mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 05:17:22 +00:00
Merged PR 9321: premises
This commit is contained in:
Jeanie Decker
parent
9bd4958503
commit
c0e174692f
@ -18,7 +18,7 @@ ms.localizationpriority: medium
|
||||
PowerShell scripts to help set up and manage your Microsoft Surface Hub.
|
||||
|
||||
- [PowerShell scripts for Surface Hub admins](#scripts-for-admins)
|
||||
- [Create an on-premise account](#create-on-premise-ps-scripts)
|
||||
- [Create an on-premises account](#create-on-premises-ps-scripts)
|
||||
- [Create a device account using Office 365](#create-os356-ps-scripts)
|
||||
- [Account verification script](#acct-verification-ps-scripts)
|
||||
- [Enable Skype for Business (EnableSfb.ps1)](#enable-sfb-ps-scripts)
|
||||
@ -185,7 +185,7 @@ These scripts will create a device account for you. You can use the [Account ver
|
||||
|
||||
The account creation scripts cannot modify an already existing account, but can be used to help you understand which cmdlets need to be run to configure the existing account correctly.
|
||||
|
||||
### <a href="" id="create-on-premise-ps-scripts"></a>Create an on-premise account
|
||||
### <a href="" id="create-on-premises-ps-scripts"></a>Create an on-premises account
|
||||
|
||||
Creates an account as described in [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md).
|
||||
|
||||
|
||||
@ -35,10 +35,11 @@ If you have a Surface Hub or other Windows 10 device that has been updated to Wi
|
||||
|
||||
- The Surface Hub or device (Windows PC or phone) needs to be running Windows 10, version 1703.
|
||||
- A Surface Hub or Windows PC can act as a Miracast over Infrastructure *receiver*. A Windows PC or phone can act as a Miracast over Infrastructure *source*.
|
||||
- As a Miracast receiver, the Surface Hub or device must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself.
|
||||
- As a Miracast receiver, the Surface Hub or device must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Surface Hub or device is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself.
|
||||
- As a Miracast source, the Windows PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
|
||||
- The DNS Hostname (device name) of the Surface Hub or device needs to be resolvable via your DNS servers. You can achieve this by either allowing your Surface Hub to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the Surface Hub's hostname.
|
||||
- Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
|
||||
- On Windows 10 PCs, the **Projecting to this PC** feature must be enabled within System Settings, and the device must have a Wi-Fi interface enabled in order to respond to discovery requests.
|
||||
|
||||
|
||||
It is important to note that Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method.
|
||||
|
||||
@ -16,7 +16,7 @@ ms.localizationpriority: medium
|
||||
|
||||
This topic explains how you add a device account for your Microsoft Surface Hub when you have a single-forest, on-premises deployment.
|
||||
|
||||
If you have a single-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premise-ps-scripts) to create device accounts. If you’re using a multi-forest deployment, see [On-premises deployment for Surface Hub in a multi-forest environment](on-premises-deployment-surface-hub-multi-forest.md).
|
||||
If you have a single-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premises-ps-scripts) to create device accounts. If you’re using a multi-forest deployment, see [On-premises deployment for Surface Hub in a multi-forest environment](on-premises-deployment-surface-hub-multi-forest.md).
|
||||
|
||||
1. Start a remote PowerShell session from a PC and connect to Exchange.
|
||||
|
||||
|
||||
@ -15,7 +15,7 @@ ms.localizationpriority: medium
|
||||
|
||||
This topic explains how you add a device account for your Microsoft Surface Hub when you have a multi-forest, on-premises deployment.
|
||||
|
||||
If you have a multi-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premise-ps-scripts) to create device accounts. If you’re using a single-forest deployment, see [On-premises deployment for Surface Hub in a single-forest environment](on-premises-deployment-surface-hub-device-accounts.md).
|
||||
If you have a multi-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premises-ps-scripts) to create device accounts. If you’re using a single-forest deployment, see [On-premises deployment for Surface Hub in a single-forest environment](on-premises-deployment-surface-hub-device-accounts.md).
|
||||
|
||||
1. Start a remote PowerShell session from a PC and connect to Exchange.
|
||||
|
||||
|
||||
@ -16,7 +16,7 @@ ms.sitesec: library
|
||||
There are a few scenarios where you need to specify the domain name of your Skype for Business server:
|
||||
- **Multiple DNS suffixes** - When your Skype for Business infrastructure has disjointed namespaces such that one or more servers have a DNS suffix that doesn't match the suffix of the sign-in address (SIP) for Skype for Business.
|
||||
- **Skype for Business and Exchange suffixes are different** - When the suffix of the sign-in address for Skype for Business differs from the suffix of the Exchange address used for the device account.
|
||||
- **Working with certificates** - Large organizations with on-premise Skype for Business servers commonly use certificates with their own root certificate authority (CA). It is common for the CA domain to be different than the domain of the Skype for Business server which causes the certificate to not be trusted, and sign-in fails. Skype needs to know the domain name of the certificate in order to set up a trust relationship. Enterprises typically use Group Policy to push this out to Skype desktop, but Group Policy is not supported on Surface Hub.
|
||||
- **Working with certificates** - Large organizations with on-premises Skype for Business servers commonly use certificates with their own root certificate authority (CA). It is common for the CA domain to be different than the domain of the Skype for Business server which causes the certificate to not be trusted, and sign-in fails. Skype needs to know the domain name of the certificate in order to set up a trust relationship. Enterprises typically use Group Policy to push this out to Skype desktop, but Group Policy is not supported on Surface Hub.
|
||||
|
||||
**To configure the domain name for your Skype for Business server**</br>
|
||||
1. On Surface Hub, open **Settings**.
|
||||
|
||||
@ -94,7 +94,7 @@ As you review the roles in your organization, you can use the following generali
|
||||
|
||||
Your configuration requirements are defined by multiple factors, including the level of management needed, the devices and data managed, and your industry requirements. Meanwhile, employees are frequently concerned about IT applying strict policies to their personal devices, but they still want access to corporate email and documents. With Windows 10, you can create a consistent set of configurations across PCs, tablets, and phones through the common MDM layer.
|
||||
|
||||
**MDM**: [MDM](https://www.microsoft.com/en-us/cloud-platform/mobile-device-management) gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, Group Policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows you to target Internet-connected devices to manage policies without using GP that requires on-premise domain joined devices. This makes MDM the best choice for devices that are constantly on the go.
|
||||
**MDM**: [MDM](https://www.microsoft.com/en-us/cloud-platform/mobile-device-management) gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, Group Policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows you to target Internet-connected devices to manage policies without using GP that requires on-premises domain-joined devices. This makes MDM the best choice for devices that are constantly on the go.
|
||||
|
||||
**Group Policy** and **System Center Configuration Manager**: Your organization might still need to manage domain joined computers at a granular level such as Internet Explorer’s 1,500 configurable Group Policy settings. If so, Group Policy and System Center Configuration Manager continue to be excellent management choices:
|
||||
|
||||
|
||||
@ -13,7 +13,7 @@ ms.date: 06/26/2017
|
||||
|
||||
## Executive summary
|
||||
|
||||
<p>Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premise group policies using System Center Configuration Manager (SCCM) or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premise counterparts.</p>
|
||||
<p>Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premises group policies using System Center Configuration Manager (SCCM) or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premises counterparts.</p>
|
||||
|
||||
<p>MDM services can be used to publish App-V packages to clients running Windows 10, version 1703 (or later). All capabilities such as App-V enablement, configuration, and publishing can be completed using the EnterpriseAppVManagement CSP.</p>
|
||||
|
||||
@ -79,7 +79,7 @@ ms.date: 06/26/2017
|
||||
|
||||
## Scenarios addressed in App-V MDM functionality
|
||||
|
||||
<p>All App-V group policies will be reflected by having a corresponding CSP that can be set using the Policy CSP. The CSPs match all on-premise App-V configuration capabilities. In addition, new App-V package management capability has been added to closely match the App-V PowerShell functionality.</p>
|
||||
<p>All App-V group policies will be reflected by having a corresponding CSP that can be set using the Policy CSP. The CSPs match all on-premises App-V configuration capabilities. In addition, new App-V package management capability has been added to closely match the App-V PowerShell functionality.</p>
|
||||
|
||||
<p>A complete list of App-V policies can be found here:</p>
|
||||
|
||||
|
||||
@ -30,7 +30,7 @@ On the desktop, you can create an Active Directory account, such as "enrollment@
|
||||
|
||||
On the desktop and mobile devices, you can use an enrollment certificate or enrollment username and password, such as "enroll@contoso.com" and "enrollmentpassword." These credentials are used in the provisioning package, which you can use to enroll multiple devices to the MDM service. Once the devices are joined, many users can use them.
|
||||
|
||||
> **Note**
|
||||
>[!NOTE]
|
||||
> - Bulk-join is not supported in Azure Active Directory Join.
|
||||
> - Bulk enrollment does not work in Intune standalone enviroment.
|
||||
> - Bulk enrollment works in System Center Configuration Manager (SCCM) + Intune hybrid environment where the ppkg is generated from the SCCM console.
|
||||
@ -47,7 +47,7 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro
|
||||
|
||||
Some organizations require custom APNs to be provisioned before talking to the enrollment endpoint or custom VPN to join a domain.
|
||||
|
||||
## Create and apply a provisioning package for on-premise authentication
|
||||
## Create and apply a provisioning package for on-premises authentication
|
||||
|
||||
Using the ICD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.
|
||||
|
||||
|
||||
@ -630,7 +630,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
|
||||
> [!Important]
|
||||
> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Enterprise.
|
||||
|
||||
<p style="margin-left: 20px">Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premise MDMs that need to update devices that cannot connect to the Internet.
|
||||
<p style="margin-left: 20px">Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet.
|
||||
|
||||
<p style="margin-left: 20px">Supported operations are Get and Replace.
|
||||
|
||||
|
||||
@ -138,11 +138,11 @@ The following is a list of functions performed by the Device HealthAttestation C
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td style="vertical-align:top">Device Health Attestation – On Premise<p>(DHA-OnPrem)</p></td>
|
||||
<td style="vertical-align:top"><p>DHA-OnPrem refers to DHA-Service that is running on premise:</p>
|
||||
<td style="vertical-align:top"><p>DHA-OnPrem refers to DHA-Service that is running on premises:</p>
|
||||
<ul>
|
||||
<li>Offered to Windows Server 2016 customer (no added licensing cost for enabling/running DHA-Service) </li>
|
||||
<li>Hosted on an enterprise owned and managed server device/hardware</li>
|
||||
<li>Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on premise and hybrid (Cloud + OnPrem) hardware attestation scenarios</li>
|
||||
<li>Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios</li>
|
||||
<li><p>Accessible to all enterprise managed devices via following:</p>
|
||||
<ul>
|
||||
<li>FQDN = (enterprise assigned)</li>
|
||||
@ -151,14 +151,14 @@ The following is a list of functions performed by the Device HealthAttestation C
|
||||
</ul>
|
||||
</li>
|
||||
</ul></td>
|
||||
<td style="vertical-align:top">The operation cost of running one or more instances of Server 2016 on premise.</td>
|
||||
<td style="vertical-align:top">The operation cost of running one or more instances of Server 2016 on-premises.</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td style="vertical-align:top">Device Health Attestation - Enterprise Managed Cloud<p>(DHA-EMC)</p></td>
|
||||
<td style="vertical-align:top"><p>DHA-EMC refers to an enterprise managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise managed cloud service, such as Microsoft Azure.</p>
|
||||
<ul>
|
||||
<li>Offered to Windows Server 2016 customers with no additional licensing cost (no added licensing cost for enabling/running DHA-Service)</li>
|
||||
<li>Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on premise and hybrid (Cloud + OnPrem) hardware attestation scenarios </li>
|
||||
<li>Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios </li>
|
||||
<li><p>Accessible to all enterprise managed devices via following:</p>
|
||||
<ul>
|
||||
<li>FQDN = (enterprise assigned)</li>
|
||||
@ -304,7 +304,7 @@ SSL-Session:
|
||||
|
||||
There are three types of DHA-Service:
|
||||
- Device Health Attestation – Cloud (owned and operated by Microsoft)
|
||||
- Device Health Attestation – On Premise (owned and operated by an enterprise, runs on Windows Server 2016 on premise)
|
||||
- Device Health Attestation – On Premise (owned and operated by an enterprise, runs on Windows Server 2016 on premises)
|
||||
- Device Health Attestation - Enterprise Managed Cloud (owned and operated by an enterprise, runs on Windows Server 2016 compatible enterprise managed cloud)
|
||||
|
||||
DHA-Cloud is the default setting. No further action is required if an enterprise is planning to use Microsoft DHA-Cloud as the trusted DHA-Service provider.
|
||||
|
||||
@ -62,7 +62,7 @@ The following topics describe the end-to-end enrollment process using various au
|
||||
|
||||
## Enrollment support for domain-joined devices
|
||||
|
||||
Devices that are joined to an on-premise Active Directory can enroll into MDM via the Work access page in **Settings**. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.
|
||||
Devices that are joined to an on-premises Active Directory can enroll into MDM via the Work access page in **Settings**. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.
|
||||
|
||||
## Disable MDM enrollments
|
||||
|
||||
|
||||
@ -1600,7 +1600,8 @@ Alternatively you can use the following procedure to create an EAP Configuration
|
||||
7. Close the rasphone dialog box.
|
||||
8. Continue following the procedure in the [EAP configuration](eap-configuration.md) topic from Step 9 to get an EAP TLS profile with appropriate filtering.
|
||||
|
||||
> **Note** You can also set all the other applicable EAP Properties through this UI as well. A guide for what these properties mean can be found in the [Extensible Authentication Protocol (EAP) Settings for Network Access](https://technet.microsoft.com/library/hh945104.aspx) topic.
|
||||
>[!NOTE]
|
||||
>You can also set all the other applicable EAP Properties through this UI as well. A guide for what these properties mean can be found in the [Extensible Authentication Protocol (EAP) Settings for Network Access](https://technet.microsoft.com/library/hh945104.aspx) topic.
|
||||
|
||||
|
||||
### <a href="" id="remote"></a>Remote PIN reset not supported in Azure Active Directory joined mobile devices
|
||||
@ -1617,7 +1618,7 @@ In Azure AD joined Windows 10 PC, provisioning /.User resources fails when the
|
||||
|
||||
### <a href="" id="kerberos"></a>Requirements to note for VPN certificates also used for Kerberos Authentication
|
||||
|
||||
If you want to use the certificate used for VPN authentication also for Kerberos authentication (required if you need access to on-premise resources using NTLM or Kerberos), the user's certificate must meet the requirements for smart card certificate, the Subject field should contain the DNS domain name in the DN or the SAN should contain a fully qualified UPN so that the DC can be located from the DNS registrations. If certificates that do not meet these requirements are used for VPN, users may fail to access resources that require Kerberos authentication. This issue primarily impacts Windows Phone.
|
||||
If you want to use the certificate used for VPN authentication also for Kerberos authentication (required if you need access to on-premises resources using NTLM or Kerberos), the user's certificate must meet the requirements for smart card certificate, the Subject field should contain the DNS domain name in the DN or the SAN should contain a fully qualified UPN so that the DC can be located from the DNS registrations. If certificates that do not meet these requirements are used for VPN, users may fail to access resources that require Kerberos authentication. This issue primarily impacts Windows Phone.
|
||||
|
||||
### <a href="" id="pushbuttonreset"></a>Device management agent for the push-button reset is not working
|
||||
|
||||
@ -2204,7 +2205,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
|
||||
<td style="vertical-align:top">[Mobile device enrollment](mobile-device-enrollment.md)</td>
|
||||
<td style="vertical-align:top"><p>Added the following statement:</p>
|
||||
<ul>
|
||||
<li>Devices that are joined to an on-premise Active Directory can enroll into MDM via the Work access page in <strong>Settings</strong>. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.</li>
|
||||
<li>Devices that are joined to an on-premises Active Directory can enroll into MDM via the Work access page in <strong>Settings</strong>. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.</li>
|
||||
</ul>
|
||||
</td></tr>
|
||||
<tr class="odd">
|
||||
|
||||
@ -76,7 +76,7 @@ This cloud service encrypts a recovery secret, which is stored locally on the cl
|
||||
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
|
||||
|
||||
<a href="" id="tenantid-policies-usecertificateforonpremauth--only-for---device-vendor-msft-"></a>***TenantId*/Policies/UseCertificateForOnPremAuth** (only for ./Device/Vendor/MSFT)
|
||||
<p style="margin-left: 20px">Boolean value that enables Windows Hello for Business to use certificates to authenticate on-premise resources.
|
||||
<p style="margin-left: 20px">Boolean value that enables Windows Hello for Business to use certificates to authenticate on-premises resources.
|
||||
|
||||
<p style="margin-left: 20px">If you enable this policy setting, Windows Hello for Business will wait until the device has received a certificate payload from the mobile device management server before provisioning a PIN.
|
||||
|
||||
|
||||
@ -657,7 +657,7 @@ If you disable or do not configure this policy setting, the PIN recovery secret
|
||||
<Replace />
|
||||
</AccessType>
|
||||
<DefaultValue>False</DefaultValue>
|
||||
<Description>Windows Hello for Business can use certificates to authenticate to on-premise resources.
|
||||
<Description>Windows Hello for Business can use certificates to authenticate to on-premises resources.
|
||||
|
||||
If you enable this policy setting, Windows Hello for Business will wait until the device has received a certificate payload from the mobile device management server before provisioning a PIN.
|
||||
|
||||
|
||||
@ -283,7 +283,7 @@ The following list shows the supported values:
|
||||
<!--Description-->
|
||||
Added in Windows 10, version 1607. Allows secondary authentication devices to work with Windows.
|
||||
|
||||
The default for this policy must be on for consumer devices (defined as local or Microsoft account connected device) and off for enterprise devices (such as cloud domain-joined, cloud domain-joined in an on-premise only environment, cloud domain-joined in a hybrid environment, and BYOD).
|
||||
The default for this policy must be on for consumer devices (defined as local or Microsoft account connected device) and off for enterprise devices (such as cloud domain-joined, cloud domain-joined in an on-premises only environment, cloud domain-joined in a hybrid environment, and BYOD).
|
||||
|
||||
<!--/Description-->
|
||||
<!--ADMXMapped-->
|
||||
|
||||
@ -2968,7 +2968,7 @@ The following list shows the supported values:
|
||||
> [!Important]
|
||||
> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Mobile.
|
||||
|
||||
Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premise MDMs that need to update devices that cannot connect to the Internet.
|
||||
Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet.
|
||||
|
||||
Supported operations are Get and Replace.
|
||||
|
||||
|
||||
@ -40,7 +40,7 @@ The full URL for the discovery service.
|
||||
<a href="" id="provisioning-enrollments-upn-secret"></a>**Provisioning/Enrollments/*UPN*/Secret**
|
||||
This information is dependent on the AuthPolicy being used. Possible values:
|
||||
|
||||
- Password string for on-premise authentication enrollment
|
||||
- Password string for on-premises authentication enrollment
|
||||
- Federated security token for federated enrollment
|
||||
- Certificate thumb print for certificated based enrollment
|
||||
|
||||
|
||||
@ -736,7 +736,7 @@ Start/DisableContextMenus | 1 - Context menus are hidden for Start apps | No
|
||||
<span id="lnk-files" />
|
||||
## Provision .lnk files using Windows Configuration Designer
|
||||
|
||||
First, create your desktop app's shortcut file by installing the app on a test device. Right-click the installed application, and choose **Send to** > **Desktop (create shortcut)**. Rename the shortcut to `<appName>.lnk`
|
||||
First, create your desktop app's shortcut file by installing the app on a test device, using the default installation location. Right-click the installed application, and choose **Send to** > **Desktop (create shortcut)**. Rename the shortcut to `<appName>.lnk`
|
||||
|
||||
Next, create a batch file with two commands. If the desktop app is already installed on the target device, skip the first command for MSI install.
|
||||
|
||||
|
||||
@ -32,7 +32,7 @@ Select **Enrollments**, enter a UPN, and then click **Add** to configure the set
|
||||
| DiscoveryServiceFullUrl | URL | The full URL for the discovery service |
|
||||
| EnrollmentServiceFullUrl | URL | The full URL for the enrollment service |
|
||||
| PolicyServiceFullUrl | URL | The full URL for the policy service |
|
||||
| Secret | - Password string for on-premise authentication enrollment</br>- Federated security token for federated enrollment</br>- Certificate thumb print for certificate-based enrollment | Enter the appropriate value for the selected AuthPolicy |
|
||||
| Secret | - Password string for on-premises authentication enrollment</br>- Federated security token for federated enrollment</br>- Certificate thumb print for certificate-based enrollment | Enter the appropriate value for the selected AuthPolicy |
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
@ -26,7 +26,7 @@ Steps are provided in sections that follow the recommended setup process:
|
||||
|
||||
## Add Device Health to Microsoft Operations Management Suite or Azure Log Analytics
|
||||
|
||||
Device Health is offered as a solution in the Microsoft Operations Management Suite (OMS) and Azure Log Analytics, a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/).
|
||||
Device Health is offered as a solution in the Microsoft Operations Management Suite (OMS) and Azure Log Analytics, a collection of cloud-based servicing for monitoring and automating your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/).
|
||||
|
||||
**If you are already using Windows Analytics**, you should use the same Azure Log Analytics workspace you're already using. Find Device Health in the Solutions Gallery. Select the **Device Health** tile in the gallery and then click **Add** on the solution's details page. Device Health is now visible in your workspace. While you're in the Solutions Gallery, you should consider installing the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Update Compliance](update-compliance-monitor.md) solutions as well, if you haven't already.
|
||||
|
||||
|
||||
@ -25,7 +25,7 @@ Steps are provided in sections that follow the recommended setup process:
|
||||
|
||||
## Add Update Compliance to Microsoft Operations Management Suite or Azure Log Analytics
|
||||
|
||||
Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/).
|
||||
Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/).
|
||||
|
||||
>[!IMPORTANT]
|
||||
>Update Compliance is a free solution for Azure subscribers.
|
||||
|
||||
@ -38,7 +38,7 @@ While Upgrade Readiness can be used to assist with updating devices from Windows
|
||||
|
||||
## Operations Management Suite or Azure Log Analytics
|
||||
|
||||
Upgrade Readiness is offered as a solution in Microsoft Operations Management Suite (OMS) and Azure Log Analytics, a collection of cloud based services for managing on premise and cloud computing environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/).
|
||||
Upgrade Readiness is offered as a solution in Microsoft Operations Management Suite (OMS) and Azure Log Analytics, a collection of cloud based services for managing on premises and cloud computing environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/).
|
||||
|
||||
If you’re already using OMS or Azure Log Analytics, you’ll find Upgrade Readiness in the Solutions Gallery. Click the **Upgrade Readiness** tile in the gallery and then click **Add** on the solution’s details page. Upgrade Readiness is now visible in your workspace. You can also
|
||||
|
||||
|
||||
@ -1625,7 +1625,7 @@ To turn this off:
|
||||
|
||||
### <a href="" id="bkmk-spp"></a>18. Software Protection Platform
|
||||
|
||||
Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by doing one of the following:
|
||||
Enterprise customers can manage their Windows activation status with volume licensing using an on-premises Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by doing one of the following:
|
||||
|
||||
For Windows 10:
|
||||
|
||||
|
||||
@ -79,7 +79,7 @@ For planned scenarios, such as a known hardware or firmware upgrades, you can av
|
||||
|
||||
>**Note:** If suspended BitLocker will automatically resume protection when the PC is rebooted, unless a reboot count is specified using the manage-bde command line tool.
|
||||
|
||||
If software maintenance requires the computer be restarted and you are using two-factor authentication, you can enable BitLocker Network Unlock to provide the secondary authentication factor when the computers do not have an on-premise user to provide the additional authentication method.
|
||||
If software maintenance requires the computer be restarted and you are using two-factor authentication, you can enable BitLocker Network Unlock to provide the secondary authentication factor when the computers do not have an on-premises user to provide the additional authentication method.
|
||||
|
||||
Recovery has been described within the context of unplanned or undesired behavior, but you can also cause recovery as an intended production scenario, in order to manage access control. For example, when you redeploy desktop or laptop computers to other departments or employees in your enterprise, you can force BitLocker into recovery before the computer is given to a new user.
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user