jaimeo 2018-05-25 10:06:03 -07:00
commit e62d059f20
74 changed files with 1104 additions and 954 deletions

@ -142,7 +142,7 @@
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": false,
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",

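Review bot: `"open_to_public_contributors": true` changes who may contribute to this docset, which is a repository policy change rather than a content edit, and it is bundled into a commit that touches 74 files of documentation. Split it into its own commit, or say explicitly in the commit message that opening the docset to public contributors is intended, so the change can be reviewed and reverted on its own.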
0
[!NOTE] Normal file
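Review bot: the file list shows `[!NOTE]` as a new normal file with 0 lines, which looks like an accidentally created empty file rather than intended content. Remove it from the commit unless something actually depends on a file with that name.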

@ -10,18 +10,21 @@ ms.prod: ie11
ms.assetid:
title: Internet Explorer 11 delivery through automatic updates
ms.sitesec: library
ms.date: 05/10/2018
ms.date: 05/22/2018
---
# Internet Explorer 11 delivery through automatic updates
Internet Explorer 11 makes browsing the web faster, easier, safer, and more reliable than ever. To help customers become more secure and up-to-date, Microsoft will distribute Internet Explorer 11 through Automatic Updates and the Windows Update and Microsoft Update sites. Internet Explorer 11 will be available for users of the 32-bit and 64-bit versions of Windows 7 Service Pack 1 (SP1), and 64-bit version of Windows Server 2008 R2 SP1. This article provides an overview of the delivery process and options available for IT administrators to control how and when Internet Explorer 11 is deployed to their organization through Automatic Updates.
- [Automatic updates delivery process](#automatic-updates-delivery-process)
- [Internet Explorer 11 automatic upgrades](#internet-explorer-11-automatic-upgrades)
- [Options for blocking automatic delivery](#options-for-blocking-automatic-delivery)
- [Availability of Internet Explorer 11](#availability-of-internet-explorer 11)
- [Prevent automatic installation of Internet Explorer 11 with WSUS](#prevent-automatic-installation-of-internet-explorer-11-with-wsus)
- [Automatic updates delivery process](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#automatic-updates-delivery-process)
- [Internet Explorer 11 automatic upgrades](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#internet-explorer-11-automatic-upgrades)
- [Options for blocking automatic delivery](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#options-for-blocking-automatic-delivery)
- [Availability of Internet Explorer 11](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#availability-of-internet-explorer-11)
- [Prevent automatic installation of Internet Explorer 11 with WSUS](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#prevent-automatic-installation-of-internet-explorer-11-with-wsus)
## Automatic updates delivery process
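Review bot: the replacement table-of-contents links hard-code `https://docs.microsoft.com/en-us/...` for targets that are headings in this same article, so they pin readers to the en-us locale and the published host and break if the article is moved or renamed. The only broken anchor in the old list was `#availability-of-internet-explorer 11` (a space instead of a hyphen); correcting it to `#availability-of-internet-explorer-11` and keeping the relative anchors would be the smaller and more robust change.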

@ -9,6 +9,8 @@
## [Share HoloLens with multiple people](hololens-multiple-users.md)
## [Configure HoloLens using a provisioning package](hololens-provisioning.md)
## [Install apps on HoloLens](hololens-install-apps.md)
## [Get ready to preview new mixed reality apps for HoloLens](hololens-public-preview-apps.md)
## [Preview new mixed reality apps for HoloLens](hololens-public-preview-apps.md)
### [Microsoft Remote Assist app](hololens-microsoft-remote-assist-app.md)
### [Microsoft Layout app](hololens-microsoft-layout-app.md)
## [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md)
## [Change history for Microsoft HoloLens documentation](change-history-hololens.md)

@ -10,7 +10,7 @@ author: jdeckerms
ms.author: jdecker
ms.topic: article
ms.localizationpriority: medium
ms.date: 05/07/2018
ms.date: 05/22/2018
---
# Change history for Microsoft HoloLens documentation
@ -21,9 +21,10 @@ This topic lists new and updated topics in the [Microsoft HoloLens documentation
New or changed topic | Description
--- | ---
[Get ready to preview new mixed reality apps for HoloLens](hololens-public-preview-apps.md) | New
[Preview new mixed reality apps for HoloLens](hololens-public-preview-apps.md) | New
[Microsoft Remote Assist app](hololens-microsoft-remote-assist-app.md) | New
[Microsoft Layout app](hololens-microsoft-layout-app.md) | New
[Set up HoloLens in kiosk mode](hololens-kiosk.md) | Added instructions for setting up a guest account for kiosk mode.
## Windows 10 Holographic for Business, version 1803

@ -9,15 +9,14 @@ author: jdeckerms
ms.author: jdecker
ms.topic: article
ms.localizationpriority: medium
ms.date: 04/30/2018
ms.date: 05/22/2018
---
# Set up HoloLens in kiosk mode
>[!WARNING]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
In Windows 10, version 1803, you can configure your HoloLens devices to run as multi-app or single-app kiosks.
In Windows 10, version 1803, you can configure your HoloLens devices to run as multi-app or single-app kiosks. You can also configure guest access for a HoloLens kiosk device by [designating a SpecialGroup account in your XML file.](#guest)
When HoloLens is configured as a multi-app kiosk, only the allowed apps are available to the user. The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they dont need to access.
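Review bot: in the added sentence, the link text `[designating a SpecialGroup account in your XML file.](#guest)` swallows the sentence's final period; move the period outside the closing bracket so the link reads cleanly. The sentence also introduces guest access with no hint of what a guest can reach, so a few words pointing out that the guest gets the kiosk profile configured in the XML would help the reader judge the setting before following the link.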
@ -117,6 +116,20 @@ Follow [the instructions for creating a kiosk configuration XML file for desktop
- Do not include Classic Windows applications (Win32) since they aren't supported on HoloLens.
- Use the [placeholder Start XML](#start-kiosk) for HoloLens.
<span id="guest" />
#### Add guest access to the kiosk configuration (optional)
In the [Configs section of the XML file](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#configs), you can configure a special group account named **Visitor** to allow guests to use the kiosk. Use the following snippet in your kiosk configuration XML to enable **Visitor**:
```xml
<Configs>
<Config>
<SpecialGroup Name="Visitor" />
<DefaultProfile Id="enter a profile ID"/>
</Config>
</Configs>
```
<span id="add-xml"/>
### Add the kiosk configuration XML file to a provisioning package
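Review bot: in the added snippet, `<DefaultProfile Id="enter a profile ID"/>` leaves the reader to guess what value is expected; the paragraph above it never says where the profile ID comes from or which apps the **Visitor** account ends up with. Because this setting opens the device to guests, state which profile the ID must refer to and link to where profiles are defined, so an administrator can see exactly what guest users will be allowed to run.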

@ -0,0 +1,75 @@
---
title: Microsoft Layout
description: How to get and deploy the Microsoft Layout app throughout your organization
ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: hololens, devices
ms.sitesec: library
author: alhopper-msft
ms.author: alhopper
ms.topic: article
ms.localizationpriority: medium
ms.date: 05/21/2018
---
# Microsoft Layout
Bring designs from concept to completion with confidence and speed. Import 3D models to easily create room layouts in real-world scale. Experience designs as high-quality holograms in physical space or virtual reality and edit with stakeholders in real time. With Microsoft Layout, see ideas in context, saving valuable time and money.
## Device options and technical requirements
Below are the device options, and technical requirements, to use and deploy Microsoft Layout throughout your organization.
### Device options
Microsoft Layout works with a HoloLens, or with a Windows Mixed Reality headset with motion controllers.
#### HoloLens requirements
| OS requirements | Details |
|:----------------------------------|:-----------------------------------------------------------|
| Build 10.0.17134.77 or above | See [Manage updates to HoloLens](hololens-updates.md) for instructions on upgrading to this build. |
#### Windows Mixed Reality headset requirements
| Requirements | Details |
|:----------------------------------------------|:-----------------------------------------------------------|
| Windows 10 PC with build 16299.0 or higher | The Windows 10 PC hardware must be able to support the headset. See [Windows Mixed Reality PC hardware guidelines](https://support.microsoft.com/en-us/help/4039260/windows-10-mixed-reality-pc-hardware-guidelines) for specific hardware requirements. We recommend following the **Windows Mixed Reality Ultra** hardware guidelines. |
| Motion controllers | Motion controllers are hardware accessories that allow users to take action in mixed reality. See [Motion controllers](https://docs.microsoft.com/en-us/windows/mixed-reality/motion-controllers) to learn more. |
### Technical requirements
Have the following technical requirements in place to start using Microsoft Layout.
| Requirement | Details | Learn more |
|:----------------------------------|:------------------|:------------------|
| Azure Active Directory (Azure AD) | Required for app distribution through the [Microsoft Store for Business](https://docs.microsoft.com/en-us/microsoft-store/sign-up-microsoft-store-for-business). If you choose not to distribute the app through the Microsoft Store for Business, users can also install Layout on a HoloLens or PC from the [Microsoft Store](https://www.microsoft.com/en-us/store/apps). | [Get started with Azure AD](https://docs.microsoft.com/en-us/azure/active-directory/get-started-azure-ad) |
| Network connectivity | Internet access is required to download the app, and utilize all of its features. There are no bandwidth requirements. | |
| Apps for sharing | Video calling or screen sharing requires a separate app, such as Microsoft Remote Assist on HoloLens, or Skype or Skype for Business on Windows Mixed Reality headsets.<br/><br/>A Windows 10 PC that meets the Windows Mixed Reality Ultra specifications is also required for video calling or screen sharing when using Layout with a Windows Mixed Reality headset. | [Remote Assist](hololens-microsoft-remote-assist-app.md) <br/><br/>[Windows Mixed Reality PC hardware guidelines](https://support.microsoft.com/en-us/help/4039260/windows-10-mixed-reality-pc-hardware-guidelines) |
| Import Tool for Microsoft Layout | The Import Tool for Microsoft Layout is a companion app for Layout that makes model optimization and management easy. The Import Tool runs on Windows 10 PCs, and is required to transfer existing 3D models from your PC to Microsoft Layout, so they can be viewed and edited from the HoloLens or mixed reality headset. The Import Tool is also required to transfer Visio space dimensions to the HoloLens or Windows Mixed Reality headset. | [Import Tool for Microsoft Layout](#get-and-deploy-the-import-tool-for-microsoft-layout) |
## Get and deploy Microsoft Layout
Microsoft Layout is available from the Microsoft Store for Business for free for a limited time:
1. Go to the [Microsoft Layout](https://businessstore.microsoft.com/en-us/store/details/app/9NSJN53K3GFJ) app in the Microsoft Store for Business.
1. Click **Get the app**. Microsoft Layout is added to the **Products and Services** tab for your private store.
1. Users can open the **Products and Services** tab to install the app to their device, or you can deploy the app throughout your organization using MDM. See [Install apps on HoloLens](hololens-install-apps.md) for further instructions on deploying apps.
For a limited time, users can also [Get Microsoft Layout from the Microsoft Store](https://www.microsoft.com/store/productId/9NSJN53K3GFJ) for free.
### Get and deploy the Import Tool for Microsoft Layout
The **Import Tool for Microsoft Layout** is a companion app for Layout that makes model optimization and management easy. The Import Tool runs on Windows 10 PCs, and is required to transfer existing 3D models from your PC to Microsoft Layout, for viewing and editing on Microsoft HoloLens or a Windows Mixed Reality headset.
The companion app is available in both the Microsoft Store for Business, and the Microsoft Store, for free for a limited time:
* [Get the Microsoft Layout Import Tool](https://businessstore.microsoft.com/en-us/store/details/app/9N88Q3RXPLP0) from the Microsoft Store for Business. See [Distribute apps to your employees from Microsoft Store for Business](https://docs.microsoft.com/en-us/microsoft-store/distribute-apps-to-your-employees-microsoft-store-for-business) for instructions on using the Microsoft Store for Business, and/or MDM, to deploy Windows 10 apps throughout your organization.
* Alternately, have your users [Get the Microsoft Layout Import Tool](https://www.microsoft.com/store/productId/9N88Q3RXPLP0) from the Microsoft Store to install the app on their Windows 10 PC.
## Use Microsoft Layout
For guidance on using the features of the Microsoft Layout app, please see [Set up and use Microsoft Layout](https://support.microsoft.com/help/4294437).
## Questions and support
You can ask questions and engage with our team in the [Mixed Reality Tech Community](https://techcommunity.microsoft.com/t5/Mixed-Reality/ct-p/MixedReality).
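Review bot: the two device requirement tables state versions in different notations, `Build 10.0.17134.77 or above` for HoloLens and `build 16299.0 or higher` for the Windows 10 PC; pick one format and one wording so administrators can compare them against what their devices report. The Import Tool description is also repeated almost word for word in the technical requirements table and again under "Get and deploy the Import Tool for Microsoft Layout"; keep the full text in one place and shorten the other to a pointer.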

@ -0,0 +1,66 @@
---
title: Microsoft Remote Assist
description: How to get and deploy the Microsoft Remote Assist app throughout your organization
ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: hololens, devices
ms.sitesec: library
author: alhopper-msft
ms.author: alhopper
ms.topic: article
ms.localizationpriority: medium
ms.date: 05/22/2018
---
# Microsoft Remote Assist
Collaborate remotely with heads-up, hands-free video calling, image sharing, and mixed reality annotations. Firstline workers can share what they see with any expert on Microsoft Teams, while staying hands on to solve problems and complete tasks together, faster. Backed by enterprise-level security, Microsoft Remote Assist enables communication with peace of mind.
## Technical requirements
Below are the technical requirements to deploy and use Microsoft Remote Assist throughout your organization.
### Device requirements
| Device | OS requirements | Details |
|:---------------------------|:----------------------------------|:-----------------------------------------------------------|
| HoloLens | Build 10.0.14393.0 or above | See [Manage updates to HoloLens](https://docs.microsoft.com/en-us/HoloLens/hololens-updates) for instructions on using Windows Update for Business, MDM, and Windows Server Update Service (WSUS) to deploy updates to HoloLens. |
| Windows 10 PC (optional) | Any Windows 10 build | A Windows 10 PC can collaborate with the HoloLens using Microsoft Teams. |
> [!Note]
> HoloLens build 10.0.14393.0 is the minimum that supports Remote Assist. We recommend updating the HoloLens to newer versions when they are available.
### Licensing & product requirements
| Product required | Details | Learn more |
|:----------------------------------|:------------------|:------------------|
| Azure Active Directory (Azure AD) | Required to log users into the Remote Assist app through Microsoft Teams. Also required for app distribution through the [Microsoft Store for Business](https://docs.microsoft.com/en-us/microsoft-store/sign-up-microsoft-store-for-business). If you choose not to distribute the app through the Microsoft Store for Business, users can alternately install Remote Assist on a HoloLens or PC from the [Microsoft Store](https://www.microsoft.com/en-us/store/apps). | [Get started with Azure AD](https://docs.microsoft.com/en-us/azure/active-directory/get-started-azure-ad) |
| Microsoft Teams | Microsoft Teams facilitates communication in Remote Assist. Microsoft Teams must be installed on any device that will make calls to the HoloLens. | [Overview of Microsoft Teams](https://docs.microsoft.com/en-us/MicrosoftTeams/teams-overview) |
| Microsoft Office 365 | Because Microsoft Teams is part of Office 365, each user who will make calls from their PC/phone to the HoloLens will need an Office 365 license. | [Office 365 licensing for Microsoft Teams](https://docs.microsoft.com/en-us/MicrosoftTeams/office-365-licensing) |
### Network requirements
1.5 MB/s is the recommended bandwidth for optimal performance of Microsoft Remote Assist. Though audio/video calls may be possible in environments with reduced bandwidth, you may experience HoloLens feature degradation, limiting the user experience. To test your companys network bandwidth, follow these steps:
1. Have a Teams user video call another Teams user.
2. Add another separate video call between a 3rd and 4th user, and another for a 5th and 6th user.
3. Continue adding video callers to stress test your network bandwidth until confident that multiple users can successfully connect on video calls at the same time.
See [Preparing your organization's network for Microsoft Teams](https://docs.microsoft.com/en-us/MicrosoftTeams/prepare-network) to learn more.
## Get and deploy Microsoft Remote Assist
Microsoft Remote Assist is available from the Microsoft Store for Business for free for a limited time:
1. Go to the [Microsoft Remote Assist](https://businessstore.microsoft.com/en-us/store/details/app/9PPJSDMD680S) app in the Microsoft Store for Business.
1. Click **Get the app**. Microsoft Remote Assist is added to the **Products and Services** tab for your private store.
1. Users can open the **Products and Services** tab to install the app to their device, or you can deploy the app throughout your organization using MDM. See [Install apps on HoloLens](hololens-install-apps.md) for further instructions on deploying apps.
For a limited time, users can also [Get Microsoft Remote Assist from the Microsoft Store](https://www.microsoft.com/store/productId/9PPJSDMD680S) for free.
## Use Microsoft Remote Assist
For guidance on using the features of the Microsoft Remote Assist app, please see [Set up and use Microsoft Remote Assist](https://support.microsoft.com/en-us/help/4294812).
## Questions and support
You can ask questions and engage with our team in the [Mixed Reality Tech Community](https://techcommunity.microsoft.com/t5/Mixed-Reality/ct-p/MixedReality).
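Review bot: the introduction's "Backed by enterprise-level security" is the only security statement in this new article and nothing below it says what that covers; either point to the concrete controls (the requirements table only mentions Azure AD sign-in through Microsoft Teams) or drop the phrase. In the network requirements paragraph, confirm whether `1.5 MB/s` is meant as megabytes or megabits per second, and fix `companys` to `company's`.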

@ -14,8 +14,6 @@ ms.date: 04/30/2018
# Share HoloLens with multiple people
>[!WARNING]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
A HoloLens device can be shared by multiple Azure Active Directory (Azure AD) accounts, each with their own user settings and user data on the device.
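Review bot: the hunk header shows this article still carries `ms.date: 04/30/2018` even though the hunk shortens the section under the title by two lines, while other articles edited in this commit have `ms.date` moved to 05/21/2018 or 05/22/2018. If the convention is to bump the date on every content change, update it here as well.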

@ -14,8 +14,7 @@ ms.date: 04/30/2018
# Configure HoloLens using a provisioning package
>[!WARNING]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
[Windows provisioning](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-packages) makes it easy for IT administrators to configure end-user devices without imaging. Windows Configuration Designer is a tool for configuring images and runtime settings which are then built into provisioning packages.

@ -1,6 +1,6 @@
---
title: Get early access to preview new mixed reality apps for HoloLens
description: Here's what you need to know to prepare for the public preview of new mixed reality apps for HoloLens
title: Preview new mixed reality apps for HoloLens
description: Here's how to download and distribute new mixed reality apps for HoloLens, free for a limited time during public preview
ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: hololens, devices
@ -9,90 +9,24 @@ author: alhopper
ms.author: alhopper
ms.topic: article
ms.localizationpriority: medium
ms.date: 05/08/2018
ms.date: 05/21/2018
---
# Get ready to preview new mixed reality apps for HoloLens
# Preview new mixed reality apps for HoloLens
Microsoft has just announced two new mixed reality apps coming to HoloLens: Microsoft Remote Assist and Microsoft Layout.
On May 22, 2018, these apps will be available to download for free for a limited time from the [Microsoft Store](https://www.microsoft.com/en-us/store/apps) and [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/store) as part of a public preview. During public preview, you'll be able to distribute the apps across your organization. In the meantime, here's what you need to know to prepare for the public preview of each app, to make sure your roll-out is smooth and seamless.
The gap between the real and digital world limits our ability to take advantage of new technologies and transform how we work, learn, create, communicate, and live. **Mixed reality is here to close that gap**.
## Microsoft Remote Assist
Mixed reality has the potential to help customers and businesses across the globe do things that until now, have never been possible. Mixed reality helps businesses and employees complete crucial tasks faster, safer, more efficiently, and create new ways to connect to customers and partners.
Microsoft Remote Assist enables collaboration in mixed reality to solve problems faster. Firstline workers can collaborate remotely with heads-up, hands-free video calling, image sharing, and mixed reality annotations. They can share what they see with an expert on Microsoft Teams, while staying hands-on to solve problems and complete tasks together, faster.
Ready to get started? Check out the links below to learn more about how you can download and deploy Microsoft's new commercial-focused mixed reality apps.
Below are the technical requirements to distribute Microsoft Remote Assist throughout your organization when it's available from the [Microsoft Store](https://www.microsoft.com/en-us/store/apps) and [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/store) on May 22, 2018.
## In this section
### Device requirements
| Device | OS requirements | Details |
|:---------------------------|:----------------------------------|:-----------------------------------------------------------|
| HoloLens | Build 10.0.14393.0 or above | See [Manage updates to HoloLens](https://docs.microsoft.com/en-us/HoloLens/hololens-updates) for instructions on using Windows Update for Business, MDM, and Windows Server Update Service (WSUS) to deploy updates to HoloLens. |
| Windows 10 PC (optional) | Any Windows 10 build | You can use a Windows 10 PC to collaborate with the HoloLens. |
| Mobile device (optional) | Android or iOS | You can use a mobile device to collaborate with the HoloLens. Inking, annotations, and image insertion are not currently available on mobile. |
> [!Note]
> HoloLens build 10.0.14393.0 is the minimum that supports Remote Assist. We recommend updating the HoloLens to newer versions when they are available.
### Licensing & product requirements
| Product required | Details | Learn more |
|:----------------------------------|:------------------|:------------------|
| Azure Active Directory (Azure AD) | Required to log users into the Remote Assist app through Microsoft Teams. Also required for app distribution through the [Microsoft Store for Business](https://docs.microsoft.com/en-us/microsoft-store/sign-up-microsoft-store-for-business). If you choose not to distribute the app through the Microsoft Store for Business, users can alternately install Remote Assist on a HoloLens or PC from the [Microsoft Store](https://www.microsoft.com/en-us/store/apps) using their Microsoft Account credentials (MSA). | [Get started with Azure AD](https://docs.microsoft.com/en-us/azure/active-directory/get-started-azure-ad) |
| Microsoft Teams | Microsoft Teams facilitates communication in Remote Assist. Microsoft Teams must be installed on any device that will make calls to the HoloLens. | [Overview of Microsoft Teams](https://docs.microsoft.com/en-us/MicrosoftTeams/teams-overview) |
| Microsoft Office 365 | Because Microsoft Teams is part of Office 365, each user who will make calls from their PC/phone to the HoloLens will need an Office 365 license. | [Office 365 licensing for Microsoft Teams](https://docs.microsoft.com/en-us/MicrosoftTeams/office-365-licensing) |
### Network requirements
1.5 MB/s is the recommended bandwidth for optimal performance of Microsoft Remote Assist. Though audio/video calls may be possible in environments with reduced bandwidth, you may experience HoloLens feature degradation, limiting the user experience. To test your companys network bandwidth, follow these steps:
1. Have a mobile Teams user (iOS or Android) video call a desktop Teams user.
2. Add another separate video call between a 3rd and 4th user, and another for a 5th and 6th user.
3. Continue adding video callers to stress test your network bandwidth until confident that multiple users can successfully connect on video calls at the same time.
See [Preparing your organization's network for Microsoft Teams](https://docs.microsoft.com/en-us/MicrosoftTeams/prepare-network) to learn more.
## Microsoft Layout
Bring designs from concept to completion with confidence and speed using Microsoft Layout. Import 3D models to easily create room layouts in real-world scale. Experience designs as high-quality holograms in physical or virtual space and edit in real time. With Microsoft Layout, see ideas in context, saving valuable time and money.
Below you'll find the device options, and technical requirements to consider, before distributing Layout throughout your organization when it's available from the [Microsoft Store](https://www.microsoft.com/en-us/store/apps) and [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/store) on May 22, 2018.
### Device options
You can use Microsoft Layout with a HoloLens, or with a Windows Mixed Reality headset with motion controllers.
#### HoloLens requirements
| OS requirements | Details |
|:----------------------------------|:-----------------------------------------------------------|
| Build 10.0.17134.77 or above | This build will be available as a HoloLens update on May 22, to align with the app release. Instructions for upgrading to this build are forthcoming. |
Alternately, you can get started testing out HoloLens build 10.0.17134.77 in advance of May 22. See [HoloLens RS4 Preview](https://docs.microsoft.com/en-us/windows/mixed-reality/hololens-rs4-preview) for instructions on flashing the upcoming build to your device. Be advised that doing so will erase all content on the device, and will put the device on track to receive future pre-released versions of the OS which may exhibit bugs and issues. We recommend using preview builds for testing only.
#### Windows Mixed Reality headset requirements
| OS requirements | Details |
|:----------------------------------------------|:-----------------------------------------------------------|
| Windows 10 PC with build 16299.0 or higher | The Windows 10 PC hardware must be able to support the headset. See [Windows Mixed Reality PC hardware guidelines](https://support.microsoft.com/en-us/help/4039260/windows-10-mixed-reality-pc-hardware-guidelines) for specific hardware requirements. We recommend following the **Windows Mixed Reality Ultra** hardware guidelines. |
| Motion controllers | Motion controllers are hardware accessories that allow users to take action in mixed reality. See [Motion controllers](https://docs.microsoft.com/en-us/windows/mixed-reality/motion-controllers) to learn more. |
### Technical requirements
Have the following technical requirements in place to start using Microsoft Layout as soon as it's available:
| Requirement | Details | Learn more |
|:----------------------------------|:------------------|:------------------|
| Azure Active Directory (Azure AD) | Required for app distribution through the [Microsoft Store for Business](https://docs.microsoft.com/en-us/microsoft-store/sign-up-microsoft-store-for-business). If you choose not to distribute the app through the Microsoft Store for Business, users can also install Layout on a HoloLens or PC from the [Microsoft Store](https://www.microsoft.com/en-us/store/apps) using their Microsoft Account credentials (MSA). | [Get started with Azure AD](https://docs.microsoft.com/en-us/azure/active-directory/get-started-azure-ad) |
| Network connectivity | Internet access is required to download the app, and utilize all of its features. There are no bandwidth requirements. | |
| Apps for sharing | Video calling or screen sharing requires a separate app, such as Microsoft Remote Assist on HoloLens, or Skype or Skype for Business on Windows Mixed Reality headsets.<br/><br/>A Windows 10 PC that meets the Windows Mixed Reality Ultra specifications is also required for video calling or screen sharing when using Layout with a Windows Mixed Reality headset. | [Remote Assist](#microsoft-remote-assist) <br/><br/>[Windows Mixed Reality PC hardware guidelines](https://support.microsoft.com/en-us/help/4039260/windows-10-mixed-reality-pc-hardware-guidelines) |
| Import Tool for Microsoft Layout | The Import Tool for Microsoft Layout is a companion app for Layout that makes model optimization and management easy. The Import Tool is required to transfer existing 3D models from your PC to Microsoft Layout, for viewing and editing on HoloLens or a Windows Mixed Reality headset. To import 3D models, users must download and launch the Import Tool for Microsoft Layout on their PC, available for free from the [Microsoft Store](https://www.microsoft.com/en-us/store/apps) and [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/store) starting May 22nd. The Import Tool is also required to transfer Visio space dimensions to the HoloLens or Windows Mixed Reality headset. | |
### Visio Add-in for Microsoft Layout
The free Visio Add-in for Microsoft Layout enables you to import space dimensions from Visio to view and edit on HoloLens or in Windows Mixed Reality. The Import Tool for Microsoft Layout is also required.
Be sure to grab the Import Tool and Visio Add-in for Microsoft Layout from the [Microsoft Store](https://www.microsoft.com/en-us/store/apps) or [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/store) on May 22 if you'd like to import, view, and edit space dimensions from Visio.
| Topic | Description |
| --- | --- |
| [Microsoft Remote Assist](hololens-microsoft-remote-assist-app.md) | Microsoft Remote Assist enables collaboration in mixed reality to solve problems faster. Firstline workers can collaborate remotely with heads-up, hands-free video calling, image sharing, and mixed reality annotations. They can share what they see with an expert on Microsoft Teams, while staying hands-on to solve problems and complete tasks together, faster. |
| [Microsoft Layout](hololens-microsoft-layout-app.md ) | Bring designs from concept to completion with confidence and speed using Microsoft Layout. Import 3D models to easily create room layouts in real-world scale. Experience designs as high-quality holograms in physical or virtual space and edit in real time. With Microsoft Layout, you can see ideas in context, saving valuable time and money. |
## Questions and support
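Review bot: in the new "In this section" table, the Microsoft Layout row links to `(hololens-microsoft-layout-app.md )` with a space before the closing parenthesis, which can keep the link from resolving; remove the space so it matches the Remote Assist row. The new introductory paragraphs are also general product messaging with nothing an administrator can act on, so consider cutting them down to the sentence that leads into the two links.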

@ -14,8 +14,7 @@ ms.date: 04/30/2018
# Manage updates to HoloLens
>[!WARNING]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Windows 10, version 1803, is the first feature update to Windows Holographic for Business since its release in Windows 10, version 1607. As with desktop devices, administrators can manage updates to the HoloLens operating system using [Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb).

@ -14,8 +14,7 @@ ms.date: 04/30/2018
# Unlock Windows Holographic for Business features
>[!WARNING]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Microsoft HoloLens is available in the *Development Edition*, which runs Windows Holographic (an edition of Windows 10 designed for HoloLens), and in the [Commercial Suite](https://docs.microsoft.com/windows/mixed-reality/commercial-features), which provides extra features designed for business.

View File

@ -14,8 +14,7 @@ ms.date: 04/30/2018
# What's new in Microsoft HoloLens
>[!WARNING]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Windows 10, version 1803, is the first feature update to Windows Holographic for Business since its release in Windows 10, version 1607. This update introduces the following changes:

View File

@ -9,7 +9,7 @@ author: jdeckerms
ms.author: jdecker
ms.topic: article
ms.localizationpriority: medium
ms.date: 05/07/2018
ms.date: 05/21/2018
---
# Microsoft HoloLens
@ -33,7 +33,7 @@ ms.date: 05/07/2018
[Share HoloLens with multiple people](hololens-multiple-users.md) | Multiple users can shared a HoloLens device by using their Azure Active Directory accounts. |
| [Configure HoloLens using a provisioning package](hololens-provisioning.md) | Provisioning packages make it easy for IT administrators to configure HoloLens devices without imaging |
| [Install apps on HoloLens](hololens-install-apps.md) | Use Microsoft Store for Business, mobile device management (MDM), or the Windows Device Portal to install apps on HoloLens |
| [Get ready to preview new mixed reality apps for HoloLens](hololens-public-preview-apps.md) | Get ready to distribute and use new mixed reality apps for HoloLens during private preview |
| [Preview new mixed reality apps for HoloLens](hololens-public-preview-apps.md) | Download and deploy new mixed reality apps for HoloLens, free for a limited time during public preview |
| [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md) | Learn how to use Bitlocker device encryption to protect files and information stored on the HoloLens |
| [Change history for Microsoft HoloLens documentation](change-history-hololens.md) | See new and updated topics in the HoloLens documentation library. |
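Review bot: The rows around the changed entry still carry defects that should be fixed in the same pass: the "Share HoloLens with multiple people" row has no leading `|` and reads "Multiple users can shared a HoloLens device", and "Bitlocker" should be "BitLocker" in both the link text and the description. On the preview-apps row, "free for a limited time during public preview" will go stale, so consider dropping the pricing phrase.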

View File

@ -40,6 +40,7 @@
### [Miracast on existing wireless network or LAN](miracast-over-infrastructure.md)
### [Enable 802.1x wired authentication](enable-8021x-wired-authentication.md)
### [Using a room control system](use-room-control-system-with-surface-hub.md)
### [Using the Surface Hub Recovery Tool](surface-hub-recovery-tool.md)
## [PowerShell for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md)
## [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md)
## [Top support solutions for Surface Hub](support-solutions-surface-hub.md)

View File

@ -9,7 +9,7 @@ ms.pagetype: surfacehub
author: jdeckerms
ms.author: jdecker
ms.topic: article
ms.date: 03/06/2018
ms.date: 05/22/2018
ms.localizationpriority: medium
---
@ -17,6 +17,12 @@ ms.localizationpriority: medium
This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md).
## May 2018
New or changed topic | Description
--- | ---
[Using the Surface Hub Recovery Tool](surface-hub-recovery-tool.md) | New
## April 2018
New or changed topic | Description
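Review bot: The intro link `[Surface Hub Admin Guide]( surface-hub-administrators-guide.md)` has a space after the opening parenthesis, the same defect this commit corrects for the room control system link in the Surface Hub management table. Remove the space here as well.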

Binary file not shown.

After

Width:  |  Height:  |  Size: 76 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 56 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 62 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 58 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 71 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 77 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 12 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 116 KiB

View File

@ -41,7 +41,8 @@ Learn about managing and updating Surface Hub.
| [Connect other devices and display with Surface Hub](https://technet.microsoft.com/itpro/surface-hub/connect-and-display-with-surface-hub) | You can connect other device to your Surface Hub to display content.|
| [Miracast on existing wireless network or LAN](miracast-over-infrastructure.md) | You can use Miracast on your wireless network or LAN to connect to Surface Hub. |
[Enable 802.1x wired authentication](enable-8021x-wired-authentication.md) | 802.1x Wired Authentication MDM policies have been enabled on Surface Hub devices.
| [Using a room control system]( https://technet.microsoft.com/itpro/surface-hub/use-room-control-system-with-surface-hub) | Room control systems can be used with your Microsoft Surface Hub.|
| [Using a room control system](https://technet.microsoft.com/itpro/surface-hub/use-room-control-system-with-surface-hub) | Room control systems can be used with your Microsoft Surface Hub.|
[Using the Surface Hub Recovery Tool](surface-hub-recovery-tool.md) | Use the Surface Hub Recovery Tool to re-image the Surface Hub SSD.
## Related topics
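Review bot: The new Recovery Tool row is added without a leading or trailing `|`, unlike the room control system row directly above it; add both delimiters, and fix the 802.1x row, which has the same gap. Since this row is the entry point to a procedure that erases the SSD, the description could say so. The first row also reads "connect other device", which should be "devices".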

View File

@ -0,0 +1,98 @@
---
title: Using the Surface Hub Recovery Tool
description: How to use the Surface Hub Recovery Tool to re-image the SSD.
ms.assetid: FDB6182C-1211-4A92-A930-6C106BCD5DC1
keywords: manage Surface Hub
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub
author: jdeckerms
ms.author: jdecker
ms.topic: article
ms.date: 05/22/2018
ms.localizationpriority: medium
---
# Using the Surface Hub Recovery Tool
The [Microsoft Surface Hub Recovery Tool](https://www.microsoft.com/download/details.aspx?id=52210) helps you re-image your Surface Hub Solid State Drive (SSD) using a Windows 10 desktop device, without calling support or replacing the SSD. With this tool, you can reimage an SSD that has an unknown Administrator password, boot errors, was unable to complete a cloud recovery, or for a device that has an older version of the operating system. The tool will not fix physically damaged SSDs.
To re-image the Surface Hub SSD using the Recovery Tool, you'll need to remove the SSD from the Surface Hub, connect the drive to the USB-to-SATA cable, and then connect the cable to the desktop PC on which the Recovery Tool is installed. For more information on how to remove the existing drive from your Surface Hub, please refer to the [Surface Hub SSD Replacement Guide (PDF)](http://download.microsoft.com/download/1/F/2/1F202254-7156-459F-ABD2-39CF903A25DE/surface-hub-ssd-replacement-guide_en-us.pdf).
If the tool is unsuccessful in reimaging your drive, please contact [Surface Hub Support](https://support.microsoft.com/help/4037644/surface-contact-surface-warranty-and-software-support).
## Prerequisites
### Mandatory
- Host PC running 64-bit version of Windows 10, version 1607 or higher.
- Internet access
- Open USB 2.0 or greater port
- USB-to-SATA cable
- 10 GB of free disk space on the host computer
- SSDs shipped with Surface Hub or a SSD provided by Support as a replacement. SSDs not supplied by Microsoft are not supported.
### Recommended
- High-speed Internet connection
- Open USB 3.0 port
- USB 3.0 or higher USB-to-SATA cable
- The imaging tool was tested with the following make and model of cables:
- Startech USB312SAT3CB
- Rosewill RCUC16001
- Ugreen 20231
## Download Surface Hub Recovery Tool
Surface Hub Recovery Tool is available for download from [Surface Hub Tools for IT](https://www.microsoft.com/download/details.aspx?id=52210) under the file name **SurfaceHub_Recovery_v1.4.137.0.msi**.
To start the download, click **Download**, choose **SurfaceHub_Recovery_v1.4.137.0.msi** from the list, and click **Next**. From the pop-up, choose one of the following:
- Click **Run** to start the installation immediately.
- Click **Save** to copy the download to your computer for later installation.
Install Surface Hub Recovery Tool on the host PC.
## Run Surface Hub Recovery Tool
1. On the host PC, select the **Start** button, scroll through the alphabetical list on the left, and select the recovery tool shortcut.
![Microsoft Surface Hub Recovery Tool shortcut](images/shrt-shortcut.png)
2. Click **Start**.
![Recovery Tool Start button](images/shrt-start.png)
3. In the **Guidance** window, click **Next**.
![Do not let your machine go to sleep guidance](images/shrt-guidance.png)
4. click **Yes** to download the image. Time to download the recovery image is dependent on internet connection speeds. On an average corporate connection, it can take up to an hour to download the 8GB image file.
![Download the image?](images/shrt-download.png)
5. When the download is complete, the tool instructs you to connect an SSD drive. If the tool is unable to locate the attached drive, there is a good chance that the cable being used is not reporting the name of the SSD to Windows. The imaging tool must find the name of the drive as "LITEON L CH-128V2S USB Device" before it can continue. For more information on how to remove the existing drive from your Surface Hub, please refer to the [Surface Hub SSD Replacement Guide (PDF)](http://download.microsoft.com/download/1/F/2/1F202254-7156-459F-ABD2-39CF903A25DE/surface-hub-ssd-replacement-guide_en-us.pdf).
![Connect SSD](images/shrt-drive.png)
6. When the drive is recognized, click **Start** to begin the re-imaging process. On the warning that all data on the drive will be erased, click **OK**.
![Start re-imaging the SSD](images/shrt-drive-start.png)
Prior to applying the system image to the drive, the SSD is repartitioned and formatted. Copying the system binaries will take approximately 30 minutes, but can take longer depending on the speed of your USB bus, the cable being used, or antivirus software installed on your system.
![Copying done](images/shrt-done.png)
![Reimaging complete](images/shrt-complete.png)
## Troubleshooting and common problems
Issue | Notes
--- | ---
The tool fails to image the SSD | Make sure you are using a factory-supplied SSD and one of the tested cables.
The reimaging process appears halted/frozen | It is safe to close and restart the Surface Hub Recovery Tool with no ill effect to the SSD.
The drive isnt recognized by the tool | Verify that the Surface Hub SSD is enumerated as a Lite-On drive, "LITEON L CH-128V2S USB Device". If the drive is recognized as another named device, your current cable isnt compatible. Try another cable or one of the tested cable listed above.
Error: -2147024809 | Open Disk Manager and remove the partitions on the Surface Hub drive. Disconnect and reconnect the drive to the host machine. Restart the imaging tool again.
If the tool is unsuccessful in reimaging your drive, please contact [Surface Hub Support](https://support.microsoft.com/help/4037644/surface-contact-surface-warranty-and-software-support).
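Review bot: Both links to the SSD Replacement Guide PDF use `http://download.microsoft.com/...`; switch them to https so the guide is not fetched over plain HTTP. The page does not tell the reader that re-imaging erases the drive until the warning dialog in step 6, so state that in the introduction. Smaller points: step 4 starts with a lowercase "click"; "isnt" is missing its apostrophe twice in the troubleshooting table; "one of the tested cable listed above" should be "cables"; the "Error: -2147024809" row says "Disk Manager" where the Windows tool is Disk Management, and "Restart the imaging tool again" is redundant; the closing "please contact Surface Hub Support" sentence duplicates the one in the introduction.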

View File

@ -0,0 +1,53 @@
---
title: Inclusive Classroom IT Admin Guide
description: Learning which Inclusive Classroom features are available in which apps and in which versions of Microsoft Office.
keywords: Test
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.topic: article
ms.localizationpriority: low
ms.pagetype: edu
ROBOTS: noindex,nofollow
author: alhughes
ms.author: alhughes
ms.date: 03/18/2018
---
|Reading features|Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | Office 365 Web | Office Mac | Office iPad |
|---|---|---|---|---|---|---|---|---|---|
| Read aloud with simultaneous highlighting | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS</li></ul> | | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | | <p style="text-align: center;">X</p> | | |
| Adjustable text spacing and font size | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iPad</li><li>Outlook Web Access</li><li>Office Lens on iOS</li></ul> | | <p style="text-align: center;">X</p> |<p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | | <p style="text-align: center;">X</p> | | |
| Syllabification | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word Online</li><li>Outlook Web Access</li></ul> | | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | | <p style="text-align: center;">X</p> | | |
| Parts of speech identification | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS</li></ul> | | <p style="text-align: center;">X</p> | | | | <p style="text-align: center;">X</p> | | <p style="text-align: center;">X</p> |
| Line focus mode | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS</li></ul> | | | | | | <p style="text-align: center;">X</p> | | |
| Picture Dictionary | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS</li></ul> | | | | | | <p style="text-align: center;">X</p> | | <p style="text-align: center;">X</p> |
</br>
| Writing and proofing features | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | Office 365 Web | Office Mac | Office iPad |
|---|---|---|---|---|---|---|---|---|---|
| Dictation | <ul><li>OneNote 2016, OneNote for Windows 10</li><li>Word 2016</li><li>Outlook 2016</li><li>PowerPoint 2016</li></ul> | | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | | | | | |
| Spelling suggestions for phonetic misspellings | <ul><li>Word 2016, Word Online, Word for Mac</li><li>Outlook 2016</li></ul> | | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | | | | |
| Synonyms alongside spelling suggestions that can be read aloud | <ul><li>Word 2016</li><li>Outlook 2016</li></ul> | | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | | | | |
| Grammar checks | <ul><li>Word 2016, Word Online, Word for Mac</li><li>Outlook 2016</li></ul> | | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | | | | | |
| Customizable writing critiques | <ul><li>Word 2016, Word for Mac</li><li>Outlook 2016</li></ul> | | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | | | | | |
| Tell me what you want to do | <ul><li>Office 2016</li><li>Office Online</li><li>Office on iOS, Android, Windows 10</li></ul> | | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | | <p style="text-align: center;">X</p> | | |
| Editor | <ul><li>Word 2016</li></ul> | | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | | | | | |
</br>
| Creating accessible content features | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | Office 365 Web | Office Mac | Office iPad |
|---|---|---|---|---|---|---|---|---|---|
| Accessibility Checker | <ul><li>All Office 365 authoring applications on PC, Mac, Web</li></ul> | | | | | | | | |
| Accessible Templates | <ul><li>Word for PCs, Mac</li><li>Excel for PCs, Mac</li><li>PowerPoint for PCs, Mac</li><li>Sway on iOS, Web, Windows 10</li></ul> | | | | | | | | |
| Ability to add alt-text for images | <ul><li>Word for PCs (includes automatic suggestions for image descriptions)</li><li>SharePoint Online (includes automatic suggestions for image descriptions)</li><li>PowerPoint for PCs (includes automatic suggestions for image descriptions)</li><li>OneNote (includes automatic extraction of text in images)</li><li>All Office 365 authoring applications (include ability to add alt-text manually)</li></ul> | | | | | | | | |
| Ability to add captions to videos | <ul><li>PowerPoint for PCs</li><li>Sway on iOS, Web, Windows 10</li></ul> | | | | | | | | |
| Export as tagged PDF | <ul><li>Word for PCs, Mac</li><li>Sway on iOS, Web, Windows 10</li></ul> | | | | | | | | |
| Ability to request accessible content | <ul><li>Outlook Web Access</li></ul> | | | | | | | | |
</br>
| Communication features | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | Office 365 Web | Office Mac | Office iPad |
|---|---|---|---|---|---|---|---|---|---|
| Translate Language of Document | <ul><li>Word 2016</li><li>PowerPoint 2016</li></ul> | | | | | | | | |
| PowerPoint Translator | <ul><li>PowerPoint 2016 Add-in</li></ul> | | | | | | | | |
</br>
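Review bot: The front matter looks like leftover scaffolding: confirm or replace `keywords: Test` and `ROBOTS: noindex,nofollow` before this is published, and add a `#` heading and an introductory sentence, since the file goes straight from the metadata block into the first table. In the body, `</br>` is not a valid tag (use `<br/>`), every version column is empty in the "Creating accessible content features" and "Communication features" tables, and the Reading table mixes "Word for iOS" and "Word for iPad" for what appears to be the same app.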

View File

@ -18,7 +18,7 @@ ms.date: 10/30/2017
<div class="card">
<div class="cardImageOuter">
<div class="cardImage">
<img data-hoverimage="/media/common/i_advanced.svg" src="/media/common/i_advanced.svg" alt="" />
<img data-hoverimage="https://docs.microsoft.com/en-us/media/common/i_advanced.svg" src="https://docs.microsoft.com/en-us/media/common/i_advanced.svg" alt="" />
</div>
</div>
<div class="cardText">
@ -30,35 +30,17 @@ ms.date: 10/30/2017
</a>
</li>
<li>
<a href="https://docs.microsoft.com/education/get-started/get-started-with-microsoft-education" target="_blank">
<a href="/microsoft-365/education/index?branch=m365-integration" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage">
<img data-hoverimage="/media/common/i_get-started.svg" src="/media/common/i_get-started.svg" alt="" />
<img data-hoverimage="https://docs.microsoft.com/en-us/media/common/i_get-started.svg" src="https://docs.microsoft.com/en-us/media/common/i_get-started.svg" alt="" />
</div>
</div>
<div class="cardText">
<span class="likeAnH3">For IT Pros: Get Started using Microsoft Education</span>
</div>
</div>
</div>
</div>
</a>
</li>
<li>
<a href="/education/windows/test-windows10s-for-edu" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage">
<img data-hoverimage="/media/common/i_download-install.svg" src="/media/common/i_download-install.svg" alt="" />
</div>
</div>
<div class="cardText">
<span class="likeAnH3">Test Windows 10 S for Education</span>
<span class="likeAnH3">Deploy Microsoft 365 Education</span>
</div>
</div>
</div>
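Review bot: The new href `/microsoft-365/education/index?branch=m365-integration` pins the link to a named branch; unless that query string is meant to ship, link to the published path without `?branch=`. The anchors in this hunk also use `target="_blank"` with no `rel="noopener"`, which in browsers that do not imply it leaves `window.opener` available to the destination page; add `rel="noopener noreferrer"` where the attribute is kept.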
@ -82,18 +64,18 @@ ms.date: 10/30/2017
</div>
</li>
<li>
<a href="https://www.microsoft.com/en-us/education/buy-license/microsoft365/default.aspx" target="_blank">
<a href="/microsoft-365/education/index?branch=m365-integration#pivot=itpro&amp;panel=itpro-scd" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="images/M365-education.svg" alt="" />
<img src="https://docs.microsoft.com/en-us/media/hubs/education/education-pro-office365.svg" alt="" />
</div>
</div>
<div class="cardText">
<h3>Microsoft 365 Education</h3>
<p>Find out how to empower educators to unlock creativity, promote teamwork, and provide a simple and safe experience in a single, affordable solution built for education.</p>
<h3>Cloud deployment</h3>
<p>Get started by creating your Office 365 tenant, setting up a cloud infrastructure for your school, and creating, managing, and syncing user accounts.</p>
</div>
</div>
</div>
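Review bot: The "Cloud deployment" card uses the `education-pro-office365.svg` image with an empty `alt`, and its href carries the `?branch=m365-integration` query string together with `#pivot=itpro&amp;panel=itpro-scd`. Confirm the pivot and panel ids exist on the published page and not only on that branch, and pick an image that matches the new card title.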
@ -101,159 +83,7 @@ ms.date: 10/30/2017
</a>
</li>
<li>
<a href="https://docs.microsoft.com/education/get-started/get-started-with-microsoft-education" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-pro-get-started.svg" alt="" />
</div>
</div>
<div class="cardText">
<h3>Get started for IT Pros</h3>
<p>Get started with Microsoft Education and set up a cloud infrastructure for your school, acquire apps, and configure and deploy settings to your Windows 10 devices.</p>
</div>
</div>
</div>
</div>
</a>
</li>
<li>
<a href="https://support.office.com/en-us/article/Set-up-Office-365-for-business-6a3a29a0-e616-4713-99d1-15eda62d04fa?ui=en-US&amp;rs=en-US&amp;ad=US&amp;fromAR=1#ID0EAAAAEAAA=Education" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-pro-office365.svg" alt="" />
</div>
</div>
<div class="cardText">
<h3>Office 365 for Education</h3>
<p>Manage Office 365 users and groups, get reports, and more.</p>
</div>
</div>
</div>
</div>
</a>
</li>
<li>
<a href="/intune-education" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-pro-intune.svg" alt="" />
</div>
</div>
<div class="cardText">
<h3>Microsoft Intune for Education</h3>
<p>Manage apps and settings on your Windows 10 devices.</p>
</div>
</div>
</div>
</div>
</a>
</li>
<li>
<a href="/education/windows" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-pro-windows10.svg" alt="" />
</div>
</div>
<div class="cardText">
<h3>Windows 10 for Education</h3>
<p>Configure and deploy the most secure Windows version for your school.</p>
</div>
</div>
</div>
</div>
</a>
</li>
<li>
<a href="https://docs.microsoft.com/schooldatasync/" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-pro-school-data.svg" alt="" />
</div>
</div>
<div class="cardText">
<h3>School Data Sync</h3>
<p>Import Student Information System (SIS) into Office 365.</p>
</div>
</div>
</div>
</div>
</a>
</li>
<li>
<a href="/azure/active-directory/" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-pro-azure-directory.svg" alt="" />
</div>
</div>
<div class="cardText">
<h3>Azure Active Directory</h3>
<p>Use to create and manage user and group accounts.</p>
</div>
</div>
</div>
</div>
</a>
</li>
<li>
<a href="/microsoft-store/index?toc=/microsoft-store/education/toc.json" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-pro-store.svg" alt="" />
</div>
</div>
<div class="cardText">
<h3>Microsoft Store for Education</h3>
<p>Purchase and manage apps and licenses for your school.</p>
</div>
</div>
</div>
</div>
</a>
</li>
<li>
<a href="/education/windows/school-get-minecraft" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-pro-minecraft.svg" alt="" />
</div>
</div>
<div class="cardText">
<h3>Minecraft: Education Edition</h3>
<p>Learn how to get, distribute, and manage permissions for Minecraft: Education Edition.</p>
</div>
</div>
</div>
</div>
</a>
</li>
<li>
<a href="/education/windows/use-set-up-school-pcs-app" target="_blank">
<a href="/microsoft-365/education/index?branch=m365-integration#pivot=itpro&amp;panel=itpro-sdm" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -263,8 +93,8 @@ ms.date: 10/30/2017
</div>
</div>
<div class="cardText">
<h3>Set up School PCs</h3>
<p>Use the app to create a provisioning package that you can use to quickly set up one or more Windows 10 devices.</p>
<h3>Device Management</h3>
<p>Improve student learning outcomes through connected classrooms and engaging new technologies with streamlined device management.</p>
</div>
</div>
</div>
@ -272,7 +102,7 @@ ms.date: 10/30/2017
</a>
</li>
<li>
<a href="https://docs.microsoft.com/en-us/microsoftteams/teams-quick-start-edu" target="_blank">
<a href="/microsoft-365/education/index?branch=m365-integration#pivot=itpro&amp;panel=itpro-atft" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -282,8 +112,8 @@ ms.date: 10/30/2017
</div>
</div>
<div class="cardText">
<h3>Microsoft Teams</h3>
<p>Make the most of Microsoft Teams and find out how to deploy, launch pilot teams, and launch Teams to the rest of your organization.</p>
<h3>Tools for Teachers</h3>
<p>The latest classroom resources at teachers fingertips when you deploy Learning Tools, OneNote Class Notebooks, Teams, and more.</p>
</div>
</div>
</div>
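Review bot: In the "Tools for Teachers" text, "teachers fingertips" is missing its apostrophe and the sentence has no verb before "at". Something like "Put the latest classroom resources at teachers' fingertips when you deploy Learning Tools, OneNote Class Notebooks, Teams, and more." reads correctly.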

View File

@ -24,7 +24,7 @@ ms.topic: conceptual
[Minecraft: Education Edition](http://education.minecraft.net/) is built for learning. Watch this video to learn more about Minecraft.
<iframe width="501" height="282" src="https://www.youtube.com/embed/hl9ZQiektJE" frameborder="0" allowfullscreen></iframe>
<iframe width="501" height="282" src="https://www.youtube-nocookie.com/embed/hl9ZQiektJE" frameborder="0" allowfullscreen></iframe>
Teachers and IT administrators can now get early access to **Minecraft: Education Edition** and add it their Microsoft Store for Business for distribution.
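Review bot: The embedded iframe has no `title` attribute, and the Minecraft link on the line above it uses `http://education.minecraft.net/`; add a title and move that link to https while this block is being touched. The trailing sentence reads "add it their Microsoft Store", which is missing "to".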

View File

@ -1,7 +1,7 @@
---
title: Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode
description: Overview of Windows 10 Pro Education in S mode, switching options, and system requirements
keywords: Windows 10 Pro Education in S mode, S mode, system requirements, Overview, Windows 10 Pro in S mode, Education, EDU
keywords: S mode Switch, switch in S mode, Switch S mode, Windows 10 Pro Education in S mode, S mode, system requirements, Overview, Windows 10 Pro in S mode, Education, EDU
ms.mktglfcycl: deploy
ms.localizationpriority: high
ms.prod: w10
@ -40,10 +40,7 @@ S mode is an enhanced security mode of Windows 10 streamlined for security a
|Device Guard | | | | X |
### Windows 10 in S mode is safe, secure, and fast.
However, in some limited scenarios, you might need to switch to Windows 10 Education. You can switch devices running Windows 10, version 1709 or later. Use the following information to switch to Windows 10 Pro through the Microsoft Store.
> [!IMPORTANT]
> While its free to switch to Windows 10 Pro, its not reversible. The only way to rollback this kind of switch is through a BMR factory reset.
However, in some limited scenarios, you might need to switch to Windows 10 Education. You can switch devices running Windows 10, version 1709 or later. Use the following information to switch to Windows 10 Pro through the Microsoft Store.
## How to switch
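Review bot: The paragraph under "Windows 10 in S mode is safe, secure, and fast" names two different targets, "you might need to switch to Windows 10 Education" followed by "switch to Windows 10 Pro through the Microsoft Store", while the page title is about Windows 10 Pro Education in S mode. Name the edition the procedure actually produces and use it in both sentences.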
@ -55,8 +52,8 @@ There are two switch options available using the Microsoft Store for Education:
Tenant-wide Windows 10 Pro in S mode > Pro Education in S mode <BR>
Tenant-wide Windows 10 Pro > Pro Education
> [!NOTE]
> To rollback to Windows 10 Pro in S mode, a BMR factory reset must be performed.
> [!IMPORTANT]
> While its free to switch to Windows 10 Pro, its not reversible. The only way to rollback this kind of switch is through a [bare metal recover (BMR)](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset.
### Devices running Windows 10, version 1709
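Review bot: The IMPORTANT text contradicts itself: it says the switch is "not reversible" and that a BMR reset is "the only way to rollback this kind of switch", then ends with "it will remain out of S mode even after the device is reset". State which kind of reset restores S mode and which does not. Also, "bare metal recover" should be "bare metal recovery", "its" needs an apostrophe in both places, "rollback" used as a verb should be "roll back", and the link hard-codes the `en-us` locale.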

View File

@ -7,20 +7,25 @@ ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
ms.prod: w10
ms.date: 06/16/2016
ms.date: 05/23/2018
---
# How to Move the MBAM 2.5 Databases
Use these procedures to move the following databases from one computer to another, that is, to move the databases from Server A to Server B:
Use these procedures to move the following databases from one computer to another; from Server A to Server B, for example:
- Compliance and Audit Database
- Recovery Database
If you are moving multiple features, move them in the following order:
>[!NOTE]
>It is important that the databases be restored to Machine B PRIOR to running the MBAM Configuration Wizard to update/configure them.
If the databases are NOT present, the Configuration Wizard creates NEW, empty, databases. When your existing databases are then restored, this process will break the MBAM configuration.
Restore the databases FIRST, then run the MBAM Configuration Wizard, choose the database option, and the Configuration Wizard will “connect” to the databases you restored; upgrading them if needed as part of the process.
**If you are moving multiple features, move them in the following order:**
1. Recovery Database
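Review bot: Only the first line of the new note carries the `>` prefix, so the two paragraphs that follow ("If the databases are NOT present ..." and "Restore the databases FIRST ...") will render outside the `[!NOTE]` block; prefix them too. The note also says "Machine B" where the rest of the topic says "Server B", and since restoring in the wrong order breaks the MBAM configuration, `[!IMPORTANT]` may fit better than `[!NOTE]`.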
@ -32,13 +37,10 @@ If you are moving multiple features, move them in the following order:
5. Self-Service Portal
**Note**  
To run the example Windows PowerShell scripts provided in this topic, you must update the Windows PowerShell execution policy to enable scripts to be run. See [Running Windows PowerShell Scripts](http://technet.microsoft.com/library/ee176949.aspx) for instructions.
 
## Moving the Recovery Database
>[!Note]
>To run the example Windows PowerShell scripts provided in this topic, you must update the Windows PowerShell execution policy to enable scripts to be run. See [Running Windows PowerShell Scripts](http://technet.microsoft.com/library/ee176949.aspx) for instructions.
## Move the Recovery Database
The high-level steps for moving the Recovery Database are:
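Review bot: `>[!Note]` is cased differently from the `>[!NOTE]` used elsewhere in this file; use one form. The note tells readers to update the PowerShell execution policy without saying which setting or scope is sufficient, and its link is `http://technet.microsoft.com/...`; name the least permissive setting that lets the example scripts run and switch the link to https.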
@ -46,473 +48,537 @@ The high-level steps for moving the Recovery Database are:
2. Back up the Recovery Database on Server A
3. Install MBAM Server software and run the MBAM Server Configuration wizard on Server B
3. Move the Recovery Database from Server A to Server B
4. Move the Recovery Database from Server A to Server B
4. Restore the Recovery Database on Server B
5. Restore the Recovery Database on Server B
5. Configure access to the Database on Server B and update connection data
6. Configure access to the Database on Server B and update connection data
6. Install MBAM Server software and run the MBAM Server Configuration wizard on Server B
7. Resume the instance of the Administration and Monitoring Website
**How to move the Recovery Database**
### How to move the Recovery Database
1. **Stop all instances of the MBAM Administration and Monitoring Website**
**Stop all instances of the MBAM Administration and Monitoring Website.** On each server that is running the MBAM Administration and Monitoring Server Website, use the Internet Information Services (IIS) Manager console to stop the Administration and Monitoring Website.
- On each server that is running the MBAM Administration and Monitoring Server Website, use the Internet Information Services (IIS) Manager console to stop the Administration and Monitoring Website.
To automate this procedure, you can use Windows PowerShell to enter a command that is similar to the following:
To automate this procedure, you can use Windows PowerShell to enter a command that is similar to the following:
```syntax
PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"
``` syntax
PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"
```
```
**Note**  
To run this command, you must add the Internet Information Services (IIS) module for Windows PowerShell to the current instance of Windows PowerShell.
>[!NOTE]
>To run this command, you must add the Internet Information Services (IIS) module for Windows PowerShell to the current instance of Windows PowerShell.
 
### Back up the Recovery Database on Server A
2. **Install MBAM Server software and run the MBAM Server Configuration wizard on Server B**
1. Use the **Back Up** task in SQL Server Management Studio to back up the Recovery Database on Server A. By default, the database name is **MBAM Recovery Database**.
1. Install the MBAM 2.5 Server software on Server B. For instructions, see [Installing the MBAM 2.5 Server Software](installing-the-mbam-25-server-software.md).
2. To automate this procedure, create a SQL file (.sql) that contains the following SQL script, and change the MBAM Recovery Database to use the full recovery mode:
2. On Server B, start the MBAM Server Configuration wizard, click **Add New Features**, and then select only the **Recovery Database** feature.
```
USE master;
GO
ALTER DATABASE "MBAM Recovery and Hardware"
SET RECOVERY FULL;
GO
-- Create MBAM Recovery Database Data and MBAM Recovery logical backup devices.
USE master
GO
EXEC sp_addumpdevice 'disk', 'MBAM Recovery and Hardware Database Data Device',
'Z:\MBAM Recovery Database Data.bak';
GO
-- Back up the full MBAM Recovery Database.
BACKUP DATABASE [MBAM Recovery and Hardware] TO [MBAM Recovery and Hardware Database Data Device];
GO
BACKUP CERTIFICATE [MBAM Recovery Encryption Certificate]
TO FILE = 'Z:\SQLServerInstanceCertificateFile'
WITH PRIVATE KEY
(
FILE = ' Z:\SQLServerInstanceCertificateFilePrivateKey',
ENCRYPTION BY PASSWORD = '$PASSWORD$'
);
GO
```
Alternatively, you can use the **Enable-MbamDatabase** Windows PowerShell cmdlet to configure the Recovery Database.
3. Use the following value to replace the values in the code example with values that match your environment:
For instructions on how to configure the databases, see [How to Configure the MBAM 2.5 Databases](how-to-configure-the-mbam-25-databases.md).
**$PASSWORD$** - password that you use to encrypt the Private Key file.
3. **Back up the Recovery Database on Server A**
4. In Windows PowerShell, run the script that is stored in the file and similar to the following:
1. Use the **Back Up** task in SQL Server Management Studio to back up the Recovery Database on Server A. By default, the database name is **MBAM Recovery Database**.
```syntax
PS C:\> Invoke-Sqlcmd -InputFile
'Z:\BackupMBAMRecoveryandHardwarDatabaseScript.sql' -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$
```
5. Use the following value to replace the values in the code example with values that match your environment:
To automate this procedure, create a SQL file (.sql) that contains the following SQL script, and change the MBAM Recovery Database to use the full recovery mode:
**$SERVERNAME$\$SQLINSTANCENAME$** - server name and instance from which the Recovery Database will be backed up.
``` syntax
USE master;
GO
ALTER DATABASE "MBAM Recovery and Hardware"
SET RECOVERY FULL;
GO
-- Create MBAM Recovery Database Data and MBAM Recovery logical backup devices.
USE master
GO
EXEC sp_addumpdevice 'disk', 'MBAM Recovery and Hardware Database Data Device',
'Z:\MBAM Recovery Database Data.bak';
GO
-- Back up the full MBAM Recovery Database.
BACKUP DATABASE [MBAM Recovery and Hardware] TO [MBAM Recovery and Hardware Database Data Device];
GO
BACKUP CERTIFICATE [MBAM Recovery Encryption Certificate]
TO FILE = 'Z:\SQLServerInstanceCertificateFile'
WITH PRIVATE KEY
(
FILE = ' Z:\SQLServerInstanceCertificateFilePrivateKey',
ENCRYPTION BY PASSWORD = '$PASSWORD$'
);
GO
```
### Move the Recovery Database from Server A to Server B
Use the following value to replace the values in the code example with values that match your environment.
Use Windows Explorer to move the **MBAM Compliance Status Database Data.bak** file from Server A to Server B.
**$PASSWORD$** - password that you will use to encrypt the Private Key file.
To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following:
2. Run the script that is stored in the .sql file by using a Windows PowerShell command that is similar to the following:
```syntax
PS C:\> Copy-Item “Z:\MBAM Recovery Database Data.bak”
\\$SERVERNAME$\$DESTINATIONSHARE$
``` syntax
PS C:\> Invoke-Sqlcmd -InputFile 'Z:\BackupMBAMRecoveryandHardwarDatabaseScript.sql' -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$
```
PS C:\> Copy-Item “Z:\SQLServerInstanceCertificateFile”
\\$SERVERNAME$\$DESTINATIONSHARE$
Use the following value to replace the values in the code example with values that match your environment:
PS C:\> Copy-Item “Z:\SQLServerInstanceCertificateFilePrivateKey”
\\$SERVERNAME$\$DESTINATIONSHARE$
**$SERVERNAME$\\$SQLINSTANCENAME$** - server name and instance from which the Recovery Database will be backed up.
```
Use the information in the following table to replace the values in the code example with values that match your environment.
4. **Move the Recovery Database from Server A to Server B**
| **Parameter** | **Description** |
|----------------------|---------------------------------------------------------------|
| $SERVERNAME$ | Name of the server to which the files will be copied. |
| $DESTINATIONSHARE$ | Name of the share and path to which the files will be copied. |
|---|---|
- Use Windows Explorer to move the **MBAM Compliance Status Database Data.bak** file from Server A to Server B.
### Restore the Recovery Database on Server B
To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following:
1. Restore the Recovery Database on Server B by using the **Restore Database** task in SQL Server Management Studio.
``` syntax
PS C:\> Copy-Item “Z:\MBAM Recovery Database Data.bak” \\$SERVERNAME$\$DESTINATIONSHARE$
PS C:\> Copy-Item “Z:\SQLServerInstanceCertificateFile” \\$SERVERNAME$\$DESTINATIONSHARE$
PS C:\> Copy-Item “Z:\SQLServerInstanceCertificateFilePrivateKey” \\$SERVERNAME$\$DESTINATIONSHARE$
```
2. When the previous task finishes, select **From Device**, and then select the database backup file.
Use the information in the following table to replace the values in the code example with values that match your environment.
3. Use the **Add** command to select the **MBAM Recovery Database Data.bak** file, and click **OK** to complete the restoration process.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Parameter</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>$SERVERNAME$</p></td>
<td align="left"><p>Name of the server to which the files will be copied.</p></td>
</tr>
<tr class="even">
<td align="left"><p>$DESTINATIONSHARE$</p></td>
<td align="left"><p>Name of the share and path to which the files will be copied.</p></td>
</tr>
</tbody>
</table>
4. To automate this procedure, create a SQL file (.sql) that contains the following SQL script:
 
```syntax
-- Restore MBAM Recovery Database.
5. **Restore the Recovery Database on Server B**
USE master
1. Restore the Recovery Database on Server B by using the **Restore Database** task in SQL Server Management Studio.
GO
2. When the previous task finishes, select **From Device**, and then select the database backup file.
-- Drop certificate created by MBAM Setup.
3. Use the **Add** command to select the **MBAM Recovery Database Data.bak** file, and click **OK** to complete the restoration process.
DROP CERTIFICATE [MBAM Recovery Encryption Certificate]
To automate this procedure, create a SQL file (.sql) that contains the following SQL script:
GO
``` syntax
-- Restore MBAM Recovery Database.
USE master
GO
-- Drop certificate created by MBAM Setup.
DROP CERTIFICATE [MBAM Recovery Encryption Certificate]
GO
--Add certificate
CREATE CERTIFICATE [MBAM Recovery Encryption Certificate]
FROM FILE = 'Z: \SQLServerInstanceCertificateFile'
WITH PRIVATE KEY
(
FILE = ' Z:\SQLServerInstanceCertificateFilePrivateKey',
DECRYPTION BY PASSWORD = '$PASSWORD$'
);
GO
-- Restore the MBAM Recovery Database data and log files.
RESTORE DATABASE [MBAM Recovery and Hardware]
FROM DISK = 'Z:\MBAM Recovery Database Data.bak'
WITH REPLACE
```
--Add certificate
Use the following value to replace the values in the code example with values that match your environment.
CREATE CERTIFICATE [MBAM Recovery Encryption Certificate]
**$PASSWORD$** - password that you used to encrypt the Private Key file.
FROM FILE = 'Z:\SQLServerInstanceCertificateFile'
4. Run the script that is stored in the .sql file by using a Windows PowerShell command that is similar to the following:
WITH PRIVATE KEY
``` syntax
PS C:\> Invoke-Sqlcmd -InputFile 'Z:\RestoreMBAMRecoveryandHardwarDatabaseScript.sql' -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$
```
(
Use the following value to replace the values in the code example with values that match your environment.
FILE = ' Z:\SQLServerInstanceCertificateFilePrivateKey',
**$SERVERNAME$\\$SQLINSTANCENAME$** - Server name and instance to which the Recovery Database will be restored.
DECRYPTION BY PASSWORD = '$PASSWORD$'
6. **Configure access to the Database on Server B and update connection data**
);
1. Verify that the Microsoft SQL Server user login that enables Recovery Database access on the restored database is mapped to the access account that you provided during the configuration process.
GO
If the login is not the same, create a login by using SQL Server Management Studio, and map it to the existing database user.
-- Restore the MBAM Recovery Database data and log files.
2. On the server that is running the Administration and Monitoring Website, use the Internet Information Services (IIS) Manager console to update the connection string information for the MBAM websites.
RESTORE DATABASE [MBAM Recovery and Hardware]
3. Edit the following registry key: **HKLM\\Software\\Microsoft\\MBAM Server\\Web\\RecoveryDBConnectionString**
FROM DISK = 'Z:\MBAM Recovery Database Data.bak'
4. Update the **Data Source** value with the name of the server and instance (for example, $SERVERNAME$\\$SQLINSTANCENAME) to which the Recovery Database was moved.
WITH REPLACE
```
5. Update the **Initial Catalog** value with the recovered database name.
5. Use the following value to replace the values in the code example with values that match your environment.
To automate this process, you can use the Windows PowerShell command prompt to enter a command line on the Administration and Monitoring Server that is similar to the following:
**$PASSWORD$** - password that you used to encrypt the Private Key file.
``` syntax
PS C:\> reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM Server\Web" /v RecoveryDBConnectionString /t REG_SZ /d "Integrated Security=SSPI;Initial Catalog=$DATABASE$;Data Source=$SERVERNAME$\$SQLINSTANCENAME$" /f
PS C:\> Set-WebConfigurationProperty '/connectionStrings/add[@name="KeyRecoveryConnectionString"]' -PSPath "IIS:\sites\Microsoft Bitlocker Administration and Monitoring\MBAMAdministrationService" -Name "connectionString" -Value “Data Source=$SERVERNAME$\$SQLINSTANCENAME$;Initial Catalog=MBAM Recovery and Hardware;Integrated Security=SSPI;”
PS C:\> Set-WebConfigurationProperty '/connectionStrings/add[@name="Microsoft.Mbam.RecoveryAndHardwareDataStore.ConnectionString"]' -PSPath "IIS:\sites\Microsoft Bitlocker Administration and Monitoring\MBAMRecoveryAndHardwareService" -Name "connectionString" -Value "Data Source=$SERVERNAME$\$SQLINSTANCENAME$;Initial Catalog=MBAM Recovery and Hardware;Integrated Security=SSPI;”
```
6. In Windows PowerShell, run the script that is stored in the file and similar to the following:
**Note**  
This connection string is shared by all local MBAM web applications. Therefore, it needs to be updated only once per server.
```syntax
PS C:\> Invoke-Sqlcmd -InputFile 'Z:\RestoreMBAMRecoveryandHardwarDatabaseScript.sql' -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$
```
7. Use the following value to replace the values in the code example with values that match your environment.
 
**$SERVERNAME$\$SQLINSTANCENAME$** - Server name and instance to which the Recovery Database will be restored.
Use the following table to replace the values in the code example with values that match your environment.
### Configure access to the Database on Server B and update connection data
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Parameter</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>$SERVERNAME$\$SQLINSTANCENAME$</p></td>
<td align="left"><p>Server name and instance of SQL Server where the Recovery Database is located.</p></td>
</tr>
<tr class="even">
<td align="left"><p>$DATABASE$</p></td>
<td align="left"><p>Name of the Recovery database.</p></td>
</tr>
</tbody>
</table>
1. Verify that the Microsoft SQL Server user login that enables Recovery Database access on the restored database is mapped to the access account that you provided during the configuration process.
 
>[!NOTE]
>If the login is not the same, create a login by using SQL Server Management Studio, and map it to the existing database user.
7. **Resume the instance of the Administration and Monitoring Website**
2. On the server that is running the Administration and Monitoring Website, use the Internet Information Services (IIS) Manager console to update the connection string information for the MBAM websites.
1. On the server that is running the Administration and Monitoring Website, use the Internet Information Services (IIS) Manager console to start the Administration and Monitoring Website.
3. Edit the following registry key:
2. To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following:
**HKLM\\Software\\Microsoft\\MBAM Server\\Web\\RecoveryDBConnectionString**
``` syntax
PS C:\> Start-Website "Microsoft BitLocker Administration and Monitoring"
```
4. Update the **Data Source** value with the name of the server and instance (for example, \$SERVERNAME\$\\\$SQLINSTANCENAME) to which the Recovery Database was moved.
**Note**  
To run this command, you must add the IIS module for Windows PowerShell to the current instance of Windows PowerShell.
5. Update the **Initial Catalog** value with the recovered database name.
 
6. To automate this process, you can use the Windows PowerShell command prompt to enter a command line on the Administration and Monitoring Server that is similar to the following:
## Moving the Compliance and Audit Database
```syntax
PS C:\> reg add "HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\MBAM Server\\Web" /v
RecoveryDBConnectionString /t REG_SZ /d "Integrated Security=SSPI;Initial
Catalog=$DATABASE$;Data Source=$SERVERNAME$\$SQLINSTANCENAME$" /f
PS C:\> Set-WebConfigurationProperty
'connectionStrings/add[@name="KeyRecoveryConnectionString"]' -PSPath
"IIS:\sites\Microsoft Bitlocker Administration and
Monitoring\MBAMAdministrationService" -Name "connectionString" -Value “Data
Source=$SERVERNAME$\$SQLINSTANCENAME$;Initial Catalog=MBAM Recovery and
Hardware;Integrated Security=SSPI;”
PS C:\> Set-WebConfigurationProperty
'connectionStrings/add[\@name="Microsoft.Mbam.RecoveryAndHardwareDataStore.ConnectionString"]'
-PSPath "IIS:\sites\Microsoft Bitlocker Administration and
Monitoring\MBAMRecoveryAndHardwareService" -Name "connectionString" -Value
"Data Source=$SERVERNAME$\$SQLINSTANCENAME$;Initial Catalog=MBAM Recovery
and Hardware;Integrated Security=SSPI;”
```
>[!Note]
>This connection string is shared by all local MBAM web applications. Therefore, it needs to be updated only once per server.
7. Use the following table to replace the values in the code example with values that match your environment.
```html
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Parameter</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>$SERVERNAME$\$SQLINSTANCENAME$</p></td>
<td align="left"><p>Server name and instance of SQL Server where the Recovery Database is located.</p></td>
</tr>
<tr class="even">
<td align="left"><p>$DATABASE$</p></td>
<td align="left"><p>Name of the Recovery database.</p></td>
</tr>
</tbody>
</table>
```
### Install MBAM Server software and run the MBAM Server Configuration wizard on Server B
1. Install the MBAM 2.5 Server software on Server B. For details, see [Installing the MBAM 2.5 Server Software](https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/installing-the-mbam-25-server-software).
2. On Server B, start the MBAM Server Configuration wizard, click **Add New Features**, and then select only the **Recovery Database** feature. For details on how to configure the databases, see [How to Configure the MBAM 2.5 Databases](https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/how-to-configure-the-mbam-25-databases).
>[!TIP]
>Alternatively, you can use the **Enable-MbamDatabase** Windows PowerShell cmdlet to configure the Recovery Database.
### Resume the instance of the Administration and Monitoring Website
On the server that is running the Administration and Monitoring Website, use the Internet Information Services (IIS) Manager console to start the Administration and Monitoring Website.
To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following:
```syntax
PS C:\> Start-Website "Microsoft BitLocker Administration and Monitoring"
```
>[!NOTE]
>To run this command, you must add the IIS module for Windows PowerShell to the current instance of Windows PowerShell.
## Move the Compliance and Audit Database
The high-level steps for moving the Compliance and Audit Database are:
1. Stop all instances of the MBAM Administration and Monitoring Website
2. Install MBAM Server software and run the MBAM Server Configuration wizard on Server B
2. Back up the Compliance and Audit Database on Server A
3. Back up the Compliance and Audit Database on Server A
3. Move the Compliance and Audit Database from Server A to Server B
4. Move the Compliance and Audit Database from Server A to Server B
4. Restore the Compliance and Audit Database on Server B
5. Restore the Compliance and Audit Database on Server B
5. Configure access to the Database on Server B and update connection data
6. Configure access to the Database on Server B and update connection data
6. Install MBAM Server software and run the MBAM Server Configuration wizard on
Server B
7. Resume the instance of the Administration and Monitoring Website
**How to move the Compliance and Audit Database**
### How to move the Compliance and Audit Database
1. **Stop all instances of the MBAM Administration and Monitoring Website**
**Stop all instances of the MBAM Administration and Monitoring Website.** On each server that is running the MBAM Administration and Monitoring Server Website, use the Internet Information Services (IIS) Manager console to stop the Administration and Monitoring Website.
- On each server that is running the MBAM Administration and Monitoring Server Website, use the Internet Information Services (IIS) Manager console to stop the Administration and Monitoring Website.
To automate this procedure, you can use Windows PowerShell to enter a command that is similar to the following:
To automate this procedure, you can use Windows PowerShell to enter a command that is similar to the following:
```syntax
PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"
``` syntax
PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"
```
```
**Note**  
To run this command, you must add the Internet Information Services (IIS) module for Windows PowerShell to the current instance of Windows PowerShell.
>[!NOTE]
>To run this command, you must add the Internet Information Services (IIS) module for Windows PowerShell to the current instance of Windows PowerShell.
 
### Back up the Compliance and Audit Database on Server A
2. **Install MBAM Server software and run the MBAM Server Configuration wizard on Server B**
1. Use the **Back Up** task in SQL Server Management Studio to back up the Compliance and Audit Database on Server A. By default, the database name is **MBAM Compliance Status Database**.
1. Install the MBAM 2.5 Server software on Server B. For instructions, see [Installing the MBAM 2.5 Server Software](installing-the-mbam-25-server-software.md).
2. To automate this procedure, create a SQL file (.sql) that contains the following SQL script:
2. On Server B, start the MBAM Server Configuration wizard, click **Add New Features**, and then select only the **Compliance and Audit Database** feature.
```syntax
Alternatively, you can use the **Enable-MbamDatabase** Windows PowerShell cmdlet to configure the Compliance and Audit Database.
USE master;
For instructions on how to configure the databases, see [How to Configure the MBAM 2.5 Databases](how-to-configure-the-mbam-25-databases.md).
GO
3. **Back up the Compliance and Audit Database on Server A**
ALTER DATABASE "MBAM Compliance Status"
1. Use the **Back Up** task in SQL Server Management Studio to back up the Compliance and Audit Database on Server A. By default, the database name is **MBAM Compliance Status Database**.
SET RECOVERY FULL;
To automate this procedure, create a SQL file (.sql) that contains the following SQL script:
GO
``` syntax
USE master;
GO
ALTER DATABASE "MBAM Compliance Status"
SET RECOVERY FULL;
GO
-- Create MBAM Compliance Status Data logical backup devices.
USE master
GO
EXEC sp_addumpdevice 'disk', 'MBAM Compliance Status Database Data Device',
'Z: \MBAM Compliance Status Database Data.bak';
GO
-- Back up the full MBAM Compliance Recovery database.
BACKUP DATABASE [MBAM Compliance Status] TO [MBAM Compliance Status Database Data Device];
GO
```
-- Create MBAM Compliance Status Data logical backup devices.
2. Run the script that is stored in the .sql file by using a Windows PowerShell command that is similar to the following:
USE master
``` syntax
PS C:\> Invoke-Sqlcmd -InputFile "Z:\BackupMBAMComplianceStatusDatabaseScript.sql" ServerInstance $SERVERNAME$\$SQLINSTANCENAME$
```
GO
Using the following value, replace the values in the code example with values that match your environment:
EXEC sp_addumpdevice 'disk', 'MBAM Compliance Status Database Data Device',
**$SERVERNAME$\\$SQLINSTANCENAME$** - server name and instance from which the Compliance and Audit Database will be backed up.
'Z: \MBAM Compliance Status Database Data.bak';
4. **Move the Compliance and Audit Database from Server A to Server B**
GO
- Use Windows Explorer to move the **MBAM Compliance Status Database Data.bak** file from Server A to Server B.
-- Back up the full MBAM Compliance Recovery database.
To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following:
BACKUP DATABASE [MBAM Compliance Status] TO [MBAM Compliance Status Database Data Device];
``` syntax
PS C:\> Copy-Item "Z:\MBAM Compliance Status Database Data.bak" \\$SERVERNAME$\$DESTINATIONSHARE$
```
GO
Using the following table, replace the values in the code example with values that match your environment.
```
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Parameter</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>$SERVERNAME$</p></td>
<td align="left"><p>Name of the server to which the files will be copied.</p></td>
</tr>
<tr class="even">
<td align="left"><p>$DESTINATIONSHARE$</p></td>
<td align="left"><p>Name of the share and path to which the files will be copied.</p></td>
</tr>
</tbody>
</table>
3. Run the script that is stored in the .sql file by using a Windows PowerShell command that is similar to the following:
 
```syntax
PS C:\> Invoke-Sqlcmd -InputFile "Z:\BackupMBAMComplianceStatusDatabaseScript.sql" ServerInstance $SERVERNAME$\$SQLINSTANCENAME$
5. **Restore the Compliance and Audit Database on Server B**
```
1. Restore the Compliance and Audit Database on Server B by using the **Restore Database** task in SQL Server Management Studio.
4. Using the following value, replace the values in the code example with values that match your environment:
2. When the previous task finishes, select **From Device**, and then select the database backup file.
**$SERVERNAME$\$SQLINSTANCENAME$** - server name and instance from which the Compliance and Audit Database will be backed up.
3. Use the **Add** command to select the **MBAM Compliance Status Database Data.bak** file, and click **OK** to complete the restoration process.
### Move the Compliance and Audit Database from Server A to Server B**
To automate this procedure, create a SQL file (.sql) that contains the following SQL script:
1. Use Windows Explorer to move the **MBAM Compliance Status Database Data.bak** file from Server A to Server B.
``` syntax
-- Create MBAM Compliance Status Database Data logical backup devices.
Use master
GO
-- Restore the MBAM Compliance Status database data files.
RESTORE DATABASE [MBAM Compliance Status]
FROM DISK = 'C:\test\MBAM Compliance Status Database Data.bak'
WITH REPLACE
```
2. To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following:
4. Run the script that is stored in the .sql file by using a Windows PowerShell command that is similar to the following:
```syntax
PS C:\> Copy-Item "Z:\MBAM Compliance Status Database Data.bak"
\\$SERVERNAME$\$DESTINATIONSHARE$
``` syntax
PS C:\> Invoke-Sqlcmd -InputFile "Z:\RestoreMBAMComplianceStatusDatabaseScript.sql" -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$
```
```
Using the following value, replace the values in the code example with values that match your environment.
3. Using the following table, replace the values in the code example with values that match your environment.
**$SERVERNAME$\\$SQLINSTANCENAME$** - Server name and instance to which the Compliance and Audit Database will be restored.
| **Parameter** | **Description** |
|----------------------|---------------------------------------------------------------|
| $SERVERNAME$ | Name of the server to which the files will be copied. |
| $DESTINATIONSHARE$ | Name of the share and path to which the files will be copied. |
|---|---|
6. **Configure access to the Database on Server B and update connection data**
### Restore the Compliance and Audit Database on Server B
1. Verify that the Microsoft SQL Server user login that enables Compliance and Audit Database access on the restored database is mapped to the access account that you provided during the configuration process.
1. Restore the Compliance and Audit Database on Server B by using the **Restore Database** task in SQL Server Management Studio.
If the login is not the same, create a login by using SQL Server Management Studio, and map it to the existing database user.
2. When the previous task finishes, select **From Device**, and then select the database backup file.
2. On the server that is running the Administration and Monitoring Website, use the Internet Information Services (IIS) Manager console to update the connection string information for the Website.
3. Use the **Add** command to select the **MBAM Compliance Status Database Data.bak** file and click **OK** to complete the restoration process.
3. Edit the following registry key: **HKLM\\Software\\Microsoft\\MBAM Server\\Web\\ComplianceDBConnectionString**
4. To automate this procedure, create a SQL file (.sql) that contains the following SQL script:
4. Update the **Data Source** value with the name of the server and instance (for example, $SERVERNAME$\\$SQLINSTANCENAME) to which the Recovery Database was moved.
```syntax
-- Create MBAM Compliance Status Database Data logical backup devices.
5. Update the **Initial Catalog** value with the recovered database name.
Use master
To automate this process, you can use the Windows PowerShell command prompt to enter a command line on the Administration and Monitoring Server that is similar to the following:
GO
``` syntax
PS C:\> reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM Server\Web" /v ComplianceDBConnectionString /t REG_SZ /d "Integrated Security=SSPI;Initial Catalog=$DATABASE$;Data Source=$SERVERNAME$\$SQLINSTANCENAME$" /f
```
-- Restore the MBAM Compliance Status database data files.
**Note**  
This connection string is shared by all local MBAM web applications. Therefore, it needs to be updated only once per server.
RESTORE DATABASE [MBAM Compliance Status]
 
FROM DISK = 'C:\test\MBAM Compliance Status Database Data.bak'
Using the following table, replace the values in the code example with values that match your environment.
WITH REPLACE
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Parameter</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>$SERVERNAME$\$SQLINSTANCENAME$</p></td>
<td align="left"><p>Server name and instance of SQL Server where the Recovery Database is located.</p></td>
</tr>
<tr class="even">
<td align="left"><p>$DATABASE$</p></td>
<td align="left"><p>Name of the recovered database.</p></td>
</tr>
</tbody>
</table>
```
 
5. In Windows PowerShell, run the script that is stored in the file and similar to the following:
7. **Resume the instance of the Administration and Monitoring Website**
```syntax
PS C:\> Invoke-Sqlcmd -InputFile "Z:\RestoreMBAMComplianceStatusDatabaseScript.sql" -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$
1. On the server that is running the Administration and Monitoring Website, use the Internet Information Services (IIS) Manager console to start the Administration and Monitoring Website.
```
2. To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following:
6. Using the following value, replace the values in the code example with values that match your environment.
``` syntax
PS C:\> Start-Website "Microsoft BitLocker Administration and Monitoring"
```
**$SERVERNAME$\$SQLINSTANCENAME$** - Server name and instance to which the Compliance and Audit Database will be restored.
**Note**  
To run this command, you must add the IIS module for Windows PowerShell to the current instance of Windows PowerShell.
### Configure access to the Database on Server B and update connection data
 
1. Verify that the Microsoft SQL Server user login that enables Compliance and Audit Database access on the restored database is mapped to the access account that you provided during the configuration process.
>[!NOTE]
>If the login is not the same, create a login by using SQL Server Management Studio, and map it to the existing database user.
2. On the server that is running the Administration and Monitoring Website, use the Internet Information Services (IIS) Manager console to update the connection string information for the Website.
## Related topics
3. Edit the following registry key:
**HKLM\\Software\\Microsoft\\MBAM Server\\Web\\ComplianceDBConnectionString**
[How to Configure the MBAM 2.5 Databases](how-to-configure-the-mbam-25-databases.md)
4. Update the **Data Source** value with the name of the server and instance (for example, \$SERVERNAME\$\\\$SQLINSTANCENAME) to which the Recovery Database was moved.
[Configuring MBAM 2.5 Server Features by Using Windows PowerShell](configuring-mbam-25-server-features-by-using-windows-powershell.md)
5. Update the **Initial Catalog** value with the recovered database name.
[Moving MBAM 2.5 Features to Another Server](moving-mbam-25-features-to-another-server.md)
6. To automate this process, you can use the Windows PowerShell command prompt to enter a command line on the Administration and Monitoring Server that is similar to the following:
 
```syntax
PS C:\> reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM Server\Web" /v
ComplianceDBConnectionString /t REG_SZ /d "Integrated Security=SSPI;Initial
Catalog=$DATABASE$;Data Source=$SERVERNAME$\$SQLINSTANCENAME$" /f
 
## Got a suggestion for MBAM?
- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring).
- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
```
>[!NOTE]
>This connection string is shared by all local MBAM web applications. Therefore, it needs to be updated only once per server.
7. Using the following table, replace the values in the code example with values that match your environment.
```html
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Parameter</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>$SERVERNAME$\$SQLINSTANCENAME$</p></td>
<td align="left"><p>Server name and instance of SQL Server where the Recovery Database is located.</p></td>
</tr>
<tr class="even">
<td align="left"><p>$DATABASE$</p></td>
<td align="left"><p>Name of the recovered database.</p></td>
</tr>
</tbody>
</table>
```
### Install MBAM Server software and run the MBAM Server Configuration wizard on Server B
1. Install the MBAM 2.5 Server software on Server B. For details, see [Installing the MBAM 2.5 Server Software](https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/installing-the-mbam-25-server-software).
2. On Server B, start the MBAM Server Configuration wizard, click **Add New Features**, and then select only the **Compliance and Audit Database** feature. For details on how to configure the databases, see [How to Configure the MBAM 2.5 Databases](https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/how-to-configure-the-mbam-25-databases).
>[!TIP]
>Alternatively, you can use the **Enable-MbamDatabase** Windows PowerShell cmdlet to configure the Compliance and Audit Database.
### Resume the instance of the Administration and Monitoring Website
On the server that is running the Administration and Monitoring Website, use the Internet Information Services (IIS) Manager console to start the Administration and Monitoring Website.
To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following:
```syntax
PS C:\> Start-Website "Microsoft BitLocker Administration and Monitoring"
```
>[!NOTE]
>To run this command, you must add the IIS module for Windows PowerShell to the current instance of Windows PowerShell.
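Review bot: In the "Configure access to the Database on Server B" steps, step 4 and the parameter table describe the Data Source as the server "to which the Recovery Database was moved" and "where the Recovery Database is located", but the value being edited is ComplianceDBConnectionString and the rest of the procedure restores the Compliance and Audit Database. This reads as text carried over from the Recovery Database topic and should name the Compliance and Audit Database. Separately, the reg add example is shown at a PS C:\> prompt with a double-quoted /d value containing $DATABASE$ and $SERVERNAME$\$SQLINSTANCENAME$; PowerShell expands $-prefixed names inside double quotes, so state next to the example that the placeholders must be replaced before the command is run.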

View File

@ -31,7 +31,7 @@ Weve been working on bug fixes and performance improvements to provide you a
| | |
|-----------------------|---------------------------------|
| ![Private store performance icon](images/perf-improvement-icon.png) |**Performance improvements in private store**<br /><br /> We've made it significantly faster for you to update the private store. Many changes to the private store are available immediately after you make them. <br /><br />[Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-performance)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
| <iframe width="288" height="232" src="https://www.youtube.com/embed/IpLIZU_j7Z0" frameborder="0" allowfullscreen></iframe>| **Manage Windows device deployment with Windows Autopilot Deployment** <br /><br /> In Microsoft Store for Business, you can manage devices for your organization and apply an Autopilot deployment profile to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows, based on the Autopilot deployment profile you applied to the device.<br /><br />[Get more info](add-profile-to-devices.md)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
| <iframe width="288" height="232" src="https://www.youtube-nocookie.com/embed/IpLIZU_j7Z0" frameborder="0" allowfullscreen></iframe>| **Manage Windows device deployment with Windows Autopilot Deployment** <br /><br /> In Microsoft Store for Business, you can manage devices for your organization and apply an Autopilot deployment profile to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows, based on the Autopilot deployment profile you applied to the device.<br /><br />[Get more info](add-profile-to-devices.md)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
| ![Microsoft Store for Business Settings page, Distribute tab showing app requests setting.](images/msfb-wn-1709-app-request.png) |**Request an app**<br /><br />People in your organization can reqest additional licenses for apps in your private store, and then Admins or Purchasers can make the purchases. <br /><br />[Get more info](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#request-apps)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
|| ![Image showing Add a Collection.](images/msfb-add-collection.png) |**Private store collections**<br /><br> You can groups of apps in your private store with **Collections**. This can help you organize apps and help people find apps for their job or classroom. <br /><br />[Get more info](https://review.docs.microsoft.com/microsoft-store/manage-private-store-settings?branch=msfb-14856406#add-a-collection)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
-->
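Review bot: The "Private store collections" row in this hunk links to review.docs.microsoft.com with ?branch=msfb-14856406, a review-site URL pinned to a working branch, which should not ship in a public repo; point it at docs.microsoft.com/microsoft-store/manage-private-store-settings#add-a-collection like the other rows. While touching this table, the same row starts with a doubled pipe and reads "You can groups of apps", and the "Request an app" row has "reqest". The switch of the iframe src to youtube-nocookie.com itself looks fine.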

View File

@ -2601,6 +2601,7 @@ The following list shows the configuration service providers supported in Window
| [NodeCache CSP](nodecache-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
[PassportForWork CSP](passportforwork-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
| [Policy CSP](policy-configuration-service-provider.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
| [RemoteWipe CSP](remotewipe-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)4 |
| [RootCATrustedCertificates CSP](rootcacertificates-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
| [Update CSP](update-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
| [VPN2 CSP](vpnv2-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
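Review bot: The new RemoteWipe CSP row ends with a bare "4" after the check-mark image. If that is a footnote reference, mark it up as a superscript and confirm that footnote 4 is defined under this table; if it is not, drop it. The PassportForWork CSP row just above is also missing its leading pipe, so the rows around the insertion do not line up as one table.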

View File

@ -10,7 +10,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 04/26/2018
ms.date: 05/11/2018
---
# What's new in MDM enrollment and management
@ -1626,6 +1626,31 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
## Change history in MDM documentation
### May 2018
<table class="mx-tdBreakAll">
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<thead>
<tr class="header">
<th>New or updated topic</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td style="vertical-align:top">[Policy DDF file](policy-ddf-file.md)</td>
<td style="vertical-align:top"><p>Updated the DDF files in the Windows 10 version 1703 and 1709.</p>
<ul>
<li>[Download the Policy DDF file for Windows 10, version 1709](http://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml)</li>
<li>[Download the Policy DDF file for Windows 10, version 1703](http://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml)</li>
</ul>
</td></tr>
</tbody>
</table>
### April 2018
<table class="mx-tdBreakAll">
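Review bot: Both "Download the Policy DDF file" links in the new May 2018 entry use http://download.microsoft.com. These are XML policy definitions that admins feed into MDM tooling, so the links should be https:// to avoid fetching them over an unauthenticated channel. Also, the links and the "Policy DDF file" reference are written in Markdown syntax inside raw td and li elements; check the rendered page, since Markdown inside an HTML block is often left unprocessed, and use anchor tags if it is. Minor: "in the Windows 10 version 1703 and 1709" should read "for Windows 10, versions 1703 and 1709".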

View File

@ -201,14 +201,14 @@ ADMX Info:
<!--Description-->
Added in Windows 10, version 1709. Boolean policy to disable the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device.
The Windows 10 Automatic ReDeployment feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the automatic redeployment is triggered the devices are for ready for use by information workers or students.
The Autopilot Reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the Autopilot Reset is triggered the devices are for ready for use by information workers or students.
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 - Enable the visibility of the credentials for Windows 10 Automatic ReDeployment
- 1 - Disable visibility of the credentials for Windows 10 Automatic ReDeployment
- 0 - Enable the visibility of the credentials for Autopilot Reset
- 1 - Disable visibility of the credentials for Autopilot Reset
<!--/SupportedValues-->
<!--/Policy-->
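Review bot: The rewritten description line keeps the typo from the line it replaces: "the devices are for ready for use" should be "the devices are ready for use". Since the sentence is being edited anyway for the rename to Autopilot Reset, also fix "allows admin to reset" to "allows admins to reset", and make the two supported-value bullets parallel ("Enable the visibility" versus "Disable visibility").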

View File

@ -79,6 +79,9 @@ If you disable or do not configure this policy setting, the client computer will
No reboots or service restarts are required for this policy setting to take effect.
> [!Warning]
> This policy is designed for zero exhaust. This policy may cause some MDM processes to break because WNS notification is used by the MDM server to send real time tasks to the device, such as remote wipe, unenroll, remote find, and mandatory app installation. When this policy is set to disallow WNS, those real time processes will no longer work and some time-sensitive actions such as remote wipe when the device is stolen or unenrollment when the device is compromised will not work.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
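Review bot: The added alert uses "[!Warning]", while the other alerts in this change are upper case ([!NOTE], [!TIP], [!IMPORTANT]); use [!WARNING] so the block renders as an alert rather than a plain quote. The warning also relies on the term "zero exhaust" without defining it, and says twice that real-time processes stop working. Suggest one sentence that defines the term, followed by one sentence listing what breaks when WNS is disallowed (remote wipe, unenroll, remote find, mandatory app installation), because that list is the part an admin needs before setting this policy on devices that may be lost or stolen.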

View File

@ -23,6 +23,7 @@ New or changed topic | Description
--- | ---
[Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | Added note that Wi-Fi Sense is no longer available.
Topics about Windows 10 diagnostic data | Moved to [Windows Privacy](https://docs.microsoft.com/windows/privacy/).
[Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) | Added details of event log entries to check for when customization is not applied as expected.
## RELEASE: Windows 10, version 1803

View File

@ -10,7 +10,7 @@ author: jdeckerms
ms.author: jdecker
ms.topic: article
ms.localizationpriority: high
ms.date: 10/31/2017
ms.date: 05/24/2018
---
# Manage Windows 10 Start and taskbar layout
@ -109,6 +109,16 @@ The new taskbar layout for upgrades to Windows 10, version 1607 or later, will a
[Learn how to configure Windows 10 taskbar](configure-windows-10-taskbar.md).
## Start layout configuration errors
If your Start layout customization is not applied as expected, open **Event Viewer** and navigate to **Applications and Services Log** > **Microsoft** > **Windows** > **ShellCommon-StartLayoutPopulation** > **Operational**, and check for one of the following events:
- **Event 22** is logged when the xml is malformed, meaning the specified file simply isnt valid xml. This can occur if the file has extra spaces or unexpected characters, or if the file is not saved in the UTF8 format.
- **Event 64** is logged when the xml is valid, but has unexpected values. This can happen when the desired configuration is not understood or source is not found such as a missing or misspelled .lnk.
## Related topics
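Review bot: The Event Viewer path in the new section names the node "Applications and Services Log"; the node is "Applications and Services Logs", and readers will look for that exact string. In the Event 22 bullet, "isnt" has lost its apostrophe, "xml" should be "XML", and "UTF8" should be "UTF-8". For Event 64, "source is not found such as a missing or misspelled .lnk" would be clearer as "a referenced source is not found, such as a missing or misspelled .lnk file".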

View File

@ -15,8 +15,20 @@ author: greg-lindsay
This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with [Windows 10 Enterprise Subscription Activation](windows-10-enterprise-subscription-activation.md) or [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD).
>Note: Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later.<BR>
>[!NOTE]
>Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later.<BR>
>Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later.<BR>
>Automatic, non-KMS activation requires Windows 10, version 1803 or later on a device with a firmware-embedded activation key.<BR>
## Firmware-embedded activation key
To determine if the computer has a firmware-embedded activation key, type the following command at an elevated Windows PowerShell prompt
```
(Get-WmiObject -query select * from SoftwareLicensingService).OA3xOriginalProductKey
```
If the device has a firmware-embedded activation key, it will be displayed in the output. If the output is blank, the device does not have a firmware embedded activation key. Most OEM-provided devices designed to run Windows 8 or later will have a firmware-embedded key.
## Enabling Subscription Activation with an existing EA
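Review bot: The command in the new "Firmware-embedded activation key" section will not run as written, because the WQL text after -query is not quoted and PowerShell parses select, *, from and SoftwareLicensingService as separate arguments. It should be (Get-WmiObject -query 'select * from SoftwareLicensingService').OA3xOriginalProductKey. The sentence introducing it also needs a closing colon. Because the output is the device's product key in clear text, it is worth one line telling admins not to paste that output into tickets or logs.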
@ -82,7 +94,7 @@ The following methods are available to assign licenses:
## Explore the upgrade experience
Now that your subscription has been established and Windows 10 Enterprise E3 or E5 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro, version 1703 edition to Windows 10 Enterprise edition. So what will the users experience? How will they upgrade their devices?
Now that your subscription has been established and Windows 10 Enterprise E3 or E5 licenses have been assigned to users, the users are ready to upgrade their devices running Windows 10 Pro, (version 1703 or later) to Windows 10 Enterprise. What will the users experience? How will they upgrade their devices?
### Step 1: Join Windows 10 Pro devices to Azure AD
@ -135,15 +147,17 @@ Now the device is Azure AD joined to the companys subscription.
Now the device is Azure AD joined to the companys subscription.
### Step 2: Verify that Pro edition is activated
### Step 2: Pro edition activation
Windows 10 Pro must be successfully activated in **Settings &gt; Update & Security &gt; Activation**, as illustrated in **Figure 7a**.
>[!IMPORTANT]
>If the device is running Windows 10, version 1803 or later, this step is no longer necessary when there is a firmware-embedded activation key on the device. Starting with Windows 10, version 1803 the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key.<br>
>If the device is running Windows 10, version 1703 or 1709, then Windows 10 Pro must be successfully activated in **Settings &gt; Update & Security &gt; Activation**, as illustrated in **Figure 7a**.
<span id="win-10-pro-activated"/>
<img src="images/sa-pro-activation.png" alt="Windows 10 Pro activated" width="710" height="440" />
<BR>**Figure 7a - Windows 10 Pro activation in Settings** <BR>
Windows 10 Pro activation is required before Enterprise E3 or E5 can be enabled.
Windows 10 Pro activation is required before Enterprise E3 or E5 can be enabled (Windows 10, versions 1703 and 1709 only).
### Step 3: Sign in using Azure AD account
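Review bot: The new [!IMPORTANT] block in Step 2 covers version 1803 with a firmware-embedded key and versions 1703 and 1709, but says nothing about a device on version 1803 or later that has no firmware-embedded key. As worded, a reader with such a device cannot tell whether Pro must still be activated manually. Add a third sentence for that case. The closing line "(Windows 10, versions 1703 and 1709 only)" should be updated in the same way so the two statements agree.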
@ -176,7 +190,7 @@ Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscr
In some instances, users may experience problems with the Windows 10 Enterprise E3 or E5 subscription. The most common problems that users may experience are as follows:
- The existing Windows 10 Pro, version 1703 operating system is not activated.
- The existing Windows 10 Pro, version 1703 or 1709 operating system is not activated. This problem does not apply to Windows 10, version 1803 or later.
- The Windows 10 Enterprise E3 or E5 subscription has lapsed or has been removed.
@ -226,4 +240,4 @@ Devices must be running Windows 10 Pro, version 1703, and be Azure Active Direct
A popup window will display the Windows 10 version number and detailed OS build information.
If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal.
If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal.

View File

@ -25,7 +25,7 @@ ms.localizationpriority: high
See the following video for a detailed description and demonstration of MBR2GPT.
<iframe width="560" height="315" align="center" src="https://www.youtube.com/embed/hfJep4hmg9o" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" align="center" src="https://www.youtube-nocookie.com/embed/hfJep4hmg9o" frameborder="0" allowfullscreen></iframe>
You can use MBR2GPT to:

View File

@ -37,7 +37,7 @@ See the following topics in this guide for detailed information about configurin
Click the following link to see a video demonstrating Update Compliance features.
[![YouTube video demonstrating Update Compliance](images/UC-vid-crop.jpg)](https://www.youtube.com/embed/1cmF5c_R8I4)
[![YouTube video demonstrating Update Compliance](images/UC-vid-crop.jpg)](https://www.youtube-nocookie.com/embed/1cmF5c_R8I4)
## Update Compliance architecture

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
ms.date: 12/05/2017
ms.date: 05/17/2018
author: greg-lindsay
---
@ -23,15 +23,27 @@ Deployment instructions are provided for the following scenarios:
## Requirements
- VMs must be running Windows 10 Pro, version 1703 (also known as the Creator's Update) or later.
- VMs must be Active Directory-joined or Azure Active Directory-joined.
- VMs must be Active Directory-joined or Azure Active Directory (AAD)-joined.
- VMs must be generation 1.
- VMs must hosted by a [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) (QMTH).
## Activation
The underlying Windows 10 Pro license must be activated prior to Subscription Activation of Windows 10 Enterprise.
### Scenario 1
- The VM is running Windows 10, version 1803 or later.
- The VM is hosted in Azure or another [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) (QMTH).
When a user with VDA rights signs in to the VM using their AAD credentials, the VM is automatically stepped-up to Enterprise and activated. There is no need to perform Windows 10 Pro activation. This eliminates the need to maintain KMS or MAK in the qualifying cloud infrastructure.
Procedures in this topic provide a Windows 10 Pro Generic Volume License Key (GVLK). Activation with this key is accomplished using a Volume License KMS activation server provided by the QMTH. Alternatively, a KMS activation server on your corporate network can be used if you have configured a private connection, such as [ExpressRoute](https://azure.microsoft.com/services/expressroute/) or [VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/).
### Scenario 2
- The Hyper-V host and the VM are both running Windows 10, version 1803 or later.
[Inherited Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation#inherited-activation) is enabled. All VMs created by a user with a Windows 10 E3 or E5 license are automatically activated independent of whether a user signs in iwth a local account or using an Azure Active Directory account.
### Scenario 3
- The VM is running Windows 10, version 1703 or 1709, or the hoster is not an authorized [QMTH](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) partner.
In this scenario, the underlying Windows 10 Pro license must be activated prior to Subscription Activation of Windows 10 Enterprise. Activation is accomplished using a Windows 10 Pro Generic Volume License Key (GVLK) and a Volume License KMS activation server provided by the hoster. Alternatively, a KMS activation server on your corporate network can be used if you have configured a private connection, such as [ExpressRoute](https://azure.microsoft.com/services/expressroute/) or [VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/).
For examples of activation issues, see [Troubleshoot the user experience](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses#troubleshoot-the-user-experience).
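Review bot: The Requirements list still says VMs must be hosted by a Qualified Multitenant Hoster, while the new Scenario 3 explicitly covers the case where "the hoster is not an authorized QMTH partner". One of the two needs to change, otherwise Scenario 3 describes a configuration the Requirements section rules out. In Scenario 2, "iwth" should be "with", and the "Inherited Activation is enabled" sentence should either be a bullet (if it is a condition) or be separated from the bullets (if it is the outcome), as Scenarios 1 and 3 do. The requirement line also reads "VMs must hosted"; it is missing "be".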
@ -50,23 +62,26 @@ For examples of activation issues, see [Troubleshoot the user experience](https:
6. Follow the instructions to use sysprep at [Steps to generalize a VHD](https://docs.microsoft.com/azure/virtual-machines/windows/prepare-for-upload-vhd-image#steps-to-generalize-a-vhd) and then start the VM again.
7. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd).
8. Open Windows Configuration Designer and click **Provison desktop services**.
9. Under **Name**, type **Desktop AD Enrollment Pro GVLK**, click **Finish**, and then on the **Set up device** page enter a device name.
- Note: You can use a different project name, but this name is also used with dism.exe in a subsequent step.
10. Under **Enter product key** type the Pro GVLK key: **W269N-WFGWX-YVC9B-4J6C9-T83GX**.
11. On the Set up network page, choose **Off**.
12. On the Account Management page, choose **Enroll into Active Directory** and then enter the account details.
9. If you must activate Windows 10 Pro as described for [scenario 3](#scenario-3), complete the following steps. Otherwise, skip to step 10.
1. Under **Name**, type **Desktop AD Enrollment Pro GVLK**, click **Finish**, and then on the **Set up device** page enter a device name.
- Note: You can use a different project name, but this name is also used with dism.exe in a subsequent step.
2. Under **Enter product key** type the Pro GVLK key: **W269N-WFGWX-YVC9B-4J6C9-T83GX**.
10. On the Set up network page, choose **Off**.
11. On the Account Management page, choose **Enroll into Active Directory** and then enter the account details.
- Note: This step is different for [Azure AD-joined VMs](#azure-active-directory-joined-vms).
13. On the Add applications page, add applications if desired. This step is optional.
14. On the Add certificates page, add certificates if desired. This step is optional.
15. On the Finish page, click **Create**.
16. In file explorer, double-click the VHD to mount the disk image. Determine the drive letter of the mounted image.
17. Type the following at an elevated commnand prompt. Replace the letter **G** with the drive letter of the mounted image, and enter the project name you used if it is different than the one suggested:
12. On the Add applications page, add applications if desired. This step is optional.
13. On the Add certificates page, add certificates if desired. This step is optional.
14. On the Finish page, click **Create**.
15. If you must activate Windows 10 Pro as described for [scenario 3](#scenario-3), complete the following steps. Otherwise, skip to step 16.
1. In file explorer, double-click the VHD to mount the disk image. Determine the drive letter of the mounted image.
2. Type the following at an elevated commnand prompt. Replace the letter **G** with the drive letter of the mounted image, and enter the project name you used if it is different than the one suggested:
```
Dism.exe /Image=G:\ /Add-ProvisioningPackage /PackagePath: "Desktop AD Enrollment Pro GVLK.ppkg"
```
18. Right-click the mounted image in file explorer and click **Eject**.
19. See instructions at [Upload and create VM from generalized VHD](https://docs.microsoft.com/azure/virtual-machines/windows/upload-generalized-managed#log-in-to-azure) to log in to Azure, get your storage account details, upload the VHD, and create a managed image.
3. Right-click the mounted image in file explorer and click **Eject**.
1. See instructions at [Upload and create VM from generalized VHD](https://docs.microsoft.com/azure/virtual-machines/windows/upload-generalized-managed#log-in-to-azure) to log in to Azure, get your storage account details, upload the VHD, and create a managed image.
## Azure Active Directory-joined VMs
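Review bot: Making step 9 conditional on scenario 3 also makes naming the project and entering a device name conditional, since both are inside sub-step 1. A reader who skips to step 10 never names the project, yet later text still refers to "the project name you entered in step 9". Move the naming out of the conditional step, as the Azure Gallery VMs procedure does with a separate naming step, and keep only the product key entry conditional. In the Dism.exe line, /PackagePath: is followed by a space before the quoted path; DISM options take the value directly after the colon, so remove the space. The final step is numbered "1." while step 15 says "skip to step 16"; number it 16 so the cross-reference holds in the source as well as in the rendered list.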
@ -75,8 +90,8 @@ For examples of activation issues, see [Troubleshoot the user experience](https:
For Azure AD-joined VMs, follow the same instructions (above) as for [Active Directory-joined VMs](#active-directory-joined-vms) with the following exceptions:
- In step 9, during setup with Windows Configuration Designer, under **Name**, type a name for the project that indicates it is not for Active Directory joined VMs, such as **Desktop Bulk Enrollment Token Pro GVLK**.
- In step 12, during setup with Windows Configuration Designer, on the Account Management page, instead of enrolling in Active Directory, choose **Enroll in Azure AD**, click **Get Bulk Token**, sign in and add the bulk token using your organization's credentials.
- In step 17, when entering the PackagePath, use the project name you entered in step 9 (ex: **Desktop Bulk Enrollment Token Pro GVLK.ppkg**)
- In step 11, during setup with Windows Configuration Designer, on the Account Management page, instead of enrolling in Active Directory, choose **Enroll in Azure AD**, click **Get Bulk Token**, sign in and add the bulk token using your organization's credentials.
- In step 15, sub-step 2, when entering the PackagePath, use the project name you entered in step 9 (ex: **Desktop Bulk Enrollment Token Pro GVLK.ppkg**)
- When attempting to access the VM using remote desktop, you will need to create a custom RDP settings file as described below in [Create custom RDP settings for Azure](#create-custom-rpd-settings-for-azure).
## Azure Gallery VMs
@ -92,9 +107,10 @@ For Azure AD-joined VMs, follow the same instructions (above) as for [Active Dir
4. Click **Add**, type **Authenticated users**, and then click **OK** three times.
5. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd).
6. Open Windows Configuration Designer and click **Provison desktop services**.
7. Under **Name**, type **Desktop Bulk Enrollment Token Pro GVLK**, click **Finish**, and then on the **Set up device** page enter a device name.
- Note: You can use a different project name, but this name is also used with dism.exe in a subsequent step.
8. Under **Enter product key** type the Pro GVLK key: **W269N-WFGWX-YVC9B-4J6C9-T83GX**.
7. If you must activate Windows 10 Pro as described for [scenario 3](#scenario-3), complete the following steps. Otherwise, skip to step 8.
1. Under **Name**, type **Desktop Bulk Enrollment Token Pro GVLK**, click **Finish**, and then on the **Set up device** page enter a device name.
2. Under **Enter product key** type the Pro GVLK key: **W269N-WFGWX-YVC9B-4J6C9-T83GX**.
8. Under **Name**, type **Desktop Bulk Enrollment**, click **Finish**, and then on the **Set up device** page enter a device name.
9. On the Set up network page, choose **Off**.
10. On the Account Management page, choose **Enroll in Azure AD**, click **Get Bulk Token**, sign in, and add the bulk token using your organizations credentials.
11. On the Add applications page, add applications if desired. This step is optional.
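Review bot: In the Azure Gallery VMs procedure, a scenario 3 reader is told in step 7 sub-step 1 to name the project "Desktop Bulk Enrollment Token Pro GVLK", click Finish and enter a device name, and is then told in step 8 to name it "Desktop Bulk Enrollment", click Finish and enter a device name again. Only one of these can apply. Either make step 8 the single naming step for everyone and reduce step 7 to entering the GVLK, or state in step 8 that it applies only when step 7 was skipped. The note that the project name is reused with dism.exe was also dropped from this procedure; restore it if a later step still depends on the name.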

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
ms.date: 10/20/2017
ms.date: 05/23/2018
author: greg-lindsay
---
@ -54,6 +54,7 @@ The following figure illustrates how deploying Windows 10 has evolved with each
- **Windows 10 1607** made a big leap forward. Now you can just change the product key and the SKU instantly changes from Windows 10 Pro to Windows 10 Enterprise.  In addition to provisioning packages and MDM, you can just inject a key using SLMGR.VBS (which injects the key into WMI), so it became trivial to do this using a command line.<br>
- **Windows 10 1703** made this “step-up” from Windows 10 Pro to Windows 10 Enterprise automatic for those that subscribed to Windows 10 Enterprise E3 or E5 via the CSP program.<br>
- **Windows 10 1709** adds support for Windows 10 Subscription Activation, very similar to the CSP support but for large enterprises, enabling the use of Azure AD for assigning licenses to users. When those users sign in on an AD or Azure AD-joined machine, it automatically steps up from Windows 10 Pro to Windows 10 Enterprise.
- **Windows 10 1803** updates Windows 10 Subscription Activation to enable pulling activation keys directly from firmware for devices that support firmware-embedded keys. It is no longer necessary to run a script to perform the activation step on Windows 10 Pro prior to activating Enterprise. For virtual machines and hosts running Windows 10, version 1803 [Inherited Activation](#inherited-activation) is also enabled.
## Requirements
@ -85,21 +86,24 @@ You can benefit by moving to Windows as an online service in the following ways:
When a licensed user signs in to a device that meets requirements using the Azure AD credentials associated with a Windows 10 Enterprise E3 or E5 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise and all the appropriate Windows 10 Enterprise features are unlocked. When a users subscription expires or is transferred to another user, the Windows 10 Enterprise device reverts seamlessly to Windows 10 Pro edition, after a grace period of up to 90 days.
Devices currently running Windows 10 Pro, version 1703 can get Windows 10 Enterprise Semi-Annual Channel on up to five devices for each user covered by the license. This benefit does not include Long Term Servicing Channel.
Devices currently running Windows 10 Pro, version 1703 or later can get Windows 10 Enterprise Semi-Annual Channel on up to five devices for each user covered by the license. This benefit does not include Long Term Servicing Channel.
### Scenarios
**Scenario #1**:  Using KMS for activation, just purchased Windows 10 Enterprise E3 or E5 subscriptions (or for some reason have had an E3 or E5 subscription for a while but havent yet deployed Windows 10 Enterprise), and you are using Windows 10 1607 or above.
**Scenario #1**:  You are using Windows 10 1803 or above, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but havent yet deployed Windows 10 Enterprise).
All you need to do to change all of your Windows 10 Pro devices to Windows 10 Enterprise is to run this command on each computer:
All of your Windows 10 Pro devices will step-up to Windows 10 Enterprise, and devices that are already running Windows 10 Enterprise will migrate from KMS or MAK activated Enterprise edition to Subscription activated Enterprise edition when a Subscription Activation-enabled user signs in to the device.
**Scenario #2**:  You are using Windows 10, version 1607, 1703, or 1709 with KMS for activation, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but havent yet deployed Windows 10 Enterprise).
To change all of your Windows 10 Pro devices to Windows 10 Enterprise, run the following command on each computer:
<pre style="overflow-y: visible">
cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43
</pre>
cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43</pre>
This key comes from [Appendix A: KMS Client Setup Keys](https://technet.microsoft.com/library/jj612867.aspx) in the Volume Activation guide.  The command causes the OS to change to Windows 10 Enterprise and then seek out the KMS server to reactivate.  It is also possible to inject the Windows 10 Pro key from this article if you wish to step back down from Enterprise to Pro.
The command causes the OS to change to Windows 10 Enterprise and then seek out the KMS server to reactivate.  This key comes from [Appendix A: KMS Client Setup Keys](https://technet.microsoft.com/library/jj612867.aspx) in the Volume Activation guide.  It is also possible to inject the Windows 10 Pro key from this article if you wish to step back down from Enterprise to Pro.
**Scenario #2**:  Using Azure AD-joined devices or Active Directory-joined devices running Windows 10 1709 or later, and with Azure AD synchronization configured, just follow the steps in [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md) to acquire a $0 SKU and get a new Windows 10 Enterprise E3 or E5 license in Azure AD. Then, assign that license to all of your Azure AD users. These can be AD-synced accounts.  The device will automatically change from Windows 10 Pro to Windows 10 Enterprise when that user signs in.
**Scenario #3**:  Using Azure AD-joined devices or Active Directory-joined devices running Windows 10 1709 or later, and with Azure AD synchronization configured, just follow the steps in [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md) to acquire a $0 SKU and get a new Windows 10 Enterprise E3 or E5 license in Azure AD. Then, assign that license to all of your Azure AD users. These can be AD-synced accounts.  The device will automatically change from Windows 10 Pro to Windows 10 Enterprise when that user signs in.
In summary, if you have a Windows 10 Enterprise E3 or E5 subscription, but are still running Windows 10 Pro, its really simple (and quick) to move to Windows 10 Enterprise using one of the scenarios above.
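Review bot: The slmgr.vbs /ipk step in the KMS scenario says only "run the following command on each computer" and does not say the prompt must be elevated, while the script step further down this file does say "from an elevated command prompt"; state the elevation requirement here as well. In the paragraph after the command, "the Windows 10 Pro key from this article" is ambiguous between this page and the linked Appendix A, so name the appendix explicitly. The renumbering of the Azure AD scenario to #3 is right, since the KMS scenario already uses #2.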
@ -122,7 +126,9 @@ When you have the required Azure AD subscription, group-based licensing is the p
### Existing Enterprise deployments
If you have already deployed Windows 10 Enterprise, but you want to move away from depending on KMS servers and MAK keys for Windows client machines, you are able to seamlessly transition as long as the computer has been activated with a firmware-embedded Windows 10 Pro product key.
If you are running Windows 10, version 1803 or later, Subscription Activation will automatically pull the firmware-embedded Windows 10 activation key and activate the underlying Pro License. The license will then step-up to Windows 10 Enterprise using Subscription Activation. This automatically migrates your devices from KMS or MAK activated Enterprise to Subscription activated Enterprise.
If you are using Windows 10, version 1607, 1703, or 1709 and have already deployed Windows 10 Enterprise, but you want to move away from depending on KMS servers and MAK keys for Windows client machines, you can seamlessly transition as long as the computer has been activated with a firmware-embedded Windows 10 Pro product key.
If the computer has never been activated with a Pro key, run the following script. Copy the text below into a .cmd file and run the file from an elevated command prompt:
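Review bot: The two new paragraphs under "Existing Enterprise deployments" name the same thing differently: the 1803 paragraph says "firmware-embedded Windows 10 activation key" and the 1607/1703/1709 paragraph says "firmware-embedded Windows 10 Pro product key". Use one term. With the version split, the unchanged sentence "If the computer has never been activated with a Pro key, run the following script" no longer says which versions it applies to; say whether the script is still needed on version 1803 or later, where the key is described as being pulled automatically.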

View File

@ -1,7 +1,7 @@
---
title: Windows 10 Pro in S mode
description: Overview of Windows 10 Pro in S mode, switching options, and system requirements
keywords: Windows 10 S, S-mode, system requirements, Overview, Windows 10 Pro in S mode, Windows 10 Pro in S mode
keywords: S mode Switch, Switch in S mode, s mode switch, Windows 10 S, S-mode, system requirements, Overview, Windows 10 Pro in S mode, Windows 10 Pro in S mode
ms.mktglfcycl: deploy
ms.localizationpriority: high
ms.prod: w10
@ -42,8 +42,8 @@ Worried about your LOB apps not working in S mode? Using Desktop Bridge will ena
[Explore Desktop Bridge](https://docs.microsoft.com/en-us/windows/uwp/porting/desktop-to-uwp-root)
>[!NOTE]
>The only way to revert to Windows 10 in S mode is to perform a BMR factory reset. This will allow you to reimage a device.
> [!IMPORTANT]
> While its free to switch to Windows 10 Pro, its not reversible. The only way to rollback this kind of switch is through a [bare metal recover (BMR)](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset.
### Windows 10 in S mode is safe, secure, and fast.
We recommend staying in S mode. However, in some limited scenarios, you might need to switch to Windows 10 Pro. You can switch devices running Windows 10, version 1709 or later. Use the following information to switch to Windows 10 Pro through the Microsoft Store.
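Review bot: The new [!IMPORTANT] block reads as contradicting itself: it says the only way to roll back the switch is a BMR reset, and then that a device switched via the Microsoft Store "will remain out of S mode even after the device is reset". Distinguish the two kinds of reset (bare metal recovery versus an ordinary device reset) so the reader knows which one restores S mode. Also, "bare metal recover (BMR)" should read "bare metal recovery (BMR)", and the verb is "roll back", not "rollback".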
@ -56,8 +56,6 @@ If youre running Windows 10, version 1709 or version 1803, you can switch to
3. In the offer, click **Buy**, **Get**, OR **Learn more.**
You'll be prompted to save your files before the switch starts. Follow the prompts to switch to Windows 10 Pro.
> [!IMPORTANT]
> While its free to switch to Windows 10 Pro, its not reversible. The only way to rollback this kind of switch is through a BMR factory reset.
## Related topics

View File

@ -21,7 +21,7 @@ ms.date: 05/09/18
In this topic you'll learn how to set-up a Windows Autopilot deployment for a Virtual Machine using Hyper-V. Watch the following video to see an overview of the process:
</br>
<iframe width="560" height="315" src="https://www.youtube.com/embed/KYVptkpsOqs" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe>
<iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/KYVptkpsOqs" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe>
## Prerequisites

View File

@ -24,7 +24,7 @@ This solution enables an IT department to achieve the above with little to no in
The following video shows the process of setting up Autopilot:
</br>
<iframe width="560" height="315" src="https://www.youtube.com/embed/KYVptkpsOqs" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe>
<iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/KYVptkpsOqs" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe>
## Benefits of Windows Autopilot
@ -70,7 +70,7 @@ Multiple additional settings are skipped here, since the device automatically re
MDM enrollment ensures policies are applied, apps are installed and setting are configured on the device. Windows Update for Business applies the latest updates to ensure the device is up to date.
</br>
<iframe width="560" height="315" align="center" src="https://www.youtube.com/embed/4K4hC5NchbE" frameborder="0" allowfullscreen></iframe>
<iframe width="560" height="315" align="center" src="https://www.youtube-nocookie.com/embed/4K4hC5NchbE" frameborder="0" allowfullscreen></iframe>
#### Device registration and OOBE customization
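Review bot: The updated iframe for 4K4hC5NchbE keeps the obsolete align="center" attribute and has no allow attribute, unlike the two KYVptkpsOqs embeds changed in this commit, which carry allow="autoplay; encrypted-media"; make the three embeds consistent. The context line above it reads "setting are configured" and could be corrected to "settings" in the same pass.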

View File

@ -4,14 +4,14 @@
## [Windows 10 personal data services configuration](windows-personal-data-services-configuration.md)
## [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
## [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md)
## Basic level diagnostics events and fields
## Basic level Windows diagnostic data events and fields
### [Windows 10, version 1803 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md)
### [Windows 10, version 1709 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md)
### [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md)
## Enhanced level diagnostics events and fields
## Enhanced level Windows diagnostic data events and fields
### [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md)
## Full level diagnostics events and fields
### [Windows 10, version 1709 and later diagnostic data for the Full level](windows-diagnostic-data.md)
## Full level categories
### [Windows 10, version 1709 and newer diagnostic data for the Full level](windows-diagnostic-data.md)
### [Windows 10, version 1703 diagnostic data for the Full level](windows-diagnostic-data-1703.md)
## [Manage Windows 10 connection endpoints](manage-windows-endpoints.md)
## [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
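Review bot: The renamed parent headings say "Windows diagnostic data events and fields", but the child links under the Basic level heading still read "basic level Windows diagnostic events and fields", without "data"; align the link titles with the new heading. The 1709 Full level entry changes "and later" to "and newer", which departs from the "or later" wording used for version ranges elsewhere in this commit.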

View File

@ -860,7 +860,7 @@ The following fields are available:
- **Programids** The unique program identifier the driver is associated with.
## Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync
### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync
This event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent.

View File

@ -32,7 +32,7 @@ To frame a discussion about diagnostic data, it is important to understand Micro
This article applies to Windows and Windows Server diagnostic data only. Other Microsoft or third-party apps, such as System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager, might send data to their cloud services in ways that are inconsistent with this guide. Their publishers are responsible for notifying users of their privacy policies, diagnostic data controls, and so on. This article describes the types of diagnostic data we may gather, the ways you might manage it in your organization, and some examples of how diagnostic data can provide you with valuable insights into your enterprise deployments. Microsoft uses the data to quickly identify and address issues affecting its customers.
Use this article to make informed decisions about how you might configure diagnostic data in your organization. Diagnostic data is a term that means different things to different people and organizations. For this article, we discuss diagnostic data as system data that is uploaded by the Connected User Experiences and Telemetry component. The diagnostic data data is used to help keep Windows devices secure by identifying malware trends and other threats and to help Microsoft improve the quality of Windows and Microsoft services.
Use this article to make informed decisions about how you might configure diagnostic data in your organization. Diagnostic data is a term that means different things to different people and organizations. For this article, we discuss diagnostic data as system data that is uploaded by the Connected User Experiences and Telemetry component. The diagnostic data is used to help keep Windows devices secure by identifying malware trends and other threats and to help Microsoft improve the quality of Windows and Microsoft services.
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
@ -95,7 +95,7 @@ Windows diagnostic data also helps Microsoft better understand how customers use
- **Cortana.** We use diagnostic data to monitor the scalability of our cloud service, improving search performance.
- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between applications. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later diagnostic data showed significantly higher usage of this feature.
**These examples show how the use of diagnostic data data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.**
**These examples show how the use of diagnostic data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.**
### Insights into your own organization
@ -122,7 +122,7 @@ Use Upgrade Readiness to get:
The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
## How is diagnostic data data handled by Microsoft?
## How is diagnostic data handled by Microsoft?
### Data collection
@ -131,13 +131,13 @@ Windows 10 and Windows Server 2016 includes the Connected User Experiences and T
1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces.
2. Events are gathered using public operating system event logging and tracing APIs.
3. You can configure the diagnostic data level by using MDM policy, Group Policy, or registry settings.
4. The Connected User Experiences and Telemetry component transmits the diagnostic data data.
4. The Connected User Experiences and Telemetry component transmits the diagnostic data.
Info collected at the Enhanced and Full levels of diagnostic data is typically gathered at a fractional sampling rate, which can be as low as 1% of devices reporting data at those levels.
### Data transmission
All diagnostic data data is encrypted using SSL and uses certificate pinning during transfer from the device to the Microsoft Data Management Service. With Windows 10, data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as Windows Defender Advanced Threat Protection, are always sent immediately. Normal events are not uploaded on metered networks, unless you are on a metered server connection. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks.
All diagnostic data is encrypted using SSL and uses certificate pinning during transfer from the device to the Microsoft Data Management Service. With Windows 10, data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as Windows Defender Advanced Threat Protection, are always sent immediately. Normal events are not uploaded on metered networks, unless you are on a metered server connection. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks.
The data transmitted at the Basic and Enhanced data diagnostic levels is quite small; typically less than 1 MB per device per day, but occasionally up to 2 MB per device per day).
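Review bot: The data transmission paragraph still says diagnostic data "is encrypted using SSL"; if the transport is TLS, say TLS, since the sentence is being edited anyway. The unchanged line that follows has an unmatched closing parenthesis after "up to 2 MB per device per day" and can be fixed in the same pass.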
@ -163,7 +163,7 @@ The following table defines the endpoints for other diagnostic data services:
### Data use and access
The principle of least privileged access guides access to diagnostic data data. Microsoft does not share personal data of our customers with third parties, except at the customers discretion or for the limited purposes described in the [Privacy Statement](https://privacy.microsoft.com/privacystatement). Microsoft may share business reports with OEMs and third-party partners that include aggregated and anonymized diagnostic data information. Data-sharing decisions are made by an internal team including privacy, legal, and data management.
The principle of least privileged access guides access to diagnostic data. Microsoft does not share personal data of our customers with third parties, except at the customers discretion or for the limited purposes described in the [Privacy Statement](https://privacy.microsoft.com/privacystatement). Microsoft may share business reports with OEMs and third-party partners that include aggregated and anonymized diagnostic data information. Data-sharing decisions are made by an internal team including privacy, legal, and data management.
### Retention
@ -172,7 +172,7 @@ Microsoft believes in and practices information minimization. We strive to gathe
## Diagnostic data levels
This section explains the different diagnostic data levels in Windows 10, Windows Server 2016, and System Center. These levels are available on all desktop and mobile editions of Windows 10, except for the **Security** level, which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016.
The diagnostic data data is categorized into four levels:
The diagnostic data is categorized into four levels:
- **Security**. Information thats required to help keep Windows, Windows Server, and System Center secure, including data about the Connected User Experiences and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
@ -193,7 +193,7 @@ The Security level gathers only the diagnostic data info that is required to kee
> [!NOTE]
> If your organization relies on Windows Update for updates, you shouldnt use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates.
Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is diagnostic data data about Windows Server features or System Center gathered.
Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is diagnostic data about Windows Server features or System Center gathered.
The data gathered at this level includes:
@ -217,7 +217,7 @@ No user content, such as user files or communications, is gathered at the **Secu
### Basic level
The Basic level gathers a limited set of data thats critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a specific hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a specific driver version. The Connected User Experiences and Telemetry component does not gather diagnostic data data about System Center, but it can transmit diagnostic data for other non-Windows applications if they have user consent.
The Basic level gathers a limited set of data thats critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a specific hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a specific driver version. The Connected User Experiences and Telemetry component does not gather diagnostic data about System Center, but it can transmit diagnostic data for other non-Windows applications if they have user consent.
The normal upload range for the Basic diagnostic data level is between 109 KB - 159 KB per day, per device.
@ -327,7 +327,7 @@ However, before more data is gathered, Microsofts privacy governance team, in
## Enterprise management
Sharing diagnostic data data with Microsoft provides many benefits to enterprises, so we do not recommend turning it off. For most enterprise customers, simply adjusting the diagnostic data level and managing specific components is the best option.
Sharing diagnostic data with Microsoft provides many benefits to enterprises, so we do not recommend turning it off. For most enterprise customers, simply adjusting the diagnostic data level and managing specific components is the best option.
Customers can set the diagnostic data level in both the user interface and with existing management tools. Users can change the diagnostic data level in the **Diagnostic data** setting. In the **Settings** app, it is in **Privacy\Feedback & diagnostics**. They can choose between Basic and Full. The Enhanced level will only be displayed as an option when Group Policy or Mobile Device Management (MDM) are invoked with this level. The Security level is not available.

View File

@ -22,6 +22,7 @@ ms.date: 01/17/2018
The Diagnostic Data Viewer is a Windows app that lets you review the diagnostic data your device is sending to Microsoft, grouping the info into simple categories based on how it's used by Microsoft.
## Install and Use the Diagnostic Data Viewer
You must turn on data viewing and download the app before you can use the Diagnostic Data Viewer to review your device's diagnostic data.
### Turn on data viewing
@ -69,9 +70,9 @@ The Diagnostic Data Viewer provides you with the following features to view and
Selecting a check box lets you filter between the diagnostic event categories.
- **Help to make your Windows experience better.** Microsoft only needs diagnostic data from a small amount of devices to make big improvements to the Windows operating system and ultimately, your experience. If youre a part of this small device group and you experience issues, Microsoft will collect the associated event diagnostic data, allowing your info to potentially help fix the issue for others.
- **Help to make your Windows experience better.** Microsoft samples diagnostic data from a small amount of devices to make big improvements to the Windows operating system and ultimately, your experience. If youre a part of this small device group and you experience issues, Microsoft will collect the associated event diagnostic data, allowing your info to potentially help fix the issue for others.
To signify your contribution, youll see this icon (![Icon to review the device-level sampling](images/ddv-device-sample.png)) if your device is part of the group. In addition, if any of your diagnostic data events are sent from your device to Microsoft to help make improvements, youll see this icon (![Icon to review the event-level sampling](images/ddv-event-sample.png)).
To signify your contribution, youll see this icon (![Icon to review the device-level sampling](images/ddv-device-sample.png)) if your device is part of the sampling group. In addition, if any of your diagnostic data events are sent from your device to Microsoft to help make improvements, youll see this icon (![Icon to review the event-level sampling](images/ddv-event-sample.png)).
- **Provide diagnostic event feedback.** The **Feedback** icon opens the Feedback Hub app, letting you provide feedback about the Diagnostic Data Viewer and the diagnostic events.
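Review bot: In the reworded bullet, "a small amount of devices" should be "a small number of devices", and the bullet still says "this small device group" while the following paragraph now says "the sampling group"; use "sampling group" in both places so the reader sees they refer to the same set of devices.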

View File

@ -46,7 +46,7 @@ The following fields are available:
- **LicenseType:** Reserved for future use
- **ProcessDurationMS_Sum:** Total duration of wall clock process instances
- **ReadCountAtExit_Sum:** Total IO reads for a process when it exited
- **ReadSizeInKBAtExit_Sum:**Total IO read size for a process when it exited
- **ReadSizeInKBAtExit_Sum:** Total IO read size for a process when it exited
- **ResumeCount:** Number of times a process instance has resumed
- **RunningDurationMS_Sum:** Total uptime
- **SuspendCount:** Number of times a process instance was suspended

View File

@ -32,7 +32,7 @@ sections:
- type: markdown
text: Get ready for General Data Protection Regulation (GDPR) by viewing and configuring diagnostics data in your organization.
text: Get ready for General Data Protection Regulation (GDPR) by viewing and configuring Windows diagnostic data in your organization.
- items:
@ -68,21 +68,21 @@ sections:
- href: \windows\privacy\diagnostic-data-viewer-overview
html: <p>Review the diagnostic data sent to Microsoft by device in your organization</p>
html: <p>Review the Windows diagnostic data sent to Microsoft by device in your organization</p>
image:
src: https://docs.microsoft.com/media/common/i_investigate.svg
title: View diagnostic data
title: View Windows diagnostic data
- title: Understand Diagnostic Data in Windows 10
- title: Understand Windows diagnostic data in Windows 10
items:
- type: paragraph
text: 'For the latest Windows 10 version, Learn more about what Windows Diagnostic Data is gathered at various diagnostics levels.'
text: 'For the latest Windows 10 version, learn more about what Windows diagnostic data is collected at various diagnostics levels.'
- type: list
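Review bot: The new paragraph text still ends with "at various diagnostics levels" while the rest of this commit standardizes on "diagnostic data"; change it to "diagnostic data levels". The new title "Understand Windows diagnostic data in Windows 10" repeats "Windows" and could be shortened to "Understand Windows 10 diagnostic data". In the first changed html line of this hunk, "by device in your organization" should read "by devices in your organization".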
@ -96,7 +96,7 @@ sections:
- href: \windows\privacy\basic-level-windows-diagnostic-events-and-fields
html: <p>Learn more about basic diagnostics events and fields collected</p>
html: <p>Learn more about basic Windows diagnostic data events and fields collected</p>
image:
@ -106,7 +106,7 @@ sections:
- href: \windows\privacy\enhanced-diagnostic-data-windows-analytics-events-and-fields
html: <p>Learn more about diagnostics events and fields used by Windows Analytics</p>
html: <p>Learn more about Windows diagnostic data events and fields used by Windows Analytics</p>
image:
@ -116,13 +116,13 @@ sections:
- href: \windows\privacy\windows-diagnostic-data
html: <p>Learn more about all diagnostics data collected</p>
html: <p>Learn more about all Windows diagnostic data collected</p>
image:
src: https://docs.microsoft.com/media/common/i_get-started.svg
title: Full level events and fields
title: Full level data categories
- items:
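Review bot: The tile title becomes "Full level data categories" here, while the TOC hunk in this commit names the same section "Full level categories"; pick one label so the landing page and the TOC match.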
@ -136,7 +136,7 @@ sections:
- title: View and manage Windows 10 connection endpoints
html: <p><a class="barLink" href="/windows/privacy/manage-windows-endpoints-version-1709">Manage Windows 10 connection endpoints</a></p>
html: <p><a class="barLink" href="/windows/privacy/manage-windows-endpoints">Manage Windows 10 connection endpoints</a></p>
<p><a class="barLink" href="/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services">Manage connections from Windows to Microsoft services</a></p>
@ -144,5 +144,7 @@ sections:
html: <p><a class="barLink" href="https://www.microsoft.com/en-us/trustcenter/cloudservices/windows10">Windows 10 on Trust Center</a></p>
<p><a class="barLink" href="https://docs.microsoft.com/en-us/microsoft-365/compliance/gdpr">GDPR on Microsoft365 Compliance solutions</a></p>
<p><a class="barLink" href="https://docs.microsoft.com/en-us/microsoft-365/compliance/gdpr">GDPR on Microsoft 365 Compliance solutions</a></p>
<p><a class="barLink" href="https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted">Support for GDPR Accountability on Service Trust Portal</a></p>

View File

@ -256,6 +256,7 @@ This table provides the ISO/IEC 19944:2017-specific definitions for use and de-i
|<a name="#promote">Promote</a>|9.3.6 Market/advertise/promote|Use of the specified data categories to promote a product or service in or on a first-party Microsoft product or service.|
<br><br>
|Data identification qualifiers |ISO/IEC 19944:2017 Reference |Microsoft usage notes |
|-|-|-|
|<a name="#pseudo">Pseudonymized Data</a> |8.3.3 Pseudonymized data|As defined|

View File

@ -87,7 +87,11 @@ Yes. However, shadow copies made prior to enabling BitLocker will be automatical
## Does BitLocker support virtual hard disks (VHDs)?
BitLocker is not supported on bootable VHDs, but BitLocker is supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2.
BitLocker should work like any specific physical machine within its hardware limitations as long as the environment (physical or virtual) meets Windows Operating System requirements to run.
- With TPM - Yes it is supported
- Without TPM - Yes it is supported (with password ) protector
BitLocker is also supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2.
## Can I use BitLocker with virtual machines (VMs)?
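Review bot: The rewritten answer drops the earlier statement that BitLocker is not supported on bootable VHDs without saying whether that is now supported, and the replacement sentence ("should work like any specific physical machine within its hardware limitations") describes machines rather than virtual hard disks, which overlaps with the next question about VMs. State the bootable VHD position explicitly. In the bullets, "(with password ) protector" has the parenthesis misplaced and should read "(with a password protector)".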

View File

@ -7,7 +7,7 @@ ms.sitesec: library
ms.pagetype: security
author: eross-msft
ms.localizationpriority: medium
ms.date: 10/16/2017
ms.date: 05/09/2018
---
# Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune
@ -17,99 +17,74 @@ ms.date: 10/16/2017
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later (except Microsoft Azure Rights Management, which is only available on the desktop)
Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network.
Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
>[!Important]
>This topic covers creating a Windows Information Protection (WIP) policy for organizations already managing devices by using Mobile Device Management (MDM) solutions. If your organization uses a mobile application management (MAM) solution to deploy your WIP policy to Intune apps without managing devices, you must follow the instructions in the [Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](create-wip-policy-using-mam-intune-azure.md) topic.
>This topic covers creating a Windows Information Protection (WIP) policy for organizations already managing devices by using Mobile Device Management (MDM) solutions. If your organization uses a mobile application management (MAM) solution to deploy your WIP policy to Intune apps without managing devices, you must follow the instructions in the [Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](create-wip-policy-using-mam-intune-azure.md) topic.
>If the same user and device are targeted for both MDM policy and MAM-only (without device enrollment) policy, the MDM policy will be applied to devices joined to Azure AD. For personal devices that are workplace-joined, the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**.
>Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access.
## Add a WIP policy
After youve set up Intune for your organization, you must create a WIP-specific policy.
Follow these steps to add a WIP policy using Intune.
**To add a WIP policy**
1. Open the Microsoft Intune mobile application management console, click **All settings**, and then click **App policy**.
1. Open Microsoft Intune and click **Mobile apps**.
![Microsoft Intune management console: App policy link](images/wip-azure-portal-start.png)
![Open Mobile apps](images/open-mobile-apps.png)
2. In the **App policy** screen, click **Add a policy**, and then fill out the fields:
2. In **Mobile apps**, click **App protection policies**.
![App protection policies](images/app-protection-policies.png)
3. In the **App policy** screen, click **Add a policy**, and then fill out the fields:
- **Name.** Type a name (required) for your new policy.
- **Description.** Type an optional description.
- **Platform.** Choose **Windows 10** as the supported platform for your policy.
- **Platform.** Choose **Windows 10**.
- **Enrollment state.** Choose **With enrollment** as the enrollment state for your policy.
- **Enrollment state.** Choose **With enrollment**.
![Microsoft Intune management console: Create your new policy in the Add a policy blade](images/wip-azure-portal-add-policy.png)
![Add a mobile app policy](images/add-a-mobile-app-policy.png)
>[!Important]
>Choosing **With enrollment** only applies for organizations using MDM. If you're using MAM, you must use these instructions, [Create and deploy Windows Information Protection (WIP) app protection policy with Intune](https://docs.microsoft.com/en-us/intune/deploy-use/create-windows-information-protection-policy-with-intune), instead.
>Choosing **With enrollment** only applies for organizations using MDM. If you're using MAM only (without device enrollment), you must use these instructions instead: [Create and deploy Windows Information Protection (WIP) app protection policy with Intune](https://docs.microsoft.com/en-us/intune/deploy-use/create-windows-information-protection-policy-with-intune).
3. Click **Create**.
4. Click **Protected apps** and then click **Add apps**.
![Add protected apps](images/add-protected-apps.png)
You can add these types of apps:
- [Recommended apps](#add-recommended-apps)
- [Store apps](#add-store-apps)
- [Desktop apps](#add-desktop-apps)
The policy is created and appears in the table on the **App Policy** screen.
### Add recommended apps
>[!NOTE]
>Optionally, you can also add your apps and set your settings from the **Add a policy** blade, but for the purposes of this documentation, we recommend instead that you create the policy first, and then use the subsequent menus that become available.
## Add apps to your Allowed apps list
During the policy-creation process in Intune, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
The steps to add your apps are based on the type of template being applied. You can add a recommended app, a store app (also known as a Universal Windows Platform (UWP) app), or a signed Windows desktop app.
>[!Important]
>Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.<br><br>Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **Allowed apps** list. If you dont get this statement, its possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
### Add a Recommended app to your Allowed apps list
For this example, were going to add Microsoft Edge, a recommended app, to the **Allowed apps** list.
**To add a recommended app**
1. From the **App policy** blade, click the name of your policy, and then click **Allowed apps** from the menu that appears.
To add **Recommended apps**, select each app you want to access your enterprise data, and then click **OK**.
The **Allowed apps** blade appears, showing you any apps that are already included in the list for this policy.
The **Protected apps** blade updates to show you your selected apps.
![Microsoft Intune management console: Viewing the recommended apps that you can add to your policy](images/wip-azure-allowed-apps-pane.png)
![Microsoft Intune management console: Recommended apps](images/wip-azure-allowed-apps-with-apps.png)
2. From the **Allowed apps** blade, click **Add apps**.
The **Add apps** blade appears, showing you all **Recommended apps**.
### Add Store apps
![Microsoft Intune management console: Adding recommended apps to your policy](images/wip-azure-add-recommended-apps.png)
To add **Store apps**, type the app product name and publisher and click **OK**. For example, to add the Power BI Mobile App from the Store, type the following:
3. Select each app you want to access your enterprise data, and then click **OK**.
The **Allowed apps** blade updates to show you your selected apps.
- **Name**: Microsoft Power BI
- **Publisher**: `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
- **Product Name**: `Microsoft.MicrosoftPowerBIForWindows`
![Microsoft Intune management console: Allowed apps blade with recommended apps](images/wip-azure-allowed-apps-with-apps.png)
![Add Store app](images\add-a-protected-store-app.png)
### Add a Store app to your Allowed apps list
For this example, were going to add Microsoft Power BI, a store app, to the **Allowed apps** list.
To add multiple Store apps, click the elipsis **…**.
**To add a Store app**
1. From the **App policy** blade, click the name of your policy, and then click **Allowed apps** from the menu that appears.
The **Allowed apps** blade appears, showing you any apps that are already included in the list for this policy.
If you don't know the Store app publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps.
2. From the **Allowed apps** blade, click **Add apps**.
1. Go to the [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Power BI Mobile App*.
3. On the **Add apps** blade, click **Store apps** from the dropdown list.
The blade changes to show boxes for you to add a publisher and app name.
4. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the Product **name** is `Microsoft.MicrosoftPowerBIForWindows`.
5. After youve entered the info into the fields, click **OK** to add the app to your **Allowed apps** list.
>[!NOTE]
>To add multiple Store apps at the same time, you can click the menu **(…)** at the end of the app row, and then continue to add more apps. When youre done, click **OK**.
![Microsoft Intune management console: Adding Store app info](images/wip-azure-add-store-apps.png)
If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps.
**To find the publisher and product name values for Store apps without installing them**
1. Go to the [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft Power BI*.
2. Copy the ID value from the app URL. For example, Microsoft Power BI ID URL is https://www.microsoft.com/en-us/store/p/microsoft-power-bi/9nblgggzlxn1, and you'd copy the ID value, `9nblgggzlxn1`.
2. Copy the ID value from the app URL. For example, the Power BI Mobile App ID URL is https://www.microsoft.com/en-us/store/p/microsoft-power-bi/9nblgggzlxn1, and you'd copy the ID value, `9nblgggzlxn1`.
3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9nblgggzlxn1/applockerdata, where `9nblgggzlxn1` is replaced with your ID value.
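Review bot: The new image link `![Add Store app](images\add-a-protected-store-app.png)` uses a backslash in its path, while the other images in this hunk use a forward slash (`images/add-protected-apps.png`, `images/add-a-mobile-app-policy.png`). A backslash path may not resolve when the page is built, so change it to `images/add-a-protected-store-app.png`. In the same hunk, "click the elipsis" should read "ellipsis", and the visible steps number both "In the **App policy** screen ..." and "Click **Create**" as 3, so the later steps need renumbering.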
@ -122,24 +97,24 @@ If you don't know the publisher or product name, you can find them for both desk
}
```
4. Copy the `publisherCertificateName` value into the **Publisher** box and copy the `packageIdentityName` value into the **Name** box of Intune.
4. Copy the `publisherCertificateName` value into the **Publisher** box and copy the `packageIdentityName` value into the **Name** box of Intune.
>[!Important]
>The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.<br><br>For example:<br>
<code>{<br>"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",<br>}</code>
**To find the publisher and product name values for apps installed on Windows 10 mobile phones**
1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
>**Note**<br>Your PC and phone must be on the same wireless network.
If you need to add Windows 10 mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
>**Note**<br>Your PC and phone must be on the same wireless network.
3. In the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**.
1. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate.
2. In the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**.
5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step.
3. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate.
4. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step.
6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names.
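Review bot: After the renumbering in the Windows Device Portal procedure, the steps run 1, 2, 3, 4 and then jump to the unchanged "6. On the **Apps** tab of the website ..." line, so the source list skips 5. Renumber that trailing step to 5 so the Markdown source matches the rendered list. The `>**Note**<br>Your PC and phone must be on the same wireless network.` line could also move to the `>[!NOTE]` form used elsewhere in this file.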
@ -151,83 +126,77 @@ If you don't know the publisher or product name, you can find them for both desk
>The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.<br><br>For example:<br>
<code>{<br>"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",<br>}</code>
### Add a Desktop app to your Allowed apps list
For this example, were going to add WordPad, a desktop app, to the **Allowed apps** list.
### Add Desktop apps
**To add a Desktop app**
1. From the **App policy** blade, click the name of your policy, and then click **Allowed apps** from the menu that appears.
To add **Desktop apps**, complete the following fields, based on what results you want returned.
The **Allowed apps** blade appears, showing you any apps that are already included in the list for this policy.
2. From the **Allowed apps** blade, click **Add apps**.
3. On the **Add apps** blade, click **Desktop apps** from the dropdown list.
The blade changes to show boxes for you to add the following, based on what results you want returned:
<table>
<tr>
<th>Field</th>
<th>Manages</th>
</tr>
<tr>
<td>All fields marked as “*”</td>
<td>All files signed by any publisher. (Not recommended)</td>
</tr>
<tr>
<td>Publisher only</td>
<td>If you only fill out this field, youll get all files signed by the named publisher.<br><br>This might be useful if your company is the publisher and signer of internal line-of-business apps.</td>
</tr>
<tr>
<td>Publisher and Name only</td>
<table>
<tr>
<th>Field</th>
<th>Manages</th>
</tr>
<tr>
<td>All fields marked as “*”</td>
<td>All files signed by any publisher. (Not recommended)</td>
</tr>
<tr>
<td>Publisher only</td>
<td>If you only fill out this field, youll get all files signed by the named publisher.<br><br>This might be useful if your company is the publisher and signer of internal line-of-business apps.</td>
</tr>
<tr>
<td>Publisher and Name only</td>
<td>If you only fill out these fields, youll get all files for the specified product, signed by the named publisher.</td>
</tr>
<tr>
<td>Publisher, Name, and File only</td>
<td>If you only fill out these fields, youll get any version of the named file or package for the specified product, signed by the named publisher.</td>
</tr>
<tr>
<td>Publisher, Name, File, and Min version only</td>
<td>If you only fill out these fields, youll get the specified version or newer releases of the named file or package for the specified product, signed by the named publisher.<br><br>This option is recommended for enlightened apps that weren't previously enlightened.</td>
</tr>
<tr>
<td>Publisher, Name, File, and Max version only</td>
<td>If you only fill out these fields, youll get the specified version or older releases of the named file or package for the specified product, signed by the named publisher.</td>
</tr>
<tr>
<td>All fields completed</td>
<td>If you fill out all fields, youll get the specified version of the named file or package for the specified product, signed by the named publisher.</td>
</tr>
</table>
</tr>
<tr>
<td>Publisher, Name, and File only</td>
<td>If you only fill out these fields, youll get any version of the named file or package for the specified product, signed by the named publisher.</td>
</tr>
<tr>
<td>Publisher, Name, File, and Min version only</td>
<td>If you only fill out these fields, youll get the specified version or newer releases of the named file or package for the specified product, signed by the named publisher.<br><br>This option is recommended for enlightened apps that weren't previously enlightened.</td>
</tr>
<tr>
<td>Publisher, Name, File, and Max version only</td>
<td>If you only fill out these fields, youll get the specified version or older releases of the named file or package for the specified product, signed by the named publisher.</td>
</tr>
<tr>
<td>All fields completed</td>
<td>If you fill out all fields, youll get the specified version of the named file or package for the specified product, signed by the named publisher.</td>
</tr>
</table>
4. After youve entered the info into the fields, click **OK** to add the app to your **Allowed apps** list.
After youve entered the info into the fields, click **OK**.
>[!Note]
>To add multiple Desktop apps at the same time, you can click the menu **(…)** at the end of the app row, and then continue to add more apps. When youre done, click **OK**.
>[!Note]
>To add multiple Desktop apps, click the elipsis **…**. When youre done, click **OK**.
![Microsoft Intune management console: Adding Desktop app info](images/wip-azure-add-desktop-apps.png)
![Microsoft Intune management console: Adding Desktop app info](images/wip-azure-add-desktop-apps.png)
If youre unsure about what to include for the publisher, you can run this PowerShell command:
**To find the Publisher values for Desktop apps**
If youre unsure about what to include for the publisher, you can run this PowerShell command:
```ps1
Get-AppLockerFileInformation -Path "<path_of_the_exe>"
```
Where `"<path_of_the_exe>"` goes to the location of the app on the device. For example:
```ps1
Get-AppLockerFileInformation -Path "<path_of_the_exe>"
```
Where `"<path_of_the_exe>"` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Windows NT\Accessories\wordpad.exe"`.
```ps1
Get-AppLockerFileInformation -Path "C:\Program Files\Windows NT\Accessories\wordpad.exe"
```
In this example, you'd get the following info:
In this example, you'd get the following info:
``` json
Path Publisher
---- ---------
%PROGRAMFILES%\WINDOWS NT\ACCESSORIES\WORDPAD.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
```
Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter into the **Publisher** box and `WORDPAD.EXE` is the text to enter into the **File** box.
```
Path Publisher
---- ---------
%PROGRAMFILES%\WINDOWS NT\ACCESSORIES\WORDPAD.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
```
### Import a list of apps to your Allowed apps list
For this example, were going to add an AppLocker XML file to the **Allowed apps** list. Youll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content.
Where `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the **Publisher** name and `WORDPAD.EXE` is the **File** name.
**To create a list of Allowed apps using the AppLocker tool**
### Import a list of apps
For this example, were going to add an AppLocker XML file to the **Protected apps** list. Youll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content.
**To create a list of protected apps using the AppLocker tool**
1. Open the Local Security Policy snap-in (SecPol.msc).
2. In the left blade, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**.
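Review bot: The shortened note "To add multiple Desktop apps, click the elipsis **…**." misspells "ellipsis" and drops the detail from the line it replaces that the menu sits at the end of the app row, so a reader no longer knows where to click. Suggest "click the ellipsis **…** at the end of the app row". The heading renames in this hunk (`### Add Desktop apps`, `### Import a list of apps`) also change the generated anchors, so check that no other page still links to the old `allowed-apps-list` anchors.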
@ -238,11 +207,11 @@ For this example, were going to add an AppLocker XML file to the **Allowed ap
The **Create Packaged app Rules** wizard appears.
4. On the **Before You Begin** page, click **Next**.
4. On the **Before You Begin** page, click **Next**.
![Create Packaged app Rules wizard, showing the Before You Begin page](images/wip-applocker-secpol-wizard-1.png)
5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**.
5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**.
![Create Packaged app Rules wizard, showing the Before You Begin page](images/wip-applocker-secpol-wizard-2.png)
@ -250,19 +219,19 @@ For this example, were going to add an AppLocker XML file to the **Allowed ap
![Create Packaged app Rules wizard, showing the Publisher](images/wip-applocker-secpol-wizard-3.png)
7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, were using Microsoft Dynamics 365.
7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, were using Microsoft Dynamics 365.
![Create Packaged app Rules wizard, showing the Select applications page](images/wip-applocker-secpol-wizard-4.png)
8. On the updated **Publisher** page, click **Create**.
8. On the updated **Publisher** page, click **Create**.
![Create Packaged app Rules wizard, showing the Microsoft Dynamics 365 on the Publisher page](images/wip-applocker-secpol-wizard-5.png)
9. Click **No** in the dialog box that appears, asking if you want to create the default rules. You must not create default rules for your WIP policy.
9. Click **No** in the dialog box that appears, asking if you want to create the default rules. You must not create default rules for your WIP policy.
![Create Packaged app Rules wizard, showing the Microsoft Dynamics 365 on the Publisher page](images/wip-applocker-default-rule-warning.png)
9. Review the Local Security Policy snap-in to make sure your rule is correct.
9. Review the Local Security Policy snap-in to make sure your rule is correct.
![Local security snap-in, showing the new rule](images/wip-applocker-secpol-create.png)
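Review bot: Two consecutive steps in the AppLocker wizard procedure are both numbered 9 ("9. Click **No** in the dialog box ..." and "9. Review the Local Security Policy snap-in ..."), and this hunk touches both lines without fixing the numbering. Number the second one 10 so the source agrees with the rendered list and with any text that refers to steps by number.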
@ -300,47 +269,49 @@ For this example, were going to add an AppLocker XML file to the **Allowed ap
12. After youve created your XML file, you need to import it by using Microsoft Intune.
**To import your list of Allowed apps using Microsoft Intune**
**To import a list of protected apps using Microsoft Intune**
1. From the **Allowed apps** area, click **Import apps**.
1. In **Protected apps**, click **Import apps**.
![Import protected apps](images/import-protected-apps.png)
The blade changes to let you add your import file.
Then import your file.
![Microsoft Intune, Importing your AppLocker policy file using Intune](images/wip-azure-import-apps.png)
2. Browse to your exported AppLocker policy file, and then click **Open**.
The file imports and the apps are added to your **Allowed app** list.
The file imports and the apps are added to your **Protected apps** list.
### Add exempt apps to your policy
### Exempt apps from a WIP policy
If you're running into compatibility issues where your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak.
**To exempt a Store app, a Desktop app, or an AppLocker policy file from the Allowed apps list**
**To exempt a Store app, a Desktop app, or an AppLocker policy file from the Protected apps list**
1. From the **App policy** blade, click the name of your policy, and then click **Exempt apps** from the menu that appears.
1. In **Mobile apps - App protection policies**, click **Exempt apps**.
The **Exempt apps** blade appears, showing you any apps that are already included in the list for this policy.
![Exempt apps](images/exempt-apps.png)
2. From the **Exempt apps** blade, click **Add apps**.
2. In **Exempt apps**, click **Add apps**.
Be aware that when you exempt apps, theyre allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-apps-to_your-allowed-apps-list) section of this topic.
Be aware that when you exempt apps, theyre allowed to bypass the WIP restrictions and access your corporate data.
3. Fill out the rest of the app info, based on the type of app youre adding:
- **Recommended app.** Follow the instructions in the [Add a Recommended app to your Allowed apps list](#add-a-recommended-app-to_your-allowed-apps-list) section of this topic.
- [Add Recommended apps](#add-recommended-apps)
- **Store app.** Follow the instructions in the [Add a Store app to your Allowed apps list](#add-a-store-app-to_your-allowed-apps-list) section of this topic.
- [Add Store apps](#add-store-apps)
- **Desktop app.** Follow the instructions in the [Add a Desktop app to your Allowed apps list](#add-a-desktop-app-to_your-allowed-apps-list) section of this topic.
- [Add Desktop apps](#add-desktop-apps)
- **AppLocker policy file.** Follow the instructions to create your app list in the [Import a list of apps to your Allowed apps list](#import-a-list-of-apps-to_your-allowed-apps-list) section of this topic, using a list of exempted apps.
- [Import apps](#import-a-list-of-apps)
4. Click **OK**.
4. Click **OK**.
## Manage the WIP protection mode for your enterprise data
After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode.
We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Hide Overrides**.
We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, **Hide Overrides**.
>[!NOTE]
>For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
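Review bot: In the import procedure, the new standalone line "Then import your file." sits between step 1 and step 2 and repeats what step 2 ("Browse to your exported AppLocker policy file, and then click **Open**") already says. Drop it or fold it into step 2. In the exempt-apps procedure, the rewritten warning no longer tells readers where to add an app as protected instead. Since exempt apps bypass the WIP restrictions, keeping a pointer to the protected-apps steps next to that warning would help administrators choose the right list.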
@ -369,11 +340,9 @@ Starting with Windows 10, version 1703, Intune automatically determines your cor
**To change your corporate identity**
1. From the **App policy** blade, click the name of your policy, and then click **Required settings** from the menu that appears.
1. From the **App policy** blade, click the name of your policy, and then click **Required settings**.
The **Required settings** blade appears.
2. If the auto-defined identity isnt correct, you can change the info in the **Corporate identity** field. If you need to add additional domains, for example your email domains, you can do it in the **Advanced settings** area.
2. If the auto-defined identity isnt correct, you can change the info in the **Corporate identity** field. If you need to add additional domains, for example your email domains, you can do it in the **Advanced settings** area.
![Microsoft Intune, Set your corporate identity for your organization](images/wip-azure-required-settings-corp-identity.png)
@ -385,16 +354,12 @@ There are no default locations included with WIP, you must add each of your netw
>[!Important]
>Every WIP policy should include policy that defines your enterprise network locations.<br>Classless Inter-Domain Routing (CIDR) notation isnt supported for WIP configurations.
**To define where your allowed apps can find and send enterprise data on you network**
**To define where your protected apps can find and send enterprise data on you network**
1. From the **App policy** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears.
The **Advanced settings** blade appears.
1. From the **App policy** blade, click the name of your policy, and then click **Advanced settings**.
2. Click **Add network boundary** from the Network perimeter area.
The **Add network boundary** blade appears.
![Microsoft Intune, Set where your apps can access enterprise data on your network](images/wip-azure-advanced-settings-network.png)
3. Select the type of network boundary to add from the **Boundary type** box.
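Review bot: The rewritten procedure title "To define where your protected apps can find and send enterprise data on you network" carries over the typo "on you network" from the line it replaces; it should read "on your network".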
@ -413,7 +378,12 @@ There are no default locations included with WIP, you must add each of your netw
<td>Specify the cloud resources to be treated as corporate and protected by WIP.<br><br>For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.<br><br>If you have multiple resources, you must separate them using the "|" delimiter. If you dont use proxy servers, you must also include the "," delimiter just before the "|". For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;</code>.<br><br><strong>Important</strong><br>In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows cant tell whether its attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the <code>/&#42;AppCompat&#42;/</code> string to the setting. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;|/&#42;AppCompat&#42;/</code>.<br><br>When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the <strong>Domain joined or marked as compliant</strong> option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.</td>
</tr>
<tr>
<td>Network domain names</td>
<td>Protected domains</td>
<td>exchange.contoso.com,contoso.com,region.contoso.com</td>
<td>Specify the domains used for identities in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.<br><br>If you have multiple domains, you must separate them using the "," delimiter.</td>
</tr>
<tr>
<td>Network domains</td>
<td>corp.contoso.com,region.contoso.com</td>
<td>Starting with Windows 10, version 1703, this field is optional.<br><br>Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.<br><br>If you have multiple resources, you must separate them using the "," delimiter.</td>
</tr>
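Review bot: The new **Protected domains** row and the **Network domains** row both contain the same sentence, "All traffic to the fully-qualified domains appearing in this list will be protected", so the table does not tell an administrator how the two boundary types differ. State in each description what the setting is matched against (identity domains in one, DNS suffixes in the other) and when to use which. `region.contoso.com` appearing in both example values adds to the ambiguity.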
@ -465,7 +435,7 @@ After you create and deploy your WIP policy to your employees, Windows begins to
The **Advanced settings** blade appears.
2. In the **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
2. In the **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
![Microsoft Intune, Upload your Data Recovery Agent (DRA) certificate](images/wip-azure-advanced-settings-efsdra.png)
@ -492,9 +462,9 @@ After you've decided where your protected apps can access enterprise data on you
- **Show the Windows Information Protection icon overlay.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are:
- **On.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with Managed text on the app name in the **Start** menu.
- **On.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but protected apps, the icon overlay also appears on the app tile and with Managed text on the app name in the **Start** menu.
- **Off, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but allowed apps. Not configured is the default option.
- **Off, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but protected apps. Not configured is the default option.
- **Use Azure RMS for WIP.** Determines whether to use Azure Rights Management encryption with Windows Information Protection.

View File

@ -28,6 +28,8 @@ By using Microsoft Intune with Mobile application management (MAM), organization
>[!NOTE]
>This topic covers creating a Windows Information Protection (WIP) policy for organizations using a mobile application management (MAM) solution to deploy your WIP policy to Intune apps without device enrollment. If you are already managing devices by using a Mobile Device Management (MDM) solution, you must follow the instructions in the [Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md) topic.
>If the same user and device are targeted for both MAM-only (without device enrollment) policy and MDM policy, the MDM policy will be applied to devices joined to Azure AD. For personal devices that are workplace-joined, the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**.
>Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access.
## Prerequisites to using MAM with Windows Information Protection (WIP)
Before you can create your WIP policy with MAM, you must first set up your MAM provider. For more info about how to do this, see the [Get ready to configure app protection policies for Windows 10](https://docs.microsoft.com/en-us/intune-classic/deploy-use/get-ready-to-configure-app-protection-policies-for-windows-10) topic.
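Review bot: The two added lines are appended to the existing `>[!NOTE]` block with no blank `>` line between them, so they will render as one run-on paragraph with the preceding sentence. Separate them with `>` lines, and consider moving "upgrading to MDM policy on Home edition will revoke WIP-protected data access" into a `>[!Important]` block, since it describes loss of access to protected data rather than background information.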

View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/17/2018
ms.date: 05/21/2018
---
# Deploy, manage, and report on Windows Defender Antivirus
@ -47,7 +47,7 @@ PowerShell|Deploy with Group Policy, System Center Configuration Manager, or man
Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Windows Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update options for Windows Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. You can generate a list of [Group Policies to determine if any settings or policies are not applied][]
Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Security Center](https://docs.microsoft.com/en-us/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/powershell/servicemanagement/azure.antimalware/v3.4.0/azure.antimalware) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/powershell/servicemanagement/azure.antimalware/v3.4.0/azure.antimalware) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Windows Defender Antivirus events][] and add that tool as an app in AAD.
1. <span id="fn1" />The availability of some functions and features, especially related to cloud-delivered protection, differ between System Center Configuration Manager 2016 and System Center Configuration Manager 2012. In this library, we've focused on Windows 10, Windows Server 2016, and System Center Configuration Manager 2016. See [Use Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2)
1. <span id="fn1" />The availability of some functions and features, especially related to cloud-delivered protection, differ between System Center Configuration Manager (Current Branch) and System Center Configuration Manager 2012. In this library, we've focused on Windows 10, Windows Server 2016, and System Center Configuration Manager (Current Branch). See [Use Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2)
2. <span id="fn2" />In Windows 10, Windows Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date ([except on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md)). Traditional deployment therefore is not required. Deployment here refers to ensuring the Windows Defender Antivirus component is available and enabled on endpoints or servers. [(Return to table)](#ref2)
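Review bot: in the rewritten footnote 1, "The availability of some functions and features ... differ" keeps a subject-verb mismatch; since the line is being touched anyway, change it to "differs". Footnote 1's "(Return to table)" link also targets `#ref2`, the same anchor footnote 2 uses, so confirm whether it should point at `#ref1` instead.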

View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
ms.date: 05/21/2018
---
# Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection
@ -63,7 +63,7 @@ Organizations running Windows 10 E5, version 1803 can also take advantage of eme
The following table describes the differences in cloud-delivered protection between recent versions of Windows and System Center Configuration Manager.
Feature | Windows 8.1 (Group Policy) | Windows 10, version 1607 (Group Policy) | Windows 10, version 1703 (Group Policy) | Configuration manager 2012 | Configuration manager (current branch) | Microsoft Intune
Feature | Windows 8.1 (Group Policy) | Windows 10, version 1607 (Group Policy) | Windows 10, version 1703 (Group Policy) | System Center Configuration Manager 2012 | System Center Configuration Manager (Current Branch) | Microsoft Intune
---|---|---|---|---|---|---
Cloud-protection service label | Microsoft Advanced Protection Service | Microsoft Advanced Protection Service | Cloud-based Protection | NA | Cloud protection service | Microsoft Advanced Protection Service
Reporting level (MAPS membership level) | Basic, Advanced | Advanced | Advanced | Dependent on Windows version | Dependent on Windows version | Dependent on Windows version
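Review bot: the renamed header row still stops at "Windows 10, version 1703 (Group Policy)", while the paragraph directly above the table already refers to Windows 10 E5, version 1803. Either add a column for the later versions or say in the intro sentence that 1703 also covers later releases, so readers on 1709 and 1803 know which column applies to them.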

View File

@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 05/08/2018
ms.date: 05/21/2018
---
# Use Automated investigations to investigate and remediate threats
@ -117,7 +117,7 @@ Status | Description
| Queued | Investigation has been queued and will resume as soon as other remediation activities are completed. |
| Running | Investigation ongoing. Malicious entities found will be remediated. |
| Remediated | Malicious entities found were successfully remediated. |
| Terminated by system | Investigation was stopped due to <reason>. |
| Terminated by system | Investigation was stopped by the system. |
| Terminated by user | A user stopped the investigation before it could complete.
| Partially investigated | Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities. |
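Review bot: the new "Terminated by system" description, "Investigation was stopped by the system.", only restates the status name. Removing the unescaped `<reason>` placeholder is right, but the row should tell the analyst where to find the cause or list the typical causes. The neighbouring "Terminated by user" row is also missing its closing ` |`, unlike every other row in the table, and could be fixed in the same change.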

View File

@ -38,68 +38,26 @@ For more information on enabling MDM with Microsoft Intune, see [Setup Windows D
For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx).
### Using the Azure Intune Portal to deploy Windows Defender Advanced Threat Protection policies on Windows 10 1607 and higher
### Use the Azure Intune Portal to deploy Windows Defender Advanced Threat Protection policies on Windows 10 1607 and higher
1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
1. Login to the [Microsoft Azure portal](https://portal.azure.com).
a. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
2. Select **Device Configuration > Profiles > Create profile**.
b. Select Windows 10 as the operating system.
3. Enter a **Name** and **Description**.
c. In the **Deployment method** field, select **Mobile Device Management / Microsoft Intune**.
d. Click **Download package**, and save the .zip file.
4. For **Platform**, select **Windows 10 and later**.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP.onboarding*.
5. For **Profile type**, select **Windows Defender ATP (Windows 10 Desktop)**.
3. Login to the [Microsoft Azure portal](https://portal.azure.com).
6. Configure the settings:
- **Onboard Configuration Package**: Browse and select the **WindowsDefenderATP.onboarding** file you downloaded. This file enables a setting so devices can report to the Windows Defender ATP service.
- **Sample sharing for all files**: Allows samples to be collected, and shared with Windows Defender ATP. For example, if you see a suspicious file, you can submit it to Windows Defender ATP for deep analysis.
- **Expedite telemetry reporting frequency**: For devices that are at high risk, enable this setting so it reports telemetry to the Windows Defender ATP service more frequently.
- **Offboard Configuration Package**: If you want to remove Windows Defender ATP monitoring, you can download an offboarding package from the Windows Defender ATP portal, and add it. Otherwise, skip this property.
7. Select **OK**, and **Create** to save your changes, which creates the profile.
4. From the Intune blade, choose **Device configuration**.
![Image of device configuration menu in Microsoft Azure](images/atp-azure-intune-device-config.png)
5. Under **Manage**, choose **Profiles** and click **Create Profile**.
![Image of policy creation in Azure](images/atp-azure-intune-create-profile.png)
6. Type a name, description and choose **Windows 10 and later** as the Platform and **Custom** as the Profile type.
![Image of naming a policy](images/atp-intune-custom.png)
7. Click **Settings** > **Configure**.
![Image of settings](images/atp-intune-configure.png)
8. Under Custom OMA-URI Settings, click **Add**.
![Image of configuration settings](images/atp-custom-oma-uri.png)
9. Enter the following values, then click **OK**.
![Image of profile creation](images/atp-oma-uri-values.png)
- **Name**: Type a name for the setting.
- **Description**: Type a description for the setting.
- **OMA-URI**: _./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding_
- **Value**: Copy and paste the contents of the WindowsDefenderATP.onboarding file you downloaded.
10. Save the settings by clicking **OK**.
11. Click **Create**.
![Image of the policy being created](images/atp-intune-create-policy.png)
12. To deploy the Profile, click **Assignments**.
![Image of groups](images/atp-intune-assignments.png)
13. Search for and select the Group you want to apply the Configuration Profile to, then click **Select**.
![Image of groups](images/atp-intune-group.png)
14. Click **Save** to finish deploying the Configuration Profile.
![Image of deployment](images/atp-intune-save-deployment.png)
### Onboard and monitor machines using the classic Intune console
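Review bot: new step 6 says to "Browse and select the **WindowsDefenderATP.onboarding** file you downloaded", but judging by the renumbering (the new list runs 1 to 7 and the hunk shrinks from 68 to 26 lines) the steps that explained how to get that file are gone: downloading the package from **Settings** > **Machine management** > **Onboarding** and extracting it to a shared, read-only location. Keep a short prerequisite step or a link to the download instructions so the procedure stands on its own, and keep the read-only guidance for the extracted package. The "Sample sharing for all files" bullet should state the default value so administrators make a deliberate choice about sending file samples off the device. Minor: "Login to" in step 1 should be the verb form, "Sign in to" or "Log in to".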

View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
ms.date: 05/21/2018
---
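Review bot: the front matter in this file uses `localizationpriority: medium`, while the other files touched in this commit use `ms.localizationpriority`. If the build only reads the `ms.`-prefixed key, this value is silently ignored; align the key while the metadata block is being edited.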
@ -63,11 +63,9 @@ Exploit protection works best with [Windows Defender Advanced Threat Protection]
## Requirements
Exploit protection requires Windows 10 Enterprise E3 and Windows Defender AV real-time protection.
Windows 10 version | Windows Defender Advanced Threat Protection
-|-
Windows 10 version 1709 or later | For full reporting you need a license for [Windows Defender ATP](../windows-defender-atp/windows-defender-advanced-threat-protection.md)
Windows 10 version 1709 or later | For full reporting, you need a license for [Windows Defender ATP](../windows-defender-atp/windows-defender-advanced-threat-protection.md)
## Review Exploit protection events in Windows Event Viewer
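Review bot: the hunk shrinks from 11 to 9 lines, which suggests the sentence "Exploit protection requires Windows 10 Enterprise E3 and Windows Defender AV real-time protection." is being dropped. If so, the Requirements section no longer states the real-time protection dependency or the edition, and the remaining table only covers the reporting license. Confirm that is intended, or carry those requirements into the table. The delimiter row `-|-` also differs from the `---|---` form used in the cloud-delivered protection table in this commit; use three dashes for consistency.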