diff --git a/windows/client-management/appv-deploy-and-config.md b/windows/client-management/appv-deploy-and-config.md index 692e73a572..f0c9843f27 100644 --- a/windows/client-management/appv-deploy-and-config.md +++ b/windows/client-management/appv-deploy-and-config.md @@ -1,6 +1,6 @@ --- title: Deploy and configure App-V apps using MDM -description: Configure, deploy, and manage Microsoft Application Virtualization (App-V) apps using Microsoft Endpoint Manager or App-V server. +description: Configure, deploy, and manage Microsoft Application Virtualization (App-V) apps using Microsoft Intune or App-V server. ms.author: vinpa ms.topic: article ms.prod: windows-client @@ -15,7 +15,7 @@ manager: aaroncz ## Executive summary -
Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premises group policies using Microsoft Endpoint Manager or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premises counterparts.
+Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premises group policies or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premises counterparts.
MDM services can be used to publish App-V packages to clients running Windows 10, version 1703 (or later). All capabilities such as App-V enablement, configuration, and publishing can be completed using the EnterpriseAppVManagement CSP.
diff --git a/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md index 62d404f9d4..c85858a2d0 100644 --- a/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md +++ b/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md 
@@ -28,12 +28,12 @@ Bulk enrollment is an efficient way to set up a large number of devices to be ma On the desktop, you can create an Active Directory account, such as "enrollment@contoso.com" and give it only the ability to join the domain. Once the desktop is joined with that admin account, then standard users in the domain can sign in to use it. This account is especially useful in getting a large number of desktop ready to use within a domain. -On the desktop and mobile devices, you can use an enrollment certificate or enrollment username and password, such as "enroll@contoso.com" and "enrollmentpassword." These credentials are used in the provisioning package, which you can use to enroll multiple devices to the MDM service. Once the devices are joined, many users can use them. +On the desktop and mobile devices, you can use an enrollment certificate or enrollment username and password, such as `enroll@contoso.com` and `enrollmentpassword`. These credentials are used in the provisioning package, which you can use to enroll multiple devices to the MDM service. Once the devices are joined, many users can use them. > [!NOTE] > - Bulk-join is not supported in Azure Active Directory Join. > - Bulk enrollment does not work in Intune standalone environment. -> - Bulk enrollment works in Microsoft Endpoint Manager where the ppkg is generated from the Configuration Manager console. +> - Bulk enrollment works in Microsoft Intune where the ppkg is generated from the Configuration Manager console. > - To change bulk enrollment settings, login to **AAD**, then **Devices**, and then click **Device Settings**. Change the number under **Maximum number of devices per user**. > - Bulk Token creation is not supported with federated accounts. 
@@ -53,14 +53,14 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro Using the WCD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings. 1. Open the WCD tool. -2. Click **Advanced Provisioning**. +2. Select **Advanced Provisioning**.  -3. Enter a project name and click **Next**. -4. Select **All Windows editions**, since Provisioning CSP is common to all Windows editions, then click **Next**. -5. Skip **Import a provisioning package (optional)** and click **Finish**. +3. Enter a project name and select **Next**. +4. Select **All Windows editions**, since Provisioning CSP is common to all Windows editions, then select **Next**. +5. Skip **Import a provisioning package (optional)** and select **Finish**. 6. Expand **Runtime settings** > **Workplace**. -7. Click **Enrollments**, enter a value in **UPN**, and then click **Add**. +7. Select **Enrollments**, enter a value in **UPN**, and then select **Add**. The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com". 8. On the left navigation pane, expand the **UPN** and then enter the information for the rest of the settings for enrollment process. Here's the list of available settings: 
@@ -74,8 +74,8 @@ Using the WCD, create a provisioning package using the enrollment information re  9. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**). -10. When you're done adding all the settings, on the **File** menu, click **Save**. -11. On the main menu, click **Export** > **Provisioning package**. +10. When you're done adding all the settings, on the **File** menu, select **Save**. +11. On the main menu, select **Export** > **Provisioning package**.  12. Enter the values for your package and specify the package output location. @@ -83,7 +83,7 @@ Using the WCD, create a provisioning package using the enrollment information re    -13. Click **Build**. +13. Select **Build**.  14. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package). 
@@ -94,13 +94,13 @@ Using the WCD, create a provisioning package using the enrollment information re Using the WCD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings. 1. Open the WCD tool. -2. Click **Advanced Provisioning**. -3. Enter a project name and click **Next**. +2. Select **Advanced Provisioning**. +3. Enter a project name and select **Next**. 4. Select **Common to all Windows editions**, since Provisioning CSP is common to all Windows editions. -5. Skip **Import a provisioning package (optional)** and click **Finish**. +5. Skip **Import a provisioning package (optional)** and select **Finish**. 6. Specify the certificate. 1. Go to **Runtime settings** > **Certificates** > **ClientCertificates**. - 2. Enter a **CertificateName** and then click **Add**. + 2. Enter a **CertificateName** and then select **Add**. 3. Enter the **CertificatePasword**. 4. For **CertificatePath**, browse and select the certificate to be used. 5. Set **ExportCertificate** to False. @@ -109,7 +109,7 @@ Using the WCD, create a provisioning package using the enrollment information re  7. Specify the workplace settings. 1. Got to **Workplace** > **Enrollments**. - 2. Enter the **UPN** for the enrollment and then click **Add**. + 2. Enter the **UPN** for the enrollment and then select **Add**. The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com". 3. On the left column, expand the **UPN** and then enter the information for the rest of the settings for enrollment process. Here's the list of available settings: 
@@ -120,32 +120,32 @@ Using the WCD, create a provisioning package using the enrollment information re - **Secret** - the certificate thumbprint. For detailed descriptions of these settings, see [Provisioning CSP](mdm/provisioning-csp.md). 8. Configure the other settings, such as the Wi-Fi connection so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**). -9. When you're done adding all the settings, on the **File** menu, click **Save**. +9. When you're done adding all the settings, on the **File** menu, select **Save**. 10. Export and build the package (steps 10-13 in the procedure above). 11. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package). 12. Apply the package to your devices. ## Apply a provisioning package -Here's the list of topics about applying a provisioning package: +Here's the list of articles about applying a provisioning package: -- [Apply a package on the first-run setup screen (out-of-the-box experience)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment#apply-package) - topic in Technet. 
-- [Apply a package to a Windows desktop edition image](/windows/configuration/provisioning-packages/provisioning-create-package#to_apply_a_provisioning_package_to_a_desktop_image) - topic in MSDN -- [Apply a package from the Settings menu](#apply-a-package-from-the-settings-menu) - topic below +- [Apply a package on the first-run setup screen (out-of-the-box experience)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment#apply-package) +- [Apply a package to a Windows desktop edition image](/windows/configuration/provisioning-packages/provisioning-create-package#to_apply_a_provisioning_package_to_a_desktop_image) +- [Apply a package from the Settings menu](#apply-a-package-from-the-settings-menu) - article below ## Apply a package from the Settings menu 1. Go to **Settings** > **Accounts** > **Access work or school**. -2. Click **Add or remove a provisioning package**. -3. Click **Add a package**. +2. Select **Add or remove a provisioning package**. +3. Select **Add a package**. ## Validate that the provisioning package was applied 1. Go to **Settings** > **Accounts** > **Access work or school**. -2. Click **Add or remove a provisioning package**. +2. Select **Add or remove a provisioning package**. You should see your package listed. -## Retry logic in case of a failure +## Retry logic if there's a failure If the provisioning engine receives a failure from a CSP, it will retry to provision three times in a row. 
@@ -155,9 +155,9 @@ It will also retry to apply the provisioning each time it's launched, if started In addition, provisioning will be restarted in a SYSTEM context after a sign in and the system has been idle ([details on idle conditions](/windows/win32/taskschd/task-idle-conditions)). -## Other provisioning topics +## Other provisioning articles -Here are links to step-by-step provisioning topics in Technet. +Here are links to step-by-step provisioning articles: - [Provision PCs with apps and certificates for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-with-apps) - [Provision PCs with common settings for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment) diff --git a/windows/client-management/config-lock.md b/windows/client-management/config-lock.md index 8725bda82d..04d9be81f2 100644 --- a/windows/client-management/config-lock.md +++ b/windows/client-management/config-lock.md @@ -38,10 +38,10 @@ Config lock will be available for all Windows Professional and Enterprise Editio Config lock isn't enabled by default, or turned on by the OS during boot. Rather, you need to turn it on. -The steps to turn on config lock using Microsoft Endpoint Manager (Microsoft Intune) are as follows: +The steps to turn on config lock using Microsoft Intune are as follows: 1. Ensure that the device to turn on config lock is enrolled in Microsoft Intune. -1. From the Microsoft Intune portal main page, select **Devices** > **Configuration Profiles** > **Create a profile**. +1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **Configuration Profiles** > **Create a profile**. 1. Select the following and press **Create**: - **Platform**: Windows 10 and later - **Profile type**: Templates 
diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md index 0dd98cccd4..99a1cc804d 100644 --- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md +++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md 
@@ -15,7 +15,7 @@ ms.topic: overview Use of personal devices for work, and employees working outside the office, may be changing how your organization manages devices. Certain parts of your organization might require deep, granular control over devices, while other parts might seek lighter, scenario-based management that empowers the modern workforce. Windows 10 offers the flexibility to respond to these changing requirements, and can easily be deployed in a mixed environment. You can shift the percentage of Windows 10 devices gradually, following the normal upgrade schedules used in your organization. -Your organization might have considered bringing in Windows 10 devices and downgrading them to an earlier version of Windows until everything is in place for a formal upgrade process. While this downgrade may appear to save costs due to standardization, greater savings can come from avoiding the downgrade and immediately taking advantage of the cost reductions Windows 10 can provide. Because Windows 10 devices can be managed using the same processes and technology as other previous Windows versions, it's easy for versions to coexist. +Your organization might have considered bringing in Windows 10 devices and downgrading them to an earlier version of Windows until everything is in place for a formal upgrade process. This downgrade may appear to save costs due to standardization. But, you typically save more if you don't downgrade, and immediately taking advantage of the cost reductions Windows 10 can provide. Because Windows 10 devices can be managed using the same processes and technology as other previous Windows versions, it's easy for versions to coexist. Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as Microsoft Endpoint Configuration Manager, Microsoft Intune, or other third-party products. 
This "managed diversity" enables you to empower your users to benefit from the productivity enhancements available on their new Windows 10 devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows 10 much faster. 
@@ -114,7 +114,7 @@ MDM with Intune provide tools for applying Windows updates to client computers i There are various steps you can take to begin the process of modernizing device management in your organization: -**Assess current management practices, and look for investments you might make today.** Which of your current practices need to stay the same, and which can you change? Specifically, what elements of traditional management do you need to retain and where can you modernize? Whether you take steps to minimize custom imaging, reevaluate settings management, or reassesses authentication and compliance, the benefits can be immediate. You can use [Group policy analytics in Microsoft Endpoint Manager](/mem/intune/configuration/group-policy-analytics) to help determine which group policies supported by cloud-based MDM providers, including Microsoft Intune. +**Assess current management practices, and look for investments you might make today.** Which of your current practices need to stay the same, and which can you change? Specifically, what elements of traditional management do you need to retain and where can you modernize? Whether you take steps to minimize custom imaging, reevaluate settings management, or reassesses authentication and compliance, the benefits can be immediate. You can use [Group policy analytics in Microsoft Intune](/mem/intune/configuration/group-policy-analytics) to help determine which group policies supported by cloud-based MDM providers, including Microsoft Intune. **Assess the different use cases and management needs in your environment.** Are there groups of devices that could benefit from lighter, simplified management? BYOD devices, for example, are natural candidates for cloud-based management. Users or devices handling more highly regulated data might require an on-premises Active Directory domain for authentication. 
Configuration Manager and EMS provide you the flexibility to stage implementation of modern management scenarios while targeting different devices the way that best suits your business needs. diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md index 49a866ecb5..0bacf6f8d2 100644 --- a/windows/client-management/mdm/accounts-csp.md +++ b/windows/client-management/mdm/accounts-csp.md @@ -73,13 +73,13 @@ This node specifies the username for a new local user account. This setting can This node specifies the password for a new local user account. This setting can be managed remotely. Supported operation is Add. -GET operation isn't supported. This setting will report as failed when deployed from the Endpoint Manager. +GET operation isn't supported. This setting will report as failed when deployed from Intune. **Users/_UserName_/LocalUserGroup** This optional node specifies the local user group that a local user account should be joined to. If the node isn't set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely. Supported operation is Add. -## Related topics +## Related articles [Configuration service provider reference](index.yml) diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md index 454ca55f69..58e6ece757 100644 --- a/windows/client-management/mdm/applicationcontrol-csp.md +++ b/windows/client-management/mdm/applicationcontrol-csp.md 
@@ -25,7 +25,7 @@ The table below shows the applicability of Windows: Windows Defender Application Control (WDAC) policies can be managed from an MDM server, or locally by using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently doesn't schedule a reboot. -Existing Windows Defender Application Control (WDAC) policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although, WDAC policy deployment via the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only. +Existing Windows Defender Application Control (WDAC) policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although WDAC policy deployment using the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only. The following example shows the ApplicationControl CSP in tree format. 
@@ -150,9 +150,9 @@ Scope is dynamic. Supported operation is Get. Value type is char. -## Microsoft Endpoint Manager Intune Usage Guidance +## Microsoft Intune Usage Guidance -For customers using Intune standalone or hybrid management with Microsoft Endpoint Configuration Manager to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune). +For customers using Intune standalone or hybrid management with Configuration Manager to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune). ## Generic MDM Server Usage Guidance @@ -329,6 +329,6 @@ New-CimInstance -Namespace $namespace -ClassName $policyClassName -Property @{Pa Get-CimInstance -Namespace $namespace -ClassName $policyClassName ``` -## Related topics +## Related articles [Configuration service provider reference](index.yml) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-networklistmanager.md b/windows/client-management/mdm/policy-csp-networklistmanager.md index b4811cb896..27b86f10fb 100644 --- a/windows/client-management/mdm/policy-csp-networklistmanager.md +++ b/windows/client-management/mdm/policy-csp-networklistmanager.md 
@@ -59,7 +59,7 @@ manager: aaroncz This policy setting provides the list of URLs (separated by Unicode character 0xF000) to endpoints accessible only within an enterprise's network. If any of the URLs can be resolved over HTTPS, the network would be considered authenticated. -When entering a list of TLS endpoints in Microsoft Endpoint Manager, you must follow this format, even in the UI: +When entering a list of TLS endpoints in Microsoft Intune, you must follow this format, even in the UI: `` @@ -107,6 +107,6 @@ This policy setting provides the string that is to be used to name a network. Th -## Related topics +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/quick-assist.md b/windows/client-management/quick-assist.md index 0b4918cbd6..90c733a3d0 100644 --- a/windows/client-management/quick-assist.md +++ b/windows/client-management/quick-assist.md 
@@ -123,13 +123,13 @@ For more information, visit [Install Quick Assist](https://support.microsoft.com Before installing Quick Assist, you'll need to set up synchronization between Intune and Microsoft Store for Business. If you've already set up sync, log into [Microsoft Store for Business](https://businessstore.microsoft.com) and skip to step 5. -1. Go to [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/) and navigate to **Tenant administration** / **Connectors and tokens** / **Microsoft Store for Business** and verify that **Microsoft Store for Business sync** is set to **Enable**. +1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Tenant administration** / **Connectors and tokens** / **Microsoft Store for Business** and verify that **Microsoft Store for Business sync** is set to **Enable**. 1. Using your Global Admin account, log into [Microsoft Store for Business](https://businessstore.microsoft.com). 1. Select **Manage** / **Settings** and turn on **Show offline apps**. 1. Choose the **Distribute** tab and verify that **Microsoft Intune** is **Active**. You may need to use the **+Add management tool** link if it's not. 1. Search for **Quick Assist** and select it from the Search results. 1. Choose the **Offline** license and select **Get the app** -1. From the Intune portal (Endpoint Manager admin center) choose **Sync**. +1. In the Endpoint Manager admin center, choose **Sync**. 1. Navigate to **Apps** / **Windows** and you should see **Quick Assist (Offline)** in the list. 1. Select it to view its properties. By default, the app won't be assigned to anyone or any devices, select the **Edit** link. 1. Assign the app to the required group of devices and choose **Review + save** to complete the application install.
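Review bot: In bulk-enrollment-using-windows-provisioning-tool.md, hunk @@ -28,12, the renamed NOTE bullet "Bulk enrollment works in Microsoft Intune where the ppkg is generated from the Configuration Manager console" now sits directly under the unchanged bullet "Bulk enrollment does not work in Intune standalone environment", so the two read as contradicting each other. The sentence depends on the Configuration Manager console, so reword it to name that scenario explicitly instead of a straight product-name swap. The paragraph above it also says the enrollment username and password are carried in the provisioning package; a sentence on treating the .ppkg as a file that contains credentials would be worth adding here.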
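Review bot: In bulk-enrollment-using-windows-provisioning-tool.md, hunk @@ -53,14, the continuation of step 7 still writes the sample UPN in straight quotes ("enrollment@contoso.com") while the previous hunk moved `enroll@contoso.com` and `enrollmentpassword` to code formatting. Apply the same formatting to the UPN here, in the first paragraph of hunk @@ -28,12, and in step 7.2 of hunk @@ -94,13, so sample account names are styled one way throughout the article.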
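Review bot: In bulk-enrollment-using-windows-provisioning-tool.md, hunk @@ -94,13, two typos sit in context lines next to the edited steps and are left in place: "Enter the **CertificatePasword**" (single "s"; check it against the setting name shown in WCD) and "Got to **Workplace** > **Enrollments**". Since this pass already touches steps 6.2 and 7.2, fix both in the same change. Step 4 here ("Select **Common to all Windows editions**") also differs from step 4 of the first procedure ("Select **All Windows editions** ... then select **Next**"); confirm which label the tool shows and align the two.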
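Review bot: In bulk-enrollment-using-windows-provisioning-tool.md, hunk @@ -120,32, the third bullet under "Apply a provisioning package" keeps a trailing label ("- article below") while the first two bullets had their "topic in Technet" and "topic in MSDN" suffixes removed. Drop the suffix on the third bullet too; the link is an in-page anchor, so the label adds nothing.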
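Review bot: In config-lock.md, hunk @@ -38,10, step 2 replaces "the Microsoft Intune portal main page" with "the [Endpoint Manager admin center]", while the sentence just above and every other file in this patch remove "Microsoft Endpoint Manager" in favor of "Microsoft Intune". If the admin center keeps the Endpoint Manager name on purpose, say so in the commit message; otherwise a reader sees the product renamed and the old name reintroduced within three lines. The same applies to steps 1 and 7 of the quick-assist.md hunk.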
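Review bot: In manage-windows-10-in-your-organization-modern-management.md, hunk @@ -15,7, the added sentence is not grammatical: "But, you typically save more if you don't downgrade, and immediately taking advantage of the cost reductions Windows 10 can provide." The second clause has no finite verb. Suggest "But you typically save more if you don't downgrade and instead immediately take advantage of the cost reductions Windows 10 can provide."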
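Review bot: In manage-windows-10-in-your-organization-modern-management.md, hunk @@ -114,7, the edited paragraph carries over two errors from the old line: "reassesses authentication and compliance" should be "reassess", and "to help determine which group policies supported by cloud-based MDM providers" is missing its verb ("are supported"). The line is already being rewritten for the link text, so correct both in the same edit.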
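Review bot: In mdm/accounts-csp.md, hunk @@ -73,13, the changed sentence "This setting will report as failed when deployed from Intune" does not say whether the Add operation on the password node actually succeeded. As written, an admin cannot tell a cosmetic report (because GET isn't supported) from a real failure to create the local account. State the cause and the actual outcome on the device in one sentence, since the next node lets the same profile place that account in the Administrators group.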
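Review bot: In mdm/policy-csp-networklistmanager.md, hunk @@ -59,7, the edited sentence ends "you must follow this format, even in the UI:" but the context line after it shows as an empty inline code span in this diff. Verify that the format example still renders in the published article; the setting text says the URLs are separated by Unicode character 0xF000, which readers cannot type correctly without seeing the example.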
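Review bot: In quick-assist.md, hunk @@ -123,13, step 1 changes "navigate to" to "go to" but the later step still reads "Navigate to **Apps** / **Windows**", and "log into" remains in both the intro and step 2; pick one verb set for the whole list. The step "Choose the **Offline** license and select **Get the app**" is also missing its final period. Separately, step 2 asks for "your Global Admin account"; is that role required for this Store for Business setting, or would a narrower role do?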