deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' into siosulli-privacy

Browse Source
This commit is contained in:
Sinead O'Sullivan 2020-06-24 11:27:22 +01:00
commit dee1315172
406 changed files with 4410 additions and 3165 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.acrolinx-config.edn
View File

@ -1,5 +1,8 @@
{:allowed-branchname-matches ["master"]
:allowed-filename-matches ["windows/"]
:guidance-profile "d2b6c2c8-00ee-47f1-8d10-b280cc3434c1" ;; Profile ID for "M365-specific"
:acrolinx-check-settings
{
"languageId" "en"
@ -33,6 +36,6 @@ Click the scorecard links for each article to review the Acrolinx feedback on gr
"
**More info about Acrolinx**
You are helping M365 test Acrolinx while we merge to the Microsoft instance. We have set the minimum score to 20 to test that the minimum score script works. This is effectively *not* setting a minimum score. If you need to bypass this score, please contact krowley or go directly to the marveldocs-admins. Thanks for your patience while we continue with roll out!
We have set the minimum score to 20. This is effectively *not* setting a minimum score. If you need to bypass this score, please contact MARVEL PubOps.
"
}

BIN
.openpublishing.redirection.json
View File

Binary file not shown.

3
devices/hololens/TOC.md
View File

@ -57,7 +57,8 @@
# Update, troubleshoot, or recover HoloLens
## [Update HoloLens](hololens-update-hololens.md)
## [Restart, reset, or recover HoloLens](hololens-recovery.md)
## [Restart, reset, or recover HoloLens 2](hololens-recovery.md)
## [Restart, reset, or recover HoloLens (1st gen) ](hololens1-recovery.md)
## [Troubleshoot HoloLens issues](hololens-troubleshooting.md)
## [Collect diagnostic information from HoloLens devices](hololens-diagnostic-logs.md)
## [Known issues for HoloLens](hololens-known-issues.md)

8
devices/hololens/change-history-hololens.md
View File

@ -17,6 +17,14 @@ ms.localizationpriority: medium
This topic lists new and updated topics in the [Microsoft HoloLens documentation](index.md).
## Windows 10 Holographic, version 2004
The topics in this library have been updated for Windows 10 Holographic, version 2004.
## HoloLens 2
The topics in this library have been updated for HoloLens 2 and Windows 10 Holographic, version 1903.
## April 2019
New or changed topic | Description

8
devices/hololens/holographic-photos-and-videos.md
View File

@ -44,7 +44,9 @@ To take a quick photo of your current view, press the volume up and volume down
### Voice commands to take photos
Cortana can also take a picture. Say: "Hey Cortana, take a picture."
On HoloLens 2, version 2004 (and later), say: "Take a picture."
On HoloLens (1st gen) or HoloLens 2, version 1903, say: "Hey Cortana, take a picture."
### Start menu to take photos
@ -67,7 +69,9 @@ The quickest way to record a video is to press and hold the **volume up** and **
### Voice to record videos
Cortana can also record a video. Say: "Hey Cortana, start recording." To stop a video, say "Hey Cortana, stop recording."
On HoloLens 2, version 2004 (and later), say: "Start recording." To stop recording, say "Stop recording."
On HoloLens (1st gen) or HoloLens 2, version 1903, say: "Hey Cortana, start recording." To stop recording, say "Hey Cortana, stop recording."
### Start menu to record videos

2
devices/hololens/hololens-FAQ.md
View File

@ -239,7 +239,7 @@ If your device was previously set up for someone else, either for a client or fo
- For a device that is enrolled in Intune mobile device management (MDM), you can use Intune to remotely [wipe](https://docs.microsoft.com/intune/remote-actions/devices-wipe) the device. The device then re-flashes itself.
> [!IMPORTANT]
> When you wipe the device, make sure to leave **Retain enrollment state and user account** unchecked.
- For a non-MDM device, you can [put the device into **Flashing Mode** and use Advanced Recovery Companion](hololens-recovery.md#re-install-the-operating-system) to recover the device.
- For a non-MDM device, you can [put the device into **Flashing Mode** and use Advanced Recovery Companion](hololens-recovery.md#clean-reflash-the-device) to recover the device.
[Back to list](#list)

2
devices/hololens/hololens-calibration.md
View File

@ -25,7 +25,7 @@ While both devices need to calibrate for the best hologram viewing experience, t
## Calibrating your HoloLens 2
HoloLens 2 uses eye-tracking technology to improve your experience seeing and interacting with the virtual environment. Calibrating the HoloLens 2 ensures that it can accurately track your eyes (and the eyes of anyone else who uses the device). After calibration, holograms will appear correctly even as the visor shifts on your head.
HoloLens 2 uses eye-tracking technology to improve your experience seeing and interacting with the virtual environment. Calibrating the HoloLens 2 ensures that it can accurately track your eyes (and the eyes of anyone else who uses the device). It also helps with user comfort, hologram alignment, and hand tracking. After calibration, holograms will appear correctly even as the visor shifts on your head.
HoloLens 2 prompts a user to calibrate the device under the following circumstances:

12
devices/hololens/hololens-faq-security.md
View File

@ -34,7 +34,7 @@ appliesto:
1. **What frequency range and channels does the device operate on and is it configurable?**
1. Wi-Fi: The frequency range is not user configurable and depends on the country of use. In the US Wi-Fi uses both 2.4 GHz (1-11) channels and 5 GHz (36-64, 100-165) channels.
1. Bluetooth: Bluetooth uses the standard 2.4-2.48 GHz range.
1. **Can the device blacklist or white list specific frequencies?**
1. **Can the device allow or block specific frequencies?**
1. This is not controllable by the user/device
1. **What is the power level for both transmit and receive? Is it adjustable? What is the range of operation?**
1. Our emissions testing standards can be found [here](https://fccid.io/C3K1688). Range of operation is highly dependent on the access point and environment - but is roughly equivalent to other high-quality phones, tablets, or PCs.
@ -63,9 +63,9 @@ appliesto:
1. Yes
1. **Is there an ability to control or disable the use of ports on the device?**
1. The HoloLens only contains 2 ports (one for headphones and one for charging or connecting to PCs). There is not ability to disable the port due to functionality and recovery reasons.
1. **Antivirus, end point detection, IPS, app control whitelist Any ability to run antivirus, end point detection, IPS, app control whitelist, etc.**
1. **Antivirus, end point detection, IPS, app control allow list Any ability to run antivirus, end point detection, IPS, app control allow list, etc.**
1. Windows Holographic for Business (commercial suite) does support Windows Defender Smart Screen. If an antivirus company were to create and publish their app to the Universal Windows Platform, it could be downloaded on HoloLens. At present, no companies have done this for HoloLens.
1. Whitelisting apps is possible by using the Microsoft Enterprise Store, where you can choose only what specific apps can be downloaded. Also, through MDM you can lock what specific apps can be run or even seen on the device.
1. Allowing apps is possible by using the Microsoft Enterprise Store, where you can choose only what specific apps can be downloaded. Also, through MDM you can lock what specific apps can be run or even seen on the device.
1. **Can we quarantine the device from prod network until we update the device if it has been offline for an extended period of time? Ex. Device has been sitting in a drawer not powered up for a period (6 months) and has not received any updates, patches, etc. When it tries to come on the network can we flag it and say you must update on another network prior to being complaint to join the network.**
1. This is something that can be managed on the infrastructure level by either an MDM or an on-prem server. The device can be flagged as not compliant if it does not meet a specified Update version.
1. **Does Microsoft include any back doors or access to services that allows Microsoft to connect to the device for screen sharing or remote support at will?**
@ -85,7 +85,7 @@ appliesto:
1. C3K1855
1. **What frequency range and channels does the device operate on and is it configurable?**
1. Wi-Fi: The frequency range is not user configurable and depends on the country of use. In the US Wi-Fi uses both 2.4 GHz (1-11) channels and 5 GHz (36-64, 100-165) channels.
1. **Can the device blacklist or white list specific frequencies?**
1. **Can the device allow or block specific frequencies?**
1. This is not controllable by the user/device
1. **What is the power level for both transmit and receive? Is it adjustable? What is the range of operation?**
1. Wireless power levels depend on the channel of operation. Devices are calibrated to perform at the highest power levels allowed based on the region's regulatory rules.
@ -113,9 +113,9 @@ appliesto:
1. Yes
1. **Is there an ability to control or disable the use of ports on the device?**
1. The HoloLens only contains 2 ports (one for headphones and one for charging or connecting to PCs). There is not ability to disable the port due to functionality and recovery reasons.
1. **Antivirus, end point detection, IPS, app control whitelist Any ability to run antivirus, end point detection, IPS, app control whitelist, etc.**
1. **Antivirus, end point detection, IPS, app control allow Any ability to run antivirus, end point detection, IPS, app control allow, etc.**
1. HoloLens 2nd Gen supports Windows Defender Smart Screen. If an antivirus company were to create and publish their app to the Universal Windows Platform, it could be downloaded on HoloLens. At present, no companies have done this for HoloLens.
1. Whitelisting apps is possible by using the Microsoft Enterprise Store, where you can choose only what specific apps can be downloaded. Also, through MDM you can lock what specific apps can be run or even seen on the device.
1. Allowing apps is possible by using the Microsoft Enterprise Store, where you can choose only what specific apps can be downloaded. Also, through MDM you can lock what specific apps can be run or even seen on the device.
1. **Can we quarantine the device from prod network until we update the device if it has been offline for an extended period of time? Ex. Device has been sitting in a drawer not powered up for a period (6 months) and has not received any updates, patches, etc. When it tries to come on the network can we flag it and say you must update on another network prior to being complaint to join the network.**
1. This is something that can be managed on the infrastructure level by either an MDM or an on-prem server. The device can be flagged as not compliant if it does not meet a specified Update version.
1. **Does Microsoft include any back doors or access to services that allows Microsoft to connect to the device for screen sharing or remote support at will?**

20
devices/hololens/hololens-identity.md
View File

@ -85,9 +85,9 @@ One way in which developing for HoloLens differs from developing for Desktop is
## Frequently asked questions
### Is Windows Hello for Business supported on HoloLens?
### Is Windows Hello for Business supported on HoloLens (1st Gen)?
Windows Hello for Business (which supports using a PIN to sign in) is supported for HoloLens. To allow Windows Hello for Business PIN sign-in on HoloLens:
Windows Hello for Business (which supports using a PIN to sign in) is supported for HoloLens (1st Gen). To allow Windows Hello for Business PIN sign-in on HoloLens:
1. The HoloLens device must be [managed by MDM](hololens-enroll-mdm.md).
1. You must enable Windows Hello for Business for the device. ([See instructions for Microsoft Intune.](https://docs.microsoft.com/intune/windows-hello))
@ -96,13 +96,19 @@ Windows Hello for Business (which supports using a PIN to sign in) is supported
> [!NOTE]
> Users who sign in by using a Microsoft account can also set up a PIN in **Settings** > **Sign-in Options** > **Add PIN**. This PIN is associated with [Windows Hello](https://support.microsoft.com/help/17215/windows-10-what-is-hello), rather than [Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-overview).
#### Does the type of account change the sign-in behavior?
### How is Iris biometric authentication implemented on HoloLens 2?
Yes, the behavior for the type of account affects the sign-in behavior. If you apply policies for sign-in, the policy is always respected. If no policy for sign-in is applied, these are the default behaviors for each account type:
HoloLens 2 supports Iris authentication. Iris is based on Windows Hello technology and is supported for use by both Azure Active Directory and Microsoft Accounts. Iris is implemented the same way as other Windows Hello technologies, and achieves biometrics security FAR of 1/100K.
- **Microsoft account**: signs in automatically
- **Local account**: always asks for password, not configurable in **Settings**
- **Azure AD**: asks for password by default, and configurable by **Settings** to no longer ask for password.
You can learn more about biometric requirements and specifications for Windows Hello [here](https://docs.microsoft.com/windows-hardware/design/device-experiences/windows-hello-biometric-requirements). Learn more about [Windows Hello](https://docs.microsoft.com/windows-hardware/design/device-experiences/windows-hello) and [Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification).
### How does the type of account affect sign-in behavior?
If you apply policies for sign-in, the policy is always respected. If no policy for sign-in is applied, these are the default behaviors for each account type:
- **Azure AD**: asks for authentication by default, and configurable by **Settings** to no longer ask for authentication.
- **Microsoft account**: lock behavior is different allowing automatic unlock, however sign in authentication is still required on reboot.
- **Local account**: always asks for authentication in the form of a password, not configurable in **Settings**
> [!NOTE]
> Inactivity timers are currently not supported, which means that the **AllowIdleReturnWithoutPassword** policy is only respected when the device goes into StandBy.

2
devices/hololens/hololens-multiple-users.md
View File

@ -37,7 +37,7 @@ To use HoloLens, each user follows these steps:
1. If another user has been using the device, do one of the following:
- Press the power button once to go to standby, and then press the power button again to return to the lock screen
- HoloLens 2 users may select the user tile on the top of the Pins panel to sign out the current user.
- HoloLens 2 users may select the user tile from the Start menu to sign out the current user.
1. Use your Azure AD account credentials to sign in to the device.
If this is the first time that you have used the device, you have to [calibrate](hololens-calibration.md) HoloLens to your own eyes.

2
devices/hololens/hololens-offline.md
View File

@ -22,7 +22,7 @@ appliesto:
# Manage connection endpoints for HoloLens
Some HoloLens components, apps, and related services transfer data to Microsoft network endpoints. This article lists different endpoints and URLs that need to be whitelisted in your network configuration (e.g. proxy or firewall) for those components to be functional.
Some HoloLens components, apps, and related services transfer data to Microsoft network endpoints. This article lists different endpoints and URLs that need to be allowed in your network configuration (e.g. proxy or firewall) for those components to be functional.
## Near-offline setup

155
devices/hololens/hololens-recovery.md
View File

@ -19,107 +19,99 @@ appliesto:
- HoloLens 2
---
# Restart, reset, or recover HoloLens
# Reset and Recovery for HoloLens 2
If you're experiencing problems with your HoloLens you may want to try a restart, reset, or even re-flash with device recovery.
## Charging the device
Here are some things to try if your HoloLens isn't running well. This article will guide you through the recommended recovery steps in succession.
Before starting any troubleshooting procedure, if possible, ensure that your device is charged at least between 20% and 40%.
This article focuses on the HoloLens device and software, if your holograms don't look right, [this article](hololens-environment-considerations.md) talks about environmental factors that improve hologram quality.
## Restart your HoloLens
First, try restarting the device.
### Perform a safe restart by using Cortana
The safest way to restart the HoloLens is by using Cortana. This is generally a great first-step when experiencing an issue with HoloLens:
1. Put on your device
1. Make sure it's powered on, a user is logged in, and the device is not waiting for a password to unlock it.
1. Say "Hey Cortana, reboot" or "Hey Cortana, restart."
1. When she acknowledges she will ask you for confirmation. Wait a second for a sound to play after she has finished her question, indicating she is listening to you and then say "Yes."
1. The device will now restart.
### Perform a safe restart by using the power button
If you still can't restart your device, you can try to restart it by using the power button:
1. Press and hold the power button for five seconds.
1. After one second, you will see all five LEDs illuminate, then slowly turn off from right to left.
1. After five seconds, all LEDs will be off, indicating the shutdown command was issued successfully.
1. Note that it's important to stop pressing the button immediately after all the LEDs have turned off.
1. Wait one minute for the shutdown to cleanly succeed. Note that the shutdown may still be in progress even if the displays are turned off.
1. Power on the device again by pressing and holding the power button for one second.
### Perform a safe restart by using Windows Device Portal
Please ensure you are using the charger and the USB Type-C cables that come with the HoloLens2 device. In case they are not available ensure the charger available can support at least 15W of power.
> [!NOTE]
> To do this, HoloLens has to be configured as a developer device.
> Read more about [Windows Device Portal](https://docs.microsoft.com/windows/mixed-reality/using-the-windows-device-portal).
> If possible, do not use a PC to charge the device over USB as this will provide a very slow charge.
If the previous procedure doesn't work, you can try to restart the device by using [Windows Device Portal](https://docs.microsoft.com/windows/mixed-reality/using-the-windows-device-portal). In the upper right corner, there is an option to restart or shut down the device.
If the device is correctly booted and running there are three different ways of checking the charge of your battery.
### Perform an unsafe forced restart
1. From the main menu of the HoloLens Device UI.
2. Using the LED close to the power button (for 40% you should see at least two solid LEDS).
3. On your Host PC open File Explorer window and look for your HoloLens 2 device on left side under “This PC”.
If none of the previous methods are able to successfully restart your device, you can force a restart. This method is equivalent to pulling the battery from the HoloLens. It is a dangerous operation which may leave your device in a corrupt state. If that happens, you'll have to flash your HoloLens.
a. Right click on the name of the device and select properties. A dialog will appear showing the battery level for your device.
> [!WARNING]
> This is a potentially harmful method and should only be used in the event none of the above methods work.
![HoloLens 2 ResetRecovery](images/ResetRecovery2.png)
1. Press and hold the power button for at least 10 seconds.
If the device cannot be booted to the Startup Menu, please take note of the LEDs and enumeration on the host PC and follow the troubleshooting guide (https://docs.microsoft.com/hololens/hololens-troubleshooting). In case the state of the device does not fall in any of the states listed in the troubleshooting guide, execute the **hard reset procedure** without reconnecting the device to your host PC, but connect it instead to the power supply. Wait for at least one hour for the device to charge.
- It's okay to hold the button for longer than 10 seconds.
- It's safe to ignore any LED activity.
1. Release the button and wait for two or three seconds.
1. Power on the device again by pressing and holding the power button for one second.
If you're still having problems, press the power button for 4 seconds, until all of the battery indicators fade out and the screen stops displaying holograms. Wait 1 minute, then press the power button again to turn on the device.
## Reset the device
## Reset to factory settings
Under certain circumstances the customer may be required to manually reset the device without using the SW UI.
> [!NOTE]
> The battery needs at least 40 percent charge to reset.
### Standard procedure
1. Disconnect the device from the power supply or the host PC by unplugging the Type-C cable.
If your HoloLens is still experiencing issues after restarting, try resetting it to factory state. Resetting your HoloLens keeps the version of the Windows Holographic software that's installed on it and returns everything else to factory settings.
2. Press and hold the **power button** for 15 seconds. All LEDs should be off.
If you reset your device, all your personal data, apps, and settings will be erased, including TPM reset. Resetting will only install the latest installed version of Windows Holographic and you will have to redo all the initialization steps (calibrate, connect to Wi-Fi, create a user account, download apps, and so forth).
3. Wait 2-3 seconds and Short press the **power button**, the LEDs close to the power button will light up and the device will start to boot.
1. Launch the Settings app, and then select **Update** > **Reset**.
1. Select the **Reset device** option and read the confirmation message.
1. If you agree to reset your device, the device will restart and display a set of spinning gears with a progress bar.
1. Wait about 30 minutes for this process to complete.
1. The reset will complete and the device will restart into the out-of-the-box experience.
4. Connect the device to the host PC, open Device Manager (for Windows 10 press the **“Windows” key** and then the **“x” key** and click on “Device Manager”) and make sure the device enumerates correctly as Microsoft HoloLens as shown in the pictures below:
## Re-install the operating system
![HoloLens 2 MicrosoftHoloLensRecovery](images/MicrosoftHoloLensRecovery.png)
If the device is still having a problem after rebooting and resetting, you can use a recovery tool on your computer to reinstall the HoloLens' operating system and firmware.
### Hard-reset procedure
HoloLens (1st gen) and HoloLens 2 use different tools but both tools will auto-detect your HoloLens and install new software.
If the standard reset procedure does not work, you can use the hard-reset procedure.
All of the data HoloLens needs to reset is packaged in a Full Flash Update (ffu). This is similar to an iso, wim, or vhd. [Learn about FFU image file formats.](https://docs.microsoft.com/windows-hardware/manufacture/desktop/wim-vs-ffu-image-file-formats)
1. Disconnect the device from the power supply or the host PC by unplugging the Type-C cable.
### HoloLens 2
2. Hold **volume down + power button** for 15 seconds.
The Advanced Recovery Companion is a new app in Microsoft Store restore the operating system image to your HoloLens 2 device. Advanced Recovery Companion erases all your personal data, apps, and settings, and resets TPM.
3. The device will automatically reboot.
1. On your computer, get [Advanced Recovery Companion](https://www.microsoft.com/p/advanced-recovery-companion/9p74z35sfrs8?activetab=pivot:overviewtab) from Microsoft Store.
2. Connect HoloLens 2 to your computer.
3. Start Advanced Recovery Companion.
4. On the **Welcome** page, select your device.
5. On the **Device info** page, select **Install software** to install the default package. (If you have a Full Flash Update (FFU) image that you want to install instead, select **Manual package selection**.)
6. Software installation will begin. Do not use the device or disconnect the cable during installation. When you see the **Installation finished** page, you can disconnect and use your device.
4. Connect the device to the host PC, open Device Manager (for Windows 10 press the **“Windows” key** and then the **“x” key** and click on “Device Manager”) and make sure the device enumerates correctly as Microsoft HoloLens as shown in the pictures below.
#### Manual flashing mode
![HoloLens 2 MicrosoftHoloLensRecovery](images/MicrosoftHoloLens_DeviceManager.png)
> [!TIP]
> In the event that a HoloLens 2 gets into a state where Advanced Recovery Companion cannot recognize the device, and it does not boot, try forcing the device into Flashing Mode and recovering it with Advanced Recovery Companion:
## Clean reflash the device
1. Connect the HoloLens 2 to a PC with Advanced Recovery Companion installed.
1. Press and hold the **Volume Up and Power buttons** until the device reboots. Release the Power button, but continue to hold the Volume Up button until the third LED is lit.
1. The device should be visible in **Device Manager** as a **Microsoft HoloLens Recovery** device.
1. Launch Advanced Recovery Companion, and follow the on-screen prompts to reflash the OS to the HoloLens 2.
In extraordinary situations you may be required to clean flash the device. There are two ways to reflash a HoloLens2 device. For all reflashing procedures you will be required to [install the Advanced Recovery Companion app from the Windows Store](https://www.microsoft.com/store/productId/9P74Z35SFRS8). If you reset your device, all your personal data, apps, and settings will be erased, including TPM reset.
#### Downloading ARC without using the app store
Advanced Recovery Companion is currently set to download the feature release build for [Windows Holographic 2004](hololens-release-notes.md#windows-holographic-version-2004), if you would like to download the latest HoloLens 2 FFU to flash your device via Advanced Recovery Companion then you may download it from [here](https://aka.ms/hololens2download). This is kept up-to-date and will match the latest generally available build.
Before starting the flashing procedure make sure the app is installed and running on your Windows 10 PC and ready to detect the device.
![HoloLens 2 Clean Reflash](images/ARC1.png)
### Normal procedure
1. While the HoloLens device is running, connect it to your Windows 10 PC where you previously launched the Advanced Recovery Companion App.
2. The device will automatically be detected and the Advanced Recovery Companion App UI will update as follows:
![HoloLens 2 Clean Reflash](images/ARC2.png)
3. Select the HoloLens2 device in the Advanced Recovery Companion App UI and follow the instructions to complete the flashing.
### Manual procedure
If the device does not boot correctly you may need to put the HoloLens 2 device in Recovery mode.
1. Disconnect the device from the power supply or the host PC by unplugging the Type-C cable.
2. Press and hold the **power button** for 15 seconds. All LEDs should turn off.
3. While pressing the **volume up button**, press and release the **power button** to boot the device. Wait 15 seconds before releasing the volume up button. Out of the 5 LEDs on the device, only the middle LED will light up.
4. Connect the device to the host PC, open Device Manager (for Windows 10 press the **“Windows” key** and then the **“x” key** and click on “Device Manager”) and make sure the device enumerates correctly as Microsoft HoloLens as shown in the image below.
![HoloLens 2 MicrosoftHoloLensRecovery](images/MicrosoftHoloLensRecovery.png)
5. The device will be automatically detected, and the Advanced Recovery Companion app UI will update as follows:
![HoloLens 2 Clean Reflash](images/ARC2.png)
6. Select the HoloLens 2 device in the Advanced Recovery Companion app UI and follow the instructions to complete the flashing.
## Downloading ARC without using the app store
If an IT environment prevents the use of the Windows Store app or limits access to the retail store, IT administrators can make this app available through other offline deployment paths.
@ -151,18 +143,3 @@ Other resources:
- https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-app-package--appx-or-appxbundle--servicing-command-line-options
### HoloLens (1st gen)
If necessary, you can install a completely new operating system on your HoloLens (1st gen) with the Windows Device Recovery Tool.
Before you use this tool, determine if restarting or resetting your HoloLens fixes the problem. The recovery process may take some time. When you're done, the latest version of the Windows Holographic software approved for your HoloLens will be installed.
To use the tool, you'll need a computer running Windows 10 or later, with at least 4 GB of free storage space. Please note that you can't run this tool on a virtual machine.
To recover your HoloLens
1. Download and install the [Windows Device Recovery Tool](https://support.microsoft.com/help/12379/windows-10-mobile-device-recovery-tool-faq) on your computer.
1. Connect the HoloLens (1st gen) to your computer using the Micro USB cable that came with your HoloLens.
1. Run the Windows Device Recovery Tool and follow the instructions.
If the HoloLens (1st gen) isn't automatically detected, select **My device was not detected** and follow the instructions to put your device into recovery mode.

53
devices/hololens/hololens-release-notes.md
View File

@ -8,7 +8,7 @@ ms.prod: hololens
ms.sitesec: library
ms.topic: article
ms.localizationpriority: medium
ms.date: 05/12/2020
ms.date: 06/9/2020
ms.custom:
- CI 111456
- CSSTroubleshooting
@ -20,6 +20,52 @@ appliesto:
# HoloLens 2 release notes
To ensure you have a productive experience with your HoloLens devices, we continue to release feature, bug and security updates. In this page you can learn about whats new on HoloLens each month. If you would like to download the latest HoloLens 2 FFU to flash your device via [Advanced Recovery Companion](hololens-recovery.md#clean-reflash-the-device) then you may download it from [here](https://aka.ms/hololens2download). This is kept up-to-date and will match the latest generally available build.
HoloLens Emulator Release Notes can be found [here](https://docs.microsoft.com/windows/mixed-reality/hololens-emulator-archive).
## Windows Holographic, version 2004 - June 2020 Update
- Build 19041.1106
Improvements and fixes in the update:
- Custom MRC recorders have new default values for certain properties if they aren't specified.
- On the MRC Video Effect:
- PreferredHologramPerspective (1 PhotoVideoCamera)
- GlobalOpacityCoefficient (0.9 (HoloLens) 1.0 (Immersive headset))
- On the MRC Audio Effect:
- LoopbackGain (the current "App Audio Gain" value on the Mixed Reality Capture page in Windows Device Portal)
- MicrophoneGain (the current "Mic Audio Gain" value on the Mixed Reality Capture page in Windows Device Portal)
- This update contains a bug fix that improves audio quality in Mixed Reality Capture scenarios. Specifically, it should eliminate any audio glitching in the recording when the Start Menu is displayed.
- Improved hologram stability in recorded videos.
- Resolves an issue where mixed reality capture couldn't record video after device is left in standby state for multiple days.
- The HolographicSpace.UserPresence API is generally disabled for Unity applications to avoid an issue which causes some apps to pause when the visor is flipped up, even if the setting to run in the background is enabled. The API is now enabled for Unity versions 2018.4.18 and higher, and 2019.3.4 and higher.
- When accessing Device Portal over a WiFi connection, a web browser might prevent access to due to an invalid certificate, reporting an error such as "ERR_SSL_PROTOCOL_ERROR," even if the device certificate has previously been trusted. In this case, you would be unable to progress to Device Portal as options to ignore security warnings are not available. This update resolves the issue. If the device certificate was previously downloaded and trusted on a PC to remove browser security warnings and the SSL error has been encountered, the new certificate will need to be downloaded and trusted to address browser security warnings.
- Enabled ability to create a runtime provisioning package which can install an app using MSIX packages.
- New setting that users can find under Settings > System > Holograms, that allows users to automatically remove all holograms from the mixed reality home when the device shuts down.
- Fixed an issue that caused HoloLens apps that change their pixel format to render black in the HoloLens emulator.
- Fixed bug that caused a crash during Iris Login.
- Fixes an issue around repeated store downloads for already current apps.
- Fixed a bug to preventing immersive apps from launching Edge multiple times.
- Fixes an issue around launches of the Photos app in initial boots after updating from the 1903 release.
- Improved performance and reliability.
## Windows Holographic, version 1903 - June 2020 Update
- Build 18362.1064
Improvements and fixes in the update:
- Custom MRC recorders have new default values for certain properties if they aren't specified.
- On the MRC Video Effect:
- PreferredHologramPerspective (1 PhotoVideoCamera)
- GlobalOpacityCoefficient (0.9 (HoloLens) 1.0 (Immersive headset))
- On the MRC Audio Effect:
- LoopbackGain (the current "App Audio Gain" value on the Mixed Reality Capture page in Windows Device Portal)
- MicrophoneGain (the current "Mic Audio Gain" value on the Mixed Reality Capture page in Windows Device Portal)
- The HolographicSpace.UserPresence API is generally disabled for Unity applications to avoid an issue which causes some apps to pause when the visor is flipped up, even if the setting to run in the background is enabled. The API is now enabled for Unity versions 2018.4.18 and higher, and 2019.3.4 and higher.
- Fixed an issue that caused HoloLens apps that change their pixel format to render black in the HoloLens emulator.
- Fixes an issue around launches of the Photos app in initial boots after updating from the 1903 release.
## Windows Holographic, version 2004
Build - 19041.1103
@ -32,15 +78,12 @@ We are excited to announce our May 2020 major software update for HoloLens 2, **
| Improved provisioning | Seamlessly apply a provisioning package from a USB drive to your HoloLens |
| Application install status | Check install status for apps have been pushed to HoloLens 2 via MDM, in the Settings app |
| Configuration Service Providers (CSPs) | Added new Configuration Service Providers (CSPs) enhancing admin control capabilities. |
| USB 5G/LTE support | Expanded USB Ethernet capability enables support for 5G/LTE dongles |
| USB 5G/LTE support | Expanded USB Ethernet capability enables support for 5G/LTE |
| Dark App Mode | Dark App Mode for apps that support both dark and light modes, improving the viewing experience |
| Voice Commands | Support for additional system voice commands to control HoloLens, hands-free |
| Hand Tracking improvements | Hand Tracking improvements make buttons and 2D slate interactions more accurate |
| Quality improvements and fixes | Various system performance and reliability improvements across the platform |
> [!Note]
> HoloLens Emulator Release Notes can be found [here](https://docs.microsoft.com/windows/mixed-reality/hololens-emulator-archive).
### Support for Windows Autopilot
Windows Autopilot for HoloLens 2 lets the device sales channel pre-enroll HoloLens into your Intune tenant. When devices arrive, theyre ready to self-deploy as shared devices under your tenant. To take advantage of self-deployment, devices will need to connect to a network during the first screen in setup using either a USB-C to ethernet dongle or USB-C to LTE dongle.

2
devices/hololens/hololens-requirements.md
View File

@ -23,7 +23,7 @@ This document also assumes that the HoloLens has been evaluated by security team
1. [Determine what features you need](hololens-requirements.md#step-1-determine-what-you-need)
1. [Determine what licenses you need](hololens-licenses-requirements.md)
1. [Configure your network for HoloLens](hololens-commercial-infrastructure.md).
1. This section includes bandwidth requirements, URL, and ports that need to be whitelisted on your firewall; Azure AD guidance; Mobile Device Management (MDM) Guidance; app deployment/management guidance; and certificate guidance.
1. This section includes bandwidth requirements, URL, and ports that need to be allowed on your firewall; Azure AD guidance; Mobile Device Management (MDM) Guidance; app deployment/management guidance; and certificate guidance.
1. (Optional) [Configure HoloLens using a provisioning package](hololens-provisioning.md)
1. [Enroll Device](hololens-enroll-mdm.md)
1. [Set up ring based updates for HoloLens](hololens-updates.md)

10
devices/hololens/hololens-troubleshooting.md
View File

@ -27,14 +27,14 @@ This article describes how to resolve several common HoloLens issues.
If your HoloLens won't start:
- If the LEDs next to the power button don't light up, or only one LED briefly blinks, you may need to charge your HoloLens.
- If the LEDs light up when you press the power button but you can't see anything on the displays, hold the power button until all five of the LEDs turn off.
- If the LEDs next to the power button don't light up, or only one LED briefly blinks, you may need to [charge your HoloLens.](hololens-recovery.md#charging-the-device)
- If the LEDs light up when you press the power button but you can't see anything on the displays, [preform a hard reset of the device](hololens-recovery.md#hard-reset-procedure).
If your HoloLens becomes frozen or unresponsive:
- Turn off your HoloLens by pressing the power button until all five of the LEDs turn themselves off, or for 10 seconds if the LEDs are unresponsive. To start your HoloLens, press the power button again.
- Turn off your HoloLens by pressing the power button until all five of the LEDs turn themselves off, or for 15 seconds if the LEDs are unresponsive. To start your HoloLens, press the power button again.
If these steps don't work, you can try [recovering your device](hololens-recovery.md).
If these steps don't work, you can try [recovering your HoloLens 2 device](hololens-recovery.md) or [HoloLens (1st gen) device.](hololens1-recovery.md)
## Holograms don't look good
@ -92,6 +92,6 @@ You'll need to free up some storage space by doing one or more of the following:
The most likely problem is that you're running low on storage space. Try one of the [previous tips](#im-getting-a-low-disk-space-error) to free up some disk space.
## The HoloLens emulators isn't working
## The HoloLens emulator isn't working
Information about the HoloLens emulator is located in our developer documentation. Read more about [troubleshooting the HoloLens emulator](https://docs.microsoft.com/windows/mixed-reality/using-the-hololens-emulator#troubleshooting).

127
devices/hololens/hololens1-recovery.md Normal file
View File

@ -0,0 +1,127 @@
---
title: Restart, reset, or recover HoloLens 1
ms.reviewer: Both basic and advanced instructions for rebooting or resetting your HoloLens.
description: How to use Windows Device Recovery Tool to flash an image to HoloLens 1st Gen.
keywords: how-to, reboot, reset, recover, hard reset, soft reset, power cycle, HoloLens, shut down, wdrt, windows device recovery tool
ms.prod: hololens
ms.sitesec: library
author: evmill
ms.author: v-evmill
ms.date: 06/01/2020
ms.custom:
- CI 111456
- CSSTroubleshooting
ms.topic: article
ms.localizationpriority: high
manager: yannisle
appliesto:
- HoloLens (1st gen)
---
# Restart, reset, or recover HoloLens 1st Gen
If you're experiencing problems with your HoloLens you may want to try a restart, reset, or even re-flash with device recovery.
Here are some things to try if your HoloLens isn't running well. This article will guide you through the recommended recovery steps in succession.
If you are looking to recover a HoloLens 2, please view the page for [Recovering a HoloLens 2](https://docs.microsoft.com/hololens/hololens-recovery), as there are differences in the processes.
This article focuses on the HoloLens device and software, if your holograms don't look right, [this article](hololens-environment-considerations.md) talks about environmental factors that improve hologram quality.
## Restart
### Perform a safe restart by using Cortana
The safest way to restart the HoloLens is by using Cortana. This is generally an easy first-step when experiencing an issue with HoloLens.
> [!NOTE]
> Cortana is not avalible on all devices.
> Cortana is avalible to all HoloLens (1st Gen) devices.
> Cortana is avalible on HoloLens 2 devices on a build prior to the Windows Holograpic, Version 2004 update.
1. Put on your device
1. Make sure it's powered on, a user is logged in, and the device is not waiting for a password to unlock it.
1. Say "Hey Cortana, reboot" or "Hey Cortana, restart."
1. When she acknowledges she will ask you for confirmation. Wait a second for a sound to play after she has finished her question, indicating she is listening to you and then say "Yes."
1. The device will now restart.
### Perform a safe restart by using the power button
If you still can't restart your device, you can try to restart it by using the power button:
1. Press and hold the power button for five seconds.
1. After one second, you will see all five LEDs illuminate, then slowly turn off from right to left.
1. After five seconds, all LEDs will be off, indicating the shutdown command was issued successfully.
1. Note that it's important to stop pressing the button immediately after all the LEDs have turned off.
1. Wait one minute for the shutdown to cleanly succeed. Note that the shutdown may still be in progress even if the displays are turned off.
1. Power on the device again by pressing and holding the power button for one second.
### Perform a safe restart by using Windows Device Portal
> [!NOTE]
> To do this, HoloLens has to be configured as a developer device.
> Read more about [Windows Device Portal](https://docs.microsoft.com/windows/mixed-reality/using-the-windows-device-portal).
If the previous procedure doesn't work, you can try to restart the device by using [Windows Device Portal](https://docs.microsoft.com/windows/mixed-reality/using-the-windows-device-portal). In the upper right corner, there is an option to restart or shut down the device.
### Perform an unsafe forced restart
If none of the previous methods are able to successfully restart your device, you can force a restart. This method is equivalent to pulling the battery from the HoloLens. It is a dangerous operation which may leave your device in a corrupt state. If that happens, you'll have to flash your HoloLens.
> [!WARNING]
> This is a potentially harmful method and should only be used in the event none of the above methods work.
1. Press and hold the power button for at least 10 seconds.
- It's okay to hold the button for longer than 10 seconds.
- It's safe to ignore any LED activity.
1. Release the button and wait for two or three seconds.
1. Power on the device again by pressing and holding the power button for one second.
If you're still having problems, press the power button for 4 seconds, until all of the battery indicators fade out and the screen stops displaying holograms. Wait 1 minute, then press the power button again to turn on the device.
## Reset to factory settings
> [!NOTE]
> The battery needs at least 40 percent charge to reset.
If your HoloLens is still experiencing issues after restarting, try resetting it to factory state. Resetting your HoloLens keeps the version of the Windows Holographic software that's installed on it and returns everything else to factory settings.
If you reset your device, all your personal data, apps, and settings will be erased, including TPM reset. Resetting will only install the latest installed version of Windows Holographic and you will have to redo all the initialization steps (calibrate, connect to Wi-Fi, create a user account, download apps, and so forth).
1. Launch the Settings app, and then select **Update** > **Reset**.
1. Select the **Reset device** option and read the confirmation message.
1. If you agree to reset your device, the device will restart and display a set of spinning gears with a progress bar.
1. Wait about 30 minutes for this process to complete.
1. The reset will complete and the device will restart into the out-of-the-box experience.
## Re-install the operating system
If the device is still having a problem after rebooting and resetting, you can use a recovery tool on your computer to reinstall the HoloLens' operating system and firmware.
All of the data HoloLens needs to reset is packaged in a Full Flash Update (ffu). This is similar to an iso, wim, or vhd. [Learn about FFU image file formats.](https://docs.microsoft.com/windows-hardware/manufacture/desktop/wim-vs-ffu-image-file-formats)
If necessary, you can install a completely new operating system on your HoloLens (1st gen) with the Windows Device Recovery Tool.
Before you use this tool, determine if restarting or resetting your HoloLens fixes the problem. The recovery process may take some time. When you're done, the latest version of the Windows Holographic software approved for your HoloLens will be installed.
To use the tool, you'll need a computer running Windows 10 or later, with at least 4 GB of free storage space. Please note that you can't run this tool on a virtual machine.
### Recover your HoloLens:
1. Download and install the [Windows Device Recovery Tool](https://support.microsoft.com/help/12379/windows-10-mobile-device-recovery-tool-faq) on your computer.
1. Connect the HoloLens (1st gen) to your computer using the Micro USB cable that came with your HoloLens.
1. Run the Windows Device Recovery Tool and follow the instructions.
If the HoloLens (1st gen) isn't automatically detected, select **My device was not detected** and follow the instructions to put your device into recovery mode.
### Manual Flashing Mode:
In the event that your device is not being detected please use the following method to manually place it into flashing mode.
1. Unplug the device from all power sources.
1. If the device is on please hold down the power button until it is completely off.
1. Hold the **Volume Up** button, and breifly tap the **Power button**.
1. The device should boot and then display only the middle LED light.
1. Plug the device into your PC.
1. Launch Windows Device Recovery Tool.
1. You will need to select *My device was not detected**, and then select **HoloLens**.
1. Follow the instructions to recover your device.

3
devices/hololens/hololens1-upgrade-enterprise.md
View File

@ -16,6 +16,9 @@ appliesto:
# Unlock Windows Holographic for Business features
> [!IMPORTANT]
> This page only applies to HoloLens 1st Gen.
Microsoft HoloLens is available in the *Development Edition*, which runs Windows Holographic (an edition of Windows 10 that is designed for HoloLens), and in the [Commercial Suite](hololens-commercial-features.md), which provides extra features designed for business.
When you purchase the Commercial Suite, you receive a license that upgrades Windows Holographic to Windows Holographic for Business. You can apply this license to the device either by using the organization's [mobile device management (MDM) provider](#edition-upgrade-by-using-mdm) or a [provisioning package](#edition-upgrade-by-using-a-provisioning-package).

7
devices/hololens/hololens2-autopilot.md
View File

@ -71,10 +71,9 @@ Review the "[Requirements](https://docs.microsoft.com/windows/deployment/windows
Before you start the OOBE and provisioning process, make sure that the HoloLens devices meet the following requirements:
- The devices are not already members of Azure AD, and are not enrolled in Intune (or another MDM system). The Autopilot self-deploying process completes these steps. To make sure that all the device-related information is cleaned up, check the **Devices** pages in both Azure AD and Intune.
- Every device can connect to the internet. You can "USB C to Ethernet" adapters for wired internet connectivity or "USB C to Wifi" adapters for wireless internet connectivity.
- Every device can connect to a computer by using a USB-C cable, and that computer has the following available:
- Advanced Recovery Companion (ARC)
- The latest Windows update: Windows 10, version 19041.1002.200107-0909 or a later version)
- Every device can connect to the internet. You can use "USB C to Ethernet" adapters for wired internet connectivity or "USB C to Wifi" adapters for wireless internet connectivity.
- Every device can connect to a computer by using a USB-C cable, and that computer has [Advanced Recovery Companion (ARC)](https://www.microsoft.com/p/advanced-recovery-companion/9p74z35sfrs8?rtc=1&activetab=pivot:overviewtab) installed
- Every device has the latest Windows update: Windows 10, version 19041.1002.200107-0909 or a later version.
To configure and manage the Autopilot self-deploying mode profiles, make sure that you have access to [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com).

2
devices/hololens/hololens2-setup.md
View File

@ -104,7 +104,7 @@ Not sure what the indicator lights on your HoloLens mean? Want to know how HoloL
| - | - | - |
| You press the Power button. | One light flashes five times, then turns off. | The HoloLens battery is critically low. Charge your HoloLens. |
| You press the Power button. | All five lights flash five times, then turn off. | HoloLens cannot start correctly and is in an error state. [Reinstall the operating system](hololens-recovery.md) to recover your device. |
| You press the Power button. | The 1st, 3rd, and 5th lights flash together continually. | HoloLens may have a hardware failure. To be sure, [reinstall the OS](hololens-recovery.md#hololens-2), and try again. After reinstalling the OS, if the light-flash pattern persists, contact [support](https://support.microsoft.com/en-us/supportforbusiness/productselection?sapid=3ec35c62-022f-466b-3a1e-dbbb7b9a55fb). |
| You press the Power button. | The 1st, 3rd, and 5th lights flash together continually. | HoloLens may have a hardware failure. To be sure, [reinstall the OS](hololens-recovery.md), and try again. After reinstalling the OS, if the light-flash pattern persists, contact [support](https://support.microsoft.com/en-us/supportforbusiness/productselection?sapid=3ec35c62-022f-466b-3a1e-dbbb7b9a55fb). |
## Safety and comfort

BIN
devices/hololens/images/ARC1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 26 KiB

BIN
devices/hololens/images/ARC2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 39 KiB

BIN
devices/hololens/images/MicrosoftHoloLens_DeviceManager.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 9.9 KiB

BIN
devices/hololens/images/ResetRecovery1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 150 KiB

BIN
devices/hololens/images/ResetRecovery2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 20 KiB

1
devices/surface-hub/TOC.md
View File

@ -32,6 +32,7 @@
### [Create provisioning packages for Surface Hub 2S](surface-hub-2s-deploy.md)
### [Deploy apps to Surface Hub 2S using Intune](surface-hub-2s-deploy-apps-intune.md)
### [Create Surface Hub 2S on-premises accounts with PowerShell](surface-hub-2s-onprem-powershell.md)
### [Surface Hub Teams app](hub-teams-app.md)
## Manage
### [Manage Surface Hub 2S with Microsoft Intune](surface-hub-2s-manage-intune.md)

34
devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
View File

@ -16,7 +16,6 @@ ms.localizationpriority: medium
# PowerShell for Surface Hub
PowerShell scripts to help set up and manage your Microsoft Surface Hub.
- [PowerShell scripts for Surface Hub admins](#scripts-for-admins)
@ -30,7 +29,6 @@ PowerShell scripts to help set up and manage your Microsoft Surface Hub.
- [Auto-accepting and declining meeting requests](#auto-accept-meetings-cmdlet)
- [Accepting external meeting requests](#accept-ext-meetings-cmdlet)
## Prerequisites
To successfully execute these PowerShell scripts, you will need to install the following prerequisites:
@ -41,7 +39,6 @@ To successfully execute these PowerShell scripts, you will need to install the f
## <a href="" id="scripts-for-admins"></a>PowerShell scripts for Surface Hub administrators
What do the scripts do?
- Create device accounts for setups using pure single-forest on-premises (Microsoft Exchange and Skype 2013 and later only) or online (Microsoft Office 365), that are configured correctly for your Surface Hub.
@ -56,11 +53,8 @@ What do you need in order to run the scripts?
> [!NOTE]
> Whether youre creating a new account or modifying an already-existing account, the validation script will verify that your device account is configured correctly. You should always run the validation script before adding a device account to Surface Hub.
 
## Running the scripts
The account creation scripts will:
- Ask for administrator credentials
@ -178,11 +172,8 @@ These are the attributes that are set by the scripts:
</tbody>
</table>
 
## Account creation scripts
These scripts will create a device account for you. You can use the [Account verification script](#acct-verification-ps-scripts) to make sure they ran correctly.
The account creation scripts cannot modify an already existing account, but can be used to help you understand which cmdlets need to be run to configure the existing account correctly.
@ -257,7 +248,6 @@ if (!$credNewAccount -Or [System.String]::IsNullOrEmpty($strDisplayName) -Or [Sy
exit 1
}
## Sign in to remote powershell for exchange and lync online ##
$credExchange = $null
@ -307,7 +297,8 @@ Import-PSSession $sessExchange -AllowClobber -WarningAction SilentlyContinue
Import-PSSession $sessLync -AllowClobber -WarningAction SilentlyContinue
## Create the Exchange mailbox ##
# Note: These exchange commandlets do not always throw their errors as exceptions
> [!Note]
> These exchange commandlets do not always throw their errors as exceptions
# Because Get-Mailbox will throw an error if the mailbox is not found
$Error.Clear()
@ -324,7 +315,6 @@ $status["Mailbox Setup"] = "Successfully created a mailbox for the new account"
$strEmail = $mailbox.WindowsEmailAddress
PrintSuccess "The following mailbox has been created for this room: $strEmail"
## Create or retrieve a policy that will be applied to surface hub devices ##
# The policy disables requiring a device password so that the SurfaceHub does not need to be lockable to use Active Sync
$strPolicy = Read-Host 'Please enter the name for a new Surface Hub ActiveSync policy that will be created and applied to this account.
@ -674,7 +664,8 @@ Import-PSSession $sessExchange -AllowClobber -WarningAction SilentlyContinue
Import-PSSession $sessCS -AllowClobber -WarningAction SilentlyContinue
## Create the Exchange mailbox ##
# Note: These exchange commandlets do not always throw their errors as exceptions
> [!Note]
> These exchange commandlets do not always throw their errors as exceptions
# Because Get-Mailbox will throw an error if the mailbox is not found
$Error.Clear()
@ -994,7 +985,6 @@ else
## <a href="" id="acct-verification-ps-scripts"></a>Account verification script
This script will validate the previously-created device account on a Surface Hub, no matter which method was used to create it. This script is basically pass/fail. If one of the test errors out, it will show a detailed error message, but if all tests pass, the end result will be a summary report. For example, you might see:
``` syntax
@ -1446,7 +1436,6 @@ Cleanup
## <a href="" id="enable-sfb-ps-scripts"></a>Enable Skype for Business
This script will enable Skype for Business on a device account. Use it only if Skype for Business wasn't previously enabled during account creation.
```PowerShell
@ -1607,7 +1596,6 @@ Cleanup
## Useful cmdlets
### <a href="" id="create-compatible-as-policy"></a>Creating a Surface Hub-compatible ActiveSync policy
For Surface Hub to use Exchange services, a device account configured with a compatible ActiveSync policy must be provisioned on the device. This policy has the following requirements:
@ -1674,19 +1662,9 @@ Set-CalendarProcessing $strRoomUpn -AutomateProcessing AutoAccept
For a device account to accept external meeting requests (a meeting request from an account not in the same tenant/domain), the device account must be set to allow processing of external meeting requests. Once set, the device account will automatically accept or decline meeting requests from external accounts as well as local accounts.
>**Note**  If the **AutomateProcessing** attribute is not set to **AutoAccept**, then setting this will have no effect.
 
> [!Note]
> If the **AutomateProcessing** attribute is not set to **AutoAccept**, then setting this will have no effect.
```PowerShell
Set-CalendarProcessing $strRoomUpn -ProcessExternalMeetingMessages $true
```
 
 

4
devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md
View File

@ -21,10 +21,10 @@ The Microsoft Surface Hub's device account uses ActiveSync to sync mail and cale
For these features to work, the ActiveSync policies for your organization must be configured as follows:
- There can't be any global policies that block synchronization of the resource mailbox that's being used by the Surface Hubs device account. If there is such a blocking policy, you need to whitelist the Surface Hub as an allowed device.
- There can't be any global policies that block synchronization of the resource mailbox that's being used by the Surface Hubs device account. If there is such a blocking policy, you need to add the Surface Hub as an allowed device.
- You must set a mobile device mailbox policy where the **PasswordEnabled** setting is set to False. Other mobile device mailbox policy settings are not compatible with the Surface Hub.
## Whitelisting the DeviceID
## Allowing the DeviceID
Your organization may have a global policy that prevents syncing of device accounts provisioned on Surface Hubs. To configure this property, see [Allowing device IDs for ActiveSync](appendix-a-powershell-scripts-for-surface-hub.md#whitelisting-device-ids-cmdlet).

2
devices/surface-hub/create-and-test-a-device-account-surface-hub.md
View File

@ -38,7 +38,7 @@ This table explains the main steps and configuration decisions when you create a
| 2 | Configure mailbox properties | The mailbox must be configured with the correct properties to enable the best meeting experience on Surface Hub. For more information on mailbox properties, see [Mailbox properties](exchange-properties-for-surface-hub-device-accounts.md). |
| 3 | Apply a compatible mobile device mailbox policy to the mailbox | Surface Hub is managed using mobile device management (MDM) rather than through mobile device mailbox policies. For compatibility, the device account must have a mobile device mailbox policy where the **PasswordEnabled** setting is set to False. Otherwise, Surface Hub can't sync mail and calendar info. |
| 4 | Enable mailbox with Skype for Business (Lync Server 2013 or later, or Skype for Business Online) | Skype for Business must be enabled to use conferencing features like video calls, IM, and screen sharing. |
| 5 | (Optional) Whitelist ActiveSync Device ID | Your organization may have a global policy that prevents device accounts from syncing mail and calendar info. If so, you need to whitelist the ActiveSync Device ID of your Surface Hub. |
| 5 | (Optional) Whitelist ActiveSync Device ID | Your organization may have a global policy that prevents device accounts from syncing mail and calendar info. If so, you need to allow the ActiveSync Device ID of your Surface Hub. |
| 6 | (Optional) Disable password expiration | To simplify management, you can turn off password expiration for the device account and allow Surface Hub to automatically rotate the device account password. For more information about password management, see [Password management](password-management-for-surface-hub-device-accounts.md). |
## Detailed configuration steps

24
devices/surface-hub/hub-teams-app.md Normal file
View File

@ -0,0 +1,24 @@
---
title: Microsoft Teams app for Surface Hub
description: Provides a version history of updates for the Microsoft Teams app for Surface Hub
keywords: surface, hub,
ms.prod: surface-hub
ms.sitesec: library
author: greglin
ms.author: greglin
ms.topic: article
ms.date: 06/15/2020
ms.localizationpriority: medium
---
# Microsoft Teams app for Surface Hub
The Microsoft Teams app for Surface Hub is periodically updated and available via the [Microsoft Store](https://www.microsoft.com/store/apps/windows). If you manage Surface Hub with Automatic Updates enabled (default setting), the app will update automatically.
## Version history
| Store app version | Updates | Published to Microsoft Store |
| --------------------- | --------------------------------------------------------------------------------------------------- | -------------------------------- |
| 0.2020.13201.0 | - 3x3 Gallery view on Surface Hub<br>- Ability to search for External users | June 10, 2020<br> |
| 0.2020.13201 | - Quality improvements and Bug fixes | June 1, 2020<br> |
| 0.2020.4301.0 | - Accept incoming PSTN calls on Surface Hub<br>- Consume Attendee/Presenter role changes | May 21, 2020 |

182
devices/surface-hub/index.yml
View File

@ -1,116 +1,101 @@
### YamlMime:Hub
### YamlMime:Landing
title: Surface Hub documentation # < 60 chars
summary: Surface Hub 2S is an all-in-one digital interactive whiteboard, meetings platform, and collaborative computing device. # < 160 chars
# brand: aspnet | azure | dotnet | dynamics | m365 | ms-graph | office | power-bi | power-platform | sql | sql-server | vs | visual-studio | windows | xamarin
brand: windows
metadata:
title: Surface Hub documentation # Required; page title displayed in search results. Include the brand. < 60 chars.
description: Get started with Microsoft Surface Hub. # Required; article description that is displayed in search results. < 160 chars.
services: product-insights
description: Get started with Microsoft Surface Hub # Required; article description that is displayed in search results. < 160 chars.
ms.service: product-insights #Required; service per approved list. service slug assigned to your service by ACOM.
ms.topic: hub-page # Required
ms.prod: surface-hub
ms.technology: windows
audience: ITPro
ms.localizationpriority: medium
ms.topic: landing-page # Required
manager: laurawi
author: greg-lindsay #Required; your GitHub user alias, with correct capitalization.
ms.author: greglin #Required; microsoft alias of author; optional team alias.
manager: laurawi
audience: itpro
ms.localizationpriority: High
# highlightedContent section (optional)
# Maximum of 8 items
highlightedContent:
# itemType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new
items:
# Card
- title: What's new in Surface Hub 2S?
itemType: whats-new
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new
landingContent:
# Cards and links should be based on top customer tasks or top subjects
# Start card title with a verb
# Card (optional)
- title: Surface devices
linkLists:
- linkListType: overview
links:
- text: What's new in Surface Hub 2S?
url: surface-hub-2s-whats-new.md
# Card
- title: Surface Hub security overview
itemType: learn
url: surface-hub-security.md
# Card
- title: Manage Surface Hub 2S with Intune
itemType: how-to-guide
url: surface-hub-2s-manage-intune.md
# Card
- title: Operating system essentials
itemType: learn
- text: Surface Hub 2S tech specs
url: surface-hub-2s-techspecs.md
- text: Operating system essentials
url: differences-between-surface-hub-and-windows-10-enterprise.md
# Card
- title: Surface Hub 2S Site Readiness Guide
itemType: learn
# Card (optional)
- title: Get started
linkLists:
- linkListType: get-started
links:
- text: Surface Hub 2S Site Readiness Guide
url: surface-hub-2s-site-readiness-guide.md
# Card
- title: Customize Surface Hub 2S installation
itemType: how-to-guide
- text: Customize Surface Hub 2S installation
url: surface-hub-2s-custom-install.md
# productDirectory section (optional)
productDirectory:
title: Deploy, manage, and support your Surface Hub devices # < 60 chars (optional)
summary: Find related links to deploy, manage and support your Surface Hub devices. # < 160 chars (optional)
items:
# Card
- title: Deploy
# imageSrc should be square in ratio with no whitespace
imageSrc: https://docs.microsoft.com/office/media/icons/deploy-blue.svg
links:
- url: surface-hub-2s-adoption-kit.md
text: Surface Hub 2S adoption and training
- url: surface-hub-2s-deploy-checklist.md
text: Surface Hub 2S deployment checklist
- url: surface-hub-2s-account.md
text: Create device account
# Card
- title: Manage
imageSrc: https://docs.microsoft.com/office/media/icons/process-flow-blue.svg
links:
- url: surface-hub-2s-manage-intune.md
text: Manage with Intune
- url: local-management-surface-hub-settings.md
text: Manage local settings
# Card
- title: Secure
imageSrc: https://docs.microsoft.com/office/media/icons/security-blue.svg
links:
- url: surface-hub-2s-secure-with-uefi-semm.md
text: Secure with UEFI and SEMM
- url: surface-hub-wifi-direct.md
text: Wi-Fi security considerations
# Card
- title: Troubleshoot
imageSrc: https://docs.microsoft.com/office/media/icons/connector-blue.svg
links:
- url: https://support.microsoft.com/help/4493926
text: Service and warranty
- url: surface-hub-2s-recover-reset.md
text: Recover & reset Surface Hub 2S
- url: support-solutions-surface-hub.md
text: Surface Hub support solutions
- url: https://support.office.com/article/Enable-Microsoft-Whiteboard-on-Surface-Hub-b5df4539-f735-42ff-b22a-0f5e21be7627
text: Enable Microsoft Whiteboard on Surface Hub
# additionalContent section (optional)
# Card with links style
additionalContent:
# Supports up to 3 sections
sections:
- title: Other content # < 60 chars (optional)
summary: Find related links for videos, community and support. # < 160 chars (optional)
items:
# Card
- title: Get ready for Surface Hub 2S
links:
- text: Ordering Surface Hub 2S
url: https://www.microsoft.com/p/surface-hub-2S/8P62MW6BN9G4?activetab=pivot:overviewtab
- text: Prepare your environment for Surface Hub 2S
url: surface-hub-2s-prepare-environment.md
# Card
- title: Deploy Surface Hub
linkLists:
- linkListType: deploy
links:
- text: Surface Hub 2S adoption and training
url: surface-hub-2s-adoption-kit.md
- text: Surface Hub 2S deployment checklist
url: surface-hub-2s-deploy-checklist.md
- text: Create device account
url: surface-hub-2s-account.md
# Card
- title: Manage Surface devices
linkLists:
- linkListType: how-to-guide
links:
- text: Manage Surface Hub 2S with Intune
url: surface-hub-2s-manage-intune.md
- text: Manage local settings
url: local-management-surface-hub-settings.md
- text: Manage Windows updates on Surface Hub
url: manage-windows-updates-for-surface-hub.md
# Card
- title: Explore security guidance
linkLists:
- linkListType: learn
links:
- text: Secure and manage Surface Hub 2S with SEMM and UEFI
url: surface-hub-2s-secure-with-uefi-semm.md
- text: Wi-Fi security considerations
url: surface-hub-wifi-direct.md
- text: Surface Hub security overview
url: surface-hub-security.md
# Card
- title: Troubleshoot Surface Hub
linkLists:
- linkListType: learn
links:
- text: Service and warranty
url: https://support.microsoft.com/help/4493926
- text: Recover & reset Surface Hub 2S
url: surface-hub-2s-recover-reset.md
- text: Surface Hub support solutions
url: support-solutions-surface-hub.md
# Card
- title: Surface Hub 2S Videos
linkLists:
- linkListType: video
links:
- text: Adoption and training videos
url: surface-hub-2s-adoption-videos.md
@ -118,10 +103,3 @@ additionalContent:
url: https://www.youtube.com/watch?v=CH2seLS5Wb0
- text: Surface Hub 2S with Microsoft 365
url: https://www.youtube.com/watch?v=I4N2lQX4WyI&list=PLXtHYVsvn_b__1Baibdu4elN4SoF3JTBZ&index=7
# Card
- title: Community
links:
- text: Join the Surface Hub Technical Community
url: https://techcommunity.microsoft.com/t5/Surface-Hub/bd-p/SurfaceHub
- text: Join the Surface Devices Technical Community
url: https://techcommunity.microsoft.com/t5/Surface-Devices/ct-p/SurfaceDevices

12
devices/surface-hub/local-management-surface-hub-settings.md
View File

@ -40,12 +40,12 @@ Surface Hubs have many settings that are common to other Windows devices, but al
| Wireless projection (Miracast) channel | Surface Hub > Projection | Set the channel for Miracast projection. |
| Meeting info shown on the welcome screen | Surface Hub > Welcome screen | Choose whether meeting organizer, time, and subject show up on the welcome screen. |
| Welcome screen background | Surface Hub > Welcome screen | Choose a background image for the welcome screen. |
| Idle timeout to Welcome screen | Surface Hub > Session & Power | Choose how long until the Surface Hub returns to the welcome screen after no motion is detected. |
| Resume session | Surface Hub > Session & Power | Choose to allow users to resume a session after no motion is detected or to automatically clean up a session. |
| Access to Office 365 meetings and files | Surface Hub > Session & Power | Choose whether a user can sign in to Office 365 to get access to their meetings and files. |
| Turn on screen with motion sensors | Surface Hub > Session & clean up | Choose whether the screen turns on when motion is detected. |
| Session time out | Surface Hub > Session & clean up | Choose how long the device needs to be inactive before returning to the welcome screen. |
| Sleep time out | Surface Hub > Session & clean up | Choose how long the device needs to be inactive before going to sleep mode. |
| Session timeout to Welcome screen | Surface Hub > Session & power | Choose how long until the Surface Hub returns to the welcome screen after no motion is detected. |
| Resume session | Surface Hub > Session & power | Choose to allow users to resume a session after no motion is detected or to automatically clean up a session. |
| Access to Office 365 meetings and files | Surface Hub > Session & power | Choose whether a user can sign in to Office 365 to get access to their meetings and files. |
| Turn on screen with motion sensors | Surface Hub > Session & power | Choose whether the screen turns on when motion is detected. |
| Screen time out | Surface Hub > Session & power | Choose how long the device needs to be inactive before turning off the screen. |
| Sleep time out | Surface Hub > Session & power | Choose how long the device needs to be inactive before going to sleep mode. |
| Friendly name | Surface Hub > About | Set the Surface Hub name that people will see when connecting wirelessly. |
| Maintenance hours | Update & security > Windows Update > Advanced options | Configure when updates can be installed. |
| Configure Windows Server Update Services (WSUS) server | Update & security > Windows Update > Advanced options | Change whether Surface Hub receives updates from a WSUS server instead of Windows Update. |

21
devices/surface-hub/surface-hub-2s-adoption-videos.md
View File

@ -9,7 +9,6 @@ ms.author: greglin
manager: laurawi
audience: Admin
ms.topic: article
ms.date: 11/04/2019
ms.localizationpriority: Medium
---
@ -19,7 +18,7 @@ This page contains comprehensive training for Surface Hub 2S, available on deman
## Chapter 1 - Training overview
> ![VIDEO <https://www.microsoft.com/videoplayer/embed/RE46Jud>]<br>
> [!video https://www.microsoft.com/videoplayer/embed/RE46Jud]
- Welcome and introduction
- Training overview and agenda
@ -31,7 +30,7 @@ This page contains comprehensive training for Surface Hub 2S, available on deman
## Chapter 2 - Getting started with Surface Hub
> ![VIDEO <https://www.microsoft.com/videoplayer/embed/RE46Ejt>]<br>
> [!video https://www.microsoft.com/videoplayer/embed/RE46Ejt]
- What is Surface Hub?
- Technical overview
@ -42,7 +41,7 @@ This page contains comprehensive training for Surface Hub 2S, available on deman
## Chapter 3 - Navigating Surface Hub
> ![VIDEO <https://www.microsoft.com/videoplayer/embed/RE46OFW>]<br>
> [!video https://www.microsoft.com/videoplayer/embed/RE46OFW]
- Welcome screen
- Start menu
@ -54,7 +53,7 @@ This page contains comprehensive training for Surface Hub 2S, available on deman
## Chapter 4 - Whiteboarding and collaboration
> ![VIDEO <https://www.microsoft.com/videoplayer/embed/RE46M4v>]<br>
> [!video https://www.microsoft.com/videoplayer/embed/RE46M4v]
- Whiteboard introduction
- Starting the Whiteboard
@ -66,7 +65,7 @@ This page contains comprehensive training for Surface Hub 2S, available on deman
## Chapter 5 - Exploring Surface Hub apps
> ![VIDEO <https://www.microsoft.com/videoplayer/embed/RE46Ejz>]<br>
> [!video https://www.microsoft.com/videoplayer/embed/RE46Ejz]
- Surface Hub apps introduction
- PowerPoint overview
@ -76,7 +75,7 @@ This page contains comprehensive training for Surface Hub 2S, available on deman
## Chapter 6 - Advanced apps and Office 365
> ![VIDEO <https://www.microsoft.com/videoplayer/embed/RE46EjA>]<br>
> [!video https://www.microsoft.com/videoplayer/embed/RE46EjA]
- Advanced apps introduction
- Microsoft Maps
@ -88,7 +87,7 @@ This page contains comprehensive training for Surface Hub 2S, available on deman
## Chapter 7 - Connecting devices
> ![VIDEO <https://www.microsoft.com/videoplayer/embed/RE46M4w>]<br>
> [!video https://www.microsoft.com/videoplayer/embed/RE46M4w]
- Connect introduction
- Miracast overview
@ -99,7 +98,7 @@ This page contains comprehensive training for Surface Hub 2S, available on deman
## Chapter 8 - Skype for Business meetings
> ![VIDEO <https://www.microsoft.com/videoplayer/embed/RE46M4x>]<br>
> [!video https://www.microsoft.com/videoplayer/embed/RE46M4x]
- Introduction to Skype for Business
-Scheduling Skype for Business meetings
@ -111,7 +110,7 @@ This page contains comprehensive training for Surface Hub 2S, available on deman
## Chapter 9 - Microsoft Teams meetings
> ![VIDEO <https://www.microsoft.com/videoplayer/embed/RE46OFZ>]<br>
> [!video https://www.microsoft.com/videoplayer/embed/RE46OFZ]
- Introduction to Microsoft Teams
- Scheduling Microsoft Teams meetings
@ -124,7 +123,7 @@ This page contains comprehensive training for Surface Hub 2S, available on deman
## Chapter 10 - Basic troubleshooting
> ![VIDEO <https://www.microsoft.com/videoplayer/embed/RE46z65>]<br>
> [!video https://www.microsoft.com/videoplayer/embed/RE46z65]
- Introduction to Surface Hub troubleshooting
- Application troubleshooting

2
devices/surface-hub/troubleshoot-surface-hub.md
View File

@ -415,7 +415,7 @@ Possible fixes for issues with Surface Hub first-run program.
<td align="left"><p>Can't sync mail/calendar.</p></td>
<td align="left"><p>The account has not allowed the Surface Hub as an allowed device.</p></td>
<td align="left"><p>0x86000C1C</p></td>
<td align="left"><p>Add the Surface Hub device ID to the whitelist by setting the <strong>ActiveSyncAllowedDeviceIds</strong> property for the mailbox.</p></td>
<td align="left"><p>Add the Surface Hub device ID to the allowed list by setting the <strong>ActiveSyncAllowedDeviceIds</strong> property for the mailbox.</p></td>
</tr>
</tbody>
</table>

4
devices/surface/TOC.md
View File

@ -51,16 +51,18 @@
### [Surface Brightness Control](microsoft-surface-brightness-control.md)
### [Surface Asset Tag](assettag.md)
## Secure
### [Intune management of Surface UEFI settings](surface-manage-dfci-guide.md)
### [Manage Surface UEFI settings](manage-surface-uefi-settings.md)
### [Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md)
### [Surface Enterprise Management Mode](surface-enterprise-management-mode.md)
### [Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md)
### [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md)
### [Secure Surface Dock 2 ports with SEMM](secure-surface-dock-ports-semm.md)
### [Use Microsoft Endpoint Configuration Manager to manage devices with SEMM](use-system-center-configuration-manager-to-manage-devices-with-semm.md)
### [Surface Data Eraser](microsoft-surface-data-eraser.md)
### [Surface DMA Protection](dma-protect.md)
## Troubleshoot
### [Top support solutions for Surface devices](support-solutions-surface.md)

2
devices/surface/battery-limit.md
View File

@ -25,7 +25,7 @@ Setting the device on Battery Limit changes the protocol for charging the device
## Supported devices
The Battery Limit UEFI setting is built into the latest Surface devices including Surface Pro 7 and Surface Laptop 3. Earlier devices require a
[Surface UEFI firmware update](update.md), available through Windows Update or via the MSI driver and firmware packages on the [Surface Support site](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware-for-surface). Check [Enable "Battery Limit" for Surface devices that have to be plugged in for extended periods of time](https://support.microsoft.com/help/4464941) for the specific Surface UEFI version required for each supported device.
[Surface UEFI firmware update](manage-surface-driver-and-firmware-updates.md), available through Windows Update or via the MSI driver and firmware packages on the [Surface Support site](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware-for-surface). Check [Enable "Battery Limit" for Surface devices that have to be plugged in for extended periods of time](https://support.microsoft.com/help/4464941) for the specific Surface UEFI version required for each supported device.
## Enabling Battery Limit in Surface UEFI (Surface Pro 4 and later)

22
devices/surface/dma-protect.md Normal file
View File

@ -0,0 +1,22 @@
---
title: Surface DMA Protection
description: This article describes DMA protection on compatible Surface devices
ms.prod: w10
ms.mktglfcycl: manage
ms.localizationpriority: medium
ms.sitesec: library
author: coveminer
ms.author: greglin
ms.topic: article
ms.date: 6/10/2020
ms.reviewer: carlol
manager: laurawi
audience: itpro
---
# DMA Protection on Surface devices
Direct Memory Access (DMA) protection is designed to mitigate potential security vulnerabilities associated with using removable SSDs or external storage devices. Newer Surface devices come with DMA Protection enabled by default. These include Surface Pro 7, Surface Laptop 3, and Surface Pro X. To check the presence of DMA protection feature on your device, open System Information (**Start** > **msinfo32.exe**), as shown in the figure below.
![System information showing DMA Protection enabled](images/systeminfodma.png)
If a Surface removable SSD is tampered with, the device will shutoff power. The resulting reboot causes UEFI to wipe memory, to erase any residual data.

23
devices/surface/enable-surface-keyboard-for-windows-pe-deployment.md
View File

@ -97,6 +97,29 @@ To support Surface Laptop 3 with Intel Processor, import the following folders:
- SurfaceUpdate\SurfaceSerialHub
- SurfaceUpdate\SurfaceHotPlug
- SurfaceUpdate\Itouch
Importing the following folders will enable full keyboard, trackpad, and touch functionality in PE for Surface Laptop 3.
- IclSerialIOGPIO
- IclSerialIOI2C
- IclSerialIOSPI
- IclSerialIOUART
- itouch
- IclChipset
- IclChipsetLPSS
- IclChipsetNorthpeak
- ManagementEngine
- SurfaceAcpiNotify
- SurfaceBattery
- SurfaceDockIntegration
- SurfaceHidMini
- SurfaceHotPlug
- SurfaceIntegration
- SurfaceSerialHub
- SurfaceService
- SurfaceStorageFwUpdate
> [!NOTE]
> Check the downloaded MSI package to determine the format and directory structure. The directory structure will start with either SurfacePlatformInstaller (older MSI files) or SurfaceUpdate (Newer MSI files) depending on when the MSI was released.

4
devices/surface/get-started.yml
View File

@ -72,10 +72,10 @@ landingContent:
linkLists:
- linkListType: how-to-guide
links:
- text: Secure Surface Dock 2 ports with Surface Enterprise Management Mode (SEMM)
url: secure-surface-dock-ports-semm.md
- text: Intune management of Surface UEFI settings
url: surface-manage-dfci-guide.md
- text: Surface Enterprise Management Mode (SEMM)
url: surface-enterprise-management-mode.md
- text: Surface Data Eraser tool
url: microsoft-surface-data-eraser.md

BIN
devices/surface/images/secure-surface-dock-ports-semm-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 94 KiB

BIN
devices/surface/images/secure-surface-dock-ports-semm-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 33 KiB

BIN
devices/surface/images/secure-surface-dock-ports-semm-3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 94 KiB

BIN
devices/surface/images/secure-surface-dock-ports-semm-4.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 67 KiB

BIN
devices/surface/images/secure-surface-dock-ports-semm-5.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 43 KiB

BIN
devices/surface/images/secure-surface-dock-ports-semm-6.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 72 KiB

BIN
devices/surface/images/systeminfodma.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 119 KiB

6
devices/surface/manage-surface-driver-and-firmware-updates.md
View File

@ -35,7 +35,7 @@ Microsoft Endpoint Configuration Manager allows you to synchronize and deploy Su
For detailed steps, see the following resources:
- [How to manage Surface driver updates in Configuration Manager](https://docs.microsoft.com/surface/manage-surface-driver-updates-configuration-manager.md)
- [How to manage Surface driver updates in Configuration Manager](https://docs.microsoft.com/surface/manage-surface-driver-updates-configuration-manager)
- [Deploy applications with Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/deploy-applications)
- [Endpoint Configuration Manager documentation](https://docs.microsoft.com/configmgr/)
@ -142,8 +142,8 @@ This file name provides the following information:
## Learn more
- [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware)
- [How to manage Surface driver updates in Configuration Manager.](https://support.microsoft.com/help/4098906/manage-surface-driver-updates-in-configuration-manager)
- [Deploy applications with Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/deploy-applications).
- [How to manage Surface driver updates in Configuration Manager](https://support.microsoft.com/help/4098906/manage-surface-driver-updates-in-configuration-manager)
- [Deploy applications with Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/deploy-applications)
- [Endpoint Configuration Manager documentation](https://docs.microsoft.com/configmgr/)
- [Microsoft Deployment Toolkit documentation](https://docs.microsoft.com/configmgr/mdt/)
- [Deploy Windows 10 with the Microsoft Deployment Toolkit](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit)

1
devices/surface/manage-surface-driver-updates-configuration-manager.md
View File

@ -11,7 +11,6 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: surface, devices
ms.sitesec: library
author: coveminer
ms.author: daclark
ms.topic: article
audience: itpro

168
devices/surface/secure-surface-dock-ports-semm.md Normal file
View File

@ -0,0 +1,168 @@
---
title: Secure Surface Dock 2 ports with Surface Enterprise Management Mode (SEMM)
description: This document provides guidance for configuring UEFI port settings for Surface Dock 2 when connected to compatible Surface devices including Surface Book 3, Surface Laptop 3, and Surface Pro 7.
ms.assetid: 2808a8be-e2d4-4cb6-bd53-9d10c0d3e1d6
ms.reviewer:
manager: laurawi
keywords: Troubleshoot common problems, setup issues
ms.prod: w10
ms.mktglfcycl: support
ms.sitesec: library
ms.pagetype: surfacehub
author: v-miegge
ms.author: jesko
ms.topic: article
ms.date: 06/08/2020
ms.localizationpriority: medium
ms.audience: itpro
---
# Secure Surface Dock 2 ports with Surface Enterprise Management Mode (SEMM)
## Introduction
Surface Enterprise Management Mode (SEMM) enables IT admins to secure and manage Surface Dock 2 ports by configuring UEFI settings in a Windows installer configuration package (.MSI file) deployed to compatible Surface devices across a corporate environment.
### Supported devices
Managing Surface Dock 2 with SEMM is available for docks connected to Surface Book 3, Surface Laptop 3, and Surface Pro 7. These compatible Surface devices are commonly referred to as **host devices**. A package is applied to host devices based on if a host device is **authenticated** or **unauthenticated**. Configured settings reside in the UEFI layer on host devices enabling you — the IT admin — to manage Surface Dock 2 just like any other built-in peripheral such as the camera.
>[!NOTE]
>You can manage Surface Dock 2 ports only when the dock is connected to one of the following compatible devices: Surface Book 3, Surface Laptop 3, and Surface Pro 7. Any device that doesn't receive the UEFI Authenticated policy settings is inherently an unauthenticated device.
### Scenarios
Restricting Surface Dock 2 to authorized persons signed into a corporate host device provides another layer of data protection. This ability to lock down Surface Dock 2 is critical for specific customers in highly secure environments who want the functionality and productivity benefits of the dock while maintaining compliance with strict security protocols. We anticipate SEMM used with Surface Dock 2 will be particularly useful in open offices and shared spaces especially for customers who want to lock USB ports for security reasons. For a video demo, check out [SEMM for Surface Dock 2](https://youtu.be/VLV19ISvq_s).
## Configuring and deploying UEFI settings for Surface Dock 2
This section provides step-by-step guidance for the following tasks:
1. Install [**Surface UEFI Configurator**](https://www.microsoft.com/download/details.aspx?id=46703).
1. Create or obtain public key certificates.
1. Create an .MSI configuration package.
1. Add your certificates.
1. Enter the 16-digit RN number for your Surface Dock 2 devices.
1. Configure UEFI settings.
1. Build and apply the configuration package to targeted Surface devices (Surface Book 3, Surface Laptop 3, or Surface Pro 7.)
>[!NOTE]
>The **Random Number (RN)** is a unique 16-digit hex code identifier which is provisioned at the factory, and printed in small type on the underside of the dock. The RN differs from most serial numbers in that it can't be read electronically. This ensures proof of ownership is primarily established only by reading the RN when physically accessing the device. The RN may also be obtained during the purchase transaction and is recorded in Microsoft inventory systems.
### Install SEMM and Surface UEFI Configurator
Install SEMM by running **SurfaceUEFI_Configurator_v2.71.139.0.msi**. This is a standalone installer and contains everything you need to create and distribute configuration packages for Surface Dock 2.
- Download **Surface UEFI Configurator** from [Surface Tools for IT](https://www.microsoft.com/en-us/download/details.aspx?id=46703).
## Create public key certificates
This section provides specifications for creating the certificates needed to manage ports for Surface Dock 2.
### Prerequisites
This article assumes that you either obtain certificates from a third-party provider or you already have expertise in PKI certificate services and know how to create your own. You should be familiar with and follow the general recommendations for creating certificates as described in [Surface Enterprise Management Mode (SEMM)](https://docs.microsoft.com/surface/surface-enterprise-management-mode) documentation, with one exception. The certificates documented on this page require expiration terms of 30 years for the **Dock Certificate Authority**, and 20 years for the **Host Authentication Certificate**.
For more information, see [Certificate Services Architecture](https://docs.microsoft.com/windows/win32/seccrypto/certificate-services-architecture) documentation and review the appropriate chapters in [Windows Server 2019 Inside Out](https://www.microsoftpressstore.com/store/windows-server-2019-inside-out-9780135492277), or [Windows Server 2008 PKI and Certificate Security](https://www.microsoftpressstore.com/store/windows-server-2008-pki-and-certificate-security-9780735640788) available from Microsoft Press.
### Root and host certificate requirements
Prior to creating the configuration package, you need to prepare public key certificates that authenticate ownership of Surface Dock 2 and facilitate any subsequent changes in ownership during the device lifecycle. The host and provisioning certificates require entering EKU IDs otherwise known as **Client Authentication Enhanced Key Usage (EKU) object identifiers (OIDs)**.
The required EKU values are listed in Table 1 and Table 2.
#### Table 1. Root and Dock Certificate requirements
|Certificate|Algorithm|Description|Expiration|EKU OID|
|---|---|---|---|---|
|Root Certificate Authority|ECDSA_P384|- Root certificate with 384-bit prime elliptic curve digital signature algorithm (ECDSA)<br>- SHA 256 Key Usage:<br>CERT_DIGITAL_SIGNATURE_KEY_USAGE<br>- CERT_KEY_CERT_SIGN_KEY_USAGE<br>CERT_CRL_SIGN_KEY_USAGE|30 years|N/A
|Dock Certificate Authority|ECC P256 curve|- Host certificate with 256-bit elliptic-curve cryptography (ECC)<br>- SHA 256 Key Usage:<br>CERT_KEY_CERT_SIGN_KEY_USAGE<br>- Path Length Constraint = 0|20 years|1.3.6.1.4.1.311.76.9.21.2<br>1.3.6.1.4.1.311.76.9.21.3|
>[!NOTE]
>The dock CA must be exported as a .p7b file.
### Provisioning Administration Certificate requirements
Each host device must have the doc CA and two certificates as shown in Table 2.
#### Table 2. Provisioning administration certificate requirements
|Certificate|Algorithm|Description|EKU OID|
|---|---|---|---|
|Host authentication certificate|ECC P256<br>SHA 256|Proves the identity of the host device.|1.3.6.1.4.1.311.76.9.21.2|
|Provisioning administration certificate|ECC P256<br>SHA256|Enables you to change dock ownership and/or policy settings by allowing you to replace the CA that's currently installed on the dock.|1.3.6.1.4.1.311.76.9.21.3<br>1.3.6.1.4.1.311.76.9.21.4|
>[!NOTE]
>The host authentication and provisioning certificates must be exported as .pfx files.
### Create configuration package
When you have obtained or created the certificates, youre ready to build the MSI configuration package that will be applied to target Surface devices.
1. Run Surface **UEFI Configurator**.
![Run Surface UEFI Configurator](images/secure-surface-dock-ports-semm-1.png)
1. Select **Surface Dock**.
![Select Surface Dock](images/secure-surface-dock-ports-semm-2.png)
1. On the certificate page, enter the appropriate **certificates**.
![enter the appropriate certificates](images/secure-surface-dock-ports-semm-3.png)
1. Add appropriate dock RNs to the list.
>[!NOTE]
>When creating a configuration package for multiple Surface Dock 2 devices, instead of entering each RN manually, you can use a .csv file that contains a list of RNs.
1. Specify your policy settings for USB data, Ethernet, and Audio ports. UEFI Configurator lets you configure policy settings for authenticated users (Authenticated Policy) and unauthenticated users (Unauthenticated Policy). The following figure shows port access turned on for authenticated users and turned off for unauthenticated users.
![Choose which components you want to activate or deactivate.](images/secure-surface-dock-ports-semm-4.png)
- Authenticated user refers to a Surface Device that has the appropriate certificates installed, as configured in the .MSI configuration package that you applied to target devices. It applies to any user authenticated user who signs into the device.
- Unauthenticated user refers to any other device.
- Select **Reset** to create a special “Reset” package that will remove any previous configuration package that the dock had accepted.
1. Select **Build** to create the package as specified.
### Apply the configuration package to a Surface Dock 2
1. Take the MSI file that the Surface UEFI Configurator generated and install it on a Surface host device. Compatible host devices are Surface Book 3, Surface Laptop 3, or Surface Pro 7.
1. Connect the host device to the Surface Dock 2. When you connect the dock UEFI policy settings are applied.
## Verify managed state using the Surface App
Once you have applied the configuration package, you can quickly verify the resultant policy state of the dock directly from the Surface App, installed by default on all Surface devices. If Surface App isn't present on the device, you can download and install it from the Microsoft Store.
### Test scenario
Objective: Configure policy settings to allow port access by authenticated users only.
1. Turn on all ports for authenticated users and turn them off for unauthenticated users.
![Enabling ports for authenticated users](images/secure-surface-dock-ports-semm-4.png)
1. Apply the configuration package to your target device and then connect Surface Dock 2.
1. Open **Surface App** and select **Surface Dock** to view the resultant policy state of your Surface Dock. If the policy settings are applied, Surface App will indicate that ports are available.
![Surface app shows all ports are available for authenticated users](images/secure-surface-dock-ports-semm-5.png)
1. Now you need to verify that the policy settings have successfully turned off all ports for unauthenticated users. Connect Surface Dock 2 to an unmanaged device, i.e., any Surface device outside the scope of management for the configuration package you created.
1. Open **Surface App** and select **Surface Dock**. The resultant policy state will indicate ports are turned off.
![Surface app showing ports turned off for unauthenticated users ](images/secure-surface-dock-ports-semm-6.png)
>[!NOTE]
>If you want to keep ownership of the device, but allow all users full access, you can make a new package with everything turned on. If you wish to completely remove the restrictions and ownership of the device (make it unmanaged), select **Reset** in Surface UEFI Configurator to create a package to apply to target devices.
Congratulations. You have successfully managed Surface Dock 2 ports on targeted host devices.
## Learn more
- [Surface Enterprise Management Mode (SEMM) documentation](https://docs.microsoft.com/surface/surface-enterprise-management-mode)
- [Certificate Services Architecture](https://docs.microsoft.com/windows/win32/seccrypto/certificate-services-architecture)
- [Windows Server 2019 Inside Out](https://www.microsoftpressstore.com/store/windows-server-2019-inside-out-9780135492277)
- [Windows Server 2008 PKI and Certificate Security](https://www.microsoftpressstore.com/store/windows-server-2008-pki-and-certificate-security-9780735640788)

11
devices/surface/surface-book-gpu-overview.md
View File

@ -19,7 +19,7 @@ audience: itpro
Surface Book 3, the most powerful Surface laptop yet released, integrates fully modernized compute and graphics capabilities into its famous detachable form factor. Led by the quad-core 10th Gen Intel® Core™ i7 and NVIDIA® Quadro RTX™ 3000 graphical processing unit (GPU) on the 15-inch model, Surface Book 3 comes in a wide range of configurations for consumers, creative professionals, architects, engineers, and data scientists. This article explains the major differences between the GPU configurations across 13-inch and 15-inch models of Surface Book 3.
A significant differentiator across Surface Book 3 models is the GPU configuration. In addition to the integrated Intel GPU built into all models, all but the entry-level, 13.5-inch core i5 device also feature a discrete NVIDIA GPU with Max-Q Design, which incorporates features that optimize energy efficiency for mobile form factors.
A significant differentiator across Surface Book 3 models is the GPU configuration. In addition to the integrated Intel GPU built into all models, all but the entry-level 13.5-inch Core i5 device also feature a discrete NVIDIA GPU with Max-Q Design, which incorporates features that optimize energy efficiency for mobile form factors.
Built into the keyboard base, the additional NVIDIA GPU provides advanced graphics rendering capabilities and comes in two primary configurations: GeForce® GTX® 1650/1660 Ti for consumers or creative professionals and Quadro RTX 3000 for creative professionals, engineers, and other business professionals who need advanced graphics or deep learning capabilities. This article also describes how to optimize app utilization of GPUs by specifying which apps should use the integrated iGPU versus the discrete NVIDIA GPU.
@ -34,7 +34,7 @@ The integrated GPU (iGPU) included on all Surface Book 3 models incorporates a w
### NVIDIA GeForce GTX 1650
NVIDIA GeForce GTX 1650 with Max-Q design delivers a major upgrade of the core streaming multiprocessor to more efficiently handle the complex graphics of modern games. Its
concurrent execution of floating point and integer operations boosts performance in compute-heavy workloads of modern games. A new unified memory architecture with twice the cache of its predecessor allows for better performance on complex modern games. New shading advancements improve performance, enhance image quality, and deliver new levels of geometric complexity.
concurrent execution of floating point and integer operations boosts performance in the compute-heavy workloads of modern games. A new unified memory architecture with twice the cache of its predecessor allows for better performance on complex modern games. New shading advancements improve performance, enhance image quality, and deliver new levels of geometric complexity.
### NVIDIA GeForce GTX 1660 Ti
@ -44,7 +44,7 @@ Thanks to 6 GB of GDDR6 graphics memory, Surface Book 3 models equipped with NVI
### NVIDIA Quadro RTX 3000
NVIDIA Quadro RTX 3000 unlocks several key features for professional users: ray tracing rendering and AI acceleration, and advanced graphics and compute performance. A combination of 30 RT cores, 240 tensor cores, and 6 GB of GDDR6 graphics memory enables multiple advanced workloads including Al-powered workflows, 3D content creation, advanced video editing, professional broadcasting, and multi-app workflows. Enterprise level hardware and software support integrate deployment tools to maximize uptime and minimize IT support requirements. Certified for the worlds most advanced software, Quadro drivers are optimized for professional applications, and are tuned, tested, and validated to provide app certification, enterprise level stability, reliability, availability, and support with extended product availability.
NVIDIA Quadro RTX 3000 unlocks several key features for professional users: ray tracing rendering and AI acceleration, and advanced graphics and compute performance. A combination of 30 RT cores, 240 tensor cores, and 6 GB of GDDR6 graphics memory enables multiple advanced workloads including Al-powered workflows, 3D content creation, advanced video editing, professional broadcasting, and multi-app workflows. Enterprise level hardware and software support integrate deployment tools to maximize uptime and minimize IT support requirements. Certified for the worlds most advanced software, Quadro drivers are optimized for professional applications and are tuned, tested, and validated to provide app certification, enterprise level stability, reliability, availability, and support with extended product availability.
## Comparing GPUs across Surface Book 3
@ -61,13 +61,12 @@ NVIDIA GPUs provide users with great performance for gaming, live streaming, and
| | **GeForce GTX 1650** | **GeForce GTX 1660 Ti** | **Quadro RTX 3000** |
| -------------------- | -------------------------------------- | -------------------------------------------------- | --------------------------------------------------------------------------------------------------------- |
| **Target users** | Gamers, hobbyists and online creators | Gamers, creative professionals and online creators | Creative professionals, architects, engineers, developers, data scientists |
| **Target users** | Gamers, hobbyists, and online creators | Gamers, creative professionals, and online creators | Creative professionals, architects, engineers, developers, data scientists |
| **Workflows** | Graphic design<br>Photography<br>Video | Graphic design<br>Photography<br>Video | Al-powered Workflows <br>App certifications<br>High-res video<br>Pro broadcasting<br>Multi-app workflows |
| **Key apps** | Adobe Creative Suite | Adobe Creative Suite | Adobe Creative Suite<br>Autodesk AutoCAD<br>Dassault Systemes SolidWorks |
| **GPU acceleration** | Video and image processing | Video and image processing | Ray tracing + AI + 6K video<br>Pro broadcasting features<br>Enterprise support |
**Table 2. GPU tech specs on Surface Book 3**
| | **GeForce GTX 1650** | **GeForce GTX 1660 Ti** | **Quadro RTX 3000** |
@ -157,7 +156,7 @@ In some instances, Windows 10 may assign a graphically demanding app to be iGPU;
## Summary
Built for performance, Surface Book 3 includes different GPU configurations optimized to meet specific workload and use requirements. An integrated Intel Iris graphics GPU functions as the sole GPU on the entry-level core i5 device and as a secondary GPU on all other models. GeForce GTX 1650 features a major upgrade of the core streaming multiprocessor to run complex graphics more efficiently. The faster GeForce GTX 1660 Ti provides Surface Book 3 with additional performance improvements making it better for consumers, gamers, live streamers, and creative professionals. Quadro RTX 3000 unlocks several key features for professional users: ray tracing rendering and AI acceleration, and advanced graphics and compute performance.
Built for performance, Surface Book 3 includes different GPU configurations optimized to meet specific workload and use requirements. An integrated Intel Iris graphics GPU functions as the sole GPU on the entry-level Core i5 device and as a secondary GPU on all other models. GeForce GTX 1650 features a major upgrade of the core streaming multiprocessor to run complex graphics more efficiently. The faster GeForce GTX 1660 Ti provides Surface Book 3 with additional performance improvements making it better for consumers, gamers, live streamers, and creative professionals. Quadro RTX 3000 unlocks several key features for professional users: ray tracing rendering and AI acceleration, and advanced graphics and compute performance.
## Learn more

38
devices/surface/surface-book-quadro.md
View File

@ -24,20 +24,20 @@ Surface Book 3 for Business powered by the NVIDIA® Quadro RTX™ 3000 GPU is bu
## Enterprise grade solution
Of paramount importance to commercial customers, Quadro RTX 3000 brings a fully professional grade solution that combines accelerated ray tracing and deep learning capabilities with an integrated enterprise level management and support solution. Quadro drivers are tested and certified for more than 100 professional applications by leading ISVs providing an additional layer of quality assurance to validate stability, reliability, and performance.
Of paramount importance to commercial customers, Quadro RTX 3000 brings a fully professional-grade solution that combines accelerated ray tracing and deep learning capabilities with an integrated enterprise level management and support solution. Quadro drivers are tested and certified for more than 100 professional applications by leading ISVs, providing an additional layer of quality assurance to validate stability, reliability, and performance.
Quadro includes dedicated enterprise tools for remote management of Surface Book 3 devices with Quadro RTX 3000. IT admins can remotely configure graphics systems, save/restore configurations, continuously monitor graphics systems and perform remote troubleshooting if necessary. These capabilities along with deployment tools help maximize uptime and minimize IT support requirements.
Quadro includes dedicated enterprise tools for remote management of Surface Book 3 devices with Quadro RTX 3000. IT admins can remotely configure graphics systems, save/restore configurations, continuously monitor graphics systems, and perform remote troubleshooting if necessary. These capabilities along with deployment tools help maximize uptime and minimize IT support requirements.
NVIDIA develops and maintains Quadro Optimal Drivers for Enterprise (ODE) that are tuned, tested, and validated to provide enterprise level stability, reliability, availability, and support with extended product availability. Each driver release involves more than 2,000 man days of testing with professional applications test suites and test cases, as well as WHQL certification. Security threats are continually monitored, and regular security updates are released to protect against newly discovered vulnerabilities. In addition, Quadro drivers undergo an additional layer of testing by Surface engineering prior to release via Windows Update.
NVIDIA develops and maintains Quadro Optimal Drivers for Enterprise (ODE) that are tuned, tested, and validated to provide enterprise level stability, reliability, availability, and support with extended product availability. Each driver release involves more than 2,000 man-days of testing with professional applications test suites and test cases, as well as WHQL certification. Security threats are continually monitored, and regular security updates are released to protect against newly discovered vulnerabilities. In addition, Quadro drivers undergo an additional layer of testing by Surface engineering prior to release via Windows Update.
## Built for compute-intensive workloads
Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance of any Surface laptop, enabling advanced professionals to work from anywhere.
The Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance of any Surface laptop, enabling advanced professionals to work from anywhere.
- **Creative professionals such as designers and animators.** Quadro RTX enables real-time cinematic-quality rendering through Turing-optimized ray tracing APIs such as NVIDIA OptiX, Microsoft DXR, and Vulkan.
- **Architects and engineers using large, complex computer aided design (CAD) models and assemblies.** The RTX platform features the new NGX SDK to infuse powerful AI-enhanced capabilities into visual applications. This frees up time and resources through intelligent manipulation of images, automation of repetitive tasks, and optimization of compute-intensive processes.
- **Software developers across manufacturing, media & entertainment, medical, and other industries.** Quadro RTX speeds application development with ray tracing, deep learning, and rasterization capabilities through industry-leading software SDKs and APIs.
- **Software developers across manufacturing, media and entertainment, medical, and other industries.** Quadro RTX speeds application development with ray tracing, deep learning, and rasterization capabilities through industry-leading software SDKs and APIs.
- **Data scientists using Tensor Cores and CUDA cores to accelerate computationally intensive tasks and other deep learning operations.** By using sensors, increased connectivity, and deep learning, researchers and developers can enable AI applications for everything from autonomous vehicles to scientific research.
@ -49,8 +49,8 @@ Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance of an
| Enhanced tensor cores | Mixed-precision cores purpose-built for deep learning matrix arithmetic, deliver 8x TFLOPS for training compared with previous generation. Quadro RTX 3000 utilizes 240 Tensor Cores; each Tensor Core performs 64 floating point fused multiply-add (FMA) operations per clock, and each streaming multiprocessor (SM) performs a total of 1,024 individual floating-point operations per clock. In addition to supporting FP16/FP32 matrix operations, new Tensor Cores added INT8 (2,048 integer operations per clock) and experimental INT4 and INT1 (binary) precision modes for matrix operations. |
| Turing optimized software | Deep learning frameworks such as the Microsoft Cognitive Toolkit (CNTK), Caffe2, MXNet, TensorFlow, and others deliver significantly faster training times and higher multi-node training performance. GPU accelerated libraries such as cuDNN, cuBLAS, and TensorRT deliver higher performance for both deep learning inference and High-Performance Computing (HPC) applications. |
| NVIDIA CUDA parallel computing platform | Natively execute standard programming languages like C/C++ and Fortran, and APIs such as OpenCL, OpenACC and Direct Compute to accelerate techniques such as ray tracing, video and image processing, and computation fluid dynamics. |
| Advanced streaming multiprocessor (SM) architecture | Combined shared memory and L1 cache improve performance significantly, while simplifying programming and reducing the tuning required to attain best application performance. |
| High performance GDDR6 Memory | Quadro RTX 3000 features 6GB of frame buffer making it the ideal platform for handling large datasets and latency-sensitive applications. |
| Advanced streaming multiprocessor (SM) architecture | Combined shared memory and L1 cache improve performance significantly, while simplifying programming and reducing the tuning required to attain the best application performance. |
| High performance GDDR6 Memory | Quadro RTX 3000 features 6GB of frame buffer, making it the ideal platform for handling large datasets and latency-sensitive applications. |
| Single instruction, multiple thread (SIMT) | New independent thread scheduling capability enables finer-grain synchronization and cooperation between parallel threads by sharing resources among small jobs. |
| Mixed-precision computing | 16-bit floating-point precision computing enables the training and deployment of larger neural networks. With independent parallel integer and floating-point data paths, the Turing SM handles workloads more efficiently using a mix of computation and addressing calculations. |
| Dynamic load balancing | Provides dynamic allocation capabilities of GPU resources for graphics and compute tasks as needed to maximize resource utilization. |
@ -86,7 +86,7 @@ Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance of an
## App acceleration
The following table shows how Quadro RTX 3000 provides significantly faster acceleration across leading professional applications. It includes SPECview perf 13 benchmark test results comparing Surface Book 3 15-inch with NVIDIA Quadro RTX 3000 versus Surface Book 2 15-inch with NVIDIA GeForce GTX 1060 devices in market March 2020.
The following table shows how Quadro RTX 3000 provides significantly faster acceleration across leading professional applications. It includes SPECview perf 13 benchmark test results comparing the Surface Book 3 15-inch with NVIDIA Quadro RTX 3000 versus the Surface Book 2 15-inch with NVIDIA GeForce GTX 1060 devices in the market as of March 2020.
**Table 3. App acceleration on Surface Book 3 with Quadro RTX 3000**
@ -95,23 +95,23 @@ The following table shows how Quadro RTX 3000 provides significantly faster acce
| Adobe Dimension | - RTX-accelerated ray tracing delivers photorealistic 3D rendering to 2D artists and designers. |
| Adobe Substance Alchemist | - Create and blend materials with ease, featuring RTX-accelerated AI. |
| Adobe Substance Painter | - Paint materials onto 3d models, featuring RTX accelerated bakers, and Iray RTX rendering which generates photorealistic imagery for interactive and batch rendering workflows. <br> |
| Adobe Substance Designer | - Author procedural materials featuring RTX accelerated bakers<br>- Uses NVIDIA Iray rendering including textures/substances and bitmap texture export to render in any Iray powered compatible with MDL.<br>- DXR-accelerated light and ambient occlusion baking. |
| Adobe Photoshop | - CUDA core acceleration enables faster editing with 30+ GPU-accelerated features such as blur gallery, liquify, smart sharpen, & perspective warp enable photographers and designers to modify images smoothly and quickly. |
| Adobe Substance Designer | - Author procedural materials featuring RTX accelerated bakers<br>- Uses NVIDIA Iray rendering including textures/substances and bitmap texture export to render in any Iray that is compatible with MDL.<br>- DXR-accelerated light and ambient occlusion baking. |
| Adobe Photoshop | - CUDA core acceleration enables faster editing with 30+ GPU-accelerated features such as blur gallery, liquify, smart sharpen, and perspective warp enable photographers and designers to modify images smoothly and quickly. |
| Adobe Lightroom | - Faster editing high res images with GPU-accelerated viewport, which enables the modeling of larger 3D scenes, and the rigging of more complex animations.<br>- GPU-accelerated image processing enables dramatically more responsive adjustments, especially on 4K or higher resolution displays.<br>- GPU-accelerated AI-powered “Enhance Details” for refining fine color detail of RAW images. |
| Adobe Illustrator | - Pan and zoom with GPU-accelerated canvas faster, which enables graphic designers and illustrators to pan across and zoom in and out of complex vector graphics smoothly and interactively. |
| Adobe<br>Premiere Pro | - Significantly faster editing and rendering video with GPU-accelerated effects vs CPU:<br>- GPU-accelerated effects with NVIDIA CUDA technology for real-time video editing and faster final frame rendering.<br>- GPU-accelerated AI Auto Reframe feature for intelligently converting landscape video to dynamically tracked portrait or square video. |
| Adobe<br>Premiere Pro | - Significantly faster editing and rendering video with GPU-accelerated effects vs CPU.<br>- GPU-accelerated effects with NVIDIA CUDA technology for real-time video editing and faster final frame rendering.<br>- GPU-accelerated AI Auto Reframe feature for intelligently converting landscape video to dynamically tracked portrait or square video. |
| Autodesk<br>Revit | - GPU-accelerated viewport for a smoother, more interactive design experience.<br>- Supports 3rd party GPU-accelerated 3D renderers such as V-Ray and Enscape. |
| Autodesk<br>3ds Max | - GPU-accelerated viewport graphics for fast, interactive 3D modelling and design.<br>- RTX-accelerated ray tracing and AI denoising ****with the default Arnold renderer.<br>- More than 70 percent faster compared with Surface Book 2 15”. |
| Autodesk<br>3ds Max | - GPU-accelerated viewport graphics for fast, interactive 3D modelling and design.<br>- RTX-accelerated ray tracing and AI denoising with the default Arnold renderer.<br>- More than 70 percent faster compared with Surface Book 2 15”. |
| Autodesk<br>Maya | - RTX-accelerated ray tracing and AI denoising with the default Arnold renderer.<br>- OpenGL Viewport Acceleration. |
| Dassault Systemes<br>Solidworks | - Solidworks Interactive Ray Tracer (Visualize) accelerated by both RT Cores and Tensor Cores; AI-accelerated denoiser.<br>- Runs more than 50% faster compared with Surface Book 2 15” |
| Dassault Systemes<br>3D Experience Platform | - CATIA Interactive Ray Tracer (Live Rendering) accelerated by RT Cores.<br>- Catia runs more than 100% faster compared with Surface Book 2 15. |
| ImageVis3D | - Runs more than 2x faster compared with Surface Book 2 15”.. |
| Dassault Systemes<br>Solidworks | - Solidworks Interactive Ray Tracer (Visualize) accelerated by both RT Cores and Tensor Cores; AI-accelerated denoiser.<br>- Runs more than 50% faster compared with Surface Book 2 15”. |
| Dassault Systemes<br>3D Experience Platform | - CATIA Interactive Ray Tracer (Live Rendering) accelerated by RT Cores.<br>- Catia runs more than 100% faster compared with Surface Book 2 15". |
| ImageVis3D | - Runs more than 2x faster compared with Surface Book 2 15”. |
| McNeel & Associates<br>Rhino 3D | - GPU-accelerated viewport for a smooth and interactive modelling and design experience.<br>- Supports Cycles for GPU-accelerated 3D rendering. |
| Siemens NX | - Siemens NX Interactive Ray Tracer (Ray Traced Studio) accelerated by RT Cores.<br>- Runs more than 10 x faster compared with Surface Book 2 15”.. |
| Esri ArcGIS | - Real-time results from what took days & weeks, due to DL inferencing leveraging tensor cores. |
| Siemens NX | - Siemens NX Interactive Ray Tracer (Ray Traced Studio) accelerated by RT Cores.<br>- Runs more than 10x faster compared with Surface Book 2 15”. |
| Esri ArcGIS | - Real-time results from what took days and weeks, due to DL inferencing leveraging tensor cores. |
| PTC Creo | - Creo's real-time engineering simulation tool (Creo Simulation Live) built on CUDA.<br>- Runs more than 15% faster compared with Surface Book 2 15”. |
| Luxion KeyShot | - 3rd party Interactive Ray Tracer used by Solidworks, Creo, and Rhino. Accelerated by RT Cores, OptiX™ AI-accelerated denoising. |
| ANSYS<br>Discovery Live | - ANSYS real-time engineering simulation tool (ANSYS Discovery Live) built on CUDA |
| ANSYS<br>Discovery Live | - ANSYS real-time engineering simulation tool (ANSYS Discovery Live) built on CUDA. |
## SKUs
**Table 4. Surface Book 3 with Quadro RTX 3000 SKUs**
@ -123,7 +123,7 @@ The following table shows how Quadro RTX 3000 provides significantly faster acce
## Summary
Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance on any Surface laptop, providing architects, engineers, developers, and data scientists with the tools they need to work efficiently from anywhere:
The Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance of any Surface laptop, providing architects, engineers, developers, and data scientists with the tools they need to work efficiently from anywhere:
- RTX-acceleration across multiple workflows like design, animation, video production, and more.
- Desktop-grade performance in a mobile form factor.

9
devices/surface/surface-enterprise-management-mode.md
View File

@ -32,6 +32,9 @@ There are two administrative options you can use to manage SEMM and enrolled Sur
The primary workspace of SEMM is Microsoft Surface UEFI Configurator, as shown in Figure 1. Microsoft Surface UEFI Configurator is a tool that is used to create Windows Installer (.msi) packages or WinPE images that are used to enroll, configure, and unenroll SEMM on a Surface device. These packages contain a configuration file where the settings for UEFI are specified. SEMM packages also contain a certificate that is installed and stored in firmware and used to verify the signature of configuration files before UEFI settings are applied.
>[!NOTE]
>You can now use Surface UEFI Configurator and SEMM to manage ports on Surface Dock 2. To learn more, see [Secure Surface Dock 2 ports with SEMM](secure-surface-dock-ports-semm.md).
![Microsoft Surface UEFI Configurator](images/surface-ent-mgmt-fig1-uefi-configurator.png "Microsoft Surface UEFI Configurator")
*Figure 1. Microsoft Surface UEFI Configurator*
@ -282,6 +285,6 @@ This version of SEMM includes:
## Related topics
[Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md)
[Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md)
- [Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md)
- [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md)
- [Secure Surface Dock 2 ports with SEMM](secure-surface-dock-ports-semm.md)

143
mdop/appv-v5/app-v-50-prerequisites.md
View File

@ -16,11 +16,10 @@ ms.date: 08/30/2016
# App-V 5.0 Prerequisites
Before you begin the Microsoft Application Virtualization (App-V) 5.0 Setup, you should make sure that you have met the prerequisites to install the product. This topic contains information to help you successfully plan for preparing your computing environment before you deploy the App-V 5.0 features.
**Important**
**The prerequisites in this article apply only to App-V 5.0**. For additional prerequisites that apply to App-V 5.0 Service Packs, see the following web pages:
> [!Important]
> **The prerequisites in this article apply only to App-V 5.0**. For additional prerequisites that apply to App-V 5.0 Service Packs, see the following web pages:
- [What's new in App-V 5.0 SP1](whats-new-in-app-v-50-sp1.md)
@ -28,8 +27,6 @@ Before you begin the Microsoft Application Virtualization (App-V) 5.0 Setup, you
- [App-V 5.0 SP3 Prerequisites](app-v-50-sp3-prerequisites.md)
The following table lists prerequisite information that pertains to specific operating systems.
<table>
@ -69,15 +66,10 @@ The following table lists prerequisite information that pertains to specific ope
</tbody>
</table>
## Installation prerequisites for App-V 5.0
**Note**
The following prerequisites are already installed for computers that run Windows 8.
> [!Note]
> The following prerequisites are already installed for computers that run Windows 8.
Each of the App-V 5.0 features have specific prerequisites that must be met before the App-V 5.0 features can be successfully installed.
@ -100,8 +92,8 @@ The following table lists the installation prerequisites for the App-V 5.0 clien
<tr class="odd">
<td align="left"><p><strong>Software requirements</strong></p></td>
<td align="left"><ul>
<li><p><a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="[Microsoft .NET Framework 4 (Full Package)](https://www.microsoft.com/download/details.aspx?id=17718)">Microsoft .NET Framework 4 (Full Package)</a> (<a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="https://www.microsoft.com/download/details.aspx?id=17718">https://www.microsoft.com/download/details.aspx?id=17718</a>)</p></li>
<li><p><a href="https://www.microsoft.com/download/details.aspx?id=34595" data-raw-source="[Windows PowerShell 3.0](https://www.microsoft.com/download/details.aspx?id=34595)">Windows PowerShell 3.0</a> (<a href="https://www.microsoft.com/download/details.aspx?id=34595" data-raw-source="https://www.microsoft.com/download/details.aspx?id=34595">https://www.microsoft.com/download/details.aspx?id=34595</a>)</p>
<li><p><a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="[Microsoft .NET Framework 4 (Full Package)](https://www.microsoft.com/download/details.aspx?id=17718)">Microsoft .NET Framework 4 (Full Package)</p></li>
<li><p><a href="https://www.microsoft.com/download/details.aspx?id=34595" data-raw-source="[Windows PowerShell 3.0](https://www.microsoft.com/download/details.aspx?id=34595)">Windows PowerShell 3.0</a></p>
<p></p>
<div class="alert">
<strong>Note</strong><br/><p>Installing PowerShell 3.0 requires a restart.</p>
@ -109,7 +101,7 @@ The following table lists the installation prerequisites for the App-V 5.0 clien
<div>
</div></li>
<li><p>Download and install <a href="https://support.microsoft.com/kb/2533623" data-raw-source="[KB2533623](https://support.microsoft.com/kb/2533623)">KB2533623</a> (<a href="https://support.microsoft.com/kb/2533623" data-raw-source="https://support.microsoft.com/kb/2533623">https://support.microsoft.com/kb/2533623</a>)</p>
<li><p>Download and install <a href="https://support.microsoft.com/kb/2533623" data-raw-source="[KB2533623](https://support.microsoft.com/kb/2533623)">KB2533623</a></p>
<p></p>
<div class="alert">
<strong>Important</strong><br/><p>You can download and install the previous KB article. However, it may have been replaced with a more recent version.</p>
@ -120,26 +112,22 @@ The following table lists the installation prerequisites for the App-V 5.0 clien
<li><p>The client installer (.exe) will detect if it is necessary to install the following prerequisites, and it will do so accordingly:</p>
<p></p>
<ul>
<li><p><a href="https://www.microsoft.com/download/details.aspx?id=40784" data-raw-source="[Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784)">Visual C++ Redistributable Packages for Visual Studio 2013</a> (<a href="https://www.microsoft.com/download/details.aspx?id=40784" data-raw-source="https://www.microsoft.com/download/details.aspx?id=40784">https://www.microsoft.com/download/details.aspx?id=40784</a>)</p>
<li><p><a href="https://www.microsoft.com/download/details.aspx?id=40784" data-raw-source="[Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784)">Visual C++ Redistributable Packages for Visual Studio 2013</a></p>
<p>This prerequisite is only required if you have installed Hotfix Package 4 for Application Virtualization 5.0 SP2 or later.</p>
<p></p></li>
<li><p><a href="https://www.microsoft.com/download/details.aspx?id=26999" data-raw-source="[The Microsoft Visual C++ 2010 Redistributable](https://www.microsoft.com/download/details.aspx?id=26999)">The Microsoft Visual C++ 2010 Redistributable</a> (<a href="https://go.microsoft.com/fwlink/?LinkId=26999" data-raw-source="https://go.microsoft.com/fwlink/?LinkId=26999">https://go.microsoft.com/fwlink/?LinkId=26999</a>)</p>
<li><p><a href="https://www.microsoft.com/download/details.aspx?id=26999" data-raw-source="[The Microsoft Visual C++ 2010 Redistributable](https://www.microsoft.com/download/details.aspx?id=26999)">The Microsoft Visual C++ 2010 Redistributable</a></p>
<p></p></li>
<li><p><a href="https://www.microsoft.com/download/details.aspx?id=5638" data-raw-source="[Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)](https://www.microsoft.com/download/details.aspx?id=5638)">Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)</a> (<a href="https://www.microsoft.com/download/details.aspx?id=5638" data-raw-source="https://www.microsoft.com/download/details.aspx?id=5638">https://www.microsoft.com/download/details.aspx?id=5638</a>)</p></li>
<li><p><a href="https://www.microsoft.com/download/details.aspx?id=5638" data-raw-source="[Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)](https://www.microsoft.com/download/details.aspx?id=5638)">Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)</a></p></li>
</ul></li>
</ul></td>
</tr>
</tbody>
</table>
### Prerequisites for the App-V 5.0 Remote Desktop Services client
**Note**
The following prerequisites are already installed for computers that run Windows Server 2012.
> [!Note]
> The following prerequisites are already installed for computers that run Windows Server 2012.
The following table lists the installation prerequisites for the App-V 5.0 Remote Desktop Services client:
@ -158,8 +146,8 @@ The following table lists the installation prerequisites for the App-V 5.0 Remot
<tr class="odd">
<td align="left"><p><strong>Software requirements</strong></p></td>
<td align="left"><ul>
<li><p><a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="[Microsoft.NET Framework 4 (Full Package)](https://www.microsoft.com/download/details.aspx?id=17718)">Microsoft.NET Framework 4 (Full Package)</a> (<a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="https://www.microsoft.com/download/details.aspx?id=17718">https://www.microsoft.com/download/details.aspx?id=17718</a>)</p></li>
<li><p><a href="https://www.microsoft.com/download/details.aspx?id=34595" data-raw-source="[Windows PowerShell 3.0](https://www.microsoft.com/download/details.aspx?id=34595)">Windows PowerShell 3.0</a> (<a href="https://www.microsoft.com/download/details.aspx?id=34595" data-raw-source="https://www.microsoft.com/download/details.aspx?id=34595">https://www.microsoft.com/download/details.aspx?id=34595</a>)</p>
<li><p><a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="[Microsoft.NET Framework 4 (Full Package)](https://www.microsoft.com/download/details.aspx?id=17718)">Microsoft.NET Framework 4 (Full Package)</a></p></li>
<li><p><a href="https://www.microsoft.com/download/details.aspx?id=34595" data-raw-source="[Windows PowerShell 3.0](https://www.microsoft.com/download/details.aspx?id=34595)">Windows PowerShell 3.0</a></p>
<p></p>
<div class="alert">
<strong>Note</strong><br/><p>Installing PowerShell 3.0 requires a restart.</p>
@ -167,7 +155,7 @@ The following table lists the installation prerequisites for the App-V 5.0 Remot
<div>
</div></li>
<li><p>Download and install <a href="https://go.microsoft.com/fwlink/?LinkId=286102" data-raw-source="[KB2533623](https://go.microsoft.com/fwlink/?LinkId=286102 )">KB2533623</a> (<a href="https://go.microsoft.com/fwlink/?LinkId=286102" data-raw-source="https://go.microsoft.com/fwlink/?LinkId=286102">https://go.microsoft.com/fwlink/?LinkId=286102</a>)</p>
<li><p>Download and install <a href="https://go.microsoft.com/fwlink/?LinkId=286102" data-raw-source="[KB2533623](https://go.microsoft.com/fwlink/?LinkId=286102 )">KB2533623</a></p>
<p></p>
<div class="alert">
<strong>Important</strong><br/><p>You can download and install the previous KB article. However, it may have been replaced with a more recent version.</p>
@ -178,33 +166,27 @@ The following table lists the installation prerequisites for the App-V 5.0 Remot
<li><p>The client (.exe) installer will detect if it is necessary to install the following prerequisites, and it will do so accordingly:</p>
<p></p>
<ul>
<li><p><a href="https://www.microsoft.com/download/details.aspx?id=40784" data-raw-source="[Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784)">Visual C++ Redistributable Packages for Visual Studio 2013</a> (<a href="https://www.microsoft.com/download/details.aspx?id=40784" data-raw-source="https://www.microsoft.com/download/details.aspx?id=40784">https://www.microsoft.com/download/details.aspx?id=40784</a>)</p>
<li><p><a href="https://www.microsoft.com/download/details.aspx?id=40784" data-raw-source="[Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784)">Visual C++ Redistributable Packages for Visual Studio 2013</a></p>
<p>This prerequisite is required only if you have installed Hotfix Package 4 for Application Virtualization 5.0 SP2 or later.</p>
<p></p></li>
<li><p><a href="https://www.microsoft.com/download/details.aspx?id=26999" data-raw-source="[The Microsoft Visual C++ 2010 Redistributable](https://www.microsoft.com/download/details.aspx?id=26999)">The Microsoft Visual C++ 2010 Redistributable</a> (<a href="https://go.microsoft.com/fwlink/?LinkId=26999" data-raw-source="https://go.microsoft.com/fwlink/?LinkId=26999">https://go.microsoft.com/fwlink/?LinkId=26999</a>)</p>
<li><p><a href="https://www.microsoft.com/download/details.aspx?id=26999" data-raw-source="[The Microsoft Visual C++ 2010 Redistributable](https://www.microsoft.com/download/details.aspx?id=26999)">The Microsoft Visual C++ 2010 Redistributable</a></p>
<p></p></li>
<li><p><a href="https://www.microsoft.com/download/details.aspx?id=5638" data-raw-source="[Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)](https://www.microsoft.com/download/details.aspx?id=5638)">Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)</a> (<a href="https://www.microsoft.com/download/details.aspx?id=5638" data-raw-source="https://www.microsoft.com/download/details.aspx?id=5638">https://www.microsoft.com/download/details.aspx?id=5638</a>)</p></li>
<li><p><a href="https://www.microsoft.com/download/details.aspx?id=5638" data-raw-source="[Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)](https://www.microsoft.com/download/details.aspx?id=5638)">Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)</a></p></li>
</ul></li>
</ul></td>
</tr>
</tbody>
</table>
### Prerequisites for the App-V 5.0 Sequencer
**Note**
The following prerequisites are already installed for computers that run Windows 8 and Windows Server 2012.
> [!Note]
> The following prerequisites are already installed for computers that run Windows 8 and Windows Server 2012.
The following table lists the installation prerequisites for the App-V 5.0 Sequencer. If possible, the computer that runs the Sequencer should have the same hardware and software configurations as the computers that will run the virtual applications.
**Note**
If the system requirements of a locally installed application exceed the requirements of the Sequencer, you must meet the requirements of that application. Additionally, because the sequencing process is system resource-intensive, we recommend that the computer that runs the Sequencer has plenty of memory, a fast processor, and a fast hard drive. For more information see [App-V 5.0 Supported Configurations](app-v-50-supported-configurations.md).
> [!Note]
> If the system requirements of a locally installed application exceed the requirements of the Sequencer, you must meet the requirements of that application. Additionally, because the sequencing process is system resource-intensive, we recommend that the computer that runs the Sequencer has plenty of memory, a fast processor, and a fast hard drive. For more information see [App-V 5.0 Supported Configurations](app-v-50-supported-configurations.md).
<table>
<colgroup>
@ -221,16 +203,16 @@ If the system requirements of a locally installed application exceed the require
<tr class="odd">
<td align="left"><p><strong>Software requirements</strong></p></td>
<td align="left"><ul>
<li><p><a href="https://www.microsoft.com/download/details.aspx?id=40784" data-raw-source="[Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784)">Visual C++ Redistributable Packages for Visual Studio 2013</a> (<a href="https://www.microsoft.com/download/details.aspx?id=40784" data-raw-source="https://www.microsoft.com/download/details.aspx?id=40784">https://www.microsoft.com/download/details.aspx?id=40784</a>)</p>
<li><p><a href="https://www.microsoft.com/download/details.aspx?id=40784" data-raw-source="[Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784)">Visual C++ Redistributable Packages for Visual Studio 2013</a></p>
<p>This prerequisite is required only if you have installed Hotfix Package 4 for Application Virtualization 5.0 SP2.</p>
<p></p></li>
<li><p><a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="[Microsoft .NET Framework 4 (Full Package)](https://www.microsoft.com/download/details.aspx?id=17718)">Microsoft .NET Framework 4 (Full Package)</a> (<a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="https://www.microsoft.com/download/details.aspx?id=17718">https://www.microsoft.com/download/details.aspx?id=17718</a>)</p>
<li><p><a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="[Microsoft .NET Framework 4 (Full Package)](https://www.microsoft.com/download/details.aspx?id=17718)">Microsoft .NET Framework 4 (Full Package)</a></p>
<p></p></li>
<li><p><a href="https://www.microsoft.com/download/details.aspx?id=34595" data-raw-source="[Windows PowerShell 3.0](https://www.microsoft.com/download/details.aspx?id=34595)">Windows PowerShell 3.0</a> (<a href="https://www.microsoft.com/download/details.aspx?id=34595" data-raw-source="https://www.microsoft.com/download/details.aspx?id=34595">https://www.microsoft.com/download/details.aspx?id=34595</a>)</p>
<li><p><a href="https://www.microsoft.com/download/details.aspx?id=34595" data-raw-source="[Windows PowerShell 3.0](https://www.microsoft.com/download/details.aspx?id=34595)">Windows PowerShell 3.0</a></p>
<p></p></li>
<li><p>Download and install <a href="https://support.microsoft.com/kb/2533623" data-raw-source="[KB2533623](https://support.microsoft.com/kb/2533623)">KB2533623</a> (<a href="https://support.microsoft.com/kb/2533623" data-raw-source="https://support.microsoft.com/kb/2533623">https://support.microsoft.com/kb/2533623</a>)</p>
<li><p>Download and install <a href="https://support.microsoft.com/kb/2533623" data-raw-source="[KB2533623](https://support.microsoft.com/kb/2533623)">KB2533623</a></p>
<p></p></li>
<li><p>For computers running Microsoft Windows Server 2008 R2 SP1, download and install <a href="https://go.microsoft.com/fwlink/?LinkId=286102" data-raw-source="[KB2533623](https://go.microsoft.com/fwlink/?LinkId=286102 )">KB2533623</a> (<a href="https://go.microsoft.com/fwlink/?LinkId=286102" data-raw-source="https://go.microsoft.com/fwlink/?LinkId=286102">https://go.microsoft.com/fwlink/?LinkId=286102</a>)</p>
<li><p>For computers running Microsoft Windows Server 2008 R2 SP1, download and install <a href="https://go.microsoft.com/fwlink/?LinkId=286102" data-raw-source="[KB2533623](https://go.microsoft.com/fwlink/?LinkId=286102 )">KB2533623</a></p>
<p></p>
<div class="alert">
<strong>Important</strong><br/><p>You can download and install either one of the previous KB articles. However, they may have been replaced with a more recent version.</p>
@ -243,12 +225,10 @@ If the system requirements of a locally installed application exceed the require
</tbody>
</table>
### Prerequisites for the App-V 5.0 server
**Note**
The following prerequisites are already installed for computers that run Windows Server 2012:
> [!Note]
> The following prerequisites are already installed for computers that run Windows Server 2012:
- Microsoft .NET Framework 4.5. This eliminates the Microsoft .NET Framework 4 requirement.
@ -256,26 +236,18 @@ The following prerequisites are already installed for computers that run Windows
- Download and install [KB2533623](https://support.microsoft.com/kb/2533623) (https://support.microsoft.com/kb/2533623)
**Important**
You can still download install the previous KB. However, it may have been replaced with a more recent version.
> [!Important]
> You can still download install the previous KB. However, it may have been replaced with a more recent version.
The following table lists the installation prerequisites for the App-V 5.0 server. The account that you use to install the server components must have administrative rights on the computer that you are installing on. This account must also have the ability to query Active Directory Directory Services. Before you install and configure the App-V 5.0 servers, you must specify a port where each component will be hosted. You must also add the associated firewall rules to allow incoming requests to the specified ports.
**Note**
Web Distributed Authoring and Versioning (WebDAV) is automatically disabled for the Management Service.
> [!Note]
> Web Distributed Authoring and Versioning (WebDAV) is automatically disabled for the Management Service.
The App-V 5.0 server is supported for a standalone deployment, where all the components are deployed on the same server, and a distributed deployment. Depending on the topology that you use to deploy the App-V 5.0 server, the data that you will need for each component will slightly change.
**Important**
The installation of the App-V 5.0 server on a computer that runs any previous version or component of App-V is not supported. Additionally, the installation of the server components on a computer that runs Server Core or a Domain Controller is also not supported.
> [!Important]
> The installation of the App-V 5.0 server on a computer that runs any previous version or component of App-V is not supported. Additionally, the installation of the server components on a computer that runs Server Core or a Domain Controller is also not supported.
<table>
<colgroup>
@ -292,8 +264,8 @@ The installation of the App-V 5.0 server on a computer that runs any previous ve
<tr class="odd">
<td align="left"><p><strong>Management Server</strong></p></td>
<td align="left"><ul>
<li><p><a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="[Microsoft .NET Framework 4 (Full Package)](https://www.microsoft.com/download/details.aspx?id=17718)">Microsoft .NET Framework 4 (Full Package)</a> (<a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="https://www.microsoft.com/download/details.aspx?id=17718">https://www.microsoft.com/download/details.aspx?id=17718</a>)</p></li>
<li><p><a href="https://www.microsoft.com/download/details.aspx?id=34595" data-raw-source="[Windows PowerShell 3.0](https://www.microsoft.com/download/details.aspx?id=34595)">Windows PowerShell 3.0</a> (<a href="https://www.microsoft.com/download/details.aspx?id=34595" data-raw-source="https://www.microsoft.com/download/details.aspx?id=34595">https://www.microsoft.com/download/details.aspx?id=34595</a>)</p>
<li><p><a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="[Microsoft .NET Framework 4 (Full Package)](https://www.microsoft.com/download/details.aspx?id=17718)">Microsoft .NET Framework 4 (Full Package)</a></p></li>
<li><p><a href="https://www.microsoft.com/download/details.aspx?id=34595" data-raw-source="[Windows PowerShell 3.0](https://www.microsoft.com/download/details.aspx?id=34595)">Windows PowerShell 3.0</a></p>
<div class="alert">
<strong>Note</strong><br/><p>Installing PowerShell 3.0 requires a restart.</p>
</div>
@ -301,7 +273,7 @@ The installation of the App-V 5.0 server on a computer that runs any previous ve
</div></li>
<li><p>Windows Web Server with the IIS role enabled and the following features: <strong>Common HTTP Features</strong> (static content and default document), <strong>Application Development</strong> (ASP.NET, .NET Extensibility, ISAPI Extensions and ISAPI Filters), <strong>Security</strong> (Windows Authentication, Request Filtering), <strong>Management Tools</strong> (IIS Management Console).</p></li>
<li><p>Download and install <a href="https://support.microsoft.com/kb/2533623" data-raw-source="[KB2533623](https://support.microsoft.com/kb/2533623)">KB2533623</a> (<a href="https://support.microsoft.com/kb/2533623" data-raw-source="https://support.microsoft.com/kb/2533623">https://support.microsoft.com/kb/2533623</a>)</p>
<li><p>Download and install <a href="https://support.microsoft.com/kb/2533623" data-raw-source="[KB2533623](https://support.microsoft.com/kb/2533623)">KB2533623</a></p>
<p></p>
<div class="alert">
<strong>Important</strong><br/><p>You can still download install the previous KB. However, it may have been replaced with a more recent version.</p>
@ -309,8 +281,8 @@ The installation of the App-V 5.0 server on a computer that runs any previous ve
<div>
</div></li>
<li><p><a href="https://www.microsoft.com/download/details.aspx?id=13523" data-raw-source="[Microsoft Visual C++ 2010 SP1 Redistributable Package (x64)](https://www.microsoft.com/download/details.aspx?id=13523)">Microsoft Visual C++ 2010 SP1 Redistributable Package (x64)</a> (<a href="https://www.microsoft.com/download/details.aspx?id=13523" data-raw-source="https://www.microsoft.com/download/details.aspx?id=13523">https://www.microsoft.com/download/details.aspx?id=13523</a>)</p></li>
<li><p><a href="https://go.microsoft.com/fwlink/?LinkId=267110" data-raw-source="[Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=267110)">Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)</a> (<a href="https://go.microsoft.com/fwlink/?LinkId=267110" data-raw-source="https://go.microsoft.com/fwlink/?LinkId=267110">https://go.microsoft.com/fwlink/?LinkId=267110</a>)</p></li>
<li><p><a href="https://www.microsoft.com/download/details.aspx?id=13523" data-raw-source="[Microsoft Visual C++ 2010 SP1 Redistributable Package (x64)](https://www.microsoft.com/download/details.aspx?id=13523)">Microsoft Visual C++ 2010 SP1 Redistributable Package (x64)</a></p></li>
<li><p><a href="https://go.microsoft.com/fwlink/?LinkId=267110" data-raw-source="[Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=267110)">Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)</a></p></li>
<li><p>64-bit ASP.NET registration</p></li>
</ul>
<p>The App-V 5.0 server components are dependent but they have varying requirements and installation options that must be deployed. Use the following information to prepare your environment to run the App-V 5.0 management server.</p>
@ -339,8 +311,8 @@ The installation of the App-V 5.0 server on a computer that runs any previous ve
</div>
<ul>
<li><p><a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="[Microsoft .NET Framework 4 (Full Package)](https://www.microsoft.com/download/details.aspx?id=17718)">Microsoft .NET Framework 4 (Full Package)</a> (<a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="https://www.microsoft.com/download/details.aspx?id=17718">https://www.microsoft.com/download/details.aspx?id=17718</a>)</p></li>
<li><p><a href="https://go.microsoft.com/fwlink/?LinkId=267110" data-raw-source="[Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=267110)">Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)</a>(<a href="https://go.microsoft.com/fwlink/?LinkId=267110" data-raw-source="https://go.microsoft.com/fwlink/?LinkId=267110">https://go.microsoft.com/fwlink/?LinkId=267110</a>)</p></li>
<li><p><a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="[Microsoft .NET Framework 4 (Full Package)](https://www.microsoft.com/download/details.aspx?id=17718)">Microsoft .NET Framework 4 (Full Package)</a></p></li>
<li><p><a href="https://go.microsoft.com/fwlink/?LinkId=267110" data-raw-source="[Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=267110)">Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)</a></p></li>
</ul>
<p>The App-V 5.0 server components are dependent but they have varying requirements and installation options that must be deployed. Use the following information to prepare your environment to run the App-V 5.0 management database.</p>
<ul>
@ -349,14 +321,14 @@ The installation of the App-V 5.0 server on a computer that runs any previous ve
<li><p>Custom App-V 5.0 database name (if applicable) you must specify a unique database name. The default value for the management database is <strong>AppVManagement</strong>.</p></li>
<li><p>App-V 5.0 management server location specifies the machine account on which the management server is deployed. This should be specified in the following format <strong>Domain\MachineAccount</strong>.</p></li>
<li><p>App-V 5.0 management server installation administrator - specifies the account that will be used to install the App-V 5.0 management server. You should use the following format: <strong>Domain\AdministratorLoginName</strong>.</p></li>
<li><p>Microsoft SQL Server Service Agent - configure the computer running the App-V 5.0 Management Database so that Microsoft SQL Server Agent service is restarted automatically. For more information see <a href="https://go.microsoft.com/fwlink/?LinkId=273725" data-raw-source="[Configure SQL Server Agent to Restart Services Automatically](https://go.microsoft.com/fwlink/?LinkId=273725)">Configure SQL Server Agent to Restart Services Automatically</a> (<a href="https://go.microsoft.com/fwlink/?LinkId=273725" data-raw-source="https://go.microsoft.com/fwlink/?LinkId=273725">https://go.microsoft.com/fwlink/?LinkId=273725</a>).</p></li>
<li><p>Microsoft SQL Server Service Agent - configure the computer running the App-V 5.0 Management Database so that Microsoft SQL Server Agent service is restarted automatically. For more information see <a href="https://go.microsoft.com/fwlink/?LinkId=273725" data-raw-source="[Configure SQL Server Agent to Restart Services Automatically](https://go.microsoft.com/fwlink/?LinkId=273725)">Configure SQL Server Agent to Restart Services Automatically</a></p></li>
</ul></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>Reporting Server</strong></p></td>
<td align="left"><ul>
<li><p><a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="[Microsoft .NET Framework 4 (Full Package)](https://www.microsoft.com/download/details.aspx?id=17718)">Microsoft .NET Framework 4 (Full Package)</a> (<a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="https://www.microsoft.com/download/details.aspx?id=17718">https://www.microsoft.com/download/details.aspx?id=17718</a>)</p></li>
<li><p><a href="https://go.microsoft.com/fwlink/?LinkId=267110" data-raw-source="[Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=267110)">Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)</a>(<a href="https://go.microsoft.com/fwlink/?LinkId=267110" data-raw-source="https://go.microsoft.com/fwlink/?LinkId=267110">https://go.microsoft.com/fwlink/?LinkId=267110</a>)</p></li>
<li><p><a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="[Microsoft .NET Framework 4 (Full Package)](https://www.microsoft.com/download/details.aspx?id=17718)">Microsoft .NET Framework 4 (Full Package)</a></p></li>
<li><p><a href="https://go.microsoft.com/fwlink/?LinkId=267110" data-raw-source="[Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=267110)">Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)</a></p></li>
<li><div class="alert">
<strong>Note</strong><br/><p>To help reduce the risk of unwanted or malicious data being sent to the reporting server, you should restrict access to the Reporting Web Service per your corporate security policy.</p>
</div>
@ -380,8 +352,8 @@ The installation of the App-V 5.0 server on a computer that runs any previous ve
</div>
<ul>
<li><p><a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="[Microsoft .NET Framework 4 (Full Package)](https://www.microsoft.com/download/details.aspx?id=17718)">Microsoft .NET Framework 4 (Full Package)</a> (<a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="https://www.microsoft.com/download/details.aspx?id=17718">https://www.microsoft.com/download/details.aspx?id=17718</a>)</p></li>
<li><p><a href="https://go.microsoft.com/fwlink/?LinkId=267110" data-raw-source="[Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=267110)">Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)</a>(<a href="https://go.microsoft.com/fwlink/?LinkId=267110" data-raw-source="https://go.microsoft.com/fwlink/?LinkId=267110">https://go.microsoft.com/fwlink/?LinkId=267110</a>)</p></li>
<li><p><a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="[Microsoft .NET Framework 4 (Full Package)](https://www.microsoft.com/download/details.aspx?id=17718)">Microsoft .NET Framework 4 (Full Package)</a></p></li>
<li><p><a href="https://go.microsoft.com/fwlink/?LinkId=267110" data-raw-source="[Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=267110)">Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)</a></p></li>
</ul>
<p>The App-V 5.0 server components are dependent but they have varying requirements and installation options that must be deployed. Use the following information to prepare your environment to run the App-V 5.0 reporting database.</p>
<ul>
@ -396,8 +368,8 @@ The installation of the App-V 5.0 server on a computer that runs any previous ve
<tr class="odd">
<td align="left"><p><strong>Publishing Server</strong></p></td>
<td align="left"><ul>
<li><p><a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="[Microsoft .NET Framework 4 (Full Package)](https://www.microsoft.com/download/details.aspx?id=17718)">Microsoft .NET Framework 4 (Full Package)</a> (<a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="https://www.microsoft.com/download/details.aspx?id=17718">https://www.microsoft.com/download/details.aspx?id=17718</a>)</p></li>
<li><p><a href="https://go.microsoft.com/fwlink/?LinkId=267110" data-raw-source="[Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=267110)">Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)</a>(<a href="https://go.microsoft.com/fwlink/?LinkId=267110" data-raw-source="https://go.microsoft.com/fwlink/?LinkId=267110">https://go.microsoft.com/fwlink/?LinkId=267110</a>)</p></li>
<li><p><a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="[Microsoft .NET Framework 4 (Full Package)](https://www.microsoft.com/download/details.aspx?id=17718)">Microsoft .NET Framework 4 (Full Package)</a></p></li>
<li><p><a href="https://go.microsoft.com/fwlink/?LinkId=267110" data-raw-source="[Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=267110)">Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)</a></p></li>
<li><p>Windows Web Server with the IIS role with the following features: <strong>Common HTTP Features</strong> (static content and default document), <strong>Application Development</strong> (ASP.NET, .NET Extensibility, ISAPI Extensions and ISAPI Filters), <strong>Security</strong> (Windows Authentication, Request Filtering), <strong>Security</strong> (Windows Authentication, Request Filtering), <strong>Management Tools</strong> (IIS Management Console)</p></li>
<li><p>64-bit ASP.NET registration</p></li>
</ul>
@ -412,25 +384,8 @@ The installation of the App-V 5.0 server on a computer that runs any previous ve
</tbody>
</table>
## Related topics
[Planning to Deploy App-V](planning-to-deploy-app-v.md)
[App-V 5.0 Supported Configurations](app-v-50-supported-configurations.md)

2
mdop/appv-v5/app-v-51-supported-configurations.md
View File

@ -16,6 +16,8 @@ ms.date: 04/02/2020
# App-V 5.1 Supported Configurations
>Applies to: Windows 10, version 1607; Window Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 (Extended Security Update)
This topic specifies the requirements to install and run Microsoft Application Virtualization (App-V) 5.1 in your environment.
## App-V Server system requirements

5
mdop/mbam-v1/known-issues-in-the-mbam-international-release-mbam-1.md
View File

@ -16,12 +16,10 @@ ms.date: 08/30/2016
# Known Issues in the MBAM International Release
This section contains known issues for Microsoft BitLocker Administration and Monitoring (MBAM) International Release.
## Known Issues in the MBAM International Release
### The Installation Process Does Not Specify Update
Upon updating the Microsoft BitLocker Administration and Monitoring server or servers, the Setup program does not state that an update is being installed.
@ -36,13 +34,12 @@ If you are using a certificate for authentication between MBAM servers, after up
### MBAM Svclog File Filling Disk Space
If you have followed Knowledge Base article 2668170, [https://support.microsoft.com/kb/2668170](https://go.microsoft.com/fwlink/?LinkID=247277), you might have to repeat the KB steps after you install this update.
If you have followed [Knowledge Base article 2668170](https://go.microsoft.com/fwlink/?LinkID=247277), you might have to repeat the KB steps after you install this update.
**Workaround**: None.
## Related topics
[Deploying the MBAM 1.0 Language Release Update](deploying-the-mbam-10-language-release-update.md)
 

27
mdop/mbam-v2/mbam-20-privacy-statement-mbam-2.md
View File

@ -16,10 +16,8 @@ ms.date: 08/30/2016
# MBAM 2.0 Privacy Statement
## Microsoft BitLocker Administration and Monitoring (MBAM) v2 Privacy Statement
Microsoft is committed to protecting your privacy, while delivering software that brings you the performance, power, and convenience you desire in your personal computing. This privacy statement explains many of the data collection and use practices of Microsoft BitLocker Administration and Monitoring v2 (MBAM). This is a preliminary disclosure that focuses on features that communicate with the Internet and is not intended to be an exhaustive list.
Microsoft BitLocker Administration and Monitoring (MBAM) enhances BitLocker by simplifying deployment and key recovery, centralizing provisioning, monitoring and reporting of encryption status for fixed and removable drives, and minimizing support costs. This release provides support for Windows 8 as well as improvements on Configuration Manager Integration and key recovery functionality.
@ -86,13 +84,12 @@ Microsoft Error Reporting is not turned on or off by MBAM. MBAM will utilize wha
"HKLM\\Software\\Wow6432Node\\Microsoft\\Microsoft Standalone System Sweeper Tool" (for the 64-bit version)
**Warning**
Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the PC. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied.
> [!Warning]
> Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the PC. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied.
Important Information: Enterprise customers can use Group Policy to configure how Microsoft Error Reporting behaves on their PCs. Configuration options include the ability to turn off Microsoft Error Reporting. If you are an administrator and wish to configure Group Policy for Microsoft Error Reporting, technical details are available on [TechNet](https://technet.microsoft.com/library/cc709644.aspx).
Additional information on how to modify enable and disable error reporting is available at this support article: [(https://support.microsoft.com/kb/188296)](https://support.microsoft.com/kb/188296).
Additional information on how to modify enable and disable error reporting is available at this support article: [How to disable or enable Dr. Watson for Windows](https://support.microsoft.com/kb/188296).
### Microsoft Update
@ -102,15 +99,15 @@ Microsoft Update is a service that provides Windows updates as well as updates f
**Information Collected, Processed, or Transmitted:**
For details about what information is collected and how it is used, see the Update Services Privacy Statement at <https://go.microsoft.com/fwlink/?LinkId=244400>.
For details about what information is collected and how it is used, see the [Update Services Privacy Statement](https://go.microsoft.com/fwlink/?LinkId=244400).
**Use of Information:**
For details about what information is collected and how it is used, see the Update Services Privacy Statement at <https://go.microsoft.com/fwlink/?LinkId=244400>.
For details about what information is collected and how it is used, see the [Update Services Privacy Statement](https://go.microsoft.com/fwlink/?LinkId=244400).
**Choice/Control:**
For details about controlling this feature, see the Update Services Privacy Statement at <https://go.microsoft.com/fwlink/?LinkId=244000>.
For details about controlling this feature, see the [Update Services Privacy Statement](https://go.microsoft.com/fwlink/?LinkId=244000).
### Customer Experience Improvement Program
@ -120,7 +117,7 @@ The Customer Experience Improvement Program (“CEIP”) collects basic informat
**Information Collected, Processed, or Transmitted:**
For more information about the information collected, processed, or transmitted by CEIP, see the CEIP privacy statement at <https://go.microsoft.com/fwlink/?LinkID=52097>.
For more information about the information collected, processed, or transmitted by CEIP, see the [CEIP privacy statement](https://go.microsoft.com/fwlink/?LinkID=52097).
**Use of Information:**
@ -132,14 +129,4 @@ CEIP is off by default. You're offered the opportunity to participate in CEIP du
## Related topics
[Security and Privacy for MBAM 2.0](security-and-privacy-for-mbam-20-mbam-2.md)
 
 

2
windows/application-management/app-v/appv-create-a-package-accelerator.md
View File

@ -1,6 +1,6 @@
---
title: How to create a package accelerator (Windows 10)
description: How to create a package accelerator.
description: Learn how to create App-V Package Accelerators to automatically generate new virtual application packages.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy

2
windows/application-management/app-v/appv-for-windows.md
View File

@ -1,6 +1,6 @@
---
title: Application Virtualization (App-V) (Windows 10)
description: Application Virtualization (App-V)
description: See various topics that can help you administer Application Virtualization (App-V) and its components.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy

2
windows/application-management/app-v/appv-getting-started.md
View File

@ -1,6 +1,6 @@
---
title: Getting Started with App-V (Windows 10)
description: Getting Started with App-V for Windows 10
description: Get started with Microsoft Application Virtualization (App-V) for Windows 10.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy

4
windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md
View File

@ -1,6 +1,6 @@
---
title: Install the Publishing Server on a Remote Computer (Windows 10)
description: How to Install the App-V Publishing Server on a Remote Computer
description: Use the procedures in this article to install the Microsoft Application Virtualization (App-V) publishing server on a separate computer.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
@ -38,7 +38,7 @@ Use the following procedure to install the publishing server on a separate compu
3. Enter the server name and a description (if required), then select **Add**.
9. To verify that the publishing server is running correctly, you should import a package to the management server, entitle that package to an AD group, then publish it. Using an internet browser, open the following URL: <strong>https://publishingserver:pubport</strong>. If the server is running correctly, information like the following example should appear.
```SQL
```xml
<Publishing Protocol="1.0">
<Packages>

4
windows/application-management/app-v/appv-supported-configurations.md
View File

@ -14,7 +14,7 @@ ms.topic: article
---
# App-V Supported Configurations
>Applies to: Windows 10, version 1607; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2
>Applies to: Windows 10, version 1607; Window Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 (Extended Security Update)
This topic specifies the requirements to install and run App-V in your Windows 10 environment. For information about prerequisite software such as the .NET Framework, see [App-V prerequisites](appv-prerequisites.md).
@ -34,7 +34,7 @@ The App-V server does not support the following scenarios:
### Management server operating system requirements
You can install the App-V Management server on a server running Windows Server 2008 R2 with SP1 or later.
You can install the App-V Management server on a server running Windows Server 2008 R2 with SP1 (Extended Security Update) or later.
>[!IMPORTANT]
>Deploying a Management server role to a computer with Remote Desktop Services enabled is not supported.

2
windows/application-management/manage-windows-mixed-reality.md
View File

@ -33,7 +33,7 @@ Organizations that use Windows Server Update Services (WSUS) must take action to
2. Windows Mixed Reality Feature on Demand (FOD) is downloaded from Windows Update. If access to Windows Update is blocked, you must manually install the Windows Mixed Reality FOD.
a. Download the FOD .cab file for [Windows 10, version 20H1](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), [Windows 10, version 1903 and 1909](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab), [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), or [Windows 10, version 1709](https://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab).
a. Download the FOD .cab file for [Windows 10, version 2004](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), [Windows 10, version 1903 and 1909](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab), [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), or [Windows 10, version 1709](https://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab).
>[!NOTE]
>You must download the FOD .cab file that matches your operating system version.

51
windows/client-management/connect-to-remote-aadj-pc.md
View File

@ -22,7 +22,7 @@ ms.topic: article
- Windows 10
From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](https://docs.microsoft.com/azure/active-directory/user-help/device-management-azuread-joined-devices-setup).
From its release, Windows 10 has supported remote connections to PCs joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](https://docs.microsoft.com/azure/active-directory/user-help/device-management-azuread-joined-devices-setup).
![Remote Desktop Connection client](images/rdp.png)
@ -31,25 +31,30 @@ From its release, Windows 10 has supported remote connections to PCs that are jo
## Set up
- Both PCs (local and remote) must be running Windows 10, version 1607 (or later). Remote connection to an Azure AD-joined PC that is running earlier versions of Windows 10 is not supported.
- Your local PC (where you are connecting from) must be either Azure AD joined or Hybrid Azure AD joined. Remote connection to an Azure AD joined PC from an unjoined device or a non-Windows 10 device is not supported.
Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC that you are using to connect to the remote PC.
- On the PC that you want to connect to:
- Both PCs (local and remote) must be running Windows 10, version 1607 or later. Remote connections to an Azure AD-joined PC running earlier versions of Windows 10 are not supported.
- Your local PC (where you are connecting from) must be either Azure AD joined or Hybrid Azure AD joined. Remote connections to an Azure AD joined PC from an unjoined device or a non-Windows 10 device are not supported.
Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC you are using to connect to the remote PC.
- On the PC you want to connect to:
1. Open system properties for the remote PC.
2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**.
![Allow remote connections to this computer](images/allow-rdp.png)
3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users to connect to the PC, you must allow remote connections for the local **Authenticated Users** group. Click **Select Users**.
> [!NOTE]
>You can specify individual Azure AD accounts for remote connections by having the user sign in to the remote device at least once and then running the following PowerShell cmdlet:
>
>`net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user"`, where *FirstnameLastname* is the name of the user profile in C:\Users\, which is created based on DisplayName attribute in Azure AD.
> You can specify individual Azure AD accounts for remote connections by having the user sign in to the remote device at least once, and then running the following PowerShell cmdlet:
> ```PowerShell
> net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user"
> ```
> where *the-UPN-attribute-of-your-user* is the name of the user profile in C:\Users\, which is created based on the DisplayName attribute in Azure AD.
>
> This command only works for AADJ device users already added to any of the local groups (administrators).
> Otherwise this command throws the below error. For example: </br>
> for cloud only user: "There is no such global user or group : *name*" </br>
> for synced user: "There is no such global user or group : *name*" </br>
> Otherwise this command throws the below error. For example:
> - for cloud only user: "There is no such global user or group : *name*"
> - for synced user: "There is no such global user or group : *name*" </br>
>
> In Windows 10, version 1709, the user does not have to sign in to the remote device first.
>
@ -61,30 +66,29 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu
> When you connect to the remote PC, enter your account name in this format: `AzureAD UPN`. The local PC must either be domain-joined or Azure AD-joined. The local PC and remote PC must be in the same Azure AD tenant.
> [!Note]
> If you cannot connect using Remote Desktop Connection 6.0, then you must turn off new features of RDP 6.0 and revert back to RDP 5.0 by changing a few changes in the RDP file. See the details in the [support article](https://support.microsoft.com/help/941641/remote-desktop-connection-6-0-prompts-you-for-credentials-before-you-e).
> If you cannot connect using Remote Desktop Connection 6.0, you must turn off the new features of RDP 6.0 and revert back to RDP 5.0 by making a few changes in the RDP file. See the details in the [support article](https://support.microsoft.com/help/941641/remote-desktop-connection-6-0-prompts-you-for-credentials-before-you-e).
## Supported configurations
In organizations that have integrated Active Directory and Azure AD, you can connect from a Hybrid-joined PC to an Azure AD-joined PC using:
In organizations using integrated Active Directory and Azure AD, you can connect from a Hybrid-joined PC to an Azure AD-joined PC by using any of the following:
- Password
- Smartcards
- Windows Hello for Business, if the domain is managed by Microsoft Endpoint Configuration Manager
- Windows Hello for Business, if the domain is managed by Microsoft Endpoint Configuration Manager.
In organizations that have integrated Active Directory and Azure AD, you can connect from an Azure AD-joined PC to an AD-joined PC when the Azure AD-joined PC is on the corporate network using:
In organizations using integrated Active Directory and Azure AD, you can connect from an Azure AD-joined PC to an AD-joined PC when the Azure AD-joined PC is on the corporate network by using any of the following:
- Password
- Smartcards
- Windows Hello for Business, if the organization has a mobile device management (MDM) subscription.
In organizations that have integrated Active Directory and Azure AD, you can connect from an Azure AD-joined PC to another Azure AD-joined PC using:
In organizations using integrated Active Directory and Azure AD, you can connect from an Azure AD-joined PC to another Azure AD-joined PC by using any of the following:
- Password
- Smartcards
- Windows Hello for Business, with or without an MDM subscription.
In organizations using only Azure AD, you can connect from an Azure AD-joined PC to another Azure AD-joined PC using:
In organizations using only Azure AD, you can connect from an Azure AD-joined PC to another Azure AD-joined PC by using any of the following:
- Password
- Windows Hello for Business, with or without an MDM subscription.
@ -96,14 +100,3 @@ In organizations using only Azure AD, you can connect from an Azure AD-joined PC
[How to use Remote Desktop](https://support.microsoft.com/instantanswers/ff521c86-2803-4bc0-a5da-7df445788eb9/how-to-use-remote-desktop)

2
windows/client-management/mandatory-user-profile.md
View File

@ -38,7 +38,7 @@ The name of the folder in which you store the mandatory profile must use the cor
| Windows 8 | Windows Server 2012 | v3 |
| Windows 8.1 | Windows Server 2012 R2 | v4 |
| Windows 10, versions 1507 and 1511 | N/A | v5 |
| Windows 10, versions 1607, 1703, 1709, 1803, 1809 and 1903 | Windows Server 2016 and Windows Server 2019 | v6 |
| Windows 10, versions 1607, 1703, 1709, 1803, 1809, 1903 and 1909 | Windows Server 2016 and Windows Server 2019 | v6 |
For more information, see [Deploy Roaming User Profiles, Appendix B](https://docs.microsoft.com/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#appendix-b-profile-version-reference-information) and [Roaming user profiles versioning in Windows 10 and Windows Server Technical Preview](https://support.microsoft.com/kb/3056198).

2
windows/client-management/mdm/applicationcontrol-csp.md
View File

@ -1,7 +1,7 @@
---
title: ApplicationControl CSP
description: The ApplicationControl CSP allows you to manage multiple Windows Defender Application Control (WDAC) policies from a MDM server.
keywords: whitelisting, security, malware
keywords: security, malware
ms.author: dansimp
ms.topic: article
ms.prod: w10

3
windows/client-management/mdm/applocker-csp.md
View File

@ -40,7 +40,6 @@ Defines restrictions for applications.
Additional information:
- [Find publisher and product name of apps](#productname) - step-by-step guide for getting the publisher and product names for various Windows apps.
- [Whitelist example](#whitelist-examples) - example for Windows 10 Mobile that denies all apps except the ones listed.
<a href="" id="applocker-applicationlaunchrestrictions-grouping"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_**
Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it is to determine what their purpose is, and to not conflict with other identifiers that they define.
@ -869,7 +868,7 @@ The following list shows the apps that may be included in the inbox.
## Whitelist examples
## <a href="" id="allow-list-examples"></a>Allow list examples
The following example disables the calendar application.

23
windows/client-management/mdm/bitlocker-csp.md
View File

@ -930,12 +930,35 @@ The following list shows the supported values:
<!--Description-->
Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user Azure AD account.
<!--/Description-->
> [!NOTE]
> This policy is only supported in Azure AD accounts.
"AllowStandardUserEncryption" policy is tied to "AllowWarningForOtherDiskEncryption" policy being set to "0", i.e, silent encryption is enforced.
If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user is the current logged on user in the system.
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--SupportedValues-->
The expected values for this policy are:

13
windows/client-management/mdm/certificate-authentication-device-enrollment.md
View File

@ -14,15 +14,13 @@ ms.date: 06/26/2017
# Certificate authentication device enrollment
This section provides an example of the mobile device enrollment protocol using certificate authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347).
> **Note**  To set up devices to use certificate authentication for enrollment, you should create a provisioning package. For more information about provisioning packages, see [Build and apply a provisioning package](https://msdn.microsoft.com/library/windows/hardware/dn916107).
> [!Note]
> To set up devices to use certificate authentication for enrollment, you should create a provisioning package. For more information about provisioning packages, see [Build and apply a provisioning package](https://msdn.microsoft.com/library/windows/hardware/dn916107).
## In this topic
- [Discovery service](#discovery-service)
- [Enrollment policy web service](#enrollment-policy-web-service)
- [Enrollment web service](#enrollment-web-service)
@ -507,10 +505,3 @@ The following example shows the encoded provisioning XML.
protocol. This configuration service provider is being deprecated for Windows 10. -->
</wap-provisioningdoc>
```
 

43
windows/client-management/mdm/certificate-renewal-windows-mdm.md
View File

@ -1,6 +1,6 @@
---
title: Certificate Renewal
description: The enrolled client certificate expires after a period of use.
description: Find all the resources needed to provide continuous access to client certificates.
MS-HAID:
- 'p\_phdevicemgmt.certificate\_renewal'
- 'p\_phDeviceMgmt.certificate\_renewal\_windows\_mdm'
@ -17,16 +17,13 @@ ms.date: 06/26/2017
# Certificate Renewal
The enrolled client certificate expires after a period of use. The expiration date of the certificate is specified by the server. To ensure continuous access to enterprise applications, Windows supports a user-triggered certificate renewal process. The user is prompted to provide the current password for the corporate account, and the enrollment client gets a new client certificate from the enrollment server and deletes the old certificate. The client generates a new private/public key pair, generates a PKCS\#7 request, and signs the PKCS\#7 request with the existing certificate. In Windows, automatic MDM client certificate renewal is also supported.
> **Note**  Make sure that the EntDMID in the DMClient configuration service provider is set before the certificate renewal request is triggered.
 
> [!Note]
> Make sure that the EntDMID in the DMClient configuration service provider is set before the certificate renewal request is triggered.
## In this topic
- [Automatic certificate renewal request](#automatic-certificate-renewal-request)
- [Certificate renewal schedule configuration](#certificate-renewal-schedule-configuration)
- [Certificate renewal response](#certificate-renewal-response)
@ -35,12 +32,10 @@ The enrolled client certificate expires after a period of use. The expiration da
<a href="" id="automatic-certificate-renewal"></a>
## Automatic certificate renewal request
In addition to manual certificate renewal, Windows includes support for automatic certificate renewal, also known as Renew On Behalf Of (ROBO), that does not require any user interaction. For auto renewal, the enrollment client uses the existing MDM client certificate to perform client Transport Layer Security (TLS). The user security token is not needed in the SOAP header. As a result, the MDM certificate enrollment server is required to support client TLS for certificate based client authentication for automatic certificate renewal.
> **Note**  Certificate renewal of the enrollment certificate through ROBO is only supported with Microsoft PKI.
 
> [!Note]
> Certificate renewal of the enrollment certificate through ROBO is only supported with Microsoft PKI.
Auto certificate renewal is the only supported MDM client certificate renewal method for the device that is enrolled using WAB authentication (meaning that the AuthPolicy is set to Federated). It also means if the server supports WAB authentication, the MDM certificate enrollment server MUST also support client TLS in order to renew the MDM client certificate.
@ -54,7 +49,7 @@ During the automatic certificate renew process, the device will deny HTTP redire
The following example shows the details of an automatic renewal request.
```
``` xml
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
@ -106,7 +101,6 @@ The following example shows the details of an automatic renewal request.
</s:Envelope>
```
<a href="" id="certificate-renewal-schedule"></a>
## Certificate renewal schedule configuration
@ -116,11 +110,10 @@ For more information about the parameters, see the CertificateStore configuratio
Unlike manual certificate renewal, the device will not perform an automatic MDM client certificate renewal if the certificate is already expired. To make sure that the device has enough time to perform an automatic renewal, we recommend that you set a renewal period a couple months (40-60 days) before the certificate expires and set the renewal retry interval to be every few days such as every 4-5 days instead every 7 days (weekly) to increase the chance that the device will a connectivity at different days of the week.
> **Note**  For PCs that were previously enrolled in MDM in Windows 8.1 and then upgraded to Windows 10, renewal will be triggered for the enrollment certificate. Thereafter, renewal will happen at the configured ROBO interval.
> [!Note]
> For PCs that were previously enrolled in MDM in Windows 8.1 and then upgraded to Windows 10, renewal will be triggered for the enrollment certificate. Thereafter, renewal will happen at the configured ROBO interval.
> For Windows Phone 8.1 devices upgraded to Windows 10 Mobile, renewal will happen at the configured ROBO internal. This is expected and by design.
 
## Certificate renewal response
When RequestType is set to Renew, the web service verifies the following (in additional to initial enrollment):
@ -133,12 +126,12 @@ When RequestType is set to Renew, the web service verifies the following (in add
After validation is completed, the web service retrieves the PKCS\#10 content from the PKCS\#7 BinarySecurityToken. The rest is the same as initial enrollment, except that the Provisioning XML only needs to have the new certificate issued by the CA.
> **Note**  The HTTP server response must not be chunked; it must be sent as one message.
> [!Note]
> The HTTP server response must not be chunked; it must be sent as one message.
The following example shows the details of an certificate renewal response.
```
``` xml
<wap-provisioningdoc version="1.1">
<characteristic type="CertificateStore">
<!-- Root certificate provision is only needed here if it is not in the device already --> <characteristic type="Root">
@ -163,25 +156,15 @@ The following example shows the details of an certificate renewal response.
</wap-provisioningdoc>
```
> **Note**  The client receives a new certificate, instead of renewing the initial certificate. The administrator controls which certificate template the client should use. The templates may be different at renewal time than the initial enrollment time.
 
> [!Note]
The client receives a new certificate, instead of renewing the initial certificate. The administrator controls which certificate template the client should use. The templates may be different at renewal time than the initial enrollment time.
<a href="" id="csp-support-during-enrollment-and-renewal"></a>
## Configuration service providers supported during MDM enrollment and certificate renewal
The following configuration service providers are supported during MDM enrollment and certificate renewal process. See Configuration service provider reference for detailed descriptions of each configuration service provider.
- CertificateStore
- w7 APPLICATION
- DMClient
- EnterpriseAppManagement
 

49
windows/client-management/mdm/clientcertificateinstall-csp.md
View File

@ -1,6 +1,6 @@
---
title: ClientCertificateInstall CSP
description: ClientCertificateInstall CSP
description: The ClientCertificateInstall configuration service provider (CSP) enables the enterprise to install client certificates.
ms.assetid: B624EB73-2972-47F2-9D7E-826D641BF8A7
ms.reviewer:
manager: dansimp
@ -14,17 +14,15 @@ ms.date: 02/28/2020
# ClientCertificateInstall CSP
The ClientCertificateInstall configuration service provider enables the enterprise to install client certificates. A client certificate has a unique ID, which is the *\[UniqueID\]* for this configuration. Each client certificate must have different UniqueIDs for the SCEP enrollment request.
For PFX certificate installation and SCEP installation, the SyncML commands must be wrapped in atomic commands to ensure enrollment execution is not triggered until all settings are configured. The Enroll command must be the last item in the atomic block.
> **Note**  
Currently in Windows 10, version 1511, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue.
> [!Note]
> Currently in Windows 10, version 1511, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue.
You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail.
The following image shows the ClientCertificateInstall configuration service provider in tree format.
![clientcertificateinstall csp](images/provisioning-csp-clientcertificateinstall.png)
@ -63,7 +61,6 @@ The data type is an integer corresponding to one of the following values:
| 3 | Install to software. |
| 4 | Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified |
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-containername"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/ContainerName**
Optional. Specifies the Windows Hello for Business (formerly known as Microsoft Passport for Work) container name (if Windows Hello for Business storage provider (KSP) is chosen for the KeyLocation). If this node is not specified when Windows Hello for Business KSP is chosen, enrollment will fail.
@ -107,8 +104,8 @@ Supported operations are Get, Add, and Replace.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxkeyexportable"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXKeyExportable**
Optional. Used to specify if the private key installed is exportable (and can be exported later). The PFX is not exportable when it is installed to TPM.
> **Note**  You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail.
> [!Note]
> You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail.
The data type bool.
@ -138,20 +135,19 @@ Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep"></a>**ClientCertificateInstall/SCEP**
Node for SCEP.
> **Note**  An alert is sent after the SCEP certificate is installed.
> [!Note]
> An alert is sent after the SCEP certificate is installed.
<a href="" id="clientcertificateinstall-scep-uniqueid"></a>**ClientCertificateInstall/SCEP/**<strong>*UniqueID*</strong>
A unique ID to differentiate different certificate installation requests.
<a href="" id="clientcertificateinstall-scep-uniqueid-install"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install**
A node required for SCEP certificate enrollment. Parent node to group SCEP cert installation related requests.
Supported operations are Get, Add, Replace, and Delete.
> **Note**  Although the child nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values that are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted, as it will impact the current enrollment underway. The server should check the Status node value and make sure the device is not at an unknown state before changing child node values.
> [!Note]
> Although the child nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values that are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted, as it will impact the current enrollment underway. The server should check the Status node value and make sure the device is not at an unknown state before changing child node values.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-serverurl"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ServerURL**
Required for SCEP certificate enrollment. Specifies the certificate enrollment server. Multiple server URLs can be listed, separated by semicolons.
@ -191,8 +187,8 @@ Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-keyprotection"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyProtection**
Optional. Specifies where to keep the private key.
> **Note**  Even if the private key is protected by TPM, it is not protected with a TPM PIN.
> [!Note]
> Even if the private key is protected by TPM, it is not protected with a TPM PIN.
The data type is an integer corresponding to one of the following values:
@ -203,7 +199,6 @@ The data type is an integer corresponding to one of the following values:
| 3 | (Default) Private key saved in software KSP. |
| 4 | Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specified, otherwise enrollment will fail. |
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-keyusage"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyUsage**
@ -238,8 +233,8 @@ Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-templatename"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/TemplateName**
Optional. OID of certificate template name.
> **Note**  This name is typically ignored by the SCEP server; therefore the MDM server typically doesnt need to provide it.
> [!Note]
> This name is typically ignored by the SCEP server; therefore the MDM server typically doesnt need to provide it.
Data type is string.
@ -294,7 +289,6 @@ Valid values are:
> **Note**  The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-validperiodunits"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriodUnits**
@ -302,8 +296,8 @@ Optional. Specifies the desired number of units used in the validity period. Thi
Data type is string.
>**Note**  The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate.
> [!Note]
> The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate.
Supported operations are Add, Get, Delete, and Replace.
@ -358,7 +352,6 @@ The only supported operation is Get.
| 16 | Action failed |
| 32 | Unknown |
<a href="" id="clientcertificateinstall-scep-uniqueid-errorcode"></a>**ClientCertificateInstall/SCEP/*UniqueID*/ErrorCode**
Optional. An integer value that indicates the HRESULT of the last enrollment error code.
@ -373,7 +366,6 @@ The only supported operation is Get.
## Example
Enroll a client certificate through SCEP.
```xml
@ -669,15 +661,4 @@ Add a PFX certificate. The PFX certificate password is encrypted with a custom c
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

27
windows/client-management/mdm/defender-csp.md
View File

@ -1,6 +1,6 @@
---
title: Defender CSP
description: Defender CSP
description: See how the Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise.
ms.assetid: 481AA74F-08B2-4A32-B95D-5A3FD05B335C
ms.reviewer:
manager: dansimp
@ -120,8 +120,6 @@ The following table describes the supported values:
| 50 | Ransomware |
| 51 | ASR Rule |
Supported operation is Get.
<a href="" id="detections-threatid-currentstatus"></a>**Detections/*ThreatId*/CurrentStatus**
@ -248,60 +246,60 @@ Supported operation is Get.
<a href="" id="health-defenderenabled"></a>**Health/DefenderEnabled**
Indicates whether the Windows Defender service is running.
The data type is a boolean.
The data type is a Boolean.
Supported operation is Get.
<a href="" id="health-rtpenabled"></a>**Health/RtpEnabled**
Indicates whether real-time protection is running.
The data type is a boolean.
The data type is a Boolean.
Supported operation is Get.
<a href="" id="health-nisenabled"></a>**Health/NisEnabled**
Indicates whether network protection is running.
The data type is a boolean.
The data type is a Boolean.
Supported operation is Get.
<a href="" id="health-quickscanoverdue"></a>**Health/QuickScanOverdue**
Indicates whether a Windows Defender quick scan is overdue for the device.
A Quick scan is overdue when a scheduled Quick scan did not complete successfully for 2 weeks and [catchup Quick scans](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupquickscan) are disabled (default)
A Quick scan is overdue when a scheduled Quick scan did not complete successfully for 2 weeks and [catchup Quick scans](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupquickscan) are disabled (default).
The data type is a boolean.
The data type is a Boolean.
Supported operation is Get.
<a href="" id="health-fullscanoverdue"></a>**Health/FullScanOverdue**
Indicates whether a Windows Defender full scan is overdue for the device.
A Full scan is overdue when a scheduled Full scan did not complete successfully for 2 weeks and [catchup Full scans](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupfullscan) are disabled (default)
A Full scan is overdue when a scheduled Full scan did not complete successfully for 2 weeks and [catchup Full scans](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupfullscan) are disabled (default).
The data type is a boolean.
The data type is a Boolean.
Supported operation is Get.
<a href="" id="health-signatureoutofdate"></a>**Health/SignatureOutOfDate**
Indicates whether the Windows Defender signature is outdated.
The data type is a boolean.
The data type is a Boolean.
Supported operation is Get.
<a href="" id="health-rebootrequired"></a>**Health/RebootRequired**
Indicates whether a device reboot is needed.
The data type is a boolean.
The data type is a Boolean.
Supported operation is Get.
<a href="" id="health-fullscanrequired"></a>**Health/FullScanRequired**
Indicates whether a Windows Defender full scan is required.
The data type is a boolean.
The data type is a Boolean.
Supported operation is Get.
@ -357,7 +355,7 @@ Supported operation is Get.
<a href="" id="health-tamperprotectionenabled"></a>**Health/TamperProtectionEnabled**
Indicates whether the Windows Defender tamper protection feature is enabled.
The data type is a boolean.
The data type is a Boolean.
Supported operation is Get.
@ -422,5 +420,4 @@ Supported operations are Get and Execute.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

2
windows/client-management/mdm/defender-ddf.md
View File

@ -1,6 +1,6 @@
---
title: Defender DDF file
description: Defender DDF file
description: See how the the OMA DM device description framework (DDF) for the **Defender** configuration service provider is used.
ms.assetid: 39B9E6CF-4857-4199-B3C3-EC740A439F65
ms.reviewer:
manager: dansimp

2
windows/client-management/mdm/enterpriseappvmanagement-csp.md
View File

@ -1,6 +1,6 @@
---
title: EnterpriseAppVManagement CSP
description: EnterpriseAppVManagement CSP
description: Examine the tree format for EnterpriseAppVManagement configuration service provider (CSP) to manage virtual applications in Windows 10 PCs.(Enterprise and Education editions).
ms.author: dansimp
ms.topic: article
ms.prod: w10

2
windows/client-management/mdm/enterpriseassignedaccess-xsd.md
View File

@ -1,6 +1,6 @@
---
title: EnterpriseAssignedAccess XSD
description: EnterpriseAssignedAccess XSD
description: This XSD can be used to validate that the lockdown XML in the \<Data\> block of the AssignedAccessXML node.
ms.assetid: BB3B633E-E361-4B95-9D4A-CE6E08D67ADA
ms.reviewer:
manager: dansimp

62
windows/client-management/mdm/federated-authentication-device-enrollment.md
View File

@ -14,7 +14,6 @@ ms.date: 07/28/2017
# Federated authentication device enrollment
This section provides an example of the mobile device enrollment protocol using federated authentication policy. When the authentication policy is set to Federated, the web authentication broker is leveraged by the enrollment client to get a security token. The enrollment client calls the web authentication broker API within the response message to start the process. The server should build the web authentication broker pages to fit the device screen and should be consistent with the existing enrollment UI. The opaque security token that is returned from the broker as an end page is used by the enrollment client as the device security secret during the client certificate request call.
The &lt;AuthenticationServiceURL&gt; element the discovery response message specifies web authentication broker page start URL.
@ -23,7 +22,6 @@ For details about the Microsoft mobile device enrollment protocol for Windows 1
## In this topic
[Discovery service](#discovery-service)
[Enrollment policy web service](#enrollment-policy-web-service)
[Enrollment web service](#enrollment-web-service)
@ -32,12 +30,10 @@ For the list of enrollment scenarios not supported in Windows 10, see [Enrollme
## Discovery service
The discovery web service provides the configuration information necessary for a user to enroll a phone with a management service. The service is a restful web service over HTTPS (server authentication only).
> **Note**  The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com.
> [!NOTE]
> The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com.
The automatic discovery flow of the device uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain “enterpriseenrollment” to the domain of the email address, and by appending the path “/EnrollmentServer/Discovery.svc”. For example, if the email address is “sample@contoso.com”, the resulting URI for first Get request would be: http:<span></span>//enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc
@ -45,28 +41,28 @@ The first request is a standard HTTP GET request.
The following example shows a request via HTTP GET to the discovery server given user@contoso.com as the email address.
```
```http
Request Full Url: http://EnterpriseEnrollment.contoso.com/EnrollmentServer/Discovery.svc
Content Type: unknown
Header Byte Count: 153
Body Byte Count: 0
```
```
```http
GET /EnrollmentServer/Discovery.svc HTTP/1.1
User-Agent: Windows Phone 8 Enrollment Client
Host: EnterpriseEnrollment.contoso.com
Pragma: no-cache
```
```
```http
Request Full Url: http://EnterpriseEnrollment.contoso.com/EnrollmentServer/Discovery.svc
Content Type: text/html
Header Byte Count: 248
Body Byte Count: 0
```
```
```http
HTTP/1.1 200 OK
Connection: Keep-Alive
Pragma: no-cache
@ -86,7 +82,7 @@ The following logic is applied:
The following example shows a request via an HTTP POST command to the discovery web service given user@contoso.com as the email address
```
```http
https://EnterpriseEnrollment.Contoso.com/EnrollmentServer/Discovery.svc
```
@ -131,24 +127,21 @@ The discovery response is in the XML format and includes the following fields:
- Authentication policy (AuthPolicy) Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory.
- In Windows, Federated is added as another supported value. This allows the server to leverage the Web Authentication Broker to perform customized user authentication, and term of usage acceptance.
> **Note**  The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.
> [!Note]
> The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.
When authentication policy is set to be Federated, Web Authentication Broker (WAB) will be leveraged by the enrollment client to get a security token. The WAB start page URL is provided by the discovery service in the response message. The enrollment client will call the WAB API within the response message to start the WAB process. WAB pages are server hosted web pages. The server should build those pages to fit the device screen nicely and be as consistent as possible to other builds in the MDM enrollment UI. The opaque security token that is returned from WAB as an endpage will be used by the enrollment client as the device security secret during the client certificate enrollment request call.
> **Note**  Instead of relying on the user agent string that is passed during authentication to get information, such as the OS version, use the following guidance:
> [!Note]
> Instead of relying on the user agent string that is passed during authentication to get information, such as the OS version, use the following guidance:
> - Parse the OS version from the data sent up during the discovery request.
> - Append the OS version as a parameter in the AuthenticationServiceURL.
> - Parse out the OS version from the AuthenticiationServiceURL when the OS sends the response for authentication.
A new XML tag, AuthenticationServiceUrl, is introduced in the DiscoveryResponse XML to allow the server to specify the WAB page start URL. For Federated authentication, this XML tag must exist.
> **Note**  The enrollment client is agnostic with regards to the protocol flows for authenticating and returning the security token. While the server might prompt for user credentials directly or enter into a federation protocol with another server and directory service, the enrollment client is agnostic to all of this. To remain agnostic, all protocol flows pertaining to authentication that involve the enrollment client are passive, that is, browser-implemented.
> [!Note]
> The enrollment client is agnostic with regards to the protocol flows for authenticating and returning the security token. While the server might prompt for user credentials directly or enter into a federation protocol with another server and directory service, the enrollment client is agnostic to all of this. To remain agnostic, all protocol flows pertaining to authentication that involve the enrollment client are passive, that is, browser-implemented.
The following are the explicit requirements for the server.
@ -170,7 +163,7 @@ After authentication is complete, the auth server should return an HTML form doc
> [!NOTE]
> To make an application compatible with strict Content Security Policy, it is usually necessary to make some changes to HTML templates and client-side code, add the policy header, and test that everything works properly once the policy is deployed.
```
```html
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
@ -237,7 +230,6 @@ The following example shows a response received from the discovery web service w
## Enrollment policy web service
Policy service is optional. By default, if no policies are specified, the minimum key length is 2k and the hash algorithm is SHA-1.
This web service implements the X.509 Certificate Enrollment Policy Protocol (MS-XCEP) specification that allows customizing certificate enrollment to match different security needs of enterprises at different times (cryptographic agility). The service processes the GetPolicies message from the client, authenticates the client, and returns matching enrollment policies in the GetPoliciesResponse message.
@ -302,9 +294,8 @@ After the user is authenticated, the web service retrieves the certificate templ
MS-XCEP supports very flexible enrollment policies using various Complex Types and Attributes. For Windows device, we will first support the minimalKeyLength, the hashAlgorithmOIDReference policies, and the CryptoProviders. The hashAlgorithmOIDReference has related OID and OIDReferenceID and policySchema in the GetPolicesResponse. The policySchema refers to the certificate template version. Version 3 of MS-XCEP supports hashing algorithms.
> **Note**  The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.
> [!NOTE]
> The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.
The following snippet shows the policy web service response.
@ -387,7 +378,6 @@ The following snippet shows the policy web service response.
## Enrollment web service
This web service implements the MS-WSTEP protocol. It processes the RequestSecurityToken (RST) message from the client, authenticates the client, requests the certificate from the CA, and returns it in the RequestSecurityTokenResponse (RSTR) to the client. Besides the issued certificate, the response also contains configurations needed to provision the DM client.
The RequestSecurityToken (RST) must have the user credential and a certificate request. The user credential in an RST SOAP envelope is the same as in GetPolicies, and can vary depending on whether the authentication policy is OnPremise or Federated. The BinarySecurityToken in an RST SOAP body contains a Base64-encoded PKCS\#10 certificate request, which is generated by the client based on the enrollment policy. The client could have requested an enrollment policy by using MS-XCEP before requesting a certificate using MS-WSTEP. If the PKCS\#10 certificate request is accepted by the certification authority (CA) (the key length, hashing algorithm, and so on match the certificate template), the client can enroll successfully.
@ -396,9 +386,8 @@ Note that the RequestSecurityToken will use a custom TokenType (http:<span></spa
The RST may also specify a number of AdditionalContext items, such as DeviceType and Version. Based on these values, for example, the web service can return device-specific and version-specific DM configuration.
> **Note**  The policy service and the enrollment service must be on the same server; that is, they must have the same host name.
> [!Note]
> The policy service and the enrollment service must be on the same server; that is, they must have the same host name.
The following example shows the enrollment web service request for federated authentication.
@ -487,9 +476,8 @@ The following example shows the enrollment web service request for federated aut
After validating the request, the web service looks up the assigned certificate template for the client, update it if needed, sends the PKCS\#10 requests to the CA, processes the response from the CA, constructs an OMA Client Provisioning XML format, and returns it in the RequestSecurityTokenResponse (RSTR).
> **Note**  The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.
> [!Note]
> The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.
Similar to the TokenType in the RST, the RSTR will use a custom ValueType in the BinarySecurityToken (http:<span></span>//schemas.microsoft.com/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc), because the token is more than an X.509 v3 certificate.
@ -553,7 +541,7 @@ The following example shows the enrollment web service response.
The following code shows sample provisioning XML (presented in the preceding package as a security token):
```
```xml
<wap-provisioningdoc version="1.1">
<characteristic type="CertificateStore">
<characteristic type="Root">
@ -640,11 +628,3 @@ The following code shows sample provisioning XML (presented in the preceding pac
- The **PrivateKeyContainer** characteristic is required and must be present in the Enrollment provisioning XML by the enrollment. Other important settings are the **PROVIDER-ID**, **NAME**, and **ADDR** parameter elements, which need to contain the unique ID and NAME of your DM provider and the address where the device can connect for configuration provisioning. The ID and NAME can be arbitrary values, but they must be unique.
- Also important is SSLCLIENTCERTSEARCHCRITERIA, which is used for selecting the certificate to be used for client authentication. The search is based on the subject attribute of the signed user certificate.
- CertificateStore/WSTEP enables certificate renewal. If the server does not support it, do not set it.

16
windows/client-management/mdm/healthattestation-csp.md
View File

@ -748,13 +748,13 @@ Each of these are described in further detail in the following sections, along w
<a href="" id="pcr0"></a>**PCR0**
<p style="margin-left: 20px">The measurement that is captured in PCR[0] typically represents a consistent view of the Host Platform between boot cycles. It contains a measurement of components that are provided by the host platform manufacturer.</p>
<p style="margin-left: 20px">Enterprise managers can create a whitelist of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the whitelist, and then make a trust decision based on the result of the comparison.</p>
<p style="margin-left: 20px">Enterprise managers can create a allow list of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the allow list, and then make a trust decision based on the result of the comparison.</p>
<p style="margin-left: 20px">If your enterprise does not have a whitelist of accepted PCR[0] values, then take no action.</p>
<p style="margin-left: 20px">If your enterprise does not have a allow list of accepted PCR[0] values, then take no action.</p>
<p style="margin-left: 20px">If PCR[0] equals an accepted whitelisted value, then allow access.</p>
<p style="margin-left: 20px">If PCR[0] equals an accepted allow list value, then allow access.</p>
<p style="margin-left: 20px">If PCR[0] does not equal any accepted whitelisted value, then take one of the following actions that align with your enterprise policies:</p>
<p style="margin-left: 20px">If PCR[0] does not equal any accepted listed value, then take one of the following actions that align with your enterprise policies:</p>
- Disallow all access
- Direct the device to an enterprise honeypot, to further monitor the device's activities.
@ -762,9 +762,9 @@ Each of these are described in further detail in the following sections, along w
<a href="" id="sbcphash"></a>**SBCPHash**
<p style="margin-left: 20px">SBCPHash is the finger print of the Custom Secure Boot Configuration Policy (SBCP) that was loaded during boot in Windows devices, except PCs.</p>
<p style="margin-left: 20px">If SBCPHash is not present, or is an accepted (whitelisted) value, then allow access.
<p style="margin-left: 20px">If SBCPHash is not present, or is an accepted allow-listed value, then allow access.
<p style="margin-left: 20px">If SBCPHash is present in DHA-Report, and is not a whitelisted value, then take one of the following actions that align with your enterprise policies:</p>
<p style="margin-left: 20px">If SBCPHash is present in DHA-Report, and is not a allow-listed value, then take one of the following actions that align with your enterprise policies:</p>
- Disallow all access
- Place the device in a watch list to monitor the device more closely for potential risks.
@ -772,9 +772,9 @@ Each of these are described in further detail in the following sections, along w
<a href="" id="cipolicy"></a>**CIPolicy**
<p style="margin-left: 20px">This attribute indicates the Code Integrity policy that is controlling the security of the boot environment.</p>
<p style="margin-left: 20px">If CIPolicy is not present, or is an accepted (whitelisted) value, then allow access.</p>
<p style="margin-left: 20px">If CIPolicy is not present, or is an accepted allow-listed value, then allow access.</p>
<p style="margin-left: 20px">If CIPolicy is present and is not a whitelisted value, then take one of the following actions that align with your enterprise policies:</p>
<p style="margin-left: 20px">If CIPolicy is present and is not a allow-listed value, then take one of the following actions that align with your enterprise policies:</p>
- Disallow all access
- Place the device in a watch list to monitor the device more closely for potential risks.

30
windows/client-management/mdm/mobile-device-enrollment.md
View File

@ -14,7 +14,6 @@ ms.date: 08/11/2017
# Mobile device enrollment
Mobile device enrollment is the first phase of enterprise management. The device is configured to communicate with the MDM server using security precautions during the enrollment process. The enrollment service verifies that only authenticated and authorized devices can be managed by their enterprise.
The enrollment process includes the following steps:
@ -33,21 +32,20 @@ The enrollment process includes the following steps:
## Enrollment protocol
There are a number of changes made to the enrollment protocol to better support a variety of scenarios across all platforms. For detailed information about the mobile device enrollment protocol, see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347).
The enrollment process involves the following steps:
**Discovery request**
### Discovery request
The discovery request is a simple HTTP post call that returns XML over HTTP. The returned XML includes the authentication URL, the management service URL, and the user credential type.
**Certificate enrollment policy**
### Certificate enrollment policy
The certificate enrollment policy configuration is an implementation of the MS-XCEP protocol, which is described in \[MS-XCEP\]: X.509 Certificate Enrollment Policy Protocol Specification. Section 4 of the specification provides an example of the policy request and response. The X.509 Certificate Enrollment Policy Protocol is a minimal messaging protocol that includes a single client request message (GetPolicies) with a matching server response message (GetPoliciesResponse). For more information, see [\[MS-XCEP\]: X.509 Certificate Enrollment Policy Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619345)
**Certificate enrollment**
### Certificate enrollment
The certificate enrollment is an implementation of the MS-WSTEP protocol.
**Management configuration**
### Management configuration
The server sends provisioning XML that contains a server certificate (for SSL server authentication), a client certificate issued by enterprise CA, DM client bootstrap information (for the client to communicate with the management server), an enterprise application token (for the user to install enterprise applications), and the link to download the Company Hub application.
The following topics describe the end-to-end enrollment process using various authentication methods:
@ -56,19 +54,18 @@ The following topics describe the end-to-end enrollment process using various au
- [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)
> **Note**  As a best practice, do not use hardcoded server-side checks on values such as:
> [!Note]
> As a best practice, do not use hardcoded server-side checks on values such as:
> - User agent string
> - Any fixed URIs that are passed during enrollment
> - Specific formatting of any value unless otherwise noted, such as the format of the device ID.
## Enrollment support for domain-joined devices
 
Devices that are joined to an on-premises Active Directory can enroll into MDM via the Work access page in **Settings**. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.
## Disable MDM enrollments
Starting in Windows 10, version 1607, IT admin can disable MDM enrollments for domain-joined PCs using Group Policy. Using the GP editor, the path is **Computer configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **MDM** &gt; **Disable MDM Enrollment**.
![Disable MDM enrollment policy in GP Editor](images/mdm-enrollment-disable-policy.png)
@ -89,7 +86,6 @@ The following scenarios do not allow MDM enrollments:
## Enrollment migration
**Desktop:** After the MDM client upgrade from Windows 8.1 to Windows 10, enrollment migration starts at the first client-initiated sync with the MDM service. The enrollment migration start time depends on the MDM server configuration. For example, for Intune it runs every 6 hours.
Until the enrollment migration is completed, the user interface will show no enrollment and server push will not work.
@ -100,7 +96,6 @@ To manually trigger enrollment migration, you can run MDMMaintenenceTask.
## Enrollment error messages
The enrollment server can decline enrollment messages using the SOAP Fault format. Errors created can be sent as follows:
```xml
@ -196,8 +191,6 @@ The enrollment server can decline enrollment messages using the SOAP Fault forma
</tbody>
</table>
 
In Windows 10, version 1507, we added the deviceenrollmentserviceerror element. Here is an example:
```xml
@ -291,20 +284,11 @@ In Windows 10, version 1507, we added the deviceenrollmentserviceerror element.
</tbody>
</table>
 
TraceID is a freeform text node which is logged. It should identify the server side state for this enrollment attempt. This information may be used by support to look up why the server declined the enrollment.
## Related topics
- [MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md)
- [Federated authentication device enrollment](federated-authentication-device-enrollment.md)
- [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)

23
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -44,7 +44,6 @@ For details about Microsoft mobile device management protocols for Windows 10 s
- [Server-initiated unenrollment failure](#server-initiated-unenrollment-failure)
- [Certificates causing issues with Wi-Fi and VPN](#certificates-causing-issues-with-wi-fi-and-vpn)
- [Version information for mobile devices](#version-information-for-mobile-devices)
- [Upgrading Windows Phone 8.1 devices with app whitelisting using ApplicationRestriction policy has issues](#upgrading-windows-phone-81-devices-with-app-whitelisting-using-applicationrestriction-policy-has-issues)
- [Apps dependent on Microsoft Frameworks may get blocked in phones prior to build 10586.218](#apps-dependent-on-microsoft-frameworks-may-get-blocked-in-phones-prior-to-build-10586218)
- [Multiple certificates might cause Wi-Fi connection instabilities in Windows 10 Mobile](#multiple-certificates-might-cause-wi-fi-connection-instabilities-in-windows-10-mobile)
- [Remote PIN reset not supported in Azure Active Directory joined mobile devices](#remote-pin-reset-not-supported-in-azure-active-directory-joined-mobile-devices)
@ -109,10 +108,23 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<ul>
<li><a href="policy-csp-applicationmanagement.md#applicationmanagement-blocknonadminuserinstall" data-raw-source="[ApplicationManagement/BlockNonAdminUserInstall](policy-csp-applicationmanagement.md#applicationmanagement-blocknonadminuserinstall)">ApplicationManagement/BlockNonAdminUserInstall</a></li>
<li><a href="policy-csp-bluetooth.md#bluetooth-setminimumencryptionkeysize" data-raw-source="[Bluetooth/SetMinimumEncryptionKeySize](policy-csp-bluetooth.md#bluetooth-setminimumencryptionkeysize)">Bluetooth/SetMinimumEncryptionKeySize</a></li>
<li><a href="policy-csp-deliveryoptimization.md#deliveryoptimization-docachehostsource" data-raw-source="[DeliveryOptimization/DOCacheHostSource](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehostsource)">DeliveryOptimization/DOCacheHostSource</a></li>
<li><a href="policy-csp-deliveryoptimization.md#deliveryoptimization-domaxbackgrounddownloadbandwidth" data-raw-source="[DeliveryOptimization/DOMaxBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxbackgrounddownloadbandwidth)">DeliveryOptimization/DOMaxBackgroundDownloadBandwidth</a></li>
<li><a href="policy-csp-deliveryoptimization.md#deliveryoptimization-domaxforegrounddownloadbandwidth" data-raw-source="[DeliveryOptimization/DOMaxForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxforegrounddownloadbandwidth)">DeliveryOptimization/DOMaxForegroundDownloadBandwidth</a></li>
<li><a href="policy-csp-education.md#education-allowgraphingcalculator" data-raw-source="[Education/AllowGraphingCalculator](policy-csp-education.md#education-allowgraphingcalculator)">Education/AllowGraphingCalculator</a></li>
<li><a href="policy-csp-textinput.md#textinput-configurejapaneseimeversion" data-raw-source="[TextInput/ConfigureJapaneseIMEVersion](policy-csp-textinput.md#textinput-configurejapaneseimeversion)">TextInput/ConfigureJapaneseIMEVersion</a></li>
<li><a href="policy-csp-textinput.md#textinput-configuresimplifiedchineseimeversion" data-raw-source="[TextInput/ConfigureSimplifiedChineseIMEVersion](policy-csp-textinput.md#textinput-configuresimplifiedchineseimeversion)">TextInput/ConfigureSimplifiedChineseIMEVersion</a></li>
<li><a href="policy-csp-textinput.md#textinput-configuretraditionalchineseimeversion" data-raw-source="[TextInput/ConfigureTraditionalChineseIMEVersion](policy-csp-textinput.md#textinput-configuretraditionalchineseimeversion)">TextInput/ConfigureTraditionalChineseIMEVersion</a></li>
<li><a href="policy-csp-textinput.md#textinput-configuretraditionalchineseimeversion" data-raw-source="[TextInput/ConfigureTraditionalChineseIMEVersion](policy-csp-textinput.md#textinput-configuretraditionalchineseimeversion)">TextInput/ConfigureTraditionalChineseIMEVersion</a></li></ul>
<p>Updated the following policy in Windows 10, version 2004:</p>
<ul>
<li><a href="policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost" data-raw-source="[DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost)">DeliveryOptimization/DOCacheHost</a></li></ul>
<p>Deprecated the following policies in Windows 10, version 2004:</p>
<ul>
<li><a href="policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth" data-raw-source="[DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth)">DeliveryOptimization/DOMaxDownloadBandwidth</a></li>
<li><a href="policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth" data-raw-source="[DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth)">DeliveryOptimization/DOMaxUploadBandwidth</a></li>
<li><a href="policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth" data-raw-source="[DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth)">DeliveryOptimization/DOPercentageMaxDownloadBandwidth</a></li></ul>
</td></tr>
<tr>
<td style="vertical-align:top"><a href="devdetail-csp.md" data-raw-source="[DevDetail CSP](devdetail-csp.md)">DevDetail CSP</a></td>
@ -1734,7 +1746,7 @@ Currently in Windows 10, version 1511, when using the ClientCertificateInstall
The software version information from **DevDetail/SwV** does not match the version in **Settings** under **System/About**.
### Upgrading Windows Phone 8.1 devices with app whitelisting using ApplicationRestriction policy has issues
### Upgrading Windows Phone 8.1 devices with app allow-listing using ApplicationRestriction policy has issues
- When you upgrade Windows Phone 8.1 devices to Windows 10 Mobile using ApplicationRestrictions with a list of allowed apps, some Windows inbox apps get blocked causing unexpected behavior. To work around this issue, you must include the [inbox apps](applocker-csp.md#inboxappsandcomponents) that you need to your list of allowed apps.
@ -1984,7 +1996,8 @@ How do I turn if off? | The service can be stopped from the "Services" console o
### June 2020
|New or updated topic | Description|
|--- | ---|
|[Policy CSP - NetworkIsolation](policy-csp-networkisolation.md)|Updated the description to Integer instead of Boolean for the following policy settings:<br>EnterpriseIPRangesAreAuthoritative, EnterpriseProxyServersAreAuthoritative|
|[BitLocker CSP](bitlocker-csp.md)|Added SKU support table for **AllowStandardUserEncryption**.|
|[Policy CSP - NetworkIsolation](policy-csp-networkisolation.md)|Updated the description from Boolean to Integer for the following policy settings:<br>EnterpriseIPRangesAreAuthoritative, EnterpriseProxyServersAreAuthoritative.|
### May 2020
|New or updated topic | Description|
@ -2932,7 +2945,7 @@ How do I turn if off? | The service can be stopped from the "Services" console o
</td></tr>
<tr class="odd">
<td style="vertical-align:top"><a href="applocker-csp.md" data-raw-source="[AppLocker CSP](applocker-csp.md)">AppLocker CSP</a></td>
<td style="vertical-align:top"><p>Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in <a href="applocker-csp.md#whitelist-examples" data-raw-source="[Whitelist examples](applocker-csp.md#whitelist-examples)">Whitelist examples</a>.</p>
<td style="vertical-align:top"><p>Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in <a href="applocker-csp.md#allow-list-examples" data-raw-source="[Allowlist examples](applocker-csp.md#allow-list-examples)">Allow list examples</a>.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top"><a href="devicemanageability-csp.md" data-raw-source="[DeviceManageability CSP](devicemanageability-csp.md)">DeviceManageability CSP</a></td>

2
windows/client-management/mdm/on-premise-authentication-device-enrollment.md
View File

@ -78,7 +78,7 @@ The following logic is applied:
- If the device is not redirected, it prompts the user for the server address.
- If the device is redirected, it prompts the user to allow the redirect.
The following example shows a request via an HTTP POST command to the discovery web service given user@contoso.com as the email address
The following example shows a request via an HTTP POST command to the discovery web service given user@contoso.com as the email address:
```
https://EnterpriseEnrollment.Contoso.com/EnrollmentServer/Discovery.svc

15
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -1075,6 +1075,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost" id="deliveryoptimization-docachehost">DeliveryOptimization/DOCacheHost</a>
</dd>
<dd>
<a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-docachehostsource" id="deliveryoptimization-docachehostsource">DeliveryOptimization/DOCacheHostSource</a>
</dd>
<dd>
<a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaybackgrounddownloadfromhttp" id="deliveryoptimization-dodelaybackgrounddownloadfromhttp">DeliveryOptimization/DODelayBackgroundDownloadFromHttp</a>
</dd>
@ -1095,6 +1098,9 @@ The following diagram shows the Policy configuration service provider in tree fo
</dd>
<dd>
<a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupidsource" id="deliveryoptimization-dogroupidsource">DeliveryOptimization/DOGroupIdSource</a>
</dd>
<dd>
<a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxbackgrounddownloadbandwidth" id="deliveryoptimization-domaxbackgrounddownloadbandwidth">DeliveryOptimization/DOMaxBackgroundDownloadBandwidth</a>
</dd>
<dd>
<a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage" id="deliveryoptimization-domaxcacheage">DeliveryOptimization/DOMaxCacheAge</a>
@ -1103,10 +1109,13 @@ The following diagram shows the Policy configuration service provider in tree fo
<a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize" id="deliveryoptimization-domaxcachesize">DeliveryOptimization/DOMaxCacheSize</a>
</dd>
<dd>
<a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth" id="deliveryoptimization-domaxdownloadbandwidth">DeliveryOptimization/DOMaxDownloadBandwidth</a>
<a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth" id="deliveryoptimization-domaxdownloadbandwidth">DeliveryOptimization/DOMaxDownloadBandwidth</a> (deprecated)
</dd>
<dd>
<a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth" id="deliveryoptimization-domaxuploadbandwidth">DeliveryOptimization/DOMaxUploadBandwidth</a>
<a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxforegrounddownloadbandwidth" id="deliveryoptimization-domaxforegrounddownloadbandwidth">DeliveryOptimization/DOMaxForegroundDownloadBandwidth</a>
</dd>
<dd>
<a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth" id="deliveryoptimization-domaxuploadbandwidth">DeliveryOptimization/DOMaxUploadBandwidth</a> (deprecated)
</dd>
<dd>
<a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos" id="deliveryoptimization-dominbackgroundqos">DeliveryOptimization/DOMinBackgroundQos</a>
@ -1133,7 +1142,7 @@ The following diagram shows the Policy configuration service provider in tree fo
<a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxbackgroundbandwidth" id="deliveryoptimization-dopercentagemaxbackgroundbandwidth">DeliveryOptimization/DOPercentageMaxBackgroundBandwidth</a>
</dd>
<dd>
<a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth" id="deliveryoptimization-dopercentagemaxdownloadbandwidth">DeliveryOptimization/DOPercentageMaxDownloadBandwidth</a>
<a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth" id="deliveryoptimization-dopercentagemaxdownloadbandwidth">DeliveryOptimization/DOPercentageMaxDownloadBandwidth</a> (deprecated)
</dd>
<dd>
<a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxforegroundbandwidth" id="deliveryoptimization-dopercentagemaxforegroundbandwidth">DeliveryOptimization/DOPercentageMaxForegroundBandwidth</a>

2
windows/client-management/mdm/policy-csp-abovelock.md
View File

@ -167,6 +167,8 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
- 7 - Added in Windows 10, version 1909.
- 8 - Added in Windows 10, version 2004.
<!--/Policies-->

2
windows/client-management/mdm/policy-csp-accounts.md
View File

@ -254,6 +254,8 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
- 7 - Added in Windows 10, version 1909.
- 8 - Added in Windows 10, version 2004.
<!--/Policies-->

2
windows/client-management/mdm/policy-csp-applicationdefaults.md
View File

@ -225,6 +225,8 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
- 7 - Added in Windows 10, version 1909.
- 8 - Added in Windows 10, version 2004.
<!--/Policies-->

11
windows/client-management/mdm/policy-csp-appruntime.md
View File

@ -99,5 +99,16 @@ ADMX Info:
<!--/Policy-->
<hr/>
Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
- 7 - Added in Windows 10, version 1909.
- 8 - Added in Windows 10, version 2004.
<!--/Policies-->

2
windows/client-management/mdm/policy-csp-appvirtualization.md
View File

@ -2066,6 +2066,8 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
- 7 - Added in Windows 10, version 1909.
- 8 - Added in Windows 10, version 2004.
<!--/Policies-->

4
windows/client-management/mdm/policy-csp-attachmentmanager.md
View File

@ -1,6 +1,6 @@
---
title: Policy CSP - AttachmentManager
description: Policy CSP - AttachmentManager
description: Manage Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local).
ms.author: dansimp
ms.topic: article
ms.prod: w10
@ -259,6 +259,8 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
- 7 - Added in Windows 10, version 1909.
- 8 - Added in Windows 10, version 2004.
<!--/Policies-->

2
windows/client-management/mdm/policy-csp-audit.md
View File

@ -4800,6 +4800,8 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
- 7 - Added in Windows 10, version 1909.
- 8 - Added in Windows 10, version 2004.
<!--/Policies-->

2
windows/client-management/mdm/policy-csp-authentication.md
View File

@ -575,6 +575,8 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
- 7 - Added in Windows 10, version 1909.
- 8 - Added in Windows 10, version 2004.
<!--/Policies-->

2
windows/client-management/mdm/policy-csp-autoplay.md
View File

@ -275,6 +275,8 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
- 7 - Added in Windows 10, version 1909.
- 8 - Added in Windows 10, version 2004.
<!--/Policies-->

2
windows/client-management/mdm/policy-csp-bitlocker.md
View File

@ -103,6 +103,8 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
- 7 - Added in Windows 10, version 1909.
- 8 - Added in Windows 10, version 2004.
<!--/Policies-->

2
windows/client-management/mdm/policy-csp-bits.md
View File

@ -548,6 +548,8 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
- 7 - Added in Windows 10, version 1909.
- 8 - Added in Windows 10, version 2004.
<!--/Policies-->

2
windows/client-management/mdm/policy-csp-camera.md
View File

@ -105,6 +105,8 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
- 7 - Added in Windows 10, version 1909.
- 8 - Added in Windows 10, version 2004.
<!--/Policies-->

2
windows/client-management/mdm/policy-csp-cellular.md
View File

@ -378,6 +378,8 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
- 7 - Added in Windows 10, version 1909.
- 8 - Added in Windows 10, version 2004.
<!--/Policies-->

2
windows/client-management/mdm/policy-csp-connectivity.md
View File

@ -1026,6 +1026,8 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
- 7 - Added in Windows 10, version 1909.
- 8 - Added in Windows 10, version 2004.
<!--/Policies-->

2
windows/client-management/mdm/policy-csp-controlpolicyconflict.md
View File

@ -124,6 +124,8 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
- 7 - Added in Windows 10, version 1909.
- 8 - Added in Windows 10, version 2004.
<!--/Policies-->

2
windows/client-management/mdm/policy-csp-credentialsdelegation.md
View File

@ -109,6 +109,8 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
- 7 - Added in Windows 10, version 1909.
- 8 - Added in Windows 10, version 2004.
<!--/Policies-->

2
windows/client-management/mdm/policy-csp-credentialsui.md
View File

@ -185,6 +185,8 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
- 7 - Added in Windows 10, version 1909.
- 8 - Added in Windows 10, version 2004.
<!--/Policies-->

2
windows/client-management/mdm/policy-csp-cryptography.md
View File

@ -172,6 +172,8 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
- 7 - Added in Windows 10, version 1909.
- 8 - Added in Windows 10, version 2004.
<!--/Policies-->

2
windows/client-management/mdm/policy-csp-dataprotection.md
View File

@ -158,6 +158,8 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
- 7 - Added in Windows 10, version 1909.
- 8 - Added in Windows 10, version 2004.
<!--/Policies-->

2
windows/client-management/mdm/policy-csp-datausage.md
View File

@ -129,6 +129,8 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
- 7 - Added in Windows 10, version 1909.
- 8 - Added in Windows 10, version 2004.
<!--/Policies-->

2
windows/client-management/mdm/policy-csp-defender.md
View File

@ -3107,6 +3107,8 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
- 7 - Added in Windows 10, version 1909.
- 8 - Added in Windows 10, version 2004.
<!--/Policies-->

Some files were not shown because too many files have changed in this diff Show More