From 8153f3d6013a6c1783fa4bff2207cf309b8aeebb Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Tue, 7 Nov 2017 20:56:10 +0000 Subject: [PATCH 1/9] Merged PR 4353: Added AutoPilot and Subscription Activation to deployment scenarios topic Added AutoPilot and Subscription Activation to deployment scenarios --- .../windows-10-deployment-scenarios.md | 20 ++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md index 1acb80e7a6..1b9607c9b5 100644 --- a/windows/deployment/windows-10-deployment-scenarios.md +++ b/windows/deployment/windows-10-deployment-scenarios.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: high ms.sitesec: library -ms.date: 10/26/2017 +ms.date: 11/7/2017 author: greg-lindsay --- 
@@ -18,7 +18,18 @@ author: greg-lindsay To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task. +## Windows AutoPilot + +Windows AutoPilot is a new suite of capabilities designed to simplify and modernize the deployment and management of new Windows 10 PCs. Windows AutoPilot enables IT professionals to customize the Out of Box Experience (OOBE) for Windows 10 PCs and provide end users with a fully configured new Windows 10 device after just a few clicks. There are no images to deploy, no drivers to inject, and no infrastructure to manage. Users can go through the deployment process independently, without the need consult their IT administrator. + +For more information about Windows AutoPilot, see [Overview of Windows AutoPilot](https://docs.microsoft.com/en-us/windows/deployment/windows-10-auto-pilot) and [Modernizing Windows deployment with Windows AutoPilot](https://blogs.technet.microsoft.com/windowsitpro/2017/06/29/modernizing-windows-deployment-with-windows-autopilot/). + +## Windows 10 Subscription Activation + +Windows 10 Subscription Activation is a modern deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](https://docs.microsoft.com/en-us/windows/deployment/windows-10-enterprise-subscription-activation). 
+ ## In-place upgrade + For existing computers running Windows 7, Windows 8, or Windows 8.1, the recommended path for organizations deploying Windows 10 leverages the Windows installation program (Setup.exe) to perform an in-place upgrade, which automatically preserves all data, settings, applications, and drivers from the existing operating system version. This requires the least IT effort, because there is no need for any complex deployment infrastructure. Although consumer PCs will be upgraded using Windows Update, organizations want more control over the process. This is accomplished by leveraging tools like System Center Configuration Manager or the Microsoft Deployment Toolkit to completely automate the upgrade process through simple task sequences. @@ -43,6 +54,7 @@ There are some situations where you cannot use in-place upgrade; in these situat - Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS; if using dual-boot or multi-boot systems with multiple operating systems (not leveraging virtual machines for the second and subsequent operating systems), additional care should be taken. ## Dynamic provisioning + For new PCs, organizations have historically replaced the version of Windows included on the device with their own custom Windows image, because this was often faster and easier than leveraging the preinstalled version. But this is an added expense due to the time and effort required. With the new dynamic provisioning capabilities and tools provided with Windows 10, it is now possible to avoid this. The goal of dynamic provisioning is to take a new PC out of the box, turn it on, and transform it into a productive organization device, with minimal time and effort. The types of transformations that are available include: 
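Review bot: in the Windows AutoPilot paragraph added by the @@ -18,7 +18,18 hunk of windows-10-deployment-scenarios.md, the last sentence reads "without the need consult their IT administrator" and is missing "to"; it should read "without the need to consult their IT administrator". The two new sections also link to https://docs.microsoft.com/en-us/... URLs, while the links visible elsewhere in this file are relative .md links. If the AutoPilot and Subscription Activation topics live in this repo, relative links would match the rest of the file and avoid pinning the en-us locale.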
@@ -50,11 +62,8 @@ The goal of dynamic provisioning is to take a new PC out of the box, turn it on, - Changing the Windows edition with a single reboot. For organizations that have Software Assurance for Windows, it is easy to change a device from Windows 10 Pro to Windows 10 Enterprise, just by specifying an appropriate product or setup key. When the device restarts, all of the Windows 10 Enterprise features will be enabled. - Configuring the device with VPN and Wi-Fi connections that may be needed to gain access to organization resources. - - Installation of additional apps needed for organization functions. - - Configuration of common Windows settings to ensure compliance with organization policies. - - Enrollment of the device in a mobile device management (MDM) solution, such as Microsoft Intune. There are two primary dynamic provisioning scenarios: 
@@ -67,7 +76,8 @@ Either way, these scenarios can be used to enable “choose your own device” ( While the initial Windows 10 release includes a variety of provisioning settings and deployment mechanisms, these will continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for additional features through the Windows Feedback app or through their Microsoft Support contacts. -## Traditional deployment +## Traditional deployment: + New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md), and [System Center Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md). With the release of Windows 10, all of these tools are being updated to fully support Windows 10. Although newer scenarios such as in-place upgrade and dynamic provisioning may reduce the need for traditional deployment capabilities in some organizations, these traditional methods remain important and will continue to be available to organizations that need them. From ab19870cb13dfd625150dbcb69ef0c2e459d455b Mon Sep 17 00:00:00 2001 
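Review bot: the last hunk of windows-10-deployment-scenarios.md (@@ -67,7 +76,8) changes the heading to "## Traditional deployment:" with a trailing colon. The other headings touched in this patch ("## Windows AutoPilot", "## In-place upgrade", "## Dynamic provisioning") have none, and changing heading text can change the generated anchor that existing links point at. Suggest keeping "## Traditional deployment" and only adding the blank line after it.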
From: Dani Halfin Date: Wed, 8 Nov 2017 00:07:37 +0000 Subject: [PATCH 2/9] Merged PR 4339: Merged PR 4338: Merge ms-whfb-staging to whfb-staging Merged PR 4338: Merge ms-whfb-staging to whfb-staging Corrections for Hybrid Cert trust deployment guide --- .../hello-for-business/hello-deployment-guide.md | 2 +- .../hello-for-business/hello-hybrid-cert-trust-prereqs.md | 2 +- .../hello-for-business/hello-hybrid-cert-whfb-settings-pki.md | 2 +- .../hello-hybrid-cert-whfb-settings-policy.md | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/access-protection/hello-for-business/hello-deployment-guide.md b/windows/access-protection/hello-for-business/hello-deployment-guide.md index c202596cd4..35ca37be84 100644 --- a/windows/access-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/access-protection/hello-for-business/hello-deployment-guide.md @@ -28,7 +28,7 @@ This deployment guide is to guide you through deploying Windows Hello for Busine This guide assumes a baseline infrastructure exists that meets the requirements for your deployment. For either hybrid or on-premises deployments, it is expected that you have: * A well-connected, working network * Internet access - * Multifactor Authentication Server to support MFA during Windows Hello for Business provisioning +* Multifactor Authentication Server to support MFA during Windows Hello for Business provisioning * Proper name resolution, both internal and external names * Active Directory and an adequate number of domain controllers per site to support authentication * Active Directory Certificate Services 2012 or later diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index 7c56e7ded8..0aafbf488a 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md 
+++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md @@ -23,7 +23,7 @@ Hybrid environments are distributed systems that enable organizations to use on- The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include: * [Directories](#directories) -* [Public Key Infrastucture](#public-key-infastructure) +* [Public Key Infrastucture](#public-key-infrastructure) * [Directory Synchronization](#directory-synchronization) * [Federation](#federation) * [MultiFactor Authetication](#multifactor-authentication) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index d7f825257f..6c59f37b66 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md 
@@ -133,7 +133,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin eq 9. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. 10. On the **Request Handling** tab, select the **Renew with same key** check box. 11. On the **Security** tab, click **Add**. Type **Window Hello for Business Users** in the **Enter the object names to select** text box and click **OK**. -12. Click the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Enroll** permission. Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. +12. Click the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Read**, **Enroll**, and **AutoEnroll** permissions. Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. 13. 
If you previously issued Windows Hello for Business sign-in certificates using Configuration Manger and are switching to an AD FS registration authority, then on the **Superseded Templates** tab, add the previously used **Windows Hello for Business Authentication** template(s), so they will be superseded by this template for the users that have Enroll permission for this template. 14. Click on the **Apply** to save changes and close the console. diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md index 342e42b0d0..5b1f2a3188 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md @@ -108,7 +108,7 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv 3. Right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. 4. In the navigation pane, expand **Policies** under **User Configuration**. 5. Expand **Windows Settings > Security Settings**, and click **Public Key Policies**. -6. In the details pane, right-click **Certificate Services Client � Auto-Enrollment** and select **Properties**. +6. In the details pane, right-click **Certificate Services Client - Auto-Enrollment** and select **Properties**. 7. Select **Enabled** from the **Configuration Model** list. 8. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box. 9. Select the **Update certificates that use certificate templates** check box. From 5ed75d14bf060387067770e9907dbcdc635cfa99 Mon Sep 17 00:00:00 2001 
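Review bot: the link text "Public Key Infrastucture" is still misspelled on the line changed in hello-hybrid-cert-trust-prereqs.md; only the anchor was corrected to #public-key-infrastructure. The context line "MultiFactor Authetication" has the same problem in its link text. Suggest fixing both link texts in this change and confirming that the target heading's anchor uses the corrected spelling.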
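Review bot: step 12 in hello-hybrid-cert-whfb-settings-pki.md now spells the same permission two ways, "AutoEnroll" in the new sentence and "Autoenroll" later in the same step; use the spelling shown on the template's Security tab in both places. Because this step now grants Read, Enroll and autoenroll on the certificate template, the group name has to be exact: step 11 (context) tells the reader to type "Window Hello for Business Users", while step 12 selects "Windows Hello for Business Users". Suggest correcting step 11 in the same change so the permissions are granted to the intended group.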
From: Jeanie Decker Date: Wed, 8 Nov 2017 00:35:08 +0000 Subject: [PATCH 3/9] Merged PR 4331: Add desktop support to Conditions for multivariant provisioning --- .../change-history-for-configure-windows-10.md | 8 +++++++- .../provisioning-multivariant.md | 14 ++++++++------ 2 files changed, 15 insertions(+), 7 deletions(-) diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md index f2d6cf6527..95fedcd1de 100644 --- a/windows/configuration/change-history-for-configure-windows-10.md +++ b/windows/configuration/change-history-for-configure-windows-10.md @@ -8,13 +8,19 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: high author: jdeckerms -ms.date: 10/20/2017 +ms.date: 11/06/2017 --- # Change history for Configure Windows 10 This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile. +## November 2017 + +New or changed topic | Description +--- | --- +[Create a provisioning package with multivariant settings](provisioning-packages/provisioning-multivariant.md) | Add support for desktop to [Conditions](provisioning-packages/provisioning-multivariant.md#conditions) table. + ## October 2017 New or changed topic | Description diff --git a/windows/configuration/provisioning-packages/provisioning-multivariant.md b/windows/configuration/provisioning-packages/provisioning-multivariant.md index 6da2cc4314..e63300657b 100644 --- a/windows/configuration/provisioning-packages/provisioning-multivariant.md +++ b/windows/configuration/provisioning-packages/provisioning-multivariant.md @@ -6,6 +6,8 @@ ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerms ms.localizationpriority: high +ms.date: 11/06/2017 +ms.author: jdecker --- # Create a provisioning package with multivariant settings 
@@ -44,12 +46,12 @@ The following table shows the conditions supported in Windows 10 provisioning fo | Condition Name | Condition priority | Windows 10 Mobile | Windows 10 for desktop editions | Value type | Value description | | --- | --- | --- | --- | --- | --- | -| MNC | P0 | Supported | N/A | Digit string | Use to target settings based on the Mobile Network Code (MNC) value. | -| MCC | P0 | Supported | N/A | Digit string | Use to target settings based on the Mobile Country Code (MCC) value. | -| SPN | P0 | Supported | N/A | String | Use to target settings based on the Service Provider Name (SPN) value. | -| PNN | P0 | Supported | N/A | String | Use to target settings based on public land mobile network (PLMN) Network Name value. | -| GID1 | P0 | Supported | N/A | Digit string | Use to target settings based on the Group Identifier (level 1) value. | -| ICCID | P0 | Supported | N/A | Digit string | Use to target settings based on the Integrated Circuit Card Identifier (ICCID) value. | +| MNC | P0 | Supported | Supported | Digit string | Use to target settings based on the Mobile Network Code (MNC) value. | +| MCC | P0 | Supported | Supported | Digit string | Use to target settings based on the Mobile Country Code (MCC) value. | +| SPN | P0 | Supported | Supported | String | Use to target settings based on the Service Provider Name (SPN) value. | +| PNN | P0 | Supported | Supported | String | Use to target settings based on public land mobile network (PLMN) Network Name value. | +| GID1 | P0 | Supported | Supported | Digit string | Use to target settings based on the Group Identifier (level 1) value. | +| ICCID | P0 | Supported | Supported | Digit string | Use to target settings based on the Integrated Circuit Card Identifier (ICCID) value. | | Roaming | P0 | Supported | N/A | Boolean | Use to specify roaming. Set the value to **1** (roaming) or **0** (non-roaming). 
| | UICC | P0 | Supported | N/A | Enumeration | Use to specify the Universal Integrated Circuit Card (UICC) state. Set the value to one of the following:


- 0 - Empty
- 1 - Ready
- 2 - Locked | | UICCSLOT | P0 | Supported | N/A | Digit string | Use to specify the UICC slot. Set the value one of the following:


- 0 - Slot 0
- 1 - Slot 1 | From 41642eb46e5d304630f88a82d8fde900dabfae76 Mon Sep 17 00:00:00 2001 From: jcaparas Date: Tue, 7 Nov 2017 19:55:24 -0800 Subject: [PATCH 4/9] add non-windows topic --- windows/threat-protection/TOC.md | 1 + ...ows-defender-advanced-threat-protection.md | 70 +++++++++++++++++++ ...ows-defender-advanced-threat-protection.md | 1 + 3 files changed, 72 insertions(+) create mode 100644 windows/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md index 84c4ef2208..dca4705764 100644 --- a/windows/threat-protection/TOC.md +++ b/windows/threat-protection/TOC.md @@ -30,6 +30,7 @@ ###### [Configure endpoints using Microsoft Intune](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune) ##### [Configure endpoints using a local script](windows-defender-atp\configure-endpoints-script-windows-defender-advanced-threat-protection.md) ##### [Configure non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp\configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) +#### [Configure non-Windows endpoints](windows-defender-atp\configure-endpoints-non-windows-windows-defender-advanced-threat-protection) #### [Configure server endpoints](windows-defender-atp\configure-server-endpoints-windows-defender-advanced-threat-protection.md) #### [Configure proxy and Internet connectivity settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md) #### [Troubleshoot onboarding issues](windows-defender-atp\troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) 
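Review bot: the TOC entry added for "Configure non-Windows endpoints" in windows/threat-protection/TOC.md links to windows-defender-atp\configure-endpoints-non-windows-windows-defender-advanced-threat-protection with no .md extension, while every neighbouring entry ends in .md. Add the extension in this patch; 5/9 in this series corrects it, and folding that fix in here avoids a broken link between the two commits.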
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..bdb618b0cb --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,70 @@ +--- +title: Configure non-Windows endpoints in Windows Defender ATP +description: Configure non-Winodws endpoints so that they can send sensor data to the Windows Defender ATP service. +keywords: configure endpoints non-Windows endpoints, macos, linux, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +localizationpriority: high +ms.date: 11/07/2017 +--- + +# Configure non-Windows endpoints + +**Applies to:** + +- Mac OS X +- Linux +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + + +Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the Windows Defender ATP portal and better protect your organization's network. This experience leverages on a third-party security products’ sensor data. + +You'll need to know the exact Linux distros and Mac OS X versions that are compatible with Windows Defender ATP for the integration to work. + +## Onboard non-Windows endpoints +You'll need to take the following steps to oboard non-Windows endpoints: +1. Turn on third-party integration +2. Run a detection test + +### Turn on third-party integration + +1. In Windows Defender Security Center portal, select **Endpoint management** > **Clients** > **Non-Windows**. Make sure the third-party solution is listed. + +2. Toggle the third-party provider switch button to turn on the third-party solution integration. + +3. Click **Generate access token** button and then **Copy**. + +4. Depending on the third-party implementation you're using, the implementation might vary. Refer to the third-party solution documentation for guidance on how to use the token. 
+ + +>[!WARNING] +>The access token has a limited validity period. If needed, regenerate the token close to the time you need to share it with the third-party solution. + +### Run detection test +Create an EICAR test file by saving the string displayed on the portal in an empty text file. Then, introduce the test file to a machine running the third-party antivirus solution. + +The file should trigger a detection and a corresponding alert on Windows Defender ATP. + +### Offboard non-Windows endpoints +To effectively offboard the endpoints from the service, you'll need to disable the data push on the third-party portal first then switch the toggle to off in Windows Defender Security Center. The toggle in the portal only blocks the data inbound flow. + + +1. Follow the third-party documentation to opt-out on the third-party service side. + +2. In Windows Defender Security Center portal, select **Endpoint management**> **Non-Windows**. + +3. Toggle the third-party provider switch button to turn stop telemetry from endpoints. + +>[!WARNING] +>If you decide to turn on the third-party integration again after disabling the integration, you'll need to regenerate the token and reapply it on endpoints. + +## Related topics +- [Configure Windows Defender ATP client endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) +- [Configure server endpoints](configure-server-endpoints-windows-defender-advanced-threat-protection.md) +- [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) +- [Troubleshooting Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) \ No newline at end of file 
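Review bot: the new topic gives two different portal paths for the same page: step 1 under "Turn on third-party integration" says **Endpoint management** > **Clients** > **Non-Windows**, while offboarding step 2 says **Endpoint management**> **Non-Windows**. Use one path in both places. Other points in this file: "non-Winodws" in the description, "oboard" in the onboarding intro and "turn stop telemetry" in offboarding step 3 are typos; the front matter uses localizationpriority where the other topics in this series use ms.localizationpriority; "### Offboard non-Windows endpoints" is nested under "## Onboard non-Windows endpoints" and reads as if it should be a level-2 heading; and the file has no newline at the end. The token steps would also benefit from one sentence telling the reader to handle the copied access token as a credential, since step 3 has them copy it out of the portal and the existing warning only covers its validity period.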
diff --git a/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md index 68514478d8..a937627030 100644 --- a/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md @@ -44,6 +44,7 @@ For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us Topic | Description :---|:--- [Configure client endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) | You'll need to configure endpoints for it to report to the Windows Defender ATP service. Learn about the tools and methods you can use to configure endpoints in your enterprise. +[Configure non-Windows endpoints](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) | Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the Windows Defender ATP portal and better protect your organization's network. This experience leverages on a third-party security products sensor data. [Configure server endpoints](configure-server-endpoints-windows-defender-advanced-threat-protection.md) | Onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP [Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)| Enable communication with the Windows Defender ATP cloud service by configuring the proxy and Internet connectivity settings. [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) | Learn about resolving issues that might arise during onboarding. 
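Review bot: the description added for "Configure non-Windows endpoints" in the topics table of onboard-configure-windows-defender-advanced-threat-protection.md ends with "This experience leverages on a third-party security products sensor data", which does not parse. Something like "This experience relies on sensor data from third-party security products" would read correctly, and the same sentence in the new topic's introduction should be fixed with it. The neighbouring rows use a one- or two-sentence description, so this row could be shortened to match.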
From 09eb4e53b8d52b22774566ccae12d4f03240d782 Mon Sep 17 00:00:00 2001 From: jcaparas Date: Tue, 7 Nov 2017 20:13:00 -0800 Subject: [PATCH 5/9] minor updates --- windows/threat-protection/TOC.md | 2 +- ...ver-endpoints-windows-defender-advanced-threat-protection.md | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md index dca4705764..72f67e94be 100644 --- a/windows/threat-protection/TOC.md +++ b/windows/threat-protection/TOC.md @@ -30,7 +30,7 @@ ###### [Configure endpoints using Microsoft Intune](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune) ##### [Configure endpoints using a local script](windows-defender-atp\configure-endpoints-script-windows-defender-advanced-threat-protection.md) ##### [Configure non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp\configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) -#### [Configure non-Windows endpoints](windows-defender-atp\configure-endpoints-non-windows-windows-defender-advanced-threat-protection) +#### [Configure non-Windows endpoints](windows-defender-atp\configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) #### [Configure server endpoints](windows-defender-atp\configure-server-endpoints-windows-defender-advanced-threat-protection.md) #### [Configure proxy and Internet connectivity settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md) #### [Troubleshoot onboarding issues](windows-defender-atp\troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) 
diff --git a/windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md index 8e51bf936a..d4e348984c 100644 --- a/windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md @@ -85,5 +85,6 @@ For more information, see [To disable an agent](https://docs.microsoft.com/en-us ## Related topics - [Configure Windows Defender ATP client endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) +- [Configure non-Windows endpoints](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) - [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) - [Troubleshooting Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) From 1271d020237622965d997e629b2ff4157f873c83 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Wed, 8 Nov 2017 19:15:10 +0000 Subject: [PATCH 6/9] Merged PR 4379: Add waring about Skip OOBE in Unattend.xml --- .../create-a-windows-10-reference-image.md | 20 +++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md index 491211e7a9..e4723f6e1c 100644 --- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md +++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md 
@@ -9,6 +9,7 @@ ms.localizationpriority: high ms.sitesec: library ms.pagetype: mdt author: mtniehaus +ms.date: 11/08/2017 --- # Create a Windows 10 reference image @@ -19,8 +20,8 @@ author: mtniehaus Creating a reference image is important because that image serves as the foundation for the devices in your organization. In this topic, you will learn how to create a Windows 10 reference image using the Microsoft Deployment Toolkit (MDT). You will create a deployment share, configure rules and settings, and import all the applications and operating system files required to build a Windows 10 reference image. After completing the steps outlined in this topic, you will have a Windows 10 reference image that can be used in your deployment solution. For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, PC0001 is a Windows 10 Enterprise x64 client, and MDT01 is a Windows Server 2012 R2 standard server. HV01 is a Hyper-V host server, but HV01 could be replaced by PC0001 as long as PC0001 has enough memory and is capable of running Hyper-V. MDT01, HV01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. -**Note**   -For important details about the setup for the steps outlined in this article, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). +>{!NOTE]}   +>For important details about the setup for the steps outlined in this article, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).   ![figure 1](../images/mdt-08-fig01.png) 
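Review bot: the alert marker added in the @@ -19,8 +20,8 hunk of create-a-windows-10-reference-image.md is malformed: ">{!NOTE]}" should be ">[!NOTE]", as written in the later hunks of this file. As it stands the marker will not be recognised as a note and the braces will show up as literal text in the block quote.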
@@ -75,8 +76,8 @@ This section will show you how to populate the MDT deployment share with the Win MDT supports adding both full source Windows 10 DVDs (ISOs) and custom images that you have created. In this case, you create a reference image, so you add the full source setup files from Microsoft. -**Note**   -Due to the Windows limits on path length, we are purposely keeping the operating system destination directory short, using the folder name W10EX64RTM rather than a more descriptive name like Windows 10 Enterprise x64 RTM. +>[!OTE]   +>Due to the Windows limits on path length, we are purposely keeping the operating system destination directory short, using the folder name W10EX64RTM rather than a more descriptive name like Windows 10 Enterprise x64 RTM.   ### Add Windows 10 Enterprise x64 (full source) @@ -115,8 +116,8 @@ By storing configuration items as MDT applications, it is easy to move these obj In these examples, we assume that you downloaded the software in this list to the E:\\Downloads folder. The first application is added using the UI, but because MDT supports Windows PowerShell, you add the other applications using Windows PowerShell. -**Note**   -All the Microsoft Visual C++ downloads can be found on [The latest supported Visual C++ downloads](https://go.microsoft.com/fwlink/p/?LinkId=619523). +>[!NOTE]   +>All the Microsoft Visual C++ downloads can be found on [The latest supported Visual C++ downloads](https://go.microsoft.com/fwlink/p/?LinkId=619523).   ### Create the install: Microsoft Office Professional Plus 2013 x86 
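Review bot: the marker on the path-length note in the @@ -75,8 +76,8 hunk reads ">[!OTE]", missing the N. It should be ">[!NOTE]", matching the Visual C++ downloads note in the @@ -115,8 +116,8 hunk.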
@@ -371,8 +372,11 @@ Figure 9. The Windows 10 desktop with the Resume Task Sequence shortcut. When using MDT, you don't need to edit the Unattend.xml file very often because most configurations are taken care of by MDT. However if, for example, you want to configure Internet Explorer 11 behavior, then you can edit the Unattend.xml for this. Editing the Unattend.xml for basic Internet Explorer settings is easy, but for more advanced settings, you will want to use Internet Explorer Administration Kit (IEAK). -**Note**   -You also can use the Unattend.xml to enable components in Windows 10, like the Telnet Client or Hyper-V client. Normally we prefer to do this via the Install Roles and Features action, or using Deployment Image Servicing and Management (DISM) command-line tools, because then we can add that as an application, being dynamic, having conditions, and so forth. Also, if you are adding packages via Unattend.xml, it is version specific, so Unattend.xml must match the exact version of the operating system you are servicing. +>[!WARNING] +>Do not use **SkipMachineOOBE** or **SkipUserOOBE** in your Unattend.xml + +>[!NOTE]   +>You also can use the Unattend.xml to enable components in Windows 10, like the Telnet Client or Hyper-V client. Normally we prefer to do this via the **Install Roles and Features** action, or using Deployment Image Servicing and Management (DISM) command-line tools, because then we can add that as an application, being dynamic, having conditions, and so forth. Also, if you are adding packages via Unattend.xml, it is version specific, so Unattend.xml must match the exact version of the operating system you are servicing.   Follow these steps to configure Internet Explorer settings in Unattend.xml for the Windows 10 Enterprise x64 RTM Default Image task sequence: From 15f0afcecbad6f5d3e293f0d5d5a53c101af1d3f Mon Sep 17 00:00:00 2001 
From: Liza Poggemeyer Date: Wed, 8 Nov 2017 19:15:55 +0000 Subject: [PATCH 7/9] Merged PR 4380: set publishing date for support article Top support solutions article currently using the default 4/5/17 publishing date, instead of a manually set date, which is needed to help customers know that the support list is current. Updated to 8/30/17. --- windows/client-management/windows-10-support-solutions.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/client-management/windows-10-support-solutions.md b/windows/client-management/windows-10-support-solutions.md index 5c68eb15b8..2daf689b30 100644 --- a/windows/client-management/windows-10-support-solutions.md +++ b/windows/client-management/windows-10-support-solutions.md @@ -7,6 +7,7 @@ ms.sitesec: library ms.author: elizapo author: kaushika-msft ms.localizationpriority: high +ms.date: 08/30/2017 --- # Top support solutions for Windows 10 From bd5013b930a9da2e505982704e50a02dafa8f27e Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Wed, 8 Nov 2017 20:29:07 +0000 Subject: [PATCH 8/9] Merged PR 4384: Noted the new unattend.xml warning in Change History --- .../deployment/change-history-for-deploy-windows-10.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/windows/deployment/change-history-for-deploy-windows-10.md b/windows/deployment/change-history-for-deploy-windows-10.md index fab7d7e9ce..af4b28f704 100644 --- a/windows/deployment/change-history-for-deploy-windows-10.md +++ b/windows/deployment/change-history-for-deploy-windows-10.md 
@@ -6,12 +6,18 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: greg-lindsay -ms.date: 10/31/2017 +ms.date: 11/08/2017 --- # Change history for Deploy Windows 10 This topic lists new and updated topics in the [Deploy Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](/windows/windows-10). +## November 2017 + +New or changed topic | Description +-- | --- + [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) | Added warning that you should not use **SkipMachineOOBE** or **SkipUserOOBE** in your Unattend.xml. + ## RELEASE: Windows 10, version 1709 | New or changed topic | Description | |----------------------|-------------| From d067c6d4f06f3fdd059a3af9d7bab864d4783596 Mon Sep 17 00:00:00 2001 From: Celeste de Guzman Date: Wed, 8 Nov 2017 14:44:11 -0800 Subject: [PATCH 9/9] changed instances of the parameter enablePrint or enablePrinting to requirePrinting, per PM --- education/windows/change-history-edu.md | 2 ++ education/windows/take-a-test-multiple-pcs.md | 4 ++-- education/windows/take-a-test-single-pc.md | 4 ++-- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md index b8aac09d33..12ad05add1 100644 --- a/education/windows/change-history-edu.md +++ b/education/windows/change-history-edu.md 
@@ -20,6 +20,8 @@ This topic lists new and updated topics in the [Windows 10 for Education](index. | New or changed topic | Description | | --- | ---- | | [Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md) | Updated the the list of device manufacturers. | +| [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md) | Updated instances of the parameter enablePrint, or enablePrinting, to requirePrinting. | +| [Set up Take a Test on a single PC](take-a-test-single-pc.md) | Updated instances of the parameter enablePrint, or enablePrinting, to requirePrinting. | ## RELEASE: Windows 10, version 1709 (Fall Creators Update) diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md index beddf8d589..4514676415 100644 --- a/education/windows/take-a-test-multiple-pcs.md +++ b/education/windows/take-a-test-multiple-pcs.md @@ -233,9 +233,9 @@ One of the ways you can present content in a locked down manner is by embedding 2. To enable printing, screen capture, or both, use the above link and append one of these parameters: - `&enableTextSuggestions` - Enables text suggestions - - `&enablePrint` - Enables printing + - `&requirePrinting` - Enables printing - `&enableScreenCapture` - Enables screen capture - - `&enablePrinting&enableScreenCapture` - Enables printing and screen capture; you can use a combination of `&enableTextSuggestions`, `&enablePrint`, and `&enableScreenCapture` if you want to enable more than one capability. + - `&requirePrinting&enableScreenCapture` - Enables printing and screen capture; you can use a combination of `&enableTextSuggestions`, `&requirePrinting`, and `&enableScreenCapture` if you want to enable more than one capability. If you exclude these parameters, the default behavior is disabled. diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md index 6b07a96b6c..b64859a2d9 100644 
--- a/education/windows/take-a-test-single-pc.md +++ b/education/windows/take-a-test-single-pc.md @@ -97,9 +97,9 @@ One of the ways you can present content in a locked down manner is by embedding 2. To enable printing, screen capture, or both, use the above link and append one of these parameters: - `&enableTextSuggestions` - Enables text suggestions - - `&enablePrint` - Enables printing + - `&requirePrinting` - Enables printing - `&enableScreenCapture` - Enables screen capture - - `&enablePrinting&enableScreenCapture` - Enables printing and screen capture; you can use a combination of `&enableTextSuggestions`, `&enablePrint`, and `&enableScreenCapture` if you want to enable more than one capability. + - `&requirePrinting&enableScreenCapture` - Enables printing and screen capture; you can use a combination of `&enableTextSuggestions`, `&requirePrinting`, and `&enableScreenCapture` if you want to enable more than one capability. If you exclude these parameters, the default behavior is disabled.
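Review bot: In windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md, hunk `@@ -19,8 +20,8 @@`, the added alert marker `>{!NOTE]}` is malformed. It opens with a brace instead of a bracket and ends with a stray `}`, so it does not match the `>[!NOTE]` form used in the `@@ -115,8 +116,8 @@` hunk of the same file and will likely show up as literal text rather than a note. Change the line to `>[!NOTE]`.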
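Review bot: In create-a-windows-10-reference-image.md, hunk `@@ -75,8 +76,8 @@`, the added marker `>[!OTE]` is missing the N. It should read `>[!NOTE]`, as in the `@@ -115,8 +116,8 @@` hunk. As written, the path-length note about the W10EX64RTM folder name will not be styled as a note.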
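Review bot: In create-a-windows-10-reference-image.md, hunk `@@ -371,8 +372,11 @@`, the new `>[!WARNING]` line says not to use **SkipMachineOOBE** or **SkipUserOOBE** in Unattend.xml but gives no reason and no link, and the sentence has no closing period. A bare prohibition is easy to ignore. Add one sentence stating what goes wrong when either setting is present in the reference image's Unattend.xml, or link to the topic that documents it. The change-history row added in PATCH 8/9 repeats the same wording and should carry the same reason or link.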
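Review bot: In windows/deployment/change-history-for-deploy-windows-10.md, hunk `@@ -6,12 +6,18 @@`, the new "November 2017" table is written without outer pipes (`New or changed topic | Description` and `-- | ---`), and its data row starts with a leading space. The existing "RELEASE: Windows 10, version 1709" table directly below uses the `| New or changed topic | Description |` form with a full `|---|---|` separator. Use the same piped form for the new table so that both tables in the file are consistent, and drop the leading space before the link.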
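Review bot: In education/windows/take-a-test-multiple-pcs.md, hunk `@@ -233,9 +233,9 @@` (and the identical hunk `@@ -97,9 +97,9 @@` in take-a-test-single-pc.md), the parameter is renamed to `&requirePrinting` but its description still reads "Enables printing". The new name suggests printing is required rather than merely allowed. Since these parameters relax the locked-down test environment, state in the bullet exactly what `requirePrinting` does, and check that the closing sentence "If you exclude these parameters, the default behavior is disabled" still describes the behavior under the new name. The change-history row in change-history-edu.md could also say which of the two old spellings, `enablePrint` or `enablePrinting`, appeared in each topic, since the removed lines show both.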