From c0e174692fe1913532b78c1680f3349f9b135838 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Mon, 25 Jun 2018 14:32:39 +0000 Subject: [PATCH] Merged PR 9321: premises --- .../appendix-a-powershell-scripts-for-surface-hub.md | 4 ++-- devices/surface-hub/miracast-over-infrastructure.md | 7 ++++--- ...-premises-deployment-surface-hub-device-accounts.md | 2 +- .../on-premises-deployment-surface-hub-multi-forest.md | 2 +- .../use-fully-qualified-domain-name-surface-hub.md | 2 +- ...indows-10-in-your-organization-modern-management.md | 2 +- .../client-management/mdm/appv-deploy-and-config.md | 4 ++-- .../bulk-enrollment-using-windows-provisioning-tool.md | 4 ++-- .../client-management/mdm/device-update-management.md | 2 +- windows/client-management/mdm/healthattestation-csp.md | 10 +++++----- .../client-management/mdm/mobile-device-enrollment.md | 2 +- .../mdm/new-in-windows-mdm-enrollment-management.md | 7 ++++--- windows/client-management/mdm/passportforwork-csp.md | 2 +- windows/client-management/mdm/passportforwork-ddf.md | 2 +- .../client-management/mdm/policy-csp-authentication.md | 2 +- windows/client-management/mdm/policy-csp-update.md | 2 +- windows/client-management/mdm/provisioning-csp.md | 2 +- .../lock-down-windows-10-to-specific-apps.md | 2 +- windows/configuration/wcd/wcd-workplace.md | 2 +- windows/deployment/update/device-health-get-started.md | 2 +- .../deployment/update/update-compliance-get-started.md | 2 +- .../upgrade/upgrade-readiness-requirements.md | 2 +- ...perating-system-components-to-microsoft-services.md | 2 +- .../bitlocker/bitlocker-recovery-guide-plan.md | 2 +- 24 files changed, 37 insertions(+), 35 deletions(-) diff --git a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md index 7dafdcf898..ae2a7ce2e0 100644 --- a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md 
+++ b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md @@ -18,7 +18,7 @@ ms.localizationpriority: medium PowerShell scripts to help set up and manage your Microsoft Surface Hub. - [PowerShell scripts for Surface Hub admins](#scripts-for-admins) - - [Create an on-premise account](#create-on-premise-ps-scripts) + - [Create an on-premises account](#create-on-premises-ps-scripts) - [Create a device account using Office 365](#create-os356-ps-scripts) - [Account verification script](#acct-verification-ps-scripts) - [Enable Skype for Business (EnableSfb.ps1)](#enable-sfb-ps-scripts) @@ -185,7 +185,7 @@ These scripts will create a device account for you. You can use the [Account ver The account creation scripts cannot modify an already existing account, but can be used to help you understand which cmdlets need to be run to configure the existing account correctly. -### Create an on-premise account +### Create an on-premises account Creates an account as described in [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md). diff --git a/devices/surface-hub/miracast-over-infrastructure.md b/devices/surface-hub/miracast-over-infrastructure.md index fb81f8e16d..7b6737d1ac 100644 --- a/devices/surface-hub/miracast-over-infrastructure.md +++ b/devices/surface-hub/miracast-over-infrastructure.md 
@@ -35,10 +35,11 @@ If you have a Surface Hub or other Windows 10 device that has been updated to Wi - The Surface Hub or device (Windows PC or phone) needs to be running Windows 10, version 1703. - A Surface Hub or Windows PC can act as a Miracast over Infrastructure *receiver*. A Windows PC or phone can act as a Miracast over Infrastructure *source*. - - As a Miracast receiver, the Surface Hub or device must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself. + - As a Miracast receiver, the Surface Hub or device must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Surface Hub or device is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself. - As a Miracast source, the Windows PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. -- The DNS Hostname (device name) of the Surface Hub or deviceneeds to be resolvable via your DNS servers. You can achieve this by either allowing your Surface Hub to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the Surface Hub's hostname. -- Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. +- The DNS Hostname (device name) of the Surface Hub or device needs to be resolvable via your DNS servers. You can achieve this by either allowing your Surface Hub to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the Surface Hub's hostname. +- Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. 
+- On Windows 10 PCs, the **Projecting to this PC** feature must be enabled within System Settings, and the device must have a Wi-Fi interface enabled in order to respond to discovery requests. It is important to note that Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method. diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md index 15d5c2746e..953c771d7c 100644 --- a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md 
@@ -16,7 +16,7 @@ ms.localizationpriority: medium This topic explains how you add a device account for your Microsoft Surface Hub when you have a single-forest, on-premises deployment. -If you have a single-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premise-ps-scripts) to create device accounts. If you’re using a multi-forest deployment, see [On-premises deployment for Surface Hub in a multi-forest environment](on-premises-deployment-surface-hub-multi-forest.md). +If you have a single-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premises-ps-scripts) to create device accounts. If you’re using a multi-forest deployment, see [On-premises deployment for Surface Hub in a multi-forest environment](on-premises-deployment-surface-hub-multi-forest.md). 1. Start a remote PowerShell session from a PC and connect to Exchange. diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md index b367367025..ff5af2b652 100644 --- a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md +++ b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md 
@@ -15,7 +15,7 @@ ms.localizationpriority: medium This topic explains how you add a device account for your Microsoft Surface Hub when you have a multi-forest, on-premises deployment. -If you have a multi-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premise-ps-scripts) to create device accounts. If you’re using a single-forest deployment, see [On-premises deployment for Surface Hub in a single-forest environment](on-premises-deployment-surface-hub-device-accounts.md). +If you have a multi-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premises-ps-scripts) to create device accounts. If you’re using a single-forest deployment, see [On-premises deployment for Surface Hub in a single-forest environment](on-premises-deployment-surface-hub-device-accounts.md). 1. Start a remote PowerShell session from a PC and connect to Exchange. diff --git a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md index c9183716e7..f64a9fbf5d 100644 --- a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md +++ b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md 
@@ -16,7 +16,7 @@ ms.sitesec: library There are a few scenarios where you need to specify the domain name of your Skype for Business server: - **Multiple DNS suffixes** - When your Skype for Business infrastructure has disjointed namespaces such that one or more servers have a DNS suffix that doesn't match the suffix of the sign-in address (SIP) for Skype for Business. - **Skype for Business and Exchange suffixes are different** - When the suffix of the sign-in address for Skype for Business differs from the suffix of the Exchange address used for the device account. -- **Working with certificates** - Large organizations with on-premise Skype for Business servers commonly use certificates with their own root certificate authority (CA). It is common for the CA domain to be different than the domain of the Skype for Business server which causes the certificate to not be trusted, and sign-in fails. Skype needs to know the domain name of the certificate in order to set up a trust relationship. Enterprises typically use Group Policy to push this out to Skype desktop, but Group Policy is not supported on Surface Hub. +- **Working with certificates** - Large organizations with on-premises Skype for Business servers commonly use certificates with their own root certificate authority (CA). It is common for the CA domain to be different than the domain of the Skype for Business server which causes the certificate to not be trusted, and sign-in fails. Skype needs to know the domain name of the certificate in order to set up a trust relationship. Enterprises typically use Group Policy to push this out to Skype desktop, but Group Policy is not supported on Surface Hub. **To configure the domain name for your Skype for Business server**
1. On Surface Hub, open **Settings**. diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md index 4e93c9b375..ff5186b3bf 100644 --- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md +++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md 
@@ -94,7 +94,7 @@ As you review the roles in your organization, you can use the following generali Your configuration requirements are defined by multiple factors, including the level of management needed, the devices and data managed, and your industry requirements. Meanwhile, employees are frequently concerned about IT applying strict policies to their personal devices, but they still want access to corporate email and documents. With Windows 10, you can create a consistent set of configurations across PCs, tablets, and phones through the common MDM layer.  -**MDM**: [MDM](https://www.microsoft.com/en-us/cloud-platform/mobile-device-management) gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, Group Policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows you to target Internet-connected devices to manage policies without using GP that requires on-premise domain joined devices. This makes MDM the best choice for devices that are constantly on the go. +**MDM**: [MDM](https://www.microsoft.com/en-us/cloud-platform/mobile-device-management) gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, Group Policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows you to target Internet-connected devices to manage policies without using GP that requires on-premises domain-joined devices. This makes MDM the best choice for devices that are constantly on the go. 
**Group Policy** and **System Center Configuration Manager**: Your organization might still need to manage domain joined computers at a granular level such as Internet Explorer’s 1,500 configurable Group Policy settings. If so, Group Policy and System Center Configuration Manager continue to be excellent management choices: diff --git a/windows/client-management/mdm/appv-deploy-and-config.md b/windows/client-management/mdm/appv-deploy-and-config.md index 5b7d449cb7..62c91ca217 100644 --- a/windows/client-management/mdm/appv-deploy-and-config.md +++ b/windows/client-management/mdm/appv-deploy-and-config.md @@ -13,7 +13,7 @@ ms.date: 06/26/2017 ## Executive summary -

Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premise group policies using System Center Configuration Manager (SCCM) or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premise counterparts.

+

Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premises group policies using System Center Configuration Manager (SCCM) or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premises counterparts.

MDM services can be used to publish App-V packages to clients running Windows 10, version 1703 (or later). All capabilities such as App-V enablement, configuration, and publishing can be completed using the EnterpriseAppVManagement CSP.

@@ -79,7 +79,7 @@ ms.date: 06/26/2017 ## Scenarios addressed in App-V MDM functionality -

All App-V group policies will be reflected by having a corresponding CSP that can be set using the Policy CSP. The CSPs match all on-premise App-V configuration capabilities. In addition, new App-V package management capability has been added to closely match the App-V PowerShell functionality.

+

All App-V group policies will be reflected by having a corresponding CSP that can be set using the Policy CSP. The CSPs match all on-premises App-V configuration capabilities. In addition, new App-V package management capability has been added to closely match the App-V PowerShell functionality.

A complete list of App-V policies can be found here:

diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md index 63c22e0fb2..fc0c578410 100644 --- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md +++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md @@ -30,7 +30,7 @@ On the desktop, you can create an Active Directory account, such as "enrollment@ On the desktop and mobile devices, you can use an enrollment certificate or enrollment username and password, such as "enroll@contoso.com" and "enrollmentpassword." These credentials are used in the provisioning package, which you can use to enroll multiple devices to the MDM service. Once the devices are joined, many users can use them. -> **Note**   +>[!NOTE]   > - Bulk-join is not supported in Azure Active Directory Join. > - Bulk enrollment does not work in Intune standalone enviroment. > - Bulk enrollment works in System Center Configuration Manager (SCCM) + Intune hybrid environment where the ppkg is generated from the SCCM console. @@ -47,7 +47,7 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro Some organizations require custom APNs to be provisioned before talking to the enrollment endpoint or custom VPN to join a domain. -## Create and apply a provisioning package for on-premise authentication +## Create and apply a provisioning package for on-premises authentication Using the ICD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings. diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md index f20da5c4c5..2e48c36d75 100644 --- a/windows/client-management/mdm/device-update-management.md +++ b/windows/client-management/mdm/device-update-management.md 
@@ -630,7 +630,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego > [!Important] > Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Enterprise. -

Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premise MDMs that need to update devices that cannot connect to the Internet. +

Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet.

Supported operations are Get and Replace. diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 2ebb1b49fe..a08bdd89b6 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -138,11 +138,11 @@ The following is a list of functions performed by the Device HealthAttestation C Device Health Attestation – On Premise

(DHA-OnPrem)

-

DHA-OnPrem refers to DHA-Service that is running on premise:

+

DHA-OnPrem refers to DHA-Service that is running on premises:

-The operation cost of running one or more instances of Server 2016 on premise. +The operation cost of running one or more instances of Server 2016 on-premises. Device Health Attestation - Enterprise Managed Cloud

(DHA-EMC)

DHA-EMC refers to an enterprise managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise managed cloud service, such as Microsoft Azure.
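Review bot: In devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md the table-of-contents link now points at `#create-on-premises-ps-scripts`, but no visible line renames the anchor that defines that fragment. The diffstat lists only two changed lines for this file, the link and the heading `### Create an on-premises account`, and a slug generated from that heading would not match the fragment. The same new fragment is also used by the links changed in on-premises-deployment-surface-hub-device-accounts.md and on-premises-deployment-surface-hub-multi-forest.md. Please confirm the explicit anchor under the heading is renamed in this commit, or keep the old fragment, so that all three links still resolve.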
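Review bot: The bullet added at the end of the requirements list in devices/surface-hub/miracast-over-infrastructure.md (`@@ -35,10 +35,11 @@`) says the device "must have a Wi-Fi interface enabled in order to respond to discovery requests", while the receiver bullet above it allows an Ethernet-only connection. Please state explicitly whether Wi-Fi has to be enabled on a PC that is connected over Ethernet, since admins who disable wireless on wired machines will read the two bullets as conflicting. This is also a new requirement rather than a wording fix, so it deserves a mention in the commit message, whose subject is only "premises". The removed and re-added "Windows 10 PCs must be connected..." line appears to differ only in whitespace and could be dropped from the change.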
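Review bot: In windows/client-management/manage-windows-10-in-your-organization-modern-management.md the changed **MDM** paragraph now hyphenates "on-premises domain-joined devices", but the **Group Policy** paragraph directly below it in the same hunk still reads "manage domain joined computers". Suggest hyphenating that occurrence too so the two adjacent paragraphs agree.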
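Review bot: In windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md the new alert marker is written `>[!NOTE]` with no space after `>` and with the trailing spaces carried over from the old line, whereas the alert visible in device-update-management.md in this same patch uses `> [!Important]`. Suggest `> [!NOTE]` with no trailing whitespace for consistency. While this block is being touched, the second list item under it still has the typo "enviroment" in "Intune standalone enviroment".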
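Review bot: In windows/client-management/mdm/healthattestation-csp.md the two replaced lines use different forms for the same construction: "running on premises" and "instances of Server 2016 on-premises". Both follow the thing they describe, so one spelling should be used for both. The unchanged label "Device Health Attestation – On Premise" in the context above still carries the old term, so consider updating it in the same pass, since the commit's purpose is to replace "premise" with "premises".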