From 94ad54a9290c8eb233c4428018556c6652a9ed42 Mon Sep 17 00:00:00 2001 From: Maggie Evans Date: Mon, 8 Aug 2016 12:43:33 -0700 Subject: [PATCH 01/10] Added information about the Company Settings Center being removed in Windows 10, 1607 --- windows/manage/uev-release-notes-1607.md | 17 +++++++++++++++ .../uev-whats-new-in-uev-for-windows.md | 21 ++++++++++++++++++- 2 files changed, 37 insertions(+), 1 deletion(-) diff --git a/windows/manage/uev-release-notes-1607.md b/windows/manage/uev-release-notes-1607.md index d28d61f312..4a416cacc4 100644 --- a/windows/manage/uev-release-notes-1607.md +++ b/windows/manage/uev-release-notes-1607.md 
@@ -14,6 +14,23 @@ Applies to: Windows 10, version 1607 This topic includes information required to successfully install and use UE-V that is not included in the User Experience Virtualization (UE-V) documentation. If there are differences between the information in this topic and other UE-V topics, the latest change should be considered authoritative. +### Company Settings Center removed in UE-V for Windows 10, version 1607 + +In previous versions of UE-V, users could select which of their customized application settings to synchronize with the Company Settings Center, a user interface that was available on user devices. + +Additionally, administrators could configure the Company Settings Center to include a link to support resources so that users could easily get support on virtualized settings-related issues. + +With the release of Windows 10, version 1607, the Company Settings Center was removed and users can no longer manage their synchronized settings. + +Administrators can still define which user-customized application settings can synchronize (roam) with Group Policy or Windows PowerShell. + +>**Note** With the removal of the Company Settings Center, the following group policies are no longer applicable: + +- Contact IT Link Text +- Contact IT URL +- Tray Icon + + ### Upgrading from UE-V 1.0 to the in-box version of UE-V is blocked Version 1.0 of UE-V used Offline Files (Client Side Caching) for settings synchronization and pinned the UE-V sync folder to be available when the network was offline, however, this technology was removed in UE-V 2.x. As a result, UE-V 1.0 users are blocked from upgrading to UE-V for Windows 10, version 1607. diff --git a/windows/manage/uev-whats-new-in-uev-for-windows.md b/windows/manage/uev-whats-new-in-uev-for-windows.md index f4192c7109..361d8d472d 100644 --- a/windows/manage/uev-whats-new-in-uev-for-windows.md +++ b/windows/manage/uev-whats-new-in-uev-for-windows.md 
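Review bot: in the new section at @@ -14,6 +14,23 @@ the `>**Note**` line is followed by a blank line and an unquoted list, so the blockquote closes before the three policy names and they render as a separate list outside the note; either prefix those lines with `>` (`> - Contact IT Link Text`, and so on) or drop the `>` from the Note line. Also, "Administrators can still define which user-customized application settings can synchronize (roam) with Group Policy or Windows PowerShell" is now the only remaining control once users lose the Company Settings Center, yet it names no policy or cmdlet; link to the topic that documents them. Finally, say what happens to the three policies listed as "no longer applicable" when they are still configured (ignored, or to be removed), since the list leaves that open.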
@@ -24,6 +24,8 @@ The changes in UE-V for Windows 10, version 1607 impact already existing impleme - The UE-V template generator is available from the Windows 10 ADK. In previous releases of UE-V, the template generator was included in the Microsoft Desktop Optimization Pack. Although you’ll need to use the new template generator to create new settings location templates, existing settings location templates will continue to work. +- The Company Settings Center was removed and is no longer available on user devices. Users can no longer manage their synchronized settings. + For more information about how to configure an existing UE-V installation after upgrading user devices to Windows 10, see [Upgrade to UE-V for Windows 10](uev-upgrade-uev-from-previous-releases.md). > **Important**  You can upgrade your existing UE-V installation to Windows 10 from UE-V versions 2.1 or 2.0 only. If you are using a previous version of UE-V, you’ll need to upgrade from that version to UE-V 2.x before you upgrade to Windows 10. 
@@ -32,11 +34,27 @@ For more information about how to configure an existing UE-V installation after UE-V for Windows 10 includes a new template generator, available from a new location. If you are upgrading from an existing UE-V installation, you’ll need to use the new generator to create settings location templates. The UE-V for Windows 10 template generator is now available in the [Windows 10 Assessment and Deployment Kit](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) (Windows ADK). +### Company Settings Center removed in UE-V for Windows 10, version 1607 + +In previous versions of UE-V, users could select which of their customized application settings to synchronize with the Company Settings Center, a user interface that was available on user devices. + +Additionally, administrators could configure the Company Settings Center to include a link to support resources so that users could easily get support on virtualized settings-related issues. + +With the release of Windows 10, version 1607, the Company Settings Center was removed and users can no longer manage their synchronized settings. + +Administrators can still define which user-customized application settings can synchronize (roam) with Group Policy or Windows PowerShell. + +>**Note** With the removal of the Company Settings Center, the following group policies are no longer applicable: + +- Contact IT Link Text +- Contact IT URL +- Tray Icon + ## Compatibility with Microsoft Enterprise State Roaming With Windows 10, version 1607, users can synchronize Windows application settings and Windows operating system settings to Azure instead of to OneDrive. You can use the Windows 10 enterprise sync functionality together with UE-V on on-premises domain-joined devices only. 
-In hybrid cloud environments, UE-V can roam win32 applications on-premise while [Enterprise State Roaming](https://azure.microsoft.com/documentation/articles/active-directory-windows-enterprise-state-roaming-overview/) (ESR) can roam the rest, e.g., Windows and desktop settings, themes, colors, etc., to an Azure cloud installation. +In hybrid cloud environments, UE-V can roam win32 applications on-premises while [Enterprise State Roaming](https://azure.microsoft.com/documentation/articles/active-directory-windows-enterprise-state-roaming-overview/) (ESR) can roam the rest, e.g., Windows and desktop settings, themes, colors, etc., to an Azure cloud installation. To configure UE-V to roam Windows desktop and application data only, change the following group policies: @@ -52,6 +70,7 @@ Additionally, to enable Windows 10 and UE-V to work together, configure these po - Disable “Sync Windows Settings” + ## Settings Synchronization Behavior Changed in UE-V for Windows 10 While earlier versions of UE-V roamed taskbar settings between Windows 10 devices, UE-V for Windows 10, version 1607 does not synchronize taskbar settings between devices running Windows 10 and devices running previous versions of Windows. From e2f2a7b6ded78c9036ff0d8cf065d0edaff0e6d1 Mon Sep 17 00:00:00 2001 From: Maggie Evans Date: Mon, 8 Aug 2016 12:59:49 -0700 Subject: [PATCH 02/10] Fixed formatting --- windows/manage/uev-release-notes-1607.md | 6 ++---- windows/manage/uev-whats-new-in-uev-for-windows.md | 8 +++----- 2 files changed, 5 insertions(+), 9 deletions(-) diff --git a/windows/manage/uev-release-notes-1607.md b/windows/manage/uev-release-notes-1607.md index 4a416cacc4..9e43ca4bef 100644 --- a/windows/manage/uev-release-notes-1607.md +++ b/windows/manage/uev-release-notes-1607.md 
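Review bot: the new section at @@ -32,11 +34,27 @@ uses a `###` heading, which nests it under the template generator section, while its siblings in this file ("## Compatibility with Microsoft Enterprise State Roaming", "## Settings Synchronization Behavior Changed in UE-V for Windows 10") are `##`; promote it to `##`. The section body is also a verbatim copy of the block added to uev-release-notes-1607.md in this same patch, so every later wording fix has to be made twice; keep the full text in one place and a one-line summary with a link in the other. The hunk at @@ -52,6 +70,7 @@ adds only a blank line and can be dropped.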
@@ -16,15 +16,13 @@ This topic includes information required to successfully install and use UE-V th ### Company Settings Center removed in UE-V for Windows 10, version 1607 -In previous versions of UE-V, users could select which of their customized application settings to synchronize with the Company Settings Center, a user interface that was available on user devices. - -Additionally, administrators could configure the Company Settings Center to include a link to support resources so that users could easily get support on virtualized settings-related issues. +In previous versions of UE-V, users could select which of their customized application settings to synchronize with the Company Settings Center, a user interface that was available on user devices. Additionally, administrators could configure the Company Settings Center to include a link to support resources so that users could easily get support on virtualized settings-related issues. With the release of Windows 10, version 1607, the Company Settings Center was removed and users can no longer manage their synchronized settings. Administrators can still define which user-customized application settings can synchronize (roam) with Group Policy or Windows PowerShell. ->**Note** With the removal of the Company Settings Center, the following group policies are no longer applicable: +**Note** With the removal of the Company Settings Center, the following group policies are no longer applicable: - Contact IT Link Text - Contact IT URL diff --git a/windows/manage/uev-whats-new-in-uev-for-windows.md b/windows/manage/uev-whats-new-in-uev-for-windows.md index 361d8d472d..06f90bb53f 100644 --- a/windows/manage/uev-whats-new-in-uev-for-windows.md +++ b/windows/manage/uev-whats-new-in-uev-for-windows.md 
@@ -34,17 +34,15 @@ For more information about how to configure an existing UE-V installation after UE-V for Windows 10 includes a new template generator, available from a new location. If you are upgrading from an existing UE-V installation, you’ll need to use the new generator to create settings location templates. The UE-V for Windows 10 template generator is now available in the [Windows 10 Assessment and Deployment Kit](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) (Windows ADK). -### Company Settings Center removed in UE-V for Windows 10, version 1607 +## Company Settings Center removed in UE-V for Windows 10, version 1607 -In previous versions of UE-V, users could select which of their customized application settings to synchronize with the Company Settings Center, a user interface that was available on user devices. - -Additionally, administrators could configure the Company Settings Center to include a link to support resources so that users could easily get support on virtualized settings-related issues. +In previous versions of UE-V, users could select which of their customized application settings to synchronize with the Company Settings Center, a user interface that was available on user devices. Additionally, administrators could configure the Company Settings Center to include a link to support resources so that users could easily get support on virtualized settings-related issues. With the release of Windows 10, version 1607, the Company Settings Center was removed and users can no longer manage their synchronized settings. Administrators can still define which user-customized application settings can synchronize (roam) with Group Policy or Windows PowerShell. 
->**Note** With the removal of the Company Settings Center, the following group policies are no longer applicable: +**Note** With the removal of the Company Settings Center, the following group policies are no longer applicable: - Contact IT Link Text - Contact IT URL From 9f7eda83271861e12694a1bb28acf665f8438bea Mon Sep 17 00:00:00 2001 From: Justinha Date: Mon, 8 Aug 2016 14:47:05 -0700 Subject: [PATCH 03/10] removed self-signed cert option --- .../bitlocker-how-to-enable-network-unlock.md | 81 ++++++------------- 1 file changed, 24 insertions(+), 57 deletions(-) diff --git a/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md b/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md index 16e0aa12b2..2b1a237877 100644 --- a/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md +++ b/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md 
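Review bot: replacing `>**Note**` with `**Note**` at @@ -34,17 +34,15 @@ fixes the broken blockquote by removing the admonition altogether, while this same file keeps `> **Important**  You can upgrade your existing UE-V installation...` in blockquote style a few lines above; for consistency keep the `>` and quote the list lines as well (`> - Contact IT Link Text`, `> - Contact IT URL`, `> - Tray Icon`). Promoting the heading to `##` is the right fix for the nesting.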
@@ -80,11 +80,11 @@ The server side configuration to enable Network Unlock also requires provisionin ## Configure Network Unlock -The following steps allow an administrator to configure Network Unlock in a domain where the Domain Functional Level is at least Windows Server 2012. +The following steps allow an administrator to configure Network Unlock in a domain where the domain functional level is at least Windows Server 2012. ### Step One: Install the WDS Server role -The BitLocker Network Unlock feature will install the WDS role if it is not already installed. If you want to install it separately before you install BitLocker Network Unlock you can use Server Manager or Windows PowerShell. To install the role using Server Manager, select the **Windows Deployment Services** role in Server Manager. +The BitLocker Network Unlock feature will install the WDS role if it is not already installed. If you want to install it separately before you install BitLocker Network Unlock, you can use Server Manager or Windows PowerShell. To install the role using Server Manager, select the **Windows Deployment Services** role. To install the role using Windows PowerShell, use the following command: 
@@ -114,72 +114,39 @@ Install-WindowsFeature BitLocker-NetworkUnlock ``` ### Step Four: Create the Network Unlock certificate -Network Unlock can use imported certificates from an existing PKI infrastructure, or you can use a self-signed certificate. +Network Unlock can use imported certificates from an existing PKI infrastructure. To enroll a certificate from an existing certification authority (CA), do the following: -1. Open Certificate Manager on the WDS server using **certmgr.msc** -2. Under the Certificates - Current User item, right-click Personal -3. Select All Tasks, then **Request New Certificate** -4. Select **Next** when the Certificate Enrollment wizard opens -5. Select Active Directory Enrollment Policy -6. Choose the certificate template created for Network Unlock on the Domain controller and select **Enroll**. When prompted for more information, add the following attribute to the certificate: +1. Open Certificate Manager on the WDS server using **certmgr.msc**. +2. Under the Certificates - Current User item, right-click **Personal**. +3. Select All Tasks, then **Request New Certificate**. +4. Select **Next** when the Certificate Enrollment wizard opens. +5. Select **Active Directory Enrollment Policy**. +6. Choose the certificate template created for Network Unlock on the domain controller and select **Enroll**. When prompted for more information, add the following attribute to the certificate: - Select the **Subject Name** pane and provide a friendly name value. It is suggested that this friendly name include information for the domain or organizational unit for the certificate. For example "BitLocker Network Unlock Certificate for Contoso domain" 7. Create the certificate. Ensure the certificate appears in the Personal folder. -8. Export the public key certificate for Network Unlock +8. Export the public key certificate for Network Unlock: 1. 
Create a .cer file by right-clicking the previously created certificate, choosing **All Tasks**, then **Export**. 2. Select **No, do not export the private key**. 3. Select **DER encoded binary X.509** and complete exporting the certificate to a file. 4. Give the file a name such as BitLocker-NetworkUnlock.cer. -9. Export the public key with a private key for Network Unlock +9. Export the public key with a private key for Network Unlock: 1. Create a .pfx file by right-clicking the previously created certificate, choosing **All Tasks**, then **Export**. 2. Select **Yes, export the private key**. 3. Complete the wizard to create the .pfx file. -To create a self-signed certificate, do the following: - -1. Create a text file with an .inf extension. For example, notepad.exe BitLocker-NetworkUnlock.inf -2. Add the following contents to the previously created file: - - ``` syntax - [NewRequest] - Subject="CN=BitLocker Network Unlock certificate" - Exportable=true - RequestType=Cert - KeyUsage="CERT_KEY_ENCIPHERMENT_KEY_USAGE" - KeyUsageProperty="NCRYPT_ALLOW_DECRYPT_FLAG" - KeyLength=2048 - Keyspec="AT_KEYEXCHANGE" - SMIME=FALSE - HashAlgorithm=sha512 - [Extensions] - 1.3.6.1.4.1.311.21.10 = "{text}" - _continue_ = "OID=1.3.6.1.4.1.311.67.1.1" - 2.5.29.37 = "{text}" - _continue_ = "1.3.6.1.4.1.311.67.1.1" - ``` - -3. Open an elevated command prompt and use the certreq tool to create a new certificate using the following command, specifying the full path to the file created previously, along with the file name: - - ``` syntax - certreq -new BitLocker-NetworkUnlock.inf BitLocker-NetworkUnlock.cer - ``` - -4. Verify the previous command properly created the certificate by confirming the .cer file exists -5. Launch the Certificate Manager by running **certmgr.msc** -6. 
Create a .pfx file by opening the **Certificates – Current User\\Personal\\Certificates** path in the navigation pane, right-clicking the previously imported certificate, selecting **All Tasks**, then **Export**. Follow through the wizard to create the .pfx file. - ### Step Five: Deploy the private key and certificate to the WDS server With the certificate and key created, deploy them to the infrastructure to properly unlock systems. To deploy the certificates, do the following: 1. On the WDS server, open a new MMC and add the certificates snap-in. Select the computer account and local computer when given the options. -2. Right-click the Certificates (Local Computer) - BitLocker Drive Encryption Network Unlock item, choose All Tasks, then **Import** +2. Right-click the Certificates (Local Computer) - BitLocker Drive Encryption Network Unlock item, choose All Tasks, then **Import**. 3. In the **File to Import** dialog, choose the .pfx file created previously. 4. Enter the password used to create the .pfx and complete the wizard. 
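Review bot: dropping the self-signed procedure at @@ -114,72 +114,39 @@ also removes the only text in Step Four that spells out what the certificate must contain: the deleted .inf shows key usage `CERT_KEY_ENCIPHERMENT_KEY_USAGE`, a 2048-bit `AT_KEYEXCHANGE` key, an exportable private key and the extended key usage `1.3.6.1.4.1.311.67.1.1`. A reader bringing a certificate from an existing PKI now has no checklist to validate it against; restate those requirements in the CA enrollment text or point to the template section further down, which lists the same OID and key usage. The new opening sentence, "Network Unlock can use imported certificates from an existing PKI infrastructure.", still reads as if an alternative exists and repeats "infrastructure"; something like "Network Unlock requires a certificate issued by your existing PKI; enroll it as follows:" is clearer. Step 9 exports the private key into a .pfx and Step Five imports that file on the WDS server, but no step says to delete the .pfx afterwards or to choose a strong export password; since that file holds the Network Unlock private key, add both.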
@@ -189,18 +156,18 @@ With certificate and key deployed to the WDS server for Network Unlock, the fina The following steps describe how to enable the Group Policy setting that is a requirement for configuring Network Unlock. -1. Open Group Policy Management Console (gpmc.msc) -2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option -3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers +1. Open Group Policy Management Console (gpmc.msc). +2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option. +3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers. The following steps describe how to deploy the required Group Policy setting: >**Note:**  The Group Policy settings **Allow network unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012.   -1. Copy the .cer file created for Network Unlock to the domain controller -2. On the domain controller, launch Group Policy Management Console (gpmc.msc) +1. Copy the .cer file created for Network Unlock to the domain controller. +2. On the domain controller, launch Group Policy Management Console (gpmc.msc). 3. Create a new Group Policy Object or modify an existing object to enable the **Allow network unlock at startup** setting. -4. Deploy the public certificate to clients +4. Deploy the public certificate to clients: 1. Within Group Policy Management Console, navigate to the following location: **Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate** 2. Right-click the folder and choose **Add Network Unlock Certificate** 
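Review bot: the three TPM+PIN steps at @@ -189,18 +156,18 @@ (open gpmc.msc, enable "Require additional authentication at startup" with "Require startup PIN with TPM", turn on BitLocker with TPM+PIN) are repeated word for word at @@ -212,16 +179,16 @@, where they are introduced as "An additional step ... for an extra level of security"; here they are introduced as "a requirement for configuring Network Unlock". The two labels contradict each other; decide which is true, keep one copy, and have the other location link to it. This hunk only adds trailing periods, so it is the natural place to resolve that while the list is being touched.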
@@ -212,16 +179,16 @@ The following steps describe how to deploy the required Group Policy setting: An additional step is for enterprises to use TPM+PIN protectors for an extra level of security. To require TPM+PIN protectors in an environment, do the following: -1. Open Group Policy Management Console (gpmc.msc) -2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option -3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers +1. Open Group Policy Management Console (gpmc.msc). +2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option. +3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers. ### Create the certificate template for Network Unlock The following steps detail how to create a certificate template for use with BitLocker Network Unlock. A properly configured Active Directory Services Certification Authority can use this certificate to create and issue Network Unlock certificates. 1. Open the Certificates Template snap-in (certtmpl.msc). -2. Locate the User template. Right-click the template name and select **Duplicate Template** +2. Locate the User template. Right-click the template name and select **Duplicate Template**. 3. On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to Windows Server 2012 and Windows 8respectively. Ensure the **Show resulting changes** dialog box is selected. 4. Select the **General** tab of the template. The **Template display name** and **Template name** should clearly identify that the template will be used for Network Unlock. Clear the checkbox for the **Publish certificate in Active Directory** option. 5. Select the **Request Handling** tab. Select **Encryption** from the **Purpose** drop down menu. Ensure the **Allow private key to be exported** option is selected. 
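Review bot: the context line "change the **Certification Authority** and **Certificate recipient** fields to Windows Server 2012 and Windows 8respectively" is missing the space in "Windows 8 respectively" and sits beside lines this hunk punctuates; fix it here. "A properly configured Active Directory Services Certification Authority" should read "Active Directory Certificate Services (AD CS) certification authority". In step 5, "Ensure the **Allow private key to be exported** option is selected" deserves a reason: Step Four enrolls the certificate into the Current User Personal store on the WDS server and Step Five moves it into the Local Computer store through a .pfx, which only works if the key is exportable; saying so stops readers from "hardening" the template by clearing that box and then failing at Step Five.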
@@ -237,9 +204,9 @@ The following steps detail how to create a certificate template for use with Bit - **Name:** **BitLocker Network Unlock** - **Object Identifier:** **1.3.6.1.4.1.311.67.1.1** -14. Select the newly created **BitLocker Network Unlock** application policy and select **OK** +14. Select the newly created **BitLocker Network Unlock** application policy and select **OK**. 15. With the **Extensions** tab still open, select the **Edit Key Usage Extension** dialog, select the **Allow key exchange only with key encryption (key encipherment)** option. Select the **Make this extension critical** option. -16. Select the **Security** tab. Confirm that the **Domain Admins** group has been granted **Enroll** permission +16. Select the **Security** tab. Confirm that the **Domain Admins** group has been granted **Enroll** permission. 17. Select **OK** to complete configuration of the template. To add the Network Unlock template to the Certification Authority, open the Certification Authority snap-in (certsrv.msc). Right-click the **Certificate Templates** item and choose **New, Certificate Template to issue**. Select the previously created BitLocker Network Unlock certificate. From cd9fbc5cd12db8617bd3d70f0c4094e8a0ba52bb Mon Sep 17 00:00:00 2001 From: Maggie Evans Date: Mon, 8 Aug 2016 15:16:45 -0700 Subject: [PATCH 04/10] Fixed bugs --- windows/deploy/upgrade-analytics-get-started.md | 2 +- windows/deploy/upgrade-analytics-release-notes.md | 2 +- windows/deploy/upgrade-analytics-requirements.md | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/deploy/upgrade-analytics-get-started.md b/windows/deploy/upgrade-analytics-get-started.md index 61df9139e8..3e691ab5e1 100644 --- a/windows/deploy/upgrade-analytics-get-started.md +++ b/windows/deploy/upgrade-analytics-get-started.md 
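Review bot: step 16 at @@ -237,9 +204,9 @@ only confirms that Domain Admins have Enroll, but the template was created by duplicating the built-in User template (step 2), whose default security tab grants Domain Users Read, Enroll and Autoenroll, and the duplicate inherits those entries. Left as is, any domain user can request a certificate carrying the BitLocker Network Unlock application policy (1.3.6.1.4.1.311.67.1.1) from this CA. Add to step 16: remove Enroll and Autoenroll from Domain Users (and any other principal not meant to deploy a WDS server) so only the intended administrators can enroll. Step 15 also runs two instructions together: "select the **Edit Key Usage Extension** dialog, select the **Allow key exchange only with key encryption (key encipherment)** option"; join them with "and then".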
@@ -37,7 +37,7 @@ If you are already using OMS, you’ll find Upgrade Analytics in the Solutions G If you are not using OMS: -1. Go to the [Upgrade Analytics website](http://go.microsoft.com/fwlink/?LinkID=799190&clcid=0x409) and click **Sign up** to kick off the onboarding process. +1. Go to the [Upgrade Analytics page on Microsoft.com](http://go.microsoft.com/fwlink/?LinkID=799190&clcid=0x409) and click **Sign up** to kick off the onboarding process. 2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. diff --git a/windows/deploy/upgrade-analytics-release-notes.md b/windows/deploy/upgrade-analytics-release-notes.md index dd1959b0e1..dbf92527d7 100644 --- a/windows/deploy/upgrade-analytics-release-notes.md +++ b/windows/deploy/upgrade-analytics-release-notes.md @@ -1,5 +1,5 @@ --- title: Upgrade Analytics release notes (Windows 10) description: Provides tips and limitations about Upgrade Analytics. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/upgrade-analytics-requirements +redirect_url: https://technet.microsoft.com/itpro/windows/deploy/upgrade-analytics-requirements#important-information-about-this-release --- \ No newline at end of file diff --git a/windows/deploy/upgrade-analytics-requirements.md b/windows/deploy/upgrade-analytics-requirements.md index 5dc5a972e7..1d48d9a363 100644 --- a/windows/deploy/upgrade-analytics-requirements.md +++ b/windows/deploy/upgrade-analytics-requirements.md 
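Review bot: the redirect_url change in upgrade-analytics-release-notes.md appends `#important-information-about-this-release`, but the heading that generates that anchor is not part of this patch, so nothing here shows it exists in upgrade-analytics-requirements.md; check the rendered heading id (case and punctuation affect it) before merging, because a wrong fragment silently lands the reader at the top of the page. In the get-started hunk the new link text "Upgrade Analytics page on Microsoft.com" is fine, but the fwlink keeps a `clcid=0x409` locale parameter; drop it unless the English page is intended for all readers.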
@@ -29,7 +29,7 @@ Upgrade Analytics is offered as a solution in the Microsoft Operations Managemen If you’re already using OMS, you’ll find Upgrade Analytics in the Solutions Gallery. Click the Upgrade Analytics tile in the gallery and then click Add on the solution’s details page. Upgrade Analytics is now visible in your workspace. -If you are not using OMS, go to \[link to new Upgrade Analytics Web page on Microsoft.com\] and select **Upgrade Analytics Service** to kick off the OMS onboarding process. During the onboarding process, you’ll create an OMS workspace and add the Upgrade Analytics solution to it. +If you are not using OMS, go to [the Upgrade Analytics page on Microsoft.com](https://www.microsoft.com/en-us/WindowsForBusiness/upgrade-analytics) and select **Sign up** to kick off the OMS onboarding process. During the onboarding process, you’ll create an OMS workspace and add the Upgrade Analytics solution to it. Important: You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory, use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. 
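Review bot: the hunk at @@ -29,7 +29,7 @@ links the Upgrade Analytics page as https://www.microsoft.com/en-us/WindowsForBusiness/upgrade-analytics, while the get-started page in this same patch links what is described as the same page through http://go.microsoft.com/fwlink/?LinkID=799190&clcid=0x409; use a single target in both files, preferably the fwlink, which survives a page move. The two pages also disagree on the verb ("click **Sign up**" there, "select **Sign up**" here); pick one.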
@@ -37,7 +37,7 @@ Important: You can use either a Microsoft Account or a Work or School account to After you’ve signed in to Operations Management Suite and added the Upgrade Analytics solution to your workspace, you’ll need to complete the following tasks to allow user computer data to be shared with and assessed by Upgrade Analytics. -See \[link to Steve May’s PDF doc when it’s published\] for more information about what user computer data Upgrade Analytics collects and assesses. See [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization) for more information about how Microsoft uses Windows telemetry data. +See [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](http://go.microsoft.com/fwlink/?LinkID=822965) for more information about what user computer data Upgrade Analytics collects and assesses. See [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization) for more information about how Microsoft uses Windows telemetry data. **Whitelist telemetry endpoints.** To enable telemetry data to be sent to Microsoft, you’ll need to whitelist the following Microsoft telemetry endpoints on your proxy server or firewall. You may need to get approval from your security group to do this. From 009b03f63efa81e5ad1c1fcfa8736f6a0716cffc Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Tue, 9 Aug 2016 07:26:59 -0700 Subject: [PATCH 05/10] fixed typos --- windows/manage/settings-that-can-be-locked-down.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/manage/settings-that-can-be-locked-down.md b/windows/manage/settings-that-can-be-locked-down.md index fe4253fb64..c0348677ba 100644 --- a/windows/manage/settings-that-can-be-locked-down.md +++ b/windows/manage/settings-that-can-be-locked-down.md 
@@ -266,27 +266,27 @@ The following table lists the settings pages and page groups. Use the page name Narrator -SettingsPageEaseoOfAccessNarrator +SettingsPageEaseOfAccessNarrator Magnifier -SettingsPageEaseoOfAccessMagnifier +SettingsPageEaseOfAccessMagnifier High contrast -SettingsPageEaseoOfAccessHighContrast +SettingsPageEaseOfAccessHighContrast Closed captions -SettingsPageEaseoOfAccessClosedCaptioning +SettingsPageEaseOfAccessClosedCaptioning More options -SettingsPageEaseoOfAccessMoreOptions +SettingsPageEaseOfAccessMoreOptions Privacy From 5a5095b29ae896ea56b28234d92e9e4c37068cf2 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Tue, 9 Aug 2016 09:25:22 -0700 Subject: [PATCH 06/10] removing placeholder content --- devices/hololens/TOC.md | 1 - devices/hololens/index.md | 1 - 2 files changed, 2 deletions(-) delete mode 100644 devices/hololens/TOC.md delete mode 100644 devices/hololens/index.md diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md deleted file mode 100644 index 06913f7aef..0000000000 --- a/devices/hololens/TOC.md +++ /dev/null @@ -1 +0,0 @@ -# [Index](index.md) \ No newline at end of file diff --git a/devices/hololens/index.md b/devices/hololens/index.md deleted file mode 100644 index beccdc8994..0000000000 --- a/devices/hololens/index.md +++ /dev/null @@ -1 +0,0 @@ -# Index test file for Open Publishing \ No newline at end of file From c17f869ceb0c4196feae4f905c9d177b3f188dfc Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Tue, 9 Aug 2016 09:32:45 -0700 Subject: [PATCH 07/10] update link --- windows/manage/lockdown-features-windows-10.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/manage/lockdown-features-windows-10.md b/windows/manage/lockdown-features-windows-10.md index 555ec7ab73..ed9d772f83 100644 --- a/windows/manage/lockdown-features-windows-10.md +++ b/windows/manage/lockdown-features-windows-10.md @@ -40,7 +40,7 @@ Many of the lockdown features available in Windows Embedded 8.1 Industry have be

[Unified Write Filter](http://go.microsoft.com/fwlink/p/?LinkId=626757): protect a device's physical storage media

-[Unified Write Filter](http://go.microsoft.com/fwlink/p/?LinkId=626607) +[Unified Write Filter](https://msdn.microsoft.com/en-us/library/windows/hardware/mt572001.aspx)

The Unified Write Filter is continued in Windows 10, with the exception of HORM which has been deprecated.

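Review bot: the five renames at @@ -266,27 +266,27 @@ in settings-that-can-be-locked-down.md correct identifiers that administrators copy into a lockdown configuration ("Use the page name ..."), and a misspelled identifier will not match the Settings page it is meant to lock down; before merging, search the whole file for any remaining "EaseoOf" and for Ease of Access pages that were not in this hunk, so the fix is complete rather than partial.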
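Review bot: deleting devices/hololens/TOC.md and index.md in patch 06 removes the only two files in that docset, and index.md reads "Index test file for Open Publishing", which suggests the publishing build expects them; patch 08 in this series reverts the deletion, so the net effect of 06, 08 and 09 is a TOC entry titled "Placeholder" that will show in navigation if the hololens node is published. Either hide that node from the TOC or give it a real title, and squash the delete/revert pair so the history records only the rename.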
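Review bot: the hunk at @@ -40,7 +40,7 @@ in lockdown-features-windows-10.md replaces a go.microsoft.com fwlink with a direct https://msdn.microsoft.com/en-us/library/windows/hardware/mt572001.aspx URL while the link two lines above keeps the fwlink form (LinkId=626757); mixing the two styles in one row means one link follows a page move and the other does not, and the hard-coded `en-us` segment forces English for non-English readers. If the old fwlink was broken, say so in the commit message (it currently reads only "update link") and at least drop the locale segment. Both links also carry the identical text "Unified Write Filter" while pointing at different pages; differentiate them (for example "Unified Write Filter in Windows 10" for the second).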
From 8e28557db123bab78112a0c2e62dc681a52a65eb Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Tue, 9 Aug 2016 09:37:07 -0700 Subject: [PATCH 08/10] Revert "removing placeholder content" This reverts commit 5a5095b29ae896ea56b28234d92e9e4c37068cf2. --- devices/hololens/TOC.md | 1 + devices/hololens/index.md | 1 + 2 files changed, 2 insertions(+) create mode 100644 devices/hololens/TOC.md create mode 100644 devices/hololens/index.md diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md new file mode 100644 index 0000000000..06913f7aef --- /dev/null +++ b/devices/hololens/TOC.md @@ -0,0 +1 @@ +# [Index](index.md) \ No newline at end of file diff --git a/devices/hololens/index.md b/devices/hololens/index.md new file mode 100644 index 0000000000..beccdc8994 --- /dev/null +++ b/devices/hololens/index.md @@ -0,0 +1 @@ +# Index test file for Open Publishing \ No newline at end of file From 0cbe3dbd6fd5b661db37678835c5ba2611b652f5 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Tue, 9 Aug 2016 09:38:24 -0700 Subject: [PATCH 09/10] changing tex --- devices/hololens/TOC.md | 2 +- devices/hololens/index.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md index 06913f7aef..8b4c888244 100644 --- a/devices/hololens/TOC.md +++ b/devices/hololens/TOC.md @@ -1 +1 @@ -# [Index](index.md) \ No newline at end of file +# [Placeholder](index.md) \ No newline at end of file diff --git a/devices/hololens/index.md b/devices/hololens/index.md index beccdc8994..867e2c8492 100644 --- a/devices/hololens/index.md +++ b/devices/hololens/index.md @@ -1 +1 @@ -# Index test file for Open Publishing \ No newline at end of file +# Placeholder \ No newline at end of file From 87a89759ef8d9a80938ac22b73302f70441e08d8 Mon Sep 17 00:00:00 2001 
From: Brian Lich Date: Tue, 9 Aug 2016 09:39:15 -0700 Subject: [PATCH 10/10] Revert "removed self-signed cert option" --- .../bitlocker-how-to-enable-network-unlock.md | 81 +++++++++++++------ 1 file changed, 57 insertions(+), 24 deletions(-) diff --git a/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md b/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md index 2b1a237877..16e0aa12b2 100644 --- a/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md +++ b/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md @@ -80,11 +80,11 @@ The server side configuration to enable Network Unlock also requires provisionin ## Configure Network Unlock -The following steps allow an administrator to configure Network Unlock in a domain where the domain functional level is at least Windows Server 2012. +The following steps allow an administrator to configure Network Unlock in a domain where the Domain Functional Level is at least Windows Server 2012. ### Step One: Install the WDS Server role -The BitLocker Network Unlock feature will install the WDS role if it is not already installed. If you want to install it separately before you install BitLocker Network Unlock, you can use Server Manager or Windows PowerShell. To install the role using Server Manager, select the **Windows Deployment Services** role. +The BitLocker Network Unlock feature will install the WDS role if it is not already installed. If you want to install it separately before you install BitLocker Network Unlock you can use Server Manager or Windows PowerShell. To install the role using Server Manager, select the **Windows Deployment Services** role in Server Manager. To install the role using Windows PowerShell, use the following command: 
@@ -114,39 +114,72 @@ Install-WindowsFeature BitLocker-NetworkUnlock ``` ### Step Four: Create the Network Unlock certificate -Network Unlock can use imported certificates from an existing PKI infrastructure. +Network Unlock can use imported certificates from an existing PKI infrastructure, or you can use a self-signed certificate. To enroll a certificate from an existing certification authority (CA), do the following: -1. Open Certificate Manager on the WDS server using **certmgr.msc**. -2. Under the Certificates - Current User item, right-click **Personal**. -3. Select All Tasks, then **Request New Certificate**. -4. Select **Next** when the Certificate Enrollment wizard opens. -5. Select **Active Directory Enrollment Policy**. -6. Choose the certificate template created for Network Unlock on the domain controller and select **Enroll**. When prompted for more information, add the following attribute to the certificate: +1. Open Certificate Manager on the WDS server using **certmgr.msc** +2. Under the Certificates - Current User item, right-click Personal +3. Select All Tasks, then **Request New Certificate** +4. Select **Next** when the Certificate Enrollment wizard opens +5. Select Active Directory Enrollment Policy +6. Choose the certificate template created for Network Unlock on the Domain controller and select **Enroll**. When prompted for more information, add the following attribute to the certificate: - Select the **Subject Name** pane and provide a friendly name value. It is suggested that this friendly name include information for the domain or organizational unit for the certificate. For example "BitLocker Network Unlock Certificate for Contoso domain" 7. Create the certificate. Ensure the certificate appears in the Personal folder. -8. Export the public key certificate for Network Unlock: +8. Export the public key certificate for Network Unlock 1. 
Create a .cer file by right-clicking the previously created certificate, choosing **All Tasks**, then **Export**. 2. Select **No, do not export the private key**. 3. Select **DER encoded binary X.509** and complete exporting the certificate to a file. 4. Give the file a name such as BitLocker-NetworkUnlock.cer. -9. Export the public key with a private key for Network Unlock: +9. Export the public key with a private key for Network Unlock 1. Create a .pfx file by right-clicking the previously created certificate, choosing **All Tasks**, then **Export**. 2. Select **Yes, export the private key**. 3. Complete the wizard to create the .pfx file. +To create a self-signed certificate, do the following: + +1. Create a text file with an .inf extension. For example, notepad.exe BitLocker-NetworkUnlock.inf +2. Add the following contents to the previously created file: + + ``` syntax + [NewRequest] + Subject="CN=BitLocker Network Unlock certificate" + Exportable=true + RequestType=Cert + KeyUsage="CERT_KEY_ENCIPHERMENT_KEY_USAGE" + KeyUsageProperty="NCRYPT_ALLOW_DECRYPT_FLAG" + KeyLength=2048 + Keyspec="AT_KEYEXCHANGE" + SMIME=FALSE + HashAlgorithm=sha512 + [Extensions] + 1.3.6.1.4.1.311.21.10 = "{text}" + _continue_ = "OID=1.3.6.1.4.1.311.67.1.1" + 2.5.29.37 = "{text}" + _continue_ = "1.3.6.1.4.1.311.67.1.1" + ``` + +3. Open an elevated command prompt and use the certreq tool to create a new certificate using the following command, specifying the full path to the file created previously, along with the file name: + + ``` syntax + certreq -new BitLocker-NetworkUnlock.inf BitLocker-NetworkUnlock.cer + ``` + +4. Verify the previous command properly created the certificate by confirming the .cer file exists +5. Launch the Certificate Manager by running **certmgr.msc** +6. 
Create a .pfx file by opening the **Certificates – Current User\\Personal\\Certificates** path in the navigation pane, right-clicking the previously imported certificate, selecting **All Tasks**, then **Export**. Follow through the wizard to create the .pfx file. + ### Step Five: Deploy the private key and certificate to the WDS server With the certificate and key created, deploy them to the infrastructure to properly unlock systems. To deploy the certificates, do the following: 1. On the WDS server, open a new MMC and add the certificates snap-in. Select the computer account and local computer when given the options. -2. Right-click the Certificates (Local Computer) - BitLocker Drive Encryption Network Unlock item, choose All Tasks, then **Import**. +2. Right-click the Certificates (Local Computer) - BitLocker Drive Encryption Network Unlock item, choose All Tasks, then **Import** 3. In the **File to Import** dialog, choose the .pfx file created previously. 4. Enter the password used to create the .pfx and complete the wizard. 
@@ -156,18 +189,18 @@ With certificate and key deployed to the WDS server for Network Unlock, the fina The following steps describe how to enable the Group Policy setting that is a requirement for configuring Network Unlock. -1. Open Group Policy Management Console (gpmc.msc). -2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option. -3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers. +1. Open Group Policy Management Console (gpmc.msc) +2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option +3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers The following steps describe how to deploy the required Group Policy setting: >**Note:**  The Group Policy settings **Allow network unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012.   -1. Copy the .cer file created for Network Unlock to the domain controller. -2. On the domain controller, launch Group Policy Management Console (gpmc.msc). +1. Copy the .cer file created for Network Unlock to the domain controller +2. On the domain controller, launch Group Policy Management Console (gpmc.msc) 3. Create a new Group Policy Object or modify an existing object to enable the **Allow network unlock at startup** setting. -4. Deploy the public certificate to clients: +4. Deploy the public certificate to clients 1. Within Group Policy Management Console, navigate to the following location: **Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate** 2. Right-click the folder and choose **Add Network Unlock Certificate** 
@@ -179,16 +212,16 @@ The following steps describe how to deploy the required Group Policy setting: An additional step is for enterprises to use TPM+PIN protectors for an extra level of security. To require TPM+PIN protectors in an environment, do the following: -1. Open Group Policy Management Console (gpmc.msc). -2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option. -3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers. +1. Open Group Policy Management Console (gpmc.msc) +2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option +3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers ### Create the certificate template for Network Unlock The following steps detail how to create a certificate template for use with BitLocker Network Unlock. A properly configured Active Directory Services Certification Authority can use this certificate to create and issue Network Unlock certificates. 1. Open the Certificates Template snap-in (certtmpl.msc). -2. Locate the User template. Right-click the template name and select **Duplicate Template**. +2. Locate the User template. Right-click the template name and select **Duplicate Template** 3. On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to Windows Server 2012 and Windows 8respectively. Ensure the **Show resulting changes** dialog box is selected. 4. Select the **General** tab of the template. The **Template display name** and **Template name** should clearly identify that the template will be used for Network Unlock. Clear the checkbox for the **Publish certificate in Active Directory** option. 5. Select the **Request Handling** tab. Select **Encryption** from the **Purpose** drop down menu. Ensure the **Allow private key to be exported** option is selected. 
@@ -204,9 +237,9 @@ The following steps detail how to create a certificate template for use with Bit - **Name:** **BitLocker Network Unlock** - **Object Identifier:** **1.3.6.1.4.1.311.67.1.1** -14. Select the newly created **BitLocker Network Unlock** application policy and select **OK**. +14. Select the newly created **BitLocker Network Unlock** application policy and select **OK** 15. With the **Extensions** tab still open, select the **Edit Key Usage Extension** dialog, select the **Allow key exchange only with key encryption (key encipherment)** option. Select the **Make this extension critical** option. -16. Select the **Security** tab. Confirm that the **Domain Admins** group has been granted **Enroll** permission. +16. Select the **Security** tab. Confirm that the **Domain Admins** group has been granted **Enroll** permission 17. Select **OK** to complete configuration of the template. To add the Network Unlock template to the Certification Authority, open the Certification Authority snap-in (certsrv.msc). Right-click the **Certificate Templates** item and choose **New, Certificate Template to issue**. Select the previously created BitLocker Network Unlock certificate.
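Review bot: in the @@ -80,11 +80,11 @@ hunk the revert reintroduces a redundant "in Server Manager" at the end of a sentence that already opens with "To install the role using Server Manager", drops the comma before "you can use Server Manager or Windows PowerShell", and capitalises "Domain Functional Level" with no stated reason. Keep the copy-edited wording for these three lines; the revert only needs the self-signed certificate content.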
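Review bot: the self-signed certificate steps in the @@ -114,39 +114,72 @@ hunk need three fixes before they go back in. First, step 6 says "right-clicking the previously imported certificate", but no import precedes it; the certificate comes from the `certreq -new` step, so say "previously created". Second, the .inf sets KeyUsage, KeyLength=2048, HashAlgorithm=sha512 and the BitLocker Network Unlock OID 1.3.6.1.4.1.311.67.1.1 in both the application-policy and EKU extensions, which matches the template defined later in the doc, but it sets no validity period, so certreq applies its default; state the resulting lifetime and that renewal means redeploying both the .pfx on the WDS server (Step Five) and the .cer through Group Policy (Step Six). Third, because `Exportable=true` is set so the .pfx can carry the private key that decrypts Network Unlock protectors, step 6 should tell the reader to protect the .pfx with a strong password and delete it from the workstation and the WDS server once Step Five's import is done. The hunk also strips the terminal periods from steps 1 through 5, 8 and 9; keep them for consistency with steps 6 and 7.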
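Review bot: in the @@ -156,18 +189,18 @@ hunk the only change is removing terminal punctuation from the numbered steps, and it removes the colon from "4. Deploy the public certificate to clients", which introduces sub-steps and therefore needs it; keep the punctuated version and leave these lines out of the revert.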
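Review bot: the @@ -179,16 +212,16 @@ hunk again only strips periods from the TPM+PIN steps and from step 2 of the template procedure, leaving the list inconsistent with step 3 onward; drop this hunk from the revert. While here, the unchanged context line "Windows Server 2012 and Windows 8respectively" is missing a space before "respectively".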
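Review bot: the @@ -204,9 +237,9 @@ hunk removes the periods from steps 14 and 16 only, so the list mixes punctuated and unpunctuated items; keep the periods. The step 16 wording "Confirm that the **Domain Admins** group has been granted **Enroll** permission" is unchanged and correct, but since this template issues the Network Unlock decryption key, it is worth adding a sentence that Enroll should not be opened to wider groups.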