencing which is usually consumed by other App-V components. Integration of extension points belonging to a specific application can be disabled using dynamic configuration files. For example, if a package contains two applications, you can disable all extension points belonging to one application to only allow integration of extension points for the other application. +This subsystem provides a list of applications captured during sequencing which is consumed by other App-V components. Integration of extension points belonging to a specific application can be disabled using dynamic configuration files. For example, if a package contains two applications, you can disable all extension points belonging to one application to only allow integration of extension points for the other application. ### Extension point rules -The previously described extension points are integrated into the operating system based on how the packages has been published. Global publishing places extension points in public machine locations, where user publishing places extension points in user locations. For example, a shortcut created on the desktop and published globally will result in the file data for the shortcut (%Public%\\Desktop) and the registry data (HKLM\\Software\\Classes). The same shortcut would have file data (%UserProfile%\\Desktop) and registry data (HKCU\\Software\\Classes). +The previously described extension points are integrated into the operating system based on how the packages have been published. Global publishing places extension points in public machine locations, where user publishing places extension points in user locations. For example, a shortcut created on the desktop and published globally will result in the file data for the shortcut (%Public%\\Desktop) and the registry data (HKLM\\Software\\Classes). The same shortcut would have file data (%UserProfile%\\Desktop) and registry data (HKCU\\Software\\Classes). -Extension points are not all published the same way, where some extension points will require global publishing and others require sequencing on the specific operating system and architecture where they are delivered. Below is a table that describes these two key rules. +Extension points aren't all published the same way, where some extension points will require global publishing and others require sequencing on the specific operating system and architecture where they're delivered. Below is a table that describes these two key rules. |Virtual Extension|Requires target OS sequencing|Requires global publishing| |---|:---:|:---:| @@ -791,7 +793,7 @@ Extension points are not all published the same way, where some extension points ## Dynamic configuration processing -Deploying App-V packages to a single machine or user is very simple. However, as organizations deploy App-V applications across business lines and geographic and political boundaries, it becomes impossible to sequence all applications with the same settings. App-V was designed to overcome this problem by capturing specific settings and configurations during sequencing in the Manifest file while also supporting modification with Dynamic Configuration files. +Deploying App-V packages to a single machine or user is simple. However, as organizations deploy App-V applications across business lines and geographic and political boundaries, it becomes impossible to sequence all applications with the same settings. App-V was designed to overcome this problem by capturing specific settings and configurations during sequencing in the Manifest file while also supporting modification with Dynamic Configuration files. App-V dynamic configuration lets you specify a package policy at either the machine or user levels. Sequencing engineers can use Dynamic Configuration files to modify the configuration of a package post-sequencing to address the needs of individual groups of users or machines. In some instances, it may be necessary to modify the application to provide proper functionality within the App-V environment. For example, you may need to modify the \_\*config.xml files to allow certain actions to be performed at a specified time while executing the application, like disabling a mailto extension to prevent a virtualized application from overwriting that extension from another application. @@ -799,7 +801,7 @@ App-V packages contain the Manifest file inside of the App-V Package file, which ### Examples of dynamic configuration files -The following example shows the combination of the Manifest, Deployment Configuration, and User Configuration files after publishing and during normal operation. These examples are abbreviated examples of each of the files. The purpose is show the combination of the files only, not to be a complete description of the specific categories available in each file. For more information, download the [App-V Sequencing Guide](https://www.microsoft.com/download/details.aspx?id=27760). +The following example shows the combination of the Manifest, Deployment Configuration, and User Configuration files after publishing and during normal operation. These examples are abbreviated examples of each of the files. The purpose is to show the combination of the files only, not to be a complete description of the specific categories available in each file. For more information, download the [App-V Sequencing Guide](https://www.microsoft.com/download/details.aspx?id=27760). #### Manifest @@ -871,7 +873,7 @@ The following example shows the combination of the Manifest, Deployment Configur App-V supports automatic packaging of side-by-side assemblies during sequencing and deployment on the client during virtual application publishing. App-V also supports capturing side-by-side assemblies during sequencing for assemblies not present on the sequencing machine. For assemblies consisting of Visual C++ (Version 8 and newer) or MSXML run-time, the Sequencer will automatically detect and capture these dependencies even if they weren't installed during monitoring. -The side-by-side assemblies feature removes the limitations of previous versions of App-V, where the App-V Sequencer did not capture assemblies already present on the sequencing workstation, and privatized the assemblies, which limited it to one bit version per package. This behavior resulted in App-V applications being deployed to clients missing the required side-by-side assemblies, which led to application launch failures. This forced the packaging process to document and ensure that all assemblies required for packages were locally installed on the user’s client operating system. This task was both a management and implementation challenge due to the number of assemblies and the lack of application documentation for the required dependencies. +The side-by-side assemblies feature removes the limitations of previous versions of App-V, where the App-V Sequencer didn't capture assemblies already present on the sequencing workstation, and privatized the assemblies, which limited it to a bit version per package. This behavior resulted in App-V applications being deployed to clients missing the required side-by-side assemblies, which led to application launch failures. This failure forced the packaging process to document and ensure that all assemblies required for packages were locally installed on the user’s client operating system. This task was both a management and implementation challenge due to the number of assemblies and the lack of application documentation for the required dependencies. Side-by-side assembly support in App-V has the following features: @@ -885,13 +887,13 @@ Side-by-side assembly support in App-V has the following features: During publishing of an App-V package with side-by-side assemblies, the App-V Client will check for the presence of the assembly on the machine. If it doesn't detect an assembly, the client will deploy the assembly to the machine. Packages that are part of connection groups will rely on the side-by-side assembly installations in the base packages, as the connection groups don't contain any information about assembly installation. >[!NOTE] ->Unpublishing or removing a package with an assembly does not remove the assemblies for that package. +>Unpublishing or removing a package with an assembly doesn't remove the assemblies for that package. ## Client logging The App-V Client logs information to the Windows Event log in standard ETW format. The specific App-V events can be found in the event viewer under **Applications and Services Logs\\Microsoft\\AppV\\Client**. -There are three specific categories of events recorded: +There're three specific categories of events recorded: - **Admin** logs events for configurations applied to the App-V Client and also contains the primary warnings and errors. - **Operational** logs the general App-V execution and usage of individual components, creating an audit log of the App-V Client's completed App-V operations. diff --git a/windows/application-management/app-v/appv-auto-batch-sequencing.md b/windows/application-management/app-v/appv-auto-batch-sequencing.md index 7875e506a1..724879e39c 100644 --- a/windows/application-management/app-v/appv-auto-batch-sequencing.md +++ b/windows/application-management/app-v/appv-auto-batch-sequencing.md @@ -18,7 +18,7 @@ ms.topic: article Sequencing multiple apps at the same time requires you to install and start Microsoft Application Virtualization Sequencer (App-V Sequencer), and to install the necessary apps to collect any changes made to the operating system during the installation and building of the App-V package. -Starting with Windows 10 version 1703, running the App-V Sequencer automatically captures and stores your customizations as an App-V project template (.appvt) file. If you want to make changes to this package later, your customizations will be automatically loaded from this template file. This is applicable to all of the sequencing scenarios: +Starting with Windows 10 version 1703, running the App-V Sequencer automatically captures and stores your customizations as an App-V project template (.appvt) file. If you want to make changes to this package later, your customizations will be automatically loaded from this template file. This automatic customization load is applicable to all of the sequencing scenarios: - Using the **New-BatchAppVSequencerPackages** cmdlet - Using the App-V Sequencer interface @@ -39,7 +39,7 @@ Sequencing multiple apps at the same time requires that you create a **ConfigFil - ``````. The name of the app you're adding to the package. - ``````. The file path to the folder with the app installer. - - ``````. The file name for the app executable. This will typically be an .exe or .msi file. + - ``````. The file name for the app executable. This file will typically be an .exe or .msi file. - ``````. The command-line options required for the app installation. - ``````. The maximum amount of time, in minutes, that the cmdlet should wait for sequencing to complete. You can enter a different value for each app, based on the size and complexity of the app itself. - ``````. Determines whether the sequencer uses the cmdlet or the App-V Sequencer interface. **True** tells the sequencer to use cmdlet-based sequencing, while **False** tells the sequencer to use the App-V Sequencer interface. You can use both the cmdlet and the interface together in the same ConfigFile, for different apps. @@ -83,11 +83,11 @@ New-BatchAppVSequencerPackages –ConfigFile –VMName ``` is the name of the virtual machine (VM) with the App-V Sequencer installed, where you'll run the batch sequencing, and `````` is the full path to where the sequenced packages should be copied. -The cmdlet creates a "clean" checkpoint on the VM. Next, the cmdlet copies the first app installer listed in the ConfigFile from the Host computer to the VM, and finally a new session of the VM opens (through VMConnect) and sequencing of the app begins from the command-line. After completing sequencing and package creation for the first app on the VM, the package is copied from the VM to the Host computer, specified in the *OutputPath* parameter. The cmdlet then goes to the second app on your list, reverting the VM back to a "clean" checkpoint and running through all of the steps again, until the second app package is copied to your output folder. This process continues until all apps included in your list are done. After the last app, the VM is reverted back to a "clean" checkpoint and turned off. +The cmdlet creates a "clean" checkpoint on the VM. Next, the cmdlet copies the first app installer listed in the ConfigFile from the Host computer to the VM, and finally a new session of the VM opens (through VMConnect) and sequencing of the app begins from the command-line. After the sequencing and package creation for the first app on the VM is completed, the package is copied from the VM to the Host computer, specified in the *OutputPath* parameter. The cmdlet then goes to the second app on your list, reverting the VM back to a "clean" checkpoint and running through all of the steps again, until the second app package is copied to your output folder. This process continues until all apps included in your list are done. After the last app, the VM is reverted back to a "clean" checkpoint and turned off. ### Review the log files -There are 3 types of log files that occur when you sequence multiple apps at the same time: +There are three types of log files that occur when you sequence multiple apps at the same time: - **New-BatchAppVSequencerPackages-<*time_stamp*>.txt**. Located in the %temp%\AutoSequencer\Logs directory. This log contains info about the sequencing activities for each app, such as "Copying installer to VM," "Scheduling sequencing task," and so on. Additionally, if an app times out, this log contains the failure along with the checkpoint for troubleshooting the problem. - **New-BatchAppVSequencerPackages-report-<*time_stamp*>.txt**. Located in the **OutputPath** folder you specified earlier. This log contains info about the connections made to the VM, showing if there were any failures. Additionally, it briefly includes success or failure info for all of the apps. diff --git a/windows/application-management/app-v/appv-auto-batch-updating.md b/windows/application-management/app-v/appv-auto-batch-updating.md index 3ce6b6faac..ca2fc70a1d 100644 --- a/windows/application-management/app-v/appv-auto-batch-updating.md +++ b/windows/application-management/app-v/appv-auto-batch-updating.md @@ -35,7 +35,7 @@ Updating multiple apps at the same time requires that you create a **ConfigFile* - ``````. The name of the app you're adding to the package. - ``````. The file path to the folder with the app installer. - - ``````. The file name for the app executable. This will typically be an .exe or .msi file. + - ``````. The file name for the app executable. This file will typically be an .exe or .msi file. - ``````. The command-line options required for the app installation. - ``````. The file path to the location of your App-V packages. These packages were created when you sequenced your apps. - ``````. The maximum amount of time, in minutes, that the cmdlet should wait for updating to complete. You can enter a different value for each app, based on the size and complexity of the app itself. @@ -80,7 +80,7 @@ Updating multiple apps at the same time requires that you create a **ConfigFile* ``` Where `````` is the name of the virtual machine (VM) with the App-V Sequencer installed that you'll run the batch updating on, and `````` is the full path to where the updated packages should be copied. - The cmdlet creates a "clean" checkpoint on the VM. After making the checkpoint, the cmdlet copies the first app installer listed in the ConfigFile from the Host computer to the VM. This opens a new session of the VM (through VMConnect), allowing app updates to begin from the command-line. After completing the update and package creation for the first app on the VM, the package is copied from the VM to the Host computer, specified in the OutputPath parameter. The cmdlet then goes to the second app on your list, reverting the VM back to a "clean" checkpoint and running through all of the steps again, until the second app package is copied to your output folder. This process continues until all apps included in your list are done. After the last app, the VM is reverted back to a "clean" checkpoint and turned off. + The cmdlet creates a "clean" checkpoint on the VM. After the checkpoint is created, the cmdlet copies the first app installer listed in the ConfigFile from the Host computer to the VM. This copy-operation opens a new session of the VM (through VMConnect), allowing app updates to begin from the command-line. After the update and package creation for the first app on the VM is completed, the package is copied from the VM to the Host computer, specified in the OutputPath parameter. The cmdlet then goes to the second app on your list, reverting the VM back to a "clean" checkpoint and running through all of the steps again, until the second app package is copied to your output folder. This process continues until all apps included in your list are done. After the last app, the VM is reverted back to a "clean" checkpoint and turned off. ## Update multiple apps with the App-V Sequencer interface @@ -94,7 +94,7 @@ Updating multiple apps at the same time requires that you create a **ConfigFile* - ``````. The name of the app you're adding to the package. - ``````. The file path to the folder with the app installer. - - ``````. The file name for the app executable. This will typically be an .exe or .msi file. + - ``````. The file name for the app executable. This file will typically be an .exe or .msi file. - ``````. The file path to the location of your App-V packages. These packages were created when you sequenced your apps. - ``````. The maximum amount of time, in minutes, the cmdlet should wait for updating to complete. You can enter a different value for each app, based on the size and complexity of the app itself. - ``````. Determines whether the sequencer uses the cmdlet or the App-V Sequencer interface. **True** tells the sequencer to use cmdlet-based updating, while **False** tells the sequencer to use the App-V Sequencer interface. You can use both the cmdlet and the interface together in the same ConfigFile, for different apps. @@ -137,7 +137,7 @@ Updating multiple apps at the same time requires that you create a **ConfigFile* ``` Where `````` is the name of the virtual machine (VM) with the App-V Sequencer installed, where you'll run the batch updating, and `````` is the full path to where the updated packages should be copied. - This cmdlet creates a "clean" checkpoint on the VM. After making the checkpoint, the cmdlet copies the first app installer listed in the ConfigFile from the Host computer to the VM. This opens a new session of the VM (through VMConnect) and app updating begins from the command-line. After completing updating and package creation for the first app on the VM, the package is copied from the VM to the Host computer specified in the *OutputPath* parameter. The cmdlet then goes to the second app on your list, reverting the VM back to a "clean" checkpoint and running through all of the steps again, until the second app package is copied to your output folder. This process continues until all apps included in your list are done. After the last app, the VM is reverted to a "clean" checkpoint and turned off. + This cmdlet creates a "clean" checkpoint on the VM. After the checkpoint is created, the cmdlet copies the first app installer listed in the ConfigFile from the Host computer to the VM. This opens a new session of the VM (through VMConnect) and app updating begins from the command-line. After the updating and package creation for the first app on the VM is completed, the package is copied from the VM to the Host computer specified in the *OutputPath* parameter. The cmdlet then goes to the second app on your list, reverting the VM back to a "clean" checkpoint and running through all of the steps again, until the second app package is copied to your output folder. This process continues until all apps included in your list are done. After the last app, the VM is reverted to a "clean" checkpoint and turned off. ### Review the log files diff --git a/windows/application-management/app-v/appv-auto-provision-a-vm.md b/windows/application-management/app-v/appv-auto-provision-a-vm.md index f9e98f0849..322eac59fc 100644 --- a/windows/application-management/app-v/appv-auto-provision-a-vm.md +++ b/windows/application-management/app-v/appv-auto-provision-a-vm.md @@ -20,7 +20,7 @@ Previous versions of the App-V Sequencer have required you to manually create yo ## Automatic VM provisioning of the sequencing environment -You have two options for provisioning an VM for auto-sequencing: +You have two options for provisioning a VM for auto-sequencing: 1. Using a Virtual Hard Disk (VHD) 2. Updating an existing VM diff --git a/windows/application-management/app-v/appv-capacity-planning.md b/windows/application-management/app-v/appv-capacity-planning.md index 75a7a8d6ec..48df8df7d5 100644 --- a/windows/application-management/app-v/appv-capacity-planning.md +++ b/windows/application-management/app-v/appv-capacity-planning.md @@ -23,18 +23,18 @@ The following recommendations can be used as a baseline to help determine capaci ## Determine the project scope -Before you design the App-V infrastructure, determining which applications will be available virtually, and also identify the target users and their locations. This information will determine what type of App-V infrastructure your project should implement. Your should base your decisions about your project's scope on your organization's specific needs. +Before you design the App-V infrastructure, determining which applications will be available virtually, and also identify the target users and their locations. This information will determine what type of App-V infrastructure your project should implement. You should base your decisions about your project's scope on your organization's specific needs. |Task|More information| |----|----------------| -|Determine application scope|The App-V infrastructure can be set up in different ways depending on which applications you want to virtualize. This means your first task is to define which applications you want to virtualize.| +|Determine application scope|The App-V infrastructure can be set up in different ways depending on which applications you want to virtualize. This customization in set up means your first task is to define which applications you want to virtualize.| |Determine location scope|"Location scope" refers to the physical locations where you plan to run the virtualized applications (for example, enterprise-wide or a specific geographic location). It can also refer to the user population that will run the virtual applications (for example, a single department). You should obtain a network map that includes the connection paths, the available bandwidth for each location, the number of users using virtualized applications, and the WAN link speed.| ## Determine which App-V infrastructure is required -You can also manage your App-V environment using an electronic software distribution (ESD) solution such as Microsoft Systems Center Configuration Manager. For more information see [How to deploy App-V packages using electronic software distribution](appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md). +You can also manage your App-V environment using an electronic software distribution (ESD) solution such as Microsoft Systems Center Configuration Manager. For more information, see [How to deploy App-V packages using electronic software distribution](appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md). -* **Standalone model**—The standalone model allows virtual applications to be Windows Installer-enabled for distribution without streaming. App-V in Standalone mode only needs the sequencer and the client; no additional components are required. Applications are prepared for virtualization using a process called sequencing. For more information, see [Planning for the App-V Sequencer and Client deployment](appv-planning-for-sequencer-and-client-deployment.md). The standalone model is recommended for the following scenarios: +* **Standalone model**—The standalone model allows virtual applications to be Windows Installer-enabled for distribution without streaming. App-V in Standalone mode only needs the sequencer and the client; no extra components are required. Applications are prepared for virtualization using a process called sequencing. For more information, see [Planning for the App-V Sequencer and Client deployment](appv-planning-for-sequencer-and-client-deployment.md). The standalone model is recommended for the following scenarios: * When there are disconnected remote users who can't connect to the App-V infrastructure. * When you're running a software management system, such as System Center 2012 Configuration Manager. @@ -79,8 +79,8 @@ The following table describes each factor that impacts round-trip time in more d |Factors impacting round-trip response time|Description| |------------------------------------------|-----------| |The number of publishing servers simultaneously requesting package metadata refreshes.|A single management server can respond to up to 320 publishing servers simultaneously requesting publishing metadata. For example, in a case with 30 publishing servers simultaneously requesting publishing metadata, the round-trip response time is about 40 seconds, while for less than 50 servers it's less than 5 seconds. From 50 to 320 publishing servers, response team increases linearly (approximately 2×).| -|The number of connection groups configured on the management server.|For up to 100 connection groups, there is no significant change in the round-trip response time on the publishing server. For 100–400 connection groups, there is a minor linear increase in the round-trip response time.| -|The number of access groups configured on the management server.|For up to 40 access groups, there is a linear (approximately 3×) increase in the round-trip response time on the publishing server.| +|The number of connection groups configured on the management server.|For up to 100 connection groups, there's no significant change in the round-trip response time on the publishing server. For 100–400 connection groups, there's a minor linear increase in the round-trip response time.| +|The number of access groups configured on the management server.|For up to 40 access groups, there's a linear (approximately 3×) increase in the round-trip response time on the publishing server.| The following table displays sample values for each of the previous factors. In each variation, 120 packages are refreshed from the App-V management server. @@ -92,7 +92,7 @@ The following table displays sample values for each of the previous factors. In The CPU utilization of the computer running the management server is around 25% irrespective of the number of publishing servers targeting it. The Microsoft SQL Server database transactions/sec, batch requests/sec and user connections are identical irrespective of the number of publishing servers. For example, transactions/sec is approximately 30, batch requests approximately 200, and user connects approximately six. -Using a geographically distributed deployment, where the management server and publishing servers utilize a slow link network between them, the round-trip response time on the publishing servers is within acceptable time limits (<5 seconds), even for 100 simultaneous requests on a single management server. +Through a geographically distributed deployment, where the management server and publishing servers utilize a slow link network between them, the round-trip response time on the publishing servers is within acceptable time limits (<5 seconds), even for 100 simultaneous requests on a single management server. |Scenario|Variation|Number of connection groups|Number of access groups|Number of publishing servers|Network connection type|Round-trip response time (seconds)|Management server CPU utilization (in %)| |---|---|---|---|---|---|---|---| @@ -103,7 +103,7 @@ Whether the management server and publishing servers are connected over a slow l ## App-V Reporting Server capacity planning recommendations -App-V clients send reporting data to the reporting server. The reporting server then records the information in the Microsoft SQL Server database and returns a successful notification back to the computer running App-V client. For more information about the App-V Reporting Server's supported configurations see [App-V supported configurations](appv-supported-configurations.md). +App-V clients send reporting data to the reporting server. The reporting server then records the information in the Microsoft SQL Server database and returns a successful notification back to the computer running App-V client. For more information about the App-V Reporting Server's supported configurations, see [App-V supported configurations](appv-supported-configurations.md). >[!NOTE] >Round-trip response time is the time taken by the computer running the App-V client to send the reporting information to the reporting server and receive a successful notification from the reporting server. @@ -111,7 +111,7 @@ App-V clients send reporting data to the reporting server. The reporting server |Scenario|Summary| |---|---| |Multiple App-V clients send reporting information to the reporting server simultaneously.|Round-trip response time from the reporting server is 2.6 seconds for 500 clients. Round-trip response time from the reporting server is 5.65 seconds for 1000 clients. Round-trip response time increases linearly depending on number of clients.| -|Requests per second processed by the reporting server.|A single reporting server and a single database, can process a maximum of 139 requests per second. The average is 121 requests/second. Using two reporting servers reporting to the same Microsoft SQL Server database, the average requests/second, like a single reporting server, is about 127, with a max of 278 requests/second. A single reporting server can process 500 concurrent/active connections. A single reporting server can process a maximum 1,500 concurrent connections.| +|Requests per second processed by the reporting server.|A single reporting server and a single database can process a maximum of 139 requests per second. The average is 121 requests/second. With the help of two reporting servers that report to the same Microsoft SQL Server database, the average requests/second, like a single reporting server, is about 127, with a max of 278 requests/second. A single reporting server can process 500 concurrent/active connections. A single reporting server can process a maximum 1,500 concurrent connections.| |Reporting database.|Lock contention on the computer running Microsoft SQL Server is the limiting factor for requests/second. Throughput and response time are independent of database size.| ### Calculating random delay @@ -136,7 +136,7 @@ Computers running the App-V client connect to the App-V publishing server to sen |---|---| |Multiple App-V clients connect to a single publishing server simultaneously.|A publishing server running dual core processors can respond to at most 5000 clients requesting a refresh simultaneously. For 5,000–10,000 clients, the publishing server requires a minimum quad core. For 10,000–20,000 clients, the publishing server should have dual quad cores for more efficient response times. A publishing server with a quad core can refresh up to 10,000 packages within three seconds. (Supports 10,000 simultaneous clients.)| |Number of packages in each refresh.|Increasing number of packages will increase response time by about 40% (up to 1,000 packages).| -|Network between the App-V client and the publishing server.|Across a slow network (1.5 Mbps bandwidth), there is a 97% increase in response time compared to LAN (up to 1,000 users).| +|Network between the App-V client and the publishing server.|Across a slow network (1.5-Mbps bandwidth), there's a 97% increase in response time compared to LAN (up to 1,000 users).| >[!NOTE] >The publishing server CPU usage is always high during the time interval when it must process simultaneous requests (>90% in most cases). The publishing server can handle about 1,500 client requests in one second. @@ -145,7 +145,7 @@ Computers running the App-V client connect to the App-V publishing server to sen |---|---|---|---|---|---|---|---| |App-V client sends publishing refresh request and receives response, each request containing 120 packages|Number of clients|100
                                1,000
                                5,000
                                10,000|120
                                120
                                120
                                120|Dual Core
                                Dual Core
                                Quad Core
                                Quad Core|LAN|1
                                2
                                2
                                3|100
                                99
                                89
                                77| |Multiple packages in each refresh.|Number of packages|1,000
                                1,000|500
                                1,000|Quad Core|LAN|2
                                3|92
                                91| -|Network between client and publishing server.|1.5 Mbps Slow link network|100
                                500
                                1,000|120
                                120
                                120|Quad Core|1.5 Mbps intra-continental network|3
                                10 (0.2% failure rate)
                                7 (1% failure rate)|| +|Network between client and publishing server.|1.5 Mbps Slow link network|100
                                500
                                1,000|120
                                120
                                120|Quad Core|1.5-Mbps intra-continental network|3
                                10 (0.2% failure rate)
                                7 (1% failure rate)|| ## App-V streaming capacity planning recommendations @@ -159,9 +159,9 @@ Computers running the App-V client stream the virtual application package from t |Scenario|Summary| |---|---| -|Multiple App-V clients stream applications from a single streaming server simultaneously.|If the number of clients simultaneously streaming from the same server increases, there is a linear relationship with the package download/streaming time.| +|Multiple App-V clients stream applications from a single streaming server simultaneously.|If the number of clients simultaneously streaming from the same server increases, there's a linear relationship with the package download/streaming time.| |Size of the package being streamed.|The package size has a significant impact on the streaming/download time only for larger packages with a size of about 1 GB. For package sizes ranging from 3 MB to 100 MB, the streaming time ranges from 20 seconds to 100 seconds, with 100 simultaneous clients.| -|Network between the App-V client and the streaming server.|Across a slow network (1.5 Mbps bandwidth), there is a 70–80% increase in response time compared to LAN (up to 100 users).| +|Network between the App-V client and the streaming server.|Across a slow network (1.5-Mbps bandwidth), there's a 70–80% increase in response time compared to LAN (up to 100 users).| The following table displays sample values for each of the factors in the previous list: @@ -169,22 +169,22 @@ The following table displays sample values for each of the factors in the previo |---|---|---|---|---|---| |Multiple App-V clients streaming virtual application packages from a streaming server.|Number of clients.|100
                                200
                                1,000
                                100
                                200
                                1,000|3.5 MB
                                3.5 MB
                                3.5 MB
                                5 MB
                                5 MB
                                5 MB|LAN|29
                                39
                                391
                                35
                                68
                                461| |Size of each package being streamed.|Size of each package.|100
                                200
                                100
                                200|21 MB
                                21 MB
                                109 MB
                                109 MB|LAN|33
                                83
                                100
                                160| -|Network connection between client and App-V streaming server.|1.5 Mbps Slow link network.|100
                                100|3.5 MB
                                5 MB|1.5 Mbps intra-continental network|102
                                121| +|Network connection between client and App-V streaming server.|1.5 Mbps Slow link network.|100
                                100|3.5 MB
                                5 MB|1.5-Mbps intra-continental network|102
                                121| Each App-V streaming server should be able to handle a minimum of 200 clients concurrently streaming virtualized applications. >[!NOTE] >The actual time to it will take to stream is determined primarily by the number of clients streaming simultaneously, number of packages, package size, the server’s network activity, and network conditions. -For example, an average user can stream a 100 MB package in less than 2 minutes, when 100 simultaneous clients are streaming from the server. However, a package of size 1 GB could take up to 30 minutes. In most real-world environments, streaming demand is not uniformly distributed, you will need to understand the approximate peak streaming requirements present in your environment to properly size the number of required streaming servers. +For example, an average user can stream a 100-MB package in less than 2 minutes, when 100 simultaneous clients are streaming from the server. However, a package of size 1 GB could take up to 30 minutes. In most real-world environments, streaming demand isn't uniformly distributed, you'll need to understand the approximate peak streaming requirements present in your environment to properly size the number of required streaming servers. -The number of clients a streaming server can support can be significantly increased and the peak streaming requirements reduced if you pre-cache your applications. You can also increase the number of clients a streaming server can support by using on-demand streaming delivery and stream optimized packages. +The number of clients a streaming server can support can be increased and the peak streaming requirements reduced if you pre-cache your applications. You can also increase the number of clients a streaming server can support by using on-demand streaming delivery and stream optimized packages. ## Combining App-V server roles -Discounting scaling and fault-tolerance requirements, the minimum number of servers that a location with Active Directory connectivity needs to function is one. This server will host the management server, management server service, and Microsoft SQL Server roles. This means that you can arrange server roles in any combination you like, as they don't conflict with one another. +Discounting scaling and fault-tolerance requirements, the minimum number of servers that a location with Active Directory connectivity needs to function is 1. This server will host the management server, management server service, and Microsoft SQL Server roles. This coverage means that you can arrange server roles in any combination you like, as they don't conflict with one another. -Ignoring scaling requirements, the minimum number of servers that a fault-tolerant implementation needs to function is four. The management server and Microsoft SQL Server roles support placement in fault-tolerant configurations. The management server service can be combined with any of the roles, but remains a single point of failure. +Notwithstanding scaling requirements, the minimum number of servers that a fault-tolerant implementation needs to function is four. The management server and Microsoft SQL Server roles support placement in fault-tolerant configurations. The management server service can be combined with any of the roles, but remains a single point of failure. Although there are many fault-tolerance strategies and technologies you can use, not all are applicable to a given service. Additionally, if App-V roles are combined, the resulting incompatibilities could cause certain fault-tolerance options to stop working. diff --git a/windows/application-management/app-v/appv-client-configuration-settings.md b/windows/application-management/app-v/appv-client-configuration-settings.md index f66d17b837..a7fc9aee2e 100644 --- a/windows/application-management/app-v/appv-client-configuration-settings.md +++ b/windows/application-management/app-v/appv-client-configuration-settings.md @@ -16,7 +16,7 @@ ms.topic: article [!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] -The Microsoft Application Virtualization (App-V) client stores its configuration in the registry. Understanding how the register's format for data works can help you better understand the client, as you can configure many client actions by changing registry entries. This topic lists the App-V client configuration settings and explains their uses. You can use Windows PowerShell to modify the client configuration settings. For more information about using Windows PowerShell and App-V see [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md). +The Microsoft Application Virtualization (App-V) client stores its configuration in the registry. Understanding how the register's format for data works can help you better understand the client, as you can configure many client actions by changing registry entries. This topic lists the App-V client configuration settings and explains their uses. You can use Windows PowerShell to modify the client configuration settings. For more information about using Windows PowerShell and App-V, see [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md). You can use Group Policy to configure App-V client settings by navigating to the **Group Policy management console** at **Computer Configuration** > **Administrative Templates** > **System** > **App-V**. @@ -35,7 +35,7 @@ The following table provides information about App-V client configuration settin | Set-AppvClientConfiguration,
                                Set-AppvPublishingServer

                                **-LocationProvider**
                                String | Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface. | Policy value not written (same as Not Configured) | | Set-AppvClientConfiguration,
                                Set-AppvPublishingServer

                                **-CertFilterForClientSsl**
                                String | Specifies the path to a valid certificate in the certificate store. | Policy value not written (same as Not Configured) | | Set-AppvClientConfiguration,
                                Set-AppvPublishingServer

                                **-VerifyCertificateRevocationList**
                                True (enabled); False (Disabled state) | Verifies Server certificate revocation status before streaming with HTTPS. | 0 | -| Set-AppvClientConfiguration,
                                Set-AppvPublishingServer

                                **-SharedContentStoreMode**
                                True (enabled); False (Disabled state) | Specifies that streamed package contents will be not be saved to the local hard disk. | 0 | +| Set-AppvClientConfiguration,
                                Set-AppvPublishingServer

                                **-SharedContentStoreMode**
                                True (enabled); False (Disabled state) | Specifies that streamed package contents will not be saved to the local hard disk. | 0 | | Set-AppvPublishingServer

                                **-Name**
                                String | Displays the name of publishing server. | Policy value not written (same as Not Configured) | | Set-AppvPublishingServer

                                **-URL**
                                String | Displays the URL of publishing server. | Policy value not written (same as Not Configured) | | Set-AppvPublishingServer

                                **-GlobalRefreshEnabled**
                                True (enabled); False (Disabled state) | Enables global publishing refresh (Boolean) | False | @@ -46,20 +46,20 @@ The following table provides information about App-V client configuration settin | Set-AppvPublishingServer

                                **-UserRefreshOnLogon**
                                True (enabled); False (Disabled state) | Triggers a user publishing refresh on sign in. (Boolean) Word count (with spaces): 60 | False | | Set-AppvPublishingServer

                                **-UserRefreshInterval**
                                Word count (with spaces): 85
                                Integer (0–744 Hours) | Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. | 0 | | Set-AppvPublishingServer

                                **-UserRefreshIntervalUnit**
                                0 for hour, 1 for day | Specifies the interval unit (Hour 0–23, Day 0–31). | 1 | -| Set-AppvClientConfiguration,
                                Set-AppvPublishingServer

                                **-MigrationMode**
                                True (enabled state); False (Disabled state) | Migration mode allows the App-V client to modify shortcuts and FTA’s for packages created by a previous version of App-V. | | +| Set-AppvClientConfiguration,
                                Set-AppvPublishingServer

                                **-MigrationMode**
                                True (enabled state); False (Disabled state) | Migration mode allows the App-V client to modify shortcuts and FTAs for packages created by a previous version of App-V. | | | Set-AppvClientConfiguration,
                                Set-AppvPublishingServer

                                **-EnablePackageScripts**
                                True (enabled); False (Disabled state) | Enables scripts defined in the package manifest of configuration files that should run. | | -| Set-AppvClientConfiguration

                                **-RoamingFileExclusions**
                                String | Specifies the file paths relative to %userprofile% that do not roam with a user's profile. For example, ```/ROAMINGFILEEXCLUSIONS='desktop;my pictures'``` | | -| Set-AppvClientConfiguration,
                                Set-AppvPublishingServer

                                **-RoamingRegistryExclusions**
                                String | Specifies the registry paths that do not roam with a user profile. For example, ```/ROAMINGREGISTRYEXCLUSIONS=software\\classes;software\\clients``` | Policy value not written (same as Not Configured) | -| Set-AppvClientConfiguration,
                                Set-AppvPublishingServer

                                **-IntegrationRootUser**
                                String | Specifies the location to create symbolic links associated with the current version of a per-user published package. All virtual application extensions, such as shortcuts and file type associations, will point to this path. If you don't specify a path, symbolic links will not be used when you publish the package. For example, ```%localappdata%\\Microsoft\\AppV\\Client\\Integration```. | Policy value not written (same as Not Configured) | -| Set-AppvClientConfiguration,
                                Set-AppvPublishingServer

                                **-IntegrationRootGlobal**
                                String | Specifies the location to create symbolic links associated with the current version of a globally published package. All virtual application extensions, such as shortcuts and file type associations, will point to this path. If you don't specify a path, symbolic links will not be used when you publish the package. For example, ```%allusersprofile%\\Microsoft\\AppV\\Client\\Integration```. | Policy value not written (same as Not Configured) | +| Set-AppvClientConfiguration

                                **-RoamingFileExclusions**
                                String | Specifies the file paths relative to %userprofile% that don't roam with a user's profile. For example, ```/ROAMINGFILEEXCLUSIONS='desktop;my pictures'``` | | +| Set-AppvClientConfiguration,
                                Set-AppvPublishingServer

                                **-RoamingRegistryExclusions**
                                String | Specifies the registry paths that don't roam with a user profile. For example, ```/ROAMINGREGISTRYEXCLUSIONS=software\\classes;software\\clients``` | Policy value not written (same as Not Configured) | +| Set-AppvClientConfiguration,
                                Set-AppvPublishingServer

                                **-IntegrationRootUser**
                                String | Specifies the location to create symbolic links associated with the current version of a per-user published package. All virtual application extensions, such as shortcuts and file type associations, will point to this path. If you don't specify a path, symbolic links won't be used when you publish the package. For example, ```%localappdata%\\Microsoft\\AppV\\Client\\Integration```. | Policy value not written (same as Not Configured) | +| Set-AppvClientConfiguration,
                                Set-AppvPublishingServer

                                **-IntegrationRootGlobal**
                                String | Specifies the location to create symbolic links associated with the current version of a globally published package. All virtual application extensions, such as shortcuts and file type associations, will point to this path. If you don't specify a path, symbolic links won't be used when you publish the package. For example, ```%allusersprofile%\\Microsoft\\AppV\\Client\\Integration```. | Policy value not written (same as Not Configured) | | Set-AppvClientConfiguration,
                                Set-AppvPublishingServer

                                **-VirtualizableExtensions**
                                String | A comma-delineated list of file name extensions that can be used to determine if a locally installed application can be run in the virtual environment. When shortcuts, FTAs, and other extension points are created during publishing, App-V will compare the file name extension to the list if the application associated with the extension point is locally installed. If the extension is located, the **RunVirtual** command-line parameter will be added, and the application will run virtually. For more information about the **RunVirtual** parameter, see [Running a locally installed application inside a virtual environment with virtualized applications](appv-running-locally-installed-applications-inside-a-virtual-environment.md). | Policy value not written | | Set-AppvClientConfiguration,
                                Set-AppvPublishingServer

                                **-ReportingEnabled**
                                True (enabled); False (Disabled state) | Returns information to a reporting server. | False | | Set-AppvClientConfiguration,
                                Set-AppvPublishingServer

                                **-ReportingServerURL**
                                String | Specifies the location on the reporting server where client information is saved. | Policy value not written (same as Not Configured) | | Set-AppvClientConfiguration,
                                Set-AppvPublishingServer

                                **-ReportingDataCacheLimit**
                                Integer \[0–1024\] | Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over. Set between 0 and 1024. | Policy value not written (same as Not Configured) | -| Set-AppvClientConfiguration,
                                Set-AppvPublishingServer

                                **-ReportingDataBlockSize**
                                Integer \[1024 - Unlimited\] | Specifies the maximum size in bytes to transmit to the server for reporting upload requests. This can help avoid permanent transmission failures when the log has reached a significant size. Set between 1024 and unlimited. | Policy value not written (same as Not Configured) | +| Set-AppvClientConfiguration,
                                Set-AppvPublishingServer

                                **-ReportingDataBlockSize**
                                Integer \[1024 - Unlimited\] | Specifies the maximum size in bytes to transmit to the server for reporting upload requests. This limit can help avoid permanent transmission failures when the log has reached a significant size. Set between 1024 and unlimited. | Policy value not written (same as Not Configured) | | Set-AppvClientConfiguration,
                                Set-AppvPublishingServer

                                **-ReportingStartTime**
                                Integer (0–23) | Specifies the time to initiate the client to send data to the reporting server. You must specify a valid integer between 0–23 corresponding to the hour of the day. By default the **ReportingStartTime** will start on the current day at 10 P.M.or 22.
                                **Note** You should configure this setting to a time when computers running the App-V client are least likely to be offline. | Policy value not written (same as Not Configured) | | Set-AppvClientConfiguration,
                                Set-AppvPublishingServer

                                **-ReportingInterval**
                                Integer | Specifies the retry interval that the client will use to resend data to the reporting server. | Policy value not written (same as Not Configured) | -| Set-AppvClientConfiguration,
                                Set-AppvPublishingServer

                                **-ReportingRandomDelay**
                                Integer \[0 - ReportingRandomDelay\] | Specifies the maximum delay (in minutes) for data to be sent to the reporting server. When the scheduled task is started, the client generates a random delay between 0 and **ReportingRandomDelay** and will wait the specified duration before sending data. This can help to prevent collisions on the server. | Policy value not written (same as Not Configured) | +| Set-AppvClientConfiguration,
                                Set-AppvPublishingServer

                                **-ReportingRandomDelay**
                                Integer \[0 - ReportingRandomDelay\] | Specifies the maximum delay (in minutes) for data to be sent to the reporting server. When the scheduled task is started, the client generates a random delay between 0 and **ReportingRandomDelay** and will wait the specified duration before sending data. This method can help to prevent collisions on the server. | Policy value not written (same as Not Configured) | | Set-AppvClientConfiguration,
                                Set-AppvPublishingServer

                                -EnableDynamicVirtualization
                                1 (Enabled), 0 (Disabled) | Enables supported Shell Extensions, Browser Helper Objects, and Active X controls to be virtualized and run with virtual applications. | | | Set-AppvClientConfiguration,
                                Set-AppvPublishingServer

                                **-EnablePublishingRefreshUI**
                                1 (Enabled), 0 (Disabled) | Enables the publishing refresh progress bar for the computer running the App-V Client. | | | Sync-AppvPublishingServer

                                **-HidePublishingRefreshUI**
                                1 (Enabled), 0 (Disabled) | Hides the publishing refresh progress bar. | | diff --git a/windows/application-management/app-v/appv-connection-group-virtual-environment.md b/windows/application-management/app-v/appv-connection-group-virtual-environment.md index dcd72b455c..2f980556bb 100644 --- a/windows/application-management/app-v/appv-connection-group-virtual-environment.md +++ b/windows/application-management/app-v/appv-connection-group-virtual-environment.md @@ -18,9 +18,9 @@ ms.topic: article ## How package priority is determined -The virtual environment and its current state are associated with the connection group, not with the individual packages. If you remove an App-V package from the connection group, the state that existed as part of the connection group will not migrate with the package. +The virtual environment and its current state are associated with the connection group, not with the individual packages. If you remove an App-V package from the connection group, the state that existed as part of the connection group won't migrate with the package. -If the same package is a part of two different connection groups, you have to indicate which connection group App-V should use. For example, you might have two packages in a connection group that each define the same registry DWORD value. +If the same package is a part of two different connection groups, you have to indicate which connection group App-V should use. For example, you might have two packages in a connection group wherein each defines the same registry DWORD value. The connection group that is used is based on the order in which a package appears inside the **AppConnectionGroup** XML document: @@ -48,12 +48,12 @@ Consider the following example section: Assume that same DWORD value ABC (HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region) is defined in the first and third package. -For this example, the DWORD value definition would be the following: +For this example, the DWORD value definition would be as shown below: - Package 1 (A8731008-4523-4713-83A4-CD1363907160): HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region=5 - Package 3 (04220DCA-EE77-42BE-A9F5-96FD8E8593F2): HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region=10 -Since Package 1 appears first, the AppConnectionGroup's virtual environment will have the single DWORD value of 5 (HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region=5). This means that the virtual applications in Package 1, Package 2, and Package 3 will all see the value 5 when they query for HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region. +Since Package 1 appears first, the AppConnectionGroup's virtual environment will have the single DWORD value of 5 (HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region=5). This result means that the virtual applications in Package 1, Package 2, and Package 3 will all see the value 5 when they query for HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region. Other virtual environment resources are resolved in a similar way, but usually collisions occur in the registry. @@ -72,7 +72,7 @@ The following example shows the order and relationship of a file name lookup in |C:\Windows\System32|C:\Windows\System32| |C:\AppTest|C:\AppTest| -When a virtualized application tries to find a specific file, App-V will first for a matching file path in Package A. If it doesn't find a matching path in Package A, it will then search Package B using the following mapping rules: +When a virtualized application tries to find a specific file, App-V will search for a matching file path in Package A. If it doesn't find a matching path in Package A, it will then search Package B using the following mapping rules: - If a file named **test.txt** exists in the same virtual folder hierarchy in both application packages, App-V will use the first matching file. - If a file named **bar.txt** exists in the virtual folder hierarchy of one application package, but not in the other, App-V will use the first matching file. diff --git a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md index 1088fd28a2..8615309584 100644 --- a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md +++ b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md @@ -38,7 +38,7 @@ The App-V package converter will save the App-V 4.6 installation root folder and 2. You can enter the following cmdlets to check or convert packages: - - **Test-AppvLegacyPackage**—This cmdlet checks packages. It will return information about any failures with the package such as missing **.sft** files, an invalid source, **.osd** file errors, or invalid package version. This cmdlet will not parse the **.sft** file or do any in-depth validation. For information about options and basic functionality for this cmdlet, using Windows PowerShell, enter the following cmdlet: + - **Test-AppvLegacyPackage**—This cmdlet checks packages. It will return information about any failures with the package such as missing **.sft** files, an invalid source, **.osd** file errors, or invalid package version. This cmdlet won't parse the **.sft** file or do any in-depth validation. For information about options and basic functionality for this cmdlet, using Windows PowerShell, enter the following cmdlet: ```PowerShell Test-AppvLegacyPackage -? @@ -50,9 +50,9 @@ The App-V package converter will save the App-V 4.6 installation root folder and ConvertFrom-AppvLegacyPackage C:\contentStore C:\convertedPackages ``` - In this cmdlet, `C:\contentStore` represents the location of the existing package and `C:\convertedPackages` is the output directory to which the resulting App-V for Windows client virtual application package file will be saved. By default, if you do not specify a new name, the old package name will be used. + In this cmdlet, `C:\contentStore` represents the location of the existing package and `C:\convertedPackages` is the output directory to which the resulting App-V for Windows client virtual application package file will be saved. By default, if you don't specify a new name, the old package name will be used. - Additionally, the package converter optimizes performance of packages in App-V for Windows client by setting the package to stream fault the App-V package.  This is more performant than the primary feature block and fully downloading the package. The flag **DownloadFullPackageOnFirstLaunch** allows you to convert the package and set the package to be fully downloaded by default. + Additionally, the package converter optimizes performance of packages in App-V for Windows client by setting the package to stream fault the App-V package.  This definition of setting is more performant than the primary feature block and fully downloading the package. The flag **DownloadFullPackageOnFirstLaunch** allows you to convert the package and set the package to be fully downloaded by default. > [!NOTE] > Before you specify the output directory, you must create the output directory. @@ -71,9 +71,9 @@ The App-V package converter will save the App-V 4.6 installation root folder and dir .\ | Test-AppvLegacyPackage | ConvertFrom-AppvLegacyAppvPackage -Target .\ConvertedPackages ``` - This piped example command tests packages, then passes the objects on for conversion. You can also apply a filter on packages without errors or only specify a directory which contains an **.sprj** file or pipe them to another cmdlet that adds the filtered package to the server or publishes them to the App-V client. + This piped example command tests packages, then passes the objects on for conversion. You can also apply a filter on packages without errors or only specify a directory that contains an **.sprj** file or pipe them to another cmdlet that adds the filtered package to the server or publishes them to the App-V client. -- Batching—The Windows PowerShell command enables batching. More specifically, the cmdlets support taking a string\[\] object for the *-Source* parameter that represents a list of directory paths. This allows you to enter the following cmdlets together: +- Batching—The Windows PowerShell command enables batching. More specifically, the cmdlets support taking a string\[\] object for the *-Source* parameter that represents a list of directory paths. This feature allows you to enter the following cmdlets together: ```PowerShell $packages = dir C:\contentStore diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator.md b/windows/application-management/app-v/appv-create-a-package-accelerator.md index c9eff04f48..d3d32ba71c 100644 --- a/windows/application-management/app-v/appv-create-a-package-accelerator.md +++ b/windows/application-management/app-v/appv-create-a-package-accelerator.md @@ -51,7 +51,7 @@ Use the following procedure to create a package accelerator. 5. If the application is already installed on the computer running the sequencer, then select **Files installed on local system** to specify the installation file. To use this option, the application must already be installed in the default installation location. -6. On the **Gathering Information** page, review the files that you couldn't find in the location specified by the **Installation Files** page. If the files displayed are not required, select **Remove these files**, then select **Next**. If the files are required, select **Previous** and copy the required files to the directory specified on the **Installation Files** page. +6. On the **Gathering Information** page, review the files that you couldn't find in the location specified by the **Installation Files** page. If the files displayed aren't required, select **Remove these files**, then select **Next**. If the files are required, select **Previous** and copy the required files to the directory specified on the **Installation Files** page. > [!NOTE] >You must either remove the unrequired files or select **Previous** and locate the required files to advance to the next page of this wizard. @@ -60,7 +60,7 @@ Use the following procedure to create a package accelerator. 8. Confirm that the **Verify Applications** page displays all installation files required to build the package. The package accelerator requires all installation files displayed in the **Applications** pane in order to create the package. - If you need to add additional Installer files, select **Add**. To remove unnecessary installation files, select the **Installer file**, then select **Delete**. To edit the properties associated with an installer, select **Edit**. The package accelerator requires the installation files specified in this step to create a new virtual application package. After you have confirmed the information displayed, select **Next**. + If you need to add more Installer files, select **Add**. To remove unnecessary installation files, select the **Installer file**, then select **Delete**. To edit the properties associated with an installer, select **Edit**. The package accelerator requires the installation files specified in this step to create a new virtual application package. After you've confirmed the information displayed, select **Next**. 9. On the **Select Guidance** page, select **Browse** to specify the file that will provide the package accelerator with application instructions. For example, this file can contain information about how the computer running the Sequencer should be configured, application prerequisite information for target computers, and general notes. You should provide all required information for successful package accelerator application. The file you select must be in rich text (.rtf) or text file (.txt) format. After specifying the file, select **Next**. diff --git a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md index 6a372fbbdf..e1665ced63 100644 --- a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md +++ b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md @@ -16,7 +16,7 @@ ms.topic: article [!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] -After you have properly deployed the Microsoft Application Virtualization (App-V) sequencer, you can use it to monitor and record the installation and setup process for an application to be run as a virtualized application. +After you've properly deployed the Microsoft Application Virtualization (App-V) sequencer, you can use it to monitor and record the installation and setup process for an application to be run as a virtualized application. For more information about configuring the App-V sequencer, sequencing best practices, and an example of creating and updating a virtual application, see the [Microsoft Application Virtualization 5.0 Sequencing Guide](https://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V%205.0%20Sequencing%20Guide.docx). @@ -42,7 +42,7 @@ When you use the sequencer to create a new virtual application, the following li - **.msi file**. This Windows Installer (.msi) file is created by the sequencer and is used to install the virtual package on target computers. - **Report.xml file**. In this file, the sequencer saves all issues, warnings, and errors that were discovered during sequencing. It displays the information after the package has been created. You can us this report for diagnosing and troubleshooting. -- **.appv file**. This is the virtual application file. +- **.appv file**. This file is the virtual application file. - **Deployment configuration file**. The deployment configuration file determines how the virtual application will be deployed to target computers. - **User configuration file**. The user configuration file determines how the virtual application will run on target computers. @@ -57,7 +57,7 @@ The **Options** dialog box in the sequencer console contains the following tabs: >Package Accelerators created using App-V 4.6 are not supported by App-V. - **Parse Items**. This tab displays the associated file path locations that will be parsed or tokenized into in the virtual environment. Tokens are useful for adding files using the **Package Files** tab in **Advanced Editing**. -- **Exclusion Items**. Use this tab to specify which folders and directories should not be monitored during sequencing. To add local application data that is saved in the Local App Data folder in the package, click **New** and specify the location and the associated **Mapping Type**. This option is required for some packages. +- **Exclusion Items**. Use this tab to specify which folders and directories shouldn't be monitored during sequencing. To add local application data that is saved in the Local App Data folder in the package, click **New** and specify the location and the associated **Mapping Type**. This option is required for some packages. App-V supports applications that include Microsoft Windows Services. If an application includes a Windows service, the service will be included in the sequenced virtual package as long as it's installed while being monitored by the sequencer. If a virtual application creates a Windows service when it initially runs, then after installation, the application must be run while the sequencer is monitoring for the Windows Service to be included in the package. Only services running under the Local System account are supported. Services configured for AutoStart or Delayed AutoStart are started before the first virtual application in a package runs inside the package’s Virtual Environment. Windows Services that are configured to be started on demand by an application are started when the virtual application inside the package starts the Service via API call. @@ -73,7 +73,7 @@ Shell extensions are automatically embedded in the package during the sequencing ### Requirements for using shell extensions -- Packages that contain embedded shell extensions must be published globally. The application requires no additional setup or configuration on the client to enable the shell extension functionality. +- Packages that contain embedded shell extensions must be published globally. The application requires no extra setup or configuration on the client to enable the shell extension functionality. - The “bitness” of the application, Sequencer, and App-V client must match, or the shell extensions won’t work. For example: - The version of the application is 64-bit. - The Sequencer is running on a 64-bit computer. @@ -86,7 +86,7 @@ The following table lists the supported shell extensions: |Context menu handler|Adds menu items to the context menu. It's called before the context menu is displayed.| |Drag-and-drop handler|Controls the action where right-click, drag and drop, and modifies the context menu that appears.| |Drop target handler|Controls the action after a data object is dragged and dropped over a drop target such as a file.| -|Data object handler|Controls the action after a file is copied to the clipboard or dragged and dropped over a drop target. It can provide additional clipboard formats to the drop target.| +|Data object handler|Controls the action after a file is copied to the clipboard or dragged and dropped over a drop target. It can provide more clipboard formats to the drop target.| |Property sheet handler|Replaces or adds pages to the property sheet dialog box of an object.| |Infotip handler|Allows retrieving flags and infotip information for an item and displaying it inside a pop-up tooltip upon mouse hover.| |Column handler|Allows creating and displaying custom columns in **Windows Explorer Details view**. It can be used to extend sorting and grouping.| @@ -94,9 +94,9 @@ The following table lists the supported shell extensions: ## Copy on Write (CoW) file extension support -Copy on write (CoW) file extensions allow App-V to dynamically write to specific locations contained in the virtual package while it is being used. +Copy on write (CoW) file extensions allow App-V to dynamically write to specific locations contained in the virtual package while it's being used. -The following list shows the file types that can exist in a virtual package under the VFS directory, since App-V 5.1, but which cannot be updated on the computer running the App-V client. All other files and directories can be modified. +The following list shows the file types that can exist in a virtual package under the VFS directory, since App-V 5.1, but which can't be updated on the computer running the App-V client. All other files and directories can be modified. - .com - .exe @@ -105,13 +105,13 @@ The following list shows the file types that can exist in a virtual package unde ## Modifying an existing virtual application package -You can use the sequencer to modify an existing package. The computer on which you do this should match the chip architecture of the computer you used to create the application. For example, if you initially sequenced a package using a computer running a 64-bit operating system, you should modify the package using a computer running a 64-bit operating system. +You can use the sequencer to modify an existing package. The computer on which you do this modification should match the chip architecture of the computer you used to create the application. For example, if you initially sequenced a package using a computer running a 64-bit operating system, you should modify the package using a computer running a 64-bit operating system. For more information, see [How to Modify an Existing Virtual Application Package](appv-modify-an-existing-virtual-application-package.md). ## Creating a project template -An App-V project template (.appvt) file is a project template that can be used to save commonly applied, customized settings. You can then more easily use these settings for future sequencings. App-V project templates differ from App-V Application Accelerators because App-V Application Accelerators are application-specific, and App-V project templates can be applied to multiple applications. Additionally, you cannot use a project template when you use a Package Accelerator to create a virtual application package. The following general settings are saved with an App-V project template: +An App-V project template (.appvt) file is a project template that can be used to save commonly applied, customized settings. You can then more easily use these settings for future sequencings. App-V project templates differ from App-V Application Accelerators because App-V Application Accelerators are application-specific, and App-V project templates can be applied to multiple applications. Additionally, you can't use a project template when you use a Package Accelerator to create a virtual application package. The following general settings are saved with an App-V project template: A template can specify and store multiple settings as follows: @@ -131,11 +131,11 @@ For more information, see [How to Create and Use a Project Template](appv-create >[!NOTE] >Package accelerators created using a previous version of App-V must be recreated using App-V. -You can use App-V package accelerators to automatically generate a new virtual application packages. After you have successfully created a package accelerator, you can reuse and share the package accelerator. +You can use App-V package accelerators to automatically generate a new virtual application package. After you've successfully created a package accelerator, you can reuse and share the package accelerator. In some situations, to create the package accelerator, you might have to install the application locally on the computer that runs the sequencer. In such cases, you should first try to create the package accelerator with the installation media. If multiple missing files are required, you should install the application locally to the computer that runs the sequencer, and then create the package accelerator. -After you have successfully created a Package Accelerator, you can reuse and share the Package Accelerator. Creating App-V Package Accelerators is an advanced task. Package Accelerators can contain password and user-specific information. Therefore you must save Package Accelerators and the associated installation media in a secure location, and you should digitally sign the Package Accelerator after you create it so that the publisher can be verified when the App-V Package Accelerator is applied. +After you've successfully created a Package Accelerator, you can reuse and share the Package Accelerator. Creating App-V Package Accelerators is an advanced task. Package Accelerators can contain password and user-specific information. Therefore you must save Package Accelerators and the associated installation media in a secure location, and you should digitally sign the Package Accelerator after you create it so that the publisher can be verified when the App-V Package Accelerator is applied. For more information, see the following articles: diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md index e895318669..6e65c2d5b8 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md @@ -59,7 +59,7 @@ Complete the following steps to create an Office 2013 package for App-V or later ### Review prerequisites for using the Office Deployment Tool -Before you start, make sure that the computer on which you are installing the Office Deployment Tool has the following: +Before you start, ensure that the computer on which you're installing the Office Deployment Tool has the following prerequisites fulfilled: |Prerequisite|Description| |---|---| @@ -95,7 +95,7 @@ The XML file included in the Office Deployment Tool specifies the product detail 1. Open the sample XML file in Notepad or your favorite text editor. - 2. With the sample configuration.xml file open and ready for editing, you can specify products, languages, and the path to which you save the Office 2013 applications. The following is a basic example of the configuration.xml file: + 2. With the sample configuration.xml file open and ready for editing, you can specify products, languages, and the path to which you save the Office 2013 applications. The following example denotes a configuration.xml file: ```XML @@ -113,30 +113,30 @@ The XML file included in the Office Deployment Tool specifies the product detail > [!NOTE] >The configuration XML is a sample XML file. This file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file. - The previous example of an XML configuration file specifies that Office 2013 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office 2013, which is the location where Office applications will be saved to. Note that the Product ID of the applications will not affect the final licensing of Office. Office 2013 App-V packages with various licensing can be created from the same applications by specifying licensing in a later stage. For more information, see [Customizable attributes and elements of the XML file](#customizable-attributes-and-elements-of-the-xml-file), later in this topic. + The previous example of an XML configuration file specifies that Office 2013 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office 2013, which is the location where Office applications will be saved to. The Product ID of the applications won't affect the final licensing of Office. Office 2013 App-V packages with various licensing can be created from the same applications by specifying licensing in a later stage. For more information, see [Customizable attributes and elements of the XML file](#customizable-attributes-and-elements-of-the-xml-file), later in this topic. - After editing the configuration.xml file to specify the desired product, languages, and also the location which the Office 2013 applications will be saved onto, you can save the configuration file, for example, as Customconfig.xml. -2. **Download the applications into the specified location:** Use an elevated command prompt and a 64-bit operating system to download the Office 2013 applications that will later be converted into an App-V package. The following is an example command: + After editing the configuration.xml file to specify the desired product, languages, and also the location that the Office 2013 applications will be saved onto, you can save the configuration file, for example, as Customconfig.xml. +2. **Download the applications into the specified location:** Use an elevated command prompt and a 64-bit operating system to download the Office 2013 applications that will later be converted into an App-V package. An example command is: ```PowerShell \\server\Office2013\setup.exe /download \\server\Office2013\Customconfig.xml ``` - The following is a table that describes each element of the command: + The following table describes each element of the command: |Element|Description| |---|---| - |```\\server\Office2013```|This is the network share location that contains the Office Deployment Tool and the custom Configuration.xml file, **Customconfig.xml**.| - |```setup.exe```|This is the Office Deployment Tool.| - |```/download```|This downloads the Office 2013 applications that you specify in the **Customconfig.xml** file. These bits can be later converted in an Office 2013 App-V package with Volume Licensing.| - |```\\server\Office2013\Customconfig.xml```|This passes the XML configuration file required to complete the download process. In this example, the file used is **Customconfig.xml**. After using the download command, Office applications should be found in the location specified in the XML configuration file, which in this example is ```\\Server\Office2013```.| + |```\\server\Office2013```|This network share location is the one that contains the Office Deployment Tool and the custom Configuration.xml file, **Customconfig.xml**.| + |```setup.exe```|This element is the Office Deployment Tool.| + |```/download```|This element downloads the Office 2013 applications that you specify in the **Customconfig.xml** file. These bits can be later converted in an Office 2013 App-V package with Volume Licensing.| + |```\\server\Office2013\Customconfig.xml```|This element passes the XML configuration file required to complete the download process. In this example, the file used is **Customconfig.xml**. After the download command is used, Office applications should be found in the location specified in the XML configuration file, which in this example is ```\\Server\Office2013```.| #### Customizable attributes and elements of the XML file |Input and description|Example| |---|---| |Add element:
                                Specifies the products and languages to include in the package.|N/A| -|OfficeClientEdition (attribute of Add element):
                                Specifies the edition of Office 2013 product to use: 32-bit or 64-bit. The operation fails if **OfficeClientEdition** is not set to a valid value.|```OfficeClientEdition="32"```
                                ```OfficeClientEdition="64"```| +|OfficeClientEdition (attribute of Add element):
                                Specifies the edition of Office 2013 product to use: 32-bit or 64-bit. The operation fails if **OfficeClientEdition** isn't set to a valid value.|```OfficeClientEdition="32"```
                                ```OfficeClientEdition="64"```| |Product element:
                                Specifies the application. Project 2013 and Visio 2013 must be specified here as an added product to be included in the applications.|```Product ID="O365ProPlusRetail"```
                                ```Product ID="VisioProRetail"```
                                ```Product ID="ProjectProRetail"```
                                ```Product ID="ProPlusVolume"```
                                ```Product ID="ProjectProVolume"```| |Language element:
                                Specifies the language supported in the applications.|```Language ID="en-us"```| |Version (attribute of Add element):
                                Optional. Specifies a build to use for the package. Defaults to latest advertised build (as defined in v32.CAB at the Office source).|```15.1.2.3```| @@ -220,11 +220,11 @@ After you download the Office 2013 applications through the Office Deployment To |Element|Description| |---|---| - |```\\server\Office2013```|This is the network share location that contains the Office Deployment Tool and the custom Configuration.xml file, which in this example is named **Customconfig.xml**.| - |```setup.exe```|This is the Office Deployment Tool.| - |```/packager```|This creates the Office 2013 App-V package with Volume Licensing as specified in the **Customconfig.xml** file.| - |```\\server\Office2013\Customconfig.xml```|This passes the configuration XML file, which in this example is named "Customconfig," that has been prepared for the packaging stage.| - |```\\server\share\Office2013AppV```|This specifies the location of the newly created Office App-V package.| + |```\\server\Office2013```|This network share location is the one that contains the Office Deployment Tool and the custom Configuration.xml file, which in this example is named **Customconfig.xml**.| + |```setup.exe```|This element is the Office Deployment Tool.| + |```/packager```|This element creates the Office 2013 App-V package with Volume Licensing as specified in the **Customconfig.xml** file.| + |```\\server\Office2013\Customconfig.xml```|This element passes the configuration XML file, which in this example is named "Customconfig," that has been prepared for the packaging stage.| + |```\\server\share\Office2013AppV```|This element specifies the location of the newly created Office App-V package.| After you run the **/packager** command, the following folders will appear in the directory where you specified the package should be saved: @@ -303,7 +303,7 @@ Use the steps in this section to enable Office plug-ins with your Office package ### Disabling Office 2013 applications -You may want to disable specific applications in your Office App-V package. For instance, you can disable Access, but leave all other Office application main available. When you disable an application, the end user will no longer see the shortcut for that application. You do not have to re-sequence the application. When you change the Deployment Configuration File after the Office 2013 App-V package has been published, you will save the changes, add the Office 2013 App-V package, then republish it with the new Deployment Configuration File to apply the new settings to Office 2013 App-V Package applications. +You may want to disable specific applications in your Office App-V package. For instance, you can disable Access, but leave all other Office application main available. When you disable an application, the end user will no longer see the shortcut for that application. You don't have to re-sequence the application. When you change the Deployment Configuration File after the Office 2013 App-V package has been published, you'll save the changes, add the Office 2013 App-V package, then republish it with the new Deployment Configuration File to apply the new settings to Office 2013 App-V Package applications. >[!NOTE] >To exclude specific Office applications (for example, Access and InfoPath) when you create the App-V package with the Office Deployment Tool, use the **ExcludeApp** setting. For more information, see [Reference for Click-to-Run configuration.xml file](/DeployOffice/configuration-options-for-the-office-2016-deployment-tool#excludeapp-element). @@ -371,7 +371,7 @@ You may want to disable shortcuts for certain Office applications instead of unp 3. Save the Deployment Configuration File. 4. Republish Office 2013 App-V Package with new Deployment Configuration File. -Many additional settings can be changed through modifying the Deployment Configuration for App-V packages, for example, file type associations, Virtual File System, and more. For additional information on how to use Deployment Configuration Files to change App-V package settings, refer to the additional resources section at the end of this document. +Many more settings can be changed through modifying the Deployment Configuration for App-V packages, for example, file type associations, Virtual File System, and more. For additional information on how to use Deployment Configuration Files to change App-V package settings, refer to the additional resources section at the end of this document. ### Managing Office 2013 package upgrades diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md index 6899ee3213..6b08ffdfb3 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md @@ -55,11 +55,11 @@ The following table describes the recommended methods for excluding specific Off Complete the following steps to create an Office 2016 package for App-V. >[!IMPORTANT] ->In App-V 5.0 and later, you must use the Office Deployment Tool to create a package. You cannot use the Sequencer to create packages. +>In App-V 5.0 and later, you must use the Office Deployment Tool to create a package. You can't use the Sequencer to create packages. ### Review prerequisites for using the Office Deployment Tool -The computer on which you are installing the Office Deployment Tool must have the following: +The computer on which you're installing the Office Deployment Tool must have the following: | Prerequisite | Description | |----------------------|--------------------| @@ -77,7 +77,7 @@ Create Office 2016 App-V packages on 64-bit Windows computers. Once created, the ### Download the Office Deployment Tool -Office 2016 App-V packages are created using the Office Deployment Tool, which generates an Office 2016 App-V Package. The package cannot be created or modified through the App-V sequencer. To begin package creation, follow these steps: +Office 2016 App-V packages are created using the Office Deployment Tool, which generates an Office 2016 App-V Package. The package can't be created or modified through the App-V sequencer. To begin package creation, follow these steps: 1. Download the [Office 2016 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117). @@ -114,7 +114,7 @@ The XML file included in the Office Deployment Tool specifies the product detail > [!NOTE] >The configuration XML is a sample XML file. The file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file. To uncomment these lines, remove the `````` from the end of the line. - The previous example of an XML configuration file specifies that Office 2016 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office2016 location where Office applications will be saved. Note that the Product ID of the applications will not affect Office's final licensing. You can create Office 2016 App-V packages with various licensing from the same applications by specifying licensing in a later stage. The following table summarizes the XML file's customizable attributes and elements: + The previous example of an XML configuration file specifies that Office 2016 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office2016 location where Office applications will be saved. The Product ID of the applications won't affect Office's final licensing. You can create Office 2016 App-V packages with various licensing from the same applications by specifying licensing in a later stage. The following table summarizes the XML file's customizable attributes and elements: | Input | Description | Example | |--------------|----------------------------|----------------| @@ -127,7 +127,7 @@ The XML file included in the Office Deployment Tool specifies the product detail | Channel (part of **Add** element) | Optional. Defines which channel will be used to update Office after installation.
                                The default is **Deferred** for Microsoft 365 Apps for enterprise and **Current** for Visio Pro for Office 365 and Project Desktop Client.
                                For more information about update channels, see [Overview of update channels for Microsoft 365 Apps for enterprise](/DeployOffice/overview-of-update-channels-for-office-365-proplus). | `Channel="Current"`
                                `Channel="Deferred"`
                                `Channel="FirstReleaseDeferred"`
                                `Channel="FirstReleaseCurrent"` | After editing the **configuration.xml** file to specify the desired product, languages, and the location where the Office 2016 applications will be saved to, you can save the configuration file under a name of your choice, such as "Customconfig.xml." -2. **Download the applications into the specified location:** Use an elevated command prompt and a 64-bit operating system to download the Office 2016 applications that will later be converted into an App-V package. The following is an example command: +2. **Download the applications into the specified location:** Use an elevated command prompt and a 64-bit operating system to download the Office 2016 applications that will later be converted into an App-V package. An example command is: `\\server\Office2016\setup.exe /download \\server\Office2016\Customconfig.xml` @@ -135,10 +135,10 @@ After editing the **configuration.xml** file to specify the desired product, lan | Element | Description | |-------------------------------|--------------------------------------| - | ```\\server\Office2016``` | This is the network share location that contains the Office Deployment Tool and the custom **Configuration.xml** file, which in this example is **Customconfig.xml**. | - | ``Setup.exe`` | This is the Office Deployment Tool. | + | ```\\server\Office2016``` | This network share location is the one that contains the Office Deployment Tool and the custom **Configuration.xml** file, which in this example is **Customconfig.xml**. | + | ``Setup.exe`` | This element is the Office Deployment Tool. | | ```/download``` | Downloads the Office 2016 applications that you specify in the **Customconfig.xml** file. | - | ```\\server\Office2016\Customconfig.xml```| This passes the XML configuration file required to complete the download process. In this example, the file used is **Customconfig.xml**. After using the download command, Office applications should be found in the location specified in the configuration file, which in this example is ```\\Server\Office2016```. | + | ```\\server\Office2016\Customconfig.xml```| This element passes the XML configuration file required to complete the download process. In this example, the file used is **Customconfig.xml**. After the download command is used, Office applications should be found in the location specified in the configuration file, which in this example is ```\\Server\Office2016```. | ### Convert the Office applications into an App-V package @@ -194,7 +194,7 @@ After you download the Office 2016 applications through the Office Deployment To >Even if you use unique package IDs, you can still deploy only one App-V package to a single device. 2. Use the /packager command to convert the Office applications to an Office 2016 App-V package. - The following is an example packager command: + An example packager command is: ```syntax \\server\Office2016\setup.exe /packager \\server\Office2016\Customconfig.xml \\server\share\Office2016AppV @@ -204,11 +204,11 @@ After you download the Office 2016 applications through the Office Deployment To | Element | Description | |-------------------------------|--------------------------------------| - |```\\server\Office2016```|This is the network share location that contains the Office Deployment Tool and the custom Configuration.xml file, which in this example is Customconfig.xml.| - |```Setup.exe```|This is the Office Deployment Tool.| + |```\\server\Office2016```|This network share location is the one that contains the Office Deployment Tool and the custom Configuration.xml file, which in this example is Customconfig.xml.| + |```Setup.exe```|This element is the Office Deployment Tool.| |```/packager```|This command creates the Office 2016 App-V package with the license type specified in the Customconfig.xml file.| - |```\\server\Office2016\Customconfig.xml```|This passes the configuration XML file that has been prepared for the packaging stage. In this example, the file is Customconfig.xml.| - |```\\server\share\Office2016AppV```|This specifies the location of the newly created Office App-V package.| + |```\\server\Office2016\Customconfig.xml```|This element passes the configuration XML file that has been prepared for the packaging stage. In this example, the file is Customconfig.xml.| + |```\\server\share\Office2016AppV```|This element specifies the location of the newly created Office App-V package.| After you run the **/packager** command, the following folders appear up in the directory where you specified the package should be saved: @@ -249,7 +249,7 @@ Run the following command to publish an Office package globally: Add-AppvClientPackage | Publish-AppvClientPackage -global ``` -* You can add permissions to a group of computers instead of just a user group through the Web Management Console on the App-V Server. This lets packages be published globally to the computers in the corresponding group. +* You can add permissions to a group of computers instead of just a user group through the Web Management Console on the App-V Server. This feature lets packages be published globally to the computers in the corresponding group. ## Customizing and managing Office App-V packages @@ -286,7 +286,7 @@ The following steps will tell you how to enable Office plug-ins with your Office ### Disabling Office 2016 applications -You can also disable specific applications in your Office App-V package. For example, if you don't want to use Access, you can disable Access while leaving all other Office applications available. When you disable an application, the user will no longer see its shortcut icon. You don't need to re-sequence the application to do this. When you change the Deployment Configuration File after the Office 2016 App-V package has been published, just save the changes and add the Office 2016 App-V package, then republish it with the new Deployment Configuration File to apply the new settings to Office 2016 App-V Package applications. +You can also disable specific applications in your Office App-V package. For example, if you don't want to use Access, you can disable Access while leaving all other Office applications available. When you disable an application, the user will no longer see its shortcut icon. You don't need to re-sequence the application to disable it. When you change the Deployment Configuration File after the Office 2016 App-V package has been published, just save the changes and add the Office 2016 App-V package, then republish it with the new Deployment Configuration File to apply the new settings to Office 2016 App-V Package applications. >[!NOTE] >To exclude specific Office applications when you create the App-V package with the Office Deployment Tool, use the **ExcludeApp** setting. @@ -349,7 +349,7 @@ You may want to disable shortcuts for certain Office applications instead of unp 3. Save the Deployment Configuration File. 4. Republish the Office 2016 App-V Package with the new Deployment Configuration File. -Many additional settings can be changed through modifying the Deployment Configuration for App-V packages, for example, file type associations, Virtual File System, and more. For additional information on how to use Deployment Configuration Files to change App-V package settings, refer to the additional resources section at the end of this document. +Many more settings can be changed through modifying the Deployment Configuration for App-V packages, for example, file type associations, Virtual File System, and more. For additional information on how to use Deployment Configuration Files to change App-V package settings, refer to the additional resources section at the end of this document. ### Managing Office 2016 package upgrades @@ -372,7 +372,7 @@ The following table describes the requirements and options for deploying Visio 2 | Task | Details | |---------------------|---------------| -| How do I package and publish Visio 2016 and Project 2016 with Office? | You must include Visio 2016 and Project 2016 in the same package with Office.
                                If you are not deploying Office, you can create a package that contains Visio and/or Project, as long as you follow the packaging, publishing, and deployment requirements described in this topic. | +| How do I package and publish Visio 2016 and Project 2016 with Office? | You must include Visio 2016 and Project 2016 in the same package with Office.
                                If you're not deploying Office, you can create a package that contains Visio and/or Project, as long as you follow the packaging, publishing, and deployment requirements described in this topic. | | How can I deploy Visio 2016 and Project 2016 to specific users? | Use one of the following methods:
                                **To create two different packages and deploy each one to a different group of users**:
                                Create and deploy the following packages:
                                - A package that contains only Office—deploy to computers whose users need only Office.
                                - A package that contains Office, Visio, and Project—deploy to computers whose users need all three applications.

                                **To create only one package for the whole organization, or to create a package intended for users who share computers**:
                                1. Create a package that contains Office, Visio, and Project.
                                2. Deploy the package to all users.
                                3. Use [AppLocker](/windows/security/threat-protection/applocker/applocker-overview) to prevent specific users from using Visio and Project. | ## Related topics From c4f44840d71f71715ae200d6e1a261315c557932 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 18 Feb 2022 17:58:39 +0530 Subject: [PATCH 35/68] updates --- ...deploying-the-appv-sequencer-and-client.md | 14 +++--- .../app-v/appv-dynamic-configuration.md | 38 +++++++-------- ...ctronic-software-distribution-solutions.md | 4 +- .../app-v/appv-getting-started.md | 4 +- .../app-v/appv-high-level-architecture.md | 6 +-- ...ed-security-identifiers-with-powershell.md | 4 +- ...-a-stand-alone-computer-with-powershell.md | 2 +- ...grating-to-appv-from-a-previous-version.md | 14 +++--- ...an-existing-virtual-application-package.md | 22 ++++----- ...ove-the-appv-server-to-another-computer.md | 4 +- .../app-v/appv-operations.md | 2 +- .../app-v/appv-performance-guidance.md | 48 +++++++++---------- 12 files changed, 81 insertions(+), 81 deletions(-) diff --git a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md index bfd34cfcaa..16674d7822 100644 --- a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md +++ b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md @@ -16,7 +16,7 @@ ms.topic: article [!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] -The App-V Sequencer and client let administrators to virtualize and run virtual applications. +The App-V Sequencer and client let administrators virtualize and run virtual applications. ## Enable the client @@ -35,12 +35,12 @@ The App-V client stores its configuration in the registry. Understanding the for You can use Group Policy to configure the client settings for the App-V client and the Remote Desktop Services client. -To manage the ADMX template, perform the following steps on the computer that you will use to manage Group Policy. This is typically the Domain Controller. +To manage the ADMX template, perform the following steps on the computer that you'll use to manage Group Policy. This computer is typically the Domain Controller. 1. Save the **.admx** file to the following directory: ```Windows\PolicyDefinitions``` 2. Save the **.adml** file to the following directory: ```Windows\PolicyDefinitions\``` -After you have completed the preceding steps, you can use Group Policy to configure the client settings by using the Group Policy Management Console under **Computer Configuration** > **Administrative Templates** > **System** > **App-V**. +After you've completed the preceding steps, you can use Group Policy to configure the client settings by using the Group Policy Management Console under **Computer Configuration** > **Administrative Templates** > **System** > **App-V**. ## Understanding Shared Content Store mode for App-V clients @@ -49,16 +49,16 @@ App-V Shared Content Store (SCS) mode lets SCS App-V clients run virtualized app >[!IMPORTANT] >If the App-V client is configured to run in the SCS mode, the location where the App-V packages are streamed from must be available, otherwise, the virtualized package will fail. Additionally, we do not recommend deployment of virtualized applications to computers that run the App-V client in the SCS mode across the internet. -Additionally, the SCS is not a physical location that contains virtualized packages. It is a mode that allows the App-V client to stream the required virtualized package data across the network. +Additionally, the SCS isn't a physical location that contains virtualized packages. It's a mode that allows the App-V client to stream the required virtualized package data across the network. The SCS mode is helpful in the following scenarios: * Virtual desktop infrastructure (VDI) deployments * Remote Desktop Services deployments -To use SCS in your environment, you must configure the App-V client to run in SCS mode, as it does not use SCS mode by default. +To use SCS in your environment, you must configure the App-V client to run in SCS mode, as it doesn't use SCS mode by default. -There might be cases when the administrator pre-loads some virtual applications on the computer that runs the App-V client in SCS mode. This can be accomplished with Windows PowerShell commands to add, publish, and mount the package. For example, if a package is pre-loaded on all computers, the administrator could add, publish, and mount the package by using Windows PowerShell commands. The package would not stream across the network because it would be locally stored. +There might be cases when the administrator pre-loads some virtual applications on the computer that runs the App-V client in SCS mode. This pre-load operation can be rendered a successful one with Windows PowerShell commands to add, publish, and mount the package. For example, if a package is pre-loaded on all computers, the administrator could add, publish, and mount the package by using Windows PowerShell commands. The package wouldn't stream across the network because it would be locally stored. ### Configure the Group Policy setting for the SCS Mode for App-V clients @@ -77,7 +77,7 @@ Set-AppvClientConfiguration -SharedContentStoreMode 1 ## Deploy the Sequencer -The Sequencer is a tool that is used to convert standard applications into virtual packages for deployment to computers that run the App-V client. The Sequencer helps provide a simple and predictable conversion process with minimal changes to prior sequencing workflows. In addition, the Sequencer allows users to more easily configure applications to enable connections of virtualized applications. +The Sequencer is a tool that is used to convert standard applications into virtual packages for deployment to computers that run the App-V client. The Sequencer helps provide a predictable conversion process with minimal changes to prior sequencing workflows. In addition, the Sequencer allows users to more easily configure applications to enable connections of virtualized applications. For a list of changes in the App-V Sequencer, see [What's new in App-V](appv-about-appv.md). diff --git a/windows/application-management/app-v/appv-dynamic-configuration.md b/windows/application-management/app-v/appv-dynamic-configuration.md index 26a4d6b23c..a26e03608d 100644 --- a/windows/application-management/app-v/appv-dynamic-configuration.md +++ b/windows/application-management/app-v/appv-dynamic-configuration.md @@ -18,16 +18,16 @@ ms.topic: article You can use dynamic configuration to customize an App-V package for a user. This article will tell you how to create or edit an existing dynamic configuration file. -When you edit the Dynamic Configuration file, it customizes how an App-V package will run for a user or group. This makes package customization more convenient by removing the need to resequence packages using the desired settings and provides a way to keep package content and custom settings independent. +When you edit the Dynamic Configuration file, it customizes how an App-V package will run for a user or group. Therefore, package customization is made more convenient by removing the need to resequence packages using the desired settings and provides a way to keep package content and custom settings independent. ## Advanced: dynamic configuration -Virtual application packages contain a manifest that provides all the core information for the package. This information includes the defaults for the package settings and determines settings in the most basic form (with no additional customization). If you want to adjust these defaults for a particular user or group, you can create and edit the following files: +Virtual application packages contain a manifest that provides all the core information for the package. This information includes the defaults for the package settings and determines settings in the most basic form (with no further customization). If you want to adjust these defaults for a particular user or group, you can create and edit the following files: - User Configuration file - Deployment Configuration file -These .xml files specify package settings let you customize packages without directly affecting the packages. When a package is created, the sequencer automatically generates default deployment and user configuration .xml files using the package manifest data. These automatically generated configuration files reflect the package's default settings that were configured during sequencing. If you apply these configuration files to a package in the form generated by the sequencer, the packages will have the same default settings that came from their manifest. This provides you with a package-specific template to get started if any of the defaults must be changed. +These .xml files specify package settings let you customize packages without directly affecting the packages. When a package is created, the sequencer automatically generates default deployment and user configuration .xml files using the package manifest data. These automatically generated configuration files reflect the package's default settings that were configured during sequencing. If you apply these configuration files to a package in the form generated by the sequencer, the packages will have the same default settings that came from their manifest. This result provides you with a package-specific template to get started if any of the defaults must be changed. >[!NOTE] >The following information can only be used to modify sequencer generated configuration files to customize packages to meet specific user or group requirements. @@ -40,7 +40,7 @@ All of the additions, deletions, and updates in the configuration files need to - Deployment Configuration .xml file - Package Manifest -The first item represents what will be read last. Therefore, its content takes precedence. All packages inherently contain and provide default settings from the Package Manifest, but it also has the least precedence. If you apply a Deployment Configuration .xml file with customized settings, it will override the Package Manifest's defaults. If you apply a User Configuration .xml file with customized settings prior to that, it will override both the deployment configuration and the Package Manifest's defaults. +The first item represents what will be read last. Therefore, its content takes precedence. All packages inherently contain and provide default settings from the Package Manifest, but it also has the least precedence. If you apply a Deployment Configuration .xml file with customized settings, it will override the Package Manifest's defaults. If you apply a User Configuration .xml file with customized settings prior to the override of the Package Manifest's defaults, it will override both the deployment configuration and the Package Manifest's defaults. There are two types of configuration files: @@ -72,7 +72,7 @@ The structure of the App-V Dynamic Configuration file is explained in the follow ### Header -The following is an example of a Dynamic User Configuration file's header: +An example of a Dynamic User Configuration file's header is: ```xml @@ -83,7 +83,7 @@ The **PackageId** is the same value that exists in the Manifest file. ### Dynamic User Configuration file body -The Dynamic User Configuration file's body can include all app extension points defined in the Manifest file, as well as information to configure virtual applications. There are four subsections allowed in the body: +The Dynamic User Configuration file's body can include all app extension points defined in the Manifest file, and the information to configure virtual applications. There are four subsections allowed in the body: **Applications**: All app-extensions contained in the Manifest file within a package are assigned with an Application ID, which is also defined in the manifest file. This allows you to enable or disable all the extensions for a given application within a package. The **Application ID** must exist in the Manifest file or it will be ignored. @@ -121,7 +121,7 @@ Extension Subsystems can be enabled and disabled independently of the content.  #### Example 1 -Content will be ignored if the user defined the following in either the dynamic or deployment config file: +Content will be ignored if the user defined the following syntaxes in either the dynamic or deployment config file: ```xml                               @@ -133,7 +133,7 @@ Content will be ignored if the user defined the following in either the dynamic #### Example 2 -Content in the manifest will be integrated during publishing if the user defined only the following: +Content in the manifest will be integrated during publishing if the user defined only the following syntax: ```xml @@ -142,7 +142,7 @@ Content in the manifest will be integrated during publishing if the user defined #### Example 3 -All shortcuts in the manifest will be ignored and no shortcuts will be integrated if the user defines the following: +All shortcuts in the manifest will be ignored and no shortcuts will be integrated if the user defines the following syntaxes: ```xml                             @@ -152,7 +152,7 @@ All shortcuts in the manifest will be ignored and no shortcuts will be integrate ### Supported Extension Subsystems -**Shortcuts**: This controls shortcuts that will be integrated into the local system. The following example has two shortcuts: +**Shortcuts**: This subsystem controls shortcuts that will be integrated into the local system. The following example has two shortcuts: ```xml @@ -190,7 +190,7 @@ All shortcuts in the manifest will be ignored and no shortcuts will be integrate ``` -**File Type Associations**: Associates file types with programs to open by default as well as setup the context menu. (MIME types can also be set up with this subsystem). The following is an example of a FileType association: +**File Type Associations**: Associates file types with programs to open by default and to set up the context menu. (MIME types can also be set up with this subsystem.) An example of a FileType association is: ```xml @@ -256,7 +256,7 @@ All shortcuts in the manifest will be ignored and no shortcuts will be integrate ``` -**URL Protocols**: This controls the URL Protocols integrated into the local registry of the client machine. The following example illustrates the “mailto:” protocol. +**URL Protocols**: This subsystem controls the URL Protocols integrated into the local registry of the client machine. The following example illustrates the “mailto:” protocol. ```xml @@ -394,7 +394,7 @@ In addition to Extensions, the following other subsystems can be enabled/disable #### UserScripts -Scripts can be used to set up or alter the virtual environment and execute scripts on deployment or removal, before an application executes, or they can clean up the environment after the application terminates. Please refer to a sample User Configuration file output by the sequencer to see a sample script. See the [Scripts](appv-dynamic-configuration.md#scripts) section for more information about the various triggers you can use to set up scripts. +Scripts can be used to set up or alter the virtual environment and execute scripts on deployment or removal, before an application executes, or they can clean up the environment after the application terminates. Refer to a sample User Configuration file output by the sequencer to see a sample script. For more information about the various triggers you can use to set up scripts, see the [Scripts](appv-dynamic-configuration.md#scripts) section. ## Dynamic Deployment Configuration file @@ -428,7 +428,7 @@ The body of the deployment configuration file includes two sections: ``` -User Configuration: see [Dynamic User Configuration](#dynamic-user-configuration-file) for more information about this section. +User Configuration: For more information about this section, see [Dynamic User Configuration](#dynamic-user-configuration-file). Machine Configuration: The Machine Configuration section of the Deployment Configuration File configures information that can only be set for an entire machine, not a specific user on the computer, like the HKEY\_LOCAL\_MACHINE registry keys in the Virtual Registry. This element can have the following four subsections. @@ -449,11 +449,11 @@ The following section describes the various subsystems and usage samples. #### Extensions -Some subsystems (Extension Subsystems) control extensions that can only apply to all users. The subsystem is application capabilities. Because this can only apply to all users, the package must be published globally in order for this type of extension to be integrated into the local system. The rules for User Configuration extension controls and settings also apply to the ones in Machine Configuration. +Some subsystems (Extension Subsystems) control extensions that can only apply to all users. The subsystem is application capabilities. Because this subsystem can only apply to all users, the package must be published globally in order for this type of extension to be integrated into the local system. The rules for User Configuration extension controls and settings also apply to the ones in Machine Configuration. #### Application Capabilities -Used by default programs in the Windows OS interface, the Application Capabilities extension allows an application to register itself as capable of opening certain file extensions, as a contender for the Start menu's internet browser slot, and as capable of opening certain Windows MIME types. This extension also makes the virtual application visible in the Set Default Programs UI. +Application Capabilities extension is used by default programs in the Windows OS interface; it allows an application to register itself as capable of opening certain file extensions, as a contender for the Start menu's internet browser slot, and as capable of opening certain Windows MIME types. This extension also makes the virtual application visible in the Set Default Programs UI. ```xml @@ -495,7 +495,7 @@ Used by default programs in the Windows OS interface, the Application Capabiliti You can edit other subsystems in addition to extensions: -- Machine-wide Virtual Registry: use this when you want to set a registry key in the virtual registry within HKEY\_Local\_Machine. +- Machine-wide Virtual Registry: Use this subsystem when you want to set a registry key in the virtual registry within HKEY\_Local\_Machine. ```xml @@ -529,9 +529,9 @@ You can edit other subsystems in addition to extensions: ``` -- MachineScripts: The package can be configured to execute scripts upon deployment, publishing, or removal. To see an example script, please see a sample deployment configuration file generated by the sequencer. The following section provides more information about the various triggers you can use to set up scripts. +- MachineScripts: The package can be configured to execute scripts upon deployment, publishing, or removal. To see an example script, see a sample deployment configuration file generated by the sequencer. The following section provides more information about the various triggers you can use to set up scripts. -- TerminateChildProcess: you can use this to specify that an application executable's child processes will be terminated when the application.exe process is terminated. +- TerminateChildProcess: You can use this subsystem to specify that an application executable's child processes will be terminated when the application.exe process is terminated. ```xml diff --git a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md index bd42de3c84..c70c8402f5 100644 --- a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md @@ -1,6 +1,6 @@ --- title: How to Enable Only Administrators to Publish Packages by Using an ESD (Windows 10/11) -description: Learn how to enable only administrators to publish packages by bsing an electronic software delivery (ESD). +description: Learn how to enable only administrators to publish packages by using an electronic software delivery (ESD). author: greg-lindsay ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy @@ -16,7 +16,7 @@ ms.topic: article [!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] -Starting in App-V 5.0 SP3, you can configure the App-V client so that only administrators (not end users) can publish or unpublish packages. In earlier versions of App-V, you could not prevent end users from performing these tasks. +Starting in App-V 5.0 SP3, you can configure the App-V client so that only administrators (not end users) can publish or unpublish packages. In earlier versions of App-V, you couldn't prevent end users from performing these tasks. Here's how to enable only administrators to publish or unpublish packages: diff --git a/windows/application-management/app-v/appv-getting-started.md b/windows/application-management/app-v/appv-getting-started.md index 0e3c91919c..34166cd72c 100644 --- a/windows/application-management/app-v/appv-getting-started.md +++ b/windows/application-management/app-v/appv-getting-started.md @@ -38,7 +38,7 @@ To start using App-V to deliver virtual applications to users, you’ll need to | Component | What it does | Where to find it | |------------|--|------| -| App-V server components | App-V offers five server components that work together to allow you to host and publish virtual applications, generate usage reports, and manage your App-V environment. For more details, see [Deploying the App-V Server](appv-deploying-the-appv-server.md).

                                If you're already using App-V 5.x, you don't need to redeploy the App-V server components, as they haven't changed since App-V 5.0's release. | The App-V server components are included in the Microsoft Desktop Optimization Pack (MDOP) 2015 ISO package that can be downloaded from the following locations:

                                If you have a Microsoft Developer Network (MSDN) subscription, use the [MSDN (Microsoft Developer Network) subscriptions site](https://msdn.microsoft.com/subscriptions/downloads/default.aspx#FileId=65215) to download the MDOP ISO package.

                                If you're using [Windows client for Enterprise or Education](https://www.microsoft.com/WindowsForBusiness/windows-product-home), download it from the [Volume Licensing Service Center](https://www.microsoft.com/licensing/default.aspx).

                                See [Deploying the App-V Server](appv-deploying-the-appv-server.md) for more information about installing and using the server components.| +| App-V server components | App-V offers five server components that work together to allow you to host and publish virtual applications, generate usage reports, and manage your App-V environment. For more information, see [Deploying the App-V Server](appv-deploying-the-appv-server.md).

                                If you're already using App-V 5.x, you don't need to redeploy the App-V server components, as they haven't changed since App-V 5.0's release. | The App-V server components are included in the Microsoft Desktop Optimization Pack (MDOP) 2015 ISO package that can be downloaded from the following locations:

                                If you have a Microsoft Developer Network (MSDN) subscription, use the [MSDN (Microsoft Developer Network) subscriptions site](https://msdn.microsoft.com/subscriptions/downloads/default.aspx#FileId=65215) to download the MDOP ISO package.

                                If you're using [Windows client for Enterprise or Education](https://www.microsoft.com/WindowsForBusiness/windows-product-home), download it from the [Volume Licensing Service Center](https://www.microsoft.com/licensing/default.aspx).

                                For more information about installing and using the server components, see [Deploying the App-V Server](appv-deploying-the-appv-server.md).| | App-V client and App-V Remote Desktop Services (RDS) client | The App-V client is the component that runs virtualized applications on user devices, allowing users to interact with icons and file names to start virtualized applications. | Starting with Windows 10 version 1607, the App-V client is automatically installed.

                                To learn how to enable the client, see [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md). | | App-V sequencer | Use the App-V sequencer to convert Win32 applications into virtual packages for deployment to user devices. Devices must run the App-V client to allow users to interact with virtual applications. | Installed with the [Windows Assessment and Deployment kit (ADK) for Windows client](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). | @@ -48,7 +48,7 @@ If you're new to App-V, it's a good idea to read the documentation thoroughly. B ## Getting started with App-V -[What's new in App-V](appv-about-appv.md) provides a high-level overview of App-V and how it can be used in your organization. +[What's new in App-V](appv-about-appv.md) provides a high-level overview of App-V and how it can be used in your organization? [Evaluating App-V](appv-evaluating-appv.md) provides information about how you can best evaluate App-V for use in your organization. diff --git a/windows/application-management/app-v/appv-high-level-architecture.md b/windows/application-management/app-v/appv-high-level-architecture.md index 62ec6658b4..d5e912f8c3 100644 --- a/windows/application-management/app-v/appv-high-level-architecture.md +++ b/windows/application-management/app-v/appv-high-level-architecture.md @@ -24,9 +24,9 @@ A typical App-V implementation consists of the following elements. |Element|Description| |---|---| -|App-V Management server|The App-V Management server provides overall management functionality for the App-V infrastructure. Additionally, you can install more than one instance of the management server in your environment which provides the following benefits:
                                **Fault tolerance and high availability**—installing and configuring the App-V Management server on two separate computers can help in situations when one of the servers is unavailable or offline. You can also help increase App-V availability by installing the Management server on multiple computers. In this scenario, consider using a network load balancer to keep server requests balanced.
                                **Scalability**—you can add additional management servers as necessary to support a high load. For example, you can install multiple servers behind a load balancer.| -|App-V Publishing Server|The App-V publishing server provides functionality for virtual application hosting and streaming. The publishing server does not require a database connection and supports HTTP and HTTPS protocols.
                                You can also help increase App-V availability by installing the Publishing server on multiple computers. You should also consider having a network load balancer to keep server requests balanced.| -|App-V Reporting Server|The App-V Reporting server lets authorized users run and view existing App-V reports and ad hoc reports for managing App-V infrastructure. The Reporting server requires a connection to the App-V reporting database. You can also help increase App-V availability by installing the Reporting server on multiple computers. You should also consider having a network load balancer to keep server requests balanced.| +|App-V Management server|The App-V Management server provides overall management functionality for the App-V infrastructure. Additionally, you can install more than one instance of the management server in your environment, which provides the following benefits:
                                **Fault tolerance and high availability**—installing and configuring the App-V Management server on two separate computers can help in situations when one of the servers is unavailable or offline. You can also help increase App-V availability by installing the Management server on multiple computers. In this scenario, consider using a network load balancer to keep server requests balanced.
                                **Scalability**—you can add more management servers as necessary to support a high load. For example, you can install multiple servers behind a load balancer.| +|App-V Publishing Server|The App-V publishing server provides functionality for virtual application hosting and streaming. The publishing server doesn't require a database connection and supports HTTP and HTTPS protocols.
                                You can also help increase App-V availability by installing the Publishing server on multiple computers. You should also consider having a network load balancer to keep server requests balanced.| +|App-V Reporting Server|The App-V Reporting server lets authorized users run and view existing App-V reports and unplanned reports for managing App-V infrastructure. The Reporting server requires a connection to the App-V reporting database. You can also help increase App-V availability by installing the Reporting server on multiple computers. You should also consider having a network load balancer to keep server requests balanced.| |App-V Client|The App-V client enables packages created using App-V to run on target computers.| >[!NOTE] diff --git a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md index 446fb2362d..660296e5a7 100644 --- a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md +++ b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md @@ -22,7 +22,7 @@ Use the following Windows PowerShell procedure to convert any number of Active D Before attempting this procedure, you should read and understand the information and examples displayed in the following list: -- **.INPUTS** – The account or accounts used to convert to SID format. This can be a single account name or an array of account names. +- **.INPUTS** – The account or accounts used to convert to SID format. This item can be a single account name or an array of account names. - **.OUTPUTS** - A list of account names with the corresponding SID in standard and hexadecimal formats. @@ -129,7 +129,7 @@ Before attempting this procedure, you should read and understand the information } ``` -3. Run the script you saved in step one of this procedure passing the accounts to convert as arguments. +3. Run the script you saved in Step 1 of this procedure passing the accounts to convert as arguments. For example, diff --git a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md index ab5b11444d..a9993ec010 100644 --- a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md +++ b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md @@ -49,7 +49,7 @@ This topic explains the following procedures: Enable-AppvClientConnectionGroup –name "Financial Applications" - When any virtual applications that are in the member packages are run on the target computer, they will run inside the connection group’s virtual environment and will be available to all the virtual applications in the other packages in the connection group. + When any virtual applications that are in the member packages are run on the target computer, they'll run inside the connection group’s virtual environment and will be available to all the virtual applications in the other packages in the connection group. ## To enable or disable a connection group for a specific user diff --git a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md index 7d268f0f29..9469a8ea6a 100644 --- a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md +++ b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md @@ -28,7 +28,7 @@ You can also use the `–OSDsToIncludeInPackage` parameter with the `ConvertFrom |New in App-V for Windows client|Prior to App-V for Windows 10| |--- |--- | -|New .xml files are created corresponding to the .osd files associated with a package; these files include the following information:

                              • environment variables
                              • shortcuts
                              • file type associations
                              • registry information
                              • scripts

                                You can now choose to add information from a subset of the .osd files in the source directory to the package using the -OSDsToIncludeInPackage parameter.|Registry information and scripts included in .osd files associated with a package were not included in package converter output.

                                The package converter would populate the new package with information from all of the .osd files in the source directory.| +|New .xml files are created corresponding to the .osd files associated with a package; these files include the following information:
                              • environment variables
                              • shortcuts
                              • file type associations
                              • registry information
                              • scripts

                                You can now choose to add information from a subset of the .osd files in the source directory to the package using the -OSDsToIncludeInPackage parameter.|Registry information and scripts included in .osd files associated with a package weren't included in package converter output.

                                The package converter would populate the new package with information from all of the .osd files in the source directory.| ### Example conversion statement @@ -79,7 +79,7 @@ ConvertFrom-AppvLegacyPackage –SourcePath \\OldPkgStore\ContosoApp\ |These Source directory files…|…are converted to these Destination directory files…|…and will contain these items|Description| |--- |--- |--- |--- | |
                              • X.osd
                              • Y.osd
                              • Z.osd|
                              • X_Config.xml
                              • Y_Config.xml
                              • Z_Config.xml|
                              • Environment variables:
                              • Shortcuts
                              • File type associations
                              • Registry information
                              • Scripts|Each .osd file is converted to a separate, corresponding .xml file that contains the items listed here in App-V deployment configuration format. These items can then be copied from these .xml files and placed in the deployment configuration or user configuration files as desired.
                                In this example, there are three .xml files, corresponding with the three .osd files in the source directory. Each .xml file contains the environment variables, shortcuts, file type associations, registry information, and scripts in its corresponding .osd file.| -|
                              • X.osd
                              • Y.osd|
                              • ContosoApp.appv
                              • ContosoApp_DeploymentConfig.xml
                              • ContosoApp_UserConfig.xml|
                              • Environment variables
                              • Shortcuts
                              • File type associations|The information from the .osd files specified in the -OSDsToIncludeInPackage parameter are converted and placed inside the package. The converter then populates the deployment configuration file and the user configuration file with the contents of the package, just as App-V Sequencer does when sequencing a new package.
                                In this example, environment variables, shortcuts, and file type associations included in X.osd and Y.osd were converted and placed in the App-V package, and some of this information was also included in the deployment configuration and user configuration files. X.osd and Y.osd were used because they were included as arguments to the -OSDsToIncludeInPackage parameter. No information from Z.osd was included in the package, because it was not included as one of these arguments.| +|
                              • X.osd
                              • Y.osd|
                              • ContosoApp.appv
                              • ContosoApp_DeploymentConfig.xml
                              • ContosoApp_UserConfig.xml|
                              • Environment variables
                              • Shortcuts
                              • File type associations|The information from the .osd files specified in the -OSDsToIncludeInPackage parameter is converted and placed inside the package. The converter then populates the deployment configuration file and the user configuration file with the contents of the package, just as App-V Sequencer does when sequencing a new package.
                                In this example, environment variables, shortcuts, and file type associations included in X.osd and Y.osd were converted and placed in the App-V package, and some of this information was also included in the deployment configuration and user configuration files. X.osd and Y.osd were used because they were included as arguments to the -OSDsToIncludeInPackage parameter. No information from Z.osd was included in the package, because it wasn't included as one of these arguments.| ## Converting packages created using a prior version of App-V @@ -96,23 +96,23 @@ After you convert an existing package you should test the package prior to deplo |Issue|Workaround| |--- |--- | -|Virtual packages using DSC are not linked after conversion.|Link the packages using connection groups. See [Managing Connection Groups](appv-managing-connection-groups.md).| +|Virtual packages using DSC aren't linked after conversion.|Link the packages using connection groups. See [Managing Connection Groups](appv-managing-connection-groups.md).| |Environment variable conflicts are detected during conversion.|Resolve any conflicts in the associated **.osd** file.| -|Hard-coded paths are detected during conversion.|Hard-coded paths are difficult to convert correctly. The package converter will detect and return packages with files that contain hard-coded paths. View the file with the hard-coded path, and determine whether the package requires the file. If so, it is recommended to re-sequence the package.| +|Hard-coded paths are detected during conversion.|Hard-coded paths are difficult to convert correctly. The package converter will detect and return packages with files that contain hard-coded paths. View the file with the hard-coded path, and determine whether the package requires the file. If so, it's recommended to re-sequence the package.| When converting a package check for failing files or shortcuts, locate the item in App-V 4.6 package. It could possibly be a hard-coded path. Convert the path. **Note**   -It is recommended that you use the App-V sequencer for converting critical applications or applications that need to take advantage of features. See [How to Sequence a New Application with App-V](appv-sequence-a-new-application.md). +It's recommended that you use the App-V sequencer for converting critical applications or applications that need to take advantage of features. See [How to Sequence a New Application with App-V](appv-sequence-a-new-application.md). -If a converted package does not open after you convert it, it is also recommended that you re-sequence the application using the App-V sequencer. +If a converted package doesn't open after you convert it, it's also recommended that you resequence the application using the App-V sequencer. [How to Convert a Package Created in a Previous Version of App-V](appv-convert-a-package-created-in-a-previous-version-of-appv.md) ## Migrating the App-V Server Full Infrastructure -There is no direct method to upgrade to a full App-V infrastructure. Use the information in the following section for information about upgrading the App-V server. +There's no direct method to upgrade to a full App-V infrastructure. Use the information in the following section for information about upgrading the App-V server. |Task|More Information| |--- |--- | diff --git a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md index 69acd8e60e..9e3df713ad 100644 --- a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md +++ b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md @@ -48,11 +48,11 @@ This topic explains how to: 5. On the **Prepare Computer** page, review the issues that could cause the application update to fail or cause the updated application to contain unnecessary data. Resolve all potential issues before you continue. After making any corrections and resolving all potential issues, click **Refresh** > **Next**. **Important**   - If you are required to disable virus scanning software, first scan the computer that runs the sequencer to ensure that no unwanted or malicious files are added to the package. + If you're required to disable virus scanning software, first scan the computer that runs the sequencer to ensure that no unwanted or malicious files are added to the package. -6. On the **Select Installer** page, click **Browse** and specify the update installation file for the application. If the update does not have an associated installer file, and if you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**. +6. On the **Select Installer** page, click **Browse** and specify the update installation file for the application. If the update doesn't have an associated installer file, and if you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**. -7. On the **Installation** page, when the sequencer and application installer are ready you can proceed to install the application update so the sequencer can monitor the installation process. If additional installation files must be run as part of the installation, click **Run**, and then locate and run the additional installation files. When you are finished with the installation, select **I am finished installing**. Click **Next**. +7. On the **Installation** page, when the sequencer and application installer are ready you can proceed to install the application update so the sequencer can monitor the installation process. If additional installation files must be run as part of the installation, click **Run**, and then locate and run the additional installation files. When you're finished with the installation, select **I am finished installing**. Click **Next**. >**Note**  The sequencer monitors all changes and installations that occur on the computer that runs the sequencer. This includes any changes and installations that are performed outside of the sequencing wizard. @@ -62,7 +62,7 @@ This topic explains how to: >**Note**  You can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop**, and then select either **Stop all applications** or **Stop this application only**. -10. On the **Create Package** page, to modify the package without saving it, select the check box for **Continue to modify package without saving using the package editor**. When you select this option, the package opens in the App-V Sequencer console, where you can modify the package before it is saved. Click **Next**. +10. On the **Create Package** page, to modify the package without saving it, select the check box for **Continue to modify package without saving using the package editor**. When you select this option, the package opens in the App-V Sequencer console, where you can modify the package before it's saved. Click **Next**. To save the package immediately, select the default **Save the package now**. Add optional **Comments** to associate with the package. Comments are useful to identify the application version and provide other information about the package. The default **Save Location** is also displayed. To change the default location, click **Browse** and specify the new location. Click **Create**. @@ -97,7 +97,7 @@ This topic explains how to: - Edit registry settings. - - Review additional package settings (except operating system file properties). + - Review the extra package settings (except operating system file properties). - Set virtualized registry key state (override or merge). @@ -117,15 +117,15 @@ This topic explains how to: 3. On the **Select Task** page, click **Add New Application** > **Next**. -4. On the **Select Package** page, click **Browse** to locate the virtual application package to which you will add the application, and then click **Next**. +4. On the **Select Package** page, click **Browse** to locate the virtual application package to which you'll add the application, and then click **Next**. 5. On the **Prepare Computer** page, review the issues that could cause the package creation to fail or cause the revised package to contain unnecessary data. Resolve all potential issues before you continue. After making any corrections and resolving all potential issues, click **Refresh** > **Next**. - >**Important**  If you are required to disable virus scanning software, first scan the computer that runs the sequencer to ensure that no unwanted or malicious files can be added to the package. + >**Important**  If you're required to disable virus scanning software, first scan the computer that runs the sequencer to ensure that no unwanted or malicious files can be added to the package. -6. On the **Select Installer** page, click **Browse** and specify the installation file for the application. If the application does not have an associated installer file and you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**. +6. On the **Select Installer** page, click **Browse** and specify the installation file for the application. If the application doesn't have an associated installer file and you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**. -7. On the **Installation** page, when the sequencer and application installer are ready, install the application so that the sequencer can monitor the installation process. If additional installation files must be run as part of the installation, click **Run**, and locate and run the additional installation files. When you finish the installation, select **I am finished installing** > **Next**. In the **Browse for Folder** dialog box, specify the primary directory where the application will be installed. Ensure that this is a new location so that you don’t overwrite the existing version of the virtual application package. +7. On the **Installation** page, when the sequencer and application installer are ready, install the application so that the sequencer can monitor the installation process. If more installation files must be run as part of the installation, click **Run**, and locate and run those installation files. When you finish the installation, select **I am finished installing** > **Next**. In the **Browse for Folder** dialog box, specify the primary directory where the application will be installed. Ensure that this directory is a new location so that you don’t overwrite the existing version of the virtual application package. >**Note**  The sequencer monitors all changes and installations that occur on the computer that runs the sequencer. This includes any changes and installations that are performed outside of the sequencing wizard. @@ -133,9 +133,9 @@ This topic explains how to: 9. On the **Installation Report** page, you can review information about the updated virtual application. In **Additional Information**, double-click the event to obtain more detailed information, and then click **Next** to open the **Customize** page. -10. If you are finished installing and configuring the virtual application, select **Stop now** and skip to step 13 of this procedure. If you want to perform the following described customization, click **Customize**. +10. If you're finished installing and configuring the virtual application, select **Stop now** and skip to step 13 of this procedure. If you want to perform the following described customization, click **Customize**. - If you are customizing, prepare the virtual package for streaming, and then click **Next**. Streaming improves the experience when the virtual application package is run on target computers. + If you're customizing, prepare the virtual package for streaming, and then click **Next**. Streaming improves the experience when the virtual application package is run on target computers. 11. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. It can take several minutes for all the applications to run. After all applications have run, close each of the applications, and then click **Next**. diff --git a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md index e3bd963ee4..489ce1f4de 100644 --- a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md +++ b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md @@ -25,9 +25,9 @@ Use the following information to create a new management server console in your Follow these steps to create a new management server console: -1. Install the management server on a computer in your environment. For more information about installing the management server see [Deploying the App-V server](appv-deploying-the-appv-server.md). +1. Install the management server on a computer in your environment. For more information about installing the management server, see [Deploying the App-V server](appv-deploying-the-appv-server.md). -2. After you have completed the installation, use the following link to connect it to the App-V database - [How to install the Management Server on a Standalone Computer and Connect it to the Database](appv-install-the-management-server-on-a-standalone-computer.md). +2. After you've completed the installation, use the following link to connect it to the App-V database - [How to install the Management Server on a Standalone Computer and Connect it to the Database](appv-install-the-management-server-on-a-standalone-computer.md). diff --git a/windows/application-management/app-v/appv-operations.md b/windows/application-management/app-v/appv-operations.md index 08dba24e7a..9d814b3850 100644 --- a/windows/application-management/app-v/appv-operations.md +++ b/windows/application-management/app-v/appv-operations.md @@ -34,7 +34,7 @@ This section of the Microsoft Application Virtualization (App-V) Administrator Describes how to deploy App-V packages by using an ESD. - [Using the App-V Client Management Console](appv-using-the-client-management-console.md) - Describes how perform client configuration tasks using the client management console. + Describes how to perform client configuration tasks using the client management console. - [Migrating to App-V from a Previous Version](appv-migrating-to-appv-from-a-previous-version.md) Provides instructions for migrating to App-V from a previous version. diff --git a/windows/application-management/app-v/appv-performance-guidance.md b/windows/application-management/app-v/appv-performance-guidance.md index 2431493b6c..b6c6e81372 100644 --- a/windows/application-management/app-v/appv-performance-guidance.md +++ b/windows/application-management/app-v/appv-performance-guidance.md @@ -44,15 +44,15 @@ To help determine what information is relevant to your environment, you should r ## App-V in stateful\* non-persistent deployments -This section provides information about an approach that helps ensure a user will have access to all virtual applications within seconds after logging in. This is achieved by uniquely addressing the often long-running App-V publishing refresh. As you will discover the basis of the approach, the fastest publishing refresh, is one that doesn’t have to actually do anything. Many conditions must be met and steps followed to provide the optimal user experience. +This section provides information about an approach that helps ensure a user will have access to all virtual applications within seconds after logging in. This access is achieved by uniquely addressing the often long-running App-V publishing refresh. As you'll discover the basis of the approach, the fastest publishing refresh, is one that doesn’t have to actually do anything. Many conditions must be met and steps followed to provide the optimal user experience. Use the information in the following section for more information: -[Usage Scenarios](#bkmk-us) - As you review the two scenarios, keep in mind that these are the approach extremes. Based on your usage requirements, you may choose to apply these steps to a subset of users and/or virtual applications packages. +[Usage Scenarios](#bkmk-us) - As you review the two scenarios, keep in mind that these scenarios are the approach extremes. Based on your usage requirements, you may choose to apply these steps to a subset of users and/or virtual applications packages. - Optimized for Performance – To provide the optimal experience, you can expect the base image to include some of the App-V virtual application package. This and other requirements are discussed. -- Optimized for Storage – If you are concerned with the storage impact, following this scenario will help address those concerns. +- Optimized for Storage – If you're concerned with the storage impact, following this scenario will help address those concerns. [Preparing your Environment](#bkmk-pe) @@ -62,9 +62,9 @@ Use the information in the following section for more information: [User Experience Walk-through](#bkmk-uewt) -- Walk-through – This is a step-by-step walk-through of the App-V and UE-V operations and the expectations users should have. +- Walk-through – It is a step-by-step walk-through of the App-V and UE-V operations and the expectations users should have. -- Outcome – This describes the expected results. +- Outcome – It describes the expected results. [Impact to Package Lifecycle](#bkmk-plc) @@ -89,13 +89,13 @@ Use the information in the following section for more information: ### Usage Scenarios -As you review the two scenarios, keep in mind that these approach the extremes. Based on your usage requirements, you may choose to apply these steps to a subset of users, virtual application packages, or both. +As you review the two scenarios, keep in mind that these scenarios represent the extremes. Based on your usage requirements, you may choose to apply these steps to a subset of users, virtual application packages, or both. - **Performance**: To provide the most optimal user experience, this approach uses the capabilities of a UPM solution and requires extra image preparation and can incur some more image management overhead. The following describes many performance improvements in stateful non-persistent deployments. For more information, see [Sequencing Steps to Optimize Packages for Publishing Performance](#sequencing-steps-to-optimize-packages-for-publishing-performance) (in this article). -- **Storage**: The general expectations of the previous scenario still apply here. However, keep in mind that VM images are typically stored in costly arrays; a slight alteration has been made to the approach. Do not pre-configure user-targeted virtual application packages in the base image. +- **Storage**: The general expectations of the previous scenario still apply here. However, keep in mind that VM images are typically stored in costly arrays; a slight alteration has been made to the approach. Don't pre-configure user-targeted virtual application packages in the base image. The impact of this alteration is detailed in the [User Experience Walk-through](#bkmk-uewt) (in this article). @@ -137,14 +137,14 @@ The following information displays the required steps to prepare the base image For critical App-V Client configurations and for a little more context and how-to, review the following configuration settings: -- **Shared Content Store (SCS) Mode**: When running the shared content store only publishing data is maintained on hard disk; other virtual application assets are maintained in memory (RAM). This helps to conserve local storage and minimize disk I/O per second (IOPS). +- **Shared Content Store (SCS) Mode**: When running the shared content store, only publishing data is maintained on hard disk; other virtual application assets are maintained in memory (RAM). Such a result helps to conserve local storage and minimize disk I/O per second (IOPS). This setting is recommended when low-latency connections are available between the App-V Client endpoint and the SCS content server, SAN. - Configurable in Windows PowerShell: `Set-AppvClientConfiguration -SharedContentStoreMode 1` - Configurable with Group Policy: See [Deploying the App-V Sequencer and Configuring the Client](appv-deploying-the-appv-sequencer-and-client.md). -- **PreserveUserIntegrationsOnLogin**: If you have not pre-configured (**Add-AppvClientPackage**) a specific package and this setting is not configured, the App-V Client will de-integrate* the persisted user integrations, then reintegrate*. +- **PreserveUserIntegrationsOnLogin**: If you have not pre-configured (**Add-AppvClientPackage**) a specific package and this setting isn't configured, the App-V Client will de-integrate* the persisted user integrations, then reintegrate*. For every package that meets the above conditions, effectively twice the work will be done during publishing/refresh. @@ -158,11 +158,11 @@ For critical App-V Client configurations and for a little more context and how-t Limiting the number of concurrent publishing refreshes prevents excessive CPU usage that could impact computer performance. This limit is recommended in an RDS environment, where multiple users can log in to the same computer at the same time and perform a publishing refresh sync. - If the concurrent publishing refresh threshold is reached, the time required to publish new applications and make them available to end users after they log in could take an indeterminate amount of time. + If the concurrent publishing refresh threshold is reached, the time required to publish new applications and make them available to end users after they sign in could take an indeterminate amount of time. - Configure in the Registry under `HKEY_LOCAL_MACHINE\Software\Microsoft\AppV\Client\Publishing`. - Create the DWORD value **MaxConcurrentPublishingrefresh** with the desired maximum number of concurrent publishing refreshes. - - The App-V client service and computer do not need to be restarted. + - The App-V client service and computer don't need to be restarted. ### Configure UE-V solution for App-V Approach @@ -179,7 +179,7 @@ In essence all that is required is to enable the UE-V service and download the f > [!Note] > Without performing an additional configuration step, User Environment Virtualization (UE-V) will not be able to synchronize the Start menu shortcuts (.lnk files) on the target computer. The .lnk file type is excluded by default. -UE-V will only support removing the .lnk file type from the exclusion list in the RDS and VDI scenarios, where every user’s device will have the same set of applications installed to the same location and every .lnk file is valid for all the users’ devices. For example, UE-V would not currently support the following two scenarios, because the net result will be that the shortcut will be valid on one but not all devices. +UE-V will only support removing the .lnk file type from the exclusion list in the RDS and VDI scenarios, where every user’s device will have the same set of applications installed to the same location and every .lnk file is valid for all the users’ devices. For example, UE-V wouldn't currently support the following two scenarios, because the net result will be that the shortcut will be valid on one but not all devices. - If a user has an application installed on one device with .lnk files enabled and the same native application installed on another device to a different installation root with .lnk files enabled. @@ -196,11 +196,11 @@ The expectation in a stateful environment is that a UPM solution is implemented The requirements for the UPM solution are as follows. -To enable an optimized login experience, for example the App-V approach for the user, the solution must be capable of: +To enable an optimized sign-in experience, for example the App-V approach for the user, the solution must be capable of: - Persisting the below user integrations as part of the user profile/persona. -- Triggering a user profile sync on login (or application start), which can guarantee that all user integrations are applied before publishing/refresh begin, or, +- Triggering a user profile sync on sign in (or application start), which can guarantee that all user integrations are applied before publishing/refresh begin, or, - Attaching and detaching a user profile disk (UPD) or similar technology that contains the user integrations. @@ -210,9 +210,9 @@ To enable an optimized login experience, for example the App-V approach for the > > App-V packages are not supported when using UPD with selected folders stored in the user profile disk. The Copy on Write driver does not handle UPD selected folders. -- Capturing changes to the locations, which constitute the user integrations, prior to session logoff. +- Capturing changes to the locations, which constitute the user integrations, prior to session sign out. -With App-V when you add a publishing server (**Add-AppvPublishingServer**) you can configure synchronization, for example refresh during log on and/or after a specified refresh interval. In both cases a scheduled task is created. +With App-V when you add a publishing server (**Add-AppvPublishingServer**) you can configure synchronization, for example refresh during log on and/or after a specified refresh interval. In both cases, a scheduled task is created. In previous versions of App-V, both scheduled tasks were configured using a VBScript that would initiate the user and global refresh. Starting with Hotfix Package 4 for Application Virtualization 5.0 SP2 the user refresh on log on was initiated by **SyncAppvPublishingServer.exe**. This change was introduced to provide UPM solutions a trigger process. This process delays the publish /refresh to allow the UPM solution to apply the user integrations. It will exit once the publishing/refresh is complete. @@ -248,12 +248,12 @@ Registry – HKEY\_CURRENT\_USER ### User Experience Walk-through -This following is a step-by-step walk-through of the App-V and UPM operations and the expectations users should expect. +This following process is a step-by-step walk-through of the App-V and UPM operations, and the users' expectations. - **Performance**: After implementing this approach in the VDI/RDSH environment, on first login, - (Operation) A user-publishing/refresh is initiated. - (Expectation) If this is the first time a user has published virtual applications (e.g. non-persistent), this will take the usual duration of a publishing/refresh. + (Expectation) If it's the first time that a user has published virtual applications (for example, non-persistent), this will take the usual duration of a publishing/refresh. - (Operation) After the publishing/refresh, the UPM solution captures the user integrations. @@ -286,7 +286,7 @@ This following is a step-by-step walk-through of the App-V and UPM operations an (Expectation): - - If this is the first time a user has published virtual applications (e.g., non-persistent), this will take the usual duration of a publishing/refresh. + - If this is the first time a user has published virtual applications (for example, non-persistent), this will take the usual duration of a publishing/refresh. - First and subsequent logins will be impacted by pre-configuring of packages (add/refresh). - (Operation) After the publishing/refresh, the UPM solution captures the user integrations. @@ -316,7 +316,7 @@ App-V 5.0 SP2 introduced the concept of pending states. In the past, - Now, if a package is in-use the operation will be pended. The un-publish and publish-pend operations will be processed on service restart or if another publish or un-publish command is issued. In the latter case, if the virtual application is in-use otherwise, the virtual application will remain in a pending state. For globally published packages, a restart (or service restart) often needed. -In a non-persistent environment, it is unlikely these pended operations will be processed. The pended operations, for example tasks are captured under **HKEY\_CURRENT\_USER** \\ **Software** \\ **Microsoft** \\ **AppV** \\ **Client** \\ **PendingTasks**. Although this location is persisted by the UPM solution, if it is not applied to the environment prior to log on, it will not be processed. +In a non-persistent environment, it is unlikely these pended operations will be processed. The pended operations, for example tasks are captured under **HKEY\_CURRENT\_USER** \\ **Software** \\ **Microsoft** \\ **AppV** \\ **Client** \\ **PendingTasks**. Although this location is persisted by the UPM solution, if it isn't applied to the environment prior to log on, it will not be processed. ### Enhancing the VDI Experience through Performance Optimization Tuning @@ -374,7 +374,7 @@ Removing FB1 does not require the original application installer. After completi 1. Complete the sequencing steps up to Customize -> Streaming. -2. At the Streaming step, do not select **Optimize the package for deployment over slow or unreliable network**. +2. At the Streaming step, don't select **Optimize the package for deployment over slow or unreliable network**. 3. If desired, move on to **Target OS**. @@ -382,7 +382,7 @@ Removing FB1 does not require the original application installer. After completi 1. Complete the sequencing steps up to Streaming. -2. Do not select **Optimize the package for deployment over a slow or unreliable network**. +2. Don't select **Optimize the package for deployment over a slow or unreliable network**. 3. Move to **Create Package**. @@ -405,7 +405,7 @@ Removing FB1 does not require the original application installer. After completi |Step|Considerations|Benefits|Tradeoffs| |--- |--- |--- |--- | -|No SXS Install at Publish (Pre-Install SxS assemblies)|Virtual Application packages do not need to be re-sequenced. SxS Assemblies can remain in the virtual application package.|The SxS Assembly dependencies will not install at publishing time.|SxS Assembly dependencies must be pre-installed.| +|No SXS Install at Publish (Pre-Install SxS assemblies)|Virtual Application packages don't need to be re-sequenced. SxS Assemblies can remain in the virtual application package.|The SxS Assembly dependencies will not install at publishing time.|SxS Assembly dependencies must be pre-installed.| ### Creating a new virtual application package on the sequencer @@ -427,7 +427,7 @@ When publishing a virtual application package, the App-V Client will detect if a **-DynamicDeploymentConfiguration** parameter -- Similarly, when adding new packages using `Add-AppVClientPackage –Path c:\Packages\Apps\MyApp.appv`, do not use the +- Similarly, when adding new packages using `Add-AppVClientPackage –Path c:\Packages\Apps\MyApp.appv`, don't use the **-DynamicDeploymentConfiguration** parameter. From ad71e1d1b77a6dd45bb87041dd84819bfff98fde Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 18 Feb 2022 20:52:04 +0530 Subject: [PATCH 36/68] updates --- .../app-v/appv-performance-guidance.md | 74 +++++++++---------- ...v-planning-folder-redirection-with-appv.md | 8 +- ...lanning-for-high-availability-with-appv.md | 6 +- ...ppv-planning-for-using-appv-with-office.md | 18 ++--- ...ctronic-software-distribution-solutions.md | 4 +- .../app-v/appv-planning-to-deploy-appv.md | 2 +- .../app-v/appv-reporting.md | 26 +++---- ...plications-inside-a-virtual-environment.md | 12 +-- .../app-v/appv-security-considerations.md | 14 ++-- .../app-v/appv-supported-configurations.md | 10 +-- ...f-a-package-with-the-management-console.md | 4 +- ...enterprise-background-activity-controls.md | 12 +-- .../sideload-apps-in-windows-10.md | 2 +- .../svchost-service-refactoring.md | 12 +-- 14 files changed, 102 insertions(+), 102 deletions(-) diff --git a/windows/application-management/app-v/appv-performance-guidance.md b/windows/application-management/app-v/appv-performance-guidance.md index b6c6e81372..941152b2cc 100644 --- a/windows/application-management/app-v/appv-performance-guidance.md +++ b/windows/application-management/app-v/appv-performance-guidance.md @@ -62,7 +62,7 @@ Use the information in the following section for more information: [User Experience Walk-through](#bkmk-uewt) -- Walk-through – It is a step-by-step walk-through of the App-V and UE-V operations and the expectations users should have. +- Walk-through – It's a step-by-step walk-through of the App-V and UE-V operations and the expectations users should have. - Outcome – It describes the expected results. @@ -93,7 +93,7 @@ As you review the two scenarios, keep in mind that these scenarios represent the - **Performance**: To provide the most optimal user experience, this approach uses the capabilities of a UPM solution and requires extra image preparation and can incur some more image management overhead. - The following describes many performance improvements in stateful non-persistent deployments. For more information, see [Sequencing Steps to Optimize Packages for Publishing Performance](#sequencing-steps-to-optimize-packages-for-publishing-performance) (in this article). + The following section describes many performance improvements in stateful non-persistent deployments. For more information, see [Sequencing Steps to Optimize Packages for Publishing Performance](#sequencing-steps-to-optimize-packages-for-publishing-performance) (in this article). - **Storage**: The general expectations of the previous scenario still apply here. However, keep in mind that VM images are typically stored in costly arrays; a slight alteration has been made to the approach. Don't pre-configure user-targeted virtual application packages in the base image. @@ -156,7 +156,7 @@ For critical App-V Client configurations and for a little more context and how-t - **MaxConcurrentPublishingRefresh**: This setting determines the number of users that can perform a publishing refresh/sync at the same time. The default setting is no limit. - Limiting the number of concurrent publishing refreshes prevents excessive CPU usage that could impact computer performance. This limit is recommended in an RDS environment, where multiple users can log in to the same computer at the same time and perform a publishing refresh sync. + Limiting the number of concurrent publishing refreshes prevents excessive CPU usage that could impact computer performance. This limit is recommended in an RDS environment, where multiple users can log in to the same computer at the same time and perform a publishing refresh sync. If the concurrent publishing refresh threshold is reached, the time required to publish new applications and make them available to end users after they sign in could take an indeterminate amount of time. @@ -177,7 +177,7 @@ For more information, see: In essence all that is required is to enable the UE-V service and download the following Microsoft authored App-V settings template from the [Microsoft User Experience Virtualization (UE-V) template gallery](https://gallery.technet.microsoft.com/Authored-UE-V-Settings-bb442a33). Register the template. For more information about UE-V templates, see [User Experience Virtualization (UE-V) for Windows client overview](/windows/configuration/ue-v/uev-for-windows). > [!Note] -> Without performing an additional configuration step, User Environment Virtualization (UE-V) will not be able to synchronize the Start menu shortcuts (.lnk files) on the target computer. The .lnk file type is excluded by default. +> Without performing an additional configuration step, User Environment Virtualization (UE-V) won't be able to synchronize the Start menu shortcuts (.lnk files) on the target computer. The .lnk file type is excluded by default. UE-V will only support removing the .lnk file type from the exclusion list in the RDS and VDI scenarios, where every user’s device will have the same set of applications installed to the same location and every .lnk file is valid for all the users’ devices. For example, UE-V wouldn't currently support the following two scenarios, because the net result will be that the shortcut will be valid on one but not all devices. @@ -208,13 +208,13 @@ To enable an optimized sign-in experience, for example the App-V approach for th > > App-V is supported when using UPD only when the entire profile is stored on the user profile disk. > - > App-V packages are not supported when using UPD with selected folders stored in the user profile disk. The Copy on Write driver does not handle UPD selected folders. + > App-V packages are not supported when using UPD with selected folders stored in the user profile disk. The Copy on Write driver doesn't handle UPD selected folders. - Capturing changes to the locations, which constitute the user integrations, prior to session sign out. -With App-V when you add a publishing server (**Add-AppvPublishingServer**) you can configure synchronization, for example refresh during log on and/or after a specified refresh interval. In both cases, a scheduled task is created. +With App-V when you add a publishing server (**Add-AppvPublishingServer**) you can configure synchronization, for example refresh during a sign in and/or after a specified refresh interval. In both cases, a scheduled task is created. -In previous versions of App-V, both scheduled tasks were configured using a VBScript that would initiate the user and global refresh. Starting with Hotfix Package 4 for Application Virtualization 5.0 SP2 the user refresh on log on was initiated by **SyncAppvPublishingServer.exe**. This change was introduced to provide UPM solutions a trigger process. This process delays the publish /refresh to allow the UPM solution to apply the user integrations. It will exit once the publishing/refresh is complete. +In previous versions of App-V, both scheduled tasks were configured using a VBScript that would initiate the user and global refresh. Starting with Hotfix Package 4 for Application Virtualization 5.0 SP2, the user refresh on a sign in was initiated by **SyncAppvPublishingServer.exe**. This change was introduced to provide UPM solutions a trigger process. This process delays the publish /refresh to allow the UPM solution to apply the user integrations. It will exit once the publishing/refresh is complete. ### User Integrations @@ -253,32 +253,32 @@ This following process is a step-by-step walk-through of the App-V and UPM opera - **Performance**: After implementing this approach in the VDI/RDSH environment, on first login, - (Operation) A user-publishing/refresh is initiated. - (Expectation) If it's the first time that a user has published virtual applications (for example, non-persistent), this will take the usual duration of a publishing/refresh. + (Expectation) If it's the first time that a user has published virtual applications (for example, non-persistent), this operation will take the usual duration of a publishing/refresh. - (Operation) After the publishing/refresh, the UPM solution captures the user integrations. - (Expectation) Depending on how the UPM solution is configured, this may occur as part of the logoff process. This will incur the same/similar overhead as persisting the user state. + (Expectation) Depending on how the UPM solution is configured, this capture may occur as part of the sign-out process. This result will incur the same/similar overhead as persisting the user state. **On subsequent logins**: - (Operation) UPM solution applies the user integrations to the system prior to publishing/refresh. - (Expectation) There will be shortcuts present on the desktop, or in the start menu, which work immediately. When the publishing/refresh completes (i.e., package entitlements change), some may go away. + (Expectation) There will be shortcuts present on the desktop, or in the start menu, which work immediately. When the publishing/refresh completes (that is, package entitlements change), some may go away. - - (Operation) Publishing/refresh will process un-publish and publish operations for changes in user package entitlements. + - (Operation) Publishing/refresh will process unpublish and publish operations for changes in user package entitlements. (Expectation) If there are no entitlement changes, publishing will complete in seconds. Otherwise, the publishing/refresh will increase relative to the number and complexity of virtual applications The publishing operation (**Publish-AppVClientPackage**) adds entries to the user catalog, maps entitlement to the user, identifies the local store, and finishes by completing any integration steps. - - (Operation) UPM solution will capture user integrations again at logoff. + - (Operation) UPM solution will capture user integrations again at sign off. (Expectation) Same as previous. **Outcome**: - - Because the user integrations are entirely preserved, there will be no work for example, integration for the publishing/refresh to complete. All virtual applications will be available within seconds of login. - - The publishing/refresh will process changes to the users entitled virtual applications which impacts the experience. + - Because the user integrations are entirely preserved, there will be no work for example, integration for the publishing/refresh to complete. All virtual applications will be available within seconds of sign in. + - The publishing/refresh will process changes to the users-entitled virtual applications, which impacts the experience. - **Storage**: After implementing this approach in the VDI/RDSH environment, on first login @@ -286,12 +286,12 @@ This following process is a step-by-step walk-through of the App-V and UPM opera (Expectation): - - If this is the first time a user has published virtual applications (for example, non-persistent), this will take the usual duration of a publishing/refresh. + - If this instance is the first time a user has published virtual applications (for example, non-persistent), this will take the usual duration of a publishing/refresh. - First and subsequent logins will be impacted by pre-configuring of packages (add/refresh). - (Operation) After the publishing/refresh, the UPM solution captures the user integrations. - (Expectation) Depending on how the UPM solution is configured, this may occur as part of the logoff process. This will incur the same/similar overhead as persisting the user state. + (Expectation) Depending on how the UPM solution is configured, this capture may occur as part of the sign-off process. This result will incur the same/similar overhead as persisting the user state. **On subsequent logins**: @@ -299,24 +299,24 @@ This following process is a step-by-step walk-through of the App-V and UPM opera - (Operation) Add/refresh must pre-configure all user targeted applications. - (Expectation): - - This may increase the time to application availability significantly (on the order of 10’s of seconds). + - This may increase the time to application availability significantly (on the order of 10s of seconds). - This will increase the publishing refresh time relative to the number and complexity* of virtual applications. - - (Operation) Publishing/refresh will process un-publish and publish operations for changes to user package entitlements. + - (Operation) Publishing/refresh will process unpublish and publish operations for changes to user package entitlements. - **Outcome**: Because the add/refresh must re-configure all the virtual applications to the VM, the publishing refresh time on every login will be extended. + **Outcome**: Because the add/refresh must reconfigure all the virtual applications to the VM, the publishing refresh time on every login will be extended. ### Impact to Package Life Cycle -Upgrading a package is a crucial aspect of the package lifecycle. To help guarantee users have access to the appropriate upgraded (published) or downgraded (un-published) virtual application packages, it is recommended you update the base image to reflect these changes. To understand why review the following section: +Upgrading a package is a crucial aspect of the package lifecycle. To help guarantee users have access to the appropriate upgraded (published) or downgraded (unpublished) virtual application packages, it's recommended you update the base image to reflect these changes. To understand why review the following section: App-V 5.0 SP2 introduced the concept of pending states. In the past, -- If an administrator changed entitlements or created a new version of a package (upgraded) and during a publishing/refresh that package was in-use, the un-publish or publish operation, respectively, would fail. +- If an administrator changed entitlements or created a new version of a package (upgraded) and during a publishing/refresh that package was in-use, the unpublish or publish operation, respectively, would fail. -- Now, if a package is in-use the operation will be pended. The un-publish and publish-pend operations will be processed on service restart or if another publish or un-publish command is issued. In the latter case, if the virtual application is in-use otherwise, the virtual application will remain in a pending state. For globally published packages, a restart (or service restart) often needed. +- Now, if a package is in use, the operation will be pended. The unpublish and publish-pend operations will be processed on service restart or if another publish or unpublish command is issued. In the latter case, if the virtual application is in-use otherwise, the virtual application will remain in a pending state. For globally published packages, a restart (or service restart) often needed. -In a non-persistent environment, it is unlikely these pended operations will be processed. The pended operations, for example tasks are captured under **HKEY\_CURRENT\_USER** \\ **Software** \\ **Microsoft** \\ **AppV** \\ **Client** \\ **PendingTasks**. Although this location is persisted by the UPM solution, if it isn't applied to the environment prior to log on, it will not be processed. +In a non-persistent environment, it's unlikely these pended operations will be processed. The pended operations, for example tasks are captured under **HKEY\_CURRENT\_USER** \\ **Software** \\ **Microsoft** \\ **AppV** \\ **Client** \\ **PendingTasks**. Although this location is persisted by the UPM solution, if it isn't applied to the environment prior to a sign in, it will not be processed. ### Enhancing the VDI Experience through Performance Optimization Tuning @@ -364,11 +364,11 @@ Several App-V features facilitate new scenarios or enable new customer deploymen |Step|Consideration|Benefits|Tradeoffs| |--- |--- |--- |--- | -|No Feature Block 1 (FB1, also known as Primary FB)|No FB1 means the application will launch immediately and stream fault (application requires file, DLL and must pull down over the network) during launch. If there are network limitations, FB1 will:
                              • Reduce the number of stream faults and network bandwidth used when you launch an application for the first time.
                              • Delay launch until the entire FB1 has been streamed.|Stream faulting decreases the launch time.|Virtual application packages with FB1 configured will need to be re-sequenced.| +|No Feature Block 1 (FB1, also known as Primary FB)|No FB1 means the application will launch immediately and stream fault (application requires file, DLL and must pull down over the network) during launch. If there are network limitations, FB1 will:
                              • Reduce the number of stream faults and network bandwidth used when you launch an application for the first time.
                              • Delay launch until the entire FB1 has been streamed.|Stream faulting decreases the launch time.|Virtual application packages with FB1 configured will need to be resequenced.| ### Removing FB1 -Removing FB1 does not require the original application installer. After completing the following steps, it is suggested that you revert the computer running the sequencer to a clean snapshot. +Removing FB1 doesn't require the original application installer. After completing the following steps, it's suggested that you revert the computer running the sequencer to a clean snapshot. **Sequencer UI** - Create a New Virtual Application Package. @@ -405,7 +405,7 @@ Removing FB1 does not require the original application installer. After completi |Step|Considerations|Benefits|Tradeoffs| |--- |--- |--- |--- | -|No SXS Install at Publish (Pre-Install SxS assemblies)|Virtual Application packages don't need to be re-sequenced. SxS Assemblies can remain in the virtual application package.|The SxS Assembly dependencies will not install at publishing time.|SxS Assembly dependencies must be pre-installed.| +|No SXS Install at Publish (Pre-Install SxS assemblies)|Virtual Application packages don't need to be resequenced. SxS Assemblies can remain in the virtual application package.|The SxS Assembly dependencies won't install at publishing time.|SxS Assembly dependencies must be pre-installed.| ### Creating a new virtual application package on the sequencer @@ -414,7 +414,7 @@ If, during sequencer monitoring, an SxS Assembly (such as a VC++ Runtime) is ins **Client Side**: -When publishing a virtual application package, the App-V Client will detect if a required SxS dependency is already installed. If the dependency is unavailable on the computer and it is included in the package, a traditional Windows Installer (.**msi**) installation of the SxS assembly will be initiated. As previously documented, simply install the dependency on the computer running the client to ensure that the Windows Installer (.msi) installation will not occur. +When publishing a virtual application package, the App-V Client will detect if a required SxS dependency is already installed. If the dependency is unavailable on the computer and it's included in the package, a traditional Windows Installer (.**msi**) installation of the SxS assembly will be initiated. As previously documented, simply install the dependency on the computer running the client to ensure that the Windows Installer (.msi) installation won't occur. |Step|Considerations|Benefits|Tradeoffs| |--- |--- |--- |--- | @@ -439,8 +439,8 @@ For documentation on How to Apply a Dynamic Configuration, see: |Step|Considerations|Benefits|Tradeoffs| |--- |--- |--- |--- | -|Account for Synchronous Script Execution during Package Lifecycle.|If script collateral is embedded in the package, Add cmdlets may be significantly slower.
                                Running of scripts during virtual application launch (StartVirtualEnvironment, StartProcess) and/or Add+Publish will impact the perceived performance during one or more of these lifecycle operations.|Use of Asynchronous (Non-Blocking) Scripts will ensure that the lifecycle operations complete efficiently.|This step requires working knowledge of all virtual application packages with embedded script collateral, which have associated dynamic configurations files and which reference and run scripts synchronously.| -|Remove Extraneous Virtual Fonts from Package.|The majority of applications investigated by the App-V product team contained a small number of fonts, typically fewer than 20.|Virtual Fonts impact publishing refresh performance.|Desired fonts will need to be enabled/installed natively. For instructions, see Install or uninstall fonts.| +|Account for Synchronous Script Execution during Package Lifecycle.|If script collateral is embedded in the package, Add cmdlets may be slower.
                                Running of scripts during virtual application launch (StartVirtualEnvironment, StartProcess) and/or Add+Publish will impact the perceived performance during one or more of these lifecycle operations.|Use of Asynchronous (Non-Blocking) Scripts will ensure that the lifecycle operations complete efficiently.|This step requires working knowledge of all virtual application packages with embedded script collateral, which have associated dynamic configurations files and which reference and run scripts synchronously.| +|Remove Extraneous Virtual Fonts from Package.|Most applications investigated by the App-V product team contained a few fonts, typically fewer than 20.|Virtual Fonts impact publishing refresh performance.|Desired fonts will need to be enabled/installed natively. For instructions, see Install or uninstall fonts.| ### Determining what virtual fonts exist in the package @@ -448,7 +448,7 @@ For documentation on How to Apply a Dynamic Configuration, see: - Rename Package\_copy.appv to Package\_copy.zip -- Open AppxManifest.xml and locate the following: +- Open AppxManifest.xml and locate the following syntax: ```xml @@ -458,7 +458,7 @@ For documentation on How to Apply a Dynamic Configuration, see: ``` > [!Note] - > If there are fonts marked as **DelayLoad**, those will not impact first launch. + > If there are fonts marked as **DelayLoad**, those won't impact first launch. ### Excluding virtual fonts from the package @@ -485,9 +485,9 @@ The following terms are used when describing concepts and actions related to App - **Re-Integrate** – Applies the user integrations. -- **Non-Persistent, Pooled** – Creates a computer running a virtual environment each time they log in. +- **Non-Persistent, Pooled** – Creates a computer running a virtual environment each time they sign in. -- **Persistent, Personal** – A computer running a virtual environment that remains the same for every login. +- **Persistent, Personal** – A computer running a virtual environment that remains the same for every sign in. - **Stateful** - For this document, implies that user integrations are persisted between sessions and a user environment management technology is used in conjunction with non-persistent RDSH or VDI. @@ -497,13 +497,13 @@ The following terms are used when describing concepts and actions related to App - **User Experience** - In the context of App-V, the user experience, quantitatively, is the sum of the following parts: - - From the point that users initiate a log-in to when they are able to manipulate the desktop. + - From the point that users initiate a sign in to when they're able to manipulate the desktop. - - From the point where the desktop can be interacted with to the point a publishing refresh begins (in Windows PowerShell terms, sync) when using the App-V full server infrastructure. In standalone instances, it is when the **Add-AppVClientPackage** and **Publish-AppVClientPackage** Windows PowerShell commands are initiated. + - From the point where the desktop can be interacted with to the point a publishing refresh begins (in Windows PowerShell terms, sync) when using the App-V full server infrastructure. In standalone instances, it's when the **Add-AppVClientPackage** and **Publish-AppVClientPackage** Windows PowerShell commands are initiated. - - From start to completion of the publishing refresh. In standalone instances, this is the first to last virtual application published. + - From start to completion of the publishing refresh. In standalone instances, this refresh is the first to last instance leading to the virtual application being published. - - From the point where the virtual application is available to launch from a shortcut. Alternatively, it is from the point at which the file type association is registered and will launch a specified virtual application. + - From the point where the virtual application is available to launch from a shortcut. Alternatively, it's from the point at which the file type association is registered and will launch a specified virtual application. - **User Profile Management** – The controlled and structured approach to managing user components associated with the environment. For example, user profiles, preference and policy management, application control and application deployment. You can use scripting or third-party solutions configure the environment as needed. diff --git a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md index 40386c2097..77aac93712 100644 --- a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md +++ b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md @@ -33,7 +33,7 @@ To use %AppData% folder redirection, you must: * Have an App-V package that has an AppData virtual file system (VFS) folder. * Enable folder redirection and redirect users’ folders to a shared folder, typically a network folder. -* Roam both or neither of the following: +* Roam both or neither of the following elements: * Files under %appdata%\Microsoft\AppV\Client\Catalog * Registry settings under HKEY_CURRENT_USER\Software\Microsoft\AppV\Client\Packages @@ -45,7 +45,7 @@ The following scenarios aren't supported by App-V: * Configuring %LocalAppData% as a network drive. * Redirecting the Start menu to a single folder for multiple users. -* If roaming AppData (%AppData%) is redirected to a network share that is not available, App-V applications will fail to launch, unless the unavailable network share has been enabled for Offline Files. +* If roaming AppData (%AppData%) is redirected to a network share that isn't available, App-V applications will fail to launch, unless the unavailable network share has been enabled for Offline Files. ## How to configure folder redirection for use with App-V @@ -53,11 +53,11 @@ Folder redirection can be applied to different folders, such as Desktop, My Docu ## How folder redirection works with App-V -The following table describes how folder redirection works when %AppData% is redirected to a network and when you have met the requirements listed earlier in this article. +The following table describes how folder redirection works when %AppData% is redirected to a network and when you've met the requirements listed earlier in this article. |Virtual environment state|Action that occurs| |---|---| -|When the virtual environment starts.|The virtual file system (VFS) AppData folder is mapped to the local AppData folder (%LocalAppData%) instead of to the user’s roaming AppData folder (%AppData%).
                                - LocalAppData contains a local cache of the user’s roaming AppData folder for the package in use. The local cache is located under ```%LocalAppData%\Microsoft\AppV\Client\VFS\PackageGUID\AppData```
                                - The latest data from the user’s roaming AppData folder is copied to and replaces the data currently in the local cache.
                                - While the virtual environment is running, data continues to be saved to the local cache. Data is served only out of %LocalAppData% and is not moved or synchronized with %AppData% until the end user shuts down the computer.
                                - Entries to the AppData folder are made using the user context, not the system context.| +|When the virtual environment starts.|The virtual file system (VFS) AppData folder is mapped to the local AppData folder (%LocalAppData%) instead of to the user’s roaming AppData folder (%AppData%).
                                - LocalAppData contains a local cache of the user’s roaming AppData folder for the package in use. The local cache is located under ```%LocalAppData%\Microsoft\AppV\Client\VFS\PackageGUID\AppData```
                                - The latest data from the user’s roaming AppData folder is copied to and replaces the data currently in the local cache.
                                - While the virtual environment is running, data continues to be saved to the local cache. Data is served only out of %LocalAppData% and isn't moved or synchronized with %AppData% until the end user shuts down the computer.
                                - Entries to the AppData folder are made using the user context, not the system context.| |When the virtual environment shuts down.|The local cached data in AppData (roaming) is zipped up and copied to the “real” roaming AppData folder in %AppData%. A time stamp that indicates the last known upload is simultaneously saved as a registry key under ```HKCU\Software\Microsoft\AppV\Client\Packages\\AppDataTime```. App-V keeps the three most recent copies of the compressed data under %AppData% for redundancy.| diff --git a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md index f3e4e0b58f..99bd692a61 100644 --- a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md +++ b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md @@ -48,7 +48,7 @@ Running App-V Server in Shared Content Store (SCS) mode with clustered file serv To enable SCS mode configurations, follow these steps: 1. Configure the App-V client to run in SCS mode. For more information, see [Deploying the App-V Sequencer and Configuring the Client](appv-deploying-the-appv-sequencer-and-client.md). -2. Configure the file server cluster, configured in either the scale out mode (which started with Windows Server 2012) or the earlier clustering mode, with a virtual SAN. +2. Configure the file server cluster, configured in either the scale-out mode (which started with Windows Server 2012) or the earlier clustering mode, with a virtual SAN. The following steps can be used to validate the configuration: @@ -63,7 +63,7 @@ Review the following articles to learn more about configuring Windows Server fai ## Support for Microsoft SQL Server mirroring -Using Microsoft SQL Server mirroring, where the App-V management server database is mirrored utilizing two SQL Server instances, for App-V management server databases is supported. + With the Microsoft SQL Server mirroring being used, where the App-V management server database is mirrored utilizing two SQL Server instances, for App-V management server databases is supported. Review the following to learn more about how to configure Microsoft SQL Server mirroring: @@ -76,7 +76,7 @@ The following steps can be used to validate the configuration: 2. Select **Failover** to designate a new master Microsoft SQL Server instance. 3. Verify that the App-V management server continues to function as expected after the failover. -The connection string on the management server can be modified to include ```failover partner = ```. This will only help when the primary on the mirror has failed over to the secondary and the computer running the App-V client is doing a fresh connection (say after reboot). +The connection string on the management server can be modified to include ```failover partner = ```. This modification will only help when the primary on the mirror has failed over to the secondary and the computer running the App-V client is doing a fresh connection (say after reboot). Use the following steps to modify the connection string to include ```failover partner = ```: diff --git a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md index c5885a941b..610ae44c40 100644 --- a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md +++ b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md @@ -30,7 +30,7 @@ You can use the App-V Sequencer to create plug-in packages for language packs, l For a list of supported Office products, see [Microsoft Office Product IDs that App-V supports](https://support.microsoft.com/help/2842297/product-ids-that-are-supported-by-the-office-deployment-tool-for-click). >[!NOTE] ->You must use the Office Deployment Tool instead of the App-V Sequencer to create App-V packages for Microsoft 365 Apps for enterprise. App-V does not support package creation for volume-licensed versions of Office Professional Plus or Office Standard. Support for the [Office 2013 version of Office 365 ended in February 2017](https://support.microsoft.com/kb/3199744). +>You must use the Office Deployment Tool instead of the App-V Sequencer to create App-V packages for Microsoft 365 Apps for enterprise. App-V doesn't support package creation for volume-licensed versions of Office Professional Plus or Office Standard. Support for the [Office 2013 version of Office 365 ended in February 2017](https://support.microsoft.com/kb/3199744). ## Using App-V with coexisting versions of Office @@ -40,7 +40,7 @@ Microsoft’s recommended best practice is to avoid Office coexistence completel ### Before you implement Office coexistence -Before implementing Office coexistence, review the information in the following table that corresponds to the newest version of Office that you will use in coexistence. The documentation linked here will guide you in implementing coexistence for Windows Installer-based (MSI) and Click-to-Run installations of Office. +Before implementing Office coexistence, review the information in the following table that corresponds to the newest version of Office that you'll use in coexistence. The documentation linked here will guide you in implementing coexistence for Windows Installer-based (MSI) and Click-to-Run installations of Office. |Office version|Relevant how-to guides| |---|---| @@ -52,10 +52,10 @@ Once you've reviewed the relevant guide, this topic will supplement what you've ### Supported Office coexistence scenarios -The following tables summarize supported coexistence scenarios. They are organized according to the version and deployment method you’re starting with and the version and deployment method you are migrating to. Be sure to fully test all coexistence solutions before deploying them to a production audience. +The following tables summarize supported coexistence scenarios. They're organized according to the version and deployment method you’re starting with and the version and deployment method you're migrating to. Be sure to fully test all coexistence solutions before deploying them to a production audience. >[!NOTE] ->Microsoft does not support the use of multiple versions of Office in Windows Server environments that have the Remote Desktop Session Host role service enabled. To run Office coexistence scenarios, you must disable this role service. +>Microsoft doesn't support the use of multiple versions of Office in Windows Server environments that have the Remote Desktop Session Host role service enabled. To run Office coexistence scenarios, you must disable this role service. ### Windows integrations and Office coexistence @@ -65,10 +65,10 @@ The following table describes the integration level of each version of Office, a |Office version|The modes App-V can sequence this version of Office with| |---|---| -|Office 2007|Always non-integrated. App-V does not offer any operating system integrations with a virtualized version of Office 2007.| +|Office 2007|Always non-integrated. App-V doesn't offer any operating system integrations with a virtualized version of Office 2007.| |Office 2010|Integrated and non-integrated mode.| -|Office 2013|Always integrated. Windows operating system integrations cannot be disabled.| -|Office 2016|Always integrated. Windows operating system integrations cannot be disabled.| +|Office 2013|Always integrated. Windows operating system integrations can't be disabled.| +|Office 2016|Always integrated. Windows operating system integrations can't be disabled.| Microsoft recommends deploying Office coexistence with only one integrated Office instance. For example, if you’re using App-V to deploy Office 2010 and Office 2013, you should sequence Office 2010 in non-integrated mode. For more information about sequencing Office in non-integration (isolated) mode, see [How to sequence Microsoft Office 2010 in Microsoft Application Virtualization 5.0](https://support.microsoft.com/kb/2830069). @@ -83,12 +83,12 @@ Limitations can occur when you install the following versions of Office on the s * Office 2010 with the Windows Installer-based version * Office 2013 or Office 2016 with App-V -Publishing Office 2013 or Office 2016 with App-V at the same time as an earlier version of the Windows Installer-based Office 2010 might cause the Windows Installer to start. This is because either the Windows Installer-based or Click-to-Run version of Office 2010 is trying to automatically register itself to the computer. +Publishing Office 2013 or Office 2016 with App-V at the same time as an earlier version of the Windows Installer-based Office 2010 might cause the Windows Installer to start. This scenario is because either the Windows Installer-based or Click-to-Run version of Office 2010 is trying to automatically register itself to the computer. To bypass the auto-registration operation for native Word 2010, follow these steps: 1. Exit Word 2010. -2. Start the Registry Editor by doing the following: +2. Start the Registry Editor by doing the following tasks: * In Windows 7k, select **Start**, type **regedit** in the Start Search box, then select the Enter key. diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md index 12d3de4f82..9bcd61489d 100644 --- a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md @@ -16,13 +16,13 @@ ms.topic: article [!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] -If you are using an electronic software distribution (ESD) system to deploy App-V packages, review the following planning considerations. For information about deploying App-V with Microsoft Endpoint Configuration Manager, see [Introduction to application management in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682125(v=technet.10)#BKMK_Appv). +If you're using an electronic software distribution (ESD) system to deploy App-V packages, review the following planning considerations. For information about deploying App-V with Microsoft Endpoint Configuration Manager, see [Introduction to application management in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682125(v=technet.10)#BKMK_Appv). Review the following component and architecture requirements options that apply when you use an ESD to deploy App-V packages: | Deployment requirement or option | Description | |---|---| -| The App-V Management server, Management database, and Publishing server are not required. | These functions are handled by the implemented ESD solution. | +| The App-V Management server, Management database, and Publishing server aren't required. | These functions are handled by the implemented ESD solution. | | You can deploy the App-V Reporting server and Reporting database side-by-side with the ESD. | The side-by-side deployment lets you collect data and generate reports.
                                If you enable the App-V client to send report information without using the App-V Reporting server, the reporting data will be stored in associated .xml files. | diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv.md b/windows/application-management/app-v/appv-planning-to-deploy-appv.md index 3bb30afe33..e44be47def 100644 --- a/windows/application-management/app-v/appv-planning-to-deploy-appv.md +++ b/windows/application-management/app-v/appv-planning-to-deploy-appv.md @@ -20,7 +20,7 @@ There are several different deployment configurations and requirements to consid ## App-V supported configurations -[App-V supported configurations](appv-supported-configurations.md) describes the minimum hardware and operating system requirements for each App-V components. For information about software that you must install before you install App-V, see [App-V Prerequisites](appv-prerequisites.md). +[App-V supported configurations](appv-supported-configurations.md) describes the minimum hardware and operating system requirements for each App-V component. For information about software that you must install before you install App-V, see [App-V Prerequisites](appv-prerequisites.md). ## App-V capacity planning diff --git a/windows/application-management/app-v/appv-reporting.md b/windows/application-management/app-v/appv-reporting.md index 31fd82260d..8a9c9f48aa 100644 --- a/windows/application-management/app-v/appv-reporting.md +++ b/windows/application-management/app-v/appv-reporting.md @@ -29,8 +29,8 @@ The following list displays the end–to-end high-level workflow for reporting i * SQL Server installed and running with SQL Server Reporting Services (SSRS) To confirm SQL Server Reporting Services is running, enter in a web browser as administrator on the server that will host App-V Reporting. The SQL Server Reporting Services Home page should appear. -2. Install the App-V reporting server and associated database. For more information about installing the reporting server see [How to install the Reporting Server on a standalone computer and connect it to the database](appv-install-the-reporting-server-on-a-standalone-computer.md). Configure the time when the computer running the App-V client should send data to the reporting server. -3. If you are not using an electronic software distribution system such as Configuration Manager to view reports then you can define reports in SQL Server Reporting Service. Download predefined appvshort Reports from the Download Center at [Application Virtualization SSRS Reports](https://www.microsoft.com/download/details.aspx?id=42630). +2. Install the App-V reporting server and associated database. For more information about installing the reporting server, see [How to install the Reporting Server on a standalone computer and connect it to the database](appv-install-the-reporting-server-on-a-standalone-computer.md). Configure the time when the computer running the App-V client should send data to the reporting server. +3. If you aren't using an electronic software distribution system such as Configuration Manager to view reports, then you can define reports in SQL Server Reporting Service. Download predefined appvshort Reports from the Download Center at [Application Virtualization SSRS Reports](https://www.microsoft.com/download/details.aspx?id=42630). > [!NOTE] >If you are using the Configuration Manager integration with App-V, most reports are generated from Configuration Manager rather than from App-V. @@ -43,13 +43,13 @@ The following list displays the end–to-end high-level workflow for reporting i To immediately send App-V report data, run **Send-AppvClientReport** on the App-V client. For more information about configuring reporting on the App-V client, see [About client configuration settings](appv-client-configuration-settings.md). To administer App-V Reporting with Windows PowerShell, see [How to enable reporting on the App-V client by using PowerShell](appv-enable-reporting-on-the-appv-client-with-powershell.md). -5. After the reporting server receives the data from the App-V client it sends the data to the reporting database. When the database receives and processes the client data, a successful reply is sent to the reporting server, which then notifies the App-V client. +5. After the reporting server receives the data from the App-V client, it sends the data to the reporting database. When the database receives and processes the client data, a successful reply is sent to the reporting server, which then notifies the App-V client. 6. When the App-V client receives the success notification, it empties the data cache to conserve space. > [!NOTE] >By default, the cache is cleared after the server confirms receipt of data. You can manually configure the client to save the data cache. - If the App-V client device does not receive a success notification from the server, it retains data in the cache and tries to resend data at the next configured interval. Clients continue to collect data and add it to the cache. + If the App-V client device doesn't receive a success notification from the server, it retains data in the cache and tries to resend data at the next configured interval. Clients continue to collect data and add it to the cache. ### App-V reporting server frequently asked questions @@ -57,7 +57,7 @@ The following sections provide answers to frequently asked questions about how A #### How frequently is reporting information sent to the reporting database? -Frequency depends on the computer running the App-V client's reporting configuration. You must configure the frequency or interval for sending the reporting data manually, as App-V reporting is not enabled by default. +Frequency depends on the computer running the App-V client's reporting configuration. You must configure the frequency or interval for sending the reporting data manually, as App-V reporting isn't enabled by default. #### What information is stored in the reporting server database? @@ -73,10 +73,10 @@ The following information is stored in the reporting database: It depends. Three sets of data can be sent to the reporting server: * Operating system and App-V client information, which is about 150 Bytes every time it gets sent to the server. -* Published package lists, which are about 7 KB per 30 packages. This is sent only when the package list is updated with a publishing refresh, which is done infrequently; if there is no change, this information is not sent. -* Virtual application usage information is about 0.25 KB per event. Opening and closing count as one event if both occur before sending the information. When sending using a scheduled task, only the data since the last successful upload is sent to the server. If sending manually through the Windows PowerShell cmdlet, there is an optional argument called **DeleteOnSuccess** that controls if the data needs to be re-sent the next time around. +* Published package lists, which are about 7 KB per 30 packages. This is sent only when the package list is updated with a publishing refresh, which is done infrequently; if there's no change, this information isn't sent. +* Virtual application usage information is about 0.25 KB per event. Opening and closing count as one event if both occur before sending the information. When the information is sent through a scheduled task, only the data since the last successful upload is sent to the server. If sending manually through the Windows PowerShell cmdlet, there's an optional argument called **DeleteOnSuccess** that controls if the data needs to be resent the next time around. -For example, if twenty applications are opened and closed and reporting information is scheduled to be sent daily, the typical daily traffic should be about 0.15 KB + 20 × 0.25 KB, or about 5 KB/user. +For example, if 20 applications are opened and closed and reporting information is scheduled to be sent daily, the typical daily traffic should be about 0.15 KB + 20 × 0.25 KB, or about 5 KB/user. #### Can I schedule reporting? @@ -96,7 +96,7 @@ Yes. Besides manually sending reporting using Windows PowerShell cmdlets (**Send ## App-V Client reporting -To use App-V reporting you must enable and configure the App-V client. To configure reporting on the client, use the Windows PowerShell cmdlet **Set-AppVClientConfiguration**, or the Group Policy **ADMX Template**. For more information about the Windows PowerShell cmdlets, see [About client configuration settings](appv-client-configuration-settings.md). The following section provides examples of Windows PowerShell commands for configuring App-V client reporting. +To use App-V reporting,, you must enable and configure the App-V client. To configure reporting on the client, use the Windows PowerShell cmdlet **Set-AppVClientConfiguration**, or the Group Policy **ADMX Template**. For more information about the Windows PowerShell cmdlets, see [About client configuration settings](appv-client-configuration-settings.md). The following section provides examples of Windows PowerShell commands for configuring App-V client reporting. ### Configuring App-V client reporting using Windows PowerShell @@ -177,7 +177,7 @@ Send-AppVClientReport –URL http://MyReportingServer:MyPort/ -DeleteOnSuccess If the reporting server has been previously configured, then the **–URL** parameter can be omitted. Alternatively, if the data should be sent to an alternate location, specify a different URL to override the configured **ReportingServerURL** for this data collection. -The **-DeleteOnSuccess** parameter indicates that if the transfer is successful, then the data cache will be cleared. If this is not specified, then the cache will not be cleared. +The **-DeleteOnSuccess** parameter indicates that if the transfer is successful, then the data cache will be cleared. If the transfer-status isn't specified, then the cache won't be cleared. ### Manual Data Collection @@ -185,16 +185,16 @@ You can also use the **Send-AppVClientReport** cmdlet to manually collect data. |With a reporting server|Without a reporting server| |---|---| -|f you have an existing App-V reporting server, create a customized scheduled task or script. Specify that the client sends the data to the specified location at the desired frequency.|If you do not have an existing App-V reporting Server, use the **–URL** parameter to send the data to a specified share. For example: ```Send-AppVClientReport –URL \\Myshare\MyData\ -DeleteOnSuccess```
                                The previous example will send the reporting data to the ```\\MyShare\MyData\``` location indicated by the **-URL** parameter. After the data has been sent, the cache is cleared.| +|f you have an existing App-V reporting server, create a customized scheduled task or script. Specify that the client sends the data to the specified location at the desired frequency.|If you don't have an existing App-V reporting Server, use the **–URL** parameter to send the data to a specified share. For example: ```Send-AppVClientReport –URL \\Myshare\MyData\ -DeleteOnSuccess```
                                The previous example will send the reporting data to the ```\\MyShare\MyData\``` location indicated by the **-URL** parameter. After the data has been sent, the cache is cleared.| >[!NOTE] >If a location other than the Reporting Server is specified, the data is sent in **.xml** format with no additional processing. ### Creating reports -To retrieve report information and create reports using App-V you must use one of the following methods: +To retrieve report information and create reports using App-V, you must use one of the following methods: -* Microsoft SQL Server Reporting Services (SSRS)—Microsoft SSRS is available with Microsoft SQL Server. SSRS is not installed when you install the App-V reporting server. It must be deployed separately to generate the associated reports. For more information, see the [What is SQL Server Reporting Services (SSRS)?](/sql/reporting-services/create-deploy-and-manage-mobile-and-paginated-reports) article. +* Microsoft SQL Server Reporting Services (SSRS)—Microsoft SSRS is available with Microsoft SQL Server. SSRS isn't installed when you install the App-V reporting server. It must be deployed separately to generate the associated reports. For more information, see the [What is SQL Server Reporting Services (SSRS)?](/sql/reporting-services/create-deploy-and-manage-mobile-and-paginated-reports) article. * Scripting—You can generate reports by scripting directly against the App-V reporting database. For example: diff --git a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md index 02c25af40d..c6a3d9da29 100644 --- a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md +++ b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md @@ -22,7 +22,7 @@ ms.author: greglin - Windows Server 2012 R2 - Windows Server 2016 -You can run a locally installed application in a virtual environment, alongside applications that have been virtualized by using Microsoft Application Virtualization (App-V). You might want to do this if you: +You can run a locally installed application in a virtual environment, alongside applications that have been virtualized by using Microsoft Application Virtualization (App-V). You might want to do this task if you: - Want to install and run an application locally on client computers, but want to virtualize and run specific plug-ins that work with that local application. @@ -45,7 +45,7 @@ Each method accomplishes essentially the same task, but some methods may be bett To add a locally installed application to a package or to a connection group’s virtual environment, you add a subkey to the `RunVirtual` registry key in the Registry Editor, as described in the following sections. -There is no Group Policy setting available to manage this registry key, so you have to use Microsoft Endpoint Manager or another electronic software distribution (ESD) system, or manually edit the registry. +There's no Group Policy setting available to manage this registry key, so you have to use Microsoft Endpoint Manager or another electronic software distribution (ESD) system, or manually edit the registry. Starting with App-V 5.0 SP3, when using RunVirtual, you can publish packages globally or to the user. @@ -63,16 +63,16 @@ Starting with App-V 5.0 SP3, when using RunVirtual, you can publish packages glo For example, create `HKEY_CURRENT_USER \SOFTWARE\Microsoft\AppV\Client\RunVirtual\MyApp.exe`. - Connection group can be: - - Packages that are published just globally or just to the user + - Packages that are published globally or just to the user - Packages that are published globally and to the user - Use the `HKEY_LOCAL_MACHINE` or `HKEY_CURRENT_USER` key. But, all of the following must be true: + Use the `HKEY_LOCAL_MACHINE` or `HKEY_CURRENT_USER` key. But, all of the following conditions must be fulfilled: - If you want to include multiple packages in the virtual environment, you must include them in an enabled connection group. - Create only one subkey for one of the packages in the connection group. If, for example, you have one package that is published globally, and another package that is published to the user, you create a subkey for either of these packages, but not both. Although you create a subkey for only one of the packages, all of the packages in the connection group, plus the local application, will be available in the virtual environment. - The key under which you create the subkey must match the publishing method you used for the package. - For example, if you published the package to the user, you must create the subkey under `HKEY_CURRENT_USER\SOFTWARE\Microsoft\AppV\Client\RunVirtual`. Do not add a key for the same application under both hives. + For example, if you published the package to the user, you must create the subkey under `HKEY_CURRENT_USER\SOFTWARE\Microsoft\AppV\Client\RunVirtual`. Don't add a key for the same application under both hives. 2. Set the new registry subkey’s value to the PackageId and VersionId of the package, separating the values with an underscore. @@ -80,7 +80,7 @@ Starting with App-V 5.0 SP3, when using RunVirtual, you can publish packages glo **Example**: 4c909996-afc9-4352-b606-0b74542a09c1\_be463724-Oct1-48f1-8604-c4bd7ca92fa - The application in the previous example would produce a registry export file (.reg file) like the following: + The application in the previous example would produce a registry export file (.reg file) like the following example: ```registry Windows Registry Editor Version 5.00 diff --git a/windows/application-management/app-v/appv-security-considerations.md b/windows/application-management/app-v/appv-security-considerations.md index 36f3d39141..8b17375f7c 100644 --- a/windows/application-management/app-v/appv-security-considerations.md +++ b/windows/application-management/app-v/appv-security-considerations.md @@ -19,15 +19,15 @@ ms.topic: article This topic contains a brief overview of the accounts and groups, log files, and other security-related considerations for Microsoft Application Virtualization (App-V). >[!IMPORTANT] ->App-V is not a security product and does not provide any guarantees for a secure environment. +>App-V isn't a security product and doesn't provide any guarantees for a secure environment. ## The PackageStoreAccessControl (PSAC) feature has been deprecated -Effective as of June, 2014, the PackageStoreAccessControl (PSAC) feature introduced in Microsoft Application Virtualization (App-V) 5.0 Service Pack 2 (SP2) has been deprecated in both single-user and multi-user environments. +Effective as of June 2014, the PackageStoreAccessControl (PSAC) feature introduced in Microsoft Application Virtualization (App-V) 5.0 Service Pack 2 (SP2) has been deprecated in both single-user and multi-user environments. ## General security considerations -**Understand the security risks.** The most serious risk to App-V is from unauthorized users hijacking an App-V client's functionality, giving the hacker the ability to reconfigure key data on App-V clients. By comparison, short-term loss of App-V functionality from a denial-of-service attack would not be as catastrophic. +**Understand the security risks.** The most serious risk to App-V is from unauthorized users hijacking an App-V client's functionality, giving the hacker the ability to reconfigure key data on App-V clients. By comparison, short-term loss of App-V functionality from a denial-of-service attack wouldn't be as catastrophic. **Physically secure your computers**. A security strategy that doesn't consider physical security is incomplete. Anyone with physical access to an App-V server could potentially attack the entire client base, so potential physical attacks or thefts should be prevented at all cost. App-V servers should be stored in a physically secure server room with controlled access. Lock the computer with the operating system or a secured screen saver to keep computers secure when the administrators are away. @@ -50,8 +50,8 @@ No groups are created automatically during App-V setup. You should create the fo |---|---|---| |App-V Management Admin group|Used to manage the App-V management server. This group is created during the App-V Management Server installation.|The management console can't create a new group after installation is complete.| |Database read/write for Management Service account|Provides read/write access to the management database. This account should be created during App-V management database installation.|| -|App-V Management Service install admin account|Provides public access to schema-version table in management database. This account should be created during App-V management database installation.|This is only required if the management database is being installed separately from the service.| -|App-V Reporting Service install admin account|Public access to schema-version table in reporting database. This account should be created during the App-V reporting database installation.|This is only required if reporting database is being installed separately from the service.| +|App-V Management Service install admin account|Provides public access to schema-version table in management database. This account should be created during App-V management database installation.|This account is only required if the management database is being installed separately from the service.| +|App-V Reporting Service install admin account|Public access to schema-version table in reporting database. This account should be created during the App-V reporting database installation.|This account is only required if reporting database is being installed separately from the service.| Consider the following additional information: @@ -62,9 +62,9 @@ Consider the following additional information: ### App-V package security -The following will help you plan how to ensure that virtualized packages are secure. +The following information will help you plan how to ensure that virtualized packages are secure. -* If an application installer applies an access control list (ACL) to a file or directory, then that ACL is not persisted in the package. If the file or directory is modified by a user when the package is deployed, the modified file or directory will either inherit the ACL in the **%userprofile%** or inherit the ACL of the target computer’s directory. The former occurs if the file or directory does not exist in a virtual file system location; the latter occurs if the file or directory exists in a virtual file system location, such as **%windir%**. +* If an application installer applies an access control list (ACL) to a file or directory, then that ACL isn't persisted in the package. If the file or directory is modified by a user when the package is deployed, the modified file or directory will either inherit the ACL in the **%userprofile%** or inherit the ACL of the target computer’s directory. The former occurs if the file or directory doesn't exist in a virtual file system location; the latter occurs if the file or directory exists in a virtual file system location, such as **%windir%**. ## App-V log files diff --git a/windows/application-management/app-v/appv-supported-configurations.md b/windows/application-management/app-v/appv-supported-configurations.md index 8c5bffbbd6..522da1d43d 100644 --- a/windows/application-management/app-v/appv-supported-configurations.md +++ b/windows/application-management/app-v/appv-supported-configurations.md @@ -50,7 +50,7 @@ You can install the App-V Management server on a server running Windows Server 2 ### Management server hardware requirements * A 64-bit (x64) processor that runs at 1.4 GHz or faster. -* 1 GB RAM (64-bit). +* 1-GB RAM (64-bit). * 200 MB of available hard disk space, not including the content directory. ### Management server database requirements @@ -74,10 +74,10 @@ The App-V Publishing server can be installed on a server that runs Windows Serve ### Publishing server hardware requirements -App-V adds no additional requirements beyond those of Windows Server. +App-V adds requires nothing beyond the requirements of Windows Server. * A 64-bit (x64) processor that runs at 1.4 GHz or faster. -* 2 GB RAM (64-bit). +* 2-GB RAM (64-bit). * 200 MB of available hard disk space, not including the content directory. ### Reporting server operating system requirements @@ -86,10 +86,10 @@ You can install the App-V Reporting server on a server running Windows Server 20 ### Reporting server hardware requirements -App-V adds no additional requirements beyond those of Windows Server. +App-V adds no other requirements beyond those requirements of Windows Server. * A 64-bit (x64) processor that runs at 1.4 GHz or faster. -* 2 GB RAM (64-bit). +* 2-GB RAM (64-bit). * 200 MB of available hard disk space, not including the content directory. ### Reporting server database requirements diff --git a/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md index 52fd89cf85..b36494538e 100644 --- a/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md +++ b/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md @@ -21,13 +21,13 @@ Use the following procedure to transfer the access and default package configura **To transfer access and configurations to another version of a package** -1. To view the package that you want to configure, open the App-V Management Console. Select the package to which you will transfer the new configuration, right-click the package and select **transfer default configuration from** or **transfer access and configurations from**, depending on the configuration that you want to transfer. +1. To view the package that you want to configure, open the App-V Management Console. Select the package to which you'll transfer the new configuration, right-click the package and select **transfer default configuration from** or **transfer access and configurations from**, depending on the configuration that you want to transfer. 2. To transfer the configuration, in the **Select Previous Version** dialog box, select the package that contains the settings that you want to transfer, and then click **OK**. If you select **transfer default configuration from**, then only the underlying dynamic deployment configuration will be transferred. - If you select **transfer access and configurations from**, then all access permissions, as well as the configuration settings, will be copied. + If you select **transfer access and configurations from**, then all access permissions, and the configuration settings, will be copied. diff --git a/windows/application-management/enterprise-background-activity-controls.md b/windows/application-management/enterprise-background-activity-controls.md index 9c4133cd25..0fae5a2104 100644 --- a/windows/application-management/enterprise-background-activity-controls.md +++ b/windows/application-management/enterprise-background-activity-controls.md @@ -25,11 +25,11 @@ Users have the ability to control background activity for their device through t ![Background apps settings page.](images/backgroundapps-setting.png) -The **Battery usage by app** page allows fine-grained tuning of background activity. Users have the ability to set background activity to by **Managed By Windows**, as well as turning it on or off for each app. Only devices with a battery have this page available in the **Settings** app. Here is the set of available controls on desktop:  +The **Battery usage by app** page allows fine-grained tuning of background activity. Users have the ability to set background activity to by **Managed By Windows**, and turning it on or off for each app. Only devices with a battery have this page available in the **Settings** app. Here's the set of available controls on desktop:  ![Battery usage by app on desktop.](images/battery-usage-by-app-desktop.png) -Here is the set of available controls for mobile devices:  +Here's the set of available controls for mobile devices:  ![Battery usage by app on mobile.](images/battery-usage-by-app-mobile.png) @@ -48,13 +48,13 @@ These policies control the background activity battery settings for Universal Wi An app can determine which settings are in place for itself by using [BackgroundExecutionManager.RequestAccessAsync](/uwp/api/Windows.ApplicationModel.Background.BackgroundAccessStatus) before any background activity is attempted, and then examining the returned [BackgroundAccessStatus](/uwp/api/windows.applicationmodel.background.backgroundaccessstatus) enumeration. The values of this enumeration correspond to settings in the **battery usage by App** settings page:     -- **AlwaysAllowed**: Corresponds to **Always Allowed in Background** and **Managed By User**. This enables apps to run as much as possible in the background, including while the device is in battery saver mode. +- **AlwaysAllowed**: Corresponds to **Always Allowed in Background** and **Managed By User**. This correspondence enables apps to run as much as possible in the background, including while the device is in battery saver mode.    -- **AllowedSubjectToSystemPolicy**: This is the default value. It corresponds to **Managed by Windows**. This enables apps to run in the background as determined by Windows. If the device is currently in the battery saver state then background activities do not run.  +- **AllowedSubjectToSystemPolicy**: This value is the default one. It corresponds to **Managed by Windows**. This correspondence enables apps to run in the background as determined by Windows. If the device is currently in the battery saver state, then background activities don't run.     -- **DeniedDueToSystemPolicy**: Corresponds to **Managed by Windows** and indicates that the system has determined that the app cannot currently run in the background.  +- **DeniedDueToSystemPolicy**: Corresponds to **Managed by Windows** and indicates that the system has determined that the app can't currently run in the background.     -- **DeniedByUser**: Corresponds to **Never Allowed in the Background**. The app cannot run in the background. Either the configuration in the settings app, or enterprise policy, has defined that this app is not allowed to run in the background.  +- **DeniedByUser**: Corresponds to **Never Allowed in the Background**. The app can't run in the background. Either the configuration in the settings app, or enterprise policy, has defined that this app isn't allowed to run in the background.  The Universal Windows Platform ensures that consumers will have great battery life and that foreground apps will perform well. Enterprises have the ability to change settings to enable scenarios specific to their business needs. Administrators can use the **Background apps** policies to enable or disable whether a UWP app can run in the background. diff --git a/windows/application-management/sideload-apps-in-windows-10.md b/windows/application-management/sideload-apps-in-windows-10.md index 645475d40c..9fbe73a8d9 100644 --- a/windows/application-management/sideload-apps-in-windows-10.md +++ b/windows/application-management/sideload-apps-in-windows-10.md @@ -53,7 +53,7 @@ You can sideload apps on managed or unmanaged devices. Managed devices are typically owned by your organization. They're managed by Group Policy (on-premises), or a Mobile Device Management (MDM) provider, such as Microsoft Intune (cloud). Bring your own devices (BYOD) and personal devices can also be managed by your organization. On managed devices, you can create a policy that turns on sideloading, and then deploy this policy to your Windows devices. -Unmanaged devices are devices that are not managed by your organization. These devices are typically personal devices owned by users. Users can turn on sideloading using the Settings app. +Unmanaged devices are devices that aren't managed by your organization. These devices are typically personal devices owned by users. Users can turn on sideloading using the Settings app. > [!IMPORTANT] > To install an app on Windows client, you can: diff --git a/windows/application-management/svchost-service-refactoring.md b/windows/application-management/svchost-service-refactoring.md index 8482a3497c..3a01c9e059 100644 --- a/windows/application-management/svchost-service-refactoring.md +++ b/windows/application-management/svchost-service-refactoring.md @@ -16,7 +16,7 @@ manager: dansimp > Applies to: Windows 10 -The **Service Host (svchost.exe)** is a shared-service process that serves as a shell for loading services from DLL files. Services are organized into related host groups, and each group runs inside a different instance of the Service Host process. In this way, a problem in one instance does not affect other instances. Service Host groups are determined by combining the services with matching security requirements. For example: +The **Service Host (svchost.exe)** is a shared-service process that serves as a shell for loading services from DLL files. Services are organized into related host groups, and each group runs inside a different instance of the Service Host process. In this way, a problem in one instance doesn't affect other instances. Service Host groups are determined by combining the services with matching security requirements. For example: * Local Service * Local Service No Network @@ -33,7 +33,7 @@ Benefits of this design change include: * Increased reliability by insulating critical network services from the failure of another non-network service in the host, and adding the ability to restore networking connectivity seamlessly when networking components crash. * Reduced support costs by eliminating the troubleshooting overhead associated with isolating misbehaving services in the shared host. -* Increased security by providing additional inter-service isolation +* Increased security by providing more inter-service isolation * Increased scalability by allowing per-service settings and privileges * Improved resource management through per-service CPU, I/O and memory management and increase clear diagnostic data (report CPU, I/O and network usage per service). @@ -58,24 +58,24 @@ Compare that to the same view of running processes in Windows 10 version 1703: ## Exceptions -Some services will continue to be grouped on PCs running with 3.5GB or higher RAM. For example, the Base Filtering Engine (BFE) and the Windows Firewall (Mpssvc) will be grouped together in a single host group, as will the RPC Endpoint Mapper and Remote Procedure Call services. +Some services will continue to be grouped on PCs running with 3.5 GB or higher RAM. For example, the Base Filtering Engine (BFE) and the Windows Firewall (Mpssvc) will be grouped together in a single host group, as will the RPC Endpoint Mapper and Remote Procedure Call services. If you need to identify services that will continue to be grouped, in addition to seeing them in Task Manager and using command line tools, you can look for the *SvcHostSplitDisable* value in their respective service keys under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. The default value of **1** prevents the service from being split. -For example, this is the registry key configuration for BFE: +For example, the registry key configuration for BFE is: ![Example of a service that cannot be separated.](media/svchost-separation-disabled.png) ## Memory footprint Be aware that separating services increases the total number of SvcHost instances, which increases memory utilization. (Service grouping provided a modest reduction to the overall resource footprint of the services involved.) -Consider the following: +Consider the following example: -|Grouped Services (< 3.5GB) | Split Services (3.5GB+) +|Grouped Services (< 3.5 GB) | Split Services (3.5 GB+) |--------------------------------------- | ------------------------------------------ | |![Memory utilization for grouped services.](media/svchost-grouped-utilization.png) |![Memory utilization for separated services](media/svchost-separated-utilization.png) | From 693cdf21274692c4cada4caee5a9f9e1e0c71a81 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 21 Feb 2022 11:29:53 +0530 Subject: [PATCH 37/68] Update svchost-service-refactoring.md --- windows/application-management/svchost-service-refactoring.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/application-management/svchost-service-refactoring.md b/windows/application-management/svchost-service-refactoring.md index 3a01c9e059..55ade4a303 100644 --- a/windows/application-management/svchost-service-refactoring.md +++ b/windows/application-management/svchost-service-refactoring.md @@ -70,7 +70,7 @@ For example, the registry key configuration for BFE is: ## Memory footprint -Be aware that separating services increases the total number of SvcHost instances, which increases memory utilization. (Service grouping provided a modest reduction to the overall resource footprint of the services involved.) +Separating services increases the total number of SvcHost instances, which increases memory utilization. (Service grouping provided a modest reduction to the overall resource footprint of the services involved.) Consider the following example: From 8ee1d39704b4252dfac0eb871225bf0495643510 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 21 Feb 2022 19:16:57 +0530 Subject: [PATCH 38/68] Acrolinx enhancement effort --- ...nced-troubleshooting-802-authentication.md | 12 +++--- .../advanced-troubleshooting-boot-problems.md | 38 +++++++++---------- ...eshooting-wireless-network-connectivity.md | 36 +++++++++--------- .../connect-to-remote-aadj-pc.md | 14 +++---- .../data-collection-for-802-authentication.md | 12 +++--- .../determine-appropriate-page-file-size.md | 34 ++++++++--------- 6 files changed, 73 insertions(+), 73 deletions(-) diff --git a/windows/client-management/advanced-troubleshooting-802-authentication.md b/windows/client-management/advanced-troubleshooting-802-authentication.md index d55df0054b..601a5f259b 100644 --- a/windows/client-management/advanced-troubleshooting-802-authentication.md +++ b/windows/client-management/advanced-troubleshooting-802-authentication.md @@ -18,11 +18,11 @@ ms.collection: highpri ## Overview -This article includes general troubleshooting for 802.1X wireless and wired clients. While troubleshooting 802.1X and wireless, it's important to know how the flow of authentication works, and then figure out where it's breaking. It involves a lot of third-party devices and software. Most of the time, we have to identify where the problem is, and another vendor has to fix it. We don't make access points or switches, so it's not an end-to-end Microsoft solution. +This article includes general troubleshooting for 802.1X wireless and wired clients. While troubleshooting 802.1X and wireless, it's important to know how the flow of authentication works, and then figure out where it's breaking. It involves many third-party devices and software. Most of the time, we have to identify where the problem is, and another vendor has to fix it. We don't make access points or switches, so it's not an end-to-end Microsoft solution. ## Scenarios -This troubleshooting technique applies to any scenario in which wireless or wired connections with 802.1X authentication is attempted and then fails to establish. The workflow covers Windows 7 through Windows 10 (and Windows 11) for clients, and Windows Server 2008 R2 through Windows Server 2012 R2 for NPS. +This troubleshooting technique applies to any scenario in which wireless or wired connections with 802.1X authentication are attempted and then fail to establish. The workflow covers Windows 7 through Windows 10 (and Windows 11) for clients, and Windows Server 2008 R2 through Windows Server 2012 R2 for NPS. ## Known issues @@ -38,9 +38,9 @@ Viewing [NPS authentication status events](/previous-versions/windows/it-pro/win NPS event log entries contain information about the connection attempt, including the name of the connection request policy that matched the connection attempt and the network policy that accepted or rejected the connection attempt. If you don't see both success and failure events, see the [NPS audit policy](#audit-policy) section later in this article. -Check the Windows Security event log on the NPS Server for NPS events that correspond to rejected ([event ID 6273](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735399(v%3dws.10))) or accepted ([event ID 6272](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735388(v%3dws.10))) connection attempts. +Check the Windows Security event log on the NPS Server for NPS events that correspond to the rejected ([event ID 6273](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735399(v%3dws.10))) or the accepted ([event ID 6272](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735388(v%3dws.10))) connection attempts. -In the event message, scroll to the very bottom, and then check the [Reason Code](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v%3dws.10)) field and the text that's associated with it. +In the event message, scroll to the bottom, and then check the [Reason Code](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v%3dws.10)) field and the text that's associated with it. ![example of an audit failure.](images/auditfailure.png) *Example: event ID 6273 (Audit Failure)*

                                @@ -48,7 +48,7 @@ In the event message, scroll to the very bottom, and then check the [Reason Code ![example of an audit success.](images/auditsuccess.png) *Example: event ID 6272 (Audit Success)*
                                -‎The WLAN AutoConfig operational log lists information and error events based on conditions detected by or reported to the WLAN AutoConfig service. The operational log contains information about the wireless network adapter, the properties of the wireless connection profile, the specified network authentication, and, in the event of connectivity problems, the reason for the failure. For wired network access, the Wired AutoConfig operational log is an equivalent one. +‎The WLAN AutoConfig operational log lists information and error events based on conditions detected by or reported to the WLAN AutoConfig service. The operational log contains information about the wireless network adapter, the properties of the wireless connection profile, the specified network authentication, and, if connectivity problems occur, the reason for the failure. For wired network access, the Wired AutoConfig operational log is an equivalent one. On the client side, go to **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\WLAN-AutoConfig/Operational** for wireless issues. For wired network access issues, go to **..\Wired-AutoConfig/Operational**. See the following example: @@ -114,7 +114,7 @@ auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enab Even if audit policy appears to be fully enabled, it sometimes helps to disable and then re-enable this setting. You can also enable Network Policy Server logon/logoff auditing by using Group Policy. To get to the success/failure setting, select **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Advanced Audit Policy Configuration** > **Audit Policies** > **Logon/Logoff** > **Audit Network Policy Server**. -## Additional references +## More references [Troubleshooting Windows Vista 802.11 Wireless Connections](/previous-versions/windows/it-pro/windows-vista/cc766215(v=ws.10))
                                [Troubleshooting Windows Vista Secure 802.3 Wired Connections](/previous-versions/windows/it-pro/windows-vista/cc749352(v=ws.10)) \ No newline at end of file diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md index 0c976ceceb..55fdb38136 100644 --- a/windows/client-management/advanced-troubleshooting-boot-problems.md +++ b/windows/client-management/advanced-troubleshooting-boot-problems.md @@ -44,11 +44,11 @@ Essential drivers required to start the Windows kernel are loaded and the kernel **4. Windows NT OS Kernel** -The kernel loads into memory the system registry hive and additional drivers that are marked as BOOT_START. +The kernel loads into memory the system registry hive and other drivers that are marked as BOOT_START. -The kernel passes control to the session manager process (Smss.exe) which initializes the system session, and loads and starts the devices and drivers that are not marked BOOT_START. +The kernel passes control to the session manager process (Smss.exe) which initializes the system session, and loads and starts the devices and drivers that aren't marked BOOT_START. -Here is a summary of the boot sequence, what will be seen on the display, and typical boot problems at that point in the sequence. Before starting troubleshooting, you have to understand the outline of the boot process and display status to ensure that the issue is properly identified at the beginning of the engagement. +Here's a summary of the boot sequence, what will be seen on the display, and typical boot problems at that point in the sequence. Before starting troubleshooting, you have to understand the outline of the boot process and display status to ensure that the issue is properly identified at the beginning of the engagement. ![thumbnail of boot sequence flowchart.](images/boot-sequence-thumb.png)
                                [Click to enlarge](img-boot-sequence.md)
                                @@ -74,15 +74,15 @@ To determine whether the system has passed the BIOS phase, follow these steps: 1. If there are any external peripherals connected to the computer, disconnect them. -2. Check whether the hard disk drive light on the physical computer is working. If it is not working, this indicates that the startup process is stuck at the BIOS phase. +2. Check whether the hard disk drive light on the physical computer is working. If it's not working, this dysfunction indicates that the startup process is stuck at the BIOS phase. -3. Press the NumLock key to see whether the indicator light toggles on and off. If it does not, this indicates that the startup process is stuck at BIOS. +3. Press the NumLock key to see whether the indicator light toggles on and off. If it doesn't toggle, this dysfunction indicates that the startup process is stuck at BIOS. If the system is stuck at the BIOS phase, there may be a hardware problem. ## Boot loader phase -If the screen is completely black except for a blinking cursor, or if you receive one of the following error codes, this indicates that the boot process is stuck in the Boot Loader phase: +If the screen is black except for a blinking cursor, or if you receive one of the following error codes, this status indicates that the boot process is stuck in the Boot Loader phase: - Boot Configuration Data (BCD) missing or corrupted - Boot file or MBR corrupted @@ -98,7 +98,7 @@ To troubleshoot this problem, use Windows installation media to start the comput The Startup Repair tool automatically fixes many common problems. The tool also lets you quickly diagnose and repair more complex startup problems. When the computer detects a startup problem, the computer starts the Startup Repair tool. When the tool starts, it performs diagnostics. These diagnostics include analyzing startup log files to determine the cause of the problem. When the Startup Repair tool determines the cause, the tool tries to fix the problem automatically. -To do this, follow these steps. +To do this task of invoking the Startup Repair tool, follow these steps. > [!NOTE] > For additional methods to start WinRE, see [Windows Recovery Environment (Windows RE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#span-identrypointsintowinrespanspan-identrypointsintowinrespanspan-identrypointsintowinrespanentry-points-into-winre). @@ -142,7 +142,7 @@ BOOTREC /FIXBOOT If you receive BCD-related errors, follow these steps: -1. Scan for all the systems that are installed. To do this, run the following command: +1. Scan for all the systems that are installed. To do this step, run the following command: ```console Bootrec /ScanOS @@ -150,7 +150,7 @@ If you receive BCD-related errors, follow these steps: 2. Restart the computer to check whether the problem is fixed. -3. If the problem is not fixed, run the following commands: +3. If the problem isn't fixed, run the following commands: ```console bcdedit /export c:\bcdbackup @@ -166,7 +166,7 @@ If you receive BCD-related errors, follow these steps: ### Method 4: Replace Bootmgr -If methods 1, 2 and 3 do not fix the problem, replace the Bootmgr file from drive C to the System Reserved partition. To do this, follow these steps: +If methods 1, 2 and 3 don't fix the problem, replace the Bootmgr file from drive C to the System Reserved partition. To do this replacement, follow these steps: 1. At a command prompt, change the directory to the System Reserved partition. @@ -196,7 +196,7 @@ If methods 1, 2 and 3 do not fix the problem, replace the Bootmgr file from driv ### Method 5: Restore System Hive -If Windows cannot load the system registry hive into memory, you must restore the system hive. To do this, use the Windows Recovery Environment or use Emergency Repair Disk (ERD) to copy the files from the C:\Windows\System32\config\RegBack to C:\Windows\System32\config. +If Windows can't load the system registry hive into memory, you must restore the system hive. To do this step,, use the Windows Recovery Environment or use Emergency Repair Disk (ERD) to copy the files from the C:\Windows\System32\config\RegBack to C:\Windows\System32\config. If the problem persists, you may want to restore the system state backup to an alternative location, and then retrieve the registry hives to be replaced. @@ -205,7 +205,7 @@ If the problem persists, you may want to restore the system state backup to an a ## Kernel Phase -If the system gets stuck during the kernel phase, you experience multiple symptoms or receive multiple error messages. These include, but are not limited to, the following: +If the system gets stuck during the kernel phase, you experience multiple symptoms or receive multiple error messages. These error messages include, but aren't limited to, the following examples: - A Stop error appears after the splash screen (Windows Logo screen). @@ -248,7 +248,7 @@ On the **Advanced Boot Options** screen, try to start the computer in **Safe Mod ### Clean boot To troubleshoot problems that affect services, do a clean boot by using System Configuration (msconfig). -Select **Selective startup** to test the services one at a time to determine which one is causing the problem. If you cannot find the cause, try including system services. However, in most cases, the problematic service is third-party. +Select **Selective startup** to test the services one at a time to determine which one is causing the problem. If you can't find the cause, try including system services. However, in most cases, the problematic service is third-party. Disable any service that you find to be faulty, and try to start the computer again by selecting **Normal startup**. @@ -273,7 +273,7 @@ problems can be solved. Modify the registry at your own risk. To troubleshoot this Stop error, follow these steps to filter the drivers: -1. Go to Windows Recovery Environment (WinRE) by putting an ISO disk of the system in the disk drive. The ISO should be of same version of Windows or a later version. +1. Go to Windows Recovery Environment (WinRE) by putting an ISO disk of the system in the disk drive. The ISO should be of the same version of Windows or a later version. 2. Open the registry. @@ -289,7 +289,7 @@ To troubleshoot this Stop error, follow these steps to filter the drivers: 7. Restart the server in Normal mode. -For additional troubleshooting steps, see the following articles: +For more troubleshooting steps, see the following articles: - [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md) @@ -314,7 +314,7 @@ To fix problems that occur after you install Windows updates, check for pending Try to start the computer. -If the computer does not start, follow these steps: +If the computer doesn't start, follow these steps: 1. Open A Command Prompt window in WinRE, and start a text editor, such as Notepad. @@ -346,7 +346,7 @@ If the Stop error occurs late in the startup process, or if the Stop error is st - [Generate a kernel or complete crash dump](./generate-kernel-or-complete-crash-dump.md) -For more information about page file problems in Windows 10 or Windows Server 2016, see the following: +For more information about page file problems in Windows 10 or Windows Server 2016, see the following article: - [Introduction to page files](./introduction-page-file.md) For more information about Stop errors, see the following Knowledge Base article: @@ -357,7 +357,7 @@ If the dump file shows an error that is related to a driver (for example, window - Check the functionality that is provided by the driver. If the driver is a third-party boot driver, make sure that you understand what it does. -- If the driver is not important and has no dependencies, load the system hive, and then disable the driver. +- If the driver isn't important and has no dependencies, load the system hive, and then disable the driver. - If the stop error indicates system file corruption, run the system file checker in offline mode. @@ -369,7 +369,7 @@ If the dump file shows an error that is related to a driver (for example, window For more information, see [Using System File Checker (SFC) To Fix Issues](/archive/blogs/askcore/using-system-file-checker-sfc-to-fix-issues) - - If there is disk corruption, run the check disk command: + - If there's disk corruption, run the check disk command: ```console chkdsk /f /r diff --git a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md index 49d26516fa..f0e0de91df 100644 --- a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md +++ b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md @@ -20,7 +20,7 @@ ms.topic: troubleshooting ## Overview -This is a general troubleshooting of establishing Wi-Fi connections from Windows clients. +This overview describes the general troubleshooting of establishing Wi-Fi connections from Windows clients. Troubleshooting Wi-Fi connections requires understanding the basic flow of the Wi-Fi autoconnect state machine. Understanding this flow makes it easier to determine the starting point in a repro scenario in which a different behavior is found. This workflow involves knowledge and use of [TextAnalysisTool](https://github.com/TextAnalysisTool/Releases), an extensive text filtering tool that is useful with complex traces with numerous ETW providers such as wireless_dbg trace scenario. @@ -29,11 +29,11 @@ This workflow involves knowledge and use of [TextAnalysisTool](https://github.co This article applies to any scenario in which Wi-Fi connections fail to establish. The troubleshooter is developed with Windows 10 clients in focus, but also may be useful with traces as far back as Windows 7. > [!NOTE] -> This troubleshooter uses examples that demonstrate a general strategy for navigating and interpreting wireless component [Event Tracing for Windows](/windows/desktop/etw/event-tracing-portal) (ETW). It is not meant to be representative of every wireless problem scenario. +> This troubleshooter uses examples that demonstrate a general strategy for navigating and interpreting wireless component [Event Tracing for Windows](/windows/desktop/etw/event-tracing-portal) (ETW). It's not meant to be representative of every wireless problem scenario. -Wireless ETW is incredibly verbose and calls out a lot of innocuous errors (rather flagged behaviors that have little or nothing to do with the problem scenario). Simply searching for or filtering on "err", "error", and "fail" will seldom lead you to the root cause of a problematic Wi-Fi scenario. Instead it will flood the screen with meaningless logs that will obfuscate the context of the actual problem. +Wireless ETW is incredibly verbose and calls out many innocuous errors (rather flagged behaviors that have little or nothing to do with the problem scenario). Searching for or filtering on "err", "error", and "fail" will seldom lead you to the root cause of a problematic Wi-Fi scenario. Instead it will flood the screen with meaningless logs that will obfuscate the context of the actual problem. -It is important to understand the different Wi-Fi components involved, their expected behaviors, and how the problem scenario deviates from those expected behaviors. +It's important to understand the different Wi-Fi components involved, their expected behaviors, and how the problem scenario deviates from those expected behaviors. The intention of this troubleshooter is to show how to find a starting point in the verbosity of wireless_dbg ETW and home in on the responsible components that are causing the connection problem. ### Known Issues and fixes @@ -57,14 +57,14 @@ Make sure that you install the latest Windows updates, cumulative updates, and r ## Data Collection -1. Network Capture with ETW. Enter the following at an elevated command prompt: +1. Network Capture with ETW. Enter the following command at an elevated command prompt: ```console netsh trace start wireless_dbg capture=yes overwrite=yes maxsize=4096 tracefile=c:\tmp\wireless.etl ``` 2. Reproduce the issue. - - If there is a failure to establish connection, try to manually connect. - - If it is intermittent but easily reproducible, try to manually connect until it fails. Record the time of each connection attempt, and whether it was a success or failure. + - If there's a failure to establish connection, try to manually connect. + - If it's intermittent but easily reproducible, try to manually connect until it fails. Record the time of each connection attempt, and whether it was a success or failure. - If the issue is intermittent but rare, netsh trace stop command needs to be triggered automatically (or at least alerted to admin quickly) to ensure trace doesn’t overwrite the repro data. - If intermittent connection drops trigger stop command on a script (ping or test network constantly until fail, then netsh trace stop). 3. Stop the trace by entering the following command: @@ -78,11 +78,11 @@ Make sure that you install the latest Windows updates, cumulative updates, and r netsh trace convert c:\tmp\wireless.etl ``` -See the [example ETW capture](#example-etw-capture) at the bottom of this article for an example of the command output. After running these commands, you will have three files: wireless.cab, wireless.etl, and wireless.txt. +See the [example ETW capture](#example-etw-capture) at the bottom of this article for an example of the command output. After running these commands, you'll have three files: wireless.cab, wireless.etl, and wireless.txt. ## Troubleshooting -The following is a high-level view of the main wifi components in Windows. +The following view is a high-level one of the main wifi components in Windows. |Wi-fi Components|Description| |--- |--- | @@ -116,7 +116,7 @@ Filtering the ETW trace with the [TextAnalysisTool](https://github.com/TextAnaly Use the **FSM transition** trace filter to see the connection state machine. You can see [an example](#textanalysistool-example) of this filter applied in the TAT at the bottom of this page. -The following is an example of a good connection setup: +An example of a good connection setup is: ```console 44676 [2]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.658 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Disconnected to State: Reset @@ -127,7 +127,7 @@ The following is an example of a good connection setup: 49465 [2]0F24.17E0::‎2018‎-‎09‎-‎17 10:22:14.990 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Authenticating to State: Connected ``` -The following is an example of a failed connection setup: +An example of a failed connection setup is: ```console 44676 [2]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.658 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Disconnected to State: Reset @@ -138,9 +138,9 @@ The following is an example of a failed connection setup: 49465 [2]0F24.17E0::‎2018‎-‎09‎-‎17 10:22:14.990 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Authenticating to State: Roaming ``` -By identifying the state at which the connection fails, one can focus more specifically in the trace on logs just prior to the last known good state. +By identifying the state at which the connection fails, one can focus more specifically in the trace on logs prior to the last known good state. -Examining **[Microsoft-Windows-WLAN-AutoConfig]** logs just prior to the bad state change should show evidence of error. Often, however, the error is propagated up through other wireless components. +Examining **[Microsoft-Windows-WLAN-AutoConfig]** logs prior to the bad state change should show evidence of error. Often, however, the error is propagated up through other wireless components. In many cases the next component of interest will be the MSM, which lies just below Wlansvc. The important components of the MSM include: @@ -149,10 +149,10 @@ The important components of the MSM include: ![MSM details.](images/msmdetails.png) -Each of these components has their own individual state machines which follow specific transitions. +Each of these components has its own individual state machines that follow specific transitions. Enable the **FSM transition, SecMgr Transition,** and **AuthMgr Transition** filters in TextAnalysisTool for more detail. -Continuing with the example above, the combined filters look like this: +Further to the preceding example, the combined filters look like the following command example: ```console [2] 0C34.2FF0::08/28/17-13:24:28.693 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: @@ -177,7 +177,7 @@ Authenticating to State: Roaming > [!NOTE] > In the next to last line the SecMgr transition is suddenly deactivating:
                                >\[2\] 0C34.2FF0::08/28/17-13:24:29.7512788 \[Microsoft-Windows-WLAN-AutoConfig\]Port\[13\] Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)

                                ->This transition is what eventually propagates to the main connection state machine and causes the Authenticating phase to devolve to Roaming state. As before, it makes sense to focus on tracing just prior to this SecMgr behavior to determine the reason for the deactivation. +>This transition is what eventually propagates to the main connection state machine and causes the Authenticating phase to devolve to Roaming state. As before, it makes sense to focus on tracing prior to this SecMgr behavior to determine the reason for the deactivation. Enabling the **Microsoft-Windows-WLAN-AutoConfig** filter will show more detail leading to the DEACTIVATE transition: @@ -203,7 +203,7 @@ The trail backwards reveals a **Port Down** notification: Port events indicate changes closer to the wireless hardware. The trail can be followed by continuing to see the origin of this indication. -Below, the MSM is the native wifi stack. These are Windows native wifi drivers which talk to the wifi miniport drivers. It is responsible for converting Wi-Fi (802.11) packets to 802.3 (Ethernet) so that TCPIP and other protocols and can use it. +Below, the MSM is the native wifi stack. These drivers are Windows native wifi drivers that talk to the wifi miniport drivers. It's responsible for converting Wi-Fi (802.11) packets to 802.3 (Ethernet) so that TCPIP and other protocols and can use it. Enable trace filter for **[Microsoft-Windows-NWifi]:** @@ -230,7 +230,7 @@ In the trace above, we see the line: [0]0000.0000::‎08/28/17-13:24:29.127 [Microsoft-Windows-NWiFi]DisAssoc: 0x8A1514B62510 Reason: 0x4 ``` -This is followed by **PHY_STATE_CHANGE** and **PORT_DOWN** events due to a disassociate coming from the Access Point (AP), as an indication to deny the connection. This could be due to invalid credentials, connection parameters, loss of signal/roaming, and various other reasons for aborting a connection. The action here would be to examine the reason for the disassociate sent from the indicated AP MAC (8A:15:14:B6:25:10). This would be done by examining internal logging/tracing from the AP. +This line is followed by **PHY_STATE_CHANGE** and **PORT_DOWN** events due to a disassociate coming from the Access Point (AP), as an indication to deny the connection. This denail could be due to invalid credentials, connection parameters, loss of signal/roaming, and various other reasons for aborting a connection. The action here would be to examine the reason for the disassociate sent from the indicated AP MAC (8A:15:14:B6:25:10). This action would be done by examining internal logging/tracing from the AP. ### Resources diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index ec54bee4ae..cf0c18ee1d 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -31,11 +31,11 @@ From its release, Windows 10 has supported remote connections to PCs joined to A ## Set up -- Both PCs (local and remote) must be running Windows 10, version 1607 or later. Remote connections to an Azure AD-joined PC running earlier versions of Windows 10 are not supported. -- Your local PC (where you are connecting from) must be either Azure AD-joined or Hybrid Azure AD-joined if using Windows 10, version 1607 and above, or [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) if using Windows 10, version 2004 and above. Remote connections to an Azure AD-joined PC from an unjoined device or a non-Windows 10 device are not supported. -- The local PC and remote PC must be in the same Azure AD tenant. Azure AD B2B guests are not supported for Remote desktop. +- Both PCs (local and remote) must be running Windows 10, version 1607 or later. Remote connections to an Azure AD-joined PC running earlier versions of Windows 10 aren't supported. +- Your local PC (where you're connecting from) must be either Azure AD-joined or Hybrid Azure AD-joined if using Windows 10, version 1607 and above, or [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) if using Windows 10, version 2004 and above. Remote connections to an Azure AD-joined PC from an unjoined device or a non-Windows 10 device aren't supported. +- The local PC and remote PC must be in the same Azure AD tenant. Azure AD B2B guests aren't supported for Remote desktop. -Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC you are using to connect to the remote PC. +Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC you're using to connect to the remote PC. - On the PC you want to connect to: @@ -45,7 +45,7 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu ![Allow remote connections to this computer.](images/allow-rdp.png) - 3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users or groups to connect to the PC, you must allow remote connections for the specified users or groups. Users can be added either manually or through MDM policies: + 3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no other configuration is needed. To allow more users or groups to connect to the PC, you must allow remote connections for the specified users or groups. Users can be added either manually or through MDM policies: - Adding users manually @@ -55,14 +55,14 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu ``` where *the-UPN-attribute-of-your-user* is the name of the user profile in C:\Users\, which is created based on the DisplayName attribute in Azure AD. - In order to execute this PowerShell command you be a member of the local Administrators group. Otherwise, you'll get an error like this example: + In order to execute this PowerShell command, you must be a member of the local Administrators group. Otherwise, you'll get an error like this example: - for cloud only user: "There is no such global user or group : *name*" - for synced user: "There is no such global user or group : *name*"
                                > [!NOTE] > For devices running Windows 10, version 1703 or earlier, the user must sign in to the remote device first before attempting remote connections. > - > Starting in Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there is a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices. + > Starting in Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there's a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices. - Adding users using policy diff --git a/windows/client-management/data-collection-for-802-authentication.md b/windows/client-management/data-collection-for-802-authentication.md index 0002838314..8717d386a2 100644 --- a/windows/client-management/data-collection-for-802-authentication.md +++ b/windows/client-management/data-collection-for-802-authentication.md @@ -42,7 +42,7 @@ Use the following steps to collect wireless and wired logs on Windows and Window netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wired_cli.etl ``` -3. Run the following command to enable CAPI2 logging and increase the size : +3. Run the following command to enable CAPI2 logging and increase the size: ``` wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true wevtutil sl Microsoft-Windows-CAPI2/Operational /ms:104857600 @@ -70,7 +70,7 @@ Use the following steps to collect wireless and wired logs on Windows and Window netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wired_nps.etl ``` -6. Run the following command to enable CAPI2 logging and increase the size : +6. Run the following command to enable CAPI2 logging and increase the size: ``` wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true wevtutil sl Microsoft-Windows-CAPI2/Operational /ms:104857600 @@ -241,7 +241,7 @@ Use the following steps to collect wireless and wired logs on Windows and Window wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-CredentialRoaming_Operational.evtx wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%_CertPoleEng_Operational.evtx ``` - - Run the following 3 commands on Windows Server 2012 and later: + - Run the following commands on Windows Server 2012 and later: ``` wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-Lifecycle-System_Operational.evtx @@ -320,7 +320,7 @@ Use the following steps to collect wireless and wired logs on Windows and Window wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-CredentialRoaming_Operational.evtx wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%_CertPoleEng_Operational.evtx ``` - - Run the following 3 lines on Windows 2012 and up + - Run the following lines on Windows 2012 and up ``` wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-Lifecycle-System_Operational.evtx @@ -371,9 +371,9 @@ Use the following steps to collect wireless and wired logs on Windows and Window reg export HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%_Cryptography.txt ``` 3. Copy the following files, if exist, to C:\MSLOG: %windir%\CAPolicy.inf -4. Log on to a domain controller and create C:\MSLOG to store captured logs. +4. Sign in to a domain controller and create C:\MSLOG to store captured logs. 5. Launch Windows PowerShell as an administrator. -6. Run the following PowerShell cmdlets. Replace the domain name in ";.. ,DC=test,DC=local"; with appropriate domain name. The example shows commands for ";test.local"; domain. +6. Run the following PowerShell cmdlets. Replace the domain name in ";.. ,DC=test,DC=local"; with appropriate domain name. The example shows commands for "; test.local"; domain. ```powershell Import-Module ActiveDirectory diff --git a/windows/client-management/determine-appropriate-page-file-size.md b/windows/client-management/determine-appropriate-page-file-size.md index be28170923..6c0e959124 100644 --- a/windows/client-management/determine-appropriate-page-file-size.md +++ b/windows/client-management/determine-appropriate-page-file-size.md @@ -15,7 +15,7 @@ ms.collection: highpri # How to determine the appropriate page file size for 64-bit versions of Windows -Page file sizing depends on the system crash dump setting requirements and the peak usage or expected peak usage of the system commit charge. Both considerations are unique to each system, even for systems that are identical. This means that page file sizing is also unique to each system and cannot be generalized. +Page file sizing depends on the system crash dump setting requirements and the peak usage or expected peak usage of the system commit charge. Both considerations are unique to each system, even for systems that are identical. This uniqueness means that page file sizing is also unique to each system and can't be generalized. ## Determine the appropriate page file size @@ -23,17 +23,17 @@ Use the following considerations for page file sizing for all versions of Window ### Crash dump setting -If you want a crash dump file to be created during a system crash, a page file or a dedicated dump file must exist and be large enough to back up the system crash dump setting. Otherwise, a system memory dump file is not created. +If you want a crash dump file to be created during a system crash, a page file or a dedicated dump file must exist and be large enough to back up the system crash dump setting. Otherwise, a system memory dump file isn't created. For more information, see [Support for system crash dumps](introduction-page-file.md#support-for-system-crash-dumps) section. ### Peak system commit charge -The system commit charge cannot exceed the system commit limit. This limit is the sum of physical memory (RAM) and all page files combined. If no page files exist, the system commit limit is slightly less than the physical memory that is installed. Peak system-committed memory usage can vary greatly between systems. Therefore, physical memory and page file sizing also vary. +The system commit charge can't exceed the system commit limit. This limit is the sum of physical memory (RAM) and all page files combined. If no page files exist, the system commit limit is slightly less than the physical memory that is installed. Peak system-committed memory usage can vary greatly between systems. Therefore, physical memory and page file sizing also vary. ### Quantity of infrequently accessed pages -The purpose of a page file is to *back* (support) infrequently accessed modified pages so that they can be removed from physical memory. This provides more available space for more frequently accessed pages. The "\Memory\Modified Page List Bytes" performance counter measures, in part, the number of infrequently accessed modified pages that are destined for the hard disk. However, be aware that not all the memory on the modified page list is written out to disk. Typically, several hundred megabytes of memory remains resident on the modified list. Therefore, consider extending or adding a page file if all the following conditions are true: +The purpose of a page file is to *back* (support) infrequently accessed modified pages so that they can be removed from physical memory. This removal provides more available space for more frequently accessed pages. The "\Memory\Modified Page List Bytes" performance counter measures, in part, the number of infrequently accessed modified pages that are destined for the hard disk. However, not all the memory on the modified page list is written out to disk. Typically, several hundred megabytes of memory remains resident on the modified list. Therefore, consider extending or adding a page file if all the following conditions are true: - More available physical memory (\Memory\Available MBytes) is required. @@ -43,7 +43,7 @@ The purpose of a page file is to *back* (support) infrequently accessed modified ## Support for system crash dumps -A system crash (also known as a “bug check” or a "Stop error") occurs when the system cannot run correctly. The dump file that is produced from this event is called a system crash dump. A page file or dedicated dump file is used to write a crash dump file (Memory.dmp) to disk. Therefore, a page file or a dedicated dump file must be large enough to support the kind of crash dump selected. Otherwise, the system cannot create the crash dump file. +A system crash (also known as a “bug check” or a "Stop error") occurs when the system can't run correctly. The dump file that is produced from this event is called a system crash dump. A page file or dedicated dump file is used to write a crash dump file (Memory.dmp) to disk. Therefore, a page file or a dedicated dump file must be large enough to support the kind of crash dump selected. Otherwise, the system can't create the crash dump file. >[!Note] >During startup, system-managed page files are sized respective to the system crash dump settings. This assumes that enough free disk space exists. @@ -57,29 +57,29 @@ A system crash (also known as a “bug check” or a "Stop error") occurs when t \* 1 MB of header data and device drivers can total 256 MB of secondary crash dump data. -The **Automatic memory dump** setting is enabled by default. This is a setting instead of a kind of crash dump. This setting automatically selects the best page file size, depending on the frequency of system crashes. +The **Automatic memory dump** setting is enabled by default. This setting is an alternative to a kind of crash dump. This setting automatically selects the best page file size, depending on the frequency of system crashes. The Automatic memory dump feature initially selects a small paging file size. It would accommodate the kernel memory most of the time. If the system crashes again within four weeks, the Automatic memory dump feature sets the page file size as either the RAM size or 32 GB, whichever is smaller. -Kernel memory crash dumps require enough page file space or dedicated dump file space to accommodate the kernel mode side of virtual memory usage. If the system crashes again within four weeks of the previous crash, a Complete memory dump is selected at restart. This requires a page file or dedicated dump file of at least the size of physical memory (RAM) plus 1 MB for header information plus 256 MB for potential driver data to support all the potential data that is dumped from memory. Again, the system-managed page file will be increased to back this kind of crash dump. If the system is configured to have a page file or a dedicated dump file of a specific size, make sure that the size is sufficient to back the crash dump setting that is listed in the table earlier in this section together with and the peak system commit charge. +Kernel memory crash dumps require enough page file space or dedicated dump file space to accommodate the kernel mode side of virtual memory usage. If the system crashes again within four weeks of the previous crash, a Complete memory dump is selected at restart. This dump requires a page file or dedicated dump file of at least the size of physical memory (RAM) plus 1 MB for header information plus 256 MB for potential driver data to support all the potential data that is dumped from memory. Again, the system-managed page file will be increased to back this kind of crash dump. If the system is configured to have a page file or a dedicated dump file of a specific size, make sure that the size is sufficient to back the crash dump setting that is listed in the table earlier in this section together with and the peak system commit charge. ### Dedicated dump files -Computers that are running Microsoft Windows or Microsoft Windows Server usually must have a page file to support a system crash dump. System administrators now have the option to create a dedicated dump file instead. +Computers that are running Microsoft Windows or Microsoft Windows Server usually must have a page file to support a system crash dump. System administrators can now create a dedicated dump file instead. -A dedicated dump file is a page file that is not used for paging. Instead, it is “dedicated” to back a system crash dump file (Memory.dmp) when a system crash occurs. Dedicated dump files can be put on any disk volume that can support a page file. We recommend that you use a dedicated dump file if you want a system crash dump but you do not want a page file. To learn how to create it, see [Overview of memory dump file options for Windows](/troubleshoot/windows-server/performance/memory-dump-file-options). +A dedicated dump file is a page file that isn't used for paging. Instead, it is “dedicated” to back a system crash dump file (Memory.dmp) when a system crash occurs. Dedicated dump files can be put on any disk volume that can support a page file. We recommend that you use a dedicated dump file if you want a system crash dump but you don't want a page file. To learn how to create it, see [Overview of memory dump file options for Windows](/troubleshoot/windows-server/performance/memory-dump-file-options). ## System-managed page files -By default, page files are system-managed. This means that the page files increase and decrease based on many factors, such as the amount of physical memory installed, the process of accommodating the system commit charge, and the process of accommodating a system crash dump. +By default, page files are system-managed. This system management means that the page files increase and decrease based on many factors, such as the amount of physical memory installed, the process of accommodating the system commit charge, and the process of accommodating a system crash dump. -For example, when the system commit charge is more than 90 percent of the system commit limit, the page file is increased to back it. This continues to occur until the page file reaches three times the size of physical memory or 4 GB, whichever is larger. This all assumes that the logical disk that is hosting the page file is large enough to accommodate the growth. +For example, when the system commit charge is more than 90 percent of the system commit limit, the page file is increased to back it. This surge continues to occur until the page file reaches three times the size of physical memory or 4 GB, whichever is larger. Therefore, it's assumes that the logical disk that is hosting the page file is large enough to accommodate the growth. The following table lists the minimum and maximum page file sizes of system-managed page files in Windows 10 and Windows 11. |Minimum page file size |Maximum page file size| |---------------|------------------| -|Varies based on page file usage history, amount of RAM (RAM ÷ 8, max 32 GB) and crash dump settings. |3 × RAM or 4 GB, whichever is larger. This is then limited to the volume size ÷ 8. However, it can grow to within 1 GB of free space on the volume if required for crash dump settings.| +|Varies based on page file usage history, amount of RAM (RAM ÷ 8, max 32 GB) and crash dump settings. |3 × RAM or 4 GB, whichever is larger. This size is then limited to the volume size ÷ 8. However, it can grow to within 1 GB of free space on the volume if necessary for crash dump settings.| ## Performance counters @@ -87,7 +87,7 @@ Several performance counters are related to page files. This section describes t ### \Memory\Page/sec and other hard page fault counters -The following performance counters measure hard page faults (which include, but are not limited to, page file reads): +The following performance counters measure hard page faults (which include, but aren't limited to, page file reads): - \Memory\Page/sec @@ -103,7 +103,7 @@ The following performance counters measure page file writes: Hard page faults are faults that must be resolved by retrieving the data from disk. Such data can include portions of DLLs, .exe files, memory-mapped files, and page files. These faults might or might not be related to a page file or to a low-memory condition. Hard page faults are a standard function of the operating system. They occur when the following items are read: -- Parts of image files (.dll and .exe files) as they are used +- Parts of image files (.dll and .exe files) as they're used - Memory-mapped files @@ -111,11 +111,11 @@ Hard page faults are faults that must be resolved by retrieving the data from di High values for these counters (excessive paging) indicate disk access of generally 4 KB per page fault on x86 and x64 versions of Windows and Windows Server. This disk access might or might not be related to page file activity but may contribute to poor disk performance that can cause system-wide delays if the related disks are overwhelmed. -Therefore, we recommend that you monitor the disk performance of the logical disks that host a page file in correlation with these counters. Be aware that a system that has a sustained 100 hard page faults per second experiences 400 KB per second disk transfers. Most 7,200 RPM disk drives can handle about 5 MB per second at an IO size of 16 KB or 800 KB per second at an IO size of 4 KB. No performance counter directly measures which logical disk the hard page faults are resolved for. +Therefore, we recommend that you monitor the disk performance of the logical disks that host a page file in correlation with these counters. A system that has a sustained 100 hard page faults per second experiences 400 KB per second disk transfers. Most 7,200-RPM disk drives can handle about 5 MB per second at an IO size of 16 KB or 800 KB per second at an IO size of 4 KB. No performance counter directly measures which logical disk the hard page faults are resolved for. ### \Paging File(*)\% Usage -The \Paging File(*)\% Usage performance counter measures the percentage of usage of each page file. 100 percent usage of a page file does not indicate a performance problem as long as the system commit limit is not reached by the system commit charge, and if a significant amount of memory is not waiting to be written to a page file. +The \Paging File(*)\% Usage performance counter measures the percentage of usage of each page file. 100 percent usage of a page file doesn't indicate a performance problem as long as the system commit limit isn't reached by the system commit charge, and if a significant amount of memory isn't waiting to be written to a page file. >[!Note] >The size of the Modified Page List (\Memory\Modified Page List Bytes) is the total of modified data that is waiting to be written to disk. @@ -127,4 +127,4 @@ If the Modified Page List (a list of physical memory pages that are the least fr ## Multiple page files and disk considerations -If a system is configured to have more than one page files, the page file that responds first is the one that is used. This means that page files that are on faster disks are used more frequently. Also, whether you put a page file on a “fast” or “slow” disk is important only if the page file is frequently accessed and if the disk that is hosting the respective page file is overwhelmed. Be aware that actual page file usage depends greatly on the amount of modified memory that the system is managing. This means that files that already exist on disk (such as .txt, .doc, .dll, and .exe) are not written to a page file. Only modified data that does not already exist on disk (for example, unsaved text in Notepad) is memory that could potentially be backed by a page file. After the unsaved data is saved to disk as a file, it is backed by the disk and not by a page file. +If a system is configured to have more than one page files, the page file that responds first is the one that is used. This customized configuration means that page files that are on faster disks are used more frequently. Also, whether you put a page file on a “fast” or “slow” disk is important only if the page file is frequently accessed and if the disk that is hosting the respective page file is overwhelmed. Actual page file usage depends greatly on the amount of modified memory that the system is managing. This dependency means that files that already exist on disk (such as .txt, .doc, .dll, and .exe) aren't written to a page file. Only modified data that doesn't already exist on disk (for example, unsaved text in Notepad) is memory that could potentially be backed by a page file. After the unsaved data is saved to disk as a file, it's backed by the disk and not by a page file. From a3281c7a217a7fb422df23d82acf9ce13a7fe83c Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Tue, 22 Feb 2022 14:23:26 +0530 Subject: [PATCH 39/68] acrolinx --- .../generate-kernel-or-complete-crash-dump.md | 12 +++++----- .../allow-a-shared-books-folder-shortdesc.md | 2 +- ...ended-telemetry-for-books-tab-shortdesc.md | 23 ++++++++++--------- .../allow-fullscreen-mode-shortdesc.md | 23 ++++++++++--------- .../allow-saving-history-shortdesc.md | 23 ++++++++++--------- ...low-sideloading-of-extensions-shortdesc.md | 23 ++++++++++--------- ...-telemetry-for-m365-analytics-shortdesc.md | 23 ++++++++++--------- 7 files changed, 67 insertions(+), 62 deletions(-) diff --git a/windows/client-management/generate-kernel-or-complete-crash-dump.md b/windows/client-management/generate-kernel-or-complete-crash-dump.md index 12bd194bc7..b3c3a0f026 100644 --- a/windows/client-management/generate-kernel-or-complete-crash-dump.md +++ b/windows/client-management/generate-kernel-or-complete-crash-dump.md @@ -46,7 +46,7 @@ To enable memory dump setting, follow these steps: When the computer crashes and restarts, the contents of physical RAM are written to the paging file that is located on the partition on which the operating system is installed. -Depending on the speed of the hard disk on which Windows is installed, dumping more than 2 gigabytes (GB) of memory may take a long time. Even in a best case scenario, if the dump file is configured to reside on another local hard drive, a significant amount of data will be read and written to the hard disks. This can cause a prolonged server outage. +Depending on the speed of the hard disk on which Windows is installed, dumping more than 2 gigabytes (GB) of memory may take a long time. Even in a best-case scenario, if the dump file is configured to reside on another local hard drive, a significant amount of data will be read and written to the hard disks. This read-and-write process can cause a prolonged server outage. >[!Note] >Use this method to generate complete memory dump files with caution. Ideally, you should do this only when you are explicitly requested to by the Microsoft Support engineer. Any kernel or complete memory dump file debugging should be the last resort after all standard troubleshooting methods have been completely exhausted. @@ -55,7 +55,7 @@ Depending on the speed of the hard disk on which Windows is installed, dumping m ### Use the NotMyFault tool -If you can log on while the problem is occurring, you can use the Microsoft Sysinternals NotMyFault tool. To do this, follow these steps: +If you can sign in while the problem is occurring, you can use the Microsoft Sysinternals NotMyFault tool by following these steps: 1. Download the [NotMyFault](https://download.sysinternals.com/files/NotMyFault.zip) tool. @@ -71,17 +71,17 @@ If you can log on while the problem is occurring, you can use the Microsoft Sysi ### Use NMI -On some computers, you cannot use keyboard to generate a crash dump file. For example, Hewlett-Packard (HP) BladeSystem servers from the Hewlett-Packard Development Company are managed through a browser-based graphical user interface (GUI). A keyboard is not attached to the HP BladeSystem server. +On some computers, you can't use keyboard to generate a crash dump file. For example, Hewlett-Packard (HP) BladeSystem servers from the Hewlett-Packard Development Company are managed through a browser-based graphical user interface (GUI). A keyboard isn't attached to the HP BladeSystem server. In these cases, you must generate a complete crash dump file or a kernel crash dump file by using the Non-Maskable Interrupt (NMI) switch that causes an NMI on the system processor. -To do this, follow these steps: +To implement this process, follow these steps: > [!IMPORTANT] > Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur. > [!NOTE] -> This registry key is not required for clients running Windows 8 and later, or servers running Windows Server 2012 and later. Setting this registry key on later versions of Windows has no effect. +> This registry key isn't required for clients running Windows 8 and later, or servers running Windows Server 2012 and later. Setting this registry key on later versions of Windows has no effect. 1. In Registry Editor, locate the following registry subkey: @@ -104,7 +104,7 @@ To do this, follow these steps: >[!Note] >For the exact steps, see the BIOS reference manual or contact your hardware vendor. -9. Test this method on the server by using the NMI switch to generate a dump file. You will see a STOP 0x00000080 hardware malfunction. +9. Test this method on the server by using the NMI switch to generate a dump file. You'll see a STOP 0x00000080 hardware malfunction. If you want to run NMI in Microsoft Azure using Serial Console, see [Use Serial Console for SysRq and NMI calls](/azure/virtual-machines/linux/serial-console-nmi-sysrq). diff --git a/windows/client-management/includes/allow-a-shared-books-folder-shortdesc.md b/windows/client-management/includes/allow-a-shared-books-folder-shortdesc.md index ecfa4c5ca0..9b1d7821f3 100644 --- a/windows/client-management/includes/allow-a-shared-books-folder-shortdesc.md +++ b/windows/client-management/includes/allow-a-shared-books-folder-shortdesc.md @@ -9,4 +9,4 @@ ms.prod: edge ms.topic: include --- -Microsoft Edge does not use a shared folder by default but downloads book files to a per-user folder for each user. With this policy, you can configure Microsoft Edge to store books from the Books Library to a default, shared folder in Windows, which decreases the amount of storage used by book files. When you enable this policy, Microsoft Edge downloads books to a shared folder after user action to download the book to their device, which allows them to remove downloaded books at any time. For this policy to work correctly, you must also enable the **Allow a Windows app to share application data between users** group policy. Also, the users must be signed in with a school or work account. +Microsoft Edge doesn't use a shared folder by default but downloads book files to a per-user folder for each user. With this policy, you can configure Microsoft Edge to store books from the Books Library to a default, shared folder in Windows, which decreases the amount of storage used by book files. When you enable this policy, Microsoft Edge downloads books to a shared folder after user action to download the book to their device, which allows them to remove downloaded books at any time. For this policy to work correctly, you must also enable the **Allow a Windows app to share application data between users** group policy. Also, the users must be signed in with a school or work account. diff --git a/windows/client-management/includes/allow-extended-telemetry-for-books-tab-shortdesc.md b/windows/client-management/includes/allow-extended-telemetry-for-books-tab-shortdesc.md index 9d39c7e091..6fa1849707 100644 --- a/windows/client-management/includes/allow-extended-telemetry-for-books-tab-shortdesc.md +++ b/windows/client-management/includes/allow-extended-telemetry-for-books-tab-shortdesc.md @@ -1,11 +1,12 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, and depending on the device configuration, Microsoft Edge gathers basic diagnostic data about the books in the Books Library and sends it to Microsoft. Enabling this policy gathers and sends both basic and additional diagnostic data, such as usage data. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, and depending on the device configuration, Microsoft Edge gathers basic diagnostic data about the books in the Books Library and sends it to Microsoft. Enabling this policy gathers and sends both basic and more diagnostic data, such as usage data. diff --git a/windows/client-management/includes/allow-fullscreen-mode-shortdesc.md b/windows/client-management/includes/allow-fullscreen-mode-shortdesc.md index 1aca979b7e..06b4e1eb02 100644 --- a/windows/client-management/includes/allow-fullscreen-mode-shortdesc.md +++ b/windows/client-management/includes/allow-fullscreen-mode-shortdesc.md @@ -1,11 +1,12 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge allows fullscreen mode by default, which shows only the web content and hides the Microsoft Edge UI. When allowing fullscreen mode, users and extensions must have the proper permissions. Disabling this policy prevents fullscreen mode in Microsoft Edge. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge allows fullscreen mode by default, which shows only the web content and hides the Microsoft Edge UI. To use fullscreen mode, users and extensions must have the proper permissions. Disabling this policy prevents fullscreen mode in Microsoft Edge. diff --git a/windows/client-management/includes/allow-saving-history-shortdesc.md b/windows/client-management/includes/allow-saving-history-shortdesc.md index 9acffb1e18..822a8f9b81 100644 --- a/windows/client-management/includes/allow-saving-history-shortdesc.md +++ b/windows/client-management/includes/allow-saving-history-shortdesc.md @@ -1,11 +1,12 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge saves the browsing history of visited websites and shows them in the History pane by default. Disabling this policy prevents Microsoft Edge from saving the browsing history. If browsing history existed before disabling this policy, the previous browsing history remains in the History pane. Disabling this policy does not stop roaming of existing browsing history or browsing history from other devices. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge saves the browsing history of visited websites and shows them in the History pane by default. Disabling this policy prevents Microsoft Edge from saving the browsing history. If browsing history existed before disabling this policy, the previous browsing history remains in the History pane. Disabling this policy doesn't stop roaming of existing browsing history or browsing history from other devices. diff --git a/windows/client-management/includes/allow-sideloading-of-extensions-shortdesc.md b/windows/client-management/includes/allow-sideloading-of-extensions-shortdesc.md index e16dbdc2db..985741be58 100644 --- a/windows/client-management/includes/allow-sideloading-of-extensions-shortdesc.md +++ b/windows/client-management/includes/allow-sideloading-of-extensions-shortdesc.md @@ -1,11 +1,12 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, Microsoft Edge allows sideloading, which installs and runs unverified extensions. Disabling this policy prevents sideloading of extensions but does not prevent sideloading using Add-AppxPackage via PowerShell. You can only install extensions through Microsoft store (including a store for business), enterprise storefront (such as Company Portal) or PowerShell (using Add-AppxPackage). +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, Microsoft Edge allows sideloading, which installs and runs unverified extensions. Disabling this policy prevents sideloading of extensions but doesn't prevent sideloading using Add-AppxPackage via PowerShell. You can only install extensions through Microsoft store (including a store for business), enterprise storefront (such as Company Portal) or PowerShell (using Add-AppxPackage). diff --git a/windows/client-management/includes/configure-browser-telemetry-for-m365-analytics-shortdesc.md b/windows/client-management/includes/configure-browser-telemetry-for-m365-analytics-shortdesc.md index 75a3631a95..90eddc5182 100644 --- a/windows/client-management/includes/configure-browser-telemetry-for-m365-analytics-shortdesc.md +++ b/windows/client-management/includes/configure-browser-telemetry-for-m365-analytics-shortdesc.md @@ -1,11 +1,12 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge does not send browsing history data to Microsoft 365 Analytics by default. With this policy though, you can configure Microsoft Edge to send intranet history only, internet history only, or both to Microsoft 365 Analytics for enterprise devices with a configured Commercial ID. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge doesn't send browsing history data to Microsoft 365 Analytics by default. With this policy though, you can configure Microsoft Edge to send intranet history only, internet history only, or both to Microsoft 365 Analytics for enterprise devices with a configured Commercial ID. From 7d1d0fd6abeff189f2d12d7a6f57dc7d948daec8 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Tue, 22 Feb 2022 19:11:12 +0530 Subject: [PATCH 40/68] Acrolinx --- .../configure-do-not-track-shortdesc.md | 23 +-- ...gure-open-microsoft-edge-with-shortdesc.md | 23 +-- .../configure-start-pages-shortdesc.md | 23 +-- ...-windows-defender-smartscreen-shortdesc.md | 23 +-- ...sable-lockdown-of-start-pages-shortdesc.md | 23 +-- ...nt-access-to-about-flags-page-shortdesc.md | 23 +-- ...calhost-ip-address-for-webrtc-shortdesc.md | 23 +-- ...e-device-installation-with-group-policy.md | 156 +++++++++--------- ...-in-your-organization-modern-management.md | 20 +-- .../mdm/accountmanagement-csp.md | 14 +- windows/client-management/mdm/accounts-csp.md | 10 +- 11 files changed, 184 insertions(+), 177 deletions(-) diff --git a/windows/client-management/includes/configure-do-not-track-shortdesc.md b/windows/client-management/includes/configure-do-not-track-shortdesc.md index dd27fad917..34e7b8c42e 100644 --- a/windows/client-management/includes/configure-do-not-track-shortdesc.md +++ b/windows/client-management/includes/configure-do-not-track-shortdesc.md @@ -1,11 +1,12 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge does not send ‘Do Not Track’ requests to websites asking for tracking information, but users can choose to send tracking information to sites they visit. With this policy, you can configure Microsoft Edge to send or never send tracking information. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge doesn't send ‘Do Not Track’ requests to websites asking for tracking information, but users can choose to send tracking information to sites they visit. With this policy, you can configure Microsoft Edge to send or never send tracking information. diff --git a/windows/client-management/includes/configure-open-microsoft-edge-with-shortdesc.md b/windows/client-management/includes/configure-open-microsoft-edge-with-shortdesc.md index 8d1cc4f603..97d9c264c0 100644 --- a/windows/client-management/includes/configure-open-microsoft-edge-with-shortdesc.md +++ b/windows/client-management/includes/configure-open-microsoft-edge-with-shortdesc.md @@ -1,11 +1,12 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, Microsoft Edge loads a specific page or pages defined in the Configure Start Pages policy and allow users to make changes. With this policy, you can configure Microsoft Edge to load either the Start page, New Tab page, previously opened pages. You can also configure Microsoft Edge to prevent users from changing or customizing the Start page. For this policy to work correctly, you must also configure the Configure Start Pages. If you want to prevent users from making changes, don’t configure the Disable Lockdown of Start Pages policy. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, Microsoft Edge loads a specific page or pages defined in the Configure Start Pages policy and allows users to make changes. With this policy, you can configure Microsoft Edge to load the Start page, New Tab page, or the previously opened pages. You can also configure Microsoft Edge to prevent users from changing or customizing the Start page. For this policy to work correctly, you must also configure the Configure Start Pages. If you want to prevent users from making changes, don’t configure the Disable Lockdown of Start Pages policy. diff --git a/windows/client-management/includes/configure-start-pages-shortdesc.md b/windows/client-management/includes/configure-start-pages-shortdesc.md index 146511b737..e8c18a3d8b 100644 --- a/windows/client-management/includes/configure-start-pages-shortdesc.md +++ b/windows/client-management/includes/configure-start-pages-shortdesc.md @@ -1,11 +1,12 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, Microsoft Edge loads the pages specified in App settings as the default Start pages. With this policy, you can configure one or more Start pages when you enable this policy and enable the Configure Open Microsoft Edge With policy. Once you set the Start pages, either in this policy or Configure Open Microsoft Edge With policy, users cannot make changes. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, Microsoft Edge loads the pages specified in App settings as the default Start pages. With this policy, you can configure one or more Start pages when you enable this policy and enable the Configure Open Microsoft Edge With policy. Once you set the Start pages, either in this policy or Configure Open Microsoft Edge With policy, users can't make changes. diff --git a/windows/client-management/includes/configure-windows-defender-smartscreen-shortdesc.md b/windows/client-management/includes/configure-windows-defender-smartscreen-shortdesc.md index 62547e8955..8eeb1e44a5 100644 --- a/windows/client-management/includes/configure-windows-defender-smartscreen-shortdesc.md +++ b/windows/client-management/includes/configure-windows-defender-smartscreen-shortdesc.md @@ -1,11 +1,12 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge uses Windows Defender SmartScreen (turned on) to protect users from potential phishing scams and malicious software by default. Also, by default, users cannot disable (turn off) Windows Defender SmartScreen. Enabling this policy turns on Windows Defender SmartScreen and prevent users from turning it off. Don’t configure this policy to let users choose to turn Windows defender SmartScreen on or off. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge uses Windows Defender SmartScreen (turned on) to protect users from potential phishing scams and malicious software by default. Also, by default, users can't disable (turn off) Windows Defender SmartScreen. Enabling this policy turns on Windows Defender SmartScreen and prevent users from turning it off. Don’t configure this policy to let users choose to turn Windows defender SmartScreen on or off. diff --git a/windows/client-management/includes/disable-lockdown-of-start-pages-shortdesc.md b/windows/client-management/includes/disable-lockdown-of-start-pages-shortdesc.md index 37ff4011ad..37156ee3a7 100644 --- a/windows/client-management/includes/disable-lockdown-of-start-pages-shortdesc.md +++ b/windows/client-management/includes/disable-lockdown-of-start-pages-shortdesc.md @@ -1,11 +1,12 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, the Start pages configured in either the Configure Start Pages policy or Configure Open Microsoft Edge policies cannot be changed and remain locked down. Enabling this policy unlocks the Start pages, and lets users make changes to either all configured Start page or any Start page configured with the Configure Start pages policy. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, the Start pages configured in either the Configure Start Pages policy or Configure Open Microsoft Edge policies can't be changed, and they remain locked down. Enabling this policy unlocks the Start pages, and lets users make changes to either all configured Start pages or any Start page configured with the Configure Start pages policy. diff --git a/windows/client-management/includes/prevent-access-to-about-flags-page-shortdesc.md b/windows/client-management/includes/prevent-access-to-about-flags-page-shortdesc.md index 5bf46ea949..f4acce9ce0 100644 --- a/windows/client-management/includes/prevent-access-to-about-flags-page-shortdesc.md +++ b/windows/client-management/includes/prevent-access-to-about-flags-page-shortdesc.md @@ -1,11 +1,12 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, users can access the about:flags page in Microsoft Edge, which is used to change developer settings and enable experimental features. Enabling this policy prevents users from accessing the about:flags page. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, users can access the about:flags page in Microsoft Edge that is used to change developer settings and enable experimental features. Enabling this policy prevents users from accessing the about:flags page. diff --git a/windows/client-management/includes/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md b/windows/client-management/includes/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md index 5ef4bbdeca..b7b66d315b 100644 --- a/windows/client-management/includes/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md +++ b/windows/client-management/includes/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md @@ -1,11 +1,12 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, Microsoft Edge shows localhost IP address while making calls using the WebRTC protocol. Enabling this policy hides the localhost IP addresses. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, Microsoft Edge shows localhost IP address while making calls through usage of the WebRTC protocol. Enabling this policy hides the localhost IP addresses. diff --git a/windows/client-management/manage-device-installation-with-group-policy.md b/windows/client-management/manage-device-installation-with-group-policy.md index 8155a9f26b..c90baeac67 100644 --- a/windows/client-management/manage-device-installation-with-group-policy.md +++ b/windows/client-management/manage-device-installation-with-group-policy.md @@ -27,19 +27,19 @@ By using Windows operating systems, administrators can determine what devices ca ## Introduction ### General -This step-by-step guide describes how you can control device installation on the computers that you manage, including designating which devices users can and cannot install. This guide applies to all Windows versions starting with RS5 (1809). The guide includes the following scenarios: +This step-by-step guide describes how you can control device installation on the computers that you manage, including designating which devices users can and can't install. This guide applies to all Windows versions starting with RS5 (1809). The guide includes the following scenarios: -- Prevent users from installing devices that are on a "prohibited" list. If a device is not on the list, then the user can install it. -- Allow users to install only devices that are on an "approved" list. If a device is not on the list, then the user cannot install it. +- Prevent users from installing devices that are on a "prohibited" list. If a device isn't on the list, then the user can install it. +- Allow users to install only devices that are on an "approved" list. If a device isn't on the list, then the user can't install it. This guide describes the device installation process and introduces the device identification strings that Windows uses to match a device with the device-driver packages available on a machine. The guide also illustrates two methods of controlling device installation. Each scenario shows, step by step, one method you can use to allow or prevent the installation of a specific device or a class of devices. -The example device used in the scenarios is a USB storage device. You can perform the steps in this guide using a different device. However, if you use a different device, then the instructions in the guide will not exactly match the user interface that appears on the computer. +The example device used in the scenarios is a USB storage device. You can perform the steps in this guide using a different device. However, if you use a different device, then the instructions in the guide won't exactly match the user interface that appears on the computer. -It is important to understand that the Group Policies that are presented in this guide are only apply to machines/machine-groups, not to users/user-groups. +It's important to understand that the Group Policies that are presented in this guide are only applied to machines/machine-groups, not to users/user-groups. > [!IMPORTANT] -> The steps provided in this guide are intended for use in a test lab environment. This step-by-step guide is not meant to be used to deploy Windows Server features without accompanying documentation and should be used with discretion as a stand-alone document. +> The steps provided in this guide are intended for use in a test lab environment. This step-by-step guide isn't meant to be used to deploy Windows Server features without accompanying documentation and should be used with discretion as a stand-alone document. ### Who Should Use This Guide? @@ -56,7 +56,7 @@ Restricting the devices that users can install reduces the risk of data theft an #### Reduce the risk of data theft -It is more difficult for users to make unauthorized copies of company data if users' computers cannot install unapproved devices that support removable media. For example, if users cannot install a USB thumb-drive device, they cannot download copies of company data onto a removable storage. This benefit cannot eliminate data theft, but it creates another barrier to unauthorized removal of data. +It's more difficult for users to make unauthorized copies of company data if users' computers can't install unapproved devices that support removable media. For example, if users can't install a USB thumb-drive device, they can't download copies of company data onto a removable storage. This benefit can't eliminate data theft, but it creates another barrier to unauthorized removal of data. #### Reduce support costs @@ -82,7 +82,7 @@ In this scenario, the administrator allows standard users to install all printer ### Scenario #3: Prevent installation of all printers while allowing a specific printer to be installed -In this scenario, you will combine what you learned from both scenario #1 and scenario #2. The administrator wants to allow standard users to install only a specific printer while preventing the installation of all other printers. This is a more realistic scenario and brings you a step farther in understanding of the Device Installation Restrictions policies. +In this scenario, you'll combine what you learned from both scenario #1 and scenario #2. The administrator wants to allow standard users to install only a specific printer while preventing the installation of all other printers. This scenario is a more realistic one and brings you a step farther in understanding of the Device Installation Restrictions policies. ### Scenario #4: Prevent installation of a specific USB device @@ -90,7 +90,7 @@ This scenario, although similar to scenario #2, brings another layer of complexi ### Scenario #5: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb drive -In this scenario, combining all previous 4 scenarios, you will learn how to protect a machine from all unauthorized USB devices. The administrator wants to allow users to install only a small set of authorized USB devices while preventing any other USB device from being installed. In addition, this scenario includes an explanation of how to apply the ‘prevent’ functionality to existing USB devices that have already been installed on the machine, and the administrator likes to prevent any farther interaction with them (blocking them all together). This scenario builds on the policies and structure we introduced in the first 4 scenarios and therefore it is preferred to go over them first before attempting this scenario. +In this scenario, combining all previous four scenarios, you'll learn how to protect a machine from all unauthorized USB devices. The administrator wants to allow users to install only a small set of authorized USB devices while preventing any other USB device from being installed. In addition, this scenario includes an explanation of how to apply the ‘prevent’ functionality to existing USB devices that have already been installed on the machine, and the administrator likes to prevent any farther interaction with them (blocking them all together). This scenario builds on the policies and structure we introduced in the first four scenarios and therefore it's preferred to go over them first before attempting this scenario. ## Technology Review @@ -99,9 +99,9 @@ The following sections provide a brief overview of the core technologies discuss ### Device Installation in Windows -A device is a piece of hardware with which Windows interacts to perform some function, or in a more technical definition - it is a single instance of a hardware component with a unique representation in the Windows Plug and Play subsystem. Windows can communicate with a device only through a piece of software called a device-driver (also known as a _driver_). To install a driver, Windows detects the device, recognizes its type, and then finds the driver that matches that type. +A device is a piece of hardware with which Windows interacts to perform some function, or in a more technical definition - it's a single instance of a hardware component with a unique representation in the Windows Plug and Play subsystem. Windows can communicate with a device only through a piece of software called a device-driver (also known as a _driver_). To install a driver, Windows detects the device, recognizes its type, and then finds the driver that matches that type. -When Windows detects a device that has never been installed on the computer, the operating system queries the device to retrieve its list of device identification strings. A device usually has multiple device identification strings, which the device manufacturer assigns. The same device identification strings are included in the .inf file (also known as an _INF_) that is part of the driver package. Windows chooses which driver package to install by matching the device identification strings retrieved from the device to those included with the driver packages. +When Windows detects a device that has never been installed on the computer, the operating system queries the device to retrieve its list of device identification strings. A device usually has multiple device identification strings, which the device manufacturer assigns. The same device identification strings are included in the .inf file (also known as an _INF_) that is part of the driver package. Windows chooses which driver package to install by matching the device identification strings retrieved from the device to those strings included with the driver packages. Windows uses four types of identifiers to control device installation and configuration. You can use the Group Policy settings in Windows to specify which of these identifiers to allow or block. @@ -122,24 +122,24 @@ Windows can use each string to match a device to a driver package. The strings r ##### Hardware IDs -Hardware IDs are the identifiers that provide the exact match between a device and a driver package. The first string in the list of hardware IDs is referred to as the device ID, because it matches the exact make, model, and revision of the device. The other hardware IDs in the list match the details of the device less exactly. For example, a hardware ID might identify the make and model of the device but not the specific revision. This scheme allows Windows to use a driver for a different revision of the device if the driver for the correct revision is not available. +Hardware IDs are the identifiers that provide the exact match between a device and a driver package. The first string in the list of hardware IDs is referred to as the device ID, because it matches the exact make, model, and revision of the device. The other hardware IDs in the list match the details of the device less exactly. For example, a hardware ID might identify the make and model of the device but not the specific revision. This scheme allows Windows to use a driver for a different revision of the device if the driver for the correct revision isn't available. ##### Compatible IDs -Windows uses these identifiers to select a driver if the operating system cannot find a match with the device ID or any of the other hardware IDs. Compatible IDs are listed in the order of decreasing suitability. These strings are optional, and, when provided, they are very generic, such as Disk. When a match is made using a compatible ID, you can typically use only the most basic functions of the device. +Windows uses these identifiers to select a driver if the operating system can't find a match with the device ID or any of the other hardware IDs. Compatible IDs are listed in the order of decreasing suitability. These strings are optional, and, when provided, they're generic, such as Disk. When a match is made using a compatible ID, you can typically use only the most basic functions of the device. When you install a device, such as a printer, a USB storage device, or a keyboard, Windows searches for driver packages that match the device you are attempting to install. During this search, Windows assigns a "rank" to each driver package it discovers with at least one match to a hardware or compatible ID. The rank indicates how well the driver matches the device. Lower rank numbers indicate better matches between the driver and the device. A rank of zero represents the best possible match. A match with the device ID to one in the driver package results in a lower (better) rank than a match to one of the other hardware IDs. Similarly, a match to a hardware ID results in a better rank than a match to any of the compatible IDs. After Windows ranks all of the driver packages, it installs the one with the lowest overall rank. For more information about the process of ranking and selecting driver packages, see How Setup Selects Drivers in the Microsoft Docs library. > [!NOTE] > For more information about the driver installation process, see the "Technology review" section of the Step-by-Step Guide to Driver Signing and Staging. -Some physical devices create one or more logical devices when they are installed. Each logical device might handle part of the functionality of the physical device. For example, a multi-function device, such as an all-in-one scanner/fax/printer, might have a different device identification string for each function. +Some physical devices create one or more logical devices when they're installed. Each logical device might handle part of the functionality of the physical device. For example, a multi-function device, such as an all-in-one scanner/fax/printer, might have a different device identification string for each function. -When you use Device Installation policies to allow or prevent the installation of a device that uses logical devices, you must allow or prevent all of the device identification strings for that device. For example, if a user attempts to install a multifunction device and you did not allow or prevent all of the identification strings for both physical and logical devices, you could get unexpected results from the installation attempt. For more detailed information about hardware IDs, see Device Identification Strings in Microsoft Docs. +When you use Device Installation policies to allow or prevent the installation of a device that uses logical devices, you must allow or prevent all of the device identification strings for that device. For example, if a user attempts to install a multifunction device and you didn't allow or prevent all of the identification strings for both physical and logical devices, you could get unexpected results from the installation attempt. For more detailed information about hardware IDs, see Device Identification Strings in Microsoft Docs. #### Device setup classes -Device setup classes (also known as _Class_) are another type of identification string. The manufacturer assigns the Class to a device in the driver package. The Class groups devices that are installed and configured in the same way. For example, all Biometric devices are belong to the Biometric Class (ClassGuid = {53D29EF7-377C-4D14-864B-EB3A85769359}), and they use the same co-installer when installed. A long number called a globally unique identifier (GUID) represents each device setup class. When Windows starts, it builds an in-memory tree structure with the GUIDs for all of the detected devices. Along with the GUID for the Class of the device itself, Windows may need to insert into the tree the GUID for the Class of the bus to which the device is attached. +Device setup classes (also known as _Class_) are another type of identification string. The manufacturer assigns the Class to a device in the driver package. The Class groups devices that are installed and configured in the same way. For example, all Biometric devices belong to the Biometric Class (ClassGuid = {53D29EF7-377C-4D14-864B-EB3A85769359}), and they use the same co-installer when installed. A long number called a globally unique identifier (GUID) represents each device setup class. When Windows starts, it builds an in-memory tree structure with the GUIDs for all of the detected devices. Along with the GUID for the Class of the device itself, Windows may need to insert into the tree the GUID for the Class of the bus to which the device is attached. When you use device Classes to allow or prevent users from installing drivers, you must specify the GUIDs for all of the device's device setup classes, or you might not achieve the results you want. The installation might fail (if you want it to succeed) or it might succeed (if you want it to fail). @@ -147,36 +147,36 @@ For example, a multi-function device, such as an all-in-one scanner/fax/printer, For more information, see [Device Setup Classes](/windows-hardware/drivers/install/overview-of-device-setup-classes) in Microsoft Docs. -This guide does not depict any scenarios that use device setup classes. However, the basic principles demonstrated with device identification strings in this guide also apply to device setup classes. After you discover the device setup class for a specific device, you can then use it in a policy to either allow or prevent installation of drivers for that class of devices. +This guide doesn't depict any scenarios that use device setup classes. However, the basic principles demonstrated with device identification strings in this guide also apply to device setup classes. After you discover the device setup class for a specific device, you can then use it in a policy to either allow or prevent installation of drivers for that class of devices. -The following two links provide the complete list of Device Setup Classes. ‘System Use’ classes are mostly refer to devices that come with a computer/machine from the factory, while ‘Vendor’ classes are mostly refer to devices that could be connected to an existing computer/machine: +The following two links provide the complete list of Device Setup Classes. ‘System Use’ classes are mostly referred to devices that come with a computer/machine from the factory, while ‘Vendor’ classes are mostly referred to devices that could be connected to an existing computer/machine: - [System-Defined Device Setup Classes Available to Vendors - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors) - [System-Defined Device Setup Classes Reserved for System Use - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-reserved-for-system-use) #### ‘Removable Device’ Device type -Some devices could be classified as _Removable Device_. A device is considered _removable_ when the driver for the device to which it is connected indicates that the device is removable. For example, a USB device is reported to be removable by the drivers for the USB hub to which the device is connected. +Some devices could be classified as _Removable Device_. A device is considered _removable_ when the driver for the device to which it's connected indicates that the device is removable. For example, a USB device is reported to be removable by the drivers for the USB hub to which the device is connected. ### Group Policy Settings for Device Installation Group Policy is an infrastructure that allows you to specify managed configurations for users and computers through Group Policy settings and Group Policy Preferences. -Device Installation section in Group Policy is a set of policies that control which device could or could not be installed on a machine. Whether you want to apply the settings to a stand-alone computer or to many computers in an Active Directory domain, you use the Group Policy Object Editor to configure and apply the policy settings. For more details, see Group Policy Object Editor Technical Reference. +Device Installation section in Group Policy is a set of policies that control which device could or couldn't be installed on a machine. Whether you want to apply the settings to a stand-alone computer or to many computers in an Active Directory domain, you use the Group Policy Object Editor to configure and apply the policy settings. For more information, see Group Policy Object Editor Technical Reference. The following passages are brief descriptions of the Device Installation policies that are used in this guide. > [!NOTE] -> Device Installation control is applied only to machines (‘computer configuration’) and not users (‘user configuration’) by the nature of the Windows OS design. These policy settings affect all users who log on to the computer where the policy settings are applied. You cannot apply these policies to specific users or groups except for the policy Allow administrators to override device installation policy. This policy exempts members of the local Administrators group from any of the device installation restrictions that you apply to the computer by configuring other policy settings as described in this section. +> Device Installation control is applied only to machines (‘computer configuration’) and not users (‘user configuration’) by the nature of the Windows OS design. These policy settings affect all users who log on to the computer where the policy settings are applied. You can't apply these policies to specific users or groups except for the policy Allow administrators to override device installation policy. This policy exempts members of the local Administrators group from any of the device installation restrictions that you apply to the computer by configuring other policy settings as described in this section. #### Allow administrators to override Device Installation Restriction policies -This policy setting allows members of the local Administrators group to install and update the drivers for any device, regardless of other policy settings. If you enable this policy setting, administrators can use the Add Hardware Wizard or the Update Driver Wizard to install and update the drivers for any device. If you disable or do not configure this policy setting, administrators are subject to all policy settings that restrict device installation. +This policy setting allows members of the local Administrators group to install and update the drivers for any device, regardless of other policy settings. If you enable this policy setting, administrators can use the Add Hardware Wizard or the Update Driver Wizard to install and update the drivers for any device. If you disable or don't configure this policy setting, administrators are subject to all policy settings that restrict device installation. #### Allow installation of devices that match any of these device IDs -This policy setting specifies a list of Plug and Play hardware IDs and compatible IDs that describe devices that users can install. This setting is intended to be used only when the Prevent installation of devices not described by other policy settings policy setting is enabled and does not take precedence over any policy setting that would prevent users from installing a device. If you enable this policy setting, users can install and update any device with a hardware ID or compatible ID that matches an ID in this list if that installation has not been specifically prevented by the Prevent installation of devices that match these device IDs policy setting, the Prevent installation of devices for these device classes policy setting, or the Prevent installation of removable devices policy setting. If another policy setting prevents users from installing a device, users cannot install it even if the device is also described by a value in this policy setting. If you disable or do not configure this policy setting and no other policy describes the device, the Prevent installation of devices not described by other policy settings policy setting determines whether users can install the device. +This policy setting specifies a list of Plug and Play hardware IDs and compatible IDs that describe devices that users can install. This setting is intended to be used only when the Prevent installation of devices not described by other policy settings policy setting is enabled and doesn't take precedence over any policy setting that would prevent users from installing a device. If you enable this policy setting, users can install and update any device with a hardware ID or compatible ID that matches an ID in this list if that installation hasn't been prevented by the Prevent installation of devices that match these device IDs policy setting, the Prevent installation of devices for these device classes policy setting, or the Prevent installation of removable devices policy setting. If another policy setting prevents users from installing a device, users can't install it even if the device is also described by a value in this policy setting. If you disable or don't configure this policy setting and no other policy describes the device, the Prevent installation of devices not described by other policy settings policy setting determines whether users can install the device. #### Allow installation of devices that match any of these device instance IDs @@ -184,20 +184,20 @@ This policy setting allows you to specify a list of Plug and Play device instanc #### Allow installation of devices using drivers that match these device setup classes -This policy setting specifies a list of device setup class GUIDs that describe devices that users can install. This setting is intended to be used only when the Prevent installation of devices not described by other policy settings policy setting is enabled and does not take precedence over any policy setting that would prevent users from installing a device. If you enable this setting, users can install and update any device with a hardware ID or compatible ID that matches one of the IDs in this list if that installation has not been specifically prevented by the Prevent installation of devices that match these device IDs policy setting, the Prevent installation of devices for these device classes policy setting, or the Prevent installation of removable devices policy setting. If another policy setting prevents users from installing a device, users cannot install it even if the device is also described by a value in this policy setting. If you disable or do not configure this policy setting and no other policy setting describes the device, the Prevent installation of devices not described by other policy settings policy setting determines whether users can install the device. +This policy setting specifies a list of device setup class GUIDs that describe devices that users can install. This setting is intended to be used only when the Prevent installation of devices not described by other policy settings policy setting is enabled and doesn't take precedence over any policy setting that would prevent users from installing a device. If you enable this setting, users can install and update any device with a hardware ID or compatible ID that matches one of the IDs in this list if that installation hasn't been prevented by the Prevent installation of devices that match these device IDs policy setting, the Prevent installation of devices for these device classes policy setting, or the Prevent installation of removable devices policy setting. If another policy setting prevents users from installing a device, users can't install it even if the device is also described by a value in this policy setting. If you disable or don't configure this policy setting and no other policy setting describes the device, the Prevent installation of devices not described by other policy settings policy setting determines whether users can install the device. #### Prevent installation of devices that match these device IDs -This policy setting specifies a list of Plug and Play hardware IDs and compatible IDs for devices that users cannot install. If you enable this policy setting, users cannot install or update the driver for a device if its hardware ID or compatible ID matches one in this list. If you disable or do not configure this policy setting, users can install devices and update their drivers, as permitted by other policy settings for device installation. +This policy setting specifies a list of Plug and Play hardware IDs and compatible IDs for devices that users can't install. If you enable this policy setting, users can't install or update the driver for a device if its hardware ID or compatible ID matches one in this list. If you disable or don't configure this policy setting, users can install devices and update their drivers, as permitted by other policy settings for device installation. Note: This policy setting takes precedence over any other policy settings that allow users to install a device. This policy setting prevents users from installing a device even if it matches another policy setting that would allow installation of that device. #### Prevent installation of devices that match any of these device instance IDs -This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. If you enable this policy setting, Windows is prevented from installing a device whose device instance ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. +This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. If you enable this policy setting, Windows is prevented from installing a device whose device instance ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or don't configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. #### Prevent installation of devices using drivers that match these device setup classes -This policy setting specifies a list of Plug and Play device setup class GUIDs for devices that users cannot install. If you enable this policy setting, users cannot install or update devices that belong to any of the listed device setup classes. If you disable or do not configure this policy setting, users can install and update devices as permitted by other policy settings for device installation. +This policy setting specifies a list of Plug and Play device setup class GUIDs for devices that users can't install. If you enable this policy setting, users can't install or update devices that belong to any of the listed device setup classes. If you disable or don't configure this policy setting, users can install and update devices as permitted by other policy settings for device installation. Note: This policy setting takes precedence over any other policy settings that allow users to install a device. This policy setting prevents users from installing a device from being installed even if it matches another policy setting that would allow installation of that device. ### Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria @@ -209,7 +209,7 @@ This policy setting will change the evaluation order in which Allow and Prevent > [!NOTE] > This policy setting provides more granular control than the "Prevent installation of devices not described by other policy settings" policy setting. If these conflicting policy settings are enabled at the same time, the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting will be enabled and the other policy setting will be ignored. > -> If you disable or do not configure this policy setting, the default evaluation is used. By default, all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to install a device. +> If you disable or don't configure this policy setting, the default evaluation is used. By default, all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to install a device. Some of these policies take precedence over other policies. The flowchart shown below illustrates how Windows processes them to determine whether a user can install a device or not, as shown in Figure below. @@ -222,11 +222,11 @@ Some of these policies take precedence over other policies. The flowchart shown ### General -To complete each of the scenarios, please ensure your have: +To complete each of the scenarios, ensure your have: - A client computer running Windows. -- A USB thumb drive. The scenarios described in this guide use a USB thumb drive as the example device (also known as a “removable disk drive”, "memory drive," a "flash drive," or a "keyring drive"). Most USB thumb drives do not require any manufacturer-provided drivers, and these devices work with the inbox drivers provided with the Windows build. +- A USB thumb drive. The scenarios described in this guide use a USB thumb drive as the example device (also known as a “removable disk drive”, "memory drive," a "flash drive," or a "keyring drive"). Most USB thumb drives don't require any manufacturer-provided drivers, and these devices work with the inbox drivers provided with the Windows build. - A USB/network printer pre-installed on the machine. @@ -234,18 +234,18 @@ To complete each of the scenarios, please ensure your have: ### Understanding implications of applying ‘Prevent’ policies retroactive -All ‘Prevent’ policies have an option to apply the block functionality to already installed devices—devices that have been installed on the machine before the policy took effect. Using this option is recommended when the administrator is not sure of the installation history of devices on the machine and would like to make sure the policy applies to all devices. +All ‘Prevent’ policies can apply the block functionality to already installed devices—devices that have been installed on the machine before the policy took effect. Using this option is recommended when the administrator isn't sure of the installation history of devices on the machine and would like to make sure the policy applies to all devices. For example: A printer is already installed on the machine, preventing the installation of all printers will block any future printer from being installed while keeping only the installed printer usable. To apply the block retroactive, the administrator should check mark the “apply this policy to already installed devices” option. Marking this option will prevent access to already installed devices in addition to any future ones. -This is a powerful tool, but as such it has to be used carefully. +This option is a powerful tool, but as such it has to be used carefully. > [!IMPORTANT] > Applying the ‘Prevent retroactive’ option to crucial devices could render the machine useless/unacceptable! For example: Preventing retroactive all ‘Disk Drives’ could block the access to the disk on which the OS boots with; Preventing retroactive all ‘Net’ could block this machine from accessing network and to fix the issue the admin will have to have a direct connection. ## Determine device identification strings -By following these steps, you can determine the device identification strings for your device. If the hardware IDs and compatible IDs for your device do not match those shown in this guide, use the IDs that are appropriate to your device (this applies to Instance IDs and Classes, but we are not going to give an example for them in this guide). +By following these steps, you can determine the device identification strings for your device. If the hardware IDs and compatible IDs for your device don't match those IDs shown in this guide, use the IDs that are appropriate to your device (this policy applies to Instance IDs and Classes, but we aren't going to give an example for them in this guide). You can determine the hardware IDs and compatible IDs for your device in two ways. You can use Device Manager, a graphical tool included with the operating system, or PnPUtil, a command-line tool available for all Windows versions. Use the following procedure to view the device identification strings for your device. @@ -268,7 +268,7 @@ To find device identification strings using Device Manager ![‘Details’ tab.](images/device-installation-dm-printer-details-screen.png)
                                _Open the ‘Details’ tab to look for the device identifiers_ -6. From the ‘Value’ window, copy the most detailed Hardware ID – we will use this in the policies. +6. From the ‘Value’ window, copy the most detailed Hardware ID – we'll use this value in the policies. ![HWID.](images/device-installation-dm-printer-hardware-ids.png) @@ -283,7 +283,7 @@ To find device identification strings using Device Manager pnputil /enum-devices /ids ``` -Here is an example of an output for a single device on a machine: +Here's an example of an output for a single device on a machine: ```console @@ -310,7 +310,7 @@ Compatible IDs: PCI\VEN_8086&DEV_2F34&REV_02 ## Scenario #1: Prevent installation of all printers -In this simple scenario, you will learn how to prevent the installation of an entire Class of devices. +In this simple scenario, you'll learn how to prevent the installation of an entire Class of devices. ### Setting up the environment @@ -335,7 +335,7 @@ Getting the right device identifier to prevent it from being installed: - [System-Defined Device Setup Classes Available to Vendors - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors) - [System-Defined Device Setup Classes Reserved for System Use - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-reserved-for-system-use) -3. Our current scenario is focused on preventing all printers from being installed, as such here is the Class GUID for most of printers in the market: +3. Our current scenario is focused on preventing all printers from being installed, as such here's the Class GUID for most of printers in the market: > Printers\ > Class = Printer\ @@ -343,7 +343,7 @@ Getting the right device identifier to prevent it from being installed: > This class includes printers. > [!NOTE] - > As mentioned before, preventing an entire Class could block you from using your system completely. Please make sure you understand which devices are going to be blocked when specifying a Class. For our scenario, there are other classes that relate to printers but before you apply them, make sure they are not blocking any other existing device that is crucial to your system. + > As mentioned before, preventing an entire Class could block you from using your system completely. Please make sure you understand which devices are going to be blocked when specifying a Class. For our scenario, there are other classes that relate to printers but before you apply them, make sure they're not blocking any other existing device that is crucial to your system. Creating the policy to prevent all printers from being installed: @@ -357,15 +357,15 @@ Creating the policy to prevent all printers from being installed: 4. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the ‘Enable’ radio button. -5. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This will take you to a table where you can enter the class identifier to block. +5. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the class identifier to block. -6. Enter the printer class GUID you found above with the curly braces (this is important! Otherwise, it won’t work): {4d36e979-e325-11ce-bfc1-08002be10318} +6. Enter the printer class GUID you found above with the curly braces (this convention is important! Otherwise, it won’t work): {4d36e979-e325-11ce-bfc1-08002be10318} ![List of prevent Class GUIDs.](images/device-installation-gpo-prevent-class-list.png)
                                _List of prevent Class GUIDs_ 7. Click ‘OK’. -8. Click ‘Apply’ on the bottom right of the policy’s window – this pushes the policy and blocks all future printer installations, but doesn’t apply to existing installs. +8. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and blocks all future printer installations, but doesn’t apply to existing installs. 9. Optional – if you would like to apply the policy to existing installs: Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the ‘Options’ window mark the checkbox that says ‘also apply to matching devices that are already installed’ @@ -374,13 +374,13 @@ Creating the policy to prevent all printers from being installed: ### Testing the scenario -1. If you have not completed step #9 – follow these steps: +1. If you haven't completed step #9 – follow these steps: 1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click “Uninstall device”. 1. For USB printer – unplug and plug back the cable; for network device – make a search for the printer in the Windows Settings app. - 1. You should not be able to reinstall the printer. + 1. You shouldn't be able to reinstall the printer. -2. If you completed step #9 above and restarted the machine, simply look for your printer under Device Manager or the Windows Settings app and see that it is no-longer available for you to use. +2. If you completed step #9 above and restarted the machine, look for your printer under Device Manager or the Windows Settings app and see that it's no-longer available for you to use. ## Scenario #2: Prevent installation of a specific printer @@ -392,13 +392,13 @@ Setting up the environment for the scenario with the following steps: 1. Open Group Policy Editor and navigate to the Device Installation Restriction section. -2. Make sure all previous Device Installation policies are disabled except ‘Apply layered order of evaluation’ (this is optional to be On/Off this scenario). Although the policy is disabled in default, it is recommended to be enabled in most practical applications. For scenario #2 it is optional. +2. Ensure all previous Device Installation policies are disabled except ‘Apply layered order of evaluation’ (this prerequisite is optional to be On/Off this scenario). Although the policy is disabled in default, it's recommended to be enabled in most practical applications. For scenario #2, it's optional. ### Scenario steps – preventing installation of a specific device Getting the right device identifier to prevent it from being installed: -1. Get your printer’s Hardware ID – in this example we will use the identifier we found previously +1. Get your printer’s Hardware ID – in this example we'll use the identifier we found previously ![Printer Hardware ID identifier.](images/device-installation-dm-printer-hardware-ids.png)
                                _Printer Hardware ID_ @@ -414,7 +414,7 @@ Creating the policy to prevent a single printer from being installed: 3. Open **Prevent installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button. -4. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This will take you to a table where you can enter the device identifier to block. +4. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the device identifier to block. 5. Enter the printer device ID you found above – WSDPRINT\CanonMX920_seriesC1A0 @@ -422,26 +422,26 @@ Creating the policy to prevent a single printer from being installed: 6. Click ‘OK’. -7. Click ‘Apply’ on the bottom right of the policy’s window. This pushes the policy and blocks the target printer in future installations, but doesn’t apply to an existing install. +7. Click ‘Apply’ on the bottom right of the policy’s window. This option pushes the policy and blocks the target printer in future installations, but doesn’t apply to an existing install. 8. Optional – if you would like to apply the policy to an existing install: Open the **Prevent installation of devices that match any of these device IDs** policy again; in the ‘Options’ window mark the checkbox that says ‘also apply to matching devices that are already installed’. ### Testing the scenario -If you completed step #8 above and restarted the machine, simply look for your printer under Device Manager or the Windows Settings app and see that it is no-longer available for you to use. +If you completed step #8 above and restarted the machine, look for your printer under Device Manager or the Windows Settings app and see that it's no-longer available for you to use. -If you have not completed step #8, follow these steps: +If you haven't completed step #8, follow these steps: 1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click “Uninstall device”. 2. For USB printer – unplug and plug back the cable; for network device – make a search for the printer in the Windows Settings app. -3. You should not be able to reinstall the printer. +3. You shouldn't be able to reinstall the printer. ## Scenario #3: Prevent installation of all printers while allowing a specific printer to be installed -Now, using the knowledge from both previous scenarios, you will learn how to prevent the installation of an entire Class of devices while allowing a single printer to be installed. +Now, using the knowledge from both previous scenarios, you'll learn how to prevent the installation of an entire Class of devices while allowing a single printer to be installed. ### Setting up the environment @@ -474,15 +474,15 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one 4. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the ‘Enable’ radio button. -5. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This will take you to a table where you can enter the class identifier to block. +5. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the class identifier to block. -6. Enter the printer class GUID you found above with the curly braces (this is important! Otherwise, it won’t work): {4d36e979-e325-11ce-bfc1-08002be10318} +6. Enter the printer class GUID you found above with the curly braces (this value is important! Otherwise, it won’t work): {4d36e979-e325-11ce-bfc1-08002be10318} ![List of prevent Class GUIDs.](images/device-installation-gpo-prevent-class-list.png)
                                _List of prevent Class GUIDs_ 7. Click ‘OK’. -8. Click ‘Apply’ on the bottom right of the policy’s window – this pushes the policy and blocks all future printer installations, but doesn’t apply to existing installs. +8. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and blocks all future printer installations, but doesn’t apply to existing installs. 9. To complete the coverage of all future and existing printers – Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the ‘Options’ window mark the checkbox that says ‘also apply to matching devices that are already installed’ and click ‘OK’ @@ -494,7 +494,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one 9. Now Open **Allow installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button. -10. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This will take you to a table where you can enter the device identifier to allow. +10. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the device identifier to allow. 11. Enter the printer device ID you found above: WSDPRINT\CanonMX920_seriesC1A0. @@ -502,18 +502,18 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one 12. Click ‘OK’. -13. Click ‘Apply’ on the bottom right of the policy’s window – this pushes the policy and allows the target printer to be installed (or stayed installed). +13. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and allows the target printer to be installed (or stayed installed). ## Testing the scenario -1. Simply look for your printer under Device Manager or the Windows Settings app and see that it is still there and accessible. Or just print a test document. +1. Look for your printer under Device Manager or the Windows Settings app and see that it's still there and accessible. Or just print a test document. -2. Go back to the Group Policy Editor, disable **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and test again your printer – you should not be bale to print anything or able to access the printer at all. +2. Go back to the Group Policy Editor, disable **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and test again your printer – you shouldn't be bale to print anything or able to access the printer at all. ## Scenario #4: Prevent installation of a specific USB device -The scenario builds upon the knowledge from scenario #2, Prevent installation of a specific printer. In this scenario, you will gain an understanding of how some devices are built into the PnP (Plug and Play) device tree. +The scenario builds upon the knowledge from scenario #2, Prevent installation of a specific printer. In this scenario, you'll gain an understanding of how some devices are built into the PnP (Plug and Play) device tree. ### Setting up the environment @@ -521,7 +521,7 @@ Setting up the environment for the scenario with the following steps: 1. Open Group Policy Editor and navigate to the Device Installation Restriction section -2. Make sure all previous Device Installation policies are disabled except ‘Apply layered order of evaluation’ (this is optional to be On/Off this scenario) – although the policy is disabled in default, it is recommended to be enabled in most practical applications. +2. Ensure all previous Device Installation policies are disabled except ‘Apply layered order of evaluation’ (this prerequisite is optional to be On/Off this scenario) – although the policy is disabled in default, it's recommended to be enabled in most practical applications. ### Scenario steps – preventing installation of a specific device @@ -546,7 +546,7 @@ Getting the right device identifier to prevent it from being installed and its l 5. Double-click the USB thumb-drive and move to the ‘Details’ tab. -6. From the ‘Value’ window, copy the most detailed Hardware ID—we will use this in the policies. In this case Device ID = USBSTOR\DiskGeneric_Flash_Disk______8.07 +6. From the ‘Value’ window, copy the most detailed Hardware ID—we'll use this value in the policies. In this case Device ID = USBSTOR\DiskGeneric_Flash_Disk______8.07 ![USB device hardware IDs.](images/device-installation-dm-usb-hwid.png)
                                _USB device hardware IDs_ @@ -560,7 +560,7 @@ Creating the policy to prevent a single USB thumb-drive from being installed: 3. Open **Prevent installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button. -4. In the lower left side, in the ‘Options’ window, click the ‘Show’ box. This will take you to a table where you can enter the device identifier to block. +4. In the lower left side, in the ‘Options’ window, click the ‘Show’ box. This option will take you to a table where you can enter the device identifier to block. 5. Enter the USB thumb-drive device ID you found above – USBSTOR\DiskGeneric_Flash_Disk______8.07 @@ -568,24 +568,24 @@ Creating the policy to prevent a single USB thumb-drive from being installed: 6. Click ‘OK’. -7. Click ‘Apply’ on the bottom right of the policy’s window – this pushes the policy and blocks the target USB thumb-drive in future installations, but doesn’t apply to an existing install. +7. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and blocks the target USB thumb-drive in future installations, but doesn’t apply to an existing install. 8. Optional – if you would like to apply the policy to an existing install: Open the **Prevent installation of devices that match any of these device IDs** policy again; in the ‘Options’ window, mark the checkbox that says ‘also apply to matching devices that are already installed’ ### Testing the scenario -1. If you have not completed step #8 – follow these steps: +1. If you haven't completed step #8 – follow these steps: - Uninstall your USB thumb-drive: Device Manager > Disk drives > right click the target USB thumb-drive > click “Uninstall device”. - - You should not be able to reinstall the device. + - You shouldn't be able to reinstall the device. -2. If you completed step #8 above and restarted the machine, simply look for your Disk drives under Device Manager and see that it is no-longer available for you to use. +2. If you completed step #8 above and restarted the machine, look for your Disk drives under Device Manager and see that it's no-longer available for you to use. ## Scenario #5: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb-drive -Now, using the knowledge from all the previous 4 scenarios, you will learn how to prevent the installation of an entire Class of devices while allowing a single authorized USB thumb-drive to be installed. +Now, using the knowledge from all the previous four scenarios, you'll learn how to prevent the installation of an entire Class of devices while allowing a single authorized USB thumb-drive to be installed. ### Setting up the environment @@ -611,11 +611,11 @@ Getting the device identifier for both the USB Classes and a specific USB thumb- - USB Device - Class = USBDevice - ClassGuid = {88BAE032-5A81-49f0-BC3D-A4FF138216D6} - - USBDevice includes all USB devices that do not belong to another class. This class is not used for USB host controllers and hubs. + - USBDevice includes all USB devices that don't belong to another class. This class isn't used for USB host controllers and hubs. - Hardware ID = USBSTOR\DiskGeneric_Flash_Disk______8.07 -As mentioned in scenario #4, it is not enough to enable only a single hardware ID in order to enable a single USB thumb-drive. The IT admin has to ensure all the USB devices that preceding the target one are not blocked (allowed) as well. In Our case the following devices has to be allowed so the target USB thumb-drive could be allowed as well: +As mentioned in scenario #4, it's not enough to enable only a single hardware ID in order to enable a single USB thumb-drive. The IT admin has to ensure all the USB devices that preceding the target one aren't blocked (allowed) as well. In Our case the following devices has to be allowed so the target USB thumb-drive could be allowed as well: - “Intel(R) USB 3.0 eXtensible Host Controller – 1.0 (Microsoft)” -> PCI\CC_0C03 - “USB Root Hub (USB 3.0)” -> USB\ROOT_HUB30 @@ -623,18 +623,18 @@ As mentioned in scenario #4, it is not enough to enable only a single hardware I ![USB devices nested in the PnP tree.](images/device-installation-dm-usb-by-connection-layering.png)
                                _USB devices nested under each other in the PnP tree_ -These devices are internal devices on the machine that define the USB port connection to the outside world. Enabling them should not enable any external/peripheral device from being installed on the machine. +These devices are internal devices on the machine that define the USB port connection to the outside world. Enabling them shouldn't enable any external/peripheral device from being installed on the machine. > [!IMPORTANT] -> Some device in the system have several layers of connectivity to define their installation on the system. USB thumb-drives are such devices. Thus, when looking to either block or allow them on a system, it is important to understand the path of connectivity for each device. There are several generic Device IDs that are commonly used in systems and could provide a good start to build an ‘Allow list’ in such cases. See below for the list: +> Some device in the system have several layers of connectivity to define their installation on the system. USB thumb-drives are such devices. Thus, when looking to either block or allow them on a system, it's important to understand the path of connectivity for each device. There are several generic Device IDs that are commonly used in systems and could provide a good start to build an ‘Allow list’ in such cases. See below for the list: > > PCI\CC_0C03; PCI\CC_0C0330; PCI\VEN_8086; PNP0CA1; PNP0CA1&HOST (for Host Controllers)/ > USB\ROOT_HUB30; USB\ROOT_HUB20 (for USB Root Hubs)/ > USB\USB20_HUB (for Generic USB Hubs)/ > -> Specifically for desktop machines, it is very important to list all the USB devices that your keyboards and mice are connected through in the above list. Failing to do so could block a user from accessing its machine through HID devices. +> Specifically for desktop machines, it's very important to list all the USB devices that your keyboards and mice are connected through in the above list. Failing to do so could block a user from accessing its machine through HID devices. > -> Different PC manufacturers sometimes have different ways to nest USB devices in the PnP tree, but in general this is how it is done. +> Different PC manufacturers sometimes have different ways to nest USB devices in the PnP tree, but in general this is how it's done. First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one: @@ -648,7 +648,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one 4. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the ‘Enable’ radio button. -5. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This will take you to a table where you can enter the class identifier to block. +5. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the class identifier to block. 6. Enter both USB classes GUID you found above with the curly braces: @@ -657,7 +657,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one 7. Click ‘OK’. -8. Click ‘Apply’ on the bottom right of the policy’s window – this pushes the policy and blocks all future USB device installations, but doesn’t apply to existing installs. +8. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and blocks all future USB device installations, but doesn’t apply to existing installs. > [!IMPORTANT] > The previous step prevents all future USB devices from being installed. Before you move to the next step make sure you have as complete list as possible of all the USB Host Controllers, USB Root Hubs and Generic USB Hubs Device IDs available to prevent blocking you from interacting with your system through keyboards and mice. @@ -668,7 +668,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one 10. Now Open **Allow installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button. -11. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This will take you to a table where you can enter the device identifier to allow. +11. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the device identifier to allow. 12. Enter the full list of USB device IDs you found above including the specific USB Thumb-drive you would like to authorize for installation – USBSTOR\DiskGeneric_Flash_Disk______8.07 @@ -682,4 +682,4 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one ### Testing the scenario -You should not be able to install any USB thumb-drive, except the one you authorized for usage +You shouldn't be able to install any USB thumb-drive, except the one you authorized for usage diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md index 0e9dd8a789..e71f64b505 100644 --- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md +++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md @@ -17,9 +17,9 @@ ms.topic: article # Manage Windows 10 in your organization - transitioning to modern management -Use of personal devices for work, as well as employees working outside the office, may be changing how your organization manages devices. Certain parts of your organization might require deep, granular control over devices, while other parts might seek lighter, scenario-based management that empowers the modern workforce. Windows 10 offers the flexibility to respond to these changing requirements, and can easily be deployed in a mixed environment. You can shift the percentage of Windows 10 devices gradually, following the normal upgrade schedules used in your organization. +Use of personal devices for work, and employees working outside the office, may be changing how your organization manages devices. Certain parts of your organization might require deep, granular control over devices, while other parts might seek lighter, scenario-based management that empowers the modern workforce. Windows 10 offers the flexibility to respond to these changing requirements, and can easily be deployed in a mixed environment. You can shift the percentage of Windows 10 devices gradually, following the normal upgrade schedules used in your organization. -Your organization might have considered bringing in Windows 10 devices and downgrading them to Windows 7 until everything is in place for a formal upgrade process. While this may appear to save costs due to standardization, greater savings can come from avoiding the downgrade and immediately taking advantage of the cost reductions Windows 10 can provide. Because Windows 10 devices can be managed using the same processes and technology as other previous Windows versions, it’s easy for versions to coexist. +Your organization might have considered bringing in Windows 10 devices and downgrading them to Windows 7 until everything is in place for a formal upgrade process. While this downgrade may appear to save costs due to standardization, greater savings can come from avoiding the downgrade and immediately taking advantage of the cost reductions Windows 10 can provide. Because Windows 10 devices can be managed using the same processes and technology as other previous Windows versions, it’s easy for versions to coexist. Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as Microsoft Endpoint Configuration Manager, Microsoft Intune, or other third-party products. This “managed diversity” enables you to empower your users to benefit from the productivity enhancements available on their new Windows 10 devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows 10 much faster. @@ -50,7 +50,7 @@ As indicated in the diagram, Microsoft continues to provide support for deep man ## Deployment and Provisioning -With Windows 10, you can continue to use traditional OS deployment, but you can also “manage out of the box.” To transform new devices into fully-configured, fully-managed devices, you can: +With Windows 10, you can continue to use traditional OS deployment, but you can also “manage out of the box.” To transform new devices into fully configured, fully managed devices, you can: - Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services such as [Microsoft Autopilot](/windows/deployment/windows-10-auto-pilot) or [Microsoft Intune](/mem/intune/fundamentals/). @@ -59,7 +59,7 @@ With Windows 10, you can continue to use traditional OS deployment, but you can - Use traditional imaging techniques such as deploying custom images using [Microsoft Endpoint Configuration Manager](/configmgr/core/understand/introduction). -You have multiple options for [upgrading to Windows 10](/windows/deployment/windows-10-deployment-scenarios). For existing devices running Windows 7 or Windows 8.1, you can use the robust in-place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all the existing apps, data, and settings. This can mean significantly lower deployment costs, as well as improved productivity as end users can be immediately productive – everything is right where they left it. Of course, you can also use a traditional wipe-and-load approach if you prefer, using the same tools that you use today with Windows 7. +You have multiple options for [upgrading to Windows 10](/windows/deployment/windows-10-deployment-scenarios). For existing devices running Windows 7 or Windows 8.1, you can use the robust in-place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all the existing apps, data, and settings. This process usage can mean lower deployment costs, and improved productivity as end users can be immediately productive – everything is right where they left it. You can also use a traditional wipe-and-load approach if you prefer, using the same tools that you use today with Windows 7. ## Identity and Authentication @@ -73,8 +73,8 @@ You can envision user and device management as falling into these two categories - Likewise, for personal devices, employees can use a new, simplified [BYOD experience](/azure/active-directory/devices/overview) to add their work account to Windows, then access work resources on the device. -- **Domain joined PCs and tablets used for traditional applications and access to important resources.** These may be traditional applications and resources that require authentication or accessing highly sensitive or classified resources on-premises. - With Windows 10, if you have an on-premises [Active Directory](/windows-server/identity/whats-new-active-directory-domain-services) domain that’s [integrated with Azure AD](/azure/active-directory/devices/hybrid-azuread-join-plan), when employee devices are joined, they automatically register with Azure AD. This provides: +- **Domain joined PCs and tablets used for traditional applications and access to important resources.** These applications and resources may be traditional ones that require authentication or accessing highly sensitive or classified resources on-premises. + With Windows 10, if you have an on-premises [Active Directory](/windows-server/identity/whats-new-active-directory-domain-services) domain that’s [integrated with Azure AD](/azure/active-directory/devices/hybrid-azuread-join-plan), when employee devices are joined, they automatically register with Azure AD. This registration provides: - Single sign-on to cloud and on-premises resources from everywhere @@ -98,7 +98,7 @@ As you review the roles in your organization, you can use the following generali Your configuration requirements are defined by multiple factors, including the level of management needed, the devices and data managed, and your industry requirements. Meanwhile, employees are frequently concerned about IT applying strict policies to their personal devices, but they still want access to corporate email and documents. With Windows 10, you can create a consistent set of configurations across PCs, tablets, and phones through the common MDM layer.  -**MDM**: [MDM](https://www.microsoft.com/cloud-platform/mobile-device-management) gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, Group Policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows you to target Internet-connected devices to manage policies without using GP that requires on-premises domain-joined devices. This makes MDM the best choice for devices that are constantly on the go. +**MDM**: [MDM](https://www.microsoft.com/cloud-platform/mobile-device-management) gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, Group Policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows you to target Internet-connected devices to manage policies without using GP that requires on-premises domain-joined devices. This provision makes MDM the best choice for devices that are constantly on the go. **Group Policy** and **Microsoft Endpoint Configuration Manager**: Your organization might still need to manage domain joined computers at a granular level such as Internet Explorer’s 1,500 configurable Group Policy settings. If so, Group Policy and Configuration Manager continue to be excellent management choices: @@ -115,7 +115,7 @@ MDM with Intune provide tools for applying Windows updates to client computers i ## Next steps -There are a variety of steps you can take to begin the process of modernizing device management in your organization: +There are various steps you can take to begin the process of modernizing device management in your organization: **Assess current management practices, and look for investments you might make today.** Which of your current practices need to stay the same, and which can you change? Specifically, what elements of traditional management do you need to retain and where can you modernize? Whether you take steps to minimize custom imaging, re-evaluate settings management, or reassesses authentication and compliance, the benefits can be immediate. You can use the [MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat) to help determine which Group Policies are set for a target user/computer and cross-reference them against the list of available MDM policies. @@ -123,10 +123,10 @@ There are a variety of steps you can take to begin the process of modernizing de **Review the decision trees in this article.** With the different options in Windows 10, plus Configuration Manager and Enterprise Mobility + Security, you have the flexibility to handle imaging, authentication, settings, and management tools for any scenario. -**Take incremental steps.** Moving towards modern device management doesn’t have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this “managed diversity,” users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability. Starting with Windows 10, version 1803, the new policy [MDMWinsOverGP](./mdm/policy-csp-controlpolicyconflict.md#controlpolicyconflict-mdmwinsovergp) was added to allow MDM policies to take precedence over GP when both GP and its equivalent MDM policies are set on the device. You can start implementing MDM policies while keeping your GP environment. Here is the list of MDM policies with equivalent GP - [Policies supported by GP](./mdm/policy-configuration-service-provider.md) +**Take incremental steps.** Moving towards modern device management doesn’t have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this “managed diversity,” users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability. Starting with Windows 10, version 1803, the new policy [MDMWinsOverGP](./mdm/policy-csp-controlpolicyconflict.md#controlpolicyconflict-mdmwinsovergp) was added to allow MDM policies to take precedence over GP when both GP and its equivalent MDM policies are set on the device. You can start implementing MDM policies while keeping your GP environment. Here's the list of MDM policies with equivalent GP - [Policies supported by GP](./mdm/policy-configuration-service-provider.md) -**Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. Starting with Configuration Manager 1710, co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Intune. See these topics for details: +**Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. Configuration Manager 1710 onward, co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Intune. See these topics for details: - [Co-management for Windows 10 devices](/configmgr/core/clients/manage/co-management-overview) - [Prepare Windows 10 devices for co-management](/configmgr/core/clients/manage/co-management-prepare) diff --git a/windows/client-management/mdm/accountmanagement-csp.md b/windows/client-management/mdm/accountmanagement-csp.md index 5f2a7ff230..7be2cf47f8 100644 --- a/windows/client-management/mdm/accountmanagement-csp.md +++ b/windows/client-management/mdm/accountmanagement-csp.md @@ -19,7 +19,7 @@ AccountManagement CSP is used to configure setting in the Account Manager servic > [!NOTE] > The AccountManagement CSP is only supported in Windows Holographic for Business edition. -The following shows the AccountManagement configuration service provider in tree format. +The following syntax shows the AccountManagement configuration service provider in tree format. ```console ./Vendor/MSFT @@ -41,7 +41,7 @@ Interior node. **UserProfileManagement/EnableProfileManager** Enable profile lifetime management for shared or communal device scenarios. Default value is false. -Supported operations are Add, Get,Replace, and Delete. Value type is bool. +Supported operations are Add, Get, Replace, and Delete. Value type is bool. **UserProfileManagement/DeletionPolicy** Configures when profiles will be deleted. Default value is 1. @@ -52,19 +52,19 @@ Valid values: - 1 - delete at storage capacity threshold - 2 - delete at both storage capacity threshold and profile inactivity threshold -Supported operations are Add, Get,Replace, and Delete. Value type is integer. +Supported operations are Add, Get, Replace, and Delete. Value type is integer. **UserProfileManagement/StorageCapacityStartDeletion** Start deleting profiles when available storage capacity falls below this threshold, given as percent of total storage available for profiles. Profiles that have been inactive the longest will be deleted first. Default value is 25. -Supported operations are Add, Get,Replace, and Delete. Value type is integer. +Supported operations are Add, Get, Replace, and Delete. Value type is integer. **UserProfileManagement/StorageCapacityStopDeletion** Stop deleting profiles when available storage capacity is brought up to this threshold, given as percent of total storage available for profiles. Default value is 50. -Supported operations are Add, Get,Replace, and Delete. Value type is integer. +Supported operations are Add, Get, Replace, and Delete. Value type is integer. **UserProfileManagement/ProfileInactivityThreshold** -Start deleting profiles when they have not been logged on during the specified period, given as number of days. Default value is 30. +Start deleting profiles when they haven't been logged on during the specified period, given as number of days. Default value is 30. -Supported operations are Add, Get,Replace, and Delete. Value type is integer. +Supported operations are Add, Get, Replace, and Delete. Value type is integer. diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md index 1269c2797e..e1fef760a0 100644 --- a/windows/client-management/mdm/accounts-csp.md +++ b/windows/client-management/mdm/accounts-csp.md @@ -1,6 +1,6 @@ --- title: Accounts CSP -description: The Accounts configuration service provider (CSP) is used by the enterprise to rename devices, as well as create local Windows accounts & joint them to a group. +description: The Accounts configuration service provider (CSP) is used by the enterprise to rename devices, and create local Windows accounts & join them to a group. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -17,7 +17,7 @@ manager: dansimp The Accounts configuration service provider (CSP) is used by the enterprise (1) to rename a device, (2) to create a new local Windows account and join it to a local user group. This CSP was added in Windows 10, version 1803. -The following shows the Accounts configuration service provider in tree format. +The following syntax shows the Accounts configuration service provider in tree format. ``` ./Device/Vendor/MSFT @@ -37,7 +37,7 @@ Root node. Interior node for the account domain information. **Domain/ComputerName** -This node specifies the DNS hostname for a device. This setting can be managed remotely, but note that this not supported for devices hybrid joined to Azure Active Directory and an on-premises Active directory. The server must explicitly reboot the device for this value to take effect. A couple of macros can be embedded within the value for dynamic substitution. Using any of these macros will limit the new name to 15 characters. +This node specifies the DNS hostname for a device. This setting can be managed remotely, but this remote management is not supported for devices hybrid joined to Azure Active Directory and an on-premises Active directory. The server must explicitly reboot the device for this value to take effect. A couple of macros can be embedded within the value for dynamic substitution. Using any of these macros will limit the new name to 15 characters. Available naming macros: @@ -61,9 +61,9 @@ This node specifies the username for a new local user account. This setting can This node specifies the password for a new local user account. This setting can be managed remotely. Supported operation is Add. -GET operation is not supported. This setting will report as failed when deployed from the Endpoint Manager. +GET operation isn't supported. This setting will report as failed when deployed from the Endpoint Manager. **Users/_UserName_/LocalUserGroup** -This optional node specifies the local user group that a local user account should be joined to. If the node is not set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely. +This optional node specifies the local user group that a local user account should be joined to. If the node isn't set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely. Supported operation is Add. From b8329d0398fe43725879f09e941d717003ada59b Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Wed, 23 Feb 2022 11:56:15 +0530 Subject: [PATCH 41/68] Acrolinx enhancement --- windows/client-management/mdm/accounts-csp.md | 2 +- .../client-management/mdm/activesync-csp.md | 50 +++++++++---------- ...ure-ad-tenant-and-azure-ad-subscription.md | 6 +-- .../mdm/alljoynmanagement-csp.md | 10 ++-- .../mdm/applicationcontrol-csp.md | 36 ++++++------- .../client-management/mdm/applocker-csp.md | 48 +++++++++--------- 6 files changed, 76 insertions(+), 76 deletions(-) diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md index e1fef760a0..badfb5ccd9 100644 --- a/windows/client-management/mdm/accounts-csp.md +++ b/windows/client-management/mdm/accounts-csp.md @@ -37,7 +37,7 @@ Root node. Interior node for the account domain information. **Domain/ComputerName** -This node specifies the DNS hostname for a device. This setting can be managed remotely, but this remote management is not supported for devices hybrid joined to Azure Active Directory and an on-premises Active directory. The server must explicitly reboot the device for this value to take effect. A couple of macros can be embedded within the value for dynamic substitution. Using any of these macros will limit the new name to 15 characters. +This node specifies the DNS hostname for a device. This setting can be managed remotely, but this remote management isn't supported for devices hybrid joined to Azure Active Directory and an on-premises Active directory. The server must explicitly reboot the device for this value to take effect. A couple of macros can be embedded within the value for dynamic substitution. Using any of these macros will limit the new name to 15 characters. Available naming macros: diff --git a/windows/client-management/mdm/activesync-csp.md b/windows/client-management/mdm/activesync-csp.md index e69eef0c44..307391743a 100644 --- a/windows/client-management/mdm/activesync-csp.md +++ b/windows/client-management/mdm/activesync-csp.md @@ -17,7 +17,7 @@ ms.date: 06/26/2017 The ActiveSync configuration service provider is used to set up and change settings for Exchange ActiveSync. After an Exchange account has been updated over-the-air by the ActiveSync configuration service provider, the device must be powered off and then powered back on to see sync status. -Configuring Windows Live ActiveSync accounts through this configuration service provider is not supported. +Configuring Windows Live ActiveSync accounts through this configuration service provider isn't supported. > [!NOTE] > The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the ./User/Vendor/MSFT/ActiveSync path. @@ -28,7 +28,7 @@ The ./Vendor/MSFT/ActiveSync path is deprecated, but will continue to work in th -The following shows the ActiveSync configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM. +The following example shows the ActiveSync configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM. ``` ./Vendor/MSFT @@ -86,7 +86,7 @@ Defines a specific ActiveSync account. A globally unique identifier (GUID) must Supported operations are Get, Add, and Delete. -When managing over OMA DM, make sure to always use a unique GUID. Provisioning with an account that has the same GUID as an existing one deletes the existing account and does not create the new account. +When managing over OMA DM, make sure to always use a unique GUID. Provisioning with an account that has the same GUID as an existing one deletes the existing account and doesn't create the new account. Braces { } are required around the GUID. In OMA Client Provisioning, you can type the braces. For example: @@ -107,7 +107,7 @@ For OMA DM, you must use the ASCII values of %7B and %7D for the opening and clo ***Account GUID*/EmailAddress** Required. A character string that specifies the email address associated with the Exchange ActiveSync account. -Supported operations are Get, Replace, and Add (cannot Add after the account is created). +Supported operations are Get, Replace, and Add (can't Add after the account is created). This email address is entered by the user during setup and must be in the fully qualified email address format, for example, "someone@example.com". @@ -119,21 +119,21 @@ Supported operations are Get, Replace, Add, and Delete. ***Account GUID*/AccountIcon** Required. A character string that specifies the location of the icon associated with the account. -Supported operations are Get, Replace, and Add (cannot Add after the account is created). +Supported operations are Get, Replace, and Add (can't Add after the account is created). The account icon can be used as a tile in the **Start** list or an icon in the applications list under **Settings > email & accounts**. Some icons are already provided on the device. The suggested icon for POP/IMAP or generic ActiveSync accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.genericmail.png. The suggested icon for Exchange Accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.office.outlook.png. Custom icons can be added if desired. ***Account GUID*/AccountType** Required. A character string that specifies the account type. -Supported operations are Get and Add (cannot Add after the account is created). +Supported operations are Get and Add (can't Add after the account is created). -This value is entered during setup and cannot be modified once entered. An Exchange account is indicated by the string value "Exchange". +This value is entered during setup and can't be modified once entered. An Exchange account is indicated by the string value "Exchange". ***Account GUID*/AccountName** Required. A character string that specifies the name that refers to the account on the device. -Supported operations are Get, Replace, and Add (cannot Add after the account is created). +Supported operations are Get, Replace, and Add (can't Add after the account is created). ***Account GUID*/Password** Required. A character string that specifies the password for the account. @@ -145,14 +145,14 @@ For the Get command, only asterisks are returned. ***Account GUID*/ServerName** Required. A character string that specifies the server name used by the account. -Supported operations are Get, Replace, and Add (cannot Add after the account is created). +Supported operations are Get, Replace, and Add (can't Add after the account is created). ***Account GUID*/UserName** Required. A character string that specifies the user name for the account. -Supported operations are Get, and Add (cannot Add after the account is created). +Supported operations are Get, and Add (can't Add after the account is created). -The user name cannot be changed after a sync has been successfully performed. The user name can be in the fully qualified format "someone@example.com", or just "username", depending on the type of account created. For most Exchange accounts, the user name format is just "username", whereas for Microsoft, Google, Yahoo, and most POP/IMAP accounts, the user name format is "someone@example.com". +The user name can't be changed after a sync has been successfully performed. The user name can be in the fully qualified format "someone@example.com", or just "username", depending on the type of account created. For most Exchange accounts, the user name format is just "username", whereas for Microsoft, Google, Yahoo, and most POP/IMAP accounts, the user name format is "someone@example.com". **Options** Node for other parameters. @@ -163,9 +163,9 @@ Specifies the time window used for syncing calendar items to the device. Value t **Options/Logging** Required. A character string that specifies whether diagnostic logging is enabled and at what level. The default is 0 (disabled). -Supported operations are Get, Replace, and Add (cannot Add after the account is created). +Supported operations are Get, Replace, and Add (can't Add after the account is created). -Valid values are one of the following: +Valid values are any of the following values: - 0 (default) - Logging is off. @@ -173,7 +173,7 @@ Valid values are one of the following: - 2 - Advanced logging is enabled. -Logging is set to off by default. The user might be asked to set this to Basic or Advanced when having a sync issue that customer support is investigating. Setting the logging level to Advanced has more of a performance impact than Basic. +Logging is set to off by default. The user might be asked to set this logging to Basic or Advanced when having a sync issue that customer support is investigating. Setting the logging level to Advanced has more of a performance impact than Basic. **Options/MailBodyType** Indicates the email format. Valid values: @@ -185,19 +185,19 @@ Indicates the email format. Valid values: - 4 - MIME **Options/MailHTMLTruncation** -Specifies the size beyond which HTML-formatted email messages are truncated when they are synchronized to the mobile device. The value is specified in KB. A value of -1 disables truncation. +Specifies the size beyond which HTML-formatted email messages are truncated when they're synchronized to the mobile device. The value is specified in KB. A value of -1 disables truncation. **Options/MailPlainTextTruncation** -This setting specifies the size beyond which text-formatted e-mail messages are truncated when they are synchronized to the mobile phone. The value is specified in KB. A value of -1 disables truncation. +This setting specifies the size beyond which text-formatted e-mail messages are truncated when they're synchronized to the mobile phone. The value is specified in KB. A value of -1 disables truncation. **Options/UseSSL** Optional. A character string that specifies whether SSL is used. -Supported operations are Get, Replace, and Add (cannot Add after the account is created). +Supported operations are Get, Replace, and Add (can't Add after the account is created). Valid values are: -- 0 - SSL is not used. +- 0 - SSL isn't used. - 1 (default) - SSL is used. @@ -206,7 +206,7 @@ Required. A character string that specifies the time until the next sync is perf Supported operations are Get and Replace. -Valid values are one of the following: +Valid values are any of the following values: - -1 (default) - A sync will occur as items are received @@ -223,7 +223,7 @@ Required. A character string that specifies the time window used for syncing ema Supported operations are Get and Replace. -Valid values are one of the following: +Valid values are any of the following values: - 0 – No age filter is used, and all email items are synced to the device. @@ -238,7 +238,7 @@ Valid values are one of the following: **Options/ContentTypes/***Content Type GUID* Defines the type of content to be individually enabled/disabled for sync. -The *GUID* values allowed are one of the following: +The *GUID* values allowed are any of the following values: - Email: "{c6d47067-6e92-480e-b0fc-4ba82182fac7}" @@ -251,11 +251,11 @@ The *GUID* values allowed are one of the following: **Options/ContentTypes/*Content Type GUID*/Enabled** Required. A character string that specifies whether sync is enabled or disabled for the selected content type. The default is "1" (enabled). -Supported operations are Get, Replace, and Add (cannot Add after the account is created). +Supported operations are Get, Replace, and Add (can't Add after the account is created). -Valid values are one of the following: +Valid values are any of the following values: -- 0 - Sync for email, contacts, calendar, or tasks is disabled. +- 0 - Sync for email, contacts, calendar, or tasks are disabled. - 1 (default) - Sync is enabled. **Options/ContentTypes/*Content Type GUID*/Name** @@ -265,7 +265,7 @@ Required. A character string that specifies the name of the content type. > In Windows 10, this node is currently not working. -Supported operations are Get, Replace, and Add (cannot Add after the account is created). +Supported operations are Get, Replace, and Add (can't Add after the account is created). When you use Add or Replace inside an atomic block in the SyncML, the CSP returns an error and provisioning fails. When you use Add or Replace outside of the atomic block, the error is ignored and the account is provisioned as expected. diff --git a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md index 740ad8289d..3328f5ca2a 100644 --- a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md +++ b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md @@ -57,7 +57,7 @@ Here's a step-by-step guide to adding an Azure Active Directory tenant, adding a ![azure active directory premium payment page.](images/azure-ad-add-tenant8.png) -10. After the purchase is completed, you can log in to your Office 365 Admin Portal and you will see the **Azure AD** option from the Admin drop-down menu along with other services (SharePoint, Exchange, etc....). +10. After the purchase is completed, you can log on to your Office 365 Admin Portal and you'll see the **Azure AD** option from the Admin drop-down menu along with other services (SharePoint and Exchange). ![admin center left navigation menu.](images/azure-ad-add-tenant9.png) @@ -75,7 +75,7 @@ If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Ent ![register in azure-ad.](images/azure-ad-add-tenant11.png) -3. On the **Admin center** page, hover your mouse over the Admin tools icon on the left and then click **Azure AD**. This will take you to the Azure Active Directory sign-up page and brings up your existing Office 365 organization account information. +3. On the **Admin center** page, hover your mouse over the Admin tools icon on the left and then click **Azure AD**. This option will take you to the Azure Active Directory sign-up page and brings up your existing Office 365 organization account information. ![register azuread](images/azure-ad-add-tenant12.png) @@ -87,7 +87,7 @@ If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Ent ![registration in azuread.](images/azure-ad-add-tenant14.png) -6. You will see a welcome page when the process completes. +6. You'll see a welcome page when the process completes. ![register screen of azuread](images/azure-ad-add-tenant15.png) diff --git a/windows/client-management/mdm/alljoynmanagement-csp.md b/windows/client-management/mdm/alljoynmanagement-csp.md index 26bcc2dda6..9238507a72 100644 --- a/windows/client-management/mdm/alljoynmanagement-csp.md +++ b/windows/client-management/mdm/alljoynmanagement-csp.md @@ -26,7 +26,7 @@ This CSP was added in Windows 10, version 1511. For the firewall settings, note that PublicProfile and PrivateProfile are mutually exclusive. The Private Profile must be set on the directly on the device itself, and the only supported operation is Get. For PublicProfile, both Add and Get are supported. This CSP is intended to be used in conjunction with the AllJoyn Device System Bridge, and an understanding of the bridge will help when determining when and how to use this CSP. For more information, see [Device System Bridge (DSB) Project](https://go.microsoft.com/fwlink/p/?LinkId=615876) and [AllJoyn Device System Bridge](https://go.microsoft.com/fwlink/p/?LinkId=615877). -The following shows the AllJoynManagement configuration service provider in tree format +The following example shows the AllJoynManagement configuration service provider in tree format ``` ./Vendor/MSFT @@ -70,10 +70,10 @@ List of all AllJoyn objects that are discovered on the AllJoyn bus. All AllJoyn The unique AllJoyn device ID (a GUID) that hosts one or more configurable objects. **Services/*Node name*/Port** -The set of ports that the AllJoyn object uses to communicate configuration settings. Typically only one port is used for communication, but it is possible to specify additional ports. +The set of ports that the AllJoyn object uses to communicate configuration settings. Typically only one port is used for communication, but it's possible to specify more ports. **Services/*Node name*/Port/***Node name* -Port number used for communication. This is specified by the configurable AllJoyn object and reflected here. +Port number used for communication. This value is specified by the configurable AllJoyn object and reflected here. **Services/*Node name*/Port/*Node name*/CfgObject** The set of configurable interfaces that are available on the port of the AllJoyn object. @@ -89,7 +89,7 @@ This is the credential store. An administrator can set credentials for each AllJ When a SyncML request arrives in the CSP to replace or query a configuration item on an AllJoyn object that requires authentication, then the CSP uses the credentials stored here during the authentication phase. **Credentials/***Node name* -This is the same service ID specified in \\AllJoynManagement\\Services\\ServiceID URI. It is typically implemented as a GUID. +This is the same service ID specified in \\AllJoynManagement\\Services\\ServiceID URI. It's typically implemented as a GUID. **Credentials/*Node name*/Key** An alphanumeric key value that conforms to the AllJoyn SRP KEYX authentication standard. @@ -128,7 +128,7 @@ SyncML xmlns="SYNCML:SYNCML1.2"> ``` -You should replace \_ALLJOYN\_DEVICE\_ID\_ with an actual device ID. Note that the data is base-64 encoded representation of the configuration file that you are setting. +You should replace \_ALLJOYN\_DEVICE\_ID\_ with an actual device ID. The data is base-64 encoded representation of the configuration file that you're setting. Get PIN data diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md index 648d9c245f..d18a0ebd70 100644 --- a/windows/client-management/mdm/applicationcontrol-csp.md +++ b/windows/client-management/mdm/applicationcontrol-csp.md @@ -13,10 +13,10 @@ ms.date: 09/10/2020 # ApplicationControl CSP -Windows Defender Application Control (WDAC) policies can be managed from an MDM server or locally using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently does not schedule a reboot. +Windows Defender Application Control (WDAC) policies can be managed from an MDM server or locally using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and hence doesn't schedule a reboot. Existing WDAC policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although WDAC policy deployment via the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only. -The following shows the ApplicationControl CSP in tree format. +The following example shows the ApplicationControl CSP in tree format. ``` ./Vendor/MSFT @@ -80,14 +80,14 @@ Scope is dynamic. Supported operation is Get. Value type is char. **ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsEffective** -This node specifies whether a policy is actually loaded by the enforcement engine and is in effect on a system. +This node specifies whether a policy is loaded by the enforcement engine and is in effect on a system. Scope is dynamic. Supported operation is Get. Value type is bool. Supported values are as follows: -- True — Indicates that the policy is actually loaded by the enforcement engine and is in effect on a system. -- False — Indicates that the policy is not loaded by the enforcement engine and is not in effect on a system. This is the default. +- True—Indicates that the policy is loaded by the enforcement engine and is in effect on a system. +- False—Indicates that the policy isn't loaded by the enforcement engine and isn't in effect on a system. This value is the default value. **ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsDeployed** This node specifies whether a policy is deployed on the system and is present on the physical machine. @@ -96,18 +96,18 @@ Scope is dynamic. Supported operation is Get. Value type is bool. Supported values are as follows: -- True — Indicates that the policy is deployed on the system and is present on the physical machine. -- False — Indicates that the policy is not deployed on the system and is not present on the physical machine. This is the default. +- True—Indicates that the policy is deployed on the system and is present on the physical machine. +- False—Indicates that the policy isn't deployed on the system and isn't present on the physical machine. This value is the default value. **ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsAuthorized** -This node specifies whether the policy is authorized to be loaded by the enforcement engine on the system. If not authorized, a policy cannot take effect on the system. +This node specifies whether the policy is authorized to be loaded by the enforcement engine on the system. If not authorized, a policy can't take effect on the system. Scope is dynamic. Supported operation is Get. Value type is bool. Supported values are as follows: -- True — Indicates that the policy is authorized to be loaded by the enforcement engine on the system. -- False — Indicates that the policy is not authorized to be loaded by the enforcement engine on the system. This is the default. +- True—Indicates that the policy is authorized to be loaded by the enforcement engine on the system. +- False—Indicates that the policy isn't authorized to be loaded by the enforcement engine on the system. This value is the default value. The following table provides the result of this policy based on different values of IsAuthorized, IsDeployed, and IsEffective nodes: @@ -144,7 +144,7 @@ For customers using Intune standalone or hybrid management with Configuration Ma ## Generic MDM Server Usage Guidance -In order to leverage the ApplicationControl CSP without using Intune, you must: +In order to use the ApplicationControl CSP without using Intune, you must: 1. Know a generated policy's GUID, which can be found in the policy xml as `` or `` for pre-1903 systems. 2. Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. @@ -171,7 +171,7 @@ To deploy base policy and supplemental policies: 1. Perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data} with the GUID and policy data for the base policy. 2. Repeat for each base or supplemental policy (with its own GUID and data). -The following example shows the deployment of two base policies and a supplemental policy (which already specifies the base policy it supplements and does not need that reflected in the ADD). +The following example shows the deployment of two base policies and a supplemental policy (which already specifies the base policy it supplements and doesn't need that reflected in the ADD). #### Example 1: Add first base policy @@ -240,7 +240,7 @@ The following table displays the result of Get operation on different nodes: |./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Status|Was the deployment successful| |./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/FriendlyName|Friendly name per the policy| -The following is an example of Get command: +An example of Get command is: ```xml @@ -257,7 +257,7 @@ The following is an example of Get command: #### Rebootless Deletion -Upon deletion, policies deployed via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to functionally do a rebootless delete, first replace the existing policy with an Allow All policy (found at C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml) and then delete the updated policy. This will immediately prevent anything from being blocked and fully deactive the policy on the next reboot. +Upon deletion, policies deployed via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to functionally do a rebootless delete, first replace the existing policy with an Allow All policy (found at C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml) and then delete the updated policy. This sequence will immediately prevent anything from being blocked and fully deactive the policy on the next reboot. #### Unsigned Policies @@ -266,7 +266,7 @@ To delete an unsigned policy, perform a DELETE on **./Vendor/MSFT/ApplicationCon #### Signed Policies > [!NOTE] -> A signed policy by default can only be replaced by another signed policy. Hence, performing a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** is not sufficient to delete a signed policy. +> A signed policy by default can only be replaced by another signed policy. Hence, performing a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** isn't sufficient to delete a signed policy. To delete a signed policy: @@ -274,7 +274,7 @@ To delete a signed policy: 2. Deploy another update with unsigned Allow All policy. 3. Perform delete. -The following is an example of Delete command: +An example of Delete command is: ```xml @@ -289,7 +289,7 @@ The following is an example of Delete command: ## PowerShell and WMI Bridge Usage Guidance -The ApplicationControl CSP can also be managed locally from PowerShell or via Microsoft Endpoint Manager Configuration Manager's (MEMCM, formerly known as SCCM) task sequence scripting by leveraging the [WMI Bridge Provider](./using-powershell-scripting-with-the-wmi-bridge-provider.md). +The ApplicationControl CSP can also be managed locally from PowerShell or via Microsoft Endpoint Manager Configuration Manager's (MEMCM, formerly known as SCCM) task sequence scripting by using the [WMI Bridge Provider](./using-powershell-scripting-with-the-wmi-bridge-provider.md). ### Setup for using the WMI Bridge @@ -305,7 +305,7 @@ The ApplicationControl CSP can also be managed locally from PowerShell or via Mi ### Deploying a policy via WMI Bridge -Run the following command. PolicyID is a GUID which can be found in the policy xml, and should be used here without braces. +Run the following command. PolicyID is a GUID that can be found in the policy xml, and should be used here without braces. ```powershell New-CimInstance -Namespace $namespace -ClassName $policyClassName -Property @{ParentID="./Vendor/MSFT/ApplicationControl/Policies";InstanceID="";Policy=$policyBase64} diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index 61070859fe..4d6a2a787f 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md @@ -15,9 +15,9 @@ ms.date: 11/19/2019 # AppLocker CSP -The AppLocker configuration service provider is used to specify which applications are allowed or disallowed. There is no user interface shown for apps that are blocked. +The AppLocker configuration service provider is used to specify which applications are allowed or disallowed. There's no user interface shown for apps that are blocked. -The following shows the AppLocker configuration service provider in tree format. +The following example shows the AppLocker configuration service provider in tree format. ```console ./Vendor/MSFT @@ -75,7 +75,7 @@ Defines restrictions for applications. > [!NOTE] > When you create a list of allowed apps, all [inbox apps](#inboxappsandcomponents) are also blocked, and you must include them in your list of allowed apps. Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need. -> Delete/unenrollment is not properly supported unless Grouping values are unique across enrollments. If multiple enrollments use the same Grouping value, then unenrollment will not work as expected since there are duplicate URIs that get deleted by the resource manager. To prevent this problem, the Grouping value should include some randomness. The best practice is to use a randomly generated GUID. However, there is no requirement on the exact value of the node. +> Delete/unenrollment is not properly supported unless Grouping values are unique across enrollments. If multiple enrollments use the same Grouping value, then unenrollment will not work as expected since there are duplicate URIs that get deleted by the resource manager. To prevent this problem, the Grouping value should include some randomness. The best practice is to use a randomly generated GUID. However, there's no requirement on the exact value of the node. > [!NOTE] > The AppLocker CSP will schedule a reboot when a policy is applied or a deletion occurs using the AppLocker/ApplicationLaunchRestrictions/Grouping/CodeIntegrity/Policy URI. @@ -83,7 +83,7 @@ Defines restrictions for applications. Additional information: **AppLocker/ApplicationLaunchRestrictions/_Grouping_** -Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it is to determine what their purpose is, and to not conflict with other identifiers that they define. +Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it's to determine what their purpose is, and to not conflict with other identifiers that they define. Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time. Supported operations are Get, Add, Delete, and Replace. @@ -101,7 +101,7 @@ Data type is string. Supported operations are Get, Add, Delete, and Replace. **AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE/EnforcementMode** -The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). The data type is a string. @@ -125,7 +125,7 @@ Data type is string. Supported operations are Get, Add, Delete, and Replace. **AppLocker/ApplicationLaunchRestrictions/_Grouping_/MSI/EnforcementMode** -The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). The data type is a string. @@ -144,7 +144,7 @@ Data type is string. Supported operations are Get, Add, Delete, and Replace. **AppLocker/ApplicationLaunchRestrictions/_Grouping_/Script/EnforcementMode** -The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). The data type is a string. @@ -163,7 +163,7 @@ Data type is string. Supported operations are Get, Add, Delete, and Replace. **AppLocker/ApplicationLaunchRestrictions/_Grouping_/StoreApps/EnforcementMode** -The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). The data type is a string. @@ -182,7 +182,7 @@ Data type is string. Supported operations are Get, Add, Delete, and Replace. **AppLocker/ApplicationLaunchRestrictions/_Grouping_/DLL/EnforcementMode** -The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). The data type is a string. @@ -211,7 +211,7 @@ Supported operations are Get, Add, Delete, and Replace. **AppLocker/EnterpriseDataProtection** Captures the list of apps that are allowed to handle enterprise data. Should be used in conjunction with the settings in **./Device/Vendor/MSFT/EnterpriseDataProtection** in [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md). -In Windows 10, version 1607 the Windows Information Protection has a concept for allowed and exempt applications. Allowed applications can access enterprise data and the data handled by those applications are protected with encryption. Exempt applications can also access enterprise data, but the data handled by those applications are not protected. This is because some critical enterprise applications may have compatibility problems with encrypted data. +In Windows 10, version 1607 the Windows Information Protection has a concept for allowed and exempt applications. Allowed applications can access enterprise data and the data handled by those applications are protected with encryption. Exempt applications can also access enterprise data, but the data handled by those applications aren't protected. This is because some critical enterprise applications may have compatibility problems with encrypted data. You can set the allowed list using the following URI: - ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping_/EXE/Policy @@ -227,10 +227,10 @@ Exempt examples: Additional information: -- [Recommended deny list for Windows Information Protection](#recommended-deny-list-for-windows-information-protection) - example for Windows 10, version 1607 that denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. This ensures an administrator does not accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications. +- [Recommended blocklist for Windows Information Protection](#recommended-blocklist-for-windows-information-protection) - example for Windows 10, version 1607 that denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. This prevention ensures an administrator doesn't accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications. **AppLocker/EnterpriseDataProtection/_Grouping_** -Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it is to determine what their purpose is, and to not conflict with other identifiers that they define. +Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it's to determine what their purpose is, and to not conflict with other identifiers that they define. Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time. Supported operations are Get, Add, Delete, and Replace. @@ -259,7 +259,7 @@ Data type is string. Supported operations are Get, Add, Delete, and Replace. -1. On your phone under **Device discovery**, tap **Pair**. You will get a code (case sensitive). +1. On your phone under **Device discovery**, tap **Pair**. You'll get a code (case sensitive). 2. On the browser on the **Set up access page**, enter the code (case sensitive) into the text box and click **Submit**. The **Device Portal** page opens on your browser. @@ -267,11 +267,11 @@ Supported operations are Get, Add, Delete, and Replace. ![device portal screenshot.](images/applocker-screenshot1.png) 3. On the desktop **Device Portal** page, click **Apps** to open the **App Manager**. -4. On the **App Manager** page under **Running apps**, you will see the **Publisher** and **PackageFullName** of apps. +4. On the **App Manager** page under **Running apps**, you'll see the **Publisher** and **PackageFullName** of apps. ![device portal app manager.](images/applocker-screenshot3.png) -5. If you do not see the app that you want, look under **Installed apps**. Using the drop- down menu, click on the application and you get the Version, Publisher, and PackageFullName displayed. +5. If you don't see the app that you want, look under **Installed apps**. Using the drop- down menu, click on the application and you get the Version, Publisher, and PackageFullName displayed. ![app manager.](images/applocker-screenshot2.png) @@ -281,9 +281,9 @@ The following table shows the mapping of information to the AppLocker publisher |--- |--- | |PackageFullName|ProductName

                                The product name is first part of the PackageFullName followed by the version number. In the Windows Camera example, the ProductName is Microsoft.WindowsCamera.| |Publisher|Publisher| -|Version|Version

                                This can be used either in the HighSection or LowSection of the BinaryVersionRange.

                                HighSection defines the highest version number and LowSection defines the lowest version number that should be trusted. You can use a wildcard for both versions to make a version- independent rule. Using a wildcard for one of the values will provide higher than or lower than a specific version semantics.| +|Version|Version

                                The version can be used either in the HighSection or LowSection of the BinaryVersionRange.

                                HighSection defines the highest version number and LowSection defines the lowest version number that should be trusted. You can use a wildcard for both versions to make a version- independent rule. Using a wildcard for one of the values will provide higher than or lower than a specific version semantics.| -Here is an example AppLocker publisher rule: +Here's an example AppLocker publisher rule: ```xml @@ -307,7 +307,7 @@ Request URI: https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/{app ID}/applockerdata ``` -Here is the example for Microsoft OneNote: +Here's the example for Microsoft OneNote: Request @@ -330,13 +330,13 @@ Result |--- |--- | |packageIdentityName|ProductName| |publisherCertificateName|Publisher| -|windowsPhoneLegacyId|Same value maps to the ProductName and Publisher name.

                                This value will only be present if there is a XAP package associated with the app in the Store.

                                If this value is populated then the simple thing to do to cover both the AppX and XAP package would be to create two rules for the app. One rule for AppX using the packageIdentityName and publisherCertificateName value and another one using the windowsPhoneLegacyId value.| +|windowsPhoneLegacyId|Same value maps to the ProductName and Publisher name.

                                This value will only be present if there's a XAP package associated with the app in the Store.

                                If this value is populated, then the simple thing to do to cover both the AppX and XAP package would be to create two rules for the app. One rule for AppX using the packageIdentityName and publisherCertificateName value and another one using the windowsPhoneLegacyId value.| ## Settings apps that rely on splash apps -These apps are blocked unless they are explicitly added to the list of allowed apps. The following table shows the subset of Settings apps that rely on splash apps. +These apps are blocked unless they're explicitly added to the list of allowed apps. The following table shows the subset of Settings apps that rely on splash apps. The product name is first part of the PackageFullName followed by the version number. @@ -526,7 +526,7 @@ The following example blocks the usage of the map application. ``` -The following example disables the Mixed Reality Portal. In the example, the **Id** can be any generated GUID and the **Name** can be any name you choose. Note that `BinaryName="*"` allows you to block any app executable in the Mixed Reality Portal package. **Binary/VersionRange**, as shown in the example, will block all versions of the Mixed Reality Portal app. +The following example disables the Mixed Reality Portal. In the example, the **Id** can be any generated GUID and the **Name** can be any name you choose. `BinaryName="*"` allows you to block any app executable in the Mixed Reality Portal package. **Binary/VersionRange**, as shown in the example, will block all versions of the Mixed Reality Portal app. ```xml @@ -1022,7 +1022,7 @@ In this example, **MobileGroup0** is the node name. We recommend using a GUID fo ``` ## Example for Windows 10 Holographic for Business -The following example for Windows 10 Holographic for Business denies all apps and allows the minimum set of [inbox apps](#inboxappsandcomponents) to enable a working device, as well as Settings. +The following example for Windows 10 Holographic for Business denies all apps and allows the minimum set of [inbox apps](#inboxappsandcomponents) to enable a working device, and Settings. ```xml @@ -1276,8 +1276,8 @@ The following example for Windows 10 Holographic for Business denies all apps an ``` -## Recommended deny list for Windows Information Protection -The following example for Windows 10, version 1607 denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. (An administrator might still use an exempt rule, instead.) This ensures an administrator does not accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications. +## Recommended blocklist for Windows Information Protection +The following example for Windows 10, version 1607 denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. (An administrator might still use an exempt rule, instead.) This prevention ensures an administrator doesn't accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications. In this example, Contoso is the node name. We recommend using a GUID for this node. From 1b0d252ddd5d9727390e4f7242574086350fe8de Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Wed, 23 Feb 2022 12:29:53 +0530 Subject: [PATCH 42/68] Update configure-do-not-track-shortdesc.md --- .../includes/configure-do-not-track-shortdesc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/includes/configure-do-not-track-shortdesc.md b/windows/client-management/includes/configure-do-not-track-shortdesc.md index 34e7b8c42e..c5253680b3 100644 --- a/windows/client-management/includes/configure-do-not-track-shortdesc.md +++ b/windows/client-management/includes/configure-do-not-track-shortdesc.md @@ -9,4 +9,4 @@ ms.prod: edge ms.topic: include --- -Microsoft Edge doesn't send ‘Do Not Track’ requests to websites asking for tracking information, but users can choose to send tracking information to sites they visit. With this policy, you can configure Microsoft Edge to send or never send tracking information. +Microsoft Edge doesn't send ‘Do Not Track’ requests to websites that ask for tracking information. However, users can choose to send tracking information to sites they visit. With this policy, you can configure Microsoft Edge to send or never send tracking information. From 1b9cb9e4d7636876eeb8542dda9a06296f471be8 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Wed, 23 Feb 2022 18:41:59 +0530 Subject: [PATCH 43/68] Acrolinx score enhancement --- .../mdm/appv-deploy-and-config.md | 6 +- .../mdm/assignedaccess-csp.md | 30 +-- ...e-active-directory-integration-with-mdm.md | 20 +- .../client-management/mdm/bitlocker-csp.md | 172 +++++++++--------- ...ollment-using-windows-provisioning-tool.md | 36 ++-- .../mdm/cellularsettings-csp.md | 2 +- .../mdm/certificatestore-csp.md | 52 +++--- .../change-history-for-mdm-documentation.md | 30 +-- 8 files changed, 174 insertions(+), 174 deletions(-) diff --git a/windows/client-management/mdm/appv-deploy-and-config.md b/windows/client-management/mdm/appv-deploy-and-config.md index ac7cb56c39..79bb949ff1 100644 --- a/windows/client-management/mdm/appv-deploy-and-config.md +++ b/windows/client-management/mdm/appv-deploy-and-config.md @@ -23,7 +23,7 @@ manager: dansimp [EnterpriseAppVManagement CSP reference](./enterpriseappvmanagement-csp.md) -The following shows the EnterpriseAppVManagement configuration service provider in tree format. +The following example shows the EnterpriseAppVManagement configuration service provider in tree format. ```console ./Vendor/MSFT @@ -54,7 +54,7 @@ EnterpriseAppVManagement ------------Policy ``` -

                                (./User/Vendor/MSFT/EnterpriseAppVManagement) contains the following sub-nodes.

                                +

                                (./User/Vendor/MSFT/EnterpriseAppVManagement) contains the following subnodes.

                                AppVPublishing - An exec action node that contains the App-V publishing configuration for an MDM device (applied globally to all users for that device) or a specific MDM user.

                                @@ -144,7 +144,7 @@ EnterpriseAppVManagement #### Configure App-V client -

                                This example shows how to allow package scripts to run during package operations (publish, run, and unpublish). Allowing package scripts assists in package deployments (add and publish of App-V apps).

                                +

                                This example shows how to allow package scripts to run during package operations (publish, run, and unpublish). Allowing package scripts helps package deployments (add and publish of App-V apps).

                                ```xml diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index 15f4ca1e01..2d0d1a0b7d 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -14,7 +14,7 @@ ms.date: 09/18/2018 # AssignedAccess CSP -The AssignedAccess configuration service provider (CSP) is used to set the device to run in kiosk mode. Once the CSP has been executed, then the next user login that is associated with the kiosk mode puts the device into the kiosk mode running the application specified in the CSP configuration. +The AssignedAccess configuration service provider (CSP) is used to set the device to run in kiosk mode. Once the CSP has been executed, then the next user sign in that is associated with the kiosk mode puts the device into the kiosk mode running the application specified in the CSP configuration. For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](/windows/configuration/kiosk-single-app) @@ -29,7 +29,7 @@ For a step-by-step guide for setting up devices to run in kiosk mode, see [Set u > [!Note] > The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting from Windows 10, version 1709 it is also supported in Windows 10 Pro and Windows 10 S. Starting in Windows 10, version 1803, it is also supported in Windows Holographic for Business edition. -The following shows the AssignedAccess configuration service provider in tree format +The following example shows the AssignedAccess configuration service provider in tree format ``` ./Vendor/MSFT @@ -54,7 +54,7 @@ For a step-by-step guide for setting up devices to run in kiosk mode, see [Set u > Starting in Windows 10, version 1803 the KioskModeApp node becomes No-Op if Configuration node is configured on the device. That Add/Replace/Delete command on KioskModeApp node always returns SUCCESS to the MDM server if Configuration node is set, but the data of KioskModeApp will not take any effect on the device. Get command on KioskModeApp will return the configured JSON string even it’s not effective. > [!Note] -> You cannot set both KioskModeApp and ShellLauncher at the same time on the device. +> You can't set both KioskModeApp and ShellLauncher at the same time on the device. Starting in Windows 10, version 1607, you can use a provisioned app to configure the kiosk mode. For more information about how to remotely provision an app, see [Enterprise app management](enterprise-app-management.md). @@ -69,7 +69,7 @@ Here's an example: > > This applies to both domain\account, AzureAD\someone@contoso.onmicrosoft.com, i.e. as long as a \ used in JSON string.  -When configuring the kiosk mode app, the account name will be used to find the target user. The account name includes domain name and user name. +When the kiosk mode app is being configured, the account name will be used to find the target user. The account name includes domain name and user name. > [!Note] > The domain name can be optional if the user name is unique across the system. @@ -80,7 +80,7 @@ For a local account, the domain name should be the device name. When Get is exec The supported operations are Add, Delete, Get and Replace. When there's no configuration, the Get and Delete methods fail. When there's already a configuration for kiosk mode app, the Add method fails. The data pattern for Add and Replace is the same. **./Device/Vendor/MSFT/AssignedAccess/Configuration** -Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps). Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd). +Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps). Here's the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd). > [!Note] > In Windows 10, version 1803 the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk. @@ -91,18 +91,18 @@ Enterprises can use this to easily configure and manage the curated lockdown exp Supported operations are Add, Get, Delete, and Replace. -Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies back (e.g. Start Layout). +Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it can't revert all the enforced policies back (for example, Start Layout). **./Device/Vendor/MSFT/AssignedAccess/Status** Added in Windows 10, version 1803. This read only polling node allows MDM server to query the current KioskModeAppRuntimeStatus as long as the StatusConfiguration node is set to “On” or “OnWithAlerts”. If the StatusConfiguration is “Off”, a node not found error will be reported to the MDM server. Click [link](#status-example) to see an example SyncML. [Here](#assignedaccessalert-xsd) is the schema for the Status payload. -In Windows 10, version 1803, Assigned Access runtime status only supports monitoring single app kiosk mode. Here are the possible status available for single app kiosk mode. +In Windows 10, version 1803, Assigned Access runtime status only supports monitoring single app kiosk mode. Here are the possible statuses available for single app kiosk mode. |Status |Description | |---------|---------|---------| -| KioskModeAppRunning | This means the kiosk app is running normally. | -| KioskModeAppNotFound | This occurs when the kiosk app is not deployed to the machine. | -| KioskModeAppActivationFailure | This happens when the assigned access controller detects the process terminated unexpectedly after exceeding the max retry. | +| KioskModeAppRunning | This status means the kiosk app is running normally. | +| KioskModeAppNotFound | This state occurs when the kiosk app isn't deployed to the machine. | +| KioskModeAppActivationFailure | This state occurs when the assigned access controller detects the process terminated unexpectedly after exceeding the max retry. | > [!NOTE] > Status codes available in the Status payload correspond to a specific KioskModeAppRuntimeStatus. @@ -145,7 +145,7 @@ Supported operation is Get. Added in Windows 10,version 1803. This node accepts a ShellLauncherConfiguration xml as input. Click [link](#shelllauncherconfiguration-xsd) to see the schema. Shell Launcher V2 is introduced in Windows 10, version 1903 to support both UWP and Win32 apps as the custom shell. For more information, see [Shell Launcher](/windows/configuration/kiosk-shelllauncher). > [!Note] -> You cannot set both ShellLauncher and KioskModeApp at the same time on the device. +> You can't set both ShellLauncher and KioskModeApp at the same time on the device. > > Configuring Shell Launcher using the ShellLauncher node automatically enables the Shell Launcher feature if it is available within the SKU. I. Shell Launcher as a feature and the ShellLauncher node both require Windows Enterprise or Windows Education to function. > @@ -154,9 +154,9 @@ Added in Windows 10,version 1803. This node accepts a ShellLauncherConfiguration **./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration** Added in Windows 10, version 1803. This node accepts a StatusConfiguration xml as input to configure the Kiosk App Health monitoring. There are three possible values for StatusEnabled node inside StatusConfiguration xml: On, OnWithAlerts, and Off. Click [link](#statusconfiguration-xsd) to see the StatusConfiguration schema. -By default the StatusConfiguration node does not exist, and it implies this feature is off. Once enabled via CSP, Assigned Access will check kiosk app status and wait for MDM server to query the latest status from the Status node. +By default, the StatusConfiguration node doesn't exist, and it implies this feature is off. Once enabled via CSP, Assigned Access will check kiosk app status and wait for MDM server to query the latest status from the Status node. -Optionally, the MDM server can opt-in to the MDM alert so a MDM alert will be generated and sent immediately to the MDM server when the assigned access runtime status is changed. This MDM alert will contain the status payload that is available via the Status node. +Optionally, the MDM server can opt in to the MDM alert so that an MDM alert will be generated and sent immediately to the MDM server when the assigned access runtime status is changed. This MDM alert will contain the status payload that is available via the Status node. This MDM alert header is defined as follows: @@ -431,7 +431,7 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release. ``` -Here is the schema for new features introduced in Windows 10 1809 release +Here's the schema for new features introduced in Windows 10 1809 release ```xml ``` -To authorize a compatible configuration XML that includes 1809 or prerelease elements and attributes, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. e.g. to configure auto-launch feature which is added in 1809 release, use below sample, notice an alias r1809 is given to the 201810 namespace for 1809 release, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline. +To authorize a compatible configuration XML that includes 1809 or prerelease elements and attributes, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure auto-launch feature that is added in 1809 release, use below sample, notice an alias r1809 is given to the 201810 namespace for 1809 release, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline. ```xml /ContosoMDM`, then select OK. @@ -168,7 +168,7 @@ The application keys used by your MDM service are a sensitive resource. They sho For security best practices, see [Windows Azure Security Essentials](https://go.microsoft.com/fwlink/p/?LinkId=613715). -You can rollover the application keys used by a cloud-based MDM service without requiring a customer interaction. There's a single set of keys across all customer tenants that are managed by the MDM vendor in their Azure AD tenant. +You can roll over the application keys used by a cloud-based MDM service without requiring a customer interaction. There's a single set of keys across all customer tenants that are managed by the MDM vendor in their Azure AD tenant. For the on-premises MDM, the Azure AD authentication keys are within the customer tenant and must be rolled over by the customer's administrator. To improve security, provide guidance to customers about rolling over and protecting the keys. @@ -326,7 +326,7 @@ The following table shows the error codes. |Cause|HTTP status|Error|Description| |--- |--- |--- |--- | |api-version|302|invalid_request|unsupported version| -|Tenant or user data are missing or other required prerequisites for device enrollment are not met|302|unauthorized_client|unauthorized user or tenant| +|Tenant or user data are missing or other required prerequisites for device enrollment aren't met|302|unauthorized_client|unauthorized user or tenant| |Azure AD token validation failed|302|unauthorized_client|unauthorized_client| |internal service error|302|server_error|internal service error| @@ -358,7 +358,7 @@ With Azure integrated MDM enrollment, there's no discovery phase and the discove There are two different MDM enrollment types that integrate with Azure AD, and use Azure AD user and device identities. Depending on the enrollment type, the MDM service may need to manage a single user or multiple users. **Multiple user management for Azure AD joined devices** -In this scenario the MDM enrollment applies to every Azure AD user who signs in to the Azure AD joined device - call this enrollment type a device enrollment or a multi-user enrollment. The management server can determine the user identity, determine what policies are targeted for this user, and send corresponding policies to the device. To allow management server to identify current user that is logged on to the device, the OMA DM client uses the Azure AD user tokens. Each management session contains an additional HTTP header that contains an Azure AD user token. This information is provided in the DM package sent to the management server. However, in some circumstances Azure AD user token isn't sent over to the management server. One such scenario happens immediately after MDM enrollments completes during Azure AD join process. Until Azure AD join process is finished and Azure AD user signs on to the machine, Azure AD user token isn't available to OMA-DM process. Typically MDM enrollment completes before Azure AD user sign in to machine and the initial management session does not contain an Azure AD user token. The management server should check if the token is missing and only send device policies in such case. Another possible reason for a missing Azure AD token in the OMA-DM payload is when a guest user is logged on to the device. +In this scenario the MDM enrollment applies to every Azure AD user who signs in to the Azure AD joined device - call this enrollment type a device enrollment or a multi-user enrollment. The management server can determine the user identity, determine what policies are targeted for this user, and send corresponding policies to the device. To allow management server to identify current user that is logged on to the device, the OMA DM client uses the Azure AD user tokens. Each management session contains an extra HTTP header that contains an Azure AD user token. This information is provided in the DM package sent to the management server. However, in some circumstances Azure AD user token isn't sent over to the management server. One such scenario happens immediately after MDM enrollments completes during Azure AD join process. Until Azure AD join process is finished and Azure AD user signs on to the machine, Azure AD user token isn't available to OMA-DM process. Typically, MDM enrollment completes before Azure AD user sign in to machine and the initial management session doesn't contain an Azure AD user token. The management server should check if the token is missing and only send device policies in such case. Another possible reason for a missing Azure AD token in the OMA-DM payload is when a guest user is logged on to the device. **Adding a work account and MDM enrollment to a device** In this scenario, the MDM enrollment applies to a single user who initially added their work account and enrolled the device. In this enrollment type, the management server can ignore Azure AD tokens that may be sent over during management session. Whether Azure AD token is present or missing, the management server sends both user and device policies to the device. @@ -370,7 +370,7 @@ The Azure AD token is in the HTTP Authorization header in the following format: Authorization:Bearer ``` -Additional claims may be present in the Azure AD token, such as: +More claims may be present in the Azure AD token, such as: - User - user currently logged in - Device compliance - value set the MDM service into Azure @@ -411,9 +411,9 @@ An alert is sent to the MDM server in DM package\#1. - Alert type - com.microsoft/MDM/LoginStatus - Alert format - chr -- Alert data - provide login status information for the current active logged in user. - - Logged in user who has an Azure AD account - predefined text: user. - - Logged in user without an Azure AD account- predefined text: others. +- Alert data - provide sign-in status information for the current active logged in user. + - Signed-in user who has an Azure AD account - predefined text: user. + - Signed-in user without an Azure AD account- predefined text: others. - No active user - predefined text:none Here's an example. @@ -477,7 +477,7 @@ Response: ## Data loss during unenrollment from Azure Active Directory Join -When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there's no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data. +When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there's no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message doesn't indicate the loss of WIP data. ![aadj unenrollment.](images/azure-ad-unenrollment.png) diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 6b83e9c150..f269887364 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -14,19 +14,19 @@ ms.collection: highpri --- # BitLocker CSP -The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it is also supported in Windows 10 Pro. +The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it's also supported in Windows 10 Pro. > [!NOTE] -> Settings are enforced only at the time encryption is started. Encryption is not restarted with settings changes. +> Settings are enforced only at the time encryption is started. Encryption isn't restarted with settings changes. > > You must send all the settings together in a single SyncML to be effective. A `Get` operation on any of the settings, except for `RequireDeviceEncryption` and `RequireStorageCardEncryption`, returns the setting configured by the admin. -For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if Trusted Platform Module (TPM) protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption does not verify that a minimum PIN length is enforced (SystemDrivesMinimumPINLength). +For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if Trusted Platform Module (TPM) protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption doesn't verify that a minimum PIN length is enforced (SystemDrivesMinimumPINLength). -The following shows the BitLocker configuration service provider in tree format. +The following example shows the BitLocker configuration service provider in tree format. ```console ./Device/Vendor/MSFT @@ -84,7 +84,7 @@ Supported operations are Add, Get, Replace, and Delete. Status of OS volumes and encryptable fixed data volumes are checked with a Get operation. Typically, BitLocker/Device Encryption will follow whichever value [EncryptionMethodByDriveType](#encryptionmethodbydrivetype) policy is set to. However, this policy setting will be ignored for self-encrypting fixed drives and self-encrypting OS drives. -Encryptable fixed data volumes are treated similarly to OS volumes. However, fixed data volumes must meet additional criteria to be considered encryptable: +Encryptable fixed data volumes are treated similarly to OS volumes. However, fixed data volumes must meet other criteria to be considered encryptable: - It must not be a dynamic volume. - It must not be a recovery partition. @@ -95,8 +95,8 @@ Encryptable fixed data volumes are treated similarly to OS volumes. However, fix The following list shows the supported values: -- 0 (default) —Disable. If the policy setting is not set or is set to 0, the device's enforcement status is not checked. The policy does not enforce encryption and it does not decrypt encrypted volumes. -- 1 – Enable. The device's enforcement status is checked. Setting this policy to 1 triggers encryption of all drives (silently or non-silently based on [AllowWarningForOtherDiskEncryption](#allowwarningforotherdiskencryption) policy). +- 0 (default)—Disable. If the policy setting isn't set or is set to 0, the device's enforcement status isn't checked. The policy doesn't enforce encryption and it doesn't decrypt encrypted volumes. +- 1–Enable. The device's enforcement status is checked. Setting this policy to 1 triggers encryption of all drives (silently or non-silently based on [AllowWarningForOtherDiskEncryption](#allowwarningforotherdiskencryption) policy). If you want to disable this policy, use the following SyncML: @@ -154,9 +154,9 @@ ADMX Info: This setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress. -If you enable this setting you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10, version 1511. +If you enable this setting you'll be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that aren't running Windows 10, version 1511. -If you disable or do not configure this policy setting, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by any setup script. +If you disable or don't configure this policy setting, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by any setup script. Sample value for this node to enable this policy and set the encryption methods is: @@ -178,7 +178,7 @@ EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for remov > [!NOTE] > When you enable EncryptionMethodByDriveType, you must specify values for all three drives (operating system, fixed data, and removable data), otherwise it will fail (500 return status). For example, if you only set the encrytion method for the OS and removable drives, you will get a 500 return status. - If you want to disable this policy use the following SyncML: + If you want to disable this policy, use the following SyncML: ```xml @@ -228,11 +228,11 @@ ADMX Info: This setting is used to establish an identifier that is applied to all drives that are encrypted in your organization. -Identifiers are usually stored as the identification field and the allowed identification field. You can configure the following identification fields on existing drives by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde): +Identifiers are stored as the identification field and the allowed identification field. You can configure the following identification fields on existing drives by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde): - **BitLocker identification field**: It allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker. This identifier is automatically added to new BitLocker-protected drives, and it can be updated on existing BitLocker-protected drives by using the Manage-bde command-line tool. For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). An identification field is required to manage certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker manages and updates data recovery agents only when the identification field on the drive matches the value that is configured in the identification field. In a similar manner, BitLocker updates the BitLocker To Go Reader only when the identification field on the drive matches the value that is configured for the identification field. -- **Allowed BitLocker identification field**: The allowed identification field is used in combination with the 'Deny write access to removable drives not protected by BitLocker' policy setting to help control the use of removable drives in your organization. It is a comma-separated list of identification fields from your organization or external organizations. +- **Allowed BitLocker identification field**: The allowed identification field is used in combination with the 'Deny write access to removable drives not protected by BitLocker' policy setting to help control the use of removable drives in your organization. It's a comma-separated list of identification fields from your organization or external organizations. >[!Note] >When a BitLocker-protected drive is mounted on another BitLocker-enabled computer, the identification field and the allowed identification field are used to determine whether the drive is from an outside organization. @@ -245,12 +245,12 @@ Sample value for this node to enable this policy is: ``` -Data Id: +Data ID: - IdentificationField: BitLocker identification field - SecIdentificationField: Allowed BitLocker identification field -If you disable or do not configure this setting, the identification field is not required. +If you disable or don't configure this setting, the identification field isn't required. >[!Note] >Multiple values separated by commas can be entered in the identification and allowed identification fields. The identification field can be any value up to 260 characters. @@ -286,7 +286,7 @@ ADMX Info: > [!TIP] > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). -This setting allows users on devices that are compliant with InstantGo or Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for pre-boot authentication. This overrides the "Require startup PIN with TPM" option of the "Require additional authentication at startup" policy on compliant hardware. +This setting allows users on devices that are compliant with InstantGo or Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for pre-boot authentication. This setting overrides the "Require startup PIN with TPM" option of the "Require additional authentication at startup" policy on compliant hardware. If you enable this policy setting, users on InstantGo and HSTI compliant devices will have the choice to turn on BitLocker without pre-boot authentication. @@ -331,9 +331,9 @@ ADMX Info: This setting permits the use of enhanced PINs when you use an unlock method that includes a PIN. Enhanced startup PINs permit the usage of characters (including uppercase and lowercase letters, symbols, numbers, and spaces). This policy setting is applied when you turn on BitLocker. >[!Note] ->Not all computers support enhanced PIN characters in the preboot environment. It is strongly recommended that users perform a system check during the BitLocker setup to verify that enhanced PIN characters can be used. +>Not all computers support enhanced PIN characters in the preboot environment. It's strongly recommended that users perform a system check during the BitLocker setup to verify that enhanced PIN characters can be used. -If you enable this policy setting, all new BitLocker startup PINs that are set will be enhanced PINs. Existing drives that were protected by using standard startup PINs are not affected. +If you enable this policy setting, all new BitLocker startup PINs that are set will be enhanced PINs. Existing drives that were protected by using standard startup PINs aren't affected. Sample value for this node to enable this policy is: @@ -341,7 +341,7 @@ Sample value for this node to enable this policy is: ``` -If you disable or do not configure this policy setting, enhanced PINs will not be used. +If you disable or don't configure this policy setting, enhanced PINs won't be used. @@ -378,9 +378,9 @@ This policy setting allows you to configure whether or not standard users are al >[!Note] >To change the PIN or password, the user must be able to provide the current PIN or password. This policy setting is applied when you turn on BitLocker. -If you enable this policy setting, standard users will not be allowed to change BitLocker PINs or passwords. +If you enable this policy setting, standard users won't be allowed to change BitLocker PINs or passwords. -If you disable or do not configure this policy setting, standard users will be permitted to change BitLocker PINs or passwords. +If you disable or don't configure this policy setting, standard users will be permitted to change BitLocker PINs or passwords. Sample value for this node to disable this policy is: @@ -418,9 +418,9 @@ ADMX Info: > [!TIP] > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). -The Windows touch keyboard (such as used by tablets) is not available in the preboot environment where BitLocker requires additional information, such as a PIN or password. +The Windows touch keyboard (such as used by tablets) isn't available in the preboot environment where BitLocker requires additional information, such as a PIN or password. -It is recommended that administrators enable this policy only for devices that are verified to have an alternative means of preboot input, such as attaching a USB keyboard. +It's recommended that administrators enable this policy only for devices that are verified to have an alternative means of preboot input, such as attaching a USB keyboard. Sample value for this node to enable this policy is: @@ -429,10 +429,10 @@ Sample value for this node to enable this policy is: ``` If this policy is disabled, the Windows Recovery Environment must be enabled on tablets to support entering the BitLocker recovery password. -When the Windows Recovery Environment is not enabled and this policy is not enabled, you cannot turn on BitLocker on a device that uses the Windows touch keyboard. +When the Windows Recovery Environment isn't enabled and this policy isn't enabled, you can't turn on BitLocker on a device that uses the Windows touch keyboard. >[!Note] ->If you do not enable this policy setting, the following options in the **Require additional authentication at startup policy** might not be available: +>If you don't enable this policy setting, the following options in the **Require additional authentication at startup policy** might not be available: > >- Configure TPM startup PIN: Required and Allowed >- Configure TPM startup key and PIN: Required and Allowed @@ -471,7 +471,7 @@ ADMX Info: This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on. -If you enable this policy setting, the encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option is not presented in the BitLocker Setup Wizard. +If you enable this policy setting, the encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option isn't presented in the BitLocker Setup Wizard. Sample value for this node to enable this policy is: @@ -483,7 +483,7 @@ If this policy is disabled, the BitLocker Setup Wizard asks the user to select t >[!Note] >This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. ->For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: manage-bde -w. If the volume is shrunk, no action is taken for the new free space. +>For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: manage-bde -w. If the volume is shrunk, no action is taken for the new free space. For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). @@ -507,7 +507,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Require addition ADMX Info:
                                  -
                                • GP Friendly name: Require additional authentication at startup
                                  • +
                                • GP Friendly name: Require more authentication at startup
                                • GP name: ConfigureAdvancedStartup_Name
                                • GP path: Windows Components/BitLocker Drive Encryption/Operating System Drives
                                • GP ADMX file name: VolumeEncryption.admx
                                  • @@ -517,12 +517,12 @@ ADMX Info: > [!TIP] > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). -This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a TPM. This setting is applied when you turn on BitLocker. +This setting allows you to configure whether BitLocker requires more authentication each time the computer starts and whether you're using BitLocker with or without a TPM. This setting is applied when you turn on BitLocker. > [!NOTE] > Only one of the additional authentication options can be required at startup, otherwise an error occurs. -If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive. +If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When a startup key is being used, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you've forgotten the password, then you'll need to use one of the BitLocker recovery options to access the drive. On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both. @@ -531,21 +531,21 @@ On a computer with a compatible TPM, four types of authentication methods can be If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard. -If you disable or do not configure this setting, users can configure only basic options on computers with a TPM. +If you disable or don't configure this setting, users can configure only basic options on computers with a TPM. > [!NOTE] > If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard. > [!NOTE] > Devices that pass Hardware Security Testability Specification (HSTI) validation or Modern -> Standby devices will not be able to configure a Startup PIN using this CSP. Users are required to manually configure the PIN. +> Standby devices won't be able to configure a Startup PIN using this CSP. Users are required to manually configure the PIN. Sample value for this node to enable this policy is: ```xml ``` -Data id: +Data ID:
                                  • ConfigureNonTPMStartupKeyUsage_Name = Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive).
                                  • ConfigureTPMStartupKeyUsageDropDown_Name = (for computer with TPM) Configure TPM startup key.
                                    • @@ -567,7 +567,7 @@ The possible values for 'yy' are:
                                  • 0 = Disallowed
                                  -Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: +Disabling the policy will let the system choose the default behaviors. If you want to disable this policy, use the following SyncML: ```xml @@ -614,16 +614,16 @@ ADMX Info: > [!TIP] > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). -This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits. +This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of six digits and can have a maximum length of 20 digits. > [!NOTE] > In Windows 10, version 1703 release B, you can use a minimum PIN length of 4 digits. > ->In TPM 2.0 if minimum PIN length is set below 6 digits, Windows will attempt to update the TPM lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset. This does not apply to TPM 1.2. +>In TPM 2.0 if minimum PIN length is set below 6 digits, Windows will attempt to update the TPM lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset. This doesn't apply to TPM 1.2. If you enable this setting, you can require a minimum number of digits to be used when setting the startup PIN. -If you disable or do not configure this setting, users can configure a startup PIN of any length between 6 and 20 digits. +If you disable or don't configure this setting, users can configure a startup PIN of any length between 6 and 20 digits. Sample value for this node to enable this policy is: @@ -631,7 +631,7 @@ Sample value for this node to enable this policy is: ``` -Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: +Disabling the policy will let the system choose the default behaviors. If you want to disable this policy, use the following SyncML: ```xml @@ -683,7 +683,7 @@ ADMX Info: This setting lets you configure the entire recovery message or replace the existing URL that is displayed on the pre-boot key recovery screen when the OS drive is locked. -If you set the value to "1" (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value "1" (Use default recovery message and URL). +If you set the value to "1" (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you've previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value "1" (Use default recovery message and URL). If you set the value to "2" (Use custom recovery message), the message you set in the "RecoveryMessage_Input" data field will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message. @@ -707,7 +707,7 @@ The possible values for 'xx' are: > [!NOTE] > When you enable SystemDrivesRecoveryMessage, you must specify values for all three settings (pre-boot recovery screen, recovery message, and recovery URL), otherwise it will fail (500 return status). For example, if you only specify values for message and URL, you will get a 500 return status. -Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: +Disabling the policy will let the system choose the default behaviors. If you want to disable this policy, use the following SyncML: ```xml @@ -725,7 +725,7 @@ Disabling the policy will let the system choose the default behaviors. If you w ``` > [!NOTE] -> Not all characters and languages are supported in pre-boot. It is strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen. +> Not all characters and languages are supported in pre-boot. It's strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen. Data type is string. Supported operations are Add, Get, Replace, and Delete. @@ -760,22 +760,22 @@ ADMX Info: This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This setting is applied when you turn on BitLocker. -The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents. +The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. For more information about adding data recovery agents, consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet. In "OSRecoveryPasswordUsageDropDown_Name" and "OSRecoveryKeyUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. -Set "OSHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. +Set "OSHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This setting means that you won't be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. Set "OSActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services), to choose which BitLocker recovery information to store in AD DS for operating system drives (OSActiveDirectoryBackupDropDown_Name). If you set "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you set "2" (Backup recovery password only), only the recovery password is stored in AD DS. -Set the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. +Set the "OSRequireActiveDirectoryBackup_Name" (Don't enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. > [!NOTE] -> If the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field is set, a recovery password is automatically generated. +> If the "OSRequireActiveDirectoryBackup_Name" (Don't enable BitLocker until recovery information is stored in AD DS for operating system drives) data field is set, a recovery password is automatically generated. If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives. -If this setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS. +If this setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information isn't backed up to AD DS. Sample value for this node to enable this policy is: @@ -796,7 +796,7 @@ The possible values for 'zz' are: - 2 = Store recovery passwords only - 1 = Store recovery passwords and key packages -Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: +Disabling the policy will let the system choose the default behaviors. If you want to disable this policy, use the following SyncML: ```xml @@ -846,24 +846,24 @@ ADMX Info: This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker. -The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents. +The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. For more information about adding data recovery agents, consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet. In "FDVRecoveryPasswordUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. -Set "FDVHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. +Set "FDVHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This setting means that you won't be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. Set "FDVActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services) to enable saving the recovery key to AD. -Set the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. +Set the "FDVRequireActiveDirectoryBackup_Name" (Don't enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. Set the "FDVActiveDirectoryBackupDropDown_Name" (Configure storage of BitLocker recovery information to AD DS) to choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "2" (Backup recovery password only) only the recovery password is stored in AD DS. > [!NOTE] -> If the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field is set, a recovery password is automatically generated. +> If the "FDVRequireActiveDirectoryBackup_Name" (Don't enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field is set, a recovery password is automatically generated. If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives. -If this setting is not configured or disabled, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS. +If this setting isn't configured or disabled, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information isn't backed up to AD DS. Sample value for this node to enable this policy is: @@ -891,7 +891,7 @@ The possible values for 'zz' are:
                                • 1 = Store recovery passwords and key packages
                                -Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: +Disabling the policy will let the system choose the default behaviors. If you want to disable this policy, use the following SyncML: ```xml @@ -941,7 +941,7 @@ ADMX Info: This setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer. -If you enable this setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. +If you enable this setting, all fixed data drives that aren't BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. Sample value for this node to enable this policy is: @@ -949,7 +949,7 @@ Sample value for this node to enable this policy is: ``` -If you disable or do not configure this setting, all fixed data drives on the computer will be mounted with read and write access. If you want to disable this policy use the following SyncML: +If you disable or don't configure this setting, all fixed data drives on the computer will be mounted with read and write access. If you want to disable this policy, use the following SyncML: ```xml @@ -1001,7 +1001,7 @@ This policy setting is applied when you turn on BitLocker and controls whether f Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on. -If you enable this policy setting, the encryption type that BitLocker uses to encrypt drives, and the encryption type option is not presented in the BitLocker Setup Wizard. +If you enable this policy setting, the encryption type that BitLocker uses to encrypt drives, and the encryption type option isn't presented in the BitLocker Setup Wizard. Sample value for this node to enable this policy is: @@ -1012,8 +1012,8 @@ Sample value for this node to enable this policy is: If this policy is disabled, the BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker. >[!Note] ->This policy is ignored when you are shrinking or expanding a volume and the BitLocker driver uses the current encryption method. ->For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that is using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: manage-bde -w. If the volume is shrunk, no action is taken for the new free space. +>This policy is ignored when you're shrinking or expanding a volume and the BitLocker driver uses the current encryption method. +>For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that is using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: manage-bde -w. If the volume is shrunk, no action is taken for the new free space. For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). @@ -1049,11 +1049,11 @@ ADMX Info: This setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive. -If you enable this setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. +If you enable this setting, all removable data drives that aren't BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. -If the "RDVCrossOrg" (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" group policy setting. +If the "RDVCrossOrg" (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed, it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" group policy setting. -If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access. +If you disable or don't configure this policy setting, all removable data drives on the computer will be mounted with read and write access. > [!NOTE] > This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" group policy setting is enabled this policy setting will be ignored. @@ -1070,7 +1070,7 @@ The possible values for 'xx' are:
                              • false = Policy not set
                              -Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: +Disabling the policy will let the system choose the default behaviors. If you want to disable this policy, use the following SyncML: ```xml @@ -1120,7 +1120,7 @@ This policy controls whether removed data drives utilize Full encryption or Used Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on. -If you enable this policy setting, the encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option is not presented in the BitLocker Setup Wizard. +If you enable this policy setting, the encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option isn't presented in the BitLocker Setup Wizard. Sample value for this node to enable this policy is: @@ -1166,7 +1166,7 @@ For information about suspending BitLocker protection, see [BitLocker Basic Depl The options for choosing property settings that control how users can configure BitLocker are: -- **Allow users to apply BitLocker protection on removable data drives**: Enables the user to enable BitLocker on a removable data drives. +- **Allow users to apply BitLocker protection on removable data drives**: Enables the user to enable BitLocker on a removable data drive. - **Allow users to suspend and decrypt BitLocker on removable data drives**: Enables the user to remove BitLocker from the drive or to suspend the encryption while performing maintenance. If you enable this policy setting, you can select property settings that control how users can configure BitLocker. @@ -1176,13 +1176,13 @@ Sample value for this node to enable this policy is: ```xml ``` -Data id: +Data ID: - RDVAllowBDE_Name: Allow users to apply BitLocker protection on removable data drives - RDVDisableBDE_Name: Allow users to suspend and decrypt BitLocker on removable data drives -If this policy is disabled,users cannot use BitLocker on removable disk drives. +If this policy is disabled, users can't use BitLocker on removable disk drives. -If you do not configure this policy setting, users can use BitLocker on removable disk drives. +If you don't configure this policy setting, users can use BitLocker on removable disk drives. @@ -1247,7 +1247,7 @@ Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where pol "AllowStandardUserEncryption" policy is tied to "AllowWarningForOtherDiskEncryption" policy being set to "0", i.e, silent encryption is enforced. -If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user is the current logged on user in the system. +If "AllowWarningForOtherDiskEncryption" isn't set, or is set to "1", "RequireDeviceEncryption" policy won't try to encrypt drive(s) if a standard user is the current logged on user in the system. |Edition|Windows 10|Windows 11| @@ -1263,9 +1263,9 @@ If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDe The expected values for this policy are: - 1 = "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user. -- 0 = This is the default, when the policy is not set. If current logged on user is a standard user, "RequireDeviceEncryption" policy will not try to enable encryption on any drive. +- 0 = This value is the default value, when the policy isn't set. If current logged on user is a standard user, "RequireDeviceEncryption" policy won't try to enable encryption on any drive. -If you want to disable this policy use the following SyncML: +If you want to disable this policy, use the following SyncML: ```xml @@ -1322,16 +1322,16 @@ Supported values are: -This setting refreshes all recovery passwords for OS and fixed drives (removable drives are not included so they can be shared between users). All recovery passwords for all drives will be refreshed and only one password per volume is retained. In case of errors, an error code will be returned so that server can take appropriate action to remediate. +This setting refreshes all recovery passwords for OS and fixed drives (removable drives aren't included so they can be shared between users). All recovery passwords for all drives will be refreshed and only one password per volume is retained. If errors occur, an error code will be returned so that server can take appropriate action to remediate. The client will generate a new recovery password. The client will use the existing API in Azure AD to upload the new recovery key and retry on failure. -Policy type is Execute. When “Execute Policy” is pushed, the client sets the status as Pending and initiates an asynchronous rotation operation. After refresh is complete, pass or fail status is updated. The client will not retry, but if needed, the server can re-issue the execute request. +Policy type is Execute. When “Execute Policy” is pushed, the client sets the status as Pending and initiates an asynchronous rotation operation. After refresh is complete, pass or fail status is updated. The client won't retry, but if needed, the server can reissue the execute request. Server can call Get on the RotateRecoveryPasswordsRotationStatus node to query the status of the refresh. -Recovery password refresh will only occur for devices that are joined to Azure AD or joined to both Azure AD and on-premises (hybrid Azure AD-joined) that run a Windows 10 edition with the BitLocker CSP (Pro/Enterprise). Devices cannot refresh recovery passwords if they are only registered in Azure AD (also known as workplace-joined) or signed in with a Microsoft account. +Recovery password refresh will only occur for devices that are joined to Azure AD or joined to both Azure AD and on-premises (hybrid Azure AD-joined) that run a Windows 10 edition with the BitLocker CSP (Pro/Enterprise). Devices can't refresh recovery passwords if they're only registered in Azure AD (also known as workplace-joined) or signed in with a Microsoft account. Each server-side recovery key rotation is represented by a request ID. The server can query the following nodes to make sure it reads status/result for same rotation request. - RotateRecoveryPasswordsRequestID: Returns request ID of last request processed. @@ -1387,26 +1387,26 @@ Value type is int. Supported operation is Get. Supported values: - 0 - Indicates that the device is compliant. -- Any non-zero value - Indicates that the device is not compliant. This value represents a bitmask with each bit and the corresponding error code described in the following table: +- Any non-zero value - Indicates that the device isn't compliant. This value represents a bitmask with each bit and the corresponding error code described in the following table: | Bit | Error Code | |-----|------------| | 0 |The BitLocker policy requires user consent to launch the BitLocker Drive Encryption Wizard to start encryption of the OS volume but the user didn't consent.| -| 1 |The encryption method of the OS volume doesn't match the BitLocker policy.| +| 1 |The encryption method of the OS volume does not match the BitLocker policy.| | 2 |The OS volume is unprotected.| -| 3 |The BitLocker policy requires a TPM-only protector for the OS volume, but TPM protection isn't used.| -| 4 |The BitLocker policy requires TPM+PIN protection for the OS volume, but a TPM+PIN protector isn't used.| -| 5 |The BitLocker policy requires TPM+startup key protection for the OS volume, but a TPM+startup key protector isn't used.| -| 6 |The BitLocker policy requires TPM+PIN+startup key protection for the OS volume, but a TPM+PIN+startup key protector isn't used.| -| 7 |The BitLocker policy requires a TPM protector to protect the OS volume, but a TPM isn't used.| +| 3 |The BitLocker policy requires a TPM-only protector for the OS volume, but TPM protection is not used.| +| 4 |The BitLocker policy requires TPM+PIN protection for the OS volume, but a TPM+PIN protector is not used.| +| 5 |The BitLocker policy requires TPM+startup key protection for the OS volume, but a TPM+startup key protector is not used.| +| 6 |The BitLocker policy requires TPM+PIN+startup key protection for the OS volume, but a TPM+PIN+startup key protector is not used.| +| 7 |The BitLocker policy requires a TPM protector to protect the OS volume, but a TPM is not used.| | 8 |Recovery key backup failed.| | 9 |A fixed drive is unprotected.| -| 10 |The encryption method of the fixed drive doesn't match the BitLocker policy.| +| 10 |The encryption method of the fixed drive does not match the BitLocker policy.| | 11 |To encrypt drives, the BitLocker policy requires either the user to sign in as an Administrator or, if the device is joined to Azure AD, the AllowStandardUserEncryption policy must be set to 1.| -| 12 |Windows Recovery Environment (WinRE) isn't configured.| -| 13 |A TPM isn't available for BitLocker, either because it isn't present, it has been made unavailable in the Registry, or the OS is on a removable drive. | -| 14 |The TPM isn't ready for BitLocker.| -| 15 |The network isn't available, which is required for recovery key backup. | +| 12 |Windows Recovery Environment (WinRE) is not configured.| +| 13 |A TPM is not available for BitLocker, either because it is not present, it has been made unavailable in the Registry, or the OS is on a removable drive. | +| 14 |The TPM is not ready for BitLocker.| +| 15 |The network is not available, which is required for recovery key backup. | | 16-31 |For future use.| @@ -1421,7 +1421,7 @@ Supported values: This node reports the status of RotateRecoveryPasswords request. -Status code can be one of the following: +Status code can be one of the following values: - 2 – Not started - 1 - Pending @@ -1467,7 +1467,7 @@ Value type is string. Supported operation is Get. ### SyncML example -The following example is provided to show proper format and should not be taken as a recommendation. +The following example is provided to show proper format and shouldn't be taken as a recommendation. ```xml diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md index d1db6d514e..0309b24aad 100644 --- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md +++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md @@ -1,6 +1,6 @@ --- title: Bulk enrollment -description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10 and Windows 11. +description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. In Windows 10 and Windows 11. MS-HAID: - 'p\_phdevicemgmt.bulk\_enrollment' - 'p\_phDeviceMgmt.bulk\_enrollment\_using\_Windows\_provisioning\_tool' @@ -18,7 +18,7 @@ ms.date: 06/26/2017 # Bulk enrollment -Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10 and 11 desktop devices, you can use the [Provisioning CSP](provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join (Cloud Domain Join) enrollment scenario. +Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. In Windows 10 and 11 desktop devices, you can use the [Provisioning CSP](provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join (Cloud Domain Join) enrollment scenario. ## Typical use cases @@ -28,7 +28,7 @@ Bulk enrollment is an efficient way to set up a large number of devices to be ma - Set up industrial machinery. - Set handheld POS devices. -On the desktop, you can create an Active Directory account, such as "enrollment@contoso.com" and give it only the ability to join the domain. Once the desktop is joined with that admin account, then standard users in the domain can log in to use it. This is especially useful in getting a large number of desktop ready to use within a domain. +On the desktop, you can create an Active Directory account, such as "enrollment@contoso.com" and give it only the ability to join the domain. Once the desktop is joined with that admin account, then standard users in the domain can sign in to use it. This account is especially useful in getting a large number of desktop ready to use within a domain. On the desktop and mobile devices, you can use an enrollment certificate or enrollment username and password, such as "enroll@contoso.com" and "enrollmentpassword." These credentials are used in the provisioning package, which you can use to enroll multiple devices to the MDM service. Once the devices are joined, many users can use them. @@ -63,21 +63,21 @@ Using the WCD, create a provisioning package using the enrollment information re 5. Skip **Import a provisioning package (optional)** and click **Finish**. 6. Expand **Runtime settings** > **Workplace**. 7. Click **Enrollments**, enter a value in **UPN**, and then click **Add**. - The UPN is a unique identifier for the enrollment. For bulk enrollment, this must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com". + The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com". 8. On the left navigation pane, expand the **UPN** and then enter the information for the rest of the settings for enrollment process. - Here is the list of available settings: + Here's the list of available settings: - **AuthPolicy** - Select **OnPremise**. - **DiscoveryServiceFullUrl** - specify the full URL for the discovery service. - **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank. - **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank. - **Secret** - Password For detailed descriptions of these settings, see [Provisioning CSP](provisioning-csp.md). - Here is the screenshot of the WCD at this point. + Here's the screenshot of the WCD at this point. ![bulk enrollment screenshot.](images/bulk-enrollment.png) -9. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (e.g., **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**). -10. When you are done adding all the settings, on the **File** menu, click **Save**. -11. On the main menu click **Export** > **Provisioning package**. +9. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**). +10. When you're done adding all the settings, on the **File** menu, click **Save**. +11. On the main menu, click **Export** > **Provisioning package**. ![icd menu for export.](images/bulk-enrollment2.png) 12. Enter the values for your package and specify the package output location. @@ -112,17 +112,17 @@ Using the WCD, create a provisioning package using the enrollment information re 7. Specify the workplace settings. 1. Got to **Workplace** > **Enrollments**. 2. Enter the **UPN** for the enrollment and then click **Add**. - The UPN is a unique identifier for the enrollment. For bulk enrollment, this must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com". + The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com". 3. On the left column, expand the **UPN** and then enter the information for the rest of the settings for enrollment process. - Here is the list of available settings: + Here's the list of available settings: - **AuthPolicy** - Select **Certificate**. - **DiscoveryServiceFullUrl** - specify the full URL for the discovery service. - **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank. - **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank. - **Secret** - the certificate thumbprint. For detailed descriptions of these settings, see [Provisioning CSP](provisioning-csp.md). -8. Configure the other settings, such as the Wi-Fi connection so that the device can join a network before joining MDM (e.g., **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**). -9. When you are done adding all the settings, on the **File** menu, click **Save**. +8. Configure the other settings, such as the Wi-Fi connection so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**). +9. When you're done adding all the settings, on the **File** menu, click **Save**. 10. Export and build the package (steps 10-13 in the procedure above). 11. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package). 12. Apply the package to your devices. @@ -145,17 +145,17 @@ Here's the list of topics about applying a provisioning package: 1. Go to **Settings** > **Accounts** > **Access work or school**. 2. Click **Add or remove a provisioning package**. - You should see the your package listed. + You should see your package listed. ## Retry logic in case of a failure -If the provisioning engine receives a failure from a CSP it will retry to provision 3 times in a row. +If the provisioning engine receives a failure from a CSP, it will retry to provision three times in a row. -If all immediate attempts fail, a delayed task is launched to try provisioning again later. It will retry 4 times at a decaying rate of 15 minutes -> 1 hr -> 4 hr -> "Next System Start". These attempts will be run from a SYSTEM context. +If all immediate attempts fail, a delayed task is launched to try provisioning again later. It will retry four times at a decaying rate of 15 minutes -> 1 hr -> 4 hr -> "Next System Start". These attempts will be run from a SYSTEM context. -It will also retry to apply the provisioning each time it is launched, if started from somewhere else as well. +It will also retry to apply the provisioning each time it's launched, if started from somewhere else as well. -In addition, provisioning will be restarted in a SYSTEM context after a login and the system has been idle ([details on idle conditions](/windows/win32/taskschd/task-idle-conditions)). +In addition, provisioning will be restarted in a SYSTEM context after a sign in and the system has been idle ([details on idle conditions](/windows/win32/taskschd/task-idle-conditions)). ## Other provisioning topics diff --git a/windows/client-management/mdm/cellularsettings-csp.md b/windows/client-management/mdm/cellularsettings-csp.md index 74af96a45d..321195f12c 100644 --- a/windows/client-management/mdm/cellularsettings-csp.md +++ b/windows/client-management/mdm/cellularsettings-csp.md @@ -19,7 +19,7 @@ The CellularSettings configuration service provider is used to configure cellula > [!Note] > Starting in Windows 10, version 1703 the CellularSettings CSP is supported in Windows 10 Home, Pro, Enterprise, and Education editions. -The following shows the CellularSettings CSP in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider. +The following example shows the CellularSettings CSP in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol isn't supported with this configuration service provider. ```console ./Vendor/MSFT diff --git a/windows/client-management/mdm/certificatestore-csp.md b/windows/client-management/mdm/certificatestore-csp.md index aa562a1b58..a29cdbaf8a 100644 --- a/windows/client-management/mdm/certificatestore-csp.md +++ b/windows/client-management/mdm/certificatestore-csp.md @@ -1,6 +1,6 @@ --- title: CertificateStore CSP -description: Use the The CertificateStore configuration service provider (CSP) to add secure socket layers (SSL), intermediate, and self-signed certificates. +description: Use the CertificateStore configuration service provider (CSP) to add secure socket layers (SSL), intermediate, and self-signed certificates. ms.assetid: 0fe28629-3cc3-42a0-91b3-3624c8462fd3 ms.reviewer: manager: dansimp @@ -23,9 +23,9 @@ The CertificateStore configuration service provider is used to add secure socket -For the CertificateStore CSP, you cannot use the Replace command unless the node already exists. +For the CertificateStore CSP, you can't use the Replace command unless the node already exists. -The following shows the CertificateStore configuration service provider management object in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning. +The following example shows the CertificateStore configuration service provider management object in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning. ``` ./Vendor/MSFT @@ -127,7 +127,7 @@ Supported operation is Get. **My/User** -Defines the certificate store that contains public keys for client certificates. This is only used by enterprise servers to push down the public key of a client certificate. The client certificate is used by the device client to authenticate itself to the enterprise server for device management and downloading enterprise applications. +Defines the certificate store that contains public keys for client certificates. This certificate store is only used by enterprise servers to push down the public key of a client certificate. The client certificate is used by the device client to authenticate itself to the enterprise server for device management and downloading enterprise applications. Supported operation is Get. @@ -137,7 +137,7 @@ Supported operation is Get. **My/System** -Defines the certificate store that contains public key for client certificate. This is only used by enterprise server to push down the public key of the client cert. The client cert is used by the device to authenticate itself to the enterprise server for device management and enterprise app downloading. +Defines the certificate store that contains public key for client certificate. This certificate store is only used by enterprise server to push down the public key of the client cert. The client cert is used by the device to authenticate itself to the enterprise server for device management and enterprise app downloading. Supported operation is Get. @@ -152,27 +152,27 @@ Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certifi Supported operations are Get, Delete, and Replace. ***CertHash*/EncodedCertificate** -Required. Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. +Required. Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value can't include extra formatting characters such as embedded linefeeds, etc. Supported operations are Get, Add, Delete, and Replace. ***CertHash*/IssuedBy** -Required. Returns the name of the certificate issuer. This is equivalent to the *Issuer* member in the CERT\_INFO data structure. +Required. Returns the name of the certificate issuer. This name is equivalent to the *Issuer* member in the CERT\_INFO data structure. Supported operation is Get. ***CertHash*/IssuedTo** -Required. Returns the name of the certificate subject. This is equivalent to the *Subject* member in the CERT\_INFO data structure. +Required. Returns the name of the certificate subject. This name is equivalent to the *Subject* member in the CERT\_INFO data structure. Supported operation is Get. ***CertHash*/ValidFrom** -Required. Returns the starting date of the certificate's validity. This is equivalent to the *NotBefore* member in the CERT\_INFO structure. +Required. Returns the starting date of the certificate's validity. This date is equivalent to the *NotBefore* member in the CERT\_INFO structure. Supported operation is Get. ***CertHash*/ValidTo** -Required. Returns the expiration date of the certificate. This is equivalent to the *NotAfter* member in the CERT\_INFO structure. +Required. Returns the expiration date of the certificate. This expiration date is equivalent to the *NotAfter* member in the CERT\_INFO structure. Supported operation is Get. @@ -224,25 +224,25 @@ Required. Specifies the extended key usages and subject to SCEP server configura Supported operations are Get, Add, Delete, and Replace. **My/SCEP/*UniqueID*/Install/KeyUsage** -Required for enrollment. Specifies the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or fourth (0x80) or both bits set. If the value does not have those bits set, configuration will fail. Value type is an integer. +Required for enrollment. Specifies the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or fourth (0x80) or both bits set. If the value doesn't have those bits set, configuration will fail. Value type is an integer. Supported operations are Get, Add, Delete, and Replace. **My/SCEP/*UniqueID*/Install/SubjectName** Required. Specifies the subject name. -The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: (“,” “=” “+” “;” ). +The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: (“,” “=” “+” “;”). -For more details, see [CertNameToStrA function](/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks). +For more information, see [CertNameToStrA function](/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks). Value type is chr. Supported operations are Get, Add, Delete, and Replace. **My/SCEP/*UniqueID*/Install/KeyProtection** -Optional. Specifies the location of the private key. Although the private key is protected by TPM, it is not protected with TPM PIN. SCEP enrolled certificate does not support TPM PIN protection. +Optional. Specifies the location of the private key. Although the private key is protected by TPM, it isn't protected with TPM PIN. SCEP enrolled certificate doesn't support TPM PIN protection. -Supported values are one of the following: +Supported values are one of the following values: - 1 – Private key is protected by device TPM. @@ -260,12 +260,12 @@ Optional. Specifies the device retry waiting time in minutes when the SCEP serve Supported operations are Get, Add, and Delete. **My/SCEP/*UniqueID*/Install/RetryCount** -Optional. Special to SCEP. Specifies the device retry times when the SCEP server sends pending status. Value type is an integer. Default value is 3. Max value cannot be larger than 30. If it is larger than 30, the device will use 30. The min value is 0, which means no retry. +Optional. Special to SCEP. Specifies the device retry times when the SCEP server sends pending status. Value type is an integer. Default value is 3. Max value can't be larger than 30. If it's larger than 30, the device will use 30. The min value is 0, which means no retry. Supported operations are Get, Add, Delete, and Replace. **My/SCEP/*UniqueID*/Install/TemplateName** -Optional. OID of certificate template name. Note that this name is typically ignored by the SCEP server; therefore, the MDM server typically does not need to provide it. Value type is chr. +Optional. OID of certificate template name. This name is typically ignored by the SCEP server; therefore, the MDM server typically doesn't need to provide it. Value type is chr. Supported operations are Get, Add, and Delete. @@ -282,7 +282,7 @@ Value type is chr. Supported operations are Get, Add, Delete, and Replace. **My/SCEP/*UniqueID*/Install/CAThumbprint** -Required. Specifies the root CA thumbprint. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks CA certificate from SCEP server for a match with this certificate. If it does not match, the authentication fails. Value type is chr. +Required. Specifies the root CA thumbprint. It's a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks CA certificate from SCEP server for a match with this certificate. If it doesn't match, the authentication fails. Value type is chr. Supported operations are Get, Add, Delete, and Replace. @@ -296,7 +296,7 @@ Optional. Specifies the units for the valid period. Value type is chr. Supported operations are Get, Add, Delete, and Replace. -Valid values are one of the following: +Valid values are one of the following values: - Days (default) - Months @@ -318,7 +318,7 @@ Supported operations are Get, Add, Delete, and Replace. **My/SCEP/*UniqueID*/Install/Enroll** -Required. Triggers the device to start the certificate enrollment. The MDM server can later query the device to find out whether the new certificate is added. Value type is null, which means that this node does not contain a value. +Required. Triggers the device to start the certificate enrollment. The MDM server can later query the device to find out whether the new certificate is added. Value type is null, which means that this node doesn't contain a value. Supported operation is Exec. @@ -332,11 +332,11 @@ Required. Specifies the latest status for the certificate due to enrollment requ Supported operation is Get. -Valid values are one of the following: +Valid values are one of the following values: - 1 – Finished successfully. -- 2 – Pending. The device has not finished the action, but has received the SCEP server pending response. +- 2 – Pending. The device hasn't finished the action, but has received the SCEP server pending response. - 16 - Action failed. @@ -348,7 +348,7 @@ Optional. The integer value that indicates the HRESULT of the last enrollment er Supported operation is Get. **My/SCEP/*UniqueID*/CertThumbprint** -Optional. Specifies the current certificate thumbprint if certificate enrollment succeeds. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. Value type is chr. +Optional. Specifies the current certificate thumbprint if certificate enrollment succeeds. It's a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. Value type is chr. Supported operation is Get. @@ -368,7 +368,7 @@ Optional. The parent node to group renewal related settings. Supported operation is Get. **My/WSTEP/Renew/ServerURL** -Optional. Specifies the URL of certificate renewal server. If this node does not exist, the client uses the initial certificate enrollment URL. +Optional. Specifies the URL of certificate renewal server. If this node doesn't exist, the client uses the initial certificate enrollment URL. > [!NOTE] > The renewal process follows the same steps as device enrollment, which means that it starts with Discovery service, followed by Enrollment policy service, and then Enrollment web service. @@ -378,7 +378,7 @@ Optional. Specifies the URL of certificate renewal server. If this node does not Supported operations are Add, Get, Delete, and Replace. **My/WSTEP/Renew/RenewalPeriod** -Optional. The time (in days) to trigger the client to initiate the MDM client certificate renew process before the MDM certificate expires. The MDM server cannot set and update the renewal period. This parameter applies to both manual certificate renewal and request on behalf of (ROBO) certificate renewal. It is recommended that the renew period is set a couple of months before the certificate expires to ensure that the certificate gets renewed successfully with data connectivity. +Optional. The time (in days) to trigger the client to initiate the MDM client certificate renew process before the MDM certificate expires. The MDM server can't set and update the renewal period. This parameter applies to both manual certificate renewal and request on behalf of (ROBO) certificate renewal. It's recommended that the renew period is set a couple of months before the certificate expires to ensure that the certificate gets renewed successfully with data connectivity. The default value is 42 and the valid values are 1 – 1000. Value type is an integer. @@ -422,7 +422,7 @@ Required. Shows the latest action status for this certificate. Value type is an Supported operation is Get. -Supported values are one of the following: +Supported values are one of the following values: - 0 – Not started. diff --git a/windows/client-management/mdm/change-history-for-mdm-documentation.md b/windows/client-management/mdm/change-history-for-mdm-documentation.md index 089b3868fd..e8662afe79 100644 --- a/windows/client-management/mdm/change-history-for-mdm-documentation.md +++ b/windows/client-management/mdm/change-history-for-mdm-documentation.md @@ -14,7 +14,7 @@ ms.date: 10/19/2020 # Change history for Mobile Device Management documentation -This article lists new and updated articles for the Mobile Device Management (MDM) documentation. Updated articles are those that had content addition, removal, or corrections—minor fixes, such as correction of typos, style, or formatting issues are not listed. +This article lists new and updated articles for the Mobile Device Management (MDM) documentation. Updated articles are those articles that had content addition, removal, or corrections—minor fixes, such as correction of typos, style, or formatting issues aren't listed. ## November 2020 @@ -60,7 +60,7 @@ This article lists new and updated articles for the Mobile Device Management (MD |New or updated article | Description| |--- | ---| |[BitLocker CSP](bitlocker-csp.md)|Added the bitmask table for the Status/DeviceEncryptionStatus node.| -|[Policy CSP - RestrictedGroups](policy-csp-restrictedgroups.md)| Updated the topic with additional details. Added policy timeline table. +|[Policy CSP - RestrictedGroups](policy-csp-restrictedgroups.md)| Updated the topic with more details. Added policy timeline table. ## February 2020 @@ -101,7 +101,7 @@ This article lists new and updated articles for the Mobile Device Management (MD |New or updated article | Description| |--- | ---| |[DiagnosticLog CSP](diagnosticlog-csp.md)
                              [DiagnosticLog DDF](diagnosticlog-ddf.md)|Added version 1.4 of the CSP in Windows 10, version 1903. Added the new 1.4 version of the DDF. Added the following new nodes:
                              Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelName/MaximumFileSize, Policy/Channels/ChannelName/SDDL, Policy/Channels/ChannelName/ActionWhenFull, Policy/Channels/ChannelName/Enabled, DiagnosticArchive, DiagnosticArchive/ArchiveDefinition, DiagnosticArchive/ArchiveResults.| -|[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)|Enhanced the article to include additional reference links and the following two topics:
                              Verify auto-enrollment requirements and settings, Troubleshoot auto-enrollment of devices.| +|[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)|Enhanced the article to include more reference links and the following two topics:
                              Verify auto-enrollment requirements and settings, Troubleshoot auto-enrollment of devices.| ## July 2019 @@ -111,7 +111,7 @@ This article lists new and updated articles for the Mobile Device Management (MD |[ApplicationControl CSP](applicationcontrol-csp.md)|Added new CSP in Windows 10, version 1903.| |[PassportForWork CSP](passportforwork-csp.md)|Added the following new nodes in Windows 10, version 1903:
                              SecurityKey, SecurityKey/UseSecurityKeyForSignin| |[Policy CSP - Privacy](policy-csp-privacy.md)|Added the following new policies:
                              LetAppsActivateWithVoice, LetAppsActivateWithVoiceAboveLock| -|Create a custom configuration service provider|Deleted the following documents from the CSP reference because extensibility via CSPs is not currently supported:
                              Create a custom configuration service provider
                              Design a custom configuration service provider
                              IConfigServiceProvider2
                              IConfigServiceProvider2::ConfigManagerNotification
                              IConfigServiceProvider2::GetNode
                              ICSPNode
                              ICSPNode::Add
                              ICSPNode::Clear
                              ICSPNode::Copy
                              ICSPNode::DeleteChild
                              ICSPNode::DeleteProperty
                              ICSPNode::Execute
                              ICSPNode::GetChildNodeNames
                              ICSPNode::GetProperty
                              ICSPNode::GetPropertyIdentifiers
                              ICSPNode::GetValue
                              ICSPNode::Move
                              ICSPNode::SetProperty
                              ICSPNode::SetValue
                              ICSPNodeTransactioning
                              ICSPValidate
                              Samples for writing a custom configuration service provider.| +|Create a custom configuration service provider|Deleted the following documents from the CSP reference because extensibility via CSPs isn't currently supported:
                              Create a custom configuration service provider
                              Design a custom configuration service provider
                              IConfigServiceProvider2
                              IConfigServiceProvider2::ConfigManagerNotification
                              IConfigServiceProvider2::GetNode
                              ICSPNode
                              ICSPNode::Add
                              ICSPNode::Clear
                              ICSPNode::Copy
                              ICSPNode::DeleteChild
                              ICSPNode::DeleteProperty
                              ICSPNode::Execute
                              ICSPNode::GetChildNodeNames
                              ICSPNode::GetProperty
                              ICSPNode::GetPropertyIdentifiers
                              ICSPNode::GetValue
                              ICSPNode::Move
                              ICSPNode::SetProperty
                              ICSPNode::SetValue
                              ICSPNodeTransactioning
                              ICSPValidate
                              Samples for writing a custom configuration service provider.| ## June 2019 @@ -141,7 +141,7 @@ This article lists new and updated articles for the Mobile Device Management (MD | New or updated article | Description | |-------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md) | Added the following warning at the end of the Overview section:
                              Some operating system components have built in functionality to check devices for domain membership. MDM enforces the configured policy values only if the devices are domain joined, otherwise it does not. However, you can still import ADMX files and set ADMX-backed policies regardless of whether the device is domain joined or non-domain joined. | +| [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md) | Added the following warning at the end of the Overview section:
                              Some operating system components have built in functionality to check devices for domain membership. MDM enforces the configured policy values only if the devices are domain joined, otherwise it doesn't. However, you can still import ADMX files and set ADMX-backed policies regardless of whether the device is domain joined or non-domain joined. | | [Policy CSP - UserRights](policy-csp-userrights.md) | Added a note stating if you use Intune custom profiles to assign UserRights policies, you must use the CDATA tag () to wrap the data fields. | ## March 2019 @@ -193,12 +193,12 @@ This article lists new and updated articles for the Mobile Device Management (MD |New or updated article|Description| |--- |--- | -|[AssignedAccess CSP](assignedaccess-csp.md)|Added the following note:

                              You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups.| +|[AssignedAccess CSP](assignedaccess-csp.md)|Added the following note:

                              You can only assign one single app kiosk profile to an individual user account on a device. The single app profile doesn't support domain groups.| |[PassportForWork CSP](passportforwork-csp.md)|Added new settings in Windows 10, version 1809.| |[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)|Added NonRemovable setting under AppManagement node in Windows 10, version 1809.| |[Win32CompatibilityAppraiser CSP](win32compatibilityappraiser-csp.md)|Added new configuration service provider in Windows 10, version 1809.| |[WindowsLicensing CSP](windowslicensing-csp.md)|Added S mode settings and SyncML examples in Windows 10, version 1809.| -|[SUPL CSP](supl-csp.md)|Added 3 new certificate nodes in Windows 10, version 1809.| +|[SUPL CSP](supl-csp.md)|Added three new certificate nodes in Windows 10, version 1809.| |[Defender CSP](defender-csp.md)|Added a new node Health/ProductStatus in Windows 10, version 1809.| |[BitLocker CSP](bitlocker-csp.md)|Added a new node AllowStandardUserEncryption in Windows 10, version 1809.| |[DevDetail CSP](devdetail-csp.md)|Added a new node SMBIOSSerialNumber in Windows 10, version 1809.| @@ -211,7 +211,7 @@ This article lists new and updated articles for the Mobile Device Management (MD |[Wifi CSP](wifi-csp.md)|Added a new node WifiCost in Windows 10, version 1809.| |[Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md)|Recent changes:
                            • Added procedure for collecting logs remotely from Windows 10 Holographic.
                            • Added procedure for downloading the MDM Diagnostic Information log.| |[BitLocker CSP](bitlocker-csp.md)|Added new node AllowStandardUserEncryption in Windows 10, version 1809.| -|[Policy CSP](policy-configuration-service-provider.md)|Recent changes:
                            • AccountPoliciesAccountLockoutPolicy
                            • AccountLockoutDuration - removed from docs. Not supported.
                            • AccountPoliciesAccountLockoutPolicy/AccountLockoutThreshold - removed from docs. Not supported.
                            • AccountPoliciesAccountLockoutPolicy/ResetAccountLockoutCounterAfter - removed from docs. Not supported.
                            • LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers - removed from docs. Not supported.
                            • System/AllowFontProviders is not supported in HoloLens (1st gen) Commercial Suite.
                            • Security/RequireDeviceEncryption is supported in the Home SKU.
                            • Start/StartLayout - added a table of SKU support information.
                            • Start/ImportEdgeAssets - added a table of SKU support information.

                              Added the following new policies in Windows 10, version 1809:
                            • Update/EngagedRestartDeadlineForFeatureUpdates
                            • Update/EngagedRestartSnoozeScheduleForFeatureUpdates
                            • Update/EngagedRestartTransitionScheduleForFeatureUpdates
                            • Update/SetDisablePauseUXAccess
                            • Update/SetDisableUXWUAccess| +|[Policy CSP](policy-configuration-service-provider.md)|Recent changes:
                            • AccountPoliciesAccountLockoutPolicy
                            • AccountLockoutDuration - removed from docs. Not supported.
                            • AccountPoliciesAccountLockoutPolicy/AccountLockoutThreshold - removed from docs. Not supported.
                            • AccountPoliciesAccountLockoutPolicy/ResetAccountLockoutCounterAfter - removed from docs. Not supported.
                            • LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers - removed from docs. Not supported.
                            • System/AllowFontProviders isn't supported in HoloLens (first gen) Commercial Suite.
                            • Security/RequireDeviceEncryption is supported in the Home SKU.
                            • Start/StartLayout - added a table of SKU support information.
                            • Start/ImportEdgeAssets - added a table of SKU support information.

                              Added the following new policies in Windows 10, version 1809:
                            • Update/EngagedRestartDeadlineForFeatureUpdates
                            • Update/EngagedRestartSnoozeScheduleForFeatureUpdates
                            • Update/EngagedRestartTransitionScheduleForFeatureUpdates
                            • Update/SetDisablePauseUXAccess
                            • Update/SetDisableUXWUAccess| |[WiredNetwork CSP](wirednetwork-csp.md)|New CSP added in Windows 10, version 1809.| ## May 2018 @@ -240,7 +240,7 @@ This article lists new and updated articles for the Mobile Device Management (MD |[Understanding ADMX-backed policies](understanding-admx-backed-policies.md)|Added the following videos:
                            • [How to create a custom xml to enable an ADMX-backed policy and deploy the XML in Intune](https://www.microsoft.com/showcase/video.aspx?uuid=bdc9b54b-11b0-4bdb-a022-c339d16e7121)
                            • [How to import a custom ADMX file to a device using Intune](https://www.microsoft.com/showcase/video.aspx?uuid=a59888b1-429f-4a49-8570-c39a143d9a73)| |[AccountManagement CSP](accountmanagement-csp.md)|Added a new CSP in Windows 10, version 1803.| |[RootCATrustedCertificates CSP](rootcacertificates-csp.md)|Added the following node in Windows 10, version 1803:
                            • UntrustedCertificates| -|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:
                            • ApplicationDefaults/EnableAppUriHandlers
                            • ApplicationManagement/MSIAllowUserControlOverInstall
                            • ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges
                            • Connectivity/AllowPhonePCLinking
                            • Notifications/DisallowCloudNotification
                            • Notifications/DisallowTileNotification
                            • RestrictedGroups/ConfigureGroupMembership

                              The following existing policies were updated:
                            • Browser/AllowCookies - updated the supported values. There are 3 values - 0, 1, 2.
                            • InternetExplorer/AllowSiteToZoneAssignmentList - updated the description and added an example SyncML
                            • TextInput/AllowIMENetworkAccess - introduced new suggestion services in Japanese IME in addition to cloud suggestion.

                              Added a new section:
                            • [[Policies in Policy CSP supported by Group Policy](/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy) - list of policies in Policy CSP that has corresponding Group Policy. The policy description contains the GP information, such as GP policy name and variable name.| +|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:
                            • ApplicationDefaults/EnableAppUriHandlers
                            • ApplicationManagement/MSIAllowUserControlOverInstall
                            • ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges
                            • Connectivity/AllowPhonePCLinking
                            • Notifications/DisallowCloudNotification
                            • Notifications/DisallowTileNotification
                            • RestrictedGroups/ConfigureGroupMembership

                              The following existing policies were updated:
                            • Browser/AllowCookies - updated the supported values. There are three values - 0, 1, 2.
                            • InternetExplorer/AllowSiteToZoneAssignmentList - updated the description and added an example SyncML
                            • TextInput/AllowIMENetworkAccess - introduced new suggestion services in Japanese IME in addition to cloud suggestion.

                              Added a new section:
                            • [[Policies in Policy CSP supported by Group Policy](/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy) - list of policies in Policy CSP that has corresponding Group Policy. The policy description contains the GP information, such as GP policy name and variable name.| |[Policy CSP - Bluetooth](policy-csp-bluetooth.md)|Added new section [ServicesAllowedList usage guide](policy-csp-bluetooth.md#servicesallowedlist-usage-guide).| |[MultiSIM CSP](multisim-csp.md)|Added SyncML examples and updated the settings descriptions.| |[RemoteWipe CSP](remotewipe-csp.md)|Reverted back to Windows 10, version 1709. Removed previous draft documentation for version 1803.| @@ -251,7 +251,7 @@ This article lists new and updated articles for the Mobile Device Management (MD |--- |--- | |[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:
                            • Display/DisablePerProcessDpiForApps
                            • Display/EnablePerProcessDpi
                            • Display/EnablePerProcessDpiForApps
                            • Experience/AllowWindowsSpotlightOnSettings
                            • TextInput/ForceTouchKeyboardDockedState
                            • TextInput/TouchKeyboardDictationButtonAvailability
                            • TextInput/TouchKeyboardEmojiButtonAvailability
                            • TextInput/TouchKeyboardFullModeAvailability
                            • TextInput/TouchKeyboardHandwritingModeAvailability
                            • TextInput/TouchKeyboardNarrowModeAvailability
                            • TextInput/TouchKeyboardSplitModeAvailability
                            • TextInput/TouchKeyboardWideModeAvailability| |[VPNv2 ProfileXML XSD](vpnv2-profile-xsd.md)|Updated the XSD and Plug-in profile example for VPNv2 CSP.| -|[AssignedAccess CSP](assignedaccess-csp.md)|Added the following nodes in Windows 10, version 1803:
                            • Status
                            • ShellLauncher
                            • StatusConfiguration

                              Updated the AssigneAccessConfiguration schema. Starting in Windows 10, version 1803 AssignedAccess CSP is supported in HoloLens (1st gen) Commercial Suite. Added example for HoloLens (1st gen) Commercial Suite.| +|[AssignedAccess CSP](assignedaccess-csp.md)|Added the following nodes in Windows 10, version 1803:
                            • Status
                            • ShellLauncher
                            • StatusConfiguration

                              Updated the AssigneAccessConfiguration schema. Starting in Windows 10, version 1803 AssignedAccess CSP is supported in HoloLens (first gen) Commercial Suite. Added example for HoloLens (first gen) Commercial Suite.| |[MultiSIM CSP](multisim-csp.md)|Added a new CSP in Windows 10, version 1803.| |[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)|Added the following node in Windows 10, version 1803:
                            • MaintainProcessorArchitectureOnUpdate| @@ -259,7 +259,7 @@ This article lists new and updated articles for the Mobile Device Management (MD |New or updated article|Description| |--- |--- | -|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:
                            • Browser/AllowConfigurationUpdateForBooksLibrary
                            • Browser/AlwaysEnableBooksLibrary
                            • Browser/EnableExtendedBooksTelemetry
                            • Browser/UseSharedFolderForBooks
                            • DeliveryOptimization/DODelayBackgroundDownloadFromHttp
                            • DeliveryOptimization/DODelayForegroundDownloadFromHttp
                            • DeliveryOptimization/DOGroupIdSource
                            • DeliveryOptimization/DOPercentageMaxBackDownloadBandwidth
                            • DeliveryOptimization/DOPercentageMaxForeDownloadBandwidth
                            • DeliveryOptimization/DORestrictPeerSelectionBy
                            • DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth
                            • DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth
                            • KioskBrowser/BlockedUrlExceptions
                            • KioskBrowser/BlockedUrls
                            • KioskBrowser/DefaultURL
                            • KioskBrowser/EnableHomeButton
                            • KioskBrowser/EnableNavigationButtons
                            • KioskBrowser/RestartOnIdleTime
                            • LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon
                            • LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia
                            • LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters
                            • LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly
                            • LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior
                            • LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees
                            • LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers
                            • LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways
                            • LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees
                            • LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts
                            • LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares
                            • LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares
                            • LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
                            • LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange
                            • LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel
                            • LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients
                            • LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
                            • LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile
                            • LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation
                            • LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode
                            • RestrictedGroups/ConfigureGroupMembership
                            • Search/AllowCortanaInAAD
                            • Search/DoNotUseWebResults
                            • Security/ConfigureWindowsPasswords
                            • System/FeedbackHubAlwaysSaveDiagnosticsLocally
                            • SystemServices/ConfigureHomeGroupListenerServiceStartupMode
                            • SystemServices/ConfigureHomeGroupProviderServiceStartupMode
                            • SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode
                            • SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode
                            • SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode
                            • SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode
                            • TaskScheduler/EnableXboxGameSaveTask
                            • TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode
                            • Update/ConfigureFeatureUpdateUninstallPeriod
                            • UserRights/AccessCredentialManagerAsTrustedCaller
                            • UserRights/AccessFromNetwork
                            • UserRights/ActAsPartOfTheOperatingSystem
                            • UserRights/AllowLocalLogOn
                            • UserRights/BackupFilesAndDirectories
                            • UserRights/ChangeSystemTime
                            • UserRights/CreateGlobalObjects
                            • UserRights/CreatePageFile
                            • UserRights/CreatePermanentSharedObjects
                            • UserRights/CreateSymbolicLinks
                            • UserRights/CreateToken
                            • UserRights/DebugPrograms
                            • UserRights/DenyAccessFromNetwork
                            • UserRights/DenyLocalLogOn
                            • UserRights/DenyRemoteDesktopServicesLogOn
                            • UserRights/EnableDelegation
                            • UserRights/GenerateSecurityAudits
                            • UserRights/ImpersonateClient
                            • UserRights/IncreaseSchedulingPriority
                            • UserRights/LoadUnloadDeviceDrivers
                            • UserRights/LockMemory
                            • UserRights/ManageAuditingAndSecurityLog
                            • UserRights/ManageVolume
                            • UserRights/ModifyFirmwareEnvironment
                            • UserRights/ModifyObjectLabel
                            • UserRights/ProfileSingleProcess
                            • UserRights/RemoteShutdown
                            • UserRights/RestoreFilesAndDirectories
                            • UserRights/TakeOwnership
                            • WindowsDefenderSecurityCenter/DisableAccountProtectionUI
                            • WindowsDefenderSecurityCenter/DisableDeviceSecurityUI
                            • WindowsDefenderSecurityCenter/HideRansomwareDataRecovery
                            • WindowsDefenderSecurityCenter/HideSecureBoot
                            • WindowsDefenderSecurityCenter/HideTPMTroubleshooting

                              Added the following policies the were added in Windows 10, version 1709
                            • DeviceLock/MinimumPasswordAge
                            • Settings/AllowOnlineTips
                            • System/DisableEnterpriseAuthProxy

                              Security/RequireDeviceEncryption - updated to show it is supported in desktop.| +|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:
                            • Browser/AllowConfigurationUpdateForBooksLibrary
                            • Browser/AlwaysEnableBooksLibrary
                            • Browser/EnableExtendedBooksTelemetry
                            • Browser/UseSharedFolderForBooks
                            • DeliveryOptimization/DODelayBackgroundDownloadFromHttp
                            • DeliveryOptimization/DODelayForegroundDownloadFromHttp
                            • DeliveryOptimization/DOGroupIdSource
                            • DeliveryOptimization/DOPercentageMaxBackDownloadBandwidth
                            • DeliveryOptimization/DOPercentageMaxForeDownloadBandwidth
                            • DeliveryOptimization/DORestrictPeerSelectionBy
                            • DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth
                            • DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth
                            • KioskBrowser/BlockedUrlExceptions
                            • KioskBrowser/BlockedUrls
                            • KioskBrowser/DefaultURL
                            • KioskBrowser/EnableHomeButton
                            • KioskBrowser/EnableNavigationButtons
                            • KioskBrowser/RestartOnIdleTime
                            • LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon
                            • LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia
                            • LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters
                            • LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly
                            • LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior
                            • LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees
                            • LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers
                            • LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways
                            • LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees
                            • LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts
                            • LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares
                            • LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares
                            • LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
                            • LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange
                            • LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel
                            • LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients
                            • LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
                            • LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile
                            • LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation
                            • LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode
                            • RestrictedGroups/ConfigureGroupMembership
                            • Search/AllowCortanaInAAD
                            • Search/DoNotUseWebResults
                            • Security/ConfigureWindowsPasswords
                            • System/FeedbackHubAlwaysSaveDiagnosticsLocally
                            • SystemServices/ConfigureHomeGroupListenerServiceStartupMode
                            • SystemServices/ConfigureHomeGroupProviderServiceStartupMode
                            • SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode
                            • SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode
                            • SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode
                            • SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode
                            • TaskScheduler/EnableXboxGameSaveTask
                            • TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode
                            • Update/ConfigureFeatureUpdateUninstallPeriod
                            • UserRights/AccessCredentialManagerAsTrustedCaller
                            • UserRights/AccessFromNetwork
                            • UserRights/ActAsPartOfTheOperatingSystem
                            • UserRights/AllowLocalLogOn
                            • UserRights/BackupFilesAndDirectories
                            • UserRights/ChangeSystemTime
                            • UserRights/CreateGlobalObjects
                            • UserRights/CreatePageFile
                            • UserRights/CreatePermanentSharedObjects
                            • UserRights/CreateSymbolicLinks
                            • UserRights/CreateToken
                            • UserRights/DebugPrograms
                            • UserRights/DenyAccessFromNetwork
                            • UserRights/DenyLocalLogOn
                            • UserRights/DenyRemoteDesktopServicesLogOn
                            • UserRights/EnableDelegation
                            • UserRights/GenerateSecurityAudits
                            • UserRights/ImpersonateClient
                            • UserRights/IncreaseSchedulingPriority
                            • UserRights/LoadUnloadDeviceDrivers
                            • UserRights/LockMemory
                            • UserRights/ManageAuditingAndSecurityLog
                            • UserRights/ManageVolume
                            • UserRights/ModifyFirmwareEnvironment
                            • UserRights/ModifyObjectLabel
                            • UserRights/ProfileSingleProcess
                            • UserRights/RemoteShutdown
                            • UserRights/RestoreFilesAndDirectories
                            • UserRights/TakeOwnership
                            • WindowsDefenderSecurityCenter/DisableAccountProtectionUI
                            • WindowsDefenderSecurityCenter/DisableDeviceSecurityUI
                            • WindowsDefenderSecurityCenter/HideRansomwareDataRecovery
                            • WindowsDefenderSecurityCenter/HideSecureBoot
                            • WindowsDefenderSecurityCenter/HideTPMTroubleshooting

                              Added the following policies in Windows 10, version 1709
                            • DeviceLock/MinimumPasswordAge
                            • Settings/AllowOnlineTips
                            • System/DisableEnterpriseAuthProxy

                              Security/RequireDeviceEncryption - updated to show it's supported in desktop.| |[BitLocker CSP](bitlocker-csp.md)|Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803.| |[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)|Added new node MaintainProcessorArchitectureOnUpdate in Windows 10, next major update.| |[DMClient CSP](dmclient-csp.md)|Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803:
                            • AADSendDeviceToken
                            • BlockInStatusPage
                            • AllowCollectLogsButton
                            • CustomErrorText
                            • SkipDeviceStatusPage
                            • SkipUserStatusPage| @@ -309,11 +309,11 @@ This article lists new and updated articles for the Mobile Device Management (MD |[Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md)|Added new step-by-step guide to enable ADMX-backed policies.| |[Mobile device enrollment](mobile-device-enrollment.md)|Added the following statement:

                              Devices that are joined to an on-premises Active Directory can enroll into MDM via the Work access page in Settings. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.| |[CM_CellularEntries CSP](cm-cellularentries-csp.md)|Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.| -|[EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)|Updated the Settings/EDPEnforcementLevel values to the following:
                            • 0 (default) – Off / No protection (decrypts previously protected data).
                            • 1 – Silent mode (encrypt and audit only).
                            • 2 – Allow override mode (encrypt, prompt and allow overrides, and audit).
                            • 3 – Hides overrides (encrypt, prompt but hide overrides, and audit).| -|[AppLocker CSP](applocker-csp.md)|Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in [Allow list examples](applocker-csp.md#allow-list-examples).| +|[EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)|Updated the Settings/EDPEnforcementLevel values to the following values:
                            • 0 (default) – Off / No protection (decrypts previously protected data).
                            • 1 – Silent mode (encrypt and audit only).
                            • 2 – Allow override mode (encrypt, prompt and allow overrides, and audit).
                            • 3 – Hides overrides (encrypt, prompt but hide overrides, and audit).| +|[AppLocker CSP](applocker-csp.md)|Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in [Allowlist examples](applocker-csp.md#allow-list-examples).| |[DeviceManageability CSP](devicemanageability-csp.md)|Added the following settings in Windows 10, version 1709:
                            • Provider/ProviderID/ConfigInfo
                            • Provider/ProviderID/EnrollmentInfo| |[Office CSP](office-csp.md)|Added the following setting in Windows 10, version 1709:
                            • Installation/CurrentStatus| -|[BitLocker CSP](bitlocker-csp.md)|Added information to the ADMX-backed policies. Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709.| +|[BitLocker CSP](bitlocker-csp.md)|Added information to the ADMX-backed policies. Changed the minimum personal identification number (PIN) length to four digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709.| |[Firewall CSP](firewall-csp.md)|Updated the CSP and DDF topics. Here are the changes:
                            • Removed the two settings - FirewallRules/FirewallRuleName/FriendlyName and FirewallRules/FirewallRuleName/IcmpTypesAndCodes.
                            • Changed some data types from integer to bool.
                            • Updated the list of supported operations for some settings.
                            • Added default values.| |[Policy DDF file](policy-ddf-file.md)|Added another Policy DDF file [download](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) for the 8C release of Windows 10, version 1607, which added the following policies:
                            • Browser/AllowMicrosoftCompatibilityList
                            • Update/DisableDualScan
                            • Update/FillEmptyContentUrls| -|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1709:
                            • Browser/ProvisionFavorites
                            • Browser/LockdownFavorites
                            • ExploitGuard/ExploitProtectionSettings
                            • Games/AllowAdvancedGamingServices
                            • LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts
                            • LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
                            • LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount
                            • LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount
                            • LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
                            • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn
                            • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn
                            • LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL
                            • LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit
                            • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn
                            • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn
                            • LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
                            • LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
                            • LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
                            • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators
                            • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
                            • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated
                            • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations
                            • LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode
                            • LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation
                            • LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
                            • Privacy/EnableActivityFeed
                            • Privacy/PublishUserActivities
                            • Update/DisableDualScan
                            • Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork

                              Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutopilotResetCredentials.

                              Changed the names of the following policies:
                            • Defender/GuardedFoldersAllowedApplications to Defender/ControlledFolderAccessAllowedApplications
                            • Defender/GuardedFoldersList to Defender/ControlledFolderAccessProtectedFolders
                            • Defender/EnableGuardMyFolders to Defender/EnableControlledFolderAccess

                              Added links to the additional [ADMX-backed BitLocker policies](policy-csp-bitlocker.md).

                              There were issues reported with the previous release of the following policies. These issues were fixed in Windows 10, version 1709:
                            • Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts
                            • Start/HideAppList| +|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1709:
                            • Browser/ProvisionFavorites
                            • Browser/LockdownFavorites
                            • ExploitGuard/ExploitProtectionSettings
                            • Games/AllowAdvancedGamingServices
                            • LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts
                            • LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
                            • LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount
                            • LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount
                            • LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
                            • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn
                            • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn
                            • LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL
                            • LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit
                            • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn
                            • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn
                            • LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
                            • LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
                            • LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
                            • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators
                            • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
                            • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated
                            • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations
                            • LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode
                            • LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation
                            • LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
                            • Privacy/EnableActivityFeed
                            • Privacy/PublishUserActivities
                            • Update/DisableDualScan
                            • Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork

                              Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutopilotResetCredentials.

                              Changed the names of the following policies:
                            • Defender/GuardedFoldersAllowedApplications to Defender/ControlledFolderAccessAllowedApplications
                            • Defender/GuardedFoldersList to Defender/ControlledFolderAccessProtectedFolders
                            • Defender/EnableGuardMyFolders to Defender/EnableControlledFolderAccess

                              Added links to the extra [ADMX-backed BitLocker policies](policy-csp-bitlocker.md).

                              There were issues reported with the previous release of the following policies. These issues were fixed in Windows 10, version 1709:
                            • Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts
                            • Start/HideAppList| From 4cfe1cc2a020a58fc17986a22f2ed0bc008f903d Mon Sep 17 00:00:00 2001 From: Anders Ahl <58516456+GenerAhl@users.noreply.github.com> Date: Wed, 23 Feb 2022 17:26:01 +0100 Subject: [PATCH 44/68] Update update-compliance-configuration-script.md Sorted the error codes in numerical order. Also noticed that there are two "12" with different error messages?!?! --- .../update-compliance-configuration-script.md | 36 +++++++++---------- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/windows/deployment/update/update-compliance-configuration-script.md b/windows/deployment/update/update-compliance-configuration-script.md index 3bd9ab7dd2..3a3ce84428 100644 --- a/windows/deployment/update/update-compliance-configuration-script.md +++ b/windows/deployment/update/update-compliance-configuration-script.md @@ -55,32 +55,31 @@ Open `RunConfig.bat` and configure the following (assuming a first-run, with `ru |Error |Description | |---------|---------| -| 27 | Not system account. | -| 37 | Unexpected exception when collecting logs| | 1 | General unexpected error| | 6 | Invalid CommercialID| -| 48 | CommercialID is not a GUID| | 8 | Couldn't create registry key path to setup CommercialID| | 9 | Couldn't write CommercialID at registry key path| -| 53 | There are conflicting CommercialID values.| | 11 | Unexpected result when setting up CommercialID.| -| 62 | AllowTelemetry registry key is not of the correct type REG_DWORD| -| 63 | AllowTelemetry is not set to the appropriate value and it could not be set by the script.| -| 64 | AllowTelemetry is not of the correct type REG_DWORD.| -| 99 | Device is not Windows 10.| -| 40 | Unexpected exception when checking and setting telemetry.| | 12 | CheckVortexConnectivity failed, check Log output for more information.| | 12 | Unexpected failure when running CheckVortexConnectivity.| -| 66 | Failed to verify UTC connectivity and recent uploads.| -| 67 | Unexpected failure when verifying UTC CSP.| +| 16 | Reboot is pending on device, restart device and restart script.| +| 17 | Unexpected exception in CheckRebootRequired.| +| 27 | Not system account. | +| 30 | Unable to disable Enterprise Auth Proxy. This registry value must be 0 for UTC to operate in an authenticated proxy environment.| +| 34 | Unexpected exception when attempting to check Proxy settings.| +| 35 | Unexpected exception when checking User Proxy.| +| 37 | Unexpected exception when collecting logs| +| 40 | Unexpected exception when checking and setting telemetry.| | 41 | Unable to impersonate logged-on user.| | 42 | Unexpected exception when attempting to impersonate logged-on user.| | 43 | Unexpected exception when attempting to impersonate logged-on user.| -| 16 | Reboot is pending on device, restart device and restart script.| -| 17 | Unexpected exception in CheckRebootRequired.| | 44 | Error when running CheckDiagTrack service.| | 45 | DiagTrack.dll not found.| +| 48 | CommercialID is not a GUID| | 50 | DiagTrack service not running.| +| 51 | Unexpected exception when attempting to run Census.exe| +| 52 | Could not find Census.exe| +| 53 | There are conflicting CommercialID values.| | 54 | Microsoft Account Sign In Assistant (MSA) Service disabled.| | 55 | Failed to create new registry path for SetDeviceNameOptIn| | 56 | Failed to create property for SetDeviceNameOptIn at registry path| @@ -89,12 +88,13 @@ Open `RunConfig.bat` and configure the following (assuming a first-run, with `ru | 59 | Failed to delete LastPersistedEventTimeOrFirstBoot property at registry path when attempting to clean up OneSettings.| | 60 | Failed to delete registry key when attempting to clean up OneSettings.| | 61 | Unexpected exception when attempting to clean up OneSettings.| -| 52 | Could not find Census.exe| -| 51 | Unexpected exception when attempting to run Census.exe| -| 34 | Unexpected exception when attempting to check Proxy settings.| -| 30 | Unable to disable Enterprise Auth Proxy. This registry value must be 0 for UTC to operate in an authenticated proxy environment.| -| 35 | Unexpected exception when checking User Proxy.| +| 62 | AllowTelemetry registry key is not of the correct type REG_DWORD| +| 63 | AllowTelemetry is not set to the appropriate value and it could not be set by the script.| +| 64 | AllowTelemetry is not of the correct type REG_DWORD.| +| 66 | Failed to verify UTC connectivity and recent uploads.| +| 67 | Unexpected failure when verifying UTC CSP.| | 91 | Failed to create new registry path for EnableAllowUCProcessing| | 92 | Failed to create property for EnableAllowUCProcessing at registry path| | 93 | Failed to update value for EnableAllowUCProcessing| | 94 | Unexpected exception in EnableAllowUCProcessing| +| 99 | Device is not Windows 10.| From dfd10d661cf4f8bcd1f4bcd068b444167941d03e Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 24 Feb 2022 17:42:44 +0530 Subject: [PATCH 45/68] Acrolinx --- .../mdm/clientcertificateinstall-csp.md | 38 ++++++------ .../mdm/cm-cellularentries-csp.md | 24 +++---- windows/client-management/mdm/cmpolicy-csp.md | 6 +- .../mdm/cmpolicyenterprise-csp.md | 12 ++-- .../mdm/customdeviceui-csp.md | 6 +- windows/client-management/mdm/defender-csp.md | 62 +++++++++---------- .../mdm/devicemanageability-csp.md | 8 +-- .../client-management/mdm/devicestatus-csp.md | 50 +++++++-------- windows/client-management/mdm/devinfo-csp.md | 12 ++-- .../diagnose-mdm-failures-in-windows-10.md | 8 +-- .../mdm/diagnosticlog-csp.md | 58 ++++++++--------- windows/client-management/mdm/dmacc-csp.md | 36 +++++------ .../mdm/dmsessionactions-csp.md | 4 +- .../mdm/dynamicmanagement-csp.md | 6 +- .../mdm/eap-configuration.md | 26 ++++---- .../mdm/enable-admx-backed-policies-in-mdm.md | 12 ++-- ...device-automatically-using-group-policy.md | 50 +++++++-------- 17 files changed, 209 insertions(+), 209 deletions(-) diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md index 1a39403fad..77cebf5d49 100644 --- a/windows/client-management/mdm/clientcertificateinstall-csp.md +++ b/windows/client-management/mdm/clientcertificateinstall-csp.md @@ -16,14 +16,14 @@ ms.date: 07/30/2021 The ClientCertificateInstall configuration service provider enables the enterprise to install client certificates. A client certificate has a unique ID, which is the *\[UniqueID\]* for this configuration. Each client certificate must have different UniqueIDs for the SCEP enrollment request. -For PFX certificate installation and SCEP installation, the SyncML commands must be wrapped in atomic commands to ensure enrollment execution is not triggered until all settings are configured. The Enroll command must be the last item in the atomic block. +For PFX certificate installation and SCEP installation, the SyncML commands must be wrapped in atomic commands to ensure enrollment execution isn't triggered until all settings are configured. The Enroll command must be the last item in the atomic block. > [!Note] > Currently in Windows 10, version 1511, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue. You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail. -The following shows the ClientCertificateInstall configuration service provider in tree format. +The following example shows the ClientCertificateInstall configuration service provider in tree format. ``` ./Vendor/MSFT ClientCertificateInstall @@ -95,19 +95,19 @@ The data type is an integer corresponding to one of the following values: | Value | Description | |-------|---------------------------------------------------------------------------------------------------------------| | 1 | Install to TPM if present, fail if not present. | -| 2 | Install to TPM if present. If not present, fallback to software. | +| 2 | Install to TPM if present. If not present, fall back to software. | | 3 | Install to software. | | 4 | Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified | **ClientCertificateInstall/PFXCertInstall/*UniqueID*/ContainerName** -Optional. Specifies the Windows Hello for Business (formerly known as Microsoft Passport for Work) container name (if Windows Hello for Business storage provider (KSP) is chosen for the KeyLocation). If this node is not specified when Windows Hello for Business KSP is chosen, enrollment will fail. +Optional. Specifies the Windows Hello for Business (formerly known as Microsoft Passport for Work) container name (if Windows Hello for Business storage provider (KSP) is chosen for the KeyLocation). If this node isn't specified when Windows Hello for Business KSP is chosen, enrollment will fail. Date type is string. Supported operations are Get, Add, Delete, and Replace. **ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertBlob** -CRYPT_DATA_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. The Add operation triggers the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, KeyExportable) are present before this is called. This also sets the Status node to the current Status of the operation. +CRYPT_DATA_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. The Add operation triggers the addition to the PFX certificate. This Add operation requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, KeyExportable) are present before the Add operation is called. This trigger for addition also sets the Status node to the current Status of the operation. The data type format is binary. @@ -115,7 +115,7 @@ Supported operations are Get, Add, and Replace. If a blob already exists, the Add operation will fail. If Replace is called on this node, the existing certificates are overwritten. -If Add is called on this node for a new PFX, the certificate will be added. When a certificate does not exist, Replace operation on this node will fail. +If Add is called on this node for a new PFX, the certificate will be added. When a certificate doesn't exist, Replace operation on this node will fail. In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate CRYPT_DATA_BLOB, which can be found in CRYPT_INTEGER_BLOB. @@ -131,7 +131,7 @@ Optional. Used to specify whether the PFX certificate password is encrypted with The data type is int. Valid values: -- 0 - Password is not encrypted. +- 0 - Password isn't encrypted. - 1 - Password is encrypted with the MDM certificate. - 2 - Password is encrypted with custom certificate. @@ -140,7 +140,7 @@ When PFXCertPasswordEncryptionType =2, you must specify the store name in PFXCer Supported operations are Get, Add, and Replace. **ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXKeyExportable** -Optional. Used to specify if the private key installed is exportable (and can be exported later). The PFX is not exportable when it is installed to TPM. +Optional. Used to specify if the private key installed is exportable (and can be exported later). The PFX isn't exportable when it's installed to TPM. > [!Note] > You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail. @@ -185,7 +185,7 @@ A node required for SCEP certificate enrollment. Parent node to group SCEP cert Supported operations are Get, Add, Replace, and Delete. > [!Note] -> Although the child nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values that are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted, as it will impact the current enrollment underway. The server should check the Status node value and make sure the device is not at an unknown state before changing child node values. +> Although the child nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values that are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted, as it will impact the current enrollment underway. The server should check the Status node value and ensure the device isn't at an unknown state before changing child node values. **ClientCertificateInstall/SCEP/*UniqueID*/Install/ServerURL** Required for SCEP certificate enrollment. Specifies the certificate enrollment server. Multiple server URLs can be listed, separated by semicolons. @@ -211,9 +211,9 @@ Supported operations are Get, Add, Delete, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectName** Required. Specifies the subject name. -The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: (“,” “=” “+” “;” ). +The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: (“,” “=” “+” “;”). -For more details, see [CertNameToStrA function](/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks). +For more information, see [CertNameToStrA function](/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks). Data type is string. @@ -223,7 +223,7 @@ Supported operations are Add, Get, and Replace. Optional. Specifies where to keep the private key. > [!Note] -> Even if the private key is protected by TPM, it is not protected with a TPM PIN. +> Even if the private key is protected by TPM, it isn't protected with a TPM PIN. The data type is an integer corresponding to one of the following values: @@ -298,14 +298,14 @@ Data type is string. Supported operations are Add, Get, Delete, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/Install/CAThumbprint** -Required. Specifies Root CA thumbprint. This is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks the CA certificate from the SCEP server to verify a match with this certificate. If it is not a match, the authentication will fail. +Required. Specifies Root CA thumbprint. This thumbprint is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks the CA certificate from the SCEP server to verify a match with this certificate. If it isn't a match, the authentication will fail. Data type is string. Supported operations are Add, Get, Delete, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectAlternativeNames** -Optional. Specifies subject alternative names (SAN). Multiple alternative names can be specified by this node. Each name is the combination of name format+actual name. Refer to the name type definitions in MSDN for more information. +Optional. Specifies subject alternative names (SAN). Multiple alternative names can be specified by this node. Each name is the combination of name format+actual name. For more information, see the name type definitions in MSDN. Each pair is separated by semicolon. For example, multiple SANs are presented in the format of [name format1]+[actual name1];[name format 2]+[actual name2]. @@ -330,7 +330,7 @@ Valid values are: Supported operations are Add, Get, Delete, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriodUnits** -Optional. Specifies the desired number of units used in the validity period. This is subject to SCEP server configuration. Default value is 0. The unit type (days, months, or years) are defined in the ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in the certificate template. For example, if ValidPeriod is Days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. +Optional. Specifies the desired number of units used in the validity period. This number is subject to SCEP server configuration. Default value is 0. The unit type (days, months, or years) is defined in the ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in the certificate template. For example, if ValidPeriod is Days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. Data type is string. @@ -340,7 +340,7 @@ Data type is string. Supported operations are Add, Get, Delete, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/Install/ContainerName** -Optional. Specifies the Windows Hello for Business container name (if Windows Hello for Business KSP is chosen for the node). If this node is not specified when Windows Hello for Business KSP is chosen, the enrollment will fail. +Optional. Specifies the Windows Hello for Business container name (if Windows Hello for Business KSP is chosen for the node). If this node isn't specified when Windows Hello for Business KSP is chosen, the enrollment will fail. Data type is string. @@ -354,7 +354,7 @@ Data type is string. Supported operations are Add, Get, Delete, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/Install/Enroll** -Required. Triggers the device to start the certificate enrollment. The device will not notify MDM server after certificate enrollment is done. The MDM server could later query the device to find out whether new certificate is added. +Required. Triggers the device to start the certificate enrollment. The device won't notify MDM server after certificate enrollment is done. The MDM server could later query the device to find out whether new certificate is added. The date type format is Null, meaning this node doesn’t contain a value. @@ -368,9 +368,9 @@ Data type is string. Supported operations are Add, Get, Delete, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/CertThumbprint** -Optional. Specifies the current certificate’s thumbprint if certificate enrollment succeeds. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. +Optional. Specifies the current certificate’s thumbprint if certificate enrollment succeeds. It's a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. -If the certificate on the device becomes invalid (Cert expired, Cert chain is not valid, private key deleted) then it will return an empty string. +If the certificate on the device becomes invalid (Cert expired, Cert chain isn't valid, private key deleted) then it will return an empty string. Data type is string. diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md index 7886a382f6..5d1db70846 100644 --- a/windows/client-management/mdm/cm-cellularentries-csp.md +++ b/windows/client-management/mdm/cm-cellularentries-csp.md @@ -18,7 +18,7 @@ The CM\_CellularEntries configuration service provider is used to configure the This configuration service provider requires the ID\_CAP\_NETWORKING\_ADMIN capability to be accessed from a network configuration application. -The following shows the CM\_CellularEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider. +The following example shows the CM\_CellularEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol isn't supported with this configuration service provider. ```console CM_CellularEntries @@ -56,9 +56,9 @@ CM_CellularEntries **AlwaysOn**

                              Type: Int. Specifies if the Connection Manager will automatically attempt to connect to the APN when a connection is available. -

                              A value of "0" specifies that AlwaysOn is not supported, and the Connection Manager will only attempt to connect to the APN when an application requests the connection. This setting is recommended for applications that use a connection occasionally, for example, an APN that only controls MMS. +

                              A value of "0" specifies that AlwaysOn isn't supported, and the Connection Manager will only attempt to connect to the APN when an application requests the connection. This setting is recommended for applications that use a connection occasionally, for example, an APN that only controls MMS. -

                              A value of "1" specifies that AlwaysOn is supported, and the Connection Manager will automatically attempt to connect to the APN when it is available. This setting is recommended for general purpose Internet APNs. +

                              A value of "1" specifies that AlwaysOn is supported, and the Connection Manager will automatically attempt to connect to the APN when it's available. This setting is recommended for general purpose Internet APNs.

                              There must be at least one AlwaysOn Internet connection provisioned for the mobile operator. @@ -112,7 +112,7 @@ CM_CellularEntries

                              A value of "0" specifies that the connection can be used for any general Internet communications. A value of "1" specifies that the connection is only used if a mapping policy is present. -

                              For example, if the multimedia messaging service (MMS) APN should not have any other traffic except MMS, you can configure a mapping policy that sends MMS traffic to this connection. Then, you set the value of UseRequiresMappingsPolicy to be equal to "1" and Connection Manager will only use the connection for MMS traffic. Without this, Connection Manager will try to use the connection for any general purpose Internet traffic. +

                              For example, if the multimedia messaging service (MMS) APN shouldn't have any other traffic except MMS, you can configure a mapping policy that sends MMS traffic to this connection. Then, you set the value of UseRequiresMappingsPolicy to be equal to "1" and Connection Manager will only use the connection for MMS traffic. Without this, Connection Manager will try to use the connection for any general purpose Internet traffic. **Version**

                              Type: Int. Specifies the XML version number and is used to verify that the XML is supported by Connection Manager's configuration service provider. @@ -133,13 +133,13 @@ CM_CellularEntries - 5 - Roaming only. **OEMConnectionID** -

                              Optional. Type: GUID. Specifies a GUID to use to identify a specific connection in the modem. If a value is not specified, the default value is 00000000-0000-0000-0000-000000000000. This parameter is only used on LTE devices. +

                              Optional. Type: GUID. Specifies a GUID to use to identify a specific connection in the modem. If a value isn't specified, the default value is 00000000-0000-0000-0000-000000000000. This parameter is only used on LTE devices. **ApnId** -

                              Optional. Type: Int. Specifies the purpose of the APN. If a value is not specified, the default value is "0" (none). This parameter is only used on LTE devices. +

                              Optional. Type: Int. Specifies the purpose of the APN. If a value isn't specified, the default value is "0" (none). This parameter is only used on LTE devices. **IPType** -

                              Optional. Type: String. Specifies the network protocol of the connection. Available values are "IPv4", "IPv6", "IPv4v6", and "IPv4v6xlat". If a value is not specified, the default value is "IPv4". +

                              Optional. Type: String. Specifies the network protocol of the connection. Available values are "IPv4", "IPv6", "IPv4v6", and "IPv4v6xlat". If a value isn't specified, the default value is "IPv4". > [!WARNING] > Do not use IPv6 or IPv4v6xlat on a device or network that does not support IPv6. Data functionality will not work. In addition, the device will not be able to connect to a roaming network that does not support IPv6 unless you configure roaming connections with an IPType of IPv4v6. @@ -147,9 +147,9 @@ CM_CellularEntries **ExemptFromDisablePolicy** -

                              Added back in Windows 10, version 1511. Optional. Type: Int. This should only be specified for special purpose connections whose applications directly manage their disable state (such as MMS). A value of "0" specifies that the connection is subject to the disable policy used by general purpose connections (not exempt). A value of "1" specifies that the connection is exempt. If a value is not specified, the default value is "0" (not exempt). +

                              Added back in Windows 10, version 1511. Optional. Type: Int. This value should only be specified for special purpose connections whose applications directly manage their disable state (such as MMS). A value of "0" specifies that the connection is subject to the disable policy used by general purpose connections (not exempt). A value of "1" specifies that the connection is exempt. If a value isn't specified, the default value is "0" (not exempt). -

                              To allow MMS when data is set to OFF, set both ExemptFromDisablePolicy and UseRequiresMappingsPolicy to "1". This indicates that the connection is a dedicated MMS connection and that it should not be disabled when all other connections are disabled. As a result, MMS can be sent and received when data is set to OFF. Note that sending MMS while roaming is still not allowed. +

                              To allow MMS when data is set to OFF, set both ExemptFromDisablePolicy and UseRequiresMappingsPolicy to "1". These settings indicates that the connection is a dedicated MMS connection and that it shouldn't be disabled when all other connections are disabled. As a result, MMS can be sent and received when data is set to OFF. Sending MMS while roaming is still not allowed. > [!IMPORTANT] > Do not set ExemptFromDisablePolicy to "1", ExemptFromRoaming to "1", or UseRequiresMappingsPolicy to "1" for general purpose connections. @@ -162,16 +162,16 @@ CM_CellularEntries **ExemptFromRoaming** -

                              Added back in Windows 10, version 1511. Optional. Type: Int. This should be specified only for special purpose connections whose applications directly manage their roaming state. It should never be used with general purpose connections. A value of "0" specifies that the connection is subject to the roaming policy (not exempt). A value of "1" specifies that the connection is exempt (unaffected by the roaming policy). If a value is not specified, the default value is "0" (not exempt). +

                              Added back in Windows 10, version 1511. Optional. Type: Int. This value should be specified only for special purpose connections whose applications directly manage their roaming state. It should never be used with general purpose connections. A value of "0" specifies that the connection is subject to the roaming policy (not exempt). A value of "1" specifies that the connection is exempt (unaffected by the roaming policy). If a value isn't specified, the default value is "0" (not exempt). **TetheringNAI** -

                              Optional. Type: Int. CDMA only. Specifies if the connection is a tethering connection. A value of "0" specifies that the connection is not a tethering connection. A value of "1" specifies that the connection is a tethering connection. If a value is not specified, the default value is "0". +

                              Optional. Type: Int. CDMA only. Specifies if the connection is a tethering connection. A value of "0" specifies that the connection isn't a tethering connection. A value of "1" specifies that the connection is a tethering connection. If a value isn't specified, the default value is "0". **IdleDisconnectTimeout**

                              Optional. Type: Int. Specifies how long an on-demand connection can be unused before Connection Manager tears the connection down. This value is specified in seconds. Valid value range is 5 to 60 seconds. If not specified, the default is 30 seconds. > [!IMPORTANT] ->

                              You must specify the IdleDisconnectTimeout value when updating an on-demand connection to ensure that the desired value is still configured. If it is not specified, the default value of 30 seconds may be used. +>

                              You must specify the IdleDisconnectTimeout value when updating an on-demand connection to ensure that the desired value is still configured. If it isn't specified, the default value of 30 seconds may be used. > [!NOTE] diff --git a/windows/client-management/mdm/cmpolicy-csp.md b/windows/client-management/mdm/cmpolicy-csp.md index a9652c71d0..c23a98cffc 100644 --- a/windows/client-management/mdm/cmpolicy-csp.md +++ b/windows/client-management/mdm/cmpolicy-csp.md @@ -23,7 +23,7 @@ The CMPolicy configuration service provider defines rules that the Connection Ma Each policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicy configuration service provider can have multiple policies -**Policy Ordering**: There is no explicit ordering of policies. The general rule is that the most concrete or specific policy mappings take a higher precedence. +**Policy Ordering**: There's no explicit ordering of policies. The general rule is that the most concrete or specific policy mappings take a higher precedence. **Default Policies**: Policies are applied in order of their scope with the most specific policies considered before the more general policies. The phone’s default behavior applies to all applications and all domains and is only used when no other, more specific policy is available. The default policy is to use any available Wi-Fi network first and then any available APN. @@ -67,12 +67,12 @@ The following list describes the available mapping policy types: **Host** Specifies the name of a host pattern. The host name is matched to the connection request to select the right policy to use. -The host pattern can have two wild cards, "\*" and "+". The host pattern is not a URL pattern and there is no concept of transport or paths on the specific host. For example, the host pattern might be "\*.host\_name.com" to match any prefix to the host\_name.com domains. The host pattern will match "www.host\_name.com" and "mail.host\_name.com", but it will not match "host\_name.com". +The host pattern can have two wild cards, "\*" and "+". The host pattern isn't a URL pattern and there's no concept of transport or paths on the specific host. For example, the host pattern might be "\*.host\_name.com" to match any prefix to the host\_name.com domains. The host pattern will match "www.host\_name.com" and "mail.host\_name.com", but it will not match "host\_name.com". **OrderedConnections** Specifies whether the list of connections is in preference order. -A value of "0" specifies that the connections are not listed in order of preference. A value of "1" indicates that the listed connections are in order of preference. +A value of "0" specifies that the connections aren't listed in order of preference. A value of "1" indicates that the listed connections are in order of preference. **Conn***XXX* Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three digits, which increment starting from "000". For example, a policy, which applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004". diff --git a/windows/client-management/mdm/cmpolicyenterprise-csp.md b/windows/client-management/mdm/cmpolicyenterprise-csp.md index d843207762..2d2469af91 100644 --- a/windows/client-management/mdm/cmpolicyenterprise-csp.md +++ b/windows/client-management/mdm/cmpolicyenterprise-csp.md @@ -24,7 +24,7 @@ The CMPolicyEnterprise configuration service provider is used by the enterprise Each policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicyEnterprise configuration service provider can have multiple policies -**Policy Ordering**: There is no explicit ordering of policies. The general rule is that the most concrete or specific policy mappings take a higher precedence. +**Policy Ordering**: There's no explicit ordering of policies. The general rule is that the most concrete or specific policy mappings take a higher precedence. **Default Policies**: Policies are applied in order of their scope with the most specific policies considered before the more general policies. The phone’s default behavior applies to all applications and all domains and is only used when no other, more specific policy is available. The default policy is to use any available Wi-Fi network first and then any available APN. @@ -67,15 +67,15 @@ The following list describes the available mapping policy types: **Host** Specifies the name of a host pattern. The host name is matched to the connection request to select the right policy to use. -The host pattern can have two wild cards, "\*" and "+". The host pattern is not a URL pattern and there is no concept of transport or paths on the specific host. For example, the host pattern might be "\*.host\_name.com" to match any prefix to the host\_name.com domains. The host pattern will match "www.host\_name.com" and "mail.host\_name.com", but it will not match "host\_name.com". +The host pattern can have two wild cards, "\*" and "+". The host pattern isn't a URL pattern and there's no concept of transport or paths on the specific host. For example, the host pattern might be "\*.host\_name.com" to match any prefix to the host\_name.com domains. The host pattern will match "www.host\_name.com" and "mail.host\_name.com", but it will not match "host\_name.com". **OrderedConnections** Specifies whether the list of connections is in preference order. -A value of "0" specifies that the connections are not listed in order of preference. A value of "1" indicates that the listed connections are in order of preference. +A value of "0" specifies that the connections aren't listed in order of preference. A value of "1" indicates that the listed connections are in order of preference. **Conn***XXX* -Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three digits which increment starting from "000". For example, a policy which applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004". +Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three digits that increment starting from "000". For example, a policy applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004". **ConnectionID** Specifies a unique identifier for a connection within a group of connections. The exact value is based on the Type parameter. @@ -110,8 +110,8 @@ For `CMST_CONNECTION_NETWORK_TYPE`, specify the GUID for the desired network typ |HSPA HSUPA|{1536A1C6-A4AF-423C-8884-6BDDA3656F84}| |LTE|{B41CBF43-6994-46FF-9C2F-D6CA6D45889B}| |EHRPD|{7CFA04A5-0F3F-445C-88A4-C86ED2AD94EA}| -|Ethernet 10Mbps|{97D3D1B3-854A-4C32-BD1C-C13069078370}| -|Ethernet 100Mbps|{A8F4FE66-8D04-43F5-9DD2-2A85BD21029B}| +|Ethernet 10 Mbps|{97D3D1B3-854A-4C32-BD1C-C13069078370}| +|Ethernet 100 Mbps|{A8F4FE66-8D04-43F5-9DD2-2A85BD21029B}| |Ethernet Gbps|{556C1E6B-B8D4-448E-836D-9451BA4CCE75}| For `CMST_CONNECTION_DEVICE_TYPE`, specify the GUID for the desired device type. The curly brackets {} around the GUID are required. The following device types are available: diff --git a/windows/client-management/mdm/customdeviceui-csp.md b/windows/client-management/mdm/customdeviceui-csp.md index 7a4eb3b5e1..1a0f77c9ed 100644 --- a/windows/client-management/mdm/customdeviceui-csp.md +++ b/windows/client-management/mdm/customdeviceui-csp.md @@ -14,8 +14,8 @@ ms.date: 06/26/2017 # CustomDeviceUI CSP -The CustomDeviceUI configuration service provider allows OEMs to implement their custom foreground application, as well as the background tasks to run on an IoT device running IoT Core. Only one foreground application is supported per device. Multiple background tasks are supported. -The following shows the CustomDeviceUI configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning. +The CustomDeviceUI configuration service provider allows OEMs to implement their custom foreground application, and the background tasks to run on an IoT device running IoT Core. Only one foreground application is supported per device. Multiple background tasks are supported. +The following example shows the CustomDeviceUI configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning. > [!NOTE] > This configuration service provider only applies to Windows 10 IoT Core (IoT Core). @@ -38,7 +38,7 @@ AppID string value is the default appid/AUMID to launch during startup. The supp List of package names of background tasks that need to be launched on device startup. The supported operation is Get. **BackgroundTasksToLaunch/***BackgroundTaskPackageName* -Package Full Name of the App that needs be launched in the background. This can contain no entry points, a single entry point, or multiple entry points. The supported operations are Add, Delete, Get, and Replace. +Package Full Name of the application that needs to be launched in the background. This application can contain no entry points, a single entry point, or multiple entry points. The supported operations are Add, Delete, Get, and Replace. ## SyncML examples diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index ef25d5205b..779212c73e 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -20,7 +20,7 @@ ms.date: 02/22/2022 The Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise. -The following shows the Windows Defender configuration service provider in tree format. +The following example shows the Windows Defender configuration service provider in tree format. ``` ./Vendor/MSFT Defender @@ -97,7 +97,7 @@ The data type is a string. Supported operation is Get. **Detections/*ThreatId*/URL** -URL link for additional threat information. +URL link for more threat information. The data type is a string. @@ -255,9 +255,9 @@ Supported operation is Get. The Network Protection Service is a network filter that helps to protect you against web-based malicious threats, including phishing and malware. The Network Protection service contacts the SmartScreen URL reputation service to validate the safety of connections to web resources. The acceptable values for this parameter are: -- 0: Disabled. The Network Protection service will not block navigation to malicious websites, or contact the SmartScreen URL reputation service. It will still send connection metadata to the antimalware engine if behavior monitoring is enabled, to enhance AV Detections. +- 0: Disabled. The Network Protection service won't block navigation to malicious websites, or contact the SmartScreen URL reputation service. It will still send connection metadata to the antimalware engine if behavior monitoring is enabled, to enhance AV Detections. - 1: Enabled. The Network Protection service will block connections to malicious websites based on URL Reputation from the SmartScreen URL reputation service. -- 2: AuditMode. As above, but the Network Protection service will not block connections to malicious websites, but will instead log the access to the event log. +- 2: AuditMode. As above, but the Network Protection service won't block connections to malicious websites, but will instead log the access to the event log. Accepted values: Disabled, Enabled, and AuditMode Position: Named @@ -267,7 +267,7 @@ Accept wildcard characters: False **EnableNetworkProtection/AllowNetworkProtectionDownLevel** -By default, network protection is not allowed to be enabled on Windows versions before 1709, regardless of the setting of the EnableNetworkProtection configuration. Set this configuration to "$true" to override that behavior and allow Network Protection to be set to Enabled or Audit Mode. +By default, network protection isn't allowed to be enabled on Windows versions before 1709, regardless of the setting of the EnableNetworkProtection configuration. Set this configuration to "$true" to override that behavior and allow Network Protection to be set to Enabled or Audit Mode. - Type: Boolean - Position: Named - Default value: False @@ -276,7 +276,7 @@ By default, network protection is not allowed to be enabled on Windows versions **EnableNetworkProtection/AllowNetworkProtectionOnWinServer** -By default, network protection is not allowed to be enabled on Windows Server, regardless of the setting of the EnableNetworkProtection configuration. Set this configuration to "$true" to override that behavior and allow Network Protection to be set to Enabled or Audit Mode. +By default, network protection isn't allowed to be enabled on Windows Server, regardless of the setting of the EnableNetworkProtection configuration. Set this configuration to "$true" to override that behavior and allow Network Protection to be set to Enabled or Audit Mode. - Type: Boolean - Position: Named @@ -306,7 +306,7 @@ Network Protection inspects UDP connections allowing us to find malicious DNS or **EnableNetworkProtection/DisableInboundConnectionFiltering** -Network Protection inspects and can block both connections that originate from the host machine, as well as those that originates from outside the machine. To have network connection to inspect only outbound connections, set this configuration to "$true". +Network Protection inspects and can block both connections that originate from the host machine, and those connections that originate from outside the machine. To have network connection to inspect only outbound connections, set this configuration to "$true". - Type: Boolean - Position: Named @@ -316,7 +316,7 @@ Network Protection inspects and can block both connections that originate from t **EnableNetworkProtection/EnableDnsSinkhole** -Network Protection can inspect the DNS traffic of a machine and, in conjunction with behavior monitoring, detect and sink hole DNS exfiltration attempts and other DNS based malicious attacks. Set this configuration to "$true" to enable this feature. +Network Protection can inspect the DNS traffic of a machine and, in conjunction with behavior monitoring, detect and sink hole DNS exfiltration attempts and other DNS-based malicious attacks. Set this configuration to "$true" to enable this feature. - Type: Boolean - Position: Named @@ -326,7 +326,7 @@ Network Protection can inspect the DNS traffic of a machine and, in conjunction **EnableNetworkProtection/DisableDnsOverTcpParsing** -Network Protection inspects DNS traffic that occurs over a TCP channel, to provide metadata for Anti-malware Behavior Monitoring or to allow for DNS sink holing if the -EnableDnsSinkhole configuration is set. This can be disabled by setting this value to "$true". +Network Protection inspects DNS traffic that occurs over a TCP channel, to provide metadata for Anti-malware Behavior Monitoring or to allow for DNS sink holing if the -EnableDnsSinkhole configuration is set. This attribute can be disabled by setting this value to "$true". - Type: Boolean - Position: Named @@ -336,7 +336,7 @@ Network Protection inspects DNS traffic that occurs over a TCP channel, to provi **EnableNetworkProtection/DisableDnsParsing** -Network Protection inspects DNS traffic that occurs over a UDP channel, to provide metadata for Anti-malware Behavior Monitoring or to allow for DNS sink holing if the -EnableDnsSinkhole configuration is set. This can be disabled by setting this value to "$true". +Network Protection inspects DNS traffic that occurs over a UDP channel, to provide metadata for Anti-malware Behavior Monitoring or to allow for DNS sink holing if the -EnableDnsSinkhole configuration is set. This attribute can be disabled by setting this value to "$true". - Type: Boolean - Position: Named @@ -390,7 +390,7 @@ An interior node to group information about Windows Defender health status. Supported operation is Get. **Health/ProductStatus** -Added in Windows 10, version 1809. Provide the current state of the product. This is a bitmask flag value that can represent one or multiple product states from below list. +Added in Windows 10, version 1809. Provide the current state of the product. This value is a bitmask flag value that can represent one or multiple product states from below list. The data type is integer. Supported operation is Get. @@ -480,7 +480,7 @@ Supported operation is Get. **Health/QuickScanOverdue** Indicates whether a Windows Defender quick scan is overdue for the device. -A Quick scan is overdue when a scheduled Quick scan did not complete successfully for 2 weeks and [catchup Quick scans](./policy-csp-defender.md#defender-disablecatchupquickscan) are disabled (default). +A Quick scan is overdue when a scheduled Quick scan didn't complete successfully for 2 weeks and [catchup Quick scans](./policy-csp-defender.md#defender-disablecatchupquickscan) are disabled (default). The data type is a Boolean. @@ -489,7 +489,7 @@ Supported operation is Get. **Health/FullScanOverdue** Indicates whether a Windows Defender full scan is overdue for the device. -A Full scan is overdue when a scheduled Full scan did not complete successfully for 2 weeks and [catchup Full scans](./policy-csp-defender.md#defender-disablecatchupfullscan) are disabled (default). +A Full scan is overdue when a scheduled Full scan didn't complete successfully for 2 weeks and [catchup Full scans](./policy-csp-defender.md#defender-disablecatchupfullscan) are disabled (default). The data type is a Boolean. @@ -585,30 +585,30 @@ An interior node to group Windows Defender configuration information. Supported operation is Get. **Configuration/TamperProtection** -Tamper protection helps protect important security features from unwanted changes and interference. This includes real-time protection, behavior monitoring, and more. Accepts signed string to turn the feature on or off. Settings are configured with an MDM solution, such as Intune and is available in Windows 10 Enterprise E5 or equivalent subscriptions. +Tamper protection helps protect important security features from unwanted changes and interference. This protection includes real-time protection, behavior monitoring, and more. Accepts signed string to turn the feature on or off. Settings are configured with an MDM solution, such as Intune and is available in Windows 10 Enterprise E5 or equivalent subscriptions. -Send off blob to device to reset tamper protection state before setting this configuration to "not configured" or "unassigned" in Intune. +Send off blob to device to reset the tamper protection state before setting this configuration to "not configured" or "unassigned" in Intune. The data type is a Signed blob. Supported operations are Add, Delete, Get, Replace. Intune tamper protection setting UX supports three states: -- Not configured (default): Does not have any impact on the default state of the device. +- Not configured (default): Doesn't have any impact on the default state of the device. - Enabled: Enables the tamper protection feature. - Disabled: Turns off the tamper protection feature. -When enabled or disabled exists on the client and admin moves the setting to not configured, it will not have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly. +When enabled or disabled exists on the client and admin moves the setting to not configured, it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly. **Configuration/DisableLocalAdminMerge**
                              This policy setting controls whether or not complex list settings configured by a local administrator are merged with managed settings. This setting applies to lists such as threats and exclusions. -If you disable or do not configure this setting, unique items defined in preference settings configured by the local administrator will be merged into the resulting effective policy. In the case of conflicts, management settings will override preference settings. +If you disable or don't configure this setting, unique items defined in preference settings configured by the local administrator will be merged into the resulting effective policy. If conflicts occur, management settings will override preference settings. If you enable this setting, only items defined by management will be used in the resulting effective policy. Managed settings will override preference settings configured by the local administrator. > [!NOTE] -> Applying this setting will not remove exclusions from the device registry, it will only prevent them from being applied/used. This is reflected in **Get-MpPreference**. +> Applying this setting won't remove exclusions from the device registry, it will only prevent them from being applied/used. This is reflected in **Get-MpPreference**. Supported OS versions: Windows 10 @@ -621,14 +621,14 @@ Valid values are: - 0 (default) – Disable. **Configuration/HideExclusionsFromLocalAdmins**
                              -This policy setting controls whether or not exclusions are visible to Local Admins. For end users (that are not Local Admins) exclusions are not visible, whether or not this setting is enabled. +This policy setting controls whether or not exclusions are visible to Local Admins. For end users (that aren't Local Admins) exclusions aren't visible, whether or not this setting is enabled. -If you disable or do not configure this setting, Local Admins will be able to see exclusions in the Windows Security App, in the registry, and via PowerShell. +If you disable or don't configure this setting, Local Admins will be able to see exclusions in the Windows Security App, in the registry, and via PowerShell. If you enable this setting, Local Admins will no longer be able to see the exclusion list in the Windows Security app, in the registry, or via PowerShell. > [!NOTE] -> Applying this setting will not remove exclusions, it will only prevent them from being visible to Local Admins. This is reflected in **Get-MpPreference**. +> Applying this setting won't remove exclusions, it will only prevent them from being visible to Local Admins. This is reflected in **Get-MpPreference**. Supported OS versions: Windows 10 @@ -641,7 +641,7 @@ Valid values are: - 0 (default) – Disable. **Configuration/DisableCpuThrottleOnIdleScans**
                              -Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and will not throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans this flag will have no impact and normal throttling will occur. +Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and won't throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans, this flag will have no impact and normal throttling will occur. The data type is integer. @@ -682,7 +682,7 @@ Supported operations are Add, Delete, Get, Replace. **Configuration/EnableFileHashComputation** Enables or disables file hash computation feature. -When this feature is enabled Windows Defender will compute hashes for files it scans. +When this feature is enabled, Windows Defender will compute hashes for files it scans. The data type is integer. @@ -701,11 +701,11 @@ Supported operations are Add, Delete, Get, Replace. Intune Support log location setting UX supports three states: -- Not configured (default) - Does not have any impact on the default state of the device. +- Not configured (default) - Doesn't have any impact on the default state of the device. - 1 - Enabled. Enables the Support log location feature. Requires admin to set custom file path. - 0 - Disabled. Turns off the Support log location feature. -When enabled or disabled exists on the client and admin moves the setting to not configured, it will not have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly. +When enabled or disabled exists on the client and admin moves the setting to be configured not , it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly. More details: @@ -725,7 +725,7 @@ Current Channel (Broad): Devices will be offered updates only after the gradual Critical: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only -If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. +If you disable or don't configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. The data type is integer. @@ -758,7 +758,7 @@ Current Channel (Broad): Devices will be offered updates only after the gradual Critical: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only -If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. +If you disable or don't configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. The data type is integer. @@ -784,7 +784,7 @@ Current Channel (Staged): Devices will be offered updates after the release cycl Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). -If you disable or do not configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices. +If you disable or don't configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices. The data type is integer. Supported operations are Add, Delete, Get, Replace. @@ -801,12 +801,12 @@ More details: **Configuration/DisableGradualRelease** Enable this policy to disable gradual rollout of monthly and daily Microsoft Defender updates. -Devices will be offered all Microsoft Defender updates after the gradual release cycle completes. This is best for datacenters that only receive limited updates. +Devices will be offered all Microsoft Defender updates after the gradual release cycle completes. This facility for devices is best for datacenters that only receive limited updates. > [!NOTE] > This setting applies to both monthly as well as daily Microsoft Defender updates and will override any previously configured channel selections for platform and engine updates. -If you disable or do not configure this policy, the device will remain in Current Channel (Default) unless specified otherwise in specific channels for platform and engine updates. Stay up to date automatically during the gradual release cycle. Suitable for most devices. +If you disable or don't configure this policy, the device will remain in Current Channel (Default) unless specified otherwise in specific channels for platform and engine updates. Stay up to date automatically during the gradual release cycle. Suitable for most devices. The data type is integer. diff --git a/windows/client-management/mdm/devicemanageability-csp.md b/windows/client-management/mdm/devicemanageability-csp.md index c964ed065c..9768af70a3 100644 --- a/windows/client-management/mdm/devicemanageability-csp.md +++ b/windows/client-management/mdm/devicemanageability-csp.md @@ -17,9 +17,9 @@ ms.date: 11/01/2017 The DeviceManageability configuration service provider (CSP) is used to retrieve the general information about MDM configuration capabilities on the device. This CSP was added in Windows 10, version 1607. -For performance reasons, DeviceManageability CSP directly reads the CSP version from the registry. Specifically, the value csp\_version is used to determine each of the CSP versions. The csp\_version is a value under each of the CSP registration keys. To have consistency on the CSP version, the CSP GetProperty implementation for CFGMGR\_PROPERTY\_SEMANTICTYPE has to be updated to read from the registry as well, so that the both paths return the same information. +For performance reasons, DeviceManageability CSP directly reads the CSP version from the registry. Specifically, the value csp\_version is used to determine each of the CSP versions. The csp\_version is a value under each of the CSP registration keys. To have consistency on the CSP version, the CSP GetProperty implementation for CFGMGR\_PROPERTY\_SEMANTICTYPE has to be updated to read from the registry as well, so that both the paths return the same information. -The following shows the DeviceManageability configuration service provider in a tree format. +The following example shows the DeviceManageability configuration service provider in a tree format. ``` ./Device/Vendor/MSFT DeviceManageability @@ -46,14 +46,14 @@ Added in Windows 10, version 1709. Interior node. Added in Windows 10, version 1709. Provider ID of the configuration source. ProviderID should be unique among the different config sources. **Provider/_ProviderID_/ConfigInfo** -Added in Windows 10, version 1709. Configuration information string value set by the configuration source. Recommended to be used during sync session. +Added in Windows 10, version 1709. Configuration information string value set by the configuration source. Recommended to use during sync session. ConfigInfo value can only be set by the provider that owns the ProviderID. The value is readable by other config sources. Data type is string. Supported operations are Add, Get, Delete, and Replace. **Provider/_ProviderID_/EnrollmentInfo** -Added in Windows 10, version 1709. Enrollment information string value set by the configuration source and sent during MDM enrollment. It is readable by MDM server during sync session. +Added in Windows 10, version 1709. Enrollment information string value set by the configuration source and sent during MDM enrollment. It's readable by MDM server during sync session. Data type is string. Supported operations are Add, Get, Delete, and Replace.  diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md index f87acbed2e..17cb3d7424 100644 --- a/windows/client-management/mdm/devicestatus-csp.md +++ b/windows/client-management/mdm/devicestatus-csp.md @@ -17,7 +17,7 @@ ms.date: 06/25/2021 The DeviceStatus configuration service provider is used by the enterprise to keep track of device inventory and query the state of compliance of these devices with their enterprise policies. -The following shows the DeviceStatus configuration service provider in tree format. +The following example shows the DeviceStatus configuration service provider in tree format. ``` ./Vendor/MSFT DeviceStatus @@ -67,7 +67,7 @@ DeviceStatus The root node for the DeviceStatus configuration service provider. **DeviceStatus/SecureBootState** -Indicates whether secure boot is enabled. The value is one of the following: +Indicates whether secure boot is enabled. The value is one of the following values: - 0 - Not supported - 1 - Enabled @@ -136,7 +136,7 @@ Boolean value that indicates whether the network card associated with the MAC ad Supported operation is Get. **DeviceStatus/NetworkIdentifiers/*MacAddress*/Type** -Type of network connection. The value is one of the following: +Type of network connection. The value is one of the following values: - 2 - WLAN (or other Wireless interface) - 1 - LAN (or other Wired interface) @@ -148,7 +148,7 @@ Supported operation is Get. Node for the compliance query. **DeviceStatus/Compliance/EncryptionCompliance** -Boolean value that indicates compliance with the enterprise encryption policy for OS (system) drives. The value is one of the following: +Boolean value that indicates compliance with the enterprise encryption policy for OS (system) drives. The value is one of the following values: - 0 - Not encrypted - 1 - Encrypted @@ -194,9 +194,9 @@ Added in Windows, version 1607. Integer that specifies the status of the antivi Valid values: -- 0 - The security software reports that it is not the most recent version. -- 1 (default) - The security software reports that it is the most recent version. -- 2 – Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesn’t exist.) +- 0 - The security software reports that it isn't the most recent version. +- 1 (default) - The security software reports that it's the most recent version. +- 2 – Not applicable. This value is returned for devices like the phone that don't have an antivirus (where the API doesn’t exist.) Supported operation is Get. @@ -213,9 +213,9 @@ Valid values: - 0 – Antivirus is on and monitoring. - 1 – Antivirus is disabled. -- 2 – Antivirus is not monitoring the device/PC or some options have been turned off. +- 2 – Antivirus isn't monitoring the device/PC or some options have been turned off. - 3 (default) – Antivirus is temporarily not completely monitoring the device/PC. -- 4 – Antivirus not applicable for this device. This is returned for devices like the phone that do not have an antivirus (where the API doesn’t exist.) +- 4 – Antivirus not applicable for this device. This value is returned for devices like the phone that don't have an antivirus (where the API doesn’t exist.) Supported operation is Get. @@ -229,9 +229,9 @@ Added in Windows, version 1607. Integer that specifies the status of the antisp Valid values: -- 0 - The security software reports that it is not the most recent version. -- 1 - The security software reports that it is the most recent version. -- 2 - Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesn’t exist.) +- 0 - The security software reports that it isn't the most recent version. +- 1 - The security software reports that it's the most recent version. +- 2 - Not applicable. This value is returned for devices like the phone that don't have an antivirus (where the API doesn’t exist.) Supported operation is Get. @@ -246,10 +246,10 @@ Added in Windows, version 1607. Integer that specifies the status of the antisp Valid values: -- 0 - The status of the security provider category is good and does not need user attention. -- 1 - The status of the security provider category is not monitored by Windows Security. +- 0 - The status of the security provider category is good and doesn't need user attention. +- 1 - The status of the security provider category isn't monitored by Windows Security. - 2 - The status of the security provider category is poor and the computer may be at risk. -- 3 - The security provider category is in snooze state. Snooze indicates that the Windows Security Service is not actively protecting the computer. +- 3 - The security provider category is in snooze state. Snooze indicates that the Windows Security Service isn't actively protecting the computer. Supported operation is Get. @@ -265,9 +265,9 @@ Valid values: - 0 – Firewall is on and monitoring. - 1 – Firewall has been disabled. -- 2 – Firewall is not monitoring all networks or some rules have been turned off. +- 2 – Firewall isn't monitoring all networks or some rules have been turned off. - 3 (default) – Firewall is temporarily not monitoring all networks. -- 4 – Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesn’t exist.) +- 4 – Not applicable. This value is returned for devices like the phone that don't have an antivirus (where the API doesn’t exist.) Supported operation is Get. @@ -292,21 +292,21 @@ Added in Windows, version 1607. Integer that specifies the status of the batter Supported operation is Get. **DeviceStatus/Battery/EstimatedChargeRemaining** -Added in Windows, version 1607. Integer that specifies the estimated battery charge remaining. This is the value returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](/windows/win32/api/winbase/ns-winbase-system_power_status). +Added in Windows, version 1607. Integer that specifies the estimated battery charge remaining. This value is the one that is returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](/windows/win32/api/winbase/ns-winbase-system_power_status). -The value is the number of seconds of battery life remaining when the device is not connected to an AC power source. When it is connected to a power source, the value is -1. When the estimation is unknown, the value is -1. +The value is the number of seconds of battery life remaining when the device isn't connected to an AC power source. When it's connected to a power source, the value is -1. When the estimation is unknown, the value is -1. Supported operation is Get. **DeviceStatus/Battery/EstimatedRuntime** -Added in Windows, version 1607. Integer that specifies the estimated runtime of the battery. This is the value returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](/windows/win32/api/winbase/ns-winbase-system_power_status). +Added in Windows, version 1607. Integer that specifies the estimated runtime of the battery. This value is the one that is returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](/windows/win32/api/winbase/ns-winbase-system_power_status). -The value is the number of seconds of battery life remaining when the device is not connected to an AC power source. When it is connected to a power source, the value is -1. When the estimation is unknown, the value is -1. +The value is the number of seconds of battery life remaining when the device isn't connected to an AC power source. When it's connected to a power source, the value is -1. When the estimation is unknown, the value is -1. Supported operation is Get. **DeviceStatus/DomainName** -Added in Windows, version 1709. Returns the fully qualified domain name of the device (if any). If the device is not domain-joined, it returns an empty string. +Added in Windows, version 1709. Returns the fully qualified domain name of the device (if any). If the device isn't domain-joined, it returns an empty string. Supported operation is Get. @@ -322,15 +322,15 @@ Added in Windows, version 1709. Virtualization-based security hardware requirem - 0x1: SecureBoot required - 0x2: DMA Protection required - 0x4: HyperV not supported for Guest VM -- 0x8: HyperV feature is not available +- 0x8: HyperV feature isn't available Supported operation is Get. **DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus** -Added in Windows, version 1709. Virtualization-based security status. Value is one of the following: +Added in Windows, version 1709. Virtualization-based security status. Value is one of the following values: - 0 - Running - 1 - Reboot required -- 2 - 64 bit architecture required +- 2 - 64-bit architecture required - 3 - Not licensed - 4 - Not configured - 5 - System doesn't meet hardware requirements diff --git a/windows/client-management/mdm/devinfo-csp.md b/windows/client-management/mdm/devinfo-csp.md index 670c0d736e..ef7c93a036 100644 --- a/windows/client-management/mdm/devinfo-csp.md +++ b/windows/client-management/mdm/devinfo-csp.md @@ -1,6 +1,6 @@ --- title: DevInfo CSP -description: Learn now the DevInfo configuration service provider handles the managed object which provides device information to the OMA DM server. +description: Learn how the DevInfo configuration service provider handles the managed object that provides device information to the OMA DM server. ms.assetid: d3eb70db-1ce9-4c72-a13d-651137c1713c ms.reviewer: manager: dansimp @@ -15,16 +15,16 @@ ms.date: 06/26/2017 # DevInfo CSP -The DevInfo configuration service provider handles the managed object which provides device information to the OMA DM server. This device information is automatically sent to the OMA DM server at the beginning of each OMA DM session. +The DevInfo configuration service provider handles the managed object that provides device information to the OMA DM server. This device information is automatically sent to the OMA DM server at the beginning of each OMA DM session. > [!NOTE] > This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.   -For the DevInfo CSP, you cannot use the Replace command unless the node already exists. +For the DevInfo CSP, you can't use the Replace command unless the node already exists. -The following shows the DevInfo configuration service provider management object in tree format as used by OMA Device Management. The OMA Client provisioning protocol is not supported by this configuration service provider. +The following example shows the DevInfo configuration service provider management object in tree format as used by OMA Device Management. The OMA Client provisioning protocol isn't supported by this configuration service provider. ``` . DevInfo @@ -52,14 +52,14 @@ The **UseHWDevID** parm of the [DMAcc configuration service provider](dmacc-csp. **Man** Required. Returns the name of the OEM. For Windows 10 for desktop editions, it returns the SystemManufacturer as defined in HKEY\_LOCAL\_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemManufacturer. -If no name is found, this returns "Unknown". +If no name is found, the value returned is "Unknown". Supported operation is Get. **Mod** Required. Returns the name of the hardware device model as specified by the mobile operator. For Windows 10 for desktop editions, it returns the SystemProductName as defined in HKEY\_LOCAL\_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemProductName. -If no name is found, this returns "Unknown". +If no name is found, the value returned is "Unknown". Supported operation is Get. diff --git a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md index 5dc126771b..057030f5f3 100644 --- a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md +++ b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md @@ -19,7 +19,7 @@ To help diagnose enrollment or device management issues in Windows 10 devices m ## Download the MDM Diagnostic Information log from Windows 10 PCs -1. On your managed device go to **Settings** > **Accounts** > **Access work or school**. +1. On your managed device, go to **Settings** > **Accounts** > **Access work or school**. 1. Click your work or school account, then click **Info.** ![Access work or school page in Settings.](images/diagnose-mdm-failures15.png) @@ -88,7 +88,7 @@ You can open the log files (.evtx files) in the Event Viewer on a Windows 10 PC ## Collect logs remotely from Windows 10 PCs -When the PC is already enrolled in MDM, you can remotely collect logs from the PC through the MDM channel if your MDM server supports this. The [DiagnosticLog CSP](diagnosticlog-csp.md) can be used to enable an event viewer channel by full name. Here are the Event Viewer names for the Admin and Debug channels: +When the PC is already enrolled in MDM, you can remotely collect logs from the PC through the MDM channel if your MDM server supports this facility. The [DiagnosticLog CSP](diagnosticlog-csp.md) can be used to enable an event viewer channel by full name. Here are the Event Viewer names for the Admin and Debug channels: - Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%2FAdmin - Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%2FDebug @@ -234,7 +234,7 @@ After the logs are collected on the device, you can retrieve the files through t ## View logs -For best results, ensure that the PC or VM on which you are viewing logs matches the build of the OS from which the logs were collected. +For best results, ensure that the PC or VM on which you're viewing logs matches the build of the OS from which the logs were collected. 1. Open eventvwr.msc. 2. Right-click on **Event Viewer(Local)** and select **Open Saved Log**. @@ -256,7 +256,7 @@ For best results, ensure that the PC or VM on which you are viewing logs matches ![event filter for Device Management.](images/diagnose-mdm-failures13.png) -7. Now you are ready to start reviewing the logs. +7. Now you're ready to start reviewing the logs. ![event viewer review logs.](images/diagnose-mdm-failures14.png) diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md index fb9c555681..799eadcd6d 100644 --- a/windows/client-management/mdm/diagnosticlog-csp.md +++ b/windows/client-management/mdm/diagnosticlog-csp.md @@ -18,16 +18,16 @@ The DiagnosticLog configuration service provider (CSP) provides the following fe - [DiagnosticArchive area](#diagnosticarchive-area). Capture and upload event logs, log files, and registry values for troubleshooting. - [Policy area](#policy-area). Configure Windows event log policies, such as maximum log size. - [EtwLog area](#etwlog-area). Control ETW trace sessions. -- [DeviceStateData area](#devicestatedata-area). Provide additional device information. +- [DeviceStateData area](#devicestatedata-area). Provide more device information. - [FileDownload area](#filedownload-area). Pull trace and state data directly from the device. -The following are the links to different versions of the DiagnosticLog CSP DDF files: +The links to different versions of the DiagnosticLog CSP DDF files are: - [DiagnosticLog CSP version 1.4](diagnosticlog-ddf.md#version-1-4) - [DiagnosticLog CSP version 1.3](diagnosticlog-ddf.md#version-1-3) - [DiagnosticLog CSP version 1.2](diagnosticlog-ddf.md#version-1-2) -The following shows the DiagnosticLog CSP in tree format. +The following example shows the DiagnosticLog CSP in tree format. ``` ./Vendor/MSFT/DiagnosticLog @@ -90,7 +90,7 @@ The data type is string. Expected value: Set and Execute are functionality equivalent, and each accepts a `Collection` XML snippet (as a string) describing what data to gather and where to upload it. The results are zipped and uploaded to the specified SasUrl. The zipped filename format is "DiagLogs-{ComputerName}-YYYYMMDDTHHMMSSZ.zip". -The following is an example of a `Collection` XML. +An example of a `Collection` XML is: ``` xml @@ -113,7 +113,7 @@ The XML should include the following elements within the `Collection` element: The ID value uniquely identifies this data-gathering request. To avoid accidental repetition of data gathering, the CSP ignores subsequent Set or Execute invocations with the same ID value. The CSP expects the value to be populated when the request is received, so it must be generated by the IT admin or the management server. **SasUrl** -The SasUrl value is the target URI to which the CSP uploads the zip file containing the gathered data. It is the responsibility of the management server to provision storage in such a way that the storage server accepts the device's HTTP PUT to this URL. For example, the device management service could: +The SasUrl value is the target URI to which the CSP uploads the zip file containing the gathered data. It's the responsibility of the management server to provision storage in such a way that the storage server accepts the device's HTTP PUT to this URL. For example, the device management service could: - Provision cloud storage reachable by the target device, such as a Microsoft Azure blob storage container - Generate a Shared Access Signature URL granting the possessor (the target device) time-limited write access to the storage container - Pass this value to the CSP on the target device through the `Collection` XML as the `SasUrl` value. @@ -124,7 +124,7 @@ The SasUrl value is the target URI to which the CSP uploads the zip file contain - Exports all of the key names and values under a given path (recursive). - Expected input value: Registry path such as "HKLM\Software\Policies". - Output format: Creates a .reg file, similar to the output of reg.exe EXPORT command. - - Privacy guardrails: To enable diagnostic log capture while reducing the risk of an IT admin inadvertently capturing user-generated documents, registry paths are restricted to those under HKLM and HKCR. + - Privacy guardrails: To enable diagnostic log capture while reducing the risk of an IT admin inadvertently capturing user-generated documents, registry paths are restricted to those paths that're under HKLM and HKCR. - **Events** - Exports all events from the named Windows event log. @@ -132,9 +132,9 @@ The SasUrl value is the target URI to which the CSP uploads the zip file contain - Output format: Creates a .evtx file. - **Commands** - - This directive type allows the execution of specific commands such as ipconfig.exe. Note that DiagnosticArchive and the Commands directives are not a general-purpose scripting platform. These commands are allowed in the DiagnosticArchive context to handle cases where critical device information may not be available through existing log files. + - This directive type allows the execution of specific commands such as ipconfig.exe. Note that DiagnosticArchive and the Commands directives aren't a general-purpose scripting platform. These commands are allowed in the DiagnosticArchive context to handle cases where critical device information may not be available through existing log files. - Expected input value: The full command line including path and any arguments, such as `%windir%\\system32\\ipconfig.exe /all`. - - Output format: Console text output from the command is captured in a text file and included in the overall output archive. For commands which may generate file output rather than console output, a subsequent FolderFiles directive would be used to capture that output. The example XML above demonstrates this pattern with mdmdiagnosticstool.exe's -out parameter. + - Output format: Console text output from the command is captured in a text file and included in the overall output archive. For commands that may generate file output rather than console output, a subsequent FolderFiles directive would be used to capture that output. The example XML above demonstrates this pattern with mdmdiagnosticstool.exe's -out parameter. - Privacy guardrails: To enable diagnostic data capture while reducing the risk of an IT admin inadvertently capturing user-generated documents, only the following commands are allowed: - %windir%\\system32\\certutil.exe - %windir%\\system32\\dxdiag.exe @@ -229,11 +229,11 @@ A Get to the above URI will return the results of the data gathering for the las ``` -Each data gathering node is annotated with the HRESULT of the action and the collection is also annotated with an overall HRESULT. In this example, note that the mdmdiagnosticstool.exe command failed. +Each data gathering node is annotated with the HRESULT of the action and the collection is also annotated with an overall HRESULT. In this example, the mdmdiagnosticstool.exe command failed. ### Making use of the uploaded data -The zip archive which is created and uploaded by the CSP contains a folder structure like the following: +The zip archive that is created and uploaded by the CSP contains a folder structure like the following example: ```powershell PS C:\> dir C:\DiagArchiveExamples\DiagLogs-MYDEVICE-20201202T182748Z @@ -270,7 +270,7 @@ Administrators can apply automation to 'results.xml' to create their own preferr ```powershell Select-XML -Path results.xml -XPath '//RegistryKey | //Command | //Events | //FoldersFiles' | Foreach-Object -Begin {$i=1} -Process { [pscustomobject]@{DirectiveNumber=$i; DirectiveHRESULT=$_.Node.HRESULT; DirectiveInput=$_.Node.('#text')} ; $i++} ``` -This example produces output similar to the following: +This example produces output similar to the following output: ``` DirectiveNumber DirectiveHRESULT DirectiveInput --------------- ---------------- -------------- @@ -327,7 +327,7 @@ foreach( $element in $resultElements ) #endregion Remove-Item -Path $diagnosticArchiveTempUnzippedPath -Force -Recurse ``` -That example script produces a set of files similar to the following, which can be a useful view for an administrator interactively browsing the results without needing to navigate any sub-folders or refer to `results.xml` repeatedly: +That example script produces a set of files similar to the following set of files, which can be a useful view for an administrator interactively browsing the results without needing to navigate any subfolders or refer to `results.xml` repeatedly: ```powershell PS C:\> dir C:\DiagArchiveExamples\DiagLogs-MYDEVICE-20201202T182748Z.zip_formatted | format-table Length,Name @@ -363,7 +363,7 @@ Added in version 1.4 of the CSP in Windows 10, version 1903. Node that contains The supported operation is Get. **Policy/Channels/_ChannelName_** -Added in version 1.4 of the CSP in Windows 10, version 1903. Dynamic node to represent a registered channel. The node name must be a valid Windows event log channel name, such as ``Microsoft-Client-Licensing-Platform%2FAdmin``. When specifying the name in the LocURI, it must be URL encoded, otherwise it may unexpectedly translate into a different URI. +Added in version 1.4 of the CSP in Windows 10, version 1903. Dynamic node to represent a registered channel. The node name must be a valid Windows event log channel name, such as ``Microsoft-Client-Licensing-Platform%2FAdmin``. When the name is being specified in the LocURI, it must be URL encoded, otherwise it may unexpectedly translate into a different URI. Supported operations are Add, Delete, and Get. @@ -430,7 +430,7 @@ Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte and 2 terabytes in megabyte increments. -If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte. +If you disable or don't configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte. Supported operations are Add, Delete, Get, and Replace. @@ -627,11 +627,11 @@ Supported operations are Add, Delete, Get, and Replace. The data type is string. The following are the possible values: -- Truncate — When the log file reaches its maximum file size, new events are not written to the log and are lost. -- Overwrite — When the log file reaches its maximum file size, new events overwrite old events. -- Archive — When the log file reaches its maximum size, the log file is saved to the location specified by the "Archive Location" policy setting. If archive location value is not set, the new file is saved in the same directory as current log file. +- Truncate—When the log file reaches its maximum file size, new events aren't written to the log and are lost. +- Overwrite—When the log file reaches its maximum file size, new events overwrite old events. +- Archive—When the log file reaches its maximum size, the log file is saved to the location specified by the "Archive Location" policy setting. If archive location value isn't set, the new file is saved in the same directory as current log file. -If you disable or do not configure this policy setting, the locally configured value will be used as default. Every channel that is installed, whether inbox or by ISVs, is responsible for defining its own local configuration, and that configuration can be changed by any administrator. Values set via this policy override but do not replace local configuration. +If you disable or don't configure this policy setting, the locally configured value will be used as default. Every channel that is installed, whether inbox or by ISVs, is responsible for defining its own local configuration, and that configuration can be changed by any administrator. Values set via this policy override but don't replace local configuration. Add **ActionWhenFull** @@ -728,10 +728,10 @@ Supported operations are Add, Delete, Get, and Replace. The data type is boolean. The following are the possible values: -- TRUE — Enables the channel. -- FALSE — Disables the channel. +- TRUE—Enables the channel. +- FALSE—Disables the channel. -If you disable or do not configure this policy setting, the locally configured value is used as default. +If you disable or don't configure this policy setting, the locally configured value is used as default. Get **Enabled** ``` xml @@ -844,7 +844,7 @@ For each collector node, the user can: - Change trace log file mode - Change trace log file size limit -The configurations log file mode and log file size limit does not take effect while trace session is in progress. These are applied when user stops the current session and then starts it again for this collector. +The configurations log file mode and log file size limit don't take effect while trace session is in progress. These attributes are applied when user stops the current session and then starts it again for this collector. For each registered provider in this collector, the user can: @@ -859,7 +859,7 @@ The changes on **State**, **Keywords**, and **TraceLevel** takes effect immediat ### Channel-based tracing -The type of event tracing exports event data from a specific channel. This is only supported on the desktop. +The type of event tracing exports event data from a specific channel. This method is only supported on the desktop. Users can add or delete a channel node using the full name, such as Microsoft-Windows-AppModel-Runtime/Admin. @@ -990,7 +990,7 @@ The following table lists the possible values: The supported operation is Execute. -After you have added a logging task, you can start a trace by running an Execute command on this node with the value START. +After you've added a logging task, you can start a trace by running an Execute command on this node with the value START. To stop the trace, running an execute command on this node with the value STOP. @@ -1208,7 +1208,7 @@ The following table lists the possible values: | Value | Description | | ----- | ------------------ | -| TRUE | Provider is enabled in the trace session. This is the default. | +| TRUE | Provider is enabled in the trace session. This value is the default value. | | FALSE | Provider is disabled in the trace session. | Set provider **State** @@ -1395,7 +1395,7 @@ Set channel **State** ## DeviceStateData area -The DeviceStateData functionality within the DiagnosticLog CSP provides additional device information. +The DeviceStateData functionality within the DiagnosticLog CSP provides extra device information. The following section describes the nodes for the DeviceStateData functionality. @@ -1434,10 +1434,10 @@ The FileDownload feature of the DiagnosticLog CSP enables a management server to ### Comparing FileDownload and DiagnosticArchive -Both the FileDownload and DiagnosticArchive features can be used to get data from the device to the management server, but they are optimized for different workflows. +Both the FileDownload and DiagnosticArchive features can be used to get data from the device to the management server, but they're optimized for different workflows. -- FileDownload enables the management server to directly pull byte-level trace data from the managed device. The data transfer takes place through the existing OMA-DM/SyncML context. It is typically used together with the EtwLogs feature as part of an advanced monitoring or diagnostic flow. FileDownlod requires granular orchestration by the management server, but avoids the need for dedicated cloud storage. -- DiagnosticArchive allows the management server to give the CSP a full set of instructions as single command. Based on those instructions the CSP orchestrates the work client-side to package the requested diagnostic files into a zip archive and upload that archive to cloud storage. The data transfer happens outside of the OMA-DM session, via an HTTP PUT. +- FileDownload enables the management server to directly pull byte-level trace data from the managed device. The data transfer takes place through the existing OMA-DM/SyncML context. It's used together with the EtwLogs feature as part of an advanced monitoring or diagnostic flow. FileDownlod requires granular orchestration by the management server, but avoids the need for dedicated cloud storage. +- DiagnosticArchive allows the management server to give the CSP a full set of instructions as single command. Based on those instructions, the CSP orchestrates the work client-side to package the requested diagnostic files into a zip archive and upload that archive to cloud storage. The data transfer happens outside of the OMA-DM session, via an HTTP PUT. The following section describes the nodes for the FileDownload functionality. diff --git a/windows/client-management/mdm/dmacc-csp.md b/windows/client-management/mdm/dmacc-csp.md index 9b4f0785ff..4e55cd3c89 100644 --- a/windows/client-management/mdm/dmacc-csp.md +++ b/windows/client-management/mdm/dmacc-csp.md @@ -21,9 +21,9 @@ The DMAcc configuration service provider allows an OMA Device Management (DM) ve -For the DMAcc CSP, you cannot use the Replace command unless the node already exists. +For the DMAcc CSP, you can't use the Replace command unless the node already exists. -The following shows the DMAcc configuration service provider management object in tree format as used by OMA Device Management version 1.2. The OMA Client Provisioning protocol is not supported by this configuration service provider. +The following example shows the DMAcc configuration service provider management object in tree format as used by OMA Device Management version 1.2. The OMA Client Provisioning protocol isn't supported by this configuration service provider. ``` ./SyncML @@ -103,7 +103,7 @@ Required. **AppAddr/***ObjectName* Required. Defines the OMA DM server address. Only one server address can be configured. -When mapping the [w7 APPLICATION configuration service provider](w7-application-csp.md) to the DMAcc Configuration Service Provider, the name of this element is "1". This is the first DM address encountered in the w7 APPLICATION configuration service provider, other DM accounts are ignored. +When the [w7 APPLICATION configuration service provider](w7-application-csp.md) is being mapped to the DMAcc Configuration Service Provider, the name of this element is "1". This DM address is the first one encountered in the w7 APPLICATION configuration service provider; other DM accounts are ignored. ***ObjectName*/Addr** Required. Specifies the address of the OMA DM account. The type of address stored is specified by the AddrType element. @@ -125,10 +125,10 @@ Optional. **Port/***ObjectName* Required. Only one port number can be configured. -When mapping the [w7 APPLICATION configuration service provider](w7-application-csp.md) to the DMAcc Configuration Service Provider, the name of this element is "1". +When the [w7 APPLICATION configuration service provider](w7-application-csp.md) is being mapped to the DMAcc Configuration Service Provider, the name of this element is "1". ***ObjectName*/PortNbr** -Required. Specifies the port number of the OMA MD account address. This must be a decimal number that fits within the range of a 16-bit unsigned integer. +Required. Specifies the port number of the OMA MD account address. This number must be a decimal number that fits within the range of a 16-bit unsigned integer. Value type is string. Supported operations are Add, Get, and Replace. @@ -137,7 +137,7 @@ Optional. Specifies the application authentication preference. A value of "BASIC" specifies that the client attempts BASIC authentication. A value of "DIGEST' specifies that the client attempts MD5 authentication. -If this value is empty, the client attempts to use the authentication mechanism negotiated in the previous session if one exists. If the value is empty, no previous session exists, and MD5 credentials exist, clients try MD5 authorization first. If the criteria are not met then the client tries BASIC authorization first. +If this value is empty, the client attempts to use the authentication mechanism negotiated in the previous session if one exists. If the value is empty, no previous session exists, and MD5 credentials exist, clients try MD5 authorization first. If the criteria aren't met, then the client tries BASIC authorization first. Value type is string. Supported operations are Add, Get, and Replace. @@ -147,7 +147,7 @@ Optional. Defines authentication settings. **AppAuth/***ObjectName* Required. Defines one set of authentication settings. -When mapping the [w7 APPLICATION configuration service provider](w7-application-csp.md) to the DMAcc Configuration Service Provider, the name of this element is same name as the AAuthLevel value ("CLRED" or "SRVCRED"). +When the [w7 APPLICATION configuration service provider](w7-application-csp.md) is being mapped to the DMAcc Configuration Service Provider, the name of this element is same name as the AAuthLevel value ("CLRED" or "SRVCRED"). ***ObjectName*/AAuthlevel** Required. Specifies the application authentication level. @@ -176,7 +176,7 @@ Value type is string. Supported operations are Add and Replace. ***ObjectName*/AAuthData** Optional. Specifies the next nonce used for authentication. -"Nonce" refers to a number used once. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in repeat attacks. +"Nonce" refers to a number used once. It's often a random or pseudo-random number issued in an authentication protocol to ensure that old communications can't be reused in repeat attacks. Value type is binary. Supported operations are Add and Replace. @@ -226,16 +226,16 @@ The default value is 86400000. Value type is integer. Supported operations are Add, Get, and Replace. **Microsoft/ProtoVer** -Optional. Specifies the OMA DM Protocol version that the server supports. There is no default value. +Optional. Specifies the OMA DM Protocol version that the server supports. There's no default value. -Valid values are "1.1" and "1.2". The protocol version set by this element will match the protocol version that the DM client reports to the server in SyncHdr in package 1. If this element is not specified when adding a DM server account, the latest DM protocol version that the client supports is used. Windows 10 clients support version 1.2. +Valid values are "1.1" and "1.2". The protocol version set by this element will match the protocol version that the DM client reports to the server in SyncHdr in package 1. If this element isn't specified when adding a DM server account, the latest DM protocol version that the client supports is used. Windows 10 clients support version 1.2. Value type is string. Supported operations are Add, Get, and Replace. **Microsoft/Role** Required. Specifies the role mask that the OMA DM session runs with when it communicates with the server. -If this parameter is not present, the DM session is given the role mask of the OMA DM session that the server created. The following list shows the valid security role masks and their values. +If this parameter isn't present, the DM session is given the role mask of the OMA DM session that the server created. The following list shows the valid security role masks and their values. - 4 = SECROLE\_OPERATOR @@ -245,7 +245,7 @@ If this parameter is not present, the DM session is given the role mask of the O - 128 = SECROLE\_OPERATOR\_TPS -The acceptable access roles for this node cannot be more than the roles assigned to the DMAcc object. +The acceptable access roles for this node can't be more than the roles assigned to the DMAcc object. Value type is integer. Supported operations are Get and Replace. @@ -267,9 +267,9 @@ Value type is bool. Supported operations are Add, Get, and Replace. **Microsoft/UseNonceResync** Optional. Specifies whether the OMA DM client should use the nonce resynchronization procedure if the server trigger notification fails authentication. The default is "FALSE". -If the authentication fails because the server nonce does not match the server nonce that is stored on the device, then the device can use the backup nonce as the server nonce. For this procedure to be successful, if the device did not authenticate with the preconfigured nonce value, the server must then use the backup nonce when sending the signed server notification message. +If the authentication fails because the server nonce doesn't match the server nonce that is stored on the device, then the device can use the backup nonce as the server nonce. For this procedure to be successful, if the device didn't authenticate with the preconfigured nonce value, the server must then use the backup nonce when sending the signed server notification message. -The default value of "FALSE" specifies that the client does not try to authenticate the notification with the backup server nonce if authentication to the stored nonce fails. A value of "TRUE" specifies that the client initiates a DM session if the backup server nonce is received after authentication failed. +The default value of "FALSE" specifies that the client doesn't try to authenticate the notification with the backup server nonce if authentication to the stored nonce fails. A value of "TRUE" specifies that the client initiates a DM session if the backup server nonce is received after authentication failed. Value type is bool. Supported operations are Add, Get, and Replace. @@ -284,19 +284,19 @@ Optional. Determines whether the OMA DM client should be launched when roaming. Value type is bool. Supported operations are Add, Get, and Replace. **SSLCLIENTCERTSEARCHCRITERIA** -Optional. The SSLCLIENTCERTSEARCHCRITERIA parameter is used to specify the client certificate search criteria. This parameter supports search by subject attribute and certificate stores. If any other criteria are provided, it is ignored. +Optional. The SSLCLIENTCERTSEARCHCRITERIA parameter is used to specify the client certificate search criteria. This parameter supports search by subject attribute and certificate stores. If any other criteria are provided, it's ignored. The string is a concatenation of name/value pairs, each member of the pair delimited by the "&" character. The name and values are delimited by the "=" character. If there are multiple values, each value is delimited by the Unicode character "U+F000". If the name or value contains characters not in the UNRESERVED set (as specified in RFC2396), then those characters are URI-escaped per the RFC. -The supported names are Subject and Stores; wildcard certificate search is not supported. +The supported names are Subject and Stores; wildcard certificate search isn't supported. -Stores specifies which certificate stores the DM client will search to find the SSL client certificate. The valid store value is My%5CUser. The store name is not case sensitive. +Stores specifies which certificate stores the DM client will search to find the SSL client certificate. The valid store value is My%5CUser. The store name isn't case sensitive. > **Note**   %EF%80%80 is the UTF8-encoded character U+F000. -Subject specifies the certificate to search for. For example, to specify that you want a certificate with a particular Subject attribute (“CN=Tester,O=Microsoft”), use the following: +Subject specifies the certificate to search for. For example, to specify that you want a certificate with a particular Subject attribute (“CN=Tester,O=Microsoft”), use the following schema: ```xml Value type is string. Supported operation is Get.

                              **PowerSettings** -

                              Node for power-related configrations

                              +

                              Node for power-related configurations

                              **PowerSettings/MaxSkippedSessionsInLowPowerState**

                              Maximum number of continuous skipped sync sessions when the device is in low-power state.

                              diff --git a/windows/client-management/mdm/dynamicmanagement-csp.md b/windows/client-management/mdm/dynamicmanagement-csp.md index 37a56ed643..355e5d1e79 100644 --- a/windows/client-management/mdm/dynamicmanagement-csp.md +++ b/windows/client-management/mdm/dynamicmanagement-csp.md @@ -14,11 +14,11 @@ ms.collection: highpri # DynamicManagement CSP -Windows 10 allows you to manage devices differently depending on location, network, or time.  In Windows 10, version 1703 the focus is on the most common areas of concern expressed by organizations. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device is not within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs. +Windows 10 allows you to manage devices differently depending on location, network, or time.  In Windows 10, version 1703 the focus is on the most common areas of concern expressed by organizations. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device isn't within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs. This CSP was added in Windows 10, version 1703. -The following shows the DynamicManagement configuration service provider in tree format. +The following example shows the DynamicManagement configuration service provider in tree format. ``` ./Device/Vendor/MSFT DynamicManagement @@ -85,7 +85,7 @@ DynamicManagement

                              Value type is integer. Supported operation is Get.

                              **Altitude** -

                              A value that determines how to handle conflict resolution of applying multiple contexts on the device. This is required and must be distinct of other priorities.

                              +

                              A value that determines how to handle conflict resolution of applying multiple contexts on the device. This value is required and must be distinct of other priorities.

                              Value type is integer. Supported operations are Add, Get, Delete, and Replace.

                              **AlertsEnabled** diff --git a/windows/client-management/mdm/eap-configuration.md b/windows/client-management/mdm/eap-configuration.md index 37f0269edb..9f9d1ab88c 100644 --- a/windows/client-management/mdm/eap-configuration.md +++ b/windows/client-management/mdm/eap-configuration.md @@ -34,7 +34,7 @@ To get the EAP configuration from your desktop using the rasphone tool that is s ![vpnv2 csp set up connection.](images/vpnv2-csp-setupnewconnection.png) -1. Enter an Internet address and connection name. These can be fake since it does not impact the authentication parameters. +1. Enter an Internet address and connection name. These details can be fake since it doesn't impact the authentication parameters. ![vpnv2 csp set up connection 2.](images/vpnv2-csp-setupnewconnection2.png) @@ -60,7 +60,7 @@ To get the EAP configuration from your desktop using the rasphone tool that is s Get-VpnConnection -Name Test ``` - Here is an example output. + Here's an example output. ``` syntax Name : Test @@ -88,7 +88,7 @@ To get the EAP configuration from your desktop using the rasphone tool that is s $a.EapConfigXmlStream.InnerXml ``` - Here is an example output. + Here's an example output. ```xml listed. The *text id* and *enum id* represents the *data id* you need to include in the SyncML data payload. They correspond to the fields you see in the Group Policy Editor. + 5. Under **policy name="Publishing_Server2_Policy"** you can see the \ listed. The *text id* and *enum id* represent the *data id* you need to include in the SyncML data payload. They correspond to the fields you see in the Group Policy Editor. - Here is the snippet from appv.admx: + Here's the snippet from appv.admx: ```xml @@ -208,7 +208,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/ 6. From the **\** tag, copy all of the *text id* and *enum id* and create an XML with *data id* and *value* fields. The *value* field contains the configuration settings that you would enter in the Group Policy Editor. - Here is the example XML for Publishing_Server2_Policy: + Here's the example XML for Publishing_Server2_Policy: ```xml @@ -225,7 +225,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/ 7. Create the SyncML to enable the policy. Payload contains \ and name/value pairs. - Here is the example for **AppVirtualization/PublishingAllowServer2**: + Here's the example for **AppVirtualization/PublishingAllowServer2**: > [!NOTE] > The \ payload must be XML encoded. To avoid encoding, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). If you are using Intune, select String as the data type. diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 1bb3dbc3a7..137eee65ff 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -20,17 +20,17 @@ ms.collection: highpri Starting in Windows 10, version 1709, you can use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain-joined devices. -The enrollment into Intune is triggered by a group policy created on your local AD and happens without any user interaction. This means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Azure AD account. +The enrollment into Intune is triggered by a group policy created on your local AD and happens without any user interaction. This cause-and-effect mechanism means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Azure AD account. Requirements: - Active Directory-joined PC running Windows 10, version 1709 or later - The enterprise has configured a mobile device management (MDM) service - The on-premises Active Directory must be [integrated with Azure AD (via Azure AD Connect)](/azure/architecture/reference-architectures/identity/azure-ad) -- The device should not already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`) -- The minimum Windows Server version requirement is based on the Hybrid Azure AD join requirement. See [How to plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan) for more information. +- The device shouldn't already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`) +- The minimum Windows Server version requirement is based on the Hybrid Azure AD join requirement. For more information, see [How to plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan). > [!TIP] -> For additional information, see the following topics: +> For more information, see the following topics: > - [How to configure automatic registration of Windows domain-joined devices with Azure Active Directory](/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup) > - [How to plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan) > - [Azure Active Directory integration with MDM](./azure-active-directory-integration-with-mdm.md) @@ -42,7 +42,7 @@ The auto-enrollment relies on the presence of an MDM service and the Azure Activ When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page. -In Windows 10, version 1709 or later, when the same policy is configured in GP and MDM, the GP policy wins (GP policy takes precedence over MDM). Since Windows 10, version 1803, a new setting allows you to change the policy conflict winner to MDM. For additional information, see [Windows 10 Group Policy vs. Intune MDM Policy who wins?](/archive/blogs/cbernier/windows-10-group-policy-vs-intune-mdm-policy-who-wins) +In Windows 10, version 1709 or later, when the same policy is configured in GP and MDM, the GP policy wins (GP policy takes precedence over MDM). Since Windows 10, version 1803, a new setting allows you to change the policy conflict winner to MDM. For more information, see [Windows 10 Group Policy vs. Intune MDM Policy who wins?](/archive/blogs/cbernier/windows-10-group-policy-vs-intune-mdm-policy-who-wins) For this policy to work, you must verify that the MDM service provider allows the GP triggered MDM enrollment for domain joined devices. @@ -54,7 +54,7 @@ The following steps demonstrate required settings using the Intune service: :::image type="content" alt-text="Intune license verification." source="images/auto-enrollment-intune-license-verification.png" lightbox="images/auto-enrollment-intune-license-verification.png"::: -2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Mobile Device Management (MDM). For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). +2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Mobile Device Management (MDM). For more information, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). ![Auto-enrollment activation verification.](images/auto-enrollment-activation-verification.png) @@ -64,7 +64,7 @@ The following steps demonstrate required settings using the Intune service: > For corporate devices, the MDM user scope takes precedence if both scopes are enabled. The devices get MDM enrolled. 3. Verify that the device OS version is Windows 10, version 1709 or later. -4. Auto-enrollment into Intune via Group Policy is valid only for devices which are hybrid Azure AD joined. This means that the device must be joined into both local Active Directory and Azure Active Directory. To verify that the device is hybrid Azure AD joined, run `dsregcmd /status` from the command line. +4. Auto-enrollment into Intune via Group Policy is valid only for devices that are hybrid Azure AD joined. This condition means that the device must be joined into both local Active Directory and Azure Active Directory. To verify that the device is hybrid Azure AD joined, run `dsregcmd /status` from the command line. You can confirm that the device is properly hybrid-joined if both **AzureAdJoined** and **DomainJoined** are set to **YES**. @@ -86,10 +86,10 @@ The following steps demonstrate required settings using the Intune service: :::image type="content" alt-text="Mobility setting MDM intune." source="images/auto-enrollment-microsoft-intune-setting.png" lightbox="images/auto-enrollment-microsoft-intune-setting.png"::: -7. Verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices which should be enrolled into Intune. +7. Verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices that should be enrolled into Intune. You may contact your domain administrators to verify if the group policy has been deployed successfully. -8. Verify that the device is not enrolled with the old Intune client used on the Intune Silverlight Portal (this is the Intune portal used before the Azure portal). +8. Verify that the device isn't enrolled with the old Intune client used on the Intune Silverlight Portal (the Intune portal used before the Azure portal). 9. Verify that Microsoft Intune should allow enrollment of Windows devices. @@ -97,7 +97,7 @@ You may contact your domain administrators to verify if the group policy has bee ## Configure the auto-enrollment Group Policy for a single PC -This procedure is only for illustration purposes to show how the new auto-enrollment policy works. It is not recommended for the production environment in the enterprise. For bulk deployment, you should use the [Group Policy Management Console process](#configure-the-auto-enrollment-for-a-group-of-devices). +This procedure is only for illustration purposes to show how the new auto-enrollment policy works. It's not recommended for the production environment in the enterprise. For bulk deployment, you should use the [Group Policy Management Console process](#configure-the-auto-enrollment-for-a-group-of-devices). Requirements: - AD-joined PC running Windows 10, version 1709 or later @@ -132,7 +132,7 @@ Requirements: To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app). - If two-factor authentication is required, you will be prompted to complete the process. Here is an example screenshot. + If two-factor authentication is required, you'll be prompted to complete the process. Here's an example screenshot. ![Two-factor authentication notification.](images/autoenrollment-2-factor-auth.png) @@ -140,13 +140,13 @@ Requirements: > You can avoid this behavior by using Conditional Access Policies in Azure AD. Learn more by reading [What is Conditional Access?](/azure/active-directory/conditional-access/overview). -6. To verify successful enrollment to MDM , click **Start > Settings > Accounts > Access work or school**, then select your domain account. +6. To verify successful enrollment to MDM, click **Start > Settings > Accounts > Access work or school**, then select your domain account. 7. Click **Info** to see the MDM enrollment information. ![Work School Settings.](images/autoenrollment-settings-work-school.png) - If you do not see the **Info** button or the enrollment information, it is possible that the enrollment failed. Check the status in [Task Scheduler app](#task-scheduler-app). + If you don't see the **Info** button or the enrollment information, it's possible that the enrollment failed. Check the status in [Task Scheduler app](#task-scheduler-app). ### Task Scheduler app @@ -161,12 +161,12 @@ Requirements: :::image type="content" alt-text="Auto-enrollment scheduled task." source="images/autoenrollment-scheduled-task.png" lightbox="images/autoenrollment-scheduled-task.png"::: - To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. Note that **0x80180026** is a failure message (MENROLL\_E_DEVICE\_MANAGEMENT_BLOCKED). You can see the logs in the **History** tab. + To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. The message **0x80180026** is a failure message (MENROLL\_E_DEVICE\_MANAGEMENT_BLOCKED). You can see the logs in the **History** tab. If the device enrollment is blocked, your IT admin may have enabled the **Disable MDM Enrollment** policy. > [!NOTE] - > The GPEdit console does not reflect the status of policies set by your IT admin on your device. It is only used by the user to set policies. + > The GPEdit console does not reflect the status of policies set by your IT admin on your device. It's only used by the user to set policies. ## Configure the auto-enrollment for a group of devices @@ -177,7 +177,7 @@ Requirements: - Ensure that PCs belong to same computer group. > [!IMPORTANT] -> If you do not see the policy, it may be because you don't have the ADMX for Windows 10, version 1803, version 1809, or version 1903 installed. To fix the issue, use the following procedures. Note that the latest MDM.admx is backwards compatible. +> If you don't see the policy, it may be because you don't have the ADMX for Windows 10, version 1803, version 1809, or version 1903 installed. To fix the issue, use the following procedures. Note that the latest MDM.admx is backwards compatible. 1. Download: @@ -222,7 +222,7 @@ Requirements: 5. Copy PolicyDefinitions folder to **\\SYSVOL\contoso.com\policies\PolicyDefinitions**. - If this folder does not exist, then be aware that you will be switching to a [central policy store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for your entire domain. + If this folder doesn't exist, then you'll be switching to a [central policy store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for your entire domain. 6. Wait for the SYSVOL DFSR replication to be completed for the policy to be available. @@ -247,19 +247,19 @@ To collect Event Viewer logs: > [!Tip] > For guidance on how to collect event logs for Intune, see [Collect MDM Event Viewer Log YouTube video](https://www.youtube.com/watch?v=U_oCe2RmQEc). -3. Search for event ID 75, which represents a successful auto-enrollment. Here is an example screenshot that shows the auto-enrollment completed successfully: +3. Search for event ID 75, which represents a successful auto-enrollment. Here's an example screenshot that shows the auto-enrollment completed successfully: :::image type="content" alt-text="Event ID 75." source="images/auto-enrollment-troubleshooting-event-id-75.png" lightbox="images/auto-enrollment-troubleshooting-event-id-75.png"::: - If you cannot find event ID 75 in the logs, it indicates that the auto-enrollment failed. This can happen because of the following reasons: + If you can't find event ID 75 in the logs, it indicates that the auto-enrollment failed. This failure can happen because of the following reasons: - - The enrollment failed with error. In this case, search for event ID 76, which represents failed auto-enrollment. Here is an example screenshot that shows that the auto-enrollment failed: + - The enrollment failed with error. In this case, search for event ID 76, which represents failed auto-enrollment. Here's an example screenshot that shows that the auto-enrollment failed: :::image type="content" alt-text="Event ID 76." source="images/auto-enrollment-troubleshooting-event-id-76.png" lightbox="images/auto-enrollment-troubleshooting-event-id-76.png"::: - To troubleshoot, check the error code that appears in the event. See [Troubleshooting Windows device enrollment problems in Microsoft Intune](/troubleshoot/mem/intune/troubleshoot-windows-enrollment-errors) for more information. + To troubleshoot, check the error code that appears in the event. For more information, see [Troubleshooting Windows device enrollment problems in Microsoft Intune](/troubleshoot/mem/intune/troubleshoot-windows-enrollment-errors). - - The auto-enrollment did not trigger at all. In this case, you will not find either event ID 75 or event ID 76. To know the reason, you must understand the internal mechanisms happening on the device as described in the following section. + - The auto-enrollment didn't trigger at all. In this case, you'll not find either event ID 75 or event ID 76. To know the reason, you must understand the internal mechanisms happening on the device as described in the following section. The auto-enrollment process is triggered by a task (**Microsoft > Windows > EnterpriseMgmt**) within the task-scheduler. This task appears if the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (**Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is successfully deployed to the target machine as shown in the following screenshot: @@ -278,16 +278,16 @@ To collect Event Viewer logs: :::image type="content" alt-text="Event ID 102." source="images/auto-enrollment-event-id-102.png" lightbox="images/auto-enrollment-event-id-102.png"::: - Note that the task scheduler log displays event ID 102 (task completed) regardless of the auto-enrollment success or failure. This means that the task scheduler log is only useful to confirm if the auto-enrollment task is triggered or not. It does not indicate the success or failure of auto-enrollment. + The task scheduler log displays event ID 102 (task completed) regardless of the auto-enrollment success or failure. This status-display means that the task scheduler log is only useful to confirm if the auto-enrollment task is triggered or not. It doesn't indicate the success or failure of auto-enrollment. - If you cannot see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from AAD is initiated, there is possibly issue with the group policy. Immediately run the command `gpupdate /force` in command prompt to get the GPO applied. If this still does not help, further troubleshooting on the Active Directory is required. + If you can't see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from AAD is initiated, there's possibly issue with the group policy. Immediately run the command `gpupdate /force` in command prompt to get the GPO applied. If this step still doesn't help, further troubleshooting on the Active Directory is required. One frequently seen error is related to some outdated enrollment entries in the registry on the target client device (**HKLM > Software > Microsoft > Enrollments**). If a device has been enrolled (can be any MDM solution and not only Intune), some enrollment information added into the registry is seen: :::image type="content" alt-text="Outdated enrollment entries." source="images/auto-enrollment-outdated-enrollment-entries.png" lightbox="images/auto-enrollment-outdated-enrollment-entries.png"::: By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational** event log file under event ID 7016. - A resolution to this issue is to remove the registry key manually. If you do not know which registry key to remove, go for the key which displays most entries as the screenshot above. All other keys will display fewer entries as shown in the following screenshot: + A resolution to this issue is to remove the registry key manually. If you don't know which registry key to remove, go for the key that displays most entries as the screenshot above. All other keys will display fewer entries as shown in the following screenshot: :::image type="content" alt-text="Manually deleted entries." source="images/auto-enrollment-activation-verification-less-entries.png" lightbox="images/auto-enrollment-activation-verification-less-entries.png"::: From 2e5c98fc286e8f852455920f05df343e4d1cb350 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 25 Feb 2022 13:25:47 +0530 Subject: [PATCH 46/68] Acrolinx --- .../mdm/enterpriseapn-csp.md | 10 +-- .../mdm/enterpriseappmanagement-csp.md | 18 ++--- .../mdm/enterprisedataprotection-csp.md | 22 +++--- .../mdm/enterprisedesktopappmanagement-csp.md | 32 ++++----- .../mdm/enterprisemodernappmanagement-csp.md | 70 +++++++++---------- 5 files changed, 76 insertions(+), 76 deletions(-) diff --git a/windows/client-management/mdm/enterpriseapn-csp.md b/windows/client-management/mdm/enterpriseapn-csp.md index 2b50af966e..8893e068c9 100644 --- a/windows/client-management/mdm/enterpriseapn-csp.md +++ b/windows/client-management/mdm/enterpriseapn-csp.md @@ -19,7 +19,7 @@ The EnterpriseAPN configuration service provider (CSP) is used by the enterprise > [!Note] > Starting in Windows 10, version 1703 the EnterpriseAPN CSP is supported in Windows 10 Home, Pro, Enterprise, and Education editions. -The following shows the EnterpriseAPN configuration service provider in tree format. +The following example shows the EnterpriseAPN configuration service provider in tree format. ``` ./Vendor/MSFT EnterpriseAPN @@ -52,7 +52,7 @@ EnterpriseAPN

                              Supported operations are Add, Get, Delete, and Replace.

                              **EnterpriseAPN/*ConnectionName*/IPType** -

                              This value can be one of the following:

                              +

                              This value can be one of the following values:

                              - IPv4 - only IPV4 connection type - IPv6 - only IPv6 connection type @@ -67,12 +67,12 @@ EnterpriseAPN

                              Supported operations are Add, Get, Delete, and Replace.

                              **EnterpriseAPN/*ConnectionName*/ClassId** -

                              GUID that defines the APN class to the modem. This is the same as the OEMConnectionId in CM_CellularEntries CSP. Normally this setting is not present. It is only required when IsAttachAPN is true and the attach APN is not only used as the Internet APN.

                              +

                              GUID that defines the APN class to the modem. This GUID is the same as the OEMConnectionId in CM_CellularEntries CSP. Normally this setting isn't present. It's only required when IsAttachAPN is true and the attach APN isn't only used as the Internet APN.

                              Supported operations are Add, Get, Delete, and Replace.

                              **EnterpriseAPN/*ConnectionName*/AuthType** -

                              Authentication type. This value can be one of the following:

                              +

                              Authentication type. This value can be one of the following values:

                              - None (default) - Auto @@ -93,7 +93,7 @@ EnterpriseAPN

                              Supported operations are Add, Get, Delete, and Replace.

                              **EnterpriseAPN/*ConnectionName*/IccId** -

                              Integrated Circuit Card ID (ICCID) associated with the cellular connection profile. If this node is not present, the connection is created on a single-slot device using the ICCID of the UICC and on a dual-slot device using the ICCID of the UICC that is active for data.

                              +

                              Integrated Circuit Card ID (ICCID) associated with the cellular connection profile. If this node isn't present, the connection is created on a single-slot device using the ICCID of the UICC and on a dual-slot device using the ICCID of the UICC that is active for data.

                              Supported operations are Add, Get, Delete, and Replace.

                              diff --git a/windows/client-management/mdm/enterpriseappmanagement-csp.md b/windows/client-management/mdm/enterpriseappmanagement-csp.md index 4192b8bdcc..b59fc137e1 100644 --- a/windows/client-management/mdm/enterpriseappmanagement-csp.md +++ b/windows/client-management/mdm/enterpriseappmanagement-csp.md @@ -21,7 +21,7 @@ The EnterpriseAppManagement enterprise configuration service provider is used to > The EnterpriseAppManagement CSP is only supported in Windows 10 IoT Core. -The following shows the EnterpriseAppManagement configuration service provider in tree format. +The following example shows the EnterpriseAppManagement configuration service provider in tree format. ```console ./Vendor/MSFT @@ -52,7 +52,7 @@ EnterpriseAppManagement ``` ***EnterpriseID*** -Optional. A dynamic node that represents the EnterpriseID as a GUID. It is used to enroll or unenroll enterprise applications. +Optional. A dynamic node that represents the EnterpriseID as a GUID. It's used to enroll or unenroll enterprise applications. Supported operations are Add, Delete, and Get. @@ -190,11 +190,11 @@ Supported operation is Exec. ### Install and Update Line of Business (LOB) applications -A workplace can automatically install and update Line of Business applications during a management session. Line of Business applications support a variety of file types including XAP (8.0 and 8.1), AppX, and AppXBundles. A workplace can also update applications from XAP file formats to Appx and AppxBundle formats through the same channel. For more information, see the Examples section. +A workplace can automatically install and update Line of Business applications during a management session. Line of Business applications support various file types including XAP (8.0 and 8.1), AppX, and AppXBundles. A workplace can also update applications from XAP file formats to Appx and AppxBundle formats through the same channel. For more information, see the Examples section. ### Uninstall Line of Business (LOB) applications -A workplace can also remotely uninstall Line of Business applications on the device. It is not possible to use this mechanism to uninstall Store applications on the device or Line of Business applications that are not installed by the enrolled workplace (for side-loaded application scenarios). For more information, see the Examples section +A workplace can also remotely uninstall Line of Business applications on the device. It's not possible to use this mechanism to uninstall Store applications on the device or Line of Business applications that aren't installed by the enrolled workplace (for side-loaded application scenarios). For more information, see the Examples section. ### Query installed Store application @@ -242,7 +242,7 @@ All node values under the ProviderID interior node represent the policy values t - An Add or Replace command on those nodes returns success in both of the following cases: - - The value is actually applied to the device. + - The value is applied to the device. - The value isn’t applied to the device because the device has a more secure value set already. @@ -252,9 +252,9 @@ From a security perspective, the device complies with the policy request that is - If a Replace command fails, the node value is set to be the previous value before Replace command was applied. -- If an Add command fails, the node is not created. +- If an Add command fails, the node isn't created. -The value actually applied to the device can be queried via the nodes under the DeviceValue interior node. +The value applied to the device can be queried via the nodes under the DeviceValue interior node. ## OMA DM examples @@ -303,7 +303,7 @@ Update the enrollment token (for example, to update an expired application enrol ``` -Query all installed applications that belong to enterprise id “4000000001”: +Query all installed applications that belong to enterprise ID “4000000001”: ```xml @@ -430,7 +430,7 @@ Response from the device (that contains two installed applications): Install or update the installed app with the product ID “{B316008A-141D-4A79-810F-8B764C4CFDFB}”. -To perform an XAP update, create the Name, URL, Version, and DownloadInstall nodes first, then perform an “execute” on the “DownloadInstall” node (all within an “Atomic” operation). If the application does not exist, the application will be silently installed without any user interaction. If the application cannot be installed, the user will be notified with an Alert dialog. +To perform an XAP update, create the Name, URL, Version, and DownloadInstall nodes first, then perform an “execute” on the “DownloadInstall” node (all within an “Atomic” operation). If the application doesn't exist, the application will be silently installed without any user interaction. If the application can't be installed, the user will be notified with an Alert dialog. > [!NOTE] > - If a previous app-update node existed for this product ID (the node can persist for up to 1 week or 7 days after an installation has completed), then a 418 (already exist) error would be returned on the “Add”. To get around the 418 error, the server should issue a Replace command for the Name, URL, and Version nodes, and then execute on the “DownloadInstall” (within an “Atomic” operation). diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md index e406d98d74..d8ec6f71d5 100644 --- a/windows/client-management/mdm/enterprisedataprotection-csp.md +++ b/windows/client-management/mdm/enterprisedataprotection-csp.md @@ -29,7 +29,7 @@ To learn more about WIP, see the following articles: - [Create a Windows Information Protection (WIP) policy](/windows/security/information-protection/windows-information-protection/overview-create-wip-policy) - [General guidance and best practices for Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip) -The following shows the EnterpriseDataProtection CSP in tree format. +The following example shows the EnterpriseDataProtection CSP in tree format. ```console ./Device/Vendor/MSFT @@ -53,7 +53,7 @@ The root node for the CSP. The root node for the Windows Information Protection (WIP) configuration settings. **Settings/EDPEnforcementLevel** -Set the WIP enforcement level. Note that setting this value is not sufficient to enable WIP on the device. Attempts to change this value will fail when the WIP cleanup is running. +Set the WIP enforcement level. Setting this value isn't sufficient to enable WIP on the device. Attempts to change this value will fail when the WIP cleanup is running. The following list shows the supported values: @@ -67,7 +67,7 @@ Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/EnterpriseProtectedDomainNames** A list of domains used by the enterprise for its user identities separated by pipes ("|").The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for WIP. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running. -Changing the primary enterprise ID is not supported and may cause unexpected behavior on the client. +Changing the primary enterprise ID isn't supported and may cause unexpected behavior on the client. > [!Note] > The client requires domain name to be canonical, otherwise the setting will be rejected by the client. @@ -82,7 +82,7 @@ Here are the steps to create canonical domain names: Supported operations are Add, Get, Replace, and Delete. Value type is string. **Settings/AllowUserDecryption** -Allows the user to decrypt files. If this is set to 0 (Not Allowed), then the user will not be able to remove protection from enterprise content through the operating system or the application user experiences. +Allows the user to decrypt files. If this is set to 0 (Not Allowed), then the user won't be able to remove protection from enterprise content through the operating system or the application user experiences. > [!IMPORTANT] > Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported. @@ -97,7 +97,7 @@ Most restricted value is 0. Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/DataRecoveryCertificate** -Specifies a recovery certificate that can be used for data recovery of encrypted files. This is the same as the data recovery agent (DRA) certificate for encrypting file system (EFS), only delivered through mobile device management (MDM) instead of Group Policy. +Specifies a recovery certificate that can be used for data recovery of encrypted files. This certificate is the same as the data recovery agent (DRA) certificate for encrypting file system (EFS), only delivered through mobile device management (MDM) instead of Group Policy. > [!Note] > If this policy and the corresponding Group Policy setting are both configured, the Group Policy setting is enforced. @@ -226,12 +226,12 @@ typedef enum _PUBLIC_KEY_SOURCE_TAG { } PUBLIC_KEY_SOURCE_TAG, *PPUBLIC_KEY_SOURCE_TAG; ``` -For EFSCertificate KeyTag, it is expected to be a DER ENCODED binary certificate. +For EFSCertificate KeyTag, it's expected to be a DER ENCODED binary certificate. Supported operations are Add, Get, Replace, and Delete. Value type is base-64 encoded certificate. **Settings/RevokeOnUnenroll** -This policy controls whether to revoke the WIP keys when a device unenrolls from the management service. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after unenrollment. If the keys are not revoked, there will be no revoked file cleanup subsequently. Prior to sending the unenroll command, when you want a device to do a selective wipe when it is unenrolled, then you should explicitly set this policy to 1. +This policy controls whether to revoke the WIP keys when a device unenrolls from the management service. If set to 0 (Don't revoke keys), the keys won't be revoked and the user will continue to have access to protected files after unenrollment. If the keys aren't revoked, there will be no revoked file cleanup, later. Prior to sending the unenroll command, when you want a device to do a selective wipe when it's unenrolled, then you should explicitly set this policy to 1. The following list shows the supported values: @@ -241,7 +241,7 @@ The following list shows the supported values: Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/RevokeOnMDMHandoff** -Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from mobile application management (MAM) to MDM. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after upgrade. This is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service. +Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from mobile application management (MAM) to MDM. If set to 0 (Don't revoke keys), the keys won't be revoked and the user will continue to have access to protected files after upgrade. This setting is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service. - 0 - Don't revoke keys - 1 (default) - Revoke keys @@ -262,8 +262,8 @@ Specifies whether to allow Azure RMS encryption for WIP. Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/SMBAutoEncryptedFileExtensions** -Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from an Server Message Block (SMB) share within the corporate boundary as defined in the Policy CSP nodes for NetworkIsolation/EnterpriseIPRange and NetworkIsolation/EnterpriseNetworkDomainNames. Use semicolon (;) delimiter in the list. -When this policy is not specified, the existing auto-encryption behavior is applied. When this policy is configured, only files with the extensions in the list will be encrypted. +Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from a Server Message Block (SMB) share within the corporate boundary as defined in the Policy CSP nodes for NetworkIsolation/EnterpriseIPRange and NetworkIsolation/EnterpriseNetworkDomainNames. Use semicolon (;) delimiter in the list. +When this policy isn't specified, the existing auto-encryption behavior is applied. When this policy is configured, only files with the extensions in the list will be encrypted. Supported operations are Add, Get, Replace and Delete. Value type is string. **Settings/EDPShowIcons** @@ -290,7 +290,7 @@ Bit 0 indicates whether WIP is on or off. Bit 1 indicates whether AppLocker WIP policies are set. -Bit 3 indicates whether the mandatory WIP policies are configured. If one or more of the mandatory WIP policies are not configured, the bit 3 is set to 0 (zero). +Bit 3 indicates whether the mandatory WIP policies are configured. If one or more of the mandatory WIP policies aren't configured, the bit 3 is set to 0 (zero). Here's the list of mandatory WIP policies: diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md index 9be9cb8c8d..ee200b54ed 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md @@ -17,9 +17,9 @@ ms.date: 07/11/2017 The EnterpriseDesktopAppManagement configuration service provider is used to handle enterprise desktop application management tasks, such as querying installed enterprise applications, installing applications, or removing applications. -Application installations can take some time to complete, hence they are done asynchronously. When the Exec command is completed, the client can send a generic alert to the management server with a status, whether it's a failure or success. For a SyncML example, see [Alert example](#alert-example). +Application installations can take some time to complete, hence they're done asynchronously. When the Exec command is completed, the client can send a generic alert to the management server with a status, whether it's a failure or success. For a SyncML example, see [Alert example](#alert-example). -The following shows the EnterpriseDesktopAppManagement CSP in tree format. +The following example shows the EnterpriseDesktopAppManagement CSP in tree format. ``` ./Device/Vendor/MSFT @@ -66,9 +66,9 @@ Installation date of the application. Value type is string. Supported operation **MSI/*ProductID*/DownloadInstall** Executes the download and installation of the application. Value type is string. Supported operations are Execute and Get. -In Windows 10, version 1703 service release, a new tag \ was added to the \ section of the XML. The default value is 0 (do not send token). This tag is optional and needs to be set to 1 in case the server wants the download URL to get the AADUserToken. +In Windows 10, version 1703 service release, a new tag \ was added to the \ section of the XML. The default value is 0 (don't send token). This tag is optional and needs to be set to 1 in case the server wants the download URL to get the AADUserToken. -Here is an example: +Here's an example: ```xml @@ -99,12 +99,12 @@ Status of the application. Value type is string. Supported operation is Get. **MSI/*ProductID*/LastError** -The last error code during the application installation process. This is typically stored as an HRESULT format. Depending on what was occurring when the error happened, this could be the result of executing MSIExec.exe or the error result from an API that failed. +The last error code during the application installation process. This error code is typically stored as an HRESULT format. Depending on what was occurring when the error happened, this error could be the result of executing MSIExec.exe or the error result from an API that failed. Value type is string. Supported operation is Get. **MSI/*ProductID*/LastErrorDesc** -Contains the last error code description. The LastErrorDesc value is looked up for the matching LastError value. Sometimes there is no LastErrorDesc returned. +Contains the last error code description. The LastErrorDesc value is looked up for the matching LastError value. Sometimes there's no LastErrorDesc returned. Value type is string. Supported operation is Get. @@ -112,7 +112,7 @@ Value type is string. Supported operation is Get. Added in the March service release of Windows 10, version 1607. **MSI/UpgradeCode/_Guid_** -Added in the March service release of Windows 10, version 1607. A gateway (or device management server) uses this method to detect matching upgrade MSI product when a Admin wants to update an existing MSI app. If the same upgrade product is installed, then the update is allowed. +Added in the March service release of Windows 10, version 1607. A gateway (or device management server) uses this method to detect matching upgrade MSI product when an administrator wants to update an existing MSI app. If the same upgrade product is installed, then the update is allowed. Value type is string. Supported operation is Get. @@ -143,7 +143,7 @@ The following table describes the fields in the previous sample: | Name | Description | |--------|-------------------------------------------------------------------------------------------------------------------------------| | Get | Operation being performed. The Get operation is a request to return information. | -| CmdID | Input value used to reference the request. Responses will include this value which can be used to match request and response. | +| CmdID | Input value used to reference the request. Responses will include this value that can be used to match request and response. | | LocURI | Path to Win32 CSP command processor. | @@ -171,7 +171,7 @@ The following table describes the fields in the previous sample: | Name | Description | |--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Delete | Operation being performed. The Delete operation is a request to delete the CSP node that represents the specified MSI installed application and to perform and uninstall of the application as part of the process. | -| CmdID | Input value used to reference the request. Responses will include this value which can be used to match request and response. | +| CmdID | Input value used to reference the request. Responses will include this value that can be used to match request and response. | | LocURI | Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting. | @@ -199,7 +199,7 @@ The following table describes the fields in the previous sample: | Name | Description | |--------|-----------------------| | Get | Operation being performed. The Get operation is a request to report the status of the specified MSI installed application.| -| CmdID | Input value used to reference the request. Responses will include this value which can be used to match request and response. | +| CmdID | Input value used to reference the request. Responses will include this value that can be used to match request and response. | | LocURI | Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting. | @@ -261,8 +261,8 @@ The following table describes the fields in the previous sample: |Name|Description| |--- |--- | -|Add|This is required to precede the Exec command.
                            • CmdID - Input value used to reference the request. Responses includes this value, which can be use to match the request and response.
                            • LocURI - Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting.| -|Exec|The Exec node includes the parameters and properties requires to locate, download, validate and perform product installation.
                            • CmdID - Input value used to reference the request. Responses will include this value which can be used to match request and response.
                            • LocURI - Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting.
                            • Data - The Data node contains an embedded XML, of type “MsiInstallJob”
                            • MsiInstallJob - Contains all information required for the successful download, validation and execution of the MSI installation process (see section at the end of this document for details on this embedded data object).| +|Add|This field is required to precede the Exec command.
                            • CmdID - Input value used to reference the request. Responses include this value, which can be used to match the request and response.
                            • LocURI - Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting.| +|Exec|The Exec node includes the parameters and properties requires to locate, download, validate and perform product installation.
                            • CmdID - Input value used to reference the request. Responses will include this value that can be used to match request and response.
                            • LocURI - Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting.
                            • Data - The Data node contains an embedded XML, of type “MsiInstallJob”
                            • MsiInstallJob - Contains all information required for the successful download, validation and execution of the MSI installation process (see section at the end of this document for details on this embedded data object).| > [!Note] @@ -326,10 +326,10 @@ The following table MsiInstallJob describes the schema elements. |Element|Description| |--- |--- | -|MsiInstallJob|root element
                              "Attribute: "id - the application identifier of the application being installed| +|MsiInstallJob|root element
                              Attribute: "id" - the application identifier of the application being installed| |Product|child element of MsiInstallJob
                              Attribute: “Version” – string representation of application version| |Download|child element of Product. Container for download configuration information.| -|ContentURLList|child element of Download. Contains list of 1 or more content download URL locators in the form of ContentURL elements.| +|ContentURLList|child element of Download. Contains list of one or more content download URL locators in the form of ContentURL elements.| |ContentURL|Location content should be downloaded from. Must be a property formatted URL that points to the .MSI file.| |Validation|Contains information used to validate contend authenticity. • FileHash – SHA256 hash value of file content| |FileHash|SHA256 hash value of file content| @@ -341,7 +341,7 @@ The following table MsiInstallJob describes the schema elements. -Here is an example of a common response to a request +Here's an example of a common response to a request ```xml @@ -370,7 +370,7 @@ Here is an example of a common response to a request ## How to determine which installation context to use for an MSI package -The following tables shows how app targeting and MSI package type (per-user, per machine, or dual mode) are installed in the client. +The following tables show how app targeting and MSI package type (per-user, per machine, or dual mode) are installed in the client. For Intune standalone environment, the MSI package will determine the MSI execution context. diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md index 38daca74a6..709013b0bd 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md @@ -19,7 +19,7 @@ The EnterpriseModernAppManagement configuration service provider (CSP) is used f > [!Note] > Windows Holographic only supports per-user configuration of the EnterpriseModernAppManagement CSP. -The following shows the EnterpriseModernAppManagement configuration service provider in tree format. +The following example shows the EnterpriseModernAppManagement configuration service provider in tree format. ```console ./Vendor/MSFT @@ -109,18 +109,18 @@ Query parameters: - Output - Specifies the parameters for the information returned in AppInventoryResults operation. Multiple value must be separate by |. Valid values are: - PackagesName - returns the *PackageFamilyName* and *PackageFullName* of the app. Default if nothing is specified. - - PackageDetails - returns all inventory attributes of the package. This includes all information from PackageNames parameter, but does not validate RequiresReinstall. + - PackageDetails - returns all inventory attributes of the package. This information includes all information from PackageNames parameter, but doesn't validate RequiresReinstall. - RequiredReinstall - Validates the app status of the apps in the inventory query to determine if they require a reinstallation. This attribute may impact system performance depending on the number of apps installed. Requiring reinstall occurs when resource package updates or when the app is in a tampered state. - Source - specifies the app classification that aligns to the existing inventory nodes. You can use a specific filter or if no filter is specified then all sources will be returned. If no value is specified, all classifications are returned. Valid values are: - AppStore - This classification is for apps that were acquired from Microsoft Store. These were apps directly installed from Microsoft Store or enterprise apps from Microsoft Store for Business. - - nonStore - This classification is for apps that were not acquired from the Microsoft Store. - - System - Apps that are part of the OS. You cannot uninstall these apps. This classification is read-only and can only be inventoried. + - nonStore - This classification is for apps that weren't acquired from the Microsoft Store. + - System - Apps that are part of the OS. You can't uninstall these apps. This classification is read-only and can only be inventoried. - PackageTypeFilter - Specifies one or multiple types of packages you can use to query the user or device. Multiple values must be separated by |. Valid values are: - Main - returns the main installed package. - Bundle - returns installed bundle packages. - Framework - returns installed framework packages. - - Resource - returns installed resources packages. Resources are either language, scale, or DirectX resources. They are parts of a bundle. + - Resource - returns installed resources packages. Resources are either language, scale, or DirectX resources. They're parts of a bundle. - XAP - returns XAP package types. This filter is only supported on Windows Mobile. - All - returns all package types. @@ -128,11 +128,11 @@ Query parameters: - PackageFamilyName - specifies the name of a particular package. If you specify this parameter, it returns the Package Family name if the package contains this value. - If you do not specify this value, then all packages are returned. + If you don't specify this value, then all packages are returned. - Publisher - specifies the publisher of a particular package. If you specify this parameter, it returns the publisher if the value exists in the Publisher field. - If you do not specify this value, then all publishers are returned. + If you don't specify this value, then all publishers are returned. Supported operation is Get and Replace. @@ -161,8 +161,8 @@ Parameters:
                            • Name: Specifies the PackageFullName of the particular package to remove.
                            • RemoveForAllUsers:
                                -
                              • 0 (default) – Package will be un-provisioned so that new users do not receive the package. The package will remain installed for current users. This is not currently supported.
                                • -
                              • 1 – Package will be removed for all users only if it is a provisioned package.
                                • +
                              • 0 (default) – Package will be unprovisioned so that new users don't receive the package. The package will remain installed for current users. This option isn't currently supported.
                                • +
                              • 1 – Package will be removed for all users only if it's a provisioned package.
                            @@ -189,7 +189,7 @@ The following example removes a package for all users: ```` **AppManagement/nonStore** -Used to manage enterprise apps or developer apps that were not acquired from the Microsoft Store. +Used to manage enterprise apps or developer apps that weren't acquired from the Microsoft Store. Supported operation is Get. @@ -210,7 +210,7 @@ Added in Windows 10, version 1809. Interior node for the managing updates throug > ReleaseManagement settings only apply to updates through the Microsoft Store. **AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_** -Added in Windows 10, version 1809. Identifier for the app or set of apps. If there is only one app, it is the PackageFamilyName. If it is for a set of apps, it is the PackageFamilyName of the main app. +Added in Windows 10, version 1809. Identifier for the app or set of apps. If there's only one app, it's the PackageFamilyName. If it's for a set of apps, it's the PackageFamilyName of the main app. **AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/ChannelId** @@ -237,7 +237,7 @@ Added in Windows 10, version 1809. Returns the last user release ID on the devic Value type is string. Supported operation is Get. **.../***PackageFamilyName* -Optional. Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. +Optional. Package family name (PFN) of the app. There's one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. Supported operations are Get and Delete. @@ -323,7 +323,7 @@ Required. Date the app was installed. Value type is string. Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/ResourceID** -Required. Resource ID of the app. This is null for the main app, ~ for a bundle, and contains resource information for resources packages. Value type is string. +Required. Resource ID of the app. This value is null for the main app, ~ for a bundle, and contains resource information for resources packages. Value type is string. > [!Note] > Not applicable to XAP files. @@ -334,10 +334,10 @@ Supported operation is Get. Required. Provides information about the status of the package. Value type is int. Valid values are: - OK (0) - The package is usable. -- LicenseIssue (1) - The license of the package is not valid. +- LicenseIssue (1) - The license of the package isn't valid. - Modified (2) - The package payload was modified by an unknown source. - Tampered (4) - The package payload was tampered intentionally. -- Disabled (8) - The package is not available for use. It can still be serviced. +- Disabled (8) - The package isn't available for use. It can still be serviced. > [!Note] > Not applicable to XAP files. @@ -345,7 +345,7 @@ Required. Provides information about the status of the package. Value type is in Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/RequiresReinstall** -Required. Specifies whether the package state has changed and requires a reinstallation of the app. This can occur when new app resources are required, such as when a device has a change in language preference or a new DPI. It can also occur of the package was corrupted. If the value is 1, reinstallation of the app is performed. Value type is int. +Required. Specifies whether the package state has changed and requires a reinstallation of the app. This change of status can occur when new app resources are required, such as when a device has a change in language preference or a new DPI. It can also occur of the package was corrupted. If the value is 1, reinstallation of the app is performed. Value type is int. > [!Note] > Not applicable to XAP files. @@ -386,7 +386,7 @@ Added in Windows 10, version 1511. Interior node for all managed app setting val **.../*PackageFamilyName*/AppSettingPolicy/***SettingValue* (only for ./User/Vendor/MSFT) Added in Windows 10, version 1511. The *SettingValue* and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed.App.Settings container. -This setting only works for apps that support the feature and it is only supported in the user context. +This setting only works for apps that support the feature and it's only supported in the user context. Value type is string. Supported operations are Add, Get, Replace, and Delete. @@ -423,7 +423,7 @@ The following example gets all managed app settings for a specific app. ``` **.../_PackageFamilyName_/MaintainProcessorArchitectureOnUpdate** -Added in Windows 10, version 1803. Specify whether on a AMD64 device, across an app update, the architecture of the installed app must not change. For example if you have the x86 flavor of a Windows app installed, with this setting enabled, across an update, the x86 flavor will be installed even when x64 flavor is available. +Added in Windows 10, version 1803. Specify whether on an AMD64 device, across an app update, the architecture of the installed app must not change. For example if you have the x86 flavor of a Windows app installed, with this setting enabled, across an update, the x86 flavor will be installed even when x64 flavor is available. Supported operations are Add, Get, Delete, and Replace. Value type is integer. @@ -439,14 +439,14 @@ Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (M **.../_PackageFamilyName_/NonRemovable** Added in Windows 10, version 1809. Specifies if an app is nonremovable by the user. -This setting allows the IT admin to set an app to be nonremovable, or unable to be uninstalled by a user. This is useful in enterprise and education scenarios, where the IT admin might want to ensure that everyone always has certain apps and they won't be removed accidentally. This is also useful when there are multiple users per device, and you want to ensure that one user doesn’t remove it for all users. +This setting allows the IT admin to set an app to be nonremovable, or unable to be uninstalled by a user. This setting is useful in enterprise and education scenarios, where the IT admin might want to ensure that everyone always has certain apps and they won't be removed accidentally. This setting is also useful when there are multiple users per device, and you want to ensure that one user doesn’t remove it for all users. -NonRemovable requires admin permission. This can only be set per device, not per user. You can query the setting using AppInventoryQuery or AppInventoryResults. +NonRemovable requires admin permission. This setting can only be defined per device, not per user. You can query the setting using AppInventoryQuery or AppInventoryResults. Value type is integer. Supported operations are Add, Get, and Replace. Valid values: -- 0 – app is not in the nonremovable app policy list +- 0 – app isn't in the nonremovable app policy list - 1 – app is included in the nonremovable app policy list **Examples:** @@ -492,7 +492,7 @@ Get the status for a particular app ``` Replace an app in the nonremovable app policy list -Data 0 = app is not in the app policy list +Data 0 = app isn't in the app policy list Data 1 = app is in the app policy list ```xml @@ -519,7 +519,7 @@ Data 1 = app is in the app policy list Required node. Used to perform app installation. **AppInstallation/***PackageFamilyName* -Optional node. Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. +Optional node. Package family name (PFN) of the app. There's one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. Supported operations are Get and Add. @@ -533,7 +533,7 @@ Required. Command to perform an install of an app and a license from the Microso Supported operation is Execute, Add, Delete, and Get. **AppInstallation/*PackageFamilyName*/HostedInstall** -Required. Command to perform an install of an app package from a hosted location (this can be a local drive, a UNC, or https data source). +Required. Command to perform an install of an app package from a hosted location (this location can be a local drive, a UNC, or https data source). The following list shows the supported deployment options: - ForceApplicationShutdown @@ -541,10 +541,10 @@ The following list shows the supported deployment options: - InstallAllResources - ForceTargetApplicationShutdown  - ForceUpdateToAnyVersion -- DeferRegistration="1". If the app is in use at the time of installation. This stages the files for an app update and completes the registration of the app update after the app closes. Available in the latest insider flight of 20H1. +- DeferRegistration="1". If the app is in use at the time of installation. This option stages the files for an app update and completes the registration of the app update after the app closes. Available in the latest insider flight of 20H1. - StageOnly="1". Stages the files for an app installation or update without installing the app. Available in 1803. - LicenseUri="\\server\license.lic". Deploys an offline license from the Microsoft Store for Business. Available in 1607. -- ValidateDependencies="1". This is used at provisioning/staging time. If it is set to 1, deployment will perform the same dependency validation during staging that we would normally do at registration time, failing and rejecting the provision request if the dependencies are not present. Available in the latest insider flight of 20H1. +- ValidateDependencies="1". This option is used at provisioning/staging time. If it's set to 1, deployment will perform the same dependency validation during staging that we would normally do at registration time, failing and rejecting the provision request if the dependencies aren't present. Available in the latest insider flight of 20H1. - ExcludeAppFromLayoutModification="1". Sets that the app will be provisioned on all devices and will be able to retain the apps provisioned without pinning them to start layout. Available in 1809. Supported operation is Execute, Add, Delete, and Get. @@ -555,7 +555,7 @@ Required. Last error relating to the app installation. Supported operation is Get. > [!Note] -> This element is not present after the app is installed. +> This element isn't present after the app is installed. @@ -565,30 +565,30 @@ Required. Description of last error relating to the app installation. Supported operation is Get. > [!Note] -> This element is not present after the app is installed. +> This element isn't present after the app is installed. **AppInstallation/*PackageFamilyName*/Status** Required. Status of app installation. The following values are returned: -- NOT\_INSTALLED (0) - The node was added, but the execution has not completed. -- INSTALLING (1) - Execution has started, but the deployment has not completed. If the deployment completes regardless of success, this value is updated. +- NOT\_INSTALLED (0) - The node was added, but the execution hasn't completed. +- INSTALLING (1) - Execution has started, but the deployment hasn't completed. If the deployment completes regardless of success, this value is updated. - FAILED (2) - Installation failed. The details of the error can be found under LastError and LastErrorDescription. -- INSTALLED (3) - Once an install is successful this node is cleaned up, however in the event the clean up action has not completed, this state may briefly appear. +- INSTALLED (3) - Once an install is successful this node is cleaned up, however in the event the clean-up action hasn't completed, this state may briefly appear. Supported operation is Get. > [!Note] -> This element is not present after the app is installed. +> This element isn't present after the app is installed. **AppInstallation/*PackageFamilyName*/ProgessStatus** -Required. An integer the indicates the progress of the app installation. For https locations, this indicates the download progress. ProgressStatus is not available for provisioning and it is only for user-based installations. In provisioning, the value is always 0 (zero). +Required. An integer that indicates the progress of the app installation. For https locations, this integer indicates the download progress. ProgressStatus isn't available for provisioning and it's only for user-based installations. ProgressStatus value is always 0 (zero) in provisioning. Supported operation is Get. > [!Note] -> This element is not present after the app is installed. +> This element isn't present after the app is installed. **AppLicenses** @@ -617,7 +617,7 @@ Supported operation is Get. Added in Windows 10, version 1511. Required. Indicates the allowed usage for the license. Valid values: - Unknown - usage is unknown -- Online - the license is only valid for online usage. This is for applications with concurrence requirements, such as an app used on several computers, but can only be used on one at any given time. +- Online - the license is only valid for online usage. This license is for applications with concurrence requirements, such as an app used on several computers, but can only be used on one at any given time. - Offline - license is valid for use offline. You don't need a connection to the internet to use this license. - Enterprise Root - From a45e71aab3b6ea35447349f48af48d406142b325 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Wed, 2 Mar 2022 16:49:50 +0530 Subject: [PATCH 47/68] Acrolinx changes --- windows/client-management/mdm/euiccs-csp.md | 16 ++-- ...erated-authentication-device-enrollment.md | 40 ++++---- windows/client-management/mdm/firewall-csp.md | 56 +++++------ .../mdm/get-seats-assigned-to-a-user.md | 6 +- .../mdm/healthattestation-csp.md | 94 +++++++++---------- ...rver-side-mobile-application-management.md | 31 +++--- windows/client-management/mdm/index.md | 4 +- 7 files changed, 125 insertions(+), 122 deletions(-) diff --git a/windows/client-management/mdm/euiccs-csp.md b/windows/client-management/mdm/euiccs-csp.md index 3ac910ac33..aea59b7da0 100644 --- a/windows/client-management/mdm/euiccs-csp.md +++ b/windows/client-management/mdm/euiccs-csp.md @@ -1,6 +1,6 @@ --- title: eUICCs CSP -description: Learn how the eUICCs CSP is used to support eUICC enterprise use cases and enables the IT admin to manage (assign, re-assign, remove) subscriptions to employees. +description: Learn how the eUICCs CSP is used to support eUICC enterprise use cases and enables the IT admin to manage (assign, reassign, remove) subscriptions to employees. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -14,9 +14,9 @@ manager: dansimp # eUICCs CSP -The eUICCs configuration service provider is used to support eUICC enterprise use cases and enables the IT admin to manage (assign, re-assign, remove) subscriptions to employees. This CSP was added in windows 10, version 1709. +The eUICCs configuration service provider is used to support eUICC enterprise use cases and enables the IT admin to manage (assign, reassign, remove) subscriptions to employees. This CSP was added in windows 10, version 1709. -The following shows the eUICCs configuration service provider in tree format. +The following example shows the eUICCs configuration service provider in tree format. ``` ./Device/Vendor/MSFT eUICCs @@ -48,12 +48,12 @@ eUICCs Root node. **_eUICC_** -Interior node. Represents information associated with an eUICC. There is one subtree for each known eUICC, created by the Local Profile Assistant (LPA) when the eUICC is first seen. The node name is meaningful only to the LPA (which associates it with an eUICC ID (EID) in an implementation-specific manner, e.g., this could be a SHA-256 hash of the EID). The node name "Default" represents the currently active eUICC. +Interior node. Represents information associated with an eUICC. There's one subtree for each known eUICC, created by the Local Profile Assistant (LPA) when the eUICC is first seen. The node name is meaningful only to the LPA (which associates it with an eUICC ID (EID) in an implementation-specific manner, for example, this association could be an SHA-256 hash of the EID). The node name "Default" represents the currently active eUICC. Supported operation is Get. **_eUICC_/Identifier** -Required. Identifies an eUICC in an implementation-specific manner, e.g., this could be a SHA-256 hash of the EID. +Required. Identifies an eUICC in an implementation-specific manner, for example, this identification could be an SHA-256 hash of the EID. Supported operation is Get. Value type is string. @@ -63,7 +63,7 @@ Required. Indicates whether this eUICC is physically present and active. Updated Supported operation is Get. Value type is boolean. **_eUICC_/PPR1Allowed** -Profile Policy Rule 1 (PPR1) is required. Indicates whether the download of a profile with PPR1 is allowed. If the eUICC already has a profile (regardless of its origin and policy rules associated with it), the download of a profile with PPR1 is not allowed. +Profile Policy Rule 1 (PPR1) is required. Indicates whether the download of a profile with PPR1 is allowed. If the eUICC already has a profile (regardless of its origin and policy rules associated with it), the download of a profile with PPR1 isn't allowed. Supported operation is Get. Value type is boolean. @@ -88,7 +88,7 @@ Required. Current state of the discovery operation for the parent ServerName (Re Supported operation is Get. Value type is integer. Default value is 1. **_eUICC_/DownloadServers/_ServerName_/AutoEnable** -Required. Indicates whether the discovered profile must be enabled automatically after install. This must be set by the MDM when the ServerName subtree is created. +Required. Indicates whether the discovered profile must be enabled automatically after install. This setting must be defined by the MDM when the ServerName subtree is created. Supported operations are Add, Get, and Replace. Value type is bool. @@ -133,7 +133,7 @@ Required. Determines whether the local user interface of the LUI is available (t Supported operations are Get and Replace. Value type is boolean. Default value is true. **_eUICC_/Actions** -Interior node. Required. Actions that can be performed on the eUICC as a whole (when it is active). +Interior node. Required. Actions that can be performed on the eUICC as a whole (when it's active). Supported operation is Get. diff --git a/windows/client-management/mdm/federated-authentication-device-enrollment.md b/windows/client-management/mdm/federated-authentication-device-enrollment.md index 254ba46424..6dc5301d1b 100644 --- a/windows/client-management/mdm/federated-authentication-device-enrollment.md +++ b/windows/client-management/mdm/federated-authentication-device-enrollment.md @@ -14,7 +14,7 @@ ms.date: 07/28/2017 # Federated authentication device enrollment -This section provides an example of the mobile device enrollment protocol using federated authentication policy. When the authentication policy is set to Federated, the web authentication broker is leveraged by the enrollment client to get a security token. The enrollment client calls the web authentication broker API within the response message to start the process. The server should build the web authentication broker pages to fit the device screen and should be consistent with the existing enrollment UI. The opaque security token that is returned from the broker as an end page is used by the enrollment client as the device security secret during the client certificate request call. +This section provides an example of the mobile device enrollment protocol using federated authentication policy. When the authentication policy is set to Federated, the web authentication broker is used by the enrollment client to get a security token. The enrollment client calls the web authentication broker API within the response message to start the process. The server should build the web authentication broker pages to fit the device screen and should be consistent with the existing enrollment UI. The opaque security token that is returned from the broker as an end page is used by the enrollment client as the device security secret during the client certificate request call. The `` element the discovery response message specifies web authentication broker page start URL. @@ -75,9 +75,9 @@ After the device gets a response from the server, the device sends a POST reques The following logic is applied: -1. The device first tries HTTPS. If the server cert is not trusted by the device, the HTTPS fails. -2. If that fails, the device tries HTTP to see whether it is redirected: - - If the device is not redirected, it prompts the user for the server address. +1. The device first tries HTTPS. If the server cert isn't trusted by the device, the HTTPS fails. +2. If that fails, the device tries HTTP to see whether it's redirected: + - If the device isn't redirected, it prompts the user for the server address. - If the device is redirected, it prompts the user to allow the redirect. The following example shows a request via an HTTP POST command to the discovery web service given user@contoso.com as the email address @@ -126,12 +126,12 @@ The discovery response is in the XML format and includes the following fields: - Enrollment service URL (EnrollmentServiceUrl) – Specifies the URL of the enrollment endpoint that is exposed by the management service. The device should call this URL after the user has been authenticated. This field is mandatory. - Authentication policy (AuthPolicy) – Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory. -- In Windows, Federated is added as another supported value. This allows the server to leverage the Web Authentication Broker to perform customized user authentication, and term of usage acceptance. +- In Windows, Federated is added as another supported value. This addition allows the server to use the Web Authentication Broker to perform customized user authentication, and term of usage acceptance. > [!Note] > The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message. -When authentication policy is set to be Federated, Web Authentication Broker (WAB) will be leveraged by the enrollment client to get a security token. The WAB start page URL is provided by the discovery service in the response message. The enrollment client will call the WAB API within the response message to start the WAB process. WAB pages are server hosted web pages. The server should build those pages to fit the device screen nicely and be as consistent as possible to other builds in the MDM enrollment UI. The opaque security token that is returned from WAB as an endpage will be used by the enrollment client as the device security secret during the client certificate enrollment request call. +When authentication policy is set to be Federated, Web Authentication Broker (WAB) will be used by the enrollment client to get a security token. The WAB start page URL is provided by the discovery service in the response message. The enrollment client will call the WAB API within the response message to start the WAB process. WAB pages are server hosted web pages. The server should build those pages to fit the device screen nicely and be as consistent as possible to other builds in the MDM enrollment UI. The opaque security token that is returned from WAB as an endpage will be used by the enrollment client as the device security secret during the client certificate enrollment request call. > [!Note] > Instead of relying on the user agent string that is passed during authentication to get information, such as the OS version, use the following guidance: @@ -157,12 +157,12 @@ AuthenticationServiceUrl?appru=&login_hint= ``` - `` is of the form ms-app://string -- `` is the name of the enrolling user, for example, user@constoso.com as input by the user in an enrollment sign in page. The value of this attribute serves as a hint that can be used by the authentication server as part of the authentication. +- `` is the name of the enrolling user, for example, user@constoso.com as input by the user in an enrollment sign-in page. The value of this attribute serves as a hint that can be used by the authentication server as part of the authentication. After authentication is complete, the auth server should return an HTML form document with a POST method action of appid identified in the query string parameter. > [!NOTE] -> To make an application compatible with strict Content Security Policy, it is usually necessary to make some changes to HTML templates and client-side code, add the policy header, and test that everything works properly once the policy is deployed. +> To make an application compatible with strict Content Security Policy, it's usually necessary to make some changes to HTML templates and client-side code, add the policy header, and test that everything works properly once the policy is deployed. ```html HTTP/1.1 200 OK @@ -191,9 +191,9 @@ Content-Length: 556 ``` -The server has to send a POST to a redirect URL of the form ms-app://string (the URL scheme is ms-app) as indicated in the POST method action. The security token value is the base64-encoded string `http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\#base64binary` contained in the `` EncodingType attribute. Windows does the binary encode when it sends it back to enrollment server, in the form it is just HTML encoded. This string is opaque to the enrollment client; the client does not interpret the string. +The server has to send a POST to a redirect URL of the form ms-app://string (the URL scheme is ms-app) as indicated in the POST method action. The security token value is the base64-encoded string `http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\#base64binary` contained in the `` EncodingType attribute. Windows does the binary encode when it sends it back to enrollment server, in the form it's just HTML encoded. This string is opaque to the enrollment client; the client doesn't interpret the string. -The following example shows a response received from the discovery web service which requires authentication via WAB. +The following example shows a response received from the discovery web service that requires authentication via WAB. ```xml ` element defined in \[WSS\] section 5. The `` element must be a child of the `` element. - wsse:BinarySecurityToken: The enrollment client implements the `` element defined in \[WSS\] section 6.3. The `` element must be included as a child of the `` element in the SOAP header. -As was described in the discovery response section, the inclusion of the `` element is opaque to the enrollment client, and the client does not interpret the string, and the inclusion of the element is agreed upon by the security token authentication server (as identified in the `` element of `` and the enterprise server. +As was described in the discovery response section, the inclusion of the `` element is opaque to the enrollment client, and the client doesn't interpret the string, and the inclusion of the element is agreed upon by the security token authentication server (as identified in the `` element of `` and the enterprise server. The `` element contains a base64-encoded string. The enrollment client uses the security token received from the authentication server and base64-encodes the token to populate the `` element. @@ -248,7 +248,7 @@ The `` element contains a base64-encoded string. The e - wsse:BinarySecurityToken/attributes/EncodingType: The `` EncodingType attribute must be `http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\#base64binary`. -The following is an enrollment policy request example with a received security token as client credential. +The following example is an enrollment policy request with a received security token as client credential. ```xml [!NOTE] > The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message. @@ -381,11 +381,11 @@ The following snippet shows the policy web service response. This web service implements the MS-WSTEP protocol. It processes the RequestSecurityToken (RST) message from the client, authenticates the client, requests the certificate from the CA, and returns it in the RequestSecurityTokenResponse (RSTR) to the client. Besides the issued certificate, the response also contains configurations needed to provision the DM client. -The RequestSecurityToken (RST) must have the user credential and a certificate request. The user credential in an RST SOAP envelope is the same as in GetPolicies, and can vary depending on whether the authentication policy is OnPremise or Federated. The BinarySecurityToken in an RST SOAP body contains a Base64-encoded PKCS\#10 certificate request, which is generated by the client based on the enrollment policy. The client could have requested an enrollment policy by using MS-XCEP before requesting a certificate using MS-WSTEP. If the PKCS\#10 certificate request is accepted by the certification authority (CA) (the key length, hashing algorithm, and so on match the certificate template), the client can enroll successfully. +The RequestSecurityToken (RST) must have the user credential and a certificate request. The user credential in an RST SOAP envelope is the same as in GetPolicies, and can vary depending on whether the authentication policy is OnPremise or Federated. The BinarySecurityToken in an RST SOAP body contains a Base64-encoded PKCS\#10 certificate request, which is generated by the client based on the enrollment policy. The client could have requested an enrollment policy by using MS-XCEP before requesting a certificate using MS-WSTEP. If the PKCS\#10 certificate request is accepted by the certification authority (CA) (the key length, hashing algorithm, and so on, match the certificate template), the client can enroll successfully. -Note that the RequestSecurityToken will use a custom TokenType (`http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken`), because our enrollment token is more than an X.509 v3 certificate. For more details, see the Response section. +The RequestSecurityToken will use a custom TokenType (`http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken`), because our enrollment token is more than an X.509 v3 certificate. For more information, see the Response section. -The RST may also specify a number of AdditionalContext items, such as DeviceType and Version. Based on these values, for example, the web service can return device-specific and version-specific DM configuration. +The RST may also specify many AdditionalContext items, such as DeviceType and Version. Based on these values, for example, the web service can return device-specific and version-specific DM configuration. > [!Note] > The policy service and the enrollment service must be on the same server; that is, they must have the same host name. @@ -485,13 +485,13 @@ The provisioning XML contains: - The requested certificates (required) - The DM client configuration (required) -The client will install the client certificate, the enterprise root certificate, and intermediate CA certificate if there is one. The DM configuration includes the name and address of the DM server, which client certificate to use, and schedules when the DM client calls back to the server. +The client will install the client certificate, the enterprise root certificate, and intermediate CA certificate if there's one. The DM configuration includes the name and address of the DM server, which client certificate to use, and schedules when the DM client calls back to the server. -Enrollment provisioning XML should contain a maximum of one root certificate and one intermediate CA certificate that is needed to chain up the MDM client certificate. Additional root and intermediate CA certificates could be provisioned during an OMA DM session. +Enrollment provisioning XML should contain a maximum of one root certificate and one intermediate CA certificate that is needed to chain up the MDM client certificate. More root and intermediate CA certificates could be provisioned during an OMA DM session. -When provisioning root and intermediate CA certificates, the supported CSP node path is: CertificateStore/Root/System for root certificate provisioning, CertificateStore/My/User for intermediate CA certificate provisioning. +When root and intermediate CA certificates are being provisioned, the supported CSP node path is: CertificateStore/Root/System for root certificate provisioning, CertificateStore/My/User for intermediate CA certificate provisioning. -Here is a sample RSTR message and a sample of OMA client provisioning XML within RSTR. For more information about the configuration service providers (CSPs) used in provisioning XML, see the Enterprise settings, policies and app management section. +Here's a sample RSTR message and a sample of OMA client provisioning XML within RSTR. For more information about the configuration service providers (CSPs) used in provisioning XML, see the Enterprise settings, policies and app management section. The following example shows the enrollment web service response. diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index 65b65a3326..a9735120d7 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md @@ -14,13 +14,13 @@ manager: dansimp # Firewall configuration service provider (CSP) -The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, as well as the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP was added Windows 10, version 1709. +The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, and the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP was added Windows 10, version 1709. Firewall rules in the FirewallRules section must be wrapped in an Atomic block in SyncML, either individually or collectively. -For detailed information on some of the fields below see [[MS-FASP]: Firewall and Advanced Security Protocol documentation](/openspecs/windows_protocols/ms-winerrata/6521c5c4-1f76-4003-9ade-5cccfc27c8ac). +For detailed information on some of the fields below, see [[MS-FASP]: Firewall and Advanced Security Protocol documentation](/openspecs/windows_protocols/ms-winerrata/6521c5c4-1f76-4003-9ade-5cccfc27c8ac). -The following shows the Firewall configuration service provider in tree format. +The following example shows the Firewall configuration service provider in tree format. ``` ./Vendor/MSFT Firewall @@ -113,11 +113,11 @@ Firewall

                            Supported operations are Get.

                            **MdmStore/Global/PolicyVersionSupported** -

                            Integer value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build.

                            +

                            Integer value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value isn't merged and is always a fixed value for a particular firewall and advanced security components software build.

                            Value type in integer. Supported operation is Get.

                            **MdmStore/Global/CurrentProfiles** -

                            Integer value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law.

                            +

                            Integer value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it's not merged and has no merge law.

                            Value type in integer. Supported operation is Get.

                            **MdmStore/Global/DisableStatefulFtp** @@ -126,40 +126,40 @@ Firewall

                            Data type is bool. Supported operations are Add, Get, Replace, and Delete.

                            **MdmStore/Global/SaIdleTime** -

                            This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value is integer and MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

                            +

                            This value configures the security association idle time, in seconds. Security associations are deleted after network traffic isn't seen for this specified period of time. The value is integer and MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value.

                            Default value is 300.

                            Value type is integer. Supported operations are Add, Get, Replace, and Delete.

                            **MdmStore/Global/PresharedKeyEncoding** -

                            Specifies the preshared key encoding that is used. The value is integer and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

                            +

                            Specifies the preshared key encoding that is used. The value is integer and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value.

                            Default value is 1.

                            Value type is integer. Supported operations are Add, Get, Replace, and Delete.

                            **MdmStore/Global/IPsecExempt** -

                            This value configures IPsec exceptions. The value is integer and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

                            +

                            This value configures IPsec exceptions. The value is integer and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value.

                            Default value is 0.

                            Value type is integer. Supported operations are Add, Get, Replace, and Delete.

                            **MdmStore/Global/CRLcheck** -

                            This value specifies how certificate revocation list (CRL) verification is enforced. The value is integer and MUST be 0, 1, or 2. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. Valid valued:

                            +

                            This value specifies how certificate revocation list (CRL) verification is enforced. The value is integer and MUST be 0, 1, or 2. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value. Valid valued:

                            • 0 disables CRL checking
                              • -
                            • 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail.
                              • +
                            • 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) don't cause certificate validation to fail.
                            • 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing

                            Default value is 0.

                            Value type is integer. Supported operations are Add, Get, Replace, and Delete.

                            **MdmStore/Global/PolicyVersion** -

                            This value contains the policy version of the policy store being managed. This value is not merged and therefore, has no merge law.

                            +

                            This value contains the policy version of the policy store being managed. This value isn't merged and therefore, has no merge law.

                            Value type is string. Supported operation is Get.

                            **MdmStore/Global/BinaryVersionSupported** -

                            This value contains the binary version of the structures and data types that are supported by the server. This value is not merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201.

                            +

                            This value contains the binary version of the structures and data types that are supported by the server. This value isn't merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201.

                            Value type is string. Supported operation is Get.

                            **MdmStore/Global/OpportunisticallyMatchAuthSetPerKM** -

                            This value is bool used as an on/off switch. When this option is false (off), keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is true (on), keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.

                            +

                            This value is bool used as an on/off switch. When this option is false (off), keying modules MUST ignore the entire authentication set if they don't support all of the authentication suites specified in the set. When this option is true (on), keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.

                            Boolean value. Supported operations are Add, Get, Replace, and Delete.

                            **MdmStore/Global/EnablePacketQueue** @@ -184,12 +184,12 @@ Firewall

                            Interior node. Supported operation is Get.

                            **/EnableFirewall** -

                            Boolean value for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

                            +

                            Boolean value for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.

                            Default value is true.

                            Value type is bool. Supported operations are Add, Get and Replace.

                            **/DisableStealthMode** -

                            Boolean value. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

                            +

                            Boolean value. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.

                            Default value is false.

                            Value type is bool. Supported operations are Add, Get and Replace.

                            @@ -199,22 +199,22 @@ Firewall

                            Value type is bool. Supported operations are Get and Replace.

                            **/DisableUnicastResponsesToMulticastBroadcast** -

                            Boolean value. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

                            +

                            Boolean value. If it's true, unicast responses to multicast broadcast traffic are blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.

                            Default value is false.

                            Value type is bool. Supported operations are Add, Get and Replace.

                            **/DisableInboundNotifications** -

                            Boolean value. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

                            +

                            Boolean value. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.

                            Default value is false.

                            Value type is bool. Supported operations are Add, Get and Replace.

                            **/AuthAppsAllowUserPrefMerge** -

                            Boolean value. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

                            +

                            Boolean value. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.

                            Default value is true.

                            Value type is bool. Supported operations are Add, Get and Replace.

                            **/GlobalPortsAllowUserPrefMerge** -

                            Boolean value. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

                            +

                            Boolean value. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it's set or enumerated in the Group Policy store or if it's enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.

                            Default value is true.

                            Value type is bool. Supported operations are Add, Get and Replace.

                            @@ -229,7 +229,7 @@ Firewall

                            Value type is bool. Supported operations are Add, Get and Replace.

                            **/DefaultOutboundAction** -

                            This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. DefaultOutboundAction will block all outbound traffic unless it is explicitly specified not to block.

                            +

                            This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. DefaultOutboundAction will block all outbound traffic unless it's explicitly specified not to block.

                            • 0x00000000 - allow
                            • 0x00000001 - block
                              • @@ -262,7 +262,7 @@ Sample syncxml to provision the firewall settings to evaluate ``` **/DefaultInboundAction** -

                              This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.

                              +

                              This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it's configured; otherwise, the local store value is used.

                              • 0x00000000 - allow
                              • 0x00000001 - block
                                • @@ -271,7 +271,7 @@ Sample syncxml to provision the firewall settings to evaluate

                                Value type is integer. Supported operations are Add, Get and Replace.

                                **/DisableStealthModeIpsecSecuredPacketExemption** -

                                Boolean value. This option is ignored if DisableStealthMode is true. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.

                                +

                                Boolean value. This option is ignored if DisableStealthMode is true. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.

                                Default value is true.

                                Value type is bool. Supported operations are Add, Get and Replace.

                                @@ -306,7 +306,7 @@ Sample syncxml to provision the firewall settings to evaluate

                                Value type is string. Supported operations are Add, Get, Replace, and Delete.

                                **FirewallRules/_FirewallRuleName_/App/ServiceName** -

                                This is a service name used in cases when a service, not an application, is sending or receiving traffic.

                                +

                                This parameter is a service name used in cases when a service, not an application, is sending or receiving traffic.

                                Value type is string. Supported operations are Add, Get, Replace, and Delete.

                                **FirewallRules/_FirewallRuleName_/Protocol** @@ -325,9 +325,9 @@ Sample syncxml to provision the firewall settings to evaluate

                                Value type is string. Supported operations are Add, Get, Replace, and Delete.

                                **FirewallRules/*FirewallRuleName*/LocalAddressRanges** -

                                Comma separated list of local addresses covered by the rule. The default value is "*". Valid tokens include:

                                +

                                Comma-separated list of local addresses covered by the rule. The default value is "*". Valid tokens include:

                                  -
                                • "*" indicates any local address. If present, this must be the only token included.
                                  • +
                                • "*" indicates any local address. If present, the local address must be the only token included.
                                • A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask defaults to 255.255.255.255.
                                • A valid IPv6 address.
                                • An IPv4 address range in the format of "start address - end address" with no spaces included.
                                  • @@ -339,7 +339,7 @@ Sample syncxml to provision the firewall settings to evaluate **FirewallRules/*FirewallRuleName*/RemoteAddressRanges**

                                  List of comma separated tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include:

                                    -
                                  • "*" indicates any remote address. If present, this must be the only token included.
                                    • +
                                  • "*" indicates any remote address. If present, the address must be the only token included.
                                  • "Defaultgateway"
                                  • "DHCP"
                                  • "DNS"
                                    • @@ -348,7 +348,7 @@ Sample syncxml to provision the firewall settings to evaluate
                                  • "RmtIntranet"
                                  • "Internet"
                                  • "Ply2Renders"
                                    • -
                                  • "LocalSubnet" indicates any local address on the local subnet. This token is not case-sensitive.
                                    • +
                                  • "LocalSubnet" indicates any local address on the local subnet. This token isn't case-sensitive.
                                  • A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
                                  • A valid IPv6 address.
                                  • An IPv4 address range in the format of "start address - end address" with no spaces included.
                                    • @@ -411,7 +411,7 @@ Sample syncxml to provision the firewall settings to evaluate

                                    Value type is bool. Supported operations are Add, Get, Replace, and Delete.

                                    **FirewallRules/_FirewallRuleName_/LocalUserAuthorizationList** -

                                    Specifies the list of authorized local users for this rule. This is a string in Security Descriptor Definition Language (SDDL) format.

                                    +

                                    Specifies the list of authorized local users for this rule. This list is a string in Security Descriptor Definition Language (SDDL) format.

                                    Value type is string. Supported operations are Add, Get, Replace, and Delete.

                                    **FirewallRules/_FirewallRuleName_/Status** diff --git a/windows/client-management/mdm/get-seats-assigned-to-a-user.md b/windows/client-management/mdm/get-seats-assigned-to-a-user.md index d7167f4626..5f70d09f93 100644 --- a/windows/client-management/mdm/get-seats-assigned-to-a-user.md +++ b/windows/client-management/mdm/get-seats-assigned-to-a-user.md @@ -1,6 +1,6 @@ --- title: Get seats assigned to a user -description: The Get seats assigned to a user operation retrieves information about assigned seats in the Micosoft Store for Business. +description: The Get seats assigned to a user operation retrieves information about assigned seats in the Microsoft Store for Business. ms.assetid: CB963E44-8C7C-46F9-A979-89BBB376172B ms.reviewer: manager: dansimp @@ -14,7 +14,7 @@ ms.date: 09/18/2017 # Get seats assigned to a user -The **Get seats assigned to a user** operation retrieves information about assigned seats in the Micosoft Store for Business. +The **Get seats assigned to a user** operation retrieves information about assigned seats in the Microsoft Store for Business. ## Request @@ -39,7 +39,7 @@ The following parameters may be specified in the request URI. ### Response body -The response body contain [SeatDetailsResultSet](data-structures-windows-store-for-business.md#seatdetailsresultset). +The response body contains [SeatDetailsResultSet](data-structures-windows-store-for-business.md#seatdetailsresultset). |Error code|Description|Retry|Data field| |--- |--- |--- |--- | diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 2513599a28..b5adad8cb7 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -16,7 +16,7 @@ ms.date: The Device HealthAttestation configuration service provider (DHA-CSP) enables enterprise IT administrators to assess if a device is booted to a trusted and compliant state, and to take enterprise policy actions. -The following is a list of functions performed by the Device HealthAttestation CSP: +The following list is a description of the functions performed by the Device HealthAttestation CSP: - Collects device boot logs, Trusted Platform Module (TPM) audit trails and the TPM certificate (DHA-BootData) from a managed device - Forwards DHA-BootData to a Device Health Attestation Service (DHA-Service) @@ -25,7 +25,7 @@ The following is a list of functions performed by the Device HealthAttestation C ## Windows 11 Device health attestation -Windows 11 introduces an update to the device health attestation feature. This helps add support for deeper insights to Windows boot security, supporting a zero trust approach to device security. Device health attestation on Windows can be accessed by using the HealthAttestation CSP. This CSP helps assess if a device is booted to a trusted and compliant state and then to take appropriate action. Windows 11 introduces additional child nodes to the HealthAttestation node for the MDM providers to connect to the Microsoft Azure Attestation service, which provides a simplified approach to attestation. +Windows 11 introduces an update to the device health attestation feature. This update helps add support for deeper insights to Windows boot security, supporting a zero trust approach to device security. Device health attestation on Windows can be accessed by using the HealthAttestation CSP. This CSP helps assess if a device is booted to a trusted and compliant state and then to take appropriate action. Windows 11 introduces more child nodes to the HealthAttestation node for the MDM providers to connect to the Microsoft Azure Attestation service, which provides a simplified approach to attestation. The attestation report provides a health assessment of the boot-time properties of the device to ensure that the devices are automatically secure as soon as they power on. The health attestation result can then be used to allow or deny access to networks, apps, or services, depending on the health of the device. @@ -48,7 +48,7 @@ The attestation report provides a health assessment of the boot-time properties - **MAA endpoint**: Microsoft Azure attestation service is an Azure resource, and every instance of the service gets administrator configured URL. The URI generated is unique in nature and for the purposes of device health attestation is known as the MAA endpoint. -- **JWT (JSON Web Token)**: JSON Web Token (JWT) is an open standard RFC7519 method for securely transmitting information between parties as a JavaScript Object Notation (JSON) object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret or a public/private key pair. +- **JWT (JSON Web Token)**: JSON Web Token (JWT) is an open standard RFC7519 method for securely transmitting information between parties as a JavaScript Object Notation (JSON) object. This information can be verified and trusted because it's digitally signed. JWTs can be signed using a secret or a public/private key pair. ### Attestation Flow with Microsoft Azure Attestation Service @@ -126,9 +126,9 @@ Data fields: - rpID (Relying Party Identifier): This field contains an identifier that can be used to help determine the caller. - serviceEndpoint : This field contains the complete URL of the Microsoft Azure Attestation provider instance to be used for evaluation. -- nonce : This field contains an arbitrary number that can be used just once in a cryptographic communication. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks. +- nonce: This field contains an arbitrary number that can be used only once in a cryptographic communication. It's often a random or pseudo-random number issued in an authentication protocol to ensure that old communications can't be reused in replay attacks. - aadToken: The AAD token to be used for authentication against the Microsoft Azure Attestation service. -- cv: This field contains an identifier(Correlation Vector) that will passed in to the service call, that can be used for diagnostics purposes. +- cv: This field contains an identifier(Correlation Vector) that will be passed in to the service call, and that can be used for diagnostics purposes. Sample Data: @@ -182,7 +182,7 @@ Example: 0x80072efd, WININET_E_CANNOT_CONNECT Node type: GET -This node will retrieve the attestation report per the call made by the TriggerAttestation, if there is any, for the given MDM provider. The report is stored in a registry key in the respective MDM enrollment store. +This node will retrieve the attestation report per the call made by the TriggerAttestation, if there's any, for the given MDM provider. The report is stored in a registry key in the respective MDM enrollment store. Templated SyncML Call: @@ -217,7 +217,7 @@ OR Sync ML 404 error if not cached report available. Node type: GET -This node will retrieve the service-generated correlation IDs for the given MDM provider. If there is more than one correlation ID, they are separated by “;” in the string. +This node will retrieve the service-generated correlation IDs for the given MDM provider. If there's more than one correlation ID, they're separated by “;” in the string. Templated SyncML Call: @@ -249,7 +249,7 @@ calls between client and MAA and for each call the GUID is separated by semicolo ``` > [!NOTE] -> > MAA CSP nodes are available on arm64 but is not currently supported. +> > MAA CSP nodes are available on arm64 but isn't currently supported. ### MAA CSP Integration Steps @@ -372,7 +372,7 @@ calls between client and MAA and for each call the GUID is separated by semicolo // Find the first EV_SEPARATOR in PCR 12, 13, Or 14 c:[type=="events", issuer=="AttestationService"] => add(type="evSeparatorSeq", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_SEPARATOR' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `14`)] | @[0].EventSeq")); c:[type=="evSeparatorSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value=AppendString(AppendString("Events[? EventSeq < `", c.value), "`")); - [type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? `true` "); // No restriction of EV_SEPARATOR in case it is not present + [type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? `true` "); // No restriction of EV_SEPARATOR in case it's not present //Finding the Boot App SVN // Find the first EVENT_TRANSFER_CONTROL with value 1 or 2 in PCR 12 which is before the EV_SEPARATOR @@ -490,7 +490,7 @@ More information about TPM attestation can be found here: [Microsoft Azure Attes - DHA-BootData: the device boot data (TCG logs, PCR values, device/TPM certificate, boot, and TPM counters) that are required for validating device boot health. - DHA-EncBlob: an encrypted summary report that DHA-Service issues to a device after reviewing the DHA-BootData it receives from devices. - - DHA-SignedBlob: it is a signed snapshot of the current state of a device’s runtime that is captured by DHA-CSP at device health attestation time. + - DHA-SignedBlob: it's a signed snapshot of the current state of a device’s runtime that is captured by DHA-CSP at device health attestation time. - DHA-Data: an XML formatted data blob that devices forward for device health validation to DHA-Service via MDM-Server. DHA-Data has two parts: - DHA-EncBlob: the encrypted data blob that the device receives from DHA-Service @@ -510,7 +510,7 @@ More information about TPM attestation can be found here: [Microsoft Azure Attes - Collects device health attestation data (DHA-Data), and sends it to Device Health Attestation Service (DHA-Service) for verification - Gets the device health report (DHA-Report) from DHA-Service, which triggers compliance action -- **DHA-CSP (Device HealthAttestation Configuration Service Provider)**: The Device HealthAttestation Configuration Service Provider (DHA-CSP) uses a device’s TPM and firmware to measure critical security properties of the device’s BIOS and Windows boot, such that even on a system infected with kernel level malware or a rootkit, these properties cannot be spoofed. +- **DHA-CSP (Device HealthAttestation Configuration Service Provider)**: The Device HealthAttestation Configuration Service Provider (DHA-CSP) uses a device’s TPM and firmware to measure critical security properties of the device’s BIOS and Windows boot, such that even on a system infected with kernel level malware or a rootkit, these properties can't be spoofed. The following list of operations is performed by DHA-CSP: @@ -535,8 +535,8 @@ More information about TPM attestation can be found here: [Microsoft Azure Attes |DHA-Service type|Description|Operation cost| |--- |--- |--- | |Device Health Attestation – Cloud (DHA-Cloud)|DHA-Cloud is a Microsoft owned and operated DHA-Service that is:
                                  • Available in Windows for free
                                  • Running on a high-availability and geo-balanced cloud infrastructure
                                  • Supported by most DHA-Enabled device management solutions as the default device attestation service provider
                                  • Accessible to all enterprise-managed devices via following:
                                    • FQDN = has.spserv.microsoft.com port
                                    • Port = 443
                                    • Protocol = TCP|No cost
                                    • | -|Device Health Attestation – On Premise(DHA-OnPrem)|DHA-OnPrem refers to DHA-Service that is running on premises:
                                  • Offered to Windows Server 2016 customer (no added licensing cost for enabling/running DHA-Service)
                                  • Hosted on an enterprise owned and managed server device/hardware
                                  • Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios
                                  • Accessible to all enterprise-managed devices via following:
                                    • FQDN = (enterprise assigned)
                                    • Port = (enterprise assigned)
                                    • Protocol = TCP|The operation cost of running one or more instances of Server 2016 on-premises.
                                    • | -|Device Health Attestation - Enterprise-Managed Cloud(DHA-EMC)|DHA-EMC refers to an enterprise-managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise-managed cloud service, such as Microsoft Azure.
                                  • Offered to Windows Server 2016 customers with no additional licensing cost (no added licensing cost for enabling/running DHA-Service)
                                  • Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios
                                  • Accessible to all enterprise-managed devices via following:
                                    • FQDN = (enterprise assigned)
                                    • Port = (enterprise assigned)
                                    • Protocol = TCP|The operation cost of running Server 2016 on a compatible cloud service, such as Microsoft Azure.
                                    • | +|Device Health Attestation – On Premise(DHA-OnPrem)|DHA-OnPrem refers to DHA-Service that is running on premises:
                                  • Offered to Windows Server 2016 customer (no added licensing cost for enabling/running DHA-Service)
                                  • Hosted on an enterprise owned and managed server device/hardware
                                  • Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios
                                  • Accessible to all enterprise-managed devices via following settings:
                                    • FQDN = (enterprise assigned)
                                    • Port = (enterprise assigned)
                                    • Protocol = TCP|The operation cost of running one or more instances of Server 2016 on-premises.
                                    • | +|Device Health Attestation - Enterprise-Managed Cloud(DHA-EMC)|DHA-EMC refers to an enterprise-managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise-managed cloud service, such as Microsoft Azure.
                                  • Offered to Windows Server 2016 customers with no extra licensing cost (no added licensing cost for enabling/running DHA-Service)
                                  • Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios
                                  • Accessible to all enterprise-managed devices via following settings:
                                    • FQDN = (enterprise assigned)
                                    • Port = (enterprise assigned)
                                    • Protocol = TCP|The operation cost of running Server 2016 on a compatible cloud service, such as Microsoft Azure.
                                    • | ### CSP diagram and node descriptions @@ -578,7 +578,7 @@ The following list shows some examples of supported values. For the complete lis - 0 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_UNINITIALIZED): DHA-CSP is preparing a request to get a new DHA-EncBlob from DHA-Service - 1 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_REQUESTED): DHA-CSP is waiting for the DHA-Service to respond back, and issue a DHA-EncBlob to the device -- 2 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_FAILED): A valid DHA-EncBlob could not be retrieved from the DHA-Service for reasons other than discussed in the DHA error/status codes +- 2 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_FAILED): A valid DHA-EncBlob couldn't be retrieved from the DHA-Service for reasons other than discussed in the DHA error/status codes - 3 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_COMPLETE): DHA-Data is ready for pickup **ForceRetrieve** (Optional) @@ -609,7 +609,7 @@ Value type is integer, the minimum value is - 2,147,483,648 and the maximum valu **HASEndpoint** (Optional) -Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN is not assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service. +Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN isn't assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service. Value type is string. The supported operations are Get and Replace. The default value is has.spserv.microsoft.com. @@ -638,7 +638,7 @@ Each step is described in detail in the following sections of this topic. Validate that both the MDM server and the device (MDM client) can access has.spserv.microsoft.com using the TCP protocol over port 443 (HTTPS). -You can use OpenSSL to validate access to DHA-Service. Here is a sample OpenSSL command and the response that was generated by DHA-Service: +You can use OpenSSL to validate access to DHA-Service. Here's a sample OpenSSL command and the response that was generated by DHA-Service: ```console PS C:\openssl> ./openssl.exe s_client -connect has.spserv.microsoft.com:443 @@ -736,7 +736,7 @@ The following example shows a sample call that triggers collection and verificat ``` -### Step 4: Take action based on the clients response +### Step 4: Take action based on the client's response After the client receives the health attestation request, it sends a response. The following list describes the responses, along with a recommended action to take. @@ -744,7 +744,7 @@ After the client receives the health attestation request, it sends a response. T - If the response is HEALTHATTESTATION\_CERT_RETRIEVAL_COMPLETE (3) then proceed to the next section. - If the response is HEALTHATTESTATION_CERT_RETRIEVAL_REQUESTED (1) or HEALTHATTESTATION_CERT_RETRIEVAL_UNINITIALIZED (0) wait for an alert, then proceed to the next section. -Here is a sample alert that is issued by DHA_CSP: +Here's a sample alert that is issued by DHA_CSP: ```xml @@ -762,14 +762,14 @@ Here is a sample alert that is issued by DHA_CSP: ``` -- If the response to the status node is not 0, 1 or 3, then troubleshoot the issue. For the complete list of status codes, see [Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes). +- If the response to the status node isn't 0, 1 or 3, then troubleshoot the issue. For the complete list of status codes, see [Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes). ### Step 5: Instruct the client to forward health attestation data for verification Create a call to the **Nonce**, **Certificate** and **CorrelationId** nodes, and pick up an encrypted payload that includes a health certificate and related data from the device. -Here is an example: +Here's an example: ```xml @@ -876,7 +876,7 @@ The following list of data points is verified by the DHA-Service in DHA-Report v \*\* Reports if BitLocker was enabled during initial boot. \*\*\* The "Hybrid Resume" must be disabled on the device. Reports first-party ELAM "Defender" was loaded during boot. -Each of these are described in further detail in the following sections, along with the recommended actions to take. +Each of these data points is described in further detail in the following sections, along with the recommended actions to take. **Issued** @@ -907,7 +907,7 @@ This attribute reports the number of times a PC device has rebooted. A device can be trusted more if the DEP Policy is enabled on the device. -Data Execution Prevention (DEP) Policy defines is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. Secure boot allows a limited list on x86/amd64 and on ARM NTOS locks it to on. +Data Execution Prevention (DEP) Policy defines a set of hardware and software technologies that perform extra checks on memory to help prevent malicious code from running on a system. Secure boot allows a limited list on x86/amd64 and on ARM NTOS locks it to on. DEPPolicy can be disabled or enabled by using the following commands in WMI or a PowerShell script: @@ -927,9 +927,9 @@ If DEPPolicy = 0 (Off), then take one of the following actions that align with y When BitLocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation. -Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen. +Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer isn't tampered with, even if it's left unattended, lost, or stolen. -If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys cannot be accessed until the TPM has verified the state of the computer. +If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys can't be accessed until the TPM has verified the state of the computer. If BitLockerStatus = 1 (On), then allow access. @@ -955,7 +955,7 @@ If BootManagerRevListVersion != [CurrentVersion], then take one of the following **CodeIntegrityRevListVersion** -This attribute indicates the version of the code that is performing integrity checks during the boot sequence. Using this attribute can help you detect if the device is running the latest version of the code that performs integrity checks, or if it is exposed to security risks (revoked) and enforce an appropriate policy action. +This attribute indicates the version of the code that is performing integrity checks during the boot sequence. Using this attribute can help you detect if the device is running the latest version of the code that performs integrity checks, or if it's exposed to security risks (revoked), and enforce an appropriate policy action. If CodeIntegrityRevListVersion = [CurrentVersion], then allow access. @@ -968,7 +968,7 @@ If CodeIntegrityRevListVersion != [CurrentVersion], then take one of the followi **SecureBootEnabled** -When Secure Boot is enabled the core components used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies this before it lets the machine start. If any files have been tampered with, breaking their signature, the system will not boot. +When Secure Boot is enabled, the core components used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies this requirement before it lets the machine start. If any files have been tampered with, breaking their signature, the system won't boot. If SecureBootEnabled = 1 (True), then allow access. @@ -1014,7 +1014,7 @@ If OSKernelDebuggingEnabled = 1 (True), then take one of the following actions t When code integrity is enabled, code execution is restricted to integrity verified code. -Code integrity is a feature that validates the integrity of a driver or system file each time it is loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrator privileges. +Code integrity is a feature that validates the integrity of a driver or system file each time it's loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrator privileges. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed. @@ -1029,7 +1029,7 @@ If CodeIntegrityEnabled = 0 (False), then take one of the following actions that **TestSigningEnabled** -When test signing is enabled, the device does not enforce signature validation during boot, and allows the unsigned drivers (such as unsigned UEFI modules) to load during boot. +When test signing is enabled, the device doesn't enforce signature validation during boot, and allows the unsigned drivers (such as unsigned UEFI modules) to load during boot. Test signing can be disabled or enabled by using the following commands in WMI or a PowerShell script: @@ -1116,7 +1116,7 @@ This attribute identifies the security version number of the Boot Application th If reported BootAppSVN equals an accepted value, then allow access. -If reported BootAppSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies: +If reported BootAppSVN doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies: - Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. @@ -1127,7 +1127,7 @@ This attribute identifies the security version number of the Boot Manager that w If reported BootManagerSVN equals an accepted value, then allow access. -If reported BootManagerSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies: +If reported BootManagerSVN doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies: - Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. @@ -1142,7 +1142,7 @@ This attribute identifies the version of the TPM that is running on the attested Based on the reply you receive from TPMVersion node: - If reported TPMVersion equals an accepted value, then allow access. -- If reported TPMVersion does not equal an accepted value, then take one of the following actions that align with your enterprise policies: +- If reported TPMVersion doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies: - Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. @@ -1150,13 +1150,13 @@ Based on the reply you receive from TPMVersion node: The measurement that is captured in PCR[0] typically represents a consistent view of the Host Platform between boot cycles. It contains a measurement of components that are provided by the host platform manufacturer. -Enterprise managers can create an allow list of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the allow list, and then make a trust decision based on the result of the comparison. +Enterprise managers can create an allowlist of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the allowlist, and then make a trust decision based on the result of the comparison. -If your enterprise does not have a allow list of accepted PCR[0] values, then take no action. +If your enterprise doesn't have an allowlist of accepted PCR[0] values, then take no action. -If PCR[0] equals an accepted allow list value, then allow access. +If PCR[0] equals an accepted allowlist value, then allow access. -If PCR[0] does not equal any accepted listed value, then take one of the following actions that align with your enterprise policies: +If PCR[0] doesn't equal any accepted listed value, then take one of the following actions that align with your enterprise policies: - Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. @@ -1165,9 +1165,9 @@ If PCR[0] does not equal any accepted listed value, then take one of the followi SBCPHash is the finger print of the Custom Secure Boot Configuration Policy (SBCP) that was loaded during boot in Windows devices, except PCs. -If SBCPHash is not present, or is an accepted allow-listed value, then allow access. +If SBCPHash isn't present, or is an accepted allow-listed value, then allow access. -If SBCPHash is present in DHA-Report, and is not an allow-listed value, then take one of the following actions that align with your enterprise policies: +If SBCPHash is present in DHA-Report, and isn't an allowlisted value, then take one of the following actions that align with your enterprise policies: - Disallow all access - Place the device in a watch list to monitor the device more closely for potential risks. @@ -1176,9 +1176,9 @@ If SBCPHash is present in DHA-Report, and is not an allow-listed value, then tak This attribute indicates the Code Integrity policy that is controlling the security of the boot environment. -If CIPolicy is not present, or is an accepted allow-listed value, then allow access. +If CIPolicy isn't present, or is an accepted allow-listed value, then allow access. -If CIPolicy is present and is not an allow-listed value, then take one of the following actions that align with your enterprise policies: +If CIPolicy is present and isn't an allow-listed value, then take one of the following actions that align with your enterprise policies: - Disallow all access - Place the device in a watch list to monitor the device more closely for potential risks. @@ -1189,7 +1189,7 @@ This attribute identifies the Boot Revision List that was loaded during initial If reported BootRevListInfo version equals an accepted value, then allow access. -If reported BootRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies: +If reported BootRevListInfo version doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies: - Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. @@ -1200,7 +1200,7 @@ This attribute identifies the Operating System Revision List that was loaded dur If reported OSRevListInfo version equals an accepted value, then allow access. -If reported OSRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies: +If reported OSRevListInfo version doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies: - Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. @@ -1209,12 +1209,12 @@ If reported OSRevListInfo version does not equal an accepted value, then take on HealthStatusMismatchFlags attribute appears if DHA-Service detects an integrity issue (mismatch) in the DHA-Data it receives from device management solutions, for validation. -In case of a detected issue a list of impacted DHA-report elements will be listed under the HealthStatusMismatchFlags attribute. +If an issue is detected, a list of impacted DHA-report elements will be listed under the HealthStatusMismatchFlags attribute. ### Device HealthAttestation CSP status and error codes Error code: 0 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_UNINITIALIZED -Error description: This is the initial state for devices that have never participated in a DHA-Session. +Error description: This state is the initial state for devices that have never participated in a DHA-Session. Error code: 1 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_REQUESTED Error description: This state signifies that MDM client’s Exec call on the node VerifyHealth has been triggered and now the OS is trying to retrieve DHA-EncBlob from DHA-Server. @@ -1241,13 +1241,13 @@ Error code: 8 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FROM_WEB_FAIL Error description: Deprecated in Windows 10, version 1607. Error code: 9 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_INVALID_TPM_VERSION -Error description: Invalid TPM version (TPM version is not 1.2 or 2.0) +Error description: Invalid TPM version (TPM version isn't 1.2 or 2.0) Error code: 10 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETNONCE_FAIL -Error description: Nonce was not found in the registry. +Error description: Nonce wasn't found in the registry. Error code: 11 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETCORRELATIONID_FAIL -Error description: Correlation ID was not found in the registry. +Error description: Correlation ID wasn't found in the registry. Error code: 12 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETCERT_FAIL Error description: Deprecated in Windows 10, version 1607. @@ -1331,7 +1331,7 @@ Error code: 400 | Error name: Bad_Request_From_Client Error description: DHA-CSP has received a bad (malformed) attestation request. Error code: 404 | Error name: Endpoint_Not_Reachable -Error description: DHA-Service is not reachable by DHA-CSP +Error description: DHA-Service isn't reachable by DHA-CSP ### DHA-Report V3 schema diff --git a/windows/client-management/mdm/implement-server-side-mobile-application-management.md b/windows/client-management/mdm/implement-server-side-mobile-application-management.md index 396d3ea018..35bed03a19 100644 --- a/windows/client-management/mdm/implement-server-side-mobile-application-management.md +++ b/windows/client-management/mdm/implement-server-side-mobile-application-management.md @@ -20,7 +20,7 @@ The Windows version of mobile application management (MAM) is a lightweight solu MAM on Windows is integrated with Azure Active Directory (Azure AD) identity service. The MAM service supports Azure AD-integrated authentication for the user and the device during enrollment and the downloading of MAM policies. MAM integration with Azure AD is similar to mobile device management (MDM) integration. See [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md).  -MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD-integrated MDM services are provided in an organization, a users’ personal devices will be enrolled to MAM or MDM, depending on the user’s actions. If a user adds their work or school Azure AD account as a secondary account to the machine, their device will be enrolled to MAM. If a user joins their device to Azure AD, it will be enrolled to MDM.  In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices. +MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD-integrated MDM services are provided in an organization, a user's personal devices will be enrolled to MAM or MDM, depending on the user’s actions. If a user adds their work or school Azure AD account as a secondary account to the machine, their device will be enrolled to MAM. If a user joins their device to Azure AD, it will be enrolled to MDM.  In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices. On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD-integrated application, such as the next update of Microsoft Office 365 or Microsoft Office Mobile. Alternatively, users can add an Azure AD account from **Settings > Accounts > Access work or school**. @@ -28,7 +28,7 @@ Regular non-admin users can enroll to MAM.  ## Integration with Windows Information Protection -MAM on Windows takes advantage of [built-in Windows Information Protection (WIP) policies](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) to protect company data on the device. To protect user-owned applications on personal devices, MAM limits enforcement of WIP policies to [enlightened apps](/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip) and WIP-aware apps. Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on WIP policies. WIP-aware apps indicate to Windows that they do not handle personal data, and therefore it is safe for Windows to protect data on their behalf.  +MAM on Windows takes advantage of [built-in Windows Information Protection (WIP) policies](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) to protect company data on the device. To protect user-owned applications on personal devices, MAM limits enforcement of WIP policies to [enlightened apps](/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip) and WIP-aware apps. Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on WIP policies. WIP-aware apps indicate to Windows that they don't handle personal data, and therefore, it's safe for Windows to protect data on their behalf.  To make applications WIP-aware, app developers need to include the following data in the app resource file. @@ -42,22 +42,25 @@ To make applications WIP-aware, app developers need to include the following dat ## Configuring an Azure AD tenant for MAM enrollment -MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. Starting with Azure AD in Windows 10, version 1703, the same cloud-based Management MDM app will support both MDM and MAM enrollments. If you have already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the management app for an IT admin configuration.  +MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. With Azure AD in Windows 10, version 1703, onward, the same cloud-based Management MDM app will support both MDM and MAM enrollments. If you've already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the management app for an IT admin configuration.  :::image type="content" alt-text="Mobile application management app." source="images/implement-server-side-mobile-application-management.png"::: -MAM and MDM services in an organization could be provided by different vendors. Depending on the company configuration, IT admin typically needs to add one or two Azure AD Management apps to configure MAM and MDM policies. For example, if both MAM and MDM are provided by the same vendor, then an IT Admin needs to add one Management app from this vendor that will contain both MAM and MDM policies for the organization. Alternatively, if the MAM and MDM services in an organization are provided by two different vendors, then two Management apps from the two vendors need to be configured for the company in Azure AD: one for MAM and one for MDM. Please note: if the MDM service in an organization is not integrated with Azure AD and uses auto-discovery, only one Management app for MAM needs to be configured.  +MAM and MDM services in an organization could be provided by different vendors. Depending on the company configuration, IT admin typically needs to add one or two Azure AD Management apps to configure MAM and MDM policies. For example, if both MAM and MDM are provided by the same vendor, then an IT Admin needs to add one Management app from this vendor that will contain both MAM and MDM policies for the organization. Alternatively, if the MAM and MDM services in an organization are provided by two different vendors, then two Management apps from the two vendors need to be configured for the company in Azure AD: one for MAM and one for MDM. + +> [!NOTE] +> If the MDM service in an organization isn't integrated with Azure AD and uses auto-discovery, only one Management app for MAM needs to be configured.  ## MAM enrollment MAM enrollment is based on the MAM extension of [[MS-MDE2] protocol](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). MAM enrollment supports Azure AD [federated authentication](federated-authentication-device-enrollment.md) as the only authentication method.  Below are protocol changes for MAM enrollment:  -- MDM discovery is not supported. +- MDM discovery isn't supported. - APPAUTH node in [DMAcc CSP](dmacc-csp.md) is optional. -- MAM enrollment variation of [MS-MDE2] protocol does not support the client authentication certificate, and therefore does not support the [MS-XCEP] protocol. Servers must use an Azure AD token for client authentication during policy syncs. Policy sync sessions must be performed over one-way SSL using server certificate authentication. +- MAM enrollment variation of [MS-MDE2] protocol doesn't support the client authentication certificate, and therefore doesn't support the [MS-XCEP] protocol. Servers must use an Azure AD token for client authentication during policy syncs. Policy sync sessions must be performed over one-way SSL using server certificate authentication. -Here is an example provisioning XML for MAM enrollment. +Here's an example provisioning XML for MAM enrollment. ```xml @@ -97,10 +100,10 @@ MAM on Windows supports the following configuration service providers (CSPs). Al MAM supports device lock policies similar to MDM. The policies are configured by DeviceLock area of Policy CSP and PassportForWork CSP. -We do not recommend configuring both Exchange ActiveSync (EAS) and MAM policies for the same device. However, if both are configured, the client will behave as follows: +We don't recommend configuring both Exchange ActiveSync (EAS) and MAM policies for the same device. However, if both are configured, the client will behave as follows: -- When EAS policies are sent to a device that already has MAM policies, Windows evaluates whether the existing MAM policies are compliant with the configured EAS policies and reports compliance to EAS. -- If the device is found to be compliant, EAS will report compliance to the server to allow mail to sync. MAM supports mandatory EAS policies only. Checking EAS compliance does not require device admin rights. +- When EAS policies are sent to a device that already has MAM policies, Windows evaluates whether the existing MAM policies are compliant with the configured EAS policies, and reports compliance with EAS. +- If the device is found to be compliant, EAS will report compliance with the server to allow mail to sync. MAM supports mandatory EAS policies only. Checking EAS compliance doesn't require device admin rights. - If the device is found to be non-compliant, EAS will enforce its own policies to the device and the resultant set of policies will be a superset of both. Applying EAS policies to the device requires admin rights. - If a device that already has EAS policies is enrolled to MAM, the device will have both sets of policies: MAM and EAS, and the resultant set of policies will be a superset of both. @@ -110,10 +113,10 @@ MAM policy syncs are modeled after MDM. The MAM client uses an Azure AD token to ## Change MAM enrollment to MDM -Windows does not support applying both MAM and MDM policies to the same devices. If configured by the admin, a user can change his MAM enrollment to MDM. +Windows doesn't support applying both MAM and MDM policies to the same devices. If configured by the admin, users can change their MAM enrollment to MDM. > [!NOTE] -> When users upgrade from MAM to MDM on Windows Home edition, they lose access to WIP. On Windows Home edition, we do not recommend pushing MDM policies to enable users to upgrade. +> When users upgrade from MAM to MDM on Windows Home edition, they lose access to WIP. On Windows Home edition, we don't recommend pushing MDM policies to enable users to upgrade. To configure MAM device for MDM enrollment, the admin needs to configure the MDM Discovery URL in the DMClient CSP. This URL will be used for MDM enrollment. @@ -123,11 +126,11 @@ In the process of changing MAM enrollment to MDM, MAM policies will be removed f - EDP CSP Enterprise ID is the same for both MAM and MDM. - EDP CSP RevokeOnMDMHandoff is set to false. -If the MAM device is properly configured for MDM enrollment, then the Enroll only to device management link will be displayed in **Settings > Accounts > Access work or school**. The user can select this link, provide their credentials, and the enrollment will be changed to MDM. Their Azure AD account will not be affected. +If the MAM device is properly configured for MDM enrollment, then the Enroll only to device management link will be displayed in **Settings > Accounts > Access work or school**. The user can select this link, provide their credentials, and the enrollment will be changed to MDM. Their Azure AD account won't be affected. ## Skype for Business compliance with MAM -We have updated Skype for Business to work with MAM. The following table explains Office release channels and release dates for Skype for Business compliance with the MAM feature. +We've updated Skype for Business to work with MAM. The following table explains Office release channels and release dates for Skype for Business compliance with the MAM feature. |Update channel|Primary purpose|LOB Tattoo availability|Default update channel for the products| |--- |--- |--- |--- | diff --git a/windows/client-management/mdm/index.md b/windows/client-management/mdm/index.md index bf8ff417c4..7fe9cd95eb 100644 --- a/windows/client-management/mdm/index.md +++ b/windows/client-management/mdm/index.md @@ -22,7 +22,7 @@ There are two parts to the Windows management component: - The enrollment client, which enrolls and configures the device to communicate with the enterprise management server. - The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT. -Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers do not need to create or download a client to manage Windows 10. For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). +Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers don't need to create or download a client to manage Windows 10. For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). ## MDM security baseline @@ -52,7 +52,7 @@ For information about the MDM policies defined in the Intune security baseline, ## Learn about migrating to MDM -When an organization wants to move to MDM to manage devices, they should prepare by analyzing their current Group Policy settings to see what they need to transition to MDM management. Microsoft created the [MDM Migration Analysis Tool](https://aka.ms/mmat/) (MMAT) to help. MMAT determines which Group Policies have been set for a target user or computer and then generates a report that lists the level of support for each policy settings in MDM equivalents. For more information, see [MMAT Instructions](https://github.com/WindowsDeviceManagement/MMAT/blob/master/MDM%20Migration%20Analysis%20Tool%20Instructions.pdf). +When an organization wants to move to MDM to manage devices, they should prepare by analyzing their current Group Policy settings to see what they need to transition to MDM management. Microsoft created the [MDM Migration Analysis Tool](https://aka.ms/mmat/) (MMAT) to help. MMAT determines which Group Policies have been set for a target user or computer and then generates a report that lists the level of support for each policy setting in MDM equivalents. For more information, see [MMAT Instructions](https://github.com/WindowsDeviceManagement/MMAT/blob/master/MDM%20Migration%20Analysis%20Tool%20Instructions.pdf). ## Learn about device enrollment From 72aa691c6462a0b19846fe3fd6f03da3a367b952 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Wed, 2 Mar 2022 18:51:35 +0530 Subject: [PATCH 48/68] Acrolinx enhancement --- ...ent-tool-for-windows-store-for-business.md | 6 +- .../mdm/mdm-enrollment-of-windows-devices.md | 86 +++++++++---------- .../mdm/mobile-device-enrollment.md | 20 ++--- 3 files changed, 56 insertions(+), 56 deletions(-) diff --git a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md index 408691f2ed..d210a1ee7e 100644 --- a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md +++ b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md @@ -46,13 +46,13 @@ The Store for Business provides services that enable a management tool to synchr ### Offline-licensed application distribution -The following diagram is an overview of app distribution, from getting an offline-licensed application to distributing to clients. Once synchronized from the Store for Business, the management tool can use the Windows management framework to distribute applications to devices. +The following diagram is an overview of app distribution, from getting an offline-licensed application to distributing to clients. Once the applications are synchronized from the Store for Business, the management tool can use the Windows management framework to distribute applications to devices. ![business store offline app distribution.](images/businessstoreportalservices2.png) ### Online-licensed application distribution -The following diagram is an overview of app distribution, from getting an online-licensed application to distributing to clients. Once synchronized from the Store for Business, the management tool can use the Windows management framework to distribute applications to devices. For online-licensed applications, the management tool calls back into the Store for Business management services to assign an application before issuing the policy to install the application. +The following diagram is an overview of app distribution, from getting an online-licensed application to distributing to clients. Once the applications are synchronized from the Store for Business, the management tool can use the Windows management framework to distribute applications to devices. For online-licensed applications, the management tool calls back into the Store for Business management services to assign an application before issuing the policy to install the application. ![business store online app distribution.](images/businessstoreportalservices3.png) @@ -85,7 +85,7 @@ Here are the details for requesting an authorization token: ## Using the management tool -After registering your management tool with Azure AD, the management tool can call into the management services. There are a couple of call patterns: +After you register your management tool with Azure AD, the management tool can call into the management services. There are a couple of call patterns: - First the ability to get new or updated applications. - Second the ability to assign or reclaim applications. diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md index e475077509..f3255ab42f 100644 --- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md +++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md @@ -24,7 +24,7 @@ In today’s cloud-first world, enterprise IT departments increasingly want to l ## Connect corporate-owned Windows 10-based devices -You can connect corporate-owned devices to work by either joining the device to an Active Directory domain, or to an Azure Active Directory (Azure AD) domain. Windows 10 does not require a personal Microsoft account on devices joined to Azure AD or an on-premises Active Directory domain. +You can connect corporate-owned devices to work by either joining the device to an Active Directory domain, or to an Azure Active Directory (Azure AD) domain. Windows 10 doesn't require a personal Microsoft account on devices joined to Azure AD or an on-premises Active Directory domain. ![active directory azure ad signin.](images/unifiedenrollment-rs1-1.png) @@ -33,11 +33,11 @@ You can connect corporate-owned devices to work by either joining the device to Devices running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education can be connected to an Active Directory domain using the Settings app. > [!NOTE] -> Mobile devices cannot be connected to an Active Directory domain. +> Mobile devices can't be connected to an Active Directory domain. ### Out-of-box-experience -Joining your device to an Active Directory domain during the out-of-box-experience (OOBE) is not supported. To join a domain: +Joining your device to an Active Directory domain during the out-of-box-experience (OOBE) isn't supported. To join a domain: 1. On the **Who Owns this PC?** page, select **My work or school owns it**. @@ -81,14 +81,14 @@ To create a local account and connect the device: ### Help with connecting to an Active Directory domain -There are a few instances where your device cannot be connected to an Active Directory domain. +There are a few instances where your device can't be connected to an Active Directory domain. | Connection issue | Description | |-----------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Your device is already connected to an Active Directory domain. | Your device can only be connected to a single Active Directory domain at a time. | -| Your device is connected to an Azure AD domain. | Your device can either be connected to an Azure AD domain or an Active Directory domain. You cannot connect to both simultaneously. | -| You are logged in as a standard user. | Your device can only be connected to an Azure AD domain if you are logged in as an administrative user. You’ll need to switch to an administrator account to continue. | -| Your device is running Windows 10 Home. | This feature is not available on Windows 10 Home, so you will be unable to connect to an Active Directory domain. You will need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. | +| Your device is connected to an Azure AD domain. | Your device can either be connected to an Azure AD domain or an Active Directory domain. You can't connect to both simultaneously. | +| You're logged in as a standard user. | Your device can only be connected to an Azure AD domain if you're logged in as an administrative user. You’ll need to switch to an administrator account to continue. | +| Your device is running Windows 10 Home. | This feature isn't available on Windows 10 Home, so you'll be unable to connect to an Active Directory domain. You'll need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. | @@ -108,11 +108,11 @@ To join a domain: ![choose the domain or azure ad](images/unifiedenrollment-rs1-12.png) -3. Type in your Azure AD username. This is the email address you use to log into Microsoft Office 365 and similar services. +3. Type in your Azure AD username. This username is the email address you use to log into Microsoft Office 365 and similar services. - If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page will change to show the organization's custom branding, and you will be able to enter your password directly on this page. If the tenant is part of a federated domain, you will be redirected to the organization's on-premises federation server, such as Active Directory Federation Services (AD FS) for authentication. + If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page will change to show the organization's custom branding, and you'll be able to enter your password directly on this page. If the tenant is part of a federated domain, you'll be redirected to the organization's on-premises federation server, such as Active Directory Federation Services (AD FS) for authentication. - Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [these steps](azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). If your tenant is not configured for auto-enrollment, you will have to go through the enrollment flow a second time to connect your device to MDM. After you complete the flow, your device will be connected to your organization’s Azure AD domain. + Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [these steps](azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). If your tenant isn't configured for auto-enrollment, you'll have to go through the enrollment flow a second time to connect your device to MDM. After you complete the flow, your device will be connected to your organization’s Azure AD domain. ![azure ad signin.](images/unifiedenrollment-rs1-13.png) @@ -136,43 +136,43 @@ To create a local account and connect the device: ![Option of connect to work or school](images/unifiedenrollment-rs1-17.png) -5. Under **Alternate Actions**, selct **Join this device to Azure Active Directory**. +5. Under **Alternate Actions**, select **Join this device to Azure Active Directory**. ![option to join work or school account to azure ad](images/unifiedenrollment-rs1-18.png) -6. Type in your Azure AD username. This is the email address you use to log into Office 365 and similar services. +6. Type in your Azure AD username. This username is the email address you use to log into Office 365 and similar services. ![azure ad sign in.](images/unifiedenrollment-rs1-19.png) -7. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and you can enter your password directly on this page. If the tenant is part of a federated domain, you are redirected to the organization's on-premises federation server, such as AD FS, for authentication. +7. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and you can enter your password directly on this page. If the tenant is part of a federated domain, you're redirected to the organization's on-premises federation server, such as AD FS, for authentication. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. - If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant is not configured for auto-enrollment, you will have to go through the enrollment flow a second time to connect your device to MDM. + If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant isn't configured for auto-enrollment, you'll have to go through the enrollment flow a second time to connect your device to MDM. - After you reach the end of the flow, your device should be connected to your organization’s Azure AD domain. You may now log out of your current account and sign in using your Azure AD username. + After you reach the end of the flow, your device should be connected to your organization’s Azure AD domain. You may now sign out of your current account and sign in using your Azure AD username. ![corporate sign in screen](images/unifiedenrollment-rs1-20.png) ### Help with connecting to an Azure AD domain -There are a few instances where your device cannot be connected to an Azure AD domain. +There are a few instances where your device can't be connected to an Azure AD domain. | Connection issue | Description | |-----------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Your device is connected to an Azure AD domain. | Your device can only be connected to a single Azure AD domain at a time. | -| Your device is already connected to an Active Directory domain. | Your device can either be connected to an Azure AD domain or an Active Directory domain. You cannot connect to both simultaneously. | -| Your device already has a user connected to a work account. | You can either connect to an Azure AD domain or connect to a work or school account. You cannot connect to both simultaneously. | -| You are logged in as a standard user. | Your device can only be connected to an Azure AD domain if you are logged in as an administrative user. You’ll need to switch to an administrator account to continue. | +| Your device is already connected to an Active Directory domain. | Your device can either be connected to an Azure AD domain or an Active Directory domain. You can't connect to both simultaneously. | +| Your device already has a user connected to a work account. | You can either connect to an Azure AD domain or connect to a work or school account. You can't connect to both simultaneously. | +| You're logged in as a standard user. | Your device can only be connected to an Azure AD domain if you're logged in as an administrative user. You’ll need to switch to an administrator account to continue. | | Your device is already managed by MDM. | The connect to Azure AD flow will attempt to enroll your device into MDM if your Azure AD tenant has a preconfigured MDM endpoint. Your device must be unenrolled from MDM to be able to connect to Azure AD in this case. | -| Your device is running Windows 10 Home. | This feature is not available on Windows 10 Home, so you will be unable to connect to an Azure AD domain. You will need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. | +| Your device is running Windows 10 Home. | This feature isn't available on Windows 10 Home, so you'll be unable to connect to an Azure AD domain. You'll need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. | ## Connect personally owned devices -Personally owned devices, also known as bring your own device (BYOD), can be connected to a work or school account, or to MDM. Windows 10 does not require a personal Microsoft account on devices to connect to work or school. +Personally owned devices, also known as bring your own device (BYOD), can be connected to a work or school account, or to MDM. Windows 10 doesn't require a personal Microsoft account on devices to connect to work or school. ### Connect to a work or school account @@ -194,17 +194,17 @@ To create a local account and connect the device: ![connect button to access the option of work or school.](images/unifiedenrollment-rs1-24-b.png) -4. Type in your Azure AD username. This is the email address you use to log into Office 365 and similar services. +4. Type in your Azure AD username. This username is the email address you use to log into Office 365 and similar services. ![sync work or school account to azure ad.](images/unifiedenrollment-rs1-25-b.png) -5. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and can enter your password directly into the page. If the tenant is part of a federated domain, you are redirected to the organization's on-premises federation server, such as AD FS, for authentication. +5. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and can enter your password directly into the page. If the tenant is part of a federated domain, you're redirected to the organization's on-premises federation server, such as AD FS, for authentication. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. - If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant is not configured for auto-enrollment, you will have to go through the enrollment flow a second time to connect your device to MDM. + If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant isn't configured for auto-enrollment, you'll have to go through the enrollment flow a second time to connect your device to MDM. - Starting in Windows 10, version 1709, you will see the status page that shows the progress of your device being set up. + Starting in Windows 10, version 1709, you'll see the status page that shows the progress of your device being set up. ![corporate sign in - screen and option](images/unifiedenrollment-rs1-26.png) @@ -240,9 +240,9 @@ To create a local account and connect the device: ![set up work or school account screen](images/unifiedenrollment-rs1-32.png) -6. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for additional authentication information. +6. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for more authentication information. - Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. Starting in Windows 10, version 1709, you will see the enrollment progress on screen. + Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. Starting in Windows 10, version 1709, you'll see the enrollment progress on screen. ![screen to set up your device](images/unifiedenrollment-rs1-33-b.png) @@ -255,10 +255,10 @@ There are a few instances where your device may not be able to connect to work. | Error Message | Description | |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------| | Your device is already connected to your organization’s cloud. | Your device is already connected to either Azure AD, a work or school account, or an AD domain. | -| We could not find your identity in your organization’s cloud. | The username you entered was not found on your Azure AD tenant. | +| We couldn't find your identity in your organization’s cloud. | The username you entered wasn't found on your Azure AD tenant. | | Your device is already being managed by an organization. | Your device is either already managed by MDM or Microsoft Endpoint Configuration Manager. | -| You don’t have the right privileges to perform this operation. Please talk to your admin. | You cannot enroll your device into MDM as a standard user. You must be on an administrator account. | -| We couldn’t auto-discover a management endpoint matching the username entered. Please check your username and try again. If you know the URL to your management endpoint, please enter it. | You need to provide the server URL for your MDM or check the spelling of the username you entered. | +| You don’t have the right privileges to perform this operation. Talk to your admin. | You can't enroll your device into MDM as a standard user. You must be on an administrator account. | +| We couldn’t auto-discover a management endpoint matching the username entered. Check your username and try again. If you know the URL to your management endpoint, enter it. | You need to provide the server URL for your MDM or check the spelling of the username you entered. | ## Connect your Windows 10-based device to work using a deep link @@ -277,10 +277,10 @@ The deep link used for connecting your device to work will always use the follow | mode | Describes which mode will be executed in the enrollment app. Added in Windows 10, version 1607| Mobile Device Management (MDM), Adding Work Account (AWA), and Azure Active Directory Joined (AADJ). | |username | Specifies the email address or UPN of the user who should be enrolled into MDM. Added in Windows 10, version 1703. | string | | servername | Specifies the MDM server URL that will be used to enroll the device. Added in Windows 10, version 1703. | string| -| accesstoken | Custom parameter for MDM servers to use as they see fit. Typically, this can be used as a token to validate the enrollment request. Added in Windows 10, version 1703. | string | -| deviceidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this can be used to pass in a unique device identifier. Added in Windows 10, version 1703. | GUID | -| tenantidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this can be used to identify which tenant the device or user belongs to. Added in Windows 10, version 1703. | GUID or string | -| ownership | Custom parameter for MDM servers to use as they see fit. Typically, this can be used to determine whether the device is BYOD or Corp Owned. Added in Windows 10, version 1703. | 1, 2, or 3. Where "1" means ownership is unknown, "2" means the device is personally owned, and "3" means the device is corporate-owned | +| accesstoken | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used as a token to validate the enrollment request. Added in Windows 10, version 1703. | string | +| deviceidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used to pass in a unique device identifier. Added in Windows 10, version 1703. | GUID | +| tenantidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used to identify which tenant the device or user belongs to. Added in Windows 10, version 1703. | GUID or string | +| ownership | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used to determine whether the device is BYOD or Corp Owned. Added in Windows 10, version 1703. | 1, 2, or 3. Where "1" means ownership is unknown, "2" means the device is personally owned, and "3" means the device is corporate-owned | > [!NOTE] > AWA and AADJ values for mode are only supported on Windows 10, version 1709 and later. @@ -297,7 +297,7 @@ To connect your devices to MDM using deep links: 1. Starting with Windows 10, version 1607, create a link to launch the built-in enrollment app using the URI **ms-device-enrollment:?mode=mdm**, and user-friendly display text, such as **Click here to connect Windows to work**: - (Be aware that this will launch the flow equivalent to the Enroll into the device management option in Windows 10, version 1511.) + (This link will launch the flow equivalent to the Enroll into the device management option in Windows 10, version 1511.) - IT admins can add this link to a welcome email that users can select to enroll into MDM. @@ -311,7 +311,7 @@ To connect your devices to MDM using deep links: ![set up a work or school account screen](images/deeplinkenrollment3.png) -3. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for additional authentication information. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. +3. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for more authentication information. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. After you complete the flow, your device will be connected to your organization's MDM. @@ -326,15 +326,15 @@ To manage your work or school connections, select **Settings** > **Accounts** > ### Info -The **Info** button can be found on work or school connections involving MDM. This includes the following scenarios: +The **Info** button can be found on work or school connections involving MDM. This button is included in the following scenarios: - Connecting your device to an Azure AD domain that has auto-enroll into MDM configured. - Connecting your device to a work or school account that has auto-enroll into MDM configured. - Connecting your device to MDM. -Selecting the **Info** button will open a new page in the Settings app that provides details about your MDM connection. You’ll be able to view your organization’s support information (if configured) on this page. You’ll also be able to start a sync session which forces your device to communicate to the MDM server and fetch any updates to policies if needed. +Selecting the **Info** button will open a new page in the Settings app that provides details about your MDM connection. You’ll be able to view your organization’s support information (if configured) on this page. You’ll also be able to start a sync session that forces your device to communicate to the MDM server and fetch any updates to policies if needed. -Starting in Windows 10, version 1709, selecting the **Info** button will show a list of policies and line-of-business apps installed by your organization. Here is an example screenshot. +Starting in Windows 10, version 1709, selecting the **Info** button will show a list of policies and line-of-business apps installed by your organization. Here's an example screenshot. ![work or school info.](images/unifiedenrollment-rs1-35-b.png) @@ -343,10 +343,10 @@ Starting in Windows 10, version 1709, selecting the **Info** button will show a ### Disconnect -The **Disconnect** button can be found on all work connections. Generally, selecting the **Disconnect** button will remove the connection from the device. There are a few exceptions to this: +The **Disconnect** button can be found on all work connections. Generally, selecting the **Disconnect** button will remove the connection from the device. There are a few exceptions to this functionality: -- Devices that enforce the AllowManualMDMUnenrollment policy will not allow users to remove MDM enrollments. These connections must be removed by a server-initiated unenroll command. -- On mobile devices, you cannot disconnect from Azure AD. These connections can only be removed by wiping the device. +- Devices that enforce the AllowManualMDMUnenrollment policy won't allow users to remove MDM enrollments. These connections must be removed by a server-initiated unenroll command. +- On mobile devices, you can't disconnect from Azure AD. These connections can only be removed by wiping the device. > [!WARNING] > Disconnecting might result in the loss of data on the device. @@ -356,7 +356,7 @@ The **Disconnect** button can be found on all work connections. Generally, selec You can collect diagnostic logs around your work connections by going to **Settings** > **Accounts** > **Access work or school**, and then selecting the **Export your management logs** link under **Related Settings**. Next, select **Export**, and follow the path displayed to retrieve your management log files. -Starting in Windows 10, version 1709, you can get the advanced diagnostic report by going to **Settings** > **Accounts** > **Access work or school**, and selecting the **Info** button. At the bottom of the Settings page, you will see the button to create a report, as shown here. +Starting in Windows 10, version 1709, you can get the advanced diagnostic report by going to **Settings** > **Accounts** > **Access work or school**, and selecting the **Info** button. At the bottom of the Settings page, you'll see the button to create a report, as shown here. ![collecting enrollment management log files.](images/unifiedenrollment-rs1-37-c.png) diff --git a/windows/client-management/mdm/mobile-device-enrollment.md b/windows/client-management/mdm/mobile-device-enrollment.md index 10c37d020b..7a55677360 100644 --- a/windows/client-management/mdm/mobile-device-enrollment.md +++ b/windows/client-management/mdm/mobile-device-enrollment.md @@ -33,7 +33,7 @@ The enrollment process includes the following steps: ## Enrollment protocol -There are a number of changes made to the enrollment protocol to better support a variety of scenarios across all platforms. For detailed information about the mobile device enrollment protocol, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). +There are many changes made to the enrollment protocol to better support various scenarios across all platforms. For detailed information about the mobile device enrollment protocol, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). The enrollment process involves the following steps: @@ -56,7 +56,7 @@ The following topics describe the end-to-end enrollment process using various au - [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md) > [!Note] -> As a best practice, do not use hardcoded server-side checks on values such as: +> As a best practice, don't use hardcoded server-side checks on values such as: > - User agent string > - Any fixed URIs that are passed during enrollment > - Specific formatting of any value unless otherwise noted, such as the format of the device ID. @@ -67,11 +67,11 @@ Devices that are joined to an on-premises Active Directory can enroll into MDM v ## Disable MDM enrollments -In Windows 10 and Windows 11, IT admin can disable MDM enrollments for domain-joined PCs using Group Policy. Using the GP editor, the path is **Computer configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Disable MDM Enrollment**. +In Windows 10 and Windows 11, IT admin can disable MDM enrollments for domain-joined PCs using Group Policy. With the GP editor being used, the path is **Computer configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Disable MDM Enrollment**. ![Disable MDM enrollment policy in GP Editor.](images/mdm-enrollment-disable-policy.png) -Here is the corresponding registry key: +Here's the corresponding registry key: HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM @@ -79,10 +79,10 @@ Value: DisableRegistration ## Enrollment scenarios not supported -The following scenarios do not allow MDM enrollments: +The following scenarios don't allow MDM enrollments: -- Built-in administrator accounts on Windows desktop cannot enroll into MDM. -- Standard users cannot enroll in MDM. Only admin users can enroll. +- Built-in administrator accounts on Windows desktop can't enroll into MDM. +- Standard users can't enroll in MDM. Only admin users can enroll. ## Enrollment error messages @@ -128,7 +128,7 @@ The enrollment server can decline enrollment messages using the SOAP Fault forma - **Namespace**: `s:` - **Subcode**: Authorization - **Error**: MENROLL_E_DEVICE_AUTHORIZATION_ERROR - - **Description**: The user is not authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator. + - **Description**: The user isn't authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator. - **HRESULT**: 80180003 - **Namespace**: `s:` @@ -155,7 +155,7 @@ The enrollment server can decline enrollment messages using the SOAP Fault forma - **Description**: The Mobile Device Management (MDM) server was not able to validate your account. Try again or contact your system administrator. - **HRESULT**: 80180007 -In Windows 10, version 1507, we added the deviceenrollmentserviceerror element. Here is an example: +In Windows 10, version 1507, we added the deviceenrollmentserviceerror element. Here's an example: ```xml @@ -224,7 +224,7 @@ In Windows 10, version 1507, we added the deviceenrollmentserviceerror element. - **Description**: The Mobile Device Management (MDM) server rejected the enrollment data. The server may not be configured correctly. - **HRESULT**: 80180019 -TraceID is a freeform text node which is logged. It should identify the server side state for this enrollment attempt. This information may be used by support to look up why the server declined the enrollment. +TraceID is a freeform text node that is logged. It should identify the server side state for this enrollment attempt. This information may be used by support to look up why the server declined the enrollment. ## Related topics From 2c61d9303012d147eb62d454169ed2348409116d Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 3 Mar 2022 15:32:52 +0530 Subject: [PATCH 49/68] Acrolinx enhancement effort --- windows/client-management/mdm/nap-csp.md | 10 ++-- windows/client-management/mdm/napdef-csp.md | 16 ++--- .../mdm/networkqospolicy-csp.md | 4 +- ...ew-in-windows-mdm-enrollment-management.md | 52 ++++++++--------- .../client-management/mdm/nodecache-csp.md | 28 ++++----- .../mdm/oma-dm-protocol-support.md | 44 +++++++------- .../mdm/passportforwork-csp.md | 58 +++++++++---------- 7 files changed, 106 insertions(+), 106 deletions(-) diff --git a/windows/client-management/mdm/nap-csp.md b/windows/client-management/mdm/nap-csp.md index e3edb1b0d1..c29289fd2b 100644 --- a/windows/client-management/mdm/nap-csp.md +++ b/windows/client-management/mdm/nap-csp.md @@ -19,9 +19,9 @@ The NAP (Network Access Point) Configuration Service Provider is used to manage > [!Note] > This configuration service provider requires the `ID_CAP_CSP_FOUNDATION` and `ID_CAP_NETWORKING_ADMIN` capabilities to be accessed from a network configuration application. -For the NAP CSP, you cannot use the Replace command unless the node already exists. +For the NAP CSP, you can't use the Replace command unless the node already exists. -The following shows the NAP configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider. +The following example shows the NAP configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol isn't supported by this configuration service provider. ```console ./Vendor/MSFT @@ -67,7 +67,7 @@ Root node. ***NAPX*** Required. Defines the name of the network access point. -It is recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two network access points, use "NAP0" and "NAP1" as the element names. Any unique name can be used if desired (such as "GPRS-NAP"), but no spaces may appear in the name (use %20 instead). +It's recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two network access points, use "NAP0" and "NAP1" as the element names. Any unique name can be used if desired (such as "GPRS-NAP"), but no spaces may appear in the name (use %20 instead). ***NAPX*/NAPID** Required. Specifies the identifier of the destination network. @@ -105,13 +105,13 @@ Optional. Specifies the user name and domain to be used during authentication. T ***NAPX*/AuthInfo/AuthSecret** Optional. Specifies the password used during authentication. -Queries of this field will return a string composed of sixteen asterisks (\*). +Queries of this field will return a string composed of 16 asterisks (\*). ***NAPX*/Bearer** Node. ***NAPX*/Bearer/BearerType** -Required. Specifies the network type of the destination network. This can be set to GPRS, CDMA2000, WCDMA, TDMA, CSD, DTPT, WiFi. +Required. Specifies the network type of the destination network. This parameter's value can be set to GPRS, CDMA2000, WCDMA, TDMA, CSD, DTPT, WiFi. ## Related articles diff --git a/windows/client-management/mdm/napdef-csp.md b/windows/client-management/mdm/napdef-csp.md index 341c72e038..075e0f6619 100644 --- a/windows/client-management/mdm/napdef-csp.md +++ b/windows/client-management/mdm/napdef-csp.md @@ -21,7 +21,7 @@ The NAPDEF configuration service provider is used to add, modify, or delete WAP > > This configuration service provider requires the `ID_CAP_CSP_FOUNDATION` and `ID_CAP_NETWORKING_ADMIN` capabilities to be accessed from a network configuration application. -The following shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **initial bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider. +The following shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **initial bootstrapping of the phone**. The OMA DM protocol isn't supported by this configuration service provider. ```console NAPDEF @@ -39,7 +39,7 @@ NAPDEF ----NAPID ``` -The following shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **updating the bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider. +The following shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **updating the bootstrapping of the phone**. The OMA DM protocol isn't supported by this configuration service provider. ```console NAPDEF @@ -74,7 +74,7 @@ Specifies the protocol used to authenticate the user. The only permitted values for this element are "POP" (Password Authentication Protocol) and "CHAP" (Challenge Handshake Authentication Protocol) authentication protocols. Note > [!Note] -> **AuthName** and **AuthSecret** are not created if **AuthType** is not included in the initial device configuration. **AuthName** and **AuthSecret** cannot be changed if **AuthType** is not included in the provisioning XML used to make the change. +> **AuthName** and **AuthSecret** are not created if **AuthType** isn't included in the initial device configuration. **AuthName** and **AuthSecret** cannot be changed if **AuthType** isn't included in the provisioning XML used to make the change. **BEARER** Specifies the type of bearer. @@ -82,11 +82,11 @@ Specifies the type of bearer. Only Global System for Mobile Communication (GSM) and GSM-General Packet Radio Services (GPRS) are supported. **INTERNET** -Optional. Specifies whether this is an AlwaysOn connection. +Optional. Specifies whether this connection is an AlwaysOn connection. -If **INTERNET** exists, the connection is an AlwaysOn connection and does not require a connection manager policy. +If **INTERNET** exists, the connection is an AlwaysOn connection and doesn't require a connection manager policy. -If **INTERNET** does not exist, the connection is not an AlwaysOn connection and the connection requires a connection manager connection policy to be set. +If **INTERNET** doesn't exist, the connection isn't an AlwaysOn connection and the connection requires a connection manager connection policy to be set. **LOCAL-ADDR** Required for GPRS. Specifies the local address of the WAP client for GPRS access points. @@ -115,7 +115,7 @@ The maximum length of the **NAPID** value is 16 characters. ***NAPID*** Required for bootstrapping updating. Defines the name of the NAP. -The name of the *NAPID* element is the same as the value passed during initial bootstrapping. In addition, the Microsoft format for NAPDEF contains the provisioning XML attribute mwid. This custom attribute is optional when adding a NAP or a proxy. It is required for *NAPID* when updating and deleting existing NAPs and proxies and must have its value set to 1. +The name of the *NAPID* element is the same as the value passed during initial bootstrapping. In addition, the Microsoft format for NAPDEF contains the provisioning XML attribute mwid. This custom attribute is optional when adding a NAP or a proxy. It's required for *NAPID* when updating and deleting existing NAPs and proxies and must have its value set to 1. ## Microsoft Custom Elements @@ -123,7 +123,7 @@ The following table shows the Microsoft custom elements that this configuration |Elements|Available| |--- |--- | -|Parm-query|Yes
                                    Note that some GPRS parameters will not necessarily contain the exact same value as was set.| +|Parm-query|Yes
                                    Some GPRS parameters won't necessarily contain the exact same value as was set.| |Noparm|Yes| |Nocharacteristic|Yes| |Characteristic-query|Yes| diff --git a/windows/client-management/mdm/networkqospolicy-csp.md b/windows/client-management/mdm/networkqospolicy-csp.md index 464a920e6d..cf15fbcacc 100644 --- a/windows/client-management/mdm/networkqospolicy-csp.md +++ b/windows/client-management/mdm/networkqospolicy-csp.md @@ -1,6 +1,6 @@ --- title: NetworkQoSPolicy CSP -description: he NetworkQoSPolicy CSP applies the Quality of Service (QoS) policy for Microsoft Surface Hub. This CSP was added in Windows 10, version 1703. +description: The NetworkQoSPolicy CSP applies the Quality of Service (QoS) policy for Microsoft Surface Hub. This CSP was added in Windows 10, version 1703. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -31,7 +31,7 @@ The following actions are supported: > > The minimum operating system requirement for this CSP is Windows 10, version 2004. This CSP is supported only in Microsoft Surface Hub prior to Windows 10, version 2004. -The following shows the NetworkQoSPolicy configuration service provider in tree format. +The following example shows the NetworkQoSPolicy configuration service provider in tree format. ``` ./Device/Vendor/MSFT NetworkQoSPolicy diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index a982810497..4a289525aa 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -20,7 +20,7 @@ ms.date: 10/20/2020 This article provides information about what's new in Windows 10 and Windows 11 mobile device management (MDM) enrollment and management experience across all Windows 10 and Windows 11 devices. This article also provides details about the breaking changes and known issues and frequently asked questions. -For details about Microsoft mobile device management protocols for Windows 10 and Windows 11 see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). +For details about Microsoft mobile device management protocols for Windows 10 and Windows 11, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). ## What’s new in MDM for Windows 11, version 21H2 @@ -35,15 +35,15 @@ For details about Microsoft mobile device management protocols for Windows 10 a ### Get command inside an atomic command is not supported -In Windows 10 and Windows 11, a Get command inside an atomic command is not supported. +In Windows 10 and Windows 11, a Get command inside an atomic command isn't supported. ### Apps installed using WMI classes are not removed -Applications installed using WMI classes are not removed when the MDM account is removed from device. +Applications installed using WMI classes aren't removed when the MDM account is removed from device. ### Passing CDATA in SyncML does not work -Passing CDATA in data in SyncML to ConfigManager and CSPs does not work in Windows 10 and Windows 11. +Passing CDATA in data in SyncML to ConfigManager and CSPs doesn't work in Windows 10 and Windows 11. ### SSL settings in IIS server for SCEP must be set to "Ignore" @@ -53,7 +53,7 @@ The certificate setting under "SSL Settings" in the IIS server for SCEP must be ### MDM enrollment fails on the Windows device when traffic is going through proxy -When the Windows device is configured to use a proxy that requires authentication, the enrollment will fail. To work around this issue, the user can use a proxy that does not require authentication or remove the proxy setting from the connected network. +When the Windows device is configured to use a proxy that requires authentication, the enrollment will fail. To work around this issue, the user can use a proxy that doesn't require authentication or remove the proxy setting from the connected network. ### Server-initiated unenrollment failure @@ -63,26 +63,26 @@ Remote server unenrollment is disabled for mobile devices enrolled via Azure Act ### Certificates causing issues with Wi-Fi and VPN -In Windows 10 and Windows 11, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue. +In Windows 10 and Windows 11, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This dual installation may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We're working to fix this issue. ### Version information for Windows 11 -The software version information from **DevDetail/Ext/Microsoft/OSPlatform** does not match the version in **Settings** under **System/About**. +The software version information from **DevDetail/Ext/Microsoft/OSPlatform** doesn't match the version in **Settings** under **System/About**. ### Multiple certificates might cause Wi-Fi connection instabilities in Windows 10 and Windows 11 -In your deployment, if you have multiple certificates provisioned on the device and the Wi-Fi profile provisioned does not have a strict filtering criteria, you may see connection failures when connecting to Wi-Fi. The solution is to ensure that the Wi-Fi profile provisioned has strict filtering criteria such that it matches only one certificate. +In your deployment, if you have multiple certificates provisioned on the device and the Wi-Fi profile provisioned doesn't have a strict filtering criteria, you may see connection failures when connecting to Wi-Fi. The solution is to ensure that the Wi-Fi profile provisioned has strict filtering criteria such that it matches only one certificate. -Enterprises deploying certificate based EAP authentication for VPN/Wi-Fi can face a situation where there are multiple certificates that meet the default criteria for authentication. This can lead to issues such as: +Enterprises deploying certificate-based EAP authentication for VPN/Wi-Fi can face a situation where there are multiple certificates that meet the default criteria for authentication. This situation can lead to issues such as: - The user may be prompted to select the certificate. - The wrong certificate may get auto selected and cause an authentication failure. A production ready deployment must have the appropriate certificate details as part of the profile being deployed. The following information explains how to create or update an EAP Configuration XML such that the extraneous certificates are filtered out and the appropriate certificate can be used for the authentication. -EAP XML must be updated with relevant information for your environment This can be done either manually by editing the XML sample below, or by using the step by step UI guide. After the EAP XML is updated, refer to instructions from your MDM to deploy the updated configuration as follows: +EAP XML must be updated with relevant information for your environment. This task can be done either manually by editing the XML sample below, or by using the step by step UI guide. After the EAP XML is updated, refer to instructions from your MDM to deploy the updated configuration as follows: -- For Wi-Fi, look for the <EAPConfig> section of your current WLAN Profile XML (This is what you specify for the WLanXml node in the Wi-Fi CSP). Within these tags you will find the complete EAP configuration. Replace the section under <EAPConfig> with your updated XML and update your Wi-Fi profile. You might need to refer to your MDM’s guidance on how to deploy a new Wi-Fi profile. +- For Wi-Fi, look for the <EAPConfig> section of your current WLAN Profile XML (This detail is what you specify for the WLanXml node in the Wi-Fi CSP). Within these tags, you'll find the complete EAP configuration. Replace the section under <EAPConfig> with your updated XML and update your Wi-Fi profile. You might need to refer to your MDM’s guidance on how to deploy a new Wi-Fi profile. - For VPN, EAP Configuration is a separate field in the MDM Configuration. Work with your MDM provider to identify and update the appropriate Field. For information about EAP Settings, see . @@ -98,14 +98,14 @@ The following list describes the prerequisites for a certificate to be used with - The certificate must have at least one of the following EKU (Extended Key Usage) properties: - Client Authentication. - - As defined by RFC 5280, this is a well-defined OID with Value 1.3.6.1.5.5.7.3.2. + - As defined by RFC 5280, this property is a well-defined OID with Value 1.3.6.1.5.5.7.3.2. - Any Purpose. - - An EKU Defined and published by Microsoft, is a well-defined OID with value 1.3.6.1.4.1.311.10.12.1. The inclusion of this OID implies that the certificate can be used for any purpose. The advantage of this EKU over the All Purpose EKU is that additional non-critical or custom EKUs can still be added to the certificate for effective filtering. + - An EKU Defined and published by Microsoft, is a well-defined OID with value 1.3.6.1.4.1.311.10.12.1. The inclusion of this OID implies that the certificate can be used for any purpose. The advantage of this EKU over the All Purpose EKU is that other non-critical or custom EKUs can still be added to the certificate for effective filtering. - All Purpose. - - As defined by RFC 5280, If a CA includes extended key usages to satisfy some application needs, but does not want to restrict usage of the key, the CA can add an Extended Key Usage Value of 0. A certificate with such an EKU can be used for all purposes. + - As defined by RFC 5280, If a CA includes extended key usages to satisfy some application needs, but doesn't want to restrict usage of the key, the CA can add an Extended Key Usage Value of 0. A certificate with such an EKU can be used for all purposes. - The user or the computer certificate on the client chains to a trusted root CA. -- The user or the computer certificate does not fail any one of the checks that are performed by the CryptoAPI certificate store, and the certificate passes requirements in the remote access policy. -- The user or the computer certificate does not fail any one of the certificate object identifier checks that are specified in the Internet Authentication Service (IAS)/Radius Server. +- The user or the computer certificate doesn't fail any one of the checks that are performed by the CryptoAPI certificate store, and the certificate passes requirements in the remote access policy. +- The user or the computer certificate doesn't fail any one of the certificate object identifier checks that are specified in the Internet Authentication Service (IAS)/Radius Server. - The Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN) of the user. The following XML sample explains the properties for the EAP TLS XML including certificate filtering. @@ -219,14 +219,14 @@ Alternatively you can use the following procedure to create an EAP Configuration 1. Follow steps 1 through 7 in [EAP configuration](eap-configuration.md). -2. In the Microsoft VPN SelfHost Properties dialog box, select **Microsoft : Smart Card or other Certificate** from the drop down (this selects EAP TLS.) +2. In the Microsoft VPN SelfHost Properties dialog box, select **Microsoft : Smart Card or other Certificate** from the drop-down menu (this drop-down menu selects EAP TLS.). :::image type="content" alt-text="vpn selfhost properties window." source="images/certfiltering1.png"::: > [!NOTE] > For PEAP or TTLS, select the appropriate method and continue following this procedure. -3. Click the **Properties** button underneath the drop down menu. +3. Click the **Properties** button underneath the drop-down menu. 4. In the **Smart Card or other Certificate Properties** menu, select the **Advanced** button. @@ -246,17 +246,17 @@ Alternatively you can use the following procedure to create an EAP Configuration > You can also set all the other applicable EAP Properties through this UI as well. A guide to what these properties mean can be found in [Extensible Authentication Protocol (EAP) Settings for Network Access](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh945104(v=ws.11)). -### MDM client will immediately check-in with the MDM server after client renews WNS channel URI +### MDM client will immediately check in with the MDM server after client renews WNS channel URI After the MDM client automatically renews the WNS channel URI, the MDM client will immediately check-in with the MDM server. Henceforth, for every MDM client check-in, the MDM server should send a GET request for "ProviderID/Push/ChannelURI" to retrieve the latest channel URI and compare it with the existing channel URI; then update the channel URI if necessary. ### User provisioning failure in Azure Active Directory joined Windows 10 and Windows 11 devices -In Azure AD joined Windows 10 and Windows 11, provisioning /.User resources fails when the user is not logged in as an Azure AD user. If you attempt to join Azure AD from **Settings** > **System** > **About** user interface, make sure to log off and log on with Azure AD credentials to get your organizational configuration from your MDM server. This behavior is by design. +In Azure AD joined Windows 10 and Windows 11, provisioning /.User resources fails when the user isn't logged in as an Azure AD user. If you attempt to join Azure AD from **Settings** > **System** > **About** user interface, ensure to sign out and sign in with Azure AD credentials to get your organizational configuration from your MDM server. This behavior is by design. ### Requirements to note for VPN certificates also used for Kerberos Authentication -If you want to use the certificate used for VPN authentication also for Kerberos authentication (required if you need access to on-premises resources using NTLM or Kerberos), the user's certificate must meet the requirements for smart card certificate, the Subject field should contain the DNS domain name in the DN or the SAN should contain a fully qualified UPN so that the DC can be located from the DNS registrations. If certificates that do not meet these requirements are used for VPN, users may fail to access resources that require Kerberos authentication. +If you want to use the certificate used for VPN authentication also for Kerberos authentication (required if you need access to on-premises resources using NTLM or Kerberos), the user's certificate must meet the requirements for smart card certificate, the Subject field should contain the DNS domain name in the DN or the SAN should contain a fully qualified UPN so that the DC can be located from the DNS registrations. If certificates that don't meet these requirements are used for VPN, users may fail to access resources that require Kerberos authentication. ### Device management agent for the push-button reset is not working @@ -270,7 +270,7 @@ The DM agent for [push-button reset](/windows-hardware/manufacture/desktop/push- No. Only one MDM is allowed. ### How do I set the maximum number of Azure Active Directory joined devices per user? -1. Login to the portal as tenant admin: https://manage.windowsazure.com. +1. Log on to the portal as tenant admin: https://manage.windowsazure.com. 2. Click Active Directory on the left pane. 3. Choose your tenant. 4. Click **Configure**. @@ -283,9 +283,9 @@ No. Only one MDM is allowed. Entry | Description --------------- | -------------------- -What is dmwappushsvc? | It is a Windows service that ships in Windows 10 and Windows 11 operating system as a part of the windows management platform. It is used internally by the operating system as a queue for categorizing and processing all WAP messages, which include Windows management messages, MMS, NabSync, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. | -What data is handled by dmwappushsvc? | It is a component handling the internal workings of the management platform and involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack to process messages. The service also routes and authenticates WAP messages received by the device to internal OS components that process them further: MMS, NabSync, SI/SL. This service does not send telemetry.| -How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc). However, since this is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to do this. Disabling this will cause your management to fail.| +What is dmwappushsvc? | It's a Windows service that ships in Windows 10 and Windows 11 operating system as a part of the windows management platform. It's used internally by the operating system as a queue for categorizing and processing all WAP messages, which include Windows management messages, MMS, NabSync, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. | +What data is handled by dmwappushsvc? | It's a component handling the internal workings of the management platform and involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack to process messages. The service also routes and authenticates WAP messages received by the device to internal OS components that process them further: MMS, NabSync, SI/SL. This service doesn't send telemetry.| +How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc). However, since this service is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to disable the service. Disabling this service will cause your management to fail.| @@ -337,7 +337,7 @@ How do I turn if off? | The service can be stopped from the "Services" console o | [Office CSP](office-csp.md) | Added FinalStatus setting in Windows 10, version 1809. | | [PassportForWork CSP](passportforwork-csp.md) | Added new settings in Windows 10, version 1809. | | [RemoteWipe CSP](remotewipe-csp.md) | Added new settings in Windows 10, version 1809. | -| [SUPL CSP](supl-csp.md) | Added 3 new certificate nodes in Windows 10, version 1809. | +| [SUPL CSP](supl-csp.md) | Added three new certificate nodes in Windows 10, version 1809. | | [TenantLockdown CSP](tenantlockdown-csp.md) | Added new CSP in Windows 10, version 1809. | | [Wifi CSP](wifi-csp.md) | Added a new node WifiCost in Windows 10, version 1809. | | [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) | Added new settings in Windows 10, version 1809. | diff --git a/windows/client-management/mdm/nodecache-csp.md b/windows/client-management/mdm/nodecache-csp.md index 4ac44047b0..039ac5d742 100644 --- a/windows/client-management/mdm/nodecache-csp.md +++ b/windows/client-management/mdm/nodecache-csp.md @@ -25,9 +25,9 @@ application/x-nodemon-sha256 ``` -NodeCache will hash the values and compare with a hash value that was sent down by the server. This supports checking a parent node and its children recursively. +NodeCache will hash the values and compare with a hash value that was sent down by the server. This process supports checking a parent node and its children recursively. -The following shows the NodeCache configuration service provider in tree format. +The following example shows the NodeCache configuration service provider in tree format. ``` ./User/Vendor/MSFT NodeCache @@ -69,7 +69,7 @@ NodeCache ----------------AutoSetExpectedValue ``` **./Device/Vendor/MSFT and ./User/Vendor/MSFT** -Required. The root node for the NodeCache object. Supported operation is Get. This configuration service provider is used for enterprise device management only. This is a predefined MIME type to identify this managed object in OMA DM syntax. +Required. The root node for the NodeCache object. Supported operation is Get. This configuration service provider is used for enterprise device management only. This parameter's value is a predefined MIME type to identify this managed object in OMA DM syntax. ***ProviderID*** Optional. Group settings per DM server. Each group of settings is distinguished by the server’s Provider ID. It should be the same DM server **PROVIDER-ID** value that was supplied through the [w7 APPLICATION configuration service provider](w7-application-csp.md) XML during the enrollment process. Only one enterprise management server is supported. That is, there should be only one *ProviderID* node under **NodeCache**. Scope is dynamic. @@ -82,14 +82,14 @@ Optional. Character string representing the cache version set by the server. Sco Data type is string. Supported operations are Get, Add, and Replace. ***ProviderID*/ChangedNodes** -Optional. List of nodes whose values do not match their expected values as specified in **/*NodeID*/ExpectedValue**. Scope is dynamic. +Optional. List of nodes whose values don't match their expected values as specified in **/*NodeID*/ExpectedValue**. Scope is dynamic. Data type is string. Supported operation is Get. ***ProviderID*/ChangedNodesData** -Added in Windows 10, version 1703. Optional. XML containing nodes whose values do not match their expected values as specified in /NodeID/ExpectedValue. +Added in Windows 10, version 1703. Optional. XML containing nodes whose values don't match their expected values as specified in /NodeID/ExpectedValue. -Suppported operation is Get. +Supported operation is Get. ***ProviderID*/Nodes** Required. Root node for cached nodes. Scope is dynamic. @@ -107,7 +107,7 @@ Required. This node's value is a complete OMA DM node URI. It can specify either Data type is string. Supported operations are Get, Add, and Delete. **/*NodeID*/ExpectedValue** -Required. This is the value that the server expects to be on the device. When the configuration service provider initiates a session, it checks the expected value against the node's actual value. Scope is dynamic. Supported values are string and x-nodemon-nonexistent. +Required. The server expects this value to be on the device. When the configuration service provider initiates a session, it checks the expected value against the node's actual value. Scope is dynamic. Supported values are string and x-nodemon-nonexistent. Supported operations are Get, Add, and Delete. @@ -129,7 +129,7 @@ Here's an example for setting the ExpectedValue to nonexistent. ``` **/*NodeID*/AutoSetExpectedValue** -Added in Windows 10, version 1703. Required. This automatically sets the value on the device to match the actual value of the node. The node is specified in NodeURI. +Added in Windows 10, version 1703. Required. This parameter's value automatically sets the value on the device to match the actual value of the node. The node is specified in NodeURI. Supported operations are Add, Get, and Delete. @@ -166,7 +166,7 @@ Supported operations are Add, Get, and Delete. 1. If a value already exists in the server-side cache, retrieve the value from the server-side cache instead of going to the device. - 2. If a value does not exist in the server-side cache, do the following: + 2. If a value doesn't exist in the server-side cache, do the following tasks: 1. Create a new entry with a unique *NodeID* in the server-side cache. @@ -370,12 +370,12 @@ For AutoSetExpectedValue, a Replace operation with empty data will query the ./D A Get operation on ./Vendor/MSFT/NodeCache/MDM%20SyncML%20Server/Nodes/20/ExpectedValue returns what the Device Name was when the AutoSet was called. -A Get operation on the ChangedNodesData returns an encoded XML. Here is example: +A Get operation on the ChangedNodesData returns an encoded XML. Here's an example: ```xml U09NRU5FV1ZBTFVF ``` -It represents this: +It represents this example: ```xml @@ -383,10 +383,10 @@ It represents this: U09NRU5FV1ZBTFVF ``` -Id is the node ID that was added by the MDM server, and Uri is the path that the node is tracking. -If a Uri is not set, the node will always be reported as changed, as in Node id 10. +Id is the node Id that was added by the MDM server, and Uri is the path that the node is tracking. +If a Uri isn't set, the node will always be reported as changed, as in Node Id 10. -The value inside of the node tag is the actual value returned by the Uri, which means that for Node Id 20 the DeviceName did not match what was previously expected, and the device name is now U09NRU5FV1ZBTFVF instead of what it was previously. +The value inside of the node tag is the actual value returned by the Uri, which means that for Node Id 20 the DeviceName didn't match what was previously expected, and the device name is now U09NRU5FV1ZBTFVF instead of what it was previously. ## Related topics diff --git a/windows/client-management/mdm/oma-dm-protocol-support.md b/windows/client-management/mdm/oma-dm-protocol-support.md index 8249c0eca9..e058dc2073 100644 --- a/windows/client-management/mdm/oma-dm-protocol-support.md +++ b/windows/client-management/mdm/oma-dm-protocol-support.md @@ -25,12 +25,12 @@ The following table shows the OMA DM standards that Windows uses. |--- |--- | |Data transport and session|
                                  • Client-initiated remote HTTPS DM session over SSL.
                                  • Remote HTTPS DM session over SSL.
                                  • Remote DM server initiation notification using WAP Push over Short Message Service (SMS). Not used by enterprise management.
                                  • Remote bootstrap by using WAP Push over SMS. Not used by enterprise management.| |Bootstrap XML|OMA Client Provisioning XML.| -|DM protocol commands|The following list shows the commands that are used by the device. For more information about the OMA DM command elements, see "[OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/)" available from the OMA website.
                                  • Add (Implicit Add supported)
                                  • Alert (DM alert): Generic alert (1226) is used by enterprise management client when the user triggers an MDM unenrollment action from the device or when a CSP finishes some asynchronous actions. Device alert (1224) is used to notify the server some device triggered event.
                                  • Atomic: Performing an Add command followed by Replace on the same node within an atomic element is not supported. Nested Atomic and Get commands are not allowed and will generate error code 500.
                                  • Delete: Removes a node from the DM tree, and the entire subtree beneath that node if one exists
                                  • Exec: Invokes an executable on the client device
                                  • Get: Retrieves data from the client device; for interior nodes, the child node names in the Data element are returned in URI-encoded format
                                  • Replace: Overwrites data on the client device
                                  • Result: Returns the data results of a Get command to the DM server
                                  • Sequence: Specifies the order in which a group of commands must be processed
                                  • Status: Indicates the completion status (success or failure) of an operation

                                    If an XML element that is not a valid OMA DM command is under one of the following elements, the status code 400 is returned for that element:
                                  • SyncBody
                                  • Atomic
                                  • Sequence

                                    If no CmdID is provided in the DM command, the client returns blank in the status element and the status code 400.

                                    If Atomic elements are nested, the following status codes are returned:
                                  • The nested Atomic command returns 500.
                                  • The parent Atomic command returns 507.

                                    For more information about the Atomic command, see OMA DM protocol common elements.
                                    Performing an Add command followed by Replace on the same node within an Atomic element is not supported.

                                    LocURI cannot start with `/`.

                                    Meta XML tag in SyncHdr is ignored by the device.| +|DM protocol commands|The following list shows the commands that are used by the device. For more information about the OMA DM command elements, see "[OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/)" available from the OMA website.
                                  • Add (Implicit Add supported)
                                  • Alert (DM alert): Generic alert (1226) is used by enterprise management client when the user triggers an MDM unenrollment action from the device or when a CSP finishes some asynchronous actions. Device alert (1224) is used to notify the server some device triggered event.
                                  • Atomic: Performing an Add command followed by Replace on the same node within an atomic element isn't supported. Nested Atomic and Get commands aren't allowed and will generate error code 500.
                                  • Delete: Removes a node from the DM tree, and the entire subtree beneath that node if one exists
                                  • Exec: Invokes an executable on the client device
                                  • Get: Retrieves data from the client device; for interior nodes, the child node names in the Data element are returned in URI-encoded format
                                  • Replace: Overwrites data on the client device
                                  • Result: Returns the data results of a Get command to the DM server
                                  • Sequence: Specifies the order in which a group of commands must be processed
                                  • Status: Indicates the completion status (success or failure) of an operation

                                    If an XML element that isn't a valid OMA DM command is under one of the following elements, the status code 400 is returned for that element:
                                  • SyncBody
                                  • Atomic
                                  • Sequence

                                    If no CmdID is provided in the DM command, the client returns blank in the status element and the status code 400.

                                    If Atomic elements are nested, the following status codes are returned:
                                  • The nested Atomic command returns 500.
                                  • The parent Atomic command returns 507.

                                    For more information about the Atomic command, see OMA DM protocol common elements.
                                    Performing an Add command followed by Replace on the same node within an Atomic element isn't supported.

                                    LocURI can't start with `/`.

                                    Meta XML tag in SyncHdr is ignored by the device.| |OMA DM standard objects|DevInfo
                                  • DevDetail
                                  • OMA DM DMS account objects (OMA DM version 1.2)| |Security|
                                  • Authenticate DM server initiation notification SMS message (not used by enterprise management)
                                  • Application layer Basic and MD5 client authentication
                                  • Authenticate server with MD5 credential at application level
                                  • Data integrity and authentication with HMAC at application level
                                  • SSL level certificate-based client/server authentication, encryption, and data integrity check| -|Nodes|In the OMA DM tree, the following rules apply for the node name:
                                  • "." can be part of the node name.
                                  • The node name cannot be empty.
                                  • The node name cannot be only the asterisk (*) character.| -|Provisioning Files|Provisioning XML must be well formed and follow the definition in SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905).

                                    If an XML element that is not a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.
                                    **Note**
                                    To represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.
                                    | -|WBXML support|Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the [SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905) specification.| +|Nodes|In the OMA DM tree, the following rules apply for the node name:
                                  • "." can be part of the node name.
                                  • The node name can't be empty.
                                  • The node name can't be only the asterisk (*) character.| +|Provisioning Files|Provisioning XML must be well formed and follow the definition in SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905).

                                    If an XML element that isn't a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.
                                    **Note**
                                    To represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.
                                    | +|WBXML support|Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This dual-format support is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the [SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905) specification.| |Handling of large objects|In Windows 10, version 1511, client support for uploading large objects to the server was added.| @@ -52,7 +52,7 @@ Common elements are used by other OMA DM element types. The following table list |MsgID|Specifies a unique identifier for an OMA DM session message.| |MsgRef|Specifies the ID of the corresponding request message. This element takes the value of the request message MsgID element.| |RespURI|Specifies the URI that the recipient must use when sending a response to this message.| -|SessionID|Specifies the identifier of the OMA DM session associated with the containing message.
                                    **Note**
                                    If the server does not notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the client returns the SessionID in integer in decimal format. If the server supports DM session sync version 2.0, which is used in Windows 10, the device client returns 2 bytes.
                                    | +|SessionID|Specifies the identifier of the OMA DM session associated with the containing message.
                                    **Note**
                                    If the server doesn't notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the client returns the SessionID in integer in decimal format. If the server supports DM session sync version 2.0, which is used in Windows 10, the device client returns 2 bytes.
                                    | |Source|Specifies the message source address.| |SourceRef|Specifies the source of the corresponding request message. This element takes the value of the request message Source element and is returned in the Status or Results element.| |Target|Specifies the address of the node, in the DM Tree, that is the target of the OMA DM command.| @@ -64,13 +64,13 @@ Common elements are used by other OMA DM element types. The following table list A Device Management (DM) session consists of a series of commands exchanged between a DM server and a client device. The server sends commands indicating operations that must be performed on the client device's management tree. The client responds by sending commands that contain the results and any requested status information. -A short DM session can be summarized as the following: +A short DM session can be summarized as: A server sends a Get command to a client device to retrieve the contents of one of the nodes of the management tree. The device performs the operation and responds with a Result command that contains the requested contents. A DM session can be divided into two phases: 1. **Setup phase**: In response to a trigger event, a client device sends an initiating message to a DM server. The device and server exchange needed authentication and device information. This phase is represented by steps 1, 2, and 3 in the following table. -2. **Management phase**: The DM server is in control. It sends management commands to the device and the device responds. Phase two ends when the DM server stops sending commands and terminates the session. This phase is represented by steps 3, 4, and 5 in the following table. +2. **Management phase**: The DM server is in control. It sends management commands to the device and the device responds. Phase 2 ends when the DM server stops sending commands and terminates the session. This phase is represented by steps 3, 4, and 5 in the following table. The following information shows the sequence of events during a typical DM session. @@ -92,7 +92,7 @@ The following information shows the sequence of events during a typical DM sessi The step numbers don't represent message identification numbers (MsgID). All messages from the server must have a MsgID that is unique within the session, starting at 1 for the first message, and increasing by an increment of 1 for each extra message. For more information about MsgID and OMA SyncML protocol, see [OMA Device Management Representation Protocol (DM_RepPro-V1_2-20070209-A)](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/). -During OMA DM application level mutual authentication, if the device response code to Cred element in the server request is 212, no further authentication is needed for the remainder of the DM session. In the case of the MD5 authentication, the Chal element can be returned. Then the next nonce in Chal must be used for the MD5 digest when the next DM session is started. +During OMA DM application level mutual authentication, if the device response code to Cred element in the server request is 212, no further authentication is needed for the remainder of the DM session. If the MD5 authentication occurs, the Chal element can be returned. Then the next nonce in Chal must be used for the MD5 digest when the next DM session is started. If a request includes credentials and the response code to the request is 200, the same credential must be sent within the next request. If the Chal element is included and the MD5 authentication is required, a new digest is created by using the next nonce via the Chal element for next request. @@ -101,13 +101,13 @@ For more information about Basic or MD5 client authentication, MD5 server authen ## User targeted vs. Device targeted configuration -For CSPs and policies that support per user configuration, the MDM server can send user targeted setting values to the device that a MDM-enrolled user is actively logged into. The device notifies the server of the login status via a device alert (1224) with Alert type = in DM pkg\#1. +For CSPs and policies that support per user configuration, the MDM server can send user targeted setting values to the device that a MDM-enrolled user is actively logged into. The device notifies the server of the sign-in status via a device alert (1224) with Alert type = in DM pkg\#1. The data part of this alert could be one of following strings: - User – the user that enrolled the device is actively logged in. The MDM server could send user-specific configuration for CSPs/policies that support per user configuration -- Others – another user login but that user does not have an MDM account. The server can only apply device-wide configuration, for example, configuration applies to all users in the device. -- None – no active user login. The server can only apply device-wide configuration and available configuration is restricted to the device environment (no active user login). +- Others – another user sign in but that user doesn't have an MDM account. The server can only apply device-wide configuration, for example, configuration applies to all users in the device. +- None – no active user sign in. The server can only apply device-wide configuration and available configuration is restricted to the device environment (no active user sign in). Below is an alert example: @@ -125,7 +125,7 @@ Below is an alert example: ``` -The server notifies the device whether it is a user targeted or device targeted configuration by a prefix to the management node’s LocURL, with ./user for user targeted configuration, or ./device for device targeted configuration. By default, if no prefix with ./device or ./user, it is device targeted configuration. +The server notifies the device whether it's a user-targeted or device-targeted configuration by a prefix to the management node’s LocURL, with ./user for user targeted configuration, or ./device for device targeted configuration. By default, if no prefix with ./device or ./user, it's device targeted configuration. The following LocURL shows a per user CSP node configuration: **./user/vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/<PackageFamilyName>/StoreInstall** @@ -135,28 +135,28 @@ The following LocURL shows a per device CSP node configuration: **./device/vendo ## SyncML response status codes -When using SyncML in OMA DM, there are standard response status codes that are returned. The following table lists the common SyncML response status codes you are likely to see. For more information about SyncML response status codes, see section 10 of the [SyncML Representation Protocol](https://openmobilealliance.org/release/Common/V1_2_2-20090724-A/OMA-TS-SyncML-RepPro-V1_2_2-20090724-A.pdf) specification. +When SyncML in OMA DM is being used, there are standard response status codes that are returned. The following table lists the common SyncML response status codes you're likely to see. For more information about SyncML response status codes, see section 10 of the [SyncML Representation Protocol](https://openmobilealliance.org/release/Common/V1_2_2-20090724-A/OMA-TS-SyncML-RepPro-V1_2_2-20090724-A.pdf) specification. | Status code | Description | |---|----| | 200 | The SyncML command completed successfully. | -| 202 | Accepted for processing. This is usually an asynchronous operation, such as a request to run a remote execution of an application. | -| 212 | Authentication accepted. Normally you'll only see this in response to the SyncHdr element (used for authentication in the OMA-DM standard). You may see this if you look at OMA DM logs, but CSPs do not typically generate this. | +| 202 | Accepted for processing. This code denotes an asynchronous operation, such as a request to run a remote execution of an application. | +| 212 | Authentication accepted. Normally you'll only see this code in response to the SyncHdr element (used for authentication in the OMA-DM standard). You may see this code if you look at OMA DM logs, but CSPs don't typically generate this code. | | 214 | Operation canceled. The SyncML command completed successfully, but no more commands will be processed within the session. | -| 215 | Not executed. A command was not executed as a result of user interaction to cancel the command. | +| 215 | Not executed. A command wasn't executed as a result of user interaction to cancel the command. | | 216 | `Atomic` roll back OK. A command was inside an `Atomic` element and `Atomic` failed. This command was rolled back successfully. | -| 400 | Bad request. The requested command could not be performed because of malformed syntax. CSPs do not usually generate this error, however you might see it if your SyncML is malformed. | -| 401 | Invalid credentials. The requested command failed because the requestor must provide proper authentication. CSPs do not usually generate this error. | +| 400 | Bad request. The requested command couldn't be performed because of malformed syntax. CSPs don't usually generate this error, however you might see it if your SyncML is malformed. | +| 401 | Invalid credentials. The requested command failed because the requestor must provide proper authentication. CSPs don't usually generate this error. | | 403 | Forbidden. The requested command failed, but the recipient understood the requested command. | -| 404 | Not found. The requested target was not found. This code will be generated if you query a node that does not exist. | +| 404 | Not found. The requested target wasn't found. This code will be generated if you query a node that doesn't exist. | | 405 | Command not allowed. This respond code will be generated if you try to write to a read-only node. | | 406 | Optional feature not supported. This response code will be generated if you try to access a property that the CSP doesn't support. | | 415 | Unsupported type or format. This response code can result from XML parsing or formatting errors. | | 418 | Already exists. This response code occurs if you attempt to add a node that already exists. | -| 425 | Permission Denied. The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. "Access denied" errors usually get translated to this response code. | -| 500 | Command failed. Generic failure. The recipient encountered an unexpected condition which prevented it from fulfilling the request. This response code will occur when the SyncML DPU cannot map the originating error code. | +| 425 | Permission Denied. The requested command failed because the sender doesn't have adequate access control permissions (ACL) on the recipient. "Access denied" errors usually get translated to this response code. | +| 500 | Command failed. Generic failure. The recipient encountered an unexpected condition, which prevented it from fulfilling the request. This response code will occur when the SyncML DPU can't map the originating error code. | | 507 | `Atomic` failed. One of the operations in an `Atomic` block failed. | -| 516 | `Atomic` roll back failed. An `Atomic` operation failed and the command was not rolled back successfully. | +| 516 | `Atomic` roll back failed. An `Atomic` operation failed and the command wasn't rolled back successfully. | ## Related topics diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md index 68bd28dd1e..a46a2f7016 100644 --- a/windows/client-management/mdm/passportforwork-csp.md +++ b/windows/client-management/mdm/passportforwork-csp.md @@ -14,14 +14,14 @@ ms.date: 07/19/2019 # PassportForWork CSP -The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). It allows you to login to Windows using your Active Directory or Azure Active Directory account and replace passwords, smartcards, and virtual smart cards. +The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). It allows you to sign in to Windows using your Active Directory or Azure Active Directory account and replace passwords, smartcards, and virtual smart cards. > [!IMPORTANT] > Starting with Windows 10, version 1607 all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP.   ### User configuration diagram -The following shows the PassportForWork configuration service provider in tree format. +The following example shows the PassportForWork configuration service provider in tree format. ```console ./User/Vendor/MSFT @@ -44,7 +44,7 @@ PassportForWork ### Device configuration diagram -The following shows the PassportForWork configuration service provider in tree format. +The following example shows the PassportForWork configuration service provider in tree format. ```console ./Device/Vendor/MSFT @@ -88,7 +88,7 @@ PassportForWork Root node for PassportForWork configuration service provider. ***TenantId*** -A globally unique identifier (GUID), without curly braces ( { , } ), that is used as part of Windows Hello for Business provisioning and management. To get a GUID, use the PowerShell cmdlet [Get-AzureAccount](/powershell/module/servicemanagement/azure/get-azureaccount). For more information see [Get Windows Azure Active Directory Tenant ID in Windows PowerShell](https://devblogs.microsoft.com/scripting/get-windows-azure-active-directory-tenant-id-in-windows-powershell). +A globally unique identifier (GUID), without curly braces ({ , }), that is used as part of Windows Hello for Business provisioning and management. To get a GUID, use the PowerShell cmdlet [Get-AzureAccount](/powershell/module/servicemanagement/azure/get-azureaccount). For more information, see [Get Windows Azure Active Directory Tenant ID in Windows PowerShell](https://devblogs.microsoft.com/scripting/get-windows-azure-active-directory-tenant-id-in-windows-powershell). ***TenantId*/Policies** Node for defining the Windows Hello for Business policy settings. @@ -96,14 +96,14 @@ Node for defining the Windows Hello for Business policy settings. ***TenantId*/Policies/UsePassportForWork** Boolean value that sets Windows Hello for Business as a method for signing into Windows. -Default value is true. If you set this policy to false, the user cannot provision Windows Hello for Business. +Default value is true. If you set this policy to false, the user can't provision Windows Hello for Business. Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/RequireSecurityDevice** -Boolean value that requires a Trusted Platform Module (TPM) for Windows Hello for Business. TPM provides an additional security benefit over software so that data stored in it cannot be used on other devices. +Boolean value that requires a Trusted Platform Module (TPM) for Windows Hello for Business. TPM provides an extra security benefit over software so that data stored in it can't be used on other devices. -Default value is false. If you set this policy to true, only devices with a usable TPM can provision Windows Hello for Business. If you set this policy to false, all devices can provision Windows Hello for Business using software even if there is not a usable TPM. If you do not configure this setting, all devices can provision Windows Hello for Business using software if the TPM is non-functional or unavailable. +Default value is false. If you set this policy to true, only devices with a usable TPM can provision Windows Hello for Business. If you set this policy to false, all devices can provision Windows Hello for Business using software even if there isn't a usable TPM. If you don't configure this setting, all devices can provision Windows Hello for Business using software if the TPM is non-functional or unavailable. Supported operations are Add, Get, Delete, and Replace. @@ -116,7 +116,7 @@ Added in Windows 10, version 1703. Some Trusted Platform Modules (TPMs) are comp Default value is false. If you enable this policy setting, TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business. -If you disable or do not configure this policy setting, TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business. +If you disable or don't configure this policy setting, TPM revision 1.2 modules will be used with Windows Hello for Business. Supported operations are Add, Get, Delete, and Replace. @@ -126,7 +126,7 @@ This cloud service encrypts a recovery secret, which is stored locally on the cl Default value is false. If you enable this policy setting, the PIN recovery secret will be stored on the device and the user can change their PIN if needed. -If you disable or do not configure this policy setting, the PIN recovery secret will not be created or stored. If the user's PIN is forgotten, the only way to get a new PIN is by deleting the existing PIN and creating a new one, which will require the user to re-register with any services the old PIN provided access to. +If you disable or don't configure this policy setting, the PIN recovery secret won't be created or stored. If the user's PIN is forgotten, the only way to get a new PIN is by deleting the existing PIN and creating a new one, which will require the user to re-register with any services the old PIN provided access to. Supported operations are Add, Get, Delete, and Replace. @@ -135,7 +135,7 @@ Boolean value that enables Windows Hello for Business to use certificates to aut If you enable this policy setting, Windows Hello for Business will wait until the device has received a certificate payload from the mobile device management server before provisioning a PIN. -If you disable or do not configure this policy setting, the PIN will be provisioned when the user logs in, without waiting for a certificate payload. +If you disable or don't configure this policy setting, the PIN will be provisioned when the user logs in, without waiting for a certificate payload. Supported operations are Add, Get, Delete, and Replace. @@ -145,7 +145,7 @@ Node for defining PIN settings. ***TenantId*/Policies/PINComplexity/MinimumPINLength** Integer value that sets the minimum number of characters required for the PIN. Default value is 4. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest. -If you configure this policy setting, the PIN length must be greater than or equal to this number. If you disable or do not configure this policy setting, the PIN length must be greater than or equal to 4. +If you configure this policy setting, the PIN length must be greater than or equal to this number. If you disable or don't configure this policy setting, the PIN length must be greater than or equal to 4. > [!NOTE] > If the conditions specified above for the minimum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths. @@ -156,7 +156,7 @@ Value type is int. Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/PINComplexity/MaximumPINLength** Integer value that sets the maximum number of characters allowed for the PIN. Default value is 127. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, whichever is greater. -If you configure this policy setting, the PIN length must be less than or equal to this number. If you disable or do not configure this policy setting, the PIN length must be less than or equal to 127. +If you configure this policy setting, the PIN length must be less than or equal to this number. If you disable or don't configure this policy setting, the PIN length must be less than or equal to 127. > [!NOTE] > If the conditions specified above for the maximum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths. @@ -170,10 +170,10 @@ Integer value that configures the use of uppercase letters in the Windows Hello Valid values: - 0 - Allows the use of uppercase letters in PIN. -- 1 - Requires the use of at least one uppercase letters in PIN. -- 2 - Does not allow the use of uppercase letters in PIN. +- 1 - Requires the use of at least one uppercase letter in PIN. +- 2 - Doesn't allow the use of uppercase letters in PIN. -Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply. +Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets aren't allowed. If all character sets are allowed but none's explicitly required, then the default PIN complexity behavior will apply. Supported operations are Add, Get, Delete, and Replace. @@ -183,10 +183,10 @@ Integer value that configures the use of lowercase letters in the Windows Hello Valid values: - 0 - Allows the use of lowercase letters in PIN. -- 1 - Requires the use of at least one lowercase letters in PIN. -- 2 - Does not allow the use of lowercase letters in PIN. +- 1 - Requires the use of at least one lowercase letter in PIN. +- 2 - Doesn't allow the use of lowercase letters in PIN. -Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply. +Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets aren't allowed. If all character sets are allowed but none's explicitly required, then the default PIN complexity behavior will apply. Supported operations are Add, Get, Delete, and Replace. @@ -197,9 +197,9 @@ Valid values: - 0 - Allows the use of special characters in PIN. - 1 - Requires the use of at least one special character in PIN. -- 2 - Does not allow the use of special characters in PIN. +- 2 - Doesn't allow the use of special characters in PIN. -Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply. +Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets aren't allowed. If all character sets are allowed but none's explicitly required, then the default PIN complexity behavior will apply. Supported operations are Add, Get, Delete, and Replace. @@ -210,16 +210,16 @@ Valid values: - 0 - Allows the use of digits in PIN. - 1 - Requires the use of at least one digit in PIN. -- 2 - Does not allow the use of digits in PIN. +- 2 - Doesn't allow the use of digits in PIN. -Default value is 1. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply. +Default value is 1. Default PIN complexity behavior is that digits are required and all other character sets aren't allowed. If all character sets are allowed but none's explicitly required, then the default PIN complexity behavior will apply. Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/PINComplexity/History** -Integer value that specifies the number of past PINs that can be associated to a user account that can’t be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required. This node was added in Windows 10, version 1511. +Integer value that specifies the number of past PINs that can be associated to a user account that can’t be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs isn't required. This node was added in Windows 10, version 1511. -The current PIN of the user is included in the set of PINs associated with the user account. PIN history is not preserved through a PIN reset. +The current PIN of the user is included in the set of PINs associated with the user account. PIN history isn't preserved through a PIN reset. Default value is 0. @@ -248,7 +248,7 @@ Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/UseHelloCertificatesAsSmartCardCertificates** (only for ./Device/Vendor/MSFT) Added in Windows 10, version 1809. If you enable this policy setting, applications use Windows Hello for Business certificates as smart card certificates. Biometric factors are unavailable when a user is asked to authorize the use of the certificate's private key. This policy setting is designed to allow compatibility with applications that rely exclusively on smart card certificates. -If you disable or do not configure this policy setting, applications do not use Windows Hello for Business certificates as smart card certificates, and biometric factors are available when a user is asked to authorize the use of the certificate's private key. +If you disable or don't configure this policy setting, applications don't use Windows Hello for Business certificates as smart card certificates, and biometric factors are available when a user is asked to authorize the use of the certificate's private key. Windows requires a user to lock and unlock their session after changing this setting if the user is currently signed in. @@ -262,7 +262,7 @@ Node for defining biometric settings. This node was added in Windows 10, versi *Not supported on Windows Holographic and Windows Holographic for Business.* **Biometrics/UseBiometrics** (only for ./Device/Vendor/MSFT) -Boolean value used to enable or disable the use of biometric gestures, such as face and fingerprint, as an alternative to the PIN gesture for Windows Hello for Business. Users must still configure a PIN if they configure biometric gestures to use in case of failures. This node was added in Windows 10, version 1511. +Boolean value used to enable or disable the use of biometric gestures, such as face and fingerprint, as an alternative to the PIN gesture for Windows Hello for Business. Users must still configure a PIN if they configure biometric gestures to use if there are failures. This node was added in Windows 10, version 1511. Default value is true, enabling the biometric gestures for use with Windows Hello for Business. If you set this policy to false, biometric gestures are disabled for use with Windows Hello for Business. @@ -277,9 +277,9 @@ Boolean value used to enable or disable enhanced anti-spoofing for facial featur Default value is false. If you set this policy to false or don't configure this setting, Windows doesn't require enhanced anti-spoofing for Windows Hello face authentication. -If you set this policy to true, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. Windows Hello face authentication is disabled on devices that do not support enhanced anti-spoofing. +If you set this policy to true, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. Windows Hello face authentication is disabled on devices that don't support enhanced anti-spoofing. -Note that enhanced anti-spoofing for Windows Hello face authentication is not required on unmanaged devices. +Enhanced anti-spoofing for Windows Hello face authentication isn't required on unmanaged devices. Supported operations are Add, Get, Delete, and Replace. @@ -324,7 +324,7 @@ Scope is permanent. Supported operation is Get. **SecurityKey/UseSecurityKeyForSignin** (only for ./Device/Vendor/MSFT) -Added in Windows 10, version 1903. Enables users to sign-in to their device with a [FIDO2 security key](/azure/active-directory/authentication/concept-authentication-passwordless#fido2-security-keys) that is compatible with Microsoft’s implementation. +Added in Windows 10, version 1903. Enables users to sign in to their device with a [FIDO2 security key](/azure/active-directory/authentication/concept-authentication-passwordless#fido2-security-keys) that is compatible with Microsoft’s implementation. Scope is dynamic. Supported operations are Add, Get, Replace, and Delete. From c24214d2e76303811cd495b99fcd4c4204ae9738 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 4 Mar 2022 19:03:28 +0530 Subject: [PATCH 50/68] Acrolinx enhancement effort --- .../mdm/personalization-csp.md | 6 +-- ...ed-by-hololens-1st-gen-commercial-suite.md | 6 +-- ...by-hololens-1st-gen-development-edition.md | 6 +-- .../mdm/policy-csp-accounts.md | 2 +- .../mdm/policy-csp-activexcontrols.md | 4 +- .../policy-csp-admx-activexinstallservice.md | 4 +- .../mdm/policy-csp-admx-addremoveprograms.md | 40 +++++++++---------- .../mdm/policy-csp-admx-appcompat.md | 34 ++++++++-------- 8 files changed, 51 insertions(+), 51 deletions(-) diff --git a/windows/client-management/mdm/personalization-csp.md b/windows/client-management/mdm/personalization-csp.md index 67b7f88ce5..ff76751aef 100644 --- a/windows/client-management/mdm/personalization-csp.md +++ b/windows/client-management/mdm/personalization-csp.md @@ -20,7 +20,7 @@ This CSP was added in Windows 10, version 1703. > [!Note] > Personalization CSP is supported in Windows 10 Enterprise and Education SKUs. It works in Windows 10 Pro and Windows 10 Pro in S mode if SetEduPolicies in [SharedPC CSP](sharedpc-csp.md) is set. -The following shows the Personalization configuration service provider in tree format. +The following example shows the Personalization configuration service provider in tree format. ``` ./Vendor/MSFT Personalization @@ -33,7 +33,7 @@ Personalization

                                    Defines the root node for the Personalization configuration service provider.

                                    **DesktopImageUrl** -

                                    Specify a jpg, jpeg or png image to be used as Desktop Image. This setting can take a http or https Url to a remote image to be downloaded, a file Url to a local image.

                                    +

                                    Specify a jpg, jpeg or png image to be used as Desktop Image. This setting can take an http or https Url to a remote image to be downloaded, a file Url to a local image.

                                    Value type is string. Supported operations are Add, Get, Delete, and Replace.

                                    **DesktopImageStatus** @@ -53,7 +53,7 @@ Personalization > This setting is only used to query status. To set the image, use the DesktopImageUrl setting. **LockScreenImageUrl** -

                                    Specify a jpg, jpeg or png image to be used as Lock Screen Image. This setting can take a http or https Url to a remote image to be downloaded, a file Url to a local image.

                                    +

                                    Specify a jpg, jpeg or png image to be used as Lock Screen Image. This setting can take an http or https Url to a remote image to be downloaded, a file Url to a local image.

                                    Value type is string. Supported operations are Add, Get, Delete, and Replace.

                                    diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md index c4bd9e3c6b..8710e9bfa0 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md @@ -1,6 +1,6 @@ --- -title: Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite -description: Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite +title: Policies in Policy CSP supported by HoloLens (first gen) Commercial Suite +description: Policies in Policy CSP supported by HoloLens (first gen) Commercial Suite ms.reviewer: manager: dansimp ms.author: dansimp @@ -12,7 +12,7 @@ ms.localizationpriority: medium ms.date: 09/17/2019 --- -# Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite +# Policies in Policy CSP supported by HoloLens (first gen) Commercial Suite > [!div class="op_single_selector"] > diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md index f2ee79c529..cd6a350651 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md @@ -1,6 +1,6 @@ --- -title: Policies in Policy CSP supported by HoloLens (1st gen) Development Edition -description: Policies in Policy CSP supported by HoloLens (1st gen) Development Edition +title: Policies in Policy CSP supported by HoloLens (first gen) Development Edition +description: Policies in Policy CSP supported by HoloLens (first gen) Development Edition ms.reviewer: manager: dansimp ms.author: dansimp @@ -12,7 +12,7 @@ ms.localizationpriority: medium ms.date: 07/18/2019 --- -# Policies in Policy CSP supported by HoloLens (1st gen) Development Edition +# Policies in Policy CSP supported by HoloLens (first gen) Development Edition > [!div class="op_single_selector"] > diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md index ffbfabf801..ecc331dd79 100644 --- a/windows/client-management/mdm/policy-csp-accounts.md +++ b/windows/client-management/mdm/policy-csp-accounts.md @@ -1,6 +1,6 @@ --- title: Policy CSP - Accounts -description: Learn about the Policy configuration service provider (CSP). This articles describes account policies. +description: Learn about the Policy configuration service provider (CSP). This article describes account policies. ms.author: dansimp ms.localizationpriority: medium ms.topic: article diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md index 352549f4d0..ab40952b4f 100644 --- a/windows/client-management/mdm/policy-csp-activexcontrols.md +++ b/windows/client-management/mdm/policy-csp-activexcontrols.md @@ -65,9 +65,9 @@ This policy setting determines which ActiveX installation sites standard users i If you enable this setting, the administrator can create a list of approved ActiveX Install sites specified by host URL. -If you disable or do not configure this policy setting, ActiveX controls prompt the user for administrative credentials before installation. +If you disable or don't configure this policy setting, ActiveX controls prompt the user for administrative credentials before installation. -Note: Wild card characters cannot be used when specifying the host URLs. +Note: Wild card characters can't be used when specifying the host URLs. diff --git a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md index 01c897def4..98d786e57c 100644 --- a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md +++ b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md @@ -66,9 +66,9 @@ This policy setting controls the installation of ActiveX controls for sites in T If you enable this policy setting, ActiveX controls are installed according to the settings defined by this policy setting. -If you disable or do not configure this policy setting, ActiveX controls prompt the user before installation. +If you disable or don't configure this policy setting, ActiveX controls prompt the user before installation. -If the trusted site uses the HTTPS protocol, this policy setting can also control how ActiveX Installer Service responds to certificate errors. By default all HTTPS connections must supply a server certificate that passes all validation criteria. If you are aware that a trusted site has a certificate error but you want to trust it anyway you can select the certificate errors that you want to ignore. +If the trusted site uses the HTTPS protocol, this policy setting can also control how ActiveX Installer Service responds to certificate errors. By default all HTTPS connections must supply a server certificate that passes all validation criteria. If a trusted site has a certificate error but you want to trust it anyway, you can select the certificate errors that you want to ignore. > [!NOTE] > This policy setting applies to all sites in Trusted zones. diff --git a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md index cda9438358..d81d638767 100644 --- a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md +++ b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md @@ -93,7 +93,7 @@ The policy setting specifies the category of programs that appears when users op To use this setting, type the name of a category in the Category box for this setting. You must enter a category that is already defined in Add or Remove Programs. To define a category, use Software Installation. -If you disable this setting or do not configure it, all programs (Category: All) are displayed when the "Add New Programs" page opens. You can use this setting to direct users to the programs they are most likely to need. +If you disable this setting or don't configure it, all programs (Category: All) are displayed when the "Add New Programs" page opens. You can use this setting to direct users to the programs they're most likely to need. > [!NOTE] > This setting is ignored if either the "Remove Add or Remove Programs" setting or the "Hide Add New Programs page" setting is enabled. @@ -148,12 +148,12 @@ ADMX Info: -This policy setting removes the "Add a program from CD-ROM or floppy disk" section from the Add New Programs page. This prevents users from using Add or Remove Programs to install programs from removable media. +This policy setting removes the "Add a program from CD-ROM or floppy disk" section from the Add New Programs page. This feature removal prevents users from using Add or Remove Programs to install programs from removable media. -If you disable this setting or do not configure it, the "Add a program from CD-ROM or floppy disk" option is available to all users. This setting does not prevent users from using other tools and methods to add or remove program components. +If you disable this setting or don't configure it, the "Add a program from CD-ROM or floppy disk" option is available to all users. This setting doesn't prevent users from using other tools and methods to add or remove program components. > [!NOTE] -> If the "Hide Add New Programs page" setting is enabled, this setting is ignored. Also, if the "Prevent removable media source for any install" setting (located in User Configuration\Administrative Templates\Windows Components\Windows Installer) is enabled, users cannot add programs from removable media, regardless of this setting. +> If the "Hide Add New Programs page" setting is enabled, this setting is ignored. Also, if the "Prevent removable media source for any install" setting (located in User Configuration\Administrative Templates\Windows Components\Windows Installer) is enabled, users can't add programs from removable media, regardless of this setting. @@ -207,7 +207,7 @@ ADMX Info: This policy setting removes the "Add programs from Microsoft" section from the Add New Programs page. This setting prevents users from using Add or Remove Programs to connect to Windows Update. -If you disable this setting or do not configure it, "Add programs from Microsoft" is available to all users. This setting does not prevent users from using other tools and methods to connect to Windows Update. +If you disable this setting or don't configure it, "Add programs from Microsoft" is available to all users. This setting doesn't prevent users from using other tools and methods to connect to Windows Update. > [!NOTE] > If the "Hide Add New Programs page" setting is enabled, this setting is ignored. @@ -265,9 +265,9 @@ ADMX Info: This policy setting prevents users from viewing or installing published programs. This setting removes the "Add programs from your network" section from the Add New Programs page. The "Add programs from your network" section lists published programs and provides an easy way to install them. Published programs are those programs that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically, system administrators publish programs to notify users that the programs are available, to recommend their use, or to enable users to install them without having to search for installation files. -If you enable this setting, users cannot tell which programs have been published by the system administrator, and they cannot use Add or Remove Programs to install published programs. However, they can still install programs by using other methods, and they can view and install assigned (partially installed) programs that are offered on the desktop or on the Start menu. +If you enable this setting, users can't tell which programs have been published by the system administrator, and they can't use Add or Remove Programs to install published programs. However, they can still install programs by using other methods, and they can view and install assigned (partially installed) programs that are offered on the desktop or on the Start menu. -If you disable this setting or do not configure it, "Add programs from your network" is available to all users. +If you disable this setting or don't configure it, "Add programs from your network" is available to all users. > [!NOTE] > If the "Hide Add New Programs page" setting is enabled, this setting is ignored. @@ -322,9 +322,9 @@ ADMX Info: -This policy setting removes the Add New Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Add New Programs button lets users install programs published or assigned by a system administrator. +This policy setting removes the Add New Programs button from the Add or Remove Programs bar. As a result, users can't view or change the attached page. The Add New Programs button lets users install programs published or assigned by a system administrator. -If you disable this setting or do not configure it, the Add New Programs button is available to all users. This setting does not prevent users from using other tools and methods to install programs. +If you disable this setting or don't configure it, the Add New Programs button is available to all users. This setting doesn't prevent users from using other tools and methods to install programs. @@ -379,7 +379,7 @@ ADMX Info: This policy setting prevents users from using Add or Remove Programs. This setting removes Add or Remove Programs from Control Panel and removes the Add or Remove Programs item from menus. Add or Remove Programs lets users install, uninstall, repair, add, and remove features and components of Windows 2000 Professional and a wide variety of Windows programs. Programs published or assigned to the user appear in Add or Remove Programs. -If you disable this setting or do not configure it, Add or Remove Programs is available to all users. When enabled, this setting takes precedence over the other settings in this folder. This setting does not prevent users from using other tools and methods to install or uninstall programs. +If you disable this setting or don't configure it, Add or Remove Programs is available to all users. When enabled, this setting takes precedence over the other settings in this folder. This setting doesn't prevent users from using other tools and methods to install or uninstall programs. @@ -432,9 +432,9 @@ ADMX Info: -This policy setting removes the Set Program Access and Defaults button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Set Program Access and Defaults button lets administrators specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations. +This policy setting removes the Set Program Access and Defaults button from the Add or Remove Programs bar. As a result, users can't view or change the associated page. The Set Program Access and Defaults button lets administrators specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations. -If you disable this setting or do not configure it, the Set Program Access and Defaults button is available to all users. This setting does not prevent users from using other tools and methods to change program access or defaults. This setting does not prevent the Set Program Access and Defaults icon from appearing on the Start menu. See the "Remove Set Program Access and Defaults from Start menu" setting. +If you disable this setting or don't configure it, the **Set Program Access and Defaults** button is available to all users. This setting doesn't prevent users from using other tools and methods to change program access or defaults. This setting doesn't prevent the Set Program Access and Defaults icon from appearing on the Start menu. See the "Remove Set Program Access and Defaults from Start menu" setting. @@ -488,9 +488,9 @@ ADMX Info: -This policy setting removes the Change or Remove Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Change or Remove Programs button lets users uninstall, repair, add, or remove features of installed programs. +This policy setting removes the Change or Remove Programs button from the Add or Remove Programs bar. As a result, users can't view or change the attached page. The Change or Remove Programs button lets users uninstall, repair, add, or remove features of installed programs. -If you disable this setting or do not configure it, the Change or Remove Programs page is available to all users. This setting does not prevent users from using other tools and methods to delete or uninstall programs. +If you disable this setting or don't configure it, the Change or Remove Programs page is available to all users. This setting doesn't prevent users from using other tools and methods to delete or uninstall programs. @@ -543,12 +543,12 @@ ADMX Info: -This policy setting prevents users from using Add or Remove Programs to configure installed services. This setting removes the "Set up services" section of the Add/Remove Windows Components page. The "Set up services" section lists system services that have not been configured and offers users easy access to the configuration tools. +This policy setting prevents users from using Add or Remove Programs to configure installed services. This setting removes the "Set up services" section of the Add/Remove Windows Components page. The "Set up services" section lists system services that haven't been configured and offers users easy access to the configuration tools. -If you disable this setting or do not configure it, "Set up services" appears only when there are unconfigured system services. If you enable this setting, "Set up services" never appears. This setting does not prevent users from using other methods to configure services. +If you disable this setting or don't configure it, "Set up services" appears only when there are unconfigured system services. If you enable this setting, "Set up services" never appears. This setting doesn't prevent users from using other methods to configure services. > [!NOTE] -> When "Set up services" does not appear, clicking the Add/Remove Windows Components button starts the Windows Component Wizard immediately. Because the only remaining option on the Add/Remove Windows Components page starts the wizard, that option is selected automatically, and the page is bypassed. To remove "Set up services" and prevent the Windows Component Wizard from starting, enable the "Hide Add/Remove Windows Components page" setting. If the "Hide Add/Remove Windows Components page" setting is enabled, this setting is ignored. +> When "Set up services" doesn't appear, clicking the Add/Remove Windows Components button starts the Windows Component Wizard immediately. Because the only remaining option on the Add/Remove Windows Components page starts the wizard, that option is selected automatically, and the page is bypassed. To remove "Set up services" and prevent the Windows Component Wizard from starting, enable the "Hide Add/Remove Windows Components page" setting. If the "Hide Add/Remove Windows Components page" setting is enabled, this setting is ignored. @@ -603,7 +603,7 @@ ADMX Info: This policy setting removes links to the Support Info dialog box from programs on the Change or Remove Programs page. Programs listed on the Change or Remove Programs page can include a "Click here for support information" hyperlink. When clicked, the hyperlink opens a dialog box that displays troubleshooting information, including a link to the installation files and data that users need to obtain product support, such as the Product ID and version number of the program. The dialog box also includes a hyperlink to support information on the Internet, such as the Microsoft Product Support Services Web page. -If you disable this setting or do not configure it, the Support Info hyperlink appears. +If you disable this setting or don't configure it, the Support Info hyperlink appears. > [!NOTE] > Not all programs provide a support information hyperlink. @@ -658,9 +658,9 @@ ADMX Info: -This policy setting removes the Add/Remove Windows Components button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Add/Remove Windows Components button lets users configure installed services and use the Windows Component Wizard to add, remove, and configure components of Windows from the installation files. +This policy setting removes the Add/Remove Windows Components button from the Add or Remove Programs bar. As a result, users can't view or change the associated page. The Add/Remove Windows Components button lets users configure installed services and use the Windows Component Wizard to add, remove, and configure components of Windows from the installation files. -If you disable this setting or do not configure it, the Add/Remove Windows Components button is available to all users. This setting does not prevent users from using other tools and methods to configure services or add or remove program components. However, this setting blocks user access to the Windows Component Wizard. +If you disable this setting or don't configure it, the Add/Remove Windows Components button is available to all users. This setting doesn't prevent users from using other tools and methods to configure services or add or remove program components. However, this setting blocks user access to the Windows Component Wizard. diff --git a/windows/client-management/mdm/policy-csp-admx-appcompat.md b/windows/client-management/mdm/policy-csp-admx-appcompat.md index f77ed606ef..7f52047c72 100644 --- a/windows/client-management/mdm/policy-csp-admx-appcompat.md +++ b/windows/client-management/mdm/policy-csp-admx-appcompat.md @@ -98,11 +98,11 @@ This policy setting specifies whether to prevent the MS-DOS subsystem (**ntvdm.e You can use this setting to turn off the MS-DOS subsystem, which will reduce resource usage and prevent users from running 16-bit applications. To run any 16-bit application or any application with 16-bit components, **ntvdm.exe** must be allowed to run. The MS-DOS subsystem starts when the first 16-bit application is launched. While the MS-DOS subsystem is running, any subsequent 16-bit applications launch faster, but overall resource usage on the system is increased. -If the status is set to Enabled, the MS-DOS subsystem is prevented from running, which then prevents any 16-bit applications from running. In addition, any 32-bit applications with 16-bit installers or other 16-bit components cannot run. +If the status is set to Enabled, the MS-DOS subsystem is prevented from running, which then prevents any 16-bit applications from running. In addition, any 32-bit applications with 16-bit installers or other 16-bit components can't run. If the status is set to Disabled, the MS-DOS subsystem runs for all users on this computer. -If the status is set to Not Configured, the OS falls back on a local policy set by the registry DWORD value **HKLM\System\CurrentControlSet\Control\WOW\DisallowedPolicyDefault**. If that value is non-0, this prevents all 16-bit applications from running. If that value is 0, 16-bit applications are allowed to run. If that value is also not present, on Windows 10 and above, the OS will launch the 16-bit application support control panel to allow an elevated administrator to make the decision; on Windows 7 and down-level, the OS will allow 16-bit applications to run. +If the status is set to Not Configured, the OS falls back on a local policy set by the registry DWORD value **HKLM\System\CurrentControlSet\Control\WOW\DisallowedPolicyDefault**. If that value is non-0, this setting prevents all 16-bit applications from running. If that value is 0, 16-bit applications are allowed to run. If that value is also not present, on Windows 10 and above, the OS will launch the 16-bit application support control panel to allow an elevated administrator to make the decision; on Windows 7 and down-level, the OS will allow 16-bit applications to run. > [!NOTE] > This setting appears only in Computer Configuration. @@ -151,7 +151,7 @@ This policy setting controls the visibility of the Program Compatibility propert The compatibility property page displays a list of options that can be selected and applied to the application to resolve the most common issues affecting legacy applications. -Enabling this policy setting removes the property page from the context-menus, but does not affect previous compatibility settings applied to application using this interface. +Enabling this policy setting removes the property page from the context-menus, but doesn't affect previous compatibility settings applied to application using this interface. @@ -198,11 +198,11 @@ The policy setting controls the state of the Application Telemetry engine in the Application Telemetry is a mechanism that tracks anonymous usage of specific Windows system components by applications. -Turning Application Telemetry off by selecting "enable" will stop the collection of usage data. +Turning off Application Telemetry by selecting "enable" will stop the collection of usage data. If the customer Experience Improvement program is turned off, Application Telemetry will be turned off regardless of how this policy is set. -Disabling telemetry will take effect on any newly launched applications. To ensure that telemetry collection has stopped for all applications, please reboot your machine. +Disabling telemetry will take effect on any newly launched applications. To ensure that telemetry collection has stopped for all applications, reboot your machine. @@ -251,9 +251,9 @@ Switchback is a mechanism that provides generic compatibility mitigations to old Switchback is on by default. -If you enable this policy setting, Switchback will be turned off. Turning Switchback off may degrade the compatibility of older applications. This option is useful for server administrators who require performance and are aware of compatibility of the applications they are using. +If you enable this policy setting, Switchback will be turned off. Turning off Switchback may degrade the compatibility of older applications. This option is useful for server administrators who require performance and are aware of compatibility of the applications they're using. -If you disable or do not configure this policy setting, the Switchback will be turned on. +If you disable or don't configure this policy setting, the Switchback will be turned on. Reboot the system after changing the setting to ensure that your system accurately reflects those changes. @@ -298,13 +298,13 @@ ADMX Info: This policy setting controls the state of the application compatibility engine in the system. -The engine is part of the loader and looks through a compatibility database every time an application is started on the system. If a match for the application is found it provides either run-time solutions or compatibility fixes, or displays an Application Help message if the application has a know problem. +The engine is part of the loader and looks through a compatibility database every time an application is started on the system. If a match for the application is found it provides either run-time solutions or compatibility fixes, or displays an Application Help message if the application has a known problem. -Turning off the application compatibility engine will boost system performance. However, this will degrade the compatibility of many popular legacy applications, and will not block known incompatible applications from installing. For example, this may result in a blue screen if an old anti-virus application is installed. +Turning off the application compatibility engine will boost system performance. However, this turn-off will degrade the compatibility of many popular legacy applications, and won't block known incompatible applications from installing. For example, this prevention of blocking may result in a blue screen if an old anti-virus application is installed. -The Windows Resource Protection and User Account Control features of Windows use the application compatibility engine to provide mitigations for application problems. If the engine is turned off, these mitigations will not be applied to applications and their installers and these applications may fail to install or run properly. +The Windows Resource Protection and User Account Control features of Windows use the application compatibility engine to provide mitigations for application problems. If the engine is turned off, these mitigations won't be applied to applications and their installers and these applications may fail to install or run properly. -This option is useful to server administrators who require faster performance and are aware of the compatibility of the applications they are using. It is particularly useful for a web server where applications may be launched several hundred times a second, and the performance of the loader is essential. +This option is useful to server administrators who require faster performance and are aware of the compatibility of the applications they're using. It's useful for a web server where applications may be launched several hundred times a second, and the performance of the loader is essential. > [!NOTE] > Many system processes cache the value of this setting for performance reasons. If you make changes to this setting, reboot to ensure that your system accurately reflects those changes. @@ -350,7 +350,7 @@ ADMX Info: -This policy setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. +This policy setting exists only for backward compatibility, and isn't valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. @@ -395,9 +395,9 @@ ADMX Info: This policy setting controls the state of the Program Compatibility Assistant (PCA). The PCA monitors applications run by the user. When a potential compatibility issue with an application is detected, the PCA will prompt the user with recommended solutions. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. -If you enable this policy setting, the PCA will be turned off. The user will not be presented with solutions to known compatibility issues when running applications. Turning off the PCA can be useful for system administrators who require better performance and are already aware of application compatibility issues. +If you enable this policy setting, the PCA will be turned off. The user won't be presented with solutions to known compatibility issues when running applications. Turning off the PCA can be useful for system administrators who require better performance and are already aware of application compatibility issues. -If you disable or do not configure this policy setting, the PCA will be turned on. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. +If you disable or don't configure this policy setting, the PCA will be turned on. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. > [!NOTE] > The Diagnostic Policy Service (DPS) and Program Compatibility Assistant Service must be running for the PCA to run. These services can be configured by using the Services snap-in to the Microsoft Management Console. @@ -449,7 +449,7 @@ Steps Recorder keeps a record of steps taken by the user. The data generated by If you enable this policy setting, Steps Recorder will be disabled. -If you disable or do not configure this policy setting, Steps Recorder will be enabled. +If you disable or don't configure this policy setting, Steps Recorder will be enabled. @@ -496,9 +496,9 @@ This policy setting controls the state of the Inventory Collector. The Inventory Collector inventories applications, files, devices, and drivers on the system and sends the information to Microsoft. This information is used to help diagnose compatibility problems. -If you enable this policy setting, the Inventory Collector will be turned off and data will not be sent to Microsoft. Collection of installation data through the Program Compatibility Assistant is also disabled. +If you enable this policy setting, the Inventory Collector will be turned off and data won't be sent to Microsoft. Collection of installation data through the Program Compatibility Assistant is also disabled. -If you disable or do not configure this policy setting, the Inventory Collector will be turned on. +If you disable or don't configure this policy setting, the Inventory Collector will be turned on. > [!NOTE] > This policy setting has no effect if the Customer Experience Improvement Program is turned off. The Inventory Collector will be off. From f71cd85109a507c907db0b813c604fb7ec630375 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 7 Mar 2022 11:26:50 +0530 Subject: [PATCH 51/68] Acrolinx enhancement effort --- .../mdm/policy-csp-admx-appxruntime.md | 18 +++--- .../mdm/policy-csp-admx-attachmentmanager.md | 18 +++--- .../mdm/policy-csp-admx-auditsettings.md | 2 +- .../mdm/policy-csp-admx-bits.md | 56 +++++++++---------- .../mdm/policy-csp-admx-controlpanel.md | 6 +- 5 files changed, 50 insertions(+), 50 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-appxruntime.md b/windows/client-management/mdm/policy-csp-admx-appxruntime.md index 4cc5ed5e0b..aaf619a4d3 100644 --- a/windows/client-management/mdm/policy-csp-admx-appxruntime.md +++ b/windows/client-management/mdm/policy-csp-admx-appxruntime.md @@ -72,7 +72,7 @@ manager: dansimp This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of the app manifest and apply to all Windows Store apps that use the enterpriseAuthentication capability on a computer. -If you enable this policy setting, you can define additional Content URI Rules that all Windows Store apps that use the enterpriseAuthentication capability on a computer can use. +If you enable this policy setting, you can define more Content URI Rules that all Windows Store apps that use the enterpriseAuthentication capability on a computer can use. If you disable or don't set this policy setting, Windows Store apps will only use the static Content URI Rules. @@ -117,11 +117,11 @@ ADMX Info: -This policy setting lets you control whether Windows Store apps can open files using the default desktop app for a file type. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a Windows Store app might compromise the system by opening a file in the default desktop app for a file type. +This policy setting lets you control whether Windows Store apps can open files using the default desktop app for a file type. Because desktop apps run at a higher integrity level than Windows Store apps, there's a risk that a Windows Store app might compromise the system by opening a file in the default desktop app for a file type. -If you enable this policy setting, Windows Store apps cannot open files in the default desktop app for a file type; they can open files only in other Windows Store apps. +If you enable this policy setting, Windows Store apps can't open files in the default desktop app for a file type; they can open files only in other Windows Store apps. -If you disable or do not configure this policy setting, Windows Store apps can open files in the default desktop app for a file type. +If you disable or don't configure this policy setting, Windows Store apps can open files in the default desktop app for a file type. @@ -164,9 +164,9 @@ ADMX Info: This policy setting controls whether Universal Windows apps with Windows Runtime API access directly from web content can be launched. -If you enable this policy setting, Universal Windows apps which declare Windows Runtime API access in ApplicationContentUriRules section of the manifest cannot be launched; Universal Windows apps which have not declared Windows Runtime API access in the manifest are not affected. +If you enable this policy setting, Universal Windows apps that declare Windows Runtime API access in ApplicationContentUriRules section of the manifest can't be launched; Universal Windows apps that haven't declared Windows Runtime API access in the manifest aren't affected. -If you disable or do not configure this policy setting, all Universal Windows apps can be launched. +If you disable or don't configure this policy setting, all Universal Windows apps can be launched. > [!WARNING] > This policy should not be enabled unless recommended by Microsoft as a security response because it can cause severe app compatibility issues. @@ -211,11 +211,11 @@ ADMX Info: -This policy setting lets you control whether Windows Store apps can open URIs using the default desktop app for a URI scheme. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a URI scheme launched by a Windows Store app might compromise the system by launching a desktop app. +This policy setting lets you control whether Windows Store apps can open URIs using the default desktop app for a URI scheme. Because desktop apps run at a higher integrity level than Windows Store apps, there's a risk that a URI scheme launched by a Windows Store app might compromise the system by launching a desktop app. -If you enable this policy setting, Windows Store apps cannot open URIs in the default desktop app for a URI scheme; they can open URIs only in other Windows Store apps. +If you enable this policy setting, Windows Store apps can't open URIs in the default desktop app for a URI scheme; they can open URIs only in other Windows Store apps. -If you disable or do not configure this policy setting, Windows Store apps can open URIs in the default desktop app for a URI scheme. +If you disable or don't configure this policy setting, Windows Store apps can open URIs in the default desktop app for a URI scheme. > [!NOTE] > Enabling this policy setting does not block Windows Store apps from opening the default desktop app for the http, https, and mailto URI schemes. The handlers for these URI schemes are hardened against URI-based vulnerabilities from untrusted sources, reducing the associated risk. diff --git a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md index c73a012b15..8a9bb817c9 100644 --- a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md +++ b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md @@ -77,13 +77,13 @@ This policy setting allows you to configure the logic that Windows uses to deter Preferring the file handler instructs Windows to use the file handler data over the file type data. For example, trust notepad.exe, but don't trust .txt files. -Preferring the file type instructs Windows to use the file type data over the file handler data. For example, trust .txt files, regardless of the file handler. Using both the file handler and type data is the most restrictive option. Windows chooses the more restrictive recommendation which will cause users to see more trust prompts than choosing the other options. +Preferring the file type instructs Windows to use the file type data over the file handler data. For example, trust .txt files, regardless of the file handler. Using both the file handler and type data is the most restrictive option. Windows chooses the more restrictive recommendation that will cause users to see more trust prompts than choosing the other options. If you enable this policy setting, you can choose the order in which Windows processes risk assessment data. If you disable this policy setting, Windows uses its default trust logic, which prefers the file handler over the file type. -If you do not configure this policy setting, Windows uses its default trust logic, which prefers the file handler over the file type. +If you don't configure this policy setting, Windows uses its default trust logic, which prefers the file handler over the file type. @@ -130,13 +130,13 @@ High Risk: If the attachment is in the list of high-risk file types and is from Moderate Risk: If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file. -Low Risk: If the attachment is in the list of low-risk file types, Windows will not prompt the user before accessing the file, regardless of the file's zone information. +Low Risk: If the attachment is in the list of low-risk file types, Windows won't prompt the user before accessing the file, regardless of the file's zone information. If you enable this policy setting, you can specify the default risk level for file types. If you disable this policy setting, Windows sets the default risk level to moderate. -If you do not configure this policy setting, Windows sets the default risk level to moderate. +If you don't configure this policy setting, Windows sets the default risk level to moderate. @@ -183,7 +183,7 @@ If you enable this policy setting, you can create a custom list of high-risk fil If you disable this policy setting, Windows uses its built-in list of file types that pose a high risk. -If you do not configure this policy setting, Windows uses its built-in list of high-risk file types. +If you don't configure this policy setting, Windows uses its built-in list of high-risk file types. @@ -224,13 +224,13 @@ ADMX Info: -This policy setting allows you to configure the list of low-risk file types. If the attachment is in the list of low-risk file types, Windows will not prompt the user before accessing the file, regardless of the file's zone information. This inclusion list overrides the list of high-risk file types built into Windows and has a lower precedence than the high-risk or medium-risk inclusion lists (where an extension is listed in more than one inclusion list). +This policy setting allows you to configure the list of low-risk file types. If the attachment is in the list of low-risk file types, Windows won't prompt the user before accessing the file, regardless of the file's zone information. This inclusion list overrides the list of high-risk file types built into Windows and has a lower precedence than the high-risk or medium-risk inclusion lists (where an extension is listed in more than one inclusion list). If you enable this policy setting, you can specify file types that pose a low risk. If you disable this policy setting, Windows uses its default trust logic. -If you do not configure this policy setting, Windows uses its default trust logic. +If you don't configure this policy setting, Windows uses its default trust logic. @@ -273,11 +273,11 @@ ADMX Info: This policy setting allows you to configure the list of moderate-risk file types. If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file. This inclusion list overrides the list of potentially high-risk file types built into Windows and it takes precedence over the low-risk inclusion list but has a lower precedence than the high-risk inclusion list (where an extension is listed in more than one inclusion list). -If you enable this policy setting, you can specify file types which pose a moderate risk. +If you enable this policy setting, you can specify file types that pose a moderate risk. If you disable this policy setting, Windows uses its default trust logic. -If you do not configure this policy setting, Windows uses its default trust logic. +If you don't configure this policy setting, Windows uses its default trust logic. diff --git a/windows/client-management/mdm/policy-csp-admx-auditsettings.md b/windows/client-management/mdm/policy-csp-admx-auditsettings.md index c0329444bd..e977a9fd9e 100644 --- a/windows/client-management/mdm/policy-csp-admx-auditsettings.md +++ b/windows/client-management/mdm/policy-csp-admx-auditsettings.md @@ -65,7 +65,7 @@ This policy setting determines what information is logged in security audit even If you enable this policy setting, the command line information for every process will be logged in plain text in the security event log as part of the Audit Process Creation event 4688, "a new process has been created," on the workstations and servers on which this policy setting is applied. -If you disable or do not configure this policy setting, the process's command line information will not be included in Audit Process Creation events. +If you disable or don't configure this policy setting, the process's command line information won't be included in Audit Process Creation events. Default is Not configured. diff --git a/windows/client-management/mdm/policy-csp-admx-bits.md b/windows/client-management/mdm/policy-csp-admx-bits.md index db8592a2d7..96f13849ae 100644 --- a/windows/client-management/mdm/policy-csp-admx-bits.md +++ b/windows/client-management/mdm/policy-csp-admx-bits.md @@ -102,12 +102,12 @@ manager: dansimp This setting affects whether the BITS client is allowed to use Windows Branch Cache. If the Windows Branch Cache component is installed and enabled on a computer, BITS jobs on that computer can use Windows Branch Cache by default. -If you enable this policy setting, the BITS client does not use Windows Branch Cache. +If you enable this policy setting, the BITS client doesn't use Windows Branch Cache. -If you disable or do not configure this policy setting, the BITS client uses Windows Branch Cache. +If you disable or don't configure this policy setting, the BITS client uses Windows Branch Cache. > [!NOTE] -> This policy setting does not affect the use of Windows Branch Cache by applications other than BITS. This policy setting does not apply to BITS transfers over SMB. This setting has no effect if the computer's administrative settings for Windows Branch Cache disable its use entirely. +> This policy setting doesn't affect the use of Windows Branch Cache by applications other than BITS. This policy setting doesn't apply to BITS transfers over SMB. This setting has no effect if the computer's administrative settings for Windows Branch Cache disable its use entirely. @@ -152,7 +152,7 @@ This policy setting specifies whether the computer will act as a BITS peer cachi If you enable this policy setting, the computer will no longer use the BITS peer caching feature to download files; files will be downloaded only from the origin server. However, the computer will still make files available to its peers. -If you disable or do not configure this policy setting, the computer attempts to download peer-enabled BITS jobs from peer computers before reverting to the origin server. +If you disable or don't configure this policy setting, the computer attempts to download peer-enabled BITS jobs from peer computers before reverting to the origin server. > [!NOTE] > This policy setting has no effect if the "Allow BITS peer caching" policy setting is disabled or not configured. @@ -201,7 +201,7 @@ This policy setting specifies whether the computer will act as a BITS peer cachi If you enable this policy setting, the computer will no longer cache downloaded files and offer them to its peers. However, the computer will still download files from peers. -If you disable or do not configure this policy setting, the computer will offer downloaded and cached files to its peers. +If you disable or don't configure this policy setting, the computer will offer downloaded and cached files to its peers. > [!NOTE] > This setting has no effect if the "Allow BITS peer caching" setting is disabled or not configured. @@ -249,11 +249,11 @@ ADMX Info: This policy setting determines if the Background Intelligent Transfer Service (BITS) peer caching feature is enabled on a specific computer. By default, the files in a BITS job are downloaded only from the origin server specified by the job's owner. -If BITS peer caching is enabled, BITS caches downloaded files and makes them available to other BITS peers. When transferring a download job, BITS first requests the files for the job from its peers in the same IP subnet. If none of the peers in the subnet have the requested files, BITS downloads them from the origin server. +If BITS peer caching is enabled, BITS caches downloaded files and makes them available to other BITS peers. When a download job is being transferred, BITS first requests the files for the job from its peers in the same IP subnet. If none of the peers in the subnet have the requested files, BITS downloads them from the origin server. -If you enable this policy setting, BITS downloads files from peers, caches the files, and responds to content requests from peers. Using the "Do not allow the computer to act as a BITS peer caching server" and "Do not allow the computer to act as a BITS peer caching client" policy settings, it is possible to control BITS peer caching functionality at a more detailed level. However, it should be noted that the "Allow BITS peer caching" policy setting must be enabled for the other two policy settings to have any effect. +If you enable this policy setting, BITS downloads files from peers, caches the files, and responds to content requests from peers. Using the "Do not allow the computer to act as a BITS peer caching server" and "Do not allow the computer to act as a BITS peer caching client" policy settings, it's possible to control BITS peer caching functionality at a more detailed level. However, it should be noted that the "Allow BITS peer caching" policy setting must be enabled for the other two policy settings to have any effect. -If you disable or do not configure this policy setting, the BITS peer caching feature will be disabled, and BITS will download files directly from the origin server. +If you disable or don't configure this policy setting, the BITS peer caching feature will be disabled, and BITS will download files directly from the origin server. @@ -296,15 +296,15 @@ ADMX Info: -This policy setting limits the network bandwidth that BITS uses for peer cache transfers (this setting does not affect transfers from the origin server). +This policy setting limits the network bandwidth that BITS uses for peer cache transfers (this setting doesn't affect transfers from the origin server). -To prevent any negative impact to a computer caused by serving other peers, by default BITS will use up to 30 percent of the bandwidth of the slowest active network interface. For example, if a computer has both a 100 Mbps network card and a 56 Kbps modem, and both are active, BITS will use a maximum of 30 percent of 56 Kbps. +To prevent any negative impact to a computer caused by serving other peers, by default, BITS will use up to 30 percent of the bandwidth of the slowest active network interface. For example, if a computer has both a 100-Mbps network card and a 56-Kbps modem, and both are active, BITS will use a maximum of 30 percent of 56 Kbps. You can change the default behavior of BITS, and specify a fixed maximum bandwidth that BITS will use for peer caching. If you enable this policy setting, you can enter a value in bits per second (bps) between 1048576 and 4294967200 to use as the maximum network bandwidth used for peer caching. -If you disable this policy setting or do not configure it, the default value of 30 percent of the slowest active network interface will be used. +If you disable this policy setting or don't configure it, the default value of 30 percent of the slowest active network interface will be used. > [!NOTE] > This setting has no effect if the "Allow BITS peer caching" policy setting is disabled or not configured. @@ -354,7 +354,7 @@ If you enable this policy setting, you can define a separate set of network band You can specify a limit to use for background jobs during a maintenance schedule. For example, if normal priority jobs are currently limited to 256 Kbps on a work schedule, you can further limit the network bandwidth of normal priority jobs to 0 Kbps from 8:00 A.M. to 10:00 A.M. on a maintenance schedule. -If you disable or do not configure this policy setting, the limits defined for work or non-work schedules will be used. +If you disable or don't configure this policy setting, the limits defined for work or non-work schedules will be used. > [!NOTE] > The bandwidth limits that are set for the maintenance period supersede any limits defined for work and other schedules. @@ -399,13 +399,13 @@ ADMX Info: -This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the work and non-work days and hours. The work schedule is defined using a weekly calendar, which consists of days of the week and hours of the day. All hours and days that are not defined in a work schedule are considered non-work hours. +This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the work and non-work days and hours. The work schedule is defined using a weekly calendar, which consists of days of the week and hours of the day. All hours and days that aren't defined in a work schedule are considered non-work hours. If you enable this policy setting, you can set up a schedule for limiting network bandwidth during both work and non-work hours. After the work schedule is defined, you can set the bandwidth usage limits for each of the three BITS background priority levels: high, normal, and low. You can specify a limit to use for background jobs during a work schedule. For example, you can limit the network bandwidth of low priority jobs to 128 Kbps from 8:00 A.M. to 5:00 P.M. on Monday through Friday, and then set the limit to 512 Kbps for non-work hours. -If you disable or do not configure this policy setting, BITS uses all available unused bandwidth for background job transfers. +If you disable or don't configure this policy setting, BITS uses all available unused bandwidth for background job transfers. @@ -451,7 +451,7 @@ This policy setting limits the maximum amount of disk space that can be used for If you enable this policy setting, you can enter the percentage of disk space to be used for the BITS peer cache. You can enter a value between 1 percent and 80 percent. -If you disable or do not configure this policy setting, the default size of the BITS peer cache is 1 percent of the total system disk size. +If you disable or don't configure this policy setting, the default size of the BITS peer cache is 1 percent of the total system disk size. > [!NOTE] > This policy setting has no effect if the "Allow BITS peer caching" setting is disabled or not configured. @@ -495,11 +495,11 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the maximum age of files in the Background Intelligent Transfer Service (BITS) peer cache. In order to make the most efficient use of disk space, by default BITS removes any files in the peer cache that have not been accessed in the past 90 days. +Available in the latest Windows 10 Insider Preview Build. This policy setting limits the maximum age of files in the Background Intelligent Transfer Service (BITS) peer cache. In order to make the most efficient use of disk space, by default, BITS removes any files in the peer cache that haven't been accessed in the past 90 days. If you enable this policy setting, you can specify in days the maximum age of files in the cache. You can enter a value between 1 and 120 days. -If you disable or do not configure this policy setting, files that have not been accessed for the past 90 days will be removed from the peer cache. +If you disable or don't configure this policy setting, files that haven't been accessed for the past 90 days will be removed from the peer cache. > [!NOTE] > This policy setting has no effect if the "Allow BITS Peercaching" policy setting is disabled or not configured. @@ -547,11 +547,11 @@ This policy setting limits the amount of time that Background Intelligent Transf The time limit applies only to the time that BITS is actively downloading files. When the cumulative download time exceeds this limit, the job is placed in the error state. -By default BITS uses a maximum download time of 90 days (7,776,000 seconds). +By default, BITS uses a maximum download time of 90 days (7,776,000 seconds). If you enable this policy setting, you can set the maximum job download time to a specified number of seconds. -If you disable or do not configure this policy setting, the default value of 90 days (7,776,000 seconds) will be used. +If you disable or don't configure this policy setting, the default value of 90 days (7,776,000 seconds) will be used. @@ -593,14 +593,14 @@ ADMX Info: -This policy setting limits the number of files that a BITS job can contain. By default, a BITS job is limited to 200 files. You can use this setting to raise or lower the maximum number of files a BITS jobs can contain. +This policy setting limits the number of files that a BITS job can contain. By default, a BITS job is limited to 200 files. You can use this setting to raise or lower the maximum number of files a BITS job can contain. If you enable this policy setting, BITS will limit the maximum number of files a job can contain to the specified number. -If you disable or do not configure this policy setting, BITS will use the default value of 200 for the maximum number of files a job can contain. +If you disable or don't configure this policy setting, BITS will use the default value of 200 for the maximum number of files a job can contain. > [!NOTE] -> BITS Jobs created by services and the local administrator account do not count toward this limit. +> BITS Jobs created by services and the local administrator account don't count toward this limit. @@ -646,10 +646,10 @@ This policy setting limits the number of BITS jobs that can be created for all u If you enable this policy setting, BITS will limit the maximum number of BITS jobs to the specified number. -If you disable or do not configure this policy setting, BITS will use the default BITS job limit of 300 jobs. +If you disable or don't configure this policy setting, BITS will use the default BITS job limit of 300 jobs. > [!NOTE] -> BITS jobs created by services and the local administrator account do not count toward this limit. +> BITS jobs created by services and the local administrator account don't count toward this limit. @@ -695,10 +695,10 @@ This policy setting limits the number of BITS jobs that can be created by a user If you enable this policy setting, BITS will limit the maximum number of BITS jobs a user can create to the specified number. -If you disable or do not configure this policy setting, BITS will use the default user BITS job limit of 300 jobs. +If you disable or don't configure this policy setting, BITS will use the default user BITS job limit of 300 jobs. > [!NOTE] -> This limit must be lower than the setting specified in the "Maximum number of BITS jobs for this computer" policy setting, or 300 if the "Maximum number of BITS jobs for this computer" policy setting is not configured. BITS jobs created by services and the local administrator account do not count toward this limit. +> This limit must be lower than the setting specified in the "Maximum number of BITS jobs for this computer" policy setting, or 300 if the "Maximum number of BITS jobs for this computer" policy setting is not configured. BITS jobs created by services and the local administrator account don't count toward this limit. @@ -744,10 +744,10 @@ This policy setting limits the number of ranges that can be added to a file in a If you enable this policy setting, BITS will limit the maximum number of ranges that can be added to a file to the specified number. -If you disable or do not configure this policy setting, BITS will limit ranges to 500 ranges per file. +If you disable or don't configure this policy setting, BITS will limit ranges to 500 ranges per file. > [!NOTE] -> BITS Jobs created by services and the local administrator account do not count toward this limit. +> BITS Jobs created by services and the local administrator account don't count toward this limit. diff --git a/windows/client-management/mdm/policy-csp-admx-controlpanel.md b/windows/client-management/mdm/policy-csp-admx-controlpanel.md index 4d63de3739..3474e7502e 100644 --- a/windows/client-management/mdm/policy-csp-admx-controlpanel.md +++ b/windows/client-management/mdm/policy-csp-admx-controlpanel.md @@ -130,7 +130,7 @@ If this policy setting is enabled, the Control Panel opens to the icon view. If this policy setting is disabled, the Control Panel opens to the category view. -If this policy setting is not configured, the Control Panel opens to the view used in the last Control Panel session. +If this policy setting isn't configured, the Control Panel opens to the view used in the last Control Panel session. > [!NOTE] > Icon size is dependent upon what the user has set it to in the previous session. @@ -177,7 +177,7 @@ ADMX Info: Available in the latest Windows 10 Insider Preview Build. Disables all Control Panel programs and the PC settings app. -This setting prevents Control.exe and SystemSettings.exe, the program files for Control Panel and PC settings, from starting. As a result, users cannot start Control Panel or PC settings, or run any of their items. +This setting prevents Control.exe and SystemSettings.exe, the program files for Control Panel and PC settings, from starting. As a result, users can't start Control Panel or PC settings, or run any of their items. This setting removes Control Panel from: @@ -233,7 +233,7 @@ ADMX Info: -This policy setting controls which Control Panel items such as Mouse, System, or Personalization, are displayed on the Control Panel window and the Start screen. The only items displayed in Control Panel are those you specify in this setting. This setting affects the Start screen and Control Panel, as well as other ways to access Control Panel items such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings. +This policy setting controls which Control Panel items such as Mouse, System, or Personalization, are displayed on the Control Panel window and the Start screen. The only items displayed in Control Panel are those items you specify in this setting. This setting affects the Start screen and Control Panel, as well as other ways to access Control Panel items such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings. To display a Control Panel item, enable this policy setting and click Show to access the list of allowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft.Mouse, Microsoft.System, or Microsoft.Personalization. From ababda2c198e4313e3d91bec32e48996801adaba Mon Sep 17 00:00:00 2001 From: gkomatsu Date: Tue, 22 Mar 2022 08:11:33 -0700 Subject: [PATCH 52/68] Added notes to use AAD v2 Tokens AAD has made platform change to only support AAD v2 Tokens. Added instructions in multi-app MDM app creation steps to clarify v2 Token is a hard requirement. --- .../mdm/azure-active-directory-integration-with-mdm.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md index 634025c4b9..c8a55e1c7f 100644 --- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md @@ -114,7 +114,10 @@ The MDM vendor must first register the application in their home tenant and mark > [!NOTE] > For the MDM provider, if you don't have an existing Azure AD tentant with an Azure AD subscription that you manage, follow the step-by-step guide in [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md) to set up a tenant, add a subscription, and manage it via the Azure Portal. -The MDM application uses keys to request access tokens from Azure AD. These keys are managed within the tenant of the MDM provider and not visible to individual customers. The same key is used by the multi-tenant MDM application to authenticate itself with Azure AD, whatever the customer tenent the managed device belongs. +The MDM application uses keys to request access tokens from Azure AD. These keys are managed within the tenant of the MDM provider and not visible to individual customers. The same key is used by the multi-tenant MDM application to authenticate itself with Azure AD, whatever the customer tenant the managed device belongs. + +> [!NOTE] +> All MDM apps must implement AAD V2 tokens before we certify that integration works. Due to changes in AAD app platform, it is a hard requirement. More info is available in [Microsoft identity platform access tokens](https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens#token-formats-and-ownership). Use the following steps to register a cloud-based MDM application with Azure AD. At this time, you need to work with the Azure AD engineering team to expose this application through the Azure AD app gallery. From 1712200957c80799e2c295ea71e54a76bb1bd77f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 22 Mar 2022 12:47:45 -0700 Subject: [PATCH 53/68] Update azure-active-directory-integration-with-mdm.md --- .../mdm/azure-active-directory-integration-with-mdm.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md index c8a55e1c7f..323d3f6d8e 100644 --- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md @@ -117,7 +117,7 @@ The MDM vendor must first register the application in their home tenant and mark The MDM application uses keys to request access tokens from Azure AD. These keys are managed within the tenant of the MDM provider and not visible to individual customers. The same key is used by the multi-tenant MDM application to authenticate itself with Azure AD, whatever the customer tenant the managed device belongs. > [!NOTE] -> All MDM apps must implement AAD V2 tokens before we certify that integration works. Due to changes in AAD app platform, it is a hard requirement. More info is available in [Microsoft identity platform access tokens](https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens#token-formats-and-ownership). +> All MDM apps must implement Azure AD V2 tokens before we certify that integration works. Due to changes in the Azure AD app platform, using Azure AD V2 tokens is a hard requirement. For more information, see [Microsoft identity platform access tokens](/azure/active-directory/develop/access-tokens#token-formats-and-ownership). Use the following steps to register a cloud-based MDM application with Azure AD. At this time, you need to work with the Azure AD engineering team to expose this application through the Azure AD app gallery. From 09e9f4f13f277c1eaf655063f3cbbb29873f2a38 Mon Sep 17 00:00:00 2001 From: Lee Yan Date: Tue, 5 Apr 2022 11:33:57 -0700 Subject: [PATCH 54/68] Update lock-down-windows-10-to-specific-apps.md --- windows/configuration/lock-down-windows-10-to-specific-apps.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index 54a3969108..cdfafbb396 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -24,6 +24,7 @@ ms.collection: highpri > [!NOTE] > [!INCLUDE [Multi-app kiosk mode not supported on Windows 11](./includes/multi-app-kiosk-support-windows11.md)] +> Add note: The user of dual- or multi-monitor is not supported for Multi-app kiosk mode. A [kiosk device](./kiosk-single-app.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp) was expanded to make it easy for administrators to create kiosks that run more than one app. The benefit of a kiosk that runs only one or more specified apps is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. From 5b4d02e7f20ee769b60fad3323a5523c1e74d0a0 Mon Sep 17 00:00:00 2001 From: Andrei-George Stoica <5600871+andreiztm@users.noreply.github.com> Date: Wed, 6 Apr 2022 12:34:31 +0300 Subject: [PATCH 55/68] Link to more information about automatic maintenance behavior --- windows/client-management/mdm/policy-csp-update.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 7b40a61a6b..36c9571d09 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -427,8 +427,8 @@ ADMX Info: The following list shows the supported values: - 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With these option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. -- 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart time. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that do not shut down properly on restart. -- 2 (default) – Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. Automatic restarting when a device is not being used is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shut down properly on restart. +- 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart time. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that do not shut down properly on restart. For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence). +- 2 (default) – Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. Automatic restarting when a device is not being used is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shut down properly on restart. For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence). - 3 – Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. - 4 – Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only. - 5 – Turn off automatic updates. From e3adc49723ae3bf9d96da554fa73ca1ba87b8cfb Mon Sep 17 00:00:00 2001 From: Shesh <56231259+sheshachary@users.noreply.github.com> Date: Thu, 14 Apr 2022 15:08:14 +0530 Subject: [PATCH 56/68] updated the broken links --- ...rsion-2-schema-and-enterprise-mode-tool.md | 8 ++++---- ...ie11-delivery-through-automatic-updates.md | 2 +- .../what-is-enterprise-mode.md | 2 -- .../licensing-version-and-features-ieak11.md | 2 +- ...-in-your-organization-modern-management.md | 2 +- ...e-active-directory-integration-with-mdm.md | 2 +- .../mdm/policy-csp-browser.md | 4 ++-- .../troubleshoot-stop-errors.md | 12 +++++------- .../troubleshoot-tcpip-rpc-errors.md | 2 +- .../troubleshoot-windows-freeze.md | 19 +------------------ .../privacy/Microsoft-DiagnosticDataViewer.md | 2 +- .../access-control/access-control.md | 2 +- .../access-control/microsoft-accounts.md | 2 +- .../identity-protection/configure-s-mime.md | 2 +- .../credential-guard-known-issues.md | 9 --------- .../vpn/vpn-conditional-access.md | 2 +- .../tpm/how-windows-uses-the-tpm.md | 2 +- .../create-wip-policy-using-intune-azure.md | 2 +- .../threat-protection/auditing/audit-sam.md | 2 -- .../threat-protection/auditing/event-4826.md | 4 ++-- .../threat-protection/auditing/event-4911.md | 2 +- .../threat-protection/auditing/event-4964.md | 2 +- .../threat-protection/auditing/event-5056.md | 2 -- .../threat-protection/auditing/event-5057.md | 2 -- .../threat-protection/auditing/event-5060.md | 2 -- 25 files changed, 28 insertions(+), 66 deletions(-) diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md index 37ef55dea6..18c0b63cac 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md @@ -16,9 +16,9 @@ ms.date: 10/24/2017 --- -# Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2) - -[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] +# Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2) + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] **Applies to:** @@ -91,7 +91,7 @@ The following is an example of what your XML file should look like when you’re ``` In the above example, the following is true: -- www.cpandl.com, as the main domain, must use IE8 Enterprise Mode. However, www.cpandl.com/images must use IE7 Enterprise Mode. +- ```www.cpandl.com```, as the main domain, must use IE8 Enterprise Mode. However, ```www.cpandl.com/images``` must use IE7 Enterprise Mode. - contoso.com, and all of its domain paths, can use the default compatibility mode for the site. diff --git a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md index cd8bea93d3..f937017376 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md +++ b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md @@ -60,7 +60,7 @@ If you use Automatic Updates in your company, but want to stop your users from a If you already use an update management solution, like [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [Microsoft Endpoint Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682129(v=technet.10)), you should use that instead of the Internet Explorer Blocker Toolkit. > [!NOTE] - > If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company. This scenario is discussed in detail in the Knowledge Base article [here](https://support.microsoft.com/kb/946202). + > If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company. Additional information on Internet Explorer 11, including a Readiness Toolkit, technical overview, in-depth feature summary, and Internet Explorer 11 download is available on the [Internet Explorer 11 page of the Microsoft Edge IT Center](https://technet.microsoft.com/microsoft-edge/dn262703.aspx). diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md index bebac3ffe6..fd8cca1014 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md +++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md @@ -170,6 +170,4 @@ Because the tool is open-source, the source code is readily available for examin - [Web Application Compatibility Lab Kit](https://technet.microsoft.com/microsoft-edge/mt612809.aspx) -- [Microsoft Services Support](https://www.microsoft.com/microsoftservices/support.aspx) - - [Find a Microsoft partner on Pinpoint](https://partnercenter.microsoft.com/pcv/search) \ No newline at end of file diff --git a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md index 54ae269373..9eba34b5e1 100644 --- a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md @@ -104,7 +104,7 @@ Support for some of the Internet Explorer settings on the wizard pages varies de Two installation modes are available to you, depending on how you are planning to use the customized browser created with the software. Each mode requires a separate installation of the software. - **External Distribution** - You shall use commercially reasonable efforts to maintain the quality of (i) any non-Microsoft software distributed with Internet Explorer 11, and (ii) any media used for distribution (for example, optical media, flash drives), at a level that meets or exceeds the highest industry standards. If you distribute add-ons with Internet Explorer 11, those add-ons must comply with the [Microsoft browser extension policy](/legal/windows/agreements/microsoft-browser-extension-policy). + You shall use commercially reasonable efforts to maintain the quality of (i) any non-Microsoft software distributed with Internet Explorer 11, and (ii) any media used for distribution (for example, optical media, flash drives), at a level that meets or exceeds the highest industry standards. If you distribute add-ons with Internet Explorer 11, those add-ons must comply with the [Microsoft browser extension policy](/legal/microsoft-edge/microsoft-browser-extension-policy). - **Internal Distribution - corporate intranet** The software is solely for use by your employees within your company's organization and affiliated companies through your corporate intranet. Neither you nor any of your employees may permit redistribution of the software to or for use by third parties other than for third parties such as consultants, contractors, and temporary staff accessing your corporate intranet. \ No newline at end of file diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md index 0e9dd8a789..55882ecb16 100644 --- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md +++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md @@ -135,6 +135,6 @@ There are a variety of steps you can take to begin the process of modernizing de ## Related topics -- [What is Intune?](//mem/intune/fundamentals/what-is-intune) +- [What is Intune?](/mem/intune/fundamentals/what-is-intune) - [Windows 10 Policy CSP](./mdm/policy-configuration-service-provider.md) - [Windows 10 Configuration service Providers](./mdm/configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md index 96dd333a39..cb81d2d6d3 100644 --- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md @@ -166,7 +166,7 @@ For more information about registering applications with Azure AD, see [Basics o The application keys used by your MDM service are a sensitive resource. They should be protected and rolled over periodically for greater security. Access tokens obtained by your MDM service to call the Microsoft Graph API are bearer tokens and should be protected to avoid unauthorized disclosure. -For security best practices, see [Windows Azure Security Essentials](https://go.microsoft.com/fwlink/p/?LinkId=613715). +For security best practices, see [Windows Azure Security Essentials](/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler). You can rollover the application keys used by a cloud-based MDM service without requiring a customer interaction. There's a single set of keys across all customer tenants that are managed by the MDM vendor in their Azure AD tenant. diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index cbf9ef190b..63b510d42f 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -2116,7 +2116,7 @@ Most restricted value: 0 > This policy has no effect when the Browser/HomePages policy is not configured.  > [!IMPORTANT] -> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the [Microsoft browser extension policy](/legal/windows/agreements/microsoft-browser-extension-policy). +> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the [Microsoft browser extension policy](/legal/microsoft-edge/microsoft-browser-extension-policy). @@ -2975,7 +2975,7 @@ Most restricted value: 0 [!INCLUDE [set-default-search-engine-shortdesc](../includes/set-default-search-engine-shortdesc.md)] > [!IMPORTANT] -> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the [Microsoft browser extension policy](/legal/windows/agreements/microsoft-browser-extension-policy). +> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the [Microsoft browser extension policy](/legal/microsoft-edge/microsoft-browser-extension-policy). Most restricted value: 0 diff --git a/windows/client-management/troubleshoot-stop-errors.md b/windows/client-management/troubleshoot-stop-errors.md index e9f150cb37..7cf04db28e 100644 --- a/windows/client-management/troubleshoot-stop-errors.md +++ b/windows/client-management/troubleshoot-stop-errors.md @@ -68,13 +68,11 @@ To troubleshoot Stop error messages, follow these general steps: 1. Run any relevant hardware and memory tests. -3. Run the [Machine Memory Dump Collector](https://home.diagnostics.support.microsoft.com/selfhelp?knowledgebasearticlefilter=2027760&wa=wsignin1.0) Windows diagnostic package. This diagnostic tool is used to collect machine memory dump files and check for known solutions. +3. Run [Microsoft Safety Scanner](https://www.microsoft.com/security/scanner/en-us/default.aspx) or any other virus detection program that includes checks of the Master Boot Record for infections. -4. Run [Microsoft Safety Scanner](https://www.microsoft.com/security/scanner/en-us/default.aspx) or any other virus detection program that includes checks of the Master Boot Record for infections. +4. Make sure that there is sufficient free space on the hard disk. The exact requirement varies, but we recommend 10–15 percent free disk space. -5. Make sure that there is sufficient free space on the hard disk. The exact requirement varies, but we recommend 10–15 percent free disk space. - -6. Contact the respective hardware or software vendor to update the drivers and applications in the following scenarios: +5. Contact the respective hardware or software vendor to update the drivers and applications in the following scenarios: - The error message indicates that a specific driver is causing the problem. - You are seeing an indication of a service that is starting or stopping before the crash occurred. In this situation, determine whether the service behavior is consistent across all instances of the crash. @@ -93,7 +91,7 @@ To troubleshoot Stop error messages, follow these general steps: To configure the system for memory dump files, follow these steps: -1. [Download DumpConfigurator tool](https://codeplexarchive.blob.core.windows.net/archive/projects/WinPlatTools/WinPlatTools.zip). +1. Use the DumpConfigurator tool. 2. Extract the .zip file and navigate to **Source Code** folder. @@ -266,7 +264,7 @@ SYSTEM_SERVICE_EXCEPTION
                                    Stop error code c000021a {Fatal System Error} The W NTFS_FILE_SYSTEM
                                    Stop error code 0x000000024 | This Stop error is commonly caused by corruption in the NTFS file system or bad blocks (sectors) on the hard disk. Corrupted drivers for hard disks (SATA or IDE) can also adversely affect the system's ability to read and write to disk. Run any hardware diagnostics that are provided by the manufacturer of the storage subsystem. Use the scan disk tool to verify that there are no file system errors. To do this, right-click the drive that you want to scan, select Properties, select Tools, and then select the Check now button.We also suggest that you update the NTFS file system driver (Ntfs.sys), and apply the latest cumulative updates for the current operating system that is experiencing the problem. KMODE_EXCEPTION_NOT_HANDLED
                                    Stop error code 0x0000001E | If a driver is identified in the Stop error message, disable or remove that driver. Disable or remove any drivers or services that were recently added.

                                    If the error occurs during the startup sequence, and the system partition is formatted by using the NTFS file system, you might be able to use Safe mode to disable the driver in Device Manager. To do this, follow these steps:

                                    Go to **Settings > Update & security > Recovery**. Under **Advanced startup**, select **Restart now**. After your PC restarts to the **Choose an option** screen, select **Troubleshoot > Advanced options > Startup Settings > Restart**. After the computer restarts, you'll see a list of options. Press **4** or **F4** to start the computer in Safe mode. Or, if you intend to use the Internet while in Safe mode, press **5** or **F5** for the Safe Mode with Networking option. DPC_WATCHDOG_VIOLATION
                                    Stop error code 0x00000133 | This Stop error code is caused by a faulty driver that does not complete its work within the allotted time frame in certain conditions. To enable us to help mitigate this error, collect the memory dump file from the system, and then use the Windows Debugger to find the faulty driver. If a driver is identified in the Stop error message, disable the driver to isolate the problem. Check with the manufacturer for driver updates. Check the system log in Event Viewer for additional error messages that might help identify the device or driver that is causing Stop error 0x133. Verify that any new hardware that is installed is compatible with the installed version of Windows. For example, you can get information about required hardware at Windows 10 Specifications. If Windows Debugger is installed, and you have access to public symbols, you can load the c:\windows\memory.dmp file into the Debugger, and then refer to [Determining the source of Bug Check 0x133 (DPC_WATCHDOG_VIOLATION) errors on Windows Server 2012](/archive/blogs/ntdebugging/determining-the-source-of-bug-check-0x133-dpc_watchdog_violation-errors-on-windows-server-2012) to find the problematic driver from the memory dump. -USER_MODE_HEALTH_MONITOR
                                    Stop error code 0x0000009E | This Stop error indicates that a user-mode health check failed in a way that prevents graceful shutdown. Therefore, Windows restores critical services by restarting or enabling application failover to other servers. The Clustering Service incorporates a detection mechanism that may detect unresponsiveness in user-mode components.
                                    This Stop error usually occurs in a clustered environment, and the indicated faulty driver is RHS.exe.Check the event logs for any storage failures to identify the failing process. Try to update the component or process that is indicated in the event logs. You should see the following event recorded:
                                    Event ID: 4870
                                    Source: Microsoft-Windows-FailoverClustering
                                    Description: User mode health monitoring has detected that the system is not being responsive. The Failover cluster virtual adapter has lost contact with the Cluster Server process with a process ID ‘%1’, for ‘%2’ seconds. Recovery action is taken. Review the Cluster logs to identify the process and investigate which items might cause the process to hang.
                                    For more information, see ["Why is my Failover Clustering node blue screening with a Stop 0x0000009E?"](https://blogs.technet.microsoft.com/askcore/2009/06/12/why-is-my-failover-clustering-node-blue-screening-with-a-stop-0x0000009e) Also, see the following Microsoft video [What to do if a 9E occurs](https://www.youtube.com/watch?v=vOJQEdmdSgw). +USER_MODE_HEALTH_MONITOR
                                    Stop error code 0x0000009E | This Stop error indicates that a user-mode health check failed in a way that prevents graceful shutdown. Therefore, Windows restores critical services by restarting or enabling application failover to other servers. The Clustering Service incorporates a detection mechanism that may detect unresponsiveness in user-mode components.
                                    This Stop error usually occurs in a clustered environment, and the indicated faulty driver is RHS.exe.Check the event logs for any storage failures to identify the failing process. Try to update the component or process that is indicated in the event logs. You should see the following event recorded:
                                    Event ID: 4870
                                    Source: Microsoft-Windows-FailoverClustering
                                    Description: User mode health monitoring has detected that the system is not being responsive. The Failover cluster virtual adapter has lost contact with the Cluster Server process with a process ID ‘%1’, for ‘%2’ seconds. Recovery action is taken. Review the Cluster logs to identify the process and investigate which items might cause the process to hang.
                                    For more information, see ["Why is my Failover Clustering node blue screening with a Stop 0x0000009E?"](https://techcommunity.microsoft.com/t5/failover-clustering/decoding-bugcheck-0x0000009e/ba-p/371863) Also, see the following Microsoft video [What to do if a 9E occurs](https://www.youtube.com/watch?v=vOJQEdmdSgw). ## Debugging examples diff --git a/windows/client-management/troubleshoot-tcpip-rpc-errors.md b/windows/client-management/troubleshoot-tcpip-rpc-errors.md index 6601c0c57d..1364f8bca1 100644 --- a/windows/client-management/troubleshoot-tcpip-rpc-errors.md +++ b/windows/client-management/troubleshoot-tcpip-rpc-errors.md @@ -101,7 +101,7 @@ You should open up a range of ports above port 5000. Port numbers below 5000 may >Description: >The Netlogon service could not add the AuthZ RPC interface. The service was terminated. The following error occurred: 'The parameter is incorrect.' -If you would like to do a deep dive as to how it works, see [RPC over IT/Pro](https://blogs.technet.microsoft.com/askds/2012/01/24/rpc-over-itpro/). +If you would like to do a deep dive as to how it works, see [RPC over IT/Pro](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/rpc-over-it-pro/ba-p/399898). ## Troubleshooting RPC error diff --git a/windows/client-management/troubleshoot-windows-freeze.md b/windows/client-management/troubleshoot-windows-freeze.md index 9d73bacae3..b529756032 100644 --- a/windows/client-management/troubleshoot-windows-freeze.md +++ b/windows/client-management/troubleshoot-windows-freeze.md @@ -175,15 +175,6 @@ logman stop LOGNAME_Long / LOGNAME_Short The Performance Monitor log is located in the path: C:\PERFLOGS -### Method 4: Microsoft Support Diagnostics - -1. In the search box of the [Microsoft Support Diagnostics Self-Help Portal](https://home.diagnostics.support.microsoft.com/selfhelp), type Windows Performance Diagnostic. - -2. In the search results, select **Windows Performance Diagnostic**, and then click **Create**. - -3. Follow the steps of the diagnostic. - - ### Additional methods to collect data #### Use memory dump to collect data for the physical computer that's running in a frozen state @@ -277,12 +268,4 @@ You can use VMware Snapshots or suspend state and extract a memory dump file equ #### Citrix XenServer -The memory dump process occurs by pressing the RIGHT CTRL + SCROLL LOCK + SCROLL LOCK keyboard combination that's described in Method 1 and on [the Citrix site](http://support.citrix.com/article/ctx123177). - -## Space limitations on the system drive in Windows Server 2008 - -On Windows Server 2008, you may not have enough free disk space to generate a complete memory dump file on the system volume. There's a [hotfix](https://support.microsoft.com/help/957517) that allows for the data collection even though there isn't sufficient space on the system drive to store the memory dump file. - -Additionally, on Windows Server 2008 Service Pack (SP2), there's a second option if the system drive doesn't have sufficient space. Namely, you can use the DedicatedDumpFile registry entry. To learn how to use the registry entry, see [New behavior in Windows Vista and Windows Server 2008](/windows/client-management/generate-kernel-or-complete-crash-dump). - -For more information, see [How to use the DedicatedDumpFile registry value to overcome space limitations on the system drive](https://blogs.msdn.com/b/ntdebugging/archive/2010/04/02/how-to-use-the-dedicateddumpfile-registry-value-to-overcome-space-limitations-on-the-system-drive-when-capturing-a-system-memory-dump.aspx). \ No newline at end of file +The memory dump process occurs by pressing the RIGHT CTRL + SCROLL LOCK + SCROLL LOCK keyboard combination that's described in Method 1 and on [the Citrix site](http://support.citrix.com/article/ctx123177). \ No newline at end of file diff --git a/windows/privacy/Microsoft-DiagnosticDataViewer.md b/windows/privacy/Microsoft-DiagnosticDataViewer.md index 8b2b1f883d..33e357fa9e 100644 --- a/windows/privacy/Microsoft-DiagnosticDataViewer.md +++ b/windows/privacy/Microsoft-DiagnosticDataViewer.md @@ -47,7 +47,7 @@ Using the Diagnostic Data Viewer for PowerShell requires administrative (elevate ### Install the Diagnostic Data Viewer for PowerShell >[!IMPORTANT] - >It is recommended to visit the documentation on [Getting Started](/powershell/gallery/getting-started) with PowerShell Gallery. This page provides more specific details on installing a PowerShell module. + >It is recommended to visit the documentation on [Getting Started](/powershell/scripting/gallery/getting-started) with PowerShell Gallery. This page provides more specific details on installing a PowerShell module. To install the newest version of the Diagnostic Data Viewer PowerShell module, run the following command within an elevated PowerShell session: ```powershell diff --git a/windows/security/identity-protection/access-control/access-control.md b/windows/security/identity-protection/access-control/access-control.md index eacb21eb26..2ba26987bb 100644 --- a/windows/security/identity-protection/access-control/access-control.md +++ b/windows/security/identity-protection/access-control/access-control.md @@ -131,7 +131,7 @@ For more information about user rights, see [User Rights Assignment](/windows/de With administrator's rights, you can audit users' successful or failed access to objects. You can select which object access to audit by using the access control user interface, but first you must enable the audit policy by selecting **Audit object access** under **Local Policies** in **Local Security Settings**. You can then view these security-related events in the Security log in Event Viewer. -For more information about auditing, see [Security Auditing Overview](/windows/security/threat-protection/auditing/security-auditing-overview). +For more information about auditing, see [Security Auditing Overview](../../threat-protection/auditing/security-auditing-overview.md). ## See also diff --git a/windows/security/identity-protection/access-control/microsoft-accounts.md b/windows/security/identity-protection/access-control/microsoft-accounts.md index 79e1a30a6a..992afda9d6 100644 --- a/windows/security/identity-protection/access-control/microsoft-accounts.md +++ b/windows/security/identity-protection/access-control/microsoft-accounts.md @@ -60,7 +60,7 @@ Credential information is encrypted twice. The first encryption is based on the Blank passwords are not allowed. - For more information, see [Microsoft Account Security Overview](https://www.microsoft.com/account/security/default.aspx). + For more information, see [How to help keep your Microsoft account safe and secure](https://support.microsoft.com/account-billing/how-to-help-keep-your-microsoft-account-safe-and-secure-628538c2-7006-33bb-5ef4-c917657362b9). - **Secondary proof of identity is required**. diff --git a/windows/security/identity-protection/configure-s-mime.md b/windows/security/identity-protection/configure-s-mime.md index d0ddb7f478..c6922f3901 100644 --- a/windows/security/identity-protection/configure-s-mime.md +++ b/windows/security/identity-protection/configure-s-mime.md @@ -43,7 +43,7 @@ A digitally signed message reassures the recipient that the message hasn't been - Valid Personal Information Exchange (PFX) certificates are installed on the device. - [How to Create PFX Certificate Profiles in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/mt131410(v=technet.10)) - - [Enable access to company resources using certificate profiles with Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=718216) + - [Enable access to company resources using certificate profiles with Microsoft Intune](/mem/intune/protect/certificates-configure) ## Choose S/MIME settings diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md index d370cb1473..3599199593 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md @@ -57,15 +57,6 @@ The following known issues have been fixed by servicing releases made available This issue can potentially lead to unexpected account lockouts. See also Microsoft® Knowledge Base articles [KB4015219](https://support.microsoft.com/help/4015219/windows-10-update-kb4015219) and [KB4015221](https://support.microsoft.com/help/4015221/windows-10-update-kb4015221) -- [KB4033236 Two incorrect logon attempts sent to Active Directory after Windows Defender Credential Guard installed on Windows](https://support.microsoft.com/help/4033236/two-incorrect-logon-attempts-sent-to-active-directory-after-credential?preview) - - This issue can potentially lead to unexpected account lockouts. The issue was fixed in servicing updates for each of the following operating systems: - - - Windows 10 Version 1607 and Windows Server 2016: - [KB4015217 (OS Build 14393.1066 and 14393.1083)](https://support.microsoft.com/help/4015217) - - Windows 10 Version 1511: [KB4015219 (OS Build 10586.873)](https://support.microsoft.com/help/4015219) - - Windows 10 Version 1507: [KB4015221 (OS Build 10240.17354)](https://support.microsoft.com/help/4015221) - ## Known issues involving third-party applications The following issue affects the Java GSS API. See the following Oracle bug database article: diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md index fafe96b51b..ec2a6bed29 100644 --- a/windows/security/identity-protection/vpn/vpn-conditional-access.md +++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md @@ -35,7 +35,7 @@ See also [Always On VPN deployment for Windows Server and Windows 10](/windows-s - Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When that certificate expires, the client will again check with Azure AD for health validation before a new certificate is issued. -- [Microsoft Intune device compliance policies](/intune/deploy-use/introduction-to-device-compliance-policies-in-microsoft-intune) - Cloud-based device compliance leverages Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things. +- [Microsoft Intune device compliance policies](/mem/intune/protect/device-compliance-get-started) - Cloud-based device compliance leverages Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things. - Antivirus status - Auto-update status and update compliance diff --git a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md index e12bbc3156..c54c2521ad 100644 --- a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md +++ b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md @@ -165,4 +165,4 @@ The TPM adds hardware-based security benefits to Windows. When installed on hard
                                    -Although some of the aforementioned features have additional hardware requirements (e.g., virtualization support), the TPM is a cornerstone of Windows security. Microsoft and other industry stakeholders continue to improve the global standards associated with TPM and find more and more applications that use it to provide tangible benefits to customers. Microsoft has included support for most TPM features in its version of Windows for the Internet of Things (IoT) called [Windows IoT Core](https://developer.microsoft.com/windows/iot/iotcore). IoT devices that might be deployed in insecure physical locations and connected to cloud services like [Azure IoT Hub](https://azure.microsoft.com/documentation/services/iot-hub/) for management can use the TPM in innovative ways to address their emerging security requirements. +Although some of the aforementioned features have additional hardware requirements (e.g., virtualization support), the TPM is a cornerstone of Windows security. Microsoft and other industry stakeholders continue to improve the global standards associated with TPM and find more and more applications that use it to provide tangible benefits to customers. Microsoft has included support for most TPM features in its version of Windows for the Internet of Things (IoT) called [Windows IoT Core](/windows/iot-core/windows-iot-core). IoT devices that might be deployed in insecure physical locations and connected to cloud services like [Azure IoT Hub](https://azure.microsoft.com/documentation/services/iot-hub/) for management can use the TPM in innovative ways to address their emerging security requirements. diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index f8388b1544..3fa8df029b 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -569,7 +569,7 @@ After you've decided where your protected apps can access enterprise data on you - **Off, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but protected apps. Not configured is the default option. -**Use Azure RMS for WIP.** Determines whether WIP uses [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management) to apply EFS encryption to files that are copied from Windows 10 to USB or other removable drives so they can be securely shared with employees. In other words, WIP uses Azure Rights Management "machinery" to apply EFS encryption to files when they're copied to removable drives. You must already have Azure Rights Management set up. The EFS file encryption key is protected by the RMS template’s license. Only users with permission to that template can read it from the removable drive. WIP can also integrate with Azure RMS by using the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings in the [EnterpriseDataProtection CSP](/windows/client-management/mdm/enterprisedataprotection-csp). +**Use Azure RMS for WIP.** Determines whether WIP uses [Microsoft Azure Rights Management](/azure/information-protection/what-is-azure-rms) to apply EFS encryption to files that are copied from Windows 10 to USB or other removable drives so they can be securely shared with employees. In other words, WIP uses Azure Rights Management "machinery" to apply EFS encryption to files when they're copied to removable drives. You must already have Azure Rights Management set up. The EFS file encryption key is protected by the RMS template’s license. Only users with permission to that template can read it from the removable drive. WIP can also integrate with Azure RMS by using the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings in the [EnterpriseDataProtection CSP](/windows/client-management/mdm/enterprisedataprotection-csp). - **On.** Protects files that are copied to a removable drive. You can enter a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. The RMS template is only applied to the files on removable media, and is only used for access control—it doesn’t actually apply Azure Information Protection to the files. diff --git a/windows/security/threat-protection/auditing/audit-sam.md b/windows/security/threat-protection/auditing/audit-sam.md index df74e9eb71..93c399ae54 100644 --- a/windows/security/threat-protection/auditing/audit-sam.md +++ b/windows/security/threat-protection/auditing/audit-sam.md @@ -42,8 +42,6 @@ Changes to user and group objects are tracked by the Account Management audit ca **Event volume**: High on domain controllers. -For information about reducing the number of events generated in this subcategory, see [KB841001](https://support.microsoft.com/kb/841001). - | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Domain Controller | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at [Security Account Manager](/previous-versions/windows/it-pro/windows-server-2003/cc756748(v=ws.10)) level. | diff --git a/windows/security/threat-protection/auditing/event-4826.md b/windows/security/threat-protection/auditing/event-4826.md index 136684f355..a5fc916065 100644 --- a/windows/security/threat-protection/auditing/event-4826.md +++ b/windows/security/threat-protection/auditing/event-4826.md @@ -120,9 +120,9 @@ This event is always logged regardless of the "Audit Other Policy Change Events" - **HyperVisor Load Options** \[Type = UnicodeString\]**:** shows hypervisor **loadoptions**. See more information here: . -- **HyperVisor Launch Type** \[Type = UnicodeString\]**:** shows the hypervisor launch options (**Off** or **Auto**). If you are setting up a debugger to debug Hyper-V on a target computer, set this option to **Auto** on the target computer. For more information, see [Attaching to a Target Computer Running Hyper-V](https://msdn.microsoft.com/library/windows/hardware/ff538138(v=vs.85).aspx). Information about [Hyper-V](/windows/deployment/deploy-whats-new) technology is available on Microsoft TechNet web site. +- **HyperVisor Launch Type** \[Type = UnicodeString\]**:** shows the hypervisor launch options (**Off** or **Auto**). If you are setting up a debugger to debug Hyper-V on a target computer, set this option to **Auto** on the target computer. For more information, see [Attaching to a Target Computer Running Hyper-V](/windows-hardware/drivers/debugger/setting-up-network-debugging-of-a-virtual-machine-host). Information about [Hyper-V](/windows/deployment/deploy-whats-new) technology is available on Microsoft TechNet web site. -- **HyperVisor Debugging** \[Type = UnicodeString\]**:** shows whether the hypervisor debugger is enabled or not (**Yes** or **No**). For information about hypervisor debugging, see [Attaching to a Target Computer Running Hyper-V](https://msdn.microsoft.com/library/windows/hardware/ff538138(v=vs.85).aspx). +- **HyperVisor Debugging** \[Type = UnicodeString\]**:** shows whether the hypervisor debugger is enabled or not (**Yes** or **No**). For information about hypervisor debugging, see [Attaching to a Target Computer Running Hyper-V](/windows-hardware/drivers/debugger/setting-up-network-debugging-of-a-virtual-machine-host). ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-4911.md b/windows/security/threat-protection/auditing/event-4911.md index dae7e74958..4a2e0e7e1f 100644 --- a/windows/security/threat-protection/auditing/event-4911.md +++ b/windows/security/threat-protection/auditing/event-4911.md @@ -23,7 +23,7 @@ ms.technology: windows-sec ***Event Description:*** -This event generates when [resource attributes](https://blogs.technet.com/b/canitpro/archive/2013/05/07/step-by-step-protecting-your-information-with-dynamic-access-control.aspx) of the file system object were changed. +This event generates when [resource attributes](/windows-server/identity/solution-guides/dynamic-access-control--scenario-overview) of the file system object were changed. Resource attributes for file or folder can be changed, for example, using Windows File Explorer (object’s Properties->Classification tab). diff --git a/windows/security/threat-protection/auditing/event-4964.md b/windows/security/threat-protection/auditing/event-4964.md index b153e56a00..6e7bc52761 100644 --- a/windows/security/threat-protection/auditing/event-4964.md +++ b/windows/security/threat-protection/auditing/event-4964.md @@ -23,7 +23,7 @@ ms.technology: windows-sec ***Event Description:*** -This event occurs when an account that is a member of any defined [Special Group](https://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx) logs in. +This event occurs when an account that is a member of any defined [Special Group](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/special-groups-auditing-via-group-policy-preferences/ba-p/395095) logs in. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. diff --git a/windows/security/threat-protection/auditing/event-5056.md b/windows/security/threat-protection/auditing/event-5056.md index 59e64af10b..a0be07f3bf 100644 --- a/windows/security/threat-protection/auditing/event-5056.md +++ b/windows/security/threat-protection/auditing/event-5056.md @@ -25,8 +25,6 @@ For more information about Cryptographic Next Generation (CNG) visit these pages - -- - - This event is mainly used for CNG troubleshooting. diff --git a/windows/security/threat-protection/auditing/event-5057.md b/windows/security/threat-protection/auditing/event-5057.md index 625c998826..8ef262994a 100644 --- a/windows/security/threat-protection/auditing/event-5057.md +++ b/windows/security/threat-protection/auditing/event-5057.md @@ -25,8 +25,6 @@ For more information about Cryptographic Next Generation (CNG) visit these pages - -- - - This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. diff --git a/windows/security/threat-protection/auditing/event-5060.md b/windows/security/threat-protection/auditing/event-5060.md index 9497f26ebf..e20a614013 100644 --- a/windows/security/threat-protection/auditing/event-5060.md +++ b/windows/security/threat-protection/auditing/event-5060.md @@ -25,8 +25,6 @@ For more information about CNG, visit these pages: - -- - - This event is mainly used for CNG troubleshooting. From 900677ed6d6ae3725b2717769e38d881d822b890 Mon Sep 17 00:00:00 2001 From: Shesh <56231259+sheshachary@users.noreply.github.com> Date: Thu, 14 Apr 2022 15:29:43 +0530 Subject: [PATCH 57/68] updated the warnings and suggestion --- windows/client-management/troubleshoot-windows-freeze.md | 2 -- windows/privacy/Microsoft-DiagnosticDataViewer.md | 2 +- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/client-management/troubleshoot-windows-freeze.md b/windows/client-management/troubleshoot-windows-freeze.md index b529756032..8f7addc632 100644 --- a/windows/client-management/troubleshoot-windows-freeze.md +++ b/windows/client-management/troubleshoot-windows-freeze.md @@ -106,8 +106,6 @@ If the computer is no longer frozen and now is running in a good state, use the 5. Make sure that there's a paging file (pagefile.sys) on the system drive and that it’s at least 100 megabytes (MB) over the installed RAM (Initial and Maximum Size). - Additionally, you can use the workaround for [space limitations on the system drive in Windows Server 2008](#space-limitations-on-the-system-drive-in-windows-server-2008). - 6. Make sure that there's more available space on the system drive than there is physical RAM. 2. Enable the CrashOnCtrlScroll registry value to allow the system to generate a dump file by using the keyboard. To do this, follow these steps: diff --git a/windows/privacy/Microsoft-DiagnosticDataViewer.md b/windows/privacy/Microsoft-DiagnosticDataViewer.md index 33e357fa9e..cfe5cdf277 100644 --- a/windows/privacy/Microsoft-DiagnosticDataViewer.md +++ b/windows/privacy/Microsoft-DiagnosticDataViewer.md @@ -187,4 +187,4 @@ When resetting the size of your data history to a lower value, be sure to turn o ## Related Links - [Module in PowerShell Gallery](https://www.powershellgallery.com/packages/Microsoft.DiagnosticDataViewer) -- [Documentation for Diagnostic Data Viewer for PowerShell](/powershell/module/microsoft.diagnosticdataviewer/?view=win10-ps) \ No newline at end of file +- [Documentation for Diagnostic Data Viewer for PowerShell](/powershell/module/microsoft.diagnosticdataviewer/?) \ No newline at end of file From aaca001696f2231cdc41703b85686f17938a8180 Mon Sep 17 00:00:00 2001 From: Shesh <56231259+sheshachary@users.noreply.github.com> Date: Tue, 19 Apr 2022 12:28:26 +0530 Subject: [PATCH 58/68] updated the broken links in the articles --- .../whats-new-windows-10-version-1703.md | 28 +++++++++---------- .../whats-new-windows-10-version-1709.md | 2 +- .../whats-new-windows-10-version-1809.md | 2 +- .../whats-new-windows-10-version-1903.md | 2 +- .../whats-new-windows-10-version-2004.md | 2 +- 5 files changed, 18 insertions(+), 18 deletions(-) diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index 84777b43cf..8b4d2992e1 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md @@ -125,27 +125,27 @@ You can read more about ransomware mitigations and detection capability in Micro Get a quick, but in-depth overview of Microsoft Defender for Endpoint for Windows 10 and the new capabilities in Windows 10, version 1703 see [Microsoft Defender for Endpoint for Windows 10 Creators Update](/windows/deployment/deploy-whats-new). ### Microsoft Defender Antivirus -Windows Defender is now called Microsoft Defender Antivirus, and we've [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). +Windows Defender is now called Microsoft Defender Antivirus, and we've [increased the breadth of the documentation library for enterprise security admins](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows). The new library includes information on: -- [Deploying and enabling AV protection](/windows/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus) -- [Managing updates](/windows/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) -- [Reporting](/windows/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus) -- [Configuring features](/windows/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features) -- [Troubleshooting](/windows/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus) +- [Deploying and enabling AV protection](/microsoft-365/security/defender-endpoint/deploy-microsoft-defender-antivirus) +- [Managing updates](/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus) +- [Reporting](/microsoft-365/security/defender-endpoint/report-monitor-microsoft-defender-antivirus) +- [Configuring features](/microsoft-365/security/defender-endpoint/configure-microsoft-defender-antivirus-features) +- [Troubleshooting](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus) Some of the highlights of the new library include: -- [Evaluation guide for Microsoft Defender AV](/windows/threat-protection/microsoft-defender-antivirus//evaluate-microsoft-defender-antivirus) -- [Deployment guide for Microsoft Defender AV in a virtual desktop infrastructure environment](/windows/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus) +- [Evaluation guide for Microsoft Defender AV](/microsoft-365/security/defender-endpoint/evaluate-microsoft-defender-antivirus) +- [Deployment guide for Microsoft Defender AV in a virtual desktop infrastructure environment](/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus) New features for Microsoft Defender AV in Windows 10, version 1703 include: -- [Updates to how the Block at First Sight feature can be configured](/windows/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus) -- [The ability to specify the level of cloud-protection](/windows/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus) -- [Microsoft Defender Antivirus protection in the Windows Defender Security Center app](/windows/threat-protection/microsoft-defender-antivirus/windows-defender-security-center-antivirus) +- [Updates to how the Block at First Sight feature can be configured](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus) +- [The ability to specify the level of cloud-protection](/microsoft-365/security/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus) +- [Microsoft Defender Antivirus protection in the Windows Defender Security Center app](/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus) -In Windows 10, version 1607, we [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment in version 1703 with [updated behavior monitoring and always-on real-time protection](/windows/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus). +In Windows 10, version 1607, we [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment in version 1703 with [updated behavior monitoring and always-on real-time protection](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus). You can read more about ransomware mitigations and detection capability in Microsoft Defender AV in the [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/). @@ -167,7 +167,7 @@ You can now reset a forgotten PIN without deleting company managed data or apps For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. -For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-features#pin-reset). +For more details, check out [What if I forget my PIN?](/security/identity-protection/hello-for-business/hello-feature-pin-reset.md). ### Windows Information Protection (WIP) and Azure Active Directory (Azure AD) Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune). @@ -186,7 +186,7 @@ Windows Update for Business managed devices are now able to defer feature update ### Windows Insider for Business -We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD). By enrolling devices in AAD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](/windows/deployment/update/waas-windows-insider-for-business). +We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD). By enrolling devices in AAD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](/windows-insider/business/register). ### Optimize update delivery diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md index e1c64c7943..bb97981cfe 100644 --- a/windows/whats-new/whats-new-windows-10-version-1709.md +++ b/windows/whats-new/whats-new-windows-10-version-1709.md @@ -87,7 +87,7 @@ The AssignedAccess CSP has been expanded to make it easy for administrators to c ### Microsoft Defender for Endpoint -Microsoft Defender for Endpoint has been expanded with powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. For more information, see [View the Microsoft Defender for Endpoint Security analytics dashboard](/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection). +Microsoft Defender for Endpoint has been expanded with powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. For more information, see [View the Microsoft Defender for Endpoint Security analytics dashboard](/microsoft-365/security/defender-endpoint/tvm-microsoft-secure-score-devices). ### Windows Defender Application Guard diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md index 7e050b3435..9ce31284cc 100644 --- a/windows/whats-new/whats-new-windows-10-version-1809.md +++ b/windows/whats-new/whats-new-windows-10-version-1809.md @@ -157,7 +157,7 @@ A network connection is now required to set up a new device. As a result, we rem - [Threat analytics](/windows/security/threat-protection/windows-defender-atp/threat-analytics)
                                    Threat Analytics is a set of interactive reports published by the Microsoft Defender for Endpoint research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. -- [Custom detection](/windows/security/threat-protection/windows-defender-atp/overview-custom-detections)
                                    +- [Custom detection](/microsoft-365/security/defender/custom-detections-overview)
                                    With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. - [Managed security service provider (MSSP) support](/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection)
                                    diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md index a048b03c95..35ed9f16c3 100644 --- a/windows/whats-new/whats-new-windows-10-version-1903.md +++ b/windows/whats-new/whats-new-windows-10-version-1903.md @@ -138,7 +138,7 @@ Several new features are coming in the next version of Edge. See the [news from ## See Also -[What's New in Windows Server, version 1903](/windows-server/get-started/whats-new-in-windows-server-1903): New and updated features in Windows Server.
                                    +[What's New in Windows Server, version 1903](/windows-server/get-started/whats-new-in-windows-server-1903-1909): New and updated features in Windows Server.
                                    [Windows 10 Features](https://www.microsoft.com/windows/features): Review general information about Windows 10 features.
                                    [What's New in Windows 10](./index.yml): See what’s new in other versions of Windows 10.
                                    [What's new in Windows 10](/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware.
                                    diff --git a/windows/whats-new/whats-new-windows-10-version-2004.md b/windows/whats-new/whats-new-windows-10-version-2004.md index e3d23c3da3..726580724f 100644 --- a/windows/whats-new/whats-new-windows-10-version-2004.md +++ b/windows/whats-new/whats-new-windows-10-version-2004.md @@ -263,6 +263,6 @@ For information about Desktop Analytics and this release of Windows 10, see [Wha - [What's New in Windows 10](./index.yml): See what's new in other versions of Windows 10. - [Start developing on Windows 10, version 2004 today](https://blogs.windows.com/windowsdeveloper/2020/05/12/start-developing-on-windows-10-version-2004-today/): New and updated features in Windows 10 that are of interest to developers. - [What's new for business in Windows 10 Insider Preview Builds](/windows-insider/Active-Dev-Branch): A preview of new features for businesses. -- [What's new in Windows 10, version 2004 - Windows Insiders](/windows-insider/at-home/whats-new-wip-at-home-20h1): This list also includes consumer focused new features. +- [What's new in Windows 10, version 2004 - Windows Insiders](/windows-insider/archive/new-in-20h1): This list also includes consumer focused new features. - [Features and functionality removed in Windows 10](/windows/deployment/planning/windows-10-removed-features): Removed features. - [Windows 10 features we're no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed. From 4a1a4520e673330b3478a59608cd1b4a9d103de4 Mon Sep 17 00:00:00 2001 From: Evan Miller Date: Wed, 27 Apr 2022 11:46:00 -0700 Subject: [PATCH 59/68] Adding link to HL page for policy. --- windows/client-management/mdm/policy-csp-power.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md index 6b1bf6a7d3..30eb1c679f 100644 --- a/windows/client-management/mdm/policy-csp-power.md +++ b/windows/client-management/mdm/policy-csp-power.md @@ -272,6 +272,8 @@ ADMX Info: |Enterprise|Yes|Yes| |Education|Yes|Yes| +Added to HoloLens 2 in [Windows Holographic, version 20H2](/hololens/hololens-release-notes-2004#new-power-policies-for-hololens-2). +
                                    From 2fddea2ad4cff0503b6b6221688755161b0fe0f6 Mon Sep 17 00:00:00 2001 From: Shesh <56231259+sheshachary@users.noreply.github.com> Date: Fri, 29 Apr 2022 12:16:43 +0530 Subject: [PATCH 60/68] updated the warnings --- .../ie11-delivery-through-automatic-updates.md | 2 +- windows/client-management/troubleshoot-windows-freeze.md | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md index f937017376..bbfd85b95e 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md +++ b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md @@ -2,7 +2,7 @@ ms.localizationpriority: medium ms.mktglfcycl: support ms.pagetype: security -description: +description: A high-level overview of the delivery process and your options to control deployment of Internet Explorer through automatic updates. author: dansimp ms.author: dansimp ms.manager: dansimp diff --git a/windows/client-management/troubleshoot-windows-freeze.md b/windows/client-management/troubleshoot-windows-freeze.md index cdaab205cb..01d04d52a9 100644 --- a/windows/client-management/troubleshoot-windows-freeze.md +++ b/windows/client-management/troubleshoot-windows-freeze.md @@ -106,8 +106,6 @@ If the computer is no longer frozen and now is running in a good state, use the 5. Make sure that there's a paging file (pagefile.sys) on the system drive and that it’s at least 100 megabytes (MB) over the installed RAM (Initial and Maximum Size). - Additionally, you can use the workaround for [space limitations on the system drive in Windows Server 2008](#space-limitations-on-the-system-drive-in-windows-server-2008). - 6. Make sure that there's more available space on the system drive than there's physical RAM. 2. Enable the CrashOnCtrlScroll registry value to allow the system to generate a dump file by using the keyboard. To do this enablement, follow these steps: From 7407b1fa4ce6d3387b58ecb80b3617e657ad6279 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Mon, 2 May 2022 17:20:05 -0700 Subject: [PATCH 61/68] editorial revision --- windows/configuration/lock-down-windows-10-to-specific-apps.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index cdfafbb396..1a07160c5e 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -24,7 +24,7 @@ ms.collection: highpri > [!NOTE] > [!INCLUDE [Multi-app kiosk mode not supported on Windows 11](./includes/multi-app-kiosk-support-windows11.md)] -> Add note: The user of dual- or multi-monitor is not supported for Multi-app kiosk mode. +> The use of multiple monitors isn't supported for multi-app kiosk mode. A [kiosk device](./kiosk-single-app.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp) was expanded to make it easy for administrators to create kiosks that run more than one app. The benefit of a kiosk that runs only one or more specified apps is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. From cab71e43f47442a67b3086124d7c68709d7b0764 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Mon, 2 May 2022 17:57:14 -0700 Subject: [PATCH 62/68] Acrolinx review --- .../lock-down-windows-10-to-specific-apps.md | 138 +++++++++--------- 1 file changed, 68 insertions(+), 70 deletions(-) diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index 1a07160c5e..b230404a80 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -1,18 +1,14 @@ --- -title: Set up a multi-app kiosk on Windows 10 | Microsoft Docs +title: Set up a multi-app kiosk on Windows 10 description: Learn how to configure a kiosk device running Windows 10 so that users can only run a few specific apps. -ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8 -ms.reviewer: sybruckm -manager: dougeby -keywords: ["lockdown", "app restrictions", "applocker"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: edu, security +ms.technology: windows author: aczechowski -ms.localizationpriority: medium ms.author: aaroncz -ms.topic: article +manager: dougeby +ms.reviewer: sybruckm +ms.localizationpriority: medium +ms.topic: how-to ms.collection: highpri --- @@ -26,7 +22,7 @@ ms.collection: highpri > [!INCLUDE [Multi-app kiosk mode not supported on Windows 11](./includes/multi-app-kiosk-support-windows11.md)] > The use of multiple monitors isn't supported for multi-app kiosk mode. -A [kiosk device](./kiosk-single-app.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp) was expanded to make it easy for administrators to create kiosks that run more than one app. The benefit of a kiosk that runs only one or more specified apps is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. +A [kiosk device](./kiosk-single-app.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp) was expanded to make it easy for administrators to create kiosks that run more than one app. The benefit of a kiosk that runs only one or more specified apps is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don't need to access. The following table lists changes to multi-app kiosk in recent updates. @@ -86,11 +82,11 @@ Let's start by looking at the basic structure of the XML file. - Multiple config sections can be associated to the same profile. -- A profile has no effect if it’s not associated to a config section. +- A profile has no effect if it's not associated to a config section. ![profile = app and config = account.](images/profile-config.png) -You can start your file by pasting the following XML (or any other examples in this topic) into a XML editor, and saving the file as *filename*.xml. Each section of this XML is explained in this topic. You can see a full sample version in the [Assigned access XML reference.](kiosk-xml.md) +You can start your file by pasting the following XML into an XML editor, and saving the file as *filename*.xml. Each section of this XML is explained in this article. You can see a full sample version in the [Assigned access XML reference.](kiosk-xml.md) ```xml @@ -121,7 +117,7 @@ You can start your file by pasting the following XML (or any other examples in t There are two types of profiles that you can specify in the XML: - **Lockdown profile**: Users assigned a lockdown profile will see the desktop in tablet mode with the specific apps on the Start screen. -- **Kiosk profile**: Starting with Windows 10 version 1803, this profile replaces the KioskModeApp node of the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). Users assigned a kiosk profile will not see the desktop, but only the kiosk app running in full-screen mode. +- **Kiosk profile**: Starting with Windows 10 version 1803, this profile replaces the KioskModeApp node of the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). Users assigned a kiosk profile won't see the desktop, but only the kiosk app running in full-screen mode. A lockdown profile section in the XML has the following entries: @@ -156,25 +152,25 @@ The profile **Id** is a GUID attribute to uniquely identify the profile. You can **AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications. Starting with Windows 10 version 1809, you can configure a single app in the **AllowedApps** list to run automatically when the assigned access user account signs in. - For UWP apps, you need to provide the App User Model ID (AUMID). [Learn how to get the AUMID](./find-the-application-user-model-id-of-an-installed-app.md), or [get the AUMID from the Start Layout XML](#startlayout). -- For desktop apps, you need to specify the full path of the executable, which can contain one or more system environment variables in the form of %variableName% (i.e. %systemroot%, %windir%). -- If an app has a dependency on another app, both must be included in the allowed apps list. For example, Internet Explorer 64-bit has a dependency on Internet Explorer 32-bit, so you must allow both "C:\Program Files\internet explorer\iexplore.exe" and “C:\Program Files (x86)\Internet Explorer\iexplore.exe”. +- For desktop apps, you need to specify the full path of the executable, which can contain one or more system environment variables in the form of `%variableName%`. For example, `%systemroot%` or `%windir%`. +- If an app has a dependency on another app, both must be included in the allowed apps list. For example, Internet Explorer 64-bit has a dependency on Internet Explorer 32-bit, so you must allow both `"C:\Program Files\internet explorer\iexplore.exe"` and `"C:\Program Files (x86)\Internet Explorer\iexplore.exe"`. - To configure a single app to launch automatically when the user signs in, include `rs5:AutoLaunch="true"` after the AUMID or path. You can also include arguments to be passed to the app. For an example, see [the AllowedApps sample XML](#apps-sample). When the multi-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration. Here are the predefined assigned access AppLocker rules for **UWP apps**: 1. Default rule is to allow all users to launch the signed package apps. -2. The package app deny list is generated at runtime when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the deny list. This list will exclude the default allowed inbox package apps which are critical for the system to function, and then exclude the allowed packages that enterprises defined in the assigned access configuration. If there are multiple apps within the same package, all these apps will be excluded. This deny list will be used to prevent the user from accessing the apps which are currently available for the user but not in the allowed list. +2. The package app blocklist is generated at runtime when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the blocklist. This list will exclude the default allowed inbox package apps, which are critical for the system to function. It then excludes the allowed packages that enterprises defined in the assigned access configuration. If there are multiple apps within the same package, all these apps will be excluded. This blocklist will be used to prevent the user from accessing the apps that are currently available for the user but not in the allowed list. - >[!NOTE] - >You cannot manage AppLocker rules that are generated by the multi-app kiosk configuration in [MMC snap-ins](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh994629(v=ws.11)#BKMK_Using_Snapins). Avoid creating AppLocker rules that conflict with AppLocker rules that are generated by the multi-app kiosk configuration. + > [!NOTE] + > You can't manage AppLocker rules that are generated by the multi-app kiosk configuration in [MMC snap-ins](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh994629(v=ws.11)#BKMK_Using_Snapins). Avoid creating AppLocker rules that conflict with AppLocker rules that are generated by the multi-app kiosk configuration. > - >Multi-app kiosk mode doesn’t block the enterprise or the users from installing UWP apps. When a new UWP app is installed during the current assigned access user session, this app will not be in the deny list. When the user signs out and signs in again, the app will be included in the deny list. If this is an enterprise-deployed line-of-business app and you want to allow it to run, update the assigned access configuration to include it in the allowed app list. + > Multi-app kiosk mode doesn't block the enterprise or the users from installing UWP apps. When a new UWP app is installed during the current assigned access user session, this app will not be in the deny list. When the user signs out and signs in again, the app will be included in the blocklist. If this is an enterprise-deployed line-of-business app and you want to allow it to run, update the assigned access configuration to include it in the allowed app list. Here are the predefined assigned access AppLocker rules for **desktop apps**: 1. Default rule is to allow all users to launch the desktop programs signed with Microsoft Certificate in order for the system to boot and function. The rule also allows the admin user group to launch all desktop programs. -2. There is a predefined inbox desktop app deny list for the assigned access user account, and this deny list is adjusted based on the desktop app allow list that you defined in the multi-app configuration. -3. Enterprise-defined allowed desktop apps are added in the AppLocker allow list. +2. There's a predefined inbox desktop app blocklist for the assigned access user account, and this blocklist is adjusted based on the desktop app allowlist that you defined in the multi-app configuration. +3. Enterprise-defined allowed desktop apps are added in the AppLocker allowlist. The following example allows Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps to run on the device, with Notepad configured to automatically launch and create a file called `123.text` when the user signs in. @@ -196,7 +192,7 @@ The following example allows Groove Music, Movies & TV, Photos, Weather, Calcula ##### FileExplorerNamespaceRestrictions -Starting in Windows 10 version 1809, you can explicitly allow some known folders to be accessed when the user tries to open the file dialog box in multi-app assigned access by including **FileExplorerNamespaceRestrictions** in your XML file. Currently, **Downloads** is the only folder supported. This can also be set using Microsoft Intune. +Starting in Windows 10 version 1809, you can explicitly allow some known folders to be accessed when the user tries to open the file dialog box in multi-app assigned access by including **FileExplorerNamespaceRestrictions** in your XML file. Currently, **Downloads** is the only folder supported. This behavior can also be set using Microsoft Intune. The following example shows how to allow user access to the Downloads folder in the common file dialog box. @@ -226,13 +222,14 @@ The following example shows how to allow user access to the Downloads folder in ``` -FileExplorerNamespaceRestriction has been extended in current Windows 10 Prerelease for finer granularity and easier use, see in the [Assigned access XML reference.](kiosk-xml.md) for full samples. The changes will allow IT Admin to configure if user can access Downloads folder, Removable drives, or no restriction at all by using certain new elements. Note that FileExplorerNamesapceRestrictions and AllowedNamespace:Downloads are available in namespace https://schemas.microsoft.com/AssignedAccess/201810/config, AllowRemovableDrives and NoRestriction are defined in a new namespace https://schemas.microsoft.com/AssignedAccess/2020/config. -* When FileExplorerNamespaceRestrictions node is not used, or used but left empty, user will not be able to access any folder in common dialog (e.g. Save As in Microsoft Edge browser). +`FileExplorerNamespaceRestriction` has been extended in current Windows 10 Prerelease for finer granularity and easier use, see in the [Assigned access XML reference.](kiosk-xml.md) for full samples. The changes will allow IT Admin to configure if user can access Downloads folder, Removable drives, or no restriction at all by using certain new elements. Note that `FileExplorerNamespaceRestrictions` and `AllowedNamespace:Downloads` are available in namespace ```https://schemas.microsoft.com/AssignedAccess/201810/config```, `AllowRemovableDrives` and `NoRestriction` are defined in a new namespace ```https://schemas.microsoft.com/AssignedAccess/2020/config```. + +* When `FileExplorerNamespaceRestrictions` node isn't used, or used but left empty, the user won't be able to access any folder in a common dialog. For example, **Save As** in the Microsoft Edge browser. * When Downloads is mentioned in allowed namespace, user will be able to access Downloads folder. -* When AllowRemovableDrives is used, user will be to access removable drives. -* When NoRestriction is used, no restriction will be applied to the dialog. -* AllowRemovableDrives and AllowedNamespace:Downloads can be used at the same time. +* When `AllowRemovableDrives` is used, user will be to access removable drives. +* When `NoRestriction` is used, no restriction will be applied to the dialog. +* `AllowRemovableDrives` and `AllowedNamespace:Downloads` can be used at the same time. ##### StartLayout @@ -244,10 +241,10 @@ A few things to note here: - The test device on which you customize the Start layout should have the same OS version that is installed on the device where you plan to deploy the multi-app assigned access configuration. - Since the multi-app assigned access experience is intended for fixed-purpose devices, to ensure the device experiences are consistent and predictable, use the *full* Start layout option instead of the *partial* Start layout. -- There are no apps pinned on the taskbar in the multi-app mode, and it is not supported to configure Taskbar layout using the `` tag in a layout modification XML as part of the assigned access configuration. -- The following example uses DesktopApplicationLinkPath to pin the desktop app to start. When the desktop app doesn’t have a shortcut link on the target device, [learn how to provision .lnk files using Windows Configuration Designer](#lnk-files). +- There are no apps pinned on the taskbar in the multi-app mode, and it's not supported to configure Taskbar layout using the `` tag in a layout modification XML as part of the assigned access configuration. +- The following example uses `DesktopApplicationLinkPath` to pin the desktop app to start. When the desktop app doesn’t have a shortcut link on the target device, [learn how to provision .lnk files using Windows Configuration Designer](#lnk-files). -This example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps on Start. +The following example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps on Start: ```xml @@ -312,9 +309,9 @@ The following example hides the taskbar: #### Configs -Under **Configs**, define which user account will be associated with the profile. When this user account signs in on the device, the associated assigned access profile will be enforced, including the allowed apps, Start layout, and taskbar configuration, as well as other local group policies or mobile device management (MDM) policies set as part of the multi-app experience. +Under **Configs**, define which user account will be associated with the profile. When this user account signs in on the device, the associated assigned access profile will be enforced. This behavior includes the allowed apps, Start layout, taskbar configuration, and other local group policies or mobile device management (MDM) policies set as part of the multi-app experience. -The full multi-app assigned access experience can only work for non-admin users. It’s not supported to associate an admin user with the assigned access profile; doing this in the XML file will result in unexpected/unsupported experiences when this admin user signs in. +The full multi-app assigned access experience can only work for non-admin users. It's not supported to associate an admin user with the assigned access profile. Making this configuration in the XML file will result in unexpected or unsupported experiences when this admin user signs in. You can assign: @@ -362,7 +359,7 @@ Individual accounts are specified using ``. - Local account can be entered as `machinename\account` or `.\account` or just `account`. - Domain account should be entered as `domain\account`. -- Azure AD account must be specified in this format: `AzureAD\{email address}`. **AzureAD** must be provided AS IS (consider it’s a fixed domain name), then follow with the Azure AD email address, e.g. AzureAD\someone@contoso.onmicrosoft.com. +- Azure AD account must be specified in this format: `AzureAD\{email address}`. **AzureAD** must be provided _as is_, and consider it's a fixed domain name. Then follow with the Azure AD email address. For example, `AzureAD\someone@contoso.onmicrosoft.com` >[!WARNING] >Assigned access can be configured via WMI or CSP to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so. @@ -370,7 +367,7 @@ Individual accounts are specified using ``. Before applying the multi-app configuration, make sure the specified user account is available on the device, otherwise it will fail. >[!NOTE] ->For both domain and Azure AD accounts, it’s not required that target account is explicitly added to the device. As long as the device is AD-joined or Azure AD-joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for assigned access. +>For both domain and Azure AD accounts, it's not required that target account is explicitly added to the device. As long as the device is AD-joined or Azure AD-joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for assigned access. ```xml @@ -383,9 +380,9 @@ Before applying the multi-app configuration, make sure the specified user accoun ##### Config for group accounts -Group accounts are specified using ``. Nested groups are not supported. For example, if user A is member of Group 1, Group 1 is member of Group 2, and Group 2 is used in ``, user A will not have the kiosk experience. +Group accounts are specified using ``. Nested groups aren't supported. For example, if user A is member of Group 1, Group 1 is member of Group 2, and Group 2 is used in ``, user A won't have the kiosk experience. -- Local group: Specify the group type as **LocalGroup** and put the group name in Name attribute. Any Azure AD accounts that are added to the local group will not have the kiosk settings applied. +- Local group: Specify the group type as **LocalGroup** and put the group name in Name attribute. Any Azure AD accounts that are added to the local group won't have the kiosk settings applied. ```xml @@ -417,15 +414,16 @@ Group accounts are specified using ``. Nested groups are not supporte -#### [Preview] Global Profile -Global profile is added in Windows 10. There are times when IT Admin wants to everyone who logging into a specific devices are assigned access users, even there is no dedicated profile for that user, or there are times that Assigned Access could not identify a profile for the user and a fallback profile is wished to use. Global Profile is designed for these scenarios. +#### [Preview] Global profile -Usage is demonstrated below, by using the new xml namespace and specify GlobalProfile from that namespace. When GlobalProfile is configured, a non-admin account logs in, if this user does not have designated profile in Assigned Access, or Assigned Access fails to determine a profile for current user, global profile will be applied for the user. +Global profile is available in Windows 10. If you want everyone who signs into a specific device to be assigned as an access user, even if there's no dedicated profile for that user. Alternatively, perhaps Assigned Access couldn't identify a profile for the user and you want to have a fallback profile. Global profile is designed for these scenarios. -Note: -1. GlobalProfile can only be multi-app profile -2. Only one GlobalProfile can be used in one AssignedAccess Configuration Xml -3. GlobalProfile can be used as the only config, or it can be used among with regular user or group Config. +Usage is demonstrated below, by using the new XML namespace and specifying `GlobalProfile` from that namespace. When you configure `GlobalProfile`, a non-admin account logs in, if this user doesn't have a designated profile in Assigned Access, or Assigned Access fails to determine a profile for current user, a global profile is applied for the user. + +> [!NOTE] +> 1. `GlobalProfile` can only be a multi-app profile. +> 2. Only one `GlobalProfile` can be used in one `AssignedAccess` configuration XML. +> 3. `GlobalProfile` can be used as the only config, or it can be used along with regular user or group config. ```xml @@ -487,25 +485,25 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L >[!IMPORTANT] >When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. -1. Open Windows Configuration Designer (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). +1. Open Windows Configuration Designer. By default: `%systemdrive%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe`. 2. Choose **Advanced provisioning**. -3. Name your project, and click **Next**. +3. Name your project, and select **Next**. -4. Choose **All Windows desktop editions** and click **Next**. +4. Choose **All Windows desktop editions** and select **Next**. -5. On **New project**, click **Finish**. The workspace for your package opens. +5. On **New project**, select **Finish**. The workspace for your package opens. 6. Expand **Runtime settings** > **AssignedAccess** > **MultiAppAssignedAccessSettings**. -7. In the center pane, click **Browse** to locate and select the assigned access configuration XML file that you created. +7. In the center pane, select **Browse**. Locate and select the assigned access configuration XML file that you created. ![Screenshot of the MultiAppAssignedAccessSettings field in Windows Configuration Designer.](images/multiappassignedaccesssettings.png) -8. (**Optional**: If you want to apply the provisioning package after device initial setup and there is an admin user already available on the kiosk device, skip this step.) Create an admin user account in **Runtime settings** > **Accounts** > **Users**. Provide a **UserName** and **Password**, and select **UserGroup** as **Administrators**. With this account, you can view the provisioning status and logs if needed. +8. _Optional: If you want to apply the provisioning package after device initial setup and there's an admin user already available on the kiosk device, skip this step._ Create an admin user account in **Runtime settings** > **Accounts** > **Users**. Provide a **UserName** and **Password**, and select **UserGroup** as **Administrators**. With this account, you can view the provisioning status and logs if needed. -9. (**Optional**: If you already have a non-admin account on the kiosk device, skip this step.) Create a local standard user account in **Runtime settings** > **Accounts** > **Users**. Make sure the **UserName** is the same as the account that you specify in the configuration XML. Select **UserGroup** as **Standard Users**. +9. _Optional: If you already have a non-admin account on the kiosk device, skip this step._ Create a local standard user account in **Runtime settings** > **Accounts** > **Users**. Make sure the **UserName** is the same as the account that you specify in the configuration XML. Select **UserGroup** as **Standard Users**. 10. On the **File** menu, select **Save.** @@ -519,22 +517,22 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse** and choosing the certificate you want to use to sign the package. -14. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location. +14. Select **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location. - Optionally, you can click **Browse** to change the default output location. + Optionally, you can select **Browse** to change the default output location. -15. Click **Next**. +15. Select **Next**. -16. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. +16. Select **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. - If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. + If you need to cancel the build, select **Cancel**. This action cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. 17. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. + - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this action, select **Back** to change the output package name and path, and then select **Next** to start another build. + - If you're done, select **Finish** to close the wizard and go back to the **Customizations Page**. 18. Copy the provisioning package to the root directory of a USB drive. @@ -574,16 +572,16 @@ Provisioning packages can be applied to a device during the first-run experience 1. Sign in with an admin account. 2. Insert the USB drive to a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. For a provisioning package stored on a network folder or on a SharePoint site, navigate to the provisioning package and double-click it to begin installation. ->[!NOTE] ->if your provisioning package doesn’t include the assigned access user account creation, make sure the account you specified in the multi-app configuration XML exists on the device. +> [!NOTE] +> If your provisioning package doesn't include the assigned access user account creation, make sure the account you specified in the multi-app configuration XML exists on the device. -![add a package option.](images/package.png) +![Add a package option.](images/package.png) ### Use MDM to deploy the multi-app configuration Multi-app kiosk mode is enabled by the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp). Your MDM policy can contain the assigned access configuration XML. -If your device is enrolled with a MDM server which supports applying the assigned access configuration, you can use it to apply the setting remotely. +If your device is enrolled with an MDM service that supports applying the assigned access configuration, you can use it to apply the setting remotely. The OMA-URI for multi-app policy is `./Device/Vendor/MSFT/AssignedAccess/Configuration`. @@ -600,23 +598,23 @@ To create a multi-app kiosk that can run mixed reality apps, you must include th ``` -These are in addition to any mixed reality apps that you allow. +These apps are in addition to any mixed reality apps that you allow. -**Before your kiosk user signs in:** An admin user must sign in to the PC, connect a mixed reality device, and complete the guided setup for the Mixed Reality Portal. The first time that the Mixed Reality Portal is set up, some files and content are downloaded. A kiosk user would not have permissions to download and so their setup of the Mixed Reality Portal would fail. +**Before your kiosk user signs in:** An admin user must sign in to the PC, connect a mixed reality device, and complete the guided setup for the Mixed Reality Portal. The first time that the Mixed Reality Portal is set up, some files and content are downloaded. A kiosk user wouldn't have permissions to download and so their setup of the Mixed Reality Portal would fail. After the admin has completed setup, the kiosk account can sign in and repeat the setup. The admin user may want to complete the kiosk user setup before providing the PC to employees or customers. -There is a difference between the mixed reality experiences for a kiosk user and other users. Typically, when a user connects a mixed reality device, they begin in the [Mixed Reality home](https://developer.microsoft.com/windows/mixed-reality/navigating_the_windows_mixed_reality_home). The Mixed Reality home is a shell that runs in "silent" mode when the PC is configured as a kiosk. When a kiosk user connects a mixed reality device, they will see only a blank display in the device, and will not have access to the features and functionality available in the home. To run a mixed reality app, the kiosk user must launch the app from the PC Start screen. +There's a difference between the mixed reality experiences for a kiosk user and other users. Typically, when a user connects a mixed reality device, they begin in the [Mixed Reality home](https://developer.microsoft.com/windows/mixed-reality/navigating_the_windows_mixed_reality_home). The Mixed Reality home is a shell that runs in "silent" mode when the PC is configured as a kiosk. When a kiosk user connects a mixed reality device, they'll see only a blank display in the device, and won't have access to the features and functionality available in the home. To run a mixed reality app, the kiosk user must launch the app from the PC Start screen. ## Policies set by multi-app kiosk configuration -It is not recommended to set policies enforced in assigned access multi-app mode to different values using other channels, as the multi-app mode has been optimized to provide a locked-down experience. +It's not recommended to set policies enforced in assigned access multi-app mode to different values using other channels, as the multi-app mode has been optimized to provide a locked-down experience. -When the multi-app assigned access configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device. +When the multi-app assigned access configuration is applied on the device, certain policies are enforced system-wide, and will affect other users on the device. -### Group Policy +### Group policy -The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. This includes local users, domain users, and Azure Active Directory users. +The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. This list includes local users, domain users, and Azure Active Directory users. | Setting | Value | | --- | --- | @@ -652,7 +650,7 @@ Prevent access to drives from My Computer | Enabled - Restrict all drivers ### MDM policy -Some of the MDM policies based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider) affect all users on the system (i.e. system-wide). +Some of the MDM policies based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider) affect all users on the system. Setting | Value | System-wide --- | --- | --- From 46f89b216fc2a872193b6a8f470f55ac3f2ec119 Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Mon, 2 May 2022 19:44:02 -0600 Subject: [PATCH 63/68] Update waas-delivery-optimization-setup.md --- .../do/waas-delivery-optimization-setup.md | 72 +++++++++++++++---- 1 file changed, 59 insertions(+), 13 deletions(-) diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md index 2f0fd3dee0..5408351bda 100644 --- a/windows/deployment/do/waas-delivery-optimization-setup.md +++ b/windows/deployment/do/waas-delivery-optimization-setup.md @@ -121,28 +121,74 @@ To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** | Key | Value | | --- | --- | | File ID | A GUID that identifies the file being processed | -| Priority | Priority of the download; values are **foreground** or **background** | | FileSize | Size of the file | +| FileSizeInCache | Size of the file in the cache | | TotalBytesDownloaded | The number of bytes from any source downloaded so far | | PercentPeerCaching |The percentage of bytes downloaded from peers versus over HTTP | | BytesFromPeers | Total bytes downloaded from peer devices (sum of bytes downloaded from LAN, Group, and Internet Peers) | | BytesfromHTTP | Total number of bytes received over HTTP | -| DownloadDuration | Total download time in seconds | | Status | Current state of the operation. Possible values are: **Downloading** (download in progress); **Complete** (download completed, but is not uploading yet); **Caching** (download completed successfully and is ready to upload or uploading); **Paused** (download/upload paused by caller) | +| Priority | Priority of the download; values are **foreground** or **background** | +| BytesFromCacheServer | Total number of bytes received from cache server | +| BytesFromLanPeers | Total number of bytes received from peers found on the LAN | +| BytesFromGroupPeers | Total number of bytes received from peers found in the group | +| BytesFromInternetPeers | Total number of bytes received from internet peers | +| BytesToLanPeers | Total number of bytes delivered from peers found on the LAN | +| BytesToGroupPeers | Total number of bytes delivered from peers found in the group | +| BytesToInternetPeers | Total number of bytes delivered from peers found on the LAN | +| DownloadDuration | Total download time in seconds | +| HttpConnectionCount | | +| LanConnectionCount | | +| GroupConnectionCount | | +| InternetConnectionCount | | +| DownloadMode | | +| SourceURL | Http source for the file | +| CacheHost | IP address for the cache server | | NumPeers | Indicates the total number of peers returned from the service. | | PredefinedCallerApplication | Indicates the last caller that initiated a request for the file. | | ExpireOn | The target expiration date and time for the file. | -| Pinned | A yes/no value indicating whether an item has been "pinned" in the cache (see `setDeliveryOptmizationStatus`). | +| IsPinned | A yes/no value indicating whether an item has been "pinned" in the cache (see `setDeliveryOptmizationStatus`). | `Get-DeliveryOptimizationPerfSnap` returns a list of key performance data: -- Number of files downloaded -- Number of files uploaded -- Total bytes downloaded -- Total bytes uploaded -- Average transfer size (download); that is, the number bytes downloaded divided by the number of files -- Average transfer size (upload); the number of bytes uploaded divided by the number of files -- Peer efficiency; same as PercentPeerCaching +| Key | Value | +| --- | --- | +| FilesDownloaded | Number of files downloaded | +| FilesUploaded | Number of files uploaded | +| Files | | +| TotalBytesDownloaded | Total bytes downloaded | +| TotalBytesUploaded | Total bytes uploaded | +| AverageDownloadSize | Average transfer size (download); that is, the number bytes downloaded divided by the number of files | +| AverageUploadSize | Average transfer size (upload); the number of bytes uploaded divided by the number of files | +| DownloadMode | Delivery Optimization Download mode used to deliver file | +| CacheSizeBytes | | +| TotalDiskBytes | | +| AvailableDiskBytes | | +| CpuUsagePct | | +| MemUsageKB | | +| NumberOfPeers | | +| CacheHostConnections | | +| CdnConnections | | +| LanConnections | | +| LinkLocalConnections | | +| GroupConnections | | +| InternetConnections | | +| DownlinkBps | | +| DownlinkUsageBps | | +| UplinkBps | | +| UplinkUsageBps | | +| ForegroundDownloadRatePct | | +| BackgroundDownloadRatePct | | +| UploadRatePct | | +| UplinkUsageBps | | +| ForegroundDownloadRatePct | | +| BackgroundDownloadRatePct | | +| UploadRatePct | | +| UploadCount | | +| ForegroundDownloadCount | | +| ForegroundDownloadsPending | | +| BackgroundDownloadCount | | +| BackgroundDownloadsPending | | Using the `-Verbose` option returns additional information: @@ -188,9 +234,9 @@ With no options, this cmdlet returns these data: - total number of files - number of foreground files - minimum file size for it to be cached -- number of eligible files -- number of files with peers -- number of peering files [how different from the above?] +- number of eligible (larger than the minimum size for peering) files +- number of files that found peers +- number of peering files (the number of files that got at least 1 byte from peers) - overall efficiency - efficiency in the peered files From 5bc6b103880fb5ed978eb7a0eeda96103a6e3ab9 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Mon, 2 May 2022 20:22:04 -0700 Subject: [PATCH 64/68] fix MicrosoftDocs/windows-itpro-docs#10366 --- .../deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index 08ea3e13f3..074b1f2d92 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md @@ -371,7 +371,7 @@ On **MDT01**: 1. Preinstall: After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings: 1. Name: Set DriverGroup001 2. Task Sequence Variable: DriverGroup001 - 3. Value: Windows 10 x64\\%Manufacturer%\\%Model% + 3. Value: Windows 10 x64\\%Make%\\%Model% 2. Configure the **Inject Drivers** action with the following settings: - Choose a selection profile: Nothing From df1ab9fd51bf069c51090ab0e9d35b48a017e358 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Mon, 2 May 2022 20:38:50 -0700 Subject: [PATCH 65/68] remove extra comma --- windows/whats-new/whats-new-windows-10-version-21H1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/whats-new-windows-10-version-21H1.md b/windows/whats-new/whats-new-windows-10-version-21H1.md index a969fcab2e..2fdba9bd26 100644 --- a/windows/whats-new/whats-new-windows-10-version-21H1.md +++ b/windows/whats-new/whats-new-windows-10-version-21H1.md @@ -42,7 +42,7 @@ A new [resolved issues](/mem/autopilot/resolved-issues) article is available tha A new Intune remote action: **Collect diagnostics**, lets you collect the logs from corporate devices without interrupting or waiting for the end user. For more information, see [Collect diagnostics remote action](/mem/intune/fundamentals/whats-new#collect-diagnostics-remote-action). -Intune has also added capabilities to [Role-based access control](/mem/intune/fundamentals/whats-new#role-based-access-control) (RBAC) that can be used to further define profile settings for the Enrollment Status Page (ESP). For more information,, see [Create Enrollment Status Page profile and assign to a group](/mem/intune/enrollment/windows-enrollment-status#create-enrollment-status-page-profile-and-assign-to-a-group). +Intune has also added capabilities to [Role-based access control](/mem/intune/fundamentals/whats-new#role-based-access-control) (RBAC) that can be used to further define profile settings for the Enrollment Status Page (ESP). For more information, see [Create Enrollment Status Page profile and assign to a group](/mem/intune/enrollment/windows-enrollment-status#create-enrollment-status-page-profile-and-assign-to-a-group). For a full list of what's new in Microsoft Intune, see [What's new in Microsoft Intune](/mem/intune/fundamentals/whats-new). From b4cc711b3238ae829a98f397647f497dbb3539ff Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Mon, 2 May 2022 21:15:35 -0700 Subject: [PATCH 66/68] Acrolinx --- .../import-export-vamt-data.md | 67 +++++++++---------- 1 file changed, 33 insertions(+), 34 deletions(-) diff --git a/windows/deployment/volume-activation/import-export-vamt-data.md b/windows/deployment/volume-activation/import-export-vamt-data.md index 06abb254e6..1e89cb087d 100644 --- a/windows/deployment/volume-activation/import-export-vamt-data.md +++ b/windows/deployment/volume-activation/import-export-vamt-data.md @@ -1,52 +1,51 @@ --- -title: Import and Export Volume Activation Management Tool (VAMT) Data (Windows 10) -description: Learn how to use the VAMT to import product-activation data from a .cilx or .cil file into SQL Server. -ms.assetid: 09a2c595-1a61-4da6-bd46-4ba8763cfd4f +title: Import and export VAMT data +description: Learn how to use the VAMT to import product-activation data from a file into SQL Server. ms.reviewer: manager: dougeby ms.author: aaroncz ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -audience: itpro +ms.technology: windows author: aczechowski -ms.date: 04/25/2017 -ms.topic: article +ms.date: 05/02/2022 +ms.topic: how-to --- -# Import and Export Volume Activation Management Tool (VAMT) Data +# Import and export Volume Activation Management Tool data + +You can use the Volume Activation Management Tool (VAMT) to import product-activation data from a computer information list (`.cilx` or `.cil`) file into SQL Server. Also use VAMT to export product-activation data into a `.cilx` file. A `.cilx` file is an XML file that stores computer and product-activation data. -You can use the Volume Activation Management Tool (VAMT) to import product-activation data from a Computer Information List (.cilx or .cil) file into SQL Server, and to export product-activation data into a .cilx file. A .cilx file is an XML file that stores computer and product-activation data. You can import data or export data during the following scenarios: -- Import and merge data from previous versions of VAMT. -- Export data to perform proxy activations. +- Import and merge data from previous versions of VAMT. +- Export data to perform proxy activations. -**Warning**   -Editing a .cilx file through an application other than VAMT can corrupt the .cilx file; and this method isn't supported. +> [!Warning] +> Editing a `.cilx` file through an application other than VAMT can corrupt the `.cilx` file. This method isn't supported. -## Import VAMT Data +## Import VAMT data -**To import data into VAMT** -1. Open VAMT. -2. In the right-side **Actions** pane, click **Import list** to open the **Import List** dialog box. -3. In the **Import List** dialog box, navigate to the .cilx file location, select the file, and click **Open**. -4. In the **Volume Activation Management Tool** dialog box, click **OK** to begin the import. VAMT displays a progress message while the file is being imported. Click **OK** when a message appears and confirms that the import has completed successfully. +To import data into VAMT, use the following process: -## Export VAMT Data +1. Open VAMT. +2. In the right-side **Actions** pane, select **Import list** to open the **Import List** dialog box. +3. In the **Import List** dialog box, navigate to the `.cilx` file location, choose the file, and select **Open**. +4. In the **Volume Activation Management Tool** dialog box, select **OK** to begin the import. VAMT displays a progress message while the file is being imported. Select **OK** when a message appears and confirms that the import has completed successfully. -Exporting VAMT data from a non-Internet-connected VAMT host computer is the first step of proxy activation using multiple VAMT hosts. To export product-activation data to a .cilx file: -1. In the left-side pane, you can click a product you want to export data for, or click **Products** if the list contains data for all products. -2. If you want to export only part of the data in a product list, in the product-list view in the center pane, select the products you want to export. -3. In the right-side **Actions** pane on, click **Export list** to open the **Export List** dialog box. -4. In the **Export List** dialog box, click **Browse** to navigate to the .cilx file. -5. Under **Export options**, select one of the following data-type options: - - Export products and product keys - - Export products only - - Export proxy activation data only. Selecting this option ensures that the export contains only the licensing information required for the proxy web service to obtain CIDs from Microsoft. No Personally Identifiable Information (PII) is contained in the exported .cilx file when this selection is checked. -6. If you've selected products to export, select the **Export selected product rows only** check box. -7. Click **Save**. VAMT displays a progress message while the data is being exported. Click **OK** when a message appears and confirms that the export has completed successfully. +## Export VAMT data + +Exporting VAMT data from a VAMT host computer that's not internet-connected is the first step of proxy activation using multiple VAMT hosts. To export product-activation data to a `.cilx` file: + +1. In the left-side pane, select a product you want to export data for, or select **Products** if the list contains data for all products. +2. If you want to export only part of the data in a product list, in the product-list view in the center pane, select the products you want to export. +3. In the right-side **Actions** pane on, select **Export list** to open the **Export List** dialog box. +4. In the **Export List** dialog box, select **Browse** to navigate to the `.cilx` file. +5. Under **Export options**, select one of the following data-type options: + - Export products and product keys + - Export products only + - Export proxy activation data only. Selecting this option makes sure that the export contains only the licensing information required for the proxy web service to obtain CIDs from Microsoft. No personally identifiable information (PII) is contained in the exported `.cilx` file when this selection is checked. +6. If you've selected products to export, select the **Export selected product rows only** check box. +7. Select **Save**. VAMT displays a progress message while the data is being exported. Select **OK** when a message appears and confirms that the export has completed successfully. ## Related articles -- [Perform Proxy Activation](proxy-activation-vamt.md) +[VAMT proxy activation](proxy-activation-vamt.md) From b6f94a21aeb7450a7a96793e540d31f79460e069 Mon Sep 17 00:00:00 2001 From: Diana Hanson Date: Tue, 3 May 2022 10:06:23 -0600 Subject: [PATCH 67/68] Update whats-new-windows-10-version-1703.md fix link line 170 --- windows/whats-new/whats-new-windows-10-version-1703.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index 8b4d2992e1..b1b28d7037 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md @@ -167,7 +167,7 @@ You can now reset a forgotten PIN without deleting company managed data or apps For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. -For more details, check out [What if I forget my PIN?](/security/identity-protection/hello-for-business/hello-feature-pin-reset.md). +For more details, check out [What if I forget my PIN?](/security/identity-protection/hello-for-business/hello-feature-pin-reset). ### Windows Information Protection (WIP) and Azure Active Directory (Azure AD) Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune). From 92011cf372a75e35bc8308b2ca4246f5862d9906 Mon Sep 17 00:00:00 2001 From: Diana Hanson Date: Tue, 3 May 2022 10:20:00 -0600 Subject: [PATCH 68/68] Update windows/whats-new/whats-new-windows-10-version-1703.md --- windows/whats-new/whats-new-windows-10-version-1703.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index b1b28d7037..43211e6fb7 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md @@ -167,7 +167,7 @@ You can now reset a forgotten PIN without deleting company managed data or apps For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. -For more details, check out [What if I forget my PIN?](/security/identity-protection/hello-for-business/hello-feature-pin-reset). +For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset). ### Windows Information Protection (WIP) and Azure Active Directory (Azure AD) Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune).