| Section | +Settings | +
|---|---|
| Network | +These settings configure the network connections for Chromebook devices and include the following settings categories: +
|
+
| Mobile | +These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories: +
|
+
| Chrome management | +These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories: +
|
+
| Section | +Settings | +
|---|---|
Basic settings |
+These settings configure password management and whether or not two-factor authentication (2FA) is configured. You can set the minimum password length, the maximum password length, if non-admin users can recover their own passwords, and enable 2FA. +Record these settings and use them to help configure your on-premises Active Directory or Azure Active Directory (Azure AD) to mirror the current behavior of your Chromebook environment. |
+
Password monitoring |
+This section is used to monitor the strength of user passwords. You don’t need to migrate any settings in this section. |
+
API reference |
+This section is used to enable access to various Google Apps Administrative APIs. You don’t need to migrate any settings in this section. |
+
Set up single sign-on (SSO) |
+This section is used to configure SSO for Google web-based apps (such as Google Apps Gmail or Google Apps Calendar). While you don’t need to migrate any settings in this section, you probably will want to configure Azure Active Directory synchronization to replace Google-based SSO. |
+
Advanced settings |
+This section is used to configure administrative access to user data and to configure the Google Secure Data Connector (which allows Google Apps to access data on your local network). You don’t need to migrate any settings in this section. |
+
| If you plan to... | +On-premises AD DS | +Azure AD | +Hybrid | +
|---|---|---|---|
| Use Office 365 | ++ | X | +X | +
| Use Intune for management | ++ | X | +X | +
| Use System Center 2012 R2 Configuration Manager for management | +X | ++ | X | +
| Use Group Policy for management | +X | ++ | X | +
| Have devices that are domain-joined | +X | ++ | X | +
| Allow faculty and students to Bring Your Own Device (BYOD) which are not domain-joined | ++ | X | +X | +
| Desired feature | +Windows provisioning packages | +Group Policy | +Configuration Manager | +Intune | +MDT | +Windows Software Update Services | +
|---|---|---|---|---|---|---|
| Deploy operating system images | +X | ++ | X | ++ | X | ++ |
| Deploy apps during operating system deployment | +X | ++ | X | ++ | X | ++ |
| Deploy apps after operating system deployment | +X | +X | +X | ++ | + | + |
| Deploy software updates during operating system deployment | ++ | + | X | ++ | X | ++ |
| Deploy software updates after operating system deployment | +X | +X | +X | +X | ++ | X | +
| Support devices that are domain-joined | +X | +X | +X | +X | +X | ++ |
| Support devices that are not domain-joined | +X | ++ | + | X | +X | ++ |
| Use on-premises resources | +X | +X | +X | ++ | X | ++ |
| Use cloud-based services | ++ | + | + | X | ++ | + |
| Product or technology | +Resources | +
|---|---|
| DHCP | +
|
+
| DNS | +
|
+
| Product or technology | +Resources | +
|---|---|
| AD DS | +
|
+
| Azure AD | +
|
+
| Management system | +Resources | +
|---|---|
| Windows provisioning packages | +
|
+
| Group Policy | +
|
+
| Configuration Manager | +
|
+
| Intune | +
|
+
| MDT | +
|
+
| Management system | +Resources | +
|---|---|
| Group Policy | +
|
+
| Configuration Manager | +
|
+
| Intune | +
|
+
| Plan | +Advantages | +Disadvantages | +
|---|---|---|
| Standard |
|
|
| Office ProPlus |
|
|
| Quantity | +Plan | +
|---|---|
| Office 365 Education for students | |
| Office 365 Education for faculty | |
| Azure Rights Management for students | |
| Azure Rights Management for faculty |
+**Note** If your institution has AD DS, then disable automatic tenant join. Instead, use Azure AD integration with AD DS to add users to your Office 365 tenant. + +### Disable automatic licensing + +To reduce your administrative effort, automatically assign Office 365 Education or Office 365 Education Plus licenses to faculty and students when they sign up (automatic licensing). Automatic licensing also enables Office 365 Education or Office 365 Education Plus features that do not require administrative approval. + +**Note** By default, automatic licensing is enabled in Office 365 Education. If you want to use automatic licensing, then skip this section and go to the next section. + +Although all new Office 365 Education subscriptions have automatic licensing enabled by default, you can enable or disable it for your Office 365 tenant by using the Windows PowerShell commands in Table 4. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins). + +*Table 4. Windows PowerShell commands to enable or disable automatic licensing* + +| Action | Windows PowerShell command| +| -------| --------------------------| +| Enable |`Set-MsolCompanySettings -AllowAdHocSubscriptions $true`| +|Disable | `Set-MsolCompanySettings -AllowAdHocSubscriptions $false`| +
+### Enable Azure AD Premium + +When you create your Office 365 subscription, you create an Office 365 tenant that includes an Azure AD directory. Azure AD is the centralized repository for all your student and faculty accounts in Office 365, Intune, and other Azure AD–integrated apps. Azure AD is available in Free, Basic, and Premium editions. Azure AD Free, which is included in Office 365 Education, has fewer features than Azure AD Basic, which in turn has fewer features than Azure AD Premium. + +Educational institutions can obtain Azure AD Basic edition licenses at no cost. After you obtain your licenses, activate your Azure AD access by completing the steps in [Step 3: Activate your Azure Active Directory access](https://azure.microsoft.com/en-us/documentation/articles/active-directory-get-started-premium/#step-3-activate-your-azure-active-directory-access). + +The Azure AD Premium features that are not in Azure AD Basic include: + +- Allow designated users to manage group membership +- Dynamic group membership based on user metadata +- Multifactor authentication (MFA) +- Identify cloud apps that your users run +- Automatic enrollment in a mobile device management (MDM) system (such as Intune) +- Self-service recovery of BitLocker +- Add local administrator accounts to Windows 10 devices +- Azure AD Connect health monitoring +- Extended reporting capabilities + +You can assign Azure AD Premium licenses to the users who need these features. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Azure AD Premium to only those users. + +You can sign up for Azure AD Premium, and then assign licenses to users. In this section, you sign up for Azure AD Premium. You will assign Azure AD Premium licenses to users later in the deployment process. + +For more information about: + +- Azure AD editions and the features in each, see [Azure Active Directory editions](https://azure.microsoft.com/en-us/documentation/articles/active-directory-editions/). +- How to enable Azure AD premium, see [Associate an Azure AD directory with a new Azure subscription](https://msdn.microsoft.com/en-us/library/azure/jj573650.aspx#create_tenant3). + +### Summary +You provision and initially configure Office 365 Education as part of the initial configuration. With the subscription in place, automatic tenant join configured, automatic licensing established, and Azure AD Premium enabled (if required), you’re ready to select the method you will use to create user accounts in Office 365. + +## Select an Office 365 user account–creation method + + +Now that you have an Office 365 subscription, you need to determine how you will create your Office 365 user accounts. Use the following methods to create Office 365 user accounts: + +- **Method 1:** Automatically synchronize your on-premises AD DS domain with Azure AD. Select this method if you have an on-premises AD DS domain. +- **Method 2:** Bulk-import the user accounts from a .csv file (based on information from other sources) into Azure AD. Select this method if you don’t have an on-premises AD DS domain. + +### Method 1: Automatic synchronization between AD DS and Azure AD + +In this method, you have an on-premises AD DS domain. As shown in Figure 4, the Azure AD Connector tool automatically synchronizes AD DS with Azure AD. When you add or change any user accounts in AD DS, the Azure AD Connector tool automatically updates Azure AD. + +**Note** Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](https://technet.microsoft.com/en-us/library/dn510997.aspx?f=255&MSPPError=-2147217396). + + + +*Figure 4. Automatic synchronization between AD DS and Azure AD* + +For more information about how to perform this step, see the [Integrate on-premises AD DS with Azure AD](#integrate-on-premises-ad-ds-with-azure-ad) section in this guide. + +### Method 2: Bulk import into Azure AD from a .csv file + +In this method, you have no on-premises AD DS domain. As shown in Figure 5, you manually prepare a .csv file with the student information from your source, and then manually import the information directly into Azure AD. The .csv file must be in the format that Office 365 specifies. + + + +*Figure 5. Bulk import into Azure AD from other sources* + +To implement this method, perform the following steps: + +1. Export the student information from the source. Ultimately, you want to format the student information in the format the bulk-import feature requires. +2. Bulk-import the student information into Azure AD. For more information about how to perform this step, see the [Bulk-import user accounts into Office 365](#bulk-import-user-accounts-into-office-365) section. + +### Summary + +In this section, you selected the method for creating user accounts in your Office 365 subscription. Ultimately, these user accounts are in Azure AD (which is the identity management system for Office 365). Now, you’re ready to create your Office 365 accounts. + +## Integrate on-premises AD DS with Azure AD + +You can integrate your on-premises AD DS domain with Azure AD to provide identity management for your Office 365 tenant. With this integration, you can synchronize the users, security groups, and distribution lists in your AD DS domain with Azure AD with the Azure AD Connect tool. Users will be able to sign in to Office 365 automatically by using their email account and the same password they use to sign in to AD DS. + +**Note** If your institution does not have an on-premises AD DS domain, you can skip this section. + +### Select synchronization model + +Before you deploy AD DS and Azure AD synchronization, you need to determine where you want to deploy the server that runs Azure AD Connect. + +You can deploy the Azure AD Connect tool by using one of the following methods: + +- **On premises.** As shown in Figure 6, Azure AD Connect runs on premises, which has the advantage of not requiring a virtual private network (VPN) connection to Azure. It does, however, require a virtual machine (VM) or physical server. + +  + + *Figure 6. Azure AD Connect on premises* + +- **In Azure**. As shown in Figure 7, Azure AD Connect runs on a VM in Azure AD, which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises. + +  + + *Figure 7. Azure AD Connect in Azure* + +This guide describes how to run Azure AD Connect on premises. For information about running Azure AD Connect in Azure, see [Deploy Office 365 Directory Synchronization (DirSync) in Microsoft Azure](https://technet.microsoft.com/en-us/library/dn635310.aspx). + +### Deploy Azure AD Connect on premises + +In this synchronization model (illustrated in Figure 6), you run Azure AD Connect on premises on a physical device or VM. Azure AD Connect synchronizes AD DS user and group accounts with Azure AD. Azure AD Connect includes a wizard that helps you configure Azure AD Connect for your AD DS domain and Office 365 subscription. First, you install Azure AD Connect; then, you run the wizard to configure it for your institution. + +#### To deploy AD DS and Azure AD synchronization + +1. Configure your environment to meet the prerequisites for installing Azure AD Connect by performing the steps in [Prerequisites for Azure AD Connect](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-prerequisites/). +2. On the VM or physical device that will run Azure AD Connect, sign in with a domain administrator account. +3. Install Azure AD Connect by performing the steps in [Install Azure AD Connect](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/#install-azure-ad-connect). +4. Configure Azure AD Connect features based on your institution’s requirements by performing the steps in [Configure features](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/#configure-sync-features). + +Now that you have used on premises Azure AD Connect to deploy AD DS and Azure AD synchronization, you’re ready to verify that Azure AD Connect is synchronizing AD DS user and group accounts with Azure AD. + +### Verify synchronization + +Azure AD Connect should start synchronization immediately. Depending on the number of users in your AD DS domain, the synchronization process can take some time. To monitor the process, view the number of AD DS users and groups the tool has synchronized with Azure AD in the Office 365 admin console. + +#### To verify AD DS and Azure AD synchronization + +1. Open https://portal.office.com in your web browser. +2. Using the administrative account that you created in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) section, sign in to Office 365. +3. In the list view, expand **USERS**, and then click **Active Users**. +4. In the details pane, view the list of users. The list of users should mirror the users in AD DS. +5. In the list view, click **GROUPS**. +6. In the details pane, view the list of security groups. The list of users should mirror the security groups in AD DS. +7. In the details pane, double-click one of the security groups. +8. The list of security group members should mirror the group membership for the corresponding security group in AD DS. +9. Close the browser. + +Now that you have verified Azure AD Connect synchronization, you’re ready to assign user licenses for Azure AD Premium. + +### Summary + +In this section, you selected your synchronization model, deployed Azure AD Connect, and verified that Azure AD is synchronizing properly. + +## Bulk-import user and group accounts into AD DS + +You can bulk-import user and group accounts into your on-premises AD DS domain. Bulk-importing accounts helps reduce the time and effort needed to create users compared to creating the accounts manually in the Office 365 Admin portal. First, you select the appropriate method for bulk-importing user accounts into AD DS. Next, you create the .csv file that contains the user accounts. Finally, you use the selected method to import the .csv file into AD DS. + +**Note** If your institution doesn’t have an on-premises AD DS domain, you can skip this section. + +### Select the bulk import method + +Several methods are available to bulk-import user accounts into AD DS domains. Table 5 lists the methods that the Windows Server operating system supports natively. In addition, you can use partner solutions to bulk-import user and group accounts into AD DS. + +*Table 5. AD DS bulk-import account methods* + +|Method | Description and reason to select this method | +|-------| ---------------------------------------------| +|Ldifde.exe |This command-line tool allows you to import and export objects (such as user accounts) from AD DS. Select this method if you aren’t comfortable with Microsoft Visual Basic Scripting Edition (VBScript), Windows PowerShell, or other scripting languages. For more information about using Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).| +|VBScript | This scripting language uses the Active Directory Services Interfaces (ADSI) Component Object Model interface to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with VBScript. For more information about using VBScript and ADSI, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx) and [ADSI Scriptomatic](https://technet.microsoft.com/en-us/scriptcenter/dd939958.aspx).| +|Windows PowerShell| This scripting language natively supports cmdlets to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with Window PowerShell scripting. For more information about using Windows PowerShell, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](http://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).| +
+### Create a source file that contains the user and group accounts + +After you have selected your user and group account bulk import method, you’re ready to create the source file that contains the user and group account. You’ll use the source file as the input to the import process. The source file format depends on the method you selected. Table 6 lists the source file format for the bulk import methods. + +*Table 6. Source file format for each bulk import method* + +| Method | Source file format | +|--------| -------------------| +|Ldifde.exe|Ldifde.exe requires a specific format for the source file. Use Ldifde.exe to export existing user and group accounts so that you can see the format. For examples of the format that Ldifde.exe requires, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).| +|VBScript | VBScript can use any .csv file format to create a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in comma-separated values (CSV) format, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx).| +| Windows PowerShell| Windows PowerShell can use any .csv file format you want to create as a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in CSV format, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](http://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).| +
+### Import the user accounts into AD DS + +With the bulk-import source file finished, you’re ready to import the user and group accounts into AD DS. The steps for importing the file are slightly different for each method. + +**Note** Bulk-import your group accounts first, and then import your user accounts. Importing in this order allows you to specify group membership when you import your user accounts. + +For more information about how to import user accounts into AD DS by using: + +- Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx). +- VBScript, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx). +- Windows PowerShell, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](http://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx). + +### Summary + +In this section, you selected the bulk-import method, created the source file that contains the user and group accounts, and imported the user and group accounts in to AD DS. If you have Azure AD Connect, it automatically synchronizes the new AD DS user and group accounts to Azure AD. Now, you’re ready to assign user licenses for Azure AD Premium in the [Assign user licenses for Azure AD Premium](#assign-user-licenses-for-azure-ad-premium) section later in this guide. + +## Bulk-import user accounts into Office 365 + +You can bulk-import user and group accounts directly into Office 365, reducing the time and effort required to create users. First, you bulk-import the user accounts into Office 365. Then, you create the security groups for your institution. Finally, you create the email distribution groups your institution requires. + +### Create user accounts in Office 365 + +Now that you have created your new Office 365 Education subscription, you need to create user accounts. You can add user accounts for the teachers, other faculty, and students who will use the classroom. + +You can use the Office 365 admin center to add individual Office 365 accounts manually—a reasonable process when you’re adding only a few users. If you have many users, however, you can automate the process by creating a list of those users, and then use that list to create user accounts (that is, bulk-add users). + +The bulk-add process assigns the same Office 365 Education license plan to all users on the list. Therefore, you must create a separate list for each license plan you recorded in Table 2. Depending on the number of faculty members who need to use the classroom, you may want to add the faculty Office 365 accounts manually; however, use the bulk-add process to add student accounts. + +For more information about how to bulk-add users to Office 365, see [Add several users at the same time to Office 365](https://support.office.com/en-us/article/Add-several-users-at-the-same-time-to-Office-365-Admin-Help-1f5767ed-e717-4f24-969c-6ea9d412ca88?ui=en-US&rs=en-US&ad=US). + +**Note** If you encountered errors during bulk add, resolve them before you continue the bulk-add process. You can view the log file to see which users caused the errors, and then modify the .csv file to correct the problems. Click **Back** to retry the verification process. + +The email accounts are assigned temporary passwords upon creation. You must communicate these temporary passwords to your users before they can sign in to Office 365. + +### Create Office 365 security groups + +Assign SharePoint Online resource permissions to Office 365 security groups, not individual user accounts. For example, create one security group for faculty members and another for students. Then, you can assign unique SharePoint Online resource permissions to faculty members and a different set of permissions to students. Add or remove users from the security groups to grant or revoke access to SharePoint Online resources. + +**Note** If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant. + +For information about creating security groups, see [Create and manage Office 365 groups in Admin Center Preview](https://support.office.com/en-us/article/Create-and-manage-Office-365-groups-in-Admin-Center-Preview-93df5bd4-74c4-45e8-9625-56db92865a6e?ui=en-US&rs=en-US&ad=US). + +You can add and remove users from security groups at any time. + +**Note** Office 365 evaluates group membership when users sign in. If you change group membership for a user, that user may need to sign out, and then sign in again for the change to take effect. + +### Create email distribution groups + +Microsoft Exchange Online uses an email distribution group as a single email recipient for multiple users. For example, you could create an email distribution group that contains all students. Then, you could send a message to the email distribution group instead of individually addressing the message to each student. + +You can create email distribution groups based on job role (such as teachers, administration, or students) or specific interests (such as robotics, drama club, or soccer team). You can create any number of distribution groups, and users can be members of more than one group. + +**Note** Office 365 can take some time to complete the Exchange Online creation process. You will have to wait until Office 365 completes the Exchange Online creation process before you can perform the following steps. + +For information about how to create security groups, see [Create and manage Office 365 groups in Admin Center Preview](https://support.office.com/en-us/article/Create-and-manage-Office-365-groups-in-Admin-Center-Preview-93df5bd4-74c4-45e8-9625-56db92865a6e?ui=en-US&rs=en-US&ad=US). + +### Summary + +Now, you have bulk-imported the user accounts into Office 365. First, you selected the bulk-import method. Next, you created the Office 365 security groups in Office 365. Finally, you created the Office 365 email distribution groups. Now, you’re ready to assign user licenses for Azure AD Premium. + +## Assign user licenses for Azure AD Premium + +Azure AD is available in Free, Basic, and Premium editions. Azure AD Free, which is included in Office 365 Education, has fewer features than Azure AD Basic, which in turn has fewer features than Azure AD Premium. Educational institutions can obtain Azure AD Basic licenses at no cost and Azure AD Premium licenses at a reduced cost. + +You can assign Azure AD Premium licenses to the users who need the features this edition offers. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Azure AD Premium only to those users. + +For more information about: + +- Azure AD editions, see [Azure Active Directory editions](https://azure.microsoft.com/en-us/documentation/articles/active-directory-editions/). +- How to assign user licenses for Azure AD Premium, see [How to assign EMS/Azure AD Premium licenses to user accounts](https://channel9.msdn.com/Series/Azure-Active-Directory-Videos-Demos/How-to-assign-Azure-AD-Premium-Licenses-to-user-accounts). + +## Create and configure a Windows Store for Business portal + +Windows Store for Business allows you to create your own private portal to manage Windows Store apps in your institution. With Windows Store for Business, you can do the following: + +- Find and acquire Windows Store apps. +- Manage apps, app licenses, and updates. +- Distribute apps to your users. + +For more information about Windows Store for Business, see [Windows Store for Business overview](https://technet.microsoft.com/itpro/windows/whats-new/windows-store-for-business-overview). + +The following section shows you how to create a Windows Store for Business portal and configure it for your school. + +### Create and configure your Windows Store for Business portal + +To create and configure your Windows Store for Business portal, simply use the administrative account for your Office 365 subscription to sign in to Windows Store for Business. Windows Store for Business automatically creates a portal for your institution and uses your account as its administrator. + +#### To create and configure a Windows Store for Business portal + +1. In Microsoft Edge or Internet Explorer, type `http://microsoft.com/business-store` in the address bar. +2. On the **Windows Store for Business** page, click **Sign in with an organizational account**.
**Note** If your institution has AD DS, then don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant. +3. On the Windows Store for Business sign-in page, use the administrative account for the Office 365 subscription you created in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) section to sign in. +4. On the **Windows Store for Business Services Agreement** page, review the agreement, select the **I accept this agreement and certify that I have the authority to bind my organization to its terms** check box, and then click **Accept** +5. In the **Welcome to the Windows Store for Business** dialog box, click **OK**. + +After you create the Windows Store for Business portal, configure it by using the commands in the settings menu listed in Table 7. Depending on your institution, you may (or may not) need to change these settings to further customize your portal. + +*Table 7. Menu selections to configure Windows Store for Business settings* + +| Menu selection | What you can do in this menu | +|---------------| -------------------| +|Account information|Displays information about your Windows Store for Business account (no settings can be changed). You make changes to this information in Office 365 or the Azure Portal. For more information, see [Update Windows Store for Business account settings](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings).| +|Device Guard signing|Allows you to upload and sign Device Guard catalog and policy files. For more information about Device Guard, see [Device Guard deployment guide](https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide).| +|LOB publishers| Allows you to add line-of-business (LOB) publishers that can then publish apps to your private store. LOB publishers are usually internal developers or software vendors that are working with your institution. For more information, see [Working with line-of-business apps](https://technet.microsoft.com/itpro/windows/manage/working-with-line-of-business-apps).| +|Management tools| Allows you to add tools that you can use to distribute (deploy) apps in your private store. For more information, see [Distribute apps with a management tool](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-with-management-tool).| +|Offline licensing|Allows you to show (or not show) offline licensed apps to people shopping in your private store. For more information, see [Licensing model: online and offline licenses](https://technet.microsoft.com/itpro/windows/manage/apps-in-windows-store-for-business#licensing-model).| +|Permissions|Allows you to grant other users in your organization the ability to buy, manage, and administer your Windows Store for Business portal. You can also remove permissions you have previously granted. For more information, see [Roles and permissions in Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/roles-and-permissions-windows-store-for-business).| +|Private store|Allows you to change the organization name used in your Windows Store for Business portal. When you create your portal, the private store uses the organization name that you used to create your Office 365 subscription. For more information, see [Distribute apps using your private store](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-from-your-private-store).| +
+### Find, acquire, and distribute apps in the portal + +Now that you have created your Windows Store for Business portal, you’re ready to find, acquire, and distribute apps that you will add to your portal. You do this by using the Inventory page in Windows Store for Business. + +**Note** Your educational institution can now use a credit card or purchase order to pay for apps in Windows Store for Business. + +You can deploy apps to individual users or make apps available to users through your private store. Deploying apps to individual users restricts the app to those specified users. Making apps available through your private store allows all your users. + +For more information about how to find, acquire, and distribute apps in the portal, see [App inventory management for Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/app-inventory-managemement-windows-store-for-business). + +### Summary + +At the end of this section, you should have a properly configured Windows Store for Business portal. You have also found and acquired your apps from Windows Store. Finally, you should have deployed all your Windows Store apps to your users. Now, you’re ready to deploy Windows Store apps to your users. + +## Plan for deployment + +You will use the LTI deployment process in MDT to deploy Windows 10 to devices or to upgrade devices to Windows 10. Prior to preparing for deployment, you must make some deployment planning decisions, including selecting the operating systems you will use, the approach you will use to create your Windows 10 images, and the method you will use to initiate the LTI deployment process. + +### Select the operating systems + +Later in the process, you will import the versions of Windows 10 you want to deploy. You can deploy the operating system to new devices, refresh existing devices, or upgrade existing devices. In the case of: + +- New devices or refreshing existing devices, you will complete replace the existing operating system on a device with Windows 10. +- Upgrading existing devices, you will upgrade the existing operating system (the Windows 8.1 or Windows 7 operating system) to Windows 10. + +Depending on your school’s requirements, you may need any combination of the following Windows 10 editions: + +- **Windows 10 Home**. Use this operating system to upgrade existing eligible institution-owned and personal devices that are running Windows 8.1 Home or Windows 7 Home to Windows 10 Home. +- **Windows 10 Pro**. Use this operating system to: + - Upgrade existing eligible institution-owned and personal devices running Windows 8.1 Pro or Windows 7 Professional to Windows 10 Pro. + - Deploy new instances of Windows 10 Pro to devices so that new devices have a known configuration. +- **Windows 10 Education**. Use this operating system to: + - Upgrade institution-owned devices to Windows 10 Education. + - Deploy new instances of Windows 10 Education so that new devices have a known configuration. + +**Note** Although you can use Windows 10 Home on institution-owned devices, Microsoft recommends that you use Windows 10 Pro or Windows 10 Education, instead. Windows 10 Pro and Windows 10 Education provide support for MDM, policy-based management, and Windows Store for Business. These features are not available in Windows 10 Home. + +One other consideration is the mix of processor architectures you will support. If you can, support only 64-bit versions of Windows 10. If you have devices that can run only 32 bit versions of Windows 10, you will need to import both 64-bit and 32-bit versions of the Windows 10 editions listed above. + +**Note** On devices that have minimal system resources (such as devices with only 2 GB of memory or 32 GB of storage), use 32-bit versions of Windows 10 because 64-bit versions of Windows 10 place more stress on device system resources. + +Finally, as a best practice, minimize the number of operating systems that you deploy and manage. If possible, standardize institution-owned devices on one Windows 10 edition (such as a 64-bit version of Windows 10 Education or Windows 10 Pro). Of course, you cannot standardize personal devices on a specific operating system version or processor architecture. + +### Select an image approach + +A key operating system image decision is whether to use a “thin” or “thick” image. *Thin images* contain only the operating system, and MDT installs the necessary device drivers and apps after the operating system has been installed. *Thick images* contain the operating system, “core” apps (such as Office), and device drivers. With thick images, MDT installs any device drivers and apps not included in the thick image after the operating system has been installed. + +The advantage to a thin image is that the final deployment configuration is dynamic, and you can easily change the configuration without having to capture another image. The disadvantage of a thin image is that it takes longer to complete the deployment. + +The advantage of a thick image is that the deployment takes less time than it would for a thin image. The disadvantage of a thick image is that you need to capture a new image each time you want to make a change to the operating system, apps, or other software in the image. + +### Select a method to initiate deployment + +The MDT deployment process is highly automated, requiring minimal information to deploy or upgrade Windows 10, but you must manually initiate the MDT deployment process. To do so, use the method listed in Table 8 that best meets the needs of your institution. + +*Table 8. Methods to initiate MDT deployment* + +
| Method | +Description and reason to select this method | +
|---|---|
| Windows Deployment Services | +This method: +
|
+
| Bootable media | +This method: +
|
+
| MDT deployment media | +This method: +
|
+
| Task | +Description | +
|---|---|
| 1. Import operating systems | +Import the operating systems that you selected in the [Select operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import an Operating System into the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#ImportanOperatingSystemintotheDeploymentWorkbench). | +
| 2. Import device drives | +Device drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat. + +Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#ImportDeviceDriversintotheDeploymentWorkbench). + + |
+
| 3. Create MDT applications for Windows Store apps | +Create an MDT application for each Windows Store app you want to deploy. You can deploy Windows Store apps by using *sideloading*, which allows you to use the **Add-AppxPackage** Windows PowerShell cmdlet to deploy the .appx files associated with the app (called *provisioned apps*). Use this method to deploy up to 24 apps to Windows 10. + +Prior to sideloading the .appx files, obtain the Windows Store .appx files that you will use to deploy (sideload) the apps in your provisioning package. For apps in Windows Store, you will need to obtain the .appx files from the app software vendor directly. If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Windows Store or Windows Store for Business. + +If you have Intune, you can deploy Windows Store apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Windows Store apps, and you can use it for ongoing management of Windows Store apps. This is the preferred method of deploying and managing Windows Store apps. + +In addition, you must prepare your environment for sideloading (deploying) Windows Store apps. For more information about how to: +
|
+
| 4. Create MDT applications for Windows desktop apps + | +You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them. + +To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in [Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](https://technet.microsoft.com/en-us/library/jj219423.aspx?f=255&MSPPError=-2147217396). + +If you have Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This is the preferred method for deploying and managing Windows desktop apps. + +**Note** You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. + +For more information about how to create an MDT application for Window desktop apps, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench). + + |
+
| 5. Create task sequences. + | +You must create a separate task sequences for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in Step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education; (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education; or (3) if you want to run deployments and upgrades for both 32 bit and 64 bit versions of Windows 10. To do so, you must create task sequences that will:
+ +
|
+
| 6. Update the deployment share. + | +Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32 bit and 64 bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services. + +For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#UpdateaDeploymentShareintheDeploymentWorkbench). |
+
Windows Deployment Services is a server role available in all Windows Server editions. You can enable the Windows Deployment Services server role on a new server or on any server running Windows Server in your institution. For more information about how to perform this step, see the following resources: + + - [Windows Deployment Services overview](https://technet.microsoft.com/library/hh831764.aspx) + - The Windows Deployment Services Help file, included in Windows Deployment Services + - [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/en-us/library/jj648426.aspx) + +2. Add LTI boot images (Windows PE images) to Windows Deployment Services.
The LTI boot images (.wim files) that you will add to Windows Deployment Services are in the MDT deployment share. Locate the .wim files in the Boot subfolder in the deployment share. For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](https://technet.microsoft.com/en-us/library/dn759415.aspx#AddLTIBootImagestoWindowsDeploymentServices). + +### Summary + +Now, Windows Deployment Services is ready to initiate the LTI deployment process in MDT. You have set up and configured Windows Deployment Services and added the LTI boot images, which you generated in the previous section, to Windows Deployment Services. Now, you’re ready to prepare to manage the devices in your institution. + +## Prepare for device management + +Before you deploy Windows 10 in your institution, you must prepare for device management. You will deploy Windows 10 in a configuration that complies with your requirements, but you want to help ensure that your deployments remain compliant. + +### Select the management method + +If you have only one device to configure, manually configuring that one device is tedious but possible. When you have multiple classrooms of devices to configure, however, manually configuring each device becomes overwhelming. In addition, manually keeping an identical configuration on each device is virtually impossible as the number of devices in the school increases. + +For a school, there are many ways to manage devices. Table 10 lists the methods that this guide describes and recommends. Use the information in Table 10 to determine which combination of management methods is right for your institution. + +*Table 10. School management methods* + +
| Method | +Description | +
|---|---|
| Group Policy | +
+Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows. Select this method when you:
+
|
+
| Intune | +Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.
+Select this method when you:
+
|
+
+ +### Select Microsoft-recommended settings + +Microsoft has several recommended settings for educational institutions. Table 11 lists them, provides a brief description of why you need to configure them, and recommends methods for configuring the settings. Review the settings in Table 11 and evaluate their relevancy to your institution. Use the information to help you determine whether you need to configure the setting and which method you will use to do so. At the end, you will have a list of settings that you want to apply to the Windows 10 devices and know which management method you will use to configure the settings. + +*Table 11. Recommended settings for educational institutions* + +
| Recommendation | +Description | +
|---|---|
| Use of Microsoft accounts | +You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts. +**Note** Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices. +**Group Policy.** Configure the [Accounts: Block Microsoft accounts](https://technet.microsoft.com/en-us/library/jj966262.aspx?f=255&MSPPError=-2147217396) Group Policy setting to use the Users can’t add Microsoft accounts setting option. +**Intune.** Enable or disable the camera by using the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy. + |
+
| Restrict local administrator accounts on the devices | +Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices. +**Group Policy**. Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the **Delete all member users** and **Delete all member groups** check boxes to remove any existing members. For more information about how to configure Local Group preferences, see [Configure a Local Group Item](https://technet.microsoft.com/en-us/library/cc732525.aspx). +**Intune**. Not available. + |
+
| Restrict the local administrator accounts on the devices | +Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices. +**Group Policy**. Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the **Delete all member users** and **Delete all member groups** check boxes to remove any existing members. For more information about how to configure Local Group preferences, see [Configure a Local Group Item](https://technet.microsoft.com/en-us/library/cc732525.aspx). +**Intune**. Not available. + |
+
| Manage the built-in administrator account created during device deployment | +When you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and optionally disable it. +**Group Policy**. Rename the built-in Administrator account by using the **Accounts: Rename administrator account** Group Policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc747484.aspx). You will specify the new name for the Administrator account. You can disable the built-in Administrator account by using the **Accounts: Administrator account status** Group Policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](https://technet.microsoft.com/en-us/library/jj852165.aspx). +**Intune**. Not available. + |
+
| Control Windows Store access | +You can control access to Windows Store and whether existing Windows Store apps receive updates. You can only disable the Windows Store app in Windows 10 Education and Windows 10 Enterprise. +**Group Policy**. You can disable the Windows Store app by using the **Turn off the Store Application** Group Policy setting. You can prevent Windows Store apps from receiving updates by using the **Turn off Automatic Download and Install of updates** Group Policy setting. For more information about configuring these settings, see [Can I use Group Policy to control the Windows Store in my enterprise environment?](https://technet.microsoft.com/en-us/library/hh832040.aspx#BKMK_UseGP). +**Intune**. You can enable or disable the camera by using the **Allow application store** policy setting in the **Apps** section of a **Windows 10 General Configuration** policy. + |
+
| Use of Remote Desktop connections to devices | +Remote Desktop connections could allow unauthorized access to the device. Depending on your institution’s policies, you may want to disable Remote Desktop connections on your devices. +**Group Policy**. You can enable or disable Remote Desktop connections to devices by using the **Allow Users to connect remotely using Remote Desktop setting** in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections. +**Intune**. Not available. + |
+
| Use of camera | +A device’s camera can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the camera on your devices. +**Group Policy**. Not available. +**Intune**. You can enable or disable the camera by using the **Allow camera** policy setting in the **Hardware** section of a **Windows 10 General Configuration** policy. + |
+
| Use of audio recording | +Audio recording (by using the Sound Recorder app) can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the Sound Recorder app on your devices. +**Group Policy**. You can disable the Sound Recorder app by using the **Do not allow Sound Recorder to run** Group Policy setting. You can disable other audio recording apps by using AppLocker policies. Create AppLocker policies by using the information in [Editing an AppLocker Policy](https://technet.microsoft.com/en-us/library/ee791894(v=ws.10).aspx) and [Create Your AppLocker Policies](https://technet.microsoft.com/en-us/library/ee791899.aspx). +**Intune**. You can enable or disable the camera by using the **Allow voice recording** policy setting in the **Features** section of a **Windows 10 General Configuration** policy. + |
+
| Use of screen capture | +Screen captures can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the ability to perform screen captures on your devices. +**Group Policy**. Not available. +**Intune**. You can enable or disable the camera by using the **Allow screen capture** policy setting in the **System** section of a **Windows 10 General Configuration** policy. + |
+
| Use of location services | +Providing a device’s location can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the location service on your devices. +**Group Policy**. You can enable or disable location services by using the **Turn off location** Group Policy setting in User Configuration\Windows Components\Location and Sensors. +**Intune**. You can enable or disable the camera by using the **Allow geolocation** policy setting in the **Hardware** section of a **Windows 10 General Configuration** policy. + |
+
| Changing wallpaper | +Displaying a custom wallpaper can be a source of disclosure or privacy issues in an education environment (if the wallpaper displays information about the user or the device). Depending on your institution’s policies, you may want to prevent users from changing the wallpaper on your devices. +**Group Policy**. You can configure the wallpaper by using the **Desktop WallPaper** setting in User Configuration\Administrative Templates\Desktop\Desktop. +**Intune**. Not available. + |
+
+ +### Configure settings by using Group Policy + +Now, you’re ready to configure settings by using Group Policy. The steps in this section assume that you have an AD DS infrastructure. You will configure the Group Policy settings you select in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. + +For more information about Group Policy, see [Group Policy Planning and Deployment Guide](https://technet.microsoft.com/en-us/library/cc754948.aspx). + +#### To configure Group Policy settings + +1. Create a Group Policy object (GPO) that will contain the Group Policy settings by completing the steps in [Create a new Group Policy object](https://technet.microsoft.com/en-us/library/cc738830.aspx). +2. Configure the settings in the GPO by completing the steps in [Edit a Group Policy object](https://technet.microsoft.com/en-us/library/cc739902.aspx). +3. Link the GPO to the appropriate AD DS site, domain, or organizational unit by completing the steps in [Link a Group Policy object to a site, domain, or organizational unit](https://technet.microsoft.com/en-us/library/cc738954(v=ws.10).aspx). + +### Configure settings by using Intune + +Now, you’re ready to configure settings by using Intune. The steps in this section assume that you have an Office 365 subscription. You will configure the Intune settings that you selected in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. + +For more information about Intune, see [Documentation for Microsoft Intune](https://docs.microsoft.com/en-us/intune/). + +#### To configure Intune settings + +1. Add Intune to your Office 365 subscription by completing the steps in [Get started with a paid subscription to Microsoft Intune](https://docs.microsoft.com/en-us/intune/get-started/start-with-a-paid-subscription-to-microsoft-intune). +2. Enroll devices with Intune by completing the steps in [Get ready to enroll devices in Microsoft Intune](https://technet.microsoft.com/en-us/library/dn646962.aspx). +3. Configure the settings in Intune Windows 10 policies by completing the steps in [Manage settings and features on your devices with Microsoft Intune policies](https://technet.microsoft.com/en-us/library/dn646984.aspx). +4. Manage Windows 10 devices by completing the steps in [Manage Windows PCs with Microsoft Intune](https://technet.microsoft.com/en-us/library/dn646959.aspx). + +### Deploy apps by using Intune + +You can use Intune to deploy Windows Store and Windows desktop apps. Intune provides improved control over which users receive specific apps. In addition, Intune allows you deploy apps to companion devices (such as Windows 10 Mobile, iOS, or Android devices) Finally, Intune helps you manage app security and features, such as mobile application management policies that let you manage apps on devices that are not enrolled in Intune or are managed by another solution. + +For more information about how to configure Intune to manage your apps, see [Deploy and configure apps with Microsoft Intune](https://docs.microsoft.com/en-us/intune/). + +### Summary + +In this section, you prepared your institution for device management. You determined whether you want to use Group Policy or Intune to manage your devices. You identified the configuration settings that you want to use to manage your users and devices. Finally, you configured the Group Policy and Intune settings in Group Policy and Intune, respectively. + +## Deploy Windows 10 to devices + +You’re ready to deploy Windows 10 to faculty and student devices. You must complete the steps in this section for each student device in the classrooms as well as for any new student devices you add in the future. You can also perform these actions for any device that’s eligible for a Windows 10 upgrade. This section discusses deploying Windows 10 to new devices, refreshing Windows 10 on existing devices, and upgrading existing devices that are running eligible versions of Windows 8.1 or Windows to Windows 10. + +### Prepare for deployment + +Prior to deployment of Windows 10, ensure that you complete the tasks listed in Table 12. Most of these tasks are already complete, but use this step to make sure. + +*Table 12. Deployment preparation checklist* + +|Task | | +| ---| --- | +| |The target devices have sufficient system resources to run Windows 10. | +| | Identify the necessary devices drivers, and import them to the MDT deployment share.| +| | Create an MDT application for each Windows Store and Windows desktop app.| +| | Notify the students and faculty about the deployment.| +
+### Perform the deployment + +Use the Deployment Wizard to deploy Windows 10. The LTI deployment process is almost fully automated: You provide only minimal information to the Deployment Wizard at the beginning of the process. After the wizard collects the necessary information, the remainder of the process is fully automated. + +**Note** To fully automate the LTI deployment process, complete the steps in the “Fully Automated LTI Deployment Scenario” section in the [Microsoft Deployment Toolkit Samples Guide](https://technet.microsoft.com/en-us/library/dn781089.aspx). + +In most instances, deployments occur without incident. Only in rare occasions do deployments experience problems. + +#### To deploy Windows 10 + +1. **Initiate the LTI deployment process**. Initiate the LTI deployment process booting over the network (PXE boot) or from local media. You selected the method for initiating the LTI deployment process in the [Select a method to initiate deployment](#select-a-method-to-initiate-deployment) section earlier in this guide. +2. **Complete the Deployment Wizard**. For more information about how to complete the Deployment Wizard, see the “Running the Deployment Wizard” topic in [Using the Microsoft Deployment Toolkit](https://technet.microsoft.com/en-us/library/dn759415.aspx#Running%20the%20Deployment%20Wizard). + +### Set up printers + +After you have deployed Windows 10, the devices are almost ready for use. First, you must set up the printers that each classroom will use. Typically, you connect the printers to the same network as the devices in the same classroom. If you don’t have printers in your classrooms, skip this section and proceed to the [Verify deployment](#verify-deployment) section. + +**Note** If you’re performing an upgrade instead of a new deployment, the printers remain configured as they were in the previous version of Windows. As a result, you can skip this section and proceed to the [Verify deployment](#verify-deployment) section. + +#### To set up printers + +1. Review the printer manufacturer’s instructions for installing the printer drivers. +2. On the admin device, download the printer drivers. +3. Copy the printer drivers to a USB drive. +4. On a device, use the same account you used to set up Windows 10 in the [Perform the deployment](#perform-the-deployment) section to sign in to the device. +5. Insert the USB drive in the device. +6. Follow the printer manufacturer’s instructions to install the printer drivers from the USB drive. +7. Verify that the printer drivers were installed correctly by printing a test page. +8. Complete steps 1–8 for each printer. + +### Verify deployment + +As a final quality control step, verify the device configuration to ensure that all apps run. Microsoft recommends that you perform all the tasks that the user would perform. Specifically, verify the following: + +- The device can connect to the Internet and view the appropriate web content in Microsoft Edge. +- Windows Update is active and current with software updates. +- Windows Defender is active and current with malware signatures. +- The SmartScreen Filter is active. +- All Windows Store apps are properly installed and updated. +- All Windows desktop apps are properly installed and updated. +- Printers are properly configured. + +When you have verified that the first device is properly configured, you can move to the next device and perform the same steps. + +### Summary + +You prepared the devices for deployment by verifying that they have adequate system resources and that the resources in the devices have corresponding Windows 10 device drivers. You performed device deployment over the network or by using local MDT media. Next, you configured the appropriate printers on the devices. Finally, you verified that the devices are properly configured and ready for use. + +## Maintain Windows devices and Office 365 + +After the initial deployment, you will need to perform certain tasks to maintain the Windows 10 devices and your Office 365 Education subscription. You should perform these tasks on the following schedule: + +- **Monthly.** These tasks help ensure that the devices are current with software updates and properly protected against viruses and malware. +- **New semester or academic year.** Perform these tasks prior to the start of a new curriculum—for example, at the start of a new academic year or semester. These tasks help ensure that the classroom environments are ready for the next group of students. +- **As required (ad hoc).** Perform these tasks as necessary in a classroom. For example, a new version of an app may be available, or a student may inadvertently corrupt a device so that you must restore it to the default configuration. + +Table 13 lists the school and individual classroom maintenance tasks, the resources for performing the tasks, and the schedule (or frequency) on which you should perform the tasks. + +*Table 13. School and individual classroom maintenance tasks, with resources and the schedule for performing them* + +
| Task and resources | +Monthly | +New semester or academic year | +As required | +
|---|---|---|---|
| Verify that Windows Update is active and current with operating system and software updates. +For more information about completing this task when you have: +
|
+X | +X | +X | +
| Verify that Windows Defender is active and current with malware signatures. +For more information about completing this task, see [Turn Windows Defender on or off](http://windows.microsoft.com/en-us/windows-10/how-to-protect-your-windows-10-pc#v1h=tab01) and [Updating Windows Defender](http://windows.microsoft.com/en-us/windows-10/how-to-protect-your-windows-10-pc#v1h=tab03). |
+X | +X | +X | +
| Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found. +For more information about completing this task, see [How do I find and remove a virus?](http://windows.microsoft.com/en-US/windows-8/how-find-remove-virus) + |
+X | +X | +X | +
| Verify that you are using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business). +For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options for updates and upgrades](https://technet.microsoft.com/itpro/windows/manage/introduction-to-windows-10-servicing). |
++ | X | +X | +
| Refresh the operating system and apps on devices. +For more information about completing this task, see the [Deploy Windows 10 to devices](#deploy-windows-10-to-devices) section. + + |
++ | X | +X | +
| Install any new Windows desktop apps or update any Windows desktop apps that are used in the curriculum. +For more information, see the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. + + |
++ | X | +X | +
| Install new or update existing Windows Store apps that are used in the curriculum. +Windows Store apps are automatically updated from Windows Store. The menu bar in the Windows Store app shows whether any Windows Store app updates are available for download. +You can also deploy Windows Store apps directly to devices by using Intune. For more information, see the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. + + |
++ | X | +X | +
| Remove unnecessary user accounts (and corresponding licenses) from Office 365. +For more information about how to: +
|
++ | X | +X | +
| Add new accounts (and corresponding licenses) to Office 365. +For more information about how to: +
|
++ | X | +X | +
| Create or modify security groups and manage group membership in Office 365. +For more information about how to: +
|
++ | X | +X | +
| Create or modify Exchange Online or Microsoft Exchange Server distribution lists in Office 365. +For more information about how to create or modify Exchange Online or Exchange Server distribution lists in Office 365, see [Manage Distribution Groups](https://technet.microsoft.com/library/bb124513.aspx) and [Groups in Exchange Online and SharePoint Online](https://support.office.com/en-us/article/Create-edit-or-delete-a-security-group-55C96B32-E086-4C9E-948B-A018B44510CB#__groups_in_exchange). + + |
++ | X | +X | +
| Install new student devices +Follow the same steps described in the [Deploy Windows 10 to devices](#deploy-windows-10-to-devices) section. + + |
++ | + | X | +
+### Summary + +Now, you have identified the tasks you need to perform monthly, at the end of an academic year or semester, and as required. Your school configuration should match the typical school configuration that you saw in the [Plan a typical school configuration](#plan-a-typical-school-configuration) section. By performing these maintenance tasks you help ensure that your school stays secure and is configured as you specified. + +##Related resources +
| Purpose | -Name | -User | -Rule condition type | -
|---|---|---|---|
Allow members of the local Administrators group access to run all executable files |
-(Default Rule) All files |
-BUILTIN\Administrators |
-Path: * |
-
Allow all users to run executable files in the Windows folder |
-(Default Rule) All files located in the Windows folder |
-Everyone |
-Path: %windir%\* |
-
Allow all users to run executable files in the Program Files folder |
-(Default Rule) All files located in the Program Files folder |
-Everyone |
-Path: %programfiles%\* |
-
| Server type or Group Policy Object (GPO) | -Default value | -
|---|---|
Default domain policy |
-Enabled |
-
Default domain controller policy |
-Enabled |
-
Stand-alone server default settings |
-Disabled |
-
Domain controller effective default settings |
-Enabled |
-
Member server effective default settings |
-Enabled |
-
Effective GPO default settings on client computers |
-Disabled |
-
| Topic | -Description | -
|---|---|
[Enforce password history](enforce-password-history.md) |
-Describes the best practices, location, values, policy management, and security considerations for the Enforce password history security policy setting. |
-
[Maximum password age](maximum-password-age.md) |
-Describes the best practices, location, values, policy management, and security considerations for the Maximum password age security policy setting. |
-
[Minimum password age](minimum-password-age.md) |
-Describes the best practices, location, values, policy management, and security considerations for the Minimum password age security policy setting. |
-
[Minimum password length](minimum-password-length.md) |
-Describes the best practices, location, values, policy management, and security considerations for the Minimum password length security policy setting. |
-
[Password must meet complexity requirements](password-must-meet-complexity-requirements.md) |
-Describes the best practices, location, values, and security considerations for the Password must meet complexity requirements security policy setting. |
-
[Store passwords using reversible encryption](store-passwords-using-reversible-encryption.md) |
-Describes the best practices, location, values, and security considerations for the Store passwords using reversible encryption security policy setting. |
-
| Server type or GPO | -Default value | -
|---|---|
Default Domain Policy |
-Not defined |
-
Default Domain Controller Policy |
-Administrators |
-
Stand-Alone Server Default Settings |
-Administrators |
-
DC Effective Default Settings |
-Administrators |
-
Member Server Effective Default Settings |
-Administrators |
-
Client Computer Effective Default Settings |
-Administrators |
-
| Resource class | -Where stored | -Organizational unit | -Business impact | -Security or regulatory requirements | -
|---|---|---|---|---|
Payroll data |
-Corp-Finance-1 |
-Accounting: Read/Write on Corp-Finance-1 -Departmental Payroll Managers: Write only on Corp-Finance-1 |
-High |
-Financial integrity and employee privacy |
-
Patient medical records |
-MedRec-2 |
-Doctors and Nurses: Read/Write on Med/Rec-2 -Lab Assistants: Write only on MedRec-2 -Accounting: Read only on MedRec-2 |
-High |
-Strict legal and regulatory standards |
-
Consumer health information |
-Web-Ext-1 |
-Public Relations Web Content Creators: Read/Write on Web-Ext-1 -Public: Read only on Web-Ext-1 |
-Low |
-Public education and corporate image |
-
| Groups | -Data | -Possible auditing considerations | -
|---|---|---|
Account administrators |
-User accounts and security groups |
-Account administrators have full privileges to create new user accounts, reset passwords, and modify security group memberships. We need a mechanism to monitor these changes. |
-
Members of the Finance OU |
-Financial records |
-Users in Finance have Read/Write access to critical financial records, but no ability to change permissions on these resources. These financial records are subject to government regulatory compliance requirements. |
-
External partners |
-Project Z |
-Employees of partner organizations have Read/Write access to certain project data and servers relating to Project Z, but not to other servers or data on the network. |
-
| Type of computer and applications | -Operating system version | -Where located | -
|---|---|---|
Servers hosting Exchange Server |
-Windows Server 2008 R2 |
-ExchangeSrv OU |
-
File servers |
-Windows Server 2012 |
-Separate resource OUs by department and (in some cases) by location |
-
Portable computers |
-Windows Vista and Windows 7 |
-Separate portable computer OUs by department and (in some cases) by location |
-
Web servers |
-Windows Server 2008 R2 |
-WebSrv OU |
-
| Key protector | -Description | -
|---|---|
TPM |
-A hardware device used to help establish a secure root-of-trust. BitLocker only supports TPM version 1.2 or higher. |
-
PIN |
-A user-entered numeric key protector that can only be used in addition to the TPM. |
-
Enhanced PIN |
-A user-entered alphanumeric key protector that can only be used in addition to the TPM. |
-
Startup key |
-An encryption key that can be stored on most removable media. This key protector can be used alone on non-TPM computers, or in conjunction with a TPM for added security. |
-
Recovery password |
-A 48-digit number used to unlock a volume when it is in recovery mode. Numbers can often be typed on a regular keyboard, if the numbers on the normal keyboard are not responding you can always use the function keys (F1-F10) to input the numbers. |
-
Recovery key |
-An encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume. |
-
| Authentication method | -Requires user interaction | -Description | -
|---|---|---|
TPM only |
-No |
-TPM validates early boot components. |
-
TPM + PIN |
-Yes |
-TPM validates early boot components. The user must enter the correct PIN before the start-up process can continue, and before the drive can be unlocked. The TPM will enter lockout if the incorrect PIN is entered repeatedly to protect the PIN from brute force attacks. The number of repeated attempts that will trigger a lockout is variable. |
-
TPM + Network key |
-No |
-The TPM successfully validates early boot components, and a valid encrypted network key has been provided from the WDS server. This authentication method provides automatic unlock of operating system volumes at system reboot while still maintaining multifactor authentication. |
-
TPM + startup key |
-Yes |
-The TPM successfully validates early boot components, and a USB flash drive containing the startup key has been inserted. |
-
Startup key only |
-Yes |
-The user is prompted to insert the USB flash drive that holds the recovery key and/or startup key and reboot the computer. |
-
| State | -Description | -
|---|---|
Enabled |
-Most features of the TPM are available. -The TPM may be enabled and disabled multiple times within a boot period, if ownership is taken. |
-
Disabled |
-The TPM restricts most operations. Exceptions include the ability to report TPM capabilities, extend and reset Platform Configuration Register (PCR) functions, and to perform hashing and basic initialization. -The TPM may be enabled and disabled multiple times within a boot period. |
-
Activated |
-Most features of the TPM are available. The TPM may be activated and deactivated only through physical presence which requires a reboot. |
-
Deactivated |
-Similar to disabled, with the exception that ownership can be taken while deactivated and enabled. The TPM may be activated and deactivated only through physical presence which requires a reboot. |
-
Owned |
-Most features of the TPM are available. The TPM has an endorsement key and storage root key, and the owner knows information about owner authorization data. |
-
Un-owned |
-The TPM does not have a storage root key and may or may not have an endorsement key. |
-
| BitLocker Group Policy setting | -Configuration | -
|---|---|
BitLocker Drive Encryption: Turn on BitLocker backup to Active Directory Domain Services |
-Require BitLocker backup to AD DS (Passwords and key packages) |
-
Trusted Platform Module Services: Turn on TPM backup to Active Directory Domain Services |
-Require TPM backup to AD DS |
-
| Server type or GPO | -Default value | -
|---|---|
Default Domain Policy |
-Not defined |
-
Default Domain Controller Policy |
-Administrators |
-
Stand-Alone Server Default Settings |
-Administrators |
-
Domain Controller Effective Default Settings |
-Administrators |
-
Member Server Effective Default Settings |
-Administrators |
-
Client Computer Effective Default Settings |
-Administrators |
-
| Server type or GPO | -Default value | -
|---|---|
Default Domain Policy |
-Not defined |
-
Default Domain Controller Policy |
-Administrators |
-
Stand-Alone Server Default Settings |
-Administrators |
-
Domain Controller Effective Default Settings |
-Administrators |
-
Member Server Effective Default Settings |
-Administrators |
-
Client Computer Effective Default Settings |
-Administrators |
-
| Number | -Part of the solution | -Description | -
|---|---|---|
1 |
-Windows 10-based device |
-The first time a Windows 10-based device is powered on, the out-of-box experience (OOBE) screen is displayed. During setup, the device can be automatically registered into Azure Active Directory (AD) and enrolled in MDM. -A Windows 10-based device with TPM 2.0 can report health status at any time by using the Health Attestation Service available with all editions of Windows 10. |
-
2 |
-Identity provider |
-Azure AD contains users, registered devices, and registered application of organization’s tenant. A device always belongs to a user and a user can have multiple devices. A device is represented as an object with different attributes like the compliance status of the device. A trusted MDM can update the compliance status. -Azure AD is more than a repository. Azure AD is able to authenticate users and devices and can also authorize access to managed resources. Azure AD has a conditional access control engine that leverages the identity of the user, the location of the device and also the compliance status of the device when making a trusted access decision. |
-
3 |
-Mobile device management |
-Windows 10 has MDM support that enables the device to be managed out-of-box without deploying any agent. -MDM can be Microsoft Intune or any third-party MDM solution that is compatible with Windows 10. |
-
4 |
-Remote health attestation |
-The Health Attestation Service is a trusted cloud service operated by Microsoft that performs a series of health checks and reports to MDM what Windows 10 security features are enabled on the device. -Security verification includes boot state (WinPE, Safe Mode, Debug/test modes) and components that manage security and integrity of runtime operations (BitLocker, Device Guard). |
-
5 |
-Enterprise managed asset |
-Enterprise managed asset is the resource to protect. -For example, the asset can be Office 365, other cloud apps, on-premises web resources published by Azure AD, or even VPN access. |
-
| Server type or GPO | -Default value | -
|---|---|
Default Domain Policy |
-Not defined |
-
Default Domain Controller Policy |
-Not defined |
-
Stand-Alone Server Default Settings |
-Disabled |
-
DC Effective Default Settings |
-Disabled |
-
Member Server Effective Default Settings |
-Disabled |
-
Client Computer Effective Default Settings |
-Disabled |
-
| Server type or GPO | -Default value | -
|---|---|
Default Domain Policy |
-Not defined |
-
Default Domain Controller Policy |
-Not defined |
-
Stand-Alone Server Default Settings |
-Disabled |
-
DC Effective Default Settings |
-Disabled |
-
Member Server Effective Default Settings |
-Disabled |
-
Client Computer Effective Default Settings |
-Disabled |
-
| Server type or GPO | -Default value | -
|---|---|
Default Domain Policy |
-Not defined |
-
Default Domain Controller Policy |
-Administrators |
-
Stand-Alone Server Default Settings |
-Administrators |
-
Domain Controller Effective Default Settings |
-Administrators |
-
Member Server Effective Default Settings |
-Administrators |
-
Client Computer Effective Default Settings |
-Administrators |
-
| Server type or GPO | -Default value | -
|---|---|
Default Domain Policy |
-Not defined |
-
Default Domain Controller Policy |
-Network Service -Local Service |
-
Stand-Alone Server Default Settings |
-Network Service -Local Service |
-
Domain Controller Effective Default Settings |
-Network Service -Local Service |
-
Member Server Effective Default Settings |
-Network Service -Local Service |
-
Client Computer Effective Default Settings |
-Network Service -Local Service |
-
| Version | -Can be configured | -Can be enforced | -Available rules | -Notes | -
|---|---|---|---|---|
Windows 10 |
-Yes |
-Yes |
-Packaged apps -Executable -Windows Installer -Script -DLL |
-You can use the [AppLocker CSP](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) to configure AppLocker policies on any edition of Windows 10. You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise and Windows Server 2016 Technical Preview. |
-
Windows Server 2012 R2 |
-Yes |
-Yes |
-Packaged apps -Executable -Windows Installer -Script -DLL |
-- |
Windows 8.1 |
-Yes |
-Yes |
-Packaged apps -Executable -Windows Installer -Script -DLL |
-Only the Enterprise edition supports AppLocker |
-
Windows RT 8.1 |
-No |
-No |
-N/A |
-- |
Windows Server 2012 Standard |
-Yes |
-Yes |
-Packaged apps -Executable -Windows Installer -Script -DLL |
-- |
Windows Server 2012 Datacenter |
-Yes |
-Yes |
-Packaged apps -Executable -Windows Installer -Script -DLL |
-- |
Windows 8 Pro |
-No |
-No |
-N/A |
-- |
Windows 8 Enterprise |
-Yes |
-Yes |
-Packaged apps -Executable -Windows Installer -Script -DLL |
-- |
Windows RT |
-No |
-No |
-N/A |
-- |
Windows Server 2008 R2 Standard |
-Yes |
-Yes |
-Executable -Windows Installer -Script -DLL |
-Packaged app rules will not be enforced. |
-
Windows Server 2008 R2 Enterprise |
-Yes |
-Yes |
-Executable -Windows Installer -Script -DLL |
-Packaged app rules will not be enforced. |
-
Windows Server 2008 R2 Datacenter |
-Yes |
-Yes |
-Executable -Windows Installer -Script -DLL |
-Packaged app rules will not be enforced. |
-
Windows Server 2008 R2 for Itanium-Based Systems |
-Yes |
-Yes |
-Executable -Windows Installer -Script -DLL |
-Packaged app rules will not be enforced. |
-
Windows 7 Ultimate |
-Yes |
-Yes |
-Executable -Windows Installer -Script -DLL |
-Packaged app rules will not be enforced. |
-
Windows 7 Enterprise |
-Yes |
-Yes |
-Executable -Windows Installer -Script -DLL |
-Packaged app rules will not be enforced. |
-
Windows 7 Professional |
-Yes |
-No |
-Executable -Windows Installer -Script -DLL |
-No AppLocker rules are enforced. |
-
| Server type or Group Policy Object (GPO) | -Default value | -
|---|---|
Default domain policy |
-Not defined |
-
Default domain controller policy |
-Not defined |
-
Stand-alone server default settings |
-Not applicable |
-
Domain controller effective default settings |
-Not defined |
-
Member server effective default settings |
-Not defined |
-
Client computer effective default settings |
-Not applicable |
-
| Server type or GPO | -Default value | -
|---|---|
Default Domain Policy |
-- |
Default Domain Controller Policy |
-Administrators -Backup Operators -Server Operators |
-
Stand-Alone Server Default Settings |
-Administrators -Backup Operators |
-
Domain Controller Effective Default Settings |
-Administrators -Backup Operators -Server Operators |
-
Member Server Effective Default Settings |
-Administrators -Backup Operators |
-
Client Computer Effective Default Settings |
-Administrators -Backup Operators |
-
| Purpose | -Name | -User | -Rule condition type | -
|---|---|---|---|
Allows members of the local Administrators group to run all scripts |
-(Default Rule) All scripts |
-BUILTIN\Administrators |
-Path: * |
-
Allow all users to run scripts in the Windows folder |
-(Default Rule) All scripts located in the Windows folder |
-Everyone |
-Path: %windir%\* |
-
Allow all users to run scripts in the Program Files folder |
-(Default Rule) All scripts located in the Program Files folder |
-Everyone |
-Path: %programfiles%\* |
-
| Topic | -Description | -
|---|---|
[Basic security audit policies](basic-security-audit-policies.md) |
-Before you implement auditing, you must decide on an auditing policy. A basic audit policy specifies categories of security-related events that you want to audit. When this version of Windows is first installed, all auditing categories are disabled. By enabling various auditing event categories, you can implement an auditing policy that suits the security needs of your organization. |
-
[Advanced security audit policies](advanced-security-auditing.md) |
-Advanced security audit policy settings are found in Security Settings\Advanced Audit Policy Configuration\System Audit Policies and appear to overlap with basic security audit policies, but they are recorded and applied differently. |
-
| Topic | -Description | -
|---|---|
[Accounts: Administrator account status](accounts-administrator-account-status.md) |
-Describes the best practices, location, values, and security considerations for the Accounts: Administrator account status security policy setting. |
-
[Accounts: Block Microsoft accounts](accounts-block-microsoft-accounts.md) |
-Describes the best practices, location, values, management, and security considerations for the Accounts: Block Microsoft accounts security policy setting. |
-
[Accounts: Guest account status](accounts-guest-account-status.md) |
-Describes the best practices, location, values, and security considerations for the Accounts: Guest account status security policy setting. |
-
[Accounts: Limit local account use of blank passwords to console logon only](accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md) |
-Describes the best practices, location, values, and security considerations for the Accounts: Limit local account use of blank passwords to console logon only security policy setting. |
-
[Accounts: Rename administrator account](accounts-rename-administrator-account.md) |
-This security policy reference topic for the IT professional describes the best practices, location, values, and security considerations for this policy setting. |
-
[Accounts: Rename guest account](accounts-rename-guest-account.md) |
-Describes the best practices, location, values, and security considerations for the Accounts: Rename guest account security policy setting. |
-
[Audit: Audit the access of global system objects](audit-audit-the-access-of-global-system-objects.md) |
-Describes the best practices, location, values, and security considerations for the Audit: Audit the access of global system objects security policy setting. |
-
[Audit: Audit the use of Backup and Restore privilege](audit-audit-the-use-of-backup-and-restore-privilege.md) |
-Describes the best practices, location, values, and security considerations for the Audit: Audit the use of Backup and Restore privilege security policy setting. |
-
[Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings](audit-force-audit-policy-subcategory-settings-to-override.md) |
-Describes the best practices, location, values, and security considerations for the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings security policy setting. |
-
[Audit: Shut down system immediately if unable to log security audits](audit-shut-down-system-immediately-if-unable-to-log-security-audits.md) |
-Describes the best practices, location, values, management practices, and security considerations for the Audit: Shut down system immediately if unable to log security audits security policy setting. |
-
[DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md) |
-Describes the best practices, location, values, and security considerations for the DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting. |
-
[DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md) |
-Describes the best practices, location, values, and security considerations for the DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax security policy setting. |
-
[Devices: Allow undock without having to log on](devices-allow-undock-without-having-to-log-on.md) |
-Describes the best practices, location, values, and security considerations for the Devices: Allow undock without having to log on security policy setting. |
-
[Devices: Allowed to format and eject removable media](devices-allowed-to-format-and-eject-removable-media.md) |
-Describes the best practices, location, values, and security considerations for the Devices: Allowed to format and eject removable media security policy setting. |
-
[Devices: Prevent users from installing printer drivers](devices-prevent-users-from-installing-printer-drivers.md) |
-Describes the best practices, location, values, and security considerations for the Devices: Prevent users from installing printer drivers security policy setting. |
-
[Devices: Restrict CD-ROM access to locally logged-on user only](devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md) |
-Describes the best practices, location, values, and security considerations for the Devices: Restrict CD-ROM access to locally logged-on user only security policy setting. |
-
[Devices: Restrict floppy access to locally logged-on user only](devices-restrict-floppy-access-to-locally-logged-on-user-only.md) |
-Describes the best practices, location, values, and security considerations for the Devices: Restrict floppy access to locally logged-on user only security policy setting. |
-
[Domain controller: Allow server operators to schedule tasks](domain-controller-allow-server-operators-to-schedule-tasks.md) |
-Describes the best practices, location, values, and security considerations for the Domain controller: Allow server operators to schedule tasks security policy setting. |
-
[Domain controller: LDAP server signing requirements](domain-controller-ldap-server-signing-requirements.md) |
-Describes the best practices, location, values, and security considerations for the Domain controller: LDAP server signing requirements security policy setting. |
-
[Domain controller: Refuse machine account password changes](domain-controller-refuse-machine-account-password-changes.md) |
-Describes the best practices, location, values, and security considerations for the Domain controller: Refuse machine account password changes security policy setting. |
-
[Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) |
-Describes the best practices, location, values, and security considerations for the Domain member: Digitally encrypt or sign secure channel data (always) security policy setting. |
-
[Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) |
-Describes the best practices, location, values, and security considerations for the Domain member: Digitally encrypt secure channel data (when possible) security policy setting. |
-
[Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) |
-Describes the best practices, location, values, and security considerations for the Domain member: Digitally sign secure channel data (when possible) security policy setting. |
-
[Domain member: Disable machine account password changes](domain-member-disable-machine-account-password-changes.md) |
-Describes the best practices, location, values, and security considerations for the Domain member: Disable machine account password changes security policy setting. |
-
[Domain member: Maximum machine account password age](domain-member-maximum-machine-account-password-age.md) |
-Describes the best practices, location, values, and security considerations for the Domain member: Maximum machine account password age security policy setting. |
-
[Domain member: Require strong (Windows 2000 or later) session key](domain-member-require-strong-windows-2000-or-later-session-key.md) |
-Describes the best practices, location, values, and security considerations for the Domain member: Require strong (Windows 2000 or later) session key security policy setting. |
-
[Interactive logon: Display user information when the session is locked](interactive-logon-display-user-information-when-the-session-is-locked.md) |
-Describes the best practices, location, values, and security considerations for the Interactive logon: Display user information when the session is locked security policy setting. |
-
[Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md) |
-Describes the best practices, location, values, and security considerations for the Interactive logon: Do not display last user name security policy setting. |
-
[Interactive logon: Do not require CTRL+ALT+DEL](interactive-logon-do-not-require-ctrl-alt-del.md) |
-Describes the best practices, location, values, and security considerations for the Interactive logon: Do not require CTRL+ALT+DEL security policy setting. |
-
[Interactive logon: Machine account lockout threshold](interactive-logon-machine-account-lockout-threshold.md) |
-Describes the best practices, location, values, management, and security considerations for the Interactive logon: Machine account lockout threshold security policy setting. |
-
[Interactive logon: Machine inactivity limit](interactive-logon-machine-inactivity-limit.md) |
-Describes the best practices, location, values, management, and security considerations for the Interactive logon: Machine inactivity limit security policy setting. |
-
[Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) |
-Describes the best practices, location, values, management, and security considerations for the Interactive logon: Message text for users attempting to log on security policy setting. |
-
[Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md) |
-Describes the best practices, location, values, policy management and security considerations for the Interactive logon: Message title for users attempting to log on security policy setting. |
-
[Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) |
-Describes the best practices, location, values, policy management and security considerations for the Interactive logon: Number of previous logons to cache (in case domain controller is not available) security policy setting. |
-
[Interactive logon: Prompt user to change password before expiration](interactive-logon-prompt-user-to-change-password-before-expiration.md) |
-Describes the best practices, location, values, policy management and security considerations for the Interactive logon: Prompt user to change password before expiration security policy setting. |
-
[Interactive logon: Require Domain Controller authentication to unlock workstation](interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md) |
-Describes the best practices, location, values, policy management, and security considerations for the Interactive logon: Require Domain Controller authentication to unlock workstation security policy setting. |
-
[Interactive logon: Require smart card](interactive-logon-require-smart-card.md) |
-Describes the best practices, location, values, policy management and security considerations for the Interactive logon: Require smart card security policy setting. |
-
[Interactive logon: Smart card removal behavior](interactive-logon-smart-card-removal-behavior.md) |
-Describes the best practices, location, values, policy management and security considerations for the Interactive logon: Smart card removal behavior security policy setting. |
-
[Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md) |
-Describes the best practices, location, values, policy management and security considerations for the Microsoft network client: Digitally sign communications (always) security policy setting. |
-
[Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md) |
-Describes the best practices, location, values, and security considerations for the Microsoft network client: Digitally sign communications (if server agrees) security policy setting. |
-
[Microsoft network client: Send unencrypted password to third-party SMB servers](microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md) |
-Describes the best practices, location, values, policy management and security considerations for the Microsoft network client: Send unencrypted password to third-party SMB servers security policy setting. |
-
[Microsoft network server: Amount of idle time required before suspending session](microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md) |
-Describes the best practices, location, values, and security considerations for the Microsoft network server: Amount of idle time required before suspending session security policy setting. |
-
[Microsoft network server: Attempt S4U2Self to obtain claim information](microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md) |
-Describes the best practices, location, values, management, and security considerations for the Microsoft network server: Attempt S4U2Self to obtain claim information security policy setting. |
-
[Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md) |
-Describes the best practices, location, values, policy management and security considerations for the Microsoft network server: Digitally sign communications (always) security policy setting. |
-
[Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md) |
-Describes the best practices, location, values, policy management and security considerations for the Microsoft network server: Digitally sign communications (if client agrees) security policy setting. |
-
[Microsoft network server: Disconnect clients when logon hours expire](microsoft-network-server-disconnect-clients-when-logon-hours-expire.md) |
-Describes the best practices, location, values, and security considerations for the Microsoft network server: Disconnect clients when logon hours expire security policy setting. |
-
[Microsoft network server: Server SPN target name validation level](microsoft-network-server-server-spn-target-name-validation-level.md) |
-Describes the best practices, location, and values, policy management and security considerations for the Microsoft network server: Server SPN target name validation level security policy setting. |
-
[Network access: Allow anonymous SID/Name translation](network-access-allow-anonymous-sidname-translation.md) |
-Describes the best practices, location, values, policy management and security considerations for the Network access: Allow anonymous SID/Name translation security policy setting. |
-
[Network access: Do not allow anonymous enumeration of SAM accounts](network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md) |
-Describes the best practices, location, values, and security considerations for the Network access: Do not allow anonymous enumeration of SAM accounts security policy setting. |
-
[Network access: Do not allow anonymous enumeration of SAM accounts and shares](network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md) |
-Describes the best practices, location, values, and security considerations for the Network access: Do not allow anonymous enumeration of SAM accounts and shares security policy setting. |
-
[Network access: Do not allow storage of passwords and credentials for network authentication](network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md) |
-Describes the best practices, location, values, policy management and security considerations for the Network access: Do not allow storage of passwords and credentials for network authentication security policy setting. |
-
[Network access: Let Everyone permissions apply to anonymous users](network-access-let-everyone-permissions-apply-to-anonymous-users.md) |
-Describes the best practices, location, values, policy management and security considerations for the Network access: Let Everyone permissions apply to anonymous users security policy setting. |
-
[Network access: Named Pipes that can be accessed anonymously](network-access-named-pipes-that-can-be-accessed-anonymously.md) |
-Describes the best practices, location, values, policy management and security considerations for the Network access: Named Pipes that can be accessed anonymously security policy setting. |
-
[Network access: Remotely accessible registry paths](network-access-remotely-accessible-registry-paths.md) |
-Describes the best practices, location, values, policy management and security considerations for the Network access: Remotely accessible registry paths security policy setting. |
-
[Network access: Remotely accessible registry paths and subpaths](network-access-remotely-accessible-registry-paths-and-subpaths.md) |
-Describes the best practices, location, values, and security considerations for the Network access: Remotely accessible registry paths and subpaths security policy setting. |
-
[Network access: Restrict anonymous access to Named Pipes and Shares](network-access-restrict-anonymous-access-to-named-pipes-and-shares.md) |
-Describes the best practices, location, values, policy management and security considerations for the Network access: Restrict anonymous access to Named Pipes and Shares security policy setting. |
-
[Network access: Shares that can be accessed anonymously](network-access-shares-that-can-be-accessed-anonymously.md) |
-Describes the best practices, location, values, policy management and security considerations for the Network access: Shares that can be accessed anonymously security policy setting. |
-
[Network access: Sharing and security model for local accounts](network-access-sharing-and-security-model-for-local-accounts.md) |
-Describes the best practices, location, values, policy management and security considerations for the Network access: Sharing and security model for local accounts security policy setting. |
-
[Network security: Allow Local System to use computer identity for NTLM](network-security-allow-local-system-to-use-computer-identity-for-ntlm.md) |
-Describes the location, values, policy management, and security considerations for the Network security: Allow Local System to use computer identity for NTLM security policy setting. |
-
[Network security: Allow LocalSystem NULL session fallback](network-security-allow-localsystem-null-session-fallback.md) |
-Describes the best practices, location, values, and security considerations for the Network security: Allow LocalSystem NULL session fallback security policy setting. |
-
[Network security: Allow PKU2U authentication requests to this computer to use online identities](network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md) |
-Describes the best practices, location, and values for the Network Security: Allow PKU2U authentication requests to this computer to use online identities security policy setting. |
-
[Network security: Configure encryption types allowed for Kerberos Win7 only](network-security-configure-encryption-types-allowed-for-kerberos.md) |
-Describes the best practices, location, values and security considerations for the Network security: Configure encryption types allowed for Kerberos Win7 only security policy setting. |
-
[Network security: Do not store LAN Manager hash value on next password change](network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md) |
-Describes the best practices, location, values, policy management and security considerations for the Network security: Do not store LAN Manager hash value on next password change security policy setting. |
-
[Network security: Force logoff when logon hours expire](network-security-force-logoff-when-logon-hours-expire.md) |
-Describes the best practices, location, values, policy management and security considerations for the Network security: Force logoff when logon hours expire security policy setting. |
-
[Network security: LAN Manager authentication level](network-security-lan-manager-authentication-level.md) |
-Describes the best practices, location, values, policy management and security considerations for the Network security: LAN Manager authentication level security policy setting. |
-
[Network security: LDAP client signing requirements](network-security-ldap-client-signing-requirements.md) |
-This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. This information applies to computers running at least the Windows Server 2008 operating system. |
-
[Network security: Minimum session security for NTLM SSP based (including secure RPC) clients](network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md) |
-Describes the best practices, location, values, policy management and security considerations for the Network security: Minimum session security for NTLM SSP based (including secure RPC) clients security policy setting. |
-
[Network security: Minimum session security for NTLM SSP based (including secure RPC) servers](network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md) |
-Describes the best practices, location, values, policy management and security considerations for the Network security: Minimum session security for NTLM SSP based (including secure RPC) servers security policy setting. |
-
[Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md) |
-Describes the best practices, location, values, management aspects, and security considerations for the Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication security policy setting. |
-
[Network security: Restrict NTLM: Add server exceptions in this domain](network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md) |
-Describes the best practices, location, values, management aspects, and security considerations for the Network security: Restrict NTLM: Add server exceptions in this domain security policy setting. |
-
[Network security: Restrict NTLM: Audit incoming NTLM traffic](network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md) |
-Describes the best practices, location, values, management aspects, and security considerations for the Network Security: Restrict NTLM: Audit incoming NTLM traffic security policy setting. |
-
[Network security: Restrict NTLM: Audit NTLM authentication in this domain](network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md) |
-Describes the best practices, location, values, management aspects, and security considerations for the Network Security: Restrict NTLM: Audit NTLM authentication in this domain security policy setting. |
-
[Network security: Restrict NTLM: Incoming NTLM traffic](network-security-restrict-ntlm-incoming-ntlm-traffic.md) |
-Describes the best practices, location, values, management aspects, and security considerations for the Network Security: Restrict NTLM: Incoming NTLM traffic security policy setting. |
-
[Network security: Restrict NTLM: NTLM authentication in this domain](network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md) |
-Describes the best practices, location, values, management aspects, and security considerations for the Network Security: Restrict NTLM: NTLM authentication in this domain security policy setting. |
-
[Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) |
-Describes the best practices, location, values, management aspects, and security considerations for the Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers security policy setting. |
-
[Recovery console: Allow automatic administrative logon](recovery-console-allow-automatic-administrative-logon.md) |
-Describes the best practices, location, values, policy management and security considerations for the Recovery console: Allow automatic administrative logon security policy setting. |
-
[Recovery console: Allow floppy copy and access to all drives and folders](recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md) |
-Describes the best practices, location, values, policy management and security considerations for the Recovery console: Allow floppy copy and access to all drives and folders security policy setting. |
-
[Shutdown: Allow system to be shut down without having to log on](shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md) |
-Describes the best practices, location, values, policy management and security considerations for the Shutdown: Allow system to be shut down without having to log on security policy setting. |
-
[Shutdown: Clear virtual memory pagefile](shutdown-clear-virtual-memory-pagefile.md) |
-Describes the best practices, location, values, policy management and security considerations for the Shutdown: Clear virtual memory pagefile security policy setting. |
-
[System cryptography: Force strong key protection for user keys stored on the computer](system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md) |
-Describes the best practices, location, values, policy management and security considerations for the System cryptography: Force strong key protection for user keys stored on the computer security policy setting. |
-
[System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md) |
-This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. |
-
[System objects: Require case insensitivity for non-Windows subsystems](system-objects-require-case-insensitivity-for-non-windows-subsystems.md) |
-Describes the best practices, location, values, policy management and security considerations for the System objects: Require case insensitivity for non-Windows subsystems security policy setting. |
-
[System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)](system-objects-strengthen-default-permissions-of-internal-system-objects.md) |
-Describes the best practices, location, values, policy management and security considerations for the System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) security policy setting. |
-
[System settings: Optional subsystems](system-settings-optional-subsystems.md) |
-Describes the best practices, location, values, policy management and security considerations for the System settings: Optional subsystems security policy setting. |
-
[System settings: Use certificate rules on Windows executables for Software Restriction Policies](system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md) |
-Describes the best practices, location, values, policy management and security considerations for the System settings: Use certificate rules on Windows executables for Software Restriction Policies security policy setting. |
-
[User Account Control: Admin Approval Mode for the Built-in Administrator account](user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md) |
-Describes the best practices, location, values, policy management and security considerations for the User Account Control: Admin Approval Mode for the Built-in Administrator account security policy setting. |
-
[User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md) |
-Describes the best practices, location, values, and security considerations for the User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop security policy setting. |
-
[User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md) |
-Describes the best practices, location, values, policy management and security considerations for the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode security policy setting. |
-
[User Account Control: Behavior of the elevation prompt for standard users](user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md) |
-Describes the best practices, location, values, policy management and security considerations for the User Account Control: Behavior of the elevation prompt for standard users security policy setting. |
-
[User Account Control: Detect application installations and prompt for elevation](user-account-control-detect-application-installations-and-prompt-for-elevation.md) |
-Describes the best practices, location, values, policy management and security considerations for the User Account Control: Detect application installations and prompt for elevation security policy setting. |
-
[User Account Control: Only elevate executables that are signed and validated](user-account-control-only-elevate-executables-that-are-signed-and-validated.md) |
-Describes the best practices, location, values, policy management and security considerations for the User Account Control: Only elevate executables that are signed and validated security policy setting. |
-
[User Account Control: Only elevate UIAccess applications that are installed in secure locations](user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md) |
-Describes the best practices, location, values, policy management and security considerations for the User Account Control: Only elevate UIAccess applications that are installed in secure locations security policy setting. |
-
[User Account Control: Run all administrators in Admin Approval Mode](user-account-control-run-all-administrators-in-admin-approval-mode.md) |
-Describes the best practices, location, values, policy management and security considerations for the User Account Control: Run all administrators in Admin Approval Mode security policy setting. |
-
[User Account Control: Switch to the secure desktop when prompting for elevation](user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md) |
-Describes the best practices, location, values, policy management and security considerations for the User Account Control: Switch to the secure desktop when prompting for elevation security policy setting. |
-
[User Account Control: Virtualize file and registry write failures to per-user locations](user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md) |
-Describes the best practices, location, values, policy management and security considerations for the User Account Control: Virtualize file and registry write failures to per-user locations security policy setting. |
-
| Topic | -Description | -
|---|---|
[Account Policies](account-policies.md) |
-An overview of account policies in Windows and provides links to policy descriptions. |
-
[Audit Policy](audit-policy.md) |
-Provides information about basic audit policies that are available in Windows and links to information about each setting. |
-
[Security Options](security-options.md) |
-Provides an introduction to the settings under Security Options of the local security policies and links to information about each setting. |
-
[Advanced security audit policy settings](secpol-advanced-security-audit-policy-settings.md) |
-Provides information about the advanced security audit policy settings that are available in Windows and the audit events that they generate. |
-
[User Rights Assignment](user-rights-assignment.md) |
-Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows. |
-
| Topic | -Description | -
|---|---|
[Administer security policy settings](administer-security-policy-settings.md) |
-This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization. |
-
[Configure security policy settings](how-to-configure-security-policy-settings.md) |
-Describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller. |
-
[Security policy settings reference](security-policy-settings-reference.md) |
-This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations. |
-
| Topic | -Description | -
|---|---|
[AppLocker](applocker-overview.md) |
-This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. |
-
[BitLocker](bitlocker-overview.md) |
-This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features. |
-
[Encrypted Hard Drive](encrypted-hard-drive.md) |
-Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. |
-
[Security auditing](security-auditing-overview.md) |
-Topics in this section are for IT professionals and describes the security auditing features in Windows and how your organization can benefit from using these technologies to enhance the security and manageability of your network. |
-
[Security policy settings](security-policy-settings.md) |
-This reference topic describes the common scenarios, architecture, and processes for security settings. |
-
[Trusted Platform Module](trusted-platform-module-overview.md) |
-This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. The topic provides links to other resources about the TPM. |
-
[User Account Control](user-account-control-overview.md) |
-User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings. |
-
[Windows Defender in Windows 10](windows-defender-in-windows-10.md) |
-This topic provides an overview of Windows Defender, including a list of system requirements and new features. |
-
| Rule condition | -Usage scenario | -Resources | -
|---|---|---|
Publisher |
-To use a publisher condition, the files must be digitally signed by the software publisher, or you must do so by using an internal certificate. Rules that are specified to the version level might have to be updated when a new version of the file is released. |
-For more info about this rule condition, see [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md). |
-
Path |
-Any file can be assigned this rule condition; however, because path rules specify locations within the file system, any subdirectory will also be affected by the rule (unless explicitly exempted). |
-For more info about this rule condition, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md). |
-
File hash |
-Any file can be assigned this rule condition; however, the rule must be updated each time a new version of the file is released because the hash value is based in part upon the version. |
-For more info about this rule condition, see [Understanding the file hash rule condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md). |
-
| Server type or GPO | -Default value | -
|---|---|
Default Domain Policy |
-Not defined |
-
Default Domain Controller Policy |
-Administrators -Backup Operators -Server Operators -Print Operators |
-
Stand-Alone Server Default Settings |
-Administrators -Backup Operators |
-
Domain Controller Effective Default Settings |
-Administrators -Backup Operators -Server Operators -Print Operators |
-
Member Server Effective Default Settings |
-Administrators -Backup Operators |
-
Client Computer Effective Default Settings |
-Administrators -Backup Operators -Users |
-
| Server type or GPO | -Default value | -
|---|---|
Default Domain Policy |
-Not defined |
-
Default Domain Controller Policy |
-Not defined |
-
Stand-Alone Server Default Settings |
-Disabled |
-
DC Effective Default Settings |
-Disabled |
-
Member Server Effective Default Settings |
-Disabled |
-
Client Computer Effective Default Settings |
-Enabled |
-
| Server type or GPO | -Default value | -
|---|---|
Default Domain Policy |
-Not defined |
-
Default Domain Controller Policy |
-Not defined |
-
Stand-Alone Server Default Settings |
-Disabled |
-
DC Effective Default Settings |
-Disabled |
-
Member Server Effective Default Settings |
-Disabled |
-
Client Computer Effective Default Settings |
-Disabled |
-
| Server type or Group Policy Object (GPO) | -Default value | -
|---|---|
Default domain policy |
-Disabled |
-
Default domain controller policy |
-Disabled |
-
Stand-alone server default settings |
-Disabled |
-
Domain controller effective default settings |
-Disabled |
-
Member server effective default settings |
-Disabled |
-
Effective GPO default settings on client computers |
-Disabled |
-
| Server type or GPO | -Default value | -
|---|---|
Default Domain Policy |
-Not defined |
-
Default Domain Controller Policy |
-Not defined |
-
Stand-Alone Server Default Settings |
-Not defined |
-
Domain Controller Effective Default Settings |
-Enabled |
-
Member Server Effective Default Settings |
-Disabled |
-
Client Computer Effective Default Settings |
-Disabled |
-
| Server type or GPO | -Default value | -
|---|---|
Default Domain Policy |
-Not defined |
-
Default Domain Controller Policy |
-Not defined |
-
Stand-Alone Server Default Settings |
-Not defined |
-
DC Effective Default Settings |
-Not defined |
-
Member Server Effective Default Settings |
-Not defined |
-
Client Computer Effective Default Settings |
-Not defined |
-
| Server type or GPO | -Default value | -
|---|---|
Default Domain Policy |
-Not defined |
-
Default Domain Controller Policy |
-Not defined |
-
Stand-Alone Server Default Settings |
-Disabled |
-
DC Effective Default Settings |
-Disabled |
-
Member Server Effective Default Settings |
-Disabled |
-
Client Computer Effective Default Settings |
-Disabled |
-
| Operating systems | -Applicability | -
|---|---|
Windows 10, Windows 8.1, and Windows Server 2012 R2 |
-When created on these operating systems, the recovery password cannot be used on other systems listed in this table. |
-
Windows Server 2012 and Windows 8 |
-When created on these operating systems, the recovery key can be used on other systems listed in this table as well. |
-
Windows Server 2008 R2 and Windows 7 |
-When created on these operating systems, the recovery key can be used on other systems listed in this table as well. |
-
Windows Server 2008 and Windows Vista |
-When created on these operating systems, the recovery key can be used on other systems listed in this table as well. |
-
| Server type or GPO | -Default value | -
|---|---|
Default Domain Policy |
-Not defined |
-
Default Domain Controller Policy |
-Not defined |
-
Stand-Alone Server Default Settings |
-Enabled |
-
DC Effective Default Settings |
-Enabled |
-
Member Server Effective Default Settings |
-Enabled |
-
Client Computer Effective Default Settings |
-Enabled |
-
| Server type or GPO | -Default value | -
|---|---|
Default Domain Policy |
-Not defined |
-
Default Domain Controller Policy |
-Not defined |
-
Stand-Alone Server Default Settings |
-Enabled |
-
DC Effective Default Settings |
-Enabled |
-
Member Server Effective Default Settings |
-Enabled |
-
Client Computer Effective Default Settings |
-Enabled |
-
| Server type or GPO | -Default value | -
|---|---|
Default Domain Policy |
-Not defined |
-
Default Domain Controller Policy |
-Not defined |
-
Stand-Alone Server Default Settings |
-POSIX |
-
DC Effective Default Settings |
-POSIX |
-
Member Server Effective Default Settings |
-POSIX |
-
Client Computer Effective Default Settings |
-POSIX |
-
| Server type or GPO | -Default value | -
|---|---|
Default Domain Policy |
-Not defined |
-
Default Domain Controller Policy |
-Not defined |
-
Stand-Alone Server Default Settings |
-Disabled |
-
DC Effective Default Settings |
-Disabled |
-
Member Server Effective Default Settings |
-Disabled |
-
Client Computer Effective Default Settings |
-Disabled |
-
| Server type or GPO | -Default value | -
|---|---|
Default Domain Policy |
-Not defined |
-
Default Domain Controller Policy |
-Administrators |
-
Stand-Alone Server Default Settings |
-Administrators |
-
Domain Controller Effective Default Settings |
-Administrators |
-
Member Server Effective Default Settings |
-Administrators |
-
Client Computer Effective Default Settings |
-Administrators |
-
| Value Data | -Setting | -
|---|---|
0 |
-None |
-
2 |
-Delegated |
-
4 |
-Full |
-
| State | -Description | -
|---|---|
Enabled |
-Most features of the TPM are available. -The TPM can be enabled and disabled multiple times within a boot period, if ownership is taken. |
-
Disabled |
-The TPM restricts most operations. Exceptions include the ability to report TPM capabilities, extend and reset Platform Configuration Register (PCR) functions, and perform hashing and basic initialization. -The TPM can be enabled and disabled multiple times within a start-up period. |
-
Activated |
-Most features of the TPM are available. The TPM can be activated and deactivated only through physical presence, which requires a restart. |
-
Deactivated |
-Similar to the disabled state, with the exception that ownership can be taken when the TPM is deactivated and enabled. The TPM can be activated and deactivated only through physical presence, which requires a restart. |
-
Owned |
-Most features of the TPM are available. The TPM has an endorsement key and storage root key, and the owner knows information about owner authorization data. |
-
Unowned |
-The TPM does not have a storage root key, and it may or may not have an endorsement key. |
-
| Event ID: 1000 | @@ -3257,8 +3268,8 @@ article.
|---|
| TPM version | -Windows 10 | -Windows Server 2012 R2, Windows 8.1, and Windows RT | -Windows Server 2012, Windows 8, and Windows RT | -Windows Server 2008 R2 and Windows 7 | -
|---|---|---|---|---|
TPM 1.2 |
-X |
-X |
-X |
-X |
-
TPM 2.0 |
-X |
-X |
-X |
-X |
-
| Setting | -Windows 10 | -Windows Server 2012 R2, Windows 8.1 and Windows RT | -Windows Server 2012, Windows 8 and Windows RT | -Windows Server 2008 R2 and Windows 7 | -Windows Server 2008 and Windows Vista | -
|---|---|---|---|---|---|
[Turn on TPM backup to Active Directory Domain Services](#bkmk-tpmgp-addsbu) |
-X |
-X |
-X |
-X |
-X |
-
[Configure the list of blocked TPM commands](#bkmk-tpmgp-clbtc) |
-X |
-X |
-X |
-X |
-X |
-
[Ignore the default list of blocked TPM commands](#bkmk-tpmgp-idlb) |
-X |
-X |
-X |
-X |
-X |
-
[Ignore the local list of blocked TPM commands](#bkmk-tpmgp-illb) |
-X |
-X |
-X |
-X |
-X |
-
[Configure the level of TPM owner authorization information available to the operating system](#bkmk-tpmgp-oauthos) |
-X |
-X |
-X |
-- | - |
[Standard User Lockout Duration](#bkmk-tpmgp-suld) |
-X |
-X |
-X |
-- | - |
[Standard User Individual Lockout Threshold](#bkmk-tpmgp-suilt) |
-X |
-X |
-X |
-- | - |
[Standard User Total Lockout Threshold](#bkmk-tpmgpsutlt) |
-X |
-X |
-X |
-- | - |
| Value Data | -Setting | -
|---|---|
0 |
-None |
-
2 |
-Delegated |
-
4 |
-Full |
-
| Enforcement setting | -Description | -
|---|---|
Not configured |
-By default, enforcement is not configured in a rule collection. If rules are present in the corresponding rule collection, they are enforced. If rule enforcement is configured in a higher-level linked Group Policy object (GPO), that enforcement value overrides the Not configured value. |
-
Enforce rules |
-Rules are enforced for the rule collection, and all rule events are audited. |
-
Audit only |
-Rule events are audited only. Use this value when planning and testing AppLocker rules. |
-
| Possible answers | -Design considerations | -
|---|---|
Control all apps |
-AppLocker policies control applications by creating an allowed list of applications by file type. Exceptions are also possible. AppLocker policies can only be applied to applications installed on computers running one of the supported versions of Windows. For specific operating system version requirements, see [Requirements to use AppLocker](requirements-to-use-applocker.md). |
-
Control specific apps |
-When you create AppLocker rules, a list of allowed apps are created. All apps on that list will be allowed to run (except those on the exception list). Apps that are not on the list will be prevented from running. AppLocker policies can only be applied to apps installed on computers running any of the supported versions of Windows. For specific operating system version requirements, see [Requirements to use AppLocker](requirements-to-use-applocker.md). |
-
Control only Classic Windows applications, only Universal Windows apps, or both |
-AppLocker policies control apps by creating an allowed list of apps by file type. Because Universal Windows apps are categorized under the Publisher condition, Classic Windows applications and Universal Windows apps can be controlled together. AppLocker policies for Universal Windows apps can be applied only to apps that are installed on PCs that support the Windows Store, but Classic Windows applications can be controlled with AppLocker on all supported versions of Windows. The rules you currently have configured for Classic Windows applications can remain, and you can create new ones for Universal Windows apps. -For a comparison of Classic Windows applications and Universal Windows apps, see [Comparing Classic Windows applications and Universal Windows apps for AppLocker policy design decisions](#bkmk-compareclassicmetro) in this topic. |
-
Control apps by business group and user |
-AppLocker policies can be applied through a Group Policy Object (GPO) to computer objects within an organizational unit (OU). Individual AppLocker rules can be applied to individual users or to groups of users. |
-
Control apps by computer, not user |
-AppLocker is a computer-based policy implementation. If your domain or site organizational structure is not based on a logical user structure, such as an OU, you might want to set up that structure before you begin your AppLocker planning. Otherwise, you will have to identify users, their computers, and their app access requirements. |
-
Understand app usage, but there is no need to control any apps yet |
-AppLocker policies can be set to audit app usage to help you track which apps are used in your organization. You can then use the AppLocker event log to create AppLocker policies. |
-
| Possible answers | -Design considerations | -
|---|---|
Security polices (locally set or through Group Policy) |
-Using AppLocker requires increased effort in planning to create correct policies, but this results in a simpler distribution method. |
-
Non-Microsoft app control software |
-Using AppLocker requires a complete app control policy evaluation and implementation. |
-
Managed usage by group or OU |
-Using AppLocker requires a complete app control policy evaluation and implementation. |
-
Authorization Manager or other role-based access technologies |
-Using AppLocker requires a complete app control policy evaluation and implementation. |
-
Other |
-Using AppLocker requires a complete app control policy evaluation and implementation. |
-
| Possible answers | -Design considerations | -
|---|---|
Yes - |
-For each group, you need to create a list that includes their application control requirements. Although this may increase the planning time, it will most likely result in a more effective deployment. -If your GPO structure is not currently configured so that you can apply different policies to specific groups, you can alternatively apply AppLocker rules in a GPO to specific user groups. |
-
No |
-AppLocker policies can be applied globally to applications that are installed on PCs running the supported versions of Windows as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). Depending on the number of apps you need to control, managing all the rules and exceptions might be challenging. |
-
| Possible answers | -Design considerations | -
|---|---|
Yes |
-Invest the time to analyze your organization's application control requirements, and plan a complete deployment that uses rules that are as simply constructed as possible. |
-
No |
-Consider a focused and phased deployment for specific groups by using a small number of rules. As you apply controls to applications in a specific group, learn from that deployment to plan your next deployment. |
-
| Possible answers | -Design considerations | -
|---|---|
Yes |
-Involve the support department early in the planning phase because your users may inadvertently be blocked from using their applications, or they may seek exceptions to use specific applications. |
-
No |
-Invest time in developing online support processes and documentation before deployment. |
-
| Possible answers | -Design considerations | -
|---|---|
Yes |
-You should determine the application control priorities for a business group and then attempt to design the simplest scheme for their application control policies. |
-
No |
-You will have to perform an audit and requirements gathering project to discover the application usage. AppLocker provides the means to deploy policies in Audit only mode, and tools to view the event logs. |
-
| Possible answers | -Design considerations | -
|---|---|
Ad hoc |
-You need to gather requirements from each group. Some groups might want unrestricted access or installation, while other groups might want strict controls. |
-
Strict written policy or guidelines to follow |
-You need to develop AppLocker rules that reflect those policies, and then test and maintain the rules. |
-
No process in place |
-You need to determine if you have the resources to develop an application control policy, and for which groups. |
-
| Possible answers | -Design considerations | -
|---|---|
Yes |
-You cannot use AppLocker to manage SRP settings, but you can use SRP to manage application control policies on computers running on any of the supported operating systems listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). In addition, if AppLocker and SRP settings are configured in the same GPO, only the AppLocker settings will be enforced on computers running those supported operating systems. -
-Note
-
-If you are using the Basic User security level as assigned in SRP, those permissions are not supported on computers running the supported operating systems. -
-
- |
-
No |
-Policies that are configured for AppLocker can only be applied to computers running the supported operating systems, but SRP is also available on those operating systems. |
-
| Possible answers | -Design considerations | -
|---|---|
Productivity: The organization assures that tools work and required applications can be installed. |
-To meet innovation and productivity goals, some groups require the ability to install and run a variety of software from different sources, including software that they developed. Therefore, if innovation and productivity is a high priority, managing application control policies through an allowed list might be time consuming and an impediment to progress. |
-
Management: The organization is aware of and controls the apps it supports. |
-In some business groups, application usage can be managed from a central point of control. AppLocker policies can be built into a GPO for that purpose. This shifts the burden of app access to the IT department, but it also has the benefit of controlling the number of apps that can be run and controlling the versions of those apps |
-
Security: The organization must protect data in part by ensuring that only approved apps are used. |
-AppLocker can help protect data by allowing a defined set of users access to apps that access the data. If security is the top priority, the application control policies will be the most restrictive. |
-
| Possible answers | -Design considerations | -
|---|---|
Users run without administrative rights. -Apps are installed by using an installation deployment technology. |
-AppLocker can help reduce the total cost of ownership for business groups that typically use a finite set of apps, such as human resources and finance departments. At the same time, these departments access highly sensitive information, much of which contains confidential and proprietary information. By using AppLocker to create rules for specific apps that are allowed to run, you can help limit unauthorized applications from accessing this information. -
-Note
-
-AppLocker can also be effective in helping create standardized desktops in organizations where users run as administrators. However, it is important to note that users with administrative credentials can add new rules to the local AppLocker policy. -
-
- |
-
Users must be able to install applications as needed. -Users currently have administrator access, and it would be difficult to change this. |
-Enforcing AppLocker rules is not suited for business groups that must be able to install apps as needed and without approval from the IT department. If one or more OUs in your organization has this requirement, you can choose not to enforce application rules in those OUs by using AppLocker or to implement the Audit only enforcement setting through AppLocker. |
-
| Possible answers | -Design considerations | -
|---|---|
Yes |
-AppLocker rules can be developed and implemented through Group Policy, based on your AD DS structure. |
-
No |
-The IT department must create a scheme to identify how application control policies can be applied to the correct user or computer. |
-
| Rule condition | -Security concern with deny action | -
|---|---|
Publisher |
-A user could modify the properties of a file (for example, re-signing the file with a different certificate). |
-
File hash |
-A user could modify the hash for a file. |
-
Path |
-A user could move the denied file to a different location and run it from there. |
-
| Topic | -Description | -
|---|---|
[Executable rules in AppLocker](executable-rules-in-applocker.md) |
-This topic describes the file formats and available default rules for the executable rule collection. |
-
[Windows Installer rules in AppLocker](windows-installer-rules-in-applocker.md) |
-This topic describes the file formats and available default rules for the Windows Installer rule collection. |
-
[Script rules in AppLocker](script-rules-in-applocker.md) |
-This topic describes the file formats and available default rules for the script rule collection. |
-
[DLL rules in AppLocker](dll-rules-in-applocker.md) |
-This topic describes the file formats and available default rules for the DLL rule collection. |
-
[Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md) |
-This topic explains the AppLocker rule collection for packaged app installers and packaged apps. |
-
| File hash condition advantages | -File hash condition disadvantages | -
|---|---|
Because each file has a unique hash, a file hash condition applies to only one file. |
-Each time that the file is updated (such as a security update or upgrade), the file's hash will change. As a result, you must manually update file hash rules. |
-
| Windows directory or drive | -AppLocker path variable | -Windows environment variable | -
|---|---|---|
Windows |
-%WINDIR% |
-%SystemRoot% |
-
System32 |
-%SYSTEM32% |
-%SystemDirectory% |
-
Windows installation directory |
-%OSDRIVE% |
-%SystemDrive% |
-
Program Files |
-%PROGRAMFILES% |
-%ProgramFiles% and %ProgramFiles(x86)% |
-
Removable media (for example, CD or DVD) |
-%REMOVABLE% |
-- |
Removable storage device (for example, USB flash drive) |
-%HOT% |
-- |
| Option | -The publisher condition allows or denies… | -
|---|---|
All signed files |
-All files that are signed by a publisher. |
-
Publisher only |
-All files that are signed by the named publisher. |
-
Publisher and product name |
-All files for the specified product that are signed by the named publisher. |
-
Publisher, product name, and file name |
-Any version of the named file for the named product that is signed by the publisher. |
-
Publisher, product name, file name, and file version |
-Exactly -The specified version of the named file for the named product that is signed by the publisher. |
-
Publisher, product name, file name, and file version |
-And above -The specified version of the named file and any new releases for the product that are signed by the publisher. |
-
Publisher, product name, file name, and file version |
-And below -The specified version of the named file and any older versions for the product that are signed by the publisher. |
-
Custom |
-You can edit the Publisher, Product name, File name, and Version fields to create a custom rule. |
-