Merge remote-tracking branch 'refs/remotes/origin/master' into jd-sandbox

2025-05-14 14:27:22 +00:00 · 2016-10-20 07:51:32 -07:00 · 2016-10-20 07:51:32 -07:00 · c533886373
commit c533886373
parent 583744b3c5 d726120732
10 changed files with 167 additions and 81 deletions
--- a/devices/hololens/hololens-checklist.md
+++ b/devices/hololens/hololens-checklist.md
@ -0,0 +1,30 @@
 ---
 title: Checklist for HoloLens in the enterprise (HoloLens)
 description: tbd
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.pagetype: hololens, devices
 ms.sitesec: library
 author: jdeckerMS
 ---
 # Checklist: HoloLens in the enterprise
 [Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers)
 Windows Store for Business 
 Requirements
 - IT Admins: Before you sign up for the Store for Business, at a minimum, you'll need an Azure Active Directory (AAD) account for your organization, and you'll need to be the global administrator for your organization. Once the Global Admin has signed in, they can give permissions to other employees.
 - End Users: Need Azure AD account when they access Store for Business content from Windows-based devices.
 [Getting started with Azure Active Directory Premium](https://azure.microsoft.com/en-us/documentation/articles/active-directory-get-started-premium/)
 [Get started with Intune](https://docs.microsoft.com/en-us/intune/understand-explore/get-started-with-a-30-day-trial-of-microsoft-intune)
 [Enroll devices for management in Intune](https://docs.microsoft.com/en-us/intune/deploy-use/enroll-devices-in-microsoft-intune#supported-device-platforms)
 [Azure AD editions](https://azure.microsoft.com/en-us/documentation/articles/active-directory-editions/)
--- a/education/windows/chromebook-migration-guide.md
+++ b/education/windows/chromebook-migration-guide.md
@ -1,4 +1,4 @@
-> ---
+---
 title: Chromebook migration guide (Windows 10)
 description: In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment.
 ms.assetid: 7A1FA48A-C44A-4F59-B895-86D4D77F8BEA
--- a/windows/manage/TOC.md
+++ b/windows/manage/TOC.md
@ -19,6 +19,7 @@
 ### [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
 ### [Manage device restarts after updates](waas-restart.md)
 ## [Manage corporate devices](manage-corporate-devices.md)
 ### [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md)
 ### [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md)
 ### [Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md)
 ### [New policies for Windows 10](new-policies-for-windows-10.md)
--- a/windows/manage/change-history-for-manage-and-update-windows-10.md
+++ b/windows/manage/change-history-for-manage-and-update-windows-10.md
@ -17,6 +17,7 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in
 | New or changed topic | Description |
 | --- | --- |
 | [Manage device restarts after updates](waas-restart.md) | New |
 | [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md)  | New |
 | [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) |Added an important note about Cortana and Office 365 integration. |
 | [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added link to the Windows Restricted Traffic Limited Functionality Baseline. Added Teredo Group Policy. |
--- a/windows/manage/images/windows-10-management-cyod-byod-flow.png
+++ b/windows/manage/images/windows-10-management-cyod-byod-flow.png
--- a/windows/manage/images/windows-10-management-gp-intune-flow.png
+++ b/windows/manage/images/windows-10-management-gp-intune-flow.png
--- a/windows/manage/images/windows-10-management-range-of-options.png
+++ b/windows/manage/images/windows-10-management-range-of-options.png
--- a/windows/manage/manage-corporate-devices.md
+++ b/windows/manage/manage-corporate-devices.md
@ -19,81 +19,22 @@ localizationpriority: high
 -   Windows 10
 -   Windows 10 Mobile
-You can use the same management tools to manage all device types running Windows 10 : desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, Orchestrator runbooks, System Center tools, and so on, will continue to work for Windows 10 on desktop editions.
+You can use the same management tools to manage all device types running Windows 10 : desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, System Center tools, and so on, will continue to work for Windows 10.
-There are several options for managing Windows 10 on corporate-owned devices in an enterprise.
+## In this section
-## Identity and management options
+| Topic | Description |
 | --- | --- |
 | [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | Strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment | 
 | [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) | How to use Remote Desktop Connection to connect to an Azure AD-joined PC |
 | [Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md) | Options to manage user experiences to provide a consistent and predictable experience for employees |
 | [New policies for Windows 10](new-policies-for-windows-10.md) | New Group Policy settings added in Windows 10 |
 | [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md) | Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education |
 | [Changes to Group Policy settings for Start in Windows 10](changes-to-start-policies-in-windows-10.md) | Changes to the Group Policy settings that you use to manage Start |
 | [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) | How to plan for and deploy Windows 10 Mobile devices |
 | [Introduction to configuration service providers (CSPs) for IT pros](how-it-pros-can-use-configuration-service-providers.md) | How IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows 10 and Windows 10 Mobile in their organizations |
 Your employees using devices that are owned by the organization can connect to Active Directory or Azure Active Directory (Azure AD). Windows 10 does not require a personal Microsoft account on devices joined to Azure AD or an on-premises Active Directory domain.
 ![choose active directory or azure ad for identity](images/identitychoices.png)
 ### Active Directory join
 You can join a device running Windows 10 to an on-premises Active Directory domain after the first-run experience (sometimes called out-of-box experience or OOBE). You can add devices running Windows 10 to your existing Active Directory infrastructure and manage them just as you've always been used to managing PCs running Windows.
 Desktop devices running Windows 10 that are joined to an Active Directory domain can be managed using Group Policy and System Center Configuration Manager (current branch). The following table shows the management support for Windows 10 in Configuration Manager.
 <table>
 <colgroup>
 <col width="50%" />
 <col width="50%" />
 </colgroup>
 <thead>
 <tr class="header">
 <th align="left">Product version</th>
 <th align="left">Windows 10 support</th>
 </tr>
 </thead>
 <tbody>
 <tr class="odd">
 <td align="left"><p>[System Center Configuration Manager (current branch) ](https://technet.microsoft.com/en-us/library/mt346023.aspx)</p></td>
 <td align="left"><p>Client deployment, upgrade, and management with new and existing features</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>Configuration Manager and Configuration Manager SP1</p></td>
 <td align="left"><p>Deployment, upgrade, and management with existing features</p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p>Configuration Manager 2007</p></td>
 <td align="left"><p>Management with existing features</p></td>
 </tr>
 </tbody>
 </table>
 ### Azure AD join
 Devices joined to Azure AD can be managed using Microsoft Intune or other mobile device management (MDM) solutions. MDM infrastructure for Windows 10 is consistent across device types. Configuration capabilities may vary based on device platform.
 ![mdm options for mobile, desktop, and iot through device lifecycle](images/mdm.png)
 For flexibility in identity and management, you can combine Active Directory and Azure AD. Learn about [integrating Active Directory and Azure Active Directory for a hybrid identity solution](https://go.microsoft.com/fwlink/p/?LinkId=613209).
 ## How setting conflicts are resolved
 A device or user might receive policies from multiple sources, such as MDM, Exchange, or provisioning packages. In any policy conflict, the most secure policy value is applied. Policy settings take precedence over settings applied in a provisioning package.
 **Note**  
 Provisioning packages can be applied either during device setup or after setup for runtime configuration. For more information about runtime provisioning packages, see [Configure devices without MDM](configure-devices-without-mdm.md).
 When setting values that do not have a security implication conflict, last write wins. When settings are configured from both a provisioning package and another configuration source, the non-provisioning package configuration source has higher priority.
 ![](images/configconflict.png)
 ## MDM enrollment
 Devices running Windows 10 include a built-in agent that can be used by MDM servers to enroll and manage devices. MDM servers do not need to create a separate agent or client to install on devices running Windows 10.
 For more information about the MDM protocols, see [Mobile device management](https://go.microsoft.com/fwlink/p/?LinkID=533172).
 ## Learn more
 [How to bulk-enroll devices with On-premises Mobile Device Management in System Center Configuration Manager](https://technet.microsoft.com/library/mt627898.aspx)
@ -114,16 +55,8 @@ For more information about the MDM protocols, see [Mobile device management](htt
 Microsoft Virtual Academy course: [System Center 2012 R2 Configuration Manager & Windows Intune](https://go.microsoft.com/fwlink/p/?LinkId=613208)
 ## Related topics
 [Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md)
 - [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) 
 - [New policies for Windows 10](new-policies-for-windows-10.md)
 - [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md)
 - [Changes to Group Policy settings for Start in Windows 10](changes-to-start-policies-in-windows-10.md)
 - [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md)
 - [Introduction to configuration service providers (CSPs) for IT pros](how-it-pros-can-use-configuration-service-providers.md)
--- a/windows/manage/manage-tips-and-suggestions.md
+++ b/windows/manage/manage-tips-and-suggestions.md
@ -1,6 +1,6 @@
 ---
 title: Manage Windows 10 and Windows Store tips, tricks, and suggestions (Windows 10)
-description: Windows 10 provides organizations with various options to manage auser experiences to provide a consistent and predictable experience for employees. 
+description: Windows 10 provides organizations with various options to manage user experiences to provide a consistent and predictable experience for employees. 
 keywords: ["device management"]
 ms.prod: w10
 ms.mktglfcycl: manage
--- a/windows/manage/manage-windows-10-in-your-organization-modern-management.md
+++ b/windows/manage/manage-windows-10-in-your-organization-modern-management.md
@ -0,0 +1,121 @@
 ---
 title: Manage Windows 10 in your organization - transitioning to modern management
 description: This topic offers strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment.
 keywords: ["MDM", "device management", "group policy", "Azure Active Directory"]
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: devices
 author: jdeckerMS
 localizationpriority: medium
 ---
 # Manage Windows 10 in your organization - transitioning to modern management
 Use of personal devices for work, as well as employees working outside the office, may be changing how your organization manages devices. Certain parts of your organization might require deep, granular control over devices, while other parts might seek lighter, scenario-based management that empowers the modern workforce. Windows 10 offers the flexibility to respond to these changing requirements, and can easily be deployed in a mixed environment. You can shift the percentage of Windows 10 devices gradually, following the normal upgrade schedules used in your organization.
 Your organization might have considered bringing in Windows 10 devices and downgrading them to Windows 7 until everything is in place for a formal upgrade process. While this may appear to save costs due to standardization, greater savings can come from avoiding the downgrade and immediately taking advantage of the cost reductions Windows 10 can provide. Because Windows 10 devices can be managed using the same processes and technology as other previous Windows versions, it’s easy for versions to coexist.
 Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as System Center Configuration Manager, Microsoft Intune, or other third-party products. This “managed diversity” enables you to empower your users to benefit from the productivity enhancements available on their new Windows 10 devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows 10 much faster.
 This topic offers guidance on strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment. The topic covers [management options](#reviewing-the-management-options-with-windows-10) plus the four stages of the device lifecycle:
 -   [Deployment and Provisioning](#deployment-and-provisioning)
 -   [Identity and Authentication](#identity-and-authentication)
 -   [Configuration](#settings-and-configuration)
 -   [Updating and Servicing](#updating-and-servicing)
 ## Reviewing the management options with Windows 10
 Windows 10 offers a range of management options, as shown in the following diagram:
 <img src="images/windows-10-management-range-of-options.png" alt="The path to modern IT" width="766" height="654" />
 As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like Group Policy, Active Directory, and System Center Configuration Manager. It also delivers a “mobile-first, cloud-first” approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Rights Management Service, Office 365, and the Windows Store for Business.
 ## Deployment and Provisioning
 With Windows 10, you can continue to use traditional OS deployment, but you can also “manage out of the box.” To transform new devices into fully-configured, fully-managed devices, you can:
 <!-- The phrase "Windows Imaging and Configuration Designer (ICD)" below might need to be changed to "Windows Configuration Designer" -->
 -   Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services like Microsoft Intune.
 -   Create self-contained provisioning packages built with the Windows Imaging and Configuration Designer (ICD).
 -   Use traditional imaging techniques such as deploying custom images using System Center Configuration Manager.
 You have multiple options for upgrading to Windows 10. For existing devices running Windows 7 or Windows 8.1, you can use the robust in-place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all the existing apps, data, and settings. This can mean significantly lower deployment costs, as well as improved productivity as end users can be immediately productive – everything is right where they left it. Of course, you can also use a traditional wipe-and-load approach if you prefer, using the same tools that you use today with Windows 7.
 ## Identity and Authentication
 You can use Windows 10 and services like Azure Active Directory in new ways for cloud-based identity, authentication, and management. You can offer your users the ability to **“bring your own device” (BYOD)** or to **“choose your own device” (CYOD)** from a selection you make available. At the same time, you might be managing PCs and tablets that must be domain-joined because of specific applications or resources that are used on them.
 You can envision user and device management as falling into these two categories:
 -   **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows 10, your employees can self-provision their devices:
 -   For corporate devices, they can set up corporate access with Azure AD Join. When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://blogs.technet.microsoft.com/ad/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/), all from the cloud.
    Azure AD Join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources.
 -   Likewise, for personal devices, employees can use a new, simplified BYOD experience to add their work account to Windows, then access work resources on the device.
 -   **Domain joined PCs and tablets used for traditional applications and access to important resources.** These may be traditional applications and resources that require authentication or accessing highly sensitive or classified resources on-premises.
    With Windows 10, if you have an on-premises Active Directory domain that’s integrated with Azure AD, when employee devices are joined, they automatically register with Azure AD. This provides:
    -   Single sign-on to cloud and on-premises resources from everywhere
    -   Enterprise roaming of settings
    -   Conditional access to corporate resources based on the health or configuration of the device
    -   Windows Hello for Business
    -   Windows Hello
    Domain joined PCs and tablets can continue to be managed with the System Center Configuration Manager client or Group Policy.
 For more information about how Windows 10 and Azure AD optimize access to work resources across a mix of devices and scenarios, see [Using Windows 10 devices in your workplace](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-windows10-devices/).
 As you review the roles in your organization, you can use the following generalized decision tree to begin to identify users or devices that require domain join. Consider switching the remaining users to Azure AD.
 ![Decision tree for device authentication options](images/windows-10-management-cyod-byod-flow.png)
 ## Settings and Configuration
 Your configuration requirements are defined by multiple factors, including the level of management needed, the devices and data managed, and your industry requirements. Meanwhile, employees are frequently concerned about IT applying strict policies to their personal devices, but they still want access to corporate email and documents. With Windows 10, you can create a consistent set of configurations across PCs, tablets, and phones through the common MDM layer. 
 **MDM**: MDM gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, Group Policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. This makes MDM the best choice for devices that are constantly on the go.
 **Group Policy** and **System Center Configuration Manager**: Your organization might still need to manage domain joined computers at a granular level such as Internet Explorer’s 1,500 configurable Group Policy settings, or very specific Windows Firewall rules. If so, Group Policy and System Center Configuration Manager continue to be excellent management choices:
 -   Group Policy is the best way to granularly configure domain joined Windows PCs and tablets connected to the corporate network using Windows-based tools. Microsoft continues to add Group Policy settings with each new version of Windows.
 -   Configuration Manager remains the recommended solution for granular configuration with robust software deployment, Windows updates, and OS deployment.
 You can use the following generalized decision tree to review the management choices for devices in your organization:
 ![Decision tree for device configuration options](images/windows-10-management-gp-intune-flow.png)
 ## Updating and Servicing
 With Windows as a Service, your IT department no longer needs to perform complex imaging (wipe-and-load) processes with each new Windows release. Whether on current branch (CB) or current branch for business (CBB), devices receive the latest feature and quality updates through simple – often automatic – patching processes.
 MDM with Intune provide tools for applying Windows updates to client computers in your organization. Configuration Manager allows rich management and tracking capabilities of these updates, including maintenance windows and automatic deployment rules.
 ## Next steps
 There are a variety of steps you can take to begin the process of modernizing device management in your organization:
 -   **Assess current management practices, and look for investments you might make today.** Which of your current practices need to stay the same, and which can you change? Specifically, what elements of traditional management do you need to retain and where can you modernize? Whether you take steps to minimize custom imaging, re-evaluate settings management, or reassesses authentication and compliance, the benefits can be immediate.
 -   **Assess the different use cases and management needs in your environment.** Are there groups of devices that could benefit from lighter, simplified management? BYOD devices, for example, are natural candidates for cloud-based management. Users or devices handling more highly regulated data might require an on-premises Active Directory domain for authentication. Configuration Manager and EMS provide you the flexibility to stage implementation of modern management scenarios while targeting different devices the way that best suits your business needs.
 -   **Review the decision trees in this article.** With the different options in Windows 10, plus Configuration Manager and Enterprise Mobility + Security, you have the flexibility to handle imaging, authentication, settings, and management tools for any scenario.
 -   **Take incremental steps.** Moving towards modern device management doesn’t have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this “managed diversity,” users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability.
 -   **Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. As additional capabilities become available in the cloud-identity/MDM model, Microsoft is committed to providing a clear path from traditional to modern management.