deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 21:37:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/master' into jdsh

Browse Source
This commit is contained in:
jdeckerMS 2017-06-12 06:53:45 -07:00
commit a7c7839f78
34 changed files with 1932 additions and 218 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.openpublishing.redirection.json
View File

@ -1,6 +1,11 @@
{
"redirections": [
{
"source_path": "windows/device-security/windows-security-baselines.md",
"redirect_url": "https://www.microsoft.com/download/details.aspx?id=55319",
"redirect_document_id": false
},
{
"source_path": "education/windows/windows-10-pro-to-pro-edu-upgrade.md",
"redirect_url": "/education/windows/switch-to-pro-education",
"redirect_document_id": true

6
devices/surface-hub/surfacehub-whats-new-1703.md
View File

@ -11,6 +11,12 @@ localizationpriority: medium
# What's new in Windows 10, version 1703 for Microsoft Surface Hub?
Watch Surface Hub engineer Jordan Marchese present updates to Microsoft Surface Hub with Windows 10, version 1703 (Creators Update).
<a href="http://www.youtube.com/watch?feature=player_embedded&v=R8tX10VIgq0
" target="_blank"><img src="http://img.youtube.com/vi/R8tX10VIgq0/0.jpg"
alt="Watch a video about Creators Update on Surface Hub" width="240" height="180" border="10" /></a>
Windows 10, version 1703 (also called the Creators Update), introduces the following changes for Microsoft Surface Hub:
## New settings

137
education/get-started/get-started-with-microsoft-education.md
View File

@ -1,7 +1,7 @@
---
title: Deploy and manage a full cloud IT solution with Microsoft Education
description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices.
keywords: education, Microsoft Education, Microsoft Education system, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, Microsoft Store for Education, Azure AD, Set up School PCs
keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@ -27,6 +27,7 @@ Hello, IT administrators! In this walkthrough, we'll show you how you can quickl
- **Office 365 for Education** provides online apps for work from anywhere and desktop apps for advanced functionality, built for working together and available across devices, and it's free for schools, teachers, and students
- **School Data Sync** to help automate the process for importing and integrating School Information System (SIS) data that you can use with Office 365
- **OneNote Class Notebook** to organize course content, create and deliver interactive lessons to some or all students, collaborate and provide private feedback to individual students, and connect with major LMS and SIS partners for assignment workflow
- **Microsoft Teams** to bring conversations, content, and apps together in one place and create collaborate classrooms, connect in professional learning communities, and communicate with school staff
- **Learning Tools** are moving beyond the OneNote desktop app and is now available in Office Lens, OneNote Online, Word Online, and Word desktop
- **Whiteboard** to create interactive lessons on the big screen, share and collaborate real-time by connecting to Class Notebook and Classroom
- **Windows 10, version 1703 (Creators Update)** which brings 3D for everyone and other new and updated Windows features
@ -43,6 +44,7 @@ Go to the <a href="https://www.microsoft.com/en-us/education" target="_blank">Mi
In this walkthrough, we'll show you the basics on how to:
- Acquire an Office 365 for Education tenant, if you don't already have one
- Import school, student, teacher, and class data using School Data Sync (SDS)
- Deploy Microsoft Teams to enable groups and teams in your school to communicate and collaborate
- Manage apps and settings deployment with Intune for Education
- Acquire additional apps in Microsoft Store for Education
- Use the Set up School PCs app to quickly set up and provision your Windows 10 education devices
@ -52,7 +54,7 @@ This diagram shows a high-level view of what we cover in this walkthrough. The n
**Figure 1** - Microsoft Education IT administrator workflow
![Deploy and manage a full cloud IT solution using Microsoft Education](images/microsoft-education-get-started-workflow.png)
![Deploy and manage a full cloud IT solution using Microsoft Education](images/microsoft_education_it_getstarted_workflow.png)
## Prerequisites
Complete these tasks before you start the walkthrough:
@ -116,7 +118,7 @@ Already have an Office 365 for Education verified tenant? Just sign in with your
![Intune for Education trial sign in page](images/i4e_trialsigninpage.png)
3. Enter your Office 365 global admin credentials to apply the Intune for Education trial to your tenant.
4. Skip ahead and follow the instructions in the walkthrough beginning with [3. Configure Microsoft Store for Education](#3-configure-microsoft-store-for-education).
4. Skip ahead and follow the instructions in the walkthrough beginning with [4. Configure Microsoft Store for Education](#4-configure-microsoft-store-for-education).
## 1. Set up a new Office 365 for Education tenant
@ -131,7 +133,7 @@ Don't have an Office 365 for Education verified tenant or just starting out? Fol
![Create an Office 365 account](images/o365_createaccount.png)
3. Save your sign-in info so you can use it to sign into <a href="https://portal.office.com" target="_blank">https://portal.office.com</a> (the sign-in page). Click **You're ready to go...**
3. Save your sign-in info so you can use it to sign in to <a href="https://portal.office.com" target="_blank">https://portal.office.com</a> (the sign-in page). Click **You're ready to go...**
4. In the **Verify eligibility for Microsoft Office 365 for Education** screen:
1. Add your domain name and follow the steps to confirm ownership of the domain.
2. Choose your DNS hosting provider to see step-by-step instructions on how to confirm that you own the domain.
@ -140,7 +142,7 @@ Don't have an Office 365 for Education verified tenant or just starting out? Fol
You may need to fill in other information to provide that you qualify for an education tenant. Provide and submit the info to Microsoft to continue verification for your tenant.
As part of setting up a basic cloud infrastructure, you don't need to complete the rest of the Office 365 for Education setup so we will skip the rest of setup for now and start importing school data. You can pick up where you left off with Office 365 for Education setup once you've completed the rest of the steps in the walkthrough. See [6.3 Complete Office 365 for Education setup](#63-complete-office-365-education-setup) for info.
As part of setting up a basic cloud infrastructure, you don't need to complete the rest of the Office 365 for Education setup so we will skip the rest of setup for now and start importing school data. You can pick up where you left off with Office 365 for Education setup once you've completed the rest of the steps in the walkthrough. See [7.3 Complete Office 365 for Education setup](#73-complete-office-365-education-setup) for info.
## 2. Use School Data Sync to import student data
@ -240,7 +242,7 @@ The Classroom application is retired, but you will need to assign the Classroom
3. Select the domain for the schools/sections. This domain will be used for the Section email addresses created during setup. If you have more than one domain, make sure you select the appropriate domain for the sync profile and subsequent sections being created.
4. In the **Select school and section properties** section, ensure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties, or deselect any properties, make sure you have the properties and values contained within the CSV files. For the walkthrough, you don't have to change the default.
5. In the **Sync option for Section Group Display Name**, check the box if you want to allow teachers to overwrite the section names. Otherwise, SDS will always reset the display name value for sections to the value contained within the CSV files.
6. In the **License Options** section, check the box to allow users being created to receive an Office 365 license.
6. In the **License Options** section, check the box to enable the Classroom Preview license for all synced students and teachers within the sync profile.
7. Check the **Intune for Education** checkbox to allow users to receive the Intune for Education license and to create the SDS dynamic groups and security groups, which be used within Intune for Education.
8. Click **Next**.
@ -295,35 +297,68 @@ The Classroom application is retired, but you will need to assign the Classroom
That's it for importing sample school data using SDS.
## 3. Configure Microsoft Store for Education
## 3. Enable Microsoft Teams for your school
Microsoft Teams is a digital hub that brings conversations, content, and apps together in one place. Because it's built on Office 365, schools benefit from integration with their familiar Office apps and services. Your institution can use Microsoft Teams to create collaborative classrooms, connect in professional learning communities, and communicate with school staff all from a single experience in Office 365 for Education.
To get started, IT administrators need to use the Office 365 Admin Center to enable Microsoft Teams for your school.
**Enable Microsoft Teams for your school**
1. Sign in to <a href="https://portal.office.com" target="_blank">Office 365</a> with your work or school account.
2. Click **Admin** to go to the Office 365 admin center.
3. Go to **Settings > Services & add-ins**.
4. On the **Services & add-ins** page, select **Microsoft Teams**.
**Figure 14** - Select Microsoft Teams from the list of services & add-ins
![Enable Microsoft Teams for your school](images/o365_settings_services_msteams.png)
5. On the Microsoft Teams settings screen, select the license that you want to configure, **Student** or **Faculty and Staff**.
**Figure 15** - Select the license that you want to configure
![Select the Microsoft Teams license that you want to configure](images/o365_msteams_settings.png)
6. After you select the license type, set the toggle to turn on Microsoft Teams for your organization.
**Figure 16** - Turn on Microsoft Teams for your organization
![Turn on Microsoft Teams for your organization](images/o365_msteams_turnon.png)
7. Click **Save**.
You can find more info about how to control which users in your school can use Microsoft Teams, turn off group creation, configure tenant-level settings, and more by reading the *Guide for IT admins** getting started guide in the <a href="https://aka.ms/MeetTeamsEdu" target="_blank">Meet Microsoft Teams</a> page.
## 4. Configure Microsoft Store for Education
You'll need to configure Microsoft Store for Education to accept the services agreement and make sure your Microsoft Store account is associated with Intune for Education.
**Associate your Microsoft Store account with Intune for Education**
1. Sign into <a href="https://educationstore.microsoft.com" target="_blank">Microsoft Store for Education</a>.
1. Sign in to <a href="https://educationstore.microsoft.com" target="_blank">Microsoft Store for Education</a>.
2. Accept the Microsoft Store for Business and Education Services Agreement.
This will take you to the Microsoft Store for Education portal.
**Figure 14** - Microsoft Store for Education portal
**Figure 17** - Microsoft Store for Education portal
![Microsoft Store for Education portal](images/msfe_store_portal.png)
3. In the Microsoft Store portal, click **Manage** to go to the Microsoft Store **Overview** page.
4. Find the **Overview** page, find the **Store settings** tile and click **Management tools**.
**Figure 15** - Select management tools from the list of Store settings options
**Figure 18** - Select management tools from the list of Store settings options
![Select management tools from list of Store settings options](images/msfe_storesettings_select_managementtools.png)
4. In the **Management tools** page, find **Microsoft Intune** on the list and click **Activate** to get Intune for Education ready for use with Microsoft Store for Education.
**Figure 16** - Activate Intune for Education as the management tool
**Figure 19** - Activate Intune for Education as the management tool
![Activate Intune for Education as the management tool](images/msfe_managementtools_activateintune.png)
Your Microsoft Store for Education account is now linked to Intune for Education so let's set that up next.
## 4. Use Intune for Education to manage groups, apps, and settings
## 5. Use Intune for Education to manage groups, apps, and settings
Intune for Education is a streamlined device management solution for educational institutions that can be used to quickly set up and manage Windows 10 devices for your school. It provides a new streamlined UI with the enterprise readiness and resiliency of the Intune service. You can learn more about Intune for Education by reading the <a href="https://docs.microsoft.com/intune-education" target="_blank">Intune for Education documentation</a>.
### Example - Set up Intune for Education, buy apps from the Store, and install the apps
@ -351,20 +386,20 @@ Intune for Education provides an **Express configuration** option so you can get
1. Log into the <a href="https://intuneeducation.portal.azure.com/" target="_blank">Intune for Education console</a>. You will see the Intune for Education dashboard once you're logged in.
**Figure 17** - Intune for Education dashboard
**Figure 20** - Intune for Education dashboard
![Intune for Education dashboard](images/i4e_portal.png)
2. On the dashboard, click **Launch Express Configuration**, or select the **Express configuration** option on the menu on the left.
3. In the **Welcome to Intune for Education** screen, click **Get started**.
**Figure 18** - Click Get started to set up Intune for Education
**Figure 21** - Click Get started to set up Intune for Education
![Click Get Started to configure groups, apps, and settings](images/i4e_expressconfiguration_welcome.png)
4. In the **Get school information (optional)** screen, it should indicate that SDS is already configured. Click **Next**.
**Figure 19** - SDS is configured
**Figure 22** - SDS is configured
![SDS is already configured](images/i4e_expressconfiguration_sdsconfigured.png)
@ -377,7 +412,7 @@ Intune for Education provides an **Express configuration** option so you can get
> [!TIP]
> At the top of the screen, did you notice the **Choose group** button change to a green check mark? This means we are done with that step. If you change your mind or need to make changes, simply click on the button to go back to that step. Try it!
>
> **Figure 20** - Click on the buttons to go back to that step
> **Figure 23** - Click on the buttons to go back to that step
>
> ![Click on the buttons to back to that step](images/i4e_expressconfiguration_choosebuttontogoback.png)
@ -390,7 +425,7 @@ Intune for Education provides an **Express configuration** option so you can get
> [!TIP]
> Web apps are pushed as links in the Windows Start menu under **All apps**. If you want apps to appear in Microsoft Edge browser tabs, use the **Homepages** setting for Microsoft Edge through **Express configuration** or **Manage Users and Devices**.
**Figure 21** - Choose the apps that you want to install for the group
**Figure 24** - Choose the apps that you want to install for the group
![Choose apps to install for the group](images/i4e_expressconfiguration_chooseapps_selected_cropped.png)
@ -400,7 +435,7 @@ Intune for Education provides an **Express configuration** option so you can get
8. In the **Choose settings** screen, we will set the settings to apply to the group. Click the reverse caret (downward-facing arrow) to expand the settings group and get more information about each setting in that settings group.
**Figure 22** - Expand the settings group to get more details
**Figure 25** - Expand the settings group to get more details
![Expand the settings group to get more info](images/i4e_expressconfiguration_choosesettings_expandcollapse_cropped_052217.png)
@ -408,20 +443,20 @@ Intune for Education provides an **Express configuration** option so you can get
- In the **Microsoft Edge settings** group, change the **Do-Not-Track headers** setting to **Require**.
- In the **App settings** group, change the **Microsoft Store for Business apps** setting to **Block**, and then set the **Require Microsoft Store for Business apps to be installed from private store** to **Require**.
**Figure 23** - Set some additional settings
**Figure 26** - Set some additional settings
![Set some additional settings](images/i4e_expressconfiguration_choosesettings_additionalsettings_cropped.png)
10. Click **Next**. In the **Review** screen, you will see a summary of the apps and settings you selected to apply.
**Figure 24** - Review the group, apps, and settings you configured
**Figure 27** - Review the group, apps, and settings you configured
![Review the group, apps, and settings you configured](images/i4e_expressconfiguration_review.png)
11. Click **Save** to end express configuration.
12. You will see the **You're done!** screen which lets you choose one of two options.
**Figure 25** - All done with Intune for Education express configuration
**Figure 28** - All done with Intune for Education express configuration
![Done with Intune for Education express configuration](images/i4e_expressconfiguration_alldone.png)
@ -438,13 +473,13 @@ Intune for Education provides an **Express configuration** option so you can get
1. In the <a href="https://intuneeducation.portal.azure.com/" target="_blank">Intune for Education console</a>, click **Apps** from the menu on the left.
**Figure 26** - Click on **Apps** to see the list of apps for your tenant
**Figure 29** - Click on **Apps** to see the list of apps for your tenant
![Click Apps to see the list of apps for your tenant](images/i4e_dashboard_clickapps.png)
2. In the **Store apps** section, click **+ New app**. This will take you to the Microsoft Store for Education portal and you will already be signed in.
**Figure 27** - Select the option to add a new Store app
**Figure 30** - Select the option to add a new Store app
![Select the option to add a new Store app](images/i4e_apps_newstoreapp_selected.png)
@ -463,7 +498,7 @@ Intune for Education provides an **Express configuration** option so you can get
For example, if you bought Duolingo and Khan Academy, they will show up in your inventory along with the apps that Microsoft automatically provisioned for your education tenant.
**Figure 28** - Apps inventory in Microsoft Store for Education
**Figure 31** - Apps inventory in Microsoft Store for Education
![Apps inventory in Store for Business](images/msfe_manageapps_inventory_grouped.png)
@ -478,40 +513,40 @@ Now that you've bought the apps, use Intune for Education to specify the group t
1. In the <a href="https://intuneeducation.portal.azure.com/" target="_blank">Intune for Education console</a>, click the **Groups** option from the menu on the left.
**Figure 29** - Groups page in Intune for Education
**Figure 32** - Groups page in Intune for Education
![Groups page in Intune for Education](images/i4e_groupspage.png)
2. In the **Groups** page, select **All Users** from the list of groups on the left, and then click **Users** in the taskbar at the top of the **All Users** page.
**Figure 30** - List of all users in the tenant
**Figure 33** - List of all users in the tenant
![List of all users in the tenant](images/i4e_groups_allusers_users_steps.png)
3. In the taskbar at the top, select **Apps** and then click **Edit apps** to see a list of available apps.
**Figure 31** - Edit apps to assign them to users
**Figure 34** - Edit apps to assign them to users
![Edit apps to assign them to users](images/i4e_groups_allusers_appspage_editapps.png)
4. Select the apps to deploy to the group. A blue checkmark will appear next to the apps you select.
**Figure 32** - Select the apps to deploy to the group
**Figure 35** - Select the apps to deploy to the group
![Select the apps to deploy to the group](images/i4e_groups_allusers_selectappstodeploy.png)
5. Once you're done, click **Save** at the bottom of the page to deploy the selected apps to the group.
6. You'll be notified that app assignments are being updated. The updated **All Users** groups page now include the apps you selected.
**Figure 33** - Updated list of assigned apps
**Figure 36** - Updated list of assigned apps
![Updated list of assigned apps](images/i4e_groups_allusers_updatedappslist.png)
You're now done assigning apps to all users in your tenant. It's time to set up your Windows 10 device(s) and check that your cloud infrastructure is correctly set up and your apps are being pushed to your devices from the cloud.
## 5. Set up Windows 10 devices
## 6. Set up Windows 10 devices
### 5.1 Set up devices using Set up School PCs or Windows OOBE
### 6.1 Set up devices using Set up School PCs or Windows OOBE
We recommend using the latest build of Windows 10, version 1703 on your education devices. To set up new Windows 10 devices and enroll them to your education tenant, choose from one of these options:
- **Option 1: [Use the Set up School PCs app](#usesetupschoolpcs)** - You can use the app to create a setup file that you can use to quickly set up one or more Windows 10 devices.
- **Option 2: [Go through Windows OOBE and join the device to Azure AD](#usewindowsoobandjoinaad)** - You can go through a typical Windows 10 device setup or first-run experience to configure your device.
@ -551,13 +586,13 @@ Set up School PCs makes it easy to set up Windows 10 PCs with Microsoft's recomm
1. If you don't have a Wi-Fi network configured, make sure you connect the device to the Internet through a wired or Ethernet connection.
2. Go through the Windows device setup experience. On a new or reset device, this starts with the **Let's start with region. Is this right?** screen.
**Figure 34** - Let's start with region
**Figure 37** - Let's start with region
![Let's start with region](images/win10_letsstartwithregion.png)
3. Continue with setup. In the **How would you like to set up?** screen, select **Set up for an organization**.
**Figure 35** - Select setup for an organization
**Figure 38** - Select setup for an organization
![Select setup for an organization](images/win10_setupforanorg.png)
@ -566,7 +601,7 @@ Set up School PCs makes it easy to set up Windows 10 PCs with Microsoft's recomm
6. Click **Accept** to go through the rest of device setup.
### 5.2 Verify correct device setup
### 6.2 Verify correct device setup
Verify that the device is set up correctly and boots without any issues.
**Verify that the device was set up correctly**
@ -576,11 +611,11 @@ Verify that the device is set up correctly and boots without any issues.
> [!NOTE]
> It may take some time before some apps are pushed down to your device from Intune for Education. Check again later if you don't see some of the apps you provisioned for the user.
**Figure 36** - Sample list of apps for a user
**Figure 39** - Sample list of apps for a user
![Apps list contains the apps provisioned for the user](images/win10_start_checkapps.png)
### 5.3 Verify the device is Azure AD joined
### 6.3 Verify the device is Azure AD joined
Let's now verify that the device is joined to your organization's Azure AD and shows up as being managed in Microsoft Intune for Education.
**Verify if the device is joined to Azure AD**
@ -588,7 +623,7 @@ Let's now verify that the device is joined to your organization's Azure AD and s
2. Select **Groups** and select **All Devices**.
3. In the **All Devices** page, see the list of devices and verify that the device you're signed into appears on the list.
**Figure 37** - List of all managed devices
**Figure 40** - List of all managed devices
![Verify that the device is managed in Intune for Education](images/i4e_groups_alldevices_listofaadjdevices.png)
@ -596,23 +631,23 @@ Let's now verify that the device is joined to your organization's Azure AD and s
5. Select **Accounts > Access work or school**.
6. In the **Access work or school** page, confirm that the device is connected to the organization's Azure AD.
**Figure 38** - Confirm that the Windows 10 device is joined to Azure AD
**Figure 41** - Confirm that the Windows 10 device is joined to Azure AD
![Confirm that the Windows 10 device is joined to Azure AD](images/win10_confirmaadj.png)
**That's it! You're done!** You've completed basic cloud setup, deployment, and management using Microsoft Education. You can continue follow the rest of the walkthrough to finish setup and complete other tasks.
## 6. Finish setup and other tasks
## 7. Finish setup and other tasks
### 6.1 Update group settings in Intune for Education
### 7.1 Update group settings in Intune for Education
If you need to make changes or updates to any of the apps or settings for the group(s), follow these steps.
1. Log in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank">Intune for Education console</a>.
2. Click **Groups** and then choose **Settings** in the taskbar at the top of the page.
3. You will see the same settings groups that you saw in express setup for Intune for Education as well as other settings categories such as **Windows Defender settings**, **Device sharing**, **Edition upgrade**, and so on.
**Figure 39** - See the list of available settings in Intune for Education
**Figure 42** - See the list of available settings in Intune for Education
![See the list of available settings in Intune for Education](images/i4e_groups_settingslist_full.png)
@ -622,7 +657,7 @@ If you need to make changes or updates to any of the apps or settings for the gr
5. Click **Save** or **Discard changes**.
### 6.2 Configure Azure settings
### 7.2 Configure Azure settings
After completing the basic setup for your cloud infrastructure and confirming that it is up and running, it's time to prepare for additional devices to be added and enable capabilities for the user to use.
#### Enable many devices to be added by a single person
@ -634,7 +669,7 @@ Follow the steps in this section to enable a single person to add many devices t
2. Configure the device settings for the school's Active Directory. To do this, go to the new Azure portal, <a href="https://portal.azure.com" target="_blank">https://portal.azure.com</a>.
3. Select **Azure Active Directory > Users and groups > Device settings**.
**Figure 40** - Device settings in the new Azure portal
**Figure 43** - Device settings in the new Azure portal
![Configure device settings in the new Azure portal](images/azure_newportal_usersandgroups_devicesettings.png)
@ -651,22 +686,22 @@ Follow the steps in this section to ensure that settings for the each user follo
3. Select **Azure Active Directory > Users and groups > Device settings**.
4. Find the setting **Users may sync settings and enterprise app data** and change the value to **All**.
**Figure 41** - Enable settings to roam with users
**Figure 44** - Enable settings to roam with users
![Enable settings to roam with users](images/azure_usersandgroups_devicesettings_ers.png)
5. Click **Save** to update device settings.
### 6.3 Complete Office 365 for Education setup
### 7.3 Complete Office 365 for Education setup
Now that your basic cloud infrastructure is up and running, it's time to complete the rest of the Office 365 for Education setup. You can find detailed information about completing Office 365 setup, services and applications, troubleshooting, and more by reading the <a href="https://support.office.com/en-US/Article/set-up-Office-365-for-business-6a3a29a0-e616-4713-99d1-15eda62d04fa#ID0EAAAABAAA=Education" target="_blank">Office 365 admin documentation</a>.
### 6.4 Add more users
### 7.4 Add more users
After your cloud infrastructure is set up and you have a device management strategy in place, you may need to add more users and you want the same policies to apply to these users. You can add new users to your tenant simply by adding them to the Office 365 groups. Adding new users to Office 365 groups automatically adds them to the corresponding groups in Intune for Education.
See <a href="https://support.office.com/en-us/article/Add-users-to-Office-365-for-business-435ccec3-09dd-4587-9ebd-2f3cad6bc2bc" target="_blank">Add users to Office 365</a> to learn more. Once you're done adding new users, go to the <a href="https://intuneeducation.portal.azure.com/" target="_blank">Intune for Education console</a> and verify that the same users were added to the Intune for Education groups as well.
### 6.5 Connect other devices to your cloud infrastructure
Adding a new device to your cloud-based tenant is easy. For new devices, you can follow the steps in [5. Set up Windows 10 devices](#5-set-up-windows-10-devices). For other devices, such as those personally-owned by teachers who need to connect to the school network to access work or school resources (BYOD), you can follow the steps in this section to get these devices connected.
### 7.5 Connect other devices to your cloud infrastructure
Adding a new device to your cloud-based tenant is easy. For new devices, you can follow the steps in [6. Set up Windows 10 devices](#6-set-up-windows-10-devices). For other devices, such as those personally-owned by teachers who need to connect to the school network to access work or school resources (BYOD), you can follow the steps in this section to get these devices connected.
> [!NOTE]
> These steps enable users to get access to the organization's resources, but it also gives the organization some control over the device.
@ -679,7 +714,7 @@ Adding a new device to your cloud-based tenant is easy. For new devices, you can
For example, if a teacher connects their personal device to the school network, they'll see the following screen after typing in their account information.
**Figure 42** - Device is now managed by Intune for Education
**Figure 45** - Device is now managed by Intune for Education
![Device is managed by Intune for Education](images/byob_aad_enrollment_intune.png)
@ -689,11 +724,11 @@ Adding a new device to your cloud-based tenant is easy. For new devices, you can
5. After the user's credentails are validated, the window will refresh and will now include an entry that shows the device is now connected to the organization's MDM. This means the device is now enrolled in Intune for Education MDM and the account should have access to the organization's resources.
**Figure 43** - Device is connected to organization's MDM
**Figure 46** - Device is connected to organization's MDM
![Device is connected to organization's MDM](images/win10_connectedtoorgmdm.png)
6. You can confirm that the new device and user are showing up as Intune for Education-managed by going to the Intune for Education management portal and following the steps in [5.3 Verify the device is Azure AD joined](#53-verify-the-device-is-azure-ad-joined).
6. You can confirm that the new device and user are showing up as Intune for Education-managed by going to the Intune for Education management portal and following the steps in [6.3 Verify the device is Azure AD joined](#63-verify-the-device-is-azure-ad-joined).
It may take several minutes before the new device shows up so check again later.

BIN
education/get-started/images/microsoft_education_it_getstarted_workflow.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 454 KiB

BIN
education/get-started/images/o365_msteams_settings.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 37 KiB

BIN
education/get-started/images/o365_msteams_turnon.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 54 KiB

BIN
education/get-started/images/o365_settings_services_msteams.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 120 KiB

38
education/index.md
View File

@ -207,6 +207,25 @@ author: CelesteDG
</div>
</a>
</li>
<li>
<a href="/education/windows/use-set-up-school-pcs-app">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-pro-usb.svg" alt="Set up School PCs" />
</div>
</div>
<div class="cardText">
<h3>Set up School PCs</h3>
<p>Use the app to create a provisioning package that you can use to quickly set up one or more Windows 10 devices.</p>
</div>
</div>
</div>
</div>
</a>
</li>
</ul>
</li>
</ul>
@ -331,6 +350,25 @@ author: CelesteDG
</div>
</a>
</li>
<li>
<a href="/education/windows/use-set-up-school-pcs-app">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-pro-usb.svg" alt="Set up School PCs" />
</div>
</div>
<div class="cardText">
<h3>Set up School PCs</h3>
<p>Use the app to create a provisioning package that you can use to quickly set up one or more Windows 10 devices.</p>
</div>
</div>
</div>
</div>
</a>
</li>
</ul>
</li>
</ul>

1
education/windows/change-history-edu.md
View File

@ -1,6 +1,7 @@
---
title: Change history for Windows 10 for Education (Windows 10)
description: New and changed topics in Windows 10 for Education
keywords: Windows 10 education documentation, change history
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library

2
education/windows/chromebook-migration-guide.md
View File

@ -2,7 +2,7 @@
title: Chromebook migration guide (Windows 10)
description: In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment.
ms.assetid: 7A1FA48A-C44A-4F59-B895-86D4D77F8BEA
keywords: migrate, automate, device
keywords: migrate, automate, device, Chromebook migration
ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library

6
education/windows/configure-windows-for-education.md
View File

@ -1,7 +1,7 @@
---
title: Windows 10 configuration recommendations for education customers
description: Provides guidance on ways to configure the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, so that Windows is ready for your school.
keywords: ["Windows 10 deployment", "recommendations", "privacy settings", "school", "education", "configurations"]
keywords: Windows 10 deployment, recommendations, privacy settings, school, education, configurations
ms.mktglfcycl: plan
ms.sitesec: library
localizationpriority: high
@ -64,7 +64,7 @@ You can configure Windows through provisioning or management tools including ind
You can set all the education compliance areas through both provisioning and management tools. Additionally, these Microsoft education tools will ensure PCs that you set up are education ready:
- [Set up School PCs](use-set-up-school-pcs-app.md)
- Intune for Education (coming soon)
- [Intune for Education](https://docs.microsoft.com/en-us/intune-education/available-settings)
## AllowCortana
**AllowCortana** is a policy that enables or disables Cortana. It is a policy node in the Policy configuration service provider, [AllowCortana](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowcortana).
@ -145,7 +145,7 @@ Provide an ad-free experience that is a safer, more private search option for K
### Configurations
#### IP registration for entire school network using Microsoft Edge
Ad-free searching with Bing in Microsoft Edge can be configured at the network level. To configure this, email bicteam@microsoft.com with the subject "New Windows 10, version 1703 (Creators Update) Registration: [School District Name]" and the include the following information in the body of the email.
Ad-free searching with Bing in Microsoft Edge can be configured at the network level. To configure this, email bingintheclassroom@microsoft.com with the subject "New Windows 10, version 1703 (Creators Update) Registration: [School District Name]" and the include the following information in the body of the email.
**District information**
- **District or School Name:**

2
education/windows/deploy-windows-10-in-a-school-district.md
View File

@ -1,7 +1,7 @@
---
title: Deploy Windows 10 in a school district (Windows 10)
description: Learn how to deploy Windows 10 in a school district. Integrate the school environment with Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD), use System Center Configuration Manager, Intune, and Group Policy to manage devices.
keywords: configure, tools, device, school
keywords: configure, tools, device, school district, deploy Windows 10
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: edu

2
education/windows/deploy-windows-10-in-a-school.md
View File

@ -1,7 +1,7 @@
---
title: Deploy Windows 10 in a school (Windows 10)
description: Learn how to integrate your school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD). Deploy Windows 10 and apps to new devices or upgrade existing devices to Windows 10. Manage faculty, students, and devices by using Microsoft Intune and Group Policy.
keywords: configure, tools, device, school
keywords: configure, tools, device, school, deploy Windows 10
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: edu

2
education/windows/edu-deployment-recommendations.md
View File

@ -1,7 +1,7 @@
---
title: Deployment recommendations for school IT administrators
description: Provides guidance on ways to customize the OS privacy settings, as well as some of the apps, for Windows-based devices used in schools so that you can choose what information is shared with Microsoft.
keywords: ["Windows 10 deployment", "recommendations", "privacy settings", "school"]
keywords: Windows 10 deployment, recommendations, privacy settings, school
ms.mktglfcycl: plan
ms.sitesec: library
localizationpriority: high

2
education/windows/education-scenarios-store-for-business.md
View File

@ -1,7 +1,7 @@
---
title: Education scenarios Microsoft Store for Education
description: Learn how IT admins and teachers can use Microsoft Store for Education to acquire and manage apps in schools.
keywords: ["school", "store for business"]
keywords: school, Microsoft Store for Education, Microsoft education store
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library

2
education/windows/get-minecraft-for-education.md
View File

@ -1,7 +1,7 @@
---
title: Get Minecraft Education Edition
description: Learn how to get and distribute Minecraft Education Edition.
keywords: school, minecraft
keywords: school, Minecraft, education edition
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library

2
education/windows/school-get-minecraft.md
View File

@ -1,7 +1,7 @@
---
title: For IT administrators get Minecraft Education Edition
description: Learn how IT admins can get and distribute Minecraft in their schools.
keywords: ["school"]
keywords: Minecraft, Education Edition, IT admins, acquire
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library

2
education/windows/set-up-students-pcs-to-join-domain.md
View File

@ -1,7 +1,7 @@
---
title: Set up student PCs to join domain
description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory.
keywords: school
keywords: school, student PC setup, Windows Configuration Designer
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library

2
education/windows/set-up-students-pcs-with-apps.md
View File

@ -1,7 +1,7 @@
---
title: Provision student PCs with apps
description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory.
keywords: ["shared cart", "shared PC", "school"]
keywords: shared cart, shared PC, school, provision PCs with apps, Windows Configuration Designer
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library

2
education/windows/take-a-test-app-technical.md
View File

@ -1,7 +1,7 @@
---
title: Take a Test app technical reference
description: The policies and settings applied by the Take a Test app.
keywords: take a test, test taking, school
keywords: take a test, test taking, school, policies
ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library

2
education/windows/take-a-test-multiple-pcs.md
View File

@ -1,7 +1,7 @@
---
title: Set up Take a Test on multiple PCs
description: Learn how to set up and use the Take a Test app on multiple PCs.
keywords: ["take a test", "test taking", "school"]
keywords: take a test, test taking, school, set up on multiple PCs
ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library

2
education/windows/take-a-test-single-pc.md
View File

@ -1,7 +1,7 @@
---
title: Set up Take a Test on a single PC
description: Learn how to set up and use the Take a Test app on a single PC.
keywords: take a test, test taking, school
keywords: take a test, test taking, school, set up on single PC
ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library

2
education/windows/take-tests-in-windows-10.md
View File

@ -1,7 +1,7 @@
---
title: Take tests in Windows 10
description: Learn how to set up and use the Take a Test app.
keywords: take a test, test taking, school
keywords: take a test, test taking, school, how to, use Take a Test
ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library

2
education/windows/teacher-get-minecraft.md
View File

@ -1,7 +1,7 @@
---
title: For teachers get Minecraft Education Edition
description: Learn how teachers can get and distribute Minecraft.
keywords: ["school", "minecraft"]
keywords: school, Minecraft, Education Edition, educators, teachers, acquire, distribute
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library

2
education/windows/use-set-up-school-pcs-app.md
View File

@ -1,7 +1,7 @@
---
title: Use Set up School PCs app
description: Learn how the Set up School PCs app works and how to use it.
keywords: shared cart, shared PC, school, set up school pcs
keywords: shared cart, shared PC, school, Set up School PCs, overview, how to use
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library

2
windows/client-management/mdm/TOC.md
View File

@ -198,6 +198,8 @@
#### [SUPL DDF file](supl-ddf-file.md)
### [SurfaceHub CSP](surfacehub-csp.md)
#### [SurfaceHub DDF file](surfacehub-ddf-file.md)
### [TPMPolicy CSP](tpmpolicy-csp.md)
#### [TPMPolicy DDF file](tpmpolicy-ddf-file.md)
### [UnifiedWriteFilter CSP](unifiedwritefilter-csp.md)
#### [UnifiedWriteFilter DDF file](unifiedwritefilter-ddf.md)
### [Update CSP](update-csp.md)

42
windows/client-management/mdm/configuration-service-provider-reference.md
View File

@ -11,6 +11,9 @@ author: nickbrower
# Configuration service provider reference
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device. These settings map to registry keys or files. Some configuration service providers support the WAP format, some support SyncML, and some support both. SyncML is only used overtheair for Open Mobile Alliance Device Management (OMA DM), whereas WAP can be used overtheair for OMA Client Provisioning, or it can be included in the phone image as a .provxml file that is installed during boot.
For information about the bridge WMI provider classes that map to these CSPs, see [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/hardware/dn905224).
@ -1164,10 +1167,10 @@ The following tables show the configuration service providers support in Windows
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
@ -2044,6 +2047,34 @@ The following tables show the configuration service providers support in Windows
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[TPMPolicy CSP](tpmpolicy-csp.md)
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[UnifiedWriteFilter CSP](unifiedwritefilter-csp.md)
@ -2358,7 +2389,8 @@ The following tables show the configuration service providers support in Windows
 Footnotes:
- 1 - Added in Windows 10, version 1607
- 2 - Added in Windows 10, version 1703
- 2 - Added in Windows 10, version 1703
- 3 - Added in the next major update to Windows 10
> [!Note]
> You can download the Windows 10 version 1607 DDF files from [here](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip).

4
windows/client-management/mdm/firewall-csp.md
View File

@ -13,10 +13,12 @@ author: nickbrower
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, as well as the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage both domain joined and non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP is new in the next major update to Windows 10.
The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, as well as the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP is new in the next major update to Windows 10.
Firewall configuration commands must be wrapped in an Atomic block in SyncML.
For detailed information on some of the fields below see [[MS-FASP]: Firewall and Advanced Security Protocol documentation](https://msdn.microsoft.com/en-us/library/mt620101.aspx).
The following diagram shows the Firewall configuration service provider in tree format.
![firewall csp](images/provisioning-csp-firewall.png)

BIN
windows/client-management/mdm/images/provisioning-csp-tpmpolicy.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 3.2 KiB

41
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -14,6 +14,8 @@ author: nickbrower
# What's new in MDM enrollment and management
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic provides information about what's new and breaking changes in Windows 10 mobile device management (MDM) enrollment and management experience across all Windows 10 devices.
@ -640,6 +642,16 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>SmartScreen/EnableAppInstallControl</li>
<li>SmartScreen/EnableSmartScreenInShell</li>
<li>SmartScreen/PreventOverrideForFilesInShell</li>
<li>Start/AllowPinnedFolderDocuments</li>
<li>Start/AllowPinnedFolderDownloads</li>
<li>Start/AllowPinnedFolderFileExplorer</li>
<li>Start/AllowPinnedFolderHomeGroup</li>
<li>Start/AllowPinnedFolderMusic</li>
<li>Start/AllowPinnedFolderNetwork</li>
<li>Start/AllowPinnedFolderPersonalFolder </li>
<li>Start/AllowPinnedFolderPictures</li>
<li>Start/AllowPinnedFolderSettings</li>
<li>Start/AllowPinnedFolderVideos</li>
<li>Start/HideAppList</li>
<li>Start/HideChangeAccountSettings</li>
<li>Start/HideFrequentlyUsedApps</li>
@ -661,6 +673,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>TextInput/AllowKeyboardTextSuggestions</li>
<li>TimeLanguageSettings/AllowSet24HourClock</li>
<li>Update/ActiveHoursMaxRange</li>
<li>Update/AutoRestartDeadlinePeriodInDays</li>
<li>Update/AutoRestartNotificationSchedule</li>
<li>Update/AutoRestartNotificationStyle</li>
<li>Update/AutoRestartRequiredNotificationDismissal</li>
@ -892,6 +905,10 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>[Policy CSP](policy-configuration-service-provider.md)</li>
</ul>
</td></tr>
<tr class="even">
<td style="vertical-align:top">[TPMPolicy CSP](tpmpolicy-csp.md)</td>
<td style="vertical-align:top">New CSP added in Windows 10, version 1703.</td>
</tr>
</tbody>
</table> 
@ -1180,7 +1197,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<td style="vertical-align:top">[Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md)</td>
<td style="vertical-align:top">Added a list of registry locations that ingested policies are allowed to write to.</td>
</tr>
<tr class="odd">
<tr class="even">
<td style="vertical-align:top">[Firewall CSP](firewall-csp.md)</td>
<td style="vertical-align:top">Added the following nodes:
<ul>
@ -1191,6 +1208,28 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<li>Status</li>
</ul>
Also Added [Firewall DDF file](firewall-ddf-file.md).</td></tr>
<tr class="odd">
<td style="vertical-align:top">[TPMPolicy CSP](tpmpolicy-csp.md)</td>
<td style="vertical-align:top">New CSP added in Windows 10, version 1703.</td>
</tr>
<tr class="even">
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
<td style="vertical-align:top">
<p>Added the following new policies for Windows 10, version 1703:</p>
<ul>
<li>Start/AllowPinnedFolderDocuments</li>
<li>Start/AllowPinnedFolderDownloads</li>
<li>Start/AllowPinnedFolderFileExplorer</li>
<li>Start/AllowPinnedFolderHomeGroup</li>
<li>Start/AllowPinnedFolderMusic</li>
<li>Start/AllowPinnedFolderNetwork</li>
<li>Start/AllowPinnedFolderPersonalFolder </li>
<li>Start/AllowPinnedFolderPictures</li>
<li>Start/AllowPinnedFolderSettings</li>
<li>Start/AllowPinnedFolderVideos</li>
<li>Update/AutoRestartDeadlinePeriodInDays</li>
</ul>
</td></tr>
</tbody>
</table>

1638
windows/client-management/mdm/policy-configuration-service-provider.md
View File

File diff suppressed because it is too large Load Diff

55
windows/client-management/mdm/tpmpolicy-csp.md Normal file
View File

@ -0,0 +1,55 @@
---
title: TPMPolicy CSP
description: TPMPolicy CSP
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# TPMPolicy CSP
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero exhaust configuration on a Windows device for TPM software components. Zero exhaust is defined as no network traffic (telemetry or otherwise, such as downloading background images, Windows Updates, etc.) from Windows and inbox applications to public IP addresses unless directly intended by the user. This allows the enterprise admin to configure devices where no network communication is initiated by the system without explicit approval.
The TPMPolicy CSP was added in Windows 10, version 1703.
The following diagram shows the TPMPolicy configuration service provider in tree format.
![tpmpolicy csp](images/provisioning-csp-tpmpolicy.png)
<a href="" id="--device-vendor-msft-tpmpolicy"></a>**./Device/Vendor/MSFT/TPMPolicy**
<p style="margin-left: 20px">Defines the root node.</p>
<a href="" id="isactivezeroexhaust"></a>**IsActiveZeroExhaust**
<p style="margin-left: 20px">Boolean value that indicates whether network traffic from the device to public IP addresses are not allowed unless directly intended by the user (zero exhaust). Default value is false. Some examples when zero exhaust is configured:</p>
<ul>
<li>There should be no traffic when machine is on idle. When the user is not interacting with the system/device, no traffic is expected. </li>
<li>There should be no traffic during installation of Windows and first logon when local ID is used.</li>
<li>Launching and using a local app (Notepad, Paint, etc.) should not send any traffic. Similarly, performing common tasks (clicking on start menu, browsing folders, etc.) should not send any traffic.</li>
<li>Launching and using Internet enabled apps should not send any unexpected traffic (for maintenance, diagnostic, telemetry, etc.) to Microsoft.</li>
</ul>
Here is an example:
``` syntax
                <Replace>
                    <CmdID>101</CmdID>
                    <Item>
                        <Target>
                            <LocURI>
                                ./Vendor/MSFT/TpmPolicy/IsActiveZeroExhaust
                            </LocURI>
                        </Target>
                        <Meta>
<Format>bool</Format>
               <Type>text/plain</Type>
        </Meta>
        <Data>true</Data>
                    </Item>
                </Replace>
```

71
windows/client-management/mdm/tpmpolicy-ddf-file.md Normal file
View File

@ -0,0 +1,71 @@
---
title: TPMPolicy DDF file
description: TPMPolicy DDF file
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# TPMPolicy DDF file
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **TPMPolicy** configuration service provider. The TPMPolicy CSP was added in Windows 10, version 1703.
The XML below is the current version for this CSP.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>TPMPolicy</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.0/MDM/TPMPolicy</MIME>
</DFType>
</DFProperties>
<Node>
<NodeName>IsActiveZeroExhaust</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>False</DefaultValue>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</MgmtTree>
```

74
windows/device-security/windows-security-baselines.md
View File

@ -1,74 +0,0 @@
---
title: Windows security baselines (Windows 10)
description: Use this topic to learn what security baselines are and how you can use them in your organization to help keep your devices secure.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
localizationpriority: high
author: brianlic-msft
---
# Windows security baselines
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2012 R2
Microsoft is dedicated to provide our customers with a secure operating system, such as Windows 10 and Windows Server, as well as secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control of your environments by providing various configuration capabilities. Even though Windows and Windows Server are designed to be secure out-of-the-box, a large number of organizations still want more granular control of their security configurations. To navigate these large number of controls, organizations need guidance for configuring various security features. Microsoft provides this guidance in the form of security baselines.
We recommend implementing an industry-standard configuration that is broadly known and well-tested, such as a Microsoft security baseline, as opposed to creating one yourself. This helps increase flexibility and reduce costs.
> [!NOTE]
> Microsoft Security Compliance Manager 4.0 is available from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=53353).
## What are security baselines?
Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be completely different from another organization. For example, an e-commerce company may focus on protecting their Internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization.
A security baseline is a collection of settings that have a security impact and include Microsofts recommended value for configuring those settings along with guidance on the security impact of those settings. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and
customers.
## Why are security baselines needed?
Security baselines are an essential benefit to customers because they bring together expert knowlege from Microsoft, partners, and customers.
For example, there are over 3,000 Group Policy settings for Windows 10, which does not include over 1,800 Internet Explorer 11 settings. Of those 4,800 settings, only some of them are security-related. While Microsoft provides extensive guidance on different security features, going through each of them can take a long time. You would have to determine the security impact of each setting on your own. After you've done that, you still need to determine what values each of these settings should be.
In modern organizations, the security threat landscape is constantly evolving. IT pros and policy makers must keep current with security threats and changes to Windows security settings to help mitigate these threats.
To help faster deployments and increase the ease of managing Windows, Microsoft provides customers with security baselines that are available in formats that can be consumed, such as Group Policy Objects backups.
## How can you use security baselines?
You can use security baselines to:
- Ensure that user and device configuration settings are compliant with the baseline.
- Set configuration settings. For example, you can use Group Policy, System Center Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline.
## Where can I get the security baselines?
Here's a list of security baselines that are currently available.
> [!NOTE]
> If you want to know what has changed with each security baseline, or if you want to stay up-to-date on whats happening with them, check out the [Microsoft Security Guidance](http://blogs.technet.microsoft.com/secguide) blog.
### Windows 10 security baselines
- [Windows 10, version 1607 and Windows Server 2016 security baseline](https://go.microsoft.com/fwlink/?linkid=831663)
- [Windows 10, Version 1511 security baseline](https://go.microsoft.com/fwlink/p/?LinkID=799381)
- [Windows 10, Version 1507 security baseline](https://go.microsoft.com/fwlink/p/?LinkID=799380)
### Windows Server security baselines
- [Windows 10, version 1607 and Windows Server 2016 security baseline](https://go.microsoft.com/fwlink/?linkid=831663)
- [Windows Server 2012 R2 security baseline](https://go.microsoft.com/fwlink/p/?LinkID=799382)
## How can I monitor security baseline deployments?
Microsofts Operation Management Services (OMS) helps you monitor security baseline deployments across your servers. To find out more, check out [Operations Management Suite](https://aka.ms/omssecscm).
You can use [System Center Configuration Manager](https://www.microsoft.com/cloud-platform/system-center-configuration-manager) to monitor security baseline deployments on client devices within your organization.