From 5dac76b86270098705c0698c0f10e516dfa13e9a Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Thu, 15 Sep 2016 10:00:02 -0700 Subject: [PATCH 01/43] updates to topic --- ...repare-your-environment-for-surface-hub.md | 66 +++++++++++++++++++ 1 file changed, 66 insertions(+) diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md index 17ad527a67..304c0c4682 100644 --- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md +++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md @@ -16,6 +16,72 @@ localizationpriority: medium This section contains an overview of the steps required to prepare your environment so that you can use all of the features of Microsoft Surface Hub. See [Intro to Surface Hub](intro-to-surface-hub.md) for a description of how the device and its features interact with your IT environment. +## Surface Hub setup dependencies + +Review these dependencies to make sure Surface Hub features will work in your environment. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
DependencyPurpose

Active Directory (if using an on-premises deployment)

The Surface Hub must be able to connect to the domain controller in order to validate the device account’s credentials, as well as to access information like the device account’s display name, alias, Exchange server, and Session Initiation Protocol (SIP) address.

Microsoft Office 365 (if using an online deployment)

The Surface Hub must have Internet access in order to reach your Office 365 tenant. The device will connect to the Office 365 in order to validate the device account’s credentials, as well as to access information like the device account’s display name, alias, Exchange server, and SIP address.

Device account

The device account is an Active Directory and/or Azure AD account that enables several key features for the Surface Hub. Learn more about device accounts in [Create and test a device account](create-and-test-a-device-account-surface-hub.md).

Exchange and Exchange ActiveSync

The Surface Hub must be able to reach the device account’s Exchange servers. Exchange is used for enabling mail and calendar features, and also lets people who use the device send meeting requests to the Surface Hub, enabling one-touch meeting join.

+

ActiveSync is used to sync the device account’s calendar and mail to the Surface Hub. If the device cannot use ActiveSync, it will not show meetings on the welcome screen, and joining meetings and emailing whiteboards will not be enabled.

Skype for Business

The Surface Hub must be able to reach the device account’s Skype for Business servers. Skype for Business is used for various conferencing features, like video calls, IM, and screen sharing.

Certificate-based authentication

If certificate-based authentication is required to establish a connection with Exchange ActiveSync or Skype for Business, those certificates must be deployed to each Surface Hub.

Dynamic IP

The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address. Network or Internet access is required, depending on the configuration of your topology (on-premises or online respectively) in order to validate the device account.

Proxy servers

If your topology requires a connection to a proxy server to reach Active Directory, Microsoft Online Services, or your Exchange or Skype for Business servers, then you can configure it during first run, or in Settings.

Mobile device management (MDM) solution provider

If you want to manage devices remotely and by groups (apply settings or policies to multiple devices at a time), you must set up a MDM solution and enroll the device to that solution.

Microsoft Operations Management Suite (OMS)

OMS is used to monitor Surface Hub devices.

+ +## Setup process + +| Setup area | Requirements | +| ---------------------------- | ------------------------------------- | +| Find the correct people and resources. | Admins for Exchange, Active Directory, Exchange + ## Create and test a device account From 67a725711cbf256594f56eda474a4bae2c87ce20 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Mon, 19 Sep 2016 13:39:38 -0700 Subject: [PATCH 02/43] updates from PM feedback --- ...repare-your-environment-for-surface-hub.md | 94 ++++++------------- 1 file changed, 29 insertions(+), 65 deletions(-) diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md index 304c0c4682..2c64a6308e 100644 --- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md +++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md 
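Review bot: in PATCH 01/43, the "## Setup process" table added at the end of the hunk is committed unfinished. Its only row reads "Admins for Exchange, Active Directory, Exchange" and stops mid-list with no closing pipe, and the new heading runs straight into the existing "## Create and test a device account". Complete the row or hold the section back until it has content. In the dependencies table, "The device will connect to the Office 365" has a stray article.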
@@ -78,89 +78,53 @@ Review these dependencies to make sure Surface Hub features will work in your en ## Setup process -| Setup area | Requirements | -| ---------------------------- | ------------------------------------- | -| Find the correct people and resources. | Admins for Exchange, Active Directory, Exchange +### Work with other admins -## Create and test a device account +Surface Hub interacts with a few different products and services. Depending on the size of your organization, there could be multiple people supporting different products in your environment. You'll want to include people who manage Exchange, Active Directory, Azure Actice Directory, mobile device maanagement (MDM), and network resources in your planning and prep for Surface Hub deployments. +### Create and verify device account -A "device account" is an account that Surface Hub uses in order to access features from Exchange, like email and calendar, and to enable Skype for Business. See [Create and test a device account](create-and-test-a-device-account-surface-hub.md) for details. +A device account is an account that Surface Hub uses in order to access features from Exchange, like email and calendar, and to enable Skype for Business. See [Create and test a device account](create-and-test-a-device-account-surface-hub.md) for details. -## Check network availability +After you've created your device account, there are a couple of ways to verify that the account. +- Run Surface Hub device account validation PowerShell scripts. For more information, see [Surface Hub device account scripts](https://gallery.technet.microsoft.com/scriptcenter/Surface-Hub-device-account-6db77696) in Script Center, or [PowerShell scripts for Surface Hub](appendix-a-powershell-scipts-for-surface-hub.md) later in this guide. +- Run the Lync Windows app from Windows Store. If Lync runs successfully, then Skype for Business will most likely run. 
+### Check network resources -In order to function properly, the Surface Hub must have access to a wired or wireless network that meets these requirements: +In order to function properly, the Surface Hub must have access to a wired or wireless network that meets the same requirements as every other Skype for Business endpoint in your environment. Overall, a wired connection is preferred: -- Access to your Active Directory or Azure Active Directory (Azure AD) instance, as well as your Microsoft Exchange and Skype for Business servers -- Can receive an IP address using DHCP -- Open ports: - - HTTPS: 443 - - HTTP: 80 +- Access to your Active Directory or Azure Active Directory (Azure AD) instance, as well as your Microsoft Exchange and Skype for Business servers. +- Can receive an IP address using DHCP +- Open ports: + - HTTPS: 443 + - HTTP: 80 +- Access to additional ports are needed, depending on your environment: + - For online envionments, see [Office 365 IP URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US). + - For on-premises istallations, see [Skype for Business Server: Ports and protocols for internal servers](https://technet.microsoft.com/library/gg398833.aspx). -A wired connection is preferred. +In order to improve your experience, we collect data. To collect data, we need these sites whitelisted: +- Telemetry client endpoint: https://vortex.data.microsoft.com/ +- Telemetry settings endpoint: https://settings.data.microsoft.com/ -## Certificates +### Prepare for first-run program +There are a few more item to consider before you start the [first-run program](first-run-program-surface-hub.md). +**Create provisioning packages** (optional) - Your Surface Hub may require certificates for ActiveSync, Skype for Business, network usage, or other authentication. 
To install certificates, you can either create a provisioning package (in order to install at first run, or after first run in Settings), or deploy them through a mobile device management (MDM) solution (after first run only). -Your Surface Hub may require certificates for ActiveSync, Skype for Business, network usage, or other authentication. To install certificates, you can either create a provisioning package (in order to install at first run, or after first run in Settings), or deploy them through a mobile device management (MDM) solution (after first run only). +To install certificates using provisioning packages, see [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md). To install them using MDM, see the documentation for your MDM provider. -To install certificates using provisioning packages, see [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md). To install them using MDM, see the documentation for your MDM solution. +Currently, Surface Hub can use provisioning packages only to install certificates and to install Universal Windows Platform (UWP) apps. See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) for details.You can also use provisioning to sideload apps that don't come from the Windows Store or Windows Store for Business. -## Create provisioning packages +**Manage admin groups** - Every Surface Hub can be configured individually by opening the Settings app on the device. To prevent people who are not administrators from changing settings, the Settings app requires local administrator credentials to open the app and change settings. See [Admin group management](admin-group-management-for-surface-hub.md) for details on how admin groups are set up and managed. +During first run, you will [set up admins for the device](first-run-program-surface-hub.md#setup-admins)). 
-Currently, Surface Hub can use provisioning packages only to install certificates and to install Universal Windows Platform (UWP) apps. See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) for details. - -Customers will use provisioning packages to authenticate (for example, to Exchange or Skype for Business), or to sideload apps that don't come from the Windows Store or Windows Store for Business. - -## Know the Exchange server for your device account - - -You should know which Exchange server the device account will use for email and calendar services. The device will attempt to discover this automatically during first run, but if auto-discovery doesn't work, you may need to enter the server info manually. - -### Admin group management - -Every Surface Hub can be configured individually by opening the Settings app on the device. To prevent people who are not administrators from changing settings, the Settings app requires local administrator credentials to open the app and change settings. See [Admin group management](admin-group-management-for-surface-hub.md) for details on how admin groups are set up and managed. - -## Skype for Business - - -Certificates may be required in order to have the Surface Hub use Skype for Business. - -## Checklist for preparation - - -In order to ensure that your environment is ready for the Surface Hub, verify the items in the following list. - -1. The device account has been created. - - Test this by running: - - - Surface Hub device account validation PowerShell scripts - - Lync Windows app from the Windows Store (if Lync runs successfully, then Skype for Business will most likely run). - -2. 
Ensure that there is a working network/Internet connection for the device to connect to: - - - It must be able to receive an IP address using DHCP (Surface Hub cannot be configured with a static IP address) - - It must have these ports open: - - - HTTPS: 443 - - HTTP: 80 - - If your network runs through a proxy, you'll need the proxy address or script information as well. - -3. In order to improve your experience, we collect data. To collect data, we need these sites whitelisted: - - Telemetry client endpoint: https://vortex.data.microsoft.com/ - - Telemetry settings endpoint: https://settings.data.microsoft.com/ - -4. Choose the local admin method you want to set up during first run (see [Set up admins for this device](first-run-program-surface-hub.md#setup-admins)). Also, decide whether you'll be using MDM (see [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md)). -5. You've created provisioning packages, as needed. See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md). -6. Have all necessary information available from the [Setup worksheet](setup-worksheet-surface-hub.md). +**Review and complete Surface Hub setup worksheet** (optional) +When you complete the first-run program for your Surface Hub, there is some information that you'll need to supply. The setup worksheet summarizes that info, and provides lists of environment-specific info that you'll need when you complete the first-run program. For more information, see [Setup worksheet](setup-worksheet-surface-hub.md). ## In this section - From 6e672c7edc783b90cc40d6e50d03559a20f2e8d1 Mon Sep 17 00:00:00 2001 
From: jdeckerMS Date: Tue, 20 Sep 2016 09:47:37 -0700 Subject: [PATCH 03/43] stage revised TOC --- devices/surface/TOC.md | 38 ++++++----- devices/surface/deploy.md | 121 +++++++++++++++++++++++++++++++++ devices/surface/keep-secure.md | 121 +++++++++++++++++++++++++++++++++ devices/surface/update.md | 121 +++++++++++++++++++++++++++++++++ 4 files changed, 384 insertions(+), 17 deletions(-) create mode 100644 devices/surface/deploy.md create mode 100644 devices/surface/keep-secure.md create mode 100644 devices/surface/update.md diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md index c06979382a..0c7cfa1edd 100644 --- a/devices/surface/TOC.md +++ b/devices/surface/TOC.md 
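Review bot: in PATCH 02/43, folding the preparation checklist into "### Check network resources" drops two pieces of guidance that the removed lines carried and nothing in the added lines replaces: the proxy note ("If your network runs through a proxy, you'll need the proxy address or script information as well") and the "Know the Exchange server for your device account" fallback for when auto-discovery fails. Restore them or link to where they now live. The added text also needs a proofread before merge: "there are a couple of ways to verify that the account." is an unfinished sentence, "Azure Actice Directory", "maanagement", "envionments", "istallations" and "a few more item" are misspelled, "for details.You can" is missing a space, and "#setup-admins))" has an extra closing parenthesis. Confirm that the link target "appendix-a-powershell-scipts-for-surface-hub.md" matches the actual file name.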
@@ -1,22 +1,26 @@ # [Surface](index.md) -## [Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md) -## [Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md) -## [Deploy Surface app with Windows Store for Business](deploy-surface-app-with-windows-store-for-business.md) -## [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) -## [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) -## [Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md) -## [Ethernet adapters and Surface deployment](ethernet-adapters-and-surface-device-deployment.md) -## [Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md) -## [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md) -## [Manage Surface UEFI settings](manage-surface-uefi-settings.md) -## [Surface Data Eraser](microsoft-surface-data-eraser.md) -## [Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md) -### [Step by step: Surface Deployment Accelerator](step-by-step-surface-deployment-accelerator.md) -### [Using the Surface Deployment Accelerator deployment share](using-the-sda-deployment-share.md) +## [Deploy Surface devices](deploy.md) +### [Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md) +### [Deploy Surface app with Windows Store for Business](deploy-surface-app-with-windows-store-for-business.md) +### [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) +### [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md) +### [Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md) +### [Ethernet adapters and Surface 
deployment](ethernet-adapters-and-surface-device-deployment.md) +#### [Step by step: Surface Deployment Accelerator](step-by-step-surface-deployment-accelerator.md) +#### [Using the Surface Deployment Accelerator deployment share](using-the-sda-deployment-share.md) +## [Keep Surface devices up-to-date](update.md) +### [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) +### [Surface Dock Updater](surface-dock-updater.md) +### [Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md) +### [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md) +## [Keep Surface devices secure](keep-secure.md) +### [Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md) +### [Manage Surface UEFI settings](manage-surface-uefi-settings.md) +### [Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md) +### [Surface Enterprise Management Mode](surface-enterprise-management-mode.md) +### [Surface Data Eraser](microsoft-surface-data-eraser.md) ## [Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md) -## [Surface Dock Updater](surface-dock-updater.md) -## [Surface Enterprise Management Mode](surface-enterprise-management-mode.md) ### [Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md) ### [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md) -## [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md) + diff --git a/devices/surface/deploy.md b/devices/surface/deploy.md new file mode 100644 index 0000000000..5c299ff83e --- /dev/null +++ b/devices/surface/deploy.md 
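Review bot: in the TOC.md hunk of PATCH 03/43, "### [Ethernet adapters and Surface deployment]" is added between "### [Surface Deployment Accelerator]" and its two "####" children, so "Step by step: Surface Deployment Accelerator" and "Using the Surface Deployment Accelerator deployment share" now nest under the Ethernet adapters entry. Move the Ethernet line above or below the SDA group. The end of the hunk has the same problem: "Surface Enterprise Management Mode" moves to "###" under "Keep Surface devices secure", but its "Enroll and configure" and "Unenroll" entries stay as unchanged "###" lines after "## [Surface Diagnostic Toolkit]", which leaves them parented to the Diagnostic Toolkit. They should follow the SEMM entry as "####" lines.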
@@ -0,0 +1,121 @@ +--- +title: Surface (Surface) +description: +ms.prod: w10 +ms.mktglfcycl: manage +ms.pagetype: surface, devices +ms.sitesec: library +author: heatherpoulsen +--- + +# Surface + + +## Purpose + + +This library provides guidance to help you deploy Windows on Surface devices, keep those devices up to date, and easily manage and support Surface devices in your organization. + +For more information on planning for, deploying, and managing Surface devices in your organization, see the [Surface TechCenter](https://technet.microsoft.com/en-us/windows/surface). + +## In this section + + +
++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md)

Find out how to install and configure the v3.11.760.0 UEFI update to enable additional security options for Surface Pro 3 devices.

[Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md)

Walk through the process of customizing the Surface out-of-box experience for end users in your organization.

[Deploy Surface app with Windows Store for Business](deploy-surface-app-with-windows-store-for-business.md)

Find out how to add and download Surface app with Windows Store for Business, as well as install Surface app with PowerShell and MDT.

[Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md)

Walk through the recommended process of how to deploy Windows 10 to your Surface devices with the Microsoft Deployment Toolkit.

[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)

Get a list of the available downloads for Surface devices and links to download the drivers and firmware for your device.

[Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md)

Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device.

[Ethernet adapters and Surface deployment](ethernet-adapters-and-surface-device-deployment.md)

Get guidance and answers to help you perform a network deployment to Surface devices.

[Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)

Read about the different methods you can use to manage the process of Surface Dock firmware updates.

[Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)

Explore the available options to manage firmware and driver updates for Surface devices.

[Manage Surface UEFI settings](manage-surface-uefi-settings.md)

Use Surface UEFI settings to enable or disable devices, configure security settings, and adjust Surface device boot settings.

[Surface Data Eraser](microsoft-surface-data-eraser.md)

Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices.

[Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md)

See how Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices.

[Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md)

Find out how you can use the Microsoft Surface Diagnostic Toolkit to test the hardware of your Surface device.

[Surface Dock Updater](surface-dock-updater.md)

Get a detailed walkthrough of Microsoft Surface Dock Updater.

[Surface Enterprise Management Mode](surface-enterprise-management-mode.md)

See how this feature of Surface devices with Surface UEFI allows you to secure and manage firmware settings within your organization. +

[Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md)

Find out how to perform a Windows 10 upgrade deployment to your Surface devices.

+ +  + +## Related topics + + +[Surface TechCenter](https://technet.microsoft.com/windows/surface) + +[Surface for IT pros blog](http://blogs.technet.com/b/surface/) + +  + +  + + + + + diff --git a/devices/surface/keep-secure.md b/devices/surface/keep-secure.md new file mode 100644 index 0000000000..5c299ff83e --- /dev/null +++ b/devices/surface/keep-secure.md @@ -0,0 +1,121 @@ +--- +title: Surface (Surface) +description: +ms.prod: w10 +ms.mktglfcycl: manage +ms.pagetype: surface, devices +ms.sitesec: library +author: heatherpoulsen +--- + +# Surface + + +## Purpose + + +This library provides guidance to help you deploy Windows on Surface devices, keep those devices up to date, and easily manage and support Surface devices in your organization. + +For more information on planning for, deploying, and managing Surface devices in your organization, see the [Surface TechCenter](https://technet.microsoft.com/en-us/windows/surface). + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md)

Find out how to install and configure the v3.11.760.0 UEFI update to enable additional security options for Surface Pro 3 devices.

[Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md)

Walk through the process of customizing the Surface out-of-box experience for end users in your organization.

[Deploy Surface app with Windows Store for Business](deploy-surface-app-with-windows-store-for-business.md)

Find out how to add and download Surface app with Windows Store for Business, as well as install Surface app with PowerShell and MDT.

[Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md)

Walk through the recommended process of how to deploy Windows 10 to your Surface devices with the Microsoft Deployment Toolkit.

[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)

Get a list of the available downloads for Surface devices and links to download the drivers and firmware for your device.

[Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md)

Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device.

[Ethernet adapters and Surface deployment](ethernet-adapters-and-surface-device-deployment.md)

Get guidance and answers to help you perform a network deployment to Surface devices.

[Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)

Read about the different methods you can use to manage the process of Surface Dock firmware updates.

[Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)

Explore the available options to manage firmware and driver updates for Surface devices.

[Manage Surface UEFI settings](manage-surface-uefi-settings.md)

Use Surface UEFI settings to enable or disable devices, configure security settings, and adjust Surface device boot settings.

[Surface Data Eraser](microsoft-surface-data-eraser.md)

Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices.

[Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md)

See how Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices.

[Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md)

Find out how you can use the Microsoft Surface Diagnostic Toolkit to test the hardware of your Surface device.

[Surface Dock Updater](surface-dock-updater.md)

Get a detailed walkthrough of Microsoft Surface Dock Updater.

[Surface Enterprise Management Mode](surface-enterprise-management-mode.md)

See how this feature of Surface devices with Surface UEFI allows you to secure and manage firmware settings within your organization. +

[Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md)

Find out how to perform a Windows 10 upgrade deployment to your Surface devices.

+ +  + +## Related topics + + +[Surface TechCenter](https://technet.microsoft.com/windows/surface) + +[Surface for IT pros blog](http://blogs.technet.com/b/surface/) + +  + +  + + + + + diff --git a/devices/surface/update.md b/devices/surface/update.md new file mode 100644 index 0000000000..5c299ff83e --- /dev/null +++ b/devices/surface/update.md @@ -0,0 +1,121 @@ +--- +title: Surface (Surface) +description: +ms.prod: w10 +ms.mktglfcycl: manage +ms.pagetype: surface, devices +ms.sitesec: library +author: heatherpoulsen +--- + +# Surface + + +## Purpose + + +This library provides guidance to help you deploy Windows on Surface devices, keep those devices up to date, and easily manage and support Surface devices in your organization. + +For more information on planning for, deploying, and managing Surface devices in your organization, see the [Surface TechCenter](https://technet.microsoft.com/en-us/windows/surface). + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md)

Find out how to install and configure the v3.11.760.0 UEFI update to enable additional security options for Surface Pro 3 devices.

[Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md)

Walk through the process of customizing the Surface out-of-box experience for end users in your organization.

[Deploy Surface app with Windows Store for Business](deploy-surface-app-with-windows-store-for-business.md)

Find out how to add and download Surface app with Windows Store for Business, as well as install Surface app with PowerShell and MDT.

[Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md)

Walk through the recommended process of how to deploy Windows 10 to your Surface devices with the Microsoft Deployment Toolkit.

[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)

Get a list of the available downloads for Surface devices and links to download the drivers and firmware for your device.

[Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md)

Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device.

[Ethernet adapters and Surface deployment](ethernet-adapters-and-surface-device-deployment.md)

Get guidance and answers to help you perform a network deployment to Surface devices.

[Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)

Read about the different methods you can use to manage the process of Surface Dock firmware updates.

[Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)

Explore the available options to manage firmware and driver updates for Surface devices.

[Manage Surface UEFI settings](manage-surface-uefi-settings.md)

Use Surface UEFI settings to enable or disable devices, configure security settings, and adjust Surface device boot settings.

[Surface Data Eraser](microsoft-surface-data-eraser.md)

Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices.

[Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md)

See how Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices.

[Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md)

Find out how you can use the Microsoft Surface Diagnostic Toolkit to test the hardware of your Surface device.

[Surface Dock Updater](surface-dock-updater.md)

Get a detailed walkthrough of Microsoft Surface Dock Updater.

[Surface Enterprise Management Mode](surface-enterprise-management-mode.md)

See how this feature of Surface devices with Surface UEFI allows you to secure and manage firmware settings within your organization. +

[Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md)

Find out how to perform a Windows 10 upgrade deployment to your Surface devices.

+ +  + +## Related topics + + +[Surface TechCenter](https://technet.microsoft.com/windows/surface) + +[Surface for IT pros blog](http://blogs.technet.com/b/surface/) + +  + +  + + + + + From 9882eec0c2ddec267594f32adb6171e4ba26541a Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Tue, 20 Sep 2016 10:32:47 -0700 Subject: [PATCH 04/43] feedback updates # Conflicts: # devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md --- devices/surface-hub/intro-to-surface-hub.md | 82 +------------------ ...repare-your-environment-for-surface-hub.md | 11 +-- 2 files changed, 9 insertions(+), 84 deletions(-) diff --git a/devices/surface-hub/intro-to-surface-hub.md b/devices/surface-hub/intro-to-surface-hub.md index ec1712c7a0..212b001d82 100644 --- a/devices/surface-hub/intro-to-surface-hub.md +++ b/devices/surface-hub/intro-to-surface-hub.md @@ -16,7 +16,7 @@ localizationpriority: medium Microsoft Surface Hub is an all-in-one productivity device that is intended for brainstorming, collaboration, and presentations. In order to get the maximum benefit from Surface Hub, your organization’s infrastructure and the Surface Hub itself must be properly set up and integrated. This guide describes what needs to be done both before and during setup in order to help you optimize your use of the device. -### Surface Hub features and interactions with other services +## Surface Hub features and interactions with other services The capabilities of your Surface Hub will depend on what other Microsoft products and technologies are available to it in your infrastructure. The products listed in the following table each support specific features in Surface Hub. 
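Review bot: in PATCH 03/43, deploy.md, keep-secure.md and update.md are all added with the same blob (index 0000000000..5c299ff83e) and the same body: title "Surface (Surface)", an empty description, heading "# Surface" and the complete topic table. As staged, the "Keep Surface devices secure" landing page lists every Surface topic rather than the five entries the revised TOC places under it, and the same holds for the deploy and update pages. Give each file its own title, description and a table limited to its TOC children before this leaves staging.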
@@ -68,90 +68,14 @@ The capabilities of your Surface Hub will depend on what other Microsoft product   - You’ll need to understand how each of these services interacts with Surface Hub. See [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md) for details. -### Surface Hub Setup dependencies -Review these dependencies to make sure Surface Hub features will work in your environment. +## Surface Hub setup process - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
DependencyPurpose

Active Directory (if using an on-premises deployment)

The Surface Hub must be able to connect to the domain controller in order to validate the device account’s credentials, as well as to access information like the device account’s display name, alias, Exchange server, and Session Initiation Protocol (SIP) address.

Microsoft Office 365 (if using an online deployment)

The Surface Hub must have Internet access in order to reach your Office 365 tenant. The device will connect to the Office 365 in order to validate the device account’s credentials, as well as to access information like the device account’s display name, alias, Exchange server, and SIP address.

Device account

The device account is an Active Directory and/or Azure AD account that enables several key features for the Surface Hub. Learn more about device accounts in [Create and test a device account](create-and-test-a-device-account-surface-hub.md).

Exchange and Exchange ActiveSync

The Surface Hub must be able to reach the device account’s Exchange servers. Exchange is used for enabling mail and calendar features, and also lets people who use the device send meeting requests to the Surface Hub, enabling one-touch meeting join.

-

ActiveSync is used to sync the device account’s calendar and mail to the Surface Hub. If the device cannot use ActiveSync, it will not show meetings on the welcome screen, and joining meetings and emailing whiteboards will not be enabled.

Skype for Business

The Surface Hub must be able to reach the device account’s Skype for Business servers. Skype for Business is used for various conferencing features, like video calls, IM, and screen sharing.

Certificate-based authentication

If certificate-based authentication is required to establish a connection with Exchange ActiveSync or Skype for Business, those certificates must be deployed to each Surface Hub.

Dynamic IP

The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address. Network or Internet access is required, depending on the configuration of your topology (on-premises or online respectively) in order to validate the device account.

Proxy servers

If your topology requires a connection to a proxy server to reach Active Directory, Microsoft Online Services, or your Exchange or Skype for Business servers, then you can configure it during first run, or in Settings.

Mobile device management (MDM) solution provider

If you want to manage devices remotely and by groups (apply settings or policies to multiple devices at a time), you must set up a MDM solution and enroll the device to that solution.

Microsoft Operations Management Suite (OMS)

OMS is used to monitor Surface Hub devices.

- -  - -### Surface Hub setup process - -In some ways, adding your new Surface Hub is just like adding any other Microsoft Windows-based device to your network. However, in order to get your Surface Hub up and running at its full capacity, there are some very specific requirements. Read through all the info before you start. Here’s the general order of things you’ll need to do: +In some ways, adding your new Surface Hub is just like adding any other Microsoft Windows-based device to your network. However, in order to get your Surface Hub up and running at its full capacity, there are some very specific requirements. Here are the next topics you'll need: 1. [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md) 2. [Physically install your Surface Hub device](physically-install-your-surface-hub-device.md) 3. [Run the Surface Hub first-run setup program (OOBE)](first-run-program-surface-hub.md) -After you have your Surface Hub running in your organization, you’ll need info about: - -- [Device maintenance and management](manage-surface-hub.md) - -In the unlikely event that you run into problems, see [Troubleshoot Surface Hub](troubleshoot-surface-hub.md). - -  - -  - - - - - diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md index 2c64a6308e..5e2203341d 100644 --- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md +++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md 
@@ -14,7 +14,9 @@ localizationpriority: medium # Prepare your environment for Microsoft Surface Hub -This section contains an overview of the steps required to prepare your environment so that you can use all of the features of Microsoft Surface Hub. See [Intro to Surface Hub](intro-to-surface-hub.md) for a description of how the device and its features interact with your IT environment. +This section contains an overview of setup dependencies and the setup process. + +See [Intro to Surface Hub](intro-to-surface-hub.md) for a description of how the device and its features interact with your IT environment. ## Surface Hub setup dependencies @@ -76,7 +78,8 @@ Review these dependencies to make sure Surface Hub features will work in your en -## Setup process +## Prep for Surface Hub set up +Review the info in this section to help you prepare your environment and gather information needed to set up your Surface Hub. ### Work with other admins 
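Review bot: The new heading "## Prep for Surface Hub set up" in the @@ -76,7 hunk writes the noun as two words, while the intro sentence added in the @@ -14,7 hunk and the neighbouring heading use one ("setup dependencies and the setup process", "## Surface Hub setup dependencies"). Suggest "## Prepare for Surface Hub setup" so the spelling is consistent on the page. The new intro sentence also still promises "the setup process", which is the heading this patch renames, so the intro and the section name should be brought into line.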
@@ -112,9 +115,7 @@ There are a few more item to consider before you start the [first-run program](f **Create provisioning packages** (optional) - Your Surface Hub may require certificates for ActiveSync, Skype for Business, network usage, or other authentication. To install certificates, you can either create a provisioning package (in order to install at first run, or after first run in Settings), or deploy them through a mobile device management (MDM) solution (after first run only). -To install certificates using provisioning packages, see [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md). To install them using MDM, see the documentation for your MDM provider. - -Currently, Surface Hub can use provisioning packages only to install certificates and to install Universal Windows Platform (UWP) apps. See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) for details.You can also use provisioning to sideload apps that don't come from the Windows Store or Windows Store for Business. +Currently, Surface Hub can use provisioning packages only to install certificates and to install Universal Windows Platform (UWP) apps. See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) for details. To install them using MDM, see the documentation for your MDM provider. You can also use provisioning to sideload apps that don't come from the Windows Store or Windows Store for Business. **Manage admin groups** - Every Surface Hub can be configured individually by opening the Settings app on the device. To prevent people who are not administrators from changing settings, the Settings app requires local administrator credentials to open the app and change settings. See [Admin group management](admin-group-management-for-surface-hub.md) for details on how admin groups are set up and managed. From d1ad9d53d9511052db9962205fb58f5da5d7cfd8 Mon Sep 17 00:00:00 2001 
From: LizRoss Date: Tue, 20 Sep 2016 14:35:35 -0700 Subject: [PATCH 05/43] Updated networking table with feedback --- .../keep-secure/create-wip-policy-using-intune.md | 14 +++++++------- .../keep-secure/create-wip-policy-using-sccm.md | 8 ++++---- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index 7a107e086c..df8c1913a4 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -138,8 +138,8 @@ For this example, we’re going to add Internet Explorer, a desktop app, to the 1. From the **App Rules** area, click **Add**. The **Add App Rule** box appears. - - ![Microsoft Intune, Add a desktop app to your policy](images/intune-add-classic-apps.png) + + ![Microsoft Intune, Add a desktop app to your policy](images/intune-add-classic-apps.png) 2. Add a friendly name for your app into the **Title** box. In this example, it’s *Internet Explorer*. @@ -278,8 +278,8 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules* 1. From the **App Rules** area, click **Add**. The **Add App Rule** box appears. - - ![Microsoft Intune, Importing your AppLocker policy file using Intune](images/intune-add-applocker-xml-file.png) + + ![Microsoft Intune, Importing your AppLocker policy file using Intune](images/intune-add-applocker-xml-file.png) 2. Add a friendly name for your app into the **Title** box. In this example, it’s *Allowed app list*. @@ -370,8 +370,8 @@ There are no default locations included with WIP, you must add each of your netw Enterprise Cloud Resources - **With proxy:** contoso.sharepoint.com,proxy.contoso.com|
contoso.visualstudio.com,proxy.contoso.com

**Without proxy:** contoso.sharepoint.com|contoso.visualstudio.com - Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify an internal proxy server that routes your traffic through your Enterprise Internal Proxy Server.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: `URL <,proxy>|URL <,proxy>`.

If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the `/*AppCompat*/` string to this setting. For example: `URL <,proxy>|URL <,proxy>|/*AppCompat*/` + **With proxy:** contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

**Without proxy:** contoso.sharepoint.com|contoso.visualstudio.com + Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the /*AppCompat*/ string to this setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/ Enterprise Network Domain Names (Required) @@ -381,7 +381,7 @@ There are no default locations included with WIP, you must add each of your netw Enterprise Proxy Servers proxy.contoso.com:80;proxy2.contoso.com:137 - Specify your externally-facing proxy server addresses, along with the port through which traffic is allowed and protected with WIP.

This list shouldn’t include any servers listed in the Enterprise Internal Proxy Servers list, which are used for WIP-protected traffic.

This setting is also required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when you’re visiting another company and not on that company’s guest network.

If you have multiple resources, you must separate them using the ";" delimiter. + Specify your externally-facing proxy server addresses, along with the port through which traffic accesses the Internet.

This list must not include any servers listed in the Enterprise Internal Proxy Servers list, because they’re used for WIP-protected traffic.

TThis setting is also required if there’s a chance you could end up behind a proxy server on another network. In this situation, if you don't have a proxy server pre-defined, you might find that enterprise resources are unavailable to your client device, such as when you’re visiting another company and not on the guest network. To make sure this doesn’t happen, the client device also needs to be able to reach the pre-defined proxy server through the VPN network.

If you have multiple resources, you must separate them using the ";" delimiter. Enterprise Internal Proxy Servers diff --git a/windows/keep-secure/create-wip-policy-using-sccm.md b/windows/keep-secure/create-wip-policy-using-sccm.md index c66c433c22..6a3644945f 100644 --- a/windows/keep-secure/create-wip-policy-using-sccm.md +++ b/windows/keep-secure/create-wip-policy-using-sccm.md @@ -391,18 +391,18 @@ There are no default locations included with WIP, you must add each of your netw Enterprise Cloud Resources - **With proxy:** contoso.sharepoint.com,proxy.contoso.com|
contoso.visualstudio.com,proxy.contoso.com

**Without proxy:** contoso.sharepoint.com|contoso.visualstudio.com - Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify an internal proxy server that routes your traffic through your Enterprise Internal Proxy Server.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: `URL <,proxy>|URL <,proxy>`.

If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the `/*AppCompat*/` string to this setting. For example: `URL <,proxy>|URL <,proxy>|/*AppCompat*/` + **With proxy:** contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

**Without proxy:** contoso.sharepoint.com|contoso.visualstudio.com + Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the /*AppCompat*/ string to this setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/ Enterprise Network Domain Names (Required) corp.contoso.com,region.contoso.com - Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.

If you have multiple resources, you must separate them using the "," delimiter. + Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.

If you have multiple resources, you must separate them using the "," delimiter. Enterprise Proxy Servers proxy.contoso.com:80;proxy2.contoso.com:137 - Specify your externally-facing proxy server addresses, along with the port through which traffic is allowed and protected with WIP.

This list shouldn’t include any servers listed in the Enterprise Internal Proxy Servers list, which are used for WIP-protected traffic.

This setting is also required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when you’re visiting another company and not on that company’s guest network.

If you have multiple resources, you must separate them using the ";" delimiter. + Specify your externally-facing proxy server addresses, along with the port through which traffic accesses the Internet.

This list must not include any servers listed in the Enterprise Internal Proxy Servers list, because they’re used for WIP-protected traffic.

TThis setting is also required if there’s a chance you could end up behind a proxy server on another network. In this situation, if you don't have a proxy server pre-defined, you might find that enterprise resources are unavailable to your client device, such as when you’re visiting another company and not on the guest network. To make sure this doesn’t happen, the client device also needs to be able to reach the pre-defined proxy server through the VPN network.

If you have multiple resources, you must separate them using the ";" delimiter. Enterprise Internal Proxy Servers From a44d56df4c902d6c82af0404273448d036f8393f Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 20 Sep 2016 14:48:27 -0700 Subject: [PATCH 06/43] Fixed bolding issue --- windows/keep-secure/create-wip-policy-using-intune.md | 2 +- windows/keep-secure/create-wip-policy-using-sccm.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index df8c1913a4..741dba163e 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -370,7 +370,7 @@ There are no default locations included with WIP, you must add each of your netw Enterprise Cloud Resources - **With proxy:** contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

**Without proxy:** contoso.sharepoint.com|contoso.visualstudio.com + With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the /*AppCompat*/ string to this setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/ diff --git a/windows/keep-secure/create-wip-policy-using-sccm.md b/windows/keep-secure/create-wip-policy-using-sccm.md index 6a3644945f..6eedc8ed68 100644 --- a/windows/keep-secure/create-wip-policy-using-sccm.md +++ b/windows/keep-secure/create-wip-policy-using-sccm.md @@ -391,7 +391,7 @@ There are no default locations included with WIP, you must add each of your netw Enterprise Cloud Resources - **With proxy:** contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

**Without proxy:** contoso.sharepoint.com|contoso.visualstudio.com + With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the /*AppCompat*/ string to this setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/ From 1fd08de87b82101054ca6e7fa7bf3cdaa3505c1a Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 21 Sep 2016 09:22:09 -0700 Subject: [PATCH 07/43] Fixed broken HTML --- windows/keep-secure/create-wip-policy-using-intune.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index 741dba163e..ad3554faa5 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -371,7 +371,7 @@ There are no default locations included with WIP, you must add each of your netw Enterprise Cloud Resources With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com - Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the /*AppCompat*/ string to this setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/ + Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the /*AppCompat*/ string to this setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/ Enterprise Network Domain Names (Required) From ae56732e3c33396d41c18ee7fb71d1759d0e5965 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 21 Sep 2016 09:30:08 -0700 Subject: [PATCH 08/43] Updated to fix HTML typo --- windows/keep-secure/create-wip-policy-using-sccm.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/create-wip-policy-using-sccm.md b/windows/keep-secure/create-wip-policy-using-sccm.md index 6eedc8ed68..f6cd7f6688 100644 --- a/windows/keep-secure/create-wip-policy-using-sccm.md +++ b/windows/keep-secure/create-wip-policy-using-sccm.md @@ -392,7 +392,7 @@ There are no default locations included with WIP, you must add each of your netw Enterprise Cloud Resources With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com - Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the /*AppCompat*/ string to this setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/ + Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the /*AppCompat*/ string to this setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/ Enterprise Network Domain Names (Required) From e3358d52bb197d02fcc80c985bf2e2f2f511f466 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 21 Sep 2016 09:32:59 -0700 Subject: [PATCH 09/43] Fixed broken HTML formatting --- windows/keep-secure/create-wip-policy-using-intune.md | 2 +- windows/keep-secure/create-wip-policy-using-sccm.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index ad3554faa5..08f83ae4c2 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -371,7 +371,7 @@ There are no default locations included with WIP, you must add each of your netw Enterprise Cloud Resources With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com - Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the /*AppCompat*/ string to this setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/ + Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the /*AppCompat*/ string to this setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/ Enterprise Network Domain Names (Required) diff --git a/windows/keep-secure/create-wip-policy-using-sccm.md b/windows/keep-secure/create-wip-policy-using-sccm.md index f6cd7f6688..994ce96359 100644 --- a/windows/keep-secure/create-wip-policy-using-sccm.md +++ b/windows/keep-secure/create-wip-policy-using-sccm.md @@ -392,7 +392,7 @@ There are no default locations included with WIP, you must add each of your netw Enterprise Cloud Resources With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com - Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the /*AppCompat*/ string to this setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/ + Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the /*AppCompat*/ string to this setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/ Enterprise Network Domain Names (Required) From 13097560e8bc59c8e9346cf3b4dee272485282a4 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Wed, 21 Sep 2016 10:13:53 -0700 Subject: [PATCH 10/43] more content --- windows/deploy/windows-10-poc-mdt.md | 8 +- .../deploy/windows-10-poc-sc-config-mgr.md | 298 +++++++++++++++++- 2 files changed, 299 insertions(+), 7 deletions(-) diff --git a/windows/deploy/windows-10-poc-mdt.md b/windows/deploy/windows-10-poc-mdt.md index f347ea5c25..05589e281d 100644 --- a/windows/deploy/windows-10-poc-mdt.md +++ b/windows/deploy/windows-10-poc-mdt.md 
@@ -47,18 +47,18 @@ Description here. Stop-Process -Name Explorer ``` -## Create a deployment share +## Create a deployment share and reference image 1. In [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command: ``` Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso ``` -2. Connect to SRV1 and verify that the Windows Enterprise installation DVD is mounted as driver letter D. +2. Connect to SRV1 and verify that the Windows Enterprise installation DVD is mounted as drive letter D. -3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, click **Start**, type **deployment**, and then click **Deployment Workbench**. +3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, click **Start**, type **deployment**, and then click **Deployment Workbench**. -4. In the Deployment Workbench console, right-click Deployment Shares and select New Deployment Share. +4. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. 5. Use the following settings for the New Deployment Share Wizard: - Deployment share path: **C:\MDTBuildLab**
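Review bot: Step 3 is removed and re-added with no visible text change, which looks like a whitespace-only edit; drop it from the hunk unless the trailing-whitespace cleanup is intended. The renamed heading "Create a deployment share and reference image" now promises more than step 1 introduces ("The first step in creating a deployment share is to mount this file on SRV1"), so a short sentence under the heading saying that the same procedure goes on to build the reference image would help. Step 2 says "Windows Enterprise installation DVD" where step 1 says "Windows 10 Enterprise DVD"; use one name.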
diff --git a/windows/deploy/windows-10-poc-sc-config-mgr.md b/windows/deploy/windows-10-poc-sc-config-mgr.md index 9cbc19e0d6..77244eef9a 100644 --- a/windows/deploy/windows-10-poc-sc-config-mgr.md +++ b/windows/deploy/windows-10-poc-sc-config-mgr.md 
@@ -142,24 +142,316 @@ Description here. Depending on the speed of the Hyper-V host and resources allocated to SRV1, installation can require approximately one hour. Click **Close** when installation is complete. -## Install the Microsoft Deployment Toolkit (MDT) +## Download and install MDT 1. Download and install the 64-bit version of [Microsoft Deployment Toolkit (MDT) 2013 Update 2](https://www.microsoft.com/en-us/download/details.aspx?id=50407) on SRV1 using the default options. -2. If desired, re-enable IE Enhanced Security Configuration at this time: +2. If desired, re-enable IE Enhanced Security Configuration at this time on SRV1: ``` Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 1 Stop-Process -Name Explorer ``` +## Download MDOP and install DaRT + +1. Download the [Microsoft Desktop Optimization Pack 2015](https://msdn.microsoft.com/en-us/subscriptions/downloads/#ProductFamilyId=597) to the Hyper-V host using an MSDN subscription. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso) to the C:\VHD directory on the Hyper-V host. + +2. Type the following command at an elevated Windows PowerShell prompt on the Hyper-V host to mount the MDOP file on SRV1: + + ``` + Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso + ``` +3. Type the following command at an elevated Windows PowerShell prompt on SRV1: + + ``` + cmd /c "D:\DaRT\DaRT 10\Installers\en-us\x64\MSDaRT100.msi" + ``` +4. Install DaRT 10 using default settings. +5. 
Type the following commands at an elevated Windows PowerShell prompt on SRV1: + + ``` + Copy-Item "C:\Program Files\Microsoft DaRT\v10\Toolsx64.cab" -Destination "C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64" + Copy-Item "C:\Program Files\Microsoft DaRT\v10\Toolsx86.cab" -Destination "C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x86" + ``` + +## Create a folder structure + +1. Type the following commands at a Windows PowerShell prompt on SRV1: + + ``` + New-Item -ItemType Directory -Path "C:Sources\OSD\Boot" + New-Item -ItemType Directory -Path "C:Sources\OSD\OS" + New-Item -ItemType Directory -Path "C:\Sources\OSD\Settings" + New-Item -ItemType Directory -Path "C:\Sources\OSD\Branding" + New-SmbShare -Name Sources$ -Path C:\Sources -ChangeAccess EVERYONE + ``` + ## Enable MDT ConfigMgr integration 1. Click **Start**, type **configmgr**, and then click **Configure ConfigMgr Integration**. -2. Type PS1 next to **Site code**, and then click **Next**. +2. Type **PS1** next to **Site code**, and then click **Next**. 3. Verify **The process completed successfully** is displayed, and then click **Finish**. +## Configure client settings +1. Click **Start**, type **configuration manager**, right-click **Configuration Manager Console**, and then click **Pin to Taskbar**. +2. Click **Desktop**, and then launch the Configuration Manager console from the taskbar. +3. If the console notifies you that an update is available, click **OK**. It is not necessary to install updates to complete this lab. +4. In the console tree, open the **Administration** workspace and click **Client Settings**. +5. In the display pane, double-click **Default Client Settings**. +6. Click **Computer Agent**, next to **Organization name displayed in Software Center** type **Contoso**, and then click **OK**. + +## Enable PXE on the distribution point + +1. Deterime the MAC address of the internal network adapter on SRV1. 
To determine this, type the following command at an elevated Windows PowerShell prompt on SRV1: + +``` +(Get-NetAdapter "Ethernet").MacAddress +``` +>If the internal network adapter, assigned an IP address of 192.168.0.2, is not named "Ethernet" then replace the name "Ethernet" in the previous command with the name of this network adapter. + +2. In the System Center Configuration Manager console, in the **Administration** workspace, click **Distribution Points**. +3. In the display pane, right-click **SRV1.CONTOSO.COM** and then click **Properties**. +4. On the PXE tab, select the following settings: + - Enable PXE support for clients. Click **Yes** in the popup that appears. + - Allow this distribution point to respond to incoming PXE requests + - Enable unknown computer support. Click **OK** in the popup that appears. + - Require a password when computers use PXE + - Password and Confirm password: pass@word1 + - Respond to PXE requests on specific network interfaces: Enter the MAC address determined in the first step of this procedure. +5. Click **OK**. +6. Type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present: + + ``` + cmd /c dir /b C:\RemoteInstall\SMSBoot\x64 + + abortpxe.com + bootmgfw.efi + bootmgr.exe + pxeboot.com + pxeboot.n12 + wdsmgfw.efi + wdsnbp.com + ``` +>If these files are not present, type the following command at an elevated Windows PowerShell prompt to open the Configuration Manager Trace Log Tool. In the tool, click **File**, click **Open**, and then open the **distmgr.log** file. If errors are present, they will be highlighted in red: + +``` +Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe' +``` + +## Create a branding image file + +1. If you have a bitmap (.BMP) image for suitable use as a branding image, copy it to the C:\Sources\OSD\Branding folder on SRV1. Otherwise, use the following step to copy a simple branding image. +2. 
Type the following command at an elevated Windows PowerShell prompt: + + ``` + copy "C:\ProgramData\Microsoft\User Account Pictures\user.bmp" "C:\Sources\OSD\Branding\contoso.bmp" + ``` + >You can open C:\Sources\OSD\Branding\contoso.bmp in MSPaint.exe if desired to customize this image. + +## Create a boot image for Configuration Manager + +1. In the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Boot Images**, and then click **Create Boot Image using MDT**. +2. On the Package Source page, under **Package source folder to be created (UNC Path):**, type **\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then click **Next**. + - The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later. +3. On the General Settings page, type **Zero Touch WinPE x64** next to **Name**, and click **Next**. +4. On the Options page, under **Platform** choose **x64**, and click **Next**. +5. On the Components page, in addition to the default selection of **Microsoft Data Access Components (MDAC/ADO) support**, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox, and click **Next**. +6. On the Customization page, select the **Use a custom background bitmap file** checkbox, and under **UNC path**, type or browse to **\\SRV1\Sources$\OSD\Branding\contoso.bmp**, and then click **Next** twice. It will take a few minutes to generate the boot image. +7. Click **Finish**. +8. Right-click the **Zero Touch WinPE x64** boot image, and then click **Distribute Content**. +9. In the Distribute Content Wizard, click **Next**, click **Add** and select **Distribution Point**, select the **SRV1.CONTOSO.COM** checkbox, click **OK**, click **Next** twice, and then click **Close**. +10. Use the CMTrace application to view the **distmgr.log** file and verify that the boot image has been distributed. 
To open CMTrace, type the following command at an elevated Windows PowerShell prompt on SRV1: + + ``` + Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe' + ``` + >In the trace tool, click **Tools** on the menu and choose **Find**. Search for "**STATMSG: ID=2301**". For example: + + ``` + STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=2476 TID=4636 GMTDATE=Wed Sep 14 22:11:09.363 2016 ISTR0="Configuration Manager Client Upgrade Package" ISTR1="PS100003" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS100003" SMS_DISTRIBUTION_MANAGER 9/14/2016 3:11:09 PM 4636 (0x121C) + ``` +11. You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects**, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab. +12. In the **Software Library** workspace, double-click **Zero Touch WinPE x64** and then click the **Data Source** tab. +13. Select the **Deploy this boot image from the PXE-enabled distribution point** checkbox, and click **OK**. +14. Review the distmgr.log file again for "**STATMSG: ID=2301**" and verify that there are three folders under **C:\RemoteInstall\SMSImages** with boot images. See the following example: + + ``` + cmd /c dir /s /b C:\RemoteInstall\SMSImages + + C:\RemoteInstall\SMSImages\PS100004 + C:\RemoteInstall\SMSImages\PS100005 + C:\RemoteInstall\SMSImages\PS100006 + C:\RemoteInstall\SMSImages\PS100004\boot.PS100004.wim + C:\RemoteInstall\SMSImages\PS100005\boot.PS100005.wim + C:\RemoteInstall\SMSImages\PS100006\WinPE.PS100006.wim + ``` + + >The first two images (*.wim files) are default boot images. 
The third is the new boot image with DaRT. + +## Create a Windows 10 reference image + +If you have already completed steps in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then you have already created a Windows 10 reference image. Copy the reference image file (REFW10-X64-001.wim) from C:\MDTBuildLab\Captures\REFW10X64-001.wim to C:\Sources\OSD\OS\Windows 10 Enterprise x64\REFW10X64-001.wim. + +If you have not yet created a Windows 10 reference image, complete the following steps. + +1. In [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command: + + ``` + Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso + ``` +2. Verify that the Windows Enterprise installation DVD is mounted on SRV1 as drive letter D. + +3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, click **Start**, type **deployment**, and then click **Deployment Workbench**. + +4. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. + +5. Use the following settings for the New Deployment Share Wizard: + - Deployment share path: **C:\MDTBuildLab**
+ - Share name: **MDTBuildLab$**
+ - Deployment share description: **MDT build lab**
+ - Options: click **Next** to accept the default
+ - Summary: click **Next**
+ - Progress: settings will be applied
+ - Confirmation: click **Finish** + +6. Expand the **Deployment Shares** node, and then expand **MDT build lab**. + +7. Right-click the **Operating Systems** node, and then click **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and click **Finish**. + +7. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**. + +8. Use the following settings for the Import Operating System Wizard: + - OS Type: **Full set of source files**
+ - Source: **D:\\**
+ - Destination: **W10Ent_x64**
+ - Summary: click **Next** + - Confirmation: click **Finish** + +9. For purposes of this test lab, we will not add applications, such as Microsoft Office, to the deployment share. For information about adding applications, see the [Add applications](https://technet.microsoft.com/en-us/itpro/windows/deploy/create-a-windows-10-reference-image#sec03) section of the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) topic in the TechNet library. + +10. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node under **MDT Build Lab** and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + - Task sequence ID: **REFW10X64-001**
+ - Task sequence name: **Windows 10 Enterprise x64 Default Image**
+ - Task sequence comments: **Reference Build**
+ - Template: **Standard Client Task Sequence** + - Select OS: click **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim** + - Specify Product Key: **Do not specify a product key at this time** + - Full Name: **Contoso** + - Organization: **Contoso** + - Internet Explorer home page: **http://www.contoso.com** + - Admin Password: **Do not specify an Administrator password at this time** + - Summary: click **Next** + - Confirmation: click **Finish** + +11. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step. + +12. Click the **Task Sequence** tab. Under **State Restore** click **Tatto** to highlight it, then click **Add** and choose **New Group**. A new group will be added under Tattoo. + +13. On the Properties tab of the group that was created in the previous step, change the Name from New Group to **Custom Tasks (Pre-Windows Update)** and then click **Apply**. To see the name change, click **Tattoo**, then click the new group again. + +14. Click the **Custom Tasks (Pre-Windows Update)** group again, click **Add**, point to **Roles**, and then click **Install Roles and Features**. + +15. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then click **Apply**. + +16. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox. + >Note: Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications. + +17. Click **OK** to complete editing the task sequence. + +18. The next step is to configure the MDT deployment share rules. 
To configure rules in the Deployment Workbench, right-click MDT build lab (C:\MDTBuildLab) and click **Properties**, and then click the **Rules** tab. + +19. Replace the default rules with the following text: + + ``` + [Settings] + Priority=Default + + [Default] + _SMSTSORGNAME=Contoso + UserDataLocation=NONE + DoCapture=YES + OSInstall=Y + AdminPassword=pass@word1 + TimeZoneName=Pacific Standard Time + JoinWorkgroup=WORKGROUP + HideShell=YES + FinishAction=SHUTDOWN + DoNotCreateExtraPartition=YES + ApplyGPOPack=NO + SkipAdminPassword=YES + SkipProductKey=YES + SkipComputerName=YES + SkipDomainMembership=YES + SkipUserData=YES + SkipLocaleSelection=YES + SkipTaskSequence=NO + SkipTimeZone=YES + SkipApplications=YES + SkipBitLocker=YES + SkipSummary=YES + SkipRoles=YES + SkipCapture=NO + SkipFinalSummary=YES + ``` + +20. Click **Apply** and then click **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file: + + ``` + [Settings] + Priority=Default + + [Default] + DeployRoot=\\SRV1\MDTBuildLab$ + UserDomain=CONTOSO + UserID=administrator + UserPassword=pass@word1 + SkipBDDWelcome=YES + ``` + +21. Click **OK** to complete the configuration of the deployment share. + +22. Right-click **MDT build lab (C:\MDTBuildLab)** and then click **Update Deployment Share**. + +23. Accept all default values in the Update Deployment Share Wizard by clicking **Next**. The update process will take 5 to 10 minutes. When it has completed, click **Finish**. + +24. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. Note that in MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI). 
+ + >Hint: Top copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**. + +25. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands: + + ``` + New-VM –Name REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB + Set-VMMemory -VMName REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20 + Set-VMDvdDrive -VMName REFW10X64-001 -Path c:\VHD\LiteTouchPE_x86.iso + Start-VM REFW10X64-001 + vmconnect localhost REFW10X64-001 + ``` +26. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then click **Next**. + +27. Accept the default values on the Capture Image page, and click **Next**. Operating system installation will complete after 5 to 10 minutes and then the VM will reboot automatically. Allow the system to boot normally (do not press a key). The process is fully automated. + + Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures: + + - Install the Windows 10 Enterprise operating system. + - Install added applications, roles, and features. + - Update the operating system using Windows Update (or WSUS if optionally specified). + - Stage Windows PE on the local disk. + - Run System Preparation (Sysprep) and reboot into Windows PE. + - Capture the installation to a Windows Imaging (WIM) file. + - Turn off the virtual machine. + + This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host and your network's download speed. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on SRV1. The file name is **REFW10X64-001.wim**. 
+ +## Add a Windows 10 operating system image + +1. Type the following commands at an elevated Windows PowerShell prompt on SRV1: + +``` +New-Item -ItemType Directory -Path "C:Sources\OSD\OS\Windows 10 Enterprise x64" +``` ## Related Topics From 58aeb16136bc3c971b4265db92b21b81d5caa655 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Wed, 21 Sep 2016 10:43:06 -0700 Subject: [PATCH 11/43] more content --- windows/deploy/windows-10-poc.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deploy/windows-10-poc.md b/windows/deploy/windows-10-poc.md index 0c09c32918..b0ae64f27e 100644 --- a/windows/deploy/windows-10-poc.md +++ b/windows/deploy/windows-10-poc.md @@ -249,17 +249,17 @@ The lab architecture is summarized in the following diagram: ``` ### Resize VHD -The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 60GB to support imaging tools. +The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 80GB to support installing imaging tools and storing OS images. 1. To add available space for the partition, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: ``` - Resize-VHD –Path c:\VHD\2012R2-poc-2.vhd –SizeBytes 60GB + Resize-VHD –Path c:\VHD\2012R2-poc-2.vhd –SizeBytes 80GB $x = (Mount-VHD –Path c:\VHD\2012R2-poc-2.vhd -passthru | Get-Disk | Get-Partition | Get-Volume).DriveLetter Resize-Partition -DriveLetter $x -Size (Get-PartitionSupportedSize -DriveLetter $x).SizeMax ``` -2. Verify that the mounted VHD drive is resized to 60 GB, and then dismount the drive: +2. Verify that the mounted VHD drive is resized to 80 GB, and then dismount the drive: ``` Get-Volume -DriveLetter $x From 4ac4ea526ce84dab9c9960f61519efb796453199 Mon Sep 17 00:00:00 2001 
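Review bot: In the windows-10-poc-sc-config-mgr.md hunk (@@ -142,24 +142,316 @@), three added New-Item commands use the drive-relative path "C:Sources\..." with no backslash after the drive letter: "C:Sources\OSD\Boot" and "C:Sources\OSD\OS" under "Create a folder structure", and "C:Sources\OSD\OS\Windows 10 Enterprise x64" under "Add a Windows 10 operating system image". PowerShell resolves these against the current directory on drive C:, so from a prompt that is not sitting at the root the folders land outside C:\Sources, while the following New-SmbShare -Path C:\Sources and the later \\SRV1\Sources$\OSD\Boot UNC path assume they are under it. Change all three to "C:\Sources\...".

Further points in the same hunk. New-SmbShare -Name Sources$ -Path C:\Sources -ChangeAccess EVERYONE gives every account write access to the OS image and boot image sources, and the rules text and Bootstrap.ini put AdminPassword=pass@word1 and UserID=administrator / UserPassword=pass@word1 for CONTOSO in clear text in files that are read from the deployment share and used to build the LiteTouchPE ISO that step 24 copies off the server; the PXE password is the same value. The topic should state that these settings are for the isolated lab only, and ideally grant the share to a named group and use a dedicated deployment account rather than the domain administrator. "Create a Windows 10 reference image" tells readers to copy the WIM into C:\Sources\OSD\OS\Windows 10 Enterprise x64 before the step that creates that folder, and names the file both REFW10-X64-001.wim and REFW10X64-001.wim. Typos: "Deterime" (PXE step 1), "Tatto" (step 12), "Top copy" (hint after step 24); step number 7 is used twice. The Get-NetAdapter and cmtrace code fences in the PXE section are not indented under their list items, which will break the numbered list when rendered.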
From: jdeckerMS Date: Wed, 21 Sep 2016 10:55:36 -0700 Subject: [PATCH 12/43] temp --- devices/surface/TOC.md | 23 +++---- devices/surface/deploy.md | 93 +------------------------ devices/surface/keep-secure.md | 121 --------------------------------- devices/surface/update.md | 93 +------------------------ 4 files changed, 15 insertions(+), 315 deletions(-) delete mode 100644 devices/surface/keep-secure.md diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md index 0c7cfa1edd..eff3b9bb69 100644 --- a/devices/surface/TOC.md +++ b/devices/surface/TOC.md 
@@ -1,26 +1,25 @@ # [Surface](index.md) ## [Deploy Surface devices](deploy.md) -### [Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md) -### [Deploy Surface app with Windows Store for Business](deploy-surface-app-with-windows-store-for-business.md) ### [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) ### [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md) -### [Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md) +### [Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md) ### [Ethernet adapters and Surface deployment](ethernet-adapters-and-surface-device-deployment.md) +### [Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md) #### [Step by step: Surface Deployment Accelerator](step-by-step-surface-deployment-accelerator.md) #### [Using the Surface Deployment Accelerator deployment share](using-the-sda-deployment-share.md) -## [Keep Surface devices up-to-date](update.md) +## [Surface firmware and driver updates](update.md) ### [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) -### [Surface Dock Updater](surface-dock-updater.md) -### [Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md) ### [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md) -## [Keep Surface devices secure](keep-secure.md) -### [Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md) -### [Manage Surface UEFI settings](manage-surface-uefi-settings.md) +### [Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md) +### [Surface Dock Updater](surface-dock-updater.md) +## [Deploy Surface app with Windows Store for 
Business](deploy-surface-app-with-windows-store-for-business.md) +## [Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md) +## [Manage Surface UEFI settings](manage-surface-uefi-settings.md) ### [Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md) -### [Surface Enterprise Management Mode](surface-enterprise-management-mode.md) -### [Surface Data Eraser](microsoft-surface-data-eraser.md) -## [Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md) +## [Surface Enterprise Management Mode](surface-enterprise-management-mode.md) ### [Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md) ### [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md) +## [Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md) +## [Surface Data Eraser](microsoft-surface-data-eraser.md) diff --git a/devices/surface/deploy.md b/devices/surface/deploy.md index 5c299ff83e..7fe0c9a38e 100644 --- a/devices/surface/deploy.md +++ b/devices/surface/deploy.md @@ -1,5 +1,5 @@ --- -title: Surface (Surface) +title: Deploy Surface devices (Surface) description: ms.prod: w10 ms.mktglfcycl: manage @@ -8,100 +8,11 @@ ms.sitesec: library author: heatherpoulsen --- -# Surface +# Deploy Surface devices -## Purpose -This library provides guidance to help you deploy Windows on Surface devices, keep those devices up to date, and easily manage and support Surface devices in your organization. - -For more information on planning for, deploying, and managing Surface devices in your organization, see the [Surface TechCenter](https://technet.microsoft.com/en-us/windows/surface). - -## In this section - - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TopicDescription

[Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md)

Find out how to install and configure the v3.11.760.0 UEFI update to enable additional security options for Surface Pro 3 devices.

[Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md)

Walk through the process of customizing the Surface out-of-box experience for end users in your organization.

[Deploy Surface app with Windows Store for Business](deploy-surface-app-with-windows-store-for-business.md)

Find out how to add and download Surface app with Windows Store for Business, as well as install Surface app with PowerShell and MDT.

[Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md)

Walk through the recommended process of how to deploy Windows 10 to your Surface devices with the Microsoft Deployment Toolkit.

[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)

Get a list of the available downloads for Surface devices and links to download the drivers and firmware for your device.

[Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md)

Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device.

[Ethernet adapters and Surface deployment](ethernet-adapters-and-surface-device-deployment.md)

Get guidance and answers to help you perform a network deployment to Surface devices.

[Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)

Read about the different methods you can use to manage the process of Surface Dock firmware updates.

[Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)

Explore the available options to manage firmware and driver updates for Surface devices.

[Manage Surface UEFI settings](manage-surface-uefi-settings.md)

Use Surface UEFI settings to enable or disable devices, configure security settings, and adjust Surface device boot settings.

[Surface Data Eraser](microsoft-surface-data-eraser.md)

Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices.

[Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md)

See how Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices.

[Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md)

Find out how you can use the Microsoft Surface Diagnostic Toolkit to test the hardware of your Surface device.

[Surface Dock Updater](surface-dock-updater.md)

Get a detailed walkthrough of Microsoft Surface Dock Updater.

[Surface Enterprise Management Mode](surface-enterprise-management-mode.md)

See how this feature of Surface devices with Surface UEFI allows you to secure and manage firmware settings within your organization. -

[Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md)

Find out how to perform a Windows 10 upgrade deployment to your Surface devices.

-   ## Related topics diff --git a/devices/surface/keep-secure.md b/devices/surface/keep-secure.md deleted file mode 100644 index 5c299ff83e..0000000000 --- a/devices/surface/keep-secure.md +++ /dev/null @@ -1,121 +0,0 @@ ---- -title: Surface (Surface) -description: -ms.prod: w10 -ms.mktglfcycl: manage -ms.pagetype: surface, devices -ms.sitesec: library -author: heatherpoulsen ---- - -# Surface - - -## Purpose - - -This library provides guidance to help you deploy Windows on Surface devices, keep those devices up to date, and easily manage and support Surface devices in your organization. - -For more information on planning for, deploying, and managing Surface devices in your organization, see the [Surface TechCenter](https://technet.microsoft.com/en-us/windows/surface). - -## In this section - - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TopicDescription

[Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md)

Find out how to install and configure the v3.11.760.0 UEFI update to enable additional security options for Surface Pro 3 devices.

[Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md)

Walk through the process of customizing the Surface out-of-box experience for end users in your organization.

[Deploy Surface app with Windows Store for Business](deploy-surface-app-with-windows-store-for-business.md)

Find out how to add and download Surface app with Windows Store for Business, as well as install Surface app with PowerShell and MDT.

[Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md)

Walk through the recommended process of how to deploy Windows 10 to your Surface devices with the Microsoft Deployment Toolkit.

[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)

Get a list of the available downloads for Surface devices and links to download the drivers and firmware for your device.

[Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md)

Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device.

[Ethernet adapters and Surface deployment](ethernet-adapters-and-surface-device-deployment.md)

Get guidance and answers to help you perform a network deployment to Surface devices.

[Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)

Read about the different methods you can use to manage the process of Surface Dock firmware updates.

[Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)

Explore the available options to manage firmware and driver updates for Surface devices.

[Manage Surface UEFI settings](manage-surface-uefi-settings.md)

Use Surface UEFI settings to enable or disable devices, configure security settings, and adjust Surface device boot settings.

[Surface Data Eraser](microsoft-surface-data-eraser.md)

Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices.

[Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md)

See how Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices.

[Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md)

Find out how you can use the Microsoft Surface Diagnostic Toolkit to test the hardware of your Surface device.

[Surface Dock Updater](surface-dock-updater.md)

Get a detailed walkthrough of Microsoft Surface Dock Updater.

[Surface Enterprise Management Mode](surface-enterprise-management-mode.md)

See how this feature of Surface devices with Surface UEFI allows you to secure and manage firmware settings within your organization. -

[Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md)

Find out how to perform a Windows 10 upgrade deployment to your Surface devices.

- -  - -## Related topics - - -[Surface TechCenter](https://technet.microsoft.com/windows/surface) - -[Surface for IT pros blog](http://blogs.technet.com/b/surface/) - -  - -  - - - - - diff --git a/devices/surface/update.md b/devices/surface/update.md index 5c299ff83e..1852692c3e 100644 --- a/devices/surface/update.md +++ b/devices/surface/update.md @@ -1,5 +1,5 @@ --- -title: Surface (Surface) +title: Surface firmware and driver updates (Surface) description: ms.prod: w10 ms.mktglfcycl: manage @@ -8,100 +8,11 @@ ms.sitesec: library author: heatherpoulsen --- -# Surface +# Surface firmware and driver updates -## Purpose -This library provides guidance to help you deploy Windows on Surface devices, keep those devices up to date, and easily manage and support Surface devices in your organization. - -For more information on planning for, deploying, and managing Surface devices in your organization, see the [Surface TechCenter](https://technet.microsoft.com/en-us/windows/surface). - -## In this section - - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TopicDescription

[Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md)

Find out how to install and configure the v3.11.760.0 UEFI update to enable additional security options for Surface Pro 3 devices.

[Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md)

Walk through the process of customizing the Surface out-of-box experience for end users in your organization.

[Deploy Surface app with Windows Store for Business](deploy-surface-app-with-windows-store-for-business.md)

Find out how to add and download Surface app with Windows Store for Business, as well as install Surface app with PowerShell and MDT.

[Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md)

Walk through the recommended process of how to deploy Windows 10 to your Surface devices with the Microsoft Deployment Toolkit.

[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)

Get a list of the available downloads for Surface devices and links to download the drivers and firmware for your device.

[Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md)

Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device.

[Ethernet adapters and Surface deployment](ethernet-adapters-and-surface-device-deployment.md)

Get guidance and answers to help you perform a network deployment to Surface devices.

[Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)

Read about the different methods you can use to manage the process of Surface Dock firmware updates.

[Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)

Explore the available options to manage firmware and driver updates for Surface devices.

[Manage Surface UEFI settings](manage-surface-uefi-settings.md)

Use Surface UEFI settings to enable or disable devices, configure security settings, and adjust Surface device boot settings.

[Surface Data Eraser](microsoft-surface-data-eraser.md)

Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices.

[Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md)

See how Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices.

[Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md)

Find out how you can use the Microsoft Surface Diagnostic Toolkit to test the hardware of your Surface device.

[Surface Dock Updater](surface-dock-updater.md)

Get a detailed walkthrough of Microsoft Surface Dock Updater.

[Surface Enterprise Management Mode](surface-enterprise-management-mode.md)

See how this feature of Surface devices with Surface UEFI allows you to secure and manage firmware settings within your organization. -

[Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md)

Find out how to perform a Windows 10 upgrade deployment to your Surface devices.

-   ## Related topics From 3e7e47f292a30190d7f34550022dc42121c761b0 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Wed, 21 Sep 2016 11:14:06 -0700 Subject: [PATCH 13/43] restage for review --- devices/surface/index.md | 96 ++++++---------------------------------- 1 file changed, 14 insertions(+), 82 deletions(-) diff --git a/devices/surface/index.md b/devices/surface/index.md index 20b688e39b..e163db015d 100644 --- a/devices/surface/index.md +++ b/devices/surface/index.md 
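Review bot: the second hunk of devices/surface/update.md (`@@ -8,100 +8,11 @@`) removes the whole "In this section" table and adds nothing in its place, so the retitled "Surface firmware and driver updates" page is left with a heading and "Related topics" only. Add the links this page is meant to own in the same commit (for example the removed rows for "Manage Surface Dock firmware updates" and "Manage Surface driver and firmware updates"), and fill in the `description:` front-matter field, which the first hunk leaves empty.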
@@ -12,96 +12,28 @@ author: heatherpoulsen # Surface -## Purpose - - This library provides guidance to help you deploy Windows on Surface devices, keep those devices up to date, and easily manage and support Surface devices in your organization. For more information on planning for, deploying, and managing Surface devices in your organization, see the [Surface TechCenter](https://technet.microsoft.com/en-us/windows/surface). ## In this section +| Topic | Description | +| --- | --- | +| [Deploy Surface devices](deploy.md) | tba | +| [Surface firmware and driver updates](update.md) | tba | +| [Deploy Surface app with Windows Store for Business](deploy-surface-app-with-windows-store-for-business.md) | Find out how to add and download Surface app with Windows Store for Business, as well as install Surface app with PowerShell and MDT. | +| [Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md) | Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device. | +| [Manage Surface UEFI settings](manage-surface-uefi-settings.md) | Use Surface UEFI settings to enable or disable devices, configure security settings, and adjust Surface device boot settings. | +| [Surface Enterprise Management Mode](surface-enterprise-management-mode.md) | See how this feature of Surface devices with Surface UEFI allows you to secure and manage firmware settings within your organization. | +| [Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md) | Find out how you can use the Microsoft Surface Diagnostic Toolkit to test the hardware of your Surface device. | +| [Surface Data Eraser](microsoft-surface-data-eraser.md) | Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices. | + + + + - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TopicDescription

[Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md)

Find out how to install and configure the v3.11.760.0 UEFI update to enable additional security options for Surface Pro 3 devices.

[Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md)

Walk through the process of customizing the Surface out-of-box experience for end users in your organization.

[Deploy Surface app with Windows Store for Business](deploy-surface-app-with-windows-store-for-business.md)

Find out how to add and download Surface app with Windows Store for Business, as well as install Surface app with PowerShell and MDT.

[Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md)

Walk through the recommended process of how to deploy Windows 10 to your Surface devices with the Microsoft Deployment Toolkit.

[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)

Get a list of the available downloads for Surface devices and links to download the drivers and firmware for your device.

[Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md)

Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device.

[Ethernet adapters and Surface deployment](ethernet-adapters-and-surface-device-deployment.md)

Get guidance and answers to help you perform a network deployment to Surface devices.

[Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)

Read about the different methods you can use to manage the process of Surface Dock firmware updates.

[Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)

Explore the available options to manage firmware and driver updates for Surface devices.

[Manage Surface UEFI settings](manage-surface-uefi-settings.md)

Use Surface UEFI settings to enable or disable devices, configure security settings, and adjust Surface device boot settings.

[Surface Data Eraser](microsoft-surface-data-eraser.md)

Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices.

[Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md)

See how Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices.

[Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md)

Find out how you can use the Microsoft Surface Diagnostic Toolkit to test the hardware of your Surface device.

[Surface Dock Updater](surface-dock-updater.md)

Get a detailed walkthrough of Microsoft Surface Dock Updater.

[Surface Enterprise Management Mode](surface-enterprise-management-mode.md)

See how this feature of Surface devices with Surface UEFI allows you to secure and manage firmware settings within your organization. -

[Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md)

Find out how to perform a Windows 10 upgrade deployment to your Surface devices.

  From 91f02e441e61af5ef2c39fec855172fadfd51e28 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 21 Sep 2016 12:51:04 -0700 Subject: [PATCH 14/43] Added new limitations topic --- windows/keep-secure/TOC.md | 1 + .../guidance-and-best-practices-wip.md | 3 +- windows/keep-secure/limitations-with-wip.md | 72 +++++++++++++++++++ 3 files changed, 75 insertions(+), 1 deletion(-) create mode 100644 windows/keep-secure/limitations-with-wip.md diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 57a7d44fcf..c43b7b759f 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -35,6 +35,7 @@ #### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md) #### [Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) #### [Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md) +#### [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) ## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) ## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) ## [VPN profile options](vpn-profile-options.md) diff --git a/windows/keep-secure/guidance-and-best-practices-wip.md b/windows/keep-secure/guidance-and-best-practices-wip.md index b64a82a6e0..b91386f0c0 100644 --- a/windows/keep-secure/guidance-and-best-practices-wip.md +++ b/windows/keep-secure/guidance-and-best-practices-wip.md 
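Review bot: in devices/surface/index.md (`@@ -12,96 +12,28 @@`) the new rows for deploy.md and update.md ship with the placeholder description "tba", and the hunk drops the direct links to security-relevant topics such as "Advanced UEFI security features for Surface Pro 3" without showing where they now live. Replace "tba" with real descriptions and confirm that every removed row is still reachable from deploy.md or update.md before this is published; the run of empty added lines after the new table can also be trimmed.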
@@ -25,4 +25,5 @@ This section includes info about the enlightened Microsoft apps, including how t |[Windows Information Protection (WIP) overview](wip-enterprise-overview.md) |High-level overview info about why to use WIP, the enterprise scenarios, and how to turn it off. | |[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |A list of all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise. | |[Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list. | -|[Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md) |We've come up with a list of suggested testing scenarios that you can use to test WIP in your company. | \ No newline at end of file +|[Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md) |We've come up with a list of suggested testing scenarios that you can use to test WIP in your company. | +|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |The most common problems you might encounter while using Windows Information Protection (WIP). | \ No newline at end of file diff --git a/windows/keep-secure/limitations-with-wip.md b/windows/keep-secure/limitations-with-wip.md new file mode 100644 index 0000000000..07244d94d6 --- /dev/null +++ b/windows/keep-secure/limitations-with-wip.md 
@@ -0,0 +1,72 @@ +--- +title: Limitations while using Windows Information Protection (WIP) (Windows 10) +description: This section includes info about the common problems you might encounter while using Windows Information Protection (WIP). +keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +author: eross-msft +localizationpriority: high +--- + +# Limitations while using Windows Information Protection (WIP) +**Applies to:** + +- Windows 10, version 1607 +- Windows 10 Mobile + +This table provides info about the most common problems you might encounter while running WIP in your organization. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
LimitationHow it appearsWorkaround
Enterprise data on USB drives is tied to the device it was protected on.Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text.Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.

We strongly recommend educating employees about how to limit or eliminate the need for this decryption.

Direct Access is incompatible with WIP.Direct Access might experience problems with how WIP enforces app behavior and data movement because of how WIP determines what is and isn’t a corporate network resource.We recommend that you use VPN for client access to your intranet resources.

Note
VPN is optional and isn’t required by WIP.

NetworkIsolation Group Policy setting is incompatible with WIP.The NetworkIsolation Group Policy setting has incompatible network settings that can conflict and cause problems with WIP.We recommend that you don’t use the NetworkIsolation Group Policy setting.
Cortana can potentially allow data leakage if it’s on the allowed apps list.Don’t add Cortana to your allowed apps list.
WIP is designed for use by a single user per device.A secondary user on a device might experience app compat issues when unenlightened apps start to automatically encrypt for all users. Additionally, only the initial, enrolled user’s content can be revoked during the unenrollment process.We recommend only having one user per managed device.
Installers copied from an enterprise network file share might not work properly.An app might fail to properly install because it can’t read a necessary configuration or data file, such as a .cab or .xml file needed for installation, which was protected by the copy action.To fix this, you can: +
    +
  1. Start the installer directly from the file share.

    -OR-

  2. +
  3. Decrypt the locally copied files needed by the installer.

    -OR-

  4. +
  5. Mark the file share with the installation media as “personal”. To do this, you’ll need to set the Enterprise IP ranges as Authoritative and then exclude the IP address of the file server, or you’ll need to put the file server on the Enterprise Proxy Server list.
  6. +
Changing your primary Corporate Identity isn’t supported.You may experience various instabilities, including but not limited to network and file access failures, and potentially granting incorrect access.Turn off WIP for all devices before changing the primary Corporate Identity (first entry in the list), restarting, and finally redeploying.
Redirected folders with Client Side Caching are not compatible with WIP.Apps might encounter access errors while attempting to read a cached, offline file.Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.
From 1ed747d070a2767df48ebe219ec38c20bdb2f5ff Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Wed, 21 Sep 2016 12:58:30 -0700 Subject: [PATCH 15/43] remove zombie graphic --- windows/manage/waas-overview.md | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/windows/manage/waas-overview.md b/windows/manage/waas-overview.md index 458592eaa4..22c34f8e05 100644 --- a/windows/manage/waas-overview.md +++ b/windows/manage/waas-overview.md 
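Review bot: in windows/keep-secure/limitations-with-wip.md, the third installer workaround (Mark the file share with the installation media as "personal") is applied by excluding the file server's IP address or by putting the file server on the Enterprise Proxy Server list, so it changes how WIP treats everything on that server, not only the installation share. State that consequence in the row and recommend the option only for a server that holds no enterprise data. Smaller points in the same table: the Cortana row appears to fill only two of the three columns, and the product name is written "Direct Access" where Microsoft spells it DirectAccess.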
@@ -95,17 +95,6 @@ When Microsoft officially releases a feature update for Windows 10, that update Organizations typically prefer to have a testing cycle before broadly deploying new features to business users. For Windows 10, most pilot testing will be done using the CB servicing branch. In contrast, the CBB servicing branch is typically used for broad deployment. Windows 10 clients in the CBB servicing branch receive the same build of Windows 10 as those in the CB servicing branch, just at a later time. CB releases are transitioned to CBB after about 4 months, indicating that Microsoft, independent software vendors (ISVs), partners, and customers believe that the release is ready for broad deployment. Therefore, CB and CBB have an inherent “staging” effect. Both of these branches have a purpose in the overall deployment process for an enterprise, providing another layer of testing capabilities in addition to the traditional phased deployment methods to specific groups of machines. Microsoft will support two CBB builds at a time, plus a 60 day grace period. Each feature update release will be supported and updated for a minimum of 18 months. -Figure 2 outlines an example release cycle for Windows 10 feature updates and shows how updates transition from development to the CB and CBB servicing branches. As shown in the key, the dark blue **Evaluate** region represents the time during which a feature update is in development. These builds are accessible for testing through the Windows Insider Program. For details about how to access pre-released builds by enrolling in the Windows Insider Program, see the section Windows Insider. - -The diamond **Release** on each build represents the point at which Microsoft releases a feature update to the CB servicing branch. It identifies the start of the testing, or **Pilot**, phase. The 4 months in this phase is the approximate amount of time before Microsoft releases the feature update to the CBB servicing branch. 
The **Deploy and Use** phase represents the broad deployment of the Windows 10 feature update to the clients in the CBB servicing branch. Machines are divided into deployment rings, as discussed in the section Ongoing deployment process. - -Finally, when a build’s support has ended, as represented by the **arrows**, organizations have a 60 day **grace** period to update to a newer release. - -**Figure 2** - -![Example release cycle](images/waas-overview-timeline1.png) - - >[!NOTE] >Organizations can electively delay CB and CBB updates into as many phases as they wish by using one of the servicing tools mentioned in the section Servicing tools. From c6a53fe87553c67b16a8363876b983bcc93bb8e6 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Wed, 21 Sep 2016 12:59:25 -0700 Subject: [PATCH 16/43] delete zombie graphic from repo --- .../manage/images/waas-overview-timeline1.png | Bin 57236 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 windows/manage/images/waas-overview-timeline1.png 
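Review bot: in windows/manage/waas-overview.md (`@@ -95,17 +95,6 @@`) the removal takes out more than the image: the paragraphs defining the **Evaluate**, **Pilot** and **Deploy and Use** phases and the pointers to the Windows Insider and "Ongoing deployment process" sections go with it. If only the graphic is obsolete, keep those explanations, reworded so they no longer refer to a figure, and check the rest of the file for remaining references to Figure 2 or for later figures that need renumbering.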
diff --git a/windows/manage/images/waas-overview-timeline1.png b/windows/manage/images/waas-overview-timeline1.png deleted file mode 100644 index 1ab6bd6e972e4c041acfd1c27487a45d1db12af1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 57236
zoImE|;T9SV{%-a77bz(9KT6@+PI5Wl&{O#23gTP_wf;3Zp852wNpAjLr1VfUwSF2! zhCVF?w^BAKJ&!DEnLg_OE6r=hFCX!m22b8P4V`f7rkUox37D*5zZas!VGgGqx@Q<0 zl*aUsuOQ@>=E@^?J7AavShcZd`|8rXsw>)u+u2D93v}VTo+`yQ%Inhai(;jw|Pq8_~9_>JNbJ^8ZsR-#f{NO@U4cal!%| z$fWWd;gntJAP`68mlat~_P@Y7T243u^~x^2;aOu-M6M^xZ+2m_J)` zAh?~x-4scRAxail>8iRX+}<7?s!dR=D^|XT%gTJ51&4geV)!ECtOIw_mx~=~f5@76 z|L@*woP{`WGgrT1##0+-!O9_;Ks(wf&h#E1kd1H?gnAq?YirB@Q2W#UY|MoF&mCGi z$6xbg%pZL@%Iif>rAaV5)m*4UaZXwGj}%e%Q#O1%i`uS14|8MvKcJU@DMfAzQqSye`XRVGeH>lOyd`kZ3cI`a%mnHPmM_*<@-fr< z`!PnrL2rwK1c)pFAV&cr8#SB2=p}w;KSN0U;(4JgEMZdU=fD_A zg(_+w_ibIQgRHd}Wl~TagxT?BbviO#C{R;d3b}7D#7)a@+5e|TcPydjqE>DZes%}> zdQ@hXm54(CvO~?M;N+e5L;?cOd&g^OS65gYXnyi?Z8YZK;RzP)rP^c{MZNQtiKd0Q z%yu^I6IK}W9bBw4;P@!NYAloifLa7sbe^P`A{fLh>Uu~f1%F!+O76*didgv?VfJ)C zW|p`m8ofzPj6jAhhgmk3hS*PnfO=hZtnPoy?2Fd2{?2*9XUqM5sX#F^KPr%@UDLH3 zN5Bt^rgZ}Lb$L->Mv{L7FXgXHjJ8mRf+B0d$s1jU+v1Nj%SZLLy*99h`?sa}=CvZ4 z9v{@BczP(`12BHsc@Qj2`37!ASxeanT+nX3o>=aIg0xaBq5N z%>SBl^s5m!C0eBgje9kRB)kjS0u)G7ge%Hk5|KuOSVNFV*UEEDl5r4D>g#OBB$~Td zMDXk>5G#He;}b<}j!g6>HTZfS`Uy$AdX?n`PDdET5%M;35x;Ya$8Law%+)Q zm{&iRhuHXHc>;aDfBNghkj~+PzPJd@^74RZe>X0fJ3%R?2`#dG!MZvT&Iwx=3uQPb z`MvJ_!_;Vqh(z>J;>)e%i6{2ifd@!qc1D0iZOSJIT5pB8|)`~ccsCsdWxl@u#V~GzLfpzgUUjdH;Zq&Lr5vy8tBoiI0F&-a= zNQrHG)l$gNm>bM{QzdJp)!vth{|^b$W+sOw`%cR^F?7Jy6+vLcBViDG!eXa0sQ}0KojKvGZNi!w z!E3~~x79TC^%R@pM=tLPxMh>)YxEk(3D`u*Fv;ar$$9N*d<*@ih8^q$z10do3Dnv2 znlt|~n8t9A`Hz280{MvlVuBNe$e31ZNr=HwIQXmMSvM^MyP)o`!44biPY*BBr=24U zc>}p-l6sC<>S*!cu_JcI$D;eHzT+{L1cOvhIyG*GU%$^fQKCEx);|2IwYaoVwRrQS z-}q=kQ_zKYIj%t2_H$_#+m(?*c7?^>Sr7Wv@DhBtt@yPrH}*-F%60|(jWA0vwd7?7$ zThDJZjT%Q=xh#OUsmLW7!{iKxe;diZk#`cocWbi9C?^`Z-xS3#IFwD5_zr(2!ggP* zPzGIU8Hf13EddwLla$u*`+I*0!btIJ8Iz3ahiE4ob;F_H>c+Y;Z{YDM*bVdR6Utj$ z$RN5h!=Ht0LDrCaM7(@gb(2wH?24dCnZ0Bdyh z?;(qh$3cCKP(^}8g8~A>ruiLO!(G#i8RE|GD|x&Of%xRSH3X-kC#RnC-aR4{E@zk- zsXYpMZNDwV$C82JczVUBg3Bj>;*nZ1{Kx{$^O(O4BnaA}rSmmf1b{6;%3uJXB${qd z3c$H2skk~JVJHePuAo5!b94)i%$|3L0y0Tl?WE-7d{Ed4>gm~GN&y$LCGeuAWfAXV 
z{pmr^HJukh;Mg9zs+*xN)5y5Fb37U{2L{x;AE-Ibg}G8MirC*ko<3jn^l^(qamdjZ zr2sNN6A(H{D~EuCuq3L$ye|3$Y!*>Vd*5(N*57$Yed%@3Eb%9Um&#%hQfbg6UHTy# zRM-QCXYG|@QQ>Da&N0y|vecQ4#_-zEEzvMR671~YimF|7;Ae-j`2un{KkC}<}(kf zF&pU&Qk*ZiaHitE`j+9Pm~Smz@^%dhQB^P&7Go$YC>x{`NU-R?KVNkbxjVA~s|yzK z#}V^0^SBby8Fzq^AoK)vjK!+Ef_j`sfa^v(crIaQL;eaM1Fj7D`V25*RJk8dvMRMw zLoj#Lc7OA7R>9}Hk>Eh9CeqIJNugORtbU^Nz=pK6BDZgkvFDqZHkP$V zz%^hU1hRxFUhRzS+e)xsd|)CK=nTf>%=qS1Dn&AanXE&ADaurYPWO74FL<}Y$i2C+ z=PUiJUOv@G*Uum$c`HI&APc)0+%R6dy?% zqOr~F;OSY>Bx@qhY!OL>Ubkr|#@%N_IQ`5f+3g3&0aDA1mlsc`TZs}IZg>HqsGir# z^J*TgSzp&Ee}gO}xqv(5-R2rF-$)Rv9n8*xH@%K7%89D^KYs!xPgPO^$F|_bh_q)$vR)O{N;0R(4=~X}S+| zyn`@d$eGVFB>|BND6$Ya+zp``k2;G`H!WXRrrPo1jl3aJ?TXl$4T7Q+hZ0XV%i(N5 zI2{Vs9yX5L9cY)SLgm|Lu{_npsRMfYxTVJ^)$OE`zJgqxd16MV>XhD1I4C8)gE6If zj{K^5X?2P?w2mMsZGe}buhd+^gJ@=GevP2TB?y{&MZo*AfOKziRY(Igbdn821aQzNX##W z?l@*_7gI1H3-?5f<o>|MvY5Q#s&Q4OG6%Z>->zZUWg%h+LsidTrAL<6?m4gtSE}(1et_oXe!p^9MyvF0pk*L5E;%(1c1r`#vv7Uk_ zlCC(mNh+PK!|@#)6ewW44@J0Ouf~G;`8(Amh0Ku5?heTo*;-#(wqN@HM3JIL6_oY< zRR4{sT-5b@4OD=&(SZ|wJ{#P^YH5L7R5n^u^EIy|yn;H6IDjWabcR0 zOyKlXd&iY$+i@k4w%-md8Un>>cm3H_Aks#nYNbQ-SR@(@^nH5d{z4Bvay#Jq*G~EdI79jjjrE%v+ zsNMP}Cw;}eOF-k>afQ+KH=qfZVh0OU&43Pn>%6B?pID_Ph9*QBAD#$MOA_Q%6%fMW$acXKy}zstg%7#54J znBc6LL{69{rIU&+yJ9yu7r^&0V^_jsXFchbaA&i<@nb|wP*|&1;){?L$Nd6MS*}I= z8v{V6g$)0@UtxXk?c4<12moLz!yxZFLQn>8ficH0y^9`S5)+W-pv-q~;_}P8#5@zr zfw8VNB3^JNd>#j{AZzq-`LeisG}u1*&+6GZG#4OH|KHS2_t`TSFX4!}G{K66Vo~5H zKEu$8LC{RiY1TL56-lO&VPk>U)6j)!5?T}v7qHj=GuE$Pvlit8T_V3U*ujAuvHj%W z^cGeoIL>_;O%f*7bnf0xoAKA(dFC)ne0K4h3<* z3L6}Z(+_e+WF)f7kBDDzqOb$sx59#WPw@wim!{;7>Hwx#%}8ldrWlLW#gWx{DvTmb z#VD}FR!dMb4QY_q`=6;r5#r0MI4LSB`|aDJ?K|XjowsVYNHBIODLM9iU(AxV3pH5| z^o2*Eb;)OwNs)s&?Fe`LL+c$040qivfOWWa&JiS#upM8Lx^(A)>dobB;8Ie+4>ahE z@k17)6LM5fRQmy8k7g^aDL8?PkfCNS+2);p%lyA>>%Re4-xS1$wtJ!{{M`r--ldaU zW?RoJZTO9 zT>?FU$_TTKBu|)}O@jPJ9Ctwem`#-FtE_4-hgXpd!1d3eKNUHf3HO#3%@&j1?ofUo z51S_`va0U)k9l=iC6W7(Nt=yCGZoPV99N1|hP!;`A$MIKz)a((h|vvTJ&JruacnF2 
zsmr3%dSz&~LlZF?N-7DLo!LrTEKI0`9;@a8(PT-u2CgR@c&Sz_alA->`u8e38yY~! z3c7+VqDx1|Fpb1zQd=HDq9W4M$DF7Zx#}OU_i;O=dCfpxRy;^U8FgkIEEsZ`SIHUQDw`07l1 z%ho63J3@bY-2SAi1=?DPPS$Q%vIU>a3WAhAC*CQjMiu?!fiiZWSCdfmAdI<={~eFM zi;i6kds(-#jxVb7Igov3A@owthV03M!=#32=sDO1`56~A2L;N|{61u%+h^CkyojAE zqpF!nSPeEus_q|oM?AbbkG(S+2h|4tt5DoK+Lk|uxrS5q(W+b?_doyQ>W30p3*5sMTowr>Gv z8p?xSM2Y8v-sNJ=Z1~YMqji+0h;_Q2gU-qOYsttBSpRK&8c}O^p7AVsi!py&h{DLO zvUq$g7I$PNXVuB13~eBv6hqj9zl}hi+ck5F*ii<*G4Ko&i(n~lOT=ECVK1aroXA5O zx7nD19M>I#Ca>v-CNC%PFr>~LkNCb zT8fsPT__^*;~9%LCmUSbG-ZL@f%Gr;zy6l97SR`4_-a}wv90d@OGyMTAC_B7-D(@M zDm|4r2Mn1n*Wy28?4l^O5GM0sNu6H4_cF=SxhV4t<2DTMdNY1`Nbk}Ha+;N94M~nq6oquA9{waGo(eC^J z@_HQKY(5wxN&P@#F|SCtRiujLpMIPSoBmn0JcL~G0)&rU9Y|cAop5=29R#k#n$ZE^ zTZ#h?!SwGs72DXpM2r<3&1UM!bdtd&u*+3{E6O?s3l=JxG2Dr@RJdd3UU;r* zWr(6|y+}L(VF?72ykZ$PWZZEZ7`7MrG@0ouF7B~nChP2+s4B4l(qdf#)Pk!YC<|UXcUtX*{nX6&QI1-VE`$9id z8&HMeN$A2s=3LuYi3U|)BX8M=YNp#f9kdBq@5Wu}tb^F! z9EyO$WUq>tM<_&O9j9i6?{Gf!N(13BKp$m)Bw4Abn1EP11f>#-6~_O<*sVPijasvc z<#op(?BgU%*QOuv2P6mGjFgWJMP{W4Z9pAyxG-`|nRmcta6RBshaa=@EM!|6^k>`X(; zp|sQ^BVxb7GGZegllTMP=t1qceU-sd*VQGsXy5sw<8%Pg`Z5IFx_a1Fe-6a}wdiY57Rul-wR-5<4f9qSd9lxzh*nOEUo^^mZ_ z&2WcC<^eB|_~<-#JjpfKN|Cl7S?})YSIzNzY0mUzrcXRyJGvH2y^jmm2~2u9`nlfe z=PB}qHf?1oBF0!j0Vg15X0o<%(LJv$z!4HT4so-!fXd--&q&Eza`#v@VD&?g8BSCK zFj9YT-}=@`+j?{J_j*b}eW#fV8+>dj=N$d0&d&YAK48ab_z~9AmuQK)+2N{jrkEP^ zlIovn_+Q%W33`;o4!&Y!f6lAn7*;K?PhStP#$~mGuN<3QfTig;k+pm^pLXo}7R#b3 z#b6z#?ef(XkPyj^;eMA~Kwn$Ykm4L3Zd_-^b^_vMxNFdT6FD#F|GurIyO@V6qr$cD zC$aYDw&Kqu)D|m=i#m{E=8&Z_JvTyNJU-orjVO8TSLVd4gOVw#+}Ew)+y^tR$IbFy zC()L|D5qHyg^&A^7-jG$dduIMqI_#U;8>)MGr?JuP=-gom;*VpU3-fnBg zvKLCiqHO65O3lRY0$JT@GHa9x%v@%X6J5E_P0k|6(V$w})7q@>R@4heYjetS;9LTE z7MRC;HbAEcQv10|2I}2^=ecHcAs0}Xe!-$Ls z@#@OxmgRNL6Fu|XGC}W;WAC3hqv0wo^dwB#icCtBthJDr5|-|lI$}=G57{6Mkx|ay z1dMi@xi-I(Tb|70X1Q}3c7~_e*5Ql`*!QUTP;Mj3-l`%Zh}kjk>K~L-uBv1+(>4<-iaA_g`GT zBosf(+34Z7_RLo2R`U+%nFcsL@2HFEW8L}`uvKn9f&k1Kn#cEEIn^2e3xX`&P@KxNGV 
z9>=f#wz$w-KC*9m`oMSLTq3s+9qNf33%6dEOkniCU22eFe@ANDVXuH;_1onAt*aYU|!T)D($w5dT4vb3S-Pe_+J3i#BSw)a-60X&JsU#LuH zyMu|st{O4%TY+5C=@ugP^@FbQ^kGF9cP!hM>v`HyxUA0tI%u(+#QsR{DZ#qbZ$pGR z;89#Uo^pRh_5G2K^Y&vU@KE@!^sxX0aj!-^&uAw~$rBwR?>W4DD=V5R9!EfT{{BAYG|mwC+Y#iMRb?a$xVgH?F< zy#t}WxyRT6oVoYl26+;Bv?>TEUu*w9Z=45#eVhG5ZJ?VY!B4cUk7bEVH$K;#JA{|} z$pQoSO6M9U<(XM*0Ge9%huh=K)yoI!)WPaj?8)K$+%eba$TfaA-Dczb?( zMfkfGh2AH0E=%no`^=bDtGxHCE>EQH17LGXn>pq6@-$(;IG=jqOSxFxY2RNkKpK+f zn?~v^@m9w@%qy49$AiikmTJ&Lj(9q@wPN-mFpGRXik_`vK|zKmna%bi{N_nG45DD* zyZx3hwfa+0#k(EK2&+|#j(3+f#AnR>7KuIFOU|8<2oH0CM%*}L$9~!8>VQq^Fukjl zSX-!Lfp^xykS{-_h3Vh)(uqvj{o0Y5mAPEs?hNnVZfnZ?+#s|{nZt+|SS~i4W-iCO z>JICs&>q92ooxMBEuwEqMaCd3`lS)+It=$IEMN)O&@zr-*z{=ff%8|NJ3nUN-Opxx zwyk#Cq>W{3#7FVg_(jGGy!E0$Ef59GyuqCi?Iq*Xm?H}sv4Jfo{7885s3dBFvf*@j zh)hH={*OA*cxut+45Hi1dgS9n@@lwb# z1z|@Tok~Sg(``%w7CQm7U*@F=eQsW!L2cGgU;>2{GiGOwiy07pa}Y6d5svZnbUT;+ zcY|*Ka5eGr?;nt&Zd*HqhCa7AGO+7@VW{;w=PM1(RDr@g>vM*N&4P{k+2giGdP@m% zo^A_4$=#Twmb1@%E$ScCvFI;W{ieY zYc0K873-QEornh_ljQbLxDu!ZQoO%#=;f(|xq&hDj?{LLThC{H=T-CUkKg?K*F(Jf z9c9AFa6gWV0W`Ro%7%SWYD)Z_{NdCihrM`^wnWFh$D)X_Ps33il7|MDpTF@Zb8+wQ z=elQ!j6g#YPVd1qCVn{=>vvpICIA;4*~MMXq^Ek?z6)+v#%)Kp3Chwm?@nCvm?IBg z#j&=9D|W4f|H&8{y|dhc_LEZe1{ON%rdxC@>g^7iAGlN z30Xk(4(z>wNp~U|)36b;*W0sc(S&u8oygV&lzC&IWk6VeYmpn-Xo(&1^?K}Iy(i{4 zlYT)9})4*34F`c?jJ+@%eY~2ZwkAlxuIto%*X`u z+Mu|$ZUr;7f|BF>x{kL!W)TmoM+CTt11p)!z({x>R z*>)S4!&<8W>LvNXbabv${5RSZ+cyh*DPdyvLZq&nvoZ^~cw|3XrwJGey$?f3`PHr# z{6Ostv!T(8HckCY$@syS1Pr?AhS7krNACcI)TZs&52nF^OU99TG1zi!JyW$D{hxjs zB*l&@roQkwNjl?8s5QvD?NxaA8$73mifeG--Rh z7pj0Rq_MZ2E7Q}sLq!AY>2sLk-{57KP;K$g26Mhcwk8Chj5z!4R+%D=w;0GIK>Nx` z)-3pQEr!|C|JBR6(LAhP3yc@!pUQoVyql;LZT$L4B^FsikD%8$*w2@ve}PyNQD>~Q zg_--ob@jI@-VNNRF%Jt7@%&#Ffn-7DJZp$}9|!ObW&rM9v4++bdkPwfRS;RQ-dCz@ zkKqnn?qlFSmOyNp-Vd0fiNZiV+Y{8+Cl`m8&*;oXhOF{OdSmIH^5FAGNeW;?5Ce8+ z5W{sCIKqzr2@MV%Mr)qZ-G58bKOS!4>Ivz3B#b2vYTx^eo^Yi1_BmUgpfNqRZlJ?x zDAKbDB(8*pN)cx?ktq?4_ah?g{e_nJdF{x2?dl70>p7fzm&kZe#3x4;cV885!l5k^ 
zUWhcERxYNGM}D36+0U4_f~o{&cPPPLltxU55}Pc@bB7B%VI8I0$8{Uq@RSlw6I(&F*pm58i0b#F`DoE2Z4>?s_5xag^)%O1@ZTP5=#5ZURe1R_5Ls^*c|;3#@D?(53>EB9 zsrthz;LL(l$WCERPP_zlZHM6HxE97Htg*JbI%hZ6N8^FYz@9`a)W9%WsZVz>>9yrM{w;>vsb%PFSR$_JPh zDd<*0*SRlSc&{Cp`I^;0wuLdvCX@?}I<+cW1tWM4Jgw1ED2eu8z6`)7!a4623U~s| z%Yy>f0Ykl)h7EYvk5lS9t3j~4!4U!um$3BlM=apoQ`LA7M2hYH!Lp)?q@SDEr?9xo z(2zd@ARNA{WBMp1`%{ADHhl=D^m*9o?(k$=(b7Rlm&bG+iuZ4eF_nie_5+3_RmsTx zm^4@psO>_r1#ML9A!Rz!i(A>>WuyqZ)i6S$ZU!1RZm#oOL{wGuoM*m&W+l4y#&@Lv zj@4?59QjCb@Ji{_Tv3G%#=aLrxA-0n2}vH1FO@mLk--t6@>uCaQOKhVN1fPjv|0dv z3nY49HSh|QI>m*xi`1$uSD?u~yN>5tW-;7rfTJ5vfNT|LNeq+?Dd59S zR?uUXgJQ^BOB%+8Ob#v&KM9TwHw@QiJM2Z*ktF;4$b#|t3uBL@b3j8h& zJ8ypDac2W|37FrYH)M2L|MsCeY+%7|?|8-bq43>__;zCy*hkaNO#C9nR#VTyYgvC3 zB=&oATK_0jYBj9&HLtj@h-@j^Q9vt}5d?3j_>SU6y7$_FQ()aANF14xu4Ucx%>IYN zmRY64eb#qSJe_jXLO7j%a-eR#?hS_aghX=u-_55wl&}lUfMBes4kmOV=uDz5? zOHk(E-VNVFKYY=z>&J$Xou>`Y-SN`H?fMO`-3Y{Erx==$m|W!dM$1Z4XTdj2B|$-Q z*o6Xa%TcwdlRv>ZpMRxs1v@Ok;V|JH_J2VS`q=mq@D)!$^LVtBAN?oq-;8^*Xr}t@ zadC({$4r`yeC)LjrypOA9^AIC6L`3bW&)hjlXIaWQYcC9 zI^X_`0?)puPLPBN2s?6G0ZeZR6?Udd&hEI|_-n>rgcMG@YZ5+lGnWmE9nJqyeXgch zJr0t%&&NinG;5JQc<>VTe2Ck^L)rsN$5%2Z*novcmdeB%fgpu9gs*7Cf;c8Hwy#ummTxO*0#to~_ zB3m@^0)|;O51wSsom=O}3Hd&E^_ap{Pdbe`AsdJgN6rVCYYR*^@&LJ+w(LIP|M9W> z@ew;nu((})Yjj=hWiT7gCfn-4+x=rHw7!4-uy$W_;>p+o5o`y;&# zWr9o&x`zsV|63}%0W$n=mu?o~cXup#F9+h^DQ!>Yz5MlBjO>gfy z7}>H_7MDM0Imjo6c6Rdv1E%#iciiAU1$|)pjSB%nx%EpiXW-oH8f#&1q{E!nPANmv zjQJ0dW8Bd`BUQb}Hg{AcpC@yq_C15>rydN&#w}rh6y^;!F`6F~q@4hqPwfh90+mpE zPA7$Db{lyKHoY^ zGf-uAxqbuR>e;IC5BQq7;9VW^#c-d2mg-y=^rws15pukwtT{bN+uo|{zLdT{BYSgn zAZ+>i@e`J$XX04692mU~9^I~%f^1z*Fd4VxFv}u$qj-f=KccAlf170 zm$^uZQTq-rLfUR!dynBYjGm5jdwAnOMca-HqAA9@L9hoV9x_m@Z(bgGBZ1!3RoED( z1YI-?_T{fG$$F~$p&O1IcbBYNSs;FCMG-}?cbIu2QU@J9?~D5J$02L5s|Jg zt1B#rq0MCb&szv%tv))wxcP!U4~0yklvlVUZjrIa5o$!7dYxtpJp6Wu4!plOTYybK^yJg6UCcM}i{ zP6S9Q$;u>dO(hBxJMoZ1W{wgCW}e2-8z;3wvg-t z>faCAEE95kxrqHuz==GC0x%Um6j_40(Sm80A<#!}u+8XPvhoCmHe@e3Sx<~O?Nk-$ 
zmR-jVFT|r;D^X>3*hmsyyS~)^x8!z9O~!4o17Z70fxxUqg*6O9W=&e`^y?oS!wNKN zUi*$>IvS0+CC|V*xxg{rf8q|2x|Y+F5IcIDv1ZUl)CDw1S^T$%iF_>N-Ewa<=e+9gT;)?(7WFP{^4 z(yo+5{q#}bhabQ+N@Fm97Evm6O4l+08d4@Q`!xF~8PxS%nlR1zmxx8i_lc=}Jq_3m zW=1FK+1qnv5yTvPCQeVD3EX%iCCLxMhE>Rvzo|HDc=1*e2@6m*MT%o02U2dHF$uXl zw=(ES*$z5mPVz@@$qM~-Jy~08(HEU@VKQ9#(US|8gc_ri!R8Lc{^vRAd#sP&WjDV~%VLifemt*DssD0`K1w2GpkXl#yFLJENh4X}zudd# zgTp-Z{^p7QIOw^0O1j;7+z7>pBdH2SdRwo=?F-)#$6cp(!+?ziKKYX)^xmBCuQ1TT zflrT9kf*vKNzlN>o%rtTUKr6-jn8@?@I3mQALjDK_C_1EPlJv zzn-_%=LAA6*Bg1ausuxIn-P!TAHJm3Vg%cS^_i3INWM!5-5VGN5PdH|^uX|>XzWf2 zE+F~pg&NvtDRQr(U*JAV>VBw3*4jyoKU8}=) z*&d^=xMfS0)uzkIk(M?KU?=YDW1-;CzXtq#DFx!TBgq=_;CgIv^FW) z>%_Upz>Os@i3F^D#Oce#M%pg#QRsKkh!bJJ{k~o#h6r`FT-33b7&Ss6am1Fa_NASw zQ(?W=_vh2mt^RJT*XF?dK-l)|n9s~Q=94%}+t=24I6zr{spD>!(@2q|2h&66BVv^` zTp{~b0B#G1OTBVuk`JNCvL)NS#Td9g>~ADXT!ODThoq8A6yk*>{Ob&B6mLV9F>&uq zA4%Ip5S%p@>3SY!AeVLeGg`H&eBlSQEpyPsFDKaex=m8s!GmqG{v+>g(yAN|5#FFrm!=CPq`oUNh8EaU=2 zK+sPSq-xvmi=={W&Sq!dN(lFCGeb`*wG@AgX+CE#_QZg%km85z`a1PZqK#PGo|mU6 za_^V~JJA~yRH1jX&p|>kur%)RynLMM8QX&+vvtQ2IK47+kNbPkdwxM}`%=L>aQ22j z1+^Y;as(P$zVmHSXRwHM-FFi(ego6_XoGboZ)GSyT)SN)GkFMBe&y#B=F zTXj=d)tlfgYG9~E_!H&ZWcobfCC4DkQYBf~l06Ri%5HKykx|%Wv&nczmjxhJ2yeH*%}AO+%HXB9;uV0dqPqnA0Gj?dVji@}|{J3a5)fXa0ImJ3R1_UDN#0dOb?kYJT}{ejQv+y5>zw7#>d=ck*-< zc#S(NfRl8Y8N#z5*c2Wc{a*)111r`q& zt0E3~9I2NpvG;v-32%Z1?n9rPVFxcY7oPv&;7>+L)!7UoeMW32U7x{N+Pf?LRkhzp z7G%L6$riO2kAm^9@k4oUij#B#ft%nRE3xMj1^-=XLaX!Crg_zUIRrcbM#=2T7C!jE z5;G#mr)toDKF4a~@h$R}cZ%%<{L7*^y$1ec79l)K1)-&x)`tK|Sa|VG*m|EVl$uaY zdq@1ZeAc$(+^;i1Wi`(N$M+0$9_(@&p^rRwPaaZKy3Pj|jY6L>rdK7J=cFRcX#eHF zKW(sP$sI4%;%aO@fL*>1pLMr>xa@985_Zm~g+*K)##bYUr;4tp)6)&m>y`4E>mMZV zhQ*+IQAwQI=KsitxG?a)Kq$@1fX^ntPC8;Uei{N!hers!8p$V^pI#)m@I+Oy^CVKp z=7CuvWck9#DB@m(FI#|HBDX<=5t?dn7L#Z6(5~JT6NUu*i_EFCq|@t^Na#39HuB)! 
znC1|fC(jF!bJAc9QMm#Y6!1#fF&%b6x!fAY8|7t>jP}uho(N8e#)u0uaC+>Ia~d%` zL(wqYKF*!4cOM<7HDoC>nOoA}+MD5v9bPe$>(5Yl3#WeX_++;!2ptw(OA5h*EL3A1 z%CRL9daxvw(By#>4lrCUm=3tK-GD5eMBK@6f#5!uurR=e0(Jy_RUpM2k^Zae-YiKN zW%mIG?zJcpRjzVZfp=^aY_&GM_q$7xh1I{zjtXgb@*7rA7|7BAnO^;g)m$;wa`|AV zt3P#zgRqL}TX*)4FjhXy+tEd)sQj$gZH(TN`NwJ~km3dyer=ZenFVWAe7|wZk`*{Yp5Ad4ul^5t8k@d{ zJE$Q)9^TkN4K}D#grML#=Za7%AViW-R6YwG(@Fob0Rvg@-X8Gp=}PV(2N`YIDnq`5 z8Y&c0(@a<=95o@%|3;Lvh7OKCWgvGEhz)&V8Shw;mX-3!0t+##vYK`CLAgE~x}N^Y z|5~{L?E9?QPT-&l&CTHoF7pY^fq3KXU)^z$aeiy52HB2_EwppqmGtvqr;yVT$x?w~ zM~>u_YnWxjj$|^GA5~zI8+ylCbK4Pb;pP$inM@)Uk%c-mpomBCL~^zfjVS`{QS~Vcu6b%Jm3 z+%rQbcmV%7$9*%^U@ZfQH^Lryi4i}DFU%)S>bE=>Z{FPX^dbOx$;05=kh}c8BQp%@ zWN9!rQjXNVt7&q$bLREI8E-VPZuI^Ii!S=Vj~*UAgnfP~Y`WGDg`5y`H2OYy+T&J_ zE@7$qj&{w0EsdSgJ*BJ33i5bmE=3kiIRKI_3VK_^P|gJszGF8RT>58M5lzyGcY<5cAi5eCr#f$BexF8ItU%9fu$~_DH!^0=Y6y*uS-eEX-otKZ2Z6JX&Pf z$8OGiica7yB`=Tjbuj5@CH&u)(4bWjcwRPyJZ+c>(8TNIjFvFbQ(UFl`UZw1_2T1+ z*I$iX7>hQ1RFG5l=O!$xfX~Bn4DWMq<>r2g=xP)IQcBWX6(B77;+> zJ8Z-rFp+2QH~D7e?)g`^7eAlA4oG)}Dbaz~H>0;cH`YOcdEcC z+hWayovZ)H-djJl)qM}RK%uz1ySuvwcL?s@;_mM56n6{mQna`im*VbDap}$b`Oe&# z`#;?C(@7?inVjssX6?P#v!1=^N@>S7gO!%8Wq%jRv3p*4Zs?*fyGWKi8mefss_SUt z{{oc5B*ycRO(z>(8?zfc!b$z#1dF7~qU4E*X`1nEwO;0$+a-}_u+&4DEn5jx4Y7mQ z?L!zxq2t^2WH)dEVA^tqWdp2dlip78>3C%tO(rne!iX8fumcF&NUtx~r2D_=*x!=B zrGDbr;S0X3+Bk~jS6_xJzy?P8;wTL;pG)su&XJk`=k&VU%%D*~2JyWpqQ%Z7t6&Q6 znzOi5AnHokD;70DV@R*^*N|Q41uK-@R;eIBwMr` z1d?*el#P2OH`OOpNVPxcusuvWoA#Rc%e+jKShhBba3bBFTrCiV<;`;QF$2D6^5f0U z9>{#JBouhdJNUCmwytZ3Q=_{SGC}f_P2F&g+m-ncT^K2~j5n@)z(Vf~Z|^eH8!X#l z>mYKlk2SlD(2FBjmV|oYGFgB5LIBn*g~RW|g18!uZCY0Tx#HH0HuMY2s>WQ-2Ve3A z-hNHPIx6aBlCjI6xC}V<>Ovppq13w2gnK1_R6uXrem&!X{z8s)VNBzp5MG+>1$_i_ z5A}S`AZql7om58aW)I*;=?o68tAJn=qUx39lx@vl6c18*4Ifs4%}D#wsA1D3P4U$bSA;|A^%a~2nR4LMXAvm^Ylekt7P{sT7`cC60%NC^(2@B+cP^-VW%*=}Qyl%m!XH!J3%; zAIu_PXsS}DeOU!+16~PdTNx3oUs*dN%XOfPmPLfoG3#SC4+1k7011w#{XtcSXw&|* 
zmEfc=&Y=gJK(;Jdz$;jZ3pU35L648wR3COg+^vGabeiex^>SU*<}39hmS9)7s{M^}%00>he%VCCT^)sUOpl6@AvUihC*M#beJo99y#F!F~1cBG+5 z!@%UjY1KWNz9&#eJzExxr4?b&o3WYveu`hUtiTuo3s?|wlEHO*VQQ3!Lx=Oh@4sz$ zO}7TLuyA$NwCr%ve@Y=WWP8<%gea!JjgQL%ST^o;b!OfOjB%|sW5|WYFL7J*K ziBpQGb*vj!Q_tOB_eV2+neDX_r95@wIWt4V+H?G$n&m%uM*fuLKYDSfzwm$b;*&Eu zMuNg_E`<$T(QpuQHPp%G3U#nw_RV`-l{+Nx?+&y2(5ZU3pgl8AVYvVjE)1+g2K20aMx0gYW8}}EetoE*FT^e=V-&Xf{I&vb4RY1&DDB8<^gA0Gf{T1i(!5m z(6*aD26l&2kE(0c}o)GsD1c8*ssLhdSI)vqeg#qT+DVE%;C}l zcffzvE0@9lK$LZe*x@h(UevUV5Pm~Ns&2$Prs!pFcrguWZ-S51^EUU(rM*u&y85F7 z9h3H?1u&NzB~2c-i8UIXZfkNl>@Evv`U+khrZWB*RQ%p)m(e8E5z`8?1;4_YV(ZiN3Okvw`3vl+Z z>9ud(WeD~3w}?og%~fxTEfqt(znja%F1f>MgdTfR)h>ZTf+uz)o{nwwrXptPAeJJg z4X#}~DZa+)mvnDM^%DQkZP<2bSOI?xP3u?!3v=74xbBi=Nhd`tOvjM*f6BFwSEg>W zkR%?ah#D>We2!p3_L_<7p(l=hJD#eg^zg-5H%_|*v_}?@q~u~mRReJ(_KKGeCbqnKokQ`sfVT6oY2kk|B=9lPp`>_!< zY$4<%kSXg`Z+Iv(v-P_aB7;IilSvB<%z^iwIYFuB~MWC z@J8Hih!s-tW5w>6Yn(12$5>R=v&!ILwM1%I|KK~1q<=m>EAlek80G7ILkKHwQn6qF zC4~X?l$7w&g)gFP31i!oq5P%41ky2R3lQ>j!N=mZ6mRdiyv7->9CJ;h#@ee(>-$Ch zkJHQyGxwLo^MC7<0+fpjk%adHgT%hk-62}|Y14plXdQ2nI_TT)MWd2%GA<@uVJ5Ar zvt|cIuG} zG;ekm-Q(ZaVx6AlMDPv_#U2>!XSnr3qj5FHW71#?R1?N_a>n!8i%8<=*2(=_T=v!X zNBL<~SP7nBIqXFn;PrKc4rlpQEzP`4hyd$B-7Dm;)Aqh2K?Ht!CjYWKp}7NuUfrEo~aR!6KsY9xlW zzO6*T;QWV26z#)>7lW!3ivt6}MmZEF3T7&b96j2-9dlAKbIxdaYB1urzjJ{Xd#cmh zN#beXN>LbvE9b(IQaAl%l`erqrlJt- z^0LPB!QD;zQ%l!CD5%u^-=4li^jKlUo6PY(Q8Vg2c=xK!j2F8@=@Wah$9HQ?&xeXH?nRoIrCK5jDjxO zx}SGq2LIlnHa<}KTi~m@In{p2P~6?e zdPG#JprcTt>(cqAgJA}8BIczCvkpg~$Zw99hMjU$6J{4`2M?${Jt7|z4H%}@Me_jt%g_YD%iS=99 z`|_@{vpcxtU^He{E*jRX;fY@Ca9q%ISn1mAFpm^8(%TCTGX7Z``yD#IGEvfL&ESLZ-0f~yXcLp)`@$3y!MCAe?bz=RNw{~uGz2` zm;OSLMa&?3CvQ0x%K!57n;JGr$Dxyf-=|T>TNZ!Eztkl<2KUO3-b~|#P(Q(KtBASp z{bM;5=C_?%Q{5iC7xRp$;2NeSQ0P!e2-*AB6cuot9z%w?y?7ci2Ldx^Mv29CkrOJt zOh+5`)$ZZ9Pd|L9$@4i5TbMhKlXx#an)nd>q{b-V^kj$9fyO5byPPy0_d21^1G$=uX= zP#Bb~JXR0F$>913b1(U5z>*gmn>D8yrO2Ik*NUBY>!aPX({oh=u?Kj|WndGnXsUI4 zA$bj0@Wi=;EW`G8G@hv_(bP+QqoH!tCJ}>X>RTwhvym$rn}|ppD-JK|+WRG;SL&wT 
zQT$Y#QdP(j?XN77sS4f?30N+M1tsNJriN7VtY}#bXC@L|GUc2MJ&khHqSl- z$h&r>qrWMJt`N#kHEzQ7KE6u8X_R%a_d8*U1ZF}t58Ze7D3al6&9uE)`wH|e?;}&R z+_a%GliRG7zakKs<*EO_x#I? zUblZ*F&llU;m4P!e5qcZA}I($-0a>_)Lun|fB^tr{PCTNU$VkEibvb$sKYyD*4(cy z>;FhT$7iUwB&BcR))9!s@9I5R4>^sQ5+L4)aCzibdDn}b0lf5s;BvwMfdG$>q4OTM z_q(~F>)pR6($|b|Igt|*S9!&E&8G`xAfG$LmMI;`;~)&cdPsxz0fqW`Wb0TZ&I&so zmFi?zT#Z#DL8FHxUf|1QMW)axwb19Hy1Y9B`giB`+x=XcxSSh|-nT|{S|VQPFJEy? z?A>L1md`x)7F4R7Zh~0{4Nrc_(V~nrwLgS(o@B*27%MC|MCOSl1_;sqtW{1C7`R$kGVYCfm|MrZ;UqA%wN#z_CR zxBMZb)eZw8{y8}Q`72FV^hD7kr^&RctTLm~n0I*5VOhtY*+)v;^yXpZ;c+zG{gm@$MI#gQGwQ-oeB69EA8t)2 z$c}O+gUcPD#;;-+zsM|=D8^U3guPT(95U)wg7Tt8#`Il;yRQ>YPuJ}mFx99!gG*W{q&1Gy;go(5n*}(i~BElYKizu#L>^$~)K>5 zO8JzzwZjvKb z(Tn^1fH}_J#Kz6tCO*zvKn~<@NA-Cc7dw4q5c)hpmrW+q$lIZ?sXSv$smizE7-t!I zmwy{OM=lP$hGNR|MYQS-q(1t5(&G;~YyCCLDqb>eF|={IvOgaAkLg+xE*uzJhRXVR zPBis?BM*-xOjivW#3eOKpuTq)uDCW#c!<3Qye(&~Hq}Dm76?OC_x5}#Q0yZ5=fAJc z{0mr{3M;r&rDwD|@Zp&srcX;6Nw}>OEGVKETO(BAmu-N%JOa`znJ7TY!LI|M7Tp0hhSS97m#H&e!`_lm=uE$2u+U>7a%G?j3{Gi(w~WxrZ^^6PF@aE z9(aBAYmKt0!Nlz=$?2(>s@0T$=m&;I74nj?qxh}DHd(8+NSiP_VQ;aGSG%U^{s(80 zH_+2A&<16LQNaW#OkFviy@7!bKbn+WKB#}48|rwJ8=vL|`)-6ybY{}9els6?zQZQP zc9@WyQa-P#pok?-e-o#LS?=Frh|mF7*IAqaUB&{vDdKi%HZ+I1W`1>?V`+d0RhLu> zi#~ru*q>z`7;$SZxFbuCHP~C|L5!%Tpt+q{@)=QjYNbFNNPph^?b$`E2k*n`HUIj`Z+ z2u5a0^LgfP`t#0GtVuH-yZaqr!~035A#-K~Sz}9beHmYmvA1yQR*m$fJGsW8tE{5>6TP67u)Z|y*<7}(ya2Z;(d%I$_?t34m<1#LB?4@aE4}yph!HfwV;40aL4bI2#g%K!Sr+S2cac zJ1S$CL-%mnm_%5C#u}cGDHVp<(|dWq0bZF876XH=wgQ_MkdSe0_3tW+`2J6h9w4F` zZuG!@{2p^wFAbK|XB(7B{jHUBp-3eU zjk{u9?a7~=XX^pJJBQIkzWIA?!Y&8uvf&5IhOLLKFx~fUu38^PUpwGL9WWAJCSfKu zjN#e8Xei6pJxX@aT!m@anB^ofkD7$&-)Q1(B&YRGSJ@Iqal#Rn-NlBOsUeMH5B5%gTnRB(~(k8rQ z-G@yB%KR--Om-@dj|&^v5M6OLLcNV02L?0+O?igDK)GK$z=S-TUHKrL8b{f{Q_Kjv z;%)gjHXiiR%`epO`2lbZd?&kPCmTu>j{P>?#;o<&mWtS5NvCy!*TG?ek_Kfc!?-ST zupD6lK;??2z6or%XB>6Uh);!Zp&)to5+-@KLu^_v|7alOS-Ao&tCvrQCE1ni7wCjB zXhU$;lP1*R^8n>J%u}iuKW%iU4sr)Mw^?4c_ zu2NF>R_A@8u=&bBi~rzb&@>T$-2Q61c$#drWG?mt9wx;xHeq~Vut!}L7wEZ^==r@> 
zj_YTkKp2K6-f??7#Rc;IL;_ED$2jea5o|2cJjx{7es8?diKRi;!HVySZ!+V3>tw*4 zy(StfilX?F8zzocMC%cJu`zX)N~`QzDH69psoz4Cg#g~cs{M85msE{(?`chj_fM{$ zK(+M!DCm@1Es2NT-HF6s$CU$*c_eZ9H!KNw+bFg7xp+c1mIkhub}vH2OX(t|WmQ(@ zJs$q>W;W=>vXd=l>kjT;wTTHZ5&<&d>X|k^QFJX0ON9>~5;$ua9=MhEE^>bqT(rboc9{nStkFGToFjg=EOE zr-%Vdf0!l|=9f5ieAhRL23_ioq#e%k*zde9^hxIT1vB0#E8DLmR{k!+`GIFdc7KfO zup3}0HL)slPI8})cRN0g_HX+`h&vAdl*!Jtkv15YKHe+BpR{?0oH!3E>Xez?4Npgw zNJhXwE+sm$Exs15 zf+osd-z4*C)?m*p*5F6~_WLIWB*0$z;1mS5LSl|Q1g((17Ugp0#OpM5!zuj0-o0G; zjNvzSTy*F)PuXcIABp8YmuGXob6#!i#j^e3I9jUl^}Db*k0bM_PS#57jN<4JCh4g0 zZ$Tn0c#hV(6j*ZR!b!#c$c2pktiYN6amw|*-}kR2R_%hl#V8Q1iP{Pfnapo5Q~ENt z=_#Tjt$2b4;+3k`9}2cTrUqVKn>Y6Y=Gn;>i3Tmv(?%xM&7>I z%7Jd=EFx8uQ{549*;&e#bT2aQy0r+SCMm@B;ra=ry?AF-sAq%+e43XU{d-@H0p~^c zdl0nw+MDW1w_0OWVpy%8aKCM>B`bMDI8>lB+#A3yJ;|R)lCE)H;A-#{=K8@>4=o*x zH@M{De5q^J+VH>(#LrC@=*e?5d#9BzRz_$Fo^?^9rBnBl);8}Z zt*|0lDuq+=C#<<}r5#pw%NoAT$Rd5X)&=wM-%qumH#M6wR`yQdYY#aE2Z}ajr`>*) z<)Np4iDQ6oJ#_?D+x1W3ucM_S2mYNS4o)iN-Ji!Grqg3A#fs?_ zgVv8NgUaC>lwSl^QQw|s9PcN;eMSw(env-Q`k1Z-_GXaH*5t);;v+j%5kkr0yuFE9 zncWmVdR>*l$SO6Dn`8`v;4=*0Xaw3O2RfGm2j5v~&Cf1rce)jf#c%8M-p~6*P3QJt zZzk@K_wzh)Z9SEN_d+_A9MsIy!8sKHVWT7k(UpN030(=-F?V_DdUu(phBdt2Uo|0=K9tWQ~{^fkgGt?dBW zoeG6^`b*)gO6TKf!+)17*Zg6Q{QDFpR0-#6o8r|KGyiU2Af0ChYod|_Uy}-e3;Zua z_DMdzYE`3O8wjCo3%d%D@HMjG>AuWg}>|DLIa)uCJ0{tpZ4?{qZBoP(Zbm0=%;)2X`6#n{R zjU4gY4lqPI4<+l~e#L_uCwA0P2j>e#*X@TyBz%Wfb!$V*Ctx6q;u8t~bM!$XW1Y5m zGu^yp5*mmk;ah>|W3+jkvSh)#S4G%2SY2Ny;eNW5QY>@5^-sFJj^69~1JhD+sh^I} za_LOq@99S=u&!cnVa8*x!`w*9{y|e#X@#<;b6AfEkLv{N_uTvJ_&Xl}*WuStT5fjn z+&POGc?WR(XqPvF?>^hpZj3fodwRrM4xVH^6|Hau|MMuCQ4zWVF& z*<;+pLY8c))s;u9h9%f|o-&wCI{u=#cC;SXK0^DhTnQ=*sRCQrw?)D-95&Ws>yIvd zbgC~b?d2R~Q^9vnYw$!APNm(uQyASJS<&9zW#ysd9Q-;Ma1~kg3rMXNFB<1W7H0nx zCz%iJVSfFO0MT=qV&!|X{C$03qz_dHf}Ljj%Hye4?d08Aia;sooQaa%VjX$RIs4YX z5td(F!&6?#$F+>q-eN;B{fKU@Bz@%|lOiKmE(c5v%qf)UTSPn#$1KQWMpgF#G$W z9)5;aXn8gsNr$Kk${!tLd5)2!boOGGw7Ww?s^{v zsvB8_R@1rp%e8G)zPMowtSXtQQvMpf>Vpu+_PyAjgckW<;ma=?vg1H?_xrK@gbgl+ 
z^e!$aR}kuI=aMif(v^ls2Yk-M2cEYZ_pUcj%|82e(S~Z8hnw{*PB!Y;1V5>~T1JX> z{NKK{jC<^$CI*Ct=P)Ma*eEds0g;;Ol$vtsaVR}HpmchwmCviHK%qm~*kO$bQH+R63-kG6Yvhh7A5Wuf7RKQp;kY9j-B?)IEdWThQ!kHQ|(; zM|reYU{2J$)Bmm-S%v{o#CMM=l8XxeB zKG-CEC|iM=u4UrySx@J0Pi0N$`)bOl@pB~p2;Bq6WYLJ3$pM|~XmX7Zpd7{gx1UVT zUiS{nk-nQOcHTFx;APUu#R>sBe{VVJbrA8t{Q5lAX@O$Km``q4=?a)X;C?7;4JdR0 z0Y%WUJ^*kd=@?tJ*ZwCCL(m*VNCV+`-<*CZV)R8r&-IH5a6xOrQBr6V) z)(olor=EA#TB=}rl4hb&5o?@Yx>X?;l$vj~aCK322g_<#@0`brfK-@yx!)i{#>tZjk`e9H0fM)=iFlJ&GF;w#4X>yc{?(FjgUV$ z;(vPaOIB)=i%Ihp-O9mk0M$)km{i%@{s@{YGMdB%L9j2~nS1J%90a>X!sB~jPTl2T z=4j@4=Y%;dsFhy7k1RP_XO5D6S8w(rw83?doS{{g+#3Ht)9^$uGj0hK zx1bAYp1BI4{p2^=T9h9KL^jOCR{V3s!kH3;fw^38UdA_Ubl>L(cQM3;Oawe%K|~-; zOP|&uI!)ag&K3C+Xw?XPIaWL)xn8Rpi*U8VV|xhJn5)mgOiq$NRtrU8sk%X|`usc9 z3Fr&5L=|V|Q`;QJ^L|%PhwXg=qztTaI>)eu7gZZsXZ8UrYY3HF#KLc-F<4XZ) z_vzx!2pPj20k>~BWP)fk091KluLD|92#CD19srH*YSF{CPV2sv?mr=*xktk?+w?NcMUN=svtX%HMD z1nB4=I2gB*dVR~X#2Yxoj`=}i>4d%U>EC=m;nKRBp$Q#6;LaW2P${k;ni5Z9KO7g9<_5o*Axpoun;Dw+dt6xtUC^66^`9}XY*RuQK3&i&V`qc2vcn?D8C)P?mD)J z^Q={{^~Z;GI1X8rj1SPiRopgs5g+-+p+2PFD!7O3OP8o#w3r(9-@b*MS8CgTA+kjj zf!J8fut5)J3;P8hLU2I2zW0|cQA(R};J);G_81&PbtpulIH0fcS)@`%yc+4Sz7UiMPM=^=XfqQ60%YbX1%`3{;w}#n-_b-%wD%DV2rwD%*P->+N)%z(Hv>AyK0r z1;s0KrFqw!X@6b&kK(@{mURBU_%>8gi-hrO%|8^jUP#W!9Md4?sP?^iew3Jv=w;3m z(IwxOsB3fTDZ$y*kNoDvHGlG*RBN}h77DUJx{G}jjG`(oP#+~)$^%C%O3LYhs~SKb zd#j2~aB26+as`;p0Bh-97I8Zs(nvZ!I_f}7uC})({_aJefTT&%5PppQiFIj8;e`mu z_L&i047VeYwJQd?T5Ms$B~1l4yN*diR;y9m*B)`-dfs=uD?BC|c!B+b9E}=Lzw!|2 zW<|%e{jSb_TEfNv;!s%%3W0;A71%{$d;NC#!P=*QkYl6FP~Xo*#HZXv;zL10Q8y(` zNQ-pVFj=w~DPGb9lJM`DH#<;Ftj?5z>5vv20rOP~fJJ~%M2jC1MRc~VKch4s)HBo_ zD(P*bu@_5HcFvrMn0NqzLw2zqmG!>I!*il}XJOMsD9F!<5wcVSZ+L>fWUf_-Kzd6U zwt3N9$b~3{G>ei@-PU}DdtQeCU9HIriJuSes^c=P3!^?7lm#MF-|SgEM4;rIiIJuI z?0|fAZ`8s2YW~&lQ=*&wlF+M6qTV4+Vlj7-`$;PYW8 zT4H*8yhMc-J>PDly~hQFGBqWwX_x!@Kna-)iTP=|C>SW&aHT@CHbjUQ&1T@l*X;7Xvh(v%Kz4u}{Qx z=;PLH1NnUQqKa@p&4*XmH4E#prD{`@i*s^{1_-g~j{GvY%9oWR36(9j(%Q~jx<)mB 
zx`GgJccwV8M$2Nt2Astcn=}wb$DcEnU6Cv?yrmJji)pWXNa6pbQmSR_V~rE>*YCH8 zv2HU=C&$u$O}b*M#Qe=%d^N9LiFsdj9#8=V%Y;Mh@j`{_QecnKih_OB*2e@}Pi-{( zB$uk2D7CF+c9W!7J35m;!A^f06Ci!auWQM0UHPMLdyi}dY}~Gxy~4z-M?urouBx+U zRZQ1$VWANJnhaP(S_Ibtggvs|FWDO6aq<}ZIxvKe9RNzmPmpwPUOOp-7t&2cKc4*YhM6={XTAN{(J(XX`sbwaC|VhD&>UQ_rZ7;a($>SUEaoHbpX-+VgChMY&WE_o?zYh1x9iae*}%U~c~}Ui8AUKARMwebM{!PJ zm!RHyjy0C_-VNj$iHhw7X~SJh1ypu~xA8 zqM1>9saU%n2#`qW81;#j4vp4c%*?DAO34#x`ObJa?AS2F1O5qe58nim7CW2P9&}o} zaSS`H$8WE9dO|6{!vhCEY|wI5BLYt`NgZ`TB~Dczt*ECcY_R~6nZs$X5v%}$ijhLH z#b_;c=d@VYaMt$Wg$8J)YH2jdnOPnwsfX#rOVzrJQoLE=*W~B>_fg2v;>b7`7_Kej zIj%n#T4N5JA{lf&#T~I;UY5Pk@c(5#E*26k<&WAe?Wdj!vfpNgNOv`V(j-#N#K(>99*5S@<}DVV`Js0Rq3e29#Vn0^5e0~V+-cwJ3=N?*Tl+~# zW42a1i1yBD#Czi94i;L?tA>zVhHRM}R$YBiZpAMPI6!ZMAfFfpRv>(F886RgFab*1 zNN+Vi>~P`WZ}miI(_73mEY&i~4Z331=Pum17 zILvn5Yq*@9---4Xmd{UiD!A(HRVTgKFO2nOr?XhrF8jT`4UwgQvW6M&ZkJ`7eYm8$ z<)Tuk-RVMW0A0W;;9<N=B;``+3f|NKlTT23*VKyd%_$(*kUdF{&nSdC`io) z>JTRzs66072?ksvr_;hPTKbMYjAYF;Z?Xl?LyfvSCcAuor-Lr>k=|idA@$pzsYj+)`wdUg%A4qLe%o9_NQ&aZp?2mrmuD9(FgfL)+#1c1)5vk>f zLQD-~Yx#SC`#|!!oiV8Or~%*dT60sE-n;3@0*o#Dv!cAJ+H5}&=k;Al9T65=m3OXy zLhSzw^`6dTJE?k5lN|^6?yGHc@hpZKEyn=$J0uJU`%QvC<C?cWLhIN^F;wB=G!7A!JJ2fjeo5X>&^VcH zPE#iOMO+T2H|QwVd}_?Q3Bco0vfFKGB}86{z!-M6OK@RGQ4tJI*VlwF5=mzp-lcU{ zjGS6fFZ+bzE%RgIlKeqesc|*eCPQd8(qchxRc!KIhBog2b$u~xOD}rvV>F#|8G~#L zCptgKB#ea!&qz>@l?MP8nF4SC33zX4z54B#l^)FuzEJ_`2xNmrbOzWg8$Jtw4Z#PC z+=rRr%+_)uK@vfP$@VU`&t7jQ*fJW*U@FdKBM`RkfP`5jX(UQTjlyM)<+6A zhyfKj*5p>~WYbn7B!3dZY@(Sm$nI*2YHuf`zOb7bVQcxCI}to=U`FfFxd&9Nl8&rX zaqQ6gn`CjpbV_J%{&NOyZkNkL&F;`_5PfdMHxK$nU@N-CW2 zNtquql_vg|B`fowxv`yua`j&?cXnvDA& zB>$UQ%;?v@<=>Zjzvr+PA!jetUbs=V!OV=;C|4+*DNbxGvc1Xr1-%KK+(z z=c#=Dd}N1%kpMkLv`j+$-&ow~Crim@B8WG=>{J&DxTb%e^e%B;U$4G73!$($EEC(7 z1%f)IkF5k7KvSXQ8hsKT*)W7x1cm}uL-K2l}TDFU$}C+ zXhe-UC1-;?uG5-DuR{NJnz;n+E=+BG!%#n`!6;DYG1N|9)n(CY(-o9qr)U1iV>I~W zn=@Lk)L!v=OPEu)m4Ax7ea&z9@fPvjEr|OV;W&blqIi4tnj#9=AH7u=YE&OFYlddGHJ+X?^*Lrr!)C6L*@R#JbUxeWRjgjo$yOIF@af}1rJyMO 
zvXfLV2|9n0SFmmLSHN#`WR~>yCieKT2wq5j2}Rf|oqh27Lbs(`E4((e4{x&m!^Mlb zR)lA*bv?WZ!PC#r`}+2)nmPulalFRyk5kKh20XQWAn>P}0WesVuQIPIbtPDqik*5VV_VDURO*E#t9$@4kd0z;)ghQ`ckw?{JPsL@aIwFrRF5E1?^1Yw!yA~m#LsKvUaHQq_Y8aDGXg>n(4`-;k4-H$=#NyUyj1UNw)&MbS4{P3{h+2>u(?m=;$ED%F8`un zUmKN1A3z`Y-esAzAEvlpsD@>Fpy<9L3ydm8EKR8g|}hs zA>ZIPPo1L0&Pa5Kjp;0eeiC!2!mnrDj!)FOmabaLeI7Zg2wA*iAf-WO{KbfiJdk`} z)v!h=8KV{swFqSRt^T(B2L=b+7qTT)DA)w)AJd&_x@b(kl`xBgqg2%aWc5K-M$8B3 zPRdygmN2e~9eDWuLJaArjXPj(c=2rE2_Y3Aml3B+I~sa!(anNV;z4otLLn+r54ZQI z%wu;ueBo))~Oe}R! z;PH*3qE0*Vd4Umx?RnhuA7-h~2&x8GS^i`n9YVQTasrg1y=HedzFJvQb-0r0I8Yil zcWfIuU2viDT^RXvL|hTEYI`|!FY^)`pCX(bzZtkFuLUxEjSmu@rrO#O@cI3tj44K( z)qAbInV``wUpv?F`hde6-1bf?VzkS^Rh`?Eoy@}>=p=oLwc?pZ>df6ExoveIq#khek zyIWIB{y#G53RQ%5xQtgj2cgkds=MiwreY)Fsqv>4)43ZM(^pfwNF!Ia_++8Apzi zT6*`;N%D15wvWoZ%6{*JZet4lO@h*rwA`2F8?Bo0xJmYEnU|; zZ`I|}1}<*arTTH|a)|pAn4NNktdOOE$g?MZ{|`8%i`-~lt&9@?UQEV{xPF$(o1We( zqC7+m_HsuSBi%;Ab=xm&1Ulm)nIJL_w1iy@_{WVV$LTsGGo2skuF}?ps!(-KXdR`^ z#P?L08j_8?F;F=q$2fZI3M2LfX1^*1HFi@AuR=U{TDS>YmnRFM?dzXh_YmO4`sh## zxzL8=&`vYTLzsll4CG^R7$5;w65% zSx|#=ARlc$qE)7AQbvvqH_TBVM)A}G?}7$TooS5d54?M|g2{wS;dD4<8BOpq&M!HYAwZP#bB9YLr`CA-VYz%3*b#g0VH81R*${>|qNaTVxBW2XKh zaN05G^k=EwbiN?+oAqBx_3v&9!G^~u)OE&TTG8P9x+V1`UwEIh4UyU;(c2CYJ-X)= z+pS;TsS)OHzx9M3285V&JCV2lpW@E)FRJg0_eh9HN#_94(jX;`bjU~y9nu|&fRYLl z(w)*U#LzIHLzlEj$IziP%)rob2fz1s|Al)V&67Q^J?DJZntk^Bv)AH>$Cj9X3!idk zb%@5;ok>|4%HS5Xo;KdHS@NCQ`2Dg}ABK#SkV3{yAkvPNSCLd{tA`U}%qp0bU{kCM z=g9%zDX3SVHZRQlj0V=|ZFM7UonR}RH_fQkM$0->WK3v4@#E;WV&wd|aQRIQcA_$5 zvTIXv2L}tE$%JH`(fHF@TI$Ny)t~$xik=tU@Re*w=bHDPgrX^v ztF7BvHNI(RPPBuqhKrx#qvvA>UA$|SjQAUcx%C3_SaP@Pds#gpLs{jF`p&Lb?0m3yuEA=|;#1Ss3ZlFD zmColkx*lhC{9J6yOH)I!CakZs8u~*cctV^6lLw$TJAe4RP0s=V6?M&wNzTD4e_WGC z?e|U;)(jWMry}P+VW*+%Hfs;e2o+ld_6+sPNHt8w{X)`d@zfN=DW-F&>bFnu9-~yJ z^_#)IhY5(yc($tqiT+)IX5lYc2Hz3Jj?|>?gKr59e{e^P+P1o!Dp@+p_vI*jb;6m< zKyjuEW5aXOLlS4G3NLpnXKzP8KGOeQ96iROx3AP&;Z=I>&l@e8v>~7I8mZv4jOp_2 
From d6dfbc61703a641f3a7666f752380b863381ca82 Mon Sep 17 00:00:00 2001 From: isaiahng Date: Wed, 21 Sep 2016 13:18:36 -0700 Subject: [PATCH 17/43] Update prepare-your-environment-for-surface-hub.md (#205) * Update prepare-your-environment-for-surface-hub.md * Update prepare-your-environment-for-surface-hub.md * Update prepare-your-environment-for-surface-hub.md * Update prepare-your-environment-for-surface-hub.md * Update prepare-your-environment-for-surface-hub.md * Update prepare-your-environment-for-surface-hub.md * Update prepare-your-environment-for-surface-hub.md * Update prepare-your-environment-for-surface-hub.md * Update prepare-your-environment-for-surface-hub.md --- ...repare-your-environment-for-surface-hub.md | 133 +++++------------- 1 file changed, 38 insertions(+), 95 deletions(-) diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md index 5e2203341d..ef33102a3f 100644 --- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md +++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md 
@@ -14,115 +14,58 @@ localizationpriority: medium # Prepare your environment for Microsoft Surface Hub -This section contains an overview of setup dependencies and the setup process. +This section contains an overview of setup dependencies and the setup process. Review the info in this section to help you prepare your environment and gather information needed to set up your Surface Hub. -See [Intro to Surface Hub](intro-to-surface-hub.md) for a description of how the device and its features interact with your IT environment. -## Surface Hub setup dependencies +## Review infrastructure dependencies +Review these dependencies to make sure Surface Hub features will work in your IT infrastructure. -Review these dependencies to make sure Surface Hub features will work in your environment. +| Dependency | Purpose | +|-------------------------------------------------------|-------------------------------------------------------| +| Active Directory or Azure Active Directory (Azure AD) |

The Surface Hub's uses an Active Directory or Azure AD account (called a **device account**) to access Exchange and Skype for Business services. The Surface Hub must be able to connect to your Active Directory domain controller or to your Azure AD tenant in order to validate the device account’s credentials, as well as to access information like the device account’s display name, alias, Exchange server, and Session Initiation Protocol (SIP) address.

You can also domain join or Azure AD join your Surface Hub to allow a group of authorized users to configure settings on the Surface Hub. | +| Exchange (Exchange 2013 or later, or Exchange Online) and Exchange ActiveSync |

Exchange is used for enabling mail and calendar features, and also lets people who use the device send meeting requests to the Surface Hub, enabling one-touch meeting join.

ActiveSync is used to sync the device account’s calendar and mail to the Surface Hub. If the device cannot use ActiveSync, it will not show meetings on the welcome screen, and joining meetings and emailing whiteboards will not be enabled. | +| Skype for Business (Lync Server 2013 or later, or Skype for Business Online) | Skype for Business is used for various conferencing features, like video calls, instant messaging, and screen sharing. | +| Mobile device management (MDM) solution (Microsoft Intune, System Center Configuration Manager, or supported third-party MDM provider) | If you want to apply settings and install apps remotely, and to multiple devices at a time, you must set up a MDM solution and enroll the device to that solution. See [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) for details. | +| Microsoft Operations Managmement Suite (OMS) | OMS is used to monitor the health of Surface Hub devices. See [Monitor your Surface Hub](monitor-surface-hub.md) for details. | +| Network and Internet access |

In order to function properly, the Surface Hub should have access to a wired or wireless network. Overall, a wired connection is preferred.

**Dynamic IP:** The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address.

**Proxy servers:** If your topology requires a connection to a proxy server to reach Internet services, then you can configure it during first run, or in Settings. | - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
DependencyPurpose

Active Directory (if using an on-premises deployment)

The Surface Hub must be able to connect to the domain controller in order to validate the device account’s credentials, as well as to access information like the device account’s display name, alias, Exchange server, and Session Initiation Protocol (SIP) address.

Microsoft Office 365 (if using an online deployment)

The Surface Hub must have Internet access in order to reach your Office 365 tenant. The device will connect to the Office 365 in order to validate the device account’s credentials, as well as to access information like the device account’s display name, alias, Exchange server, and SIP address.

Device account

The device account is an Active Directory and/or Azure AD account that enables several key features for the Surface Hub. Learn more about device accounts in [Create and test a device account](create-and-test-a-device-account-surface-hub.md).

Exchange and Exchange ActiveSync

The Surface Hub must be able to reach the device account’s Exchange servers. Exchange is used for enabling mail and calendar features, and also lets people who use the device send meeting requests to the Surface Hub, enabling one-touch meeting join.

-

ActiveSync is used to sync the device account’s calendar and mail to the Surface Hub. If the device cannot use ActiveSync, it will not show meetings on the welcome screen, and joining meetings and emailing whiteboards will not be enabled.

Skype for Business

The Surface Hub must be able to reach the device account’s Skype for Business servers. Skype for Business is used for various conferencing features, like video calls, IM, and screen sharing.

Certificate-based authentication

If certificate-based authentication is required to establish a connection with Exchange ActiveSync or Skype for Business, those certificates must be deployed to each Surface Hub.

Dynamic IP

The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address. Network or Internet access is required, depending on the configuration of your topology (on-premises or online respectively) in order to validate the device account.

Proxy servers

If your topology requires a connection to a proxy server to reach Active Directory, Microsoft Online Services, or your Exchange or Skype for Business servers, then you can configure it during first run, or in Settings.

Mobile device management (MDM) solution provider

If you want to manage devices remotely and by groups (apply settings or policies to multiple devices at a time), you must set up a MDM solution and enroll the device to that solution.

Microsoft Operations Management Suite (OMS)

OMS is used to monitor Surface Hub devices.

+Additionally, note that Surface Hub requires the following open ports: +- HTTPS: 443 +- HTTP: 80 -## Prep for Surface Hub set up -Review the info in this section to help you prepare your environment and gather information needed to set up your Surface Hub. +Depending on your environment, access to additional ports may be needed: +- For online environments, see [Office 365 IP URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US). +- For on-premises installations, see [Skype for Business Server: Ports and protocols for internal servers](https://technet.microsoft.com/library/gg398833.aspx). -### Work with other admins - -Surface Hub interacts with a few different products and services. Depending on the size of your organization, there could be multiple people supporting different products in your environment. You'll want to include people who manage Exchange, Active Directory, Azure Actice Directory, mobile device maanagement (MDM), and network resources in your planning and prep for Surface Hub deployments. - -### Create and verify device account - -A device account is an account that Surface Hub uses in order to access features from Exchange, like email and calendar, and to enable Skype for Business. See [Create and test a device account](create-and-test-a-device-account-surface-hub.md) for details. - -After you've created your device account, there are a couple of ways to verify that the account. -- Run Surface Hub device account validation PowerShell scripts. For more information, see [Surface Hub device account scripts](https://gallery.technet.microsoft.com/scriptcenter/Surface-Hub-device-account-6db77696) in Script Center, or [PowerShell scripts for Surface Hub](appendix-a-powershell-scipts-for-surface-hub.md) later in this guide. -- Run the Lync Windows app from Windows Store. 
If Lync runs successfully, then Skype for Business will most likely run. - -### Check network resources - -In order to function properly, the Surface Hub must have access to a wired or wireless network that meets the same requirements as every other Skype for Business endpoint in your environment. Overall, a wired connection is preferred: - -- Access to your Active Directory or Azure Active Directory (Azure AD) instance, as well as your Microsoft Exchange and Skype for Business servers. -- Can receive an IP address using DHCP -- Open ports: - - HTTPS: 443 - - HTTP: 80 -- Access to additional ports are needed, depending on your environment: - - For online envionments, see [Office 365 IP URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US). - - For on-premises istallations, see [Skype for Business Server: Ports and protocols for internal servers](https://technet.microsoft.com/library/gg398833.aspx). - -In order to improve your experience, we collect data. To collect data, we need these sites whitelisted: +Microsoft collects telemetry to help improve your Surface Hub experience. Add these sites to your allow list: - Telemetry client endpoint: https://vortex.data.microsoft.com/ - Telemetry settings endpoint: https://settings.data.microsoft.com/ -### Prepare for first-run program + +## Work with other admins + +Surface Hub interacts with a few different products and services. Depending on the size of your organization, there could be multiple people supporting different products in your environment. You'll want to include people who manage Exchange, Active Directory (or Azure Active Directory), mobile device management (MDM), and network resources in your planning and prep for Surface Hub deployments. 
+ + +## Create and verify device account + +A device account is an Exchange resource account that Surface Hub uses to display its meeting calendar, join Skype for Business calls, and send email. See [Create and test a device account](create-and-test-a-device-account-surface-hub.md) for details. + +After you've created your device account, there are a couple of ways to verify that it's setup correctly. +- Run Surface Hub device account validation PowerShell scripts. For more information, see [Surface Hub device account scripts](https://gallery.technet.microsoft.com/scriptcenter/Surface-Hub-device-account-6db77696) in Script Center, or [PowerShell scripts for Surface Hub](appendix-a-powershell-scipts-for-surface-hub.md) later in this guide. +- Use the account with the [Lync Windows Store app](https://www.microsoft.com/en-us/store/p/lync/9wzdncrfhvhm). If Lync signs in successfully, then the device account will most likely work with Skype for Business on Surface Hub. + + +## Prepare for first-run program There are a few more item to consider before you start the [first-run program](first-run-program-surface-hub.md). -**Create provisioning packages** (optional) - Your Surface Hub may require certificates for ActiveSync, Skype for Business, network usage, or other authentication. To install certificates, you can either create a provisioning package (in order to install at first run, or after first run in Settings), or deploy them through a mobile device management (MDM) solution (after first run only). +**Create provisioning packages** (optional) - Use provisioning packages to add certificates, customize settings and install apps. See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) for details. You can [install provisioning packages at first-run](first-run-program-surface-hub.md#first-page). -Currently, Surface Hub can use provisioning packages only to install certificates and to install Universal Windows Platform (UWP) apps. 
See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) for details. To install them using MDM, see the documentation for your MDM provider. You can also use provisioning to sideload apps that don't come from the Windows Store or Windows Store for Business. - -**Manage admin groups** - Every Surface Hub can be configured individually by opening the Settings app on the device. To prevent people who are not administrators from changing settings, the Settings app requires local administrator credentials to open the app and change settings. See [Admin group management](admin-group-management-for-surface-hub.md) for details on how admin groups are set up and managed. - -During first run, you will [set up admins for the device](first-run-program-surface-hub.md#setup-admins)). +**Setup admin groups** - Every Surface Hub can be configured locally using the Settings app on the device. To prevent unauthorized users from changing settings, the Settings app requires admin credentials to open the app. See [Admin group management](admin-group-management-for-surface-hub.md) for details on how admin groups are set up and managed. You will [set up admins for the device at first run](first-run-program-surface-hub.md#setup-admins)). **Review and complete Surface Hub setup worksheet** (optional) -When you complete the first-run program for your Surface Hub, there is some information that you'll need to supply. The setup worksheet summarizes that info, and provides lists of environment-specific info that you'll need when you complete the first-run program. For more information, see [Setup worksheet](setup-worksheet-surface-hub.md). +When you go through the first-run program for your Surface Hub, there's some information that you'll need to supply. The setup worksheet summarizes that info, and provides lists of environment-specific info that you'll need when you go through the first-run program. 
For more information, see [Setup worksheet](setup-worksheet-surface-hub.md). + ## In this section From 47a60796907de015c9431f197b5e727254eb1d55 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Wed, 21 Sep 2016 14:42:18 -0700 Subject: [PATCH 18/43] updates to prep and intro topic --- devices/surface-hub/intro-to-surface-hub.md | 53 ------------------- ...repare-your-environment-for-surface-hub.md | 14 ++--- .../setup-worksheet-surface-hub.md | 2 +- 3 files changed, 9 insertions(+), 60 deletions(-) diff --git a/devices/surface-hub/intro-to-surface-hub.md b/devices/surface-hub/intro-to-surface-hub.md index 212b001d82..eb48a1fb78 100644 --- a/devices/surface-hub/intro-to-surface-hub.md +++ b/devices/surface-hub/intro-to-surface-hub.md @@ -15,62 +15,9 @@ localizationpriority: medium Microsoft Surface Hub is an all-in-one productivity device that is intended for brainstorming, collaboration, and presentations. In order to get the maximum benefit from Surface Hub, your organization’s infrastructure and the Surface Hub itself must be properly set up and integrated. This guide describes what needs to be done both before and during setup in order to help you optimize your use of the device. - -## Surface Hub features and interactions with other services - -The capabilities of your Surface Hub will depend on what other Microsoft products and technologies are available to it in your infrastructure. The products listed in the following table each support specific features in Surface Hub. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ScenarioRequirement

One-touch meeting join, meetings calendar, and email (for example, sending whiteboards)

Device account with Microsoft Exchange 2013 or later, or Exchange Online and a network connection to where the account is hosted.

Meetings using Skype for Business

Device account with Skype for Business (Lync Server 2013 or later) or Skype for Business Online, and a network connection so the account can be accessed.

Web browsing through Microsoft Edge

Internet connectivity.

Remote and multi-device management

Supported mobile device management (MDM) solutions (Microsoft Intune, System Center 2012 R2 Configuration Manager, or supported third-party solution).

Group-based local management (directory of employees who can manage a device)

Active Directory or Azure Active Directory (Azure AD).

Universal Windows app installation

Windows Imaging and Configuration Designer (ICD) or supported MDM solutions (Intune, Configuration Manager, or supported third-party solution).

OS updates

Internet connectivity or Windows Server Update Services (WSUS).

Device monitoring and health

Microsoft Operations Management Suite (OMS).

-   You’ll need to understand how each of these services interacts with Surface Hub. See [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md) for details. - ## Surface Hub setup process In some ways, adding your new Surface Hub is just like adding any other Microsoft Windows-based device to your network. However, in order to get your Surface Hub up and running at its full capacity, there are some very specific requirements. Here are the next topics you'll need: diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md index ef33102a3f..1be646ae79 100644 --- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md +++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md @@ -38,8 +38,8 @@ Depending on your environment, access to additional ports may be needed: - For on-premises installations, see [Skype for Business Server: Ports and protocols for internal servers](https://technet.microsoft.com/library/gg398833.aspx). Microsoft collects telemetry to help improve your Surface Hub experience. Add these sites to your allow list: -- Telemetry client endpoint: https://vortex.data.microsoft.com/ -- Telemetry settings endpoint: https://settings.data.microsoft.com/ +- Telemetry client endpoint: `https://vortex.data.microsoft.com/` +- Telemetry settings endpoint: `https://settings.data.microsoft.com/` ## Work with other admins 
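Review bot: In the @@ -38,8 +38,8 @@ hunk of prepare-your-environment-for-surface-hub.md, the two telemetry entries under "Add these sites to your allow list" are still written as full URLs (`https://vortex.data.microsoft.com/` and `https://settings.data.microsoft.com/`), while firewall and proxy allow lists are usually keyed on host name and port. Consider giving the host names and stating that both are reached over HTTPS on port 443, which ties them to the open-ports list earlier in the same topic. Wrapping the endpoints in code formatting is a good change on its own, since it stops them from rendering as clickable links.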
@@ -56,14 +56,16 @@ After you've created your device account, there are a couple of ways to verify t - Use the account with the [Lync Windows Store app](https://www.microsoft.com/en-us/store/p/lync/9wzdncrfhvhm). If Lync signs in successfully, then the device account will most likely work with Skype for Business on Surface Hub. -## Prepare for first-run program +## Prepare for first-run program There are a few more item to consider before you start the [first-run program](first-run-program-surface-hub.md). -**Create provisioning packages** (optional) - Use provisioning packages to add certificates, customize settings and install apps. See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) for details. You can [install provisioning packages at first-run](first-run-program-surface-hub.md#first-page). +### Create provisioning packages (optional) +You can use provisioning packages to add certificates, customize settings and install apps. See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) for details. You can [install provisioning packages at first-run](first-run-program-surface-hub.md#first-page). -**Setup admin groups** - Every Surface Hub can be configured locally using the Settings app on the device. To prevent unauthorized users from changing settings, the Settings app requires admin credentials to open the app. See [Admin group management](admin-group-management-for-surface-hub.md) for details on how admin groups are set up and managed. You will [set up admins for the device at first run](first-run-program-surface-hub.md#setup-admins)). +### Set up admin groups +Every Surface Hub can be configured locally using the Settings app on the device. To prevent unauthorized users from changing settings, the Settings app requires admin credentials to open the app. See [Admin group management](admin-group-management-for-surface-hub.md) for details on how admin groups are set up and managed. 
You will [set up admins for the device at first run](first-run-program-surface-hub.md#setup-admins)). -**Review and complete Surface Hub setup worksheet** (optional) +### Review and complete Surface Hub setup worksheet** (optional) When you go through the first-run program for your Surface Hub, there's some information that you'll need to supply. The setup worksheet summarizes that info, and provides lists of environment-specific info that you'll need when you go through the first-run program. For more information, see [Setup worksheet](setup-worksheet-surface-hub.md). diff --git a/devices/surface-hub/setup-worksheet-surface-hub.md b/devices/surface-hub/setup-worksheet-surface-hub.md index 49b0f51d45..a77cf5850f 100644 --- a/devices/surface-hub/setup-worksheet-surface-hub.md +++ b/devices/surface-hub/setup-worksheet-surface-hub.md @@ -33,7 +33,7 @@ You should fill out one list for each Surface Hub you need to configure, althoug

If your network uses a proxy for network and/or Internet access, you must provide a script or server/port information.

-

Proxy script: http://contoso/proxy.pa
+

Proxy script: http://contoso/proxy.pa
- OR -
Server and port info: 10.10.10.100, port 80

From 60e771f2b9ecee958f1b37fd024c4887f6821177 Mon Sep 17 00:00:00 2001 From: isaiahng Date: Wed, 21 Sep 2016 15:47:05 -0700 Subject: [PATCH 19/43] Update prepare-your-environment-for-surface-hub.md --- devices/surface-hub/prepare-your-environment-for-surface-hub.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md index 1be646ae79..1e0440958f 100644 --- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md +++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md @@ -65,7 +65,7 @@ You can use provisioning packages to add certificates, customize settings and in ### Set up admin groups Every Surface Hub can be configured locally using the Settings app on the device. To prevent unauthorized users from changing settings, the Settings app requires admin credentials to open the app. See [Admin group management](admin-group-management-for-surface-hub.md) for details on how admin groups are set up and managed. You will [set up admins for the device at first run](first-run-program-surface-hub.md#setup-admins)). -### Review and complete Surface Hub setup worksheet** (optional) +### Review and complete Surface Hub setup worksheet (optional) When you go through the first-run program for your Surface Hub, there's some information that you'll need to supply. The setup worksheet summarizes that info, and provides lists of environment-specific info that you'll need when you go through the first-run program. For more information, see [Setup worksheet](setup-worksheet-surface-hub.md). From 3ee6215071b3f90c0cd379084005492f6c29bfa7 Mon Sep 17 00:00:00 2001 
From: LizRoss Date: Thu, 22 Sep 2016 07:07:17 -0700 Subject: [PATCH 20/43] Changed proxy reference from 137 to 443 --- windows/keep-secure/create-wip-policy-using-intune.md | 2 +- windows/keep-secure/create-wip-policy-using-sccm.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index 7a107e086c..0b829ac6ce 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -380,7 +380,7 @@ There are no default locations included with WIP, you must add each of your netw Enterprise Proxy Servers - proxy.contoso.com:80;proxy2.contoso.com:137 + proxy.contoso.com:80;proxy2.contoso.com:443 Specify your externally-facing proxy server addresses, along with the port through which traffic is allowed and protected with WIP.

This list shouldn’t include any servers listed in the Enterprise Internal Proxy Servers list, which are used for WIP-protected traffic.

This setting is also required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when you’re visiting another company and not on that company’s guest network.

If you have multiple resources, you must separate them using the ";" delimiter. diff --git a/windows/keep-secure/create-wip-policy-using-sccm.md b/windows/keep-secure/create-wip-policy-using-sccm.md index c66c433c22..ef5f223a2c 100644 --- a/windows/keep-secure/create-wip-policy-using-sccm.md +++ b/windows/keep-secure/create-wip-policy-using-sccm.md @@ -401,7 +401,7 @@ There are no default locations included with WIP, you must add each of your netw Enterprise Proxy Servers - proxy.contoso.com:80;proxy2.contoso.com:137 + proxy.contoso.com:80;proxy2.contoso.com:443 Specify your externally-facing proxy server addresses, along with the port through which traffic is allowed and protected with WIP.

This list shouldn’t include any servers listed in the Enterprise Internal Proxy Servers list, which are used for WIP-protected traffic.

This setting is also required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when you’re visiting another company and not on that company’s guest network.

If you have multiple resources, you must separate them using the ";" delimiter. From 71526b64627469f9572760f9dbfecd6f64658bec Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 22 Sep 2016 07:44:09 -0700 Subject: [PATCH 21/43] update new parent topics --- devices/surface/deploy.md | 13 ++++++- devices/surface/index.md | 4 +-- .../surface/manage-surface-uefi-settings.md | 7 +++- .../surface-enterprise-management-mode.md | 34 +++++++++++++------ devices/surface/update.md | 12 +++++-- 5 files changed, 53 insertions(+), 17 deletions(-) diff --git a/devices/surface/deploy.md b/devices/surface/deploy.md index 7fe0c9a38e..517aca2f0b 100644 --- a/devices/surface/deploy.md +++ b/devices/surface/deploy.md @@ -1,6 +1,6 @@ --- title: Deploy Surface devices (Surface) -description: +description: Get deployment guidance for your Surface devices including information about MDT, OOBE customization, Ethernet adaptors, and Surface Deployment Accelerator. ms.prod: w10 ms.mktglfcycl: manage ms.pagetype: surface, devices 
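Review bot: The new `description:` value in deploy.md spells the term "Ethernet adaptors", but the topic it refers to is titled "Ethernet adapters and Surface deployment" (ethernet-adapters-and-surface-device-deployment.md) in the table this same patch adds further down. Use "adapters" here, and in the intro sentence of deploy.md and the index.md row that reuse this text, so the summary matches the topic title and the file name.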
@@ -10,6 +10,17 @@ author: heatherpoulsen # Deploy Surface devices +Get deployment guidance for your Surface devices including information about MDT, OOBE customization, Ethernet adaptors, and Surface Deployment Accelerator. + +## In this section + +| Topic | Description | +| --- | --- | +| [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) | Walk through the recommended process of how to deploy Windows 10 to your Surface devices with the Microsoft Deployment Toolkit.| +| [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md)| Find out how to perform a Windows 10 upgrade deployment to your Surface devices. | +| [Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md)| Walk through the process of customizing the Surface out-of-box experience for end users in your organization.| +| [Ethernet adapters and Surface deployment](ethernet-adapters-and-surface-device-deployment.md)| Get guidance and answers to help you perform a network deployment to Surface devices.| +| [Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md)| See how Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices. | diff --git a/devices/surface/index.md b/devices/surface/index.md index e163db015d..39305ac4af 100644 --- a/devices/surface/index.md +++ b/devices/surface/index.md 
@@ -20,8 +20,8 @@ For more information on planning for, deploying, and managing Surface devices in | Topic | Description | | --- | --- | -| [Deploy Surface devices](deploy.md) | tba | -| [Surface firmware and driver updates](update.md) | tba | +| [Deploy Surface devices](deploy.md) | Get deployment guidance for your Surface devices including information about MDT, OOBE customization, Ethernet adaptors, and Surface Deployment Accelerator. | +| [Surface firmware and driver updates](update.md) | Find out how to download and manage the latest firmware and driver updates for your Surface device. | | [Deploy Surface app with Windows Store for Business](deploy-surface-app-with-windows-store-for-business.md) | Find out how to add and download Surface app with Windows Store for Business, as well as install Surface app with PowerShell and MDT. | | [Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md) | Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device. | | [Manage Surface UEFI settings](manage-surface-uefi-settings.md) | Use Surface UEFI settings to enable or disable devices, configure security settings, and adjust Surface device boot settings. | diff --git a/devices/surface/manage-surface-uefi-settings.md b/devices/surface/manage-surface-uefi-settings.md index 246334a4d4..a34215254f 100644 --- a/devices/surface/manage-surface-uefi-settings.md +++ b/devices/surface/manage-surface-uefi-settings.md 
@@ -14,7 +14,8 @@ author: miladCA Current and future generations of Surface devices, including Surface Pro 4 and Surface Book, use a unique UEFI firmware engineered by Microsoft specifically for these devices. This firmware allows for significantly greater control of the device’s operation over firmware versions in earlier generation Surface devices, including the support for touch, mouse, and keyboard operation. By using the Surface UEFI settings you can easily enable or disable internal devices or components, configure security to protect UEFI settings from being changed, and adjust the Surface device boot settings. ->**Note:**  Surface Pro 3, Surface 3, Surface Pro 2, Surface 2, Surface Pro, and Surface do not use the Surface UEFI and instead use firmware provided by third-party manufacturers, such as AMI. +>[!NOTE] +>Surface Pro 3, Surface 3, Surface Pro 2, Surface 2, Surface Pro, and Surface do not use the Surface UEFI and instead use firmware provided by third-party manufacturers, such as AMI. You can enter the Surface UEFI settings on your Surface device by pressing the **Volume Up** button and the **Power** button simultaneously. Hold the **Volume Up** button until the Surface logo is displayed, which indicates that the device has begun to boot. @@ -137,3 +138,7 @@ Use the **Restart Now** button on the **Exit** page to exit UEFI settings, as sh ![Exit Surface UEFI and restart the device](images/manage-surface-uefi-fig8.png "Exit Surface UEFI and restart the device") *Figure 8. Click Restart Now to exit Surface UEFI and restart the device* + +## Related topics + +[Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md) \ No newline at end of file diff --git a/devices/surface/surface-enterprise-management-mode.md b/devices/surface/surface-enterprise-management-mode.md index 981d6dae06..3361d3002c 100644 --- a/devices/surface/surface-enterprise-management-mode.md 
+++ b/devices/surface/surface-enterprise-management-mode.md @@ -13,7 +13,8 @@ author: jobotto Microsoft Surface Enterprise Management Mode (SEMM) is a feature of Surface devices with Surface UEFI that allows you to secure and manage firmware settings within your organization. With SEMM, IT professionals can prepare configurations of UEFI settings and install them on a Surface device. In addition to the ability to configure UEFI settings, SEMM also uses a certificate to protect the configuration from unauthorized tampering or removal. ->**Note**:  SEMM is only available on devices with Surface UEFI firmware, such as Surface Pro 4 and Surface Book. For more information about Surface UEFI, see [Manage Surface UEFI Settings](https://technet.microsoft.com/en-us/itpro/surface/manage-surface-uefi-settings). +>[!NOTE] +>SEMM is only available on devices with Surface UEFI firmware, such as Surface Pro 4 and Surface Book. For more information about Surface UEFI, see [Manage Surface UEFI Settings](https://technet.microsoft.com/itpro/surface/manage-surface-uefi-settings). When Surface devices are configured by SEMM and secured with the SEMM certificate, they are considered *enrolled* in SEMM. When the SEMM certificate is removed and control of UEFI settings is returned to the user of the device, the Surface device is considered *unenrolled* in SEMM. @@ -25,7 +26,8 @@ The primary workspace of SEMM is Microsoft Surface UEFI Configurator, as shown i *Figure 1. Microsoft Surface UEFI Configurator* ->**Note**:  Windows 10 is required to run Microsoft Surface UEFI Configurator +>[!NOTE] +>Windows 10 is required to run Microsoft Surface UEFI Configurator You can use the Microsoft Surface UEFI Configurator tool in three modes: 
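Review bot: the added line `>Windows 10 is required to run Microsoft Surface UEFI Configurator` in the `@@ -25,7 +26,8 @@` hunk still ends without a period, unlike the other notes converted to `>[!NOTE]` in this file. Since the line is being rewritten anyway, add the full stop here rather than carrying the omission forward.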
@@ -36,7 +38,7 @@ You can use the Microsoft Surface UEFI Configurator tool in three modes: #### Download Microsoft Surface UEFI Configurator -You can download Microsoft Surface UEFI Configurator from the [Surface Tools for IT](https://www.microsoft.com/en-us/download/details.aspx?id=46703) page in the Microsoft Download Center. +You can download Microsoft Surface UEFI Configurator from the [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) page in the Microsoft Download Center. ### Configuration package @@ -48,7 +50,8 @@ Surface UEFI configuration packages are the primary mechanism to implement and m See the [Surface Enterprise Management Mode certificate requirements](#surface-enterprise-management-mode-certificate-requirements) section of this article for more information about the requirements for the SEMM certificate. ->**Note**:  You can also specify a UEFI password with SEMM that is required to view the **Security**, **Devices**, **Boot Configuration**, or **Enterprise Management** pages of Surface UEFI. +>[!NOTE] +>You can also specify a UEFI password with SEMM that is required to view the **Security**, **Devices**, **Boot Configuration**, or **Enterprise Management** pages of Surface UEFI. After a device is enrolled in SEMM, the configuration file is read and the settings specified in the file are applied to UEFI. When you run a configuration package on a device that is already enrolled in SEMM, the signature of the configuration file is checked against the certificate that is stored in the device firmware. If the signature does not match, no changes are applied to the device. 
@@ -85,7 +88,8 @@ You can configure the following advanced settings with SEMM: * Display of the Surface UEFI **Devices** page * Display of the Surface UEFI **Boot** page ->**Note**:  When you create a SEMM configuration package, two characters are shown on the **Successful** page, as shown in Figure 5. +>[!NOTE] +>When you create a SEMM configuration package, two characters are shown on the **Successful** page, as shown in Figure 5. ![Certificate thumbprint display](images\surface-ent-mgmt-fig5-success.png "Certificate thumbprint display") 
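Review bot: the context line directly under the converted note references `images\surface-ent-mgmt-fig5-success.png` with a backslash, while the image reference in manage-surface-uefi-settings.md in this same series uses a forward slash (`images/manage-surface-uefi-fig8.png`). Fix the separator while touching this block. The added note also says only that "two characters are shown" without saying what they are; the figure title suggests they come from the certificate thumbprint, so state that in the note.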
@@ -113,11 +117,13 @@ In some scenarios, it may be impossible to use a Surface UEFI reset package. (Fo When you use the process on the **Enterprise Management** page to reset SEMM on a Surface device, you are provided with a Reset Request. This Reset Request can be saved as a file to a USB drive, copied as text, or read as a QR Code with a mobile device to be easily emailed or messaged. Use the Microsoft Surface UEFI Configurator Reset Request option to load a Reset Request file or enter the Reset Request text or QR Code. Microsoft Surface UEFI Configurator will generate a verification code that can be entered on the Surface device. If you enter the code on the Surface device and click **Restart**, the device will be unenrolled from SEMM. ->**Note**:  A Reset Request expires two hours after it is created. +>[!NOTE] +>A Reset Request expires two hours after it is created. ## Surface Enterprise Management Mode certificate requirements ->**Note**:  The SEMM certificate is required to perform any modification to SEMM or Surface UEFI settings on enrolled Surface devices. If the SEMM certificate is corrupted or lost, SEMM cannot be removed or reset. Manage your SEMM certificate accordingly with an appropriate solution for backup and recovery. +>[!NOTE] +>The SEMM certificate is required to perform any modification to SEMM or Surface UEFI settings on enrolled Surface devices. If the SEMM certificate is corrupted or lost, SEMM cannot be removed or reset. Manage your SEMM certificate accordingly with an appropriate solution for backup and recovery. Packages created with the Microsoft Surface UEFI Configurator tool are signed with a certificate. This certificate ensures that after a device is enrolled in SEMM, only packages created with the approved certificate can be used to modify the settings of UEFI. The following settings are recommended for the SEMM certificate: 
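Review bot: the second converted block in this hunk, under "Surface Enterprise Management Mode certificate requirements", describes an unrecoverable condition ("If the SEMM certificate is corrupted or lost, SEMM cannot be removed or reset") and is underplayed as `>[!NOTE]`. If the build supports a stronger alert type such as `>[!WARNING]` or `>[!IMPORTANT]`, use it here and keep `>[!NOTE]` for the two-hour Reset Request expiry above it.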
@@ -132,8 +138,9 @@ Packages created with the Microsoft Surface UEFI Configurator tool are signed wi It is also recommended that the SEMM certificate be authenticated in a two-tier public key infrastructure (PKI) architecture where the intermediate certification authority (CA) is dedicated to SEMM, enabling certificate revocation. For more information about a two-tier PKI configuration, see [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](https://technet.microsoft.com/library/hh831348). ->**Note**:  You can use the following PowerShell script to create a self-signed certificate for use in proof-of-concept scenarios. - To use this script, copy the following text into Notepad and save the file as a PowerShell script (.ps1). This script creates a certificate with a password of `12345678`.

The certificate generated by this script is not recommended for production environments. +>[!NOTE] +>You can use the following PowerShell script to create a self-signed certificate for use in proof-of-concept scenarios. + > To use this script, copy the following text into Notepad and save the file as a PowerShell script (.ps1). This script creates a certificate with a password of `12345678`.

The certificate generated by this script is not recommended for production environments. ``` if (-not (Test-Path "Demo Certificate")) { New-Item -ItemType Directory -Force -Path "Demo Certificate" } @@ -160,4 +167,11 @@ $TestUefiV2 | Export-PfxCertificate -Password $pw -FilePath "Demo Certificate\Te For use with SEMM and Microsoft Surface UEFI Configurator, the certificate must be exported with the private key and with password protection. Microsoft Surface UEFI Configurator will prompt you to select the SEMM certificate file (.pfx) and certificate password when it is required. ->**Note**:  For organizations that use an offline root in their PKI infrastructure, Microsoft Surface UEFI Configurator must be run in an environment connected to the root CA to authenticate the SEMM certificate. The packages generated by Microsoft Surface UEFI Configurator can be transferred as files and therefore can be transferred outside the offline network environment with removable storage, such as a USB stick. +>[!NOTE] +>For organizations that use an offline root in their PKI infrastructure, Microsoft Surface UEFI Configurator must be run in an environment connected to the root CA to authenticate the SEMM certificate. The packages generated by Microsoft Surface UEFI Configurator can be transferred as files and therefore can be transferred outside the offline network environment with removable storage, such as a USB stick. + +## Related topics + +[Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md) + +[Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md) \ No newline at end of file diff --git a/devices/surface/update.md b/devices/surface/update.md index 1852692c3e..3e00c77e71 100644 --- a/devices/surface/update.md +++ b/devices/surface/update.md 
@@ -1,6 +1,6 @@ --- title: Surface firmware and driver updates (Surface) -description: +description: Find out how to download and manage the latest firmware and driver updates for your Surface device. ms.prod: w10 ms.mktglfcycl: manage ms.pagetype: surface, devices @@ -10,14 +10,20 @@ author: heatherpoulsen # Surface firmware and driver updates +Find out how to download and manage the latest firmware and driver updates for your Surface device. +## In this section - +| Topic | Description | +| --- | --- | +| [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)| Get a list of the available downloads for Surface devices and links to download the drivers and firmware for your device.| +| [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)| Explore the available options to manage firmware and driver updates for Surface devices.| +| [Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)| Read about the different methods you can use to manage the process of Surface Dock firmware updates.| +| [Surface Dock Updater](surface-dock-updater.md)| Get a detailed walkthrough of Microsoft Surface Dock Updater.|   ## Related topics - [Surface TechCenter](https://technet.microsoft.com/windows/surface) [Surface for IT pros blog](http://blogs.technet.com/b/surface/) From c39cef9c635378c667ac335d173867a89748b63a Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 22 Sep 2016 07:56:19 -0700 Subject: [PATCH 22/43] add child links --- devices/surface/microsoft-surface-deployment-accelerator.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/devices/surface/microsoft-surface-deployment-accelerator.md b/devices/surface/microsoft-surface-deployment-accelerator.md index 169358ad9a..9c4d792a9d 100644 --- a/devices/surface/microsoft-surface-deployment-accelerator.md +++ b/devices/surface/microsoft-surface-deployment-accelerator.md 
@@ -115,6 +115,10 @@ This version is the original release of SDA. This version of SDA includes suppor * Windows 8.1 - +## Related topics + +[Step by step: Surface Deployment Accelerator](step-by-step-surface-deployment-accelerator.md) + +[Using the Surface Deployment Accelerator deployment share](using-the-sda-deployment-share.md) From 9dc17a174aad221c380d0b06d1bbac83cb59f096 Mon Sep 17 00:00:00 2001 From: Seth Moore Date: Thu, 22 Sep 2016 08:26:49 -0700 Subject: [PATCH 23/43] Make protocol limitations more explicit Previously, the doc incorrectly stated some things were not allowed at all. These are allowed, just not with sign-on credentials. --- windows/keep-secure/credential-guard.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 55180bcbe5..068f9e099f 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md 
@@ -30,7 +30,9 @@ Credential Guard isolates secrets that previous versions of Windows stored in th For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment. -Credential Guard also does not allow unconstrained Kerberos delegation, NTLMv1, MS-CHAPv2, Digest, CredSSP, and Kerberos DES encryption. +Credential Guard prevents NTLMv1, MS-CHAPv2, Digest, and CredSSP from using sign-on credentials. Thus, single sign-on does not work with these protocols. However, Credential guard allows these protocols to be used with prompted credentials or those saved in Credential Manager. It is strongly recommended that valuable credentials, such as the sign-on credentials, not be used with any of these protocols. If these protocols must be used by domain users, secondary credentials should be provisioned for these use cases. + +Credential Guard does not allow unconstrained Kerberos delegation or Kerberos DES encryption at all. Neither sign-on nor prompted/saved credentials may be used. Here's a high-level overview on how the LSA is isolated by using virtualization-based security: From ffcfed9c30ebdf6a6cb60484f9d15260a6e50ce8 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 22 Sep 2016 08:59:23 -0700 Subject: [PATCH 24/43] Changed may to might --- windows/keep-secure/limitations-with-wip.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/limitations-with-wip.md b/windows/keep-secure/limitations-with-wip.md index 07244d94d6..d30082e0f4 100644 --- a/windows/keep-secure/limitations-with-wip.md +++ b/windows/keep-secure/limitations-with-wip.md 
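Review bot: in the credential-guard.md hunk above, the first added paragraph writes "However, Credential guard allows these protocols" with a lowercase "guard", while every other mention in the hunk is "Credential Guard"; fix the capitalization. In the second added paragraph, "Neither sign-on nor prompted/saved credentials may be used" would be clearer if it repeated the wording of the first paragraph ("prompted credentials or those saved in Credential Manager") so that the two cases read as the same categories.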
@@ -61,7 +61,7 @@ This table provides info about the most common problems you might encounter whil Changing your primary Corporate Identity isn’t supported. - You may experience various instabilities, including but not limited to network and file access failures, and potentially granting incorrect access. + You might experience various instabilities, including but not limited to network and file access failures, and potentially granting incorrect access. Turn off WIP for all devices before changing the primary Corporate Identity (first entry in the list), restarting, and finally redeploying. From a4e2e856ca23be8f2214945c33fc0074147a2e87 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 22 Sep 2016 09:01:34 -0700 Subject: [PATCH 25/43] correct paths for 4 policies --- .../windows/set-up-school-pcs-technical.md | 21 ++++++++++++------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index 6fdf7e3da3..4b9241bd11 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -193,14 +193,6 @@ The **Set up School PCs** app produces a specialized provisioning package that m

Admin Templates>Windows Components

-

Do not show Windows Tips

Enabled

- -

Turn off Microsoft consumer experiences

Enabled

- -

Microsoft Passport for Work

Disabled

- -

Prevent the usage of OneDrive for file storage

Enabled

-

Admin Templates>Windows Components>Biometrics

Allow the use of biometrics

Disabled
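Review bot: removing all four policy rows in this hunk leaves the `Admin Templates>Windows Components` heading (the first context line) with nothing beneath it before `Admin Templates>Windows Components>Biometrics`. Delete that heading row in the same change. The commit message also says only "correct paths", but the removed `Microsoft Passport for Work` row comes back later in the patch as `Use Windows Hello for Business`, so mention the policy rename as well.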

@@ -209,6 +201,11 @@ The **Set up School PCs** app produces a specialized provisioning package that m

Allow domain users to log on using biometrics

Disabled

+Admin Templates>Windows Components>Cloud Content +

Do not show Windows Tips

Enabled

+ +

Turn off Microsoft consumer experiences

Enabled

+

Admin Templates>Windows Components>Data Collection and Preview Builds

Toggle user control over Insider builds

Disabled

@@ -235,10 +232,18 @@ The **Set up School PCs** app produces a specialized provisioning package that m

Configure corporate home pages

Enabled, about:blank

+

Admin Templates > Windows Components > OneDrive

+ +

Prevent the usage of OneDrive for file storage

Enabled

+

Admin Templates > Windows Components > Search

Allow Cortana

Disabled

+

Admin Templates > Windows Components > Windows Hello for Business

+ +

Use Windows Hello for Business

Disabled

+

Windows Settings > Security Settings > Local Policies > Security Options

Accounts: Block Microsoft accounts

**Note** Microsoft accounts can still be used in apps.

Enabled

From 7e032436e2dc83835eef46b9182c38dd959b1319 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 22 Sep 2016 09:02:28 -0700 Subject: [PATCH 26/43] Removed Azure AD reference --- windows/manage/manage-cortana-in-enterprise.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/manage/manage-cortana-in-enterprise.md b/windows/manage/manage-cortana-in-enterprise.md index 36b77add2e..ff1aec9da2 100644 --- a/windows/manage/manage-cortana-in-enterprise.md +++ b/windows/manage/manage-cortana-in-enterprise.md @@ -56,7 +56,7 @@ Set up and manage Cortana by using the following Group Policy and mobile device |Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock |AboveLock/AllowCortanaAboveLock |Specifies whether an employee can interact with Cortana using voice commands when the system is locked.

**Note**
This setting only applies to Windows 10 for desktop devices. | |Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow input personalization |Privacy/AllowInputPersonalization |Specifies whether an employee can use voice commands with Cortana in the enterprise.

**In Windows 10, version 1511**
Cortana won’t work if this setting is turned off (disabled).

**In Windows 10, version 1607 and later**
Cortana still works if this setting is turned off (disabled). | |None |System/AllowLocation |Specifies whether to allow app access to the Location service.

**In Windows 10, version 1511**
Cortana won’t work if this setting is turned off (disabled).

**In Windows 10, version 1607 and later**
Cortana still works if this setting is turned off (disabled). | -|None |Accounts/AllowMicrosoftAccountConnection |Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps.

Use this setting if you only want to support Azure AD in your organization. | +|None |Accounts/AllowMicrosoftAccountConnection |Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps. | |Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location |Search/AllowSearchToUseLocation |Specifies whether Cortana can use your current location during searches and for location reminders. | |Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search |Search/SafeSearchPermissions |Specifies what level of safe search (filtering adult content) is required.

**Note**
This setting only applies to Windows 10 Mobile. | |User Configuration\Administrative Templates\Windows Components\File Explorer\Turn off display of recent search entries in the File Explorer search box |None |Specifies whether the search box can suggest recent queries and prevent entries from being stored in the registry for future reference. | From 240f2c57dca0f0ebc8d8941e705d4cf78e64ae1d Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 22 Sep 2016 09:06:13 -0700 Subject: [PATCH 27/43] removed extra ) --- devices/surface-hub/prepare-your-environment-for-surface-hub.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md index 1e0440958f..7008921d95 100644 --- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md +++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md 
@@ -63,7 +63,7 @@ There are a few more item to consider before you start the [first-run program](f You can use provisioning packages to add certificates, customize settings and install apps. See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) for details. You can [install provisioning packages at first-run](first-run-program-surface-hub.md#first-page). ### Set up admin groups -Every Surface Hub can be configured locally using the Settings app on the device. To prevent unauthorized users from changing settings, the Settings app requires admin credentials to open the app. See [Admin group management](admin-group-management-for-surface-hub.md) for details on how admin groups are set up and managed. You will [set up admins for the device at first run](first-run-program-surface-hub.md#setup-admins)). +Every Surface Hub can be configured locally using the Settings app on the device. To prevent unauthorized users from changing settings, the Settings app requires admin credentials to open the app. See [Admin group management](admin-group-management-for-surface-hub.md) for details on how admin groups are set up and managed. You will [set up admins for the device at first run](first-run-program-surface-hub.md#setup-admins). ### Review and complete Surface Hub setup worksheet (optional) When you go through the first-run program for your Surface Hub, there's some information that you'll need to supply. The setup worksheet summarizes that info, and provides lists of environment-specific info that you'll need when you go through the first-run program. For more information, see [Setup worksheet](setup-worksheet-surface-hub.md). From c1b4c901aecddd485be14430b484c3a2297598d5 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 22 Sep 2016 09:07:04 -0700 Subject: [PATCH 28/43] typo in link causing build errors --- devices/surface-hub/prepare-your-environment-for-surface-hub.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md index 7008921d95..0872e5b054 100644 --- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md +++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md @@ -52,7 +52,7 @@ Surface Hub interacts with a few different products and services. Depending on t A device account is an Exchange resource account that Surface Hub uses to display its meeting calendar, join Skype for Business calls, and send email. See [Create and test a device account](create-and-test-a-device-account-surface-hub.md) for details. After you've created your device account, there are a couple of ways to verify that it's setup correctly. -- Run Surface Hub device account validation PowerShell scripts. For more information, see [Surface Hub device account scripts](https://gallery.technet.microsoft.com/scriptcenter/Surface-Hub-device-account-6db77696) in Script Center, or [PowerShell scripts for Surface Hub](appendix-a-powershell-scipts-for-surface-hub.md) later in this guide. +- Run Surface Hub device account validation PowerShell scripts. For more information, see [Surface Hub device account scripts](https://gallery.technet.microsoft.com/scriptcenter/Surface-Hub-device-account-6db77696) in Script Center, or [PowerShell scripts for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) later in this guide. - Use the account with the [Lync Windows Store app](https://www.microsoft.com/en-us/store/p/lync/9wzdncrfhvhm). If Lync signs in successfully, then the device account will most likely work with Skype for Business on Surface Hub. From a7082a06081020ae8c80c3a7571426d6c4145980 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Thu, 22 Sep 2016 09:13:15 -0700 Subject: [PATCH 29/43] fixing link --- .../surface-hub/prepare-your-environment-for-surface-hub.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md index 1e0440958f..128c83e930 100644 --- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md +++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md @@ -52,8 +52,8 @@ Surface Hub interacts with a few different products and services. Depending on t A device account is an Exchange resource account that Surface Hub uses to display its meeting calendar, join Skype for Business calls, and send email. See [Create and test a device account](create-and-test-a-device-account-surface-hub.md) for details. After you've created your device account, there are a couple of ways to verify that it's setup correctly. -- Run Surface Hub device account validation PowerShell scripts. For more information, see [Surface Hub device account scripts](https://gallery.technet.microsoft.com/scriptcenter/Surface-Hub-device-account-6db77696) in Script Center, or [PowerShell scripts for Surface Hub](appendix-a-powershell-scipts-for-surface-hub.md) later in this guide. -- Use the account with the [Lync Windows Store app](https://www.microsoft.com/en-us/store/p/lync/9wzdncrfhvhm). If Lync signs in successfully, then the device account will most likely work with Skype for Business on Surface Hub. +- Run Surface Hub device account validation PowerShell scripts. For more information, see [Surface Hub device account scripts](https://gallery.technet.microsoft.com/scriptcenter/Surface-Hub-device-account-6db77696) in Script Center, or [PowerShell scripts for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) later in this guide. +- Use the account with the [Lync Windows Store app](https://www.microsoft.com/en-us/store/p/lync/9wzdncrfhvhm). If Lync signs in successfully, then the device account will most likely work with Skype for Business on Surface Hub. ## Prepare for first-run program 
From d51322ac578523a2e5b38a114f26020b6edcf501 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 22 Sep 2016 09:51:09 -0700 Subject: [PATCH 30/43] delete extra table row --- education/windows/set-up-school-pcs-technical.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index 4b9241bd11..0eabc87c57 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -191,8 +191,6 @@ The **Set up School PCs** app produces a specialized provisioning package that m

Turn off the advertising ID

Enabled

-

Admin Templates>Windows Components

-

Admin Templates>Windows Components>Biometrics

Allow the use of biometrics

Disabled

From f384c159dd41e0b8872ec22fb8a0a7e71b21a5c3 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 22 Sep 2016 10:02:33 -0700 Subject: [PATCH 31/43] Added info about Cortana --- windows/keep-secure/limitations-with-wip.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/limitations-with-wip.md b/windows/keep-secure/limitations-with-wip.md index d30082e0f4..9863a66944 100644 --- a/windows/keep-secure/limitations-with-wip.md +++ b/windows/keep-secure/limitations-with-wip.md @@ -41,7 +41,7 @@ This table provides info about the most common problems you might encounter whil Cortana can potentially allow data leakage if it’s on the allowed apps list. - + Some files might become unexpectedly encrypted after searches. Cortana can search and provide results on enterprise documents and locations. Don’t add Cortana to your allowed apps list. From daf00e41cc2e12f40c2364aea51790430870a917 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 22 Sep 2016 11:36:36 -0700 Subject: [PATCH 32/43] Added one last limitation --- windows/keep-secure/limitations-with-wip.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/keep-secure/limitations-with-wip.md b/windows/keep-secure/limitations-with-wip.md index 9863a66944..cb394d0ba4 100644 --- a/windows/keep-secure/limitations-with-wip.md +++ b/windows/keep-secure/limitations-with-wip.md @@ -69,4 +69,8 @@ This table provides info about the most common problems you might encounter whil Apps might encounter access errors while attempting to read a cached, offline file. Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business. + + You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer. + A message appears stating that the content is marked as **Work** and the user isn't given an option to override to **Personal**. + Open File Explorer and change the file ownership to **Personal** before you upload. 
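Review bot: in the `@@ -69,4 +69,8 @@` hunk the second added cell says the user "isn't given an option to override to **Personal**", and the third cell then tells the reader to change the file ownership to **Personal** in File Explorer, which reads as a contradiction. Say that the override is not offered in Microsoft Edge or Internet Explorer, and state whether the File Explorer change is available to every user or only where the WIP policy allows it, since the workaround moves a file marked **Work** to a personal location.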
From bd9c0db23dfc75ce7b29ae1fbb11b9d3ece71c20 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Thu, 22 Sep 2016 11:38:17 -0700 Subject: [PATCH 33/43] deleted files --- windows/deploy/windows-10-poc-mdt.md | 548 -------------- .../deploy/windows-10-poc-sc-config-mgr.md | 645 ----------------- windows/deploy/windows-10-poc.md | 683 ------------------ 3 files changed, 1876 deletions(-) delete mode 100644 windows/deploy/windows-10-poc-mdt.md delete mode 100644 windows/deploy/windows-10-poc-sc-config-mgr.md delete mode 100644 windows/deploy/windows-10-poc.md diff --git a/windows/deploy/windows-10-poc-mdt.md b/windows/deploy/windows-10-poc-mdt.md deleted file mode 100644 index 05589e281d..0000000000 --- a/windows/deploy/windows-10-poc-mdt.md +++ /dev/null 
@@ -1,548 +0,0 @@ ---- -title: Placeholder (Windows 10) -description: Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay ---- - -# Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit - -**Applies to** - -- Windows 10 - -**Important**: This guide leverages the proof of concept (PoC) environment configured using procedures in [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md). Please complete all steps in the prerequisite guide before attempting the procedures in this guide. - -The PoC environment is a virtual network running on Hyper-V with three virtual machines: -- **DC1**: A contoso.com domain controller, DNS server, and DHCP server. -- **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network. -- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been cloned from a physical computer on your corporate network for testing purposes. - -This guide leverages the Hyper-V server role to perform procedures. If you do not complete all steps in a single session, consider using [checkpoints](https://technet.microsoft.com/library/dn818483.aspx) and [saved states](https://technet.microsoft.com/library/ee247418.aspx) to pause, resume, or restart your work. - -## In this guide - -Description here. - -## Install the Microsoft Deployment Toolkit (MDT) - -1. On SRV1, temporarily disable IE Enhanced Security Configuration for Administrators by typing the following commands at an elevated Windows PowerShell prompt: - - ``` - $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" - Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0 - Stop-Process -Name Explorer - ``` -2. 
Download and install the 64-bit version of [Microsoft Deployment Toolkit (MDT) 2013 Update 2](https://www.microsoft.com/en-us/download/details.aspx?id=50407) on SRV1 using the default options. - -3. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 1607. Installation might require several minutes to acquire all components. - -3. If desired, re-enable IE Enhanced Security Configuration: - - ``` - Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 1 - Stop-Process -Name Explorer - ``` - -## Create a deployment share and reference image - -1. In [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command: - - ``` - Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso - ``` -2. Connect to SRV1 and verify that the Windows Enterprise installation DVD is mounted as drive letter D. - -3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, click **Start**, type **deployment**, and then click **Deployment Workbench**. - -4. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. - -5. Use the following settings for the New Deployment Share Wizard: - - Deployment share path: **C:\MDTBuildLab**
- - Share name: **MDTBuildLab$**
- - Deployment share description: **MDT build lab**
- - Options: click **Next** to accept the default
- - Summary: click **Next**
- - Progress: settings will be applied
- - Confirmation: click **Finish** - -6. Expand the Deployment Shares node, and then expand MDT build lab. - -7. Right-click the Operating Systems node, and then click New Folder. Name the new folder **Windows 10**. Complete the wizard using default values and click **Finish**. - -7. Right-click the Windows 10 folder created in the previous step, and then click **Import Operating System**. - -8. Use the following settings for the Import Operating System Wizard: - - OS Type: **Full set of source files**
- - Source: **D:\\**
- - Destination: **W10Ent_x64**
- - Summary: click **Next** - - Confirmation: click **Finish** - -9. For purposes of this test lab, we will not add applications (such as Microsoft Office) to the deployment share. For information about adding applications, see the [Add applications](https://technet.microsoft.com/en-us/itpro/windows/deploy/create-a-windows-10-reference-image#sec03) section of the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) topic in the TechNet library. - -10. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - - Task sequence ID: **REFW10X64-001**
- - Task sequence name: **Windows 10 Enterprise x64 Default Image**
- - Task sequence comments: **Reference Build**
- - Template: **Standard Client Task Sequence** - - Select OS: click **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim** - - Specify Product Key: **Do not specify a product key at this time** - - Full Name: **Contoso** - - Organization: **Contoso** - - Internet Explorer home page: **http://www.contoso.com** - - Admin Password: **Do not specify an Administrator password at this time** - - Summary: click **Next** - - Confirmation: click **Finish** - -11. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step. - -12. Click the **Task Sequence** tab. Under **State Restore** click **Tatto** to highlight it, then click **Add** and choose **New Group**. - -13. On the Properties tab of the group that was created in the previous step, change the Name from New Group to **Custom Tasks (Pre-Windows Update)** and then click **Apply**. - -14. Click the **Custom Tasks (Pre-Windows Update)** group again, click **Add**, point to **Roles**, and then click **Install Roles and Features**. - -15. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then click **Apply**. - -16. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox. - >Note: Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications. - -17. Click **OK** to complete editing the task sequence. - -18. The next step is to configure the MDT deployment share rules. 
To configure rules in the Deployment Workbench, right-click MDT build lab (C:\MDTBuildLab) and click **Properties**, and then click the **Rules** tab. - -19. Replace the default rules with the following text: - - ``` - [Settings] - Priority=Default - - [Default] - _SMSTSORGNAME=Contoso - UserDataLocation=NONE - DoCapture=YES - OSInstall=Y - AdminPassword=pass@word1 - TimeZoneName=Pacific Standard Time - JoinWorkgroup=WORKGROUP - HideShell=YES - FinishAction=SHUTDOWN - DoNotCreateExtraPartition=YES - ApplyGPOPack=NO - SkipAdminPassword=YES - SkipProductKey=YES - SkipComputerName=YES - SkipDomainMembership=YES - SkipUserData=YES - SkipLocaleSelection=YES - SkipTaskSequence=NO - SkipTimeZone=YES - SkipApplications=YES - SkipBitLocker=YES - SkipSummary=YES - SkipRoles=YES - SkipCapture=NO - SkipFinalSummary=YES - ``` - -20. Click **Apply** and then click **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file: - - ``` - [Settings] - Priority=Default - - [Default] - DeployRoot=\\SRV1\MDTBuildLab$ - UserDomain=CONTOSO - UserID=administrator - UserPassword=pass@word1 - SkipBDDWelcome=YES - ``` - -21. Click **OK** to complete the configuration of the deployment share. - -22. Right-click **MDT build lab (C:\MDTBuildLab)** and then click **Update Deployment Share**. - -23. Accept all default values in the Update Deployment Share Wizard by clicking **Next**. The update process will take 5 to 10 minutes. When it has completed, click **Finish**. - -24. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. Note that in MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI). 
- ->Hint: Top copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**. - -25. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands: - - ``` - New-VM –Name REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB - Set-VMMemory -VMName REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20 - Set-VMDvdDrive -VMName REFW10X64-001 -Path c:\VHD\LiteTouchPE_x86.iso - Start-VM REFW10X64-001 - vmconnect localhost REFW10X64-001 - ``` -26. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then click **Next**. - -27. Accept the default values on the Capture Image page, and click **Next**. Operating system installation will complete after 5 to 10 minutes and then the VM will reboot automatically. Allow the system to boot normally (do not press a key). The process is fully automated. - - Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures: - - - Install the Windows 10 Enterprise operating system. - - Install added applications, roles, and features. - - Update the operating system using Windows Update (or WSUS if optionally specified). - - Stage Windows PE on the local disk. - - Run System Preparation (Sysprep) and reboot into Windows PE. - - Capture the installation to a Windows Imaging (WIM) file. - - Turn off the virtual machine. - - This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on your deployment server. The file name is **REFW10X64-001.wim**. 
- - ## Deploy a Windows 10 image using MDT - -This procedure will demonstrate how to deploy the reference image to the PoC environment using MDT. - -1. On SRV1, open the MDT Deployment Workbench console, right-click **Deployment Shares**, and then click **New Deployment Share**. Use the following values in the New Deployment Share Wizard: - - **Deployment share path**: C:\MDTProd - - **Share name**: MDTProd$ - - **Deployment share description**: MDT Production - - **Options**: accept the default - -2. Click **Finish** and verify the new deployment share was added successfully. - -3. In the Deployment Workbench console, expand the MDT Production deployment share, right-click **Operating Systems**, and then click **New Folder**. Name the new folder **Windows 10** and complete the wizard using default values. - -4. Right-click the Windows 10 folder created in the previous step, and then click **Import Operating System**. - -5. On the **OS Type** page, choose **Custom image file** and then click **Next**. - -6. On the Image page, browse to the C:\MDTBuildLab\Captures\REFW10X64-001.wim file created in the previous procedure, click **Open**, and then click **Next**. - -7. On the Setup page, select **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path**. - -8. Under **Setup source directory**, browse to **C:\MDTBuildLab\Operating Systems\W10Ent_x64** click **OK** and then click **Next**. - -9. On the Destination page, accept the default Destination directory name of **REFW10X64-001**, click **Next** twice, and then click **Finish**. - -10. In the Operating Systems > Windows 10 node, double-click the operating system that was added to view its Properties. Change the Operating system name to **Windows 10 Enterprise x64 Custom Image** and then click **OK**. - -### Create the deployment task sequence - -1. Using the Deployment Workbench, select Task Sequences in the MDT Production node, and create a folder named **Windows 10**. - -2. 
Right-click the Windows 10 folder created in the previous step, and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - - Task sequence ID: W10-X64-001 - - Task sequence name: Windows 10 Enterprise x64 Custom Image - - Task sequence comments: Production Image - - Select Template: Standard Client Task Sequence - - Select OS: Windows 10 Enterprise x64 Custom Image - - Specify Product Key: Do not specify a product key at this time - - Full Name: Contoso - - Organization: Contoso - - Internet Explorer home page: http://www.contoso.com - - Admin Password: pass@word1 - -### Configure the MDT production deployment share - -1. On SRV1, open an elevated Windows PowerShell prompt and type the following commands: - - ``` - copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\Bootstrap.ini" C:\MDTProd\Control\Bootstrap.ini -Force - copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\CustomSettings.ini" C:\MDTProd\Control\CustomSettings.ini -Force - ``` -2. In the Deployment Workbench console on SRV1, right-click the **MDT Production** deployment share and then click Properties. - -3. 
Click the **Rules** tab and replace the rules with the following text: - - ``` - [Settings] - Priority=Default - - [Default] - _SMSTSORGNAME=Contoso - OSInstall=YES - UserDataLocation=AUTO - TimeZoneName=Pacific Standard Time - OSDComputername=#Left("PC-%SerialNumber%",7)# - AdminPassword=pass@word1 - JoinDomain=contoso.com - DomainAdmin=administrator - DomainAdminDomain=CONTOSO - DomainAdminPassword=pass@word1 - ScanStateArgs=/ue:*\* /ui:CONTOSO\* - USMTMigFiles001=MigApp.xml - USMTMigFiles002=MigUser.xml - HideShell=YES - ApplyGPOPack=NO - SkipAppsOnUpgrade=NO - SkipAdminPassword=YES - SkipProductKey=YES - SkipComputerName=YES - SkipDomainMembership=YES - SkipUserData=YES - SkipLocaleSelection=YES - SkipTaskSequence=NO - SkipTimeZone=YES - SkipApplications=NO - SkipBitLocker=YES - SkipSummary=YES - SkipCapture=YES - SkipFinalSummary=NO - EventService=http://SRV1:9800 - ``` - **Note**: The contents of the Rules tab are added to c:\MDTProd\Control\CustomSettings.ini. - - >In this example a **MachineObjectOU** entry is not provided. Normally this entry describes the specific OU where new client computer objects are created in Active Directory. However, for the purposes of this test lab clients are added to the default computers OU, which requires that this parameter be unspecified. - -4. Click **Edit Bootstap.ini** and replace text in the file with the following text: - - ``` - [Settings] - Priority=Default - - [Default] - DeployRoot=\\SRV1\MDTProd$ - UserDomain=CONTOSO - UserID=administrator - UserPassword=pass@word1 - SkipBDDWelcome=YES - ``` -5. Click **OK** when finished. - -### Update the deployment share - -1. Right-click the **MDT Production** deployment share and then click **Update Deployment Share**. - -2. Use the default options for the Update Deployment Share Wizard. The update process requires 5 to 10 minutes to complete. - -3. Click **Finish** when the update is complete. - -### Enable deployment monitoring - -1. 
In the Deployment Workbench console, right-click **MDT Production** and then click **Properties**. - -2. On the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then click **OK**. - -3. Verify the monitoring service is working as expected by opening the following link on SRV1 in Internet Explorer: [http://localhost:9800/MDTMonitorEvent/](http://localhost:9800/MDTMonitorEvent/). If you do not see "**You have created a service**" at the top of the page, see [Troubleshooting MDT 2012 Monitoring](https://blogs.technet.microsoft.com/mniehaus/2012/05/10/troubleshooting-mdt-2012-monitoring/). - -4. Close Internet Explorer. - -### Configure Windows Deployment Services - -1. Initialize Windows Deployment Services (WDS) by typing the following command at an elevated Windows PowerShell prompt on SRV1: - - ``` - WDSUTIL /Verbose /Progress /Initialize-Server /Server:SRV1 /RemInst:"C:\RemoteInstall" - WDSUTIL /Set-Server /AnswerClients:All - ``` - -2. Click **Start**, type **Windows Deployment**, and then click **Windows Deployment Services**. - -3. In the Windows Deployment Services console, expand Servers, expand SRV1.contoso.com, right-click **Boot Images**, and then click **Add Boot Image**. - -4. Browse to the **C:\MDTProd\Boot\LiteTouchPE_x64.wim** file, click **Open**, click **Next**, and accept the defaults in the Add Image Wizard. Click **Finish** to complete adding a boot image. - -### Deploy the client image - -1. Before using WDS to deploy a client image, you must temporarily disable the external network adapter on SRV1. This is just an artifact of the lab environment. In a typical deployment environment WDS would not be installed on the default gateway. **Note**: Do not disable the *internal* network interface. To disable the *external* interface on SRV1, open a Windows PowerShell prompt on SRV1 and type the following command: - - ``` - Disable-NetAdapter "Ethernet 2" -Confirm:$false - ``` - -2. 
Next, switch to the Hyper-V host and open an elevated Windows PowerShell prompt. Create a generation 2 VM on the Hyper-V host that will load its OS using PXE. To create this VM, type the following commands at an elevated Windows PowerShell prompt: - - ``` - New-VM –Name "PC2" –NewVHDPath "c:\vhd\pc2.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 - Set-VMMemory -VMName "PC2" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20 - ``` - >Dynamic memory is configured on the VM to conserve resources. However, this can cause memory allocation to be reduced past what is required to install an operating system. If this happens, reset the VM and begin the OS installation task sequence immediately. This ensures the VM memory allocation is not decreased too much while it is idle. - -3. Start the new VM and connect to it: - - ``` - Start-VM PC2 - vmconnect localhost PC2 - ``` -4. When prompted, hit ENTER to start the network boot process. - -5. Choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**. - -6. After MDT lite touch installation has started, be sure to re-enable the external network adapter on SRV1. This is needed so the client can use Windows Update after operating system installation is complete.To re-enable the external network interface, open an elevated Windows PowerShell prompt on SRV1 and type the following command: - - ``` - Enable-NetAdapter "Ethernet 2" - ``` -7. On SRV1, in the Deployment Workbench console, click on **Monitoring** and view the status of installation. -8. When OS installation is complete, the system will reboot automatically and begin configuring devices. When the new client computer is finished updating, click **Finish**. You will be automatically signed in to the local computer as administrator. - -9. Turn off the PC2 VM before starting the next section. 
To turn off the VM, right-click **Start**, point to **Shut down or sign out**, and then click **Shut down**. - -### Refresh a computer with Windows 10 - -This topic will demonstrate how to export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings. The scenario will use PC1, a computer that was cloned from a physical device to a VM, as described in [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md). - -1. Create a checkpoint for the PC1 VM so that it can easily be reverted to its current state for troubleshooting purposes and to perform additional scenarios. Checkpoints are also known as snapshots. To create a checkpoint for the PC1 VM, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: - - ``` - Checkpoint-VM -Name PC1 -SnapshotName BeginState - ``` - -2. Sign on to PC1 using the CONTOSO\Administrator account. - - >Specify **contoso\administrator** as the user name to ensure you do not sign on using the local administrator account. You must sign in with this account so that you have access to the deployment share. - -3. Open an elevated command prompt on PC1 and type the following: - - ``` - cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs - ``` - **Note**: Litetouch.vbs must be able to create the C:\MININT directory on the local computer. - -4. Choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**. - -5. Choose **Do not back up the existing computer** and click **Next**. - - **Note**: The USMT will still back up the computer. - -6. Lite Touch Installation will perform the following actions: - - Back up user settings and data using USMT. - - Install the Windows 10 Enterprise X64 operating system. - - Update the operating system via Windows Update. - - Restore user settings and data using USMT. 
- - You can review the progress of installation on SRV1 by clicking on the **Monitoring** node in the deployment workbench. When OS installation is complete, the computer will restart, set up devices, and configure settings. - -7. Sign in with the CONTOSO\Administrator account and verify that all CONTOSO domain user accounts and data have been migrated to the new operating system. - -8. Create another checkpoint for the PC1 VM so that you can review results of the computer refresh later. To create a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: - - ``` - Checkpoint-VM -Name PC1 -SnapshotName RefreshState - ``` -9. Restore the PC1 VM to it's previous state in preparation for the replace procedure. To restore a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: - - ``` - Restore-VMSnapshot -VMName PC1 -Name BeginState -Confirm:$false - Start-VM PC1 - vmconnect localhost PC1 - ``` -10. Sign in to PC1 using the contoso\administrator account. - -### Replace a computer with Windows 10 - -At a high level, the computer replace process consists of:
-- A special replace task sequence that runs the USMT backup and an optional full Window Imaging (WIM) backup.
-- A standard OS deployment on a new computer. At the end of the deployment, the USMT backup from the old computer is restored. - -#### Create a backup-only task sequence - -1. On SRV1, in the deployment workbench console, right-click the MDT Production deployment share, click **Properties**, click the **Rules** tab, and change the line **SkipUserData=YES** to **SkipUserData=NO**. -2. Click **OK**, right-click **MDT Production**, click **Update Deployment Share** and accept the default options in the wizard to update the share. -3. Type the following commands at an elevated Windows PowerShell prompt on SRV1: - - ``` - New-Item -Path C:\MigData -ItemType directory - New-SmbShare -Name MigData$ -Path C:\MigData -ChangeAccess EVERYONE - icacls C:\MigData /grant '"contoso\administrator":(OI)(CI)(M)' - ``` -4. On SRV1 in the deployment workbench, under **MDT Production**, right-click the **Task Sequences** node, and click **New Folder**. -5. Name the new folder **Other**, and complete the wizard using default options. -6. Right-click the **Other** folder and then click **New Task Sequence**. Use the following values in the wizard: - - **Task sequence ID**: REPLACE-001 - - **Task sequence name**: Backup Only Task Sequence - - **Task sequence comments**: Run USMT to backup user data and settings - - **Template**: Standard Client Replace Task Sequence -7. Accept defaults for the rest of the wizard and then click **Finish**. The replace task sequence will skip OS selection and settings. -8. Open the new task sequence that was created and review it. Note the type of capture and backup tasks that are present. Click **OK** when you are finished reviewing the task sequence. - -#### Run the backup-only task sequence - -1. If you are not already signed on to PC1 as **contoso\administrator**, sign in using this account. To verify the currently signed in account, type the following command at an elevated command prompt: - - ``` - whoami - ``` -2. 
To ensure a clean environment before running the backup task sequence, type the following at an elevated Windows PowerShell prompt: - - ``` - Remove-Item c:\minint -recurse - Remove-Item c:\_SMSTaskSequence -recurse - Restart-Computer - ``` -2. Sign in to PC1 using the contoso\administrator account, and then type the following at an elevated command prompt: - - ``` - cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs - ``` -3. Complete the deployment wizard using the following: - - **Task Sequence**: Backup Only Task Sequence - - **User Data**: Specify a location: **\\SRV1\MigData$\PC1** - - **Computer Backup**: Do not back up the existing computer. -4. While the task sequence is running on PC1, open the deployment workbench console on SRV1 and click the **Monitoring* node. Press F5 to refresh the console, and view the status of current tasks. -5. Verify that **The user state capture was completed successfully** is displayed, and click **Finish** when the capture is complete. -6. On SRV1, verify that the file **USMT.MIG** was created in the **C:\MigData\PC1\USMT** directory. See the following example: - - ``` - PS C:\> dir C:\MigData\PC1\USMT - - Directory: C:\MigData\PC1\USMT - - Mode LastWriteTime Length Name - ---- ------------- ------ ---- - -a--- 9/6/2016 11:34 AM 14248685 USMT.MIG - ``` -#### Deploy PC3 - -1. On the Hyper-V host, type the following commands at an elevated Windows PowerShell prompt: - - ``` - New-VM –Name "PC3" –NewVHDPath "c:\vhd\pc3.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 - Set-VMMemory -VMName "PC3" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20 - ``` -2. Temporarily disable the external network adapter on SRV1 again, so that we can successfully boot PC3 from WDS. To disable the adapter, type the following command at an elevated Windows PowerShell prompt on SRV1: - - ``` - Disable-NetAdapter "Ethernet 2" -Confirm:$false - ``` -3. 
Start and connect to PC3 by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: - - ``` - Start-VM PC3 - vmconnect localhost PC3 - ``` -4. When prompted, press ENTER for network boot. - -6. On PC3, ue the following settings for the Windows Deployment Wizard: - - **Task Sequence**: Windows 10 Enterprise x64 Custom Image - - **Move Data and Settings**: Do not move user data and settings - - **User Data (Restore)**: Specify a location: **\\SRV1\MigData$\PC1** -5. When OS installation has started on PC1, re-enable the external network adapter on SRV1 by typing the following command on SRV1: - - ``` - Enable-NetAdapter "Ethernet 2" - ``` -7. Setup will install the Windows 10 Enterprise operating system, update via Windows Update, and restore the user settings and data from PC1. - -#### Troubleshooting logs, events, and utilities - -Deployment logs are available on the client computer in the following locations: -- Before the image is applied: X:\MININT\SMSOSD\OSDLOGS -- After the system drive has been formatted: C:\MININT\SMSOSD\OSDLOGS -- After deployment: %WINDIR%\TEMP\DeploymentLogs - -You can review WDS events in Event Viewer at: **Applications and Services Logs > Microsoft > Windows > Deployment-Services-Diagnostics**. By default, only the **Admin** and **Operational** logs are enabled. To enable other logs, right-click the log and then click **Enable Log**. - -Tools for viewing log files, and to assist with troubleshooting are available in the [System Center 2012 R2 Configuration Manager Toolkit](https://www.microsoft.com/en-us/download/details.aspx?id=50012) - -## Related Topics - -[Microsoft Deployment Toolkit](https://technet.microsoft.com/en-US/windows/dn475741)
-[Prepare for deployment with MDT 2013](prepare-for-windows-deployment-with-mdt-2013.md) - -  - - - - - diff --git a/windows/deploy/windows-10-poc-sc-config-mgr.md b/windows/deploy/windows-10-poc-sc-config-mgr.md deleted file mode 100644 index 9f6e7605fb..0000000000 --- a/windows/deploy/windows-10-poc-sc-config-mgr.md +++ /dev/null 
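Review bot: The Rules and Bootstrap.ini samples in the removed topic put the domain administrator's credentials in plaintext (`UserID=administrator`, `UserPassword=pass@word1`, `DomainAdminPassword=pass@word1`) into C:\MDTProd\Control\CustomSettings.ini and Bootstrap.ini. If this text is moved or restored elsewhere in the series, it should not come back unchanged. Suggest using a dedicated low-privilege deployment and domain-join account in those samples and stating next to them that the values are for the lab only. The same applies to step 3 of "Create a backup-only task sequence", where `New-SmbShare -Name MigData$ -Path C:\MigData -ChangeAccess EVERYONE` grants more at the share level than the icacls line after it grants on the folder. The share permission should name the same account. Smaller points to fix if the text is reused: duplicate step numbers ("3." twice under "Install the Microsoft Deployment Toolkit (MDT)", "7." twice under "Create a deployment share and reference image"), the typos "Tatto", "Edit Bootstap.ini" and the unbalanced `**Monitoring*`, and the curly quotes around `“IsInstalled”` in the PowerShell samples.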
@@ -1,645 +0,0 @@ ---- -title: Placeholder (Windows 10) -description: Deploy Windows 10 in a test lab using System Center Configuration Manager -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay ---- - -# Deploy Windows 10 in a test lab using System Center Configuration Manager - -**Applies to** - -- Windows 10 - -**Important**: This guide leverages the proof of concept (PoC) environment configured using procedures in [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md). Please complete all steps in the prerequisite guide before attempting the procedures in this guide. - -If you have already completed [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md), you can skip some steps of this guide, such as installation of MDT. - -The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs): -- **DC1**: A contoso.com domain controller, DNS server, and DHCP server. -- **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network. -- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been cloned from a physical computer on your corporate network for testing purposes. - -This guide leverages the Hyper-V server role to perform procedures. If you do not complete all steps in a single session, consider using [checkpoints](https://technet.microsoft.com/library/dn818483.aspx) and [saved states](https://technet.microsoft.com/library/ee247418.aspx) to pause, resume, or restart your work. - ->Multiple features and services are installed on SRV1 in this guide. If less than 4 GB of RAM is allocated to SRV1, some procedures will require more time to complete. If resources are limited on the Hyper-V host, consider reducing RAM allocation on DC1 and PC1 to 2 GB and 1 GB respectively, and then increasing the RAM allocation on SRV1. 
You can adjust RAM allocation for a VM by right-clicking the VM in the Hyper-V Manager console, clicking **Settings**, clicking **Memory**, and modifying the value next to **Maximum RAM**. - -## In this guide - -Description here. - -## Install prerequisites - -1. Before installing System Center Configuration Manager, we must install prerequisite services and features. Type the following command at an elevated Windows PowerShell prompt on SRV1: - - ``` - Install-WindowsFeature Web-Windows-Auth,Web-ISAPI-Ext,Web-Metabase,Web-WMI,BITS,RDC,NET-Framework-Features,Web-Asp-Net,Web-Asp-Net45,NET-HTTP-Activation,NET-Non-HTTP-Activ - ``` - - >If the request to add features fails, retry the installation by typing the command again. - -2. Download [SQL Server 2012 SP2](https://www.microsoft.com/en-us/evalcenter/evaluate-sql-server-2014-sp2) from the Microsoft Evaluation Center as an .ISO file on the Hyper-V host computer. Save the file to the **C:\VHD** directory. -3. When you have downloaded the file **SQLServer2014SP2-FullSlipstream-x64-ENU.iso** and placed it in the C:\VHD directory, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: - - ``` - Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\SQLServer2014SP2-FullSlipstream-x64-ENU.iso - ``` - - This command mounts the .ISO file to drive D on SRV1. - -4. 
Type the following command at an elevated Windows PowerShell prompt on SRV1 to install SQL Server 2012 SP2: - - ``` - D:\setup.exe /q /ACTION=Install /ERRORREPORTING="False" /FEATURES=SQLENGINE,RS,IS,SSMS,TOOLS,ADV_SSMS,CONN /INSTANCENAME=MSSQLSERVER /INSTANCEDIR="C:\Program Files\Microsoft SQL Server" /SQLSVCACCOUNT="NT AUTHORITY\System" /SQLSYSADMINACCOUNTS="BUILTIN\ADMINISTRATORS" /SQLSVCSTARTUPTYPE=Automatic /AGTSVCACCOUNT="NT AUTHORITY\SYSTEM" /AGTSVCSTARTUPTYPE=Automatic /RSSVCACCOUNT="NT AUTHORITY\System" /RSSVCSTARTUPTYPE=Automatic /ISSVCACCOUNT="NT AUTHORITY\System" /ISSVCSTARTUPTYPE=Disabled /ASCOLLATION="Latin1_General_CI_AS" /SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS" /TCPENABLED="1" /NPENABLED="1" /IAcceptSQLServerLicenseTerms - ``` - Installation might take several minutes. When installation is complete, the following output will be displayed: - - ``` - Microsoft (R) SQL Server 2014 12.00.5000.00 - Copyright (c) Microsoft Corporation. All rights reserved. - - Microsoft (R) .NET Framework CasPol 2.0.50727.7905 - Copyright (c) Microsoft Corporation. All rights reserved. - - Success - Microsoft (R) .NET Framework CasPol 2.0.50727.7905 - Copyright (c) Microsoft Corporation. All rights reserved. - - Success - ``` -5. Type the following commands at an elevated Windows PowerShell prompt on SRV1: - - ``` - New-NetFirewallRule -DisplayName “SQL Server” -Direction Inbound –Protocol TCP –LocalPort 1433 -Action allow - New-NetFirewallRule -DisplayName “SQL Admin Connection” -Direction Inbound –Protocol TCP –LocalPort 1434 -Action allow - New-NetFirewallRule -DisplayName “SQL Database Management” -Direction Inbound –Protocol UDP –LocalPort 1434 -Action allow - New-NetFirewallRule -DisplayName “SQL Service Broker” -Direction Inbound –Protocol TCP –LocalPort 4022 -Action allow - New-NetFirewallRule -DisplayName “SQL Debugger/RPC” -Direction Inbound –Protocol TCP –LocalPort 135 -Action allow - ``` -6. 
On SRV1, temporarily disable IE Enhanced Security Configuration for Administrators by typing the following commands at an elevated Windows PowerShell prompt: - - ``` - $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" - Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0 - Stop-Process -Name Explorer - ``` -7. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 1607. Installation might require several minutes to acquire all components. - -## Install System Center Configuration Manager - -1. Download [System Center Configuration Manager and Endpoint Protection](https://www.microsoft.com/en-us/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) on SRV1, double-click the file, enter **C:\configmgr** for **Unzip to folder**, and click **Unzip**. The C:\configmgr directory will be automatically created. Click **OK** and then close the **WinZip Self-Extractor** dialog box when finished. - -2. Before starting the installation, verify that WMI is working on SRV1. See the following examples. 
Verify that **Running** is displayed under **Status** and **True** is displayed next to **TcpTestSucceeded**: - - ``` - Get-Service Winmgmt - - Status Name DisplayName - ------ ---- ----------- - Running Winmgmt Windows Management Instrumentation - - Test-NetConnection -ComputerName 192.168.0.2 -Port 135 -InformationLevel Detailed - - ComputerName : 192.168.0.2 - RemoteAddress : 192.168.0.2 - RemotePort : 135 - AllNameResolutionResults : - MatchingIPsecRules : - NetworkIsolationContext : Internet - InterfaceAlias : Ethernet - SourceAddress : 192.168.0.2 - NetRoute (NextHop) : 0.0.0.0 - PingSucceeded : True - PingReplyDetails (RTT) : 0 ms - TcpTestSucceeded : True - ``` - You can also verify WMI using the WMI console by typing **wmimgmt.msc**, right-clicking **WMI Control (Local)** in the console tree, and then clicking **Properties**. - - If the WMI service is not started, attempt to start it or reboot the computer. If WMI is running but errors are present, see [WMIDiag](https://blogs.technet.microsoft.com/askperf/2015/05/12/wmidiag-2-2-is-here/) for troubleshooting information. - -2. To start Configuration Manager installation, type the following command at an elevated Windows PowerShell prompt: - - ``` - cmd /c C:\configmgr\SMSSETUP\BIN\X64\Setup.exe - ``` -3. Provide the following in the System Center Configuration Manager Setup Wizard: - - **Before You Begin**: Read the text and click *Next*. - - **Getting Started**: Choose **Install a Configuration Manager primary site** and select the **Use typical installation options for a stand-alone primary site** checkbox. - - Click **Yes** in response to the popup window. - - **Product Key**: Choose **Install the evaluation edition of this Product**. - - **Microsoft Software License Terms**: Read the terms and then select the **I accept these license terms** checkbox. - - **Prerequisite Licenses**: Review license terms and select all three checkboxes on the page. 
- - **Prerequisite Downloads**: Choose **Download required files** and enter **c:\windows\temp** next to **Path**. - - **Site and Installation Settings**: Site code: **PS1**, Site name: **Contoso**. - - use default settings for all other options - - **Usage Data**: Read the text and click **Next**. - - **Service Connection Point Setup**: Accept the default settings (SRV1.contoso.com is automatically added under Select a server to use). - - **Settings Summary**: Review settings and click **Next**. - - **Prerequisite Check**: No failures should be listed. Ignore any warnings and click **Begin Install**. - - Depending on the speed of the Hyper-V host and resources allocated to SRV1, installation can require approximately one hour. Click **Close** when installation is complete. - -## Download and install MDT - -1. Download and install the 64-bit version of [Microsoft Deployment Toolkit (MDT) 2013 Update 2](https://www.microsoft.com/en-us/download/details.aspx?id=50407) on SRV1 using the default options. - -2. If desired, re-enable IE Enhanced Security Configuration at this time on SRV1: - - ``` - Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 1 - Stop-Process -Name Explorer - ``` - -## Download MDOP and install DaRT - -1. Download the [Microsoft Desktop Optimization Pack 2015](https://msdn.microsoft.com/en-us/subscriptions/downloads/#ProductFamilyId=597) to the Hyper-V host using an MSDN subscription. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso) to the C:\VHD directory on the Hyper-V host. - -2. Type the following command at an elevated Windows PowerShell prompt on the Hyper-V host to mount the MDOP file on SRV1: - - ``` - Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso - ``` -3. Type the following command at an elevated Windows PowerShell prompt on SRV1: - - ``` - cmd /c "D:\DaRT\DaRT 10\Installers\en-us\x64\MSDaRT100.msi" - ``` -4. 
Install DaRT 10 using default settings. -5. Type the following commands at an elevated Windows PowerShell prompt on SRV1: - - ``` - Copy-Item "C:\Program Files\Microsoft DaRT\v10\Toolsx64.cab" -Destination "C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64" - Copy-Item "C:\Program Files\Microsoft DaRT\v10\Toolsx86.cab" -Destination "C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x86" - ``` - -## Create a folder structure - -1. Type the following commands at a Windows PowerShell prompt on SRV1: - - ``` - New-Item -ItemType Directory -Path "C:Sources\OSD\Boot" - New-Item -ItemType Directory -Path "C:Sources\OSD\OS" - New-Item -ItemType Directory -Path "C:\Sources\OSD\Settings" - New-Item -ItemType Directory -Path "C:\Sources\OSD\Branding" - New-Item -ItemType Directory -Path "C:\Sources\OSD\MDT" - New-Item -ItemType Directory -Path "C:\Logs" - New-SmbShare -Name Sources$ -Path C:\Sources -ChangeAccess EVERYONE - New-SmbShare -Name Logs$ -Path C:\Logs -ChangeAccess EVERYONE - ``` - -## Enable MDT ConfigMgr integration - -1. Click **Start**, type **configmgr**, and then click **Configure ConfigMgr Integration**. -2. Type **PS1** next to **Site code**, and then click **Next**. -3. Verify **The process completed successfully** is displayed, and then click **Finish**. - -## Configure client settings - -1. Click **Start**, type **configuration manager**, right-click **Configuration Manager Console**, and then click **Pin to Taskbar**. -2. Click **Desktop**, and then launch the Configuration Manager console from the taskbar. -3. If the console notifies you that an update is available, click **OK**. It is not necessary to install updates to complete this lab. -4. In the console tree, open the **Administration** workspace and click **Client Settings**. -5. In the display pane, double-click **Default Client Settings**. -6. 
Click **Computer Agent**, next to **Organization name displayed in Software Center** type **Contoso**, and then click **OK**. - -## Enable PXE on the distribution point - -1. Deterime the MAC address of the internal network adapter on SRV1. To determine this, type the following command at an elevated Windows PowerShell prompt on SRV1: - - ``` - (Get-NetAdapter "Ethernet").MacAddress - ``` - >If the internal network adapter, assigned an IP address of 192.168.0.2, is not named "Ethernet" then replace the name "Ethernet" in the previous command with the name of this network adapter. - -2. In the System Center Configuration Manager console, in the **Administration** workspace, click **Distribution Points**. -3. In the display pane, right-click **SRV1.CONTOSO.COM** and then click **Properties**. -4. On the PXE tab, select the following settings: - - Enable PXE support for clients. Click **Yes** in the popup that appears. - - Allow this distribution point to respond to incoming PXE requests - - Enable unknown computer support. Click **OK** in the popup that appears. - - Require a password when computers use PXE - - Password and Confirm password: pass@word1 - - Respond to PXE requests on specific network interfaces: Enter the MAC address determined in the first step of this procedure. -5. Click **OK**. -6. Type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present: - - ``` - cmd /c dir /b C:\RemoteInstall\SMSBoot\x64 - - abortpxe.com - bootmgfw.efi - bootmgr.exe - pxeboot.com - pxeboot.n12 - wdsmgfw.efi - wdsnbp.com - ``` - >If these files are not present, type the following command at an elevated Windows PowerShell prompt to open the Configuration Manager Trace Log Tool. In the tool, click **File**, click **Open**, and then open the **distmgr.log** file. 
If errors are present, they will be highlighted in red: - - ``` - Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe' - ``` - -## Create a branding image file - -1. If you have a bitmap (.BMP) image for suitable use as a branding image, copy it to the C:\Sources\OSD\Branding folder on SRV1. Otherwise, use the following step to copy a simple branding image. -2. Type the following command at an elevated Windows PowerShell prompt: - - ``` - copy "C:\ProgramData\Microsoft\User Account Pictures\user.bmp" "C:\Sources\OSD\Branding\contoso.bmp" - ``` - >You can open C:\Sources\OSD\Branding\contoso.bmp in MSPaint.exe if desired to customize this image. - -## Create a boot image for Configuration Manager - -1. In the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Boot Images**, and then click **Create Boot Image using MDT**. -2. On the Package Source page, under **Package source folder to be created (UNC Path):**, type **\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then click **Next**. - - The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later. -3. On the General Settings page, type **Zero Touch WinPE x64** next to **Name**, and click **Next**. -4. On the Options page, under **Platform** choose **x64**, and click **Next**. -5. On the Components page, in addition to the default selection of **Microsoft Data Access Components (MDAC/ADO) support**, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox, and click **Next**. -6. On the Customization page, select the **Use a custom background bitmap file** checkbox, and under **UNC path**, type or browse to **\\SRV1\Sources$\OSD\Branding\contoso.bmp**, and then click **Next** twice. It will take a few minutes to generate the boot image. -7. Click **Finish**. -8. Right-click the **Zero Touch WinPE x64** boot image, and then click **Distribute Content**. -9. 
In the Distribute Content Wizard, click **Next**, click **Add** and select **Distribution Point**, select the **SRV1.CONTOSO.COM** checkbox, click **OK**, click **Next** twice, and then click **Close**. -10. Use the CMTrace application to view the **distmgr.log** file and verify that the boot image has been distributed. To open CMTrace, type the following command at an elevated Windows PowerShell prompt on SRV1: - - ``` - Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe' - ``` - >In the trace tool, click **Tools** on the menu and choose **Find**. Search for "**STATMSG: ID=2301**". For example: - - ``` - STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=2476 TID=4636 GMTDATE=Wed Sep 14 22:11:09.363 2016 ISTR0="Configuration Manager Client Upgrade Package" ISTR1="PS100003" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS100003" SMS_DISTRIBUTION_MANAGER 9/14/2016 3:11:09 PM 4636 (0x121C) - ``` -11. You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects**, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab. -12. In the **Software Library** workspace, double-click **Zero Touch WinPE x64** and then click the **Data Source** tab. -13. Select the **Deploy this boot image from the PXE-enabled distribution point** checkbox, and click **OK**. -14. Review the distmgr.log file again for "**STATMSG: ID=2301**" and verify that there are three folders under **C:\RemoteInstall\SMSImages** with boot images. 
See the following example: - - ``` - cmd /c dir /s /b C:\RemoteInstall\SMSImages - - C:\RemoteInstall\SMSImages\PS100004 - C:\RemoteInstall\SMSImages\PS100005 - C:\RemoteInstall\SMSImages\PS100006 - C:\RemoteInstall\SMSImages\PS100004\boot.PS100004.wim - C:\RemoteInstall\SMSImages\PS100005\boot.PS100005.wim - C:\RemoteInstall\SMSImages\PS100006\WinPE.PS100006.wim - ``` - - >The first two images (*.wim files) are default boot images. The third is the new boot image with DaRT. - -## Create a Windows 10 reference image - -If you have already completed steps in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then you have already created a Windows 10 reference image. Copy the reference image file (REFW10-X64-001.wim) from C:\MDTBuildLab\Captures\REFW10X64-001.wim to C:\Sources\OSD\OS\Windows 10 Enterprise x64\REFW10X64-001.wim. - -If you have not yet created a Windows 10 reference image, complete the following steps. - -1. In [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command: - - ``` - Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso - ``` -2. Verify that the Windows Enterprise installation DVD is mounted on SRV1 as drive letter D. - -3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, click **Start**, type **deployment**, and then click **Deployment Workbench**. - -4. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. - -5. 
Use the following settings for the New Deployment Share Wizard: - - Deployment share path: **C:\MDTBuildLab**
- - Share name: **MDTBuildLab$**
- - Deployment share description: **MDT build lab**
- - Options: click **Next** to accept the default
- - Summary: click **Next**
- - Progress: settings will be applied
- - Confirmation: click **Finish** - -6. Expand the **Deployment Shares** node, and then expand **MDT build lab**. - -7. Right-click the **Operating Systems** node, and then click **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and click **Finish**. - -7. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**. - -8. Use the following settings for the Import Operating System Wizard: - - OS Type: **Full set of source files**
- - Source: **D:\\**
- - Destination: **W10Ent_x64**
- - Summary: click **Next** - - Confirmation: click **Finish** - -9. For purposes of this test lab, we will not add applications, such as Microsoft Office, to the deployment share. For information about adding applications, see the [Add applications](https://technet.microsoft.com/en-us/itpro/windows/deploy/create-a-windows-10-reference-image#sec03) section of the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) topic in the TechNet library. - -10. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node under **MDT Build Lab** and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - - Task sequence ID: **REFW10X64-001**
- - Task sequence name: **Windows 10 Enterprise x64 Default Image**
- - Task sequence comments: **Reference Build**
- - Template: **Standard Client Task Sequence** - - Select OS: click **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim** - - Specify Product Key: **Do not specify a product key at this time** - - Full Name: **Contoso** - - Organization: **Contoso** - - Internet Explorer home page: **http://www.contoso.com** - - Admin Password: **Do not specify an Administrator password at this time** - - Summary: click **Next** - - Confirmation: click **Finish** - -11. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step. - -12. Click the **Task Sequence** tab. Under **State Restore** click **Tatto** to highlight it, then click **Add** and choose **New Group**. A new group will be added under Tattoo. - -13. On the Properties tab of the group that was created in the previous step, change the Name from New Group to **Custom Tasks (Pre-Windows Update)** and then click **Apply**. To see the name change, click **Tattoo**, then click the new group again. - -14. Click the **Custom Tasks (Pre-Windows Update)** group again, click **Add**, point to **Roles**, and then click **Install Roles and Features**. - -15. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then click **Apply**. - -16. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox. - >Note: Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications. - -17. Click **OK** to complete editing the task sequence. - -18. The next step is to configure the MDT deployment share rules. 
To configure rules in the Deployment Workbench, right-click MDT build lab (C:\MDTBuildLab) and click **Properties**, and then click the **Rules** tab. - -19. Replace the default rules with the following text: - - ``` - [Settings] - Priority=Default - - [Default] - _SMSTSORGNAME=Contoso - UserDataLocation=NONE - DoCapture=YES - OSInstall=Y - AdminPassword=pass@word1 - TimeZoneName=Pacific Standard Time - JoinWorkgroup=WORKGROUP - HideShell=YES - FinishAction=SHUTDOWN - DoNotCreateExtraPartition=YES - ApplyGPOPack=NO - SkipAdminPassword=YES - SkipProductKey=YES - SkipComputerName=YES - SkipDomainMembership=YES - SkipUserData=YES - SkipLocaleSelection=YES - SkipTaskSequence=NO - SkipTimeZone=YES - SkipApplications=YES - SkipBitLocker=YES - SkipSummary=YES - SkipRoles=YES - SkipCapture=NO - SkipFinalSummary=YES - ``` - -20. Click **Apply** and then click **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file: - - ``` - [Settings] - Priority=Default - - [Default] - DeployRoot=\\SRV1\MDTBuildLab$ - UserDomain=CONTOSO - UserID=administrator - UserPassword=pass@word1 - SkipBDDWelcome=YES - ``` - -21. Click **OK** to complete the configuration of the deployment share. - -22. Right-click **MDT build lab (C:\MDTBuildLab)** and then click **Update Deployment Share**. - -23. Accept all default values in the Update Deployment Share Wizard by clicking **Next**. The update process will take 5 to 10 minutes. When it has completed, click **Finish**. - -24. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. Note that in MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI). 
- - >Hint: Top copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**. - -25. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands: - - ``` - New-VM –Name REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB - Set-VMMemory -VMName REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20 - Set-VMDvdDrive -VMName REFW10X64-001 -Path c:\VHD\LiteTouchPE_x86.iso - Start-VM REFW10X64-001 - vmconnect localhost REFW10X64-001 - ``` -26. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then click **Next**. - -27. Accept the default values on the Capture Image page, and click **Next**. Operating system installation will complete after 5 to 10 minutes and then the VM will reboot automatically. Allow the system to boot normally (do not press a key). The process is fully automated. - - Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures: - - - Install the Windows 10 Enterprise operating system. - - Install added applications, roles, and features. - - Update the operating system using Windows Update (or WSUS if optionally specified). - - Stage Windows PE on the local disk. - - Run System Preparation (Sysprep) and reboot into Windows PE. - - Capture the installation to a Windows Imaging (WIM) file. - - Turn off the virtual machine. - - This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host and your network's download speed. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on SRV1. The file name is **REFW10X64-001.wim**. 
- -## Add a Windows 10 operating system image - -1. Type the following commands at an elevated Windows PowerShell prompt on SRV1: - - ``` - New-Item -ItemType Directory -Path "C:Sources\OSD\OS\Windows 10 Enterprise x64" - cmd /c copy /z "C:\MDTBuildLab\Captures\REFW10X64-001.wim" "C:\Sources\OSD\OS\Windows 10 Enterprise x64" - ``` - -2. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Operating System Images**, and then click **Add Operating System Image**. - -3. On the Data Source page, under **Path:**, type **\\SRV1\Sources$\OSD\OS\Windows 10 Enterprise x64\REFW10X64-001.wim**, and click **Next**. - -4. On the General page, next to **Name:**, type **Windows 10 Enterprise x64**, click **Next** twice, and then click **Close**. - -5. Distribute the operating system image to the SRV1 distribution point by right-clicking the **Windows 10 Enterprise x64** operating system image and then clicking **Distribute Content**. - -6. In the Distribute Content Wizard, click **Next**, click **Add**, click **Distribution Point**, add the **SRV1.CONTOSO.COM** distribution point, click **OK**, click **Next** twice and then click **Close**. - -7. Enter **\Monitoring\Overview\Distribution Status\Content Status** on the location bar, click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**. - -## Create a task sequence - -1. In the Configuration Manager console, in the **Software Library** workspace expand **Operating Systems**, right-click **Task Sequences**, and then click **Create MDT Task Sequence**. - -2. On the Choose Template page, select the **Client Task Sequence** template and click **Next**. - -3. On the General page, type **Windows 10 Enterprise x64** under **Task sequence name:** and then click **Next**. - -4. 
On the Details page, enter the following settings:
- - Join a domain: contoso.com
- - Account: click **Set**
- - User name: contoso\administrator
- - Password: pass@word1
- - Confirm password: pass@word1
- - Click **OK**
- - Windows Settings
- - User name: Contoso
- - Organization name: Contoso
- - Product key: \
- - Administrator Account: Enable the account and specify the local administrator password
- - Password: pass@word1
- - Confirm password: pass@word1
- - Click Next
- -5. On the Capture Settings page, accept the default settings and click **Next**. - -6. On the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package and then click **Next**. - -7. On the MDT Package page, select **Create a new Microsoft Deployment Toolkit Files package**, under **Package source folder to be created (UNC Path):**, type **\\SRV1\Sources$\OSD\MDT\MDT 2013**, and then click **Next**. - -8. On the MDT Details page, next to **Name:** type **MDT 2013** and then click **Next**. - -9. On the OS Image page, browse and select the **Windows 10 Enterprise x64** package, and then click **Next**. - -10. On the Deployment Method page, accept the default settings and click **Next**. - -11. On the Client Package page, browse and select the **Microsoft Corporation Configuration Manager Client package** and then click **Next**. - -12. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows 8 10.0.14393.0** package, and then click **Next**. - -13. On the Settings Package page, select **Create a new settings package**, and under **Package source folder to be created (UNC Path):**, type \\SRV1\Sources$\OSD\Settings\Windows 10 x64 Settings, and then click **Next**. - -14. On the Settings Details page, next to **Name:**, type **Windows 10 x64 Settings**, and click **Next**. - -15. On the Sysprep Package page, click **Next** twice. - -16. On the Confirmation page, click **Finish**. - -## Edit the task sequence - -1. In the Configuration Manager console, in the Software Library workspace, click Task Sequences, right-click Windows 10 Enterprise x64, and then click Edit. - -2. Scroll down to the Install group and click Set Variable for Drive Letter. - -3. Change the Value under OSDPreserveDriveLetter from False to True, and click Apply. - -4. In the **State Restore** group, click **Set Status 5**, click **Add**, point to **User State**, and click **Request State Store**. 
This adds a new action immediately after **Set Status 5**. - -5. Configure the **Request State Store** action that was just added with the following settings:
- - Request state storage location to: **Restore state from another computer**
- - Select the **If computer account fails to connect to state store, use the Network Access account** checkbox.
- - Options tab: Select the **Continue on error** checkbox.
- - Add Condition: **Task Sequence Variable**:
- - Variable: **USMTLOCAL**
- - Condition: **not equals**
- - Value: **True**
- - Click **OK**.
- - Click **Apply**
. - -6. In the **State Restore** group, click **Restore User State**, click **Add**, point to **User State**, and click **Release State Store**. - -7. Configure the **Release State Store** action that was just added with the following settings:
- - Options tab: Select the **Continue on error** checkbox.
- - Add Condition: **Task Sequence Variable**:
- - Variable: **USMTLOCAL**
- - Condition: **not equals**
- - Value: **True**
- - Click **OK**.
- - Click **OK**
. - - -## Finalize the operating system configuration - -1. In the MDT deployment workbench on SRV1, right-click **Deployment Shares** and then click **New Deployment Share**. - -2. Use the following settings for the New Deployment Share Wizard: - - Deployment share path: **C:\MDTProduction**
- - Share name: **MDTProduction$**
- - Deployment share description: **MDT Production**
- - Options: click **Next** to accept the default
- - Summary: click **Next**
- - Progress: settings will be applied
- - Confirmation: click **Finish** - -3. Right-click the **MDT Production** deployment share, and click **Properties**. - -4. Click the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then click **OK**. - -5. Type the following command at an elevated Windows PowerShell prompt on SRV1: - - ``` - notepad "C:\Sources\OSD\Settings\Windows 10 x64 Settings\CustomSettings.ini" - ``` -6. Replace the contents of the file with the following text: - - ``` - [Settings] - Priority=Default - Properties=OSDMigrateConfigFiles,OSDMigrateMode - - [Default] - DoCapture=NO - ComputerBackupLocation=NONE - MachineObjectOU=ou=Workstations,ou=Computers,ou=Contoso,dc=contoso,dc=com - OSDMigrateMode=Advanced - OSDMigrateAdditionalCaptureOptions=/ue:*\* /ui:CONTOSO\* - OSDMigrateConfigFiles=Miguser.xml,Migapp.xml - SLSHARE=\\SRV1\Logs$ - EventService=http://SRV1:9800 - ApplyGPOPack=NO - ``` -7. In the Software Library workspace, expand **Application Management**, click **Packages**, right-click **Windows 10 x64 Settings**, and then click **Update Distribution Points**. Click **OK** in the popup that appears. - -8. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Distribute Content**. - -9. In the Distribute Content Wizard, click **Next**, click **Add**, click **Distribution Point**, add the **SRV1.CONTOSO.COM** distribution point, click **OK**, click **Next** twice and then click **Close**. - -10. Enter **\Monitoring\Overview\Distribution Status\Content Status** on the location bar, click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**. - -## Create a deployment for the task sequence - -1. 
In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Deploy**. - -2. On the General page, next to **Collection**, click **Browse** and select the **All Unknown Computers** collection, then click **Next**. - -3. On the Deployment Settings page, use the following settings:
- - Purpose: Available
- - Make available to the following: Only media and PXE
- - Click Next.
-4. Click **Next** five times to accept defaults on the Scheduling, User Experience, Alerts, and Distribution Points pages. - -5. Click **Close**. - -## Deploy Windows 10 using PXE and Configuration Manager - -1. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: - - ``` - New-VM –Name "PC3" –NewVHDPath "c:\vhd\pc3.vhdx" -NewVHDSizeBytes 40GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 - Set-VMMemory -VMName "PC3" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20 - Start-VM PC3 - vmconnect localhost PC3 - ``` -2. Press ENTER when prompted to start the network boot service. - -3. In the Task Sequence Wizard, provide the password: pass@word1, and then click Next. - -4. The Windows 10 Enterprise x64 task sequence is selected, click Next. - -- ok I have an error that PS100001 cannot be located on a distribution point. -- I tried going to content status and this seems to bhe the USMT and it says it is successfully distributed -- I tried software library, boot images, and distribute these - this didn't help -- I tried software library, application management, packages, distribute content but the distributon point isn't showing up. This is likely the problem. - -## Related Topics - -  - -  - - - - - diff --git a/windows/deploy/windows-10-poc.md b/windows/deploy/windows-10-poc.md deleted file mode 100644 index b0ae64f27e..0000000000 --- a/windows/deploy/windows-10-poc.md +++ /dev/null 
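Review bot: the removed lab steps reuse one cleartext password, pass@word1, for the CONTOSO domain administrator in Bootstrap.ini (`UserID=administrator`, `UserPassword=pass@word1`), for the `AdminPassword` rule, for the task sequence domain-join account and for the PXE password, and the "Create a folder structure" step shares C:\Sources and C:\Logs with `-ChangeAccess EVERYONE`. If this topic is being moved rather than dropped, the version that comes back should use a dedicated low-privilege account for the deployment share and domain join, grant share access to that account only, and state that the values are for an isolated lab. The same pass should correct the drive-relative paths such as "C:Sources\OSD\Boot" and "C:Sources\OSD\OS\Windows 10 Enterprise x64", which resolve against the current directory on C: instead of the root, reconcile "install SQL Server 2012 SP2" with the sample output that reports SQL Server 2014 12.00.5000.00, and drop the unfinished troubleshooting notes that follow step 4 of "Deploy Windows 10 using PXE and Configuration Manager" ("ok I have an error that PS100001 cannot be located on a distribution point").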
@@ -1,683 +0,0 @@ ---- -title: Deploy Windows 10 in a test lab (Windows 10) -description: Concepts and procedures for deploying Windows 10 in a proof of concept lab environment. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay ---- - -# Step by step guide: Deploy Windows 10 in a test lab - -**Applies to** - -- Windows 10 - -If you are interested in upgrading to Windows 10 and want to know more about the upgrade process, then keep reading... - -Do you have a computer running Windows 8 or later with 16GB of RAM? If so, then you have everything you need to set up a Windows 10 test lab. You can even clone computers from your network and see exactly what happens when they are upgraded to Windows 10. - -## In this guide - -This guide provides step-by-step instructions for configuring a proof of concept (PoC) environment where you can deploy Windows 10. The PoC enviroment is configured using Hyper-V and a minimum amount of resources. Simple to use Windows PowerShell commands are provided for setting up the test lab. - -The following topics and procedures are provided in this guide: - -- [Hardware and software requirements](#hardware-and-software-requirements): Prerequisites to complete this guide.
-- [Lab setup](#lab-setup): A description and diagram of the PoC environment that is configured.
-- [Configure the PoC environment](#configure-the-poc-environment): Step by step guidance for the following procedures: - - [Verify support and install Hyper-V](#verify-support-and-install-hyper-v): Verify that installation of Hyper-V is supported, and install the Hyper-V server role. - - [Download VHD and ISO files](#download-vhd-and-iso-files): Download evaluation versions of Windows Server 2012 R2 and Windows 10 and prepare these files to be used on the Hyper-V host. - - [Convert PC to VHD](#convert-pc-to-vhd): Convert a physical computer on your network to a VHDX file and prepare it to be used on the Hyper-V host. - - [Resize VHD](#resize-vhd): Increase the storage capacity for one of the Windows Server VMs. - - [Configure Hyper-V](#configure-hyper-v): Create virtual switches, determine available RAM for virtual machines, and add virtual machines. - - [Configure VHDs](#configure-vhds): Start virtual machines and configure all services and settings. - -The following optional topics are also available: -- [Appendix A: Configuring Hyper-V on Windows Server 2008 R2](#appendix-a-configuring-hyper-v-on-windows-server-2008-r2): Information about using this guide with a Hyper-V host running Windows Server 2008 R2. -- [Appendix B: Verify the configuration](#appendix-b-verify-the-configuration): Verify and troubleshoot network connectivity and services in the PoC environment. 
- -When you have completed the steps in this guide, see the following topics for step by step instructions to deploy Windows 10 using the PoC environment under common scenarios with current deployment tools: - -- [Deploy Windows 10 in a test lab using MDT](windows-10-poc-mdt.md) -- [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) - -## Hardware and software requirements - -One computer that meets the hardware and software specifications below is required to complete the guide; A second computer is recommended to validate the upgrade process. - -The second computer is used to clone and mirror a client computer (computer 2) from your corporate network to the POC environment. Alternatively, you can use an arbitrary VM to represent this computer, therefore this computer is not required to complete the lab. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
**Computer 1** (required)**Computer 2** (recommended)
RoleHyper-V hostClient computer
DescriptionThis computer will run Hyper-V, the Hyper-V management tools, and the Hyper-V Windows PowerShell module.This computer is a Windows 7 or Windows 8/8.1 client on your corporate network that will be converted to a VHD for upgrade demonstration purposes.
OSWindows 8/8.1/10 or Windows Server 2012/2012 R2/2016*Windows 7 or a later
EditionEnterprise, Professional, or EducationAny
Architecture64-bitAny
RAM8 GB RAM (16 GB recommended)Any
Disk50 GB available hard disk space (100 GB recommended)Any
CPUSLAT-Capable CPUAny
NetworkInternet connectionAny
- ->Retaining applications and settings during the upgrade process requires that architecture (32 or 64-bit) is the same before and after the upgrade. - -*The Hyper-V server role can also be installed on a computer running Windows Server 2008 R2. However, the Windows PowerShell module for Hyper-V is not available on Windows Server 2008 R2, therefore you cannot use many of the steps provided in this guide to configure Hyper-V. The performance and features of the Hyper-V role are also much improved on later operating systems. If your host must be running Windows Server 2008 R2, see [Appendix A: Configuring Hyper-V settings on 2008 R2](#appendix-a-configuring-hyper-v-on-windows-server-2008-r2). - -The Hyper-V role cannot be installed on Windows 7 or earlier versions of Windows. - -## Lab setup - -- The Hyper-V host computer (computer 1) is configured to host four VMs on a private, proof of concept network. - - Two VMs are running Windows Server 2012 R2 with required network services and tools installed. - - Two VMs are client systems: One VM is intended to mirror a host on your corporate network (computer 2) and one VM is running Windows 10 Enterprise to demonstrate the hardware replacement scenario. -- Links are provided to download trial versions of Windows Server 2012, Windows 10 Enterprise, and all deployment tools necessary to complete the lab. - -The lab architecture is summarized in the following diagram: - -![PoC](images/poc.png) - -**Note**: ->If you have an existing Hyper-V host, you can use this host if desired and skip the Hyper-V installation section in this guide. - ->The two Windows Server VMs can be combined into a single VM to conserve RAM and disk space if required. However, instructions in this guide assume two server systems are used. Using two servers enables Active Directory Domain Services and DHCP to be installed on a server that is not directly connected to the corporate network. 
This mitigates the risk of clients on the corporate network receiving DHCP leases from the PoC network (i.e. "rogue" DHCP), and limits NETBIOS service broadcasts. - -## Configure the PoC environment - -### Procedures in this section - -[Verify support and install Hyper-V](#verify-support-and-install-hyper-v)
-[Download VHD and ISO files](#download-vhd-and-iso-files)
-[Convert PC to VHD](#convert-pc-to-vhd)
-[Resize VHD](#resize-vhd)
-[Configure Hyper-V](#configure-hyper-v)
-[Convert PC to VHD](#convert-pc-to-vhd)
-[Configure VHDs](#configure-vhds)
- -### Verify support and install Hyper-V - -1. Verify that the computer supports Hyper-V. - - Starting with Windows 8, the host computer’s microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](http://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information. To verify your computer supports SLAT, open an administrator command prompt, type systeminfo, press ENTER, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. - - See the following example: - - ``` - C:\>systeminfo - ... - Hyper-V Requirements: VM Monitor Mode Extensions: Yes - Virtualization Enabled In Firmware: Yes - Second Level Address Translation: Yes - Data Execution Prevention Available: Yes - ``` - In this example, the computer supports SLAT and Hyper-V. - - If one or more requirements are evaluated as "No" then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the "Virtualization Enabled In Firmware" setting from "No" to "Yes." The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings. 
- - You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/en-us/library/cc731397.aspx) tool, or you can download the [coreinfo](http://technet.microsoft.com/en-us/sysinternals/cc835722) utility and run it, as shown in the following example: - - ``` - C:\>coreinfo -v - - Coreinfo v3.31 - Dump information on system CPU and memory topology - Copyright (C) 2008-2014 Mark Russinovich - Sysinternals - www.sysinternals.com - - Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz - Intel64 Family 6 Model 42 Stepping 7, GenuineIntel - Microcode signature: 0000001B - HYPERVISOR - Hypervisor is present - VMX * Supports Intel hardware-assisted virtualization - EPT * Supports Intel extended page tables (SLAT) - ``` - - Note: A 64-bit operating system is requried to run Hyper-V. - -2. Enable Hyper-V. - - The Hyper-V feature is not installed by default. To install it, open an elevated Windows PowerShell window and type the following command: - - ``` - Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V –All - ``` - When you are prompted to restart the computer, choose Yes. The computer might restart more than once. - - You can also install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** (client OS), or using Server Manager's **Add Roles and Features Wizard** (server OS), as shown below: - - ![hyper-v feature](images/hyper-v-feature.png) - - ![hyper-v](images/svr_mgr2.png) - -### Download VHD and ISO files - -1. Create a directory on your Hyper-V host named C:\VHD and download a single [Windows Server 2012 R2 VHD](https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2012-r2) from the TechNet Evaluation Center to the C:\VHD directory. 
- - **Important**: This guide assumes that VHDs are stored in the **C:\VHD** directory on the Hyper-V host. If you use a different directory to store VHDs, you must adjust steps in this guide appropriately. - - After completing registration you will be able to download the 7.47 GB Windows Server 2012 R2 evaluation VHD. - - ![VHD](images/download_vhd.png) - -2. Rename the VHD file that you downloaded to **2012R2-poc-1.vhd**. This is not required, but is done to make the filename simpler to recognize. -3. Copy the VHD to a second file also in the C:\VHD directory and name this VHD **2012R2-poc-2.vhd**. -4. Download the [Windows 10 Enterprise ISO](https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise) from the TechNet Evaluation Center to the C:\VHD directory on your Hyper-V host. During registration, you must specify the type, version, and language of installation media to download. In this example, a Windows 10 Enterprise, 64 bit, English VHD is chosen. You can choose a different version if desired. Note that Windows 10 in-place upgrade is only possible if the source operating system and installation media are both 32-bit or both 64-bit, so you should download the file version that corresponds to the version of your source computer for upgrade testing. -5. Rename the ISO file that you downloaded to **w10-enterprise.iso**. Again, this is done so that the filename is simpler to type and recognize. After completing registration you will be able to download the 3.63 GB Windows 10 Enterprise evaluation ISO. - - The following commands and output display the procedures described in this section: - - ``` - C:\>mkdir VHD - - C:\>cd VHD - - C:\VHD>ren 9600*.vhd 2012R2-poc-1.vhd - - C:\VHD>copy 2012R2-poc-1.vhd 2012R2-poc-2.vhd - 1 file(s) copied. 
- - C:\VHD ren *.iso w10-enterprise.iso - C:\VHD>dir /B - 2012R2-poc-1.vhd - 2012R2-poc-2.vhd - w10-enterprise.iso - ``` - -### Convert PC to VHD - -**Important**:Before you convert a PC to VHD, verify that you have access to a local administrator account on the computer. Alternatively you can use a domain account with administrative rights if these credentials are cached on the computer and your domain policy allows the use of cached credentials for login. - ->For purposes of the test lab, you must use a PC with a single hard drive that is assigned a drive letter of C:. Systems with multiple hard drives or non-standard configurations can also be upgraded using PC refresh and replace scenarios, but these systems require more advanced deployment task sequences than those used in this lab. - -1. Download the [Disk2vhd utility](https://technet.microsoft.com/en-us/library/ee656415.aspx), extract the .zip file and copy disk2vhd.exe to a flash drive or other location that is accessible from the computer you wish to convert. - >Note: You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media. -2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. -3. Select checkboxes next to the volumes you wish to copy and specify a location to save the resulting VHD or VHDX file. If your Hyper-V host is running Windows Server 2008 R2 you must choose VHD, otherwise choose VHDX. -4. Click **Create** to start creating a VHDX file. - - >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. - -5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (w7.vhdx) to your Hyper-V host in the C:\VHD directory. 
There should now be four files in this directory: - - ``` - C:\vhd>dir /B - 2012R2-poc-1.vhd - 2012R2-poc-2.vhd - w10-enterprise.iso - w7.VHDX - ``` -### Resize VHD - -The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 80GB to support installing imaging tools and storing OS images. - -1. To add available space for the partition, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: - - ``` - Resize-VHD –Path c:\VHD\2012R2-poc-2.vhd –SizeBytes 80GB - $x = (Mount-VHD –Path c:\VHD\2012R2-poc-2.vhd -passthru | Get-Disk | Get-Partition | Get-Volume).DriveLetter - Resize-Partition -DriveLetter $x -Size (Get-PartitionSupportedSize -DriveLetter $x).SizeMax - ``` - -2. Verify that the mounted VHD drive is resized to 80 GB, and then dismount the drive: - - ``` - Get-Volume -DriveLetter $x - Dismount-VHD –Path c:\VHD\2012R2-poc-2.vhd - ``` - -### Configure Hyper-V - -Note: The Hyper-V Windows PowerShell module is not available on Windows Server 2008 R2. For more information, see [Appendix A: Configuring Hyper-V settings on 2008 R2](#appendix-a-configuring-hyper-v-on-windows-server-2008-r2). - -**Important**:You should take advantage of [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste files directly from one computer to another by right-clicking and selecting copy, then right-clicking and selecting paste. - -Instructions to "type" commands provided in this guide can be typed, but in most cases the preferred method is to copy and paste these commands. - -1. 
Open an elevated Windows PowerShell window and type the following command to create two virtual switches named "poc-internal" and "poc-external": - >If the Hyper-V host already has an external virtual switch bound to a physical NIC, do not attempt to add a second external virtual switch. Attempting to add a second external switch will result in an error indicating that the NIC is "**already bound to the Microsoft Virtual Switch protocol.**" In this case, choose one of the following options:
-    a) Remove the existing external virtual switch, then add the poc-external switch
-    b) Rename the existing external switch to "poc-external"
-    c) Replace each instance of "poc-external" used in this guide with the name of your existing external virtual switch
- If you choose b) or c), then do not run the second command below. - - ``` - New-VMSwitch -Name poc-internal -SwitchType Internal -Notes "PoC Network" - New-VMSwitch -Name poc-external -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and $_.NdisPhysicalMedium -eq 14}).Name -Notes "PoC External" - ``` - >Also, since an external virtual switch is associated to a physical network adapter on the Hyper-V host, this adapter must be specified when adding the virtual switch. This is automated in the example here by filtering for active ethernet adapters using the Get-NetAdapter cmdlet. If your Hyper-V host has multiple active ethernet adapters, this automation will not work, and the second command above will fail. In this case, you must edit the command used to add the "poc-external" virtual switch by inserting the specific value needed for the -NetAdapterName option. This value corresponds to the name of the network interface you wish to use. - -2. At the elevated Windows PowerShell prompt, type the following command to determine the megabytes of RAM that are currently available on the Hyper-V host: - - ``` - (Get-Counter -Counter @("\Memory\Available MBytes")).countersamples.cookedvalue - ``` - >This command will display the megabytes of RAM available. On a Hyper-V host computer with 16 GB of physical RAM installed, 12,000 MB of RAM or greater should be available if the computer is not also running other applications. If the computer has less than 12,000 MB of available RAM, try closing applications to free up more memory. - -3. Determine the available memory for VMs by dividing the available RAM by 4. For example: - - ``` - (Get-Counter -Counter @("\Memory\Available MBytes")).countersamples.cookedvalue/4 - 2775.5 - ``` - In this example, VMs can use a maximum of 2700 MB of RAM each, to run four VMs simultaneously. - -4. At the elevated Windows PowerShell prompt, type the following command to create three new VMs. The fourth VM will be added later. 
- >**Important**: Replace the value of 2700MB in the first command below with the RAM value that you calculated in the previous step: - - ``` - $maxRAM = 2700MB - New-VM –Name "DC1" –VHDPath c:\vhd\2012R2-poc-1.vhd -SwitchName poc-internal - Set-VMMemory -VMName "DC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20 - Enable-VMIntegrationService –Name "Guest Service Interface" -VMName DC1 - New-VM –Name "SRV1" –VHDPath c:\vhd\2012R2-poc-2.vhd -SwitchName poc-internal - Add-VMNetworkAdapter -VMName "SRV1" -SwitchName "poc-external" - Set-VMMemory -VMName "SRV1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 80 - Enable-VMIntegrationService –Name "Guest Service Interface" -VMName SRV1 - New-VM –Name "PC1" –VHDPath c:\vhd\w7.vhdx -SwitchName poc-internal - Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20 - Enable-VMIntegrationService –Name "Guest Service Interface" -VMName PC1 - ``` - -### Configure VHDs - -1. At an elevated Windows PowerShell prompt on the Hyper-V host, start the first VM by typing the following command: - - ``` - Start-VM DC1 - ``` -2. Wait for the VM to complete starting up, and then connect to it either using the Hyper-V Manager console (virtmgmt.msc) or using an elevated command prompt on the Hyper-V host: - - ``` - vmconnect localhost DC1 - ``` -3. Click **Next** to accept the default settings, read the license terms and click **I accept**, provide an administrator password of **pass@word1**, and click **Finish**. -4. Sign in to DC1 using the local administrator account. Right-click **Start**, point to **Shut down or sign out**, and click **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, click **Connect** and sign in with the local Administrator account. 
Note: Signing in this way ensures that [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It is only necessary to do this the first time you sign in to a new VM. -5. If DC1 is configured as described in this guide, it will currently be assigned an APIPA address, have a randomly generated hostname, and a single network adapter named "Ethernet." Open an elevated Windows PowerShell prompt on DC1 and type or paste the following commands to provide a new hostname and configure a static IP address and gateway: - - ``` - Rename-Computer DC1 - New-NetIPAddress –InterfaceAlias Ethernet –IPAddress 192.168.0.1 –PrefixLength 24 -DefaultGateway 192.168.0.2 - Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2 - ``` - >The default gateway at 192.168.0.2 will be configured later in this guide. -6. Install the Active Directory Domain Services role by typing the following command at an elevated Windows PowerShell prompt: - - ``` - Install-WindowsFeature -Name AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools - ``` - -7. Before promoting DC1 to a Domain Controller, you must reboot so that the name change in step 3 above takes effect. To restart the computer, type the following command at an elevated Windows PowerShell prompt: - - ``` - Restart-Computer - ``` - -8. When DC1 has rebooted, sign in again and open an elevated Windows PowerShell prompt. Now you can promote the server to be a domain controller. The directory services restore mode password must be entered as a secure string: - - ``` - $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force - Install-ADDSForest -DomainName contoso.com -InstallDns -SafeModeAdministratorPassword $pass -Force - ``` - Ignore any warnings that are displayed. The computer will automatically reboot upon completion. -9. 
When the reboot has completed, reconnect to DC1, sign in using the CONTOSO\Administrator account, open an elevated Windows PowerShell prompt, and use the following commands to add a reverse lookup zone for the PoC network, add the DHCP Server role, authorize DHCP in Active Directory, and supress the post-DHCP-install alert: - - ``` - Add-DnsServerPrimaryZone -NetworkID "192.168.0.0/24" -ReplicationScope Forest - Add-WindowsFeature -Name DHCP -IncludeManagementTools - netsh dhcp add securitygroups - Restart-Service DHCPServer - Add-DhcpServerInDC dc1.contoso.com 192.168.0.1 - Set-ItemProperty –Path registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerManager\Roles\12 –Name ConfigurationState –Value 2 - ``` -10. Next, add a DHCP scope and set option values: - - ``` - Add-DhcpServerv4Scope -Name "PoC Scope" -StartRange 192.168.0.100 -EndRange 192.168.0.199 -SubnetMask 255.255.255.0 -Description "Windows 10 PoC" -State Active - Set-DhcpServerv4OptionValue -ScopeId 192.168.0.0 -DnsDomain contoso.com -Router 192.168.0.2 -DnsServer 192.168.0.1,192.168.0.2 -Force - ``` - >The -Force option is necessary when adding scope options to skip validation of 192.168.0.2 as a DNS server because we have not configured it yet. The scope should immediately begin issuing leases on the PoC network. The first DHCP lease that will be issued is to vEthernet interface on the Hyper-V host, which is a member of the internal network. -11. Add a user account to the contoso.com domain that can be used with client computers: - - ``` - New-ADUser -Name "User1" -UserPrincipalName user1 -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true - ``` -12. The DNS server role will also be installed on the member server, SRV1, at 192.168.0.2 so that we can forward DNS queries from DC1 to SRV1 to resolve Internet names without having to configure a forwarder outside the PoC network. 
Since the IP address of SRV1 already existed on DC1's network adapter, it will be automatically added during the DCPROMO process. To verify this server-level DNS forwarder on DC1, type the following command at an elevated Windows PowerShell prompt on DC1: - - ``` - Get-DnsServerForwarder - ``` - The following output should be displayed: - ``` - UseRootHint : True - Timeout(s) : 3 - EnableReordering : True - IPAddress : 192.168.0.2 - ReorderedIPAddress : 192.168.0.2 - ``` - If this output is not displayed, you can use the following command to add SRV1 as a forwarder: - ``` - Add-DnsServerForwarder -IPAddress 192.168.0.2 - ``` -13. Minimize the DC1 VM window but **do not stop** the VM. - - Next, the client VM will be started and joined to the contoso.com domain. This is done before adding a gateway to the PoC network so that there is no danger of duplicate DNS registrations for the physical client and its cloned VM in the corporate domain. - -14. Using an elevated Windows PowerShell prompt on the Hyper-V host, start the client VM (PC1), and connect to it: - ``` - Start-VM PC1 - vmconnect localhost PC1 - ``` -15. Sign on to PC1 using an account that has local administrator rights. - - >PC1 will be disconnected from its current domain, so you cannot use a domain account to sign on unless these credentials are cached and the use of cached credentials is permitted by Group Policy. If cached credentials are available and permitted, you can use these credentials to sign in. Otherwise, use an existing local administrator account. -16. After signing in, the operating system detects that it is running in a new environment. New drivers will be automatically installed, including the network adapter driver. The network adapter driver must be updated before you can proceed, so that you will be able to join the contoso.com domain. Depending on the resources allocated to PC1, installing the network adapter driver might take a few minutes. 
- - ![PoC](images/installing-drivers.png) - - >If the client was configured with a static address, you must change this to a dynamic one so that it can obtain a DHCP lease. - -17. When the new network adapter driver has completed installation, you will receive an alert to set a network location for the contoso.com network. Select **Work network** and then click **Close**. When you receive an alert that a restart is required, click **Restart Later**. -18. Open an elevated Windows PowerShell prompt on PC1 and verify that the client VM has received a DHCP lease and can communicate with the consoto.com domain controller. - - To open Windows PowerShell on Windows 7, click **Start**, and search for "**power**." - - ``` - ipconfig - - Windows IP Configuration - - Ethernet adapter Local Area Connection 3: - Connection-specific DNS Suffix . : contoso.com - Link-local IPv6 Address . . . . . : fe80::64c2:4d2a:7403:6e02%18 - Ipv4 Address. . . . . . . . . . . : 192.168.0.101 - Subnet Mask . . . . . . . . . . . : 255.255.255.0 - Default Gateway . . . . . . . . . : 192.168.0.2 - - ping dc1.contoso.com - - Pinging dc1.contoso.com [192.168.0.1] with 32 bytes of data: - Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 - Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 - Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 - Reply from 192.168.0.1: bytes=32 time<1ms TTL=128 - - nltest /dsgetdc:contoso.com - DC: \\DC1 - Address: \\192.168.0.1 - Dom Guid: fdbd0643-d664-411b-aea0-fe343d7670a8 - Dom Name: CONTOSO - Forest Name: contoso.com - Dc Site Name: Default-First-Site-Name - Our Site Name: Default-First-Site-Name - Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_FOREST CLOSE_SITE FULL_SECRET WS 0xC000 - ``` ->If PC1 is running Windows 7, enhanced session mode is not available, which means that you cannot copy and paste commands from the Hyper-V host to a Windows PowerShell prompt on PC1. 
However, it is possible to use integration services to copy a file from the Hyper-V host to a VM. The next procedure demonstrates this. If the Copy-VMFile command fails, then type the commands below at an elevated Windows PowerShell prompt on PC1 instead of saving them to a script to run remotely. If PC1 is running Windows 8 or a later operating system, you can use enhanced session mode to copy and paste these commands instead of typing them. - -19. Open an elevated Windows PowerShell ISE window on the Hyper-V host and type the following commands in the (upper) script editor pane: - - ``` - (Get-WmiObject Win32_ComputerSystem).UnjoinDomainOrWorkgroup($null,$null,0) - $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force - $user = "contoso\administrator" - $cred = New-Object System.Management.Automation.PSCredential($user,$pass) - Add-Computer -DomainName contoso.com -Credential $cred - Restart-Computer - ``` -20. Click **File**, click **Save As**, and save the commands as **c:\VHD\ps1.ps1** on the Hyper-V host. -21. In the (lower) terminal input window, type the following command to copy the script to PC1 using integration services: - - ``` - Copy-VMFile "PC1" –SourcePath "C:\VHD\pc1.ps1" –DestinationPath "C:\pc1.ps1" –CreateFullPath –FileSource Host - ``` - >In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. -22. On PC1, type the following commands at an elevated Windows PowerShell prompt: - - ``` - Get-Content c:\pc1.ps1 | powershell.exe -noprofile - - ``` - - >PC1 is removed from its domain in this step while not connected to the corporate network so as to ensure the computer object in the corporate domain is unaffected. We have not also renamed PC1 to "PC1" in system properties so that it maintains some of its mirrored identity. However, if desired you can also rename the computer. - -23. 
After PC1 restarts, sign in to the contoso.com domain with the (user1) account you created in step 11 of this section. - >The settings that will be used to migrate user data specifically select only accounts that belong to the CONTOSO domain. If you wish to test migration of user data and settings with an account other than the user1 account, you must copy this account's profile to the user1 profile. -24. Minimize the PC1 window but do not turn it off while the second Windows Server 2012 R2 VM (SRV1) is configured. This verifies that the Hyper-V host has enough resources to run all VMs simultaneously. Next, SRV1 will be started, joined to the contoso.com domain, and configured with RRAS and DNS services. -25. On the Hyper-V host computer, at an elevated Windows PowerShell prompt, type the following commands: - - ``` - Start-VM SRV1 - vmconnect localhost SRV1 - ``` -26. Accept the default settings, read license terms and accept them, provide an administrator password of **pass@word1**, and click **Finish**. When you are prompted about finding PCs, devices, and content on the network, click **Yes**. -27. Sign in to SRV1 using the local administrator account. In the same way that was done on DC1, sign out of SRV1 and then sign in again to enable enhanced session mode. This will enable you to copy and paste Windows PowerShell commands from the Hyper-V host to the VM. -28. Open an elevated Windows PowerShell prompt on SRV1 and type the following commands: - - ``` - Rename-Computer SRV1 - New-NetIPAddress –InterfaceAlias Ethernet –IPAddress 192.168.0.2 –PrefixLength 24 - Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2 - Restart-Computer - ``` -29. 
Wait for the computer to restart, then type or paste the following commands at an elevated Windows PowerShell prompt: - - ``` - $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force - $user = "contoso\administrator" - $cred = New-Object System.Management.Automation.PSCredential($user,$pass) - Add-Computer -DomainName contoso.com -Credential $cred - Restart-Computer - ``` -30. Sign in to the contoso.com domain on SRV1 using the domain administrator account (enter contoso\administrator as the user), open an elevated Windows PowerShell prompt, and type the following commands: - - ``` - Install-WindowsFeature -Name DNS -IncludeManagementTools - Install-WindowsFeature -Name WDS -IncludeManagementTools - Install-WindowsFeature -Name Routing -IncludeManagementTools - ``` -31. Before configuring the routing service that was just installed, verify that network interfaces were added to SRV1 in the right order, resulting in an interface alias of "Ethernet" for the private interface, and an interface alias of "Ethernet 2" for the public interface. Also verify that the external interface has a valid external DHCP IP address lease. - - To view a list of interfaces, associated interface aliases, and IP addresses on SRV1, type the following Windows PowerShell command. Example output of the command is also shown below: - - ``` - Get-NetAdapter | ? status -eq ‘up’ | Get-NetIPAddress -AddressFamily IPv4 | ft IPAddress, InterfaceAlias - - IPAddress InterfaceAlias - --------- -------------- - 10.137.130.118 Ethernet 2 - 192.168.0.2 Ethernet - ``` - In this example, the poc-internal network interface at 192.168.0.2 is associated with the "Ethernet" interface and the Internet-facing poc-external interface is associated with the "Ethernet 2" interface. If your interfaces are different, you must adjust the commands provided in the next step appropriately to configure routing services. - -32. 
To configure SRV1 with routing capability for the PoC network, type or paste the following commands at an elevated Windows PowerShell prompt on SRV1: - - ``` - Install-RemoteAccess -VpnType Vpn - cmd /c netsh routing ip nat install - cmd /c netsh routing ip nat add interface name="Ethernet 2" mode=FULL - cmd /c netsh routing ip nat add interface name="Ethernet" mode=PRIVATE - cmd /c netsh routing ip nat add interface name="Internal" mode=PRIVATE - ``` -33. The DNS service on SRV1 also needs to resolve hosts in the contoso.com domain. This can be accomplished with a conditional forwarder. Open an elevated Windows PowerShell prompt on SRV1 and type the following command: - - ``` - Add-DnsServerConditionalForwarderZone -Name contoso.com -MasterServers 192.168.0.1 - ``` -34. In most cases, this completes configuration of the PoC network. However, if your corporate network has a firewall that filters queries from local DNS servers, you will also need to configure a server-level DNS forwarder on SRV1 to resolve Internet names. To test whether or not DNS is working without this forwarder, try to reach a name on the Internet from DC1 or PC1, which are only using DNS services on the PoC network. You can test DNS with the ping command, for example: - - ``` - ping www.microsoft.com - ``` - If you see "Ping request could not find host www.microsoft.com" on PC1 and DC1, but not on SRV1, then you will need to configure a server-level DNS forwarder on SRV1. To do this, open an elevated Windows PowerShell prompt on SRV1 and type the following command. - - **Note**: This command also assumes that "Ethernet 2" is the external-facing network adapter on SRV1. If the external adapter has a different name, replace "Ethernet 2" in the command below with that name: - - ``` - Add-DnsServerForwarder -IPAddress (Get-DnsClientServerAddress -InterfaceAlias "Ethernet 2").ServerAddresses - ``` -35. 
If DNS and routing are both working correctly, you will see the following on DC1 and PC1: - - ``` - PS C:\> ping www.microsoft.com - - Pinging e2847.dspb.akamaiedge.net [23.222.146.170] with 32 bytes of data: - Reply from 23.222.146.170: bytes=32 time=3ms TTL=51 - Reply from 23.222.146.170: bytes=32 time=2ms TTL=51 - Reply from 23.222.146.170: bytes=32 time=2ms TTL=51 - Reply from 23.222.146.170: bytes=32 time=1ms TTL=51 - - Ping statistics for 23.222.146.170: - Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), - Approximate round trip times in milli-seconds: - Minimum = 1ms, Maximum = 3ms, Average = 2ms - ``` -36. Verify that all three VMs can reach each other, and the Internet. See [Appendix B: Verify the configuration](#appendix-b-verify-the-configuration) for more information. -37. Lastly, because the client computer has different hardware after copying it to a VM, its Windows activation will be invalidated and you might receive a message that you must activate Windows in 3 days. To extend this period to 30 days, type the following commands at an elevated Windows PowerShell prompt on PC1: - - ``` - slmgr -rearm - Restart-Computer - ``` - -## Appendix A: Configuring Hyper-V on Windows Server 2008 R2 - -If your Hyper-V host is running Windows Server 2008 R2, several of the steps in this guide will not work because they use the Hyper-V Module for Windows PowerShell, which is not available on Windows Server 2008 R2. - -To manage Hyper-V on Windows Server 2008 R2, you can use Hyper-V WMI, or you can use the Hyper-V Manager console. - -An example that uses Hyper-V WMI to create a virtual switch on Windows Server 2008 R2 is provided below. Converting all Hyper-V module commands used in this guide to Hyper-V WMI is beyond the scope of the guide. If you must use a Hyper-V host running Windows Server 2008 R2, the steps in the guide can be accomplished by using the Hyper-V Manager console. 
- -``` -$SwitchFriendlyName = "poc-internal" -$InternalEthernetPortFriendlyName = $SwitchFriendlyName -$InternalSwitchPortFriendlyName = "poc" -$SwitchName = [guid]::NewGuid().ToString() -$InternalSwitchPortName = [guid]::NewGuid().ToString() -$InternalEthernetPortName = [guid]::NewGuid().ToString() -$NumLearnableAddresses = 1024 -$ScopeOfResidence = "" -$VirtualSwitchManagementService = gwmi Msvm_VirtualSwitchManagementService -namespace "root\virtualization" -$Result = $VirtualSwitchManagementService.CreateSwitch($SwitchName, $SwitchFriendlyName, $NumLearnableAddresses, $ScopeOfResidence) -$Switch = [WMI]$Result.CreatedVirtualSwitch -$Result = $VirtualSwitchManagementService.CreateSwitchPort($Switch, $InternalSwitchPortName, $InternalSwitchPortFriendlyName, $ScopeOfResidence) -$InternalSwitchPort = [WMI]$Result.CreatedSwitchPort -$Result = $VirtualSwitchManagementService.CreateInternalEthernetPortDynamicMac($InternalEthernetPortName, $InternalEthernetPortFriendlyName) -$InternalEthernetPort = [WMI]$Result.CreatedInternalEthernetPort -$query = "Associators of {$InternalEthernetPort} Where ResultClass=CIM_LanEndpoint" -$InternalLanEndPoint = gwmi -namespace root\virtualization -query $query -$Result = $VirtualSwitchManagementService.ConnectSwitchPort($InternalSwitchPort, $InternalLanEndPoint) -$filter = "SettingID='" + $InternalEthernetPort.DeviceID +"'" -$NetworkAdapterConfiguration = gwmi Win32_NetworkAdapterConfiguration -filter $filter -``` -To install Hyper-V on Windows Server 2008 R2, you can use the Add-WindowsFeature cmdlet: - -``` -Add-WindowsFeature -Name Hyper-V -``` -For more information about the Hyper-V Manager interface in Windows Server 2008 R2, see [Hyper-V](https://technet.microsoft.com/library/cc730764.aspx) in the Windows Server TechNet Library. - -## Appendix B: Verify the configuration - -Use the following procedures to verify that the PoC environment is configured properly and working as expected. - -1. 
On DC1, open an elevated Windows PowerShell prompt and type the following commands: - - ``` - Get-Service NTDS,DNS,DHCP - DCDiag -a - Get-DnsServerResourceRecord -ZoneName contoso.com -RRType A - Get-DnsServerForwarder - Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com - Get-DhcpServerInDC - Get-DhcpServerv4Statistics - ipconfig /all - ``` - **Get-Service** displays a status of "Running" for all three services.
- **DCDiag** displays "passed test" for all tests.
- **Get-DnsServerResourceRecord** displays the correct DNS address records for DC1, SRV1, and the computername of PC1. Additional address records for the zone apex (@), DomainDnsZones, and ForestDnsZones will also be registered.
- **Get-DnsServerForwarder** displays a single forwarder of 192.168.0.2.
- **Resolve-DnsName** displays public IP address results for www.microsoft.com.
- **Get-DhcpServerInDC** displays 192.168.0.1, dc1.contoso.com.
- **Get-DhcpServerv4Statistics** displays 1 scope with 2 addresses in use (these belong to PC1 and the Hyper-V host).
- **ipconfig** displays a primary DNS suffix and suffix search list of contoso.com, IP address of 192.168.0.1, subnet mask of 255.255.255.0, default gateway of 192.168.0.2, and DNS server addresses of 192.168.0.1 and 192.168.0.2. - -2. On SRV1, open an elevated Windows PowerShell prompt and type the following commands: - - ``` - Get-Service DNS,RemoteAccess - Get-DnsServerForwarder - Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com - ipconfig /all - netsh int ipv4 show address - ``` - **Get-Service** displays a status of "Running" for both services.
- **Get-DnsServerForwarder** either displays no forwarders, or displays a list of forwarders you are required to use so that SRV1 can resolve Internet names.
- **Resolve-DnsName** displays public IP address results for www.microsoft.com.
- **ipconfig** displays a primary DNS suffix of contoso.com. The suffix search list contains contoso.com and your corporate domain. Two ethernet adapters are shown: Ethernet adapter "Ethernet" has an IP addresses of 192.168.0.2, subnet mask of 255.255.255.0, no default gateway, and DNS server addresses of 192.168.0.1 and 192.168.0.2. Ethernet adapter "Ethernet 2" has an IP address, subnet mask, and default gateway configured by DHCP on your corporate network.
- **netsh** displays three interfaces on the computer: interface "Ethernet 2" with DHCP enabled = Yes and IP address assigned by your corporate network, interface "Ethernet" with DHCP enabled = No and IP address of 192.168.0.2, and interface "Loopback Pseudo-Interface 1" with IP address of 127.0.0.1. - -3. On PC1, open an elevated Windows PowerShell prompt and type the following commands: - - ``` - whoami - hostname - nslookup www.microsoft.com - ping -n 1 dc1.contoso.com - tracert www.microsoft.com - ``` - **whoami** displays the current user context, for example in an elevated Windows PowerShell prompt, contoso\administrator is displayed.
- **hostname** displays the name of the local computer, for example W7PC-001.
- **nslookup** displays the DNS server used for the query, and the results of the query. For example, server dc1.contoso.com, address 192.168.0.1, Name e2847.dspb.akamaiedge.net.
- **ping** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it cannot be resolved, "..could not find host" will be diplayed and if the target is found and also responds to ICMP, you will see "Reply from" and the IP address of the target.
- **tracert** displays the path to reach the destination, for example srv1.contoso.com [192.168.0.2] followed by a list of hosts and IP addresses corresponding to subsequent routing nodes between the source and the destination. - -## Related Topics - -[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) -  - -  - - - - - From d5ef1fd4256bf8c6c06e21d7a279b928b8df283b Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 22 Sep 2016 11:59:05 -0700 Subject: [PATCH 34/43] Updated Cortana text, waiting for approval --- windows/keep-secure/limitations-with-wip.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/limitations-with-wip.md b/windows/keep-secure/limitations-with-wip.md index cb394d0ba4..baeed3415a 100644 --- a/windows/keep-secure/limitations-with-wip.md +++ b/windows/keep-secure/limitations-with-wip.md @@ -41,8 +41,8 @@ This table provides info about the most common problems you might encounter whil Cortana can potentially allow data leakage if it’s on the allowed apps list. - Some files might become unexpectedly encrypted after searches. Cortana can search and provide results on enterprise documents and locations. - Don’t add Cortana to your allowed apps list. + Some files might become unexpectedly encrypted after an employee performs a search using Cortana while it's on the allowed apps list. Regardless whether Cortana is on the allowed list, your employees will still be able to use Cortana to search and provide results on enterprise documents and locations. + We don’t recommend adding Cortana to your allowed apps list. WIP is designed for use by a single user per device. From e0b72280bd5c300ff61ec7b89d2fcfe0770dbe93 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 22 Sep 2016 13:25:24 -0700 Subject: [PATCH 35/43] added font streaming GP --- ...ating-system-components-to-microsoft-services.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) 
diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 8306da4b5d..83ea150608 100644 --- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -63,7 +63,7 @@ See the following table for a summary of the management settings for Windows 10 | [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | | | ![Check mark](images/checkmark.png) | | | [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | | | | -| [5. Font streaming](#font-streaming) | | | | ![Check mark](images/checkmark.png) | | +| [5. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [6. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | [7. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | | [8. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | | | 
@@ -113,7 +113,7 @@ See the following table for a summary of the management settings for Windows Ser | [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | | | -| [5. Font streaming](#font-streaming) | | | ![Check mark](images/checkmark.png) | | +| [5. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [6. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | [7. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | [8. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | | @@ -137,7 +137,7 @@ See the following table for a summary of the management settings for Windows Ser | - | :-: | :-: | :-: | :-: | :-: | | [1. Certificate trust lists](#certificate-trust-lists) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [3. Date & Time](#bkmk-datetime) | | ![Check mark](images/checkmark.png) | | -| [5. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | | +| [5. Font streaming](#font-streaming) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [12. Network Connection Status Indicator](#bkmk-ncsi) | ![Check mark](images/checkmark.png) | | | | [17. Software Protection Platform](#bkmk-spp) | ![Check mark](images/checkmark.png) | | | | [19. Teredo](#bkmk-teredo) | | | ![Check mark](images/checkmark.png) | 
@@ -268,10 +268,13 @@ To prevent Windows from retrieving device metadata from the Internet, apply the Fonts that are included in Windows but that are not stored on the local device can be downloaded on demand. -To turn off font streaming, create a REG\_DWORD registry setting called **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters**, with a value of 1. +If you're running Windows 10, version 1607 or Windows Server 2016, disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **Fonts** > **Enable Font Providers**. > [!NOTE] -> After you apply this registry setting, you must restart the device for it to take effect. +> After you apply this policy, you must restart the device for it to take effect. + +If you're running Windows 10, version 1507 or Windows 10, version 1511, create a REG\_DWORD registry setting called **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters**, with a value of 1. + ### 6. Insider Preview builds From d0eb64e4864b999143881146804ad73d2f6a672e Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 22 Sep 2016 13:36:22 -0700 Subject: [PATCH 36/43] Fixed HTML --- windows/keep-secure/limitations-with-wip.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/keep-secure/limitations-with-wip.md b/windows/keep-secure/limitations-with-wip.md index baeed3415a..c7cc2666e0 100644 --- a/windows/keep-secure/limitations-with-wip.md +++ b/windows/keep-secure/limitations-with-wip.md @@ -73,4 +73,5 @@ This table provides info about the most common problems you might encounter whil You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer. A message appears stating that the content is marked as **Work** and the user isn't given an option to override to **Personal**. Open File Explorer and change the file ownership to **Personal** before you upload. + 
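Review bot: In the font streaming hunk of manage-connections-from-windows-operating-system-components-to-microsoft-services.md (@@ -268,10 +268,13 @@), the restart note now reads "After you apply this policy" and sits between the Group Policy paragraph and the registry paragraph, so the DisableFontProviders instruction for versions 1507 and 1511 no longer tells the reader that a restart is needed, which the removed note did say for that registry setting. Move the note below both paragraphs and word it as "this policy or registry setting", or repeat it after the registry paragraph. The same hunk scopes the registry setting to Windows 10, version 1507 and 1511 only, while the second and third summary tables edited earlier in this patch keep the check mark they already had on the font streaming row next to the newly added one; if that older column is the registry column, the tables and the text should be brought into agreement on whether the registry value still applies there.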
From d8d19bdda95c977b96603c2ed7db1a4ace988cde Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 22 Sep 2016 13:44:01 -0700 Subject: [PATCH 37/43] Updated to reflect changes to networking and limitations --- .../keep-secure/change-history-for-keep-windows-10-secure.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 5de6b76a7a..6dc8ea8b8c 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -16,6 +16,9 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md | New or changed topic | Description | | --- | --- | +|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) | New | +|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Updated the networking table to clarify details around Enterprise Cloud Resources and Enterprise Proxy Servers. | +|[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |Updated the networking table to clarify details around Enterprise Cloud Resources and Enterprise Proxy Servers. | | [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) | Clarified how convenience PIN works in Windows 10, version 1607, on domain-joined PCs | | [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) | Corrected certreq ezxample and added a new Windows PowerShell example for creating a self-signed certficate | From cfb9c194b9a5f854de770e01f9fac51ac1673f64 Mon Sep 17 00:00:00 2001 
From: Brian Lich Date: Fri, 23 Sep 2016 12:56:16 -0700 Subject: [PATCH 38/43] adding localizationpriority YAML metadata --- browsers/internet-explorer/ie11-deploy-guide/index.md | 1 + browsers/internet-explorer/ie11-ieak/index.md | 1 + devices/surface/index.md | 1 + 3 files changed, 3 insertions(+) diff --git a/browsers/internet-explorer/ie11-deploy-guide/index.md b/browsers/internet-explorer/ie11-deploy-guide/index.md index b1b9d3ce0b..f26bdcd631 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/index.md +++ b/browsers/internet-explorer/ie11-deploy-guide/index.md @@ -6,6 +6,7 @@ ms.prod: ie11 ms.assetid: bddc2d97-c38d-45c5-9588-1f5bbff2e9c3 title: Internet Explorer 11 (IE11) - Deployment Guide for IT Pros (Internet Explorer 11 for IT Pros) ms.sitesec: library +localizationpriority: low --- diff --git a/browsers/internet-explorer/ie11-ieak/index.md b/browsers/internet-explorer/ie11-ieak/index.md index b0c1e0c9fe..00b9d78815 100644 --- a/browsers/internet-explorer/ie11-ieak/index.md +++ b/browsers/internet-explorer/ie11-ieak/index.md @@ -6,6 +6,7 @@ ms.prod: ie11 ms.assetid: 847bd7b4-d5dd-4e10-87b5-4d7d3a99bbac title: Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide (Internet Explorer Administration Kit 11 for IT Pros) ms.sitesec: library +localizationpriority: low --- diff --git a/devices/surface/index.md b/devices/surface/index.md index 39305ac4af..1b70df3e57 100644 --- a/devices/surface/index.md +++ b/devices/surface/index.md @@ -2,6 +2,7 @@ title: Surface (Surface) description: ms.assetid: 2a6aec85-b8e2-4784-8dc1-194ed5126a04 +localizationpriority: high ms.prod: w10 ms.mktglfcycl: manage ms.pagetype: surface, devices From 065d4745ccc70e57d67f3589bb7cfac8019ca9cc Mon Sep 17 00:00:00 2001 
From: Brian Lich Date: Fri, 23 Sep 2016 14:35:54 -0700 Subject: [PATCH 39/43] removing duplicate localizationpriority YAML metadata --- ...tion-to-deploy-with-windows-10-using-configuration-manager.md | 1 - .../deploy-windows-10-with-the-microsoft-deployment-toolkit.md | 1 - ...ouch-installation-of-windows-10-with-configuration-manager.md | 1 - .../replace-a-windows-7-computer-with-a-windows-10-computer.md | 1 - 4 files changed, 4 deletions(-) diff --git a/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md index 4e7b504b13..30ed33ca81 100644 --- a/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md +++ b/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md @@ -6,7 +6,6 @@ keywords: deployment, task sequence, custom, customize ms.prod: w10 localizationpriority: high ms.mktglfcycl: deploy -localizationpriority: high ms.sitesec: library author: mtniehaus --- diff --git a/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md index 4963952ab4..b5bd6bcf7a 100644 --- a/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md +++ b/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md @@ -7,7 +7,6 @@ ms.prod: w10 ms.mktglfcycl: deploy localizationpriority: high ms.sitesec: library -localizationpriority: high author: mtniehaus ms.pagetype: mdt --- diff --git a/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md index 499573e6a0..4f25bc9987 100644 --- a/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md 
+++ b/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md @@ -6,7 +6,6 @@ keywords: install, configure, deploy, deployment ms.prod: w10 localizationpriority: high ms.mktglfcycl: deploy -localizationpriority: high ms.sitesec: library author: mtniehaus --- diff --git a/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md b/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md index 9a3311910e..c4d80c812b 100644 --- a/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md +++ b/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md @@ -7,7 +7,6 @@ ms.prod: w10 ms.mktglfcycl: deploy localizationpriority: high ms.sitesec: library -localizationpriority: high ms.pagetype: mdt author: mtniehaus --- From 883f13d19720d55137f4e7848fc1817aa2742ef4 Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Fri, 23 Sep 2016 16:07:28 -0700 Subject: [PATCH 40/43] Tweaked the intro text --- .../manage/appv-deploying-microsoft-office-2013-with-appv.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/manage/appv-deploying-microsoft-office-2013-with-appv.md b/windows/manage/appv-deploying-microsoft-office-2013-with-appv.md index 90cdcd48d7..c492e3a97e 100644 --- a/windows/manage/appv-deploying-microsoft-office-2013-with-appv.md +++ b/windows/manage/appv-deploying-microsoft-office-2013-with-appv.md 
@@ -14,7 +14,7 @@ ms.prod: w10 **Applies to** - Windows 10, version 1607 -Use the information in this article to use Microsoft Application Virtualization (App-V), or later versions, to deliver Microsoft Office 2013 as a virtualized application to computers in your organization. For information about using App-V to deliver Office 2010, see [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md). To successfully deploy Office 2013 with App-V, you need to be familiar with Office 2013 and App-V. +Use the information in this article to use Application Virtualization (App-V) to deliver Microsoft Office 2013 as a virtualized application to computers in your organization. For information about using App-V to deliver Office 2010, see [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md). To successfully deploy Office 2013 with App-V, you need to be familiar with Office 2013 and App-V. This topic contains the following sections: From 23d06d225da66b96d39538698b3a38b7e367b483 Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Fri, 23 Sep 2016 17:40:03 -0700 Subject: [PATCH 41/43] Tweaked links --- windows/manage/appv-deploying-appv.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/windows/manage/appv-deploying-appv.md b/windows/manage/appv-deploying-appv.md index 53ad22d7a7..d9b76d330e 100644 --- a/windows/manage/appv-deploying-appv.md +++ b/windows/manage/appv-deploying-appv.md @@ -30,6 +30,11 @@ App-V supports a number of different deployment options. Review this topic for i This section provides a deployment checklist that can be used to assist with installing App-V. +- [Deploying Microsoft Office 2013 by Using App-V](appv-deploying-microsoft-office-2013-with-appv.md)
+[Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md) + + These sections describe how to use App-V to deliver Microsoft Office as a virtualized application to computers in your organization. + ## Other Resources for Deploying App-V From 9cb85d75d589167a9c48750c8691c958f2c71e3b Mon Sep 17 00:00:00 2001 From: LizRoss Date: Fri, 23 Sep 2016 18:29:03 -0700 Subject: [PATCH 42/43] Updated cortana text from final PM review --- windows/keep-secure/limitations-with-wip.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/limitations-with-wip.md b/windows/keep-secure/limitations-with-wip.md index c7cc2666e0..ad98fc7971 100644 --- a/windows/keep-secure/limitations-with-wip.md +++ b/windows/keep-secure/limitations-with-wip.md @@ -41,8 +41,8 @@ This table provides info about the most common problems you might encounter whil Cortana can potentially allow data leakage if it’s on the allowed apps list. - Some files might become unexpectedly encrypted after an employee performs a search using Cortana while it's on the allowed apps list. Regardless whether Cortana is on the allowed list, your employees will still be able to use Cortana to search and provide results on enterprise documents and locations. - We don’t recommend adding Cortana to your allowed apps list. + If Cortana is on the allowed list, some files might become unexpectedly encrypted after an employee performs a search using Cortana. Your employees will still be able to use Cortana to search and provide results on enterprise documents and locations, but results might be sent to Microsoft. + We don’t recommend adding Cortana to your allowed apps list. However, if you wish to use Cortana and don't mind whether the results potentially go to Microsoft, you can make Cortana an Exempt app. WIP is designed for use by a single user per device. From b702b3f061119a27b687b0a6788d11a81db4b5b7 Mon Sep 17 00:00:00 2001 
From: LizRoss Date: Fri, 23 Sep 2016 21:49:28 -0700 Subject: [PATCH 43/43] Changed ordered list to unordered list --- windows/keep-secure/limitations-with-wip.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/limitations-with-wip.md b/windows/keep-secure/limitations-with-wip.md index ad98fc7971..947cee9c66 100644 --- a/windows/keep-secure/limitations-with-wip.md +++ b/windows/keep-secure/limitations-with-wip.md @@ -53,11 +53,11 @@ This table provides info about the most common problems you might encounter whil Installers copied from an enterprise network file share might not work properly. An app might fail to properly install because it can’t read a necessary configuration or data file, such as a .cab or .xml file needed for installation, which was protected by the copy action. To fix this, you can: -
    +
    • Start the installer directly from the file share.

      -OR-

    • Decrypt the locally copied files needed by the installer.

      -OR-

    • Mark the file share with the installation media as “personal”. To do this, you’ll need to set the Enterprise IP ranges as Authoritative and then exclude the IP address of the file server, or you’ll need to put the file server on the Enterprise Proxy Server list.
    • -
+ Changing your primary Corporate Identity isn’t supported.
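Review bot: In [PATCH 42/43], limitations-with-wip.md hunk @@ -41,8 +41,8 @@, the new workaround says "you can make Cortana an Exempt app" without saying what exempting an app does to WIP protection or where it is configured, in a row whose first cell warns that Cortana "can potentially allow data leakage". Add a one-sentence definition or a link for Exempt, and state the consequence plainly so the reader can weigh it against the "We don’t recommend" sentence that precedes it. In the middle cell, "Your employees will still be able to use Cortana to search" lost the "Regardless whether Cortana is on the allowed list" qualifier that the removed line carried, so it now reads as applying only when Cortana is on the allowed list; say which configuration the sentence describes and which results "might be sent to Microsoft".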
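Review bot: In [PATCH 43/43], limitations-with-wip.md hunk @@ -53,11 +53,11 @@, only the list's opening and closing lines change, so the three options are still separated by "-OR-" lines inside what is now an unordered list. Since the items are alternatives, either drop the "-OR-" lines and change the lead-in "To fix this, you can:" to say that any one of the options is sufficient, or keep the separators and confirm they still render as intended between bullets.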