deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 13:57:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/master' into wsfb-9186167

Browse Source
This commit is contained in:
Trudy Hakala 2016-10-11 15:04:07 -07:00
commit eda19a3881
24 changed files with 268 additions and 385 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

101
devices/surface-hub/admin-group-management-for-surface-hub.md
View File

@ -14,96 +14,73 @@ localizationpriority: medium
# Admin group management (Surface Hub)
Every Microsoft Surface Hub can be configured individually by opening the Settings app on the device. However, to prevent people who are not administrators from changing the settings, the Settings app requires administrator credentials to open the app and change settings.
Every Surface Hub can be configured locally using the Settings app on the device. To prevent unauthorized users from changing settings, the Settings app requires admin credentials to open the app.
The Settings app requires local administrator credentials to open the app.
## Admin Group Management
You can set up administrator accounts for the device in one of three ways:
You can set up administrator accounts for the device in any of three ways:
- Create a local admin account
- Domain join the device to Active Directory (AD)
- Azure Active Directory (Azure AD) join the device
- Create a local admin account.
- Domain join the device to Active Directory (AD).
- Azure Active Directory (Azure AD) join the device.
### Create a local admin account
To create a local admin, choose to use a local admin during first run. This will create a single local admin account on the Surface Hub with the username and password of your choice. These same credentials will need to be provided to open the Settings app.
To create a local admin, [choose to use a local admin during first run](first-run-program-surface-hub.md#use-a-local-admin). This will create a single local admin account on the Surface Hub with the username and password of your choice. Use these credentials to open the Settings app.
Note that the local admin account information is not backed by any directory service. We recommend you only choose a local admin if the device does not have access to Active Directory (AD) or Azure Active Directory (Azure AD). If you decide to change the local admins password, you can do so in Settings. However, if you want to change from using the local admin account to using a group from your domain or Azure AD tenant, then youll need to [reset the device](device-reset-surface-hub.md) and go through the first-time program again.
Note that the local admin account information is not backed by any directory service. We recommend you only choose a local admin if the device does not have access to Active Directory (AD) or Azure Active Directory (Azure AD). If you decide to change the local admins password, you can do so in Settings. However, if you want to change from using the local admin account to using a group from your domain or Azure AD organization, then youll need to reset the device and go through first-time setup again.
### Domain join the device to Active Directory (AD)
You can set a security group from your domain as local administrators on the Surface Hub after you domain join the device to AD. You will need to provide credentials that are capable of joining the domain of your choice. After you domain join successfully, you will be asked to pick an existing security group to be set as the local admins. Anyone who is a member of that security group can enter their credentials and unlock Settings.
You can domain join the Surface Hub to your AD domain to allow users from a specified security group to configure settings. During first run, choose to use [Active Directory Domain Services](first-run-program-surface-hub.md#a-href-iduse-active-directoryause-active-directory-domain-services). You'll need to provide credentials that are capable of joining the domain of your choice, and the name of an existing security group. Anyone who is a member of that security group can enter their credentials and unlock Settings.
>**Note**  Surface Hubs domain join for the single purpose of using a security group as local admins. Group policies are not applied after the device is domain joined.
#### What happens when you domain join your Surface Hub?
Surface Hubs use domain join to:
- Grant admin rights to members of a specified security group in AD.
- Backup the device's BitLocker recovery key by storing it under the computer object in AD. See [Save your BitLocker key](save-bitlocker-key-surface-hub.md) for details.
- Synchronize the system clock with the domain controller for encrypted communication
 
Surface Hub does not support applying group policies or certificates from the domain controller.
>**Note**  If your Surface Hub loses trust with the domain (for example, if you remove the Surface Hub from the domain after it is domain joined), you won't be able to authenticate into the device and open up Settings. If you decide to remove the trust relationship of the Surface Hub with your domain, reset the device first.
> [!NOTE]
> If your Surface Hub loses trust with the domain (for example, if you remove the Surface Hub from the domain after it is domain joined), you won't be able to authenticate into the device and open up Settings. If you decide to remove the trust relationship of the Surface Hub with your domain, [reset the device](device-reset-surface-hub.md) first.
 
### Azure Active Directory (Azure AD) join the device
You can set up IT pros from your Azure AD organization as local administrators on the Surface Hub after you join the device. The people that are provisioned as local admins on your device depend on what Azure AD subscription you have. You will need to provide credentials that are capable of joining the Azure AD organization of your choice. After you successfully join Azure AD, the appropriate people will be set as local admins on the device. Any user who was set up as a local admin as a result of this process can enter their credentials and unlock the Settings app.
You can Azure AD join the Surface Hub to allow IT pros from your Azure AD tenant to configure settings. During first run, choose to use [Microsoft Azure Active Directory](first-run-program-surface-hub.md#a-href-iduse-microsoft-azureause-microsoft-azure-active-directory). You will need to provide credentials that are capable of joining the Azure AD tenant of your choice. After you successfully Azure AD join, the appropriate people will be granted admin rights on the device.
>**Note**  If your Azure AD organization is configured with mobile device management (MDM) enrollment, Surface Hubs will be enrolled into MDM as a result of joining Azure AD. Surface Hubs that have joined Azure AD are subject to receiving MDM policies, and can be managed using the MDM solution that your organization uses.
By default, all **global administrators** will be given admin rights on an Azure AD joined Surface Hub. With **Azure AD Premium** or **Enterprise Mobility Suite (EMS)**, you can add additional administrators:
1. In the [Azure classic portal](https://manage.windowsazure.com/), click **Active Directory**, and then click the name of your organization's directory.
2. On the **Configure** page, under **Devices** > **Additional administrators on Azure AD joined devices**, click **Selected**.
3. Click **Add**, and select the users you want to add as administrators on your Surface Hub and other Azure AD joined devices.
4. When you have finished, click the checkmark button to save your change.
#### What happens when you Azure AD join your Surface Hub?
Surface Hubs use Azure AD join to:
- Grant admin rights to the appropriate users in your Azure AD tenant.
- Backup the device's BitLocker recovery key by storing it under the account that was used to Azure AD join the device. See [Save your BitLocker key](save-bitlocker-key-surface-hub.md) for details.
> [!IMPORTANT]
> If your Azure AD organization is configured to automatically enroll devices into mobile device management (MDM), you will need to disable this for the Surface Hubs you plan to join to Azure AD, and manually enroll into MDM using Settings. A known issue prevents Surface Hubs from supporting this setting.
 
### Which should I choose?
If your organization is using AD or Azure AD, we recommend you either domain join or join Azure AD, primarily for security reasons. People will be able to authenticate and unlock Settings with their own credentials, and can be moved in or out of the security groups associated with you domain or organization.
If your organization is using AD or Azure AD, we recommend you either domain join or Azure AD join, primarily for security reasons. People will be able to authenticate and unlock Settings with their own credentials, and can be moved in or out of the security groups associated with your domain.
We recommend that a local admin be set up only if you do not have Active Directory or Azure AD, or if you cannot connect to your Active Directory or Azure AD during first run.
### Summary
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">How is the local administrator set up?</th>
<th align="left">Requirements</th>
<th align="left">Which credentials can be used for the Settings app?</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">A local admin account is created.</td>
<td align="left">None.</td>
<td align="left">The credentials of the local admin that was created.</td>
</tr>
<tr class="even">
<td align="left">The Surface Hub is joined to a domain.</td>
<td align="left">Your organization is using Active Directory (AD).</td>
<td align="left">Credentials of any AD user from a specified security group</td>
</tr>
<tr class="odd">
<td align="left">The Surface Hub is joined to Azure Active Directory (Azure AD).</td>
<td align="left">Your organization is using Azure AD Basic.</td>
<td align="left">Tenant or device admins</td>
</tr>
<tr class="even">
<td align="left">Your organization is using Azure AD Premium.</td>
<td align="left">Tenant or device admins + additional specified people</td>
<td align="left"></td>
</tr>
</tbody>
</table>
 
 
 
| Option | Requirements | Which credentials can be used to access the Settings app? |
|---------------------------------------------------|-----------------------------------------|-------|
| Create a local admin account | None | The user name and password specified during first run |
| Domain join to Active Directory (AD) | Your organization uses AD | Any AD user from a specific security group in your domain |
| Azure Active Directory (Azure AD) join the device | Your organization uses Azure AD Basic | Global administators only |
| &nbsp; | Your organization uses Azure AD Premium or Enterprise Mobility Suite (EMS) | Global administrators and additional administrators |

6
devices/surface-hub/create-a-device-account-using-office-365.md
View File

@ -133,7 +133,7 @@ In order to run cmdlets used by these PowerShell scripts, the following must be
5. Finally, to connect to Exchange Online Services, run:
``` syntax
$exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri"https://outlook.office365.com/powershell-liveid/" -Credential $cred -Authentication "Basic" AllowRedirection
$exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $cred -Authentication "Basic" AllowRedirection
```
![Image showing PowerShell cmdlet.](images/setupdeviceaccto365-21.png)
@ -202,7 +202,7 @@ Now that you're connected to the online services, you can finish setting up the
``` syntax
Set-CalendarProcessing -Identity $acctUpn -AutomateProcessing AutoAccept -AddOrganizerToSubject $false AllowConflicts $false DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false
Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a <tla rid="surface_hub"/> room!"
Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!"
```
![Image showing PowerShell cmdlet.](images/setupdeviceaccto365-26.png)
@ -350,7 +350,7 @@ Now that you're connected to the online services, you can finish setting up the
``` syntax
Set-CalendarProcessing -Identity $acctUpn -AutomateProcessing AutoAccept -AddOrganizerToSubject $false AllowConflicts $false DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false
Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a <tla rid="surface_hub"/> room!"
Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!"
```
5. Now we have to set some properties in AD. To do that, you need the alias of the account (this is the part of the UPN that becomes before the “@”).

175
devices/surface-hub/create-and-test-a-device-account-surface-hub.md
View File

@ -16,166 +16,43 @@ localizationpriority: medium
This topic introduces how to create and test the device account that Microsoft Surface Hub uses to communicate with Microsoft Exchange and Skype.
A "device account" is an account that the Microsoft Surface Hub uses to:
A **device account** is an Exchange resource account that Surface Hub uses to:
- sync its meeting calendar,
- send mail,
- and enable Skype for Business compatibility.
- Display its meeting calendar
- Join Skype for Business calls
- Send email (for example, email whiteboard content from a meeting)
People can book this account by scheduling a meeting with it. The Surface Hub will be able to join that meeting and provide various features to the meeting attendees.
Once the device account is provisioned to a Surface Hub, people can add this account to a meeting invitation the same way that they would invite a meeting room.
>**Important**  Without a device account, none of these features will work.
## Configuration overview
 
This table explains the main steps and configuration decisions when you create a device account.
| Step | Description | Purpose |
|------|---------------------------------|--------------------------------------|
| 1 | Created a logon-enabled Exchange resource mailbox (Exchange 2013 or later, or Exchange Online) | This resource mailbox allows the device to maintain a meeting calendar, receive meeting requests, and send mail. It must be logon-enabled to be provisioned to a Surface Hub. |
| 2 | Configure mailbox properties | The mailbox must be configured with the correct properties to enable the best meeting experience on Surface Hub. For more information on mailbox properties, see [Mailbox properties](exchange-properties-for-surface-hub-device-accounts.md). |
| 3 | Apply a compatible mobile device mailbox policy to the mailbox | Surface Hub is managed using mobile device management (MDM) rather than through mobile device mailbox policies. For compatibility, the device account must have a mobile device mailbox policy where the **PasswordEnabled** setting is set to False. Otherwise, Surface Hub can't sync mail and calendar info. |
| 4 | Enable mailbox with Skype for Business (Lync Server 2013 or later, or Skype for Business Online) | Skype for Business must be enabled to use conferencing features like video calls, IM, and screen sharing. |
| 5 | (Optional) Whitelist ActiveSync Device ID | Your organization may have a global policy that prevents device accounts from syncing mail and calendar info. If so, you need to whitelist the ActiveSync Device ID of your Surface Hub. |
| 6 | (Optional) Disable password expiration | To simplify management, you can turn off password expiration for the device account and allow Surface Hub to automatically rotate the device account password. For more information about password management, see [Password management](password-management-for-surface-hub-device-accounts.md). |
Every device account is unique to a single Surface Hub, and requires some setup:
## Detailed configuration steps
- The device account must be configured correctly, as described in the folllowing sections.
- Your infrastructure must be configured to allow the Surface Hub to validate the device account, and to reach the appropriate Microsoft services.
We recommend setting up your device accounts using remote PowerShell. There are PowerShell scripts available to help create and validate device accounts For more information on PowerShell scripts and instructions, see [Appendix A: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md).
You can think of a device account as the resource account that people recognize as a conference rooms or meeting spaces account. When you want to schedule a meeting using that conference room, you invite the account to that meeting. In order to use the Surface Hub most effectively, you do the same with the device account that's assigned to each one.
For detailed steps using PowerShell to provision a device account, choose an option from the table, based on your organization deployment.
If you already have a resource mailbox account set up for the meeting space where youre putting a Surface Hub, you can change that resource account into a device account. Once thats done, all you need to do is add the device account to a Surface Hub. See step 2 of either [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md) or [Online deployment (Office 365)](online-deployment-surface-hub-device-accounts.md).
| Organization deployment | Description |
|---------------------------------|--------------------------------------|
| [Online deployment (Office 365)](online-deployment-surface-hub-device-accounts.md) | Your organization's environment is deployed entirely on Office 365. |
| [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md) | Your organization has servers that it controls and uses to host Active Directory, Exchange, and Skype for Business (or Lync). |
| [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md) | Your organization has a mix of services, with some hosted on-premises and some hosted online through Office 365. |
The following sections will describe how to create and test a device account before configuring your Surface Hub.
### Basic configuration
These properties represent the minimum configuration for a device account to work on a Surface Hub. Your device account may require further setup, which is covered in [Advanced configuration](#advanced-config).
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Property</th>
<th align="left">Purpose</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Exchange mailbox (Exchange 2013 or later, or Exchange Online)</p></td>
<td align="left"><p>Enabling the account with an Exchange mailbox gives the device account the capability to receive and send both mail and meeting requests, and to display a meetings calendar on the Surface Hubs welcome screen. The Surface Hub mailbox must be a room mailbox.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Skype for Business-enabled (Lync/Skype for Business 2013 or later or Skype for Business Online)</p></td>
<td align="left"><p>Skype for Business must be enabled in order to use various conferencing features, like video calls, IM, and screen-sharing.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Password-enabled</p></td>
<td align="left"><p>The device account must be enabled with a password, or it cannot authenticate with either Exchange or Skype for Business.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Compatible EAS policies</p></td>
<td align="left"><p>The device account must use a compatible EAS policy in order for it to sync its mail and calendar. In order to implement this policy, the PasswordEnabled property must be set to False. If an incompatible EAS policy is used, the Surface Hub will not be able to use any services provided by Exchange and ActiveSync.</p></td>
</tr>
</tbody>
</table>
 
### <a href="" id="advanced-config"></a>Advanced configuration
While the properties for the basic configuration will allow the device account to be set up in a simple environment, it is possible your environment has other restrictions on directory accounts that must be met in order for the Surface Hub to successfully use the device account.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Property</th>
<th align="left">Purpose</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Certificate-based authentication</p></td>
<td align="left"><p>Certificates may be required for both ActiveSync and Skype for Business. To deploy certificates, you need to use provisioning packages or an MDM solution.</p>
<p>See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) for details.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Allowed device IDs (ActiveSync Device ID)</p></td>
<td align="left"><p>Your Exchange ActiveSync setup may require that an account must whitelist device IDs so that ActiveSync can retrieve the device accounts mail and calendar. You must ensure that the Surface Hubs device ID is added to this whitelist. This can either be configured using PowerShell (by setting the <code>ActiveSyncAllowedDeviceIDs</code> property) or the Exchange administrative portal.</p>
<p>You can find out how to find and whitelist a device ID with PowerShell in [Allowing device IDs for ActiveSync](appendix-a-powershell-scripts-for-surface-hub.md#whitelisting-device-ids-cmdlet).</p></td>
</tr>
</tbody>
</table>
 
### How do I set up the account?
The best way to set up device accounts is to configure them using remote PowerShell. We provide several PowerShell scripts that will help create new device accounts, or validate existing resource accounts you have in order to help you turn them into compatible Surface Hub device accounts. These PowerShell scripts, and instructions for their use, are in [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md).
You can check online for updated versions at [Surface Hub device account scripts](http://aka.ms/surfacehubscripts).
### Device account configuration
Your infrastructure will likely fall into one of three configurations. Which configuration you have will affect how you prepare for device setup.
- [Online deployment (Office 365)](online-deployment-surface-hub-device-accounts.md): Your organizations environment is deployed entirely on Office 365.
- [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md): Your organization has servers that it controls, where Active Directory, Exchange, and Skype for Business (or Lync) are hosted.
- [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md): Your organization has a mix of services, with some hosted on-premises and some hosted online through Office 365.
If you prefer to use the Office 365 UI over PowerShell cmdlets, some steps can be performed manually. See [Creating a device account using Office 365](create-a-device-account-using-office-365.md).
### Device account resources
These sections describe resources used by the Surface Hub device account.
- [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md): The Exchange properties of the device account must be set to particular values for the Surface Hub to work properly.
- [Applying ActiveSync policies to device accounts](apply-activesync-policies-for-surface-hub-device-accounts.md): The Surface Hub uses ActiveSync to sync both mail and its meeting calendar.
- [Password management](password-management-for-surface-hub-device-accounts.md): Every device account requires a password to authenticate. This section describes your options for managing this password.
## In this section
If you prefer to use a graphical user interface, some steps can be done using UI instead of PowerShell.
For more information, see [Creating a device account using UI](create-a-device-account-using-office-365.md).
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Topic</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>[Online deployment](online-deployment-surface-hub-device-accounts.md)</p></td>
<td align="left"><p>This topic has instructions for adding a device account for your Surface Hub when you have a pure, online deployment.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md)</p></td>
<td align="left"><p>This topic explains how you add a device account for your Surface Hub when you have a single-forest, on-premises deployment.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md)</p></td>
<td align="left"><p>A hybrid deployment requires special processing in order to set up a device account for your Surface Hub. If youre using a hybrid deployment, in which your organization has a mix of services, with some hosted on-premises and some hosted online, then your configuration will depend on where each service is hosted. This topic covers hybrid deployments for [Exchange hosted on-prem](#hybrid-exchange-on-prem), and [Exchange hosted online](#hybrid-exchange-online). Because there are so many different variations in this type of deployment, it's not possible to provide detailed instructions for all of them. The following process will work for many configurations. If the process isn't right for your setup, we recommend that you use PowerShell (see [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md)) to achieve the same end result as documented here, and for other deployment options. You should then use the provided PowerShell script to verify your Surface Hub setup. (See [Account Verification Script](appendix-a-powershell-scripts-for-surface-hub.md#acct-verification-ps-scripts).)</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Create a device account using UI](create-a-device-account-using-office-365.md)</p></td>
<td align="left"><p>If you prefer to use a graphical user interface, you can create a device account for your Surface Hub with either the [Office 365 UI](#create-device-acct-o365) or the [Exchange Admin Center](#create-device-acct-eac).</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Microsoft Exchange properties](exchange-properties-for-surface-hub-device-accounts.md)</p></td>
<td align="left"><p>Some Exchange properties of the device account must be set to particular values to have the best meeting experience on Surface Hub. The following table lists various Exchange properties based on PowerShell cmdlet parameters, their purpose, and the values they should be set to.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Applying ActiveSync policies to device accounts](apply-activesync-policies-for-surface-hub-device-accounts.md)</p></td>
<td align="left"><p>The Surface Hub's device account uses ActiveSync to sync mail and calendar. This allows people to join and start scheduled meetings from the Surface Hub, and allows them to email any whiteboards they have made during their meeting.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Password management](password-management-for-surface-hub-device-accounts.md)</p></td>
<td align="left"><p>Every Surface Hub device account requires a password to authenticate and enable features on the device.</p></td>
</tr>
</tbody>
</table>
 

12
devices/surface-hub/first-run-program-surface-hub.md
View File

@ -169,17 +169,19 @@ On this page, the Surface Hub will ask for credentials for the device account th
>**Note**  This section does not cover specific errors that can happen during first run. See [Troubleshoot Surface Hub](troubleshoot-surface-hub.md) for more information on errors.
 
![Image showing Enter device account info page.](images/setupdeviceacct.png)
### Details
Use either a **user principal name (UPN)** or a **domain\\user name** as the account identifier in the first entry field.
Use either a **user principal name (UPN)** or a **domain\\user name** as the account identifier in the first entry field. Use the format that matches your environment, and enter the password.
| Environment | Required format for device account|
| ------------ | ----------------------------------|
| Device account is hosted only online. | username@domain.com|
| Device account is hosted only on-prem. | DOMAIN\username|
| Device account is hosted online and on-prem (hybrid). | DOMAIN\username|
- **User principal name:** This is the UPN of the device account for this Surface Hub. If youre using Azure Active Directory (Azure AD) or a hybrid deployment, then you must enter the UPN of the device account.
- **Domain\\user name:** This is the identity of the device account for this Surface Hub, in domain\\user name format. If youre using an Active Directory (AD) deployment, then you must enter the account in this format.
- **Password:** Enter the device account password.
Click **Skip setting up a device account** to skip setting up a device account. However, if you don't set up a device account, the device will not be fully integrated into your infrastructure. For example, people won't be able to:

2
devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
View File

@ -71,7 +71,7 @@ If you have a single-forest on-premises deployment with Microsoft Exchange 2013
```PowerShell
Set-CalendarProcessing -Identity $acctUpn -AutomateProcessing AutoAccept -AddOrganizerToSubject $false AllowConflicts $false DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false
Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a <tla rid="surface_hub"/> room!"
Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!"
```
5. If you decide to have the password not expire, you can set that with PowerShell cmdlets too. See [Password management](password-management-for-surface-hub-device-accounts.md) for more information.

56
devices/surface-hub/password-management-for-surface-hub-device-accounts.md
View File

@ -13,62 +13,24 @@ localizationpriority: medium
# Password management (Surface Hub)
Every Microsoft Surface Hub device account requires a password to authenticate and enable features on the device. For security reasons, you may want to change (or "rotate") this password regularly. However, if the device accounts password changes, the password that was previously stored on the Surface Hub will be invalid, and all features that depend on the device account will be disabled. You will need to update the device accounts password on the Surface Hub from the Settings app to re-enable these features.
Every Microsoft Surface Hub device account requires a password to authenticate and enable features on the device. For security reasons, you may want to change ( or "rotate") this password. However, if the device accounts password changes, the device account on the Surface Hub will be expired, and all features that depend on the device account will be disabled. You can update the device accounts password on the Surface Hub from the Settings app to re-enable these features.
To simplify password management for your Surface Hub device accounts, there are two options:
To prevent the device account from expiring, there are two options:
1. Set the password on the device account so it doesn't expire.
1. Turn off password expiration for the device account.
2. Allow the Surface Hub to automatically rotate the device accounts password.
## Setting the password so it doesn't expire
## Turn off password rotation for the device account
Set the device accounts **PasswordNeverExpires** property to True. You should verify whether this meets your organizations security requirements.
## Allow the Surface Hub to manage the password
The Surface Hub can manage a device accounts password by changing it frequently without requiring you to manually update the device accounts information from the Surface Hub. You can enable this feature in **Settings**. Once enabled, the device account's password will change daily.
Note that when the device accounts password is changed, you will not be shown the new password. If you need to sign in to the account, or to provide the password again (for example, if you want to change the device account settings on the Surface Hub), then you'll need use Active Directory to reset the password.
For your device account to use password rotation, you must meet enter the device accounts information when you set up your Surface Hub (during First-run experience), or in **Settings**. The format you'll use depends on where your device account it hosted:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Environment</th>
<th align="left">Required format for device account</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Device account is hosted only online</p></td>
<td align="left"><p>username@contoso.com</p></td>
</tr>
<tr class="even">
<td align="left"><p>Device account is hosted only on-prem</p></td>
<td align="left"><p>DOMAIN\username</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Device account is hosted online and on-prem (hybrid)</p></td>
<td align="left"><p>DOMAIN\username</p></td>
</tr>
</tbody>
</table>
 
 
 
## Allow the Surface Hub to automatically rotate the device accounts password
The Surface Hub can manage a device accounts password by changing it frequently without requiring you to manually update the device accounts information. You can enable this feature in **Settings**. Once enabled, the device account's password will change weekly during maintenance hours.
Note that when the device accounts password is changed, you will not be shown the new password. If you need to sign in to the account, or to provide the password again (for example, if you want to change the device account settings on the Surface Hub), then you'll need use Active Directory or the Office 365 admin portal to reset the password.
> [!IMPORTANT]
> If your organization uses a hybrid topology (some services are hosted on-premises and some are hosted online through Office 365), you must setup the device account in **domain\username** format. Otherwise, password rotation will not work.

34
windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
View File

@ -40,30 +40,30 @@ In this topic, we assume that you have a Windows 7 SP1 client named PC0003 with
1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
1. General
* General
2. Name: Install Windows 10 Enterprise x64
* Name: Install Windows 10 Enterprise x64
3. Limited Collection: All Systems
* Limited Collection: All Systems
4. Membership rules:
* Membership rules:
5. Direct rule
* Direct rule
6. Resource Class: System Resource
* Resource Class: System Resource
7. Attribute Name: Name
* Attribute Name: Name
8. Value: PC0003
* Value: PC0003
9. Select **Resources**
* Select **Resources**
10. Select **PC0003**
* Select **PC0003**
2. Review the Install Windows 10 Enterprise x64 collection. Do not continue until you see the PC0003 machine in the collection.
**Note**  
It may take a short while for the collection to refresh; you can view progress via the Colleval.log file. If you want to speed up the process, you can manually update membership on the Install Windows 10 Enterprise x64 collection by right-clicking the collection and selecting Update Membership.
>[!NOTE] 
>It may take a short while for the collection to refresh; you can view progress via the Colleval.log file. If you want to speed up the process, you can manually update membership on the Install Windows 10 Enterprise x64 collection by right-clicking the collection and selecting Update Membership.
 
@ -82,8 +82,8 @@ Using the Configuration Manager console, in the Software Library workspace, sele
- Make available to the following: Configuration Manager clients, media and PXE
**Note**  
It is not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point.
>[!NOTE]  
>It is not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point.
 
@ -110,10 +110,8 @@ Now you can start the computer refresh on PC0003.
1. Using the Configuration Manager console, in the Asset and Compliance workspace, in the Install Windows 10 Enterprise x64 collection, right-click **PC0003** and select **Client Notification / Download Computer Policy**. Click **OK**.
**Note**  
The Client Notification feature is new in Configuration Manager.
 
>[!NOTE]  
>The Client Notification feature is new in Configuration Manager.
2. On PC0003, using the Software Center (begin using the Start screen, or click the **New software is available** balloon in the system tray), select the **Windows 10 Enterprise x64 RTM** deployment and click **INSTALL**.

59
windows/deploy/refresh-a-windows-7-computer-with-windows-10.md
View File

@ -20,7 +20,7 @@ This topic will show you how to use MDT 2013 Update 2 Lite Touch Installation (L
For the purposes of this topic, we will use three machines: DC01, MDT01, and PC0001. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 Standard server. PC0001 is a machine with Windows 7 Service Pack 1 (SP1) that is going to be refreshed into a Windows 10 machine, with data and settings restored. MDT01 and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
![figure 1](images/mdt-04-fig01.png)
![The machines used in this topic](images/mdt-04-fig01.png "The machines used in this topic")
Figure 1. The machines used in this topic.
@ -28,15 +28,21 @@ Figure 1. The machines used in this topic.
Even though a computer will appear, to the end user, to be upgraded, a computer refresh is not, technically, an in-place upgrade. A computer refresh also involves taking care of user data and settings from the old installation and making sure to restore those at the end of the installation.
For a computer refresh with MDT, you use the User State Migration Tool (USMT), which is part of the Windows Assessment and Deployment Kit (ADK) for Windows 10, to migrate user data and settings. To complete a computer refresh you will:
1. Back up data and settings locally, in a backup folder.
2. Wipe the partition, except for the backup folder.
3. Apply the new operating system image.
4. Install other applications.
5. Restore data and settings.
During the computer refresh, USMT uses a feature called Hard-Link Migration Store. When you use this feature, the files are simply linked in the file system, which allows for fast migration, even when there is a lot of data.
**Note**  
In addition to the USMT backup, you can enable an optional full Windows Imaging (WIM) backup of the machine by configuring the MDT rules. If you do this, a .wim file is created in addition to the USMT backup. The .wim file will contain the entire volume from the computer, and helpdesk personnel can extract content from it if needed. Please note that this is a data WIM backup only. Using this backup to restore the entire machine is not a supported scenario.
>[!NOTE] 
>In addition to the USMT backup, you can enable an optional full Windows Imaging (WIM) backup of the machine by configuring the MDT rules. If you do this, a .wim file is created in addition to the USMT backup. The .wim file will contain the entire volume from the computer, and helpdesk personnel can extract content from it if needed. Please note that this is a data WIM backup only. Using this backup to restore the entire machine is not a supported scenario.
 
### Multi-user migration
@ -45,8 +51,8 @@ by configuring command-line switches to ScanState (added as rules in MDT).
As an example, the following line configures USMT to migrate only domain user profiles and not profiles from the local SAM account database: ScanStateArgs=/ue:\*\\\* /ui:CONTOSO\\\*
**Note**  
You also can combine the preceding switches with the /uel switch, which excludes profiles that have not been accessed within a specific number of days. For example, adding /uel:60 will configure ScanState (or LoadState) not to include profiles that haven't been accessed for more than 60 days.
>[!NOTE] 
>You also can combine the preceding switches with the /uel switch, which excludes profiles that have not been accessed within a specific number of days. For example, adding /uel:60 will configure ScanState (or LoadState) not to include profiles that haven't been accessed for more than 60 days.
 
### Support for additional settings
@ -55,12 +61,15 @@ In addition to the command-line switches that control which profiles to migrate,
## <a href="" id="sec02"></a>Create a custom User State Migration Tool (USMT) template
In this section, you learn to migrate additional data using a custom template. You configure the environment to use a custom USMT XML template that will:
1. Back up the **C:\\Data** folder (including all files and folders).
2. Scan the local disk for PDF documents (\*.pdf files) and restore them into the **C:\\Data\\PDF Documents** folder on the destination machine.
The custom USMT template is named MigContosoData.xml, and you can find it in the sample files for this documentation, which include:
- [Gather script](https://go.microsoft.com/fwlink/p/?LinkId=619361)
- [Set-OUPermissions](https://go.microsoft.com/fwlink/p/?LinkId=619362) script
- [MDT Sample Web Service](https://go.microsoft.com/fwlink/p/?LinkId=619363)
The custom USMT template is named MigContosoData.xml, and you can find it in the sample files for this documentation, which include:
* [Gather script](https://go.microsoft.com/fwlink/p/?LinkId=619361)
* [Set-OUPermissions](https://go.microsoft.com/fwlink/p/?LinkId=619362) script
* [MDT Sample Web Service](https://go.microsoft.com/fwlink/p/?LinkId=619363)
### Add the custom XML template
@ -77,27 +86,30 @@ In order to use the custom MigContosoData.xml USMT template, you need to copy it
After adding the additional USMT template and configuring the CustomSettings.ini file to use it, you are now ready to refresh a Windows 7 SP1 client to Windows 10. In these steps, we assume you have a Windows 7 SP1 client named PC0001 in your environment that is ready for a refresh to Windows 10.
**Note**  
MDT also supports an offline computer refresh. For more info on that scenario, see the USMTOfflineMigration property in the [MDT resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117).
>[!NOTE]   
>MDT also supports an offline computer refresh. For more info on that scenario, see the USMTOfflineMigration property in the [MDT resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117).
 
### Upgrade (refresh) a Windows 7 SP1 client
1. On PC0001, log on as **CONTOSO\\Administrator**. Start the Lite Touch Deploy Wizard by executing **\\\\MDT01\\MDTProduction$\\Scripts\\Litetouch.vbs**. Complete the deployment guide using the following settings:
1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM
2. Computer name: &lt;default&gt;
3. Specify where to save a complete computer backup: Do not back up the existing computer
**Note**  
Skip this optional full WIM backup. The USMT backup will still run.
* Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM
* Computer name: &lt;default&gt;
* Specify where to save a complete computer backup: Do not back up the existing computer
>[!NOTE]
>Skip this optional full WIM backup. The USMT backup will still run.
 
2. Select one or more applications to install: Install - Adobe Reader XI - x86
3. The setup now starts and does the following:
1. Backs up user settings and data using USMT.
2. Installs the Windows 10 Enterprise x64 operating system.
3. Installs the added application(s).
4. Updates the operating system via your local Windows Server Update Services (WSUS) server.
5. Restores user settings and data using USMT.
![figure 2](images/fig2-taskseq.png)
3. The setup now starts and does the following:
* Backs up user settings and data using USMT.
* Installs the Windows 10 Enterprise x64 operating system.
* Installs the added application(s).
* Updates the operating system via your local Windows Server Update Services (WSUS) server.
* Restores user settings and data using USMT.
![Start the computer refresh from the running Windows 7 client](images/fig2-taskseq.png "Start the computer refresh from the running Windows 7 client")
Figure 2. Starting the computer refresh from the running Windows 7 SP1 client.
@ -109,7 +121,6 @@ Figure 2. Starting the computer refresh from the running Windows 7 SP1 client.
[Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md)
[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)

62
windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
View File

@ -32,9 +32,9 @@ In this topic, you will create a backup-only task sequence that you run on PC000
3. On the **General** page, assign the following settings and click **Next**:
1. Task sequence name: Replace Task Sequence
* Task sequence name: Replace Task Sequence
2. Task sequence comments: USMT backup only
* Task sequence comments: USMT backup only
4. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then click **Next**.
@ -48,9 +48,11 @@ In this topic, you will create a backup-only task sequence that you run on PC000
9. On the **Confirmation** page, click **Finish**.
10. Review the Replace Task Sequence. Note: This task sequence has many fewer actions than the normal client task sequence. If it doesn't seem different, make sure you selected the Client Replace Task Sequence template when creating the task sequence.
10. Review the Replace Task Sequence.
>[!NOTE]
>This task sequence has many fewer actions than the normal client task sequence. If it doesn't seem different, make sure you selected the Client Replace Task Sequence template when creating the task sequence.
![figure 34](images/mdt-06-fig42.png)
![The back-up only task sequence](images/mdt-06-fig42.png "The back-up only task sequence")
Figure 34. The backup-only task sequence (named Replace Task Sequence).
@ -67,13 +69,13 @@ This section walks you through the process of associating a blank machine, PC000
4. On the **Single Computer** page, use the following settings and then click **Next**:
1. Computer Name: PC0006
* Computer Name: PC0006
2. MAC Address: &lt;the mac address from step 1&gt;
* MAC Address: &lt;the mac address from step 1&gt;
3. Source Computer: PC0004
* Source Computer: PC0004
![figure 35](images/mdt-06-fig43.png)
![Create the computer association](images/mdt-06-fig43.png "Create the computer association")
Figure 35. Creating the computer association between PC0004 and PC0006.
@ -96,25 +98,25 @@ This section walks you through the process of associating a blank machine, PC000
1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings.
1. General
* General
2. Name: USMT Backup (Replace)
* Name: USMT Backup (Replace)
3. Limited Collection: All Systems
* Limited Collection: All Systems
4. Membership rules:
* Membership rules:
5. Direct rule
* Direct rule
6. Resource Class: System Resource
* Resource Class: System Resource
7. Attribute Name: Name
* Attribute Name: Name
8. Value: PC0004
* Value: PC0004
9. Select **Resources**
* Select **Resources**
10. Select **PC0004**
* Select **PC0004**
2. Review the USMT Backup (Replace) collection. Do not continue until you see the PC0004 machine in the collection.
@ -158,10 +160,8 @@ This section assumes that you have a machine named PC0004 with the Configuration
2. In the **Actions** tab, select the **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, and click **OK**.
**Note**  
You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md).
 
>[!NOTE]  
>You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md).
3. Using the Software Center, select the **Replace Task Sequence** deployment and click **INSTALL**.
@ -173,8 +173,8 @@ This section assumes that you have a machine named PC0004 with the Configuration
7. Using the Configuration Manager console, in the Asset and Compliance workspace, select the **User State Migration** node, right-click the **PC0004/PC0006** association, and select **View Recovery Information**. Note that the object now also has a user state store location.
**Note**  
It may take a few minutes for the user state store location to be populated.
>[!NOTE]  
>It may take a few minutes for the user state store location to be populated.
 
@ -183,21 +183,21 @@ It may take a few minutes for the user state store location to be populated.
1. Start the PC0006 virtual machine, press **F12** to Pre-Boot Execution Environment (PXE) boot when prompted. Allow it to boot Windows Preinstallation Environment (Windows PE), and then complete the deployment wizard using the following settings:
1. Password: P@ssw0rd
* Password: P@ssw0rd
2. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 Custom Image
* Select a task sequence to execute on this computer: Windows 10 Enterprise x64 Custom Image
2. The setup now starts and does the following:
1. Installs the Windows 10 operating system
* Installs the Windows 10 operating system
2. Installs the Configuration Manager client
* Installs the Configuration Manager client
3. Joins it to the domain
* Joins it to the domain
4. Installs the applications
* Installs the applications
5. Restores the PC0004 backup
* Restores the PC0004 backup
When the process is complete, you will have a new Windows 10 machine in your domain with user data and settings restored.

70
windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md
View File

@ -19,7 +19,7 @@ author: mtniehaus
A computer replace scenario for Windows 10 is quite similar to a computer refresh for Windows 10; however, because you are replacing a machine, you cannot store the backup on the old computer. Instead you need to store the backup to a location where the new computer can read it.
For the purposes of this topic, we will use four machines: DC01, MDT01, PC0002, and PC0007. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard server. PC0002 is an old machine running Windows 7 SP1. It is going to be replaced by a new Windows 10 machine, PC0007. User State Migration Tool (USMT) will be used to backup and restore data and settings. MDT01, PC0002, and PC0007 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
![figure 1](images/mdt-03-fig01.png)
![The machines used in this topic](images/mdt-03-fig01.png "The machines used in this topic")
Figure 1. The machines used in this topic.
@ -30,11 +30,13 @@ When preparing for the computer replace, you need to create a folder in which to
### Configure the rules on the Microsoft Deployment Toolkit (MDT) Production share
1. On MDT01, using the Deployment Workbench, update the MDT Production deployment share rules.
2. Change the **SkipUserData=YES** option to **NO**, and click **OK**.
### Create and share the MigData folder
1. On MDT01, log on as **CONTOSO\\Administrator**.
2. Create and share the **E:\\MigData** folder by running the following three commands in an elevated Windows PowerShell prompt:
``` syntax
New-Item -Path E:\MigData -ItemType directory
@ -45,75 +47,89 @@ When preparing for the computer replace, you need to create a folder in which to
### Create a backup only (replace) task sequence
1. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, select the **Task Sequences** node and create a new folder named **Other**.
2. Right-click the **Other** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
1. Task sequence ID: REPLACE-001
2. Task sequence name: Backup Only Task Sequence
3. Task sequence comments: Run USMT to backup user data and settings
4. Template: Standard Client Replace Task Sequence
* Task sequence ID: REPLACE-001
* Task sequence name: Backup Only Task Sequence
* Task sequence comments: Run USMT to backup user data and settings
* Template: Standard Client Replace Task Sequence
3. In the **Other** folder, double-click **Backup Only Task Sequence**, and then in the **Task Sequence** tab, review the sequence. Notice that it only contains a subset of the normal client task sequence actions.
![figure 2](images/mdt-03-fig02.png)
![The Backup Only Task Sequence action list](images/mdt-03-fig02.png "The Backup Only Task Sequence action list")
Figure 2. The Backup Only Task Sequence action list.
## <a href="" id="sec02"></a>Perform the computer replace
During a computer replace, these are the high-level steps that occur:
1. On the computer you are replacing, a special replace task sequence runs the USMT backup and, if you configured it, runs the optional full Window Imaging (WIM) backup.
2. On the new machine, you perform a standard bare-metal deployment. At the end of the bare-metal deployment, the USMT backup from the old computer is restored.
### Execute the replace task sequence
1. On PC0002, log on as **CONTOSO\\Administrator**.
2. Verify that you have write access to the **\\\\MDT01\\MigData$** share.
3. Execute **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs**.
4. Complete the Windows Deployment Wizard using the following settings:
1. Select a task sequence to execute on this computer: Backup Only Task Sequence
1. Specify where to save your data and settings: Specify a location
2. Location: \\\\MDT01\\MigData$\\PC0002
**Note**  
If you are replacing the computer at a remote site you should create the MigData folder on MDT02 and use that share instead.
* Specify where to save your data and settings: Specify a location
* Location: \\\\MDT01\\MigData$\\PC0002
>[!NOTE]  
>If you are replacing the computer at a remote site you should create the MigData folder on MDT02 and use that share instead.
 
2. Specify where to save a complete computer backup: Do not back up the existing computer
3. Password: P@ssw0rd
The task sequence will now run USMT (Scanstate.exe) to capture user data and settings of the machine.
![figure 3](images/mdt-03-fig03.png)
![The new task sequence](images/mdt-03-fig03.png "The new task sequence")
Figure 3. The new task sequence running the Capture User State action on PC0002.
5. On MDT01, verify that you have an USMT.MIG compressed backup file in the **E:\\MigData\\PC0002\\USMT** folder.
![figure 4](images/mdt-03-fig04.png)
![The USMT backup](images/mdt-03-fig04.png "The USMT backup")
Figure 4. The USMT backup of PC0002.
### Deploy the PC0007 virtual machine
1. Create a virtual machine with the following settings:
1. Name: PC0007
2. Location: C:\\VMs
3. Generation: 2
4. Memory: 2048 MB
5. Hard disk: 60 GB (dynamic disk)
* Name: PC0007
* Location: C:\\VMs
* Generation: 2
* Memory: 2048 MB
* Hard disk: 60 GB (dynamic disk)
2. Start the PC0007 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The machine will now load the Windows PE boot image from the WDS server.
![figure 5](images/mdt-03-fig05.png)
![The initial PXE boot process](images/mdt-03-fig05.png "The initial PXE boot process")
Figure 5. The initial PXE boot process of PC0005.
3. After Windows Preinstallation Environment (Windows PE) has booted, complete the Windows Deployment Wizard using the following settings:
1. Password: P@ssw0rd
2. Select a task sequence to execute on this computer:
1. Windows 10 Enterprise x64 RTM Custom Image
2. Computer Name: PC0007
3. Applications: Select the Install - Adobe Reader XI - x86 application.
* Password: P@ssw0rd
* Select a task sequence to execute on this computer:
* Windows 10 Enterprise x64 RTM Custom Image
* Computer Name: PC0007
* Applications: Select the Install - Adobe Reader XI - x86 application.
4. The setup now starts and does the following:
1. Installs the Windows 10 Enterprise operating system.
2. Installs the added application.
3. Updates the operating system via your local Windows Server Update Services (WSUS) server.
4. Restores the USMT backup from PC0002.
* Installs the Windows 10 Enterprise operating system.
* Installs the added application.
* Updates the operating system via your local Windows Server Update Services (WSUS) server.
* Restores the USMT backup from PC0002.
## Related topics

10
windows/deploy/resolve-windows-10-upgrade-errors.md
View File

@ -102,7 +102,7 @@ Note: If only a result code is returned, this can be because a tool is being use
### Result codes
>A result code of **0xC1900101** is generic and indicates that a rollback occurred. In most cases, the cause is a driver compatibility issue. <BR>To troubleshoot a failed upgrade that has returned a result code of 0xC1900101, analyze the extend code to determine the Windows Setup phase, and see the [Other error codes](#other-error-codes) section later in this topic.
>A result code of **0xC1900101** is generic and indicates that a rollback occurred. In most cases, the cause is a driver compatibility issue. <BR>To troubleshoot a failed upgrade that has returned a result code of 0xC1900101, analyze the extend code to determine the Windows Setup phase, and see the [Resolution procedures](#resolution-procedures) section later in this topic.
Result codes can be matched to the type of error encountered. To match a result code to an error:
@ -736,6 +736,12 @@ This error has more than one possible cause. Attempt [quick fixes](#quick-fixes)
<td BGCOLOR="#a0e4fa"><B>Mitigation</th>
</tr>
<tr>
<td>0xC1800118</td>
<td>WSUS has downloaded content that it cannot use due to a missing decryption key.</td>
<td>See [Steps to resolve error 0xC1800118](https://blogs.technet.microsoft.com/wsus/2016/09/21/resolving-error-0xc1800118/) for information.</td>
</tr>
<tr>
<td>0xC1900200</td>
<td>Setup.exe has detected that the machine does not meet the minimum system requirements.</td>
@ -765,7 +771,7 @@ This error has more than one possible cause. Attempt [quick fixes](#quick-fixes)
<tr>
<td>0x80246007</td>
<td>The update was not downloaded successfully.</td>
<td>Attempt other methods of upgrading the operatign system.<BR>
<td>Attempt other methods of upgrading the operating system.<BR>
Download and run the media creation tool. See [Download windows 10](https://www.microsoft.com/en-us/software-download/windows10).
<BR>Attempt to upgrade using .ISO or USB.<BR>
**Note**: Windows 10 Enterprise isnt available in the media creation tool. For more information, go to the [Volume Licensing Service Center](https://www.microsoft.com/licensing/servicecenter/default.aspx).

56
windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
View File

@ -33,15 +33,53 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre
1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint Management** on the **Navigation pane**.
a. Select **Endpoint Management** on the **Navigation pane**.
b. Select **Mobile Device Management/Microsoft Intune**, click **Download package** and save the .zip file.
b. Select **Mobile Device Management/Microsoft Intune** > **Download package** and save the .zip file.
![Endpoint onboarding](images/atp-onboard-mdm.png)
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP.onboarding*.
3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune).
Onboarding - Use the onboarding policies to deploy configuration settings on endpoints. These policies can be sub-categorized to:
a. Select **Policy** > **Configuration Policies** > **Add**.
![Microsoft Intune Configuration Policies](images/atp-intune-add-policy.png)
b. Under **Windows**, select **Custom Configuration (Windows 10 Desktop and Mobile and later)** > **Create and Deploy a Custom Policy** > **Create Policy**.
![Microsoft Intune Configuration Policies](images/atp-intune-new-policy.png)
c. Type a name and description for the policy.
![Microsoft Intune Create Policy](images/atp-intune-policy-name.png)
d. Under OMA-URI settings, select **Add...**.
![Microsoft Intune add OMC-URI](images/atp-intune-add-oma.png)
e. Type the following values then select **OK**:
![Microsoft Intune save policy](images/atp-intune-oma-uri-setting.png)
- **Setting name**: Type a name for the setting.
- **Setting description**: Type a description for the setting.
- **Data type**: Select **String**.
- **OMA-URI**: *./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding*
- **Value**: Copy and paste the contents of the *WindowsDefenderATP.onboarding* file you downloaded.
f. Save the policy.
![Microsoft Intune save policy](images/atp-intune-save-policy.png)
g. Deploy the policy.
![Microsoft Intune deploy policy](images/atp-intune-deploy-policy.png)
h. Select the device group to deploy the policy to:
![Microsoft Intune manage deployment](images/atp-intune-manage-deployment.png)
When the policy is deployed and is propagated, endpoints will be shown in the **Machines view**.
You can use the following onboarding policies to deploy configuration settings on endpoints. These policies can be sub-categorized to:
- Onboarding
- Health Status for onboarded machines
- Configuration for onboarded machines
@ -49,10 +87,10 @@ Onboarding - Use the onboarding policies to deploy configuration settings on end
Policy | OMA-URI | Type | Value | Description
:---|:---|:---|:---|:---
Onboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding | String | Copy content from onboarding MDM file | Onboarding
Health Status for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | TRUE | Windows Defender ATP service is running
| ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 1 | Onboarded to Windows Defender ATP
| ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OrgId | String | Use OrgID from onboarding file | Onboarded to Organization ID
Configuration for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | 0 or 1 <br> Default value: 1 | Windows Defender ATP Sample sharing is enabled
Health Status for onboarded machines: Sense Is Running | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | TRUE | Windows Defender ATP service is running
Health Status for onboarded machines: Onboarding State | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 1 | Onboarded to Windows Defender ATP
Health Status for onboarded machines: Organization ID | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OrgId | String | Use OrgID from onboarding file | Onboarded to Organization ID
Configuration for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | 0 or 1 <br> Default value: 1 | Windows Defender ATP Sample sharing is enabled
> [!NOTE]
@ -83,8 +121,8 @@ Offboarding - Use the offboarding policies to remove configuration settings on e
Policy | OMA-URI | Type | Value | Description
:---|:---|:---|:---|:---
Offboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding | String | Copy content from offboarding MDM file | Offboarding
Health Status for offboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | FALSE |Windows Defender ATP service is not running
| ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 0 | Offboarded from Windows Defender ATP
Health Status for offboarded machines: Sense Is Running | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | FALSE |Windows Defender ATP service is not running
Health Status for offboarded machines: Onboarding State | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 0 | Offboarded from Windows Defender ATP
> [!NOTE]
> The **Health Status for offboarded machines** policy uses read-only properties and can't be remediated.

BIN
windows/keep-secure/images/atp-intune-add-oma.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 31 KiB

BIN
windows/keep-secure/images/atp-intune-add-policy.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 116 KiB

BIN
windows/keep-secure/images/atp-intune-deploy-policy.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 43 KiB

BIN
windows/keep-secure/images/atp-intune-manage-deployment.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 63 KiB

BIN
windows/keep-secure/images/atp-intune-new-policy.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 178 KiB

BIN
windows/keep-secure/images/atp-intune-oma-uri-setting.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 54 KiB

BIN
windows/keep-secure/images/atp-intune-policy-name.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 45 KiB

BIN
windows/keep-secure/images/atp-intune-save-policy.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 96 KiB

BIN
windows/keep-secure/images/atp-onboard-mdm.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 80 KiB

2
windows/keep-secure/manage-identity-verification-using-microsoft-passport.md
View File

@ -19,7 +19,7 @@ localizationpriority: high
In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN.
>[!NOTE]
> When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
> When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed Microsoft Passport for Work will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
Hello addresses the following problems with passwords:
- Passwords can be difficult to remember, and users often reuse passwords on multiple sites.

5
windows/manage/windows-10-start-layout-options-and-policies.md
View File

@ -80,11 +80,6 @@ The following table lists the different parts of Start and any applicable policy
<td align="left">Group Policy: <strong>Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands</strong></td>
<td align="left">None</td>
</tr>
<tr class="odd">
<td align="left">All apps</td>
<td align="left">Group Policy: <strong>Remove All Programs list from the Start menu</strong></td>
<td align="left">None</td>
</tr>
<tr class="even">
<td align="left">Start layout</td>
<td align="left"><p>MDM: <strong>Start layout</strong></p>

3
windows/whats-new/whats-new-windows-10-version-1607.md
View File

@ -67,12 +67,13 @@ Isolated User Mode is now included with Hyper-V so you don't have to install it
### Windows Hello for Business
When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in Windows 10, version 1607. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in Windows 10, version 1607. Customers who have already deployed Microsoft Passport for Work will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
Additional changes for Windows Hello in Windows 10, version 1607:
- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys.
- Group Policy settings for managing Windows Hello for Business are now available for both **User Configuration** and **Computer Configuration**.
- Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**.
<!--- Users can use Windows Phone with Windows Hello to sign in to a PC, connect to VPN, and sign in to Office 365 in a browser.-->
[Learn more about Windows Hello for Business.](../keep-secure/manage-identity-verification-using-microsoft-passport.md)