Merge remote-tracking branch 'refs/remotes/origin/master' into jd-sandbox

jdeckerMS 2016-04-07 07:00:30 -07:00
commit a83d5d79b0
57 changed files with 791 additions and 2192 deletions


@ -9,32 +9,23 @@ author: jdeckerMS
--- ---
# Activate by Proxy an Active Directory Forest # Activate by Proxy an Active Directory Forest
You can use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate by proxy an Active Directory (AD) forest for an isolated workgroup that does not have Internet access. ADBA enables certain volume products to inherit activation from the domain. You can use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate by proxy an Active Directory (AD) forest for an isolated workgroup that does not have Internet access. ADBA enables certain volume products to inherit activation from the domain.
**Important**   **Important**  
ADBA is only applicable to Generic Volume License Keys (GVLKs) and KMS Host key (CSVLK). To use ADBA, one or more KMS Host keys (CSVLK) must be installed on the AD forest, and client keys (GVLKs) must be installed on the client products. ADBA is only applicable to Generic Volume License Keys (GVLKs) and KMS Host key (CSVLK). To use ADBA, one or more KMS Host keys (CSVLK) must be installed on the AD forest, and client keys (GVLKs) must be installed on the client products.
 
In a typical proxy-activation scenario, the VAMT host computer distributes a product key to one or more client computers and collects the installation ID (IID) from each computer. The VAMT host computer sends the IIDs to Microsoft on behalf of the client computers and obtains the corresponding Confirmation IDs (CIDs). The VAMT host computer then installs the CIDs on the client computer to complete the activation. If you use this activation method, only the VAMT host computer needs to have Internet access. In a typical proxy-activation scenario, the VAMT host computer distributes a product key to one or more client computers and collects the installation ID (IID) from each computer. The VAMT host computer sends the IIDs to Microsoft on behalf of the client computers and obtains the corresponding Confirmation IDs (CIDs). The VAMT host computer then installs the CIDs on the client computer to complete the activation. If you use this activation method, only the VAMT host computer needs to have Internet access.
**Note**   **Note**  
For workgroups that are isolated from any larger network, you can still perform an AD forest activation. This requires installing a second instance of VAMT on a computer in the isolated group and using removable media to transfer activation data between that computer and another VAMT host computer that has Internet access. You can also activate by proxy a KMS Host key (CSVLK) in the core network if you do not want the host computer to connect to Microsoft over the Internet. For workgroups that are isolated from any larger network, you can still perform an AD forest activation. This requires installing a second instance of VAMT on a computer in the isolated group and using removable media to transfer activation data between that computer and another VAMT host computer that has Internet access. You can also activate by proxy a KMS Host key (CSVLK) in the core network if you do not want the host computer to connect to Microsoft over the Internet.
 
## Requirements ## Requirements
Before performing proxy activation, ensure that the network and the VAMT installation meet the following requirements: Before performing proxy activation, ensure that the network and the VAMT installation meet the following requirements:
- There is an instance of VAMT that is installed on a computer that has Internet access. If you are performing proxy activation for an isolated workgroup, you must also have VAMT installed on one of the computers in the workgroup.
1. There is an instance of VAMT that is installed on a computer that has Internet access. If you are performing proxy activation for an isolated workgroup, you must also have VAMT installed on one of the computers in the workgroup. - VAMT has administrative permissions to the Active Directory domain.
2. VAMT has administrative permissions to the Active Directory domain. **To perform an Active Directory forest proxy activation**
### To Perform an Active Directory Forest Proxy Activation
1. Open VAMT. 1. Open VAMT.
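Review bot: The second requirement, "VAMT has administrative permissions to the Active Directory domain", does not say which rights are needed. The Active Directory-based activation page touched in this same commit states that Enterprise Administrators membership is required because the setup changes forest-wide settings; consider naming the required group here too so readers do not over- or under-provision the account that runs VAMT.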
@ -49,13 +40,11 @@ Before performing proxy activation, ensure that the network and the VAMT install
**Important**   **Important**  
If you want to rename the ADBA object, you must do it now. After you click **Install Key**, the name cannot be changed. If you want to rename the ADBA object, you must do it now. After you click **Install Key**, the name cannot be changed.
 
6. Enter the name of the file where you want to save the offline installation ID, or browse to the file location and then click **Open**. If you are activating an AD forest in an isolated workgroup, save the .cilx file to a removable media device. 6. Enter the name of the file where you want to save the offline installation ID, or browse to the file location and then click **Open**. If you are activating an AD forest in an isolated workgroup, save the .cilx file to a removable media device.
7. Click **Install Key**. 7. Click **Install Key**.
8. VAMT displays the **Activating Active Directory** dialog box until it completes the requested action. The activated object and the date that it was created appear in the **Active Directory-Based Activation** node in the center pane. VAMT displays the **Activating Active Directory** dialog box until it completes the requested action. The activated object and the date that it was created appear in the **Active Directory-Based Activation** node in the center pane.
9. Insert the removable media into the VAMT host that has Internet access. Make sure that you are on the root node, and that the **Volume Activation Management Tool** view is displayed in the center pane. 9. Insert the removable media into the VAMT host that has Internet access. Make sure that you are on the root node, and that the **Volume Activation Management Tool** view is displayed in the center pane.
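Review bot: Dropping the "8." from the "VAMT displays the **Activating Active Directory** dialog box..." line leaves the procedure jumping from step 7 to step 9. Either renumber the following steps or indent the paragraph under step 7 so it reads as a continuation and the numbering stays contiguous.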
@ -74,15 +63,4 @@ Before performing proxy activation, ensure that the network and the VAMT install
VAMT displays the **Activating Active Directory** dialog box until it completes the requested action. The activated object and the date that it was created appear in the **Active Directory-Based Activation** node in the center pane. VAMT displays the **Activating Active Directory** dialog box until it completes the requested action. The activated object and the date that it was created appear in the **Active Directory-Based Activation** node in the center pane.
## Related topics ## Related topics
- [Add and Remove Computers](add-remove-computers-vamt.md)
[Add and Remove Computers](add-remove-computers-vamt.md)
 
 


@ -9,18 +9,12 @@ author: jdeckerMS
--- ---
# Activate an Active Directory Forest Online # Activate an Active Directory Forest Online
You can use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate an Active Directory (AD) forest over the Internet. ADBA enables certain products to inherit activation from the domain. You can use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate an Active Directory (AD) forest over the Internet. ADBA enables certain products to inherit activation from the domain.
**Important**   **Important**  
ADBA is only applicable to Generic Volume License Keys (GVLKs) and KMS Host keys (CSVLKs). To use ADBA, one or more KMS Host keys (CSVLKs) must be installed on the AD forest, and client keys (GVLKs) must be installed on the client products. ADBA is only applicable to Generic Volume License Keys (GVLKs) and KMS Host keys (CSVLKs). To use ADBA, one or more KMS Host keys (CSVLKs) must be installed on the AD forest, and client keys (GVLKs) must be installed on the client products.
 
## Requirements ## Requirements
Before performing online activation, ensure that the network and the VAMT installation meet the following requirements: Before performing online activation, ensure that the network and the VAMT installation meet the following requirements:
- VAMT is installed on a host computer that has Internet access. - VAMT is installed on a host computer that has Internet access.
@ -29,7 +23,8 @@ Before performing online activation, ensure that the network and the VAMT instal
- The KMS Host key (CSVLK) you intend to use is added to VAMT in the **Product Keys** node. - The KMS Host key (CSVLK) you intend to use is added to VAMT in the **Product Keys** node.
### To Perform an Online Active Directory Forest Activation
**To perform an online Active Directory forest activation**
1. Open VAMT. 1. Open VAMT.
@ -44,8 +39,6 @@ Before performing online activation, ensure that the network and the VAMT instal
**Important**   **Important**  
If you want to rename the ADBA object, you must do it now. After you click **Install Key**, the name cannot be changed. If you want to rename the ADBA object, you must do it now. After you click **Install Key**, the name cannot be changed.
 
6. Click **Install Key**. 6. Click **Install Key**.
7. VAMT displays the **Activating Active Directory** dialog box until it completes the requested action. 7. VAMT displays the **Activating Active Directory** dialog box until it completes the requested action.
@ -53,17 +46,5 @@ Before performing online activation, ensure that the network and the VAMT instal
The activated object and the date that is was created appear in the **Active Directory-Based Activation** node in the center pane. The activated object and the date that is was created appear in the **Active Directory-Based Activation** node in the center pane.
## Related topics ## Related topics
- [Scenario 1: Online Activation](scenario-online-activation-vamt.md)
- [Add and Remove Computers](add-remove-computers-vamt.md)
[Scenario 1: Online Activation](scenario-online-activation-vamt.md)
[Add and Remove Computers](add-remove-computers-vamt.md)
 
 

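Review bot: The context line above "## Related topics" still reads "the date that is was created"; it should be "the date that it was created". The proxy-activation page in this commit already has the correct wording, so fix it here while the file is being edited.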

@ -10,8 +10,6 @@ author: CFaw
--- ---
# Activate using Active Directory-based activation # Activate using Active Directory-based activation
**Applies to** **Applies to**
- Windows 10 - Windows 10
@ -44,9 +42,9 @@ The process proceeds as follows:
3. Client computers are activated by receiving the activation object from a domain controller during startup. 3. Client computers are activated by receiving the activation object from a domain controller during startup.
![active directory-based activation flow](images/volumeactivationforwindows81-10.jpg) ![Active Directory-based activation flow](images/volumeactivationforwindows81-10.jpg)
**Figure 10**. The Active Directory-based activation flow **Figure 10**. The Active Directory-based activation flow
For environments in which all computers are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2, and they are joined to a domain, Active Directory-based activation is the best option for activating all client computers and servers, and you may be able to remove any KMS hosts from your environment. For environments in which all computers are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2, and they are joined to a domain, Active Directory-based activation is the best option for activating all client computers and servers, and you may be able to remove any KMS hosts from your environment.
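Review bot: The last line of this hunk lists "Windows Server 2012 R2, or Windows Server 2012 R2", naming the same release twice. The second entry looks like it was meant to be a different release; correct it in the same pass as the figure alt text.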
@ -57,14 +55,10 @@ Clients that are activated with Active Directory-based activation will maintain
When a reactivation event occurs, the client queries AD DS for the activation object. Client computers examine the activation object and compare it to the local edition as defined by the GVLK. If the object and GVLK match, reactivation occurs. If the AD DS object cannot be retrieved, client computers use KMS activation. If the computer is removed from the domain, when the computer or the Software Protection service is restarted, the operating system will change the status from activated to not activated, and the computer will try to activate with KMS. When a reactivation event occurs, the client queries AD DS for the activation object. Client computers examine the activation object and compare it to the local edition as defined by the GVLK. If the object and GVLK match, reactivation occurs. If the AD DS object cannot be retrieved, client computers use KMS activation. If the computer is removed from the domain, when the computer or the Software Protection service is restarted, the operating system will change the status from activated to not activated, and the computer will try to activate with KMS.
## Step-by-step configuration: Active Directory-based activation ## Step-by-step configuration: Active Directory-based activation
**Note**   **Note**  
You must be a member of the local Administrators group on all computers mentioned in these steps. You also need to be a member of the Enterprise Administrators group, because setting up Active Directory-based activation changes forest-wide settings. You must be a member of the local Administrators group on all computers mentioned in these steps. You also need to be a member of the Enterprise Administrators group, because setting up Active Directory-based activation changes forest-wide settings.
  **To configure Active Directory-based activation on Windows Server 2012 R2, complete the following steps:**
To configure Active Directory-based activation on Windows Server 2012 R2, complete the following steps:
1. Use an account with Domain Administrator and Enterprise Administrator credentials to sign in to a domain controller. 1. Use an account with Domain Administrator and Enterprise Administrator credentials to sign in to a domain controller.
@ -72,39 +66,37 @@ To configure Active Directory-based activation on Windows Server 2012 R2, comp
3. Add the Volume Activation Services role, as shown in Figure 11. 3. Add the Volume Activation Services role, as shown in Figure 11.
![image of menu](images/volumeactivationforwindows81-11.jpg) ![Adding the Volume Activation Services role](images/volumeactivationforwindows81-11.jpg)
**Figure 11**. Adding the Volume Activation Services role **Figure 11**. Adding the Volume Activation Services role
4. Click the link to launch the Volume Activation Tools (Figure 12). 4. Click the link to launch the Volume Activation Tools (Figure 12).
![image of menu](images/volumeactivationforwindows81-12.jpg) ![Launching the Volume Activation Tools](images/volumeactivationforwindows81-12.jpg)
**Figure 12**. Launching the Volume Activation Tools **Figure 12**. Launching the Volume Activation Tools
5. Select the **Active Directory-Based Activation** option (Figure 13). 5. Select the **Active Directory-Based Activation** option (Figure 13).
![image of menu](images/volumeactivationforwindows81-13.jpg) ![Selecting Active Directory-Based Activation](images/volumeactivationforwindows81-13.jpg)
**Figure 13**. Selecting Active Directory-Based Activation **Figure 13**. Selecting Active Directory-Based Activation
6. Enter your KMS host key and (optionally) a display name (Figure 14). 6. Enter your KMS host key and (optionally) a display name (Figure 14).
![image of menu](images/volumeactivationforwindows81-14.jpg) ![Entering your KMS host key](images/volumeactivationforwindows81-14.jpg)
**Figure 14**. Entering your KMS host key **Figure 14**. Entering your KMS host key
7. Activate your KMS host key by phone or online (Figure 15). 7. Activate your KMS host key by phone or online (Figure 15).
![image of menu](images/volumeactivationforwindows81-15.jpg) ![Choosing how to activate your product](images/volumeactivationforwindows81-15.jpg)
**Figure 15**. Choosing how to activate your product **Figure 15**. Choosing how to activate your product
8. After activating the key, click **Commit**, and then click **Close**. 8. After activating the key, click **Commit**, and then click **Close**.
## Verifying the configuration of Active Directory-based activation ## Verifying the configuration of Active Directory-based activation
To verify your Active Directory-based activation configuration, complete the following steps: To verify your Active Directory-based activation configuration, complete the following steps:
1. After you configure Active Directory-based activation, start a computer that is running an edition of Windows that is configured by volume licensing. 1. After you configure Active Directory-based activation, start a computer that is running an edition of Windows that is configured by volume licensing.
@ -119,21 +111,8 @@ To verify your Active Directory-based activation configuration, complete the fol
6. Scroll down to the **Windows activation** section, and verify that this client has been activated. 6. Scroll down to the **Windows activation** section, and verify that this client has been activated.
**Note**   **Note**<br>
If you are using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that has not already been activated by KMS. The **slmrg.vbs /dlv** command also indicates whether KMS has been used. If you are using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that has not already been activated by KMS. The **slmrg.vbs /dlv** command also indicates whether KMS has been used.
 
## See also ## See also
- [Volume Activation for Windows 10](volume-activation-windows-10.md) - [Volume Activation for Windows 10](volume-activation-windows-10.md)
 
 

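Review bot: The Note in this hunk names the command as "slmrg.vbs /dlv", which is misspelled; the KMS page in this commit uses "Slmgr.vbs", and a reader who copies the misspelled name will not find the script. Fix the spelling, and consider keeping the trailing-space line break after "**Note**" instead of the new inline "<br>" so the Note blocks stay consistent across pages.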

@ -10,8 +10,6 @@ author: jdeckerMS
--- ---
# Activate using Key Management Service # Activate using Key Management Service
**Applies to** **Applies to**
- Windows 10 - Windows 10
@ -35,8 +33,6 @@ There are three possible scenarios for volume activation of Windows 10 or Windo
- Host KMS on a computer running an earlier version of Windows - Host KMS on a computer running an earlier version of Windows
## Key Management Service in Windows 10 ## Key Management Service in Windows 10
Installing a KMS host key on a computer running Windows 10 allows you to activate other computers running Windows 10 against this KMS host and earlier versions of the client operating system, such as Windows 8.1 or Windows 7. Installing a KMS host key on a computer running Windows 10 allows you to activate other computers running Windows 10 against this KMS host and earlier versions of the client operating system, such as Windows 8.1 or Windows 7.
Clients locate the KMS server by using resource records in DNS, so some configuration of DNS may be required. This scenario can be beneficial if your organization uses volume activation for clients and MAK-based activation for a smaller number of servers. Clients locate the KMS server by using resource records in DNS, so some configuration of DNS may be required. This scenario can be beneficial if your organization uses volume activation for clients and MAK-based activation for a smaller number of servers.
@ -57,22 +53,16 @@ To enable KMS functionality, a KMS key is installed on a KMS host; then, the hos
For more information, see the information for Windows 7 in [Deploy KMS Activation](http://go.microsoft.com/fwlink/p/?LinkId=717032). For more information, see the information for Windows 7 in [Deploy KMS Activation](http://go.microsoft.com/fwlink/p/?LinkId=717032).
## Key Management Service in Windows Server 2012 R2 ## Key Management Service in Windows Server 2012 R2
Installing a KMS host key on a computer running Windows Server allows you to activate computers running Windows Server 2012 R2, Windows Sever 2008 R2, Windows Server 2008, Windows 10, Windows 8.1, Windows 7, and Windows Vista. Installing a KMS host key on a computer running Windows Server allows you to activate computers running Windows Server 2012 R2, Windows Sever 2008 R2, Windows Server 2008, Windows 10, Windows 8.1, Windows 7, and Windows Vista.
**Note**   **Note**  
You cannot install a client KMS key into the KMS in Windows Server. You cannot install a client KMS key into the KMS in Windows Server.
 
This scenario is commonly used in larger organizations that do not find the overhead of using a server a burden. This scenario is commonly used in larger organizations that do not find the overhead of using a server a burden.
**Note**   **Note**  
If you receive error 0xC004F015 when trying to activate Windows 10 Enterprise, see [KB 3086418](http://go.microsoft.com/fwlink/p/?LinkId=620687). If you receive error 0xC004F015 when trying to activate Windows 10 Enterprise, see [KB 3086418](http://go.microsoft.com/fwlink/p/?LinkId=620687).
 
**Configure KMS in Windows Server 2012 R2** **Configure KMS in Windows Server 2012 R2**
1. Sign in to a computer running Windows Server 2012 R2 with an account that has local administrative credentials. 1. Sign in to a computer running Windows Server 2012 R2 with an account that has local administrative credentials.
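Review bot: The supported-products sentence in this hunk still says "Windows Sever 2008 R2"; it should be "Windows Server 2008 R2". It is an unchanged context line, but it sits between the lines this commit edits and is worth fixing in the same pass.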
@ -81,13 +71,13 @@ If you receive error 0xC004F015 when trying to activate Windows 10 Enterprise,
3. Add the Volume Activation Services role, as shown in Figure 4. 3. Add the Volume Activation Services role, as shown in Figure 4.
![image of menu](images/volumeactivationforwindows81-04.jpg) ![Adding the Volume Activation Services role in Server Manager](images/volumeactivationforwindows81-04.jpg)
**Figure 4**. Adding the Volume Activation Services role in Server Manager **Figure 4**. Adding the Volume Activation Services role in Server Manager
4. When the role installation is complete, click the link to launch the Volume Activation Tools (Figure 5). 4. When the role installation is complete, click the link to launch the Volume Activation Tools (Figure 5).
![image of menu](images/volumeactivationforwindows81-05.jpg) ![Launching the Volume Activation Tools](images/volumeactivationforwindows81-05.jpg)
**Figure 5**. Launching the Volume Activation Tools **Figure 5**. Launching the Volume Activation Tools
@ -95,13 +85,13 @@ If you receive error 0xC004F015 when trying to activate Windows 10 Enterprise,
This can be the same computer on which you installed the role or another computer. For example, it can be a client computer running Windows 10. This can be the same computer on which you installed the role or another computer. For example, it can be a client computer running Windows 10.
![image of menu](images/volumeactivationforwindows81-06.jpg) ![Configuring the computer as a KMS host](images/volumeactivationforwindows81-06.jpg)
**Figure 6**. Configuring the computer as a KMS host **Figure 6**. Configuring the computer as a KMS host
6. Install your KMS host key by typing it in the text box, and then click **Commit** (Figure 7). 6. Install your KMS host key by typing it in the text box, and then click **Commit** (Figure 7).
![image of menu](images/volumeactivationforwindows81-07.jpg) ![Installing your KMS host key](images/volumeactivationforwindows81-07.jpg)
**Figure 7**. Installing your KMS host key **Figure 7**. Installing your KMS host key
@ -109,45 +99,37 @@ If you receive error 0xC004F015 when trying to activate Windows 10 Enterprise,
8. After the product key is installed, you must activate it. Click **Next** (Figure 8). 8. After the product key is installed, you must activate it. Click **Next** (Figure 8).
![image of menu](images/volumeactivationforwindows81-08.jpg) ![Activating the software](images/volumeactivationforwindows81-08.jpg)
**Figure 8**. Activating the software **Figure 8**. Activating the software
The KMS key can be activated online or by phone. See Figure 9. The KMS key can be activated online or by phone. See Figure 9.
![image of menu](images/volumeactivationforwindows81-09.jpg) ![Choosing to activate online](images/volumeactivationforwindows81-09.jpg)
**Figure 9**. Choosing to activate online **Figure 9**. Choosing to activate online
Now that the KMS host is configured, it will begin to listen for activation requests. However, it will not activate clients successfully until the activation threshold is met. Now that the KMS host is configured, it will begin to listen for activation requests. However, it will not activate clients successfully until the activation threshold is met.
## Verifying the configuration of Key Management Service ## Verifying the configuration of Key Management Service
You can verify KMS volume activation from the KMS host server or from the client computer. KMS volume activation requires a minimum threshold of 25 computers before activation requests will be processed. The verification process described here will increment the activation count each time a client computer contacts the KMS host, but unless the activation threshold is reached, the verification will take the form of an error message rather than a confirmation message. You can verify KMS volume activation from the KMS host server or from the client computer. KMS volume activation requires a minimum threshold of 25 computers before activation requests will be processed. The verification process described here will increment the activation count each time a client computer contacts the KMS host, but unless the activation threshold is reached, the verification will take the form of an error message rather than a confirmation message.
**Note**   **Note**  
If you configured Active Directory-based activation before configuring KMS activation, you must use a client computer that will not first try to activate itself by using Active Directory-based activation. You could use a workgroup computer that is not joined to a domain or a computer running Windows 7 or Windows Server 2008 R2. If you configured Active Directory-based activation before configuring KMS activation, you must use a client computer that will not first try to activate itself by using Active Directory-based activation. You could use a workgroup computer that is not joined to a domain or a computer running Windows 7 or Windows Server 2008 R2.
 
To verify that KMS volume activation works, complete the following steps: To verify that KMS volume activation works, complete the following steps:
1. On the KMS host, open the event log and confirm that DNS publishing is successful. 1. On the KMS host, open the event log and confirm that DNS publishing is successful.
2. On a client computer, open a Command Prompt window, type **Slmgr.vbs /ato**, and then press ENTER. 2. On a client computer, open a Command Prompt window, type **Slmgr.vbs /ato**, and then press ENTER.<p>
The **/ato** command causes the operating system to attempt activation by using whichever key has been installed in the operating system. The response should show the license state and detailed Windows version information.
The **/ato** command causes the operating system to attempt activation by using whichever key has been installed in the operating system. The response should show the license state and detailed Windows version information. 3. On a client computer or the KMS host, open an elevated Command Prompt window, type **Slmgr /dlv**, and then press ENTER.<p>
The **/dlv** command displays the detailed licensing information. The response should return an error that states that the KMS activation count is too low. This confirms that KMS is functioning correctly, even though the client has not been activated.
3. On a client computer or the KMS host, open an elevated Command Prompt window, type **Slmgr /dlv**, and then press ENTER.
The **/dlv** command displays the detailed licensing information. The response should return an error that states that the KMS activation count is too low. This confirms that KMS is functioning correctly, even though the client has not been activated.
For more information about the use and syntax of slmgr.vbs, see [Slmgr.vbs Options](http://go.microsoft.com/fwlink/p/?LinkId=733639). For more information about the use and syntax of slmgr.vbs, see [Slmgr.vbs Options](http://go.microsoft.com/fwlink/p/?LinkId=733639).
## Key Management Service in earlier versions of Windows ## Key Management Service in earlier versions of Windows
If you have already established a KMS infrastructure in your organization for an earlier version of Windows, you may want to continue using that infrastructure to activate computers running Windows 10 or Windows Server 2012 R2. Your existing KMS host must be running Windows 7 or later. To upgrade your KMS host, complete the following steps: If you have already established a KMS infrastructure in your organization for an earlier version of Windows, you may want to continue using that infrastructure to activate computers running Windows 10 or Windows Server 2012 R2. Your existing KMS host must be running Windows 7 or later. To upgrade your KMS host, complete the following steps:
1. Download and install the correct update for your current KMS host operating system. Restart the computer as directed. 1. Download and install the correct update for your current KMS host operating system. Restart the computer as directed.
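Review bot: Steps 2 and 3 of the verification procedure now end with a bare "<p>" after "press ENTER." and the tag is never closed. Use an indented continuation paragraph under each list item instead of inline HTML, which keeps the explanation of **/ato** and **/dlv** attached to its step without depending on how the renderer treats an unclosed tag.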
@ -161,8 +143,6 @@ If you have already established a KMS infrastructure in your organization for an
For detailed instructions, see [Update that enables Windows 8.1 and Windows 8 KMS hosts to activate a later version of Windows](http://go.microsoft.com/fwlink/p/?LinkId=618265) and [Update that enables Windows 7 and Windows Server 2008 R2 KMS hosts to activate Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=626590). For detailed instructions, see [Update that enables Windows 8.1 and Windows 8 KMS hosts to activate a later version of Windows](http://go.microsoft.com/fwlink/p/?LinkId=618265) and [Update that enables Windows 7 and Windows Server 2008 R2 KMS hosts to activate Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=626590).
## See also ## See also
- [Volume Activation for Windows 10](volume-activation-windows-10.md) - [Volume Activation for Windows 10](volume-activation-windows-10.md)
   

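Review bot: Both update links in this hunk use "http://go.microsoft.com/fwlink/...". Since they point administrators at updates for KMS hosts, switch them to https so the first request is not sent in clear text.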

@ -10,8 +10,6 @@ author: jdeckerMS
--- ---
# Activate clients running Windows 10 # Activate clients running Windows 10
**Applies to** **Applies to**
- Windows 10 - Windows 10
@ -28,7 +26,9 @@ author: jdeckerMS
After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy. If the computer has been configured with a Generic Volume License Key (GVLK), neither IT nor the user need take any action. It just works. After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy. If the computer has been configured with a Generic Volume License Key (GVLK), neither IT nor the user need take any action. It just works.
Enterprise edition images and installation media should already be configured with the GVLK. When the client computer starts, the Licensing service examines the current licensing condition of the computer. If activation or reactivation is required, the following sequence occurs: Enterprise edition images and installation media should already be configured with the GVLK. When the client computer starts, the Licensing service examines the current licensing condition of the computer.
If activation or reactivation is required, the following sequence occurs:
1. If the computer is a member of a domain, it asks a domain controller for a volume activation object. If Active Directory-based activation is configured, the domain controller returns the object. If the object matches the edition of the software that is installed and the computer has a matching GVLK, the computer is activated (or reactivated), and it will not need to be activated again for 180 days, although the operating system will attempt reactivation at much shorter, regular intervals. 1. If the computer is a member of a domain, it asks a domain controller for a volume activation object. If Active Directory-based activation is configured, the domain controller returns the object. If the object matches the edition of the software that is installed and the computer has a matching GVLK, the computer is activated (or reactivated), and it will not need to be activated again for 180 days, although the operating system will attempt reactivation at much shorter, regular intervals.
@ -39,12 +39,9 @@ Enterprise edition images and installation media should already be configured wi
If the client is not able to activate itself successfully, it will periodically try again. The frequency of the retry attempts depends on the current licensing state and whether the client computer has been successfully activated in the past. For example, if the client computer had been previously activated by Active Directory-based activation, it will periodically try to contact the domain controller at each restart. If the client is not able to activate itself successfully, it will periodically try again. The frequency of the retry attempts depends on the current licensing state and whether the client computer has been successfully activated in the past. For example, if the client computer had been previously activated by Active Directory-based activation, it will periodically try to contact the domain controller at each restart.
## How Key Management Service works ## How Key Management Service works
KMS uses a clientserver topology. KMS client computers can locate KMS host computers by using DNS or a static configuration. KMS clients contact the KMS host by using RPCs carried over TCP/IP. KMS uses a clientserver topology. KMS client computers can locate KMS host computers by using DNS or a static configuration. KMS clients contact the KMS host by using RPCs carried over TCP/IP.
### Key Management Service activation thresholds ### Key Management Service activation thresholds
You can activate physical computers and virtual machines by contacting a KMS host. To qualify for KMS activation, there must be a minimum number of qualifying computers (called the activation threshold). KMS clients will be activated only after this threshold has been met. Each KMS host counts the number of computers that have requested activation until the threshold is met. You can activate physical computers and virtual machines by contacting a KMS host. To qualify for KMS activation, there must be a minimum number of qualifying computers (called the activation threshold). KMS clients will be activated only after this threshold has been met. Each KMS host counts the number of computers that have requested activation until the threshold is met.
A KMS host responds to each valid activation request from a KMS client with the count of how many computers have already contacted the KMS host for activation. Client computers that receive a count below the activation threshold are not activated. For example, if the first two computers that contact the KMS host are running Windows 10, the first receives an activation count of 1, and the second receives an activation count of 2. If the next computer is a virtual machine on a computer running Windows 10, it receives an activation count of 3, and so on. None of these computers will be activated, because computers running Windows 10, like other client operating system versions, must receive an activation count of 25 or more. A KMS host responds to each valid activation request from a KMS client with the count of how many computers have already contacted the KMS host for activation. Client computers that receive a count below the activation threshold are not activated. For example, if the first two computers that contact the KMS host are running Windows 10, the first receives an activation count of 1, and the second receives an activation count of 2. If the next computer is a virtual machine on a computer running Windows 10, it receives an activation count of 3, and so on. None of these computers will be activated, because computers running Windows 10, like other client operating system versions, must receive an activation count of 25 or more.
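Review bot: "KMS uses a clientserver topology" under How Key Management Service works has lost the dash between "client" and "server". This commit is already cleaning up the surrounding lines, so restore it as "client-server". In the context line above it, "it will periodically try to contact the domain controller at each restart" names two different schedules; keep either "periodically" or "at each restart".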
@ -54,7 +51,6 @@ When KMS clients are waiting for the KMS to reach the activation threshold, they
In our example, if the next computer that contacts the KMS host is running Windows Server 2012 R2, it receives an activation count of 4, because activation counts are cumulative. If a computer running Windows Server 2012 R2 receives an activation count that is 5 or more, it is activated. If a computer running Windows 10 receives an activation count of 25 or more, it is activated. In our example, if the next computer that contacts the KMS host is running Windows Server 2012 R2, it receives an activation count of 4, because activation counts are cumulative. If a computer running Windows Server 2012 R2 receives an activation count that is 5 or more, it is activated. If a computer running Windows 10 receives an activation count of 25 or more, it is activated.
### Activation count cache ### Activation count cache
To track the activation threshold, the KMS host keeps a record of the KMS clients that request activation. The KMS host gives each KMS client a client ID designation, and the KMS host saves each client ID in a table. By default, each activation request remains in the table for up to 30 days. When a client renews its activation, the cached client ID is removed from the table, a new record is created, and the 30day period begins again. If a KMS client computer does not renew its activation within 30 days, the KMS host removes the corresponding client ID from the table and reduces the activation count by one. To track the activation threshold, the KMS host keeps a record of the KMS clients that request activation. The KMS host gives each KMS client a client ID designation, and the KMS host saves each client ID in a table. By default, each activation request remains in the table for up to 30 days. When a client renews its activation, the cached client ID is removed from the table, a new record is created, and the 30day period begins again. If a KMS client computer does not renew its activation within 30 days, the KMS host removes the corresponding client ID from the table and reduces the activation count by one.
However, the KMS host only caches twice the number of client IDs that are required to meet the activation threshold. Therefore, only the 50 most recent client IDs are kept in the table, and a client ID could be removed much sooner than 30 days. However, the KMS host only caches twice the number of client IDs that are required to meet the activation threshold. Therefore, only the 50 most recent client IDs are kept in the table, and a client ID could be removed much sooner than 30 days.
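Review bot: "Therefore, only the 50 most recent client IDs are kept in the table" is stated as a fixed number, but the paragraph that follows says a host that has only seen server requests caches 10 client IDs and grows to 50 once a Windows 10 client contacts it. Qualify the 50 as the case where the client threshold of 25 applies, or put the rule (twice the threshold) ahead of the example. The paragraph above it also reads "30day period", which is missing its hyphen.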
@ -62,19 +58,15 @@ However, the KMS host only caches twice the number of client IDs that are requir
The total size of the cache is set by the type of client computer that is attempting to activate. If a KMS host receives activation requests only from servers, the cache will hold only 10 client IDs (twice the required 5). If a client computer running Windows 10 contacts that KMS host, KMS increases the cache size to 50 to accommodate the higher threshold. KMS never reduces the cache size. The total size of the cache is set by the type of client computer that is attempting to activate. If a KMS host receives activation requests only from servers, the cache will hold only 10 client IDs (twice the required 5). If a client computer running Windows 10 contacts that KMS host, KMS increases the cache size to 50 to accommodate the higher threshold. KMS never reduces the cache size.
### Key Management Service connectivity ### Key Management Service connectivity
KMS activation requires TCP/IP connectivity. By default, KMS hosts and clients use DNS to publish and find the KMS. The default settings can be used, which require little or no administrative action, or KMS hosts and client computers can be manually configured based on network configuration and security requirements. KMS activation requires TCP/IP connectivity. By default, KMS hosts and clients use DNS to publish and find the KMS. The default settings can be used, which require little or no administrative action, or KMS hosts and client computers can be manually configured based on network configuration and security requirements.
### Key Management Service activation renewal ### Key Management Service activation renewal
KMS activations are valid for 180 days (the *activation validity interval*). To remain activated, KMS client computers must renew their activation by connecting to the KMS host at least once every 180 days. By default, KMS client computers attempt to renew their activation every 7 days. If KMS activation fails, the client computer retries every two hours. After a client computers activation is renewed, the activation validity interval begins again. KMS activations are valid for 180 days (the *activation validity interval*). To remain activated, KMS client computers must renew their activation by connecting to the KMS host at least once every 180 days. By default, KMS client computers attempt to renew their activation every 7 days. If KMS activation fails, the client computer retries every two hours. After a client computers activation is renewed, the activation validity interval begins again.
### Publication of the Key Management Service ### Publication of the Key Management Service
The KMS uses service (SRV) resource records in DNS to store and communicate the locations of KMS hosts. KMS hosts use the DNS dynamic update protocol, if available, to publish the KMS service (SRV) resource records. If dynamic update is not available or the KMS host does not have rights to publish the resource records, the DNS records must be published manually, or you must configure client computers to connect to specific KMS hosts. The KMS uses service (SRV) resource records in DNS to store and communicate the locations of KMS hosts. KMS hosts use the DNS dynamic update protocol, if available, to publish the KMS service (SRV) resource records. If dynamic update is not available or the KMS host does not have rights to publish the resource records, the DNS records must be published manually, or you must configure client computers to connect to specific KMS hosts.
### Client discovery of the Key Management Service ### Client discovery of the Key Management Service
By default, KMS client computers query DNS for KMS information. The first time a KMS client computer queries DNS for KMS information, it randomly chooses a KMS host from the list of service (SRV) resource records that DNS returns. The address of a DNS server that contains the service (SRV) resource records can be listed as a suffixed entry on KMS client computers, which allows one DNS server to advertise the service (SRV) resource records for KMS, and KMS client computers with other primary DNS servers to find it. By default, KMS client computers query DNS for KMS information. The first time a KMS client computer queries DNS for KMS information, it randomly chooses a KMS host from the list of service (SRV) resource records that DNS returns. The address of a DNS server that contains the service (SRV) resource records can be listed as a suffixed entry on KMS client computers, which allows one DNS server to advertise the service (SRV) resource records for KMS, and KMS client computers with other primary DNS servers to find it.
Priority and weight parameters can be added to the DnsDomainPublishList registry value for KMS. Establishing KMS host priority groupings and weighting within each group allows you to specify which KMS host the client computers should try first and balances traffic among multiple KMS hosts. Only Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 provide these priority and weight parameters. Priority and weight parameters can be added to the DnsDomainPublishList registry value for KMS. Establishing KMS host priority groupings and weighting within each group allows you to specify which KMS host the client computers should try first and balances traffic among multiple KMS hosts. Only Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 provide these priority and weight parameters.
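Review bot: In the client discovery paragraph, "can be listed as a suffixed entry on KMS client computers" does not say which client setting holds the entry; name the setting an administrator would edit so the sentence can be acted on. In the renewal paragraph, "After a client computers activation is renewed" is missing its apostrophe.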
@ -84,35 +76,30 @@ If the KMS host that a client computer selects does not respond, the KMS client
By default, client computers connect to the KMS host for activation by using anonymous RPCs through TCP port 1688. (You can change the default port.) After establishing a TCP session with the KMS host, the client computer sends a single request packet. The KMS host responds with the activation count. If the count meets or exceeds the activation threshold for that operating system, the client computer is activated and the session is closed. The KMS client computer uses this same process for renewal requests. 250 bytes are used for communication each way. By default, client computers connect to the KMS host for activation by using anonymous RPCs through TCP port 1688. (You can change the default port.) After establishing a TCP session with the KMS host, the client computer sends a single request packet. The KMS host responds with the activation count. If the count meets or exceeds the activation threshold for that operating system, the client computer is activated and the session is closed. The KMS client computer uses this same process for renewal requests. 250 bytes are used for communication each way.
### Domain Name System server configuration ### Domain Name System server configuration
The default KMS automatic publishing feature requires the service (SRV) resource record and support for DNS dynamic update protocol. KMS client computer default behavior and the KMS service (SRV) resource record publishing are supported on a DNS server that is running Microsoft software or any other DNS server that supports service (SRV) resource records (per Internet Engineering Task Force \[IETF\] Request for Comments \[RFC\] 2782) and dynamic updates (per IETF RFC 2136). For example, Berkeley Internet Domain Name versions 8.x and 9.x support service (SRV) resource records and dynamic update. The default KMS automatic publishing feature requires the service (SRV) resource record and support for DNS dynamic update protocol. KMS client computer default behavior and the KMS service (SRV) resource record publishing are supported on a DNS server that is running Microsoft software or any other DNS server that supports service (SRV) resource records (per Internet Engineering Task Force \[IETF\] Request for Comments \[RFC\] 2782) and dynamic updates (per IETF RFC 2136). For example, Berkeley Internet Domain Name versions 8.x and 9.x support service (SRV) resource records and dynamic update.
The KMS host must be configured so that it has the credentials needed to create and update the following resource records on the DNS servers: service (SRV), IPv4 host (A), and IPv6 host (AAAA), or the records need to be created manually. The recommended solution for giving the KMS host the needed credentials is to create a security group in AD DS, then add all KMS hosts to that group. On a DNS server that is running Microsoft software, ensure that this security group is given full control over the \_VLMCS.\_TCP record in each DNS domain that will contain the KMS service (SRV) resource records. The KMS host must be configured so that it has the credentials needed to create and update the following resource records on the DNS servers: service (SRV), IPv4 host (A), and IPv6 host (AAAA), or the records need to be created manually. The recommended solution for giving the KMS host the needed credentials is to create a security group in AD DS, then add all KMS hosts to that group. On a DNS server that is running Microsoft software, ensure that this security group is given full control over the \_VLMCS.\_TCP record in each DNS domain that will contain the KMS service (SRV) resource records.
### Activating the first Key Management Service host ### Activating the first Key Management Service host
KMS hosts on the network need to install a KMS key, and then be activated with Microsoft. Installation of a KMS key enables the KMS on the KMS host. After installing the KMS key, complete the activation of the KMS host by telephone or online. Beyond this initial activation, a KMS host does not communicate any information to Microsoft. KMS keys are only installed on KMS hosts, never on individual KMS client computers. KMS hosts on the network need to install a KMS key, and then be activated with Microsoft. Installation of a KMS key enables the KMS on the KMS host. After installing the KMS key, complete the activation of the KMS host by telephone or online. Beyond this initial activation, a KMS host does not communicate any information to Microsoft. KMS keys are only installed on KMS hosts, never on individual KMS client computers.
### Activating subsequent Key Management Service hosts ### Activating subsequent Key Management Service hosts
Each KMS key can be installed on up to six KMS hosts. These hosts can be physical computers or virtual machines. After activating a KMS host, the same host can be reactivated up to nine times with the same key. If the organization needs more than six KMS hosts, you can request additional activations for your organizations KMS key by calling a Microsoft Volume [Licensing Activation Center](http://go.microsoft.com/fwlink/p/?LinkID=618264) to request an exception. Each KMS key can be installed on up to six KMS hosts. These hosts can be physical computers or virtual machines. After activating a KMS host, the same host can be reactivated up to nine times with the same key. If the organization needs more than six KMS hosts, you can request additional activations for your organizations KMS key by calling a Microsoft Volume [Licensing Activation Center](http://go.microsoft.com/fwlink/p/?LinkID=618264) to request an exception.
## How Multiple Activation Key works ## How Multiple Activation Key works
A MAK is used for one-time activation with Microsofts hosted activation services. Each MAK has a predetermined number of allowed activations. This number is based on volume licensing agreements, and it might not match the organizations exact license count. Each activation that uses a MAK with the Microsoft hosted activation service counts toward the activation limit. A MAK is used for one-time activation with Microsofts hosted activation services. Each MAK has a predetermined number of allowed activations. This number is based on volume licensing agreements, and it might not match the organizations exact license count. Each activation that uses a MAK with the Microsoft hosted activation service counts toward the activation limit.
You can activate computers by using a MAK in two ways: You can activate computers by using a MAK in two ways:
- **MAK independent activation**. Each computer independently connects and is activated with Microsoft over the Internet or by telephone. MAK independent activation is best suited to computers within an organization that do not maintain a connection to the corporate network. MAK independent activation is shown in Figure 16. - **MAK independent activation**. Each computer independently connects and is activated with Microsoft over the Internet or by telephone. MAK independent activation is best suited to computers within an organization that do not maintain a connection to the corporate network. MAK independent activation is shown in Figure 16.
![mak independent activation](images/volumeactivationforwindows81-16.jpg) ![MAK independent activation](images/volumeactivationforwindows81-16.jpg)
**Figure 16**. MAK independent activation **Figure 16**. MAK independent activation
- **MAK proxy activation**. MAK proxy activation enables a centralized activation request on behalf of multiple computers with one connection to Microsoft. You configure MAK proxy activation by using the VAMT. MAK proxy activation is appropriate for environments in which security concerns restrict direct access to the Internet or the corporate network. It is also suited for development and test labs that lack this connectivity. MAK proxy activation with the VAMT is shown in Figure 17. - **MAK proxy activation**. MAK proxy activation enables a centralized activation request on behalf of multiple computers with one connection to Microsoft. You configure MAK proxy activation by using the VAMT. MAK proxy activation is appropriate for environments in which security concerns restrict direct access to the Internet or the corporate network. It is also suited for development and test labs that lack this connectivity. MAK proxy activation with the VAMT is shown in Figure 17.
![mak proxy activation](images/volumeactivationforwindows81-17.jpg) ![MAK proxy activation with the VAMT](images/volumeactivationforwindows81-17.jpg)
**Figure 17**. MAK proxy activation with the VAMT **Figure 17**. MAK proxy activation with the VAMT
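Review bot: In Activating subsequent Key Management Service hosts, the link is written as "a Microsoft Volume [Licensing Activation Center](...)", so the anchor text starts in the middle of the name. Move the opening bracket so the link covers "Microsoft Volume Licensing Activation Center". The same paragraph and the MAK paragraph below it have possessives without apostrophes ("your organizations KMS key", "Microsofts hosted activation services").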
@ -121,19 +108,14 @@ A MAK is recommended for computers that rarely or never connect to the corporate
You can use a MAK for individual computers or with an image that can be duplicated or installed by using Microsoft deployment solutions. You can also use a MAK on a computer that was originally configured to use KMS activation. This is useful for moving a computer off the core network to a disconnected environment. You can use a MAK for individual computers or with an image that can be duplicated or installed by using Microsoft deployment solutions. You can also use a MAK on a computer that was originally configured to use KMS activation. This is useful for moving a computer off the core network to a disconnected environment.
### Multiple Activation Key architecture and activation ### Multiple Activation Key architecture and activation
MAK independent activation installs a MAK product key on a client computer. The key instructs that computer to activate itself with Microsoft servers over the Internet. MAK independent activation installs a MAK product key on a client computer. The key instructs that computer to activate itself with Microsoft servers over the Internet.
In MAK proxy activation, the VAMT installs a MAK product key on a client computer, obtains the installation ID from the target computer, sends the installation ID to Microsoft on behalf of the client, and obtains a confirmation ID. The tool then activates the client computer by installing the confirmation ID. In MAK proxy activation, the VAMT installs a MAK product key on a client computer, obtains the installation ID from the target computer, sends the installation ID to Microsoft on behalf of the client, and obtains a confirmation ID. The tool then activates the client computer by installing the confirmation ID.
## Activating as a standard user ## Activating as a standard user
Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 do not require administrator privileges for activation, but this change does not allow standard user accounts to remove computers running Windows 7 or Windows Server 2008 R2 from the activated state. An administrator account is still required for other activation- or license-related tasks, such as “rearm.” Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 do not require administrator privileges for activation, but this change does not allow standard user accounts to remove computers running Windows 7 or Windows Server 2008 R2 from the activated state. An administrator account is still required for other activation- or license-related tasks, such as “rearm.”
## See also ## See also
- [Volume Activation for Windows 10](volume-activation-windows-10.md) - [Volume Activation for Windows 10](volume-activation-windows-10.md)
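Review bot: In Activating as a standard user, "but this change does not allow standard user accounts to remove computers ..." refers to "this change" with nothing earlier in the section it can point to. Name what changed (activation no longer requiring administrator privileges) so the sentence stands on its own. The restriction also lists only Windows 7 and Windows Server 2008 R2 while the first clause lists seven versions; confirm the narrower list is intended.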
   

View File

@ -9,13 +9,9 @@ author: CFaw
--- ---
# Active Directory-Based Activation Overview # Active Directory-Based Activation Overview
Active Directory-Based Activation (ADBA) enables enterprises to activate computers through a connection to their domain. Many companies have computers at offsite locations that use products that are registered to the company. Previously these computers needed to either use a retail key or a Multiple Activation Key (MAK), or physically connect to the network in order to activate their products by using Key Management Services (KMS). ADBA provides a way to activate these products if the computers can join the companys domain. When the user joins their computer to the domain, the ADBA object automatically activates Windows installed on their computer, as long as the computer has a Generic Volume License Key (GVLK) installed. No single physical computer is required to act as the activation object, because it is distributed throughout the domain. Active Directory-Based Activation (ADBA) enables enterprises to activate computers through a connection to their domain. Many companies have computers at offsite locations that use products that are registered to the company. Previously these computers needed to either use a retail key or a Multiple Activation Key (MAK), or physically connect to the network in order to activate their products by using Key Management Services (KMS). ADBA provides a way to activate these products if the computers can join the companys domain. When the user joins their computer to the domain, the ADBA object automatically activates Windows installed on their computer, as long as the computer has a Generic Volume License Key (GVLK) installed. No single physical computer is required to act as the activation object, because it is distributed throughout the domain.
## Active Directory-Based Activation Scenarios ## Active Directory-Based Activation Scenarios
VAMT enables IT Professionals to manage and activate the Active Directory-Based Activation object. Activation can be performed by using a scenario such as the following: VAMT enables IT Professionals to manage and activate the Active Directory-Based Activation object. Activation can be performed by using a scenario such as the following:
- Online activation: To activate an ADBA forest online, the user selects the **Online activate forest** function, selects a KMS Host key (CSVLK) to use, and gives the Active Directory-Based Activation Object a name. - Online activation: To activate an ADBA forest online, the user selects the **Online activate forest** function, selects a KMS Host key (CSVLK) to use, and gives the Active Directory-Based Activation Object a name.
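Review bot: The overview paragraph says "Key Management Services (KMS)", while the other topics in this commit use "Key Management Service (KMS)"; use the singular here as well. "the companys domain" in the same paragraph is missing its apostrophe.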
@ -23,11 +19,8 @@ VAMT enables IT Professionals to manage and activate the Active Directory-Based
- Proxy activation: For a proxy activation, the user first selects the **Proxy activate forest** function, selects a KMS Host key (CSVLK) to use, gives the Active Directory-Based Activation Object a name, and provides a file name to save the CILx file that contains the Installation ID. Next, the user takes that file to a computer that is running VAMT with an Internet connection and then selects the **Acquire confirmation IDs for CILX** function on the VAMT landing page, and provides the original CILx file. When VAMT has loaded the Confirmation IDs into the original CILx file, the user takes this file back to the original VAMT instance, where the user completes the proxy activation process by selecting the **Apply confirmation ID to Active Directory domain** function. - Proxy activation: For a proxy activation, the user first selects the **Proxy activate forest** function, selects a KMS Host key (CSVLK) to use, gives the Active Directory-Based Activation Object a name, and provides a file name to save the CILx file that contains the Installation ID. Next, the user takes that file to a computer that is running VAMT with an Internet connection and then selects the **Acquire confirmation IDs for CILX** function on the VAMT landing page, and provides the original CILx file. When VAMT has loaded the Confirmation IDs into the original CILx file, the user takes this file back to the original VAMT instance, where the user completes the proxy activation process by selecting the **Apply confirmation ID to Active Directory domain** function.
## Related topics ## Related topics
- [How to Activate an Active Directory Forest Online](http://go.microsoft.com/fwlink/p/?LinkId=246565)
- [How to Proxy Activate an Active Directory Forest](http://go.microsoft.com/fwlink/p/?LinkId=246566)
[How to Activate an Active Directory Forest Online](http://go.microsoft.com/fwlink/p/?LinkId=246565)
[How to Proxy Activate an Active Directory Forest](http://go.microsoft.com/fwlink/p/?LinkId=246566)
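Review bot: The two Related topics links appear both as list items ("- [How to Activate an Active Directory Forest Online]...") and as bare consecutive lines. The bare form, with no blank line between the links, renders as one run-on paragraph, so the version that lands should be the bulleted one. In the proxy activation item, the file is "CILx" in the prose but "CILX" in the **Acquire confirmation IDs for CILX** label; confirm the label matches the VAMT UI.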
   

View File

@ -9,33 +9,15 @@ author: jdeckerMS
--- ---
# Add and Manage Products # Add and Manage Products
This section describes how to add client computers into the Volume Activation Management Tool (VAMT). After the computers are added, you can manage the products that are installed on your network. This section describes how to add client computers into the Volume Activation Management Tool (VAMT). After the computers are added, you can manage the products that are installed on your network.
## In this Section ## In this Section
|Topic |Description |
<table> |------|------------|
<colgroup> |[Add and Remove Computers](add-remove-computers-vamt.md) |Describes how to add client computers to VAMT. |
<col width="50%" /> |[Update Product Status](update-product-status-vamt.md) |Describes how to update the status of product license. |
<col width="50%" /> |[Remove Products](remove-products-vamt.md) |Describes how to remove a product from the product list. |
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p>[Add and Remove Computers](add-remove-computers-vamt.md)</p></td>
<td align="left"><p>Describes how to add client computers to VAMT.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Update Product Status](update-product-status-vamt.md)</p></td>
<td align="left"><p>Describes how to update the status of product license.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Remove Products](remove-products-vamt.md)</p></td>
<td align="left"><p>Describes how to remove a product from the product list.</p></td>
</tr>
</tbody>
</table>
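Review bot: The "Update Product Status" row carries "Describes how to update the status of product license." over from the HTML table unchanged. Fix the grammar as part of the conversion, for example "Describes how to update the license status of a product." The heading "## In this Section" also capitalizes "Section", while most other headings in this commit use sentence case.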
   

View File

@ -9,15 +9,11 @@ author: jdeckerMS
--- ---
# Add and Remove Computers # Add and Remove Computers
You can add computers that have any of the supported Windows or Office products installed to a Volume Activation Management Tool (VAMT) database by using the **Discover products** function. You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general LDAP query. You can remove computers from a VAMT database by using the **Delete** function. After you add the computers, you can add the products that are installed on the computers by running the **Update license status** function. You can add computers that have any of the supported Windows or Office products installed to a Volume Activation Management Tool (VAMT) database by using the **Discover products** function. You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general LDAP query. You can remove computers from a VAMT database by using the **Delete** function. After you add the computers, you can add the products that are installed on the computers by running the **Update license status** function.
Before adding computers, ensure that the Windows Management Instrumentation (WMI) firewall exception required by VAMT has been enabled on all target computers. For more information see [Configure Client Computers](configure-client-computers-vamt.md). Before adding computers, ensure that the Windows Management Instrumentation (WMI) firewall exception required by VAMT has been enabled on all target computers. For more information see [Configure Client Computers](configure-client-computers-vamt.md).
## To add computers to a VAMT database ## To add computers to a VAMT database
1. Open VAMT. 1. Open VAMT.
2. Click **Discover products** in the **Actions** menu in the right-side pane to open the **Discover Products** dialog box. 2. Click **Discover products** in the **Actions** menu in the right-side pane to open the **Discover Products** dialog box.
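Review bot: In the introductory paragraph, the sentence about removing computers with **Delete** sits between the **Discover products** sentence and "After you add the computers, ...", so the follow-on about adding products reads as if it follows a removal. Move the **Delete** sentence to the end of the paragraph. "For more information see" in the next paragraph also needs a comma after "information".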
@ -38,16 +34,12 @@ Before adding computers, ensure that the Windows Management Instrumentation (WMI
To cancel the search, click **Cancel**. When the search is complete the names of the newly-discovered computers appear in the product list view in the center pane. To cancel the search, click **Cancel**. When the search is complete the names of the newly-discovered computers appear in the product list view in the center pane.
![VAMT, Finding computers dialog box](images/dep-win8-l-vamt-findingcomputerdialog.gif)
**Important**   **Important**  
Note that this step adds only the computers to the VAMT database, and not the products that are installed on the computers. To add the products, you need to run the **Update license status** function. This step adds only the computers to the VAMT database, and not the products that are installed on the computers. To add the products, you need to run the **Update license status** function.
 
![vamt find a computer dialog box](images/dep-win8-l-vamt-findingcomputerdialog.gif)
## To add products to VAMT ## To add products to VAMT
1. In the **Products** list, select the computers that need to have their product information added to the VAMT database. 1. In the **Products** list, select the computers that need to have their product information added to the VAMT database.
2. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box. 2. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
@ -64,20 +56,14 @@ Before adding computers, ensure that the Windows Management Instrumentation (WMI
6. VAMT displays the **Collecting product information** dialog box while it collects the licensing status of all supported products on the selected computers. When the process is finished, the updated licensing status of each product will appear in the product list view in the center pane. 6. VAMT displays the **Collecting product information** dialog box while it collects the licensing status of all supported products on the selected computers. When the process is finished, the updated licensing status of each product will appear in the product list view in the center pane.
**Note**   **Note**  
If a computer has more than one supported product installed, VAMT adds an entry for each product. The entry appears under the appropriate product heading. If a computer has more than one supported product installed, VAMT adds an entry for each product. The entry appears under the appropriate product heading.
 
## To remove computers from a VAMT database ## To remove computers from a VAMT database
You can delete a computer by clicking on it in the product list view, and then clicking **Delete** in the **Selected Item** menu in the right-hand pane. In the **Confirm Delete Selected Products** dialog box that appears, click **Yes** to delete the computer. If a computer has multiple products listed, you must delete each product to completely remove the computer from the VAMT database. You can delete a computer by clicking on it in the product list view, and then clicking **Delete** in the **Selected Item** menu in the right-hand pane. In the **Confirm Delete Selected Products** dialog box that appears, click **Yes** to delete the computer. If a computer has multiple products listed, you must delete each product to completely remove the computer from the VAMT database.
## Related topics ## Related topics
- [Add and Manage Products](add-manage-products-vamt.md)
[Add and Manage Products](add-manage-products-vamt.md)
   

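Review bot: the removal paragraph in this hunk calls the menu **Selected Item** and the pane the "right-hand pane", while the product key topic in this same commit uses **Selected Items** and "right-side pane" for what appears to be the same UI. Check the label against the VAMT console and use one form in both topics, since a reader following the steps will look for the exact menu name.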
View File

@ -9,13 +9,9 @@ author: jdeckerMS
--- ---
# Add and Remove a Product Key # Add and Remove a Product Key
Before you can use a Multiple Activation Key (MAK), retail, or KMS Host key (CSVLK) product key, you must first add it to the Volume Activation Management Tool (VAMT) database. Before you can use a Multiple Activation Key (MAK), retail, or KMS Host key (CSVLK) product key, you must first add it to the Volume Activation Management Tool (VAMT) database.
## To Add a Product Key ## To Add a Product Key
1. Open VAMT. 1. Open VAMT.
2. In the left-side pane, right-click the **Product Keys** node to open the **Actions** menu. 2. In the left-side pane, right-click the **Product Keys** node to open the **Actions** menu.
@ -28,26 +24,11 @@ Before you can use a Multiple Activation Key (MAK), retail, or KMS Host key (CSV
- To import a Comma Separated Values (CSV) file containing a list of product keys, click **Select a product key file to import**, browse to the file location, click **Open** to import the file, and then click **Add Key(s)**. - To import a Comma Separated Values (CSV) file containing a list of product keys, click **Select a product key file to import**, browse to the file location, click **Open** to import the file, and then click **Add Key(s)**.
**Note**   **Note**  
If you are activating a large number of products with a MAK, you should refresh the activation count of the MAK, to ensure that the MAK can support the required number of activations. In the product key list in the center pane, select the MAK and click **Refresh product key data online** in the right-side pane to contact Microsoft and retrieve the number of remaining activations for the MAK. This step requires Internet access. You can only retrieve the remaining activation count for MAKs. If you are activating a large number of products with a MAK, you should refresh the activation count of the MAK, to ensure that the MAK can support the required number of activations. In the product key list in the center pane, select the MAK and click **Refresh product key data online** in the right-side pane to contact Microsoft and retrieve the number of remaining activations for the MAK. This step requires Internet access. You can only retrieve the remaining activation count for MAKs.
 
## Remove a Product Key ## Remove a Product Key
- To remove a product key from the list, simply select the key in the list and click **Delete** on the **Selected Items** menu in the right-side pane. Click **Yes** to confirm deletion of the product key. Removing a product key from the VAMT database will not affect the activation state of any products or computers on the network. - To remove a product key from the list, simply select the key in the list and click **Delete** on the **Selected Items** menu in the right-side pane. Click **Yes** to confirm deletion of the product key. Removing a product key from the VAMT database will not affect the activation state of any products or computers on the network.
## Related topics ## Related topics
- [Manage Product Keys](manage-product-keys-vamt.md)
[Manage Product Keys](manage-product-keys-vamt.md)
 
 

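Review bot: the two procedure headings in this file are not parallel: "## To Add a Product Key" earlier and "## Remove a Product Key" in this hunk. Use the same form for both (for example "To add a product key" and "To remove a product key"). The removal procedure is also a single-item bullet list; a plain paragraph or numbered steps would match the add procedure better.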
View File

@ -10,8 +10,6 @@ author: jdeckerMS
--- ---
# Appendix: Information sent to Microsoft during activation # Appendix: Information sent to Microsoft during activation
**Applies to** **Applies to**
- Windows 10 - Windows 10
@ -71,15 +69,11 @@ When you activate a computer running Windows 10, the following information is s
Standard computer information is also sent, but your computers IP address is only retained temporarily. Standard computer information is also sent, but your computers IP address is only retained temporarily.
## Use of information ## Use of information
Microsoft uses the information to confirm that you have a licensed copy of the software. Microsoft does not use the information to contact individual consumers. Microsoft uses the information to confirm that you have a licensed copy of the software. Microsoft does not use the information to contact individual consumers.
For additional details, see [Windows 10 Privacy Statement](http://go.microsoft.com/fwlink/p/?LinkId=619879). For additional details, see [Windows 10 Privacy Statement](http://go.microsoft.com/fwlink/p/?LinkId=619879).
## See also ## See also
- [Volume Activation for Windows 10](volume-activation-windows-10.md) - [Volume Activation for Windows 10](volume-activation-windows-10.md)
   

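Review bot: "your computers IP address" in the first line of this hunk is missing the possessive apostrophe and should read "your computer's IP address". The line is unchanged context, but it is worth fixing while the file is being touched. The Privacy Statement link in this hunk also uses an http:// URL; prefer https:// for the go.microsoft.com redirect.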
View File

@ -9,39 +9,24 @@ author: CFaw
--- ---
# Change history for Deploy Windows 10 # Change history for Deploy Windows 10
This topic lists new and updated topics in the [Deploy Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). This topic lists new and updated topics in the [Deploy Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
## December 2015 ## December 2015
| New or changed topic | Description |
|----------------------|-------------|
| New or changed topic | Description | | [Activate using Key Management Service](activate-using-key-management-service-vamt.md) | Updated |
|-------------------------------------------------------------------------------------------|-------------| | [Windows 10 edition upgrade](windows-10-edition-upgrades.md) | Updated |
| [Activate using Key Management Service](activate-using-key-management-service-vamt.md) | Updated |
| [Windows 10 edition upgrade](windows-10-edition-upgrades.md) | Updated |
 
## November 2015 ## November 2015
| New or changed topic | Description |
|----------------------|-------------|
| New or changed topic | Description | | [Windows 10 edition upgrade](windows-10-edition-upgrades.md) | New |
|---------------------------------------------------------------|-------------|
| [Windows 10 edition upgrade](windows-10-edition-upgrades.md) | New |
 
## Related topics ## Related topics
- [Change history for What's new in Windows 10](../whats-new/change-history-for-what-s-new-in-windows-10.md)
- [Change history for Plan for Windows 10 deployment](../plan/change-history-for-plan-for-windows-10-deployment.md)
[Change history for What's new in Windows 10](../whats-new/change-history-for-what-s-new-in-windows-10.md) - [Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md)
- [Change history for Manage and update Windows 10](../manage/change-history-for-manage-and-update-windows-10.md)
[Change history for Plan for Windows 10 deployment](../plan/change-history-for-plan-for-windows-10-deployment.md)
[Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md)
[Change history for Manage and update Windows 10](../manage/change-history-for-manage-and-update-windows-10.md)
   

View File

@ -9,8 +9,6 @@ author: jdeckerMS
--- ---
# Configure Client Computers # Configure Client Computers
To enable the Volume Activation Management Tool (VAMT) to function correctly, certain configuration changes are required on all client computers: To enable the Volume Activation Management Tool (VAMT) to function correctly, certain configuration changes are required on all client computers:
- An exception must be set in the client computer's firewall. - An exception must be set in the client computer's firewall.
@ -22,11 +20,7 @@ Organizations where the VAMT will be widely used may benefit from making these c
**Important**   **Important**  
This procedure only applies to clients running Windows Vista or later. For clients running Windows XP Service Pack 1, see [Connecting Through Windows Firewall](http://go.microsoft.com/fwlink/p/?LinkId=182933). This procedure only applies to clients running Windows Vista or later. For clients running Windows XP Service Pack 1, see [Connecting Through Windows Firewall](http://go.microsoft.com/fwlink/p/?LinkId=182933).
 
## Configuring the Windows Firewall to allow VAMT access ## Configuring the Windows Firewall to allow VAMT access
Enable the VAMT to access client computers using the **Windows Firewall** Control Panel: Enable the VAMT to access client computers using the **Windows Firewall** Control Panel:
1. Open Control Panel and double-click **System and Security**. 1. Open Control Panel and double-click **System and Security**.
@ -41,23 +35,19 @@ Enable the VAMT to access client computers using the **Windows Firewall** Contro
6. Click **OK**. 6. Click **OK**.
**Warning**   **Warning**  
By default, Windows Firewall Exceptions only apply to traffic originating on the local subnet. To expand the exception to apply to multiple subnets, you need to change the exception settings in the Windows Firewall with Advanced Security, as described below. By default, Windows Firewall Exceptions only apply to traffic originating on the local subnet. To expand the exception to apply to multiple subnets, you need to change the exception settings in the Windows Firewall with Advanced Security, as described below.
 
## Configure Windows Firewall to allow VAMT access across multiple subnets ## Configure Windows Firewall to allow VAMT access across multiple subnets
Enable the VAMT to access client computers across multiple subnets using the **Windows Firewall with Advanced Security** Control Panel: Enable the VAMT to access client computers across multiple subnets using the **Windows Firewall with Advanced Security** Control Panel:
![vamt firewall configuration for multiple subnets](images/dep-win8-l-vamt-firewallconfigurationformultiplesubnets.gif) ![VAMT Firewall configuration for multiple subnets](images/dep-win8-l-vamt-firewallconfigurationformultiplesubnets.gif)
1. Open the Control Panel and double-click **Administrative Tools**. 1. Open the Control Panel and double-click **Administrative Tools**.
2. Click **Windows Firewall with Advanced Security**. 2. Click **Windows Firewall with Advanced Security**.
3. For each of the following three WMI items, for the applicable Network Profile (Domain, Public, Private), make the changes listed in steps a-c: 3. Make your changes for each of the following three WMI items, for the applicable Network Profile (Domain, Public, Private):
- Windows Management Instrumentation (ASync-In) - Windows Management Instrumentation (ASync-In)
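Review bot: the reworded step 3 ("Make your changes for each of the following three WMI items") no longer says which changes to make; the old wording pointed the reader at "steps a-c". Name the steps explicitly, for example "repeat the following steps for each of the three WMI rules", so it stays clear that the General, Scope and Advanced settings are applied per rule and per network profile.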
@ -65,28 +55,24 @@ Enable the VAMT to access client computers across multiple subnets using the **W
- Windows Management Instrumentation (WMI-In) - Windows Management Instrumentation (WMI-In)
1. In the **Windows Firewall with Advanced Security** dialog box, select **Inbound Rules** from the left-hand panel. 4. In the **Windows Firewall with Advanced Security** dialog box, select **Inbound Rules** from the left-hand panel.
2. Right-click the desired rule and select **Properties** to open the **Properties** dialog box. 5. Right-click the desired rule and select **Properties** to open the **Properties** dialog box.
3. On the **General** tab, select the **Allow the connection** checkbox. - On the **General** tab, select the **Allow the connection** checkbox.
4. On the **Scope** tab, change the Remote IP Address setting from "Local Subnet" (default) to allow the specific access you need. - On the **Scope** tab, change the Remote IP Address setting from "Local Subnet" (default) to allow the specific access you need.
5. On the **Advanced** tab, verify selection of all profiles that are applicable to the network (Domain or Private/Public). - On the **Advanced** tab, verify selection of all profiles that are applicable to the network (Domain or Private/Public).
In certain scenarios, only a limited set of TCP/IP ports are allowed through a hardware firewall. Administrators must ensure that WMI (which relies on RPC over TCP/IP) is allowed through these types of firewalls. By default, the WMI port is a dynamically allocated random port above 1024. The following Microsoft knowledge article discusses how administrators can limit the range of dynamically-allocated ports. This is useful if, for example, the hardware firewall only allows traffic in a certain range of ports. In certain scenarios, only a limited set of TCP/IP ports are allowed through a hardware firewall. Administrators must ensure that WMI (which relies on RPC over TCP/IP) is allowed through these types of firewalls. By default, the WMI port is a dynamically allocated random port above 1024. The following Microsoft knowledge article discusses how administrators can limit the range of dynamically-allocated ports. This is useful if, for example, the hardware firewall only allows traffic in a certain range of ports.
For more info, see [How to configure RPC dynamic port allocation to work with firewalls](http://go.microsoft.com/fwlink/p/?LinkId=182911). For more info, see [How to configure RPC dynamic port allocation to work with firewalls](http://go.microsoft.com/fwlink/p/?LinkId=182911).
## Create a registry value for the VAMT to access workgroup-joined computers ## Create a registry value for the VAMT to access workgroup-joined computer
**Caution**   **Caution**  
This section contains information about how to modify the registry. Make sure to back up the registry before you modify it; in addition, ensure that you know how to restore the registry, if a problem occurs. For more information about how to back up, restore, and modify the registry, see [Windows registry information for advanced users](http://go.microsoft.com/fwlink/p/?LinkId=182912). This section contains information about how to modify the registry. Make sure to back up the registry before you modify it; in addition, ensure that you know how to restore the registry, if a problem occurs. For more information about how to back up, restore, and modify the registry, see [Windows registry information for advanced users](http://go.microsoft.com/fwlink/p/?LinkId=182912).
 
On the client computer, create the following registry key using regedit.exe. On the client computer, create the following registry key using regedit.exe.
1. Navigate to `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system` 1. Navigate to `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system`
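Review bot: promoting the nested sub-steps to top-level steps 4 and 5 with unnumbered bullets loses the per-rule loop. As written, opening **Inbound Rules** and the rule **Properties** reads as a one-time action after the three WMI rules are listed, and "the desired rule" in step 5 has no clear referent. Keep the sub-steps nested under step 3, or state that steps 4 and 5 are repeated for each rule. The section heading also changed from "workgroup-joined computers" to "workgroup-joined computer", which looks unintended and alters the heading anchor. While this text is being edited, the **Scope** bullet ("to allow the specific access you need") could say to list only the VAMT host's address or subnets, so the WMI exception is not widened further than the tool requires.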
@ -99,14 +85,10 @@ On the client computer, create the following registry key using regedit.exe.
**Value Data: 1** **Value Data: 1**
**Note**   **Note**  
To discover VAMT-manageable Windows computers in workgroups, you must enable network discovery on each client. To discover VAMT-manageable Windows computers in workgroups, you must enable network discovery on each client.
 
## Deployment options ## Deployment options
There are several options for organizations to configure the WMI firewall exception for computers: There are several options for organizations to configure the WMI firewall exception for computers:
- **Image.** Add the configurations to the master Windows image deployed to all clients. - **Image.** Add the configurations to the master Windows image deployed to all clients.
@ -120,9 +102,7 @@ There are several options for organizations to configure the WMI firewall except
The above configurations will open an additional port through the Windows Firewall on target computers and should be performed on computers that are protected by a network firewall. In order to allow VAMT to query the up-to-date licensing status, the WMI exception must be maintained. We recommend administrators consult their network security policies and make clear decisions when creating the WMI exception. The above configurations will open an additional port through the Windows Firewall on target computers and should be performed on computers that are protected by a network firewall. In order to allow VAMT to query the up-to-date licensing status, the WMI exception must be maintained. We recommend administrators consult their network security policies and make clear decisions when creating the WMI exception.
## Related topics ## Related topics
- [Install and Configure VAMT](install-configure-vamt.md)
[Install and Configure VAMT](install-configure-vamt.md)
   

View File

@ -9,8 +9,6 @@ author: jdeckerMS
--- ---
# Import and Export VAMT Data # Import and Export VAMT Data
You can use the Volume Activation Management Tool (VAMT) to import product-activation data from a Computer Information List (.cilx or .cil) file into SQL Server, and to export product-activation data into a .cilx file. A .cilx file is an XML file that stores computer and product-activation data. You can import data or export data during the following scenarios: You can use the Volume Activation Management Tool (VAMT) to import product-activation data from a Computer Information List (.cilx or .cil) file into SQL Server, and to export product-activation data into a .cilx file. A .cilx file is an XML file that stores computer and product-activation data. You can import data or export data during the following scenarios:
- Import and merge data from previous versions of VAMT. - Import and merge data from previous versions of VAMT.
@ -20,12 +18,9 @@ You can use the Volume Activation Management Tool (VAMT) to import product-activ
**Warning**   **Warning**  
Editing a .cilx file using an application other than VAMT can corrupt the .cilx file and is not supported. Editing a .cilx file using an application other than VAMT can corrupt the .cilx file and is not supported.
 
## Import VAMT Data ## Import VAMT Data
**To import data into VAMT**
To import data into VAMT:
1. Open VAMT. 1. Open VAMT.
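Review bot: "**To import data into VAMT**" is now a bold line on its own directly under the "## Import VAMT Data" heading, where it repeats the heading and acts as a pseudo-heading. The Export section introduces its steps with a plain sentence ("To export product-activation data to a .cilx file:"). Use the same lead-in form in both sections; the plain sentence ending in a colon, as in the removed line, is the simpler choice.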
@ -36,8 +31,6 @@ To import data into VAMT:
4. In the **Volume Activation Management Tool** dialog box, click **OK** to begin the import. VAMT displays a progress message while the file is being imported. Click **OK** when a message appears and confirms that the import has completed successfully. 4. In the **Volume Activation Management Tool** dialog box, click **OK** to begin the import. VAMT displays a progress message while the file is being imported. Click **OK** when a message appears and confirms that the import has completed successfully.
## Export VAMT Data ## Export VAMT Data
Exporting VAMT data from a non-Internet-connected VAMT host computer is the first step of proxy activation using multiple VAMT hosts. To export product-activation data to a .cilx file: Exporting VAMT data from a non-Internet-connected VAMT host computer is the first step of proxy activation using multiple VAMT hosts. To export product-activation data to a .cilx file:
1. In the left-side pane, you can click a product you want to export data for, or click **Products** if the list contains data for all products. 1. In the left-side pane, you can click a product you want to export data for, or click **Products** if the list contains data for all products.
@ -61,15 +54,4 @@ Exporting VAMT data from a non-Internet-connected VAMT host computer is the firs
7. Click **Save**. VAMT displays a progress message while the data is being exported. Click **OK** when a message appears and confirms that the export has completed successfully. 7. Click **Save**. VAMT displays a progress message while the data is being exported. Click **OK** when a message appears and confirms that the export has completed successfully.
## Related topics ## Related topics
- [Perform Proxy Activation](proxy-activation-vamt.md)
[Perform Proxy Activation](proxy-activation-vamt.md)
 
 

View File

@ -9,82 +9,27 @@ author: CFaw
--- ---
# Deploy Windows 10 # Deploy Windows 10
Learn about deploying Windows 10 for IT professionals. Learn about deploying Windows 10 for IT professionals.
## In this section ## In this section
|Topic |Description |
<table> |------|------------|
<colgroup> |[Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md) |This topic lists new and updated topics in the Deploy Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md). |
<col width="50%" /> |[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) |To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task. |
<col width="50%" /> |[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically. |
</colgroup> |[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or, more specifically, MDT 2013 Update 2. |
<thead> |[Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) |The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Deployment Toolkit (MDT) 2013 Update 2 task sequence to completely automate the process. |
<tr class="header"> |[Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md) |The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process. |
<th align="left">Topic</th> |[Windows 10 edition upgrade](windows-10-edition-upgrades.md) |With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. |
<th align="left">Description</th> |[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](../plan/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](../plan/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. |
</tr> |[Update Windows 10 images with provisioning packages](update-windows-10-images-with-provisioning-packages.md) |Use a provisioning package to apply settings, profiles, and file assets to a Windows 10 image. |
</thead> |[Sideload apps in Windows 10](sideload-apps-in-windows-10.md) |Sideload line-of-business apps in Windows 10. |
<tbody> |[Volume Activation [client]](volume-activation-windows-10.md) |This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows. |
<tr class="odd"> |[Windows 10 deployment tools reference](windows-10-deployment-tools-reference.md) |Learn about the tools available to deploy Windows 10. |
<td align="left"><p>[Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md)</p></td>
<td align="left"><p>This topic lists new and updated topics in the Deploy Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md).</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)</p></td>
<td align="left"><p>To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md)</p></td>
<td align="left"><p>This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md)</p></td>
<td align="left"><p>If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or, more specifically, MDT 2013 Update 2.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)</p></td>
<td align="left"><p>The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Deployment Toolkit (MDT) 2013 Update 2 task sequence to completely automate the process.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md)</p></td>
<td align="left"><p>The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Windows 10 edition upgrade](windows-10-edition-upgrades.md)</p></td>
<td align="left"><p>With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Deploy Windows To Go in your organization](deploy-windows-to-go.md)</p></td>
<td align="left"><p>This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](../plan/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](../plan/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Update Windows 10 images with provisioning packages](update-windows-10-images-with-provisioning-packages.md)</p></td>
<td align="left"><p>Use a provisioning package to apply settings, profiles, and file assets to a Windows 10 image.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Sideload apps in Windows 10](sideload-apps-in-windows-10.md)</p></td>
<td align="left"><p>Sideload line-of-business apps in Windows 10.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Volume Activation [client]](volume-activation-windows-10.md)</p></td>
<td align="left"><p>This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Windows 10 deployment tools reference](windows-10-deployment-tools-reference.md)</p></td>
<td align="left"><p>Learn about the tools available to deploy Windows 10.</p></td>
</tr>
</tbody>
</table>
 
## Related topics ## Related topics
- [Windows 10 and Windows 10 Mobile](../index.md)
[Windows 10 and Windows 10 Mobile](../index.md)
   

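Review bot: the link target in the "Upgrade to Windows 10 with System Center Configuration Manager" row is spelled "upgrade-to-windows-10-with-system-center-configuraton-manager.md" ("configuraton"). It was carried over unchanged from the HTML table, so confirm that it matches the file name in the repository; if the file is ever renamed to the correct spelling, this link breaks silently. Also check that "[Volume Activation [client]](volume-activation-windows-10.md)" still renders as a link now that it sits inside a pipe table, because the nested square brackets in the link text are easy for some Markdown renderers to mis-parse.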
View File

@ -9,40 +9,17 @@ author: jdeckerMS
--- ---
# Install and Configure VAMT # Install and Configure VAMT
This section describes how to install and configure the Volume Activation Management Tool (VAMT). This section describes how to install and configure the Volume Activation Management Tool (VAMT).
## In this Section ## In this Section
|Topic |Description |
|------|------------|
<table> |[VAMT Requirements](vamt-requirements.md) |Provides system requirements for installing VAMT on a host computer. |
<colgroup> |[Install VAMT](install-vamt.md) |Describes how to get and install VAMT. |
<col width="50%" /> |[Configure Client Computers](configure-client-computers-vamt.md) |Describes how to configure client computers on your network to work with VAMT. |
<col width="50%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p>[VAMT Requirements](vamt-requirements.md)</p></td>
<td align="left"><p>Provides system requirements for installing VAMT on a host computer.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Install VAMT](install-vamt.md)</p></td>
<td align="left"><p>Describes how to get and install VAMT.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Configure Client Computers](configure-client-computers-vamt.md)</p></td>
<td align="left"><p>Describes how to configure client computers on your network to work with VAMT.</p></td>
</tr>
</tbody>
</table>
 
## Related topics ## Related topics
- [Introduction to VAMT](introduction-vamt.md)
[Introduction to VAMT](introduction-vamt.md)
   

View File

@ -9,14 +9,12 @@ author: jdeckerMS
--- ---
# Install a KMS Client Key # Install a KMS Client Key
You can use the Volume Activation Management Tool (VAMT) to install Generic Volume License Key (GVLK), or KMS client, product keys. For example, if you are converting a MAK-activated product to KMS activation. You can use the Volume Activation Management Tool (VAMT) to install Generic Volume License Key (GVLK), or KMS client, product keys. For example, if you are converting a MAK-activated product to KMS activation.
**Note**   **Note**  
By default, volume license editions of Windows Vista, Windows® 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. GVLKs are already installed in volume license editions of these products. By default, volume license editions of Windows Vista, Windows® 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. GVLKs are already installed in volume license editions of these products.
  **To install a KMS Client key**
1. Open VAMT. 1. Open VAMT.
@ -38,20 +36,9 @@ By default, volume license editions of Windows Vista, Windows® 7, Windows 8,
8. Select the **Automatically select an AD or KMS client key** option and then click **Install Key**. 8. Select the **Automatically select an AD or KMS client key** option and then click **Install Key**.
VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears.
The same status is shown under the **Status of Last Action** column in the product list view in the center pane. The same status is shown under the **Status of Last Action** column in the product list view in the center pane.
## Related topics ## Related topics
- [Perform KMS Activation](kms-activation-vamt.md)
[Perform KMS Activation](kms-activation-vamt.md)
 
 

View File

@ -9,10 +9,10 @@ author: jdeckerMS
--- ---
# Install a Product Key # Install a Product Key
You can use the Volume Activation Management Tool (VAMT) to install retail, Multiple Activation Key (MAK), and KMS Host key (CSVLK). You can use the Volume Activation Management Tool (VAMT) to install retail, Multiple Activation Key (MAK), and KMS Host key (CSVLK).
**To install a Product key**
1. Open VAMT. 1. Open VAMT.
2. In the left-side pane, click the product that you want to install keys onto. 2. In the left-side pane, click the product that you want to install keys onto.
@ -37,15 +37,11 @@ You can use the Volume Activation Management Tool (VAMT) to install retail, Mult
The same status is shown under the **Status of Last Action** column in the product list view in the center pane. The same status is shown under the **Status of Last Action** column in the product list view in the center pane.
**Note**   **Note**  
Product key installation will fail if VAMT finds mismatched key types or editions. VAMT will display the failure status and will continue the installation for the next product in the list. For more information on choosing the correct MAK or KMS Host key (CSVLK), see [How to Choose the Right Volume License Key for Windows](http://go.microsoft.com/fwlink/p/?linkid=238382). Product key installation will fail if VAMT finds mismatched key types or editions. VAMT will display the failure status and will continue the installation for the next product in the list. For more information on choosing the correct MAK or KMS Host key (CSVLK), see [How to Choose the Right Volume License Key for Windows](http://go.microsoft.com/fwlink/p/?linkid=238382).
 
## Related topics ## Related topics
- [Manage Product Keys](manage-product-keys-vamt.md)
[Manage Product Keys](manage-product-keys-vamt.md)
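Review bot: The Note retained in this hunk links to "How to Choose the Right Volume License Key for Windows" over plain http (http://go.microsoft.com/fwlink/p/?linkid=238382). Since the file is being cleaned up anyway, switch the link to https.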
   

View File

@ -9,39 +9,26 @@ author: jdeckerMS
--- ---
# Install VAMT # Install VAMT
This topic describes how to install the Volume Activation Management Tool (VAMT). This topic describes how to install the Volume Activation Management Tool (VAMT).
## Install VAMT ## Install VAMT
You can install VAMT as part of the [Windows Assessment and Deployment Kit (ADK)](http://go.microsoft.com/fwlink/p/?LinkId=526740) for Windows 10. You can install VAMT as part of the [Windows Assessment and Deployment Kit (ADK)](http://go.microsoft.com/fwlink/p/?LinkId=526740) for Windows 10.
**Important**   **Important**  
VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer and you do not have administrator privileges, start VAMT with elevated privileges. For Active Directory-Based Activation use, for best results we recommend running VAMT while logged on as a domain administrator. VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer and you do not have administrator privileges, start VAMT with elevated privileges. For Active Directory-Based Activation use, for best results we recommend running VAMT while logged on as a domain administrator. 
 
**Note**   **Note**  
The VAMT Microsoft Management Console snap-in ships as an x86 package. The VAMT Microsoft Management Console snap-in ships as an x86 package.
 
**Note**  
After you install VAMT, if you have a computer information list (CIL) that was created in a previous version of VAMT, you must import the list into a SQL database. If you do not have SQL installed, you can download a free copy of Microsoft SQL Server Express and create a new database into which you can import the CIL. To install SQL Server Express: After you install VAMT, if you have a computer information list (CIL) that was created in a previous version of VAMT, you must import the list into a SQL database. If you do not have SQL installed, you can download a free copy of Microsoft SQL Server Express and create a new database into which you can import the CIL. To install SQL Server Express:
1. Install the Windows ADK. 1. Install the Windows ADK.
2. Ensure that **Volume Activation Management Tool** and **Microsoft® SQL Server® 2012 Express** are selected to be installed. 2. Ensure that **Volume Activation Management Tool** and **Microsoft® SQL Server® 2012 Express** are selected to be installed.
3. Click **Install**. 3. Click **Install**.
 
## Select a Database ## Select a Database
**Using a SQL database installed during ADK setup** **Using a SQL database installed during ADK setup**
If SQL Server 2012 Express was installed during ADK setup, the default database name will be **ADK**.By default, VAMT is configure to use a SQL database that is installed on the local machine during ADK setup and displays the server name as **.\\ADK**. If the SQL database was installed on another machine, you must configure the database to allow remote connections and you must provide the corresponding server name. If a new VAMT database needs to be created, provide a name for the new database. If SQL Server 2012 Express was installed during ADK setup, the default database name will be **ADK**.By default, VAMT is configure to use a SQL database that is installed on the local machine during ADK setup and displays the server name as **.\\ADK**. If the SQL database was installed on another machine, you must configure the database to allow remote connections and you must provide the corresponding server name. If a new VAMT database needs to be created, provide a name for the new database.
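Review bot: The paragraph under **Using a SQL database installed during ADK setup** still reads "**ADK**.By default, VAMT is configure to use", which is missing the space after the period and should say "is configured to use"; fix it in this cleanup pass. The Windows ADK download link earlier in the same hunk is also plain http and could move to https.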
@ -51,8 +38,6 @@ If SQL Server 2012 Express was installed during ADK setup, the default database
You must configure SQL installation to allow remote connections and you must provide the corresponding server name in the format: *Machine Name\\SQL Server Name*. If a new VAMT database needs to be created, provide a name for the new database. You must configure SQL installation to allow remote connections and you must provide the corresponding server name in the format: *Machine Name\\SQL Server Name*. If a new VAMT database needs to be created, provide a name for the new database.
## Uninstall VAMT ## Uninstall VAMT
To uninstall VAMT via the **Programs and Features** Control Panel: To uninstall VAMT via the **Programs and Features** Control Panel:
1. Open the **Control Panel** and select **Programs and Features**. 1. Open the **Control Panel** and select **Programs and Features**.
@ -60,9 +45,7 @@ To uninstall VAMT via the **Programs and Features** Control Panel:
2. Select **Assessment and Deployment Kit** from the list of installed programs and click **Change**. Follow the instructions in the Windows ADK installer to remove VAMT. 2. Select **Assessment and Deployment Kit** from the list of installed programs and click **Change**. Follow the instructions in the Windows ADK installer to remove VAMT.
## Related topics ## Related topics
- [Install and Configure VAMT](install-configure-vamt.md)
[Install and Configure VAMT](install-configure-vamt.md)
   

View File

@ -9,18 +9,12 @@ author: jdeckerMS
--- ---
# Introduction to VAMT # Introduction to VAMT
The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office®, and select other Microsoft products volume and retail activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in and can be installed on any computer that has one of the following Windows operating systems: Windows® 7, Windows 8, Windows 8.1, Windows 10,Windows Server 2008 R2, or Windows Server 2012. The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office®, and select other Microsoft products volume and retail activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in and can be installed on any computer that has one of the following Windows operating systems: Windows® 7, Windows 8, Windows 8.1, Windows 10,Windows Server 2008 R2, or Windows Server 2012.
**Note**   **Note**  
VAMT can be installed on, and can manage, physical or virtual instances. VAMT cannot detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated. VAMT can be installed on, and can manage, physical or virtual instances. VAMT cannot detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated.
 
## In this Topic ## In this Topic
- [Managing Multiple Activation Key (MAK) and Retail Activation](#bkmk-managingmak) - [Managing Multiple Activation Key (MAK) and Retail Activation](#bkmk-managingmak)
- [Managing Key Management Service (KMS) Activation](#bkmk-managingkms) - [Managing Key Management Service (KMS) Activation](#bkmk-managingkms)
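Review bot: In the opening paragraph the operating system list reads "Windows 10,Windows Server 2008 R2" with no space after the comma; add it while the paragraph is in the diff.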
@ -29,39 +23,31 @@ VAMT can be installed on, and can manage, physical or virtual instances. VAMT ca
- [VAMT User Interface](#bkmk-userinterface) - [VAMT User Interface](#bkmk-userinterface)
## <a href="" id="bkmk-managingmak"></a>Managing Multiple Activation Key (MAK) and Retail Activation ## Managing Multiple Activation Key (MAK) and Retail Activation
You can use a MAK or a retail product key to activate Windows, Windows Server, or Office on an individual computer or a group of computers. VAMT enables two different activation scenarios: You can use a MAK or a retail product key to activate Windows, Windows Server, or Office on an individual computer or a group of computers. VAMT enables two different activation scenarios:
- **Online activation.** Many enterprises maintain a single Windows system image or Office installation package for deployment across the enterprise. Occasionally there is also a need to use retail product keys in special situations. Online activation enables you to activate over the Internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft. - **Online activation.** Many enterprises maintain a single Windows system image or Office installation package for deployment across the enterprise. Occasionally there is also a need to use retail product keys in special situations. Online activation enables you to activate over the Internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft.
- **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is completely isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host. - **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is completely isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host.
## <a href="" id="bkmk-managingkms"></a>Managing Key Management Service (KMS) Activation ## Managing Key Management Service (KMS) Activation
In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 as well as Microsoft Office 2010. In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 as well as Microsoft Office 2010.
VAMT treats a KMS Host key (CSVLK) product key identically to a retail-type product key; therefore, the experience for product key entry and activation management are identical for both these product key types. VAMT treats a KMS Host key (CSVLK) product key identically to a retail-type product key; therefore, the experience for product key entry and activation management are identical for both these product key types.
## <a href="" id="bkmk-enterpriseenvironment"></a>Enterprise Environment ## Enterprise Environment
VAMT is commonly implemented in enterprise environments. The following illustrates three common environments—Core Network, Secure Zone, and Isolated Lab. VAMT is commonly implemented in enterprise environments. The following illustrates three common environments—Core Network, Secure Zone, and Isolated Lab.
![vamt in the enterprise](images/dep-win8-l-vamt-image001-enterprise.jpg) ![VAMT in the enterprise](images/dep-win8-l-vamt-image001-enterprise.jpg)
In the Core Network environment, all computers are within a common network managed by Active Directory® Domain Services (AD DS). The Secure Zone represents higher-security Core Network computers that have additional firewall protection. In the Core Network environment, all computers are within a common network managed by Active Directory® Domain Services (AD DS). The Secure Zone represents higher-security Core Network computers that have additional firewall protection.
The Isolated Lab environment is a workgroup that is physically separate from the Core Network, and its computers do not have Internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the Isolated Lab. The Isolated Lab environment is a workgroup that is physically separate from the Core Network, and its computers do not have Internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the Isolated Lab.
## <a href="" id="bkmk-userinterface"></a>VAMT User Interface ## VAMT User Interface
The following screenshot shows the VAMT graphical user interface. The following screenshot shows the VAMT graphical user interface.
![screenshot of the vamt user interface](images/vamtuserinterfaceupdated.jpg) ![VAMT user interface](images/vamtuserinterfaceupdated.jpg)
VAMT provides a single, graphical user interface for managing activations, and for performing other activation-related tasks such as: VAMT provides a single, graphical user interface for managing activations, and for performing other activation-related tasks such as:
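Review bot: The four headings in this hunk drop their `<a href="" id="bkmk-..."></a>` anchors, but the "In this Topic" list still links to #bkmk-managingmak, #bkmk-managingkms and #bkmk-userinterface, so those in-page links stop resolving unless the build generates matching ids. Either keep the explicit anchors or repoint the list entries at whatever heading ids the renderer produces.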
@ -76,9 +62,7 @@ VAMT provides a single, graphical user interface for managing activations, and f
- **Managing activation data.** VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format. - **Managing activation data.** VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format.
## Related topics ## Related topics
- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md)
[VAMT Step-by-Step Scenarios](vamt-step-by-step.md)
   

View File

@ -9,13 +9,9 @@ author: jdeckerMS
--- ---
# Perform KMS Activation # Perform KMS Activation
The Volume Activation Management Tool (VAMT) can be used to perform volume activation using the Key Management Service (KMS). You can use VAMT to activate Generic Volume Licensing Keys, or KMS client keys, on products accessible to VAMT. GVLKs are the default product keys used by the volume-license editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft Office 2010. GVLKs are already installed in volume-license editions of these products. The Volume Activation Management Tool (VAMT) can be used to perform volume activation using the Key Management Service (KMS). You can use VAMT to activate Generic Volume Licensing Keys, or KMS client keys, on products accessible to VAMT. GVLKs are the default product keys used by the volume-license editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft Office 2010. GVLKs are already installed in volume-license editions of these products.
## Requirements ## Requirements
Before configuring KMS activation, ensure that your network and VAMT installation meet the following requirements: Before configuring KMS activation, ensure that your network and VAMT installation meet the following requirements:
- KMS host is set up and enabled. - KMS host is set up and enabled.
@ -28,8 +24,9 @@ Before configuring KMS activation, ensure that your network and VAMT installatio
- VAMT has administrative permissions on all computers to be activated, and Windows Management Instrumentation (WMI) is accessible through the Windows Firewall. For more information, see [Configure Client Computers](configure-client-computers-vamt.md). - VAMT has administrative permissions on all computers to be activated, and Windows Management Instrumentation (WMI) is accessible through the Windows Firewall. For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
## To configure computers for KMS activation ## To configure devices for KMS activation
**To configure devices for KMS activation**
1. Open VAMT. 1. Open VAMT.
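Review bot: The new bold lead-in "**To configure devices for KMS activation**" repeats the H2 directly above it word for word; keep one of the two. The rename from "computers" to "devices" also leaves the Requirements bullet just above saying "all computers to be activated", so settle on one term for the topic.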

View File

@ -9,8 +9,6 @@ author: jdeckerMS
--- ---
# Perform Local Reactivation # Perform Local Reactivation
If you reinstall Windows® or Microsoft® Office 2010 on a computer that was initially activated using proxy activation (MAK, retail, or CSLVK (KMS host)), and have not made significant changes to the hardware, use this local reactivation procedure to reactivate the program on that computer. If you reinstall Windows® or Microsoft® Office 2010 on a computer that was initially activated using proxy activation (MAK, retail, or CSLVK (KMS host)), and have not made significant changes to the hardware, use this local reactivation procedure to reactivate the program on that computer.
Local reactivation relies upon data that was created during the initial proxy activation and stored in the Volume Activation Management Tool (VAMT) database. The database contains the installation ID (IID) and confirmation ID (Pending CID). Local reactivation uses this data to reapply the CID and reactivate those products. Reapplying the same CID conserves the remaining activations on the key. Local reactivation relies upon data that was created during the initial proxy activation and stored in the Volume Activation Management Tool (VAMT) database. The database contains the installation ID (IID) and confirmation ID (Pending CID). Local reactivation uses this data to reapply the CID and reactivate those products. Reapplying the same CID conserves the remaining activations on the key.
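Review bot: The first paragraph spells the KMS host key abbreviation "CSLVK", while the other topics in this commit use "CSVLK"; correct it here since the paragraph is already in the hunk.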
@ -18,10 +16,9 @@ Local reactivation relies upon data that was created during the initial proxy ac
**Note**   **Note**  
During the initial proxy activation, the CID is bound to a digital “fingerprint”, which is calculated from values assigned to several different hardware components in the computer. If the computer has had significant hardware changes, this fingerprint will no longer match the CID. In this case, you must obtain a new CID for the computer from Microsoft. During the initial proxy activation, the CID is bound to a digital “fingerprint”, which is calculated from values assigned to several different hardware components in the computer. If the computer has had significant hardware changes, this fingerprint will no longer match the CID. In this case, you must obtain a new CID for the computer from Microsoft.
 
## To Perform a Local Reactivation ## To Perform a Local Reactivation
**To perform a local reactivation**
1. Open VAMT. Make sure that you are connected to the desired database. 1. Open VAMT. Make sure that you are connected to the desired database.
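Review bot: "**To perform a local reactivation**" is added directly under the unchanged heading "## To Perform a Local Reactivation", so the page now states the same title twice in a row. Drop the bold line or remove the heading, whichever matches the pattern chosen for the other VAMT topics.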
@ -43,7 +40,7 @@ During the initial proxy activation, the CID is bound to a digital “fingerprin
8. If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and click **OK**. 8. If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and click **OK**.
9. VAMT displays the **Apply Confirmation ID** dialog box. VAMT displays the **Apply Confirmation ID** dialog box.
10. If you are using a different product key than the product key used for initial activation, you must complete a new activation to obtain a new CID. 10. If you are using a different product key than the product key used for initial activation, you must complete a new activation to obtain a new CID.
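Review bot: Step 9 loses its list number on the new side ("VAMT displays the **Apply Confirmation ID** dialog box.") while the following step is still written as "10.". If the sentence is meant as the result of step 8, indent it under step 8 and renumber the later steps; otherwise keep the "9.".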
@ -52,15 +49,4 @@ During the initial proxy activation, the CID is bound to a digital “fingerprin
12. Click **OK**. 12. Click **OK**.
## Related topics ## Related topics
- [Manage Activations](manage-activations-vamt.md)
[Manage Activations](manage-activations-vamt.md)
 
 

View File

@ -9,45 +9,18 @@ author: jdeckerMS
--- ---
# Manage Activations # Manage Activations
This section describes how to activate a client computer, by using a variety of activation methods. This section describes how to activate a client computer, by using a variety of activation methods.
## In this Section ## In this Section
|Topic |Description |
<table> |------|------------|
<colgroup> |[Perform Online Activation](online-activation-vamt.md) |Describes how to activate a client computer over the Internet. |
<col width="50%" /> |[Perform Proxy Activation](proxy-activation-vamt.md) |Describes how to perform volume activation for client products that do not have Internet access. |
<col width="50%" /> |[Perform KMS Activation](kms-activation-vamt.md) |Describes how perform volume activation using the Key Management Service (KMS). |
</colgroup> |[Perform Local Reactivation](local-reactivation-vamt.md) |Describes how to reactivate an operating system or Office program that was reinstalled. |
<tbody> |[Activate an Active Directory Forest Online](activate-forest-vamt.md) |Describes how to use Active Directory-Based Activation to online activate an Active Directory forest. |
<tr class="odd"> |[Activate by Proxy an Active Directory Forest](activate-forest-by-proxy-vamt.md) |Describes how to use Active Directory-Based Activation to proxy activate an Active Directory forest that is not connected to the Internet. |
<td align="left"><p>[Perform Online Activation](online-activation-vamt.md)</p></td>
<td align="left"><p>Describes how to activate a client computer over the Internet.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Perform Proxy Activation](proxy-activation-vamt.md)</p></td>
<td align="left"><p>Describes how to perform volume activation for client products that do not have Internet access.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Perform KMS Activation](kms-activation-vamt.md)</p></td>
<td align="left"><p>Describes how perform volume activation using the Key Management Service (KMS).</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Perform Local Reactivation](local-reactivation-vamt.md)</p></td>
<td align="left"><p>Describes how to reactivate an operating system or Office program that was reinstalled.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Activate an Active Directory Forest Online](activate-forest-vamt.md)</p></td>
<td align="left"><p>Describes how to use Active Directory-Based Activation to online activate an Active Directory forest.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Activate by Proxy an Active Directory Forest](activate-forest-by-proxy-vamt.md)</p></td>
<td align="left"><p>Describes how to use Active Directory-Based Activation to proxy activate an Active Directory forest that is not connected to the Internet.</p></td>
</tr>
</tbody>
</table>
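Review bot: The new table row for "Perform KMS Activation" carries over "Describes how perform volume activation", which is missing "to". Fix it in the Markdown row instead of porting the typo from the HTML table.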
   

View File

@ -9,34 +9,15 @@ author: jdeckerMS
--- ---
# Manage Product Keys # Manage Product Keys
This section describes how to add and remove a product key from the Volume Activation Management Tool (VAMT). After you add a product key to VAMT, you can install that product key on a product or products you select in the VAMT database. This section describes how to add and remove a product key from the Volume Activation Management Tool (VAMT). After you add a product key to VAMT, you can install that product key on a product or products you select in the VAMT database.
## In this Section ## In this Section
|Topic |Description |
<table> |------|------------|
<colgroup> |[Add and Remove a Product Key](add-remove-product-key-vamt.md) |Describes how to add a product key to the VAMT database. |
<col width="50%" /> |[Install a Product Key](install-product-key-vamt.md) |Describes how to install a product key for specific product. |
<col width="50%" /> |[Install a KMS Client Key](install-kms-client-key-vamt.md) |Describes how to install a GVLK (KMS client) key. |
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p>[Add and Remove a Product Key](add-remove-product-key-vamt.md)</p></td>
<td align="left"><p>Describes how to add a product key to the VAMT database.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Install a Product Key](install-product-key-vamt.md)</p></td>
<td align="left"><p>Describes how to install a product key for specific product.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Install a KMS Client Key](install-kms-client-key-vamt.md)</p></td>
<td align="left"><p>Describes how to install a GVLK (KMS client) key.</p></td>
</tr>
</tbody>
</table>
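Review bot: The "Install a Product Key" row in the new table reads "Describes how to install a product key for specific product."; it should be "for a specific product". Correct it in the Markdown row while the table is being rewritten.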
   
   

View File

@ -9,37 +9,11 @@ author: jdeckerMS
--- ---
# Manage VAMT Data # Manage VAMT Data
This section describes how to save, import, export, and merge a Computer Information List (CILX) file using the Volume Activation Management Tool (VAMT). This section describes how to save, import, export, and merge a Computer Information List (CILX) file using the Volume Activation Management Tool (VAMT).
## In this Section ## In this Section
|Topic |Description |
<table> |------|------------|
<colgroup> |[Import and Export VAMT Data](import-export-vamt-data.md) |Describes how to import and export VAMT data. |
<col width="50%" /> |[Use VAMT in Windows PowerShell](use-vamt-in-windows-powershell.md) |Describes how to access Windows PowerShell and how to import the VAMT PowerShell module. |
<col width="50%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p>[Import and Export VAMT Data](import-export-vamt-data.md)</p></td>
<td align="left"><p>Describes how to import and export VAMT data.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Use VAMT in Windows PowerShell](use-vamt-in-windows-powershell.md)</p></td>
<td align="left"><p>Describes how to access Windows PowerShell and how to import the VAMT PowerShell module.</p></td>
</tr>
</tbody>
</table>
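Review bot: The intro sentence above the new table says this section covers saving, importing, exporting and merging a CILX file, but the table's second row points to "Use VAMT in Windows PowerShell", which the intro never mentions, and no row covers save or merge. Extend the intro or adjust the topic list so the two agree.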
 
 
 

View File

@ -10,8 +10,6 @@ author: CFaw
--- ---
# Monitor activation # Monitor activation
**Applies to** **Applies to**
- Windows 10 - Windows 10
@ -41,8 +39,6 @@ You can monitor the success of the activation process for a computer running Win
- The VAMT provides a single site from which to manage and monitor volume activations. This is explained in the next section. - The VAMT provides a single site from which to manage and monitor volume activations. This is explained in the next section.
## See also ## See also
- [Volume Activation for Windows 10](volume-activation-windows-10.md) - [Volume Activation for Windows 10](volume-activation-windows-10.md)
   

View File

@ -9,13 +9,9 @@ author: jdeckerMS
--- ---
# Perform Online Activation # Perform Online Activation
You can use the Volume Activation Management Tool (VAMT) to enable client products to be activated over the Internet. You can install the client products with any kind of product key that is eligible for online activation—Multiple Activation Key (MAK), retail, and Windows Key Management Services (KMS) host key. You can use the Volume Activation Management Tool (VAMT) to enable client products to be activated over the Internet. You can install the client products with any kind of product key that is eligible for online activation—Multiple Activation Key (MAK), retail, and Windows Key Management Services (KMS) host key.
## Requirements ## Requirements
Before performing online activation, ensure that the network and the VAMT installation meet the following requirements: Before performing online activation, ensure that the network and the VAMT installation meet the following requirements:
- VAMT is installed on a central computer that has network access to all client computers. - VAMT is installed on a central computer that has network access to all client computers.
@ -29,7 +25,7 @@ Before performing online activation, ensure that the network and the VAMT instal
The product keys that are installed on the client products must have a sufficient number of remaining activations. If you are activating a MAK key, you can retrieve the remaining number of activations for that key by selecting the MAK in the product key list in the center pane and then clicking **Refresh product key data online** in the right-side pane. This retrieves the number of remaining activations for the MAK from Microsoft. Note that this step requires Internet access and that the remaining activation count can only be retrieved for MAKs. The product keys that are installed on the client products must have a sufficient number of remaining activations. If you are activating a MAK key, you can retrieve the remaining number of activations for that key by selecting the MAK in the product key list in the center pane and then clicking **Refresh product key data online** in the right-side pane. This retrieves the number of remaining activations for the MAK from Microsoft. Note that this step requires Internet access and that the remaining activation count can only be retrieved for MAKs.
## To Perform an Online Activation ## To Perform an Online Activation
**To perform an online activation**
1. Open VAMT. 1. Open VAMT.
@ -51,28 +47,13 @@ The product keys that are installed on the client products must have a sufficien
8. VAMT displays the **Activating products** dialog box until it completes the requested action. When activation is complete, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. 8. VAMT displays the **Activating products** dialog box until it completes the requested action. When activation is complete, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears.
The same status is shown under the **Status of Last Action** column in the products list view in the center pane. The same status is shown under the **Status of Last Action** column in the products list view in the center pane.
**Note**   **Note**  
Online activation does not enable you to save the Confirmation IDs (CIDs). As a result, you cannot perform local reactivation. Online activation does not enable you to save the Confirmation IDs (CIDs). As a result, you cannot perform local reactivation.
  **Note**
You can use online activation to select products that have different key types and activate the products at the same time.
**Note**  
You can use online activation to select products that have different key types and activate the products at the same time.
 
## Related topics ## Related topics
- [Manage Activations](manage-activations-vamt.md)
[Manage Activations](manage-activations-vamt.md)
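Review bot: On the new side the second "**Note**" follows the first note's text ("As a result, you cannot perform local reactivation.") with no blank line between them, and it no longer carries the trailing spaces that the first "**Note**" line keeps, so as shown here Markdown will fold both notes into a single paragraph. Keep a blank line between the two notes and end the second "**Note**" line the same way as the first.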
 
 

View File

@ -10,8 +10,6 @@ author: jdeckerMS
--- ---
# Plan for volume activation # Plan for volume activation
**Applies to** **Applies to**
- Windows 10 - Windows 10
@ -33,27 +31,20 @@ During the activation process, information about the specific installation is ex
**Note**   **Note**  
The IP address is used only to verify the location of the request, because some editions of Windows (such as “Starter” editions) can only be activated within certain geographical target markets. The IP address is used only to verify the location of the request, because some editions of Windows (such as “Starter” editions) can only be activated within certain geographical target markets.
 
## Distribution channels and activation ## Distribution channels and activation
In general, Microsoft software is obtained through three main channels: retail, original equipment manufacturer (OEM), and volume licensing agreements. Different activations methods are available through each channel. Because organizations are free to obtain software through multiple channels (for example, buying some at retail and others through a volume licensing program) most organizations choose to use a combination of activation methods. In general, Microsoft software is obtained through three main channels: retail, original equipment manufacturer (OEM), and volume licensing agreements. Different activations methods are available through each channel. Because organizations are free to obtain software through multiple channels (for example, buying some at retail and others through a volume licensing program) most organizations choose to use a combination of activation methods.
### Retail activations ### Retail activations
The retail activation method has not changed in several versions of Windows and Windows Server. Each purchased copy comes with one unique product key (often referred to as a retail key). The user enters this key during product installation. The computer uses this retail key to complete the activation after the installation is complete. Most activations are performed online, but telephone activation is also available. The retail activation method has not changed in several versions of Windows and Windows Server. Each purchased copy comes with one unique product key (often referred to as a retail key). The user enters this key during product installation. The computer uses this retail key to complete the activation after the installation is complete. Most activations are performed online, but telephone activation is also available.
Recently, retail keys have been expanded into new distribution scenarios. Product key cards are available to activate products that have been preinstalled or downloaded. Programs such as Windows Anytime Upgrade and Get Genuine allow users to acquire legal keys separately from the software. These electronically distributed keys may come with media that contains software, they can come as a software shipment, or they may be provided on a printed card or electronic copy. Products are activated the same way with any of these retail keys. Recently, retail keys have been expanded into new distribution scenarios. Product key cards are available to activate products that have been preinstalled or downloaded. Programs such as Windows Anytime Upgrade and Get Genuine allow users to acquire legal keys separately from the software. These electronically distributed keys may come with media that contains software, they can come as a software shipment, or they may be provided on a printed card or electronic copy. Products are activated the same way with any of these retail keys.
### Original equipment manufacturer ### Original equipment manufacturer
Most original equipment manufacturers (OEMs) sell systems that include a standard build of the Windows operating system. The hardware vendor activates Windows by associating the operating system with the firmware (BIOS) of the computer. This occurs before the computer is sent to the customer, and no additional actions are required. Most original equipment manufacturers (OEMs) sell systems that include a standard build of the Windows operating system. The hardware vendor activates Windows by associating the operating system with the firmware (BIOS) of the computer. This occurs before the computer is sent to the customer, and no additional actions are required.
OEM activation is valid as long as the customer uses the OEM-provided image on the system. OEM activation is available only for computers that are purchased through OEM channels and have the Windows operating system preinstalled. OEM activation is valid as long as the customer uses the OEM-provided image on the system. OEM activation is available only for computers that are purchased through OEM channels and have the Windows operating system preinstalled.
### Volume licensing ### Volume licensing
Volume licensing offers customized programs that are tailored to the size and purchasing preference of the organization. To become a volume licensing customer, the organization must set up a volume licensing agreement with Microsoft.There is a common misunderstanding about acquiring licenses for a new computer through volume licensing. There are two legal ways to acquire a full Windows client license for a new computer: Volume licensing offers customized programs that are tailored to the size and purchasing preference of the organization. To become a volume licensing customer, the organization must set up a volume licensing agreement with Microsoft.There is a common misunderstanding about acquiring licenses for a new computer through volume licensing. There are two legal ways to acquire a full Windows client license for a new computer:
- Have the license preinstalled through the OEM. - Have the license preinstalled through the OEM.
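Review bot: Two typos survive in the context lines of this hunk and are worth fixing in the same pass: "Different activations methods" in the Distribution channels paragraph should be "Different activation methods", and the Volume licensing paragraph runs two sentences together at "agreement with Microsoft.There is a common misunderstanding" (missing space after the period).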
@ -67,11 +58,7 @@ Volume licensing is also available through certain subscription or membership pr
**Note**   **Note**  
Some editions of the operating system, such as Windows 10 Enterprise, and some editions of application software are available only through volume licensing agreements or subscriptions. Some editions of the operating system, such as Windows 10 Enterprise, and some editions of application software are available only through volume licensing agreements or subscriptions.
 
## Activation models ## Activation models
For a user or IT department, there are no significant choices about how to activate products that are acquired through retail or OEM channels. The OEM performs the activation at the factory, and the user or the IT department need take no activation steps. For a user or IT department, there are no significant choices about how to activate products that are acquired through retail or OEM channels. The OEM performs the activation at the factory, and the user or the IT department need take no activation steps.
With a retail product, the Volume Activation Management Tool (VAMT), which is discussed later in this guide, helps you track and manage keys. For each retail activation, you can choose: With a retail product, the Volume Activation Management Tool (VAMT), which is discussed later in this guide, helps you track and manage keys. For each retail activation, you can choose:
@ -93,10 +80,7 @@ Telephone activation is primarily used in situations where a computer is isolate
**Note**   **Note**  
A specialized method, Token-based activation, is available for specific situations when approved customers rely on a public key infrastructure in a completely isolated, and usually high-security, environment. For more information, contact your Microsoft Account Team or your service representative. A specialized method, Token-based activation, is available for specific situations when approved customers rely on a public key infrastructure in a completely isolated, and usually high-security, environment. For more information, contact your Microsoft Account Team or your service representative.
 
### Multiple activation key ### Multiple activation key
A Multiple Activation Key (MAK) is commonly used in small- or mid-sized organizations that have a volume licensing agreement, but they do not meet the requirements to operate a KMS or they prefer a simpler approach. A MAK also allows permanent activation of computers that are isolated from the KMS or are part of an isolated network that does not have enough computers to use the KMS. A Multiple Activation Key (MAK) is commonly used in small- or mid-sized organizations that have a volume licensing agreement, but they do not meet the requirements to operate a KMS or they prefer a simpler approach. A MAK also allows permanent activation of computers that are isolated from the KMS or are part of an isolated network that does not have enough computers to use the KMS.
To use a MAK, the computers to be activated must have a MAK installed. The MAK is used for one-time activation with the Microsoft online hosted activation services, by telephone, or by using VAMT proxy activation. To use a MAK, the computers to be activated must have a MAK installed. The MAK is used for one-time activation with the Microsoft online hosted activation services, by telephone, or by using VAMT proxy activation.
@ -106,7 +90,6 @@ In the simplest terms, a MAK acts like a retail key, except that a MAK is valid
Organizations can download MAK and KMS keys from the [Volume Licensing Service Center](http://go.microsoft.com/fwlink/p/?LinkId=618213) website. Each MAK has a preset number of activations, which are based on a percentage of the count of licenses the organization purchases; however, you can increase the number of activations that are available with your MAK by calling Microsoft. Organizations can download MAK and KMS keys from the [Volume Licensing Service Center](http://go.microsoft.com/fwlink/p/?LinkId=618213) website. Each MAK has a preset number of activations, which are based on a percentage of the count of licenses the organization purchases; however, you can increase the number of activations that are available with your MAK by calling Microsoft.
### Key Management Service ### Key Management Service
With the Key Management Service (KMS), IT pros can complete activations on their local network, eliminating the need for individual computers to connect to Microsoft for product activation. The KMS is a lightweight service that does not require a dedicated system and can easily be cohosted on a system that provides other services. With the Key Management Service (KMS), IT pros can complete activations on their local network, eliminating the need for individual computers to connect to Microsoft for product activation. The KMS is a lightweight service that does not require a dedicated system and can easily be cohosted on a system that provides other services.
Volume editions of Windows 10 and Windows Server 2012 R2 (in addition to volume editions of operating system editions since Windows Vista and Windows Server 2008) automatically connect to a system that hosts the KMS to request activation. No action is required from the user. Volume editions of Windows 10 and Windows Server 2012 R2 (in addition to volume editions of operating system editions since Windows Vista and Windows Server 2008) automatically connect to a system that hosts the KMS to request activation. No action is required from the user.
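Review bot: The Volume Licensing Service Center link in the first context line of this hunk is still http://go.microsoft.com/fwlink/p/?LinkId=618213; since this is where readers are sent to download MAK and KMS keys, change the scheme to https:// as part of this cleanup.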
@ -116,34 +99,28 @@ The KMS requires a minimum number of computers (physical computers or virtual ma
Planning to use the KMS includes selecting the best location for the KMS host and how many KMS hosts to have. One KMS host can handle a large number of activations, but organizations will often deploy two KMS hosts to ensure availability. Only rarely would more than two KMS hosts be used. The KMS can be hosted on a client computer or on a server, and it can be run on older versions of the operating system if proper configuration steps are taken. Setting up your KMS is discussed later in this guide. Planning to use the KMS includes selecting the best location for the KMS host and how many KMS hosts to have. One KMS host can handle a large number of activations, but organizations will often deploy two KMS hosts to ensure availability. Only rarely would more than two KMS hosts be used. The KMS can be hosted on a client computer or on a server, and it can be run on older versions of the operating system if proper configuration steps are taken. Setting up your KMS is discussed later in this guide.
### Active Directory-based activation ### Active Directory-based activation
Active Directory-based activation is the newest type of volume activation, and it was introduced in Windows 8. In many ways, Active Directory-based activation is similar to activation by using the KMS, but the activated computer does not need to maintain periodic connectivity with the KMS host. Instead, a domain-joined computer running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 queries AD DS for a volume activation object that is stored in the domain. The operating system checks the digital signatures that are contained in the activation object, and then activates the device. Active Directory-based activation is the newest type of volume activation, and it was introduced in Windows 8. In many ways, Active Directory-based activation is similar to activation by using the KMS, but the activated computer does not need to maintain periodic connectivity with the KMS host. Instead, a domain-joined computer running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 queries AD DS for a volume activation object that is stored in the domain. The operating system checks the digital signatures that are contained in the activation object, and then activates the device.
Active Directory-based activation allows enterprises to activate computers through a connection to their domain. Many companies have computers at remote or branch locations, where it is impractical to connect to a KMS, or would not reach the KMS activation threshold. Rather than use MAKs, Active Directory-based activation provides a way to activate computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 as long as the computers can contact the companys domain. Active Directory-based activation offers the advantage of extending volume activation services everywhere you already have a domain presence. Active Directory-based activation allows enterprises to activate computers through a connection to their domain. Many companies have computers at remote or branch locations, where it is impractical to connect to a KMS, or would not reach the KMS activation threshold. Rather than use MAKs, Active Directory-based activation provides a way to activate computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 as long as the computers can contact the companys domain. Active Directory-based activation offers the advantage of extending volume activation services everywhere you already have a domain presence.
## Network and connectivity ## Network and connectivity
A modern business network has many nuances and interconnections. This section examines evaluating your network and the connections that are available to determine how volume activations will occur. A modern business network has many nuances and interconnections. This section examines evaluating your network and the connections that are available to determine how volume activations will occur.
### Core network ### Core network
Your core network is that part of your network that enjoys stable, high-speed, reliable connectivity to infrastructure servers. In many cases, the core network is also connected to the Internet, although that is not a requirement to use the KMS or Active Directory-based activation after the KMS server or AD DS is configured and active. Your core network likely consists of many network segments. In many organizations, the core network makes up the vast majority of the business network. Your core network is that part of your network that enjoys stable, high-speed, reliable connectivity to infrastructure servers. In many cases, the core network is also connected to the Internet, although that is not a requirement to use the KMS or Active Directory-based activation after the KMS server or AD DS is configured and active. Your core network likely consists of many network segments. In many organizations, the core network makes up the vast majority of the business network.
In the core network, a centralized KMS solution is usually recommended. You can also use Active Directory-based activation, but in many organizations, KMS will still be required to activate older client computers and computers that are not joined to the domain. Some administrators prefer to run both solutions to have the most flexibility, while others prefer to choose only a KMS-based solution for simplicity. Active Directory-based activation as the only solution is workable if all of the clients in your organization are running Windows 10, Windows 8.1, or Windows 8. In the core network, a centralized KMS solution is usually recommended. You can also use Active Directory-based activation, but in many organizations, KMS will still be required to activate older client computers and computers that are not joined to the domain. Some administrators prefer to run both solutions to have the most flexibility, while others prefer to choose only a KMS-based solution for simplicity. Active Directory-based activation as the only solution is workable if all of the clients in your organization are running Windows 10, Windows 8.1, or Windows 8.
A typical core network that includes a KMS host is shown in Figure 1. A typical core network that includes a KMS host is shown in Figure 1.
![core network](images/volumeactivationforwindows81-01.jpg) ![Typical core network](images/volumeactivationforwindows81-01.jpg)
**Figure 1**. Typical core network **Figure 1**. Typical core network
### Isolated networks ### Isolated networks
In a large network, it is all but guaranteed that some segments will be isolated, either for security reasons or because of geography or connectivity issues. In a large network, it is all but guaranteed that some segments will be isolated, either for security reasons or because of geography or connectivity issues.
**Isolated for security** **Isolated for security**<p>
Sometimes called a *high-security zone*, a particular network segment may be isolated from the core network by a firewall or disconnected from other networks totally. The best solution for activating computers in an isolated network depends on the security policies in place in the organization. Sometimes called a *high-security zone*, a particular network segment may be isolated from the core network by a firewall or disconnected from other networks totally. The best solution for activating computers in an isolated network depends on the security policies in place in the organization.
If the isolated network can access the core network by using outbound requests on TCP port 1688, and it is allowed to receive remote procedure calls (RPCs), you can perform activation by using the KMS in the core network, thereby avoiding the need to reach additional activation thresholds. If the isolated network can access the core network by using outbound requests on TCP port 1688, and it is allowed to receive remote procedure calls (RPCs), you can perform activation by using the KMS in the core network, thereby avoiding the need to reach additional activation thresholds.
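Review bot: The new "**Isolated for security**<p>" line adds a raw, unclosed <p> tag in a commit that is otherwise removing HTML from these pages, and the sibling label "**Branch offices and distant networks**" in the next hunk does not get one; use a blank line after the bold label instead so both labels are formatted the same way. Separately, both Active Directory-based activation paragraphs in this hunk list "Windows Server 2012 R2, or Windows Server 2012 R2", which names the same product twice, and "the companys domain" has lost its apostrophe; please confirm the intended server version and fix both.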
@ -154,12 +131,11 @@ If the isolated network cannot communicate with the core networks KMS server,
If the network is fully isolated, MAK-independent activation would be the recommended choice, perhaps using the telephone option. But VAMT proxy activation may also be possible. You can also use MAKs to activate new computers during setup, before they are placed in the isolated network. If the network is fully isolated, MAK-independent activation would be the recommended choice, perhaps using the telephone option. But VAMT proxy activation may also be possible. You can also use MAKs to activate new computers during setup, before they are placed in the isolated network.
![kms host isolated network](images/volumeactivationforwindows81-02.jpg) ![New KMS host in an isolated network](images/volumeactivationforwindows81-02.jpg)
**Figure 2**. New KMS host in an isolated network **Figure 2**. New KMS host in an isolated network
**Branch offices and distant networks** **Branch offices and distant networks**
From mining operations to ships at sea, organizations often have a few computers that are not easily connected to the core network or the Internet. Some organizations have network segments at branch offices that are large and well-connected internally, but have a slow or unreliable WAN link to the rest of the organization. In these situations, you have several options: From mining operations to ships at sea, organizations often have a few computers that are not easily connected to the core network or the Internet. Some organizations have network segments at branch offices that are large and well-connected internally, but have a slow or unreliable WAN link to the rest of the organization. In these situations, you have several options:
- **Active Directory-based activation**. In any site where the client computers are running Windows 10, Active Directory-based activation is supported, and it can be activated by joining the domain. - **Active Directory-based activation**. In any site where the client computers are running Windows 10, Active Directory-based activation is supported, and it can be activated by joining the domain.
@ -171,13 +147,11 @@ From mining operations to ships at sea, organizations often have a few computers
- **MAK activation**. If the site has only a few computers and no connectivity to an existing KMS host, MAK activation is the best option. - **MAK activation**. If the site has only a few computers and no connectivity to an existing KMS host, MAK activation is the best option.
### Disconnected computers ### Disconnected computers
Some users may be in remote locations or may travel to many locations. This scenario is common for roaming clients, such as the computers that are used by salespeople or other users who are offsite but not at branch locations. This scenario can also apply to remote branch office locations that have no connection to the core network. You can consider this an “isolated network,” where the number of computers is one. Disconnected computers can use Active Directory-based activation, the KMS, or MAK depending on the client version and how often the computers connect to the core network. Some users may be in remote locations or may travel to many locations. This scenario is common for roaming clients, such as the computers that are used by salespeople or other users who are offsite but not at branch locations. This scenario can also apply to remote branch office locations that have no connection to the core network. You can consider this an “isolated network,” where the number of computers is one. Disconnected computers can use Active Directory-based activation, the KMS, or MAK depending on the client version and how often the computers connect to the core network.
If the computer is joined to the domain and running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 8, you can use Active Directory-based activation—directly or through a VPN—at least once every 180 days. If the computer connects to a network with a KMS host at least every 180 days, but it does not support Active Directory-based activation, you can use KMS activation. Otherwise for computers that rarely or never connect to the network, use MAK independent activation (by using the telephone or the Internet). If the computer is joined to the domain and running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 8, you can use Active Directory-based activation—directly or through a VPN—at least once every 180 days. If the computer connects to a network with a KMS host at least every 180 days, but it does not support Active Directory-based activation, you can use KMS activation. Otherwise for computers that rarely or never connect to the network, use MAK independent activation (by using the telephone or the Internet).
### Test and development labs ### Test and development labs
Lab environments often have large numbers of virtual machines, and physical computers and virtual machines in labs are reconfigured frequently. Therefore, first determine whether the computers in test and development labs require activation. Editions of Windows 10 that include volume licensing will operate normally, even if they cannot activate immediately. Lab environments often have large numbers of virtual machines, and physical computers and virtual machines in labs are reconfigured frequently. Therefore, first determine whether the computers in test and development labs require activation. Editions of Windows 10 that include volume licensing will operate normally, even if they cannot activate immediately.
If you have ensured that your test or development copies of the operating system are within the license agreement, you may not need to activate the lab computers if they will be rebuilt frequently. If you require that the lab computers be activated, treat the lab as an isolated network and use the methods described earlier in this guide. If you have ensured that your test or development copies of the operating system are within the license agreement, you may not need to activate the lab computers if they will be rebuilt frequently. If you require that the lab computers be activated, treat the lab as an isolated network and use the methods described earlier in this guide.
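Review bot: The Disconnected computers paragraph in this hunk reads "Windows Server 2012 R2, or Windows Server 2012 R2 8", which has a stray "8" and repeats the same product name; correct the list while the surrounding lines are being touched. The same paragraph writes "MAK independent activation" where the Isolated networks text uses "MAK-independent activation", so pick one spelling.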
@ -185,86 +159,24 @@ If you have ensured that your test or development copies of the operating system
In labs that have a high turnover of computers and a small number of KMS clients, you must monitor the KMS activation count. You might need to adjust the time that the KMS caches the activation requests. The default is 30 days. In labs that have a high turnover of computers and a small number of KMS clients, you must monitor the KMS activation count. You might need to adjust the time that the KMS caches the activation requests. The default is 30 days.
## Mapping your network to activation methods ## Mapping your network to activation methods
Now its time to assemble the pieces into a working solution. By evaluating your network connectivity, the numbers of computers you have at each site, and the operating system versions in use in your environment, you have collected the information you need to determine which activation methods will work best for you. You can fill-in information in Table 1 to help you make this determination. Now its time to assemble the pieces into a working solution. By evaluating your network connectivity, the numbers of computers you have at each site, and the operating system versions in use in your environment, you have collected the information you need to determine which activation methods will work best for you. You can fill-in information in Table 1 to help you make this determination.
**Table 1**. Criteria for activation methods **Table 1**. Criteria for activation methods
<table> |Criterion |Activation method |
<colgroup> |----------|------------------|
<col width="33%" /> |Number of domain-joined computers that support Active Directory-based activation (computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2) and will connect to a domain controller at least every 180 days. Computers can be mobile, semi-isolated, or located in a branch office or the core network. |Active Directory-based activation |
<col width="33%" /> |Number of computers in the core network that will connect (directly or through a VPN) at least every 180 days<p><strong>Note</strong><br>The core network must meet the KMS activation threshold. |KMS (central) |
<col width="33%" /> |Number of computers that do not connect to the network at least once every 180 days (or if no network meets the activation threshold) |MAM |
</colgroup> |Number of computers in semi-isolated networks that have connectivity to the KMS in the core network |KMS (central) |
<thead> |Number of computers in isolated networks where the KMS activation threshold is met |KMS (local) |
<tr class="header"> |Number of computers in isolated networks where the KMS activation threshold is not met |MAK |
<th align="left">Criterion</th> |Number of computers in test and development labs that will not be activated |None|
<th align="left">Activation method</th> |Number of computers that do not have a retail volume license |Retail (online or phone) |
<th align="left">Number of computers</th> |Number of computers that do not have an OEM volume license |OEM (at factory) |
</tr> |Total number of computer activations<p><strong>Note</strong><br>This total should match the total number of licensed computers in your organization. | |
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Number of domain-joined computers that support Active Directory-based activation (computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2) and will connect to a domain controller at least every 180 days. Computers can be mobile, semi-isolated, or located in a branch office or the core network.</p></td>
<td align="left"><p>Active Directory-based activation</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="even">
<td align="left"><p>Number of computers in the core network that will connect (directly or through a VPN) at least every 180 days</p>
<p><strong>Note</strong>: The core network must meet the KMS activation threshold.</p></td>
<td align="left"><p>KMS (central)</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="odd">
<td align="left"><p>Number of computers that do not connect to the network at least once every 180 days (or if no network meets the activation threshold)</p></td>
<td align="left"><p>MAM</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="even">
<td align="left"><p>Number of computers in semi-isolated networks that have connectivity to the KMS in the core network</p></td>
<td align="left"><p>KMS (central)</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="odd">
<td align="left"><p>Number of computers in isolated networks where the KMS activation threshold is met</p></td>
<td align="left"><p>KMS (local)</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="even">
<td align="left"><p>Number of computers in isolated networks where the KMS activation threshold is not met</p></td>
<td align="left"><p>MAK</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="odd">
<td align="left"><p>Number of computers in test and development labs that will not be activated</p></td>
<td align="left"><p>None</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="even">
<td align="left"><p>Number of computers that do not have a retail volume license</p></td>
<td align="left"><p>Retail (online or phone)</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="odd">
<td align="left"><p>Number of computers that do not have an OEM volume license</p></td>
<td align="left"><p>OEM (at factory)</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="even">
<td align="left"><p>Total number of computer activations</p>
<p><strong>Note</strong>: This total should match the total number of licensed computers in your organization.</p></td>
<td align="left"><p></p></td>
<td align="left"><p></p></td>
</tr>
</tbody>
</table>
 
## Choosing and acquiring keys ## Choosing and acquiring keys
When you know which keys you need, you must obtain them. Generally speaking, volume licensing keys are collected in two ways: When you know which keys you need, you must obtain them. Generally speaking, volume licensing keys are collected in two ways:
- Go to the **Product Keys** section of the [Volume Licensing Service Center](http://go.microsoft.com/fwlink/p/?LinkID=618213) for the following agreements: Open, Open Value, Select, Enterprise, and Services Provider License. - Go to the **Product Keys** section of the [Volume Licensing Service Center](http://go.microsoft.com/fwlink/p/?LinkID=618213) for the following agreements: Open, Open Value, Select, Enterprise, and Services Provider License.
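Review bot: The Markdown version of Table 1 drops the "Number of computers" column that the HTML table had, while the paragraph above it still says "You can fill-in information in Table 1", so readers no longer have a cell to fill in. Restore it as a third column and give the final "Total number of computer activations" row the same number of cells as the other rows. Both Note cells open a `<p>` that is never closed. Three carried-over errors are also worth fixing in this rewrite: the first row lists "Windows Server 2012 R2, or Windows Server 2012 R2" (the same release twice), the third row gives the method as "MAM" where the rest of the table uses "MAK", and the intro reads "Now its time".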
@ -272,13 +184,11 @@ When you know which keys you need, you must obtain them. Generally speaking, vol
- Contact your [Microsoft Activation Center](http://go.microsoft.com/fwlink/p/?LinkId=618264). - Contact your [Microsoft Activation Center](http://go.microsoft.com/fwlink/p/?LinkId=618264).
### KMS host keys ### KMS host keys
A KMS host needs a key that activates, or authenticates, the KMS host with Microsoft. This key is usually referred to as the *KMS host key*, but it is formally known as a *Microsoft Customer Support Volume License Key* (CSVLK). Most documentation and Internet references earlier than Windows 8.1 use the term KMS key, but CSVLK is becoming more common in current documentation and management tools. A KMS host needs a key that activates, or authenticates, the KMS host with Microsoft. This key is usually referred to as the *KMS host key*, but it is formally known as a *Microsoft Customer Support Volume License Key* (CSVLK). Most documentation and Internet references earlier than Windows 8.1 use the term KMS key, but CSVLK is becoming more common in current documentation and management tools.
A KMS host running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 can activate both Windows Server and Windows client operating systems. A KMS host key is also needed to create the activation objects in AD DS, as described later in this guide. You will need a KMS host key for any KMS that you want to set up and if you are going to use Active Directory-based activation. A KMS host running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 can activate both Windows Server and Windows client operating systems. A KMS host key is also needed to create the activation objects in AD DS, as described later in this guide. You will need a KMS host key for any KMS that you want to set up and if you are going to use Active Directory-based activation.
### Generic volume licensing keys ### Generic volume licensing keys
When you create installation media or images for client computers that will be activated by KMS or Active Directory-based activation, install a generic volume license key (GVLK) for the edition of Windows you are creating. GVLKs are also referred to as KMS client setup keys. When you create installation media or images for client computers that will be activated by KMS or Active Directory-based activation, install a generic volume license key (GVLK) for the edition of Windows you are creating. GVLKs are also referred to as KMS client setup keys.
Installation media from Microsoft for Enterprise editions of the Windows operating system may already contain the GVLK. One GVLK is available for each type of installation. Note that the GLVK will not activate the software against Microsoft activation servers, only against a KMS or Active Directory-based activation object. In other words, the GVLK does not work unless a valid KMS host key can be found. GVLKs are the only product keys that do not need to be kept confidential. Installation media from Microsoft for Enterprise editions of the Windows operating system may already contain the GVLK. One GVLK is available for each type of installation. Note that the GLVK will not activate the software against Microsoft activation servers, only against a KMS or Active Directory-based activation object. In other words, the GVLK does not work unless a valid KMS host key can be found. GVLKs are the only product keys that do not need to be kept confidential.
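Review bot: In the "Generic volume licensing keys" paragraph, "Note that the GLVK will not activate" misspells the abbreviation, which is GVLK everywhere else in this section, so a reader searching for the term will miss the sentence. The same paragraph ends with "GVLKs are the only product keys that do not need to be kept confidential"; consider stating the converse directly in the "KMS host keys" subsection above, since that is where someone handling a CSVLK will look.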
@ -286,12 +196,9 @@ Installation media from Microsoft for Enterprise editions of the Windows operati
Typically, you will not need to manually enter a GVLK unless a computer has been activated with a MAK or a retail key and it is being converted to a KMS activation or to Active Directory-based activation. If you need to locate the GVLK for a particular client edition, see [Appendix A: KMS Client Setup Keys](http://technet.microsoft.com/library/jj612867.aspx). Typically, you will not need to manually enter a GVLK unless a computer has been activated with a MAK or a retail key and it is being converted to a KMS activation or to Active Directory-based activation. If you need to locate the GVLK for a particular client edition, see [Appendix A: KMS Client Setup Keys](http://technet.microsoft.com/library/jj612867.aspx).
### Multiple activation keys ### Multiple activation keys
You will also need MAK keys with the appropriate number of activations available. You can see how many times a MAK has been used on the Volume Licensing Service Center website or in the VAMT. You will also need MAK keys with the appropriate number of activations available. You can see how many times a MAK has been used on the Volume Licensing Service Center website or in the VAMT.
## Selecting a KMS host ## Selecting a KMS host
The KMS does not require a dedicated server. It can be cohosted with other services, such as AD DS domain controllers and read-only domain controllers. The KMS does not require a dedicated server. It can be cohosted with other services, such as AD DS domain controllers and read-only domain controllers.
KMS hosts can run on physical computers or virtual machines that are running any supported Windows operating system. A KMS host that is running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 can activate any Windows client or server operating system that supports volume activation. A KMS host that is running Windows 10 can activate only computers running Windows 10, Windows 8.1, Windows 8, Windows 7, or Windows Vista. KMS hosts can run on physical computers or virtual machines that are running any supported Windows operating system. A KMS host that is running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 can activate any Windows client or server operating system that supports volume activation. A KMS host that is running Windows 10 can activate only computers running Windows 10, Windows 8.1, Windows 8, Windows 7, or Windows Vista.
@ -316,13 +223,11 @@ The flow of KMS activation is shown in Figure 3, and it follows this sequence:
8. If the count exceeds the activation threshold for the product that is being activated, the client is activated. If the activation threshold has not yet been met, the client will try again. 8. If the count exceeds the activation threshold for the product that is being activated, the client is activated. If the activation threshold has not yet been met, the client will try again.
![kms activation flow](images/volumeactivationforwindows81-03.jpg) ![KMS activation flow](images/volumeactivationforwindows81-03.jpg)
**Figure 3**. KMS activation flow **Figure 3**. KMS activation flow
## See also ## See also
- [Volume Activation for Windows 10](volume-activation-windows-10.md) - [Volume Activation for Windows 10](volume-activation-windows-10.md)
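Review bot: Step 8 of the KMS flow uses two different conditions: the client is activated "if the count exceeds the activation threshold", but it retries "if the activation threshold has not yet been met". That leaves the case where the count equals the threshold undefined. Use one wording in both sentences, for example "meets or exceeds". The alt-text capitalization change on the Figure 3 image is fine.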
   


@ -9,20 +9,14 @@ author: jdeckerMS
--- ---
# Perform Proxy Activation # Perform Proxy Activation
You can use the Volume Activation Management Tool (VAMT) to perform activation for client computers that do not have Internet access. The client products can be installed with any type of product key that is eligible for proxy activation: Multiple activation Key (MAK), KMS Host key (CSVLK), or retail key. You can use the Volume Activation Management Tool (VAMT) to perform activation for client computers that do not have Internet access. The client products can be installed with any type of product key that is eligible for proxy activation: Multiple activation Key (MAK), KMS Host key (CSVLK), or retail key.
In a typical proxy-activation scenario, the VAMT host computer distributes a MAK to one or more client computers and collects the installation ID (IID) from each computer. The VAMT host computer sends the IIDs to Microsoft on behalf of the client computers and obtains the corresponding Confirmation IDs (CIDs). The VAMT host computer then installs the CIDs on the client computer to complete the activation. Using this activation method, only the VAMT host computer needs Internet access. In a typical proxy-activation scenario, the VAMT host computer distributes a MAK to one or more client computers and collects the installation ID (IID) from each computer. The VAMT host computer sends the IIDs to Microsoft on behalf of the client computers and obtains the corresponding Confirmation IDs (CIDs). The VAMT host computer then installs the CIDs on the client computer to complete the activation. Using this activation method, only the VAMT host computer needs Internet access.
**Note**   **Note**  
For workgroups that are completely isolated from any larger network, you can still perform MAK, KMS Host key (CSVLK), or retail proxy activation. This requires installing a second instance of VAMT on a computer within the isolated group and using removable media to transfer activation data between that computer and another VAMT host computer that has Internet access. For more information about this scenario, see [Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md). Similarly, you can proxy activate a KMS Host key (CSVLK) located in an isolated network. You can also proxy activate a KMS Host key (CSVLK) in the core network if you do not want the KMS host computer to connect to Microsoft over the Internet. For workgroups that are completely isolated from any larger network, you can still perform MAK, KMS Host key (CSVLK), or retail proxy activation. This requires installing a second instance of VAMT on a computer within the isolated group and using removable media to transfer activation data between that computer and another VAMT host computer that has Internet access. For more information about this scenario, see [Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md). Similarly, you can proxy activate a KMS Host key (CSVLK) located in an isolated network. You can also proxy activate a KMS Host key (CSVLK) in the core network if you do not want the KMS host computer to connect to Microsoft over the Internet. 
 
## Requirements ## Requirements
Before performing proxy activation, ensure that your network and the VAMT installation meet the following requirements: Before performing proxy activation, ensure that your network and the VAMT installation meet the following requirements:
- There is an instance of VAMT that is installed on a computer that has Internet access. If you are performing proxy activation for an isolated workgroup, you also need to have VAMT installed on one of the computers in the workgroup. - There is an instance of VAMT that is installed on a computer that has Internet access. If you are performing proxy activation for an isolated workgroup, you also need to have VAMT installed on one of the computers in the workgroup.
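Review bot: In the opening paragraph, "Multiple activation Key (MAK)" is capitalized differently from the "Multiple Activation Key (MAK)" used in the scenario topics in this same commit; make it consistent. The first requirement bullet could also be tightened to "An instance of VAMT is installed on a computer that has Internet access."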
@ -37,6 +31,7 @@ The product keys that are installed on the client products must have a sufficien
## To Perform Proxy Activation ## To Perform Proxy Activation
**To perform proxy activation**
1. Open VAMT. 1. Open VAMT.
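Review bot: The added line "**To perform proxy activation**" repeats the "## To Perform Proxy Activation" heading directly above it, so the procedure now has two consecutive titles with nothing between them. Keep one: either drop the bold lead-in here or rename the heading to something that is not the procedure title.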
@ -62,12 +57,12 @@ The product keys that are installed on the client products must have a sufficien
8. If you are activating products that require administrator credentials different from the ones you are currently using, select the **Use Alternate Credentials** checkbox. 8. If you are activating products that require administrator credentials different from the ones you are currently using, select the **Use Alternate Credentials** checkbox.
9. Click OK. 9. Click **OK**.
10. VAMT displays the **Activating products** dialog box until it completes the requested action. If you selected the **Alternate Credentials** option, you will be prompted to enter the credentials. 10. VAMT displays the **Activating products** dialog box until it completes the requested action. If you selected the **Alternate Credentials** option, you will be prompted to enter the credentials.
**Note**   **Note**  
You can use proxy activation to select products that have different key types and activate the products at the same time. You can use proxy activation to select products that have different key types and activate the products at the same time.
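Review bot: Steps 8 and 10 name the same control differently: step 8 says "select the **Use Alternate Credentials** checkbox" and step 10 says "If you selected the **Alternate Credentials** option". Because this is the point where an administrator supplies a different privileged account, the label should match the dialog exactly in both steps. The **OK** bolding in step 9 is a good fix.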
   


@ -9,11 +9,9 @@ author: jdeckerMS
--- ---
# Remove Products # Remove Products
To remove one or more products from the Volume Activation Management Tool (VAMT), you can delete them from the product list view in the center pane. To remove one or more products from the Volume Activation Management Tool (VAMT), you can delete them from the product list view in the center pane.
To delete one or more products: **To delete one or more products**
1. Click a product node in the left-side pane. 1. Click a product node in the left-side pane.
@ -34,9 +32,7 @@ To delete one or more products:
7. On the **Confirm Delete Selected Products** dialog box, click **OK**. 7. On the **Confirm Delete Selected Products** dialog box, click **OK**.
## Related topics ## Related topics
- [Add and Manage Products](add-manage-products-vamt.md)
[Add and Manage Products](add-manage-products-vamt.md)
   


@ -9,8 +9,6 @@ author: jdeckerMS
--- ---
# Scenario 1: Online Activation # Scenario 1: Online Activation
In this scenario, the Volume Activation Management Tool (VAMT) is deployed in the Core Network environment. VAMT is installed on a central computer that has network access to all of the client computers. Both the VAMT host and the client computers have Internet access. The following illustration shows a diagram of an online activation scenario for Multiple Activation Keys (MAKs). You can use this scenario for online activation of the following key types: In this scenario, the Volume Activation Management Tool (VAMT) is deployed in the Core Network environment. VAMT is installed on a central computer that has network access to all of the client computers. Both the VAMT host and the client computers have Internet access. The following illustration shows a diagram of an online activation scenario for Multiple Activation Keys (MAKs). You can use this scenario for online activation of the following key types:
- Multiple Activation Key (MAK) - Multiple Activation Key (MAK)
@ -25,11 +23,9 @@ In this scenario, the Volume Activation Management Tool (VAMT) is deployed in th
The Secure Zone represents higher-security Core Network computers that have additional firewall protection. The Secure Zone represents higher-security Core Network computers that have additional firewall protection.
![vamt firewall configuration for multiple subnets](images/dep-win8-l-vamt-makindependentactivationscenario.jpg) ![VAMT firewall configuration for multiple subnets](images/dep-win8-l-vamt-makindependentactivationscenario.jpg)
## In This Topic ## In This Topic
- [Install and start VAMT on a networked host computer](#bkmk-partone) - [Install and start VAMT on a networked host computer](#bkmk-partone)
- [Configure the Windows Management Instrumentation firewall exception on target computers](#bkmk-parttwo) - [Configure the Windows Management Instrumentation firewall exception on target computers](#bkmk-parttwo)
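Review bot: The new alt text "VAMT firewall configuration for multiple subnets" does not match what the paragraph above says the image is ("a diagram of an online activation scenario for Multiple Activation Keys"), and the file name is `...makindependentactivationscenario.jpg`. Since this line is being touched to fix capitalization, change the alt text to describe the online activation scenario so that screen-reader users get the same information as the prose.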
@ -48,25 +44,20 @@ The Secure Zone represents higher-security Core Network computers that have addi
- [Activate the client products](#bkmk-partnine) - [Activate the client products](#bkmk-partnine)
## <a href="" id="bkmk-partone"></a>Part 1: Install and Start VAMT on a Networked Host Computer ## <a href="" id="bkmk-partone"></a>Step 1: Install and start VAMT on a networked host computer
1. Install VAMT on the host computer. 1. Install VAMT on the host computer.
2. Click the VAMT icon in the **Start** menu to open VAMT. 2. Click the VAMT icon in the **Start** menu to open VAMT.
## <a href="" id="bkmk-parttwo"></a>Part 2: Configure the Windows Management Instrumentation Firewall Exception on Target Computers ## <a href="" id="bkmk-parttwo"></a>Step 2: Configure the Windows Management Instrumentation firewall exception on target computers
- Ensure that the Windows Management Instrumentation (WMI) firewall exception has been enabled for all target computers. For more information, see [Configure Client Computers](configure-client-computers-vamt.md). - Ensure that the Windows Management Instrumentation (WMI) firewall exception has been enabled for all target computers. For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
**Note**   **Note**  
To retrieve product license status, VAMT must have administrative permissions on the remote computers and WMI must be available through the Windows Firewall. In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md). To retrieve product license status, VAMT must have administrative permissions on the remote computers and WMI must be available through the Windows Firewall. In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
 
## <a href="" id="bkmk-partthree"></a>Part 3: Connect to a VAMT Database
## <a href="" id="bkmk-partthree"></a>Step 3: Connect to a VAMT database
1. If you are not already connected to a database, the **Database Connection Settings** dialog box appears when you open VAMT. Select the server and database where the keys that must be activated are located. 1. If you are not already connected to a database, the **Database Connection Settings** dialog box appears when you open VAMT. Select the server and database where the keys that must be activated are located.
@ -74,8 +65,7 @@ To retrieve product license status, VAMT must have administrative permissions on
3. If you are already connected to a database, VAMT displays an inventory of the products and product keys in the center pane, and a license overview of the computers in the database. If you need to connect to a different database, click **Successfully connected to Server** to open **the Database Connection Settings** dialog box. For more information about how to create VAMT databases and adding VAMT data, see [Manage VAMT Data](manage-vamt-data.md) 3. If you are already connected to a database, VAMT displays an inventory of the products and product keys in the center pane, and a license overview of the computers in the database. If you need to connect to a different database, click **Successfully connected to Server** to open **the Database Connection Settings** dialog box. For more information about how to create VAMT databases and adding VAMT data, see [Manage VAMT Data](manage-vamt-data.md)
## <a href="" id="bkmk-partfour"></a>Part 4: Discover ## <a href="" id="bkmk-partfour"></a>Step 4: Discover products
1. In the left-side pane, in the **Products** node Products, click the product that you want to activate. 1. In the left-side pane, in the **Products** node Products, click the product that you want to activate.
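Review bot: Step 1 under the renamed "Step 4: Discover products" heading still reads "in the **Products** node Products, click the product", with "Products" repeated after the bold term; drop the stray word. In the context line above the heading, the bold span "**the Database Connection Settings**" wrongly includes the article, and the sentence ending in "[Manage VAMT Data](manage-vamt-data.md)" has no closing period.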
@ -93,11 +83,9 @@ To retrieve product license status, VAMT must have administrative permissions on
4. Click **Search**. 4. Click **Search**.
When the search is complete, the products that VAMT discovers appear in the product list view in the center pane. When the search is complete, the products that VAMT discovers appear in the product list view in the center pane.
## <a href="" id="bkmk-partfive"></a>Part 5: Sort and Filter the List of Computers
## <a href="" id="bkmk-partfive"></a>Step 5: Sort and filter the list of computers
You can sort the list of products so that it is easier to find the computers that require product keys to be activated: You can sort the list of products so that it is easier to find the computers that require product keys to be activated:
1. On the menu bar at the top of the center pane, click **Group by**, and then click **Product**, **Product Key Type**, or **License Status**. 1. On the menu bar at the top of the center pane, click **Group by**, and then click **Product**, **Product Key Type**, or **License Status**.
@ -114,29 +102,23 @@ You can sort the list of products so that it is easier to find the computers tha
5. Click **Filter**. VAMT displays the filtered list in the product list view in the center pane. 5. Click **Filter**. VAMT displays the filtered list in the product list view in the center pane.
## <a href="" id="bkmk-partsix"></a>Part 6: Collect Status Information from the Computers in the List ## <a href="" id="bkmk-partsix"></a>Step 6: Collect status information from the computers in the list
To collect the status from select computers in the database, you can select computers in the product list view by using one of the following methods: To collect the status from select computers in the database, you can select computers in the product list view by using one of the following methods:
- To select a block of consecutively listed computers, click the first computer that you want to select, and then click the last computer while pressing the **Shift** key. - To select a block of consecutively listed computers, click the first computer that you want to select, and then click the last computer while pressing the **Shift** key.
- To select computers which are not listed consecutively, hold down the **Ctrl** key and select each computer for which you want to collect the status information. - To select computers which are not listed consecutively, hold down the **Ctrl** key and select each computer for which you want to collect the status information.
To collect status information from the selected computers: **To collect status information from the selected computers**
1. In the right-side **Actions** pane, click **Update license status** in the **Selected Items** menu and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials that are different from the ones that you used to log on to the computer. Otherwise, click **Current Credentials** and continue to step 2.If you are supplying alternate credentials, in the **Windows Security** dialog box, type the appropriate user name and password and then click **OK**. 1. In the right-side **Actions** pane, click **Update license status** in the **Selected Items** menu and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials that are different from the ones that you used to log on to the computer. Otherwise, click **Current Credentials** and continue to step 2.If you are supplying alternate credentials, in the **Windows Security** dialog box, type the appropriate user name and password and then click **OK**.
2. VAMT displays the **Collecting product information** dialog box while it collects the license status of all supported products on the selected computers. When the process is finished, the updated license status of each product will appear in the product list view in the center pane. 2. VAMT displays the **Collecting product information** dialog box while it collects the license status of all supported products on the selected computers. When the process is finished, the updated license status of each product will appear in the product list view in the center pane.
**Note**   **Note**  
If a computer has more than one supported product installed, VAMT adds an entry for each product. The entry appears under the appropriate product heading. If a computer has more than one supported product installed, VAMT adds an entry for each product. The entry appears under the appropriate product heading.
 
## <a href="" id="bkmk-partseven"></a>Part 7: Add Product Keys and Determine the Remaining Activation Count
## <a href="" id="bkmk-partseven"></a>Step 7: Add product keys and determine the remaining activation count
1. Click the **Product Keys** node in the left-side pane, and then click **Add Product Keys** in the right-side pane to open the **Add Product Keys** dialog box. 1. Click the **Product Keys** node in the left-side pane, and then click **Add Product Keys** in the right-side pane to open the **Add Product Keys** dialog box.
2. In the **Add Product Key** dialog box, you can select from one of the following methods to add product keys: 2. In the **Add Product Key** dialog box, you can select from one of the following methods to add product keys:
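Review bot: In step 1 of "To collect status information from the selected computers", "continue to step 2.If you are supplying alternate credentials" is missing the space after the period. Now that the section headings are also called "Step N", the phrase "continue to step 2" is ambiguous between the list item and the "Step 2" heading; say "step 2 of this procedure" or restructure the sentence. Under Step 7, the dialog is named "**Add Product Keys**" in step 1 and "**Add Product Key**" in step 2; use the name shown in the UI in both.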
@ -147,17 +129,13 @@ If a computer has more than one supported product installed, VAMT adds an entry
The keys that you have added appear in the **Product Keys** list view in the center pane. The keys that you have added appear in the **Product Keys** list view in the center pane.
**Important**   **Important**  
If you are activating many products with a MAK, refresh the activation count of the MAK to ensure that the MAK can support the required number of activations. In the product key list in the center pane, select the MAK and then click **Refresh product key data online** in the right-side pane to contact Microsoft and retrieve the number of remaining activations for the MAK. This step requires Internet access. You can only retrieve the remaining activation count for MAKs. If you are activating many products with a MAK, refresh the activation count of the MAK to ensure that the MAK can support the required number of activations. In the product key list in the center pane, select the MAK and then click **Refresh product key data online** in the right-side pane to contact Microsoft and retrieve the number of remaining activations for the MAK. This step requires Internet access. You can only retrieve the remaining activation count for MAKs.
 
## <a href="" id="bkmk-parteight"></a>Part 8: Install the Product Keys
## <a href="" id="bkmk-parteight"></a>Step 8: Install the product keys
1. In the left-side pane, click the product that you want to install keys on to. 1. In the left-side pane, click the product that you want to install keys on to.
2. If necessary, sort and filter the list of products so that it is easier to find the computers that must have a product key installed. See [Part 5: Sort and filter the list of computers](#bkmk-partfive). 2. If necessary, sort and filter the list of products so that it is easier to find the computers that must have a product key installed. See [Step 5: Sort and filter the list of computers](#bkmk-partfive).
3. In the **Products** list view pane, select the individual products which must have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product. 3. In the **Products** list view pane, select the individual products which must have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product.
@ -169,14 +147,10 @@ If you are activating many products with a MAK, refresh the activation count of
The same status appears under the **Status of Last Action** column in the product list view in the center pane. The same status appears under the **Status of Last Action** column in the product list view in the center pane.
**Note**   **Note**  
Product key installation will fail if VAMT finds mismatched key types or editions. VAMT will display the failure status and will continue the installation for the next product in the list. For more information on choosing the correct product key, see [How to Choose the Right Volume License Key for Windows.](http://go.microsoft.com/fwlink/p/?linkid=238382) Product key installation will fail if VAMT finds mismatched key types or editions. VAMT will display the failure status and will continue the installation for the next product in the list. For more information on choosing the correct product key, see [How to Choose the Right Volume License Key for Windows.](http://go.microsoft.com/fwlink/p/?linkid=238382)
 
## <a href="" id="bkmk-partnine"></a>Part 9: Activate the Client Products
## <a href="" id="bkmk-partnine"></a>Step 9: Activate the client products
1. Select the individual products that you want to activate in the list-view pane. 1. Select the individual products that you want to activate in the list-view pane.
2. On the menu bar, click **Action**, point to **Activate** and point to **Online activate**. You can also right-click the selected computers(s) to display the **Action** menu, point to **Activate** and point to **Online activate**. You can also click **Activate** in the **Selected Items** menu in the right-hand pane to access the **Activate** option. 2. On the menu bar, click **Action**, point to **Activate** and point to **Online activate**. You can also right-click the selected computers(s) to display the **Action** menu, point to **Activate** and point to **Online activate**. You can also click **Activate** in the **Selected Items** menu in the right-hand pane to access the **Activate** option.
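Review bot: Step 2 under the renamed Step 9 heading still reads "right-click the selected computers(s)"; since the section is being touched anyway, correct it to "computer(s)". The heading keeps `id="bkmk-partnine"`, so existing links to the anchor still resolve and that id should stay as it is.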
@ -187,15 +161,13 @@ Product key installation will fail if VAMT finds mismatched key types or edition
5. The **Activate** option contacts the Microsoft product-activation server over the Internet and requests activation for the selected products. VAMT displays the **Activating products** dialog box until the requested actions are completed. 5. The **Activate** option contacts the Microsoft product-activation server over the Internet and requests activation for the selected products. VAMT displays the **Activating products** dialog box until the requested actions are completed.
**Note**   **Note**  
Installing a MAK and overwriting the GVLK on client products must be done with care. If the RTM version of Windows Vista has been installed on the computer for more than 30 days, then its initial grace period has expired. As a result, it will enter Reduced Functionality Mode (RFM) if online activation is not completed successfully before the next logon attempt. However, you can use online activation to recover properly configured computers from RFM, as long as the computers are available on the network. RFM only applies to the RTM version of Windows Vista or the retail editions of Microsoft Office 2010. Windows Vista with SP1 or later, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and volume editions of Office 2010 will not enter RFM. Installing a MAK and overwriting the GVLK on client products must be done with care. If the RTM version of Windows Vista has been installed on the computer for more than 30 days, then its initial grace period has expired. As a result, it will enter Reduced Functionality Mode (RFM) if online activation is not completed successfully before the next logon attempt. However, you can use online activation to recover properly configured computers from RFM, as long as the computers are available on the network.
  RFM only applies to the RTM version of Windows Vista or the retail editions of Microsoft Office 2010. Windows Vista with SP1 or later, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and volume editions of Office 2010 will not enter RFM.
## Related topics ## Related topics
- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md)
[VAMT Step-by-Step Scenarios](vamt-step-by-step.md)
   

View File

@ -9,15 +9,11 @@ author: CFaw
--- ---
# Sideload LOB apps in Windows 10 # Sideload LOB apps in Windows 10
**Applies to** **Applies to**
- Windows 10 - Windows 10
- Windows 10 Mobile - Windows 10 Mobile
Sideload line-of-business apps in Windows 10.
"Line-of-Business" (LOB) apps are present in a wide range of businesses and organizations. Organizations value these apps because they solve problems unique to each business. "Line-of-Business" (LOB) apps are present in a wide range of businesses and organizations. Organizations value these apps because they solve problems unique to each business.
When you sideload an app, you deploy a signed app package to a device. You maintain the signing, hosting, and deployment of these apps. Sideloading was also available with Windows 8 and Windows 8.1 When you sideload an app, you deploy a signed app package to a device. You maintain the signing, hosting, and deployment of these apps. Sideloading was also available with Windows 8 and Windows 8.1
@ -31,8 +27,6 @@ In Windows 10, sideloading is different than in earlier versions of Windows:
- Devices do not have to be joined to a domain - Devices do not have to be joined to a domain
## Requirements ## Requirements
Here's what you'll need to have: Here's what you'll need to have:
- Devices need to be unlocked for sideloading (unlock policy enabled) - Devices need to be unlocked for sideloading (unlock policy enabled)
@ -50,8 +44,6 @@ And here's what you'll need to do:
- Install the app - use PowerShell to install the app package. - Install the app - use PowerShell to install the app package.
## How do I sideload an app on desktop ## How do I sideload an app on desktop
You can sideload apps on managed or unmanaged devices. You can sideload apps on managed or unmanaged devices.
**To turn on sideloading for managed devices** **To turn on sideloading for managed devices**
@ -74,17 +66,14 @@ You can sideload apps on managed or unmanaged devices.
3. Import the certificate to the **Trusted Root Certification Authorities** folder. 3. Import the certificate to the **Trusted Root Certification Authorities** folder.
-Or- -OR-
You can use a runtime provisioning package to import a security certificate. For information about applying a provisioning package to a Windows 10 device, see runtime instructions on [Build and apply a provisioning package]( http://go.microsoft.com/fwlink/p/?LinkId=619162). You can use a runtime provisioning package to import a security certificate. For information about applying a provisioning package to a Windows 10 device, see runtime instructions on [Build and apply a provisioning package]( http://go.microsoft.com/fwlink/p/?LinkId=619162).
**To install the app** **To install the app**
- From the folder with the appx package, run the PowerShell `Add-AppxPackage` command to install the appx package. - From the folder with the appx package, run the PowerShell `Add-AppxPackage` command to install the appx package.
## How do I sideload an app on mobile ## How do I sideload an app on mobile
You can sideload apps on managed or unmanaged devices. You can sideload apps on managed or unmanaged devices.
**To turn on sideloading for a managed device** **To turn on sideloading for a managed device**
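Review bot: Step 3 tells the reader to import the app-signing certificate into **Trusted Root Certification Authorities**, and nothing around it says what that grants. A certificate in that store is trusted as a root by that device or user, so the step should state where the certificate must come from, who holds its private key, and that it should be removed once the app no longer needs it.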
@ -115,7 +104,7 @@ You can sideload apps on managed or unmanaged devices.
- From an email, tap a xap, appx, or appx bundle package. - From an email, tap a xap, appx, or appx bundle package.
-Or- -OR-
With your mobile device tethered to a desktop, click a xap, appx, or appx bundle package from the files system to install the app. With your mobile device tethered to a desktop, click a xap, appx, or appx bundle package from the files system to install the app.
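Review bot: The last line of this hunk still says "from the files system"; it should read "file system". The line is unchanged context here, but the hunk already edits the separator directly above it, so the fix fits in the same pass.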

View File

@ -9,8 +9,6 @@ author: jdeckerMS
--- ---
# Update Product Status # Update Product Status
After you add computers to the VAMT database, you need to use the **Update license status** function to add the products that are installed on the computers. You can also use the **Update license status** at any time to retrieve the most current license status for any products in the VAMT database. After you add computers to the VAMT database, you need to use the **Update license status** function to add the products that are installed on the computers. You can also use the **Update license status** at any time to retrieve the most current license status for any products in the VAMT database.
To retrieve license status, VAMT must have administrative permissions on all selected computers and Windows Management Instrumentation (WMI) must be accessible through the Windows Firewall. In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md). To retrieve license status, VAMT must have administrative permissions on all selected computers and Windows Management Instrumentation (WMI) must be accessible through the Windows Firewall. In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
@ -18,11 +16,7 @@ To retrieve license status, VAMT must have administrative permissions on all sel
**Note**   **Note**  
The license-status query requires a valid computer name for each system queried. If the VAMT database contains computers that were added without Personally Identifiable Information, computer names will not be available for those computers, and the status for these computers will not be updated. The license-status query requires a valid computer name for each system queried. If the VAMT database contains computers that were added without Personally Identifiable Information, computer names will not be available for those computers, and the status for these computers will not be updated.
 
## Update the license status of a product ## Update the license status of a product
1. Open VAMT. 1. Open VAMT.
2. In the **Products** list, select one or more products that need to have their status updated. 2. In the **Products** list, select one or more products that need to have their status updated.
@ -31,23 +25,12 @@ The license-status query requires a valid computer name for each system queried.
4. If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and click **OK**. 4. If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and click **OK**.
VAMT displays the **Collecting product information** dialog box while it collects the status of all selected products. When the process is finished, the updated licensing status of each product will appear in the product list view in the center pane. VAMT displays the **Collecting product information** dialog box while it collects the status of all selected products. When the process is finished, the updated licensing status of each product will appear in the product list view in the center pane.
**Note**   **Note**  
If a previously discovered Microsoft Office 2010 product has been uninstalled from the remote computer, updating its licensing status will cause the entry to be deleted from the **Office** product list view, and, consequently, the total number of discovered products will be smaller. However, the Windows installation of the same computer will not be deleted and will always be shown in the **Windows** products list view. If a previously discovered Microsoft Office 2010 product has been uninstalled from the remote computer, updating its licensing status will cause the entry to be deleted from the **Office** product list view, and, consequently, the total number of discovered products will be smaller. However, the Windows installation of the same computer will not be deleted and will always be shown in the **Windows** products list view.
   
## Related topics ## Related topics
- [Add and Manage Products](add-manage-products-vamt.md)
[Add and Manage Products](add-manage-products-vamt.md)
 
 

View File

@ -10,8 +10,6 @@ author: jdeckerMS
--- ---
# Update Windows 10 images with provisioning packages # Update Windows 10 images with provisioning packages
**Applies to** **Applies to**
- Windows 10 - Windows 10
@ -30,8 +28,6 @@ Rather than wiping a device and applying a new system image when you need to cha
For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( http://go.microsoft.com/fwlink/p/?LinkId=619012). For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( http://go.microsoft.com/fwlink/p/?LinkId=619012).
## Advantages ## Advantages
- You can configure new devices without reimaging. - You can configure new devices without reimaging.
- Works on both mobile and desktop devices. - Works on both mobile and desktop devices.
@ -43,11 +39,9 @@ For details about the settings you can customize in provisioning packages, see [
- Ensure compliance and security before a device is enrolled in MDM. - Ensure compliance and security before a device is enrolled in MDM.
## Create package ## Create package
Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740)
1. Open Windows ICD (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). 1. Open Windows ICD (by default, `%windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe`).
2. Choose **New provisioning package**. 2. Choose **New provisioning package**.
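Review bot: The code-formatted path in step 1 keeps `%windir%\Program Files (x86)\...`, but %windir% expands to the Windows directory, so the path as written does not point at Program Files (x86). Use `%ProgramFiles(x86)%\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` or `%systemdrive%\Program Files (x86)\...` instead.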
@ -70,8 +64,6 @@ Use the Windows Imaging and Configuration Designer (ICD) tool included in the Wi
**Tip**   **Tip**  
You can make changes to existing packages and change the version number to update previously applied packages. You can make changes to existing packages and change the version number to update previously applied packages.
 
11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. 11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
@ -79,25 +71,21 @@ Use the Windows Imaging and Configuration Designer (ICD) tool included in the Wi
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package. - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package.
**Important**   **Important**  
We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently. We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently. 
  12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.<p>
Optionally, you can click **Browse** to change the default output location.
12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.
Optionally, you can click **Browse** to change the default output location.
13. Click **Next**. 13. Click **Next**.
14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status. 14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.<p>
If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. 15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.<p>
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
- If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
- If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods: 16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods:
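Review bot: Steps 12, 14 and 15 now end with a bare `<p>` to start the continuation sentence, and none of them is closed. An indented continuation paragraph under the list item gives the same layout without raw HTML in the Markdown. While here, the Important note under **Enable package signing** says any package signed with the trusted provisioning certificate "can be applied silently" thereafter; it should add that the signing key needs access control to match, since it decides what can be applied to devices without a prompt.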
@ -115,21 +103,16 @@ Use the Windows Imaging and Configuration Designer (ICD) tool included in the Wi
- NFC (mobile only) - NFC (mobile only)
## Add package to image ## Add package to image
**To add a provisioning package to Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)** **To add a provisioning package to Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)**
- Follow the steps in the "To build an image for Windows 10 for desktop editions" section in [Use the Windows ICD command-line interface]( http://go.microsoft.com/fwlink/p/?LinkId=617371). - Follow the steps in the "To build an image for Windows 10 for desktop editions" section in [Use the Windows ICD command-line interface]( http://go.microsoft.com/fwlink/p/?LinkId=617371).
**To add a provisioning package to a Windows 10 Mobile image** **To add a provisioning package to a Windows 10 Mobile image**
- Follow the steps in the "To build an image for Windows 10 Mobile or Windows 10 IoT Core (IoT Core)" section in [Use the Windows ICD command-line interface]( http://go.microsoft.com/fwlink/p/?LinkId=617371). - Follow the steps in the "To build an image for Windows 10 Mobile or Windows 10 IoT Core (IoT Core)" section in [Use the Windows ICD command-line interface]( http://go.microsoft.com/fwlink/p/?LinkId=617371).<p>
The provisioning package is placed in the FFU image and is flashed or sector written to the device. During device setup time, the provisioning engine starts and consumes the packages.
The provisioning package is placed in the FFU image and is flashed or sector written to the device. During device setup time, the provisioning engine starts and consumes the packages.
## Learn more ## Learn more
- [Build and apply a provisioning package]( http://go.microsoft.com/fwlink/p/?LinkId=629651) - [Build and apply a provisioning package]( http://go.microsoft.com/fwlink/p/?LinkId=629651)
- [Provisioning Windows 10 Devices with New Tools](http://go.microsoft.com/fwlink/p/?LinkId=615921) - [Provisioning Windows 10 Devices with New Tools](http://go.microsoft.com/fwlink/p/?LinkId=615921)
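Review bot: The link targets in this hunk keep a space after the opening parenthesis, as in `]( http://go.microsoft.com/fwlink/p/?LinkId=617371)` and `]( http://go.microsoft.com/fwlink/p/?LinkId=629651)`, while the link on the last line has none. Remove the space so all targets are written the same way. The Windows 10 Mobile bullet also gains an unclosed `<p>`; an indented paragraph under the bullet would do the same job.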
@ -137,15 +120,4 @@ Use the Windows Imaging and Configuration Designer (ICD) tool included in the Wi
- [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](http://go.microsoft.com/fwlink/p/?LinkId=615922) - [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](http://go.microsoft.com/fwlink/p/?LinkId=615922)
## Related topics ## Related topics
- [Configure devices without MDM](../manage/configure-devices-without-mdm.md)
[Configure devices without MDM](../manage/configure-devices-without-mdm.md)
 
 

View File

@ -10,8 +10,6 @@ author: jdeckerMS
--- ---
# Use the Volume Activation Management Tool # Use the Volume Activation Management Tool
**Applies to** **Applies to**
- Windows 10 - Windows 10
@ -35,8 +33,6 @@ The VAMT is distributed as part of the Windows Assessment and Deployment Kit (Wi
In Windows Server 2012 R2, you can install the VAMT directly from Server Manager without downloading the Windows ADK by selecting the Volume Activation Services role or the Remote Server Administration Tools/Role Administration Tools/Volume Activation Tools feature. In Windows Server 2012 R2, you can install the VAMT directly from Server Manager without downloading the Windows ADK by selecting the Volume Activation Services role or the Remote Server Administration Tools/Role Administration Tools/Volume Activation Tools feature.
## Activating with the Volume Activation Management Tool ## Activating with the Volume Activation Management Tool
You can use the VAMT to complete the activation process in products by using MAK and retail keys, and you can work with computers individually or in groups. The VAMT enables two activation scenarios: You can use the VAMT to complete the activation process in products by using MAK and retail keys, and you can work with computers individually or in groups. The VAMT enables two activation scenarios:
- **Online activation**. Online activation enables you to activate over the Internet any products that are installed with MAK, KMS host, or retail product keys. You can activate one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft. - **Online activation**. Online activation enables you to activate over the Internet any products that are installed with MAK, KMS host, or retail product keys. You can activate one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft.
@ -46,26 +42,20 @@ You can use the VAMT to complete the activation process in products by using MAK
By using this method, only the VAMT host computer requires Internet access. Proxy activation by using the VAMT is beneficial for isolated network segments and for cases where your organization has a mix of retail, MAK, and KMS-based activations. By using this method, only the VAMT host computer requires Internet access. Proxy activation by using the VAMT is beneficial for isolated network segments and for cases where your organization has a mix of retail, MAK, and KMS-based activations.
## Tracking products and computers with the Volume Activation Management Tool ## Tracking products and computers with the Volume Activation Management Tool
The VAMT provides an overview of the activation and licensing status of computers across your network, as shown in Figure 18. Several prebuilt reports are also available to help you proactively manage licensing. The VAMT provides an overview of the activation and licensing status of computers across your network, as shown in Figure 18. Several prebuilt reports are also available to help you proactively manage licensing.
![image of menu](images/volumeactivationforwindows81-18.jpg) ![VAMT showing the licensing status of multiple computers](images/volumeactivationforwindows81-18.jpg)
**Figure 18**. The VAMT showing the licensing status of multiple computers **Figure 18**. The VAMT showing the licensing status of multiple computers
## Tracking key usage with the Volume Activation Management Tool ## Tracking key usage with the Volume Activation Management Tool
The VAMT makes it easier to track the various keys that are issued to your organization. You can enter each key into VAMT, and then the VAMT can use those keys for online or proxy activation of clients. The tool can also describe what type of key it is and to which product group it belongs. The VAMT is the most convenient way to quickly determine how many activations remain on a MAK. Figure 19 shows an example of key types and usage. The VAMT makes it easier to track the various keys that are issued to your organization. You can enter each key into VAMT, and then the VAMT can use those keys for online or proxy activation of clients. The tool can also describe what type of key it is and to which product group it belongs. The VAMT is the most convenient way to quickly determine how many activations remain on a MAK. Figure 19 shows an example of key types and usage.
![image of menu](images/volumeactivationforwindows81-19.jpg) ![VAMT showing key types and usage](images/volumeactivationforwindows81-19.jpg)
**Figure 19**. The VAMT showing key types and usage **Figure 19**. The VAMT showing key types and usage
## Other Volume Activation Management Tool features ## Other Volume Activation Management Tool features
The VAMT stores information in a Microsoft SQL Server database for performance and flexibility, and it provides a single graphical user interface for managing activations and performing other activation-related tasks, such as: The VAMT stores information in a Microsoft SQL Server database for performance and flexibility, and it provides a single graphical user interface for managing activations and performing other activation-related tasks, such as:
- **Adding and removing computers**. You can use the VAMT to discover computers in the local environment. The VAMT can discover computers by querying AD DS, workgroups, or individual computer names or IP addresses, or through a general LDAP query. - **Adding and removing computers**. You can use the VAMT to discover computers in the local environment. The VAMT can discover computers by querying AD DS, workgroups, or individual computer names or IP addresses, or through a general LDAP query.
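Review bot: In the key-usage paragraph the tool is named both with and without the article in one sentence ("enter each key into VAMT, and then the VAMT can use those keys"); settle on one form. The same section says keys are entered into the tool and that it stores information in a Microsoft SQL Server database, so a sentence on who should have access to that database would be a useful addition.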
@ -81,8 +71,6 @@ For more information, see:
- [VAMT Step-by-Step Scenarios](http://go.microsoft.com/fwlink/p/?LinkId=618267) - [VAMT Step-by-Step Scenarios](http://go.microsoft.com/fwlink/p/?LinkId=618267)
## See also ## See also
- [Volume Activation for Windows 10](volume-activation-windows-10.md) - [Volume Activation for Windows 10](volume-activation-windows-10.md)
   

View File

@ -9,19 +9,17 @@ author: jdeckerMS
--- ---
# Use VAMT in Windows PowerShell # Use VAMT in Windows PowerShell
The Volume Activation Management Tool (VAMT) PowerShell cmdlets can be used to perform the same functions as the Vamt.exe command-line tool. The Volume Activation Management Tool (VAMT) PowerShell cmdlets can be used to perform the same functions as the Vamt.exe command-line tool.
**To Install PowerShell 3.0** **To install PowerShell 3.0**
- VAMT PowerShell cmdlets require Windows PowerShell, which is included in Windows 10, Windows 8 and Windows Server® 2012. You can download PowerShell for Windows 7 or other operating systems from the [Microsoft Download Center](http://go.microsoft.com/fwlink/p/?LinkId=218356). - VAMT PowerShell cmdlets require Windows PowerShell, which is included in Windows 10, Windows 8 and Windows Server® 2012. You can download PowerShell for Windows 7 or other operating systems from the [Microsoft Download Center](http://go.microsoft.com/fwlink/p/?LinkId=218356).
**To Install the Windows Assessment and Deployment Kit** **To install the Windows Assessment and Deployment Kit**
- In addition to PowerShell, you must import the VAMT PowerShell module. The module is included in the VAMT 3.0 folder after you install the Windows Assessment and Deployment Kit (Windows ADK). - In addition to PowerShell, you must import the VAMT PowerShell module. The module is included in the VAMT 3.0 folder after you install the Windows Assessment and Deployment Kit (Windows ADK).
**To Prepare the VAMT PowerShell Environment** **To prepare the VAMT PowerShell environment**
1. To open PowerShell with administrative credentials, click **Start** and type “PowerShell” to locate the program. Right-click **Windows PowerShell**, and then click **Run as administrator**. To open PowerShell in Windows 7, click **Start**, click **All Programs**, click **Accessories**, click **Windows PowerShell**, right-click **Windows PowerShell**, and then click **Run as administrator**. 1. To open PowerShell with administrative credentials, click **Start** and type “PowerShell” to locate the program. Right-click **Windows PowerShell**, and then click **Run as administrator**. To open PowerShell in Windows 7, click **Start**, click **All Programs**, click **Accessories**, click **Windows PowerShell**, right-click **Windows PowerShell**, and then click **Run as administrator**.
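Review bot: The heading **To install PowerShell 3.0** names a version, but the paragraph under it only says the cmdlets "require Windows PowerShell" and never states a minimum version. Say 3.0 in the body as well, or drop it from the heading. The second heading has a similar mismatch: it is titled as installing the Windows Assessment and Deployment Kit, while its text is about importing the VAMT PowerShell module.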
@ -32,73 +30,56 @@ The Volume Activation Management Tool (VAMT) PowerShell cmdlets can be used to p
- The x86 version of the PowerShell ISE is available in C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell\_ise.exe - The x86 version of the PowerShell ISE is available in C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell\_ise.exe
  2. For all supported operating systems you can use the VAMT PowerShell module included with the Windows ADK. By default, the module is installed with the Windows ADK in the VAMT folder. Change directories to the directory where VAMT is located.
2. For all supported operating systems you can use the VAMT PowerShell module included with the Windows ADK. By default, the module is installed with the Windows ADK in the VAMT folder. Change directories to the directory where VAMT is located. For example, if the Windows ADK is installed in the default location of C:\\Program Files(x86)\\Windows Kits\\10, type For example, if the Windows ADK is installed in the default location of `C:\Program Files(x86)\Windows Kits\10`, type:
``` syntax ``` ps1
cd “C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\VAMT 3.0” cd “C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\VAMT 3.0”
``` ```
3. Import the VAMT PowerShell module. To import the module, type the following at a command prompt: 3. Import the VAMT PowerShell module. To import the module, type the following at a command prompt:
``` syntax ``` syntax
Import-Module .\VAMT.psd1 Import-Module .\VAMT.psd1
``` ```
Where **Import-Module** imports a module only into the current session. To import the module into all sessions, add an **Import-Module** command to a Windows PowerShell profile. For more information about profiles, type `get-help about_profiles`.
**Import-Module** imports a module only into the current session. To import the module into all sessions, add an **Import-Module** command to a Windows PowerShell profile. For more information about profiles, type `get-help about_profiles`.
## To Get Help for VAMT PowerShell cmdlets ## To Get Help for VAMT PowerShell cmdlets
You can view all of the help sections for a VAMT PowerShell cmdlet, or you can view only the section that you are interested in. To view all of the Help content for a VAMT cmdlet, type: You can view all of the help sections for a VAMT PowerShell cmdlet, or you can view only the section that you are interested in. To view all of the Help content for a VAMT cmdlet, type:
``` syntax ``` ps1
get-help <cmdlet name> -all get-help <cmdlet name> -all
``` ```
For example, type: For example, type:
``` syntax ``` ps1
get-help get-VamtProduct -all get-help get-VamtProduct -all
``` ```
**Warning**   **Warning**
The update-help cmdlet is not supported for VAMT PowerShell cmdlets. To view online help for VAMT cmdlets, you can use the -online option with the get-help cmdlet. For more information, see [Volume Activation Management Tool (VAMT) Cmdlets in Windows PowerShell](http://go.microsoft.com/fwlink/p/?LinkId=242278). The update-help cmdlet is not supported for VAMT PowerShell cmdlets. To view online help for VAMT cmdlets, you can use the -online option with the get-help cmdlet. For more information, see [Volume Activation Management Tool (VAMT) Cmdlets in Windows PowerShell](http://go.microsoft.com/fwlink/p/?LinkId=242278).
  **To view VAMT PowerShell Help sections**
**To View VAMT PowerShell Help Sections**
1. To get the syntax to use with a cmdlet, type the following at a command prompt: 1. To get the syntax to use with a cmdlet, type the following at a command prompt:
``` syntax ``` ps1
get-help <cmdlet name> get-help <cmdlet name>
``` ```
For example, type: For example, type:
``` syntax ``` ps1
get-help get-VamtProduct get-help get-VamtProduct
``` ```
2. To see examples using a cmdlet, type: 2. To see examples using a cmdlet, type:
``` syntax ``` ps1
get-help <cmdlet name> -examples get-help <cmdlet name> -examples
``` ```
For example, type: For example, type:
``` syntax ``` ps1
get-help get-VamtProduct -examples get-help get-VamtProduct -examples
``` ```
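Review bot: In step 2 the inline path on the new side, `C:\Program Files(x86)\Windows Kits\10`, is missing the space before "(x86)", while the `cd` command that follows uses `C:\Program Files (x86)\...`; the typo was carried over from the old text and should be fixed so the prose and the command agree. The `cd` argument is still wrapped in curly quotes; straight quotes are the safer form for a command that readers will paste. The fence tag was changed from `syntax` to `ps1` on every block in this hunk except the `Import-Module .\VAMT.psd1` block in step 3, which still reads `syntax`. Because step 1 opens the session with **Run as administrator**, consider having step 3 import the module by its full path rather than `.\VAMT.psd1`, so that what gets loaded into the elevated session does not depend on the current directory.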
 
 

View File

@ -9,104 +9,29 @@ author: jdeckerMS
--- ---
# VAMT Requirements # VAMT Requirements
This topic includes info about the product key and system requirements for VAMT.
## Product Key Requirements ## Product Key Requirements
The Volume Activation Management Tool (VAMT) can be used to perform activations using any of the following types of product keys. The Volume Activation Management Tool (VAMT) can be used to perform activations using any of the following types of product keys.
<table> |Product key type |Where to obtain |
<colgroup> |-----------------|----------------|
<col width="50%" /> |<ul><li>Multiple Activation Key (MAK)</li><li>Key Management Service (KMS) host key (CSVLK)</li><li>KMS client setup keys (GVLK)</li></ul> |Volume licensing keys can only be obtained with a signed contract from Microsoft. For more info, see the [Microsoft Volume Licensing portal](http://go.microsoft.com/fwlink/p/?LinkId=227282). |
<col width="50%" /> |Retail product keys |Obtained at time of product purchase. |
</colgroup>
<thead>
<tr class="header">
<th align="left">Product Key Type</th>
<th align="left">Where to Obtain</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><ul>
<li><p>Multiple Activation Key (MAK)</p></li>
<li><p>Key Management Service (KMS) host key (CSVLK)</p></li>
<li><p>KMS client setup keys (GVLK)</p></li>
</ul></td>
<td align="left"><p>Volume licensing keys can only be obtained with a signed contract from Microsoft. For more info, see the [Microsoft Volume Licensing portal](http://go.microsoft.com/fwlink/p/?LinkId=227282).</p></td>
</tr>
<tr class="even">
<td align="left"><p>Retail product keys</p></td>
<td align="left"><p>Obtained at time of product purchase.</p></td>
</tr>
</tbody>
</table>
 
## System Requirements ## System Requirements
The following table lists the system requirements for the VAMT host computer. The following table lists the system requirements for the VAMT host computer.
<table> |Item |Minimum system requirement |
<colgroup> |-----|---------------------------|
<col width="50%" /> |Computer and Processor |1 GHz x86 or x64 processor |
<col width="50%" /> |Memory |1 GB RAM for x86 or 2 GB RAM for x64 |
</colgroup> |Hard Disk |16 GB available hard disk space for x86 or 20 GB for x64 |
<tbody> |External Drive|Removable media (Optional) |
<tr class="odd"> |Display |1024x768 or higher resolution monitor |
<td align="left"><p>Computer and Processor</p></td> |Network |Connectivity to remote computers via Windows® Management Instrumentation (TCP/IP) and Microsoft® Activation Web Service on the Internet via HTTPS |
<td align="left"><p>1 GHz x86 or x64 processor</p></td> |Operating System |Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2, or Windows Server 2012. |
</tr> |Additional Requirements |<ul><li>Connection to a SQL Server database. For more info, see [Install VAMT](install-vamt.md).</li><li>PowerShell 3.0: For Windows 8, Windows 8.1, Windows 10, and Windows Server® 2012, PowerShell is included in the installation. For previous versions of Windows and Windows Server, you must download PowerShell 3.0. To download PowerShell, go to [Download Windows PowerShell 3.0](http://go.microsoft.com/fwlink/p/?LinkId=218356).</li><li>If installing on Windows Server 2008 R2, you must also install .NET Framework 3.51.</li></ul> |
<tr class="even">
<td align="left"><p>Memory</p></td>
<td align="left"><p>1 GB RAM for x86 or 2 GB RAM for x64</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Hard Disk</p></td>
<td align="left"><p>16 GB available hard disk space for x86 or 20 GB for x64</p></td>
</tr>
<tr class="even">
<td align="left"><p>External Drive</p></td>
<td align="left"><p>Removable media (Optional)</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Display</p></td>
<td align="left"><p>1024x768 or higher resolution monitor</p></td>
</tr>
<tr class="even">
<td align="left"><p>Network</p></td>
<td align="left"><p>Connectivity to remote computers via Windows® Management Instrumentation (TCP/IP) and Microsoft® Activation Web Service on the Internet via HTTPS</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Operating System</p></td>
<td align="left"><p>Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2, or Windows Server 2012.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Additional Requirements</p></td>
<td align="left"><ul>
<li><p>Connection to a SQL Server database. For more info, see [Install VAMT](install-vamt.md).</p></li>
<li><p>PowerShell 3.0: For Windows 8, Windows 8.1, Windows 10, and Windows Server® 2012, PowerShell is included in the installation. For previous versions of Windows and Windows Server, you must download PowerShell 3.0. To download PowerShell, go to [Download Windows PowerShell 3.0](http://go.microsoft.com/fwlink/p/?LinkId=218356).</p></li>
<li><p>If installing on Windows Server 2008 R2, you must also install .NET Framework 3.51.</p></li>
</ul></td>
</tr>
</tbody>
</table>
 
## Related topics ## Related topics
- [Install and Configure VAMT](install-configure-vamt.md)
[Install and Configure VAMT](install-configure-vamt.md)
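Review bot: In the System Requirements table, the "Additional Requirements" row still reads ".NET Framework 3.51"; check whether 3.5.1 is meant and correct it while the row is being rewritten. That row and the first Product Key Requirements row now put `<ul><li>` lists containing Markdown links such as `[Install VAMT](install-vamt.md)` inside a single table cell, so confirm the links still render inside the inline HTML in the target renderer. Minor: `|External Drive|Removable media (Optional) |` is the only row without a space before the cell separator, and the fwlink URLs in both tables are still `http://`; switch them to `https://` if the redirector accepts it.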
 
 

View File

@ -9,40 +9,18 @@ author: jdeckerMS
--- ---
# VAMT Step-by-Step Scenarios # VAMT Step-by-Step Scenarios
This section provides step-by-step instructions on implementing the Volume Activation Management Tool (VAMT) in typical environments. VAMT supports many common scenarios; the scenarios in this section describe some of the most common to get you started. This section provides step-by-step instructions on implementing the Volume Activation Management Tool (VAMT) in typical environments. VAMT supports many common scenarios; the scenarios in this section describe some of the most common to get you started.
## In this Section ## In this Section
|Topic |Description |
<table> |------|------------|
<colgroup> |[Scenario 1: Online Activation](scenario-online-activation-vamt.md) |Describes how to distribute Multiple Activation Keys (MAKs) to products installed on one or more connected computers within a network, and how to instruct these products to contact Microsoft over the Internet for activation. |
<col width="50%" /> |[Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) |Describes how to use two VAMT host computers — the first one with Internet access and a second computer within an isolated workgroup — as proxies to perform MAK volume activation for workgroup computers that do not have Internet access. |
<col width="50%" /> |[Scenario 3: KMS Client Activation](scenario-kms-activation-vamt.md) |Describes how to use VAMT to configure client products for Key Management Service (KMS) activation. By default, volume license editions of Windows 10, Windows Vista, Windows® 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. |
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p>[Scenario 1: Online Activation](scenario-online-activation-vamt.md)</p></td>
<td align="left"><p>Describes how to distribute Multiple Activation Keys (MAKs) to products installed on one or more connected computers within a network, and how to instruct these products to contact Microsoft over the Internet for activation.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md)</p></td>
<td align="left"><p>Describes how to use two VAMT host computers — the first one with Internet access and a second computer within an isolated workgroup — as proxies to perform MAK volume activation for workgroup computers that do not have Internet access.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Scenario 3: KMS Client Activation](scenario-kms-activation-vamt.md)</p></td>
<td align="left"><p>Describes how to use VAMT to configure client products for Key Management Service (KMS) activation. By default, volume license editions of Windows 10, Windows Vista, Windows® 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation.</p></td>
</tr>
</tbody>
</table>
 
## Related topics ## Related topics
- [Introduction to VAMT](introduction-vamt.md)
[Introduction to VAMT](introduction-vamt.md)
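Review bot: In the Scenario 3 row of the new table, the product list mixes "or" and "and" ("... Windows Server 2008 R2, or Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation") and applies ® to only some product names. Since the row is being rewritten anyway, make it one list joined with "and" and use the marks consistently.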
   

View File

@ -9,8 +9,6 @@ author: jdeckerMS
--- ---
# Volume Activation Management Tool (VAMT) Technical Reference # Volume Activation Management Tool (VAMT) Technical Reference
The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process.
VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in that requires the Microsoft Management Console (MMC) 3.0. VAMT can be installed on any computer that has one of the following Windows operating systems: VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in that requires the Microsoft Management Console (MMC) 3.0. VAMT can be installed on any computer that has one of the following Windows operating systems:
@ -32,58 +30,20 @@ VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the W
**Important**   **Important**  
VAMT is designed to manage volume activation for: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Microsoft Office 2010, and Microsoft Office 2013. Computers installed with volume editions of **Windows XP** or **Windows Server 2003** cannot be managed using VAMT. However, Office 2010 and Office 2013 products installed on these two operating systems can still be managed. VAMT is designed to manage volume activation for: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Microsoft Office 2010, and Microsoft Office 2013. Computers installed with volume editions of **Windows XP** or **Windows Server 2003** cannot be managed using VAMT. However, Office 2010 and Office 2013 products installed on these two operating systems can still be managed.
 
VAMT is only available in an EN-US (x86) package. VAMT is only available in an EN-US (x86) package.
## In this Section ## In this Section
|Topic |Description |
|------|------------|
<table> |[Introduction to VAMT](introduction-vamt.md) |Provides a description of VAMT and common usages. |
<colgroup> |[Active Directory-Based Activation Overview](active-directory-based-activation-overview.md) |Describes Active Directory-Based Activation scenarios. |
<col width="50%" /> |[Install and Configure VAMT](install-configure-vamt.md) |Describes how to install VAMT and use it to configure client computers on your network. |
<col width="50%" /> |[Add and Manage Products](add-manage-products-vamt.md) |Describes how to add client computers into VAMT. |
</colgroup> |[Manage Product Keys](manage-product-keys-vamt.md) |Describes how to add and remove a product key from VAMT. |
<tbody> |[Manage Activations](manage-activations-vamt.md) |Describes how to activate a client computer by using a variety of activation methods. |
<tr class="odd"> |[Manage VAMT Data](manage-vamt-data.md) |Describes how to save, import, export, and merge a Computer Information List (CILX) file using VAMT. |
<td align="left"><p>[Introduction to VAMT](introduction-vamt.md)</p></td> |[VAMT Step-by-Step Scenarios](vamt-step-by-step.md) |Provides step-by-step instructions for using VAMT in typical environments. |
<td align="left"><p>Provides a description of VAMT and common usages.</p></td> |[VAMT Known Issues](vamt-known-issues.md) |Lists known issues in VAMT. |
</tr>
<tr class="even">
<td align="left"><p>[Active Directory-Based Activation Overview](active-directory-based-activation-overview.md)</p></td>
<td align="left"><p>Describes Active Directory-Based Activation scenarios.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Install and Configure VAMT](install-configure-vamt.md)</p></td>
<td align="left"><p>Describes how to install VAMT and use it to configure client computers on your network.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Add and Manage Products](add-manage-products-vamt.md)</p></td>
<td align="left"><p>Describes how to add client computers into VAMT.</p>
<p></p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Manage Product Keys](manage-product-keys-vamt.md)</p></td>
<td align="left"><p>Describes how to add and remove a product key from VAMT.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Manage Activations](manage-activations-vamt.md)</p></td>
<td align="left"><p>Describes how to activate a client computer by using a variety of activation methods.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Manage VAMT Data](manage-vamt-data.md)</p></td>
<td align="left"><p>Describes how to save, import, export, and merge a Computer Information List (CILX) file using VAMT.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[VAMT Step-by-Step Scenarios](vamt-step-by-step.md)</p></td>
<td align="left"><p>Provides step-by-step instructions for using VAMT in typical environments.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[VAMT Known Issues](vamt-known-issues.md)</p></td>
<td align="left"><p>Lists known issues in VAMT.</p></td>
</tr>
</tbody>
</table>
   

View File

@ -10,8 +10,6 @@ author: jdeckerMS
--- ---
# Volume Activation for Windows 10 # Volume Activation for Windows 10
**Applies to** **Applies to**
- Windows 10 - Windows 10

View File

@ -11,16 +11,12 @@ author: CFaw
# Windows 10 deployment scenarios # Windows 10 deployment scenarios
**Applies to** **Applies to**
- Windows 10 - Windows 10
To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task. To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task.
## In-place upgrade ## In-place upgrade
For existing computers running Windows 7, Windows 8, or Windows 8.1, the recommended path for organizations deploying Windows 10 leverages the Windows installation program (Setup.exe) to perform an in-place upgrade, which automatically preserves all data, settings, applications, and drivers from the existing operating system version. This requires the least IT effort, because there is no need for any complex deployment infrastructure. For existing computers running Windows 7, Windows 8, or Windows 8.1, the recommended path for organizations deploying Windows 10 leverages the Windows installation program (Setup.exe) to perform an in-place upgrade, which automatically preserves all data, settings, applications, and drivers from the existing operating system version. This requires the least IT effort, because there is no need for any complex deployment infrastructure.
Although consumer PCs will be upgraded using Windows Update, organizations want more control over the process. This is accomplished by leveraging tools like System Center Configuration Manager or the Microsoft Deployment Toolkit to completely automate the upgrade process through simple task sequences. Although consumer PCs will be upgraded using Windows Update, organizations want more control over the process. This is accomplished by leveraging tools like System Center Configuration Manager or the Microsoft Deployment Toolkit to completely automate the upgrade process through simple task sequences.
@ -32,32 +28,37 @@ Because existing applications are preserved through the process, the upgrade pro
There are some situations where you cannot use in-place upgrade; in these situations, you can use traditional deployment (wipe-and-load) instead. Examples of these situations include: There are some situations where you cannot use in-place upgrade; in these situations, you can use traditional deployment (wipe-and-load) instead. Examples of these situations include:
- Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process cannot change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers. - Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process cannot change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers.
- Changing from legacy BIOS to UEFI booting. Some organizations deployed earlier versions of Windows on UEFI-enabled systems, leveraging the legacy BIOS capabilities of these systems. Because changing from legacy BIOS to UEFI requires changing the hardware configuration, disk configuration, and OS configuration, this is not possible using in-place upgrade.
**Note**  Windows 10 does not require UEFI, so it would work fine to upgrade a system using legacy BIOS emulation. Some Windows 10 features, such as Secure Boot, would not be available after doing this.
  - Changing from legacy BIOS to UEFI booting. Some organizations deployed earlier versions of Windows on UEFI-enabled systems, leveraging the legacy BIOS capabilities of these systems. Because changing from legacy BIOS to UEFI requires changing the hardware configuration, disk configuration, and OS configuration, this is not possible using in-place upgrade.
<p>**Note**<br>Windows 10 does not require UEFI, so it would work fine to upgrade a system using legacy BIOS emulation. Some Windows 10 features, such as Secure Boot, would not be available after doing this.
- Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed. - Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed.
- Devices that use third-party disk encryption software. While devices encrypted with BitLocker can easily be upgraded, more work is necessary for third-party disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process (check with your ISV to see if they have instructions), but if not available a traditional deployment would be needed. - Devices that use third-party disk encryption software. While devices encrypted with BitLocker can easily be upgraded, more work is necessary for third-party disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process (check with your ISV to see if they have instructions), but if not available a traditional deployment would be needed.
- Updating existing images. While it might be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image, this is not supported preparing an upgraded OS for imaging (using Sysprep.exe) is not supported and will not work when it detects the upgraded OS. - Updating existing images. While it might be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image, this is not supported preparing an upgraded OS for imaging (using Sysprep.exe) is not supported and will not work when it detects the upgraded OS.
- Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS; if using dual-boot or multi-boot systems with multiple operating systems (not leveraging virtual machines for the second and subsequent operating systems), additional care should be taken. - Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS; if using dual-boot or multi-boot systems with multiple operating systems (not leveraging virtual machines for the second and subsequent operating systems), additional care should be taken.
## Dynamic provisioning ## Dynamic provisioning
For new PCs, organizations have historically replaced the version of Windows included on the device with their own custom Windows image, because this was often faster and easier than leveraging the preinstalled version. But this is an added expense due to the time and effort required. With the new dynamic provisioning capabilities and tools provided with Windows 10, it is now possible to avoid this. For new PCs, organizations have historically replaced the version of Windows included on the device with their own custom Windows image, because this was often faster and easier than leveraging the preinstalled version. But this is an added expense due to the time and effort required. With the new dynamic provisioning capabilities and tools provided with Windows 10, it is now possible to avoid this.
The goal of dynamic provisioning is to take a new PC out of the box, turn it on, and transform it into a productive organization device, with minimal time and effort. The types of transformations that are available include: The goal of dynamic provisioning is to take a new PC out of the box, turn it on, and transform it into a productive organization device, with minimal time and effort. The types of transformations that are available include:
- Changing the Windows edition with a single reboot. For organizations that have Software Assurance for Windows, it is easy to change a device from Windows 10 Pro to Windows 10 Enterprise, just by specifying an appropriate product or setup key. When the device restarts, all of the Windows 10 Enterprise features will be enabled. - Changing the Windows edition with a single reboot. For organizations that have Software Assurance for Windows, it is easy to change a device from Windows 10 Pro to Windows 10 Enterprise, just by specifying an appropriate product or setup key. When the device restarts, all of the Windows 10 Enterprise features will be enabled.
- Configuring the device with VPN and Wi-Fi connections that may be needed to gain access to organization resources. - Configuring the device with VPN and Wi-Fi connections that may be needed to gain access to organization resources.
- Installation of additional apps needed for organization functions. - Installation of additional apps needed for organization functions.
- Configuration of common Windows settings to ensure compliance with organization policies. - Configuration of common Windows settings to ensure compliance with organization policies.
- Enrollment of the device in a mobile device management (MDM) solution, such as Microsoft Intune. - Enrollment of the device in a mobile device management (MDM) solution, such as Microsoft Intune.
There are two primary dynamic provisioning scenarios: There are two primary dynamic provisioning scenarios:
- **Azure Active Directory (Azure AD) Join with automatic mobile device management (MDM) enrollment.** In this scenario, the organization member just needs to provide their work or school user ID and password; the device can then be automatically joined to Azure Active Directory and enrolled in a mobile device management (MDM) solution with no additional user interaction. Once done, the MDM solution can finish configuring the device as needed. - **Azure Active Directory (Azure AD) Join with automatic mobile device management (MDM) enrollment.** In this scenario, the organization member just needs to provide their work or school user ID and password; the device can then be automatically joined to Azure Active Directory and enrolled in a mobile device management (MDM) solution with no additional user interaction. Once done, the MDM solution can finish configuring the device as needed.
- **Provisioning package configuration.** Using the [Windows Imaging and Configuration Designer (ICD)](http://go.microsoft.com/fwlink/p/?LinkId=619358), IT administrators can create a self-contained package that contains all of the configuration, settings, and apps that need to be applied to a machine. These packages can then be deployed to new PCs through a variety of means, typically by IT professionals. For more information, see [Configure devices without MDM](../manage/configure-devices-without-mdm.md). - **Provisioning package configuration.** Using the [Windows Imaging and Configuration Designer (ICD)](http://go.microsoft.com/fwlink/p/?LinkId=619358), IT administrators can create a self-contained package that contains all of the configuration, settings, and apps that need to be applied to a machine. These packages can then be deployed to new PCs through a variety of means, typically by IT professionals. For more information, see [Configure devices without MDM](../manage/configure-devices-without-mdm.md).
Either way, these scenarios can be used to enable “choose your own device” (CYOD) programs where the organizations users can pick their own PC and not be restricted to a small list of approved or certified models (programs that are difficult to implement using traditional deployment scenarios). Either way, these scenarios can be used to enable “choose your own device” (CYOD) programs where the organizations users can pick their own PC and not be restricted to a small list of approved or certified models (programs that are difficult to implement using traditional deployment scenarios).
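Review bot: The rewritten note under the "Changing from legacy BIOS to UEFI booting" bullet opens a `<p>` that is never closed and places Markdown bold (`**Note**`) inside that HTML block, where many Markdown renderers leave the asterisks as literal text. Either keep the note as Markdown or write it fully in HTML with `<strong>` and a closing `</p>`. In the "Updating existing images" bullet, "this is not supported preparing an upgraded OS for imaging (using Sysprep.exe) is not supported" runs two clauses together and needs punctuation after the first "not supported". In the last paragraph, "the organizations users" is missing its apostrophe.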
@ -65,8 +66,6 @@ Either way, these scenarios can be used to enable “choose your own device” (
While the initial Windows 10 release includes a variety of provisioning settings and deployment mechanisms, these will continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for additional features through the Windows Feedback app or through their Microsoft Support contacts. While the initial Windows 10 release includes a variety of provisioning settings and deployment mechanisms, these will continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for additional features through the Windows Feedback app or through their Microsoft Support contacts.
## Traditional deployment ## Traditional deployment
New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md), and [System Center Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md). New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md), and [System Center Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md).
With the release of Windows 10, all of these tools are being updated to fully support Windows 10. Although newer scenarios such as in-place upgrade and dynamic provisioning may reduce the need for traditional deployment capabilities in some organizations, these traditional methods remain important and will continue to be available to organizations that need them. With the release of Windows 10, all of these tools are being updated to fully support Windows 10. Although newer scenarios such as in-place upgrade and dynamic provisioning may reduce the need for traditional deployment capabilities in some organizations, these traditional methods remain important and will continue to be available to organizations that need them.
@ -74,72 +73,61 @@ With the release of Windows 10, all of these tools are being updated to fully s
The traditional deployment scenario can be divided into different sub-scenarios. These are explained in detail in the following sections, but the following provides a brief summary: The traditional deployment scenario can be divided into different sub-scenarios. These are explained in detail in the following sections, but the following provides a brief summary:
- **New computer.** A bare-metal deployment of a new machine. - **New computer.** A bare-metal deployment of a new machine.
- **Computer refresh.** A reinstall of the same machine (with user-state migration and an optional full Windows Imaging (WIM) image backup). - **Computer refresh.** A reinstall of the same machine (with user-state migration and an optional full Windows Imaging (WIM) image backup).
- **Computer replace.** A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup). - **Computer replace.** A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup).
**New computer** ###New computer
This scenario occurs when you have a blank machine you need to deploy, or an existing machine you want to wipe and redeploy without needing to preserve any existing data. The setup starts from a boot media, using CD, USB, ISO, or Pre-Boot Execution Environment (PXE). You can also generate a full offline media that includes all the files needed for a client deployment, allowing you to deploy without having to connect to a central deployment share. The target can be a physical computer, a virtual machine, or a Virtual Hard Disk (VHD) running on a physical computer (boot from VHD). This scenario occurs when you have a blank machine you need to deploy, or an existing machine you want to wipe and redeploy without needing to preserve any existing data. The setup starts from a boot media, using CD, USB, ISO, or Pre-Boot Execution Environment (PXE). You can also generate a full offline media that includes all the files needed for a client deployment, allowing you to deploy without having to connect to a central deployment share. The target can be a physical computer, a virtual machine, or a Virtual Hard Disk (VHD) running on a physical computer (boot from VHD).
The deployment process for the new machine scenario is as follows: The deployment process for the new machine scenario is as follows:
1. Start the setup from boot media (CD, USB, ISO, or PXE). 1. Start the setup from boot media (CD, USB, ISO, or PXE).
2. Wipe the hard disk clean and create new volume(s). 2. Wipe the hard disk clean and create new volume(s).
3. Install the operating system image. 3. Install the operating system image.
4. Install other applications (as part of the task sequence). 4. Install other applications (as part of the task sequence).
After taking these steps, the computer is ready for use. After taking these steps, the computer is ready for use.
**Computer refresh** ###Computer refresh
A refresh is sometimes called wipe-and-load. The process is normally initiated in the running operating system. User data and settings are backed up and restored later as part of the deployment process. The target can be the same as for the new computer scenario. A refresh is sometimes called wipe-and-load. The process is normally initiated in the running operating system. User data and settings are backed up and restored later as part of the deployment process. The target can be the same as for the new computer scenario.
The deployment process for the wipe-and-load scenario is as follows: The deployment process for the wipe-and-load scenario is as follows:
1. Start the setup on a running operating system. 1. Start the setup on a running operating system.
2. Save the user state locally. 2. Save the user state locally.
3. Wipe the hard disk clean (except for the folder containing the backup). 3. Wipe the hard disk clean (except for the folder containing the backup).
4. Install the operating system image. 4. Install the operating system image.
5. Install other applications. 5. Install other applications.
6. Restore the user state. 6. Restore the user state.
After taking these steps, the machine is ready for use. After taking these steps, the machine is ready for use.
**Computer replace** ###Computer replace
A computer replace is similar to the refresh scenario. However, since we are replacing the machine, we divide this scenario into two main tasks: backup of the old client and bare-metal deployment of the new client. As with the refresh scenario, user data and settings are backed up and restored. A computer replace is similar to the refresh scenario. However, since we are replacing the machine, we divide this scenario into two main tasks: backup of the old client and bare-metal deployment of the new client. As with the refresh scenario, user data and settings are backed up and restored.
The deployment process for the replace scenario is as follows: The deployment process for the replace scenario is as follows:
1. Save the user state (data and settings) on the server through a backup job on the running operating system. 1. Save the user state (data and settings) on the server through a backup job on the running operating system.
2. Deploy the new computer as a bare-metal deployment. 2. Deploy the new computer as a bare-metal deployment.
**Note**  In some situations, you can use the replace scenario even if the target is the same machine. For example, you can use replace if you want to modify the disk layout from the master boot record (MBR) to the GUID partition table (GPT), which will allow you to take advantage of the Unified Extensible Firmware Interface (UEFI) functionality. You can also use replace if the disk needs to be repartitioned since user data needs to be transferred off the disk. **Note**<br>In some situations, you can use the replace scenario even if the target is the same machine. For example, you can use replace if you want to modify the disk layout from the master boot record (MBR) to the GUID partition table (GPT), which will allow you to take advantage of the Unified Extensible Firmware Interface (UEFI) functionality. You can also use replace if the disk needs to be repartitioned since user data needs to be transferred off the disk.
 
## Related topics ## Related topics
- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
- [Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md)
[Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) - [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=620230)
- [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
[Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md) - [Windows setup technical reference](http://go.microsoft.com/fwlink/p/?LinkId=619357)
- [Windows Imaging and Configuration Designer](http://go.microsoft.com/fwlink/p/?LinkId=619358)
[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=620230) - [UEFI firmware](http://go.microsoft.com/fwlink/p/?LinkId=619359)
[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
[Windows setup technical reference](http://go.microsoft.com/fwlink/p/?LinkId=619357)
[Windows Imaging and Configuration Designer](http://go.microsoft.com/fwlink/p/?LinkId=619358)
[UEFI firmware](http://go.microsoft.com/fwlink/p/?LinkId=619359)
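Review bot: The three sub-scenario headings are written as `###New computer`, `###Computer refresh` and `###Computer replace`, with no space after the hashes, unlike `## Traditional deployment` and `## Related topics` in the same file. CommonMark-style renderers require a space after the opening `#` characters and will show these lines as literal text, so write `### New computer` and likewise for the other two. In the Related topics list, the link target `upgrade-to-windows-10-with-system-center-configuraton-manager.md` is spelled "configuraton"; confirm that it matches the actual file name while the list is being touched.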
 
 

View File

@ -9,8 +9,6 @@ author: CFaw
--- ---
# Windows 10 edition upgrade # Windows 10 edition upgrade
**Applies to** **Applies to**
- Windows 10 - Windows 10
@ -20,49 +18,36 @@ With Windows 10, you can quickly upgrade from one edition of Windows 10 to ano
The following table shows the methods you can use to upgrade editions of Windows 10. The following table shows the methods you can use to upgrade editions of Windows 10.
| | | | | | | | |Method |Home > Pro |Home > Education |Pro > Education |Pro > Enterprise |Ent > Education |Mobile > Mobile Enterprise |
|---------------------------------------------|--------------------------------------|--------------------------------------|--------------------------------------|--------------------------------------|--------------------------------------|--------------------------------------| |-------|-----------|-----------------|----------------|-----------------|----------------|--------|
| Method | Home &gt; Pro | Home &gt; Education | Pro &gt; Education | Pro &gt; Enterprise | Ent &gt; Education | Mobile &gt; Mobile Enterprise | | Using mobile device management (MDM) |![unsupported](images/crossmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |
| Using mobile device management (MDM) | ![unsupported](images/crossmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | | Using a provisioning package |![unsupported](images/crossmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |
| Using a provisioning package | ![unsupported](images/crossmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | | Using a command-line tool |![unsupported](images/crossmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![unsupported](images/crossmark.png) |
| Using a command-line tool | ![unsupported](images/crossmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![unsupported](images/crossmark.png) | | Entering a product key manually |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![supported](images/checkmark.png) |![unsupported](images/crossmark.png) |
| Entering a product key manually | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![unsupported](images/crossmark.png) | | Purchasing a license from the Windows Store |![supported](images/checkmark.png) |![unsupported](images/crossmark.png) |![unsupported](images/crossmark.png) |![unsupported](images/crossmark.png) |![unsupported](images/crossmark.png) |![unsupported](images/crossmark.png) |
| Purchasing a license from the Windows Store | ![supported](images/checkmark.png) | ![unsupported](images/crossmark.png) | ![unsupported](images/crossmark.png) | ![unsupported](images/crossmark.png) | ![unsupported](images/crossmark.png) | ![unsupported](images/crossmark.png) |
  **Note**<br>Each desktop edition in the table also has an N and KN edition. These editions have had media-related functionality removed. Devices with N or KN editions installed can be upgraded to corresponding N or KN editions using the same methods.
**Note**  Each desktop edition in the table also has an N and KN edition. These editions have had media-related functionality removed. Devices with N or KN editions installed can be upgraded to corresponding N or KN editions using the same methods.
 
## Upgrade using mobile device management (MDM) ## Upgrade using mobile device management (MDM)
- To upgrade desktop editions of Windows 10 using MDM, you'll need to enter the product key for the upgraded edition in the **UpgradeEditionWithProductKey** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](http://go.microsoft.com/fwlink/p/?LinkID=690907).
- To upgrade mobile editions of Windows 10 using MDM, you'll need to enter the product key for the upgraded edition in the **UpgradeEditionWithLicense** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](http://go.microsoft.com/fwlink/p/?LinkID=690907).
To upgrade desktop editions of Windows 10 using MDM, you'll need to enter the product key for the upgraded edition in the **UpgradeEditionWithProductKey** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](http://go.microsoft.com/fwlink/p/?LinkID=690907).
To upgrade mobile editions of Windows 10 using MDM, you'll need to enter the product key for the upgraded edition in the **UpgradeEditionWithLicense** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](http://go.microsoft.com/fwlink/p/?LinkID=690907).
## Upgrade using a provisioning package ## Upgrade using a provisioning package
The Windows Imaging and Configuration Designer (ICD) tool is included in the Windows Assessment and Deployment Kit (ADK) for Windows 10. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) The Windows Imaging and Configuration Designer (ICD) tool is included in the Windows Assessment and Deployment Kit (ADK) for Windows 10. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740)
To use Windows ICD to create a provisioning package for upgrading desktop editions of Windows 10, go to **Runtime settings &gt; EditionUpgrade &gt; UpgradeEditionWithProductKey** in the **Available customizations** panel in Windows ICD and enter the product key for the upgraded edition. - To use Windows ICD to create a provisioning package for upgrading desktop editions of Windows 10, go to **Runtime settings &gt; EditionUpgrade &gt; UpgradeEditionWithProductKey** in the **Available customizations** panel in Windows ICD and enter the product key for the upgraded edition.
To use Windows ICD to create a provisioning package for upgrading mobile editions of Windows 10, go to **Runtime settings &gt; EditionUpgrade &gt; UpgradeEditionWithLicense** in the **Available customizations** panel in Windows ICD and enter the product key for the upgraded edition. - To use Windows ICD to create a provisioning package for upgrading mobile editions of Windows 10, go to **Runtime settings &gt; EditionUpgrade &gt; UpgradeEditionWithLicense** in the **Available customizations** panel in Windows ICD and enter the product key for the upgraded edition.
For more info on creating and applying a provisioning package using Windows ICD, see [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkID=533700). For more info on creating and applying a provisioning package using Windows ICD, see [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkID=533700).
## Upgrade using a command-line tool ## Upgrade using a command-line tool
You can run the changepk.exe command-line tool to upgrade devices to a supported edition of Windows 10: You can run the changepk.exe command-line tool to upgrade devices to a supported edition of Windows 10:
`changepk.exe /ProductKey <enter your new product key here>` `changepk.exe /ProductKey <enter your new product key here>`
## Upgrade by manually entering a product key ## Upgrade by manually entering a product key
If you are upgrading only a few devices, you may want to enter a product key for the upgraded edition manually. If you are upgrading only a few devices, you may want to enter a product key for the upgraded edition manually.
**To manually enter a product key** **To manually enter a product key**
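Review bot: Both mobile bullets (under "Upgrade using mobile device management (MDM)" and "Upgrade using a provisioning package") tell the reader to enter a product key in a setting named **UpgradeEditionWithLicense**, while the desktop bullets use **UpgradeEditionWithProductKey**. Since these lines are being rewritten as bullets anyway, confirm what the mobile setting actually takes and reword the sentence if it is a license rather than a product key. Minor: the new table header uses a bare `>` (`Home > Pro`) while the provisioning bullets still use `&gt;`; pick one form.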
@ -76,19 +61,17 @@ If you are upgrading only a few devices, you may want to enter a product key for
4. Follow the on-screen instructions. 4. Follow the on-screen instructions.
## Upgrade by purchasing a license from the Windows Store ## Upgrade by purchasing a license from the Windows Store
If you do not have a product key, you can upgrade your edition of Windows 10 through the Windows Store. If you do not have a product key, you can upgrade your edition of Windows 10 through the Windows Store.
**To upgrade through the Windows Store** **To upgrade through the Windows Store**
1. From either the Start menu or the Start screen, type 'Activation' and click on the Activation shortcut. 1. From either the **Start** menu or the **Start** screen, type 'Activation' and click on the Activation shortcut.
2. Click **Go to Store**. 2. Click **Go to Store**.
3. Follow the on-screen instructions. 3. Follow the on-screen instructions.
**Note**  If you are a Windows 10 Home N or Windows 10 Home KN user and have trouble finding your applicable upgrade in the Windows Store, click [here](ms-windows-store://windowsupgrade/). **Note**<br>If you are a Windows 10 Home N or Windows 10 Home KN user and have trouble finding your applicable upgrade in the Windows Store, click [here](ms-windows-store://windowsupgrade/).
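Review bot: In step 1 of "To upgrade through the Windows Store", **Start** is now bolded but the Activation shortcut in the same sentence is not, while step 2 bolds **Go to Store**; bold every UI element or none. The reformatted note also keeps the link text "here" for `ms-windows-store://windowsupgrade/`; descriptive link text would tell the reader that the link opens the Windows Store rather than a web page.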
   

View File

@ -1,72 +1,50 @@
--- ---
title: Add multiple apps to your enterprise data protection (EDP) Protected Apps list (Windows 10) title: Add multiple apps to your enterprise data protection (EDP) Protected Apps list (Windows 10)
description: Add multiple apps to your enterprise data protection (EDP) Protected Apps list at the same time, by using the Microsoft Intune Custom URI functionality and the AppLocker Group Policy. description: Add multiple apps to your enterprise data protection (EDP) Protected Apps list at the same time, by using the Microsoft Intune Custom URI functionality and the AppLocker Group Policy.
ms.assetid: B50DB35D-A2A9-4B78-A95D-A1B066E66880 ms.assetid: b50db35d-a2a9-4b78-a95d-a1b066e66880
keywords: ["EDP", "Enterprise Data Protection", "protected apps", "protected app list"] keywords: ["EDP", "Enterprise Data Protection", "protected apps", "protected app list"]
ms.prod: W10 ms.prod: W10
ms.mktglfcycl: explore ms.mktglfcycl: explore
ms.sitesec: library ms.sitesec: library
author: brianlic-msft author: eross-msft
--- ---
# Add multiple apps to your enterprise data protection (EDP) Protected Apps list # Add multiple apps to your enterprise data protection (EDP) Protected Apps list
**Applies to:** **Applies to:**
- Windows 10 Insider Preview - Windows 10 Insider Preview
- Windows 10 Mobile Preview - Windows 10 Mobile Preview
\[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.\] <span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.]</span>
Add multiple apps to your enterprise data protection (EDP) **Protected Apps** list at the same time, by using the Microsoft Intune Custom URI functionality and the AppLocker Group Policy. For more info about how to create a custom URI using Intune, see [Windows 10 custom policy settings in Microsoft Intune](http://go.microsoft.com/fwlink/?LinkID=691330). Add multiple apps to your enterprise data protection (EDP) **Protected Apps** list at the same time, by using the Microsoft Intune Custom URI functionality and the AppLocker Group Policy. For more info about how to create a custom URI using Intune, see [Windows 10 custom policy settings in Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkID=691330).
**Important**   **Important**  
Results can be unpredictable if you configure your policy using both the UI and the Custom URI method together. We recommend using a single method for each policy. Results can be unpredictable if you configure your policy using both the UI and the Custom URI method together. We recommend using a single method for each policy.
If you only want to add one app at a time, you can follow the instructions in the [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) topic. If you only want to add one app at a time, you can follow the instructions in the [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) topic.
 
**To add Universal Windows Platform (UWP) apps** **To add Universal Windows Platform (UWP) apps**
1. Go to the AppLocker Group Policy UI by opening a command line window and running secpol.msc. The local security policy MMC snap-in opens showing the **Security Settings**. 1. Go to the AppLocker Group Policy UI by opening a command line window and running secpol.msc. The local security policy MMC snap-in opens showing the **Security Settings**.
2. Double-click **Application Control Policies**, double-click **AppLocker**, right-click **Packaged app Rules**, and then click **Automatically Generate Rules**. 2. Double-click **Application Control Policies**, double-click **AppLocker**, right-click **Packaged app Rules**, and then click **Automatically Generate Rules**.<p>
The **Automatically Generate Packaged app Rules** wizard opens, letting you create EDP-protected app polices for all of the installed apps on the device or for packaged apps within a specific folder.
The **Automatically Generate Packaged app Rules** wizard opens, letting you create EDP-protected app polices for all of the installed apps on the device or for packaged apps within a specific folder. 3. In the **Folder and Permissions** screen, keep the default value of **Everyone** in the **User or security group that the rules will apply to** box.<p>
You want to keep this value because your EDP policy needs to apply to the device being managed, not a single user or group of users.
3. In the **Folder and Permissions** screen, keep the default value of **Everyone** in the **User or security group that the rules will apply to** box. 4. Type the name youll use to tag the rules into the **Name to identify this set of rules** box, and then click **Next**.<p>
This name should be easily recognizable, such as *EDP_UniversalApps_Rules*.
You want to keep this value because your EDP policy needs to apply to the device being managed, not a single user or group of users. 5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules.<p>
**Important**<br>You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future.<p>
4. Type the name youll use to tag the rules into the **Name to identify this set of rules** box, and then click **Next**. **Note**<br>We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.<p>If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.<p>Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass enterprise data protection (EDP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed.
This name should be easily recognizable, such as *EDP\_UniversalApps\_Rules*.
5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules.
**Important**  
You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future.
 
**Note**  
We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.
If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.
Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass enterprise data protection (EDP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed.
 
6. In the **Review Rules** screen, look over your rules to make sure theyre right, and then click **Create** to add them to your collection of rules. 6. In the **Review Rules** screen, look over your rules to make sure theyre right, and then click **Create** to add them to your collection of rules.
7. In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules. 7. In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules.<p>
**Important**<br>Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy.
**Important**  Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy.
 
8. Open the Intune administration console, and go to the **Policy** node, click **Add Policy** from the **Tasks** area, go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. 8. Open the Intune administration console, and go to the **Policy** node, click **Add Policy** from the **Tasks** area, go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
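Review bot: In step 5, the **Important** callout says "You can also use **Path** rules instead of the **File hash**", but the **Note** directly after it warns that **Path** rules let an unallowed file be renamed and moved to match a protected app, and ranks them last behind **Publisher** and **File hash**. A reader who stops at the callout is pointed at the weakest option with no caveat, so fold the callout into the Note or add the bypass warning to it. The lines in this hunk also carry "youll", "theyre" and "polices" (missing apostrophes, and "policies"), and the continuation paragraphs hang off unclosed `<p>` tags; fix the spelling and check that the continuation text still renders indented under each step.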
@ -76,59 +54,40 @@ If you only want to add one app at a time, you can follow the instructions in th
11. Type your new **Setting Name** and **Description** into the associated boxes, keeping the default **Data Type** of **String**. 11. Type your new **Setting Name** and **Description** into the associated boxes, keeping the default **Data Type** of **String**.
12. In the **OMA-URI** box, type `./Vendor/MSFT/AppLocker/EnterpriseDataProtection/<your_enterprise_name>/StoreApp EXE`. 12. In the **OMA-URI** box, type `./Vendor/MSFT/AppLocker/EnterpriseDataProtection/<your_enterprise_name>/StoreApp EXE`
13. Open File Explorer, go to the location where you saved your new XML file, and open it using an XML editor, such as Notepad. 13. Open File Explorer, go to the location where you saved your new XML file, and open it using an XML editor, such as Notepad.
14. Copy the text that has a **Type** of Appx, within the **RuleCollection** tags, and then go back to Intune and paste the text into the **Value** box of the **Add or edit OMA-URI Setting** box. For example: 14. Copy the text that has a **Type** of Appx, within the **RuleCollection** tags, and then go back to Intune and paste the text into the **Value** box of the **Add or edit OMA-URI Setting** box. For example:
``` syntax ```
<RuleCollection Type="Appx" EnforcementMode="Enabled"><your_xml_rules_here></RuleCollection> <RuleCollection Type="Appx" EnforcementMode="Enabled"><your_xml_rules_here></RuleCollection>
``` ```
15. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**. 15. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.<p>
After saving the policy, youll need to deploy it to your employees devices. For more info, see the [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) topic.
After saving the policy, youll need to deploy it to your employees devices. For more info, see the [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) topic.
**To add Classic Windows applications** **To add Classic Windows applications**
1. Go to the AppLocker Group Policy UI by opening a command line window and running secpol.msc. The local security policy MMC snap-in opens showing the **Security Settings**. 1. Go to the AppLocker Group Policy UI by opening a command line window and running secpol.msc. The local security policy MMC snap-in opens showing the **Security Settings**.
2. Double-click **Application Control Policies**, double-click **AppLocker**, right-click **Executable Rules**, and then click **Automatically Generate Rules**. 2. Double-click **Application Control Policies**, double-click **AppLocker**, right-click **Executable Rules**, and then click **Automatically Generate Rules**.<p>
The **Automatically Generate Executable Rules** wizard opens, letting you create EDP-protected app polices by analyzing the files within a specific folder.
The **Automatically Generate Executable Rules** wizard opens, letting you create EDP-protected app polices by analyzing the files within a specific folder. 3. In the **Folder and Permissions** screen, keep the default value of **Everyone** in the **User or security group that the rules will apply to** box.<p>
You want to keep this value because your EDP policy needs to apply to the device being managed, not a single user or group of users.
3. In the **Folder and Permissions** screen, keep the default value of **Everyone** in the **User or security group that the rules will apply to** box. 4. Type the name youll use to tag the rules into the **Name to identify this set of rules** box, and then click **Next**.<p>
This name should be easily recognizable, such as *EDP_ClassicApps_Rules*.
You want to keep this value because your EDP policy needs to apply to the device being managed, not a single user or group of users. 5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules.<p>
**Important**<br>You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future.<p>
4. Type the name youll use to tag the rules into the **Name to identify this set of rules** box, and then click **Next**. **Note**<br>We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.<p>If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.<p>Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass enterprise data protection (EDP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed.
This name should be easily recognizable, such as *EDP\_ClassicApps\_Rules*.
5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules.
**Important**  
You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future.
 
**Note**  
We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.
If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.
Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass EDP by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed.
 
6. In the **Review Rules** screen, look over your rules to make sure theyre right, and then click **Create** to add them to your collection of rules. 6. In the **Review Rules** screen, look over your rules to make sure theyre right, and then click **Create** to add them to your collection of rules.
7. In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules. 7. In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules.<p>
**Important**<br>Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy.
**Important**  Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy.
 
8. Open the Intune administration console, and go to the **Policy** node, click **Add Policy** from the **Tasks** area, go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. 8. Open the Intune administration console, and go to the **Policy** node, click **Add Policy** from the **Tasks** area, go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
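Review bot: In step 5 the **Important** callout offers **Path** rules as an alternative to **File hash**, and the **Note** right after it says Path rules can let apps bypass EDP when a disallowed file is renamed and moved to match an allowed path. Read in order, the first callout suggests what the second warns against. Suggest folding the Important into the Note, or adding the rename caveat to it, so the order of preference (Publisher, then File hash, then Path) is stated once. While these lines are being touched: step 2 still reads "app polices", and the example path `%PROGRAMFILES%/NOTEPAD.EXE` uses a forward slash where the `%PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE` output elsewhere in this commit uses backslashes.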
@ -138,19 +97,24 @@ If you only want to add one app at a time, you can follow the instructions in th
11. Type your new **Setting Name** and **Description** into the associated boxes, keeping the default **Data Type** of **String**. 11. Type your new **Setting Name** and **Description** into the associated boxes, keeping the default **Data Type** of **String**.
12. In the **OMA-URI** box, type `./Vendor/MSFT/AppLocker/EnterpriseDataProtection/<your_enterprise_name>/EXE`. 12. In the **OMA-URI** box, type `./Vendor/MSFT/AppLocker/EnterpriseDataProtection/<your_enterprise_name>/EXE`
13. Open File Explorer, go to the location where you saved your new XML file, and open it using an XML editor, such as Notepad. 13. Open File Explorer, go to the location where you saved your new XML file, and open it using an XML editor, such as Notepad.
14. Copy the text that has a **Type** of EXE, within in the **RuleCollection** tags, and then go back to Intune and paste the text into the **Value** box of the **Add or edit OMA-URI Setting** box. For example: 14. Copy the text that has a **Type** of EXE, within in the **RuleCollection** tags, and then go back to Intune and paste the text into the **Value** box of the **Add or edit OMA-URI Setting** box. For example:
``` syntax ```
<RuleCollection Type="Exe" EnforcementMode="Enabled"><your_xml_rules_here></RuleCollection> <RuleCollection Type="Exe" EnforcementMode="Enabled"><your_xml_rules_here></RuleCollection>
``` ```
15. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**. 15. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.<p>
After saving the policy, youll need to deploy it to your employees devices. For more info, see the [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) topic.
##Related topics
- [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md)
- [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md)
- [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md)
After saving the policy, youll need to deploy it to your employees devices. For more info, see the [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) topic.
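Review bot: The new `##Related topics` heading has no space after the hashes, unlike `## Add individual apps to your Protected App list` elsewhere in this commit, and renderers that follow CommonMark will show it as literal text; add the space. Step 14 also still has the doubled word in "within in the **RuleCollection** tags", which is worth fixing while the step is in the diff.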
   

View File

@ -20,8 +20,7 @@ There are 3 ways to use this feature:
- **On.** Helps stop any font processed using GDI from loading outside of the `%windir%/Fonts` directory. It also turns on event logging. - **On.** Helps stop any font processed using GDI from loading outside of the `%windir%/Fonts` directory. It also turns on event logging.
- **Audit.** Turns on event logging, but doesnt block fonts from loading, regardless of location. The name of the apps that use untrusted fonts appear in your event log.<p> - **Audit.** Turns on event logging, but doesnt block fonts from loading, regardless of location. The name of the apps that use untrusted fonts appear in your event log.<p>**Note**<br>If you arent quite ready to deploy this feature into your organization, you can run it in Audit mode to see if not loading untrusted fonts causes any usability or compatibility issues.
**Note**<br>If you arent quite ready to deploy this feature into your organization, you can run it in Audit mode to see if not loading untrusted fonts causes any usability or compatibility issues.
- **Exclude apps to load untrusted fonts.** You can exclude specific apps, allowing them to load untrusted fonts, even while this feature is turned on. For instructions, see [Fix apps having problems because of blocked fonts](#fix-apps-having-problems-because-of-blocked-fonts). - **Exclude apps to load untrusted fonts.** You can exclude specific apps, allowing them to load untrusted fonts, even while this feature is turned on. For instructions, see [Fix apps having problems because of blocked fonts](#fix-apps-having-problems-because-of-blocked-fonts).
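Review bot: In the **Audit** bullet, "The name of the apps that use untrusted fonts appear in your event log" has a subject and verb that disagree; since this line is being rewritten to pull the **Note** inline, change it to "The names of the apps ... appear". The **On** bullet writes the directory as `%windir%/Fonts` with a forward slash; `%windir%\Fonts` matches Windows path syntax.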
@ -94,9 +93,9 @@ After you figure out the problematic fonts, you can try to fix your apps in 2 wa
**To fix your apps by excluding processes** **To fix your apps by excluding processes**
1. On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\ Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<process_image_name>`. Like, if you want to exclude Microsoft Word processes, youd use `HKEY_LOCAL_MACHINE\ Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe`. 1. On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<process_image_name>`. Like, if you want to exclude Microsoft Word processes, youd use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe`.
2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts feature on, using steps 2 and 3 in [Turn on and use the Blocking Untrusted Fonts feature.](#turn-on-and-use-the-blocking-untrusted-fonts-feature) 2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts feature on, using steps 2 and 3 in [Turn on and use the Blocking Untrusted Fonts feature](#turn-on-and-use-the-blocking-untrusted-fonts-feature).
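Review bot: Step 1 tells the reader to "go to" the `Image File Execution Options\<process_image_name>` key but does not say what to do when no key exists for that process image, while step 2's "Add any additional processes that need to be excluded here" implies keys are being created. State explicitly that the reader creates a key named after the process image if one is not already present. The sentence opening "Like, if you want to exclude" would read better as "For example, to exclude".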
   

View File

@ -43,11 +43,11 @@ After youve installed and set up Intune for your organization, you must creat
3. Go to **Windows**, click the **Enterprise Data Protection (Windows 10 and Mobile and later) policy**, pick the EDP template, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. 3. Go to **Windows**, click the **Enterprise Data Protection (Windows 10 and Mobile and later) policy**, pick the EDP template, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
![microsoft intune: new policy creation screen](images/intune-createnewpolicy.png) ![Microsoft Intune: Create your new policy from the New Policy screen](images/intune-createnewpolicy.png)
4. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. 4. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
![microsoft intune: required name and optional description fields](images/intune-namedescription.png) ![Microsoft Intune: Fill out the required Name and optional Description fields](images/intune-namedescription.png)
## Add individual apps to your Protected App list ## Add individual apps to your Protected App list
During the policy-creation process in Intune, you can choose the apps you want to give access to your enterprise data through EDP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. During the policy-creation process in Intune, you can choose the apps you want to give access to your enterprise data through EDP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
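Review bot: The new alt text on both images is written as an instruction ("Create your new policy from the New Policy screen", "Fill out the required Name and optional Description fields") instead of describing what the screenshot shows. Alt text is read in place of the image, so a description like the one being removed, with the capitalization fixed, serves better. Step 3 also bolds the word "policy" as part of the template name, while the Custom Configuration step earlier in this commit leaves "policy" outside the bold; pick one form.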
@ -66,7 +66,7 @@ The steps to add your apps are based on the type of app it is; either a Universa
**To find the Publisher and Product name values for Microsoft Store apps without installing them** **To find the Publisher and Product name values for Microsoft Store apps without installing them**
1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/?LinkID=722910) website, and find your app. For example, Microsoft OneNote.<p> 1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote.<p>
**Note**<br>If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the **Protected App** list. For info about how to do this, see the [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md) topic. **Note**<br>If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the **Protected App** list. For info about how to do this, see the [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md) topic.
2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. 2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`.
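Review bot: The Windows Store for Business link in step 1 is edited to add `/p/` but keeps the `http://` scheme; since the URL is being changed anyway, switch it to `https://`. In step 2 the OneNote URL is bare text while the ID value is in backticks; formatting the URL the same way makes it clear where it ends.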
@ -82,14 +82,14 @@ The steps to add your apps are based on the type of app it is; either a Universa
} }
``` ```
4. Copy the `publisherCertificateName` value into the **Publisher Name** box and copy the `packageIdentityName` value into the **Product Name** box of Intune. 4. Copy the `publisherCertificateName` value into the **Publisher Name** box and copy the `packageIdentityName` value into the **Product Name** box of Intune.
<p>**Important**<br>The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`. <p>**Important**<br>The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
<p>For example:<br> <p>For example:<br>
``` json ``` json
{ {
"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
} }
``` ```
![microsoft intune: add a universal windows app to the protected apps list](images/intune-addapps.png) ![Microsoft Intune: Add a UWP app to the Protected Apps list](images/intune-addapps.png)
**To find the Publisher and Product name values for apps installed on Windows 10 Mobile phones** **To find the Publisher and Product name values for apps installed on Windows 10 Mobile phones**
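Review bot: The `windowsPhoneLegacyId` example inside the json fence has a trailing comma before the closing brace, so it is not valid JSON as written; drop the comma. The **Important** text above it is also hard to follow: "might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes" mixes what the JSON returns with what goes into the Intune boxes. Suggest saying that when the JSON contains `windowsPhoneLegacyId`, **Product Name** is set to that value and **Publisher Name** to "CN=" followed by it.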
@ -122,30 +122,53 @@ The steps to add your apps are based on the type of app it is; either a Universa
<p>A dialog box appears, letting you pick whether the app is a **Universal App** or a **Desktop App**. <p>A dialog box appears, letting you pick whether the app is a **Universal App** or a **Desktop App**.
2. Click **Desktop App**, pick the options you want (see table), and then click **OK**. 2. Click **Desktop App**, pick the options you want (see table), and then click **OK**.
<table>
<tr>
<th>Option</th>
<th>Manages</th>
</tr>
<tr>
<td>All fields left as "*"</td>
<td>All files signed by any publisher. (Not recommended.)</td>
</tr>
<tr>
<td><strong>Publisher</strong> selected</td>
<td>All files signed by the named publisher.<p>This might be useful if your company is the publisher and signer of internal line-of-business apps.</td>
</tr>
<tr>
<td><strong>Publisher</strong> and <strong>Product Name</strong> selected</td>
<td>All files for the specified product, signed by the named publisher.</td>
</tr>
<tr>
<td><strong>Publisher</strong>, <strong>Product Name</strong>, and <strong>File Name</strong> selected</td>
<td>Any version of the named file or package for the specified product, signed by the named publisher.</td>
</tr>
<tr>
<td><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>File Name</strong>, and <strong>File Version, Exactly</strong> selected</td>
<td>Specified version of the named file or package for the specified product, signed by the named publisher.</td>
</tr>
<tr>
<td><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>File Name</strong>, and <strong>File Version, And above</strong> selected</td>
<td>Specified version or newer releases of the named file or package for the specified product, signed by the named publisher.<p>This option is recommended for enlightened apps that weren't previously enlightened.</td>
</tr>
<tr>
<td><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>File Name</strong>, and <strong>File Version, And below</strong> selected</td>
<td>Specified version or older releases of the named file or package for the specified product, signed by the named publisher.</td>
</tr>
</table>
|Option |Manages | ![Microsoft Intune: Add a Classic Windows app to the Protected Apps list](images/intune-add-desktop-app.png)
|-------|--------|
|All fields left as “*”| All files signed by any publisher. (Not recommended.) |
|**Publisher** selected | All files signed by the named publisher.<p>This might be useful if your company is the publisher and signer of internal line-of-business apps. |
|**Publisher** and **Product Name** selected |All files for the specified product, signed by the named publisher. |
|**Publisher**, **Product Name** and **File Name** selected |Any version of the named file or package for the specified product, signed by the named publisher.|
|**Publisher**, **Product Name**, **File Name**, and **File Version, Exactly** selected |Specified version of the named file or package for the specified product, signed by the named publisher. |
|**Publisher**, **Product Name**, **File Name**, and **File Version, And above** selected |Specified version or newer releases of the named file or package for the specified product, signed by the named publisher.<p>This option is recommended for enlightened apps that weren't previously enlightened. |
|**Publisher**, **Product Name**, **File Name**, and **File Version, And below** selected |Specified version or older releases of the named file or package for the specified product, signed by the named publisher. |
![microsoft intune: add a classic windows app to the protected apps list](images/intune-add-desktop-app.png)
If youre unsure about what to include for the publisher, you can run this PowerShell command: If youre unsure about what to include for the publisher, you can run this PowerShell command:
``` syntax ``` ps1
Get-AppLockerFileInformation -Path "<path of the exe>" Get-AppLockerFileInformation -Path "<path of the exe>"
``` ```
Where `"<path_of_the_exe>"` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe"`. Where `"<path_of_the_exe>"` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe"`.
In this example, you'd get the following info: In this example, you'd get the following info:
``` syntax ``` json
Path Publisher Path Publisher
---- --------- ---- ---------
%PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLOR... %PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLOR...
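Review bot: The fence around the `Get-AppLockerFileInformation` output is relabelled from `syntax` to `json`, but the block is PowerShell table output (Path and Publisher columns), not JSON, so a highlighter will mis-colour it; leave it untagged or use a plain-text tag. The command block shows the placeholder as `"<path of the exe>"` while the sentence below it refers to `"<path_of_the_exe>"`; make the two match. In the new HTML table the `<p>` tags inside the `<td>` cells are never closed.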
@ -165,7 +188,7 @@ If you're running into compatibility issues where your app is incompatible with
4. Copy the text that has a **Type** of Appx, within in the **RuleCollection** tags, and then go back to Intune and paste the text into the **Value** box of the **Add or edit OMA-URI Setting** box. For example: 4. Copy the text that has a **Type** of Appx, within in the **RuleCollection** tags, and then go back to Intune and paste the text into the **Value** box of the **Add or edit OMA-URI Setting** box. For example:
``` syntax ```
<RuleCollection Type="Appx" EnforcementMode="Enabled"><your_xml_rules_here></RuleCollection> <RuleCollection Type="Appx" EnforcementMode="Enabled"><your_xml_rules_here></RuleCollection>
``` ```
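Review bot: Dropping the `syntax` label leaves this fence untagged, while other fences touched in this commit were given a language (`ps1`, `json`); the content is XML, so tag it `xml`. The step text above it still has the doubled word in "within in the **RuleCollection** tags".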
@ -181,7 +204,7 @@ If you're running into compatibility issues where your app is incompatible with
4. Copy the text that has a **Type** of EXE, within in the **RuleCollection** tags, and then go back to Intune and paste the text into the **Value** box of the **Add or edit OMA-URI Setting** box. For example: 4. Copy the text that has a **Type** of EXE, within in the **RuleCollection** tags, and then go back to Intune and paste the text into the **Value** box of the **Add or edit OMA-URI Setting** box. For example:
``` syntax ```
<RuleCollection Type="Exe" EnforcementMode="Enabled"><your_xml_rules_here></RuleCollection> <RuleCollection Type="Exe" EnforcementMode="Enabled"><your_xml_rules_here></RuleCollection>
``` ```
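Review bot: Step 4 tells the reader to copy the text with a **Type** of EXE, but the attribute in the example is `Type="Exe"`; write the step with the same casing as the XML so it matches what the reader sees in the exported file. The `<your_xml_rules_here>` placeholder is written like an element with no closing tag, so a sentence saying it stands for the exported rules would prevent it being pasted literally.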
@ -191,15 +214,30 @@ If you're running into compatibility issues where your app is incompatible with
After you've added the apps you want to protect with EDP, you'll need to apply a management and protection mode. After you've added the apps you want to protect with EDP, you'll need to apply a management and protection mode.
We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your **Protected Apps** list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**. We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your **Protected Apps** list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**.
<table>
<tr>
<th>Mode</th>
<th>Description</th>
</tr>
<tr>
<td>Block</td>
<td>EDP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.</td>
</tr>
<tr>
<td>Override</td>
<td>EDP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459).</td>
</tr>
<tr>
<td>Silent</td>
<td>EDP runs silently, logging inappropriate data sharing, without blocking anything.</td>
</tr>
<tr>
<td>Off</td>
<td>EDP is turned off and doesn't help to protect or audit your data.</td>
</tr>
</table>
|Mode |Description | ![Microsoft Intune: Add the protection level for your Protected Apps list](images/intune-encryption-level.png)
|-----|------------|
|Block |EDP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise. |
|Override |EDP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459). |
|Silent |EDP runs silently, logging inappropriate data sharing, without blocking anything. |
|Off |EDP is turned off and doesn't help to protect or audit your data.|
<p>
![microsoft intune: add protection level for protected apps list](images/intune-encryption-level.png)
## Define your enterprise-managed identity domains ## Define your enterprise-managed identity domains
Specify your companys enterprise identity, expressed as your primary internet domain. For example, if your company is Contoso, its enterprise identity might be contoso.com. The first listed domain (in this example, contoso.com) is the primary enterprise identity string used to tag files protected by any app on the **Protected App** list. Specify your companys enterprise identity, expressed as your primary internet domain. For example, if your company is Contoso, its enterprise identity might be contoso.com. The first listed domain (in this example, contoso.com) is the primary enterprise identity string used to tag files protected by any app on the **Protected App** list.
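Review bot: In the **Override** row the Reporting CSP reference is still Markdown link syntax, `[Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459)`, but it now sits inside a raw HTML `<td>`, where Markdown renderers commonly leave the brackets and URL as literal text. Convert it to an `<a href>` element as part of the table conversion, and check the rendered page before merging.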
@ -207,8 +245,8 @@ Specify your companys enterprise identity, expressed as your primary internet
You can also specify all the domains owned by your enterprise that are used for user accounts, separating them with the "|" character. For example, if Contoso also has some employees with email addresses or user accounts on the fabrikam.com domain, you would use contoso.com|fabrikam.com. You can also specify all the domains owned by your enterprise that are used for user accounts, separating them with the "|" character. For example, if Contoso also has some employees with email addresses or user accounts on the fabrikam.com domain, you would use contoso.com|fabrikam.com.
This list of managed identity domains, along with the primary domain, make up the identity of your managing enterprise. User identities (user@domain) that end in any of the domains on this list, are considered managed. This list of managed identity domains, along with the primary domain, make up the identity of your managing enterprise. User identities (user@domain) that end in any of the domains on this list, are considered managed.
<p>
![microsoft intune: add primary internet domain for your enterprise identity](images/intune-primary-domain.png) ![Microsoft Intune: Add the primary internet domain for your enterprise identity](images/intune-primary-domain.png)
**To add your primary domain** **To add your primary domain**
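Review bot: "User identities (user@domain) that end in any of the domains on this list, are considered managed" leaves it unclear whether the comparison is against the whole domain part after the @ or against the trailing characters of the string; say which, since this sentence defines which accounts are treated as managed. The comma before "are considered" should go, and "This list ..., along with the primary domain, make up" needs "makes up". The `contoso.com|fabrikam.com` example would be easier to copy if set in backticks.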
@ -224,24 +262,52 @@ After you've added a protection mode to your apps, you'll need to decide where t
**To specify where your protected apps can find and send enterprise data on the network** **To specify where your protected apps can find and send enterprise data on the network**
1. Add additional network locations your apps can access by clicking **Add**, typing a description into the **Description** box, and then choosing your location type, including:<p> 1. Add additional network locations your apps can access by clicking **Add**, typing a description into the **Description** box, and then choosing your location type, including:
<table>
<tr>
<th>Network location type</th>
<th>Format</th>
<th>Description</th>
</tr>
<tr>
<td>Enterprise Cloud Domain</td>
<td>contoso.sharepoint.com,proxy1.contoso.com|<br>office.com|proxy2.contoso.com</td>
<td>Specify the cloud resources traffic to restrict to your protected apps.<p>For each cloud resource, you may also specify an internal proxy server that routes your traffic from your **Enterprise Internal Proxy Server** policy. If you have multiple resources, you must use the &#x7C; delimiter. Include the "|" delimiter just before the "|" if you dont use proxies. For example: [URL,Proxy]|[URL,Proxy].</td>
</tr>
<tr>
<td>Enterprise Network Domain</td>
<td>domain1.contoso.com,domain2.contoso.com</td>
<td>Specify the DNS suffix used in your environment. All traffic to the fully-qualified domains using this DNS suffix will be protected. If you have multiple resources, you must use the "," delimiter.<p>This setting works with the IP Ranges settings to detect whether a network endpoint is enterprise or personal on private networks.</td>
</tr>
<tr>
<td>Enterprise Proxy Server</td>
<td>domain1.contoso.com:80;domain2.contoso.com:137</td>
<td>Specify the proxy server and the port traffic is routed through. If you have multiple resources, you must use the ";" delimiter.<p>This setting is required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when using certain Wi-Fi hotspots at hotels and restaurants.</td>
</tr>
<tr>
<td>Enterprise Internal Proxy Server</td>
<td>proxy1.contoso.com;proxy2.contoso.com</td>
<td>Specify the proxy servers your cloud resources will go through. If you have multiple resources, you must use the ";" delimiter.</td>
</tr>
<tr>
<td>Enterprise IPv4 Range</td>
<td>**Starting IPv4 Address:** 3.4.0.1<br>**Ending IPv4 Address:** 3.4.255.254<br>**Custom URI:** 3.4.0.1-3.4.255.254,10.0.0.1-10.255.255.254</td>
<td>Specify the addresses for a valid IPv4 value range within your intranet.<p>If you are adding a single range, you can enter the starting and ending addresses into your management systems UI. If you want to add multiple addresses, we suggest creating a Custom URI, using the "-" delimiter between start and end of a range, and the "," delimiter to separate ranges.</td>
</tr>
<tr>
<td>Enterprise IPv6 Range</td>
<td>**Starting IPv6 Address:** 2a01:110::<br>**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff<br>**Custom URI:** 2a01:110::-2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff</td>
<td>Specify the addresses for a valid IPv6 value range within your intranet.<p>If you are adding a single range, you can enter the starting and ending addresses into your management systems UI. If you want to add multiple addresses, we suggest creating a Custom URI, using the "-" delimiter between start and end of a range, and the "," delimiter to separate ranges.</td>
</tr>
</table>
|Network location type |Format |Description | ![Microsoft Intune: Choose the primary domain and the other network locations for protected apps](images/intune-networklocation.png)
|----------------------|----------------|----------------------|
|Enterprise Cloud Domain |contoso.sharepoint.com,proxy1.contoso.com&#x7C;office.com&#x7C;proxy2.contoso.com|Specify the cloud resources traffic to restrict to your protected apps.<p>For each cloud resource, you may also specify an internal proxy server that routes your traffic from your **Enterprise Internal Proxy Server** policy. If you have multiple resources, you must use the &#x7C; delimiter. Include the &#x7C; delimiter just before the &#x7C; if you dont use proxies. For example: [URL,Proxy]&#x7C;[URL,Proxy]. |
|Enterprise Network Domain |domain1.contoso.com,domain2.contoso.com |Specify the DNS suffix used in your environment. All traffic to the fully-qualified domains using this DNS suffix will be protected. If you have multiple resources, you must use the `,` delimiter.<p>This setting works with the IP Ranges settings to detect whether a network endpoint is enterprise or personal on private networks. |
|Enterprise Proxy Server |domain1.contoso.com:80;domain2.contoso.com:137 |Specify the proxy server and the port traffic is routed through. If you have multiple resources, you must use the `;` delimiter.<p>This setting is required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when using certain Wi-Fi hotspots at hotels and restaurants. |
|Enterprise Internal Proxy Server |proxy1.contoso.com;proxy2.contoso.com |Specify the proxy servers your cloud resources will go through. If you have multiple resources, you must use the `;` delimiter. |
|Enterprise IPv4 Range |**Starting IPv4 Address:** 3.4.0.1<br>**Ending IPv4 Address:** 3.4.255.254<br>**Custom URI:** 3.4.0.1-3.4.255.254,10.0.0.1-10.255.255.254 | Specify the addresses for a valid IPv4 value range within your intranet.<p>If you are adding a single range, you can enter the starting and ending addresses into your management systems UI. If you want to add multiple addresses, we suggest creating a Custom URI, using the `-` delimiter between start and end of a range, and the `,` delimiter to separate ranges. |
|Enterprise IPv6 Range |**Starting IPv6 Address:** 2a01:110::<br>**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff<br>**Custom URI:** 2a01:110::-2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff |Specify the addresses for a valid IPv6 value range within your intranet.<p>If you are adding a single range, you can enter the starting and ending addresses into your management systems UI. If you want to add multiple addresses, we suggest creating a Custom URI, using the `-` delimiter between start and end of a range, and the `,` delimiter to separate ranges.
![microsoft intune: choose the primary domain and the other network locations for protected apps](images/intune-networklocation.png)
2. Add as many locations as you need, and then click **OK**.<p>The **Add or Edit Enterprise Network Locations box** closes. 2. Add as many locations as you need, and then click **OK**.<p>The **Add or Edit Enterprise Network Locations box** closes.
3. In the **Use a data recovery certificate in case of data loss** box, click **Browse** to add a data recovery certificate for your policy.<p>Adding a data recovery certificate helps you to access locally-protected files on the device. For example, if an employee leaves the company and the IT department has to access EDP-protected data from a Windows 10 company computer. This can also help recover data in case an employee's device is accidentally revoked. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic.<p> 3. In the **Use a data recovery certificate in case of data loss** box, click **Browse** to add a data recovery certificate for your policy.<p>Adding a data recovery certificate helps you to access locally-protected files on the device. For example, if an employee leaves the company and the IT department has to access EDP-protected data from a Windows 10 company computer. This can also help recover data in case an employee's device is accidentally revoked. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic.<p>
![microsoft intune: specify your data recovery certificate for your policy](images/intune-data-recovery.png) ![Microsoft Intune: Specify a data recovery certificate for your policy](images/intune-data-recovery.png)
## Choose your optional EDP-related settings ## Choose your optional EDP-related settings
After you've decided where your protected apps can access enterprise data on your network, youll be asked to decide if you want to add any optional EDP settings. After you've decided where your protected apps can access enterprise data on your network, youll be asked to decide if you want to add any optional EDP settings.
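Review bot: The Enterprise Cloud Domain row states the delimiter rule as "Include the | delimiter just before the | if you don't use proxies", which names the same character twice and does not tell the reader how to write an entry that has no proxy. The sample value has the same problem: `office.com|proxy2.contoso.com` puts a `|` between a resource and what looks like its proxy, which does not match the `[URL,Proxy]|[URL,Proxy]` form given at the end of the cell. This list decides which cloud traffic is treated as enterprise, so the cell should say which delimiter separates a resource from its proxy and which one separates entries, and the sample should follow that rule. Separately, the Enterprise IPv6 Range row has no closing `|` and runs straight into the image line, so the last table row may not render as a row.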
@ -254,14 +320,18 @@ After you've decided where your protected apps can access enterprise data on you
- **Protect app content when the device is in a locked state for the apps configured above.** Clicking **Yes** lets EDP help to secure protected app content when a mobile device is locked. We recommend turning this option on to help prevent data leaks from things such as email text that appears on the **Lock** screen of a Windows 10 Mobile phone. - **Protect app content when the device is in a locked state for the apps configured above.** Clicking **Yes** lets EDP help to secure protected app content when a mobile device is locked. We recommend turning this option on to help prevent data leaks from things such as email text that appears on the **Lock** screen of a Windows 10 Mobile phone.
![microsoft intune: optional edp settings](images/intune-edpsettings.png) ![Microsoft Intune: Optional EDP settings](images/intune-edpsettings.png)
2. Click **Save Policy**. 2. Click **Save Policy**.
## Related topics ## Related topics
- [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md)
- [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) - [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md)
- [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md)
- [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md) - [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md)
   
   

View File

@ -1,93 +1,82 @@
--- ---
title: Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager (Windows 10) title: Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager (Windows 10)
description: Configuration Manager (version 1511 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. description: Configuration Manager (version 1511 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
ms.assetid: 85B99C20-1319-4AA3-8635-C1A87B244529 ms.assetid: 85b99c20-1319-4aa3-8635-c1a87b244529
keywords: ["EDP", "Enterprise Data Protection", "SCCM", "System Center Configuration Manager", Configuration Manager"]
ms.prod: W10 ms.prod: W10
ms.mktglfcycl: explore ms.mktglfcycl: explore
ms.sitesec: library ms.sitesec: library
author: brianlic-msft author: eross-msft
--- ---
# Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager # Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager
**Applies to:** **Applies to:**
- Windows 10 Insider Preview - Windows 10 Insider Preview
- Windows 10 Mobile Preview - Windows 10 Mobile Preview
- System Center Configuration Manager (version 1511 or later) - System Center Configuration Manager (version 1511 or later)
\[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.\] <span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.]</span>
Configuration Manager (version 1511 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. Configuration Manager (version 1511 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
## In this topic: ## In this topic:
- [Add an EDP policy](#add-an-edp-policy)
- [Choose which apps can access your enterprise data](#choose-which-apps-can-access-your-enterprise-data)
- [Add an EDP policy](#add-edp-policy-sccm) - [Manage the EDP protection level for your enterprise data](#manage-the-edp-protection-level-for-your-enterprise-data)
- [Choose which apps can access your enterprise data](#choose-apps-sccm) - [Define your enterprise-managed identity domains](#define-your-enterprise-managed-identity-domains)
- [Manage the EDP protection level for your enterprise data](#protect-level-sccm) - [Choose where apps can access enterprise data](#choose-where-apps-can-access-enterprise-data)
- [Define your enterprise-managed identity domains](#define-identity-domain) - [Choose your optional EDP-related settings](#choose-your-optional-EDP-related-settings)
- [Choose where apps can access enterprise data](#choose-where-apps-sccm) - [Review your configuration choices in the Summary screen](#review-your-configuration-choices-in-the-summary-screen)
- [Choose your optional EDP-related settings](#optional-settings)
- [Review your configuration choices in the **Summary** screen](#summary-page)
- [Deploy the EDP policy](#deploy-policy-sccm)
## <a href="" id="add-edp-policy-sccm"></a>Add an EDP policy
- [Deploy the EDP policy](#deploy-the-edp-policy)
## Add an EDP policy
After youve installed and set up System Center Configuration Manager for your organization, you must create a configuration item for EDP, which in turn becomes your EDP policy. After youve installed and set up System Center Configuration Manager for your organization, you must create a configuration item for EDP, which in turn becomes your EDP policy.
**To create a configuration item for EDP** **To create a configuration item for EDP**
1. Open the System Center Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node. 1. Open the System Center Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node.
![system center configuration manager, configuration items screen](images/edp-sccm-addpolicy.png) ![System Center Configuration Manager, Configuration Items screen](images/edp-sccm-addpolicy.png)
2. Click the **Create Configuration Item** button. 2. Click the **Create Configuration Item** button.<p>
The **Create Configuration Item Wizard** starts.
The **Create Configuration Item Wizard** starts. ![Create Configuration Item wizard, define the configuration item and choose the configuration type](images/edp-sccm-generalscreen.png)
![create configuration item wizard, defining the configuration item and choosing the configuration type](images/edp-sccm-generalscreen.png)
3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. 3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use System Center Configuration Manager for device management, and then click **Next**. 4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use System Center Configuration Manager for device management, and then click **Next**.
- **Settings for devices managed with the Configuration Manager client &gt; Windows 10** option - **Settings for devices managed with the Configuration Manager client:** Windows 10
-OR- -OR-
- **Settings for devices managed without the Configuration Manager client &gt; Windows 8.1 and Windows 10** option - **Settings for devices managed without the Configuration Manager client:** Windows 8.1 and Windows 10
5. On the **Supported Platforms** screen, click the **Windows 10** box, and then click **Next**. 5. On the **Supported Platforms** screen, click the **Windows 10** box, and then click **Next**.
![create configuration item wizard, choosing the supported platforms for the policy](images/edp-sccm-supportedplat.png) ![Create Configuration Item wizard, choose the supported platforms for the policy](images/edp-sccm-supportedplat.png)
6. On the **Device Settings** screen, click **Enterprise Data Protection**, and then click **Next**. 6. On the **Device Settings** screen, click **Enterprise Data Protection**, and then click **Next**.
![create configuration item wizard, choosing to add the enterprise data protection settings](images/edp-sccm-devicesettings.png) ![Create Configuration Item wizard, choose the enterprise data protection settings](images/edp-sccm-devicesettings.png)
The **Configure Enterprise Data Protection settings** page appears, where you'll configure your policy for your organization.
## <a href="" id="choose-apps-sccm"></a>Choose which apps can access your enterprise data
The **Configure Enterprise Data Protection settings** page appears, where you'll configure your policy for your organization.
## Choose which apps can access your enterprise data
During the policy-creation process in Configuration Manager, you can choose the apps you want to give access to your enterprise data through EDP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps or unprotected network locations. During the policy-creation process in Configuration Manager, you can choose the apps you want to give access to your enterprise data through EDP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps or unprotected network locations.
The steps to add your apps are based on the type of app it is; either a Universal Windows Platform (UWP) app, or a signed Classic Windows application. The steps to add your apps are based on the type of app it is; either a Universal Windows Platform (UWP) app, or a signed Classic Windows application.
**Important**   **Important**<br>EDP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, EDP-unaware apps might not respect the corporate network boundary and will encrypt all files they create or modify, meaning that they could encrypt personal data and cause data leaks during the revocation process. Care must be taken to get a support statement from the software provider that their app is safe with EDP before adding it to your **Protected App** list.
EDP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, EDP-unaware apps might not respect the corporate network boundary and will encrypt all files they create or modify, meaning that they could encrypt personal data and cause data leaks during the revocation process. Care must be taken to get a support statement from the software provider that their app is safe with EDP before adding it to your **Protected App** list.
 
**To add a UWP app** **To add a UWP app**
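Review bot: The rewritten "In this topic" list points the "Choose your optional EDP-related settings" entry at `#choose-your-optional-EDP-related-settings`, with upper-case EDP, while every other new link uses an all-lower-case fragment such as `#manage-the-edp-protection-level-for-your-enterprise-data`. If heading anchors are generated in lower case, this one link will not resolve, so lower-case it to match the rest. The hunk also drops the explicit `<a href="" id="add-edp-policy-sccm"></a>` style anchors from the headings, so existing deep links to the old ids (`#choose-apps-sccm` and the others) will stop working; check for inbound references before removing them. In the front matter, the `keywords:` line has an unbalanced quote before `Configuration Manager"]`, which is worth fixing if that line stays.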
@ -97,7 +86,7 @@ EDP-aware apps are expected to prevent enterprise data from going to unprotected
**To find the Publisher and Product name values for Microsoft Store apps without installing them** **To find the Publisher and Product name values for Microsoft Store apps without installing them**
1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/?LinkID=722910) website, and find your app. For example, Microsoft OneNote. 1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote.
2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. 2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`.
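Review bot: The Windows Store for Business link in step 1 is edited here but stays on plain `http://go.microsoft.com/fwlink/p/?LinkID=722910`, while the OneNote URL in step 2 is already https. If the redirect is reachable over https, switch the scheme in this same change so readers are not sent through an unencrypted hop.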
@ -105,7 +94,7 @@ EDP-aware apps are expected to prevent enterprise data from going to unprotected
The API runs and opens a text editor with the app details. The API runs and opens a text editor with the app details.
``` syntax ``` json
{ {
"packageIdentityName": "Microsoft.Office.OneNote", "packageIdentityName": "Microsoft.Office.OneNote",
"publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
@ -113,293 +102,189 @@ EDP-aware apps are expected to prevent enterprise data from going to unprotected
``` ```
4. Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of the **Add app** box, and then click **OK**. 4. Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of the **Add app** box, and then click **OK**.
<p>**Important**<br>If you dont see the **Product Name** box, it could mean that your tenant is not on the latest build and that you need to wait until it's upgraded. Same applies if you see the **AppId** box. The **AppId** box has been removed in the latest build and should disappear (along with any entries) when your tenant is upgraded.
<p>**Important**<br>The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.<p>For example:<br>  
**Important**   ```
If you dont see the **Product Name** box, it could mean that your tenant is not on the latest build and that you need to wait until it's upgraded. Same applies if you see the **AppId** box. The **AppId** box has been removed in the latest build and should disappear (along with any entries) when your tenant is upgraded.
 
**Important**  
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
For example:
 
``` syntax
{ {
"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
} }
``` ```
![create configuration item wizard, adding a universal app](images/edp-sccm-adduniversalapp.png) ![Create Configuration Item wizard, add a Universal Windows Platform (UWP) app](images/edp-sccm-adduniversalapp.png)
**To add a Classic Windows application** **To add a Classic Windows application**
1. From the **Configure the following apps to be protected by EDP** table in the **Protected Apps** area, click **Add.** 1. From the **Configure the following apps to be protected by EDP** table in the **Protected Apps** area, click **Add.**
<p>A dialog box appears, letting you pick whether the app is a **Universal App** or a **Desktop App**.
A dialog box appears, letting you pick whether the app is a **Universal App** or a **Desktop App**.
2. Click **Desktop App**, pick the options you want (see table), and then click **OK**. 2. Click **Desktop App**, pick the options you want (see table), and then click **OK**.
<table> <table>
<colgroup> <tr>
<col width="50%" /> <th>Option</th>
<col width="50%" /> <th>Manages</th>
</colgroup> </tr>
<thead> <tr>
<tr class="header"> <td>All fields left as “*”</td>
<th align="left">Option</th> <td>All files signed by any publisher. (Not recommended.)</td>
<th align="left">Manages</th> </tr>
</tr> <tr>
</thead> <td><strong>Publisher</strong> selected</td>
<tbody> <td>All files signed by the named publisher.<p>This might be useful if your company is the publisher and signer of internal line-of-business apps.</td>
<tr class="odd"> </tr>
<td align="left"><p>All fields left as “*”</p></td> <tr>
<td align="left"><p>All files signed by any publisher. (Not recommended.)</p></td> <td><strong>Publisher</strong> and <strong>Product Name</strong> selected</td>
</tr> <td>All files for the specified product, signed by the named publisher.</td>
<tr class="even"> </tr>
<td align="left"><p><strong>Publisher</strong> selected</p></td> <tr>
<td align="left"><p>All files signed by the named publisher.</p> <td><strong>Publisher</strong>, <strong>Product Name</strong>, and <strong>File Name</strong> selected</td>
<p>This might be useful if your company is the publisher and signer of internal line-of-business apps.</p></td> <td>Any version of the named file or package for the specified product, signed by the named publisher.</td>
</tr> </tr>
<tr class="odd"> <tr>
<td align="left"><p><strong>Publisher</strong> and <strong>Product Name</strong> selected</p></td> <td><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>File Name</strong>, and <strong>File Version, Exactly</strong>, selected</td>
<td align="left"><p>All files for the specified product, signed by the named publisher.</p></td> <td>Specified version of the named file or package for the specified product, signed by the named publisher.</td>
</tr> </tr>
<tr class="even"> <tr>
<td align="left"><p><strong>Publisher</strong>, <strong>Product Name</strong>, and <strong>File Name</strong> selected</p></td> <td><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>File Name</strong>, and <strong>File Version, And above</strong> selected</td>
<td align="left"><p>Any version of the named file or package for the specified product, signed by the named publisher.</p></td> <td>Specified version or newer releases of the named file or package for the specified product, signed by the named publisher.<p>This option is recommended for enlightened apps that weren't previously enlightened.</td>
</tr> </tr>
<tr class="odd"> <tr>
<td align="left"><p><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>File Name</strong>, and <strong>File Version, Exactly</strong>, selected</p></td> <td><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>File Name</strong>, and <strong>File Version, And below</strong> selected</td>
<td align="left"><p>Specified version of the named file or package for the specified product, signed by the named publisher.</p></td> <td>Specified version or older releases of the named file or package for the specified product, signed by the named publisher.</td>
</tr> </tr>
<tr class="even">
<td align="left"><p><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>File Name</strong>, and <strong>File Version, And above</strong> selected</p></td>
<td align="left"><p>Specified version or newer releases of the named file or package for the specified product, signed by the named publisher.</p>
<p>This option is recommended for enlightened apps that weren't previously enlightened.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>File Name</strong>, and <strong>File Version, And below</strong> selected</p></td>
<td align="left"><p>Specified version or older releases of the named file or package for the specified product, signed by the named publisher.</p></td>
</tr>
</tbody>
</table> </table>
  If youre unsure about what to include for the publisher, you can run this PowerShell command:
If youre unsure about what to include for the publisher, you can run this PowerShell command: ```ps1
Get-AppLockerFileInformation -Path "<path of the exe>"
```
Where `"<path of the exe>"` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe"`.
``` syntax In this example, you'd get the following info:
Get-AppLockerFileInformation -Path "<path of the exe>"
```
Where `"<path of the exe>"` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe"`. ``` json
Path Publisher
In this example, you'd get the following info: ---- ---------
%PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLOR...
``` syntax ```
Path Publisher Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box.
---- ---------
%PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLOR...
```
Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box.
![create configuration item wizard, adding a desktop app](images/edp-sccm-adddesktopapp.png)
## <a href="" id="protect-level-sccm"></a>Manage the EDP protection level for your enterprise data
![Create Configuration Item wizard, add a Classic Windows app](images/edp-sccm-adddesktopapp.png)
## Manage the EDP-protection level for your enterprise data
After you've added the apps you want to protect with EDP, you'll need to apply an app management mode. After you've added the apps you want to protect with EDP, you'll need to apply an app management mode.
We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your **Protected Apps** list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**. We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your **Protected Apps** list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**.
<table> |Mode |Description |
<colgroup> |-----|------------|
<col width="50%" /> |Block |EDP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise. |
<col width="50%" /> |Override |EDP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459). |
</colgroup> |Silent |EDP runs silently, logging inappropriate data sharing, without blocking anything. |
<thead> |Off (not recommended) |EDP is turned off and doesn't help to protect or audit your data.
<tr class="header"> <p>After you turn off EDP, an attempt is made to decrypt any closed EDP-tagged files on the locally attached drives. |
<th align="left">Mode</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><strong>Block</strong></td>
<td align="left"><p>EDP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.</p></td>
</tr>
<tr class="even">
<td align="left"><strong>Override</strong></td>
<td align="left"><p>EDP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459).</p></td>
</tr>
<tr class="odd">
<td align="left"><strong>Silent</strong></td>
<td align="left"><p>EDP runs silently, logging inappropriate data sharing, without blocking anything.</p></td>
</tr>
<tr class="even">
<td align="left"><strong>Off</strong>
<p>(Not recommended)</p></td>
<td align="left"><p>EDP is turned off and doesn't help to protect or audit your data.</p>
<p>After you turn off EDP, an attempt is made to decrypt any closed EDP-tagged files on the locally attached drives.</p></td>
</tr>
</tbody>
</table>
 
![create configuration item wizard, choosing the app management mode](images/edp-sccm-appmgmt.png)
## <a href="" id="define-identity-domain"></a>Define your enterprise-managed identity domains
![Create Configuration Item wizard, choose your EDP-protection level](images/edp-sccm-appmgmt.png)
## Define your enterprise-managed identity domains
Specify your companys enterprise identity, expressed as your primary internet domain. For example, if your company is Contoso, its enterprise identity might be contoso.com. The first listed domain (in this example, contoso.com) is the primary enterprise identity string used to tag files protected by any app on the **Protected App** list. Specify your companys enterprise identity, expressed as your primary internet domain. For example, if your company is Contoso, its enterprise identity might be contoso.com. The first listed domain (in this example, contoso.com) is the primary enterprise identity string used to tag files protected by any app on the **Protected App** list.
You can also specify all the domains owned by your enterprise that are used for user accounts, separating them with the "|" character. For example, if Contoso also has some employees with email addresses or user accounts on the fabrikam.com domain, you would use contoso.com|fabrikam.com. You can also specify all the domains owned by your enterprise that are used for user accounts, separating them with the "|" character. For example, if Contoso also has some employees with email addresses or user accounts on the fabrikam.com domain, you would use contoso.com|fabrikam.com.
This list of managed identity domains, along with the primary domain, make up the identity of your managing enterprise. User identities (user@domain) that end in any of the domains on this list, are considered managed. This list of managed identity domains, along with the primary domain, make up the identity of your managing enterprise. User identities (user@domain) that end in any of the domains on this list, are considered managed.
![configuration manager: add primary internet domain for your enterprise identity](images/sccm-primary-domain.png) ![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity](images/sccm-primary-domain.png)
**To add your primary domain** **To add your primary domain**
- Type the name of your primary domain into the **Primary domain** field. For example, *contoso.com*. - Type the name of your primary domain into the **Primary domain** field. For example, *contoso.com*.<p>
If you have multiple domains, you must separate them with the "|" character. For example, contoso.com|fabrikam.com.
If you have multiple domains, you must separate them with the "|" character. For example, contoso.com|fabrikam.com.
## <a href="" id="choose-where-apps-sccm"></a>Choose where apps can access enterprise data
## Choose where apps can access enterprise data
After you've added a management level to your protected apps, you'll need to decide where those apps can access enterprise data on your network. There are 6 options, including your network domain, cloud domain, proxy server, internal proxy server, IPv4 range, and IPv6 range. After you've added a management level to your protected apps, you'll need to decide where those apps can access enterprise data on your network. There are 6 options, including your network domain, cloud domain, proxy server, internal proxy server, IPv4 range, and IPv6 range.
**To specify where your protected apps can find and send enterprise data on the network** **To specify where your protected apps can find and send enterprise data on the network**
1. Add additional network locations your apps can access by clicking **Add**, and then choosing your location type, including: 1. Add additional network locations your apps can access by clicking **Add**, and then choosing your location type, including:
<table> <table>
<colgroup> <tr>
<col width="33%" /> <th>Network location type</th>
<col width="33%" /> <th>Format</th>
<col width="33%" /> <th>Description</th>
</colgroup> </tr>
<thead> <tr>
<tr class="header"> <td>Enterprise Cloud Domain</td>
<th align="left">Network location type</th> <td>contoso.sharepoint.com,proxy1.contoso.com|<br>office.com|proxy2.contoso.com</td>
<th align="left">Format</th> <td>Specify the cloud resources traffic to restrict to your protected apps.<p>For each cloud resource, you may also specify an internal proxy server that routes your traffic from your **Enterprise Internal Proxy Server** policy. If you have multiple resources, you must use the &#x7C; delimiter. Include the "|" delimiter just before the "|" if you dont use proxies. For example: [URL,Proxy]|[URL,Proxy].</td>
<th align="left">Description</th> </tr>
</tr> <tr>
</thead> <td>Enterprise Network Domain</td>
<tbody> <td>domain1.contoso.com,domain2.contoso.com</td>
<tr class="odd"> <td>Specify the DNS suffix used in your environment. All traffic to the fully-qualified domains using this DNS suffix will be protected. If you have multiple resources, you must use the "," delimiter.<p>This setting works with the IP Ranges settings to detect whether a network endpoint is enterprise or personal on private networks.</td>
<td align="left"><p>Enterprise Cloud Domain</p></td> </tr>
<td align="left"><p>contoso.sharepoint.com,proxy1.contoso.com|office.com|proxy2.contoso.com</p></td> <tr>
<td align="left"><p>Specify the cloud resources traffic to restrict to your protected apps.</p> <td>Enterprise Proxy Server</td>
<p>For each cloud resource, you may also specify an internal proxy server that routes your traffic, from your <strong>Enterprise Internal Proxy Server</strong> policy. If you have multiple resources, you must use the &quot;|&quot; delimiter. Include the &quot;,&quot; delimiter just before the &quot;|&quot; if you dont use proxies. For example: <code>URL[,Proxy]|URL[,Proxy]</code>.</p></td> <td>domain1.contoso.com:80;domain2.contoso.com:137</td>
</tr> <td>Specify the proxy server and the port traffic is routed through. If you have multiple resources, you must use the ";" delimiter.<p>This setting is required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when using certain Wi-Fi hotspots at hotels and restaurants.</td>
<tr class="even"> </tr>
<td align="left"><p>Enterprise Network Domain</p></td> <tr>
<td align="left"><p>domain1.contoso.com,domain2.contoso.com</p></td> <td>Enterprise Internal Proxy Server</td>
<td align="left"><p>Specify the DNS suffix used in your environment. All traffic to the fully-qualified domains using this DNS suffix will be protected. If you have multiple resources, you must use the &quot;,&quot; delimiter.</p> <td>proxy1.contoso.com;proxy2.contoso.com</td>
<p>This setting works with the IP Ranges settings to detect whether a network endpoint is enterprise or personal on private networks.</p></td> <td>Specify the proxy servers your cloud resources will go through. If you have multiple resources, you must use the ";" delimiter.</td>
</tr> </tr>
<tr class="odd"> <tr>
<td align="left"><p>Enterprise Proxy Server</p></td> <td>Enterprise IPv4 Range</td>
<td align="left"><p>domain1.contoso.com:80;domain2.contoso.com:137</p></td> <td>**Starting IPv4 Address:** 3.4.0.1<br>**Ending IPv4 Address:** 3.4.255.254<br>**Custom URI:** 3.4.0.1-3.4.255.254,10.0.0.1-10.255.255.254</td>
<td align="left"><p>Specify the proxy server and the port traffic is routed through. If you have multiple resources, you must use the &quot;;&quot; delimiter.</p> <td>Specify the addresses for a valid IPv4 value range within your intranet.<p>If you are adding a single range, you can enter the starting and ending addresses into your management systems UI. If you want to add multiple addresses, we suggest creating a Custom URI, using the "-" delimiter between start and end of a range, and the "," delimiter to separate ranges.</td>
<p>This setting is required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when using certain Wi-Fi hotspots at hotels and restaurants.</p></td> </tr>
</tr> <tr>
<tr class="even"> <td>Enterprise IPv6 Range</td>
<td align="left"><p>Enterprise Internal Proxy Server</p></td> <td>**Starting IPv6 Address:** 2a01:110::<br>**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff<br>**Custom URI:** 2a01:110::-2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff</td>
<td align="left"><p>proxy1.contoso.com;proxy2.contoso.com</p></td> <td>Specify the addresses for a valid IPv6 value range within your intranet.<p>If you are adding a single range, you can enter the starting and ending addresses into your management systems UI. If you want to add multiple addresses, we suggest creating a Custom URI, using the "-" delimiter between start and end of a range, and the "," delimiter to separate ranges.</td>
<td align="left"><p>Specify the proxy servers your cloud resources will go through. If you have multiple resources, you must use the &quot;;&quot; delimiter.</p></td> </tr>
</tr>
<tr class="odd">
<td align="left"><p>Enterprise IPv4 Range</p></td>
<td align="left"><p><strong>Starting IPv4 Address:</strong> 3.4.0.1</p>
<p><strong>Ending IPv4 Address:</strong> 3.4.255.254</p>
<p><strong>Custom URI:</strong> 3.4.0.1-3.4.255.254,10.0.0.1-10.255.255.254</p></td>
<td align="left"><p>Specify the addresses for a valid IPv4 value range within your intranet.</p>
<p>If you are adding a single range, you can enter the starting and ending addresses into your management systems UI. If you want to add multiple addresses, we suggest creating a Custom URI, using the &quot;-&quot; delimiter between start and end of a range, and the &quot;,&quot; delimiter to separate ranges.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Enterprise IPv6 Range</p></td>
<td align="left"><p><strong>Starting IPv6 Address:</strong></p>
<p>2a01:110::</p>
<p><strong>Ending IPv6 Address:</strong> 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff</p>
<p><strong>Custom URI:</strong> 2a01:110::-2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff</p></td>
<td align="left"><p>Specify the addresses for a valid IPv6 value range within your intranet.</p>
<p>If you are adding a single range, you can enter the starting and ending addresses into your management systems UI. If you want to add multiple addresses, we suggest creating a Custom URI, using the &quot;-&quot; delimiter between start and end of a range, and the &quot;,&quot; delimiter to separate ranges.</p></td>
</tr>
</tbody>
</table> </table>
  ![Create Configuration Item wizard, specify the network locations that can be accessed by the protected apps](images/edp-sccm-primarydomain2.png)
![create configuration item wizard, specifying the network locations that can be accessed by the apps](images/edp-sccm-primarydomain2.png) 2. Add as many locations as you need, and then click **OK**.<p>
The **Add or Edit Enterprise Network Locations box** closes.
2. Add as many locations as you need, and then click **OK**.
The **Add or Edit Enterprise Network Locations box** closes.
3. In the **Use a data recovery certificate in case of data loss** box, click **Browse** to add a data recovery certificate for your policy.
Adding a data recovery certificate helps you to access locally-protected files on the device. For example, if an employee leaves the company and the IT department has to access EDP-protected data from a Windows 10 company computer. This can also help recover data in case an employee's device is accidentally revoked. For more info about how to find and export your data recovery certificate, see the[Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic.
## <a href="" id="optional-settings"></a>Choose your optional EDP-related settings
3. In the **Use a data recovery certificate in case of data loss** box, click **Browse** to add a data recovery certificate for your policy.<p>
Adding a data recovery certificate helps you to access locally-protected files on the device. For example, if an employee leaves the company and the IT department has to access EDP-protected data from a Windows 10 company computer. This can also help recover data in case an employee's device is accidentally revoked. For more info about how to find and export your data recovery certificate, see the[Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic.
## Choose your optional EDP-related settings
After you've decided where your protected apps can access enterprise data on your network, youll be asked to decide if you want to add any optional EDP settings. After you've decided where your protected apps can access enterprise data on your network, youll be asked to decide if you want to add any optional EDP settings.
**To add your optional settings** **To add your optional settings**
- Choose to set any or all of the optional EDP-related settings: - Choose to set any or all of the optional EDP-related settings:
- **Block the user from decrypting data that was created or edited by the apps configured above.** Clicking **No**, or leaving the setting blank, lets your employees right-click to decrypt their protected app data, along with the option to decrypt data in the **Save As** box and the **Save As** file picker . Clicking **Yes** removes the **Decrypt** option and saves all data for protected apps as enterprise-encrypted. - **Block the user from decrypting data that was created or edited by the apps configured above.** Clicking **No**, or leaving the setting blank, lets your employees right-click to decrypt their protected app data, along with the option to decrypt data in the **Save As** box and the **Save As** file picker . Clicking **Yes** removes the **Decrypt** option and saves all data for protected apps as enterprise-encrypted.
- **Protect app content when the device is in a locked state for the apps configured above.** Clicking **Yes** lets EDP help to secure protected app content when a mobile device is locked. We recommend turning this option on to help prevent data leaks from things such as email text that appears on the **Lock** screen of a Windows 10 Mobile phone. - **Protect app content when the device is in a locked state for the apps configured above.** Clicking **Yes** lets EDP help to secure protected app content when a mobile device is locked. We recommend turning this option on to help prevent data leaks from things such as email text that appears on the **Lock** screen of a Windows 10 Mobile phone.
![create configuration item wizard, choosing additional optional settings for enterprise data protection](images/edp-sccm-optsettings.png) ![Create Configuration Item wizard, choose additional optional settings for enterprise data protection](images/edp-sccm-optsettings.png)
## <a href="" id="summary-page"></a>Review your configuration choices in the Summary screen
## Review your configuration choices in the Summary screen
After you've finished configuring your policy, you can review all of your info on the **Summary** screen. After you've finished configuring your policy, you can review all of your info on the **Summary** screen.
**To view the Summary screen** **To view the Summary screen**
- Click the **Summary** button to review your policy choices, and then click **Next** to finish and to save your policy.<p>
A progress bar appears, showing you progress for your policy. After it's done, click **Close** to return to the **Configuration Items** page.
- Click the **Summary** button to review your policy choices, and then click **Next** to finish and to save your policy. ![Create Configuration Item wizard, review the Summary screen before creating the policy](images/edp-sccm-summaryscreen.png)
A progress bar appears, showing you progress for your policy. After it's done, click **Close** to return to the **Configuration Items** page.
![create configuration item wizard, reviewing the summary screen before creating the policy](images/edp-sccm-summaryscreen.png)
## <a href="" id="deploy-policy-sccm"></a>Deploy the EDP policy
## Deploy the EDP policy
After youve created your EDP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics: After youve created your EDP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics:
- [Operations and Maintenance for Compliance Settings in Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=708224)
[Operations and Maintenance for Compliance Settings in Configuration Manager](http://go.microsoft.com/fwlink/?LinkId=708224) - [How to Create Configuration Baselines for Compliance Settings in Configuration Manager]( http://go.microsoft.com/fwlink/p/?LinkId=708225)
- [How to Deploy Configuration Baselines in Configuration Manager]( http://go.microsoft.com/fwlink/p/?LinkId=708226)
[How to Create Configuration Baselines for Compliance Settings in Configuration Manager]( http://go.microsoft.com/fwlink/?LinkId=708225)
[How to Deploy Configuration Baselines in Configuration Manager]( http://go.microsoft.com/fwlink/?LinkId=708226)
## Next steps
Enrollment can be done for business or personal devices, allowing the devices to use your managed apps and to sync with your managed content and information.
## Related topics ## Related topics
- [System Center Configuration Manager and Endpoint Protection (Version 1511)](http://go.microsoft.com/fwlink/p/?LinkId=717372)
- [TechNet documentation for Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=691623)
[System Center Configuration Manager and Endpoint Protection (Version 1511)](http://go.microsoft.com/fwlink/?LinkId=717372) - [Manage mobile devices with Configuration Manager and Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=691624)
[TechNet documentation for Configuration Manager](http://go.microsoft.com/fwlink/?LinkId=691623)
[Manage mobile devices with Configuration Manager and Microsoft Intune](http://go.microsoft.com/fwlink/?LinkId=691624)
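Review bot: In the new Enterprise Cloud Domain description cell, the delimiter guidance no longer makes sense. It now reads 'Include the "|" delimiter just before the "|" if you dont use proxies', where the removed text said to include the "," delimiter just before the "|". The format example also changed from URL[,Proxy]|URL[,Proxy] to [URL,Proxy]|[URL,Proxy], which no longer shows that the proxy is the optional part. This field defines which cloud resources are treated as enterprise, so an admin following the new wording cannot build a valid list; please restore the "," wording and the original example. Smaller points in the same hunk: the new cells put Markdown bold (**Starting IPv4 Address:**, **Enterprise Internal Proxy Server**) and unclosed <p> tags inside raw <td> elements, which only renders if the toolchain processes Markdown inside HTML; 'see the[Data Recovery and Encrypting File System (EFS)]' is still missing a space before the link; and the rewritten links still carry a leading space inside the parentheses, as in ']( http://go.microsoft.com/fwlink/p/?LinkId=708225)'.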
   

View File

@ -1,38 +1,38 @@
--- ---
title: Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune (Windows 10) title: Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune (Windows 10)
description: After you've created and deployed your enterprise data protection (EDP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your EDP policy. description: After you've created and deployed your enterprise data protection (EDP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your EDP policy.
ms.assetid: D0EABA4F-6D7D-4AE4-8044-64680A40CF6B ms.assetid: d0eaba4f-6d7d-4ae4-8044-64680a40cf6b
keywords: ["EDP", "Enterprise Data Protection"] keywords: ["EDP", "Enterprise Data Protection"]
ms.prod: W10 ms.prod: W10
ms.mktglfcycl: explore ms.mktglfcycl: explore
ms.sitesec: library ms.sitesec: library
author: brianlic-msft author: eross-msft
--- ---
# Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune # Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune
**Applies to:** **Applies to:**
- Windows 10 Insider Preview - Windows 10 Insider Preview
- Windows 10 Mobile Preview - Windows 10 Mobile Preview
\[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.\] <span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.]</span>
After you've created and deployed your enterprise data protection (EDP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your EDP policy. After you've created and deployed your enterprise data protection (EDP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your EDP policy.
## Create your VPN policy using Microsoft Intune ## Create your VPN policy using Microsoft Intune
Follow these steps to create the VPN policy you want to use with EDP. Follow these steps to create the VPN policy you want to use with EDP.
**To create your VPN policy** **To create your VPN policy**
1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy**. 1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy**.
2. Go to **Windows**, click the **VPN Profile (Windows 10 Desktop and Mobile and later)**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.![microsoft intune: new policy creation screen](images/intune-vpn-createpolicy.png) 2. Go to **Windows**, click the **VPN Profile (Windows 10 Desktop and Mobile and later)**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.![microsoft intune: title and description for your policy](images/intune-vpn-titledescription.png) ![Microsoft Intune: Create a new policy using the New Policy screen](images/intune-vpn-createpolicy.png)
3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
![Microsoft Intune: Fill in the required Name and optional Description for your policy](images/intune-vpn-titledescription.png)
4. In the **VPN Settings** area, type the following info: 4. In the **VPN Settings** area, type the following info:
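Review bot: The pre-release notice is now wrapped in an inline <span style="color:#ED1C24;"> with a hard-coded color, and the same span is pasted into each topic this commit touches. If the publishing toolchain supports a shared include or a CSS class for this notice, use that, so the wording and styling can be changed in one place; otherwise the previous escaped-bracket plain-text form is easier to maintain. Note also that the brackets inside the span are no longer escaped, so check that the renderer does not try to read '[Some information ...]' as a link reference.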
@ -44,47 +44,44 @@ Follow these steps to create the VPN policy you want to use with EDP.
- **Server IP address or FQDN.** The server's IP address or fully-qualified domain name (FQDN). - **Server IP address or FQDN.** The server's IP address or fully-qualified domain name (FQDN).
![microsoft intune: vpn settings area of the new policy](images/intune-vpn-vpnsettings.png) ![Microsoft Intune: Fill in the VPN Settings area](images/intune-vpn-vpnsettings.png)
5. In the **Authentication** area, choose the authentication method that matches your VPN infrastructure, either **Username and Password** or **Certificates**. 5. In the **Authentication** area, choose the authentication method that matches your VPN infrastructure, either **Username and Password** or **Certificates**.<p>
It's your choice whether you check the box to **Remember the user credentials at each logon**.
It's your choice whether you check the box to **Remember the user credentials at each logon**. ![Microsoft Intune: Choose the Authentication Method for your VPN system](images/intune-vpn-authentication.png)
![microsoft intune: authentication method for your vpn system](images/intune-vpn-authentication.png)
6. You can leave the rest of the default or blank settings, and then click **Save Policy**. 6. You can leave the rest of the default or blank settings, and then click **Save Policy**.
## Deploy your VPN policy using Microsoft Intune ## Deploy your VPN policy using Microsoft Intune
After youve created your VPN policy, you'll need to deploy it to the same group you deployed your enterprise data protection (EDP) policy. After youve created your VPN policy, you'll need to deploy it to the same group you deployed your enterprise data protection (EDP) policy.
**To deploy your VPN policy** **To deploy your VPN policy**
1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button. 1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button.
2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**. 2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.<p>
The added people move to the **Selected Groups** list on the right-hand pane.
The added people move to the **Selected Groups** list on the right-hand pane. ![Microsoft Intune: Pick the group of employees that should get the policy](images/intune-deploy-vpn.png)
![microsoft intune, group selection for policy deployment](images/intune-deploy-vpn.png) 3. After you've picked all of the employees and groups that should get the policy, click **OK**.<p>
The policy is deployed to the selected users' devices.
3. After you've picked all of the employees and groups that should get the policy, click **OK**.
The policy is deployed to the selected users' devices.
## Link your EDP and VPN policies and deploy the custom configuration policy ## Link your EDP and VPN policies and deploy the custom configuration policy
The final step to making your VPN configuration work with EDP, is to link your two policies together. To do this, you must first create a custom configuration policy, setting it to use your **EdpModeID** setting, and then deploying the policy to the same group you deployed your EDP and VPN policies The final step to making your VPN configuration work with EDP, is to link your two policies together. To do this, you must first create a custom configuration policy, setting it to use your **EdpModeID** setting, and then deploying the policy to the same group you deployed your EDP and VPN policies
**To link your VPN policy** **To link your VPN policy**
1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy**. 1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy**.
2. Go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.![microsoft intune: new policy creation screen](images/intune-vpn-customconfig.png) 2. Go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.![microsoft intune: title and description for your policy](images/intune-vpn-edpmodeid.png) ![Microsoft Intune: Create a new policy from the New Policy screen](images/intune-vpn-customconfig.png)
3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
![Microsoft Intune: Fill in the required Name and optional Description for your policy](images/intune-vpn-edpmodeid.png)
4. In the **OMA-URI Settings** area, click **Add** to add your **EdpModeID** info. 4. In the **OMA-URI Settings** area, click **Add** to add your **EdpModeID** info.
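Review bot: Steps 5, 2 and 3 in this hunk now end with a bare <p> (for example '**Certificates**.<p>') to attach the follow-on sentence to the list item, and the tag is never closed. Indenting the continuation paragraph under its list item does the same thing in plain Markdown without depending on HTML passthrough. Two documentation points while this text is being touched: the unchanged sentence under 'Link your EDP and VPN policies' still ends '...deployed your EDP and VPN policies' with no period, and step 5 leaves **Remember the user credentials at each logon** as 'your choice' without saying when storing the credentials is appropriate, so a sentence of guidance there would help admins decide.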
@ -94,11 +91,11 @@ The final step to making your VPN configuration work with EDP, is to link your t
- **Data type.** Pick the **String** data type. - **Data type.** Pick the **String** data type.
- **OMA-URI.** Type ./Vendor/MSFT/VPNv2/*&lt;your\_edp\_policy\_name&gt;*/EdpModeId, replacing *&lt;your\_edp\_policy\_name&gt;* with the name you gave to your EDP policy. For example, ./Vendor/MSFT/VPNv2/W10-Checkpoint-VPN1/EdpModeId. - **OMA-URI.** Type `./Vendor/MSFT/VPNv2/<your_edp_policy_name>/EdpModeId`, replacing *&lt;your\_edp\_policy\_name&gt;* with the name you gave to your EDP policy. For example, `./Vendor/MSFT/VPNv2/W10-Checkpoint-VPN1/EdpModeId`.
- **Value.** Your fully-qualified domain that should be used by the OMA-URI setting. - **Value.** Your fully-qualified domain that should be used by the OMA-URI setting.
![microsoft intune: oma-uri settings area of the new policy](images/intune-vpn-omaurisettings.png) ![Microsoft Intune: Fill in the OMA-URI Settings for the EdpModeID setting](images/intune-vpn-omaurisettings.png)
6. Click **OK** to save your new OMA-URI setting, and then click **Save Policy.** 6. Click **OK** to save your new OMA-URI setting, and then click **Save Policy.**
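Review bot: In the rewritten OMA-URI bullet the placeholder and the example disagree. The text says to replace <your_edp_policy_name> with 'the name you gave to your EDP policy', but the node sits under ./Vendor/MSFT/VPNv2/ and the example value is W10-Checkpoint-VPN1, which reads as a VPN profile name. Please confirm which name belongs in that segment and rename the placeholder to match, since a wrong name here means the EdpModeId setting is never linked to the VPN policy. The code-formatted path uses a raw <your_edp_policy_name> while the same sentence still uses the escaped italic form *&lt;your\_edp\_policy\_name&gt;*; pick one. The setting is also spelled **EdpModeID** in step 4 and EdpModeId in the URI, and the **Value** bullet ('Your fully-qualified domain that should be used by the OMA-URI setting') does not say which domain is meant.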

View File

@ -1,23 +1,21 @@
--- ---
title: Deploy your enterprise data protection (EDP) policy using Microsoft Intune (Windows 10) title: Deploy your enterprise data protection (EDP) policy using Microsoft Intune (Windows 10)
description: After youve created your enterprise data protection (EDP) policy, you'll need to deploy it to your organization's enrolled devices. description: After youve created your enterprise data protection (EDP) policy, you'll need to deploy it to your organization's enrolled devices.
ms.assetid: 9C4A01E7-0B1C-4F15-95D0-0389F0686211 ms.assetid: 9c4a01e7-0b1c-4f15-95d0-0389f0686211
keywords: ["EDP", "Enterprise Data Protection"] keywords: ["EDP", "Enterprise Data Protection", "Intune"]
ms.prod: W10 ms.prod: W10
ms.mktglfcycl: explore ms.mktglfcycl: explore
ms.sitesec: library ms.sitesec: library
author: brianlic-msft author: eross-msft
--- ---
# Deploy your enterprise data protection (EDP) policy using Microsoft Intune # Deploy your enterprise data protection (EDP) policy using Microsoft Intune
**Applies to:** **Applies to:**
- Windows 10 Insider Preview - Windows 10 Insider Preview
- Windows 10 Mobile Preview - Windows 10 Mobile Preview
\[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.\] <span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.]</span>
After youve created your enterprise data protection (EDP) policy, you'll need to deploy it to your organization's enrolled devices. Enrollment can be done for business or personal devices, allowing the devices to use your managed apps and to sync with your managed content and information. After youve created your enterprise data protection (EDP) policy, you'll need to deploy it to your organization's enrolled devices. Enrollment can be done for business or personal devices, allowing the devices to use your managed apps and to sync with your managed content and information.
@ -25,24 +23,21 @@ After youve created your enterprise data protection (EDP) policy, you'll need
1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button. 1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button.
![microsoft intune configuration policies screen, showing the manage deployment link](images/intune-managedeployment.png) ![Microsoft Intune: Click the Manage Deployment link from the Configuration Policies screen](images/intune-managedeployment.png)
2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**. 2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.<p>
The added people move to the **Selected Groups** list on the right-hand pane.
The added people move to the **Selected Groups** list on the right-hand pane. ![Microsoft Intune: Pick the group of employees that should get the policy](images/intune-groupselection.png)
![microsoft intune, group selection for policy deployment](images/intune-groupselection.png) 3. After you've picked all of the employees and groups that should get the policy, click **OK**.<p>
The policy is deployed to the selected users' devices.
3. After you've picked all of the employees and groups that should get the policy, click **OK**.
The policy is deployed to the selected users' devices.
## Related topics ## Related topics
- [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md)
-[Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md)
[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) - [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md)
- [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md)
[General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md)
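Review bot: The new Related topics entry '-[Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md)' is missing the space after the dash, so it will not render as a list item like its neighbors. Change it to '- [Add multiple apps ...' to match the other three entries. The steps above also gain the same unclosed <p> at the end of steps 2 and 3; an indented continuation paragraph would avoid the raw HTML.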
   

View File

@ -1,7 +1,7 @@
--- ---
title: List of enlightened Microsoft apps for use with enterprise data protection (EDP) (Windows 10) title: List of enlightened Microsoft apps for use with enterprise data protection (EDP) (Windows 10)
description: Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your Protected Apps list. description: Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your Protected Apps list.
ms.assetid: 17C85EA3-9B66-4B80-B511-8F277CB4345F ms.assetid: 17c85ea3-9b66-4b80-b511-8f277cb4345f
keywords: ["EDP", "Enterprise Data Protection"] keywords: ["EDP", "Enterprise Data Protection"]
ms.prod: W10 ms.prod: W10
ms.mktglfcycl: explore ms.mktglfcycl: explore

View File

@ -1,51 +1,29 @@
--- ---
title: General guidance and best practices for enterprise data protection (EDP) (Windows 10) title: General guidance and best practices for enterprise data protection (EDP) (Windows 10)
description: This section includes info about the enlightened Microsoft apps, including how to add them to your Protected Apps list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with enterprise data protection (EDP). description: This section includes info about the enlightened Microsoft apps, including how to add them to your Protected Apps list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with enterprise data protection (EDP).
ms.assetid: AA94E733-53BE-49A7-938D-1660DEAF52B0 ms.assetid: aa94e733-53be-49a7-938d-1660deaf52b0
keywords: ["EDP", "Enterprise Data Protection"] keywords: ["EDP", "Enterprise Data Protection"]
ms.prod: W10 ms.prod: W10
ms.mktglfcycl: explore ms.mktglfcycl: explore
ms.sitesec: library ms.sitesec: library
author: brianlic-msft author: eross-msft
--- ---
# General guidance and best practices for enterprise data protection (EDP) # General guidance and best practices for enterprise data protection (EDP)
**Applies to:** **Applies to:**
- Windows 10 Insider Preview - Windows 10 Insider Preview
- Windows 10 Mobile Preview - Windows 10 Mobile Preview
\[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.\] <span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.]</span>
This section includes info about the enlightened Microsoft apps, including how to add them to your **Protected Apps** list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with enterprise data protection (EDP). This section includes info about the enlightened Microsoft apps, including how to add them to your **Protected Apps** list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with enterprise data protection (EDP).
## In this section ## In this section
|Topic |Description |
|------|------------|
<table> |[Enlightened apps for use with enterprise data protection (EDP)](enlightened-microsoft-apps-and-edp.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your **Protected Apps** list. |
<colgroup> |[Testing scenarios for enterprise data protection (EDP)](testing-scenarios-for-edp.md) |We've come up with a list of suggested testing scenarios that you can use to test EDP in your company. |
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Topic</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>[Enlightened apps for use with enterprise data protection (EDP)](enlightened-microsoft-apps-and-edp.md)</p></td>
<td align="left"><p>Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your <strong>Protected Apps</strong> list.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Testing scenarios for enterprise data protection (EDP)](testing-scenarios-for-edp.md)</p></td>
<td align="left"><p>We've come up with a list of suggested testing scenarios that you can use to test EDP in your company.</p></td>
</tr>
</tbody>
</table>
   

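Review bot: The pre-release notice on the new side is wrapped in `<span style="color:#ED1C24;">`, which hard-codes presentation into the topic source in the same change that replaces the raw HTML table with a Markdown one. A Markdown renderer that sanitizes inline `style` attributes will drop the colour silently, and the identical span is pasted into each EDP topic touched here, so the wording and styling can drift between files. Suggest keeping the notice as plain text (the escaped `\[` `\]` form on the old side) or as a **Note** paragraph, and letting the site stylesheet decide how it is highlighted.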
View File

@ -1,51 +1,28 @@
--- ---
title: Create an enterprise data protection (EDP) policy (Windows 10) title: Create an enterprise data protection (EDP) policy (Windows 10)
description: Microsoft Intune and System Center Configuration Manager (version 1511 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. description: Microsoft Intune and System Center Configuration Manager (version 1511 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
ms.assetid: D2059E74-94BD-4E54-AB59-1A7B9B52BDC6 ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6
ms.prod: W10 ms.prod: W10
ms.mktglfcycl: explore ms.mktglfcycl: explore
ms.sitesec: library ms.sitesec: library
author: brianlic-msft author: eross-msft
--- ---
# Create an enterprise data protection (EDP) policy # Create an enterprise data protection (EDP) policy
**Applies to:** **Applies to:**
- Windows 10 Insider Preview - Windows 10 Insider Preview
- Windows 10 Mobile Preview - Windows 10 Mobile Preview
\[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.\] <span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.]</span>
Microsoft Intune and System Center Configuration Manager (version 1511 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. Microsoft Intune and System Center Configuration Manager (version 1511 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
## In this section ## In this section
|Topic |Description |
|------|------------|
<table> |[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |Intune helps you create and deploy your EDP policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. |
<colgroup> |[Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |Configuration Manager (version 1511 or later) helps you create and deploy your EDP policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. |
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Topic</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md)</p></td>
<td align="left"><p>Intune helps you create and deploy your EDP policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md)</p></td>
<td align="left"><p>Configuration Manager (version 1511 or later) helps you create and deploy your EDP policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.</p></td>
</tr>
</tbody>
</table>
   
   

View File

@ -26,7 +26,7 @@ Youll need this software to run EDP in your enterprise:
|Operating system | Management solution | |Operating system | Management solution |
|-----------------|---------------------| |-----------------|---------------------|
|Windows 10 Insider Preview | Microsoft Intune<br>-OR-<br>System Center Configuration Manager (version 1511 or later)<br>-OR-<br>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [Custom URI - Policy CSP](http://go.microsoft.com/fwlink/?LinkID=733963) documentation.| |Windows 10 Insider Preview | Microsoft Intune<br>-OR-<br>System Center Configuration Manager (version 1511 or later)<br>-OR-<br>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [Custom URI - Policy CSP](http://go.microsoft.com/fwlink/p/?LinkID=733963) documentation.|
## How EDP works ## How EDP works
EDP helps address your everyday challenges in the enterprise. Including: EDP helps address your everyday challenges in the enterprise. Including:
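Review bot: The Custom URI - Policy CSP link on the changed table row is still plain `http://` after its path is edited to `/fwlink/p/`. Since the URL is being touched anyway, change the scheme to `https://` so the redirect to the policy documentation is not requested in the clear.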

View File

@ -1,167 +1,40 @@
--- ---
title: Testing scenarios for enterprise data protection (EDP) (Windows 10) title: Testing scenarios for enterprise data protection (EDP) (Windows 10)
description: We've come up with a list of suggested testing scenarios that you can use to test enterprise data protection (EDP) in your company. description: We've come up with a list of suggested testing scenarios that you can use to test enterprise data protection (EDP) in your company.
ms.assetid: 53DB29D2-D99D-4DB6-B494-90E2B3962CA2 ms.assetid: 53db29d2-d99d-4db6-b494-90e2b3962ca2
author: brianlic-msft keywords: ["EDP", "Enterprise Data Protection"]
ms.prod: W10
ms.mktglfcycl: explore
ms.sitesec: library
author: eross-msft
--- ---
# Testing scenarios for enterprise data protection (EDP) # Testing scenarios for enterprise data protection (EDP)
**Applies to:** **Applies to:**
- Windows 10 Insider Preview - Windows 10 Insider Preview
- Windows 10 Mobile Preview - Windows 10 Mobile Preview
\[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.\] <span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.]</span>
We've come up with a list of suggested testing scenarios that you can use to test enterprise data protection (EDP) in your company. We've come up with a list of suggested testing scenarios that you can use to test enterprise data protection (EDP) in your company.
## Testing scenarios ## Testing scenarios
You can try any of the processes included in these scenarios, but you should focus on the ones that you might encounter in your organization. You can try any of the processes included in these scenarios, but you should focus on the ones that you might encounter in your organization.
<table> |Scenario |Processes |
<colgroup> |---------|----------|
<col width="33%" /> |Automatically encrypt files from enterprise apps |<ol><li>Start an unmodified (for example, EDP-unaware) line-of-business app that's on your **Protected Apps** list and then create, edit, write, and save files.</li><li>Make sure that all of the files you worked with from the EDP-unaware app are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.</li><li>Open File Explorer and make sure your modified files are appearing with a **Lock** icon.<p>**Note**<br>Some file types, like .exe and .dll, along with some file paths, like `%windir%` and `%programfiles%`, are excluded from automatic encryption.</li></ol> |
<col width="33%" /> |Block enterprise data from non-enterprise apps |<ol><li>Start an app that doesn't appear on your **Protected Apps** list, and then try to open an enterprise-encrypted file.<p>The app shouldn't be able to access the file.</li><li>Try double-clicking or tapping on the enterprise-encrypted file.<p>If your default app association is an app not your **Protected Apps** list, you should get an **Access Denied** error message.</li></ol> |
<col width="33%" /> |Copy and paste from enterprise apps to non-enterprise apps |<ol><li>Copy (CTRL+C) content from an app on your **Protected Apps** list, and then try to paste (CTRL+V) the content into an app that doesn't appear on your **Protected Apps** list.<p>You should see an EDP-related warning box, asking you to click either **Got it** or **Cancel**.</li><li>Click **Cancel**.<p>The content isn't pasted into the non-enterprise app.</li><li>Repeat Step 1, but this time click **Got it**, and try to paste the content again.<p>The content is pasted into the non-enterprise app.</li><li>Try copying and pasting content between apps on your **Protected Apps** list.<p>The content should copy and paste between apps without any warning messages.</li></ol> |
</colgroup> |Drag and drop from enterprise apps to non-enterprise apps |<ol><li>Drag content from an app on your **Protected Apps** list, and then try to drop the content into an app that doesn't appear on your **Protected Apps** list.<p>You should see an EDP-related warning box, asking you to click either **Drag Anyway** or **Cancel**.</li><li>Click **Cancel**.<p>The content isn't dropped into the non-enterprise app.</li><li>Repeat Step 1, but this time click **Drag Anyway**, and try to drop the content again.<p>The content is dropped into the non-enterprise app.</li><li>Try dragging and dropping content between apps on your **Protected Apps** list.<p>The content should move between the apps without any warning messages.</li></ol> |
<thead> |Share between enterprise apps and non-enterprise apps |<ol><li>Open an app on your **Protected Apps** list, like Microsoft Photos, and try to share content with an app that doesn't appear on your **Protected Apps** list, like Facebook.<p>You should see an EDP-related warning box, asking you to click either **Share Anyway** or **Cancel**.</li><li>Click **Cancel**.<p>The content isn't shared into Facebook.</li><li>Repeat Step 1, but this time click **Share Anyway**, and try to share the content again.<p>The content is shared into Facebook.</li><li>Try sharing content between apps on your **Protected Apps** list.<p>The content should share between the apps without any warning messages.</li></ol> |
<tr class="header"> |Use the **Encrypt to** functionality |<ol><li>Open File Explorer on the desktop, right-click a decrypted file, and then click **Encrypt to** from the **Encrypt to** menu.<p>EDP should encrypt the file to your Enterprise Identity.</li><li>Make sure that the newly encrypted file has a **Lock** icon.</li><li>In the **Encrypted to** column of File Explorer on the desktop, look for the enterprise ID value.</li><li>Right-click the encrypted file, and then click **Not encrypted** from the **Encrypt to** menu.<p>The file should be decrypted and the **Lock** icon should disappear.</li></ol> |
<th align="left">Scenario</th> |Verify that Windows system components can use EDP |<ol><li>Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps.</li><li>Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.</li><li>Open File Explorer and make sure your modified files are appearing with a **Lock** icon</li><li>Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the **Protected Apps** list.<p>**Note**<br>Most Windows-signed components like Windows Explorer (when running in the users context), should have access to enterprise data.<p>A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your **Protected Apps** list.</li></ol> |
<th align="left">Processes</th> |Use EDP on FAT/exFAT systems |<ol><li>Start an app that uses the FAT or exFAT file system and appears on your **Protected Apps** list.</li><li>Create, edit, write, save, and move files.<p>Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files.</li><li>Try copying and moving files or folders between apps that use NTFS, FAT and exFAT file systems.</li></ol> |
<th align="left">Notes</th> |Use EDP on NTFS systems |<ol><li>Start an app that uses the NTFS file system and appears on your **Protected Apps** list.</li><li>Create, edit, write, save, and move files.<p>Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files.</li><li>Try copying and moving files or folders between apps that use NTFS, FAT and exFAT file systems.</li></ol> |
</tr> |Unenroll client devices from EDP |<ul><li>Unenroll a device from EDP by going to **Settings**, click **Accounts**, click **Work**, click the name of the device you want to unenroll, and then click **Remove**.<p>The device should be removed and all of the enterprise content for that managed account should be gone.<p>**Important**<br>Unenrolling a device revokes and erases all of the enterprise data for the managed account.</li></ul> |
</thead> |Verify that app content is protected when a Windows 10 Mobile phone is locked |<ul><li>Check that protected app data doesn't appear on the **Lock** screen of a Windows 10 Mobile phone</li></ul> |
<tbody>
<tr class="odd">
<td align="left"><p>Automatically encrypt files from enterprise apps</p></td>
<td align="left"><ol>
<li><p>Start an unmodified (for example, EDP-unaware) line-of-business app that's on your <strong>Protected Apps</strong> list and then create, edit, write, and save files.</p></li>
<li><p>Make sure that all of the files you worked with from the EDP-unaware app are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.</p></li>
<li><p>Open File Explorer and make sure your modified files are appearing with a <strong>Lock</strong> icon.</p></li>
</ol></td>
<td align="left"><p>Be aware that some file types, like .exe and .dll, along with some file paths, like <code>%windir%</code> and <code>%programfiles%</code>, are excluded from automatic encryption.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Block enterprise data from non-enterprise apps</p></td>
<td align="left"><ol>
<li><p>Start an app that doesn't appear on your <strong>Protected Apps</strong> list, and then try to open an enterprise-encrypted file.</p>
<p>The app shouldn't be able to access the file.</p></li>
<li><p>Try double-clicking or tapping on the enterprise-encrypted file.</p>
<p>If your default app association is an app not your <strong>Protected Apps</strong> list, you should get an <strong>Access Denied</strong> error message.</p></li>
</ol></td>
<td align="left"></td>
</tr>
<tr class="odd">
<td align="left"><p>Copy and paste from enterprise apps to non-enterprise apps</p></td>
<td align="left"><ol>
<li><p>Copy (CTRL+C) content from an app on your <strong>Protected Apps</strong> list, and then try to paste (CTRL+V) the content into an app that doesn't appear on your <strong>Protected Apps</strong> list.</p>
<p>You should see an EDP-related warning box, asking you to click either <strong>Got it</strong> or <strong>Cancel</strong>.</p></li>
<li><p>Click <strong>Cancel</strong>.</p>
<p>The content isn't pasted into the non-enterprise app.</p></li>
<li><p>Repeat Step 1, but this time click <strong>Got it</strong>, and try to paste the content again.</p>
<p>The content is pasted into the non-enterprise app.</p></li>
<li><p>Try copying and pasting content between apps on your <strong>Protected Apps</strong> list.</p>
<p>The content should copy and paste between apps without any warning messages.</p></li>
</ol></td>
<td align="left"></td>
</tr>
<tr class="even">
<td align="left"><p>Drag and drop from enterprise apps to non-enterprise apps</p></td>
<td align="left"><ol>
<li><p>Drag content from an app on your <strong>Protected Apps</strong> list, and then try to drop the content into an app that doesn't appear on your <strong>Protected Apps</strong> list.</p>
<p>You should see an EDP-related warning box, asking you to click either <strong>Drag Anyway</strong> or <strong>Cancel</strong>.</p></li>
<li><p>Click <strong>Cancel</strong>.</p>
<p>The content isn't dropped into the non-enterprise app.</p></li>
<li><p>Repeat Step 1, but this time click <strong>Drag Anyway</strong>, and try to drop the content again.</p>
<p>The content is dropped into the non-enterprise app.</p></li>
<li><p>Try dragging and dropping content between apps on your <strong>Protected Apps</strong> list.</p>
<p>The content should move between the apps without any warning messages.</p></li>
</ol></td>
<td align="left"></td>
</tr>
<tr class="odd">
<td align="left"><p>Share between enterprise apps and non-enterprise apps</p></td>
<td align="left"><ol>
<li><p>Open an app on your <strong>Protected Apps</strong> list, like Microsoft Photos, and try to share content with an app that doesn't appear on your <strong>Protected Apps</strong> list, like Facebook.</p>
<p>You should see an EDP-related warning box, asking you to click either <strong>Share Anyway</strong> or <strong>Cancel</strong>.</p></li>
<li><p>Click <strong>Cancel</strong>.</p>
<p>The content isn't shared into Facebook.</p></li>
<li><p>Repeat Step 1, but this time click <strong>Share Anyway</strong>, and try to share the content again.</p>
<p>The content is shared into Facebook.</p></li>
<li><p>Try sharing content between apps on your <strong>Protected Apps</strong> list.</p>
<p>The content should share between the apps without any warning messages.</p></li>
</ol></td>
<td align="left"></td>
</tr>
<tr class="even">
<td align="left"><p>Use the <strong>Encrypt to</strong> functionality</p></td>
<td align="left"><ol>
<li><p>Open File Explorer on the desktop, right-click a decrypted file, and then click <strong>Encrypt to</strong> from the <strong>Encrypt to</strong> menu.</p>
<p>EDP should encrypt the file to your Enterprise Identity.</p></li>
<li><p>Make sure that the newly encrypted file has a <strong>Lock</strong> icon.</p></li>
<li><p>In the <strong>Encrypted to</strong> column of File Explorer on the desktop, look for the enterprise ID value.</p></li>
<li><p>Right-click the encrypted file, and then click <strong>Not encrypted</strong> from the <strong>Encrypt to</strong> menu.</p>
<p>The file should be decrypted and the <strong>Lock</strong> icon should disappear.</p></li>
</ol></td>
<td align="left"></td>
</tr>
<tr class="odd">
<td align="left"><p>Verify that Windows system components can use EDP</p></td>
<td align="left"><ol>
<li><p>Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps.</p></li>
<li><p>Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.</p></li>
<li><p>Open File Explorer and make sure your modified files are appearing with a <strong>Lock</strong> icon</p></li>
<li><p>Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the <strong>Protected Apps</strong> list.</p></li>
</ol></td>
<td align="left"><p>Most Windows-signed components like Windows Explorer (when running in the users context), should have access to enterprise data.</p>
<p>A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your <strong>Protected Apps</strong> list.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Use EDP on FAT/exFAT systems</p></td>
<td align="left"><ol>
<li><p>Start an app that uses the FAT or exFAT file system and appears on your <strong>Protected Apps</strong> list.</p></li>
<li><p>Create, edit, write, save, and move files.</p>
<p>Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files.</p></li>
<li><p>Try copying and moving files or folders between apps that use NTFS, FAT and exFAT file systems.</p></li>
</ol></td>
<td align="left"></td>
</tr>
<tr class="odd">
<td align="left"><p>Use EDP on NTFS systems</p></td>
<td align="left"><ol>
<li><p>Start an app that uses the NTFS file system and appears on your <strong>Protected Apps</strong> list.</p></li>
<li><p>Create, edit, write, save, and move files.</p>
<p>Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files.</p></li>
<li><p>Try copying and moving files or folders between apps that use NTFS, FAT and exFAT file systems.</p></li>
</ol></td>
<td align="left"><p>Please pay attention and report any performance issues or slow-downs on the NTFS file system.</p>
<p>Currently, EFS Performance Optimizations are only enabled on NTFS.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Unenroll client devices from EDP</p></td>
<td align="left"><ul>
<li><p>Unenroll a device from EDP by going to <strong>Settings</strong> (which settings menu?), click <strong>Accounts</strong>, click <strong>Work</strong>, click the name of the device (or name of the person?) you want to unenroll, and then click <strong>Remove</strong> .</p>
<p>The device should be removed and all of the enterprise content for that managed account should be gone.</p></li>
</ul></td>
<td align="left"><p><strong>WARNING</strong></p>
<p>Unenrolling a device revokes and erases all of the enterprise data for the managed account.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Verify that app content is protected when a Windows 10 Mobile phone is locked (also known as, Data Protection under Lock (DPL))</p></td>
<td align="left"><p>Check that protected app data doesn't appear on the <strong>Lock</strong> screen of a Windows 10 Mobile phone.</p></td>
<td align="left"><p><strong>Additional requirements to run DPL:</strong></p>
<ul>
<li><p>Device needs to be running TPM 2.0.</p></li>
<li><p>Employee setup PIN for the device. You'll need to also setup a policy to require the PIN when you turn on DPL.</p></li>
<li><p>At least one piece of encrypted enterprise content. This is because DPL keys are created during the first attempt to protect a file. Before that, nothing will happen, since there's no enterprise content to protect.</p></li>
</ul></td>
</tr>
</tbody>
</table>
   

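Review bot: Collapsing the three-column table into two columns drops content from the old Notes column for two rows. "Use EDP on NTFS systems" loses the request to report slow-downs and the statement that EFS Performance Optimizations are only enabled on NTFS, and the Windows 10 Mobile lock-screen row loses the whole "Additional requirements to run DPL" list (TPM 2.0, an employee PIN with a policy requiring it, at least one piece of encrypted enterprise content) along with the DPL name. The other rows had their notes folded into the Processes cell as **Note** or **Important** paragraphs, so these two look like an oversight; without the prerequisites, a tester running the lock-screen scenario has no way to know why nothing happens. Carry both notes across the same way, or state in the commit message that they were removed on purpose. Smaller points in the new cells: `<p>` is opened inside `<li>` and never closed, and the carried-over sentence "an app not your **Protected Apps** list" is missing "on".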
View File

@ -1,13 +1,11 @@
--- ---
title: Cortana integration in your business or enterprise (Windows 10) title: Cortana integration in your business or enterprise (Windows 10)
description: The worlds first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments. description: The worlds first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments.
ms.assetid: DB7B05DA-186F-4628-806A-F8B134E2AF2C ms.assetid: db7b05da-186f-4628-806a-f8b134e2af2c
author: eross-msft author: eross-msft
--- ---
# Cortana integration in your business or enterprise # Cortana integration in your business or enterprise
**Applies to:** **Applies to:**
- Windows 10 - Windows 10
@ -15,9 +13,7 @@ author: eross-msft
The worlds first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments. The worlds first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments.
## <a href="" id="cortana-integration-with-o365"></a>Cortana integration with Office 365 ## Cortana integration with Office 365
Cortana in Windows 10 is already great at letting your employees quickly see what the day is going to look like, see where and when their meetings are going to be, get a sense of travel times to and from work, and even get updates from a calendar for upcoming trips. Cortana in Windows 10 is already great at letting your employees quickly see what the day is going to look like, see where and when their meetings are going to be, get a sense of travel times to and from work, and even get updates from a calendar for upcoming trips.
But Cortana works even harder when she connects to Office 365, helping employees prepare for meetings, learn about co-workers, and receive reminders about where they need to be so they wont be late. But Cortana works even harder when she connects to Office 365, helping employees prepare for meetings, learn about co-workers, and receive reminders about where they need to be so they wont be late.
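Review bot: Removing `<a href="" id="cortana-integration-with-o365"></a>` from the heading deletes the explicit fragment id, and a slug generated from the heading text "Cortana integration with Office 365" would normally not come out as `cortana-integration-with-o365`, so existing links to that anchor stop resolving. The same applies to `cortana-and-bi-power` and `set-up-cortana-using-gp-and-mdm` in the later hunks of this file. Search the repo for `#` links to these three ids before merging, and either update them or keep the explicit anchors.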
@ -28,9 +24,7 @@ But Cortana works even harder when she connects to Office 365, helping employees
- For a quick review of the frequently asked questions about Cortana and Office 365 integration, see the blog post, [An early look at Cortana integration with Office 365](http://go.microsoft.com/fwlink/p/?LinkId=717379). - For a quick review of the frequently asked questions about Cortana and Office 365 integration, see the blog post, [An early look at Cortana integration with Office 365](http://go.microsoft.com/fwlink/p/?LinkId=717379).
## <a href="" id="cortana-and-bi-power"></a>Cortana and Power BI ## Cortana and Power BI
Integration between Cortana and Power BI shows how Cortana can work with custom business analytics solutions to enable you to get answers directly from your key business data, including introducing new features that let you create custom Cortana answers using the full capabilities of Power BI Desktop. Integration between Cortana and Power BI shows how Cortana can work with custom business analytics solutions to enable you to get answers directly from your key business data, including introducing new features that let you create custom Cortana answers using the full capabilities of Power BI Desktop.
**More info:** **More info:**
@ -38,146 +32,36 @@ Integration between Cortana and Power BI shows how Cortana can work with custom
- For specific info about how to start using Power BI and Cortana integration, how to customize your data results, and how to use the “Hey Cortana” functionality, see the [Power BI: Announcing Power BI integration with Cortana and new ways to quickly find insights in your data](http://go.microsoft.com/fwlink/p/?LinkId=717382) blog. - For specific info about how to start using Power BI and Cortana integration, how to customize your data results, and how to use the “Hey Cortana” functionality, see the [Power BI: Announcing Power BI integration with Cortana and new ways to quickly find insights in your data](http://go.microsoft.com/fwlink/p/?LinkId=717382) blog.
## Cortana and Microsoft Dynamics CRM ## Cortana and Microsoft Dynamics CRM
Cortana integration is a Preview feature that's available for your test or dev environment, starting with the CRM Online 2016 Update. If you decide to use this Preview feature, you'll need to turn in on and accept the license terms. After that, salespeople will get proactive insights from Cortana on important CRM activities, including sales leads, accounts, and opportunities; presenting the most relevant info at any given time. Cortana integration is a Preview feature that's available for your test or dev environment, starting with the CRM Online 2016 Update. If you decide to use this Preview feature, you'll need to turn in on and accept the license terms. After that, salespeople will get proactive insights from Cortana on important CRM activities, including sales leads, accounts, and opportunities; presenting the most relevant info at any given time.
**More info:** **More info:**
- For more info about Preview features, see [What are Preview features and how do I enable them?](http://go.microsoft.com/fwlink/p/?LinkId=746817). - For more info about Preview features, see [What are Preview features and how do I enable them?](http://go.microsoft.com/fwlink/p/?LinkId=746817).
- For more info about Cortana, see [What is Cortana?](http://go.microsoft.com/fwlink/p/?LinkId=746818). - For more info about Cortana, see [What is Cortana?](http://go.microsoft.com/fwlink/p/?LinkId=746818).
- For more info about CRM integration, how to turn on Cortana, and how to provide feedback, see [Preview feature: Set up Cortana integration](http://go.microsoft.com/fwlink/p/?LinkId=746819).
- For more info about CRM integration, how to turn on Cortana, and how to provide feedback, see [Preview feature: Set up Cortana integration](http://go.microsoft.com/fwlink/?LinkId=746819).
## Cortana and privacy ## Cortana and privacy
We understand that there are concerns about Cortana and enterprise privacy, so weve put together the [Cortana, Search, and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=717383) topic that covers many of the frequently asked questions. These questions include things such as what info is collected by Cortana, where the info is saved, how to manage what data is collected, how to turn Cortana off, how to opt completely out of data collection, and what info is shared with other Microsoft apps and services. We understand that there are concerns about Cortana and enterprise privacy, so weve put together the [Cortana, Search, and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=717383) topic that covers many of the frequently asked questions. These questions include things such as what info is collected by Cortana, where the info is saved, how to manage what data is collected, how to turn Cortana off, how to opt completely out of data collection, and what info is shared with other Microsoft apps and services.
## <a href="" id="set-up-cortana-using-gp-and-mdm"></a>Set up Cortana using Group Policy and MDM policies ## Set up Cortana using Group Policy and MDM policies
Set up and manage Cortana by using the following Group Policy and mobile device management (MDM) policies. Set up and manage Cortana by using the following Group Policy and mobile device management (MDM) policies.
<table> |Group policy |MDM policy |Description |
<colgroup> |-------------|-----------|------------|
<col width="33%" /> |Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana |Experience/AllowCortana |Specifies whether employees can use Cortana.<p>**Note**<br>Employees can still perform searches even with Cortana turned off. |
<col width="33%" /> |Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow input personalization |Privacy/AllowInput Personalization |Specifies whether to turn on automatic learning, which allows the collection of speech and handwriting patterns, typing history, contacts, and recent calendar information. It is required for the use of Cortana.<p>**Important**<br>Cortana wont work if this setting is turned off (disabled). |
<col width="33%" /> |None |System/AllowLocation |Specifies whether to allow app access to the Location service. |
</colgroup> |Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results |None |Specifies whether search can perform queries on the web and if the web results are displayed in search.<p>**Important**<br>Cortana wont work if this setting is turned off (disabled). |
<thead> |Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location |Search/AllowSearchToUse Location |Specifies whether search and Cortana can provide location aware search and Cortana results.<p>**Important**<br>Cortana wont work if this setting is turned off (disabled). |
<tr class="header"> |Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search |Search/SafeSearch Permissions |Specifies what level of safe search (filtering adult content) is required.<p>**Note**<br>This setting only applies to Windows 10 Mobile. |
<th align="left">Group Policy</th> |User Configuration\Administrative Templates\Windows Components\File Explorer\Turn off display of recent search entries in the File Explorer search box |None |Specifies whether the search box can suggest recent queries and prevent entries from being stored in the registry for future reference.<p>**Important**<br>Cortana wont work if this setting is turned off (disabled). |
<th align="left">MDM policy</th> |User Configuration\Administrative Templates\Start Menu and Taskbar\Do not search communications |None |Specifies whether the Start menu search box searches communications.<p>**Important**<br>Cortana wont work if this setting is turned off (disabled). |
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana</p></td>
<td align="left"><p>Experience/AllowCortana</p></td>
<td align="left"><p>Specifies whether employees can use Cortana.</p>
<div class="alert">
<strong>Note</strong>  
<p>Employees can still perform searches even with Cortana turned off.</p>
</div>
<div>
 
</div></td>
</tr>
<tr class="even">
<td align="left"><p>Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow input personalization</p></td>
<td align="left"><p>Privacy/AllowInput Personalization</p></td>
<td align="left"><p>Specifies whether to turn on automatic learning, which allows the collection of speech and handwriting patterns, typing history, contacts, and recent calendar information. It is required for the use of Cortana.</p>
<div class="alert">
<strong>Important</strong>  
<p>Cortana wont work if this setting is turned off (disabled).</p>
</div>
<div>
 
</div></td>
</tr>
<tr class="odd">
<td align="left"><p>None</p></td>
<td align="left"><p>System/AllowLocation</p></td>
<td align="left"><p>Specifies whether to allow app access to the Location service.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results</p></td>
<td align="left"><p>None</p></td>
<td align="left"><p>Specifies whether search can perform queries on the web and if the web results are displayed in search.</p>
<div class="alert">
<strong>Important</strong>  
<p>Cortana wont work if this setting is turned off (disabled).</p>
</div>
<div>
 
</div></td>
</tr>
<tr class="odd">
<td align="left"><p>Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location</p></td>
<td align="left"><p>Search/AllowSearchToUse Location</p></td>
<td align="left"><p>Specifies whether search and Cortana can provide location aware search and Cortana results.</p>
<div class="alert">
<strong>Important</strong>  
<p>Cortana wont work if this setting is turned off (disabled).</p>
</div>
<div>
 
</div></td>
</tr>
<tr class="even">
<td align="left"><p>Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search</p></td>
<td align="left"><p>Search/SafeSearch Permissions</p></td>
<td align="left"><p>Specifies what level of safe search (filtering adult content) is required.</p>
<div class="alert">
<strong>Note</strong>  
<p>This setting only applies to Windows 10 Mobile.</p>
</div>
<div>
 
</div></td>
</tr>
<tr class="odd">
<td align="left"><p>User Configuration\Administrative Templates\Windows Components\File Explorer\Turn off display of recent search entries in the File Explorer search box</p></td>
<td align="left"><p>None</p></td>
<td align="left"><p>Specifies whether the search box can suggest recent queries and prevent entries from being stored in the registry for future reference.</p>
<div class="alert">
<strong>Important</strong>  
<p>Cortana wont work if this setting is turned off (disabled).</p>
</div>
<div>
 
</div></td>
</tr>
<tr class="even">
<td align="left"><p>User Configuration\Administrative Templates\Start Menu and Taskbar\Do not search communications</p></td>
<td align="left"><p>None</p></td>
<td align="left"><p>Specifies whether the Start menu search box searches communications.</p>
<div class="alert">
<strong>Important</strong>  
<p>Cortana wont work if this setting is turned off (disabled).</p>
</div>
<div>
 
</div></td>
</tr>
</tbody>
</table>
 
**More info:** **More info:**
- For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](http://go.microsoft.com/fwlink/p/?LinkId=717380) topic, located in the configuration service provider reference topics. For specific info about how to set, manage, and use each of these Group Policies to configure Cortana in your enterprise, see the [Group Policy TechCenter](http://go.microsoft.com/fwlink/p/?LinkId=717381). - For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](http://go.microsoft.com/fwlink/p/?LinkId=717380) topic, located in the configuration service provider reference topics. For specific info about how to set, manage, and use each of these Group Policies to configure Cortana in your enterprise, see the [Group Policy TechCenter](http://go.microsoft.com/fwlink/p/?LinkId=717381).
## Related topics ## Related topics
- [Cortana and Windows](http://go.microsoft.com/fwlink/p/?LinkId=717384)
- [Cortana for developers](http://go.microsoft.com/fwlink/p/?LinkId=717385)
[Cortana and Windows](http://go.microsoft.com/fwlink/p/?LinkId=717384)
[Cortana for developers](http://go.microsoft.com/fwlink/p/?LinkId=717385)
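Review bot: In the new Markdown table, three MDM policy names have a space in the middle of the identifier: `Privacy/AllowInput Personalization`, `Search/AllowSearchToUse Location` and `Search/SafeSearch Permissions`. The removed HTML cells have the same break, so it looks like an old wrapping artifact that the conversion carried over. An admin who copies one of these into an MDM profile gets a policy path that will not match the real setting, so the privacy control they meant to set does not take effect. Please check the three names against the Policy CSP reference and remove the space. Smaller points in the same hunk: each note cell opens a `<p>` that is never closed and puts Markdown bold inside it (`<p>**Note**<br>`), which some renderers show literally; dropping `id="set-up-cortana-using-gp-and-mdm"` from the heading breaks existing deep links to that fragment unless the generated heading id happens to match; and the CRM link changes from `fwlink/p/?LinkId=746819` to `fwlink/?LinkId=746819` while every other link keeps the `/p/` form. Is that last change intentional?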
   

View File

@ -1,7 +1,7 @@
--- ---
title: Manage Wi-Fi Sense in your company (Windows 10) title: Manage Wi-Fi Sense in your company (Windows 10)
description: Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. description: Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places.
ms.assetid: 1845E00D-C4EE-4A8F-A5E5-D00F2735A271 ms.assetid: 1845e00d-c4ee-4a8f-a5e5-d00f2735a271
keywords: ["WiFi Sense", "Shared networks"] keywords: ["WiFi Sense", "Shared networks"]
ms.prod: W10 ms.prod: W10
ms.mktglfcycl: manage ms.mktglfcycl: manage
@ -10,8 +10,6 @@ author: eross-msft
--- ---
# Manage Wi-Fi Sense in your company # Manage Wi-Fi Sense in your company
**Applies to:** **Applies to:**
- Windows 10 - Windows 10
@ -20,107 +18,80 @@ author: eross-msft
Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense. Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense.
The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10. The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10.
<p>**Note**<br>Wi-Fi Sense isnt available in all countries or regions.
**Note**   ## How does Wi-Fi Sense work?
Wi-Fi Sense isnt available in all countries or regions.
 
## <a href="" id="how-does-wifi-sense-work"></a>How does Wi-Fi Sense work?
Wi-Fi Sense connects your employees to the available Wi-Fi networks, including: Wi-Fi Sense connects your employees to the available Wi-Fi networks, including:
- **Open Wi-Fi networks.** Wi-Fi Sense uses crowdsourcing to find the networks that other Windows users are connected to. Typically, these are the open (no password required) Wi-Fi hotspots you see when youre out and about. - **Open Wi-Fi networks.** Wi-Fi Sense uses crowdsourcing to find the networks that other Windows users are connected to. Typically, these are the open (no password required) Wi-Fi hotspots you see when youre out and about.
- **Shared Wi-Fi networks.** Wi-Fi Sense uses the Wi-Fi networks that your employee shares with Facebook friends, Outlook.com contacts, or Skype contacts. Sharing doesnt happen automatically; an employee must connect to a network, enter the network password, and then choose the **Share network with my contacts** box before the network is shared. - **Shared Wi-Fi networks.** Wi-Fi Sense uses the Wi-Fi networks that your employee shares with Facebook friends, Outlook.com contacts, or Skype contacts. Sharing doesnt happen automatically; an employee must connect to a network, enter the network password, and then choose the **Share network with my contacts** box before the network is shared.
**Important**   **Important**<br>Wi-Fi Sense lets your employees share your network access with their contacts, without telling their contacts the actual network password. Should the contact want to share your network with another contact, he or she would have to share the network directly, by providing the password and clicking to share the network.
Wi-Fi Sense lets your employees share your network access with their contacts, without telling their contacts the actual network password. Should the contact want to share your network with another contact, he or she would have to share the network directly, by providing the password and clicking to share the network.
Employees can't share network info with their contacts for any company network using the IEEE 802.1X protocol. Employees can't share network info with their contacts for any company network using the IEEE 802.1X protocol.
  ## How to manage Wi-Fi Sense in your company
## <a href="" id="how-to-manage-wifi-sense-in-your-company"></a>How to manage Wi-Fi Sense in your company
In a company environment, you will most likely deploy Windows 10 to your employees' PCs using your preferred deployment method and then manage their settings globally. With that in mind, you have a few options for managing how your employees will use Wi-Fi Sense. In a company environment, you will most likely deploy Windows 10 to your employees' PCs using your preferred deployment method and then manage their settings globally. With that in mind, you have a few options for managing how your employees will use Wi-Fi Sense.
<p>**Important**<br>Turning off Wi-Fi Sense also turns off all related features, including: connecting automatically to open hotspots, connecting automatically to networks shared by contacts, and sharing networks with contacts.
**Important**  
Turning off Wi-Fi Sense also turns off all related features, including: connecting automatically to open hotspots, connecting automatically to networks shared by contacts, and sharing networks with contacts.
 
### Using Group Policy (available starting with Windows 10, version 1511) ### Using Group Policy (available starting with Windows 10, version 1511)
You can manage your Wi-Fi Sense settings by using Group Policy and your Group Policy editor. You can manage your Wi-Fi Sense settings by using Group Policy and your Group Policy editor.
**To set up Wi-Fi Sense using Group Policy** **To set up Wi-Fi Sense using Group Policy**
1. Open your Group Policy editor and go to the **Computer Configuration\\Administrative Templates\\Network\\WLAN Service\\WLAN Settings\\Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services** setting. 1. Open your Group Policy editor and go to the `Computer Configuration\Administrative Templates\Network\WLAN Service\WLAN Settings\Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services` setting.
![group policy editor with wi-fi sense setting](images/wifisense-grouppolicy.png) ![Group Policy Editor, showing the Wi-Fi Sense setting](images/wifisense-grouppolicy.png)
2. Turn Wi-Fi Sense on (enabled) or off (disabled), based on your company's environment. 2. Turn Wi-Fi Sense on (enabled) or off (disabled), based on your company's environment.
### Using the Registry Editor ### Using the Registry Editor
You can manage your Wi-Fi Sense settings by using registry keys and the Registry Editor. You can manage your Wi-Fi Sense settings by using registry keys and the Registry Editor.
**To set up Wi-Fi Sense using the Registry Editor** **To set up Wi-Fi Sense using the Registry Editor**
1. Open your Registry Editor and go to **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\WcmSvc\\wifinetworkmanager\\config\\**. 1. Open your Registry Editor and go to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config\`
2. Create and set a new **DWORD (32-bit) Value** named, **AutoConnectAllowedOEM**, with a **Value data** of **0 (zero)**. 2. Create and set a new **DWORD (32-bit) Value** named, **AutoConnectAllowedOEM**, with a **Value data** of **0 (zero)**.
<p>Setting this value to **0** turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the **Wi-Fi Settings** screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see [How to configure Wi-Fi Sense on Windows 10 in an enterprise](http://go.microsoft.com/fwlink/p/?LinkId=620959).
Setting this value to **0** turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the **Wi-Fi Settings** screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see [How to configure Wi-Fi Sense on Windows 10 in an enterprise](http://go.microsoft.com/fwlink/p/?LinkId=620959). ![Registry Editor, showing the creation of a new DWORD value](images/wifisense-registry.png)
![registry editor showing new dword value](images/wifisense-registry.png)
### Using the Windows Provisioning settings ### Using the Windows Provisioning settings
You can manage your Wi-Fi Sense settings by changing the Windows provisioning setting, **WiFISenseAllowed**. You can manage your Wi-Fi Sense settings by changing the Windows provisioning setting, **WiFISenseAllowed**.
**To set up Wi-Fi Sense using **WiFISenseAllowed**** **To set up Wi-Fi Sense using WiFISenseAllowed**
- Change the Windows Provisioning setting, **WiFISenseAllowed**, to **0**. - Change the Windows Provisioning setting, **WiFISenseAllowed**, to **0**.
<p>Setting this value to **0** turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the **Wi-Fi Settings** screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see the Windows Provisioning settings reference topic, [WiFiSenseAllowed](http://go.microsoft.com/fwlink/p/?LinkId=620909).
Setting this value to **0** turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the **Wi-Fi Settings** screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see the Windows Provisioning settings reference topic, [WiFiSenseAllowed](http://go.microsoft.com/fwlink/p/?LinkId=620909). ### Using Unattended Windows Setup settings
### <a href="" id="using-the-unattended-windows-setup-settings"></a>Using Unattended Windows Setup settings
If your company still uses Unattend, you can manage your Wi-Fi Sense settings by changing the Unattended Windows Setup setting, **WiFiSenseAllowed**. If your company still uses Unattend, you can manage your Wi-Fi Sense settings by changing the Unattended Windows Setup setting, **WiFiSenseAllowed**.
**To set up Wi-Fi Sense using **WiFISenseAllowed**** **To set up Wi-Fi Sense using WiFISenseAllowed**
- Change the Unattended Windows Setup setting, **WiFISenseAllowed**, to **0**. - Change the Unattended Windows Setup setting, **WiFISenseAllowed**, to **0**.
<p>Setting this value to **0** turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the **Wi-Fi Settings** screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see the Unattended Windows Setup Reference topic, [WiFiSenseAllowed](http://go.microsoft.com/fwlink/p/?LinkId=620910).
Setting this value to **0** turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the **Wi-Fi Settings** screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see the Unattended Windows Setup Reference topic, [WiFiSenseAllowed](http://go.microsoft.com/fwlink/p/?LinkId=620910). ### How employees can change their own Wi-Fi Sense settings
### <a href="" id="how-emps-can-change-their-own-wifi-sense-settings"></a>How employees can change their own Wi-Fi Sense settings
If you dont turn off the ability for your employees to use Wi-Fi Sense, they can turn the settings on locally by selecting **Settings &gt; Network & Internet &gt; Wi-Fi &gt; Manage Wi-Fi settings**, and then changing one or both of these settings under **Wi-Fi Sense**: If you dont turn off the ability for your employees to use Wi-Fi Sense, they can turn the settings on locally by selecting **Settings &gt; Network & Internet &gt; Wi-Fi &gt; Manage Wi-Fi settings**, and then changing one or both of these settings under **Wi-Fi Sense**:
- Connect to suggested open hotspots - Connect to suggested open hotspots
- Connect to networks shared by my contacts - Connect to networks shared by my contacts
![local wi-fi sense settings](images/wifisense-settingscreens.png) ![Wi-Fi Sense options shown to employees if it's not turned off](images/wifisense-settingscreens.png)
## Important considerations ## Important considerations
Whether to allow your employees to share your password-protected Wi-Fi networks with their contacts to give them Internet access is completely up to you. However, if you decide to allow it, you should consider the following important info. Whether to allow your employees to share your password-protected Wi-Fi networks with their contacts to give them Internet access is completely up to you. However, if you decide to allow it, you should consider the following important info.
### Network considerations ### Network considerations
- Wi-Fi Sense is designed to block contacts given Internet access through your password-protected network from reaching your intranet sites and other devices or files on the shared network. - Wi-Fi Sense is designed to block contacts given Internet access through your password-protected network from reaching your intranet sites and other devices or files on the shared network.
- Network info can only be shared with contacts using Wi-Fi Sense on PCs running Windows 10 or phones running Windows 10 Mobile. Wi-Fi Sense wont work with any other operating system. - Network info can only be shared with contacts using Wi-Fi Sense on PCs running Windows 10 or phones running Windows 10 Mobile. Wi-Fi Sense wont work with any other operating system.
### Security considerations ### Security considerations
- Your employees must be connected using a Microsoft account to use Wi-Fi Sense. - Your employees must be connected using a Microsoft account to use Wi-Fi Sense.
- Your employees cant pick individual contacts to share with. Instead, they must pick a group of contacts, such as their Skype contacts. In this case, all of the employees Skype contacts will be able to access the shared network. - Your employees cant pick individual contacts to share with. Instead, they must pick a group of contacts, such as their Skype contacts. In this case, all of the employees Skype contacts will be able to access the shared network.
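Review bot: The setting name is spelled two ways in the Windows Provisioning and Unattended Windows Setup steps: `WiFISenseAllowed` (capital I) in the bold procedure titles and the bullet items, and `WiFiSenseAllowed` in the Unattend intro sentence and in both reference link texts. This is the value an admin types into a provisioning package or answer file to turn the feature off, so pick the spelling the reference topics use and apply it throughout; the hunk already touches the two procedure titles, so this is the place to fix it. Also, the "Setting this value to **0** ..." paragraphs and the two notes now start with a bare `<p>` that is never closed, with Markdown bold and links inside it. Please check the rendered output, because Markdown inside an HTML block is often left unprocessed, and the links to the WiFiSenseAllowed references and to "How to configure Wi-Fi Sense on Windows 10 in an enterprise" would then appear as raw text.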
@ -130,17 +101,13 @@ Whether to allow your employees to share your password-protected Wi-Fi networks
- Access is only shared with your employees contacts. Wi-Fi Sense doesn't share networks with the contact's contacts. Should the contact want to share your network with another contact, he or she would have to share the network directly, by providing the password and clicking to share the network. - Access is only shared with your employees contacts. Wi-Fi Sense doesn't share networks with the contact's contacts. Should the contact want to share your network with another contact, he or she would have to share the network directly, by providing the password and clicking to share the network.
### Sharing considerations ### Sharing considerations
- Employees can't share network info with their contacts for any company network using the IEEE 802.1X protocol. - Employees can't share network info with their contacts for any company network using the IEEE 802.1X protocol.
- Your employees can pick which Wi-Fi networks they want to share. The first time the employee connects to a password-protected Wi-Fi network, theyre presented with an option to share the network and to pick the contacts that should be given the info. - Your employees can pick which Wi-Fi networks they want to share. The first time the employee connects to a password-protected Wi-Fi network, theyre presented with an option to share the network and to pick the contacts that should be given the info.
## Related topics ## Related topics
- [Wi-Fi Sense FAQ](http://go.microsoft.com/fwlink/p/?LinkId=620911)
- [How to configure Wi-Fi Sense on Windows 10 in an enterprise](http://go.microsoft.com/fwlink/p/?LinkId=620959)
[Wi-Fi Sense FAQ](http://go.microsoft.com/fwlink/p/?LinkId=620911)
[How to configure Wi-Fi Sense on Windows 10 in an enterprise](http://go.microsoft.com/fwlink/p/?LinkId=620959)
   

View File

@ -10,82 +10,29 @@ author: TrudyHa
--- ---
# Plan for Windows 10 deployment # Plan for Windows 10 deployment
Windows 10 provides new deployment capabilities, scenarios, and tools by building on technologies introduced in Windows 7, and Windows 8.1, while at the same time introducing new Windows as a service concepts to keep the operating system up to date. Together, these changes require that you rethink the traditional deployment process. Windows 10 provides new deployment capabilities, scenarios, and tools by building on technologies introduced in Windows 7, and Windows 8.1, while at the same time introducing new Windows as a service concepts to keep the operating system up to date. Together, these changes require that you rethink the traditional deployment process.
## In this section ## In this section
|Topic |Description |
|------|------------|
<table> |[Change history for Plan for Windows 10 deployment](change-history-for-plan-for-windows-10-deployment.md) |This topic lists new and updated topics in the Plan for Windows 10 deployment documentation for [Windows 10 and Windows 10 Mobile](../index.md). |
<colgroup> |[Windows 10 servicing options](windows-10-servicing-options.md) |Windows 10 provides a new model for organizations to deploy and upgrade Windows by providing updates to features and capabilities through a continual process. |
<col width="50%" /> |[Windows 10 deployment considerations](windows-10-deployment-considerations.md) |There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications. |
<col width="50%" /> |[Windows 10 compatibility](windows-10-compatibility.md) |Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10. |
</colgroup> |[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) |There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. |
<thead> |[Windows Update for Business](windows-update-for-business.md) |Get an overview of how you can implement and deploy a Windows Update for Business solution and how to maintain enrolled systems. |
<tr class="header"> |[Guidance for education environments](windows-10-guidance-for-education-environments.md) |Find resources to help you plan your deployment of Windows 10 to desktops, laptops, tablets, and other devices in educational institutions. |
<th align="left">Topic</th> |[Windows To Go: feature overview](windows-to-go-overview.md) |Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that enables the creation of a Windows To Go workspace that can be booted from a USB-connected external drive on PCs. |
<th align="left">Description</th> |[Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md) |The Microsoft® Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system. |
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>[Change history for Plan for Windows 10 deployment](change-history-for-plan-for-windows-10-deployment.md)</p></td>
<td align="left"><p>This topic lists new and updated topics in the Plan for Windows 10 deployment documentation for [Windows 10 and Windows 10 Mobile](../index.md).</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Windows 10 servicing options](windows-10-servicing-options.md)</p></td>
<td align="left"><p>Windows 10 provides a new model for organizations to deploy and upgrade Windows by providing updates to features and capabilities through a continual process.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Windows 10 deployment considerations](windows-10-deployment-considerations.md)</p></td>
<td align="left"><p>There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Windows 10 compatibility](windows-10-compatibility.md)</p></td>
<td align="left"><p>Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md)</p></td>
<td align="left"><p>There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Windows Update for Business](windows-update-for-business.md)</p></td>
<td align="left"><p>Get an overview of how you can implement and deploy a Windows Update for Business solution and how to maintain enrolled systems.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Guidance for education environments](windows-10-guidance-for-education-environments.md)</p></td>
<td align="left"><p>Find resources to help you plan your deployment of Windows 10 to desktops, laptops, tablets, and other devices in educational institutions.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Windows To Go: feature overview](windows-to-go-overview.md)</p></td>
<td align="left"><p>Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that enables the creation of a Windows To Go workspace that can be booted from a USB-connected external drive on PCs.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md)</p></td>
<td align="left"><p>The Microsoft® Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system.</p></td>
</tr>
</tbody>
</table>
 
## Related topics ## Related topics
- [Windows 10 servicing options for updates and upgrades](../manage/introduction-to-windows-10-servicing.md)
- [Deploy Windows 10 with MDT 2013 Update 1](../deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
[Windows 10 servicing options for updates and upgrades](../manage/introduction-to-windows-10-servicing.md) - [Deploy Windows 10 with Configuration Manager and MDT 2013 Update 1](../deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md)
- [Upgrade to Windows 10 with MDT 2013 Update 1](../deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
[Deploy Windows 10 with MDT 2013 Update 1](../deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) - [Upgrade to Windows 10 with Configuration Manager](../deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md)
- [Windows Imaging and Configuration Designer](http://go.microsoft.com/fwlink/p/?LinkId=733911)
[Deploy Windows 10 with Configuration Manager and MDT 2013 Update 1](../deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) - [Windows 10 and Windows 10 Mobile](../index.md)
[Upgrade to Windows 10 with MDT 2013 Update 1](../deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
[Upgrade to Windows 10 with Configuration Manager](../deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md)
[Windows Imaging and Configuration Designer](http://go.microsoft.com/fwlink/p/?LinkId=733911)
[Windows 10 and Windows 10 Mobile](../index.md)
   

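Review bot: in the Related topics list, the link target `../deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md` is spelled "configuraton", and the new bulleted entry carries that spelling over unchanged from the old line. Confirm the file really exists under that name. If it does, rename it and update the link in the same change. If it does not, the new bullet ships a broken link. The Windows Imaging and Configuration Designer entry also still points at a plain `http://go.microsoft.com/fwlink` URL.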
View File

@ -1,16 +1,14 @@
--- ---
title: Browser Microsoft Edge and Internet Explorer 11 (Windows 10) title: Browser Microsoft Edge and Internet Explorer 11 (Windows 10)
description: Resources to help you explore the Windows 10 browsing options for your enterprise. description: Resources to help you explore the Windows 10 browsing options for your enterprise.
ms.assetid: E986F903-69AD-4145-9D24-0C6D04B3E489 ms.assetid: e986f903-69ad-4145-9d24-0c6d04b3e489
ms.prod: W10 ms.prod: W10
ms.mktglfcycl: explore ms.mktglfcycl: explore
ms.sitesec: library ms.sitesec: library
author: TrudyHa author: eross-msft
--- ---
# Browser: Microsoft Edge and Internet Explorer 11 # Browser: Microsoft Edge and Internet Explorer 11
**Microsoft Edge content applies to:** **Microsoft Edge content applies to:**
- Windows 10 - Windows 10
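Review bot: in the front matter, `ms.assetid` changes only in letter case (`E986F903-69AD-4145-9D24-0C6D04B3E489` to `e986f903-69ad-4145-9d24-0c6d04b3e489`), and nothing visible in the hunk explains why. If any publishing, redirect or analytics tooling keys on this id, confirm that it compares ids case-insensitively before merging, and mention the normalization in the commit message so it is not mistaken for a new asset. The `author` change from `TrudyHa` to `eross-msft` in the same block looks intentional.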
@ -20,58 +18,35 @@ author: TrudyHa
- Windows 10 - Windows 10
Resources to help you explore the Windows 10 browsing options for your enterprise.
## Enterprise guidance ## Enterprise guidance
Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, if you're running web apps that need ActiveX controls, we recommend that you continue to use Internet Explorer 11 for them. If you don't have IE11 installed anymore, you can download it from the Windows Store or from the [Internet Explorer 11 download page](http://go.microsoft.com/fwlink/p/?linkid=290956). Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, if you're running web apps that need ActiveX controls, we recommend that you continue to use Internet Explorer 11 for them. If you don't have IE11 installed anymore, you can download it from the Windows Store or from the [Internet Explorer 11 download page](http://go.microsoft.com/fwlink/p/?linkid=290956).
We also recommend that you upgrade to IE11 if you're running any earlier versions of Internet Explorer. IE11 is supported on Windows 7, Windows 8.1, and Windows 10. So any legacy apps that work with IE11 will continue to work even as you migrate to Windows 10. We also recommend that you upgrade to IE11 if you're running any earlier versions of Internet Explorer. IE11 is supported on Windows 7, Windows 8.1, and Windows 10. So any legacy apps that work with IE11 will continue to work even as you migrate to Windows 10.
### Microsoft Edge ### Microsoft Edge
Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana.
Microsoft Edge is the new, default web browser for Windows 10 and Windows 10 Mobile, taking you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana.
- **Web Note.** Microsoft Edge lets you annotate, highlight, and call things out directly on webpages. - **Web Note.** Microsoft Edge lets you annotate, highlight, and call things out directly on webpages.
- **Reading view.** Microsoft Edge lets you enjoy and print online articles in a distraction-free layout that's optimized for your screen size. While in reading view, you can also save webpages or PDF files to your reading list, for later viewing. - **Reading view.** Microsoft Edge lets you enjoy and print online articles in a distraction-free layout that's optimized for your screen size. While in reading view, you can also save webpages or PDF files to your reading list, for later viewing.
- **Cortana.** Cortana is automatically enabled on Microsoft Edge. Microsoft Edge lets you highlight words for more info and gives you one-click access to things like restaurant reservations and reviews, without leaving the webpage. - **Cortana.** Cortana is automatically enabled on Microsoft Edge. Microsoft Edge lets you highlight words for more info and gives you one-click access to things like restaurant reservations and reviews, without leaving the webpage.
- **Compatibility and security.** Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or that are included on your Enterprise Mode Site List. You must use IE11 to run older, less secure technology, such as ActiveX controls. - **Compatibility and security.** Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or that are included on your Enterprise Mode Site List. You must use IE11 to run older, less secure technology, such as ActiveX controls.
### IE11 ### IE11
IE11 offers enterprises additional security, manageability, performance, backward compatibility, and modern standards support. IE11 offers enterprises additional security, manageability, performance, backward compatibility, and modern standards support.
- **Backward compatibility.** IE11 supports 9 document modes that include high-fidelity emulations for older versions of IE. - **Backward compatibility.** IE11 supports 9 document modes that include high-fidelity emulations for older versions of IE.
- **Modern web standards.** IE11 supports modern web technologies like HTML5, CSS3, and WebGL, which help to ensure today's modern websites and apps work just as well as your old, legacy websites and apps. - **Modern web standards.** IE11 supports modern web technologies like HTML5, CSS3, and WebGL, which help to ensure today's modern websites and apps work just as well as your old, legacy websites and apps.
- **More secure.** IE11 was designed with security in mind and is more secure than older versions. Using security features like SmartScreen and Enhanced Protected Mode can help IE11 reduce your risk. - **More secure.** IE11 was designed with security in mind and is more secure than older versions. Using security features like SmartScreen and Enhanced Protected Mode can help IE11 reduce your risk.
- **Faster.** IE11 is significantly faster than previous versions of Internet Explorer, taking advantage of network optimization and hardware-accelerated text, graphics, and JavaScript rendering. - **Faster.** IE11 is significantly faster than previous versions of Internet Explorer, taking advantage of network optimization and hardware-accelerated text, graphics, and JavaScript rendering.
- **Easier migration to Windows 10.** IE11 is the only version of IE that runs on Windows 7, Windows 8.1, and Windows 10. Upgrading to IE11 on Windows 7 can also help your organization support the next generation of software, services, and devices. - **Easier migration to Windows 10.** IE11 is the only version of IE that runs on Windows 7, Windows 8.1, and Windows 10. Upgrading to IE11 on Windows 7 can also help your organization support the next generation of software, services, and devices.
- **Administration.** IE11 can use the Internet Explorer Administration Kit (IEAK) 11 or MSIs for deployment, and includes more than 1,600 Group Policies and preferences for granular control. - **Administration.** IE11 can use the Internet Explorer Administration Kit (IEAK) 11 or MSIs for deployment, and includes more than 1,600 Group Policies and preferences for granular control.
## Related topics ## Related topics
- [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/en-us/browser/mt612809.aspx)
- [Download Internet Explorer 11](http://windows.microsoft.com/en-US/internet-explorer/download-ie)
[Web Application Compatibility Lab Kit for Internet Explorer 11](http://go.microsoft.com/fwlink/p/?LinkId=715642) - [Microsoft Edge - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/microsoft-edge/index)
- [Internet Explorer 11 - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/index)
[Download Internet Explorer 11](http://go.microsoft.com/fwlink/p/?linkid=290956) - [IEAK 11 - Internet Explorer Administration Kit 11 Users Guide](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/index)
[Microsoft Edge - Deployment Guide for IT Pros](http://go.microsoft.com/fwlink/p/?LinkId=618271)
[Internet Explorer 11 - Deployment Guide for IT Pros](http://go.microsoft.com/fwlink/p/?linkid=313986)
[IEAK 11 - Internet Explorer Administration Kit 11 Users Guide](http://go.microsoft.com/fwlink/p/?LinkId=619690)
 
   

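Review bot: in the new Related topics list, the "IEAK 11 - Internet Explorer Administration Kit 11 Users Guide" entry points to `https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/index`, which is the same URL as the "Internet Explorer 11 - Deployment Guide for IT Pros" entry above it. The old entries used two different fwlink ids (`313986` and `619690`), so this looks like a copy-and-paste slip. Point the IEAK entry at the IEAK guide. The new "Download Internet Explorer 11" target is also `http://` and no longer matches the download link in the Enterprise guidance paragraph, which still uses `http://go.microsoft.com/fwlink/p/?linkid=290956`. Pick one target for both and prefer an `https://` URL.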
View File

@ -6,22 +6,23 @@ keywords: ["EDP Overview", "EDP"]
ms.prod: W10 ms.prod: W10
ms.mktglfcycl: explore ms.mktglfcycl: explore
ms.sitesec: library ms.sitesec: library
author: TrudyHa author: eross-msft
--- ---
# Enterprise data protection (EDP) overview # Enterprise data protection (EDP) overview
**Applies to:**
- Windows 10 Insider Preview
- Windows 10 Mobile Preview
\[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.\] <span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.]</span>
With the increase of employee-owned devices in the enterprise, theres also an increasing risk of accidental data disclosure through apps and services that are outside of the enterprises control like email, social media, and the public cloud. With the increase of employee-owned devices in the enterprise, theres also an increasing risk of accidental data disclosure through apps and services that are outside of the enterprises control like email, social media, and the public cloud.
Many of the existing solutions try to address this issue by requiring employees to switch between personal and work containers and apps, which can lead to a less than optimal user experience. The feature code-named enterprise data protection (EDP) offers a better user experience, while helping to better separate and protect enterprise apps and data against disclosure risks across both company and personal devices, without requiring changes in environments or apps. Additionally, EDP when used with Rights Management Services (RMS), can help to protect your enterprise data locally, persisting the protection even when your data roams or is shared. Many of the existing solutions try to address this issue by requiring employees to switch between personal and work containers and apps, which can lead to a less than optimal user experience. The feature code-named enterprise data protection (EDP) offers a better user experience, while helping to better separate and protect enterprise apps and data against disclosure risks across both company and personal devices, without requiring changes in environments or apps. Additionally, EDP when used with Rights Management Services (RMS), can help to protect your enterprise data locally, persisting the protection even when your data roams or is shared.
### Benefits of EDP ## Benefits of EDP
EDP provides: EDP provides:
- Additional protection against enterprise data leakage, with minimal impact on employees regular work practices. - Additional protection against enterprise data leakage, with minimal impact on employees regular work practices.
- Obvious separation between personal and corporate data, without requiring employees to switch environments or apps. - Obvious separation between personal and corporate data, without requiring employees to switch environments or apps.
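Review bot: the pre-release notice is now wrapped in `<span style="color:#ED1C24;">` and its square brackets are no longer escaped (`\[ ... \]` became `[ ... ]`). Inline `style` attributes are dropped by renderers that sanitize HTML, and an unescaped `[...]` can be parsed as a reference-style link, so the notice may render differently from what is intended. Keep the escaped brackets and express the emphasis in Markdown, or confirm that the publishing pipeline preserves the span. The heading change from `### Benefits of EDP` to `## Benefits of EDP` is fine as long as the sibling sections move to the same level, which the later hunks appear to do.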
@ -38,38 +39,7 @@ EDP provides:
- Ability to manage Office universal apps on Windows 10 devices using an MDM solution to help protect corporate data. To manage Office mobile apps for Android and iOS devices, see technical resources [here]( http://go.microsoft.com/fwlink/p/?LinkId=526490). - Ability to manage Office universal apps on Windows 10 devices using an MDM solution to help protect corporate data. To manage Office mobile apps for Android and iOS devices, see technical resources [here]( http://go.microsoft.com/fwlink/p/?LinkId=526490).
### Prerequisites ## Enterprise scenarios
Youll need this software to run EDP in your enterprise:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Operating system</th>
<th align="left">Management solution</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">Windows 10</td>
<td align="left"><ul>
<li><p>Intune</p>
<p><strong>-OR-</strong></p></li>
<li><p>Configuration Manager (version 1511 or later)</p>
<p><strong>-OR-</strong></p></li>
<li><p>Your current company-wide MDM solution</p></li>
</ul></td>
</tr>
</tbody>
</table>
 
### Enterprise scenarios
EDP currently addresses these enterprise scenarios: EDP currently addresses these enterprise scenarios:
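Review bot: the whole `### Prerequisites` section is deleted here (Windows 10 plus Intune, Configuration Manager version 1511 or later, or a company-wide MDM solution), and nothing in the hunk replaces it or points to where these requirements now live. An administrator reading the overview can no longer tell what is needed to run EDP. Keep a short prerequisites paragraph, or add a link to the topic that now carries this table. In the context line above, the link `[here]( http://go.microsoft.com/fwlink/p/?LinkId=526490)` also has a space after the opening parenthesis and uses "here" as its link text, which is worth cleaning up while this file is being touched.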
@ -77,91 +47,53 @@ EDP currently addresses these enterprise scenarios:
- You can remotely wipe enterprise data off managed computers, including employee-owned computers, without affecting the personal data. - You can remotely wipe enterprise data off managed computers, including employee-owned computers, without affecting the personal data.
- You can select specific apps that can access enterprise data, called “privileged apps” that are clearly recognizable to employees. You can also block non-privileged apps from accessing enterprise data. - You can select specific apps that can access enterprise data, called "protected apps" that are clearly recognizable to employees. You can also block non-protected apps from accessing enterprise data.
- Your employees won't have their work interrupted while switching between personal and enterprise apps while the enterprise policies are in place. Switching environments or signing in multiple times isnt required. - Your employees won't have their work otherwise interrupted while switching between personal and enterprise apps while the enterprise policies are in place. Switching environments or signing in multiple times isnt required.
## How EDP works
EDP helps address your everyday challenges in the enterprise. Including helping you:
- Deal with unwanted employee experiences because of severe data protection policies.
- Maintain the privacy of your enterprise data.
- Manage apps that arent policy-aware, especially on mobile devices.
- Handle the inability to lock down employee-owned devices, potentially allowing the accidental release of enterprise data.
### Protection modes
You can set EDP to 1 of 4 protection modes:
- **Block.** EDP looks for inappropriate data sharing and stops the employee from completing the action.
- **Override.** EDP looks for inappropriate data sharing, letting employees know whether they do something inappropriate. However, this protection mode lets the employee override the policy and share the data anyway, while logging the action to your audit log.
- **Audit.** EDP runs silently, logging inappropriate data sharing, without blocking anything.
- **Off.** EDP isn't active and doesn't protect your data.
### Great employee experiences
EDP can offer a great user experience by not requiring employees to switch between apps to protect corporate data. For example, while checking work emails in Microsoft Outlook, an employee gets a personal message. Instead of having to leave Outlook, both the work and personal messages appear on the screen, side-by-side.
### Changing the EDP protection
Employees can change enterprise data protected documents back to personal if the document is wrongly marked as enterprise. However, this requires the employee to take an action and is audited and logged for you to review
### Enterprise data security ### Enterprise data security
As an enterprise admin, you need to maintain the security and confidentiality of your corporate data. Using EDP you can help ensure that your corporate data is protected on your employee-owned computers, even when the employee isnt actively using it. In this case, when the employee initially creates the content on a managed device hes asked whether its a work document. If it's a work document, it becomes locally-protected as enterprise data. As an enterprise admin, you need to maintain the security and confidentiality of your corporate data. Using EDP you can help ensure that your corporate data is protected on your employee-owned computers, even when the employee isnt actively using it. In this case, when the employee initially creates the content on a managed device hes asked whether its a work document. If it's a work document, it becomes locally-protected as enterprise data.
### Remotely wiping devices of enterprise data ### Persistent data encryption
EDP helps keep your enterprise data protected, even when it roams. Apps like Office and OneNote work with EDP to persist your data encryption across locations and services. For example, if an employee opens EDP-encrypted content from Outlook, edits it, and then tries to save the edited version with a different name to remove the encryption, it wont work. Outlook automatically applies EDP to the new document, keeping the data encryption in place.
### Remotely wiping devices of enterprise data
EDP also offers the ability to remotely wipe your corporate data from all devices managed by you and used by an employee, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen computer. EDP also offers the ability to remotely wipe your corporate data from all devices managed by you and used by an employee, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen computer.
In this case, documents are stored locally, and encrypted with an enterprise identity. When you verify that you have to wipe the device, you can send a remote wipe command through your mobile device management system so when the device connects to the network, the encryption keys are revoked and the enterprise data is removed. This action only affects devices that have been targeted by the command. All other devices will continue to work normally. In this case, documents are stored locally, and encrypted with an enterprise identity. When you verify that you have to wipe the device, you can send a remote wipe command through your mobile device management system so when the device connects to the network, the encryption keys are revoked and the enterprise data is removed. This action only affects devices that have been targeted by the command. All other devices will continue to work normally.
### Copying or downloading enterprise data ### Protected apps and restrictions
Using EDP you can control the set of apps that are made "protected apps", or apps that can access and use your enterprise data. After you add an app to your **Protected App** list, its trusted to use enterprise data. All apps not on this list are treated as personal and are potentially blocked from accessing your corporate data, depending on your EDP protection-mode.
As a note, your existing line-of-business apps dont have to change to be included as protected apps. You simply have to include them in your list.
### Great employee experiences
EDP can offer a great user experience by not requiring employees to switch between apps to protect corporate data. For example, while checking work emails in Microsoft Outlook, an employee gets a personal message. Instead of having to leave Outlook, both the work and personal messages appear on the screen, side-by-side.
#### Using protected apps
Protected apps are allowed to access your enterprise data and will react differently with other non-protected or personal apps. For example, if your EDP-protection mode is set to block, your protected apps will let the employee copy and paste information between other protected apps, but not with personal apps. Imagine an HR person wants to copy a job description from a protected app to an internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that it couldnt paste because of a policy restriction. The HR person then correctly pastes to the career website and it works without a problem.
#### Copying or downloading enterprise data
Downloading content from a location like SharePoint or a network file share, or an enterprise web location, such as Office365.com automatically determines that the content is enterprise data and is encrypted as such, while its stored locally. The same applies to copying enterprise data to something like a USB drive. Because the content is already marked as enterprise data locally, the encryption is persisted on the new device. Downloading content from a location like SharePoint or a network file share, or an enterprise web location, such as Office365.com automatically determines that the content is enterprise data and is encrypted as such, while its stored locally. The same applies to copying enterprise data to something like a USB drive. Because the content is already marked as enterprise data locally, the encryption is persisted on the new device.
### Privileged apps and restrictions #### Changing the EDP protection
Employees can change enterprise data protected documents back to personal if the document is wrongly marked as enterprise. However, this requires the employee to take an action and is audited and logged for you to review
Using EDP you can control the set of apps that are made “privileged apps”, or apps that can access and use your enterprise data. After you add an app to your privileged app list, its trusted to use enterprise data. All apps not on this list are treated as personal and are potentially blocked from accessing your corporate data, depending on your EDP protection-mode.
As a note, your existing line-of-business apps dont have to change to be included as privileged apps. You simply have to include them in your list.
### Using privileged apps
Privileged apps are allowed to access your enterprise data and will react differently with other non-privileged or personal apps. For example, if your EDP protection mode is set to block, your privileged apps will let the user copy and paste information between other privileged apps, but not with personal apps. Imagine an HR person wants to copy a job description from a privileged app to the career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that it couldnt paste because of a policy restriction. The HR person then correctly pastes to the career website and it works without a problem.
### Deciding your level of data access ### Deciding your level of data access
EDP lets you decide to block, allow overrides, or silently audit your employee's data sharing actions. Blocking the action stops it immediately, while allowing overrides let the employee know there's a problem, but lets the employee continue to share the info, and silent just logs the action without stopping it, letting you start to see patterns of inappropriate sharing so you can take educative action.
EDP lets you decide to block, allow overrides, or audit your employee's data sharing actions. Blocking the action stops it immediately, while allowing overrides let the employee know there's a problem, but lets the employee continue to share the info, and audit just logs the action without stopping it, letting you start to see patterns of inappropriate sharing so you can take educative action. ### Helping prevent accidental data disclosure to public spaces
EDP helps protect your enterprise data from being shared to public spaces, like the public cloud, accidentally. For example, if an employee stores content in the **Documents** folder, which is automatically synched with OneDrive (an app on your Protected Apps list), then the document is encrypted locally and not synched it to the users personal cloud. Likewise, if other synching apps, like Dropbox™, arent on the Protected Apps list, they also wont be able to sync encrypted files to the users personal cloud.
### <a href="" id="persistent-data-protection"></a>Persistent data encryption
EDP helps keep your enterprise data protected, even when it roams. Apps like Office and OneNote work with EDP to persist your data encryption across locations and services. For example, if an employee opens EDP-encrypted content from Outlook, edits it, and then tries to save the edited version with a different name to remove the encryption, it wont work. Outlook automatically applies EDP to the new document, keeping the data encryption in place.
### <a href="" id="protection-against-accidental-disclosure-to-public-spaces"></a>Helping prevent accidental data disclosure to public spaces
EDP helps protect your enterprise data from being shared to public spaces, like the public cloud, accidentally. For example, if an employee stores content in the **Documents** folder, which is automatically synched with OneDrive (an app on your privileged list), then the document is encrypted locally and not synched it to the users personal cloud. Likewise, if other synching apps, like Dropbox™, arent on the privileged list, they also wont be able to sync encrypted files to the users personal cloud.
### <a href="" id="protection-against-accidental-data-disclosure-to-other-devices"></a>Helping prevent accidental data disclosure to other devices
### Helping prevent accidental data disclosure to other devices
EDP helps protect your enterprise data from leaking to other devices while transferring or moving between them. For example, if an employee puts corporate data on a USB key that also includes personal data, the corporate data remains encrypted even though the personal information remains open. Additionally, the encryption continues when the employee copies the encrypted content back to another corporate-managed device. EDP helps protect your enterprise data from leaking to other devices while transferring or moving between them. For example, if an employee puts corporate data on a USB key that also includes personal data, the corporate data remains encrypted even though the personal information remains open. Additionally, the encryption continues when the employee copies the encrypted content back to another corporate-managed device.
**Important**  EDP also supports per-file encryption on SD cards along with the device encryption policy. To access your encrypted data, you will need to set up RMS during your EDP policy set up. ## Turn off EDP
 
### <a href="" id="turning-off-edp"></a>Turn off EDP
You can turn off all enterprise data protection and restrictions, reverting to where you were pre-EDP, with no data loss. However, turning off EDP isn't recommended. If you choose to turn it off, you can always turn it back on, but EDP won't retain your decryption and policies info. You can turn off all enterprise data protection and restrictions, reverting to where you were pre-EDP, with no data loss. However, turning off EDP isn't recommended. If you choose to turn it off, you can always turn it back on, but EDP won't retain your decryption and policies info.
## Related topics
- [Protect your enterprise data using enterprise data protection (EDP)](../keep-secure/protect-enterprise-data-using-edp.md)
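Review bot: this hunk removes the `### Protection modes` list that defined Block, Override, Audit and Off, but the added text still depends on those definitions: "depending on your EDP protection-mode", "if your EDP-protection mode is set to block", and the rewritten "Deciding your level of data access" paragraph, which now says "silently audit" and then "silent just logs the action". Keep the mode definitions somewhere in this topic or link to them, use one name for the logging-only mode, and pick one hyphenation for "EDP protection mode". The Important note that RMS must be set up during EDP policy setup to access per-file encrypted data on SD cards is also dropped without a replacement. If that requirement still holds, it should stay, because it affects whether protected data can be read back. Two smaller points: the added "Changing the EDP protection" paragraph ends without a period after "for you to review", and "not synched it to the users personal cloud" in the public-spaces paragraph needs rewording.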