deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-17 19:33:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/master' into vs-intunechanges

Browse Source
This commit is contained in:
LizRoss
2017-04-14 08:36:39 -07:00
parent 280da26eb6 b70312a6fe
commit d8394ede25
9 changed files with 36 additions and 106 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
.openpublishing.redirection.json
View File

@ -166,6 +166,16 @@
"redirect_document_id": true
},
{
"source_path": "windows/manage/lockdown-features-windows-10.md",
"redirect_url": "/itpro/windows/configure/lockdown-features-windows-10",
"redirect_document_id": true
},
{
"source_path": "windows/manage/set-up-shared-or-guest-pc.md",
"redirect_url": "/itpro/windows/configure/set-up-shared-or-guest-pc",
"redirect_document_id": true
},
{
"source_path": "windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md",
"redirect_url": "/itpro/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services",
"redirect_document_id": false
@ -1068,7 +1078,7 @@
{
"source_path": "windows/whats-new/lockdown-features-windows-10.md",
"redirect_url": "/itpro/windows/configure/lockdown-features-windows-10",
"redirect_document_id": true
"redirect_document_id": false
},
{
"source_path": "windows/whats-new/microsoft-passport.md",

2
mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md
View File

@ -55,7 +55,7 @@ This topic explains how to enable BitLocker on an end user's computer by using M
- Robust error handling
You can download the `Invoke-MbamClientDeployment.ps1` script from [Microsoft.com Download Center](https://www.microsoft.com/download/details.aspx?id=48698). This is the main script that your deployment system will call to configure BitLocker drive encryption and record recovery keys with the MBAM Server.
You can download the `Invoke-MbamClientDeployment.ps1` script from [Microsoft.com Download Center](https://www.microsoft.com/download/details.aspx?id=54439). This is the main script that your deployment system will call to configure BitLocker drive encryption and record recovery keys with the MBAM Server.
**WMI deployment methods for MBAM:** The following WMI methods have been added in MBAM 2.5 SP1 to support enabling BitLocker by using the `Invoke-MbamClientDeployment.ps1` PowerShell script.

2
windows/configure/provisioning-packages.md
View File

@ -71,7 +71,7 @@ The following table describes settings that you can configure using the wizards
<table><tr><td align="left">**Step**</td><td align="left">**Description**</td><td>**Desktop</br>wizard**</td><td align="center">**Mobile</br>wizard**</td><td>**Kiosk</br>wizard**</td></tr>
<tr><td valign="top">Set up device</td><td valign="top">Assign device name,</br>enter product key to upgrade Windows,</br>configure shared used,</br>remove pre-installed software</td><td align="center" valign="top">![yes](images/checkmark.png)</td><td align="center" valign="top">![yes](images/checkmark.png)</br>(Only device name and upgrade key)</td><td align="center" valign="top">![yes](images/checkmark.png)</td></tr>
<tr><td valign="top">Set up network</td><td valign="top">Connect to a Wi-Fit network</td><td align="center" valign="top">![yes](images/checkmark.png)</td><td align="center" valign="top">![yes](images/checkmark.png)</td><td align="center" valign="top">![yes](images/checkmark.png)</td></tr>
<tr><td valign="top">Set up network</td><td valign="top">Connect to a Wi-Fi network</td><td align="center" valign="top">![yes](images/checkmark.png)</td><td align="center" valign="top">![yes](images/checkmark.png)</td><td align="center" valign="top">![yes](images/checkmark.png)</td></tr>
<tr><td valign="top">Account management</td><td valign="top">Enroll device in Active Directory,</br>enroll device in Azure Active Directory,</br>or create a local administrator account</td><td align="center" valign="top">![yes](images/checkmark.png)</td><td align="center" valign="top">![no](images/crossmark.png)</td><td align="center" valign="top">![yes](images/checkmark.png)</td></tr>
<tr><td valign="top">Bulk Enrollment in Azure AD</td><td valign="top">Enroll device in Azure Active Directory</br></br>Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup).</td><td align="center" valign="top">![no](images/crossmark.png)</td><td align="center" valign="top">![yes](images/checkmark.png)</td><td align="center" valign="top">![no](images/crossmark.png)</td></tr>
<tr><td valign="top">Add applications</td><td valign="top">Install applications using the provisioning package.</td><td align="center" valign="top">![yes](images/checkmark.png)</td><td align="center" valign="top">![no](images/crossmark.png)</td><td align="center" valign="top">![yes](images/checkmark.png)</td></tr>

12
windows/deploy/resolve-windows-10-upgrade-errors.md
View File

@ -553,22 +553,20 @@ Disconnect all peripheral devices that are connected to the system, except for t
For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/en-us/kb/929135).
<P>Ensure you select the option to "Download and install updates (recommended)."
<BR><BR>Ensure you select the option to "Download and install updates (recommended)."
</TABLE>
</TD>
</TR>
</TABLE>
<h3 id="0x800xxxxx">0x800xxxxx</h3>
### 0x800xxxxx
<P>Result codes starting with the digits 0x800 are also important to understand. These error codes indicate general operating system errors, and are not unique to the Windows upgrade process. Examples include timeouts, devices not functioning, and a process stopping unexpectedly.
<P>See the following general troubleshooting procedures associated with a result code of 0x800xxxxx:
Result codes starting with the digits 0x800 are also important to understand. These error codes indicate general operating system errors, and are not unique to the Windows upgrade process. Examples include timeouts, devices not functioning, and a process stopping unexpectedly.
See the following general troubleshooting procedures associated with a result code of 0x800xxxxx:
<TABLE border=1 cellspacing=0 cellpadding=0>
<P><TABLE border=1 cellspacing=0 cellpadding=0>
<TR><TD align="left" valign="top" style='border:solid #000000 1.0pt;'>

2
windows/deploy/usmt-best-practices.md
View File

@ -98,7 +98,7 @@ As the authorized administrator, it is your responsibility to protect the privac
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/migapp">
```
- **TUse the XML Schema (MigXML.xsd) when authoring .xml files to validate synta**
- **Use the XML Schema (MigXML.xsd) when authoring .xml files to validate syntax**
The MigXML.xsd schema file should not be included on the command line or in any of the .xml files.

18
windows/keep-secure/bitlocker-group-policy-settings.md
View File

@ -360,15 +360,15 @@ This policy setting is applied when you turn on BitLocker. The startup PIN must
This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI ports until a user signs in to Windows.
| | |
|--------------------|----------------------|
| Policy description | This setting helps prevent attacks that use external PCI-based devices to access BitLocker keys. |
| Introduced | Windows 10, version 1703 |
| Drive type | Operating system drives |
| Policy path | Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
| Conflicts | None |
| When enabled | Every time the user locks the screen, DMA will be blocked on hot pluggable PCI ports until the user signs in again. |
| When disabled or not configured | DMA is available on hot pluggable PCI devices if the device is turned on, regardless of whether a user is signed in.|
| | |
| - | - |
| **Policy description** | This setting helps prevent attacks that use external PCI-based devices to access BitLocker keys. |
| **Introduced** | Windows 10, version 1703 |
| **Drive type** | Operating system drives |
| **Policy path** | Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
| **Conflicts** | None |
| **When enabled** | Every time the user locks the screen, DMA will be blocked on hot pluggable PCI ports until the user signs in again. |
| **When disabled or not configured** | DMA is available on hot pluggable PCI devices if the device is turned on, regardless of whether a user is signed in.|
**Reference**

7
windows/keep-secure/hello-manage-in-organization.md
View File

@ -307,7 +307,7 @@ Youll need this software to set Windows Hello for Business policies in your e
<tr class="header">
<th align="left">Windows Hello for Business mode</th>
<th align="left">Azure AD</th>
<th align="left">Active Directory (AD) on-premises (available with production release of Windows Server 2016)</th>
<th align="left">Active Directory (AD) on-premises (only supported with Windows 10, version 1703 clients)</th>
<th align="left">Azure AD/AD hybrid (available with production release of Windows Server 2016)</th>
</tr>
</thead>
@ -318,7 +318,6 @@ Youll need this software to set Windows Hello for Business policies in your e
<td align="left"><ul>
<li>Active Directory Federation Service (AD FS) (Windows Server 2016)</li>
<li>A few Windows Server 2016 domain controllers on-site</li>
<li>Microsoft System Center 2012 R2 Configuration Manager SP2</li>
</ul></td>
<td align="left"><ul>
<li>Azure AD subscription</li>
@ -339,7 +338,6 @@ Youll need this software to set Windows Hello for Business policies in your e
<li>ADFS (Windows Server 2016)</li>
<li>Active Directory Domain Services (AD DS) Windows Server 2016 schema</li>
<li>PKI infrastructure</li>
<li>Configuration Manager SP2, Intune, or non-Microsoft MDM solution</li>
</ul></td>
<td align="left"><ul>
<li>Azure AD subscription</li>
@ -355,7 +353,8 @@ Configuration Manager and MDM provide the ability to manage Windows Hello for Bu
Azure AD provides the ability to register devices with your enterprise and to provision Windows Hello for Business for organization accounts.
>[!IMPORTANT]
>Active Directory on-premises deployment **is not currently available** and will become available with a future update of ADFS on Windows Server 2016. The requirements listed in the above table will apply when this deployment type becomes available.
## How to use Windows Hello for Business with Azure Active Directory

77
windows/update/waas-manage-updates-configuration-manager.md
View File

@ -48,83 +48,6 @@ For the Windows 10 servicing dashboard to display information, you must adhere t
When you have met all these requirements and deployed a servicing plan to a collection, youll receive information on the Windows 10 servicing dashboard.
## Enable CBB clients in Windows 10, version 1511
When you use System Center Configuration Manager to manage Windows 10 servicing, you must first set the **Defer Updates or Upgrades** policy on the clients that should be on the Current Branch for Business (CBB) servicing branch so that you can use CBB servicing plans from Configuration Manager. You can do this either manually or through Group Policy. If you dont set this policy, Configuration Manager discovers all clients, as it would in Current Branch (CB) mode.
**To use Group Policy to configure a client for the CBB servicing branch**
>[!NOTE]
>In this example, a specific organizational unit (OU) called **Windows 10 Current Branch for Business Machines** contains the Windows 10 devices that should be configured for CBB. You can also use a security group to filter the computers to which the policy should be applied.
1. On a PC running the Remote Server Administration Tools or on a domain controller, open Group Policy Management Console (GPMC).
2. Expand Forest\Domains\\*Your_Domain*.
4. Right-click the **Windows 10 Current Branch for Business Machines** OU, and then click **Create a GPO in this domain, and Link it here**.
![Example of UI](images/waas-sccm-fig2.png)
5. In the **New GPO** dialog box, type **Enable Current Branch for Business** for the name of the new GPO.
>[!NOTE]
>In this example, youre linking the GPO to a specific OU. This is not a requirement. You can link the Windows Update for Business GPOs to any OU or the top-level domain, whichever is appropriate for your Active Directory Domain Services (AD DS) structure.
6. Right-click the **Enable Current Branch for Business** GPO, and then click **Edit**.
7. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
8. Right-click the **Defer Upgrades and Updates** setting, and then click **Edit**.
![Example of UI](images/waas-sccm-fig3.png)
9. Enable the policy, and then click **OK**.
>[!NOTE]
>The additional options in this setting are only for Windows Update for Business, so be sure not to configure them when using System Center Configuration Manager for Windows 10 servicing.
10. Close the Group Policy Management Editor.
This policy will now be deployed to every device in the **Windows 10 Current Branch for Business Machines** OU.
## Enable CBB clients in Windows 10, version 1607
When you use Configuration Manager to manage Windows 10 servicing, you must first set the **Select when Feature Updates** are received policy on the clients that should be on the CBB servicing branch so that you can use CBB servicing plans from Configuration Manager. You can do this either manually or through Group Policy. If you dont set this policy, Configuration Manager discovers all clients, as it would in CB mode.
>[!NOTE]
>System Center Configuration Manager version 1606 is required to manage devices running Windows 10, version 1607.
**To use Group Policy to configure a client for the CBB servicing branch**
>[!NOTE]
>In this example, a specific organizational unit (OU) called **Windows 10 Current Branch for Business Machines** contains the Windows 10 devices that should be configured for CBB. You can also use a security group to filter the computers to which the policy should be applied.
1. On a PC running the Remote Server Administration Tools or on a domain controller, open GPMC.
2. Expand Forest\Domains\\*Your_Domain*.
3. Right-click the **Windows 10 Current Branch for Business Machines** OU, and then click **Create a GPO in this domain, and Link it here**.
![Example of UI](images/waas-sccm-fig2.png)
5. In the **New GPO** dialog box, type **Enable Current Branch for Business** for the name of the new GPO.
>[!NOTE]
>In this example, youre linking the GPO to a specific OU. This is not a requirement. You can link the Windows Update for Business GPOs to any OU or the top-level domain, whichever is appropriate for your Active Directory Domain Services (AD DS) structure.
6. Right-click the **Enable Current Branch for Business** GPO, and then click **Edit**.
7. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Defer Windows Updates.
8. Right-click the **Select when Feature Updates are received** setting, and then click **Edit**.
9. Enable the policy, select the **CBB** branch readiness level, and then click **OK**.
10. Close the Group Policy Management Editor.
This policy will now be deployed to every device in the **Windows 10 Current Branch for Business Machines** OU.
## Create collections for deployment rings
Regardless of the method by which you deploy Windows 10 feature updates to your environment, you must start the Windows 10 servicing process by creating collections of computers that represent your deployment rings. In this example, you create two collections: **Windows 10 All Current Branch for Business** and **Ring 4 Broad business users**. Youll use the **Windows 10 All Current Branch for Business** collection for reporting and deployments that should go to all CBB clients. Youll use the **Ring 4 Broad business users** collection as a deployment ring for the first CBB users.

10
windows/whats-new/whats-new-windows-10-version-1703.md
View File

@ -143,7 +143,7 @@ New features for Windows Defender AV in Windows 10, version 1703 include:
- [The ability to specify the level of cloud-protection](../keep-secure/specify-cloud-protection-level-windows-defender-antivirus.md)
- [Windows Defender Antivirus protection in the Windows Defender Security Center app](../keep-secure/windows-defender-security-center-antivirus.md)
In Windows 10, version 1607, we [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment in version 1703 with [updated beahvior monitoring and always-on real-time protection](../keep-secure/configure-real-time-protection-windows-defender-antivirus.md).
In Windows 10, version 1607, we [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment in version 1703 with [updated behavior monitoring and always-on real-time protection](../keep-secure/configure-real-time-protection-windows-defender-antivirus.md).
You can read more about ransomware mitigations and detection capability in Windows Defender AV in the [Ransomware Protection in Windows 10 Anniversary Update whitepaper (PDF)](http://wincom.blob.core.windows.net/documents/Ransomware_protection_in_Windows_10_Anniversary_Update.pdf) and at the [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/).
@ -164,7 +164,7 @@ A new security policy setting
You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune).
For Windows Phone devices, an adminisrator is able to initiate a remote PIN reset through the Intune portal.
For Windows Phone devices, an administrator is able to initiate a remote PIN reset through the Intune portal.
For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**.
@ -176,7 +176,7 @@ For more details, check out [What if I forget my PIN?](../keep-secure/hello-why-
The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](../update/waas-configure-wufb.md#pause-feature-updates) and [Pause Quality Updates](../update/waas-configure-wufb.md#pause-quality-updates).
Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](../update/waas-configure-wufb.md#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-quality-updates) for details.
Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferral periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](../update/waas-configure-wufb.md#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-quality-updates) for details.
### Windows Insider for Business
@ -239,7 +239,7 @@ For more info, see [Implement server-side support for mobile application managem
In Windows 10, version 1703, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](https://www.microsoft.com/download/details.aspx?id=44226) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost.
### Application Virtualization for Windows (App-V)
Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10, version 1703 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Addtionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart.
Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10, version 1703 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart.
For more info, see the following topics:
- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](../manage/appv-auto-provision-a-vm.md)
@ -275,7 +275,7 @@ Windows 10 Mobile, version 1703 also includes the following enhancements:
- OTC update tool
- Continuum display management
- Individually turn off the monitor or phone screen when not in use
- Indivudally adjust screen time-out settings
- Indiviudally adjust screen time-out settings
- Continuum docking solutions
- Set Ethernet port properties
- Set proxy properties for the Ethernet port