deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 21:37:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/master' into atp-securityanalytics

Browse Source
This commit is contained in:
Joey Caparas 2017-08-02 11:48:03 -07:00
commit b102444f23
64 changed files with 1598 additions and 260 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.openpublishing.publish.config.json
View File

@ -477,10 +477,6 @@
"master": [
"Publish",
"Pdf"
],
"msesdemo": [
"Publish",
"Pdf"
]
},
"need_generate_pdf_url_template": true,

5
.openpublishing.redirection.json
View File

@ -8279,6 +8279,11 @@
"source_path": "windows/deployment/update/waas-servicing-branches-windows-10-updates.md",
"redirect_url": "/windows/deployment/update/waas-servicing-channels-windows-10-updates",
"redirect_document_id": true
},
{
"source_path": "windows/deployment/windows-10-enterprise-activation-subscription.md",
"redirect_url": "/windows/deployment/windows-10-enterprise-subscription-activation",
"redirect_document_id": true
}
]
}

6
bcs/index.md
View File

@ -18,7 +18,7 @@ description: Learn about the product documentation and resources available for M
<div class="card">
<div class="cardImageOuter">
<div class="cardImage">
<img data-hoverimage="/media/common/ih_learn-about.svg" src="/media/common/ih_learn-about.svg" alt="Learn about Microsoft 365 Business" />
<img data-hoverimage="/media/common/ih_learn-about.svg" src="/media/common/ih_learn-about.png" alt="Learn about Microsoft 365 Business" />
</div>
</div>
<div class="cardText">
@ -36,7 +36,7 @@ description: Learn about the product documentation and resources available for M
<div class="card">
<div class="cardImageOuter">
<div class="cardImage">
<img data-hoverimage="/media/common/ih_tools.svg" src="/media/common/ih_tools.svg" alt="Get started using Microsoft 365 Business" />
<img data-hoverimage="/media/common/ih_tools.svg" src="/media/common/ih_tools.png" alt="Get started using Microsoft 365 Business" />
</div>
</div>
<div class="cardText">
@ -446,6 +446,7 @@ description: Learn about the product documentation and resources available for M
<p>See these links for more in-depth information about these products and features.</p>
</div>
</li>
<!--
<li>
<a href="https://docs.microsoft.com/intune">
<div class="cardSize">
@ -465,6 +466,7 @@ description: Learn about the product documentation and resources available for M
</div>
</a>
</li>
-->
<li>
<a href="https://docs.microsoft.com/windows">
<div class="cardSize">

7
education/get-started/configure-microsoft-store-for-education.md
View File

@ -52,8 +52,15 @@ You can watch the descriptive audio version here: [Microsoft Education: Configur
Your Microsoft Store for Education account is now linked to Intune for Education so let's set that up next.
<!--
> [!div class="nextstepaction"]
> [Use Intune for Education to manage groups, apps, and settings](use-intune-for-education.md)
-->
> [!div class="step-by-step"]
[<< Enable Microsoft Teams for your school](enable-microsoft-teams.md)
[Use Intune for Education to manage groups, apps, and settings >>](use-intune-for-education.md)
## Related topic
[Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md)

6
education/get-started/enable-microsoft-teams.md
View File

@ -46,8 +46,14 @@ To get started, IT administrators need to use the Office 365 Admin Center to ena
You can find more info about how to control which users in your school can use Microsoft Teams, turn off group creation, configure tenant-level settings, and more by reading the *Guide for IT admins* getting started guide in the <a href="https://aka.ms/MeetTeamsEdu" target="_blank">Meet Microsoft Teams</a> page.
<!--
> [!div class="nextstepaction"]
> [Configure Microsoft Store for Education](configure-microsoft-store-for-education.md)
-->
> [!div class="step-by-step"]
[<< Use School Data Sync to import student data](use-school-data-sync.md)
[Configure Microsoft Store for Education >>](configure-microsoft-store-for-education.md)
## Related topic

4
education/get-started/finish-setup-and-other-tasks.md
View File

@ -142,7 +142,7 @@ After your cloud infrastructure is set up and you have a device management strat
See <a href="https://support.office.com/en-us/article/Add-users-to-Office-365-for-business-435ccec3-09dd-4587-9ebd-2f3cad6bc2bc" target="_blank">Add users to Office 365</a> to learn more. Once you're done adding new users, go to the <a href="https://intuneeducation.portal.azure.com/" target="_blank">Intune for Education console</a> and verify that the same users were added to the Intune for Education groups as well.
## Connect other devices to your cloud infrastructure
Adding a new device to your cloud-based tenant is easy. For new devices, you can follow the steps in [6. Set up Windows 10 devices](#6-set-up-windows-10-devices). For other devices, such as those personally-owned by teachers who need to connect to the school network to access work or school resources (BYOD), you can follow the steps in this section to get these devices connected.
Adding a new device to your cloud-based tenant is easy. For new devices, you can follow the steps in [Set up Windows 10 education devices](set-up-windows-10-education-devices.md). For other devices, such as those personally-owned by teachers who need to connect to the school network to access work or school resources (BYOD), you can follow the steps in this section to get these devices connected.
> [!NOTE]
> These steps enable users to get access to the organization's resources, but it also gives the organization some control over the device.
@ -169,7 +169,7 @@ Adding a new device to your cloud-based tenant is easy. For new devices, you can
![Device is connected to organization's MDM](images/win10_connectedtoorgmdm.png)
6. You can confirm that the new device and user are showing up as Intune for Education-managed by going to the Intune for Education management portal and following the steps in [6.3 Verify the device is Azure AD joined](#63-verify-the-device-is-azure-ad-joined).
6. You can confirm that the new device and user are showing up as Intune for Education-managed by going to the Intune for Education management portal and following the steps in [Verify the device is Azure AD joined](#verify-the-device-is-azure-ad-joined).
It may take several minutes before the new device shows up so check again later.

5
education/get-started/set-up-office365-edu-tenant.md
View File

@ -45,8 +45,9 @@ You can watch the descriptive audio version here: [Microsoft Education: Set up a
As part of setting up a basic cloud infrastructure, you don't need to complete the rest of the Office 365 for Education setup so we will skip the rest of setup for now and start importing school data. You can pick up where you left off with Office 365 for Education setup once you've completed the rest of the steps in the walkthrough. See *Complete Office 365 for Education setup* in [Finish Windows 10 device setup and other tasks](finish-setup-and-other-tasks.md) for info.
> [!div class="nextstepaction"]
> [Use School Data Sync to import student data](use-school-data-sync.md)
> [!div class="step-by-step"]
[<< Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md)
[Use School Data Sync to import student data >>](use-school-data-sync.md)
## Related topic

9
education/get-started/set-up-windows-10-education-devices.md
View File

@ -21,9 +21,16 @@ To set up new Windows 10 devices and enroll them to your education tenant, choos
- **Option 1: [Use the Set up School PCs app](https://docs.microsoft.com/en-us/education/windows/use-set-up-school-pcs-app)** - You can use the app to create a setup file that you can use to quickly set up one or more Windows 10 devices.
- **Option 2: [Go through Windows OOBE and join the device to Azure AD](set-up-windows-education-devices.md)** - You can go through a typical Windows 10 device setup or first-run experience to configure your device.
<!--
> [!div class="nextstepaction"]
> [Finish setup and other tasks](finish-setup-and-other-tasks.md)
-->
> [!div class="step-by-step"]
[<< Use Intune for Education to manage groups, apps, and settings](use-intune-for-education.md)
[Finish setup and other tasks >>](finish-setup-and-other-tasks.md)
## Related topic

4
education/get-started/set-up-windows-education-devices.md
View File

@ -20,9 +20,7 @@ If you are setting up a Windows 10 device invidividually, and network bandwidth
You can watch the video to see how this is done, or follow the step-by-step guide. </br>
<center><iframe src="https://www.youtube.com/embed/nADWqBYvqXk" width="960" height="540" allowFullScreen frameBorder="0"></iframe></center>
<!--
<div style="position:relative;height:0;padding-bottom:56.25%"><iframe src="https://www.youtube.com/embed/nADWqBYvqXk?ecver=2" width="640" height="360" frameborder="0" style="position:absolute;width:100%;height:100%;left:0" allowfullscreen></iframe></div>
-->
You can watch the descriptive audio version here: [Microsoft Education: Set up a new Windows 10 education devices using the Windows setup experience (DA)](https://www.youtube.com/watch?v=_UtS1Cz2Pno)
## To set up Windows 10 devices using OOBE

7
education/get-started/use-intune-for-education.md
View File

@ -206,8 +206,15 @@ Now that you've bought the apps, use Intune for Education to specify the group t
You're now done assigning apps to all users in your tenant. It's time to set up your Windows 10 device(s) and check that your cloud infrastructure is correctly set up and your apps are being pushed to your devices from the cloud.
<!--
> [!div class="nextstepaction"]
> [Set up Windows 10 devices](set-up-windows-10-education-devices.md)
-->
> [!div class="step-by-step"]
[<< Configure Microsoft Store for Education](configure-microsoft-store-for-education.md)
[Set up Windows 10 education devices >>](set-up-windows-10-education-devices.md)
## Related topic

5
education/get-started/use-school-data-sync.md
View File

@ -170,9 +170,14 @@ To learn more about the CSV files that are required and the info you need to inc
That's it for importing sample school data using SDS.
<!--
> [!div class="nextstepaction"]
> [Enable Microsoft Teams for your school](enable-microsoft-teams.md)
-->
> [!div class="step-by-step"]
[<< Set up an Office 365 education tenant](set-up-office365-edu-tenant.md)
[Enable Microsoft Teams for your school >>](enable-microsoft-teams.md)
## Related topic
[Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md)

18
education/index.md
View File

@ -45,6 +45,24 @@ ms.author: celested
</div>
</a>
</li>
<li>
<a href="/education/windows/test-windows10s-for-edu">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage">
<img data-hoverimage="/media/common/i_download-install.svg" src="/media/common/i_download-install.svg" alt="Test Windows 10 S for education" />
</div>
</div>
<div class="cardText">
<span class="likeAnH3">Test Windows 10 S for Education</span>
</div>
</div>
</div>
</div>
</a>
</li>
</ul>
</div>
<div class="container">

1
education/windows/TOC.md
View File

@ -16,6 +16,7 @@
### [For teachers: get Minecraft Education Edition](teacher-get-minecraft.md)
### [For IT administrators: get Minecraft Education Edition](school-get-minecraft.md)
### [Get Minecraft: Education Edition with Windows 10 device promotion](get-minecraft-device-promotion.md)
## [Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md)
## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
## [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
## [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md)

10
education/windows/change-history-edu.md
View File

@ -8,19 +8,27 @@ ms.sitesec: library
ms.pagetype: edu
author: CelesteDG
ms.author: celested
ms.date: 07/10/2017
ms.date: 08/01/2017
---
# Change history for Windows 10 for Education
This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation.
## August 2017
| New or changed topic | Description |
| --- | ---- |
| [Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md) | New. Find out how you can test Windows 10 S on a variety of Windows 10 devices (except Windows 10 Home) in your school and share your feedback with us. |
| [Use the Set up School PCs app ](use-set-up-school-pcs-app.md) | Updated the instructions to reflect the new or updated functionality in the latest version of the app. |
## July 2017
| New or changed topic | Description |
| --- | ---- |
| [Get Minecraft: Education Edition with Windows 10 device promotion](get-minecraft-for-education.md) | New information about redeeming Minecraft: Education Edition licenses with qualifying purchases of Windows 10 devices. |
| [Use the Set up School PCs app ](use-set-up-school-pcs-app.md) | Added the how-to video, which shows how to use the app to create a provisioning package that you can use to set up school PCs. |
| [Take a Test app technical reference](take-a-test-app-technical.md) | Added a policies section to inform you of any policies that affect the Take a Test app or functionality within the app. |
## June 2017

4
education/windows/configure-windows-for-education.md
View File

@ -4,6 +4,8 @@ description: Provides guidance on ways to configure the OS diagnostic data, cons
keywords: Windows 10 deployment, recommendations, privacy settings, school, education, configurations, accessibility, assistive technology
ms.mktglfcycl: plan
ms.sitesec: library
ms.prod: w10
ms.pagetype: edu
ms.localizationpriority: high
author: CelesteDG
ms.author: celested
@ -16,7 +18,7 @@ ms.date: 06/19/2017
- Windows 10
Privacy is important to us, we want to provide you with ways to customize the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, for usage with [education editions of Windows 10](windows-editions-for-education-customers.md) in education environments. These features work on all Windows 10 editions, but education editions of Windows 10 have the settings preconfigured. See the following table for more information. To learn more about Microsoft's commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305).
Privacy is important to us, we want to provide you with ways to customize the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, for usage with [education editions of Windows 10](windows-editions-for-education-customers.md) in education environments. These features work on all Windows 10 editions, but education editions of Windows 10 have the settings preconfigured. We recommend that all Windows 10 devices in an education setting be configured with **[SetEduPolicies](https://docs.microsoft.com/en-us/education/windows/configure-windows-for-education#setedupolicies)** enabled. See the following table for more information. To learn more about Microsoft's commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305).
We want all students to have the chance to use the apps they need for success in the classroom and all school personnel to have apps they need for their job. Students and school personnel who use assistive technology apps not available in the Microsoft Store for Education, and use devices running Windows 10 S, will be able to configure the device at no additional charge to Windows 10 Pro Education. To learn more about the steps to configure this, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md).

BIN
education/windows/images/suspc_createpackage_recommendedapps_073117.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 139 KiB

BIN
education/windows/images/suspc_createpackage_summary_073117.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 96 KiB

BIN
education/windows/images/suspc_createpackage_takeatestpage_073117.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 99 KiB

8
education/windows/index.md
View File

@ -40,10 +40,10 @@ ms.author: celested
## ![Deploy Windows 10 for Education](images/PCicon.png) Deploy
<p><b>[Set up Windows devices for education](set-up-windows-10.md)</b><br />Depending on your school's device management needs, you can use the Set up School PCs app or the Windows Configuration Designer tool to quickly set up student PCs.</p><p>
<p><b>[Set up Windows devices for education](set-up-windows-10.md)</b><br />Depending on your school's device management needs, you can use the Set up School PCs app or the Windows Configuration Designer tool to quickly set up student PCs.</p>
<p><b>[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)</b><br />Get step-by-step guidance to help you deploy Windows 10 in a school environment.</p>
<p><b>[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)</b><br />Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.</p>
<p><b><a href="https://technet.microsoft.com/en-us/windows/mt574244" target="_blank">Try it out: Windows 10 deployment (for education)</a></b><br />Learn how to upgrade devices running the Windows 7 operating system to Windows 10 Anniversary Update, and how to manage devices, apps, and users in Windows 10 Anniversary Update.<br /><br />For the best experience, use this guide in tandem with the <a href="https://vlabs.holsystems.com/vlabs/technet?eng=VLabs&auth=none&src=vlabs&altadd=true&labid=20949&lod=true" target="_blank">TechNet Virtual Lab: IT Pro Try-It-Out</a>.</p>
<p><b>[Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md)</b><br />Test Windows 10 S on a variety of Windows 10 devices (except Windows 10 Home) in your school and share your feedback with us.</p>
## ![Switch to Windows 10 for Education](images/windows.png) Switch
@ -65,3 +65,7 @@ Follow these links to find step-by-step guidance on how to deploy Windows 8.1 in
## Related topics
- [Microsoft Education documentation and resources](https://docs.microsoft.com/education)
- [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/itpro/windows/index)
<!--
<p><b><a href="https://technet.microsoft.com/en-us/windows/mt574244" target="_blank">Try it out: Windows 10 deployment (for education)</a></b><br />Learn how to upgrade devices running the Windows 7 operating system to Windows 10 Anniversary Update, and how to manage devices, apps, and users in Windows 10 Anniversary Update.<br /><br />For the best experience, use this guide in tandem with the <a href="https://vlabs.holsystems.com/vlabs/technet?eng=VLabs&auth=none&src=vlabs&altadd=true&labid=20949&lod=true" target="_blank">TechNet Virtual Lab: IT Pro Try-It-Out</a>.</p>
-->

3
education/windows/set-up-students-pcs-with-apps.md
View File

@ -2,7 +2,8 @@
title: Provision student PCs with apps
description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory.
keywords: shared cart, shared PC, school, provision PCs with apps, Windows Configuration Designer
ms.prod: W10
ms.prod: w10
ms.pagetype: edu
ms.mktglfcycl: plan
ms.sitesec: library
ms.localizationpriority: high

21
education/windows/take-a-test-app-technical.md
View File

@ -9,6 +9,7 @@ ms.pagetype: edu
ms.localizationpriority: high
author: CelesteDG
ms.author: celested
ms.date: 07/28/2017
---
# Take a Test app technical reference
@ -74,6 +75,26 @@ When Take a Test is running, the following functionality is available to student
- Ctrl+Alt+Del
- Alt+F4 (Take a Test will restart if the student is using a dedicated test account)
## Policies
If the lock screen is disabled, Take a Test will not launch above lock. Be aware that if you set the following Group Policy, this breaks activation of Take a Test above lock.
**Group Policy path:** Computer Configuration\Administrative Templates\Control Panel\Personalization\ <br />
**Group Policy name:** Do not display the lock screen <br />
**ADML:** %SDXROOT%\shell\policies\ControlPanelDisplay.adml <br />
**ADMX:** %SDXROOT%\shell\policies\ControlPanelDisplay.admx <br />
 
```
<policy name="CPL_Personalization_NoLockScreen" class="Machine"
        displayName="$(string.CPL_Personalization_NoLockScreen)"
        explainText="$(string.CPL_Personalization_NoLockScreen_Help)"
        key="Software\Policies\Microsoft\Windows\Personalization"
        valueName="NoLockScreen">
  <parentCategory ref="Personalization" />
  <supportedOn ref="windows:SUPPORTED_Windows8" />
</policy>
```
## Learn more

216
education/windows/test-windows10s-for-edu.md Normal file
View File

@ -0,0 +1,216 @@
---
title: Test Windows 10 S on existing Windows 10 education devices
description: Provides guidance on downloading and testing Windows 10 S for existing Windows 10 education devices.
keywords: Windows 10 S, try, download, school, education, Windows 10 S installer, existing Windows 10 education devices
ms.mktglfcycl: deploy
ms.prod: w10
ms.pagetype: edu
ms.sitesec: library
ms.localizationpriority: high
author: CelesteDG
ms.author: celested
ms.date: 08/01/2017
---
# Test Windows 10 S on existing Windows 10 education devices
**Applies to:**
- Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, Windows 10 Enterprise
The Windows 10 S self-installer will allow you to test Windows 10 S on a variety of individual Windows 10 devices (except Windows 10 Home) with a genuine, activated license<sup>[1](#footnote1)</sup>. Please test Windows 10 S on a variety of devices in your school and share your feedback with us.
Windows 10 S is built to give schools the familiar, robust, and productive experiences you count on from Windows in an experience that's been streamlined for security and performance in the classroom, and built to work with Microsoft Education<sup>[2](#footnote2)</sup>.
Windows 10 S is different from other editions of Windows 10 as everything that runs on the device is verfied by Microsoft for security and performance. Therefore, Windows 10 S works exclusively with apps from the Windows Store. Some accessories and apps compatible with Windows 10 may not work and performance may vary. Certain default settings, features, and apps cannot be changed. When you install Windows 10 S, your existing applications and settings will be deleted and you will only be able to install apps from the Windows Store.
**Configuring Windows 10 S for school use is easy:** Education customers must configure **SetEduPolicies** for use in K-12 schools. For more information on how to do these, see [Use the Set up School PCs app](use-set-up-school-pcs-app.md) and [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md).
**Installing Office 365 for Windows 10 S (Education preview)**: To install the Office applications in a school environment, you must use the free Set up School PCs app, which is available on the Microsoft Store for Education and from the Windows Store.
As we finalize development of Office 365 for Windows 10 S (Education preview), the applications will be updated automatically. You must have an Office license to activate the applications once they are installed.To learn more about Office 365 for Education plans, see [FAQ: Office on Windows 10 S](https://support.office.com/article/717193b5-ff9f-4388-84c0-277ddf07fe3f).
## Before you install Windows 10 S
### Important information
Before you install Windows 10 S, be aware that non-Windows Store apps will not work, peripherals that require custom drivers may not work, and other errors may occur. In particular, this release of Windows 10 S:
* Is intended for education customers to test compatibility with existing hardware
* May not work with some device drivers, which may not yet be ready for Windows 10 S and may cause some loss in functionality
* May not be compatible with all peripherals that require custom drivers and, even if compatible, may cause aspects of the peripheral to not function
* Has software and feature limitations compared to other Windows 10 editions, primarily that Windows 10 S is limited to Store apps only
> [!WARNING]
> You can install Windows 10 S on devices running other editions of Windows 10. For more information, see [Supported devices](#supported-devices). However, we don't recommend installing Windows 10 S on Windows 10 Home devices as you won't be able to activate it.
* Will not run current Win32 software and might result in the loss of any data associated with that software, which might include software already purchased
Due to these reasons, we recommend that you use the installation tool and avoid doing a clean install from an ISO media.
Before you install Windows 10 S on your existing Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, or Windows 10 Enterprise device:
* Make sure that you updated your existing device to Windows 10, version 1703 (Creators Update).
See [Download Windows 10](https://www.microsoft.com/en-us/software-download/windows10) and follow the instructions to update your device to Windows 10, version 1703. You can verify your current version in **Settings > System > About**.
* Install the latest Windows Update.
To do this, go to **Settings > Update & security > Windows Update**.
* Create a system backup in case you would like to return to your previously installed version of Windows 10 after trying Windows 10 S.
See [Create a recovery drive](#create-a-recovery-drive) for information on how to do this.
## Supported devices
The Windows 10 S install will install and activate on the following editions of Windows 10 in use by schools:
* Windows 10 Pro
* Windows 10 Pro Education
* Windows 10 Education
* Windows 10 Enterprise
Other Windows 10 editions cannot be activated and are not supported. If your device is not running one of these supported Windows 10 editions, do not proceed with using the Windows 10 S installer. Windows 10 N editions and running in virtual machines are not supported by the Windows 10 S installer.
### Preparing your device to install drivers
Make sure all drivers are installed and working properly on your device running Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, or Windows 10 Enterprise before installing Windows 10 S.
### Supported devices and drivers
Check with your device manufacturer before trying Windows 10 S on your device to see if the drivers are available and supported by the device manufacturer.
> [!NOTE]
> We'll update this section with more information so check back again soon.
<!--
* [Microsoft](https://www.microsoft.com/surface/en-us/support/windows-and-office/surface-devices-that-work-with-windows-10-s)
If you don't see your manufacturer or device model listed, you can still proceed and provide feedback, but be aware that you may not be able to get support from your device manufacturer to install Windows 10 S and you may experience limited or incomplete functionality on Windows features, device hardware, peripherals, and others.
-->
## Kept files
Back up all your data before installing Windows 10 S. Only personal files may be kept during installation. Your settings and apps will be deleted.
> [!NOTE]
> All existing Win32 applications and data will be deleted. Save any data or installation files in case you may need to access that data again or need to reinstall these applications later.
## Domain join
Windows 10 S does not support non-Azure Active Directory domain accounts. Before installing Windows 10 S, you must have at least one of these administrator accounts:
- Local administrator
- Microsoft Account (MSA) administrator
- Azure Active Directory administrator
> [!WARNING]
> If you don't have one of these administrator accounts accessible before migration, you will not be able to log in to your device after migrating to Windows 10 S.
We recommend [creating a recovery drive](#create-a-recovery-drive) before migrating to Windows 10 S in case you run into this issue.
## Installing Office applications
After installing Windows 10 S, use the free [Set up School PCs app](use-set-up-school-pcs-app.md) to install Office 365 for Windows 10 S (Education preview). You must have an Office license to activate the applications once they are installed.
## Switch to previously installed Windows 10 editions
If Windows 10 S is not right for you, you can switch to the Windows 10 edition previously installed on your device(s).
* Education customers can switch devices to Windows 10 Pro Education using the Microsoft Store for Education. For more information, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md).
* If you try Windows 10 S and decide to switch back to the previously installed edition within 10 days, you can go back to the previously installed edition using the Windows Recovery option in Settings. For more info, see [Go back to your previous edition of Windows 10](#go-back-to-your-previous-edition-of-windows-10).
## Device recovery
Before installing Windows 10 S, we recommend that you create a system backup in case you would like to return to Windows 10 Pro or Windows 10 Pro Education after trying Windows 10 S.
### Create a recovery drive
To create a recovery drive, follow these steps.
1. From the taskbar, search for **Create a recovery drive** and then select it. You might be asked to enter an admin password or confirm your choice.
2. In the **Recovery drive** tool, make sure **Back up system files to the recovery drive** is selected and then click **Next**.
3. Connect a USB drive to your PC, select it, and then select **Next > Create**.
A lot of files need to be copied to the recovery drive so this might take a while.
4. When it's done, you might see a **Delete the recovery partition from your PC** link on the final screen. If you want to free up drive space on your PC, select the link and then select **Delete**. If not, select **Finish**.
### Go back to your previous edition of Windows 10
Alternatively, for a period of 10 days after you install Windows 10 S, you have the option to go back to your previous edition of Windows 10 from **Settings > Update & security > Recovery**. This will keep your personal files, but it will remove installed apps as well as any changes you made to **Settings**.
To go back, you need to:
* Keep everything in the windows.old and $windows.~bt folders after the upgrade.
* Remove any user accounts you added after the upgrade.
If going back is not available:
* Check if you can restore your PC to factory settings. This will reinstall the version of Windows that came with your PC and remove personal files, apps, and drivers you installed and any changes you made to **Settings**. Go to **Settings > Update & security > Recovery > Reset this PC > Get started** and look for **Restore factory settings**.
* If you have a product key for your previous version of Windows, use the media creation tool to create installation media of your previous Windows 10 edition and use it to do a clean install.
### Use installation media to reinstall Windows 10
> [!WARNING]
> This will remove all your personal files, apps, and installed drivers. apps and customizations from your PC manufacturer, and changes you made to **Settings**.
To use an installation media to reinstall Windows 10, follow these steps.
1. On a working PC, go to the [Microsoft software download website](https://www.microsoft.com/en-us/software-download/windows10).
2. Download the Media Creation Tool and then run it.
3. Select **Create installation media for another PC**.
4. Choose a language, edition, and architecture (64-bit or 32-bit).
5. Follow the steps to create an installation media and then select **Finish**.
6. Connect the installation media that you created to your non-functional PC, and then turn it on.
7. On the initial setup screen, enter your language and other preferences, and then select **Next**.
If you're not seeing the setup screen, your PC might not be set up to boot from a drive. Check your PC manufacturer's website for information on how to change your PC's boot order, and then try again.
8. Select **Install now**.
9. On the **Enter the product key to active Windows** page, enter a product key if you have one. If you upgraded to Windows 10 for free, or bought and activated Windows 10 from the Windows Store, select **Skip** and Windows will automatically activate later. For more information, see [Activation in Windows 10](https://support.microsoft.com/en-us/help/12440/windows-10-activation).
10. On the **License terms** page, select **I accept the license terms** if you agree, and then select **Next**.
11. On the **Which type of installation do you want?** page, select **Custom**.
12. On the **where do you want to install Windows?** page, select a partition, select a formatting option (if necessary), and then follow the instructions.
13. When you're done formatting, select **Next**.
14. Follow the rest of the setup instructions to finish installing Windows 10.
## Download Windows 10 S
Ready to test Windows 10 S on your existing Windows 10 Pro or Windows 10 Pro Education device? Make sure you read the [important pre-installation information](#important-information) and all the above information.
When you're ready, you can download the Windows 10 S installer by clicking the **Download installer** button below:
<!-- download the Windows 10 S installer from [this Microsoft website](https://go.microsoft.com/fwlink/?linkid=853240). -->
> [!div class="nextstepaction" style="center"]
> [Download installer](https://go.microsoft.com/fwlink/?linkid=853240)
After you install Windows 10 S, the OS defaults to the English version. To change the UI and show the localized UI, go to **Settings > Time & language > Region & language >** in **Languages** select **Add a language** to add a new language or select an existing language and set it as the default.
## Terms and Conditions
Because youre installing Windows 10 S on a running version of Windows 10, you have already accepted the Windows 10 Terms and Conditions. You are not required to accept it again and the Windows 10 installer doesnt show a Terms and Conditions page during installation.
## Support
Thank you for testing Windows 10 S. Your best experience will be running on a supported device as mentioned above. However, we invite you to try Windows 10 S on existing devices with an eligible operating system. If you are having difficulty installing or running Windows 10 S, use the Windows **Feedback Hub** to report your experience to Microsoft. This is the best way to help improve Windows 10 S with your feedback.
Common support questions for the Windows 10 S test program:
* **How do I activate if I don't have a Windows 10 S product key?**
As stated above, devices running Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, or Windows 10 Enterprise can install and run Windows 10 S and it will automatically activate. Testing Windows 10 S on a device running Windows 10 Home is not recommended and supported at this time.
* **Will my OEM help me run Windows 10 S?**
OEMs typically only support their devices with the operating system that was pre-installed. See [Supported devices](#supported-devices) for OEM devices that are best suited for testing Windows 10 S. When testing Windows 10 S, be ready to restore your own PC back to factory settings without assistance. Steps to return to your previous installation of Windows 10 are covered above.
* **What happens when I run Reset or Fresh Start on Windows 10 S?**
**Reset** or **Fresh Start** will operate correctly and keep you on Windows 10 S. They also remove the 10-day go back ability. See [Switch to previously installed Windows 10 editions](#switch-to-previously-installed-windows-10-editions) to return to your previous installation of Windows 10 if you wish to discontinue using Windows 10 S.
* **What if I want to move from Windows 10 S to Windows 10 Pro?**
If you want to discontinue using Windows 10 S, follow the instructions to return to your previous installation of Windows 10. If you already had Windows 10 Pro or Windows 10 Pro Education on the device you are testing on, you should be able to move to Windows 10 Pro or Windows 10 Pro Education at no charge with the instructions in this document. Otherwise, ther emay be a cost to acquire a Windows 10 Pro license in the Store.
For help with activation issues, click on the appropriate link below for support options.
* For Volume Licensing Agreement or Shape the Future program customers, go to the [Microsoft Commercial Support](https://support.microsoft.com/gp/commercialsupport) website and select the country/region in which you are seeking commercial support to contact our commercial support team.
* If you do not have a Volume Licensing Agreement, go to the [Microsoft Support](https://support.microsoft.com/en-us/contactus/) website and choose a support option.
<p>
<a name="footnote1"></a><sup>1</sup> <small>Internet access fees may apply.</small><br/>
<a name="footnote2"></a><sup>2</sup> <small>Devices must be configured for educational use by applying **[SetEduPolicies](https://docs.microsoft.com/en-us/education/windows/configure-windows-for-education#setedupolicies)** using the Set up School PCs app.</small><br/>
</p>

35
education/windows/use-set-up-school-pcs-app.md
View File

@ -9,7 +9,7 @@ ms.pagetype: edu
ms.localizationpriority: high
author: CelesteDG
ms.author: celested
ms.date: 07/10/2017
ms.date: 08/01/2017
---
# Use the Set up School PCs app
@ -119,7 +119,7 @@ The **Set up School PCs** app guides you through the configuration choices for t
![Launch the Set up School PCs app](images/suspc_getstarted_050817.png)
2. Click **Get started**.
3. To sign in to your school's Office 365 account, in the **First step: Let's get you signed in** page:
3. <a name="suspc_signin"></a>To sign in to your school's Office 365 account, in the **First step: Let's get you signed in** page:
To get the best option for setup and enable student PCs to automatically be connected to Office 365, Azure AD, and management services like Intune for Education, click **Sign-in**.
@ -140,7 +140,7 @@ The **Set up School PCs** app guides you through the configuration choices for t
5. Click **Next**.
4. To allow the student PCs to automatically connect to your school's wireless network, in the **Select the school's wireless network** page:
4. <a name="suspc_wireless"></a>To allow the student PCs to automatically connect to your school's wireless network, in the **Select the school's wireless network** page:
1. Select the school's Wi-Fi network from the list of available wireless networks or manually add a wireless network.
2. Click **Next** if you added or selected a wireless network, or **Skip** to skip configuring a wireless network.
@ -152,7 +152,7 @@ The **Set up School PCs** app guides you through the configuration choices for t
![Only skip Wi-Fi if you have a wired Ethernet connection](images/suspc_createpackage_skipwifi_modaldialog.png)
5. To assign a name to the student PCs, in the **Name these devices** page:
5. <a name="suspc_devicename"></a>To assign a name to the student PCs, in the **Name these devices** page:
1. Add a short name that Set up School PCs will use as a prefix to identify and easily manage the group of devices, apps, and other settings through your device management client.
> [!NOTE]
@ -162,7 +162,7 @@ The **Set up School PCs** app guides you through the configuration choices for t
2. Click **Next**.
6. To specify other settings for the student PC, in the **Configure student PC settings** page:
6. <a name="suspc_settings"></a>To specify other settings for the student PC, in the **Configure student PC settings** page:
- Select **Remove apps pre-installed by the device manufacturer** to install only the base Windows image.
> [!NOTE]
@ -186,44 +186,45 @@ The **Set up School PCs** app guides you through the configuration choices for t
When you're doing configuring the student PC settings, click **Next**.
7. If you want to set up the Take a Test app and use it for taking quizzes and high-stakes assessments by some providers like Smarter Balanced, configure the settings in the **Set up the Take a Test app** page.
1. Enter the assessment URL.
7. <a name="suspc_takeatest"></a>If you want to set up the Take a Test app and use it for taking quizzes and high-stakes assessments by some providers like Smarter Balanced, configure the settings in the **Set up the Take a Test app** page. Windows will also lock down the student PC so that students can't access anything else while taking the test.
1. Specify if you want to create a Take a Test button on the sign-in screens of students' PCs.
2. Check the options whether to allow keyboard text suggestions to appear and to allow teachers to monitor online tests.
3. Enter the assessment URL.
If you set up Take a Test, this adds a **Take a Test** button on the student PC's sign-in screen. Windows will also lock down the student PC so that students can't access anything else while taking the test.
You can leave the URL blank so that students can enter one later. This enables teachers to use the the Take a Test account for daily quizzes or tests by having students manually enter a URL.
**Figure 5** - Configure the Take a Test app
![Configure the Take a Test app](images/suspc_createpackage_takeatest.png)
![Configure the Take a Test app](images/suspc_createpackage_takeatestpage_073117.png)
3. Click **Next** or **Skip** depending on whether you want to set up Take a Test.
8. In the **Add recommended apps** page, you can choose from a set of recommended Microsoft Store apps to provision. The recommended apps include the following:
8. <a name="suspc_recommendedapps"></a>In the **Add recommended apps** page, you can choose from a set of recommended Microsoft Store apps to provision. The recommended apps include the following:
* **Office 365 for Windows 10 S (Education Preview)**
* Office 365 for Windows 10 S will only work on student PCs running Windows 10 S. If you try to install this app on other editions of Windows, setup will fail.
* When adding the Office 365 for Windows 10 S to a package, the device you use to run Set up School PCs does not have to be running Windows 10 S.
* **Minecraft: Education Edition** - Free trial
* Popular **STEM and Makerspace apps**
1. Select the apps that you would like to provision and then click **Next** when you're done.
1. Select the apps that you would like to provision and then click **Next** when you're done. Apps that you provision on student PCs will be pinned to the Start menu.
2. Click **Skip** if you don't want to provision any apps.
**Figure 6** - Select from a set of recommended Microsoft Store apps
**Figure 6** - Select from a set of recommended apps
![Select from a set of recommended Microsoft Store apps](images/suspc_createpackage_recommendedapps_office061217.png)
![Select from a set of recommended Microsoft Store apps](images/suspc_createpackage_recommendedapps_073117.png)
The set of recommended Microsoft Store for Education apps may vary from what we show here.
9. In the **Review package summary** page, make sure that all the settings you configured appear correctly.
9. <a name="suspc_packagesummary"></a>In the **Review package summary** page, make sure that all the settings you configured appear correctly.
1. If you need to change any of the settings, you can on the sections to go back to that page and make your changes.
**Figure 7** - Review your settings and change them as needed
![Review your settings and change them as needed](images/suspc_createpackage_summary.png)
![Review your settings and change them as needed](images/suspc_createpackage_summary_073117.png)
2. Click **Accept**.
10. In the **Insert a USB drive now** page:
10. <a name="suspc_savepackage"></a>In the **Insert a USB drive now** page:
1. Insert a USB drive to save your settings and create a provisioning package on the USB drive.
2. Set up School PCs will automatically detect the USB drive after it's inserted. Choose the USB drive from the list.
3. Click **Save** to save the provisioning package to the USB drive.
@ -238,7 +239,7 @@ The **Set up School PCs** app guides you through the configuration choices for t
![Provisioning package is ready](images/suspc_savepackage_ppkgisready.png)
12. Follow the instructions in the **Get the student PCs ready** page to start setting up the student PCs.
12. <a name="suspc_getpcsready"></a>Follow the instructions in the **Get the student PCs ready** page to start setting up the student PCs.
**Figure 10** - Line up the student PCs and get them ready for setup

6
education/windows/windows-editions-for-education-customers.md
View File

@ -27,7 +27,7 @@ Windows 10, version 1607 introduces two editions designed for the unique needs o
Windows 10 Pro Education builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools. Windows 10 Pro Education is effectively a variant of Windows 10 Pro that provides education-specific default settings. These default settings disable tips, tricks and suggestions & Windows Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627).
For Cortana<sup>1</sup>,
For Cortana<sup>[1](#footnote1)</sup>,
- If you're using version 1607, Cortana is removed.
- If you're using new devices with version 1703, Cortana is turned on by default.
- If you're upgrading from version 1607 to version 1703, Cortana will be enabled.
@ -60,7 +60,7 @@ Customers who deploy Windows 10 Enterprise are able to configure the product to
For any other questions, contact [Microsoft Customer Service and Support](https://support.microsoft.com/en-us).
## Related topics
* [Switch Windows 10 Pro to Pro Education from Windows Store for Business](windows-10-pro-to-pro-edu-upgrade.md)
* [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md)
* [Windows deployment for education](http://aka.ms/edudeploy)
* [Windows 10 upgrade paths](https://go.microsoft.com/fwlink/?LinkId=822787)
* [Volume Activation for Windows 10](https://go.microsoft.com/fwlink/?LinkId=822788)
@ -69,4 +69,4 @@ For any other questions, contact [Microsoft Customer Service and Support](https:
<sup>1</sup> <small>Cortana available in select markets; experience may vary by region and device.</small>
<a name="footnote1"></a><sup>1</sup> <small>Cortana available in select markets; experience may vary by region and device.</small>

69
microsoft-365/index.md
View File

@ -1 +1,68 @@
# Placeholder!
---
layout: HubPage
hide_bc: true
author: v-kents
ms.author: celested
ms.topic: hub-page
title: Microsoft 365 Documentation
description: Microsoft 365 is a complete, intelligent solution, including Office 365, Windows 10, and Enterprise Mobility + Security, that empowers everyone to be creative and work together, securely.
---
<div id="main" class="v2">
<div class="container">
<h1> Microsoft 365 Documentation</h1>
<ul class="pivots">
<li>
<a href="#home"></a>
<ul id="home">
<li>
<a href="#home-all"></a>
<ul id="home-all" class="cardsW">
<li class="fullSpan intro">[Microsoft 365](https://www.microsoft.com/microsoft-365/default.aspx) is a complete, intelligent solution, including Office 365, Windows 10, and Enterprise Mobility + Security, that empowers everyone to be creative and work together, securely.
</li>
<li>
<a href="https://docs.microsoft.com/microsoft-365-enterprise/">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/microsoft365/M365-enterprise.svg" alt="" />
</div>
</div>
<div class="cardText">
<br />
<h3>Microsoft 365 Enterprise</h3>
<p>Microsoft 365 Enterprise is designed for large organizations and integrates Office 365 Enterprise, Windows 10 Enterprise, and Enterprise Mobility + Security.</p>
</div>
</div>
</div>
</div>
</a>
</li>
<li>
<a href="https://docs.microsoft.com/microsoft-365-business/">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/microsoft365/M365-business.svg" alt="" />
</div>
</div>
<div class="cardText">
<br />
<h3>Microsoft 365 Business</h3>
<p>Microsoft 365 Business is designed for small- to medium-sized businesses with up to 300 users and integrates Office 365 Business Premium with tailored security and management features from Windows 10, and Enterprise Mobility + Security. </p>
</div>
</div>
</div>
</div>
</a>
</li>
</ul>
</li>
</ul>
</li>
</ul>
</div>
</div>

1
windows/client-management/mdm/TOC.md
View File

@ -194,6 +194,7 @@
#### [DeviceInstallation](policy-csp-deviceinstallation.md)
#### [DeviceLock](policy-csp-devicelock.md)
#### [Display](policy-csp-display.md)
#### [Education](policy-csp-education.md)
#### [EnterpriseCloudPrint](policy-csp-enterprisecloudprint.md)
#### [ErrorReporting](policy-csp-errorreporting.md)
#### [EventLogService](policy-csp-eventlogservice.md)

14
windows/client-management/mdm/applocker-csp.md
View File

@ -156,6 +156,20 @@ Each of the previous nodes contains one or more of the following leaf nodes:
<td><p>Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.</p>
<p>Policy nodes are a Base64-encoded blob of the binary policy representation. The binary policy may be signed or unsigned.</p>
<p>For CodeIntegrity/Policy, you can use the [certutil -encode](http://go.microsoft.com/fwlink/p/?LinkId=724364) command line tool to encode the data to base-64.</p>
<p>Here is a sample certutil invocation:</p>
```
certutil -encode WinSiPolicy.p7b WinSiPolicy.txt
```
<p>Use only the data enclosed in the BEGIN CERTIFIFCATE and END CERTIFICATE section. Ensure that you have removed all line breaks before passing the data to the CSP node.</p>
<p>An alternative to using certutil would be to use the following PowerShell invocation:</p>
```
[Convert]::ToBase64String($(Get-Content -Encoding Byte -ReadCount 0 -Path <bin file>))
```
<p>If you are using Hybrid MDM management with System Center Configuration Manager please ensure that you are using Base64 as the Data type when using Custom OMA-URI functionality to apply the Code Integrity policy.</p>
<p>Data type is string. Supported operations are Get, Add, Delete, and Replace.</p></td>
</tr>
<tr class="even">

328
windows/client-management/mdm/assignedaccess-csp.md
View File

@ -7,11 +7,13 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 06/19/2017
ms.date: 07/27/2017
---
# AssignedAccess CSP
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The AssignedAccess configuration service provider (CSP) is used set the device to run in kiosk mode. Once the CSP has been executed, then the next user login that is associated with the kiosk mode puts the device in the kiosk mode running the application specified in the CSP configuration.
@ -19,8 +21,6 @@ For step-by-step guide for setting up devices to run in kiosk mode, see [Set up
> **Note**  The AssignedAccess CSP is only supported in Windows 10 Enterprise and Windows 10 Education.
 
The following diagram shows the AssignedAccess configuration service provider in tree format
![assignedaccess csp diagram](images/provisioning-csp-assignedaccess.png)
@ -36,21 +36,29 @@ In Windows 10, version 1607, you can use a provisioned app to configure the kio
Here's an example:
``` syntax
{"Account":"redmond\\kioskuser","AUMID":"Microsoft.Windows.Contoso_cw5n1h2txyewy!Microsoft.ContosoApp.ContosoApp"}
{"Account":"contoso\\kioskuser","AUMID":"Microsoft.Windows.Contoso_cw5n1h2txyewy!Microsoft.ContosoApp.ContosoApp"}
```
When configuring the kiosk mode app, the account name will be used to find the target user. The account name includes domain name and user name.
> **Note**  The domain name can be optional if the user name is unique across the system.
 
For a local account, the domain name should be the device name. When Get is executed on this node, the domain name is always returned in the output.
The supported operations are Add, Delete, Get and Replace. When there's no configuration, the Get and Delete methods fail. When there's already a configuration for kiosk mode app, the Add method fails. The data pattern for Add and Replace is the same.
## Examples
<a href="" id="assignedaccess-configuration"></a>**AssignedAccess/Configuration**
Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Overview of the AssignedAccessConfiguration XML](#overview-of-the-assignedaccessconfiguration-xml). Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd).
Enterprises can use this to easily configure and manage the curated lockdown experience.
Supported operations are Add, Get, Delete, and Replace.
Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies back (e.g. Start Layout).
## Examples
KioskModeApp Add
@ -132,11 +140,319 @@ KioskModeApp Replace
</SyncML>
```
## AssignedAccessConfiguration XSD
``` syntax
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
elementFormDefault="qualified"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
targetNamespace="http://schemas.microsoft.com/AssignedAccess/2017/config"
>
<xs:complexType name="profile_list_t">
<xs:sequence minOccurs="1" >
<xs:element name="Profile" type="profile_t" minOccurs="1" maxOccurs="unbounded">
<xs:unique name="duplicateRolesForbidden">
<xs:selector xpath="Profile"/>
<xs:field xpath="@Id"/>
</xs:unique>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="profile_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="AllAppsList" type="allappslist_t" minOccurs="1" maxOccurs="1">
<xs:unique name="ForbidDupApps">
<xs:selector xpath="App"/>
<xs:field xpath="@AppUserModelId"/>
<xs:field xpath="@DesktopAppPath"/>
</xs:unique>
</xs:element>
<xs:element name="StartLayout" type="xs:string" minOccurs="1" maxOccurs="1"/>
<xs:element name="Taskbar" type="taskbar_t" minOccurs="1" maxOccurs="1"/>
</xs:sequence>
<xs:attribute name="Id" type="guid_t" use="required"/>
<xs:attribute name="Name" type="xs:string" use="optional"/>
</xs:complexType>
<xs:complexType name="allappslist_t">
<xs:sequence minOccurs="1" >
<xs:element name="AllowedApps" type="allowedapps_t" minOccurs="1" maxOccurs="1">
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="allowedapps_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="App" type="app_t" minOccurs="1" maxOccurs="unbounded">
<xs:key name="mutexAumidOrDesktopApp">
<xs:selector xpath="."/>
<xs:field xpath="@AppUserModelId|@DesktopAppPath"/>
</xs:key>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="app_t">
<xs:attribute name="AppUserModelId" type="xs:string"/>
<xs:attribute name="DesktopAppPath" type="xs:string"/>
</xs:complexType>
<xs:complexType name="taskbar_t">
<xs:attribute name="ShowTaskbar" type="xs:boolean" use="required"/>
</xs:complexType>
<xs:complexType name="profileId_t">
<xs:attribute name="Id" type="guid_t" use="required"/>
</xs:complexType>
<xs:simpleType name="guid_t">
<xs:restriction base="xs:string">
<xs:pattern value="\{[0-9a-fA-F]{8}\-([0-9a-fA-F]{4}\-){3}[0-9a-fA-F]{12}\}"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="config_list_t">
<xs:sequence minOccurs="1" >
<xs:element name="Config" type="config_t" minOccurs="1" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="config_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="Account" type="xs:string" minOccurs="1" maxOccurs="1"/>
<xs:element name="DefaultProfile" type="profileId_t" minOccurs="1" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
<!--below is the definition of the config xml content-->
<xs:element name="AssignedAccessConfiguration">
<xs:complexType>
<xs:all minOccurs="1">
<xs:element name="Profiles" type="profile_list_t">
</xs:element>
<xs:element name="Configs" type="config_list_t"/>
</xs:all>
</xs:complexType>
</xs:element>
</xs:schema>
```
## Overview of the AssignedAccessConfiguration XML
Let's start by looking at the basic structure of the XML file. 
- A configuration xml can define multiple profiles, each profile has a unique Id and defines a curated set of applications that are allowed to run. 
- A configuration xml can have multiple configs, each config associates a non-admin user account to a default profile Id.
- A profile has no effect if its not associated to a user account. 
 
A profile node has below information: 
- Id: a GUID attribute to uniquely identify the Profile.
- AllowedApps: a node with a list of allowed to run applications, could be UWP apps or desktop apps. 
- StartLayout: a node for startlayout policy xml. 
- Taskbar: a node with a Boolean attribute ShowTaskbar to indicate whether to show taskbar. 
You can start your file by pasting the following XML (or any other examples in this doc) into a XML editor, and saving the file as filename.xml.
``` syntax
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
    <Profiles>
        <Profile Id="">
            <AllAppsList>
                <AllowedApps/>
            </AllAppsList>         
            <StartLayout/>
            <Taskbar/>
        </Profile>
    </Profiles>
    <Configs>
        <Config>
            <Account/>
            <DefaultProfile Id=""/>
        </Config>
    </Configs>
</AssignedAccessConfiguration>
```
 
### Allowed apps
Based on the purpose of the kiosk device, define the list of applications that are allowed to run. This list can contain both UWP apps and desktop apps, which is used to generate the assigned access AppLocker rules. 
- For Windows apps, you need to provide the App User Model ID (AUMID). 
- [Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867), or 
- Get the AUMID via the [Start Layout XML](#start-layout). 
- For desktop apps, you need to specify the full path of the executable, which can contain one or more system environment variables in the form of %variableName% (i.e. %systemroot%, %windir%).
Here are the predefined assigned access AppLocker rules: 
**For UWP apps**
   
1. Default rule is to allow all users to launch the signed package apps. 
2. The package app deny list is generated at run time when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the deny list. This list will exclude the default allowed inbox package apps which are critical for the system to function, and then exclude the allowed package apps enterprises defined in the assigned access configuration. This deny list will be used to prevent the user from accessing the apps which are available for the user but not in the allowed list. 
 
> [!Note]
> Assigned access multi-app mode doesnt block the enterprises or the users from installing UWP apps. When a new UWP app is installed during the current assigned access user session, this app will not be in the deny list. When the user signs out and signs in back next time, it will be included in the deny list. If this is an enterprise deployed LoB app and you want to allow it running, make sure update the assigned access configuration to include it in the allowed app list. 
 
**For Win32 apps**
1. Default rule is to allow all users to launch the desktop programs signed with Microsoft Certificate in order for the system to boot and function. Also the rule allows admin user group to launch all desktop programs. 
2. There is a predefined inbox desktop app deny list for the assigned access user account, and this deny list is adjusted based on the desktop app allow list you defined in the multi-app configuration. 
3. Enterprise defined allowed desktop apps are added in the AppLocker allow list. 
The following example makes Groove Music, Movies & TV, Photos, Weather, Calculator, Paint and Notepad apps allowed to run on the device.
``` syntax
      <AllAppsList>
        <AllowedApps>
          <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
          <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
          <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
          <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
          <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
          <App DesktopAppPath="%windir%\system32\mspaint.exe" />
          <App DesktopAppPath="C:\Windows\System32\notepad.exe" />
        </AllowedApps>
      </AllAppsList>
```
### Start layout
Once you have defined the list of allowed applications, you can customize the Start layout for your kiosk experience. You can choose to pin all the allowed apps on the Start screen or just a subset depending on whether you want the end user to directly access them on the Start. 
 
The easiest way for creating a customized Start layout to apply to other Windows 10 devices is to set up the Start screen on a test device and then export the layout. 
A few things to note here:
- The test device on which you customize the Start layout should have the same OS version that is installed on the device you plan to deploy the multi-app assigned access configuration. 
- Since the multi-app assigned access experience is intended for fixed purpose devices, to ensure the device experiences are consistent and predictable, use the full Start layout option instead of the partial Start layout. 
- There are no apps pinned on the taskbar in the multi-app mode, and it is not supported to configure Taskbar layout using the CustomTaskbarLayoutCollection tag in a layout modification XML as part of the assigned access configuration.
The following example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint and Notepad apps on Start.
```syntax
      <StartLayout>
        <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
                      <LayoutOptions StartTileGroupCellWidth="6" />
                      <DefaultLayoutOverride>
                        <StartLayoutCollection>
                          <defaultlayout:StartLayout GroupCellWidth="6">
                            <start:Group Name="Group1">
                              <start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
                              <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
                              <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
                              <start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
                              <start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
                            </start:Group>
                            <start:Group Name="Group2">
                              <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mspaint.exe" />
                              <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe" />
                            </start:Group>
                          </defaultlayout:StartLayout>
                        </StartLayoutCollection>
                      </DefaultLayoutOverride>
                    </LayoutModificationTemplate>
                ]]>
      </StartLayout>
```
For additional information, see [Customize and export Start layout](https://docs.microsoft.com/en-us/windows/configuration/customize-and-export-start-layout)
### Taskbar
Define whether you want to have the taskbar present in the kiosk device. For tablet based or touch enabled All-In-One kiosks, when you dont attach a keyboard and mouse, you can hide the taskbar as part of the multi-app experience if you want. 
The following example exposes the taskbar to the end user:
``` syntax
      <Taskbar ShowTaskbar="true"/>
```
The following example hides the taskbar:
``` syntax
      <Taskbar ShowTaskbar="false"/>
```
> [!Note]
> This is different with the “Automatically hide the taskbar” option in tablet mode which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. Setting “ShowTaskbar” as “false” will always hide the taskbar. 
### Profiles and configs
In the XML file, you define each profile with a GUID. You can create a GUID using a GUID generator. The GUID just needs to be unique within this XML file. 
``` syntax
  <Profiles>
    <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"></Profile>
  </Profiles>
```
Under Configs, define which user account will be associated with the profile. When this user account signs in on the device, the associated assigned access profile will be enforced, including the allowed apps, start layout, taskbar configuration as well as other local group policies/MDM policies set as part of the multi-app experience. 
``` syntax
  <Configs>
    <Config>
      <Account>MultiAppKioskUser</Account>
      <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
    </Config>
  </Configs> 
```
> [!Note]
> - The full multi-app assigned access experience can only work for non-admin users. Its not supported to associate an admin user with the assigned access profile, doing this in the XML file will result unexpected/unsupported experiences when this admin user signs in.  
> - Before applying the multi-app configuration, make sure the specified user account is available on the device, otherwise it will fail.
### Example AssignedAccessConfiguration XML
``` syntax
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
  <Profiles>
    <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
      <AllAppsList>
        <AllowedApps>
          <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
          <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
          <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
          <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
          <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
          <App DesktopAppPath="%windir%\system32\mspaint.exe" />
          <App DesktopAppPath="C:\Windows\System32\notepad.exe" />
        </AllowedApps>
      </AllAppsList>
      <StartLayout>
        <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
                      <LayoutOptions StartTileGroupCellWidth="6" />
                      <DefaultLayoutOverride>
                        <StartLayoutCollection>
                          <defaultlayout:StartLayout GroupCellWidth="6">
                            <start:Group Name="Group1">
                              <start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
                              <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
                              <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
                              <start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
                              <start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
                            </start:Group>
                            <start:Group Name="Group2">
                              <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mspaint.exe" />
                              <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe" />
                            </start:Group>
                          </defaultlayout:StartLayout>
                        </StartLayoutCollection>
                      </DefaultLayoutOverride>
                    </LayoutModificationTemplate>
                ]]>
      </StartLayout>
      <Taskbar ShowTaskbar="true"/>
    </Profile>
  </Profiles>
  <Configs>
    <Config>
      <Account>MultiAppKioskUser</Account>
      <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
    </Config>
  </Configs>
</AssignedAccessConfiguration>
```

47
windows/client-management/mdm/assignedaccess-ddf.md
View File

@ -7,11 +7,13 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 06/19/2017
ms.date: 07/27/2017
---
# AssignedAccess DDF
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **AssignedAccess** configuration service provider. DDF files are used only with OMA DM provisioning XML.
@ -20,13 +22,15 @@ You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is the current version for this CSP.
The XML below is for Windows 10, version 1709.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[
<?oma-dm-ddf-ver supported-versions="1.2"?>
]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
@ -46,25 +50,52 @@ The XML below is the current version for this CSP.
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
<MIME>com.microsoft/1.1/MDM/AssignedAccess</MIME>
</DFType>
</DFProperties>
<Node>
<NodeName>KioskModeApp</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This node can accept and return json string which comprises of account name and AUMID for Kiosk mode app.
<Description>This node can accept and return json string which comprises of account name, and AUMID for Kiosk mode app.
Example: {"User":"domain\\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}.
When configuring kiosk mode app, account name will be used to find the target user. Account name includes domain name and user name. Domain name can be optional if user name is unique across the system. For a local account, domain name should be machine name. When "Get" is executed on this node, domain name is always returned in the output.
This node supports Add, Delete, Replace and Get methods. When there's no configuration, "Get" and "Delete" methods fail. When there's already a configuration for kiosk mode app, "Add" method fails. The data pattern for "Add" and "Replace" is the same. </Description>
This node supports Add, Delete, Replace and Get methods. When there's no configuration, "Get" and "Delete" methods fail. When there's already a configuration for kiosk mode app, "Add" method fails. The data pattern for "Add" and "Replace" is the same.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Configuration</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<Description>This node accepts an AssignedAccessConfiguration xml as input. Please check out samples and required xsd on MSDN.</Description>
<DFFormat>
<chr />
</DFFormat>

4
windows/client-management/mdm/configuration-service-provider-reference.md
View File

@ -840,8 +840,8 @@ Footnotes:
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
</tr>
</table>

6
windows/client-management/mdm/federated-authentication-device-enrollment.md
View File

@ -129,7 +129,7 @@ The discovery response is in the XML format and includes the following fields:
- Authentication policy (AuthPolicy) Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory.
- In Windows, Federated is added as another supported value. This allows the server to leverage the Web Authentication Broker to perform customized user authentication, and term of usage acceptance.
> **Note**  The HTTP server response must not be chunked; it must be sent as one message.
> **Note**  The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.
 
@ -297,7 +297,7 @@ After the user is authenticated, the web service retrieves the certificate templ
MS-XCEP supports very flexible enrollment policies using various Complex Types and Attributes. For Windows device, we will first support the minimalKeyLength, the hashAlgorithmOIDReference policies, and the CryptoProviders. The hashAlgorithmOIDReference has related OID and OIDReferenceID and policySchema in the GetPolicesResponse. The policySchema refers to the certificate template version. Version 3 of MS-XCEP supports hashing algorithms.
> **Note**  The HTTP server response must not be chunked; it must be sent as one message.
> **Note**  The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.
 
@ -482,7 +482,7 @@ The following example shows the enrollment web service request for federated aut
After validating the request, the web service looks up the assigned certificate template for the client, update it if needed, sends the PKCS\#10 requests to the CA, processes the response from the CA, constructs an OMA Client Provisioning XML format, and returns it in the RequestSecurityTokenResponse (RSTR).
> **Note**  The HTTP server response must not be chunked; it must be sent as one message.
> **Note**  The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.
 

BIN
windows/client-management/mdm/images/provisioning-csp-assignedaccess.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 2.4 KiB

After

Width:  |  Height:  |  Size: 5.7 KiB

BIN
windows/client-management/mdm/images/provisioning-csp-surfacehub.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 60 KiB

After

Width:  |  Height:  |  Size: 59 KiB

28
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -10,7 +10,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/26/2017
ms.date: 07/28/2017
---
# What's new in MDM enrollment and management
@ -956,6 +956,14 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq</li>
<li>DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus</li>
<li>DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus</li>
</ul>
</td></tr>
<tr class="even">
<td style="vertical-align:top">[AssignedAccess CSP](assignedaccess-csp.md)</td>
<td style="vertical-align:top"><p>Here are the changes in Windows 10, version 1709.</p>
<ul>
<li>Added Configuration node</li>
</ul>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
@ -979,6 +987,9 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>Defender/EnableNetworkProtection</li>
<li>Defender/GuardedFoldersAllowedApplications</li>
<li>Defender/GuardedFoldersList</li>
<li>Education/DefaultPrinterName</li>
<li>Education/PreventAddingNewPrinters</li>
<li>Education/PrinterNames</li>
<li>Security/ClearTPMIfNotReady</li>
<li>Update/ScheduledInstallEveryWeek</li>
<li>Update/ScheduledInstallFirstWeek</li>
@ -1300,6 +1311,9 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<td style="vertical-align:top">
<p>Added the following new policies for Windows 10, version 1709:</p>
<ul>
<li>Education/DefaultPrinterName</li>
<li>Education/PreventAddingNewPrinters</li>
<li>Education/PrinterNames</li>
<li>Security/ClearTPMIfNotReady</li>
<li>WindowsDefenderSecurityCenter/CompanyName</li>
<li>WindowsDefenderSecurityCenter/DisableAppBrowserUI</li>
@ -1341,6 +1355,18 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<li>DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq</li>
<li>DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus</li>
<li>DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus</li>
<ul>
</td></tr>
<tr class="even">
<td style="vertical-align:top">[AssignedAccess CSP](assignedaccess-csp.md)</td>
<td style="vertical-align:top"><p>Here are the changes in Windows 10, version 1709.</p>
<ul>
<li>Added Configuration node</li>
</ul>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[SurfaceHub CSP](surfacehub-csp.md)</td>
<td style="vertical-align:top"><p>Changed PasswordRotationPeriod to PasswordRotationEnabled.</p>
</td></tr>
</tbody>
</table>

16
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/26/2017
ms.date: 07/27/2017
---
# Policy CSP
@ -842,6 +842,20 @@ The following diagram shows the Policy configuration service provider in tree fo
</dd>
</dl>
### Education policies
<dl>
<dd>
<a href="./policy-csp-education.md#education-defaultprintername" id="education-defaultprintername">Education/DefaultPrinterName</a>
</dd>
<dd>
<a href="./policy-csp-education.md#education-preventaddingnewprinters" id="education-preventaddingnewprinters">Education/PreventAddingNewPrinters</a>
</dd>
<dd>
<a href="./policy-csp-education.md#education-printernames" id="education-printernames">Education/PrinterNames</a>
</dd>
</dl>
### EnterpriseCloudPrint policies
<dl>

2
windows/client-management/mdm/policy-csp-defender.md
View File

@ -687,7 +687,7 @@ Value type is string.
<p style="margin-left: 20px">If this setting is on, Windows Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency.
p<p style="margin-left: 20px">For more information about specific values that are supported, see the Windows Defender Antivirus documentation site.
<p style="margin-left: 20px">For more information about specific values that are supported, see the Windows Defender Antivirus documentation site.
     
> [!Note]
> This feature requires the "Join Microsoft MAPS" setting enabled in order to function.

133
windows/client-management/mdm/policy-csp-education.md Normal file
View File

@ -0,0 +1,133 @@
---
title: Policy CSP - Education
description: Policy CSP - Education
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 07/27/2017
---
# Policy CSP - Education
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## Education policies
<!--StartPolicy-->
<a href="" id="education-defaultprintername"></a>**Education/DefaultPrinterName**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
Added in Windows 10, version 1709. This policy allows IT Admins to set the user's default printer.
The policy value is expected to be the name (network host name) of an installed printer.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="education-preventaddingnewprinters"></a>**Education/PreventAddingNewPrinters**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
Added in Windows 10, version 1709. Allows IT Admins to prevent user installation of additional printers from the printers settings.
The following list shows the supported values:
- 0 (default) Allow user installation.
- 1 Prevent user installation.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="education-printernames"></a>**Education/PrinterNames**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
Added in Windows 10, version 1709. Allows IT Admins to automatically provision printers based on their names (network host names).
The policy value is expected to be a ```&#xF000;``` seperated list of printer names. The OS will attempt to search and install the matching printer driver for each listed printer.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->

20
windows/client-management/mdm/policy-csp-games.md
View File

@ -23,26 +23,6 @@ ms.date: 07/14/2017
<a href="" id="games-allowadvancedgamingservices"></a>**Games/AllowAdvancedGamingServices**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->

4
windows/client-management/mdm/surfacehub-csp.md
View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 06/19/2017
ms.date: 07/28/2017
---
# SurfaceHub CSP
@ -127,7 +127,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
<p style="margin-left: 20px">The data type is char.
<a href="" id="deviceaccount-passwordrotationperiod"></a>**DeviceAccount/PasswordRotationPeriod**
<a href="" id="deviceaccount-passwordrotationenabled"></a>**DeviceAccount/PasswordRotationEnabled**
<p style="margin-left: 20px">Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, use this setting to allow the device to manage its own password by changing it frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory (or Azure AD).
<p style="margin-left: 20px">Valid values:

4
windows/client-management/mdm/surfacehub-ddf-file.md
View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 06/19/2017
ms.date: 07/28/2017
---
# SurfaceHub DDF file
@ -281,7 +281,7 @@ The XML below is the current version for this CSP.
</DFProperties>
</Node>
<Node>
<NodeName>PasswordRotationPeriod</NodeName>
<NodeName>PasswordRotationEnabled</NodeName>
<DFProperties>
<AccessType>
<Get />

1
windows/configuration/change-history-for-configure-windows-10.md
View File

@ -21,6 +21,7 @@ This topic lists new and updated topics in the [Configure Windows 10](index.md)
| [Customize and export Start layout](customize-and-export-start-layout.md) | Added explanation for tile behavior when the app is not installed |
| [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md) | Added that Microsoft Edge is not supported for assigned access |
|[Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md)|Updated several Appraiser events and added Census.Speech. |
| [Manage connections from Windows operating system components to Microsoft-services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Updated Date & Time and Windows spotlight sections. |
## June 2017

8
windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.localizationpriority: high
author: brianlic-msft
ms.author: brianlic-msft
ms.date: 06/13/2017
ms.date: 07/28/2017
---
# Manage connections from Windows operating system components to Microsoft services
@ -296,7 +296,7 @@ After that, configure the following:
- Disable the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **System** &gt; **Enable Windows NTP Server** &gt; **Windows Time Service** &gt; **Configure Windows NTP Client**
> [!NOTE]
> This is only available on Windows 10, version 1703 and later.
> This is only available on Windows 10, version 1703 and later. If you're using Windows 10, version 1607, the Group Policy setting is **Computer Configuration** &gt; **Administrative Templates** &gt; **System** &gt; **Windows Time Service** &gt; **Time Providers** &gt; **Enable Windows NTP Client**
-or -
@ -1692,10 +1692,6 @@ If you're running Windows 10, version 1607 or later, you only need to enable the
-or-
- Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsSpotlightFeatures**, with a value of 1 (one).
-and-
- Create a new REG\_DWORD registry setting in **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsSpotlightFeatures**, with a value of 1 (one).
If you're not running Windows 10, version 1607 or later, you can use the other options in this section.

2
windows/configuration/windows-spotlight.md
View File

@ -69,6 +69,8 @@ Windows Spotlight is enabled by default. Windows 10 provides Group Policy and mo
>[!WARNING]
> In Windows 10, version 1607, the **Force a specific default lock screen image** policy setting will prevent users from changing the lock screen image. This behavior will be corrected in a future release.
>
> In Windows 10, version 1703, the **Force a specific default lock screen image** policy setting applies only intermittently and may not produce expected results. This behavior will be corrected in a future release.
![lockscreen policy details](images/lockscreenpolicy.png)

7
windows/deployment/TOC.md
View File

@ -2,10 +2,15 @@
## [What's new in Windows 10 deployment](deploy-whats-new.md)
## [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
## [Windows 10 Enterprise E3 in CSP overview](windows-10-enterprise-e3-overview.md)
## [Windows 10 Enterprise Subscription Activation](windows-10-enterprise-subscription-activation.md)
### [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md)
### [Configure VDA for Enterprise Subscription Activation](vda-subscription-activation.md)
### [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md)
## [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md)
## [Deploy Windows 10](deploy.md)
### [Overview of Windows AutoPilot](windows-10-auto-pilot.md)
### [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)
### [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md)

195
windows/deployment/deploy-enterprise-licenses.md Normal file
View File

@ -0,0 +1,195 @@
---
title: Deploy Windows 10 Enterprise licenses
description: Steps to deploy Windows 10 Enterprise licenses for Windows 10 Enterprise E3 or E5 Subscription Activation, or for Windows 10 Enterprise E3 in CSP
keywords: upgrade, update, task sequence, deploy
ms.prod: w10
ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: greg-lindsay
---
# Deploy Windows 10 Enterprise licenses
This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with [Windows 10 Enterprise Subscription Activation](windows-10-enterprise-subscription-activation.md) or [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD).
>Note: Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later.
>Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later.
Also in this article:
- [Explore the upgrade experience](#explore-the-upgrade-experience): How to upgrade devices using the deployed licenses.
- [Troubleshoot the user experience](#troubleshoot-the-user-experience): Examples of some license activation issues that can be encountered, and how to resolve them.
## Active Directory synchronization with Azure AD
You probably have on-premises Active Directory Domain Services (AD DS) domains. Users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10 Enterprise E3 or E5 licenses to users, you need to synchronize the identities in the on-premises ADDS domain with Azure AD.
You might ask why you need to synchronize these identities. The answer is so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Enterprise E3 or E5). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them.
**Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](http://www.microsoft.com/en-us/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure.
![Illustration of Azure Active Directory Connect](images/enterprise-e3-ad-connect.png)
**Figure 1. On-premises AD DS integrated with Azure AD**
For more information about integrating on-premises AD DS domains with Azure AD, see the following resources:
- [Integrating your on-premises identities with Azure Active Directory](http://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/)
- [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/)
## Preparing for deployment: reviewing requirements
Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic.
## Assigning licenses to users
Upon acquisition of Windows 10 subscription has been completed (Windows 10 Business, E3 or E5), customers will receive an email that will provide guidance on how to use Windows as an online service:
![profile](images/al01.png)
The following methods are available to assign licenses:
1. When you have the required Azure AD subscription, [group-based licensing](https://docs.microsoft.com/azure/active-directory/active-directory-licensing-whatis-azure-portal) is the preferred method to assign Enterprise E3 or E5 licenses to users.
2. You can sign in to portal.office.com and manually assign licenses:
![portal](images/al02.png)
3. You can assign licenses by uploading a spreadsheet.
4. A per-user [PowerShell scripted method](http://social.technet.microsoft.com/wiki/contents/articles/15905.how-to-use-powershell-to-automatically-assign-licenses-to-your-office-365-users.aspx) of assigning licenses is available.
5. Organizations can use synchronized [AD groups](https://ronnydejong.com/2015/03/04/assign-ems-licenses-based-on-local-active-directory-group-membership/) to automatically assign licenses.
## Explore the upgrade experience
Now that your subscription has been established and Windows 10 Enterprise E3 or E5 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro, version 1703 edition to Windows 10 Enterprise edition. So what will the users experience? How will they upgrade their devices?
### Step 1: Join users devices to Azure AD
Users can join a device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1703.
**To join a device to Azure AD the first time the device is started**
1. During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then click **Next**, as illustrated in **Figure 2**.
<img src="images/enterprise-e3-who-owns.png" alt="Who owns this PC? page in Windows 10 setup" width="624" height="351" />
**Figure 2. The “Who owns this PC?” page in initial Windows 10 setup**
2. On the **Choose how youll connect** page, select **Join Azure AD**, and then click **Next**, as illustrated in **Figure 3**.
<img src="images/enterprise-e3-choose-how.png" alt="Choose how you'll connect - page in Windows 10 setup" width="624" height="351" />
**Figure 3. The “Choose how youll connect” page in initial Windows 10 setup**
3. On the **Lets get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 4**.
<img src="images/enterprise-e3-lets-get.png" alt="Let's get you signed in - page in Windows 10 setup" width="624" height="351" />
**Figure 4. The “Lets get you signed in” page in initial Windows 10 setup**
Now the device is Azure AD joined to the companys subscription.
**To join a device to Azure AD when the device already has Windows 10 Pro, version 1703 installed and set up**
1. Go to **Settings &gt; Accounts &gt; Access work or school**, as illustrated in **Figure 5**.
<img src="images/enterprise-e3-connect-to-work-or-school.png" alt="Connect to work or school configuration" width="624" height="482" />
**Figure 5. Connect to work or school configuration in Settings**
2. In **Set up a work or school account**, click **Join this device to Azure Active Directory**, as illustrated in **Figure 6**.
<img src="images/enterprise-e3-set-up-work-or-school.png" alt="Set up a work or school account" width="624" height="603" />
**Figure 6. Set up a work or school account**
3. On the **Lets get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 7**.
<img src="images/enterprise-e3-lets-get-2.png" alt="Let's get you signed in - dialog box" width="624" height="603" />
**Figure 7. The “Lets get you signed in” dialog box**
Now the device is Azure AD joined to the companys subscription.
### Step 2: Sign in using Azure AD account
Once the device is joined to your Azure AD subscription, the user will sign in by using his or her Azure AD account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 or E5 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device.
<img src="images/enterprise-e3-sign-in.png" alt="Sign in, Windows 10" width="624" height="351" />
**Figure 8. Sign in by using Azure AD account**
### Step 3: Verify that Enterprise edition is enabled
You can verify the Windows 10 Enterprise E3 or E5 subscription in **Settings &gt; Update & Security &gt; Activation**, as illustrated in **Figure 9**.
<span id="win-10-activated-subscription-active"/>
<img src="images/enterprise-e3-win-10-activated-enterprise-subscription-active.png" alt="Windows 10 activated and subscription active" width="624" height="407" />
<BR>**Figure 9 - Windows 10 Enterprise subscription in Settings** <BR>
If there are any problems with the Windows 10 Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process.
## Virtual Desktop Access (VDA)
Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx).
Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Enterprise Subscription Activation](vda-subscription-activation.md).
## Troubleshoot the user experience
In some instances, users may experience problems with the Windows 10 Enterprise E3 or E5 subscription. The most common problems that users may experience are as follows:
- The existing Windows 10 Pro, version 1703 operating system is not activated.
- The Windows 10 Enterprise E3 or E5 subscription has lapsed or has been removed.
Use the following figures to help you troubleshoot when users experience these common problems:
- [Figure 9](#win-10-activated-subscription-active) (above) illustrates a device in a healthy state, where Windows 10 Pro is activated and the Windows 10 Enterprise subscription is active.
- [Figure 10](#win-10-not-activated) (below) illustrates a device on which Windows 10 Pro is not activated, but the Windows 10 Enterprise subscription is active.
- [Figure 11](#subscription-not-active) (below) illustrates a device on which Windows 10 Pro is activated, but the Windows 10 Enterprise subscription is lapsed or removed.
- [Figure 12](#win-10-not-activated-subscription-not-active) (below) illustrates a device on which Windows 10 Pro license is not activated and the Windows 10 Enterprise subscription is lapsed or removed.
<BR>
<span id="win-10-not-activated"/>
<img src="images/enterprise-e3-win-10-not-activated-enterprise-subscription-active.png" alt="Windows 10 not activated and subscription active" width="624" height="407" />
<BR>**Figure 10 - Windows 10 Pro, version 1703 edition not activated in Settings**<BR>
<BR>
<span id="subscription-not-active"/>
<img src="images/enterprise-e3-win-10-activated-enterprise-subscription-not-active.png" alt="Windows 10 activated and subscription not active" width="624" height="407" />
<BR>**Figure 11 - Windows 10 Enterprise subscription lapsed or removed in Settings**<BR>
<BR>
<span id="win-10-not-activated-subscription-not-active"/>
<img src="images/enterprise-e3-win-10-not-activated-enterprise-subscription-not-active.png" alt="Windows 10 not activated and subscription not active" width="624" height="407" />
<BR>**Figure 12 - Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings**<BR>
### Review requirements on devices
Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements.
**To determine if a device is Azure Active Directory joined:**
1. Open a command prompt and type **dsregcmd /status**.
2. Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory joined.
**To determine the version of Windows 10:**
- At a command prompt, type:
**winver**
A popup window will display the Windows 10 version number and detailed OS build information.
If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal.

13
windows/deployment/deploy-whats-new.md
View File

@ -26,13 +26,21 @@ This topic provides an overview of new solutions and online content related to d
## Windows 10 Enterprise upgrade
Windows 10 version 1703 includes a Windows 10 Enterprise E3 and E5 benefit to Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA). These customers can now subscribe users to Windows 10 Enterprise E3 or E5 and activate their subscriptions on up to five devices. Virtual machines can also be activated. For more information, see [Windows 10 Enterprise Subscription Activation](windows-10-enterprise-subscription-activation.md).
Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise to their users. With Windows 10 Enterprise E3 in CSP, small and medium-sized organizations can more easily take advantage of Windows 10 Enterprise features.
For more information, see [Windows 10 Enterprise E3 in CSP Overview](windows-10-enterprise-e3-overview.md)
For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md)
## Deployment solutions and tools
### Windows AutoPilot
Windows AutoPilot streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows AutoPilot to reset, repurpose and recover devices.
Windows AutoPilot joins devices to Azure Active Directory (Azure AD), optionally enrolls into MDM services, configures security policies, and sets a custom out-of-box-experience (OOBE) for the end user. For more information, see [Overview of Windows AutoPilot](windows-10-auto-pilot.md).
### Upgrade Readiness
The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017.
@ -55,6 +63,9 @@ Update Compliance is a solution built using OMS Logs and Analytics that provides
For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md).
### Device Health
Device Health is the newest Windows Analytics solution that complements the existing Upgrade Readiness and Update Compliance solutions by helping to identify devices crashes and the cause. Device drivers that are causing crashes are identified along with alternative drivers that might reduce the number of crashes. Windows Information Protection misconfigurations are also identified. For more information, see [Monitor the health of devices with Device Health](update/device-health-monitor.md)
### MBR2GPT

BIN
windows/deployment/images/al01.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 82 KiB

BIN
windows/deployment/images/al02.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 72 KiB

3
windows/deployment/index.md
View File

@ -17,7 +17,7 @@ Learn about deployment in Windows 10 for IT professionals. This includes deploy
|------|------------|
|[What's new in Windows 10 deployment](deploy-whats-new.md) |See this topic for a summary of new features and some recent changes related to deploying Windows 10 in your organization. |
|[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) |To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task. |
|[Windows 10 Enterprise E3 in CSP overview](windows-10-enterprise-e3-overview.md) |Windows 10 Enterprise E3 in CSP is a new offering that delivers, by subscription, exclusive features reserved for Windows 10 Enterprise edition. |
|[Windows 10 Enterprise Activation Subscription](windows-10-enterprise-activation-subscription.md) |Windows 10 Enterprise has traditionally been sold as on premises software, however, with Windows 10 version 1703 (also known as the Creators Update), both Windows 10 Enterprise E3 and Windows 10 Enterprise E5 are available as true online services via subscription. You can move from Windows 10 Pro to Windows 10 Enterprise with no keys and no reboots. If you are using a Cloud Service Providers (CSP) see the related topic: [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md). |
|[Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) |This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. |
@ -27,6 +27,7 @@ Windows 10 upgrade options are discussed and information is provided about plann
|Topic |Description |
|------|------------|
|[Overview of Windows AutoPilot](windows-10-auto-pilot.md) |Windows AutoPilot deployment is a new cloud service from Microsoft that provides a zero touch experience for deploying Windows 10 devices. |
|[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |This topic provides information about support for upgrading directly to Windows 10 from a previous operating system. |
|[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |This topic provides information about support for upgrading from one edition of Windows 10 to another. |
|[Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows telemetry enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. |

88
windows/deployment/vda-subscription-activation.md Normal file
View File

@ -0,0 +1,88 @@
---
title: Configure VDA for Enterprise Subscription Activation
description: How to enable Windows 10 Enterprise E3 and E5 subscriptions for VDA
keywords: upgrade, update, task sequence, deploy
ms.prod: w10
ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: greg-lindsay
---
# Configure VDA for Enterprise Subscription Activation
This document describes how to configure virtual machines (VMs) to enable [Windows 10 Enterprise Subscription Activation](windows-10-enterprise-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based license.
## Requirements
- VMs must be running Windows 10 Pro, version 1703 (also known as the Creator's Update) or later.
- VMs must be Active Directory-joined or Azure Active Directory-joined.
- VMs must be generation 1.
- VMs must hosted by a [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx).
## Active Directory-joined VMs
1. Use the following instructions to prepare the VM for Azure: [Prepare a Windows VHD or VHDX to upload to Azure](https://docs.microsoft.com/azure/virtual-machines/windows/prepare-for-upload-vhd-image)
2. (Optional) To disable network level authentication, type the following at an elevated command prompt:
```
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
```
3. At an elevated command prompt, type **sysdm.cpl** and press ENTER.
4. On the Remote tab, choose **Allow remote connections to this computer** and then click **Select Users**.
5. Click **Add**, type **Authenticated users**, and then click **OK** three times.
6. Follow the instructions to use sysprep at [Steps to generalize a VHD](https://docs.microsoft.com/azure/virtual-machines/windows/prepare-for-upload-vhd-image#steps-to-generalize-a-vhd).
7. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd).
8. Open Windows Configuration Designer and click **Provison desktop services**.
9. Under **Name**, type **Desktop AD Enrollment Pro GVLK**, click **Finish**, and then on the **Set up device** page enter a device name.
- Note: You can use a different project name, but this name is also used with dism.exe in a subsequent step.
10. Under **Enter product key** type the Pro GVLK key: **W269N-WFGWX-YVC9B-4J6C9-T83GX**.
11. On the Set up network page, choose **Off**.
12. On the Account Management page, choose **Enroll into Active Directory** and then enter the account details.
- Note: This step is different for [Azure AD-joined VMs](#azure-active-directory-joined-vms).
13. On the Add applications page, add applications if desired. This step is optional.
14. On the Add certificates page, add certificates if desired. This step is optional.
15. On the Finish page, click **Create**.
16. In file explorer, double-click the VHD to mount the disk image. Determine the drive letter of the mounted image.
17. Type the following at an elevated commnand prompt. Replace the letter **G** with the drive letter of the mounted image, and enter the project name you used if it is different than the one suggested:
```
Dism.exe /Image=G:\ /Add-ProvisioningPackage /PackagePath: "Desktop AD Enrollment Pro GVLK.ppkg"
```
18. Right-click the mounted image in file explorer and click **Eject**.
19. See instructions at [Upload and create VM from generalized VHD](https://docs.microsoft.com/azure/virtual-machines/windows/upload-generalized-managed#log-in-to-azure) to log in to Azure, get your storage account details, upload the VHD, and create a managed image.
## Azure Active Directory-joined VMs
>[!IMPORTANT]
>Azure Active Directory (Azure AD) provisioning packages have a 30 day limit on bulk token usage. You will need to update the provisioning package and re-inject it into the image after 30 days. Existing virtual machines that are Azure AD-joined and deployed will not need to be recreated.
For Azure AD-joined VMs, follow the same instructions (above) as for [Active Directory-joined VMs](#active-directory-joined-vms) with the following exceptions:
- In step 9, during setup with Windows Configuration Designer, under **Name**, type a name for the project that indicates it is not for Active Directory joined VMs, such as **Desktop Bulk Enrollment Token Pro GVLK**.
- In step 12, during setup with Windows Configuration Designer, on the Account Management page, instead of enrolling in Active Directory, choose **Enroll in Azure AD**, click **Get Bulk Token**, sign in and add the bulk token using your organization's credentials.
- In step 17, when entering the PackagePath, use the project name you entered in step 9 (ex: **Desktop Bulk Enrollment Token Pro GVLK.ppkg**)
- When attempting to access the VM using remote desktop, you will need to create a custom RDP settings file as described below.
To create custom RDP settings for Azure:
1. Open Remote Desktop Connection and enter the IP address or DNS name for the remote host.
2. Click **Show Options**, and then under Connection settings click **Save As** and save the RDP file to the location where you will use it.
3. Close the Remote Desktop Connection window and open Notepad.
4. Drag the RDP file into the Notepad window to edit it.
5. Enter or replace the line that specifies authentication level with the following two lines of text:
```text
enablecredsspsupport:i:0
authentication level:i:2
```
6. **enablecredsspsupport** and **authentication level** should each appear only once in the file.
7. Save your changes, and then use this custom RDP file with your Azure AD credentials to connect to the Azure VM.
## Related topics
[Windows 10 Enterprise Subscription Activation](windows-10-enterprise-subscription-activation.md)
<BR>[Recommended settings for VDI desktops](https://docs.microsoft.com/windows-server/remote/remote-desktop-services/rds-vdi-recommendations)
<BR>[Licensing the Windows Desktop for VDI Environments](http://download.microsoft.com/download/1/1/4/114A45DD-A1F7-4910-81FD-6CAF401077D0/Microsoft%20VDI%20and%20VDA%20FAQ%20v3%200.pdf)

160
windows/deployment/windows-10-enterprise-e3-overview.md
View File

@ -1,5 +1,5 @@
---
title: Windows 10 Enterprise E3 in CSP overview
title: Windows 10 Enterprise E3 in CSP
description: Describes Windows 10 Enterprise E3, an offering that delivers, by subscription, the features of Windows 10 Enterprise edition.
keywords: upgrade, update, task sequence, deploy
ms.prod: w10
@ -10,12 +10,11 @@ ms.pagetype: mdt
author: greg-lindsay
---
# Windows 10 Enterprise E3 in CSP overview
# Windows 10 Enterprise E3 in CSP
Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Windows 10 Enterprise E3 in CSP is a new offering that delivers, by subscription, exclusive features reserved for Windows 10 Enterprise edition. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows 10 Enterprise E3 in CSP provides a flexible, per-user subscription for small- and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, you must have the following:
- Windows 10 Pro, version 1607 (also known as Windows 10 Anniversary Update) or later installed on the devices to be upgraded
- Azure Active Directory (Azure AD) available for identity management
Starting with Windows 10, version 1607 (Windows 10 Anniversary Update), you can move from Windows 10 Pro to Windows 10 Enterprise more easily than ever before—no keys and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise and all the appropriate Windows 10 Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Windows 10 Enterprise device seamlessly steps back down to Windows 10 Pro.
@ -134,151 +133,9 @@ Windows 10 Enterprise edition has a number of features that are unavailable in
</tbody>
</table>
## Preparing for deployment of Windows 10 Enterprise E3 licenses
## Deployment of Windows 10 Enterprise E3 licenses
You probably have on-premises Active Directory Domain Services (AD DS) domains. Users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10 Enterprise E3 licenses to users, you need to synchronize the identities in the on-premises AD DS domain with Azure AD.
You might ask why you need to synchronize these identities. The answer is so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Enterprise E3). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them.
**Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](http://www.microsoft.com/en-us/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure.
![Illustration of Azure Active Directory Connect](images/enterprise-e3-ad-connect.png)
**Figure 1. On-premises AD DS integrated with Azure AD**
For more information about integrating on-premises AD DS domains with Azure AD, see the following resources:
- [Integrating your on-premises identities with Azure Active Directory](http://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/)
- [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/)
### Preparing for deployment: reviewing requirements
Devices must be running Windows 10 Pro, version 1607, and be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic.
<!-- Watch the preceding link if you divide this into multiple topics. -->
## Explore the upgrade experience
Now that your subscription has been established (by the partner who you work with) and Windows 10 Enterprise E3 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro, version 1607 edition to Windows 10 Enterprise edition. So what will the users experience? How will they upgrade their devices?
### Step 1: Join users devices to Azure AD
Users can join a device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1607.
**To join a device to Azure AD the first time the device is started**
1. During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then click **Next**, as illustrated in **Figure 2**.
<img src="images/enterprise-e3-who-owns.png" alt="Who owns this PC? page in Windows 10 setup" width="624" height="351" />
**Figure 2. The “Who owns this PC?” page in initial Windows 10 setup**
2. On the **Choose how youll connect** page, select **Join Azure AD**, and then click **Next**, as illustrated in **Figure 3**.
<img src="images/enterprise-e3-choose-how.png" alt="Choose how you'll connect - page in Windows 10 setup" width="624" height="351" />
**Figure 3. The “Choose how youll connect” page in initial Windows 10 setup**
3. On the **Lets get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 4**.
<img src="images/enterprise-e3-lets-get.png" alt="Let's get you signed in - page in Windows 10 setup" width="624" height="351" />
**Figure 4. The “Lets get you signed in” page in initial Windows 10 setup**
Now the device is Azure AD joined to the companys subscription.
**To join a device to Azure AD when the device already has Windows 10 Pro, version 1607 installed and set up**
1. Go to **Settings &gt; Accounts &gt; Access work or school**, as illustrated in **Figure 5**.
<img src="images/enterprise-e3-connect-to-work-or-school.png" alt="Connect to work or school configuration" width="624" height="482" />
**Figure 5. Connect to work or school configuration in Settings**
2. In **Set up a work or school account**, click **Join this device to Azure Active Directory**, as illustrated in **Figure 6**.
<img src="images/enterprise-e3-set-up-work-or-school.png" alt="Set up a work or school account" width="624" height="603" />
**Figure 6. Set up a work or school account**
3. On the **Lets get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 7**.
<img src="images/enterprise-e3-lets-get-2.png" alt="Let's get you signed in - dialog box" width="624" height="603" />
**Figure 7. The “Lets get you signed in” dialog box**
Now the device is Azure AD joined to the companys subscription.
### Step 2: Sign in using Azure AD account
Once the device is joined to your Azure AD subscription, the user will sign in by using his or her Azure AD account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device.
<img src="images/enterprise-e3-sign-in.png" alt="Sign in, Windows 10" width="624" height="351" />
**Figure 8. Sign in by using Azure AD account**
### Step 3: Verify that Enterprise edition is enabled
You can verify the Windows 10 Enterprise E3 subscription in **Settings &gt; Update & Security &gt; Activation**, as illustrated in **Figure 9**.
<span id="win-10-activated-subscription-active"/>
#### Figure 9 - Windows 10 Enterprise E3 subscription in Settings
<img src="images/enterprise-e3-win-10-activated-enterprise-subscription-active.png" alt="Windows 10 activated and subscription active" width="624" height="407" />
If there are any problems with the Windows 10 Enterprise E3 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process.
## Troubleshoot the user experience
In some instances, users may experience problems with the Windows 10 Enterprise E3 subscription. The most common problems that users may experience are as follows:
- The existing Windows 10 Pro, version 1607 operating system is not activated.
- The Windows 10 Enterprise E3 subscription has lapsed or has been removed.
Use the following figures to help you troubleshoot when users experience these common problems:
- [Figure 9](#win-10-activated-subscription-active) illustrates a device in a healthy state, where Windows 10 Pro, version 1607 is activated and the Windows 10 Enterprise E3 subscription is active.
- [Figure 10](#win-10-not-activated) illustrates a device on which Windows 10 Pro, version 1607 is not activated, but the Windows 10 Enterprise E3 subscription is active.
- [Figure 11](#subscription-not-active) illustrates a device on which Windows 10 Pro, version 1607 is activated, but the Windows 10 Enterprise E3 subscription is lapsed or removed.
- [Figure 12](#win-10-not-activated-subscription-not-active) illustrates a device on which Windows 10 Pro, version 1607 license is not activated and the Windows 10 Enterprise E3 subscription is lapsed or removed.
<span id="win-10-not-activated"/>
### Figure 10 - Windows 10 Pro, version 1607 edition not activated in Settings
<img src="images/enterprise-e3-win-10-not-activated-enterprise-subscription-active.png" alt="Windows 10 not activated and subscription active" width="624" height="407" /><br><br>
<span id="subscription-not-active"/>
### Figure 11 - Windows 10 Enterprise E3 subscription lapsed or removed in Settings
<img src="images/enterprise-e3-win-10-activated-enterprise-subscription-not-active.png" alt="Windows 10 activated and subscription not active" width="624" height="407" /><br><br>
<span id="win-10-not-activated-subscription-not-active"/>
### Figure 12 - Windows 10 Pro, version 1607 edition not activated and Windows 10 Enterprise E3 subscription lapsed or removed in Settings
<img src="images/enterprise-e3-win-10-not-activated-enterprise-subscription-not-active.png" alt="Windows 10 not activated and subscription not active" width="624" height="407" /><br><br>
### Review requirements on devices
Devices must be running Windows 10 Pro, version 1607, and be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements.
**To determine if a device is Azure Active Directory joined:**
1. Open a command prompt and type **dsregcmd /status**.
2. Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory joined.
**To determine the version of Windows 10:**
- At a command prompt, type:
**winver**
A popup window will display the Windows 10 version number and detailed OS build information.
If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal.
See [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md).
## Deploy Windows 10 Enterprise features
@ -389,8 +246,7 @@ The Managed User Experience feature is a set of Windows 10 Enterprise edition f
## Related topics
[Connect domain-joined devices to Azure AD for Windows 10 experiences](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-devices-group-policy/)
[Compare Windows 10 editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare)
[Windows for business](https://www.microsoft.com/en-us/windowsforbusiness/default.aspx)
[Windows 10 Enterprise Subscription Activation](windows-10-enterprise-subscription-activation.md)
<BR>[Connect domain-joined devices to Azure AD for Windows 10 experiences](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-devices-group-policy/)
<BR>[Compare Windows 10 editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare)
<BR>[Windows for business](https://www.microsoft.com/en-us/windowsforbusiness/default.aspx)

127
windows/deployment/windows-10-enterprise-subscription-activation.md Normal file
View File

@ -0,0 +1,127 @@
---
title: Windows 10 Enterprise Subscription Activation
description: How to enable Windows 10 Enterprise E3 and E5 subscriptions
keywords: upgrade, update, task sequence, deploy
ms.prod: w10
ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: greg-lindsay
---
# Windows 10 Enterprise Subscription Activation
With Windows 10 version 1703 (also known as the Creators Update), both Windows 10 Enterprise E3 and Windows 10 Enterprise E5 are available as online services via subscription. Deploying [Windows 10 Enterprise](planning/windows-10-enterprise-faq-itpro.md) in your organization can now be accomplished with no keys and no reboots.
If you are running Windows 10 version 1703 or later:
- Devices with a current Windows 10 Pro license can be seamlessly upgraded to Windows 10 Enterprise.
- Product key-based Windows 10 Enterprise software licenses can be transitioned to Windows 10 Enterprise subscriptions.
Organizations that have an Enterprise agreement can also benefit from the new service, using traditional Active Directory-joined devices. In this scenario, the Active Directory user that signs in on their device must be synchronized with Azure AD using [Azure AD Connect Sync](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-whatis).
See the following topics in this article:
- [Requirements](#requirements): Prerequisites to use the Windows 10 Enterprise subscription model.
- [Benefits](#benefits): Advantages of Windows 10 Enterprise + subscription-based licensing.
- [How it works](#how-it-works): A summary of the subscription-based licensing option.
- [Virtual Desktop Access (VDA)](#virtual-desktop-access-vda): Enable Windows 10 Enterprise Subscription Activation for VMs in the cloud.
For information on how to deploy Windows 10 Enterprise licenses, see [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md).
## Requirements
For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following:
- Windows 10 (Pro or Enterprise) version 1703 or later installed on the devices to be upgraded
- Azure Active Directory (Azure AD) available for identity management
- Devices must be Azure AD-joined or Active Directory joined with Azure AD Connect. Workgroup-joined devices are not supported.
For Microsoft customers that do not have EA or MPSA, you can obtain Windows 10 Enterprise E3 or E5 through a cloud solution provider (CSP). Identity management and device equirements are the same when you use CSP to manage licenses, with the exception that Windows 10 Enterprise E3 is also available through CSP to devices running Windows 10, version 1607. For more information about obtaining Windows 10 Enterprise E3 through your CSP, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md).
If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade benefits for Windows Cloud Subscriptions in CSP](https://blogs.windows.com/business/2017/01/19/new-windows-10-upgrade-benefits-windows-cloud-subscriptions-csp/)
## Benefits
With Windows 10 Enterprise, businesses can benefit from enterprise-level security and control. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise E3 or E5 to their users. Now, with Windows 10 Enterprise E3 and E5 being available as a true online service, it is available in every channel thus allowing all organizations to take advantage of enterprise grade Windows 10 features. To compare Windows 10 editions and review pricing, see the following:
- [Compare Windows 10 editions](https://www.microsoft.com/en-us/windowsforbusiness/compare)
- [Enterprise Mobility + Security Pricing Options](https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security-pricing)
You can benefit by moving to Windows as an online service in the following ways:
1. Licenses for Windows 10 Enterprise are checked based on Azure Active Directory (Azure AD) credentials, so now businesses have a systematic way to assign licenses to end users and groups in their organization.
2. Azure AD logon triggers a silent edition upgrade, with no reboot required
3. Support for mobile worker/BYOD activation; transition away from on-prem KMS and MAK keys.
4. Compliance support via seat assignment.
## How it works
When a licensed user signs in to a device that meets requirements using the Azure AD credentials associated with a Windows 10 Enterprise E3 or E5 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise and all the appropriate Windows 10 Enterprise features are unlocked. When a users subscription expires or is transferred to another user, the Windows 10 Enterprise device reverts seamlessly to Windows 10 Pro edition, after a grace period of up to 90 days.
Devices currently running Windows 10 Pro, version 1703 can get Windows 10 Enterprise Semi-Annual Channel on up to five devices for each user covered by the license. This benefit does not include Long Term Servicing Channel.
### Licenses
The following policies apply to acquisition and renewal of licenses on devices:
- Devices that have been upgraded will attempt to acquire licenses every 30 days, and must be connected to the Internet to be successful.
- Licenses are valid for 90 days. If a device is disconnected from the Internet until its current license expires, the operating system will revert to Windows 10 Pro. As soon as the device is connected to the Internet again, the license will automatically renew assuming the device is still present on list of user devices.
- Up to five devices can be upgraded for each user license.
- The list of devices is chronological and cannot be manually modified.
- If a device meets requirements and a licensed user signs in on that device, it will be upgraded.
- If five devices are already on the list and a subscribed user signs in on a sixth device, then this new device is added to the end of the list and the first device is removed.
- Devices that are removed from the list will cease trying to acquire a license and revert to Windows 10 Pro when the grace period expires.
Licenses can also be reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs.
When you have the required Azure AD subscription, group-based licensing is the preferred method to assign Enterprise E3 and E5 licenses to users. For more information, see [Group-based licensing basics in Azure AD](https://docs.microsoft.com/azure/active-directory/active-directory-licensing-whatis-azure-portal).
### Existing Enterprise deployments
If you have already deployed Windows 10 Enterprise, but you want to move away from depending on KMS servers and MAK keys for Windows client machines, you are able to seamlessly transition as long as the computer has been activated with a firmware-embedded Windows 10 Pro product key.
If the computer has never been activated with a Pro key, run the following script. Copy the text below into a .cmd file and run the file from an elevated command prompt:
<pre style="overflow-y: visible">
@echo off
FOR /F "skip=1" %%A IN ('wmic path SoftwareLicensingService get OA3xOriginalProductKey') DO (
SET "ProductKey=%%A"
goto InstallKey
)
:InstallKey
IF [%ProductKey%]==[] (
echo No key present
) ELSE (
echo Installing %ProductKey%
changepk.exe /ProductKey %ProductKey%
)
</pre>
### Obtaining an Azure AD licence
Enterprise Agreement/Software Assurance (EA/SA):
- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD (ideally to groups using the new Azure AD Premium feature for group assignment).
- The license administrator can assign seats to Azure AD users with the same process that is used for O365.
- New EA/SA Windows Enterprise customers can acquire both an SA subscription and an associated $0 cloud subscription.
Microsoft Products & Services Agreements (MPSA):
- Organizations with MPSA are automatically emailed the details of the new service. They must take steps to process the instructions.
- Existing MPSA customers will receive service activation emails that allow their customer administrator to assign users to the service.
- New MPSA customers who purchase the Software Subscription Windows Enterprise E3 and E5 will be enabled for both the traditional key-based and new subscriptions activation method.
### Deploying licenses
See [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md).
## Virtual Desktop Access (VDA)
Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx).
Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Enterprise Subscription Activation](vda-subscription-activation.md).
## Related topics
[Connect domain-joined devices to Azure AD for Windows 10 experiences](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-devices-group-policy/)
<BR>[Compare Windows 10 editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare)
<BR>[Windows for business](https://www.microsoft.com/en-us/windowsforbusiness/default.aspx)

1
windows/device-security/TOC.md
View File

@ -650,6 +650,7 @@
## [Trusted Platform Module](tpm/trusted-platform-module-top-node.md)
### [Trusted Platform Module Overview](tpm/trusted-platform-module-overview.md)
### [TPM fundamentals](tpm/tpm-fundamentals.md)
### [How Windows 10 uses the TPM](tpm/how-windows-uses-the-tpm.md)
### [TPM Group Policy settings](tpm/trusted-platform-module-services-group-policy-settings.md)
### [Back up the TPM recovery information to AD DS](tpm/backup-tpm-recovery-information-to-ad-ds.md)
### [Manage TPM commands](tpm/manage-tpm-commands.md)

6
windows/device-security/change-history-for-device-security.md
View File

@ -11,6 +11,12 @@ author: brianlic-msft
# Change history for device security
This topic lists new and updated topics in the [Device security](index.md) documentation.
## July 2017
|New or changed topic |Description |
|---------------------|------------|
| [How Windows 10 uses the Trusted Platform Module](tpm/how-windows-uses-the-tpm.md) | New TPM security topic. |
## May 2017
|New or changed topic |Description |
|---------------------|------------|

15
windows/device-security/security-policy-settings/accounts-administrator-account-status.md
View File

@ -18,18 +18,17 @@ Describes the best practices, location, values, and security considerations for
## Reference
This security setting determines whether the local administrator account is enabled or disabled.
This security setting determines whether the local Administrator account is enabled or disabled.
If you try to enable the administrator account after it has been disabled, and if the current administrator password does not meet the password requirements, you cannot enable the account. In this case, an alternative member of the Administrators group must reset the password on the administrator account.
The following conditions prevent disabling the Administrator account, even if this security setting is disabled.
If you disable this policy setting, and one of the following conditions exists on the computer, the administrator account is not disabled.
1. No other local administrator account exists
2. The administrator account is currently in use
3. All other local administrator accounts are:
1. The Administrator account is currently in use
2. The Administrators group has no other members
3. All other members of the Administrators group are:
1. Disabled
2. Listed in the [Deny log on locally](deny-log-on-locally.md) User Rights Assignment
If the current administrator password does not meet the password requirements, you will not be able to enable the administrator account again after it has been disabled. In this case, another member of the Administrators group must set the password on the administrator account.
If the Administrator account is disabled, you cannot enable it if the password does not meet requirements. In this case, another member of the Administrators group must reset the password.
### Possible values
- Enabled
@ -51,12 +50,14 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not defined |
| Default Domain Controller Policy |Not defined |
| Stand-Alone Server Default Settings | Enabled |
| DC Effective Default Settings | Enabled |
| Member Server Effective Default Settings | Enabled |
| Client Computer Effective Default Settings | Disabled |
 
## Policy management

4
windows/device-security/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md
View File

@ -24,11 +24,11 @@ This policy setting allows a client device to require the negotiation of 128-bit
- Require NTLMv2 session security
The connection fails if strong encryption (128-bit) is not negotiated.
The connection fails if the NTLMv2 protocol is not negotiated.
- Require 128-bit encryption
The connection fails if the NTLMv2 protocol is not negotiated.
The connection fails if strong encryption (128-bit) is not negotiated.
### Best practices

3
windows/device-security/security-policy-settings/security-options.md
View File

@ -53,7 +53,8 @@ For info about setting security policies, see [Configure security policy setting
| [Domain member: Maximum machine account password age](domain-member-maximum-machine-account-password-age.md) |Describes the best practices, location, values, and security considerations for the **Domain member: Maximum machine account password age** security policy setting.|
|[Domain member: Require strong (Windows 2000 or later) session key](domain-member-require-strong-windows-2000-or-later-session-key.md)| Describes the best practices, location, values, and security considerations for the **Domain member: Require strong (Windows 2000 or later) session key** security policy setting. |
| [Interactive logon: Display user information when the session is locked](interactive-logon-display-user-information-when-the-session-is-locked.md)| Describes the best practices, location, values, and security considerations for the **Interactive logon: Display user information when the session is locked** security policy setting. |
| [Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md)| Describes the best practices, location, values, and security considerations for the **Interactive logon: Do not display last user name** security policy setting.|
| [Interactive logon: Don't display last signed-in](interactive-logon-do-not-display-last-user-name.md)| Describes the best practices, location, values, and security considerations for the **Interactive logon: Don't display last signed-in** security policy setting.|
| [Interactive logon: Don't display username at sign-in](interactive-logon-dont-display-username-at-sign-in.md)| Describes the best practices, location, values, and security considerations for the **Interactive logon: Do not display username at sign-in** security policy setting.|
| [Interactive logon: Do not require CTRL+ALT+DEL](interactive-logon-do-not-require-ctrl-alt-del.md)| Describes the best practices, location, values, and security considerations for the **Interactive logon: Do not require CTRL+ALT+DEL** security policy setting.|
| [Interactive logon: Machine account lockout threshold](interactive-logon-machine-account-lockout-threshold.md) | Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Machine account lockout threshold** security policy setting.|
| [Interactive logon: Machine inactivity limit](interactive-logon-machine-inactivity-limit.md)| Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Machine inactivity limit** security policy setting.|

2
windows/device-security/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md
View File

@ -9,7 +9,7 @@ ms.pagetype: security
author: brianlic-msft
---
# Shutdown: Clear virtual memory pagefile - security policy setting
# Shutdown: Clear virtual memory pagefile
**Applies to**
- Windows 10

159
windows/device-security/tpm/how-windows-uses-the-tpm.md Normal file
View File

@ -0,0 +1,159 @@
---
title: How Windows uses the TPM
description: This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it to enhance security.
ms.assetid: 0f7e779c-bd25-42a8-b8c1-69dfb54d0c7f
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
localizationpriority: high
author: brianlic-msft
---
# How Windows 10 uses the Trusted Platform Module
The Windows 10 operating system improves most existing security features in the operating system and adds groundbreaking new security features such as Device Guard and Windows Hello for Business. It places hardware-based security deeper inside the operating system than previous Windows versions had done, maximizing platform security while increasing usability. To achieve many of these security enhancements, Windows 10 makes extensive use of the Trusted Platform Module (TPM). This article offers a brief overview of the TPM, describes how it works, and discusses the benefits that TPM brings to Windows 10—as well as the cumulative security impact of running Windows 10 on a PC that contains a TPM.
**See also:**
- [Windows 10 Specifications](https://www.microsoft.com/windows/windows-10-specifications)
- [TPM Fundamentals](tpm-fundamentals.md)
- [TPM Recommendations](tpm-recommendations.md)
## TPM Overview
The TPM is a cryptographic module that enhances computer security and privacy. Protecting data through encryption and decryption, protecting authentication credentials, and proving which software is running on a system are basic functionalities associated with computer security. The TPM helps with all these scenarios and more.
Historically, TPMs have been discrete chips soldered to a computers motherboard. Such implementations allow the computers original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Although discrete TPM implementations are still common, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips.
TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platforms owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, a TPM must be provisioned. Windows 10 automatically provisions a TPM, but if the user reinstalls the operating system, he or she may need to tell the operating system to explicitly provision the TPM again before it can use all the TPMs features.
The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards that support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone cannot achieve. For example, software alone cannot reliably report whether malware is present during the system startup process. The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust—that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key *truly cannot leave the TPM*.
The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs, whereas others do not.
Certification programs for TPMs—and technology in general—continue to evolve as the speed of innovation increases. Although having a TPM is clearly better than not having a TPM, Microsofts best advice is to determine your organizations security needs and research any regulatory requirements associated with procurement for your industry. The result is a balance between scenarios used, assurance level, cost, convenience, and availability.
## TPM in Windows 10
The security features of Windows 10 combined with the benefits of a TPM offer practical security and privacy benefits. The following sections start with major TPM-related security features in Windows 10 and go on to describe how key technologies use the TPM to enable or increase security.
## Platform Crypto Provider
Windows includes a cryptography framework called *Cryptographic API: Next Generation* (CNG), the basic approach of which is to implement cryptographic algorithms in different ways but with a common application programming interface (API). Applications that use cryptography can use the common API without knowing the details of how an algorithm is implemented much less the algorithm itself.
Although CNG sounds like a mundane starting point, it illustrates some of the advantages that a TPM provides. Underneath the CNG interface, Windows or third parties supply a cryptographic provider (that is, an implementation of an algorithm) implemented as software libraries alone or in a combination of software and available system hardware or third-party hardware. If implemented through hardware, the cryptographic provider communicates with the hardware behind the software interface of CNG.
The Platform Crypto Provider, introduced in the Windows 8 operating system, exposes the following special TPM properties, which software-only CNG providers cannot offer or cannot offer as effectively:
**Key protection**. The Platform Crypto Provider can create keys in the TPM with restrictions on their use. The operating system can load and use the keys in the TPM without copying the keys to system memory, where they are vulnerable to malware. The Platform Crypto Provider can also configure keys that a TPM protects so that they are not removable. If a TPM creates a key, the key is unique and resides only in that TPM. If the TPM imports a key, the Platform Crypto Provider can use the key in that TPM, but that TPM is not a source for making additional copies of the key or enabling the use of copies elsewhere. In sharp contrast, software solutions that protect keys from copying are subject to reverse-engineering attacks, in which someone figures out how the solution stores keys or makes copies of keys while they are in memory during use.
**Dictionary attack protection**. Keys that a TPM protects can require an authorization value such as a PIN. With dictionary attack protection, the TPM can prevent attacks that attempt a large number of guesses to determine the PIN. After too many guesses, the TPM simply returns an error saying no more guesses are allowed for a period of time. Software solutions might provide similar features, but they cannot provide the same level of protection, especially if the system restarts, the system clock changes, or files on the hard disk that count failed guesses are rolled back. In addition, with dictionary attack protection, authorization values such as PINs can be shorter and easier to remember while still providing the same level of protection as more complex values when using software solutions.
These TPM features give Platform Crypto Provider distinct advantages over software-based solutions. A practical way to see these benefits in action is when using certificates on a Windows 10 device. On platforms that include a TPM, Windows can use the Platform Crypto Provider to provide certificate storage. Certificate templates can specify that a TPM use the Platform Crypto Provider to protect the key associated with a certificate. In mixed environments, where some computers might not have a TPM, the certificate template could simply prefer the Platform Crypto Provider over the standard Windows software provider. If a certificate is configured as not able to be exported, the private key for the certificate is restricted and cannot be exported from the TPM. If the certificate requires a PIN, the PIN gains the TPMs dictionary attack protection automatically.
## Virtual Smart Card
Smart cards are highly secure physical devices that typically store a single certificate and the corresponding private key. Users insert a smart card into a built-in or USB card reader and enter a PIN to unlock it. Windows can then access the cards certificate and use the private key for authentication or to unlock BitLocker protected data volumes. Smart cards are popular because they provide two-factor authentication that requires both something the user has (that is, the smart card) and something the user knows (such as the smart card PIN). Smart cards are difficult to use, however, because they require purchase and deployment of both smart cards and smart card readers.
In Windows, the Virtual Smart Card feature allows the TPM to mimic a permanently inserted smart card. The TPM becomes “something the user has” but still requires a PIN. Although physical smart cards limit the number of PIN attempts before locking the card and requiring a reset, a virtual smart card relies on the TPMs dictionary attack protection to prevent too many PIN guesses.
For TPM-based virtual smart cards, the TPM protects the use and storage of the certificate private key so that it cannot be copied when it is in use or stored and used elsewhere. Using a component that is part of the system rather than a separate physical smart card can reduce total cost of ownership because it eliminates “lost card” and “card left at home” scenarios while still delivering the benefits of smart cardbased multifactor authentication. For users, virtual smart cards are simple to use, requiring only a PIN to unlock. Virtual smart cards support the same scenarios that physical smart cards support, including signing in to Windows or authenticating for resource access.
## Windows Hello for Business
Windows Hello for Business provides authentication methods intended to replace passwords, which can be difficult to remember and easily compromised. In addition, user name - password solutions for authentication often reuse the same user name password combinations on multiple devices and services; if those credentials are compromised, they are compromised in many places. Windows Hello for Business provisions devices one by one and combines the information provisioned on each device (i.e., the cryptographic key) with additional information to authenticate users. On a system that has a TPM, the TPM can protect the key. If a system does not have a TPM, software-based techniques protect the key. The additional information the user supplies can be a PIN value or, if the system has the necessary hardware, biometric information, such as fingerprint or facial recognition. To protect privacy, the biometric information is used only on the provisioned device to access the provisioned key: it is not shared across devices.
The adoption of new authentication technology requires that identity providers and organizations deploy and use that technology. Windows Hello for Business lets users authenticate with their existing Microsoft account, an Active Directory account, a Microsoft Azure Active Directory account, or even non-Microsoft Identity Provider Services or Relying Party Services that support [Fast ID Online V2.0 authentication](http://go.microsoft.com/fwlink/p/?LinkId=533889).
Identity providers have flexibility in how they provision credentials on client devices. For example, an organization might provision only those devices that have a TPM so that the organization knows that a TPM protects the credentials. The ability to distinguish a TPM from malware acting like a TPM requires the following TPM capabilities (see Figure 1):
**Endorsement key**. The TPM manufacturer can create a special key in the TPM called an *endorsement key*. An endorsement key certificate, signed by the manufacturer, says that the endorsement key is present in a TPM that that manufacturer made. Solutions can use the certificate with the TPM containing the endorsement key to confirm a scenario really involves a TPM from a specific TPM manufacturer (instead of malware acting like a TPM.
**Attestation identity key**. To protect privacy, most TPM scenarios do not directly use an actual endorsement key. Instead, they use attestation identity keys, and an identity certificate authority (CA) uses the endorsement key and its certificate to prove that one or more attestation identity keys actually exist in a real TPM. The identity CA issues attestation identity key certificates. More than one identity CA will generally see the same endorsement key certificate that can uniquely identify the TPM, but any number of attestation identity key certificates can be created to limit the information shared in other scenarios.
![TPM Capabilities](images/tpm-capabilities.png)
*Figure 1: TPM Cryptographic Key Management*
For Windows Hello for Business, Microsoft can fill the role of the identity CA. Microsoft services can issue an attestation identity key certificate for each device, user, and identify provider to ensure that privacy is protected and to help identity providers ensure that device TPM requirements are met before Windows Hello for Business credentials are provisioned.
## BitLocker Drive Encryption
BitLocker provides full-volume encryption to protect data at rest. The most common device configuration splits the hard drive into several volumes. The operating system and user data reside on one volume that holds confidential information, and other volumes hold public information such as boot components, system information and recovery tools. (These other volumes are used infrequently enough that they do not need to be visible to users.) Without additional protections in place, if the volume containing the operating system and user data is not encrypted, someone can boot another operating system and easily bypass the intended operating systems enforcement of file permissions to read any user data.
In the most common configuration, BitLocker encrypts the operating system volume so that if the computer or hard disk is lost or stolen when powered off, the data on the volume remains confidential. When the computer is turned on, starts normally, and proceeds to the Windows logon prompt, the only path forward is for the user to log on with his or her credentials, allowing the operating system to enforce its normal file permissions. If something about the boot process changes, however—for example, a different operating system is booted from a USB device—the operating system volume and user data cannot be read and are not accessible. The TPM and system firmware collaborate to record measurements of how the system started, including loaded software and configuration details such as whether boot occurred from the hard drive or a USB device. BitLocker relies on the TPM to allow the use of a key only when startup occurs in an expected way. The system firmware and TPM are carefully designed to work together to provide the following capabilities:
**Hardware root of trust for measurement**. A TPM allows software to send it commands that record measurements of software or configuration information. This information can be calculated using a hash algorithm that essentially transforms a lot of data into a small, statistically unique hash value. The system firmware has a component called the Core Root of Trust for Measurement (CRTM) that is implicitly trusted. The CRTM unconditionally hashes the next software component and records the measurement value by sending a command to the TPM. Successive components, whether system firmware or operating system loaders, continue the process by measuring any software components they load before running them. Because each components measurement is sent to the TPM before it runs, a component cannot erase its measurement from the TPM. (However, measurements are erased when the system is restarted.) The result is that at each step of the system startup process, the TPM holds measurements of boot software and configuration information. Any changes in boot software or configuration yield different TPM measurements at that step and later steps. Because the system firmware unconditionally starts the measurement chain, it provides a hardware-based root of trust for the TPM measurements. At some point in the startup process, the value of recording all loaded software and configuration information diminishes and the chain of measurements stops. The TPM allows for the creation of keys that can be used only when the platform configuration registers that hold the measurements have specific values.
**Key used only when boot measurements are accurate**. BitLocker creates a key in the TPM that can be used only when the boot measurements match an expected value. The expected value is calculated for the step in the startup process when Windows Boot Manager runs from the operating system volume on the system hard drive. Windows Boot Manager, which is stored unencrypted on the boot volume, needs to use the TPM key so that it can decrypt data read into memory from the operating system volume and startup can proceed using the encrypted operating system volume. If a different operating system is booted or the configuration is changed, the measurement values in the TPM will be different, the TPM will not let Windows Boot Manager use the key, and the startup process cannot proceed normally because the data on the operating system cannot be decrypted. If someone tries to boot the system with a different operating system or a different device, the software or configuration measurements in the TPM will be wrong and the TPM will not allow use of the key needed to decrypt the operating system volume. As a failsafe, if measurement values change unexpectedly, the user can always use the BitLocker recovery key to access volume data. Organizations can configure BitLocker to store the recovery key in Active Directory Domain Services (AD DS).
Device hardware characteristics are important to BitLocker and its ability to protect data. One consideration is whether the device provides attack vectors when the system is at the logon screen. For example, if the Windows device has a port that allows direct memory access so that someone can plug in hardware and read memory, an attacker can read the operating system volumes decryption key from memory while at the Windows logon screen. To mitigate this risk, organizations can configure BitLocker so that the TPM key requires both the correct software measurements and an authorization value. The system startup process stops at Windows Boot Manager, and the user is prompted to enter the authorization value for the TPM key or insert a USB device with the value. This process stops BitLocker from automatically loading the key into memory where it might be vulnerable, but has a less desirable user experience.
Newer hardware and Windows 10 work better together to disable direct memory access through ports and reduce attack vectors. The result is that organizations can deploy more systems without requiring users to enter additional authorization information during the startup process. The right hardware allows BitLocker to be used with the “TPM-only” configuration giving users a single sign-on experience without having to enter a PIN or USB key during boot.
## Device Encryption
Device Encryption is the consumer version of BitLocker, and it uses the same underlying technology. How it works is if a customer logs on with a Microsoft account and the system meets InstantGo hardware requirements, BitLocker Drive Encryption is enabled automatically in Windows 10. The recovery key is backed up in the Microsoft cloud and is accessible to the consumer through his or her Microsoft account. The InstantGo hardware requirements inform Windows 10 that the hardware is appropriate for deploying Device Encryption and allows use of the “TPM-only” configuration for a simple consumer experience. In addition, InstantGo hardware is designed to reduce the likelihood that measurement values change and prompt the customer for the recovery key.
For software measurements, Device Encryption relies on measurements of the authority providing software components (based on code signing from manufacturers such as OEMs or Microsoft) instead of the precise hashes of the software components themselves. This permits servicing of components without changing the resulting measurement values. For configuration measurements, the values used are based on the boot security policy instead of the numerous other configuration settings recorded during startup. These values also change less frequently. The result is that Device Encryption is enabled on appropriate hardware in a user-friendly way while also protecting data.
## Measured Boot
Windows 8 introduced Measured Boot as a way for the operating system to record the chain of measurements of software components and configuration information in the TPM through the initialization of the Windows operating system. In previous Windows versions, the measurement chain stopped at the Windows Boot Manager component itself, and the measurements in the TPM were not helpful for understanding the starting state of Windows.
The Windows boot process happens in stages and often involves third-party drivers to communicate with vendor-specific hardware or implement antimalware solutions. For software, Measured Boot records measurements of the Windows kernel, Early-Launch Anti-Malware drivers, and boot drivers in the TPM. For configuration settings, Measured Boot records security-relevant information such as signature data that antimalware drivers use and configuration data about Windows security features (e.g., whether BitLocker is on or off).
Measured Boot ensures that TPM measurements fully reflect the starting state of Windows software and configuration settings. If security settings and other protections are set up correctly, they can be trusted to maintain the security of the running operating system thereafter. Other scenarios can use the operating systems starting state to determine whether the running operating system should be trusted.
TPM measurements are designed to avoid recording any privacy-sensitive information as a measurement. As an additional privacy protection, Measured Boot stops the measurement chain at the initial starting state of Windows. Therefore, the set of measurements does not include details about which applications are in use or how Windows is being used. Measurement information can be shared with external entities to show that the device is enforcing adequate security policies and did not start with malware.
The TPM provides the following way for scenarios to use the measurements recorded in the TPM during boot:
**Remote Attestation**. Using an attestation identity key, the TPM can generate and cryptographically sign a statement (or*quote*) of the current measurements in the TPM. Windows 10 can create unique attestation identity keys for various scenarios to prevent separate evaluators from collaborating to track the same device. Additional information in the quote is cryptographically scrambled to limit information sharing and better protect privacy. By sending the quote to a remote entity, a device can attest which software and configuration settings were used to boot the device and initialize the operating system. An attestation identity key certificate can provide further assurance that the quote is coming from a real TPM. Remote attestation is the process of recording measurements in the TPM, generating a quote, and sending the quote information to another system that evaluates the measurements to establish trust in a device. Figure 2 illustrates this process.
When new security features are added to Windows, Measured Boot adds security-relevant configuration information to the measurements recorded in the TPM. Measured Boot enables remote attestation scenarios that reflect the system firmware and the Windows initialization state.
![Process to Create Evidence of Boot Software and Configuration Using TPM](images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png)
*Figure 2: Process used to create evidence of boot software and configuration using a TPM*
## Health Attestation
Some Windows 10 improvements help security solutions implement remote attestation scenarios. Microsoft provides a Health Attestation service, which can create attestation identity key certificates for TPMs from different manufacturers as well as parse measured boot information to extract simple security assertions, such as whether BitLocker is on or off. The simple security assertions can be used to evaluate device health.
Mobile device management (MDM) solutions can receive simple security assertions from the Microsoft Health Attestation service for a client without having to deal with the complexity of the quote or the detailed TPM measurements. MDM solutions can act on the security information by quarantining unhealthy devices or blocking access to cloud services such as Microsoft Office 365.
## Credential Guard
Credential Guard is a new feature in Windows 10 that helps protect Windows credentials in organizations that have deployed AD DS. Historically, a users credentials (e.g., logon password) were hashed to generate an authorization token. The user employed the token to access resources that he or she was permitted to use. One weakness of the token model is that malware that had access to the operating system kernel could look through the computers memory and harvest all the access tokens currently in use. The attacker could then use harvested tokens to log on to other machines and collect more credentials. This kind of attack is called a “pass the hash” attack, a malware technique that infects one machine to infect many machines across an organization.
Similar to the way Microsoft Hyper-V keeps virtual machines (VMs) separate from one another, Credential Guard uses virtualization to isolate the process that hashes credentials in a memory area that the operating system kernel cannot access. This isolated memory area is initialized and protected during the boot process so that components in the larger operating system environment cannot tamper with it. Credential Guard uses the TPM to protect its keys with TPM measurements, so they are accessible only during the boot process step when the separate region is initialized; they are not available for the normal operating system kernel. The local security authority code in the Windows kernel interacts with the isolated memory area by passing in credentials and receiving single-use authorization tokens in return.
The resulting solution provides defense in depth, because even if malware runs in the operating system kernel, it cannot access the secrets inside the isolated memory area that actually generates authorization tokens. The solution does not solve the problem of key loggers because the passwords such loggers capture actually pass through the normal Windows kernel, but when combined with other solutions, such as smart cards for authentication, Credential Guard greatly enhances the protection of credentials in Windows 10.
## Conclusion
The TPM adds hardware-based security benefits to Windows 10. When installed on hardware that includes a TPM, Window 10 delivers remarkably improved security benefits. The following table summarizes the key benefits of the TPMs major features.
|Feature | Benefits when used on a system with a TPM|
|---|---|
| Platform Crypto Provider | • &nbsp; &nbsp; If the machine is compromised, the private key associated with the certificate cannot be copied off the device.<br />&nbsp; &nbsp; The TPMs dictionary attack mechanism protects PIN values to use a certificate.
| Virtual Smart Card | • &nbsp; &nbsp; Achieve security similar to that of physical smart cards without deploying physical smart cards or card readers.|
| Windows Hello for Business | • &nbsp; &nbsp; Credentials provisioned on a device cannot be copied elsewhere. <br />&nbsp; &nbsp; Confirm a devices TPM before credentials are provisioned. |
| BitLocker Drive Encryption | • &nbsp; &nbsp; Multiple options are available for enterprises to protect data at rest while balancing security requirements with different device hardware.
|Device Encryption | • &nbsp; &nbsp; With a Microsoft account and the right hardware, consumers devices seamlessly benefit from data-at-rest protection.
| Measured Boot | • &nbsp; &nbsp; A hardware root of trust contains boot measurements that help detect malware during remote attestation.
| Health Attestation | • &nbsp; &nbsp; MDM solutions can easily perform remote attestation and evaluate client health before granting access to resources or cloud services such as Office 365.
| Credential Guard | • &nbsp; &nbsp; Defense in depth increases so that even if malware has administrative rights on one machine, it is significantly more difficult to compromise additional machines in an organization.
<br />
Although some of the aforementioned features have additional hardware requirements (e.g., virtualization support), the TPM is a cornerstone of Windows 10 security. Microsoft and other industry stakeholders continue to improve the global standards associated with TPM and find more and more applications that use it to provide tangible benefits to customers. Microsoft has included support for most TPM features in its version of Windows for the Internet of Things (IoT) called [Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/iotcore). IoT devices that might be deployed in insecure physical locations and connected to cloud services like [Azure IoT Hub](https://azure.microsoft.com/documentation/services/iot-hub/) for management can use the TPM in innovative ways to address their emerging security requirements.

BIN
windows/device-security/tpm/images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 90 KiB

BIN
windows/device-security/tpm/images/tpm-capabilities.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 88 KiB

4
windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
View File

@ -364,7 +364,7 @@ We recommend that you start with **Silent** or **Allow Overrides** while verifyi
### Define your enterprise-managed corporate identity
Corporate identity, usually expressed as your primary Internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps youve marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies.
Starting with Windows 10, version 1703, Intune automatically determines your corporate identity and adds it to the Corporate identity field. You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (`contoso.com|newcontoso.com`). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list.
Starting with Windows 10, version 1703, Intune automatically determines your corporate identity and adds it to the **Corporate identity** field.
**To change your corporate identity**
@ -372,7 +372,7 @@ Starting with Windows 10, version 1703, Intune automatically determines your cor
The **Required settings** blade appears.
2. If the identity isnt correct, or if you need to add additional domains, type info into the **Corporate identity** field. For example, `contoso.com|newcontoso.com`.
2. If the auto-defined identity isnt correct, you can change the info in the **Corporate identity** field. If you need to add additional domains, for example your email domains, you can do it in the **Advanced settings** area.
![Microsoft Intune, Set your corporate identity for your organization](images/wip-azure-required-settings-corp-identity.png)

BIN
windows/threat-protection/windows-information-protection/images/wip-azure-required-settings-corp-identity.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 53 KiB

After

Width:  |  Height:  |  Size: 26 KiB

BIN
windows/threat-protection/windows-information-protection/images/wip-azure-required-settings-protection-mode.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 52 KiB

After

Width:  |  Height:  |  Size: 26 KiB